2020-01-12 18:23:35 +01:00
|
|
|
package resolver
|
|
|
|
|
|
|
|
import (
|
2023-10-07 22:21:40 +02:00
|
|
|
"context"
|
2022-12-26 22:11:45 +01:00
|
|
|
"time"
|
|
|
|
|
2021-08-25 22:06:34 +02:00
|
|
|
"github.com/0xERR0R/blocky/config"
|
|
|
|
. "github.com/0xERR0R/blocky/evt"
|
|
|
|
. "github.com/0xERR0R/blocky/helpertest"
|
|
|
|
"github.com/0xERR0R/blocky/lists"
|
2023-03-12 22:14:10 +01:00
|
|
|
"github.com/0xERR0R/blocky/log"
|
2021-08-29 21:51:24 +02:00
|
|
|
. "github.com/0xERR0R/blocky/model"
|
2022-01-19 22:03:41 +01:00
|
|
|
"github.com/0xERR0R/blocky/redis"
|
2021-08-25 22:06:34 +02:00
|
|
|
"github.com/0xERR0R/blocky/util"
|
2022-01-19 22:03:41 +01:00
|
|
|
"github.com/alicebob/miniredis/v2"
|
|
|
|
"github.com/creasty/defaults"
|
2020-08-24 22:15:31 +02:00
|
|
|
|
2020-01-12 18:23:35 +01:00
|
|
|
"github.com/miekg/dns"
|
2022-03-03 11:27:27 +01:00
|
|
|
. "github.com/onsi/ginkgo/v2"
|
2020-05-04 22:20:13 +02:00
|
|
|
. "github.com/onsi/gomega"
|
2020-01-12 18:23:35 +01:00
|
|
|
"github.com/stretchr/testify/mock"
|
|
|
|
)
|
|
|
|
|
2022-12-26 22:11:45 +01:00
|
|
|
var (
|
|
|
|
group1File, group2File, defaultGroupFile *TmpFile
|
|
|
|
tmpDir *TmpFolder
|
|
|
|
)
|
2022-03-03 11:27:27 +01:00
|
|
|
|
|
|
|
var _ = BeforeSuite(func() {
|
2022-08-06 22:44:26 +02:00
|
|
|
tmpDir = NewTmpFolder("BlockingResolver")
|
|
|
|
group1File = tmpDir.CreateStringFile("group1File", "DOMAIN1.com")
|
|
|
|
group2File = tmpDir.CreateStringFile("group2File", "blocked2.com")
|
|
|
|
defaultGroupFile = tmpDir.CreateStringFile("defaultGroupFile",
|
|
|
|
"blocked3.com",
|
|
|
|
"123.145.123.145",
|
|
|
|
"2001:db8:85a3:08d3::370:7344",
|
|
|
|
"badcnamedomain.com")
|
2022-03-03 11:27:27 +01:00
|
|
|
})
|
|
|
|
|
2022-05-06 22:34:08 +02:00
|
|
|
var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
|
2020-05-04 22:20:13 +02:00
|
|
|
var (
|
|
|
|
sut *BlockingResolver
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig config.Blocking
|
2022-11-30 19:29:37 +01:00
|
|
|
m *mockResolver
|
2020-05-04 22:20:13 +02:00
|
|
|
mockAnswer *dns.Msg
|
2023-10-07 22:21:40 +02:00
|
|
|
ctx context.Context
|
|
|
|
cancelFn context.CancelFunc
|
2020-05-04 22:20:13 +02:00
|
|
|
)
|
|
|
|
|
2023-03-12 22:14:10 +01:00
|
|
|
Describe("Type", func() {
|
|
|
|
It("follows conventions", func() {
|
|
|
|
expectValidResolverType(sut)
|
|
|
|
})
|
|
|
|
})
|
2022-11-29 18:55:12 +01:00
|
|
|
|
2020-05-04 22:20:13 +02:00
|
|
|
BeforeEach(func() {
|
2023-10-07 22:21:40 +02:00
|
|
|
ctx, cancelFn = context.WithCancel(context.Background())
|
|
|
|
DeferCleanup(cancelFn)
|
|
|
|
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2021-11-05 23:00:54 +01:00
|
|
|
BlockType: "ZEROIP",
|
|
|
|
BlockTTL: config.Duration(time.Minute),
|
|
|
|
}
|
2020-05-04 22:20:13 +02:00
|
|
|
|
|
|
|
mockAnswer = new(dns.Msg)
|
|
|
|
})
|
|
|
|
|
|
|
|
JustBeforeEach(func() {
|
2022-12-29 14:58:25 +01:00
|
|
|
var err error
|
2023-08-21 09:50:23 +02:00
|
|
|
|
2022-11-30 19:29:37 +01:00
|
|
|
m = &mockResolver{}
|
2020-05-04 22:20:13 +02:00
|
|
|
m.On("Resolve", mock.Anything).Return(&Response{Res: mockAnswer}, nil)
|
2023-10-07 22:21:40 +02:00
|
|
|
|
|
|
|
sut, err = NewBlockingResolver(ctx, sutConfig, nil, systemResolverBootstrap)
|
2022-05-06 22:34:08 +02:00
|
|
|
Expect(err).Should(Succeed())
|
2020-05-04 22:20:13 +02:00
|
|
|
sut.Next(m)
|
|
|
|
})
|
|
|
|
|
2023-03-12 22:14:10 +01:00
|
|
|
Describe("IsEnabled", func() {
|
|
|
|
It("is false", func() {
|
|
|
|
Expect(sut.IsEnabled()).Should(BeFalse())
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
Describe("LogConfig", func() {
|
|
|
|
It("should log something", func() {
|
|
|
|
logger, hook := log.NewMockEntry()
|
|
|
|
|
|
|
|
sut.LogConfig(logger)
|
|
|
|
|
|
|
|
Expect(hook.Calls).ShouldNot(BeEmpty())
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-01-19 21:52:24 +01:00
|
|
|
Describe("Events", func() {
|
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2021-11-05 23:00:54 +01:00
|
|
|
BlockType: "ZEROIP",
|
|
|
|
BlockTTL: config.Duration(time.Minute),
