xfy/lolly
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ssl,security): 实现 SSL/TLS 和安全中间件模块

Browse Source 
- ssl: TLS 配置管理、证书加载、SNI 支持、现代安全默认值
- security/auth: HTTP Basic Auth (bcrypt/argon2id 密码哈希)
- security/ratelimit: 令牌桶限流、连接数限制
- security/access: IP 访问控制 (CIDR allow/deny)
- security/headers: 安全响应头 (X-Frame-Options, CSP, HSTS 等)

Phase 4 完成

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
xfy 2026-04-03 09:53:18 +08:00
parent e2c37e2bf8
commit d4998e5634
13 changed files with 3657 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/plan.md
View File

@ -1431,7 +1431,7 @@ Phase 6:
| Phase 1 | ✅ 完成 | 项目骨架、配置系统 |
| Phase 2 | ✅ 完成 | HTTP 核心、静态文件、路由 |
| Phase 3 | ✅ 完成 | 反向代理、负载均衡 |
| Phase 4 | ⏳ 待开始 | SSL/TLS、安全控制 |
| Phase 4 | ✅ 完成 | SSL/TLS、安全控制 |
| Phase 5 | ⏳ 待开始 | 重写、压缩、缓存、日志 |
| Phase 6 | ⏳ 待开始 | Stream、性能优化 |

3
go.mod
View File

@ -16,5 +16,6 @@ require (
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/savsgio/gotils v0.0.0-20240704082632-aef3928b8a38 // indirect
github.com/valyala/bytebufferpool v1.0.0 // indirect
golang.org/x/sys v0.39.0 // indirect
golang.org/x/crypto v0.49.0 // indirect
golang.org/x/sys v0.42.0 // indirect
)

4
go.sum
View File

@ -18,9 +18,13 @@ github.com/valyala/fasthttp v1.69.0 h1:fNLLESD2SooWeh2cidsuFtOcrEi4uB4m1mPrkJMZy
github.com/valyala/fasthttp v1.69.0/go.mod h1:4wA4PfAraPlAsJ5jMSqCE2ug5tqUPwKXxVj8oNECGcw=
github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

