#!/usr/bin/env perl
use strict;
use warnings;
use FindBin qw($Bin);
use File::Spec;
use File::Temp qw(tempdir);
use Test::More;
use lib "$Bin/../lib";
use TestBootstrap ();
require ConfigServer::Sanity;
{
    # Stand-in for the object ConfigServer::Config::loadconfig() normally
    # returns: it wraps a hashref and hands the contents back as a flat hash
    # from config(), which is the only accessor the tests below rely on.
    package Local::SanityConfig;

    sub new {
        my ($class, $config) = @_;
        my $self = { config => $config };
        return bless $self, $class;
    }

    # Returns the stored settings as a key/value list (a copy, not the ref).
    sub config {
        my $self = shift;
        my %settings = %{ $self->{config} };
        return %settings;
    }
}
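# Write a sanity rule file into a fresh temp dir (removed at exit) and return
# ($dir, $path).  With no argument the default four-rule fixture is written;
# a caller may pass its own rule text instead.  Dies if the file cannot be
# created, written or flushed, so a broken fixture fails loudly instead of
# feeding sanity() a truncated rule set.
sub write_test_sanity_file {
    my ($content) = @_;
    if (!defined $content) {
        $content = <<'EOF';
AT_INTERVAL=10-3600=60
DROP=DROP|TARPIT|REJECT=DROP
CT_LIMIT=0|10-1000=0
DENY_IP_LIMIT=10-1000=200
EOF
    }
    my $dir  = tempdir(CLEANUP => 1);
    my $path = File::Spec->catfile($dir, 'sanity.txt');
    open(my $fh, '>', $path) or die "Unable to create test sanity file $path: $!";
    print {$fh} $content or die "Unable to write test sanity file $path: $!";
    # Buffered write errors only surface at close; the original unchecked
    # close could silently leave a short file behind.
    close($fh) or die "Unable to close test sanity file $path: $!";
    return ($dir, $path);
}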
# Wipe the module's lazily populated caches and clear the loaded flag so the
# next sanity() call re-reads whatever $sanityfile points at.
sub reset_sanity_state {
    undef %ConfigServer::Sanity::sanity;
    undef %ConfigServer::Sanity::sanitydefault;
    $ConfigServer::Sanity::loaded = 0;
    return;
}
# Run $code with ConfigServer::Config::loadconfig replaced by a stub that
# returns a Local::SanityConfig wrapping $config.  The override is dynamically
# scoped: local restores the glob when $code returns, so nothing leaks into
# later subtests.  Returns whatever $code returns, in the caller's context.
sub with_mock_config {
    my ($config, $code) = @_;
    my $fake_loader = sub { return Local::SanityConfig->new($config) };
    no warnings qw(redefine once);
    local *ConfigServer::Config::loadconfig = $fake_loader;
    return $code->();
}
subtest 'sanity data is loaded lazily on first use' => sub {
    # Nothing may be read from disk before the first real lookup: both caches
    # start empty and the loaded flag is clear until sanity() is called.
    reset_sanity_state();
    my (undef, $rules_path) = write_test_sanity_file();
    local $ConfigServer::Sanity::sanityfile = $rules_path;
    with_mock_config({ IPSET => 0 }, sub {
        is($ConfigServer::Sanity::loaded, 0, 'sanity rules are not loaded at import time');
        is(scalar keys %ConfigServer::Sanity::sanity, 0, 'sanity hash is empty before first call');
        is(scalar keys %ConfigServer::Sanity::sanitydefault, 0, 'default hash is empty before first call');
        my ($is_insane, $shown_range, $shown_default) = ConfigServer::Sanity::sanity('AT_INTERVAL', '60');
        is($is_insane, 0, 'first call validates successfully');
        is($shown_range, '10-3600', 'range comes from the loaded sanity file');
        is($shown_default, '60', 'default comes from the loaded sanity file');
        is($ConfigServer::Sanity::loaded, 1, 'first call loads sanity rules');
    });
};
subtest 'range, discrete, and mixed rules are validated correctly' => sub {
    reset_sanity_state();
    my (undef, $rules_path) = write_test_sanity_file();
    local $ConfigServer::Sanity::sanityfile = $rules_path;
    # One entry per lookup: the key/value to check, the expected insane flag
    # with its description, and optionally the expected display range and
    # default with theirs.  Cases without 'range' only assert the flag.
    my @cases = (
        {
            key => 'AT_INTERVAL', value => '10',
            insane => 0, insane_desc => 'range rule accepts the lower boundary',
            range => '10-3600', range_desc => 'range rule is reported as stored',
            default => '60', default_desc => 'range rule default is returned',
        },
        {
            key => 'AT_INTERVAL', value => '3601',
            insane => 1, insane_desc => 'range rule rejects values above the upper boundary',
        },
        {
            key => 'DROP', value => 'TARPIT',
            insane => 0, insane_desc => 'discrete rule accepts an allowed token',
            range => 'DROP or TARPIT or REJECT', range_desc => 'discrete rule is formatted for display',
            default => 'DROP', default_desc => 'discrete rule default is returned',
        },
        {
            key => 'DROP', value => 'QUEUE',
            insane => 1, insane_desc => 'discrete rule rejects an unsupported token',
        },
        {
            key => 'CT_LIMIT', value => '0',
            insane => 0, insane_desc => 'mixed rule accepts its exact zero value',
            range => '0 or 10-1000', range_desc => 'mixed rule keeps both exact and ranged choices',
            default => '0', default_desc => 'mixed rule default is returned',
        },
        {
            key => 'CT_LIMIT', value => '500',
            insane => 0, insane_desc => 'mixed rule accepts values in its numeric range',
        },
        {
            key => 'CT_LIMIT', value => '5',
            insane => 1, insane_desc => 'mixed rule rejects values outside every allowed branch',
        },
    );
    with_mock_config({ IPSET => 0 }, sub {
        for my $case (@cases) {
            my ($is_insane, $shown_range, $shown_default) =
                ConfigServer::Sanity::sanity($case->{key}, $case->{value});
            is($is_insane, $case->{insane}, $case->{insane_desc});
            next if !exists $case->{range};
            is($shown_range,   $case->{range},   $case->{range_desc});
            is($shown_default, $case->{default}, $case->{default_desc});
        }
    });
};
subtest 'undef values return early without loading sanity rules' => sub {
    # An undefined value short-circuits before the rule file is consulted, so
    # the lazy loader must not fire and the cache must stay empty.
    reset_sanity_state();
    my (undef, $rules_path) = write_test_sanity_file();
    local $ConfigServer::Sanity::sanityfile = $rules_path;
    with_mock_config({ IPSET => 0 }, sub {
        my @got = ConfigServer::Sanity::sanity('AT_INTERVAL', undef);
        is_deeply(\@got, [0], 'undef values return the early 0 result');
        is($ConfigServer::Sanity::loaded, 0, 'undef values do not trigger lazy loading');
        is(scalar keys %ConfigServer::Sanity::sanity, 0, 'undef values leave the sanity cache empty');
    });
};
subtest 'display formatting does not mutate cached rules' => sub {
    reset_sanity_state();
    my (undef, $rules_path) = write_test_sanity_file();
    local $ConfigServer::Sanity::sanityfile = $rules_path;
    # The cache must keep the raw '|' separators; only the returned display
    # string is rewritten into the human-readable "or" form.
    my $raw_rule   = 'DROP|TARPIT|REJECT';
    my $shown_rule = 'DROP or TARPIT or REJECT';
    with_mock_config({ IPSET => 0 }, sub {
        my ($first_insane, $first_range, $first_default) = ConfigServer::Sanity::sanity('DROP', 'TARPIT');
        is($first_insane, 0, 'first lookup validates an allowed token');
        is($first_range, $shown_rule, 'display output is formatted for humans');
        is($first_default, 'DROP', 'default value is preserved');
        is($ConfigServer::Sanity::sanity{DROP}, $raw_rule, 'cached rule keeps raw separators after formatting');
        my ($second_insane, $second_range) = ConfigServer::Sanity::sanity('DROP', 'REJECT');
        is($second_insane, 0, 'later lookups still validate against the cached rule');
        is($second_range, $shown_rule, 'later lookups still report the formatted display value');
        is($ConfigServer::Sanity::sanity{DROP}, $raw_rule, 'cached rule remains unchanged across calls');
    });
};
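subtest 'cached sanity data is reused after first load' => sub {
    # Once loaded, rules stay cached for the life of the process: pointing
    # $sanityfile at a second file afterwards must not change what sanity()
    # reports.  The second file deliberately disagrees with the first on
    # every key so a re-read would be visible.
    my (undef, $first_path) = write_test_sanity_file();
    my $second_dir  = tempdir(CLEANUP => 1);
    my $second_path = File::Spec->catfile($second_dir, 'sanity.txt');
    open(my $fh, '>', $second_path) or die "Unable to create second sanity file $second_path: $!";
    print {$fh} <<'EOF' or die "Unable to write second sanity file $second_path: $!";
AT_INTERVAL=100-200=150
DROP=DROP|REJECT=DROP
CT_LIMIT=1-5=2
DENY_IP_LIMIT=500-600=550
EOF
    # Buffered write errors only surface at close; an unchecked close could
    # leave a short second file and make the cache assertions vacuous.
    close($fh) or die "Unable to close second sanity file $second_path: $!";
    reset_sanity_state();
    with_mock_config({ IPSET => 0 }, sub {
        local $ConfigServer::Sanity::sanityfile = $first_path;
        my ($insane, $range, $default) = ConfigServer::Sanity::sanity('AT_INTERVAL', '60');
        is($insane, 0, 'first file is used for initial load');
        is($range, '10-3600', 'initial range is from the first file');
        is($default, '60', 'initial default is from the first file');
        # Re-localising the same global inside the same scope is allowed; the
        # outer local value is restored when this sub exits.
        local $ConfigServer::Sanity::sanityfile = $second_path;
        ($insane, $range, $default) = ConfigServer::Sanity::sanity('AT_INTERVAL', '60');
        is($insane, 0, 'cached data remains active after file path changes');
        is($range, '10-3600', 'cached range is unchanged after first load');
        is($default, '60', 'cached default is unchanged after first load');
    });
};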
subtest 'whitespace is ignored and unknown keys stay non-fatal' => sub {
    reset_sanity_state();
    my (undef, $rules_path) = write_test_sanity_file();
    local $ConfigServer::Sanity::sanityfile = $rules_path;
    with_mock_config({ IPSET => 0 }, sub {
        # Padded key and value must be trimmed before the lookup.
        my ($is_insane, $shown_range, $shown_default) = ConfigServer::Sanity::sanity(' DROP ', ' TARPIT ');
        is($is_insane, 0, 'leading and trailing whitespace is ignored');
        is($shown_range, 'DROP or TARPIT or REJECT', 'whitespace does not change the displayed rule');
        is($shown_default, 'DROP', 'whitespace does not change the default');
        # A key with no rule is reported as sane, with no range or default,
        # rather than dying.
        my ($unknown_insane, $unknown_range, $unknown_default) = ConfigServer::Sanity::sanity('UNKNOWN_ITEM', '999');
        is($unknown_insane, 0, 'unknown keys are treated as non-insane');
        is($unknown_range, undef, 'unknown keys have no reported range');
        is($unknown_default, undef, 'unknown keys have no reported default');
    });
};
subtest 'DENY_IP_LIMIT is skipped when IPSET is enabled' => sub {
    reset_sanity_state();
    my (undef, $rules_path) = write_test_sanity_file();
    local $ConfigServer::Sanity::sanityfile = $rules_path;
    # 5 is below the 10-1000 range in the fixture, so the only way this is
    # reported sane is if the IPSET=1 setting causes the key to be skipped.
    with_mock_config({ IPSET => 1 }, sub {
        my ($is_insane, $shown_range, $shown_default) = ConfigServer::Sanity::sanity('DENY_IP_LIMIT', '5');
        is($is_insane, 0, 'DENY_IP_LIMIT is not validated when IPSET is enabled');
        is($shown_range, undef, 'no range is reported when DENY_IP_LIMIT is skipped');
        is($shown_default, undef, 'no default is reported when DENY_IP_LIMIT is skipped');
    });
};
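subtest 'missing sanity file fails with a clear error' => sub {
    # Point the loader at a path that was never created.  The module must
    # die rather than silently accept config values it could not validate,
    # and the message must name the missing file.
    my $dir  = tempdir(CLEANUP => 1);
    my $path = File::Spec->catfile($dir, 'missing-sanity.txt');
    reset_sanity_state();
    local $ConfigServer::Sanity::sanityfile = $path;
    with_mock_config({ IPSET => 0 }, sub {
        my $ok = eval { ConfigServer::Sanity::sanity('AT_INTERVAL', '60'); 1 };
        # Copy $@ immediately: it is a global that any intervening call
        # (including the test functions below) may clobber.
        my $err = $@;
        ok(!$ok, 'sanity() dies when the sanity file is missing');
        like($err, qr/^Cannot open \Q$path\E:/, 'error message includes the missing file path');
    });
};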
# No fixed plan: the subtest count above is free to grow.
done_testing;