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{
|
2023-04-17 18:21:56 +02:00
|
|
|
"gr1": config.NewBytesSources(group1File.Path),
|
|
|
|
"gr2": config.NewBytesSources(group2File.Path),
|
2021-01-19 21:52:24 +01:00
|
|
|
},
|
|
|
|
}
|
|
|
|
})
|
|
|
|
When("List is refreshed", func() {
|
|
|
|
It("event should be fired", func() {
|
|
|
|
groupCnt := make(map[string]int)
|
2022-12-29 14:58:25 +01:00
|
|
|
err := Bus().Subscribe(BlockingCacheGroupChanged, func(listType lists.ListCacheType, group string, cnt int) {
|
2021-01-19 21:52:24 +01:00
|
|
|
groupCnt[group] = cnt
|
|
|
|
})
|
|
|
|
Expect(err).Should(Succeed())
|
|
|
|
|
|
|
|
// recreate to trigger a reload
|
2023-10-07 22:21:40 +02:00
|
|
|
sut, err = NewBlockingResolver(ctx, sutConfig, nil, systemResolverBootstrap)
|
2022-05-06 22:34:08 +02:00
|
|
|
Expect(err).Should(Succeed())
|
2021-01-19 21:52:24 +01:00
|
|
|
|
2021-12-22 22:20:39 +01:00
|
|
|
Eventually(groupCnt, "1s").Should(HaveLen(2))
|
2021-01-19 21:52:24 +01:00
|
|
|
})
|
|
|
|
})
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
|
2022-02-14 21:38:26 +01:00
|
|
|
Describe("Blocking with full-qualified client name", func() {
|
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2022-02-14 21:38:26 +01:00
|
|
|
BlockType: "ZEROIP",
|
|
|
|
BlockTTL: config.Duration(time.Minute),
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{
|
2023-04-17 18:21:56 +02:00
|
|
|
"gr1": config.NewBytesSources(group1File.Path),
|
|
|
|
"gr2": config.NewBytesSources(group2File.Path),
|
2022-02-14 21:38:26 +01:00
|
|
|
},
|
|
|
|
ClientGroupsBlock: map[string][]string{
|
|
|
|
"default": {"gr1"},
|
|
|
|
"full.qualified.com": {"gr2"},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
When("Full-qualified group name is used", func() {
|
2022-05-06 22:34:08 +02:00
|
|
|
It("should block request", func() {
|
2023-01-21 20:13:54 +01:00
|
|
|
m.AnswerFn = func(t dns.Type, qName string) (*dns.Msg, error) {
|
|
|
|
if t == dns.Type(dns.TypeA) && qName == "full.qualified.com." {
|
|
|
|
return util.NewMsgWithAnswer(qName, 60*60, A, "192.168.178.39")
|
2022-02-14 21:38:26 +01:00
|
|
|
}
|
2022-05-10 09:09:50 +02:00
|
|
|
|
2023-01-21 20:13:54 +01:00
|
|
|
return nil, nil //nolint:nilnil
|
2022-03-17 22:30:21 +01:00
|
|
|
}
|
2022-02-14 21:38:26 +01:00
|
|
|
Bus().Publish(ApplicationStarted, "")
|
|
|
|
Eventually(func(g Gomega) {
|
2023-11-19 21:47:50 +01:00
|
|
|
g.Expect(sut.Resolve(ctx, newRequestWithClient("blocked2.com.", A, "192.168.178.39", "client1"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(And(
|
|
|
|
BeDNSRecord("blocked2.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 60)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2022-09-23 23:42:18 +02:00
|
|
|
}, "10s", "1s").Should(Succeed())
|
2022-02-14 21:38:26 +01:00
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2023-12-03 23:47:18 +01:00
|
|
|
Describe("Blocking with fast init strategy", func() {
|
2022-12-17 23:06:58 +01:00
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2022-12-17 23:06:58 +01:00
|
|
|
BlockType: "ZEROIP",
|
|
|
|
BlockTTL: config.Duration(time.Minute),
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{
|
2023-04-17 18:21:56 +02:00
|
|
|
"gr1": {config.TextBytesSource("/regex/")},
|
2022-12-17 23:06:58 +01:00
|
|
|
},
|
|
|
|
ClientGroupsBlock: map[string][]string{
|
|
|
|
"default": {"gr1"},
|
|
|
|
},
|
2023-12-20 21:38:33 +01:00
|
|
|
Loading: config.SourceLoading{
|
2023-12-03 23:47:18 +01:00
|
|
|
Init: config.Init{Strategy: config.InitStrategyFast},
|
2023-12-03 23:46:59 +01:00
|
|
|
},
|
2022-12-17 23:06:58 +01:00
|
|
|
}
|
|
|
|
})
|
|
|
|
|
2024-04-08 19:09:51 +02:00
|
|
|
When("Domain is on the denylist", func() {
|
2022-12-17 23:06:58 +01:00
|
|
|
It("should block request", func() {
|
2022-12-29 14:58:25 +01:00
|
|
|
Eventually(sut.Resolve).
|
2023-11-19 21:47:50 +01:00
|
|
|
WithContext(ctx).
|
2022-12-29 14:58:25 +01:00
|
|
|
WithArguments(newRequestWithClient("regex.com.", dns.Type(dns.TypeA), "1.2.1.2", "client1")).
