Reevaluate and update firewall core logic

2019-02-22 16:18:58 +01:00
parent d28ed664aa
commit f7a07cbb2f
39 changed files with 1469 additions and 915 deletions
--- a/profile/set_test.go
+++ b/profile/set_test.go
@@ -1,9 +1,11 @@
 package profile

 import (
+	"net"
 	"testing"
 	"time"

+	"github.com/Safing/portbase/utils/testutils"
 	"github.com/Safing/portmaster/status"
 )

@@ -28,31 +30,30 @@ func init() {
 		},
 		Endpoints: []*EndpointPermission{
 			&EndpointPermission{
-				DomainOrIP: "good.bad.example.com.",
-				Wildcard:   false,
-				Permit:     true,
-				Created:    time.Now().Unix(),
+				Type:    EptDomain,
+				Value:   "good.bad.example.com.",
+				Permit:  true,
+				Created: time.Now().Unix(),
 			},
 			&EndpointPermission{
-				DomainOrIP: "bad.example.com.",
-				Wildcard:   true,
-				Permit:     false,
-				Created:    time.Now().Unix(),
+				Type:    EptDomain,
+				Value:   "*bad.example.com.",
+				Permit:  false,
+				Created: time.Now().Unix(),
 			},
 			&EndpointPermission{
-				DomainOrIP: "example.com.",
-				Wildcard:   false,
-				Permit:     true,
-				Created:    time.Now().Unix(),
+				Type:    EptDomain,
+				Value:   "example.com.",
+				Permit:  true,
+				Created: time.Now().Unix(),
 			},
 			&EndpointPermission{
-				DomainOrIP: "",
-				Wildcard:   true,
-				Permit:     true,
-				Protocol:   6,
-				StartPort:  22000,
-				EndPort:    22000,
-				Created:    time.Now().Unix(),
+				Type:      EptAny,
+				Permit:    true,
+				Protocol:  6,
+				StartPort: 22000,
+				EndPort:   22000,
+				Created:   time.Now().Unix(),
 			},
 		},
 	}
@@ -66,36 +67,33 @@ func init() {
 		// },
 		Endpoints: []*EndpointPermission{
 			&EndpointPermission{
-				DomainOrIP: "bad2.example.com.",
-				Wildcard:   true,
-				Permit:     false,
-				Created:    time.Now().Unix(),
+				Type:    EptDomain,
+				Value:   "*bad2.example.com.",
+				Permit:  false,
+				Created: time.Now().Unix(),
 			},
 			&EndpointPermission{
-				DomainOrIP: "",
-				Wildcard:   true,
-				Permit:     true,
-				Protocol:   6,
-				StartPort:  80,
-				EndPort:    80,
-				Created:    time.Now().Unix(),
+				Type:      EptAny,
+				Permit:    true,
+				Protocol:  6,
+				StartPort: 80,
+				EndPort:   80,
+				Created:   time.Now().Unix(),
 			},
 		},
 		ServiceEndpoints: []*EndpointPermission{
 			&EndpointPermission{
-				DomainOrIP: "",
-				Wildcard:   true,
-				Permit:     true,
-				Protocol:   17,
-				StartPort:  12345,
-				EndPort:    12347,
-				Created:    time.Now().Unix(),
+				Type:      EptAny,
+				Permit:    true,
+				Protocol:  17,
+				StartPort: 12345,
+				EndPort:   12347,
+				Created:   time.Now().Unix(),
 			},
 			&EndpointPermission{ // default deny
-				DomainOrIP: "",
-				Wildcard:   true,
-				Permit:     false,
-				Created:    time.Now().Unix(),
+				Type:    EptAny,
+				Permit:  false,
+				Created: time.Now().Unix(),
 			},
 		},
 	}
@@ -104,25 +102,39 @@ func init() {
 func testFlag(t *testing.T, set *Set, flag uint8, shouldBeActive bool) {
 	active := set.CheckFlag(flag)
 	if active != shouldBeActive {
-		t.Errorf("unexpected result: flag %s: permitted=%v, expected=%v", flagNames[flag], active, shouldBeActive)
+		t.Errorf("unexpected result: flag %s: active=%v, expected=%v", flagNames[flag], active, shouldBeActive)
 	}
 }

-func testEndpoint(t *testing.T, set *Set, domainOrIP string, protocol uint8, port uint16, inbound bool, shouldBePermitted bool) {
-	var permitted, ok bool
-	permitted, _, ok = set.CheckEndpoint(domainOrIP, protocol, port, inbound)
-	if !ok {
-		t.Errorf("endpoint %s/%d/%d/%v should be in test profile set", domainOrIP, protocol, port, inbound)
-	}
-	if permitted != shouldBePermitted {
-		t.Errorf("unexpected result for endpoint %s/%d/%d/%v: permitted=%v, expected=%v", domainOrIP, protocol, port, inbound, permitted, shouldBePermitted)
+func testEndpointDomain(t *testing.T, set *Set, domain string, expectedResult EPResult) {
+	var result EPResult
+	result, _ = set.CheckEndpointDomain(domain)
+	if result != expectedResult {
+		t.Errorf(
+			"line %d: unexpected result for endpoint domain %s: result=%s, expected=%s",
+			testutils.GetLineNumberOfCaller(1),
+			domain,
+			result,
+			expectedResult,
+		)
 	}
 }