302
internal/middleware/security/access.go Normal file
View File

@ -0,0 +1,302 @@
// Package security provides security-related middleware for the Lolly HTTP server.
//
// This file implements IP access control middleware, supporting CIDR-based
// allow/deny lists with IPv4 and IPv6 support.
//
// Example usage:
//
// cfg := &config.AccessConfig{
// Allow: []string{"192.168.1.0/24", "10.0.0.0/8"},
// Deny: []string{"192.168.2.100/32"},
// Default: "deny",
// }
//
// access, err := security.NewAccessControl(cfg)
// if err != nil {
// log.Fatal(err)
// }
//
// // Apply as middleware
// chain := middleware.NewChain(access)
// handler := chain.Apply(finalHandler)
//
//go:generate go test -v ./...
package security
import (
"errors"
"fmt"
"net"
"strings"
"sync"
"github.com/valyala/fasthttp"
"rua.plus/lolly/internal/config"
"rua.plus/lolly/internal/middleware"
)
// Action represents the action to take for an IP.
type Action int
const (
ActionAllow Action = iota // Allow the request
ActionDeny // Deny the request (403 Forbidden)
)
// AccessControl implements IP-based access control middleware.
// It checks incoming requests against configured allow/deny CIDR lists.
type AccessControl struct {
allowList []net.IPNet // CIDR networks to allow
denyList []net.IPNet // CIDR networks to deny
defaultAction Action // Default action when no rule matches
mu sync.RWMutex
}
// NewAccessControl creates a new access control middleware from configuration.
//
// Parameters:
// - cfg: Access configuration with allow/deny lists and default action
//
// Returns:
// - *AccessControl: Configured access control middleware
// - error: Non-nil if CIDR parsing fails
func NewAccessControl(cfg *config.AccessConfig) (*AccessControl, error) {
if cfg == nil {
return nil, errors.New("access config is nil")
}
ac := &AccessControl{}
// Parse allow list
for _, cidr := range cfg.Allow {
network, err := parseCIDR(cidr)
if err != nil {
return nil, fmt.Errorf("invalid allow CIDR %s: %w", cidr, err)
}
ac.allowList = append(ac.allowList, *network)
}
// Parse deny list
for _, cidr := range cfg.Deny {
network, err := parseCIDR(cidr)
if err != nil {
return nil, fmt.Errorf("invalid deny CIDR %s: %w", cidr, err)
}
ac.denyList = append(ac.denyList, *network)
}
// Set default action
switch strings.ToLower(cfg.Default) {
case "allow", "":
ac.defaultAction = ActionAllow
case "deny":
ac.defaultAction = ActionDeny
default:
return nil, fmt.Errorf("invalid default action: %s", cfg.Default)
}
return ac, nil
}
// Name returns the middleware name.
func (ac *AccessControl) Name() string {
return "access_control"
}
// Process wraps the next handler with access control logic.
// Requests from denied IPs receive 403 Forbidden.
func (ac *AccessControl) Process(next fasthttp.RequestHandler) fasthttp.RequestHandler {
return func(ctx *fasthttp.RequestCtx) {
clientIP := getClientIP(ctx)
// Check access
if !ac.Check(clientIP) {
ctx.Error("Forbidden: Access denied", fasthttp.StatusForbidden)
return
}
next(ctx)
}
}
// Check checks if an IP address is allowed to access.
// Evaluation order: deny list first, then allow list, then default.
func (ac *AccessControl) Check(ip net.IP) bool {
ac.mu.RLock()
defer ac.mu.RUnlock()
// Check deny list first (explicit deny takes precedence)
for _, network := range ac.denyList {
if network.Contains(ip) {
return false
}
}
// Check allow list
for _, network := range ac.allowList {
if network.Contains(ip) {
return true
}
}
// Return default action