|
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("regex.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 60)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2022-12-17 23:06:58 +01:00
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2020-05-04 22:20:13 +02:00
|
|
|
Describe("Blocking requests", func() {
|
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2021-11-05 23:00:54 +01:00
|
|
|
BlockTTL: config.Duration(6 * time.Hour),
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{
|
2023-04-17 18:21:56 +02:00
|
|
|
"gr1": config.NewBytesSources(group1File.Path),
|
|
|
|
"gr2": config.NewBytesSources(group2File.Path),
|
|
|
|
"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
|
2020-05-04 22:20:13 +02:00
|
|
|
},
|
|
|
|
ClientGroupsBlock: map[string][]string{
|
2023-03-07 14:23:02 +01:00
|
|
|
"Client1": {"gr1"},
|
2021-11-14 21:28:52 +01:00
|
|
|
"client2,client3": {"gr1"},
|
|
|
|
"client3": {"gr2"},
|
|
|
|
"192.168.178.55": {"gr1"},
|
|
|
|
"altName": {"gr2"},
|
|
|
|
"10.43.8.67/28": {"gr1"},
|
|
|
|
"wildcard[0-9]*": {"gr1"},
|
|
|
|
"default": {"defaultGroup"},
|
2020-05-04 22:20:13 +02:00
|
|
|
},
|
|
|
|
BlockType: "ZeroIP",
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
When("client name is defined in client groups block", func() {
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block the A query if domain is on the denylist (single)", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "client1"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (gr1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block the A query if domain is on the denylist (multipart 1)", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "client2"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (gr1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-11-14 21:28:52 +01:00
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block the A query if domain is on the denylist (multipart 2)", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "client3"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (gr1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-11-14 21:28:52 +01:00
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block the A query if domain is on the denylist (merged)", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked2.com.", A, "1.2.1.2", "client3"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked2.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (gr2)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-11-14 21:28:52 +01:00
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block the AAAA query if domain is on the denylist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", AAAA, "1.2.1.2", "client1"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", AAAA, "::"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (gr1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block the HTTPS query if domain is on the denylist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", HTTPS, "1.2.1.2", "client1"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(HaveReturnCode(dns.RcodeNameError))
|
2021-03-26 22:29:35 +01:00
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block the MX query if domain is on the denylist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", MX, "1.2.1.2", "client1"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(HaveReturnCode(dns.RcodeNameError))
|
2021-03-26 22:29:35 +01:00
|
|
|
})
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
When("Client ip is defined in client groups block", func() {
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block the query if domain is on the denylist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "192.168.178.55", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (gr1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
2020-08-24 21:47:28 +02:00
|
|
|
When("Client CIDR (10.43.8.64 - 10.43.8.79) is defined in client groups block", func() {
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should not block the query for 10.43.8.63 if domain is on the denylist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.63", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-08-24 21:47:28 +02:00
|
|
|
|
|
|
|
// was delegated to next resolver
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should not block the query for 10.43.8.80 if domain is on the denylist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.80", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-08-24 21:47:28 +02:00
|
|
|
|
|
|
|
// was delegated to next resolver
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
When("Client CIDR (10.43.8.64 - 10.43.8.79) is defined in client groups block", func() {
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block the query for 10.43.8.64 if domain is on the denylist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.64", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (gr1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-08-24 21:47:28 +02:00
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block the query for 10.43.8.79 if domain is on the denylist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.79", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (gr1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-08-24 21:47:28 +02:00
|
|
|
})
|
|
|
|
})
|
2020-05-04 22:20:13 +02:00
|
|
|
|
|
|
|
When("Client has multiple names and for each name a client group block definition exists", func() {
|
|
|
|
It("should block query if domain is in one group", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "client1", "altname"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (gr1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
