Revamp Profile Domains and Ports to Endpoints and ServiceEndpoints

2019-01-17 10:55:06 +01:00
parent 4017de7dac
commit bde81d815d
13 changed files with 417 additions and 249 deletions
--- a/profile/set_test.go
+++ b/profile/set_test.go
@@ -26,26 +26,33 @@ func init() {
 		Flags: map[uint8]uint8{
 			Independent: status.SecurityLevelFortress,
 		},
-		Domains: map[string]*DomainDecision{
-			"example.com": &DomainDecision{
-				Permit:            true,
-				Created:           time.Now().Unix(),
-				IncludeSubdomains: false,
+		Endpoints: []*EndpointPermission{
+			&EndpointPermission{
+				DomainOrIP: "good.bad.example.com.",
+				Wildcard:   false,
+				Permit:     true,
+				Created:    time.Now().Unix(),
 			},
-			"bad.example.com": &DomainDecision{
-				Permit:            false,
-				Created:           time.Now().Unix(),
-				IncludeSubdomains: true,
+			&EndpointPermission{
+				DomainOrIP: "bad.example.com.",
+				Wildcard:   true,
+				Permit:     false,
+				Created:    time.Now().Unix(),
 			},
-		},
-		Ports: map[int16][]*Port{
-			6: []*Port{
-				&Port{
-					Permit:  true,
-					Created: time.Now().Unix(),
-					Start:   22000,
-					End:     22000,
-				},
+			&EndpointPermission{
+				DomainOrIP: "example.com.",
+				Wildcard:   false,
+				Permit:     true,
+				Created:    time.Now().Unix(),
+			},
+			&EndpointPermission{
+				DomainOrIP: "",
+				Wildcard:   true,
+				Permit:     true,
+				Protocol:   6,
+				StartPort:  22000,
+				EndPort:    22000,
+				Created:    time.Now().Unix(),
 			},
 		},
 	}
@@ -54,37 +61,41 @@ func init() {
 		ID:            "unit-test-stamp",
 		Name:          "Unit Test Stamp Profile",
 		SecurityLevel: status.SecurityLevelFortress,
-		Flags: map[uint8]uint8{
-			Internet: status.SecurityLevelsAll,
-		},
-		Domains: map[string]*DomainDecision{
-			"bad2.example.com": &DomainDecision{
-				Permit:            false,
-				Created:           time.Now().Unix(),
-				IncludeSubdomains: true,
+		// Flags: map[uint8]uint8{
+		// 	Internet: status.SecurityLevelsAll,
+		// },
+		Endpoints: []*EndpointPermission{
+			&EndpointPermission{
+				DomainOrIP: "bad2.example.com.",
+				Wildcard:   true,
+				Permit:     false,
+				Created:    time.Now().Unix(),
 			},
-			"good.bad.example.com": &DomainDecision{
-				Permit:            true,
-				Created:           time.Now().Unix(),
-				IncludeSubdomains: false,
+			&EndpointPermission{
+				DomainOrIP: "",
+				Wildcard:   true,
+				Permit:     true,
+				Protocol:   6,
+				StartPort:  80,
+				EndPort:    80,
+				Created:    time.Now().Unix(),
 			},
 		},
-		Ports: map[int16][]*Port{
-			6: []*Port{
-				&Port{
-					Permit:  false,
-					Created: time.Now().Unix(),
-					Start:   80,
-					End:     80,
-				},
+		ServiceEndpoints: []*EndpointPermission{
+			&EndpointPermission{
+				DomainOrIP: "",
+				Wildcard:   true,
+				Permit:     true,
+				Protocol:   17,
+				StartPort:  12345,
+				EndPort:    12347,
+				Created:    time.Now().Unix(),
 			},
-			-17: []*Port{
-				&Port{
-					Permit:  true,
-					Created: time.Now().Unix(),
-					Start:   12345,
-					End:     12347,
-				},
+			&EndpointPermission{ // default deny
+				DomainOrIP: "",
+				Wildcard:   true,
+				Permit:     false,
+				Created:    time.Now().Unix(),
 			},
 		},
 	}
@@ -97,37 +108,21 @@ func testFlag(t *testing.T, set *Set, flag uint8, shouldBeActive bool) {
 	}
 }

-func testDomain(t *testing.T, set *Set, domain string, shouldBePermitted bool) {
-	permitted, ok := set.CheckDomain(domain)
+func testEndpoint(t *testing.T, set *Set, domainOrIP string, protocol uint8, port uint16, inbound bool, shouldBePermitted bool) {
+	var permitted, ok bool
+	permitted, _, ok = set.CheckEndpoint(domainOrIP, protocol, port, inbound)
 	if !ok {
-		t.Errorf("domain %s should be in test profile set", domain)
+		t.Errorf("endpoint %s/%d/%d/%v should be in test profile set", domainOrIP, protocol, port, inbound)
 	}
 	if permitted != shouldBePermitted {
-		t.Errorf("unexpected result: domain %s: permitted=%v, expected=%v", domain, permitted, shouldBePermitted)
+		t.Errorf("unexpected result for endpoint %s/%d/%d/%v: permitted=%v, expected=%v", domainOrIP, protocol, port, inbound, permitted, shouldBePermitted)
 	}
 }