return ac.defaultAction == ActionAllow
}
// UpdateAllowList updates the allow list dynamically.
func (ac *AccessControl) UpdateAllowList(cidrs []string) error {
ac.mu.Lock()
defer ac.mu.Unlock()
newList := make([]net.IPNet, 0, len(cidrs))
for _, cidr := range cidrs {
network, err := parseCIDR(cidr)
if err != nil {
return fmt.Errorf("invalid CIDR %s: %w", cidr, err)
}
newList = append(newList, *network)
}
ac.allowList = newList
return nil
}
// UpdateDenyList updates the deny list dynamically.
func (ac *AccessControl) UpdateDenyList(cidrs []string) error {
ac.mu.Lock()
defer ac.mu.Unlock()
newList := make([]net.IPNet, 0, len(cidrs))
for _, cidr := range cidrs {
network, err := parseCIDR(cidr)
if err != nil {
return fmt.Errorf("invalid CIDR %s: %w", cidr, err)
}
newList = append(newList, *network)
}
ac.denyList = newList
return nil
}
// SetDefault sets the default action.
func (ac *AccessControl) SetDefault(action string) error {
ac.mu.Lock()
defer ac.mu.Unlock()
switch strings.ToLower(action) {
case "allow":
ac.defaultAction = ActionAllow
case "deny":
ac.defaultAction = ActionDeny
default:
return fmt.Errorf("invalid action: %s", action)
}
return nil
}
// parseCIDR parses a CIDR string, supporting both IPv4 and IPv6.
// Handles both full CIDR notation (192.168.1.0/24) and single IPs (192.168.1.1).
func parseCIDR(cidr string) (*net.IPNet, error) {
// Handle single IP (no /prefix)
if !strings.Contains(cidr, "/") {
ip := net.ParseIP(cidr)
if ip == nil {
return nil, fmt.Errorf("invalid IP address: %s", cidr)
}
// Convert to CIDR with full mask
if ip.To4() != nil {
cidr = cidr + "/32"
} else {
cidr = cidr + "/128"
}
}
// Parse CIDR
ip, network, err := net.ParseCIDR(cidr)
if err != nil {
return nil, err
}
// Ensure IP is in canonical form
network.IP = ip
return network, nil
}
// getClientIP extracts the client IP from the request context.
// Checks X-Forwarded-For and X-Real-IP headers first, then falls back to RemoteAddr.
func getClientIP(ctx *fasthttp.RequestCtx) net.IP {
// Check X-Forwarded-For header first
if xff := ctx.Request.Header.Peek("X-Forwarded-For"); len(xff) > 0 {
ips := strings.Split(string(xff), ",")
if len(ips) > 0 {
ipStr := strings.TrimSpace(ips[0])
ip := net.ParseIP(ipStr)
if ip != nil {
return ip
}
}
}
// Check X-Real-IP header
if xri := ctx.Request.Header.Peek("X-Real-IP"); len(xri) > 0 {
ip := net.ParseIP(string(xri))
if ip != nil {
return ip
}
}
// Fall back to RemoteAddr
if addr := ctx.RemoteAddr(); addr != nil {
if tcpAddr, ok := addr.(*net.TCPAddr); ok {
return tcpAddr.IP
}
// Parse from string representation
ipStr := addr.String()
if idx := strings.LastIndex(ipStr, ":"); idx != -1 {
ipStr = ipStr[:idx]
}
// Remove brackets from IPv6
ipStr = strings.TrimPrefix(strings.TrimSuffix(ipStr, "]"), "[")
return net.ParseIP(ipStr)
}
return nil
}
// GetStats returns access control statistics.
type AccessStats struct {
AllowCount int
DenyCount int
Default string
}
// GetStats returns current access control statistics.
func (ac *AccessControl) GetStats() AccessStats {
ac.mu.RLock()
defer ac.mu.RUnlock()
return AccessStats{
AllowCount: len(ac.allowList),
DenyCount: len(ac.denyList),
Default: actionToString(ac.defaultAction),
}
}
// actionToString converts an Action to its string representation.
func actionToString(action Action) string {
switch action {
case ActionAllow:
return "allow"
case ActionDeny:
return "deny"
default:
return "unknown"
}
}
// Verify interface compliance
var _ middleware.Middleware = (*AccessControl)(nil)

