WIP

stripe · Feb 13, 2024 · e17a390 · e17a390
1 parent d7f55b6
commit e17a390
Showing 1 changed file with 49 additions and 36 deletions.
diff --git a/pkg/smokescreen/smokescreen_test.go b/pkg/smokescreen/smokescreen_test.go
@@ -15,6 +15,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"runtime"
 	"sync/atomic"
 	"testing"
 	"time"
@@ -1240,7 +1241,6 @@ func TestBlockCONNECTProxyURLsByDefault(t *testing.T) {
 	// a := assert.New(t)
 	r := require.New(t)
 	cfg, err := testConfig("test-external-connect-proxy-srv")
-	logHook := proxyLogHook(cfg)
 
 	r.NoError(err)
 	err = cfg.SetAllowAddresses([]string{"127.0.0.1"})
@@ -1258,46 +1258,59 @@ func TestBlockCONNECTProxyURLsByDefault(t *testing.T) {
 	r.NoError(err)
 	cfg.Listener = l
 
-	proxy := proxyServer(cfg)
-	// The External proxy is a HTTPS proxy that will be used to connect to the remote server
-	externalProxy := httptest.NewUnstartedServer(BuildProxy(cfg))
-	externalProxy.StartTLS()
+	t.Run("Blocks a non-approved proxy when the X-Upstream-Https-Proxy header is set", func(t *testing.T) {
+		proxy := proxyServer(cfg)
+		logHook := proxyLogHook(cfg)
+		// The External proxy is a HTTPS proxy that will be used to connect to the remote server
+		//	externalProxy := httptest.NewUnstartedServer(BuildProxy(cfg))
+		// externalProxy.StartTLS()
 
-	fmt.Println(proxy.URL)
-	fmt.Println(externalProxy.URL)
-	remote := httptest.NewTLSServer(h)
-	fmt.Println(remote.URL)
-	client, err := proxyClientWithConnectHeaders(proxy.URL, http.Header{"X-Upstream-Https-Proxy": []string{"https://google.com"}})
-	r.NoError(err)
+		fmt.Println(proxy.URL)
+		// fmt.Println(externalProxy.URL)
+		remote := httptest.NewTLSServer(h)
+		fmt.Println(remote.URL)
+		client, err := proxyClientWithConnectHeaders(proxy.URL, http.Header{"X-Upstream-Https-Proxy": []string{"https://google.com"}})
+		r.NoError(err)
 
-	req, err := http.NewRequest("GET", remote.URL, nil)
-	r.NoError(err)
+		req, err := http.NewRequest("GET", remote.URL, nil)
+		r.NoError(err)
 
-	res, err := client.Do(req)
-
-	fmt.Println(res)
-	// serverCh <- true
-	// <-clientCh
-
-	// Metrics should show one successful connection and a corresponding successful
-	// DNS request along with its timing metric.
-	// tmc, ok := cfg.MetricsClient.(*metrics.MockMetricsClient)
-	// r.True(ok)
-	// i, err := tmc.GetCount("cn.atpt.total", map[string]string{"success": "true"})
-	// r.NoError(err)
-	// r.Equal(i, uint64(1))
-	// lookups, err := tmc.GetCount("resolver.attempts_total", make(map[string]string))
-	// r.NoError(err)
-	// r.Equal(lookups, uint64(1))
-	// ltime, err := tmc.GetCount("resolver.lookup_time", make(map[string]string))
-	// r.NoError(err)
-	// r.Equal(ltime, uint64(1))
+		client.Do(req)
 
-	entry := findCanonicalProxyDecision(logHook.AllEntries())
-	r.NotNil(entry)
-	// r.Contains(entry.Data, "proxy_type")
-	// r.Equal("connect", entry.Data["proxy_type"])
+		entry := findCanonicalProxyDecision(logHook.AllEntries())
+		r.NotNil(entry)
+		r.Equal("connect proxy host not allowed in rule", entry.Data["decision_reason"])
+		r.Equal("test-external-connect-proxy-srv", entry.Data["role"])
+		r.Equal(false, entry.Data["allow"])
+	})
+
+	t.Run("Allows an approved proxy when the X-Upstream-Https-Proxy header is set", func(t *testing.T) {
+		// cfg.EgressACL.Rules["test-external-connect-proxy-srv"].ExternalProxyGlobs
+		// TODO: figure out how to change the rules at runtime here
+		proxy := proxyServer(cfg)
+		logHook := proxyLogHook(cfg)
+		// The External proxy is a HTTPS proxy that will be used to connect to the remote server
+		externalProxy := httptest.NewUnstartedServer(BuildProxy(cfg))
+		externalProxy.StartTLS()
+		runtime.Breakpoint()
+		fmt.Println(proxy.URL)
+		// fmt.Println(externalProxy.URL)
+		remote := httptest.NewTLSServer(h)
+		fmt.Println(remote.URL)
+		client, err := proxyClientWithConnectHeaders(proxy.URL, http.Header{"X-Upstream-Https-Proxy": []string{"https://google.com"}})
+		r.NoError(err)
 
+		req, err := http.NewRequest("GET", remote.URL, nil)
+		r.NoError(err)
+
+		client.Do(req)
+
+		entry := findCanonicalProxyDecision(logHook.AllEntries())
+		r.NotNil(entry)
+		r.Equal("connect proxy host not allowed in rule", entry.Data["decision_reason"])
+		r.Equal("test-external-connect-proxy-srv", entry.Data["role"])
+		r.Equal(false, entry.Data["allow"])
+	})
 }
 func findCanonicalProxyDecision(logs []*logrus.Entry) *logrus.Entry {
 	for _, entry := range logs {