It("should block query if domain is in another group too", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked2.com.", A, "1.2.1.2", "client1", "altName"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked2.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (gr2)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
2020-08-24 22:15:31 +02:00
|
|
|
When("Client name matches wildcard", func() {
|
|
|
|
It("should block query if domain is in one group", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "wildcard1name"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (gr1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-08-24 22:15:31 +02:00
|
|
|
})
|
|
|
|
})
|
2020-05-04 22:20:13 +02:00
|
|
|
|
|
|
|
When("Default group is defined", func() {
|
|
|
|
It("should block domains from default group for each client", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
When("BlockType is NxDomain", func() {
|
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2021-11-05 23:00:54 +01:00
|
|
|
BlockTTL: config.Duration(time.Minute),
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{
|
2023-04-17 18:21:56 +02:00
|
|
|
"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
|
2020-05-04 22:20:13 +02:00
|
|
|
},
|
|
|
|
ClientGroupsBlock: map[string][]string{
|
|
|
|
"default": {"defaultGroup"},
|
|
|
|
},
|
|
|
|
BlockType: "NxDomain",
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
It("should return NXDOMAIN if query is blocked", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeNameError),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-09-12 21:17:32 +02:00
|
|
|
When("BlockTTL is set", func() {
|
2021-09-04 23:10:32 +02:00
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2021-11-05 23:00:54 +01:00
|
|
|
BlockType: "ZEROIP",
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{
|
2023-04-17 18:21:56 +02:00
|
|
|
"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
|
2021-09-04 23:10:32 +02:00
|
|
|
},
|
|
|
|
ClientGroupsBlock: map[string][]string{
|
|
|
|
"default": {"defaultGroup"},
|
|
|
|
},
|
2021-09-12 21:17:32 +02:00
|
|
|
BlockTTL: config.Duration(time.Second * 1234),
|
2021-09-04 23:10:32 +02:00
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
It("should return answer with specified TTL", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 1234)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
))
|
2021-09-04 23:10:32 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
When("BlockType is custom IP", func() {
|
|
|
|
BeforeEach(func() {
|
|
|
|
sutConfig.BlockType = "12.12.12.12"
|
|
|
|
})
|
|
|
|
|
|
|
|
It("should return custom IP with specified TTL", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", A, "12.12.12.12"),
|
|
|
|
HaveTTL(BeNumerically("==", 1234)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
))
|
2021-09-04 23:10:32 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2020-05-16 21:47:32 +02:00
|
|
|
When("BlockType is custom IP", func() {
|
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2021-11-05 23:00:54 +01:00
|
|
|
BlockTTL: config.Duration(6 * time.Hour),
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{
|
2023-04-17 18:21:56 +02:00
|
|
|
"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
|
2020-05-16 21:47:32 +02:00
|
|
|
},
|
|
|
|
ClientGroupsBlock: map[string][]string{
|
|
|
|
"default": {"defaultGroup"},
|
|
|
|
},
|
|
|
|
BlockType: "12.12.12.12, 2001:0db8:85a3:0000:0000:8a2e:0370:7334",
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
It("should return ipv4 address for A query if query is blocked", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", A, "12.12.12.12"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
))
|
2020-05-16 21:47:32 +02:00
|
|
|
})
|
|
|
|
|
2021-03-26 22:29:35 +01:00
|
|
|
It("should return ipv6 address for AAAA query if query is blocked", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", AAAA, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", AAAA, "2001:db8:85a3::8a2e:370:7334"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
))
|
2020-05-16 21:47:32 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
When("BlockType is custom IP only for ipv4", func() {
|
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{
|
2023-04-17 18:21:56 +02:00
|
|
|
"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
|
2020-05-16 21:47:32 +02:00
|
|
|
},
|
|
|
|
ClientGroupsBlock: map[string][]string{
|
|
|
|
"default": {"defaultGroup"},
|
|
|
|
},
|
|
|
|
BlockType: "12.12.12.12",
|
2021-11-05 23:00:54 +01:00
|
|
|
BlockTTL: config.Duration(6 * time.Hour),
|
2020-05-16 21:47:32 +02:00
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
It("should use fallback for ipv6 and return zero ip", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", AAAA, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", AAAA, "::"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
))
|
2020-05-16 21:47:32 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2024-04-08 19:09:51 +02:00
|
|
|
When("Denylist contains IP", func() {
|
2020-05-04 22:20:13 +02:00
|
|
|
When("IP4", func() {
|
|
|
|
BeforeEach(func() {
|
|
|
|
// return defined IP as response
|
2022-12-29 14:58:25 +01:00
|
|
|
mockAnswer, _ = util.NewMsgWithAnswer("example.com.", 300, A, "123.145.123.145")
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block query, if lookup result contains denylisted IP", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("example.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
HaveReason("BLOCKED IP (defaultGroup)"),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
When("IP6", func() {
|
|
|
|
BeforeEach(func() {
|
|
|
|
// return defined IP as response
|
2022-04-22 22:12:35 +02:00
|
|
|
mockAnswer, _ = util.NewMsgWithAnswer(
|
|
|
|
"example.com.", 300,
|
2022-12-29 14:58:25 +01:00
|
|
|
AAAA, "2001:0db8:85a3:08d3::0370:7344",
|