343
internal/middleware/security/access_test.go Normal file
View File

@ -0,0 +1,343 @@
package security
import (
"net"
"testing"
"github.com/valyala/fasthttp"
"rua.plus/lolly/internal/config"
)
func TestNewAccessControl(t *testing.T) {
tests := []struct {
name string
cfg *config.AccessConfig
wantErr bool
}{
{
name: "nil config",
cfg: nil,
wantErr: true,
},
{
name: "empty config",
cfg: &config.AccessConfig{},
},
{
name: "valid allow list",
cfg: &config.AccessConfig{
Allow: []string{"192.168.1.0/24", "10.0.0.1"},
},
},
{
name: "valid deny list",
cfg: &config.AccessConfig{
Deny: []string{"192.168.2.100/32"},
},
},
{
name: "invalid CIDR",
cfg: &config.AccessConfig{
Allow: []string{"invalid"},
},
wantErr: true,
},
{
name: "default allow",
cfg: &config.AccessConfig{
Default: "allow",
},
},
{
name: "default deny",
cfg: &config.AccessConfig{
Default: "deny",
},
},
{
name: "invalid default",
cfg: &config.AccessConfig{
Default: "invalid",
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
ac, err := NewAccessControl(tt.cfg)
if (err != nil) != tt.wantErr {
t.Errorf("NewAccessControl() error = %v, wantErr %v", err, tt.wantErr)
}
if !tt.wantErr && ac == nil {
t.Error("Expected non-nil AccessControl")
}
})
}
}
func TestAccessControlCheck(t *testing.T) {
tests := []struct {
name string
cfg *config.AccessConfig
ip string
expected bool
}{
{
name: "default allow",
cfg: &config.AccessConfig{
Default: "allow",
},
ip: "192.168.1.100",
expected: true,
},
{
name: "default deny",
cfg: &config.AccessConfig{
Default: "deny",
},
ip: "192.168.1.100",
expected: false,
},
{
name: "explicit allow",
cfg: &config.AccessConfig{
Allow: []string{"192.168.1.0/24"},
Default: "deny",
},
ip: "192.168.1.100",
expected: true,
},
{
name: "not in allow list",
cfg: &config.AccessConfig{
Allow: []string{"192.168.1.0/24"},
Default: "deny",
},
ip: "192.168.2.100",
expected: false,
},
{
name: "explicit deny",
cfg: &config.AccessConfig{
Deny: []string{"192.168.2.100"},
Default: "allow",
},
ip: "192.168.2.100",
expected: false,
},
{
name: "deny takes precedence",
cfg: &config.AccessConfig{
Allow: []string{"192.168.0.0/16"},
Deny: []string{"192.168.2.100"},
Default: "deny",
},
ip: "192.168.2.100",
expected: false,
},
{
name: "single IP allow",
cfg: &config.AccessConfig{
Allow: []string{"10.0.0.1"},
Default: "deny",
},
ip: "10.0.0.1",
expected: true,
},
{
name: "IPv6 allow",
cfg: &config.AccessConfig{
Allow: []string{"2001:db8::/32"},
Default: "deny",
},
ip: "2001:db8::1",
expected: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
ac, err := NewAccessControl(tt.cfg)
if err != nil {
t.Fatalf("NewAccessControl() error: %v", err)
}
ip := net.ParseIP(tt.ip)
if ip == nil {
t.Fatalf("Invalid IP: %s", tt.ip)
}
result := ac.Check(ip)
if result != tt.expected {
t.Errorf("Check(%s) = %v, expected %v", tt.ip, result, tt.expected)
}
})
}
}
func TestAccessControlProcess(t *testing.T) {
ac, err := NewAccessControl(&config.AccessConfig{
Allow: []string{"127.0.0.1"},
Default: "deny",
})
if err != nil {
t.Fatalf("NewAccessControl() error: %v", err)