-func testUnregulatedDomain(t *testing.T, set *Set, domain string) {
-	_, ok := set.CheckDomain(domain)
+func testUnregulatedEndpoint(t *testing.T, set *Set, domainOrIP string, protocol uint8, port uint16, inbound bool) {
+	_, _, ok := set.CheckEndpoint(domainOrIP, protocol, port, inbound)
 	if ok {
-		t.Errorf("domain %s should not be in test profile set", domain)
-	}
-}
-
-func testPort(t *testing.T, set *Set, listen bool, protocol uint8, port uint16, shouldBePermitted bool) {
-	permitted, ok := set.CheckPort(listen, protocol, port)
-	if !ok {
-		t.Errorf("port [%v %d %d] should be in test profile set", listen, protocol, port)
-	}
-	if permitted != shouldBePermitted {
-		t.Errorf("unexpected result: port [%v %d %d]: permitted=%v, expected=%v", listen, protocol, port, permitted, shouldBePermitted)
-	}
-}
-
-func testUnregulatedPort(t *testing.T, set *Set, listen bool, protocol uint8, port uint16) {
-	_, ok := set.CheckPort(listen, protocol, port)
-	if ok {
-		t.Errorf("port [%v %d %d] should not be in test profile set", listen, protocol, port)
+		t.Errorf("endpoint %s/%d/%d/%v should not be in test profile set", domainOrIP, protocol, port, inbound)
 	}
 }

@@ -137,31 +132,29 @@ func TestProfileSet(t *testing.T) {

 	set.Update(status.SecurityLevelDynamic)
 	testFlag(t, set, Whitelist, false)
-	testFlag(t, set, Internet, true)
-	testDomain(t, set, "example.com", true)
-	testDomain(t, set, "bad.example.com", false)
-	testDomain(t, set, "other.bad.example.com", false)
-	testDomain(t, set, "good.bad.example.com", false)
-	testDomain(t, set, "bad2.example.com", false)
-	testPort(t, set, false, 6, 443, true)
-	testPort(t, set, false, 6, 143, true)
-	testPort(t, set, false, 6, 22, true)
-	testPort(t, set, false, 6, 80, false)
-	testPort(t, set, false, 6, 80, false)
-	testPort(t, set, true, 17, 12345, true)
-	testPort(t, set, true, 17, 12346, true)
-	testPort(t, set, true, 17, 12347, true)
-	testUnregulatedDomain(t, set, "other.example.com")
-	testUnregulatedPort(t, set, false, 17, 53)
-	testUnregulatedPort(t, set, false, 17, 443)
-	testUnregulatedPort(t, set, true, 6, 443)
+	// testFlag(t, set, Internet, true)
+	testEndpoint(t, set, "example.com.", 0, 0, false, true)
+	testEndpoint(t, set, "bad.example.com.", 0, 0, false, false)
+	testEndpoint(t, set, "other.bad.example.com.", 0, 0, false, false)
+	testEndpoint(t, set, "good.bad.example.com.", 0, 0, false, true)
+	testEndpoint(t, set, "bad2.example.com.", 0, 0, false, false)
+	testEndpoint(t, set, "10.2.3.4", 6, 22000, false, true)
+	testEndpoint(t, set, "fd00::1", 6, 22000, false, true)
+	testEndpoint(t, set, "test.local.", 6, 22000, false, true)
+	testUnregulatedEndpoint(t, set, "other.example.com.", 0, 0, false)
+	testUnregulatedEndpoint(t, set, "10.2.3.4", 17, 53, false)
+	testUnregulatedEndpoint(t, set, "10.2.3.4", 17, 443, false)
+	testUnregulatedEndpoint(t, set, "10.2.3.4", 6, 12346, false)
+	testEndpoint(t, set, "10.2.3.4", 17, 12345, true, true)
+	testEndpoint(t, set, "fd00::1", 17, 12347, true, true)

 	set.Update(status.SecurityLevelSecure)
-	testFlag(t, set, Internet, true)
+	// testFlag(t, set, Internet, true)

 	set.Update(status.SecurityLevelFortress) // Independent!
-	testFlag(t, set, Internet, false)
-	testPort(t, set, false, 6, 80, true)
-	testUnregulatedDomain(t, set, "bad2.example.com")
-	testUnregulatedPort(t, set, true, 17, 12346)
+	testFlag(t, set, Whitelist, true)
+	testEndpoint(t, set, "10.2.3.4", 17, 12345, true, false)
+	testEndpoint(t, set, "fd00::1", 17, 12347, true, false)
+	testUnregulatedEndpoint(t, set, "10.2.3.4", 6, 80, false)
+	testUnregulatedEndpoint(t, set, "bad2.example.com.", 0, 0, false)
 }