Files
scrabble-game/gateway/internal/connectsrv/abuse_test.go
T
Ilia Denisov 4ba9da6721
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 24s
CI / ui (pull_request) Successful in 1m11s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m49s
feat(edge): community IP blocklist (Spamhaus DROP) at the gateway
Refuse a client whose IP is in a curated CIDR feed with 403 in the same
abuseGuard, before the fail2ban ban. Prod-only (keys by real client IP), off by
default.

- ratelimit.Blocklist: a sorted-range IPv4 matcher (binary search) with an
  allowlist checked first; ParseDROP reads the feed; ApplyRefresh keeps the
  last-good feed on a transient fetch failure and drops it fail-open once stale
  (better to under-block than block a legitimate client on a frozen feed). A
  separate static CIDR set, not the per-IP fail2ban store.
- gateway: a refresher goroutine re-fetches every few hours (bounded fetch + size
  cap); config GATEWAY_BLOCKLIST_{ENABLED,URL,ALLOW,REFRESH,MAX_STALENESS}.
  IPv6 is not matched (a v6 client is still covered by fail2ban / the honeypot).
- observability: gateway_blocklist_blocked_total + entries/age gauges; a Grafana
  alert warns before the feed is dropped; service-overview panels.
- deploy: compose env + write-prod-env.sh + prod-deploy/rollback wiring (opt-in
  via PROD_ vars).
- docs (ARCHITECTURE, deploy/README); unit tests (match, allowlist, IPv6 skip,
  parser, fault-tolerance) + a 403 abuse-guard integration test.
2026-07-11 13:33:28 +02:00

