041106d623
CI / changes (pull_request) Successful in 3s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 17s
CI / ui (pull_request) Successful in 53s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m11s
Add a prod-only, in-memory IP ban enforced at the edge, fed by three signals:
sustained rate-limiter rejections (the IP-keyed public/email/admin classes — the
user class stays the backend soft-flag's concern), a honeypot decoy-path hit (the
contour caddy tags decoys with X-Scrabble-Honeypot and routes them to the gateway),
and a honeytoken (a planted bearer, GATEWAY_HONEYTOKEN). A banned IP is refused with
429 by the abuseGuard middleware before any work — covering the Connect edge, the
live stream and the static SPA/landing the per-op limiter never gated.
The ban is off by default: it keys by the real client IP the shared-NAT test contour
does not expose, so a ban there would be self-inflicted; detection still logs in the
contour, only the ban action is gated (GATEWAY_ABUSE_BAN_ENABLED). Rejection bans last
GATEWAY_ABUSE_BAN_DURATION; tripwire/honeytoken hits are near-zero-false-positive and
earn longer fixed bans. Each ban increments gateway_abuse_banned_total{reason}.
Operators see and lift active bans on the admin console's Throttled page; the gateway
syncs its active set to the backend every 30s (POST /api/v1/internal/bans/sync,
backend/internal/banview) and applies the operator unbans the response returns.
PRERELEASE phase AG. Docs baked into ARCHITECTURE / FUNCTIONAL (+ru) / both READMEs.
220 lines
7.9 KiB
Go
220 lines
7.9 KiB
Go
package connectsrv_test
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
"time"
|
|
|
|
"connectrpc.com/connect"
|
|
|
|
"scrabble/gateway/internal/backendclient"
|
|
"scrabble/gateway/internal/config"
|
|
"scrabble/gateway/internal/connectsrv"
|
|
"scrabble/gateway/internal/push"
|
|
"scrabble/gateway/internal/ratelimit"
|
|
"scrabble/gateway/internal/session"
|
|
"scrabble/gateway/internal/transcode"
|
|
edgev1 "scrabble/gateway/proto/edge/v1"
|
|
"scrabble/gateway/proto/edge/v1/edgev1connect"
|
|
)
|
|
|
|
const honeypotHeader = "X-Scrabble-Honeypot"
|
|
|
|
// guardedEdge wires an edge with an explicit banlist and honeytoken over a fake
|
|
// backend, returning the front URL, a Connect client and a cleanup func.
|
|
func guardedEdge(t *testing.T, bl *ratelimit.Banlist, honeytoken string, limits config.RateLimitConfig, backendHandler http.HandlerFunc) (string, edgev1connect.GatewayClient, func()) {
|
|
t.Helper()
|
|
backendSrv := httptest.NewServer(backendHandler)
|
|
backend, err := backendclient.New(backendSrv.URL, "localhost:9090", 2*time.Second)
|
|
if err != nil {
|
|
t.Fatalf("backendclient: %v", err)
|
|
}
|
|
edge := connectsrv.NewServer(connectsrv.Deps{
|
|
Registry: transcode.NewRegistry(backend, nil),
|
|
Sessions: session.NewCache(backend, time.Minute, 100),
|
|
Limiter: ratelimit.New(),
|
|
Banlist: bl,
|
|
Honeytoken: honeytoken,
|
|
Hub: push.NewHub(0),
|
|
RateLimit: limits,
|
|
Heartbeat: 15 * time.Second,
|
|
})
|
|
edgeSrv := httptest.NewServer(edge.HTTPHandler())
|
|
client := edgev1connect.NewGatewayClient(http.DefaultClient, edgeSrv.URL)
|
|
return edgeSrv.URL, client, func() {
|
|
edgeSrv.Close()
|
|
_ = backend.Close()
|
|
backendSrv.Close()
|
|
}
|
|
}
|
|
|
|
// noRedirect is an HTTP client that surfaces a redirect instead of following it,
|
|
// so the test can tell a 308 (passed the guard) from a 429 (blocked).