2022-04-22 22:12:35 +02:00
|
|
|
)
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block query, if lookup result contains denylisted IP", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", AAAA, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("example.com.", AAAA, "::"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
HaveReason("BLOCKED IP (defaultGroup)"),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2024-04-08 19:09:51 +02:00
|
|
|
When("denylist contains domain which is CNAME in response", func() {
|
2020-05-04 22:20:13 +02:00
|
|
|
BeforeEach(func() {
|
|
|
|
// reconfigure mock, to return CNAMEs
|
|
|
|
rr1, _ := dns.NewRR("example.com 300 IN CNAME domain.com")
|
|
|
|
rr2, _ := dns.NewRR("domain.com 300 IN CNAME badcnamedomain.com")
|
|
|
|
rr3, _ := dns.NewRR("badcnamedomain.com 300 IN A 125.125.125.125")
|
|
|
|
mockAnswer = new(dns.Msg)
|
|
|
|
mockAnswer.Answer = []dns.RR{rr1, rr2, rr3}
|
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block the query, if response contains a CNAME with domain on a denylist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("example.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 21600)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
HaveReason("BLOCKED CNAME (defaultGroup)"),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2024-04-08 19:09:51 +02:00
|
|
|
Describe("Allowlisting", func() {
|
|
|
|
When("Requested domain is on black and allowlist", func() {
|
2020-05-04 22:20:13 +02:00
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2021-11-05 23:00:54 +01:00
|
|
|
BlockType: "ZEROIP",
|
|
|
|
BlockTTL: config.Duration(time.Minute),
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
|
|
|
|
Allowlists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
|
2020-05-04 22:20:13 +02:00
|
|
|
ClientGroupsBlock: map[string][]string{
|
|
|
|
"default": {"gr1"},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
})
|
|
|
|
It("Should not be blocked", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
|
|
|
|
// was delegated to next resolver
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2024-04-08 19:09:51 +02:00
|
|
|
When("Only allowlist is defined", func() {
|
2020-05-04 22:20:13 +02:00
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2021-11-05 23:00:54 +01:00
|
|
|
BlockType: "zeroIP",
|
|
|
|
BlockTTL: config.Duration(60 * time.Second),
|
2024-04-08 19:09:51 +02:00
|
|
|
Allowlists: map[string][]config.BytesSource{
|
2023-04-17 18:21:56 +02:00
|
|
|
"gr1": config.NewBytesSources(group1File.Path),
|
|
|
|
"gr2": config.NewBytesSources(group2File.Path),
|
2021-05-05 22:07:14 +02:00
|
|
|
},
|
2020-05-04 22:20:13 +02:00
|
|
|
ClientGroupsBlock: map[string][]string{
|
2021-05-05 22:07:14 +02:00
|
|
|
"default": {"gr1"},
|
|
|
|
"one-client": {"gr1"},
|
|
|
|
"two-client": {"gr2"},
|
|
|
|
"all-client": {"gr1", "gr2"},
|
2020-05-04 22:20:13 +02:00
|
|
|
},
|
|
|
|
}
|
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block everything else except domains on the allowlist with default group", func() {
|
|
|
|
By("querying domain on the allowlist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
|
|
|
|
// was delegated to next resolver
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
})
|
|
|
|
|
2024-04-08 19:09:51 +02:00
|
|
|
By("querying another domain, which is not on the allowlist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("google.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("google.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 60)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
2024-04-08 19:09:51 +02:00
|
|
|
HaveReason("BLOCKED (ALLOWLIST ONLY)"),
|
2022-12-29 14:58:25 +01:00
|
|
|
))
|
|
|
|
|
2020-05-04 22:20:13 +02:00
|
|
|
Expect(m.Calls).Should(HaveLen(1))
|
|
|
|
})
|
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block everything else except domains on the allowlist "+
|
|
|
|
"if multiple allowlist only groups are defined", func() {
|
|
|
|
By("querying domain on the allowlist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "one-client"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-05-05 22:07:14 +02:00
|
|
|
|
|
|
|
// was delegated to next resolver
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
})
|
|
|
|
|
2024-04-08 19:09:51 +02:00
|
|
|
By("querying another domain, which is not on the allowlist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked2.com.", A, "1.2.1.2", "one-client"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked2.com.", A, "0.0.0.0"),
|
|
|
|
HaveTTL(BeNumerically("==", 60)),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
2024-04-08 19:09:51 +02:00
|
|
|
HaveReason("BLOCKED (ALLOWLIST ONLY)"),
|
2022-12-29 14:58:25 +01:00
|
|
|
))
|
2021-05-05 22:07:14 +02:00
|
|
|
Expect(m.Calls).Should(HaveLen(1))
|
|
|
|
})
|
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should block everything else except domains on the allowlist "+
|
|
|
|
"if multiple allowlist only groups are defined", func() {
|
|
|
|
By("querying domain on the allowlist group 1", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "all-client"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-05-05 22:07:14 +02:00
|
|
|
|
|
|
|
// was delegated to next resolver
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
})
|
|
|
|
|
2024-04-08 19:09:51 +02:00
|
|
|
By("querying another domain, which is in the allowlist group 1", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked2.com.", A, "1.2.1.2", "all-client"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-05-05 22:07:14 +02:00
|
|
|
Expect(m.Calls).Should(HaveLen(2))
|
|
|
|
})
|
|
|
|
})
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
|
2024-04-08 19:09:51 +02:00
|
|
|
When("IP address is on black and allowlist", func() {
|
2020-05-04 22:20:13 +02:00