-func testUnregulatedEndpoint(t *testing.T, set *Set, domainOrIP string, protocol uint8, port uint16, inbound bool) {
-	_, _, ok := set.CheckEndpoint(domainOrIP, protocol, port, inbound)
-	if ok {
-		t.Errorf("endpoint %s/%d/%d/%v should not be in test profile set", domainOrIP, protocol, port, inbound)
+func testEndpointIP(t *testing.T, set *Set, domain string, ip net.IP, protocol uint8, port uint16, inbound bool, expectedResult EPResult) {
+	var result EPResult
+	result, _ = set.CheckEndpointIP(domain, ip, protocol, port, inbound)
+	if result != expectedResult {
+		t.Errorf(
+			"line %d: unexpected result for endpoint %s/%s/%d/%d/%v: result=%s, expected=%s",
+			testutils.GetLineNumberOfCaller(1),
+			domain,
+			ip,
+			protocol,
+			port,
+			inbound,
+			result,
+			expectedResult,
+		)
 	}
 }

@@ -133,28 +145,28 @@ func TestProfileSet(t *testing.T) {
 	set.Update(status.SecurityLevelDynamic)
 	testFlag(t, set, Whitelist, false)
 	// testFlag(t, set, Internet, true)
-	testEndpoint(t, set, "example.com.", 0, 0, false, true)
-	testEndpoint(t, set, "bad.example.com.", 0, 0, false, false)
-	testEndpoint(t, set, "other.bad.example.com.", 0, 0, false, false)
-	testEndpoint(t, set, "good.bad.example.com.", 0, 0, false, true)
-	testEndpoint(t, set, "bad2.example.com.", 0, 0, false, false)
-	testEndpoint(t, set, "10.2.3.4", 6, 22000, false, true)
-	testEndpoint(t, set, "fd00::1", 6, 22000, false, true)
-	testEndpoint(t, set, "test.local.", 6, 22000, false, true)
-	testUnregulatedEndpoint(t, set, "other.example.com.", 0, 0, false)
-	testUnregulatedEndpoint(t, set, "10.2.3.4", 17, 53, false)
-	testUnregulatedEndpoint(t, set, "10.2.3.4", 17, 443, false)
-	testUnregulatedEndpoint(t, set, "10.2.3.4", 6, 12346, false)
-	testEndpoint(t, set, "10.2.3.4", 17, 12345, true, true)
-	testEndpoint(t, set, "fd00::1", 17, 12347, true, true)
+	testEndpointDomain(t, set, "example.com.", Permitted)
+	testEndpointDomain(t, set, "bad.example.com.", Denied)
+	testEndpointDomain(t, set, "other.bad.example.com.", Denied)
+	testEndpointDomain(t, set, "good.bad.example.com.", Permitted)
+	testEndpointDomain(t, set, "bad2.example.com.", Undeterminable)
+	testEndpointIP(t, set, "", net.ParseIP("10.2.3.4"), 6, 22000, false, Permitted)
+	testEndpointIP(t, set, "", net.ParseIP("fd00::1"), 6, 22000, false, Permitted)
+	testEndpointDomain(t, set, "test.local.", Undeterminable)
+	testEndpointDomain(t, set, "other.example.com.", Undeterminable)
+	testEndpointIP(t, set, "", net.ParseIP("10.2.3.4"), 17, 53, false, NoMatch)
+	testEndpointIP(t, set, "", net.ParseIP("10.2.3.4"), 17, 443, false, NoMatch)
+	testEndpointIP(t, set, "", net.ParseIP("10.2.3.4"), 6, 12346, false, NoMatch)
+	testEndpointIP(t, set, "", net.ParseIP("10.2.3.4"), 17, 12345, true, Permitted)
+	testEndpointIP(t, set, "", net.ParseIP("fd00::1"), 17, 12347, true, Permitted)

 	set.Update(status.SecurityLevelSecure)
 	// testFlag(t, set, Internet, true)

 	set.Update(status.SecurityLevelFortress) // Independent!
 	testFlag(t, set, Whitelist, true)
-	testEndpoint(t, set, "10.2.3.4", 17, 12345, true, false)
-	testEndpoint(t, set, "fd00::1", 17, 12347, true, false)
-	testUnregulatedEndpoint(t, set, "10.2.3.4", 6, 80, false)
-	testUnregulatedEndpoint(t, set, "bad2.example.com.", 0, 0, false)
+	testEndpointIP(t, set, "", net.ParseIP("10.2.3.4"), 17, 12345, true, Denied)
+	testEndpointIP(t, set, "", net.ParseIP("fd00::1"), 17, 12347, true, Denied)
+	testEndpointIP(t, set, "", net.ParseIP("10.2.3.4"), 6, 80, false, NoMatch)
+	testEndpointDomain(t, set, "bad2.example.com.", Undeterminable)
 }