}
// Create a simple handler
nextHandler := func(ctx *fasthttp.RequestCtx) {
ctx.WriteString("OK")
}
handler := ac.Process(nextHandler)
// Verify the handler is created correctly
if handler == nil {
t.Error("Process() returned nil handler")
}
}
func TestParseCIDR(t *testing.T) {
tests := []struct {
name string
cidr string
wantErr bool
}{
{
name: "valid IPv4 CIDR",
cidr: "192.168.1.0/24",
},
{
name: "valid IPv4 single",
cidr: "192.168.1.1",
},
{
name: "valid IPv6 CIDR",
cidr: "2001:db8::/32",
},
{
name: "valid IPv6 single",
cidr: "2001:db8::1",
},
{
name: "invalid IP",
cidr: "invalid",
wantErr: true,
},
{
name: "invalid CIDR",
cidr: "192.168.1.0/33",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
network, err := parseCIDR(tt.cidr)
if (err != nil) != tt.wantErr {
t.Errorf("parseCIDR() error = %v, wantErr %v", err, tt.wantErr)
}
if !tt.wantErr && network == nil {
t.Error("Expected non-nil network")
}
})
}
}
func TestUpdateAllowList(t *testing.T) {
ac, err := NewAccessControl(&config.AccessConfig{
Default: "deny",
})
if err != nil {
t.Fatalf("NewAccessControl() error: %v", err)
}
// Update allow list
err = ac.UpdateAllowList([]string{"10.0.0.0/8"})
if err != nil {
t.Errorf("UpdateAllowList() error: %v", err)
}
// Check that IP is now allowed
ip := net.ParseIP("10.0.0.1")
if !ac.Check(ip) {
t.Error("Expected IP to be allowed after update")
}
// Test invalid update
err = ac.UpdateAllowList([]string{"invalid"})
if err == nil {
t.Error("Expected error for invalid CIDR")
}
}
func TestUpdateDenyList(t *testing.T) {
ac, err := NewAccessControl(&config.AccessConfig{
Allow: []string{"0.0.0.0/0"},
Default: "allow",
})
if err != nil {
t.Fatalf("NewAccessControl() error: %v", err)
}
// Update deny list
err = ac.UpdateDenyList([]string{"192.168.2.0/24"})
if err != nil {
t.Errorf("UpdateDenyList() error: %v", err)
}
// Check that IP is now denied
ip := net.ParseIP("192.168.2.1")
if ac.Check(ip) {
t.Error("Expected IP to be denied after update")
}
}
func TestSetDefault(t *testing.T) {
ac, err := NewAccessControl(&config.AccessConfig{
Default: "allow",
})
if err != nil {
t.Fatalf("NewAccessControl() error: %v", err)
}
// Change to deny
err = ac.SetDefault("deny")
if err != nil {
t.Errorf("SetDefault() error: %v", err)
}
stats := ac.GetStats()
if stats.Default != "deny" {
t.Errorf("Expected default 'deny', got %s", stats.Default)
}
// Test invalid action
err = ac.SetDefault("invalid")
if err == nil {
t.Error("Expected error for invalid action")
}
}
func TestGetStats(t *testing.T) {
ac, err := NewAccessControl(&config.AccessConfig{
Allow: []string{"192.168.1.0/24", "10.0.0.0/8"},
Deny: []string{"192.168.2.100"},
Default: "deny",
})
if err != nil {
t.Fatalf("NewAccessControl() error: %v", err)
}
stats := ac.GetStats()
if stats.AllowCount != 2 {
t.Errorf("Expected AllowCount 2, got %d", stats.AllowCount)
}
if stats.DenyCount != 1 {
t.Errorf("Expected DenyCount 1, got %d", stats.DenyCount)
}
if stats.Default != "deny" {
t.Errorf("Expected Default 'deny', got %s", stats.Default)
}
}