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2021-11-05 23:00:54 +01:00
|
|
|
BlockType: "ZEROIP",
|
|
|
|
BlockTTL: config.Duration(time.Minute),
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
|
|
|
|
Allowlists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(defaultGroupFile.Path)},
|
2020-05-04 22:20:13 +02:00
|
|
|
ClientGroupsBlock: map[string][]string{
|
|
|
|
"default": {"gr1"},
|
|
|
|
},
|
|
|
|
}
|
2022-12-29 14:58:25 +01:00
|
|
|
mockAnswer, _ = util.NewMsgWithAnswer("example.com.", 300, A, "123.145.123.145")
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
It("should not block if DNS answer contains IP from the allowlist", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("example.com.", A, "123.145.123.145"),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
// was delegated to next resolver
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
Describe("Delegate request to next resolver", func() {
|
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2024-04-08 19:09:51 +02:00
|
|
|
BlockType: "ZEROIP",
|
|
|
|
BlockTTL: config.Duration(time.Minute),
|
|
|
|
Denylists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
|
2020-05-04 22:20:13 +02:00
|
|
|
ClientGroupsBlock: map[string][]string{
|
|
|
|
"default": {"gr1"},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
})
|
|
|
|
AfterEach(func() {
|
|
|
|
// was delegated to next resolver
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
})
|
2024-04-08 19:09:51 +02:00
|
|
|
When("domain is not on the denylist", func() {
|
2020-05-04 22:20:13 +02:00
|
|
|
It("should delegate to next resolver", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
When("no lists defined", func() {
|
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2021-11-05 23:00:54 +01:00
|
|
|
BlockType: "ZEROIP",
|
|
|
|
BlockTTL: config.Duration(time.Minute),
|
|
|
|
}
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
It("should delegate to next resolver", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
Describe("Control status via API", func() {
|
|
|
|
BeforeEach(func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{
|
2023-04-17 18:21:56 +02:00
|
|
|
"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
|
|
|
|
"group1": config.NewBytesSources(group1File.Path),
|
2020-05-04 22:20:13 +02:00
|
|
|
},
|
|
|
|
ClientGroupsBlock: map[string][]string{
|
2021-04-28 22:38:23 +02:00
|
|
|
"default": {"defaultGroup", "group1"},
|
2020-05-04 22:20:13 +02:00
|
|
|
},
|
|
|
|
BlockType: "ZeroIP",
|
|
|
|
}
|
|
|
|
})
|
|
|
|
When("Disable blocking is called", func() {
|
|
|
|
It("no query should be blocked", func() {
|
2021-04-28 22:38:23 +02:00
|
|
|
By("Perform query to ensure that the blocking status is active (defaultGroup)", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
|
2021-04-28 22:38:23 +02:00
|
|
|
By("Perform query to ensure that the blocking status is active (group1)", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (group1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-04-28 22:38:23 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
By("Calling Rest API to deactivate all groups", func() {
|
2023-11-27 18:08:31 +01:00
|
|
|
err := sut.DisableBlocking(context.TODO(), 0, []string{})
|
2021-04-28 22:38:23 +02:00
|
|
|
Expect(err).Should(Succeed())
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
|
2021-04-28 22:38:23 +02:00
|
|
|
By("perform the same query again (defaultGroup)", func() {
|
2020-05-04 22:20:13 +02:00
|
|
|
// now is blocking disabled, query the url again
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
m.AssertNumberOfCalls(GinkgoT(), "Resolve", 1)
|
|
|
|
})
|
|
|
|
|
2021-04-28 22:38:23 +02:00
|
|
|
By("perform the same query again (group1)", func() {
|
|
|
|
// now is blocking disabled, query the url again
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-04-28 22:38:23 +02:00
|
|
|
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
m.AssertNumberOfCalls(GinkgoT(), "Resolve", 2)
|
|
|
|
})
|
|
|
|
|
|
|
|
By("Calling Rest API to deactivate only defaultGroup", func() {
|
2023-11-27 18:08:31 +01:00
|
|
|
err := sut.DisableBlocking(context.TODO(), 0, []string{"defaultGroup"})
|
2021-04-28 22:38:23 +02:00
|
|
|
Expect(err).Should(Succeed())
|
|
|
|
})
|
|
|
|
|
|
|
|
By("perform the same query again (defaultGroup)", func() {
|
|
|
|
// now is blocking disabled, query the url again
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-04-28 22:38:23 +02:00
|
|
|
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
m.AssertNumberOfCalls(GinkgoT(), "Resolve", 3)
|
|
|
|
})
|
|
|
|
|
|
|
|
By("Perform query to ensure that the blocking status is active (group1)", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (group1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-04-28 22:38:23 +02:00
|
|
|
})
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-04-28 22:38:23 +02:00
|
|
|
When("Disable blocking for all groups is called with a duration parameter", func() {
|
2020-05-04 22:20:13 +02:00
|
|
|
It("No query should be blocked only for passed amount of time", func() {
|
2021-04-28 22:38:23 +02:00
|
|
|
By("Perform query to ensure that the blocking status is active (defaultGroup)", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
2021-04-28 22:38:23 +02:00
|
|
|
By("Perform query to ensure that the blocking status is active (group1)", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (group1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-04-28 22:38:23 +02:00
|
|
|
})
|
2020-05-04 22:20:13 +02:00
|
|
|
|
|
|
|
By("Calling Rest API to deactivate blocking for 0.5 sec", func() {
|
2022-12-29 14:58:25 +01:00
|
|
|
enabled := make(chan bool, 1)
|
2021-01-19 21:52:24 +01:00
|
|
|
err := Bus().SubscribeOnce(BlockingEnabledEvent, func(state bool) {
|
2022-12-29 14:58:25 +01:00