|
|
func noRedirect() *http.Client {
|
|
return &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
|
|
return http.ErrUseLastResponse
|
|
}}
|
|
}
|
|
|
|
func enabledBanlist(threshold int) *ratelimit.Banlist {
|
|
return ratelimit.NewBanlist(ratelimit.BanConfig{
|
|
Enabled: true, Threshold: threshold, Window: time.Minute, Duration: time.Hour,
|
|
})
|
|
}
|
|
|
|
// TestAbuseGuardBlocksBannedIP verifies a banned client IP is refused with 429 at
|
|
// the HTTP layer, before any handler runs.
|
|
func TestAbuseGuardBlocksBannedIP(t *testing.T) {
|
|
bl := enabledBanlist(100)
|
|
bl.BanNow("127.0.0.1", ratelimit.ReasonTripwire)
|
|
url, _, cleanup := guardedEdge(t, bl, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {})
|
|
defer cleanup()
|
|
|
|
resp, err := noRedirect().Get(url + "/")
|
|
if err != nil {
|
|
t.Fatalf("get: %v", err)
|
|
}
|
|
_ = resp.Body.Close()
|
|
if resp.StatusCode != http.StatusTooManyRequests {
|
|
t.Fatalf("banned GET / = %d, want 429", resp.StatusCode)
|
|
}
|
|
}
|
|
|
|
// TestHoneypotHeaderTrips verifies a request carrying the honeypot header is 404'd
|
|
// and bans the client IP, so the next request is blocked.
|
|
func TestHoneypotHeaderTrips(t *testing.T) {
|
|
bl := enabledBanlist(100)
|
|
url, _, cleanup := guardedEdge(t, bl, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {
|
|
t.Error("backend must not be called for a honeypot hit")
|
|
})
|
|
defer cleanup()
|
|
|
|
req, _ := http.NewRequest(http.MethodGet, url+"/.env", nil)
|
|
req.Header.Set(honeypotHeader, "1")
|
|
resp, err := noRedirect().Do(req)
|
|
if err != nil {
|
|
t.Fatalf("honeypot get: %v", err)
|
|
}
|
|
_ = resp.Body.Close()
|
|
if resp.StatusCode != http.StatusNotFound {
|
|
t.Fatalf("honeypot hit = %d, want 404", resp.StatusCode)
|
|
}
|
|
if !bl.Banned("127.0.0.1") {
|
|
t.Fatal("a honeypot hit must ban the client IP")
|
|
}
|
|
follow, err := noRedirect().Get(url + "/")
|
|
if err != nil {
|
|
t.Fatalf("follow-up get: %v", err)
|
|
}
|
|
_ = follow.Body.Close()
|
|
if follow.StatusCode != http.StatusTooManyRequests {
|
|
t.Fatalf("post-trip GET / = %d, want 429", follow.StatusCode)
|
|
}
|
|
}
|
|
|
|
// TestHoneypotDetectsWithoutBanWhenDisabled verifies the prod-only gate: a disabled
|
|
// banlist still 404s the decoy (detection/logging) but bans nothing.
|
|
func TestHoneypotDetectsWithoutBanWhenDisabled(t *testing.T) {
|
|
bl := ratelimit.NewBanlist(ratelimit.BanConfig{}) // disabled
|
|
url, _, cleanup := guardedEdge(t, bl, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {})
|
|
defer cleanup()
|
|
|
|
req, _ := http.NewRequest(http.MethodGet, url+"/.env", nil)
|
|
req.Header.Set(honeypotHeader, "1")
|
|
resp, err := noRedirect().Do(req)
|
|
if err != nil {
|
|
t.Fatalf("honeypot get: %v", err)
|
|
}
|
|
_ = resp.Body.Close()
|
|
if resp.StatusCode != http.StatusNotFound {
|
|
t.Fatalf("decoy = %d, want 404", resp.StatusCode)
|
|
}
|
|
if bl.Banned("127.0.0.1") {
|
|
t.Fatal("a disabled banlist must not ban")
|
|
}
|
|
follow, err := noRedirect().Get(url + "/")
|
|
if err != nil {
|
|
t.Fatalf("follow-up: %v", err)
|
|
}
|
|
_ = follow.Body.Close()
|
|
if follow.StatusCode != http.StatusPermanentRedirect {
|
|
t.Fatalf("post-trip GET / = %d, want 308 (not banned)", follow.StatusCode)
|
|
}
|
|
}
|
|
|
|
// TestPublicRejectionStrikesBan verifies a public-class limiter rejection feeds the
|
|
// banlist: with a one-strike threshold the rejected IP is then banned.