244 lines
8.7 KiB
Go

package connectsrv_test
import (
"context"
"net"
"net/http"
"net/http/httptest"
"testing"
"time"
"connectrpc.com/connect"
"scrabble/gateway/internal/backendclient"
"scrabble/gateway/internal/config"
"scrabble/gateway/internal/connectsrv"
"scrabble/gateway/internal/push"
"scrabble/gateway/internal/ratelimit"
"scrabble/gateway/internal/session"
"scrabble/gateway/internal/transcode"
edgev1 "scrabble/gateway/proto/edge/v1"
"scrabble/gateway/proto/edge/v1/edgev1connect"
)
const honeypotHeader = "X-Scrabble-Honeypot"
// guardedEdge wires an edge with an explicit banlist and honeytoken over a fake
// backend, returning the front URL, a Connect client and a cleanup func.
func guardedEdge(t *testing.T, bl *ratelimit.Banlist, block *ratelimit.Blocklist, honeytoken string, limits config.RateLimitConfig, backendHandler http.HandlerFunc) (string, edgev1connect.GatewayClient, func()) {
t.Helper()
backendSrv := httptest.NewServer(backendHandler)
backend, err := backendclient.New(backendSrv.URL, "localhost:9090", 2*time.Second)
if err != nil {
t.Fatalf("backendclient: %v", err)
}
edge := connectsrv.NewServer(connectsrv.Deps{
Registry: transcode.NewRegistry(backend, nil),
Sessions: session.NewCache(backend, time.Minute, 100),
Limiter: ratelimit.New(),
Banlist: bl,
Blocklist: block,
Honeytoken: honeytoken,
Hub: push.NewHub(0),
RateLimit: limits,
Heartbeat: 15 * time.Second,
})
edgeSrv := httptest.NewServer(edge.HTTPHandler())
client := edgev1connect.NewGatewayClient(http.DefaultClient, edgeSrv.URL)
return edgeSrv.URL, client, func() {
edgeSrv.Close()
_ = backend.Close()
backendSrv.Close()
}
}
// noRedirect is an HTTP client that surfaces a redirect instead of following it,
// so the test can tell a 308 (passed the guard) from a 429 (blocked).
func noRedirect() *http.Client {
return &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
return http.ErrUseLastResponse
}}
}
func enabledBanlist(threshold int) *ratelimit.Banlist {
return ratelimit.NewBanlist(ratelimit.BanConfig{
Enabled: true, Threshold: threshold, Window: time.Minute, Duration: time.Hour,
})
}
// TestAbuseGuardBlocksBannedIP verifies a banned client IP is refused with 429 at
// the HTTP layer, before any handler runs.
func TestAbuseGuardBlocksBannedIP(t *testing.T) {
bl := enabledBanlist(100)
bl.BanNow("127.0.0.1", ratelimit.ReasonTripwire)
url, _, cleanup := guardedEdge(t, bl, nil, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {})
defer cleanup()
resp, err := noRedirect().Get(url + "/")
if err != nil {
t.Fatalf("get: %v", err)
}
_ = resp.Body.Close()
if resp.StatusCode != http.StatusTooManyRequests {
t.Fatalf("banned GET / = %d, want 429", resp.StatusCode)
}
}
// TestHoneypotHeaderTrips verifies a request carrying the honeypot header is 404'd
// and bans the client IP, so the next request is blocked.
func TestHoneypotHeaderTrips(t *testing.T) {
bl := enabledBanlist(100)
url, _, cleanup := guardedEdge(t, bl, nil, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {
t.Error("backend must not be called for a honeypot hit")
})
defer cleanup()
req, _ := http.NewRequest(http.MethodGet, url+"/.env", nil)
req.Header.Set(honeypotHeader, "1")
resp, err := noRedirect().Do(req)
if err != nil {
t.Fatalf("honeypot get: %v", err)
}
_ = resp.Body.Close()
if resp.StatusCode != http.StatusNotFound {
t.Fatalf("honeypot hit = %d, want 404", resp.StatusCode)
}
if !bl.Banned("127.0.0.1") {
t.Fatal("a honeypot hit must ban the client IP")
}
follow, err := noRedirect().Get(url + "/")
if err != nil {
t.Fatalf("follow-up get: %v", err)
}
_ = follow.Body.Close()
if follow.StatusCode != http.StatusTooManyRequests {
t.Fatalf("post-trip GET / = %d, want 429", follow.StatusCode)
}
}
// TestHoneypotDetectsWithoutBanWhenDisabled verifies the prod-only gate: a disabled
// banlist still 404s the decoy (detection/logging) but bans nothing.
func TestHoneypotDetectsWithoutBanWhenDisabled(t *testing.T) {
bl := ratelimit.NewBanlist(ratelimit.BanConfig{}) // disabled
url, _, cleanup := guardedEdge(t, bl, nil, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {})
defer cleanup()
req, _ := http.NewRequest(http.MethodGet, url+"/.env", nil)
req.Header.Set(honeypotHeader, "1")
resp, err := noRedirect().Do(req)
if err != nil {
t.Fatalf("honeypot get: %v", err)
}
_ = resp.Body.Close()
if resp.StatusCode != http.StatusNotFound {
t.Fatalf("decoy = %d, want 404", resp.StatusCode)
}
if bl.Banned("127.0.0.1") {
t.Fatal("a disabled banlist must not ban")
}
follow, err := noRedirect().Get(url + "/")
if err != nil {
t.Fatalf("follow-up: %v", err)
}
_ = follow.Body.Close()
if follow.StatusCode != http.StatusPermanentRedirect {
t.Fatalf("post-trip GET / = %d, want 308 (not banned)", follow.StatusCode)
}
}
// TestPublicRejectionStrikesBan verifies a public-class limiter rejection feeds the
// banlist: with a one-strike threshold the rejected IP is then banned.
func TestPublicRejectionStrikesBan(t *testing.T) {
bl := enabledBanlist(1)
limits := config.DefaultRateLimit()
limits.PublicPerMinute, limits.PublicBurst = 1, 1
_, client, cleanup := guardedEdge(t, bl, nil, "", limits, func(w http.ResponseWriter, r *http.Request) {
_, _ = w.Write([]byte(`{"token":"tok","user_id":"u-1","is_guest":true,"display_name":"Guest"}`))
})
defer cleanup()
if _, err := client.Execute(context.Background(), connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgAuthGuest})); err != nil {
t.Fatalf("first execute: %v", err)
}
_, err := client.Execute(context.Background(), connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgAuthGuest}))
if connect.CodeOf(err) != connect.CodeResourceExhausted {
t.Fatalf("second execute code = %v, want ResourceExhausted", connect.CodeOf(err))
}
if !bl.Banned("127.0.0.1") {
t.Fatal("a public rejection must strike the banlist")
}
}
// TestUserRejectionDoesNotBan verifies the user limiter class (keyed by account id,
// not IP) does not feed the IP banlist — that path is the backend's soft flag.
func TestUserRejectionDoesNotBan(t *testing.T) {
bl := enabledBanlist(1)
limits := config.DefaultRateLimit()
limits.UserPerMinute, limits.UserBurst = 1, 1
_, client, cleanup := guardedEdge(t, bl, nil, "", limits, func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path {
case "/api/v1/internal/sessions/resolve":
_, _ = w.Write([]byte(`{"user_id":"u-1","is_guest":false}`))
case "/api/v1/user/feedback/unread":
_, _ = w.Write([]byte(`{"reply_unread":false}`))
default:
t.Errorf("unexpected backend path %s", r.URL.Path)
}
})
defer cleanup()
for i := range 2 {
req := connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgFeedbackUnread})
req.Header().Set("Authorization", "Bearer tok")
_, err := client.Execute(context.Background(), req)
if i == 1 && connect.CodeOf(err) != connect.CodeResourceExhausted {
t.Fatalf("second execute code = %v, want ResourceExhausted", connect.CodeOf(err))
}
}
if len(bl.Active()) != 0 {
t.Fatalf("user-class rejection must not ban; active = %v", bl.Active())
}
}
// TestHoneytokenBansAndRejects verifies presenting the planted honeytoken bans the
// caller and returns the ordinary invalid-session error without a backend call.
func TestHoneytokenBansAndRejects(t *testing.T) {
bl := enabledBanlist(100)
_, client, cleanup := guardedEdge(t, bl, nil, "s3cr3t-trap", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {
t.Error("backend must not be called for the honeytoken")
})
defer cleanup()
req := connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgProfileGet})
req.Header().Set("Authorization", "Bearer s3cr3t-trap")
_, err := client.Execute(context.Background(), req)
if connect.CodeOf(err) != connect.CodeUnauthenticated {
t.Fatalf("honeytoken code = %v, want Unauthenticated", connect.CodeOf(err))
}
if !bl.Banned("127.0.0.1") {
t.Fatal("the honeytoken must ban the caller")
}
}
// TestAbuseGuardBlocksBlocklistedIP verifies a client IP in the community blocklist feed is refused
// with 403 at the HTTP layer, before any handler runs.
func TestAbuseGuardBlocksBlocklistedIP(t *testing.T) {
block := ratelimit.NewBlocklist(true, nil)
_, feed, err := net.ParseCIDR("127.0.0.0/8")
if err != nil {
t.Fatal(err)
}
block.SetCIDRs([]*net.IPNet{feed}, time.Now())
url, _, cleanup := guardedEdge(t, nil, block, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {})
defer cleanup()
resp, err := noRedirect().Get(url + "/")
if err != nil {
t.Fatalf("get: %v", err)
}
_ = resp.Body.Close()
if resp.StatusCode != http.StatusForbidden {
t.Fatalf("blocklisted GET / = %d, want 403", resp.StatusCode)
}
}