|
|
|
enabled <- state
|
2021-01-19 21:52:24 +01:00
|
|
|
})
|
2021-04-28 22:38:23 +02:00
|
|
|
Expect(err).Should(Succeed())
|
2023-11-27 18:08:31 +01:00
|
|
|
err = sut.DisableBlocking(context.TODO(), 500*time.Millisecond, []string{})
|
2021-04-28 22:38:23 +02:00
|
|
|
Expect(err).Should(Succeed())
|
2022-12-29 14:58:25 +01:00
|
|
|
Eventually(enabled, "1s").Should(Receive(BeFalse()))
|
2021-04-28 22:38:23 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
By("perform the same query again to ensure that this query will not be blocked (defaultGroup)", func() {
|
|
|
|
// now is blocking disabled, query the url again
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-04-28 22:38:23 +02:00
|
|
|
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
m.AssertNumberOfCalls(GinkgoT(), "Resolve", 1)
|
|
|
|
})
|
|
|
|
By("perform the same query again to ensure that this query will not be blocked (group1)", func() {
|
|
|
|
// now is blocking disabled, query the url again
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-04-28 22:38:23 +02:00
|
|
|
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
m.AssertNumberOfCalls(GinkgoT(), "Resolve", 2)
|
|
|
|
})
|
|
|
|
|
|
|
|
By("Wait 1 sec and perform the same query again, should be blocked now", func() {
|
2022-05-06 22:34:08 +02:00
|
|
|
enabled := make(chan bool, 1)
|
2021-04-28 22:38:23 +02:00
|
|
|
_ = Bus().SubscribeOnce(BlockingEnabledEvent, func(state bool) {
|
2022-05-06 22:34:08 +02:00
|
|
|
enabled <- state
|
2021-04-28 22:38:23 +02:00
|
|
|
})
|
|
|
|
// wait 1 sec
|
2022-05-06 22:34:08 +02:00
|
|
|
Eventually(enabled, "1s").Should(Receive(BeTrue()))
|
2021-04-28 22:38:23 +02:00
|
|
|
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
|
|
|
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (group1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-04-28 22:38:23 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
When("Disable blocking for one group is called with a duration parameter", func() {
|
|
|
|
It("No query should be blocked only for passed amount of time", func() {
|
|
|
|
By("Perform query to ensure that the blocking status is active (defaultGroup)", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-04-28 22:38:23 +02:00
|
|
|
})
|
|
|
|
By("Perform query to ensure that the blocking status is active (group1)", func() {
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (group1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-04-28 22:38:23 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
By("Calling Rest API to deactivate blocking for one group for 0.5 sec", func() {
|
2022-05-06 22:34:08 +02:00
|
|
|
enabled := make(chan bool, 1)
|
2021-04-28 22:38:23 +02:00
|
|
|
err := Bus().SubscribeOnce(BlockingEnabledEvent, func(state bool) {
|
2022-05-06 22:34:08 +02:00
|
|
|
enabled <- false
|
2021-04-28 22:38:23 +02:00
|
|
|
})
|
|
|
|
Expect(err).Should(Succeed())
|
2023-11-27 18:08:31 +01:00
|
|
|
err = sut.DisableBlocking(context.TODO(), 500*time.Millisecond, []string{"group1"})
|
2021-01-19 21:52:24 +01:00
|
|
|
Expect(err).Should(Succeed())
|
2022-05-06 22:34:08 +02:00
|
|
|
Eventually(enabled, "1s").Should(Receive(BeFalse()))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
|
2021-04-28 22:38:23 +02:00
|
|
|
By("perform the same query again to ensure that this query will not be blocked (defaultGroup)", func() {
|
2020-05-04 22:20:13 +02:00
|
|
|
// now is blocking disabled, query the url again
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2021-04-28 22:38:23 +02:00
|
|
|
})
|
|
|
|
By("perform the same query again to ensure that this query will not be blocked (group1)", func() {
|
|
|
|
// now is blocking disabled, query the url again
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
HaveNoAnswer(),
|
|
|
|
HaveResponseType(ResponseTypeRESOLVED),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
|
|
|
|
m.AssertExpectations(GinkgoT())
|
|
|
|
m.AssertNumberOfCalls(GinkgoT(), "Resolve", 1)
|
|
|
|
})
|
|
|
|
|
|
|
|
By("Wait 1 sec and perform the same query again, should be blocked now", func() {
|
2022-05-06 22:34:08 +02:00
|
|
|
enabled := make(chan bool, 1)
|
2021-01-19 21:52:24 +01:00
|
|
|
_ = Bus().SubscribeOnce(BlockingEnabledEvent, func(state bool) {
|
2022-05-06 22:34:08 +02:00
|
|
|
enabled <- state
|
2021-01-19 21:52:24 +01:00
|
|
|
})
|
2020-05-04 22:20:13 +02:00
|
|
|
// wait 1 sec
|
2022-05-06 22:34:08 +02:00
|
|
|
Eventually(enabled, "1s").Should(Receive(BeTrue()))
|
2020-05-04 22:20:13 +02:00
|
|
|
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("blocked3.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("blocked3.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (defaultGroup)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
|
|
|
|
2023-11-19 21:47:50 +01:00
|
|
|
Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
|
2022-12-29 14:58:25 +01:00
|
|
|
Should(
|
|
|
|
SatisfyAll(
|
|
|
|
BeDNSRecord("domain1.com.", A, "0.0.0.0"),
|
|
|
|
HaveResponseType(ResponseTypeBLOCKED),
|
|
|
|
HaveReason("BLOCKED (group1)"),
|
|
|
|
HaveReturnCode(dns.RcodeSuccess),
|
|
|
|
))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-04-28 22:38:23 +02:00
|
|
|
When("Disable blocking is called with wrong group name", func() {
|
|
|
|
It("should fail", func() {
|
2023-11-27 18:08:31 +01:00
|
|
|
err := sut.DisableBlocking(context.TODO(), 500*time.Millisecond, []string{"unknownGroupName"})
|
2021-04-28 22:38:23 +02:00
|
|
|
Expect(err).Should(HaveOccurred())
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2020-05-04 22:20:13 +02:00
|
|
|
When("Blocking status is called", func() {
|
|
|
|
It("should return correct status", func() {
|
|
|
|
By("enable blocking via API", func() {
|
2023-11-27 18:08:31 +01:00
|
|
|
sut.EnableBlocking(context.TODO())
