From 42ec875688a2884409b6f84790c48a4de2e6b893 Mon Sep 17 00:00:00 2001 From: Daniel Rocha <68558152+danroc@users.noreply.github.com> Date: Thu, 14 Nov 2024 22:51:59 +0100 Subject: [PATCH] feat: add `UpdateConfig` method to `rules.Engine` (#7) --- pkg/database/database.go | 2 +- pkg/rules/engine.go | 20 +++++++++---- pkg/rules/engine_test.go | 63 ++++++++++++++++++++++++++-------------- 3 files changed, 56 insertions(+), 29 deletions(-) diff --git a/pkg/database/database.go b/pkg/database/database.go index 4429b98..fb240c4 100644 --- a/pkg/database/database.go +++ b/pkg/database/database.go @@ -98,7 +98,7 @@ func (db *Database) Update(reader io.Reader) error { // Find returns the data associated with the entry that contains the given IP. // If the IP is not found, nil is returned. func (db *Database) Find(ip net.IP) []string { - // If the given IP address is invalid, we return nil to indidate that the + // If the given IP address is invalid, we return nil to indicate that the // IP cannot be found in the database. It is up to the caller to validate // the IP address before calling this method. if ip == nil { diff --git a/pkg/rules/engine.go b/pkg/rules/engine.go index a9c9e35..c029e09 100644 --- a/pkg/rules/engine.go +++ b/pkg/rules/engine.go @@ -4,6 +4,7 @@ package rules import ( "net" "strings" + "sync/atomic" "github.com/danroc/geoblock/pkg/schema" "github.com/danroc/geoblock/pkg/utils" @@ -12,15 +13,15 @@ import ( // Engine is the access control egine that checks if a given query is allowed // by the rules. type Engine struct { - config *schema.AccessControl + config atomic.Pointer[schema.AccessControl] } // NewEngine creates a new access control engine for the given access control // configuration. func NewEngine(config *schema.AccessControl) *Engine { - return &Engine{ - config: config, - } + e := &Engine{} + e.config.Store(config) + return e } // Query represents a query to be checked by the access control engine. @@ -84,14 +85,21 @@ func ruleApplies(rule *schema.AccessControlRule, query *Query) bool { return true } +// UpdateConfig updates the engine's configuration with the given access +// control configuration. +func (e *Engine) UpdateConfig(config *schema.AccessControl) { + e.config.Store(config) +} + // Authorize checks if the given query is allowed by the engine's rules. The // engine will return true if the query is allowed, false otherwise. func (e *Engine) Authorize(query *Query) bool { - for _, rule := range e.config.Rules { + config := e.config.Load() + for _, rule := range config.Rules { if ruleApplies(&rule, query) { return rule.Policy == schema.PolicyAllow } } - return e.config.DefaultPolicy == schema.PolicyAllow + return config.DefaultPolicy == schema.PolicyAllow } diff --git a/pkg/rules/engine_test.go b/pkg/rules/engine_test.go index e9b5416..e9c8298 100644 --- a/pkg/rules/engine_test.go +++ b/pkg/rules/engine_test.go @@ -1,17 +1,18 @@ -package rules +package rules_test import ( "net" "testing" + "github.com/danroc/geoblock/pkg/rules" "github.com/danroc/geoblock/pkg/schema" ) -func TestEngine_Authorize(t *testing.T) { +func TestEngineAuthorize(t *testing.T) { tests := []struct { name string config *schema.AccessControl - query *Query + query *rules.Query want bool }{ { @@ -20,7 +21,7 @@ func TestEngine_Authorize(t *testing.T) { Rules: []schema.AccessControlRule{}, DefaultPolicy: schema.PolicyAllow, }, - query: &Query{ + query: &rules.Query{ RequestedDomain: "example.com", }, want: true, @@ -31,7 +32,7 @@ func TestEngine_Authorize(t *testing.T) { Rules: []schema.AccessControlRule{}, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ RequestedDomain: "example.com", }, want: false, @@ -47,7 +48,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ RequestedDomain: "example.org", }, want: true, @@ -63,7 +64,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyAllow, }, - query: &Query{ + query: &rules.Query{ RequestedDomain: "example.com", }, want: false, @@ -79,7 +80,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ RequestedDomain: "example.com", }, want: false, @@ -95,7 +96,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ RequestedMethod: "POST", }, want: true, @@ -111,7 +112,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyAllow, }, - query: &Query{ + query: &rules.Query{ RequestedMethod: "POST", }, want: false, @@ -127,7 +128,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ RequestedMethod: "POST", }, want: false, @@ -152,7 +153,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ SourceIP: net.IPv4(10, 1, 1, 1), }, want: true, @@ -177,7 +178,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyAllow, }, - query: &Query{ + query: &rules.Query{ SourceIP: net.IPv4(192, 168, 1, 1), }, want: false, @@ -193,7 +194,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ SourceCountry: "FR", }, want: true, @@ -209,7 +210,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyAllow, }, - query: &Query{ + query: &rules.Query{ SourceCountry: "US", }, want: false, @@ -225,7 +226,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ SourceCountry: "DE", }, want: false, @@ -241,7 +242,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ SourceASN: 1111, }, want: true, @@ -257,7 +258,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyAllow, }, - query: &Query{ + query: &rules.Query{ SourceASN: 2222, }, want: false, @@ -273,7 +274,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ SourceASN: 3333, }, want: false, @@ -297,7 +298,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ RequestedDomain: "example.com", SourceIP: net.IPv4(10, 1, 1, 1), SourceCountry: "FR", @@ -322,7 +323,7 @@ func TestEngine_Authorize(t *testing.T) { }, DefaultPolicy: schema.PolicyDeny, }, - query: &Query{ + query: &rules.Query{ RequestedDomain: "example.com", SourceIP: net.IPv4(192, 168, 1, 1), }, @@ -332,10 +333,28 @@ func TestEngine_Authorize(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - e := NewEngine(tt.config) + e := rules.NewEngine(tt.config) if got := e.Authorize(tt.query); got != tt.want { t.Errorf("Engine.Authorize() = %v, want %v", got, tt.want) } }) } } + +func TestEngineUpdateConfig(t *testing.T) { + e := rules.NewEngine(&schema.AccessControl{ + DefaultPolicy: schema.PolicyAllow, + }) + + if got := e.Authorize(&rules.Query{}); got != true { + t.Errorf("Engine.Authorize() = %v, want %v", got, true) + } + + e.UpdateConfig(&schema.AccessControl{ + DefaultPolicy: schema.PolicyDeny, + }) + + if got := e.Authorize(&rules.Query{}); got != false { + t.Errorf("Engine.Authorize() = %v, want %v", got, false) + } +}