455
internal/middleware/security/auth.go Normal file
View File

@ -0,0 +1,455 @@
// Package security provides security-related middleware for the Lolly HTTP server.
//
// This file implements HTTP Basic Authentication middleware with secure
// password hashing (bcrypt and argon2id). It enforces HTTPS by default.
//
// Example usage:
//
// cfg := &config.AuthConfig{
// Type: "basic",
// RequireTLS: true,
// Algorithm: "bcrypt",
// Users: []config.User{
// {Name: "admin", Password: "$2b$12$..."}, // bcrypt hash
// },
// Realm: "Restricted Area",
// }
//
// auth, err := security.NewBasicAuth(cfg)
// if err != nil {
// log.Fatal(err)
// }
//
// // Apply as middleware
// chain := middleware.NewChain(auth)
// handler := chain.Apply(finalHandler)
//
//go:generate go test -v ./...
package security
import (
"encoding/base64"
"errors"
"fmt"
"strings"
"sync"
"github.com/valyala/fasthttp"
"golang.org/x/crypto/bcrypt"
"golang.org/x/crypto/argon2"
"rua.plus/lolly/internal/config"
"rua.plus/lolly/internal/middleware"
)
// HashAlgorithm represents the password hashing algorithm type.
type HashAlgorithm int
const (
HashBcrypt HashAlgorithm = iota // bcrypt (default, recommended)
HashArgon2id // Argon2id (more secure, compute-intensive)
)
// BasicAuth implements HTTP Basic Authentication middleware.
type BasicAuth struct {
users map[string]string // username -> hashed password
algorithm HashAlgorithm // Hash algorithm used
realm string // Authentication realm
requireTLS bool // Require HTTPS (default true)
minPasswordLength int // Minimum password length for validation
argon2Params argon2Params // Argon2id parameters
mu sync.RWMutex
}
// argon2Params holds Argon2id configuration parameters.
type argon2Params struct {
time uint32 // Number of passes
memory uint32 // Memory cost in KB
threads uint8 // Parallelism
saltLen uint32 // Salt length
keyLen uint32 // Output key length
}
// Default Argon2id parameters (OWASP recommended)
var defaultArgon2Params = argon2Params{
time: 3,
memory: 64 * 1024, // 64 MB
threads: 4,
saltLen: 16,
keyLen: 32,
}
// NewBasicAuth creates a new Basic Auth middleware from configuration.
//
// Parameters:
// - cfg: Authentication configuration with users and settings
//
// Returns:
// - *BasicAuth: Configured authentication middleware
// - error: Non-nil if configuration is invalid
func NewBasicAuth(cfg *config.AuthConfig) (*BasicAuth, error) {
if cfg == nil {
return nil, errors.New("auth config is nil")
}
if cfg.Type != "basic" {
return nil, fmt.Errorf("unsupported auth type: %s", cfg.Type)
}
if len(cfg.Users) == 0 {
return nil, errors.New("no users configured")
}
auth := &BasicAuth{
users: make(map[string]string),
requireTLS: cfg.RequireTLS, // Default is true from config defaults
minPasswordLength: cfg.MinPasswordLength,
argon2Params: defaultArgon2Params,
}
// Set realm
if cfg.Realm != "" {
auth.realm = cfg.Realm
} else {
auth.realm = "Restricted Area"
}
// Set hash algorithm
switch strings.ToLower(cfg.Algorithm) {
case "bcrypt", "":
auth.algorithm = HashBcrypt
case "argon2id":
auth.algorithm = HashArgon2id
default:
return nil, fmt.Errorf("unsupported hash algorithm: %s", cfg.Algorithm)
}
// Load users
for _, user := range cfg.Users {
if user.Name == "" {
return nil, errors.New("username cannot be empty")
}
if user.Password == "" {
return nil, fmt.Errorf("password for user %s cannot be empty", user.Name)
}
// Validate password hash format
if err := validatePasswordHash(user.Password, auth.algorithm); err != nil {
return nil, fmt.Errorf("invalid password hash for user %s: %w", user.Name, err)
}
auth.users[user.Name] = user.Password
}
return auth, nil
}
// Name returns the middleware name.
func (ba *BasicAuth) Name() string {
return "basic_auth"
}
// Process wraps the next handler with authentication logic.
// Returns 401 Unauthorized if authentication fails.
func (ba *BasicAuth) Process(next fasthttp.RequestHandler) fasthttp.RequestHandler {
return func(ctx *fasthttp.RequestCtx) {
// Check TLS requirement
if ba.requireTLS && !ctx.IsTLS() {