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
By("Query blocking status via API should return 'enabled'", func() {
|
2021-02-04 21:59:41 +01:00
|
|
|
result := sut.BlockingStatus()
|
2020-05-04 22:20:13 +02:00
|
|
|
Expect(result.Enabled).Should(BeTrue())
|
|
|
|
})
|
|
|
|
|
|
|
|
By("disable blocking via API", func() {
|
2023-11-27 18:08:31 +01:00
|
|
|
err := sut.DisableBlocking(context.TODO(), 500*time.Millisecond, []string{})
|
2021-04-28 22:38:23 +02:00
|
|
|
Expect(err).Should(Succeed())
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
By("Query blocking status via API again should return 'disabled'", func() {
|
2021-02-04 21:59:41 +01:00
|
|
|
result := sut.BlockingStatus()
|
2020-05-04 22:20:13 +02:00
|
|
|
|
|
|
|
Expect(result.Enabled).Should(BeFalse())
|
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
Describe("Create resolver with wrong parameter", func() {
|
|
|
|
When("Wrong blockType is used", func() {
|
2022-05-06 22:34:08 +02:00
|
|
|
It("should return error", func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
_, err := NewBlockingResolver(ctx, config.Blocking{
|
2020-05-04 22:20:13 +02:00
|
|
|
BlockType: "wrong",
|
2022-11-29 18:55:12 +01:00
|
|
|
}, nil, systemResolverBootstrap)
|
2020-05-04 22:20:13 +02:00
|
|
|
|
2022-05-06 22:34:08 +02:00
|
|
|
Expect(err).Should(
|
|
|
|
MatchError("unknown blockType 'wrong', please use one of: ZeroIP, NxDomain or specify destination IP address(es)"))
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
|
|
|
})
|
2023-04-17 18:21:56 +02:00
|
|
|
When("strategy is failOnError", func() {
|
2021-10-14 21:53:20 +02:00
|
|
|
It("should fail if lists can't be downloaded", func() {
|
2023-11-21 22:27:51 +01:00
|
|
|
_, err := NewBlockingResolver(ctx, config.Blocking{
|
2024-04-08 19:09:51 +02:00
|
|
|
Denylists: map[string][]config.BytesSource{"gr1": config.NewBytesSources("wrongPath")},
|
|
|
|
Allowlists: map[string][]config.BytesSource{"allowlist": config.NewBytesSources("wrongPath")},
|
2023-12-20 21:38:33 +01:00
|
|
|
Loading: config.SourceLoading{
|
2023-12-03 23:47:18 +01:00
|
|
|
Init: config.Init{Strategy: config.InitStrategyFailOnError},
|
2023-12-03 23:46:59 +01:00
|
|
|
},
|
|
|
|
BlockType: "zeroIp",
|
2022-11-29 18:55:12 +01:00
|
|
|
}, nil, systemResolverBootstrap)
|
2021-10-14 21:53:20 +02:00
|
|
|
Expect(err).Should(HaveOccurred())
|
|
|
|
})
|
|
|
|
})
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|
2020-08-24 21:47:28 +02:00
|
|
|
|
2022-01-19 22:03:41 +01:00
|
|
|
Describe("Redis is configured", func() {
|
2022-04-26 10:43:23 +02:00
|
|
|
var redisServer *miniredis.Miniredis
|
|
|
|
var redisClient *redis.Client
|
2022-12-29 14:58:25 +01:00
|
|
|
var err error
|
2022-04-26 10:43:23 +02:00
|
|
|
JustBeforeEach(func() {
|
2022-01-19 22:03:41 +01:00
|
|
|
redisServer, err = miniredis.Run()
|
|
|
|
|
|
|
|
Expect(err).Should(Succeed())
|
|
|
|
|
2023-11-27 18:08:31 +01:00
|
|
|
var rcfg config.Redis
|
2022-01-19 22:03:41 +01:00
|
|
|
err = defaults.Set(&rcfg)
|
|
|
|
|
|
|
|
Expect(err).Should(Succeed())
|
|
|
|
rcfg.Address = redisServer.Addr()
|
2023-11-27 18:08:31 +01:00
|
|
|
redisClient, err = redis.New(context.TODO(), &rcfg)
|
2022-01-19 22:03:41 +01:00
|
|
|
|
|
|
|
Expect(err).Should(Succeed())
|
|
|
|
Expect(redisClient).ShouldNot(BeNil())
|
2023-11-21 22:27:51 +01:00
|
|
|
sutConfig = config.Blocking{
|
2022-01-19 22:03:41 +01:00
|
|
|
BlockType: "ZEROIP",
|
|
|
|
BlockTTL: config.Duration(time.Minute),
|
|
|
|
}
|
|
|
|
|
2023-10-07 22:21:40 +02:00
|
|
|
sut, err = NewBlockingResolver(ctx, sutConfig, redisClient, systemResolverBootstrap)
|
2022-12-29 14:58:25 +01:00
|
|
|
Expect(err).Should(Succeed())
|
2022-04-26 10:43:23 +02:00
|
|
|
})
|
|
|
|
JustAfterEach(func() {
|
2022-01-19 22:03:41 +01:00
|
|
|
redisServer.Close()
|
|
|
|
})
|
|
|
|
When("disable", func() {
|
2022-04-26 10:43:23 +02:00
|
|
|
It("should return disable", func() {
|
2023-11-27 18:08:31 +01:00
|
|
|
sut.EnableBlocking(context.TODO())
|
2022-01-19 22:03:41 +01:00
|
|
|
|
2022-04-26 10:43:23 +02:00
|
|
|
redisMockMsg := &redis.EnabledMessage{
|
|
|
|
State: false,
|
|
|
|
}
|
|
|
|
redisClient.EnabledChannel <- redisMockMsg
|
2022-01-19 22:03:41 +01:00
|
|
|
|
2022-04-26 10:43:23 +02:00
|
|
|
Eventually(func() bool {
|
2022-05-06 22:34:08 +02:00
|
|
|
return sut.BlockingStatus().Enabled
|
2022-04-26 10:43:23 +02:00
|
|
|
}, "5s").Should(BeFalse())
|
|
|
|
})
|
|
|
|
})
|
|
|
|
When("disable", func() {
|
|
|
|
It("should return disable", func() {
|
2023-11-27 18:08:31 +01:00
|
|
|
sut.EnableBlocking(context.TODO())
|
2022-04-26 10:43:23 +02:00
|
|
|
redisMockMsg := &redis.EnabledMessage{
|
|
|
|
State: false,
|
|
|
|
Groups: []string{"unknown"},
|
|
|
|
}
|
|
|
|
redisClient.EnabledChannel <- redisMockMsg
|
2022-01-19 22:03:41 +01:00
|
|
|
|
2022-04-26 10:43:23 +02:00
|
|
|
Eventually(func() bool {
|
2022-05-06 22:34:08 +02:00
|
|
|
return sut.BlockingStatus().Enabled
|
2022-04-26 10:43:23 +02:00
|
|
|
}, "5s").Should(BeTrue())
|
|
|
|
})
|
2022-01-19 22:03:41 +01:00
|
|
|
})
|
|
|
|
When("enable", func() {
|
2022-04-26 10:43:23 +02:00
|
|
|
It("should return enable", func() {
|
2023-11-27 18:08:31 +01:00
|
|
|
err = sut.DisableBlocking(context.TODO(), time.Hour, []string{})
|
2022-04-26 10:43:23 +02:00
|
|
|
Expect(err).Should(Succeed())
|
2022-01-19 22:03:41 +01:00
|
|
|
|
2022-04-26 10:43:23 +02:00
|
|
|
redisMockMsg := &redis.EnabledMessage{
|
|
|
|
State: true,
|
|
|
|
}
|
|
|
|
redisClient.EnabledChannel <- redisMockMsg
|
2022-01-19 22:03:41 +01:00
|
|
|
|
2022-04-26 10:43:23 +02:00
|
|
|
Eventually(func() bool {
|
2022-05-06 22:34:08 +02:00
|
|
|
return sut.BlockingStatus().Enabled
|
2022-04-26 10:43:23 +02:00
|
|
|
}, "5s").Should(BeTrue())
|
|
|
|
})
|
2022-01-19 22:03:41 +01:00
|
|
|
})
|
|
|
|
})
|
2020-05-04 22:20:13 +02:00
|
|
|
})
|