|
|
func TestPublicRejectionStrikesBan(t *testing.T) {
|
|
bl := enabledBanlist(1)
|
|
limits := config.DefaultRateLimit()
|
|
limits.PublicPerMinute, limits.PublicBurst = 1, 1
|
|
_, client, cleanup := guardedEdge(t, bl, "", limits, func(w http.ResponseWriter, r *http.Request) {
|
|
_, _ = w.Write([]byte(`{"token":"tok","user_id":"u-1","is_guest":true,"display_name":"Guest"}`))
|
|
})
|
|
defer cleanup()
|
|
|
|
if _, err := client.Execute(context.Background(), connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgAuthGuest})); err != nil {
|
|
t.Fatalf("first execute: %v", err)
|
|
}
|
|
_, err := client.Execute(context.Background(), connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgAuthGuest}))
|
|
if connect.CodeOf(err) != connect.CodeResourceExhausted {
|
|
t.Fatalf("second execute code = %v, want ResourceExhausted", connect.CodeOf(err))
|
|
}
|
|
if !bl.Banned("127.0.0.1") {
|
|
t.Fatal("a public rejection must strike the banlist")
|
|
}
|
|
}
|
|
|
|
// TestUserRejectionDoesNotBan verifies the user limiter class (keyed by account id,
|
|
// not IP) does not feed the IP banlist — that path is the backend's soft flag.
|
|
func TestUserRejectionDoesNotBan(t *testing.T) {
|
|
bl := enabledBanlist(1)
|
|
limits := config.DefaultRateLimit()
|
|
limits.UserPerMinute, limits.UserBurst = 1, 1
|
|
_, client, cleanup := guardedEdge(t, bl, "", limits, func(w http.ResponseWriter, r *http.Request) {
|
|
switch r.URL.Path {
|
|
case "/api/v1/internal/sessions/resolve":
|
|
_, _ = w.Write([]byte(`{"user_id":"u-1","is_guest":false}`))
|
|
case "/api/v1/user/feedback/unread":
|
|
_, _ = w.Write([]byte(`{"reply_unread":false}`))
|
|
default:
|
|
t.Errorf("unexpected backend path %s", r.URL.Path)
|
|
}
|
|
})
|
|
defer cleanup()
|
|
|
|
for i := range 2 {
|
|
req := connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgFeedbackUnread})
|
|
req.Header().Set("Authorization", "Bearer tok")
|
|
_, err := client.Execute(context.Background(), req)
|
|
if i == 1 && connect.CodeOf(err) != connect.CodeResourceExhausted {
|
|
t.Fatalf("second execute code = %v, want ResourceExhausted", connect.CodeOf(err))
|
|
}
|
|
}
|
|
if len(bl.Active()) != 0 {
|
|
t.Fatalf("user-class rejection must not ban; active = %v", bl.Active())
|
|
}
|
|
}
|
|
|
|
// TestHoneytokenBansAndRejects verifies presenting the planted honeytoken bans the
|
|
// caller and returns the ordinary invalid-session error without a backend call.
|
|
func TestHoneytokenBansAndRejects(t *testing.T) {
|
|
bl := enabledBanlist(100)
|
|
_, client, cleanup := guardedEdge(t, bl, "s3cr3t-trap", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {
|
|
t.Error("backend must not be called for the honeytoken")
|
|
})
|
|
defer cleanup()
|
|
|
|
req := connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgProfileGet})
|
|
req.Header().Set("Authorization", "Bearer s3cr3t-trap")
|
|
_, err := client.Execute(context.Background(), req)
|
|
if connect.CodeOf(err) != connect.CodeUnauthenticated {
|
|
t.Fatalf("honeytoken code = %v, want Unauthenticated", connect.CodeOf(err))
|
|
}
|
|
if !bl.Banned("127.0.0.1") {
|
|
t.Fatal("the honeytoken must ban the caller")
|
|
}
|
|
}
|