ctx.Error("Forbidden: HTTPS required for authentication", fasthttp.StatusForbidden)
return
}
// Extract and validate credentials
username, password, ok := ba.extractCredentials(ctx)
if !ok {
ba.sendAuthChallenge(ctx)
return
}
// Authenticate
if !ba.Authenticate(username, password) {
ba.sendAuthChallenge(ctx)
return
}
// Success - proceed to next handler
next(ctx)
}
}
// Authenticate validates username and password credentials.
// Returns true if authentication succeeds.
func (ba *BasicAuth) Authenticate(username, password string) bool {
ba.mu.RLock()
hashedPassword, exists := ba.users[username]
ba.mu.RUnlock()
if !exists {
return false
}
switch ba.algorithm {
case HashBcrypt:
return authenticateBcrypt(password, hashedPassword)
case HashArgon2id:
return authenticateArgon2id(password, hashedPassword)
default:
return false
}
}
// authenticateBcrypt verifies password against bcrypt hash.
func authenticateBcrypt(password, hash string) bool {
err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
return err == nil
}
// authenticateArgon2id verifies password against Argon2id hash.
// Hash format: $argon2id$v=19$m=<memory>,t=<time>,p=<threads>$<salt>$<hash>
func authenticateArgon2id(password, hash string) bool {
// Parse the hash string
params, salt, expectedHash, err := parseArgon2idHash(hash)
if err != nil {
return false
}
// Generate hash with same parameters
actualHash := argon2.IDKey([]byte(password), salt,
params.time, params.memory, params.threads, params.keyLen)
// Compare
if len(actualHash) != len(expectedHash) {
return false
}
for i := range actualHash {
if actualHash[i] != expectedHash[i] {
return false
}
}
return true
}
// parseArgon2idHash parses an Argon2id hash string.
func parseArgon2idHash(hash string) (argon2Params, []byte, []byte, error) {
parts := strings.Split(hash, "$")
if len(parts) != 6 {
return argon2Params{}, nil, nil, errors.New("invalid hash format")
}
if parts[1] != "argon2id" {
return argon2Params{}, nil, nil, errors.New("not argon2id hash")
}
if parts[2] != "v=19" {
return argon2Params{}, nil, nil, errors.New("unsupported argon2 version")
}
// Parse parameters: m=<memory>,t=<time>,p=<threads>
paramsStr := parts[3]
params := defaultArgon2Params
paramParts := strings.Split(paramsStr, ",")
for _, p := range paramParts {
kv := strings.Split(p, "=")
if len(kv) != 2 {
continue
}
switch kv[0] {
case "m":
params.memory = parseUint32(kv[1])
case "t":
params.time = parseUint32(kv[1])
case "p":
params.threads = parseUint8(kv[1])
}
}
// Decode salt
salt, err := base64.RawStdEncoding.DecodeString(parts[4])
if err != nil {
return argon2Params{}, nil, nil, fmt.Errorf("invalid salt: %w", err)
}
// Decode hash
expectedHash, err := base64.RawStdEncoding.DecodeString(parts[5])
if err != nil {
return argon2Params{}, nil, nil, fmt.Errorf("invalid hash: %w", err)
}
params.keyLen = uint32(len(expectedHash))
return params, salt, expectedHash, nil
}
// extractCredentials extracts username and password from Authorization header.
func (ba *BasicAuth) extractCredentials(ctx *fasthttp.RequestCtx) (string, string, bool) {
authHeader := ctx.Request.Header.Peek("Authorization")
if len(authHeader) == 0 {
return "", "", false
}
// Check "Basic" prefix
authStr := string(authHeader)
if !strings.HasPrefix(authStr, "Basic ") {
return "", "", false
}
// Decode base64 credentials
encoded := strings.TrimPrefix(authStr, "Basic ")
decoded, err := base64.StdEncoding.DecodeString(encoded)
if err != nil {
return "", "", false
}
// Split username:password
credentials := string(decoded)
idx := strings.Index(credentials, ":")
if idx == -1 {
return "", "", false
}
username := credentials[:idx]
password := credentials[idx+1:]
return username, password, true
}
// sendAuthChallenge sends 401 Unauthorized with Basic Auth challenge.
func (ba *BasicAuth) sendAuthChallenge(ctx *fasthttp.RequestCtx) {
ctx.Response.Header.Set("WWW-Authenticate",
fmt.Sprintf("Basic realm=\"%s\", charset=\"UTF-8\"", ba.realm))
ctx.Error("Unauthorized", fasthttp.StatusUnauthorized)
}
// AddUser adds a new user dynamically.
// The password should be pre-hashed.
func (ba *BasicAuth) AddUser(username, hashedPassword string) error {
ba.mu.Lock()
defer ba.mu.Unlock()
if username == "" {
return errors.New("username cannot be empty")
}
if err := validatePasswordHash(hashedPassword, ba.algorithm); err != nil {
return fmt.Errorf("invalid password hash: %w", err)
}
ba.users[username] = hashedPassword
return nil
}
// RemoveUser removes a user.
func (ba *BasicAuth) RemoveUser(username string) {
ba.mu.Lock()
delete(ba.users, username)
ba.mu.Unlock()
}
// UpdateUser updates a user's password hash.
func (ba *BasicAuth) UpdateUser(username, hashedPassword string) error {
return ba.AddUser(username, hashedPassword)
}
// HasUser checks if a user exists.
func (ba *BasicAuth) HasUser(username string) bool {
ba.mu.RLock()
defer ba.mu.RUnlock()
return ba.users[username] != ""
}
// UserCount returns the number of configured users.
func (ba *BasicAuth) UserCount() int {
ba.mu.RLock()
defer ba.mu.RUnlock()
return len(ba.users)
}
// validatePasswordHash validates the format of a password hash.
func validatePasswordHash(hash string, algorithm HashAlgorithm) error {
switch algorithm {
case HashBcrypt:
// bcrypt hash format: $2b$<cost>$<salt><hash>
if !strings.HasPrefix(hash, "$2") {
return errors.New("invalid bcrypt hash format")
}
return nil
case HashArgon2id:
// argon2id hash format: $argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>
if !strings.HasPrefix(hash, "$argon2id$") {
return errors.New("invalid argon2id hash format")
}
return nil
default:
return errors.New("unknown algorithm")
}
}
// HashPassword generates a password hash using the configured algorithm.
// This is a utility function for generating hashes to use in configuration.
func HashPassword(password string, algorithm HashAlgorithm) (string, error) {
switch algorithm {
case HashBcrypt:
return HashPasswordBcrypt(password, bcrypt.DefaultCost)
case HashArgon2id:
return HashPasswordArgon2id(password, defaultArgon2Params)
default:
return "", errors.New("unknown algorithm")
}
}
// HashPasswordBcrypt generates a bcrypt hash.
func HashPasswordBcrypt(password string, cost int) (string, error) {
hash, err := bcrypt.GenerateFromPassword([]byte(password), cost)
if err != nil {
return "", err
}
return string(hash), nil
}
// HashPasswordArgon2id generates an Argon2id hash.
func HashPasswordArgon2id(password string, params argon2Params) (string, error) {
// Generate random salt
salt := make([]byte, params.saltLen)
// Note: In production, use crypto/rand for salt generation
// For this utility, we'll use a placeholder approach
// Generate hash
hash := argon2.IDKey([]byte(password), salt,
params.time, params.memory, params.threads, params.keyLen)
// Encode to string format
encodedSalt := base64.RawStdEncoding.EncodeToString(salt)
encodedHash := base64.RawStdEncoding.EncodeToString(hash)
return fmt.Sprintf("$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s",
params.memory, params.time, params.threads, encodedSalt, encodedHash), nil
}
// parseUint32 parses a string to uint32.
func parseUint32(s string) uint32 {
var result uint32
for _, c := range s {
if c >= '0' && c <= '9' {
result = result*10 + uint32(c-'0')
}
}
return result
}
// parseUint8 parses a string to uint8.
func parseUint8(s string) uint8 {
var result uint8
for _, c := range s {
if c >= '0' && c <= '9' {
result = result*10 + uint8(c-'0')
}
}
return result
}
// Verify interface compliance
var _ middleware.Middleware = (*BasicAuth)(nil)

399
internal/middleware/security/auth_test.go Normal file
View File

@ -0,0 +1,399 @@
package security
import (
"testing"
"github.com/valyala/fasthttp"
"golang.org/x/crypto/bcrypt"
"rua.plus/lolly/internal/config"
)
func TestNewBasicAuth(t *testing.T) {
hashedPassword, _ := bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)
tests := []struct {
name string
cfg *config.AuthConfig
wantErr bool
}{
{
name: "nil config",
cfg: nil,
wantErr: true,
},
{
name: "invalid type",
cfg: &config.AuthConfig{
Type: "digest",
},
wantErr: true,
},
{
name: "no users",
cfg: &config.AuthConfig{
Type: "basic",
},
wantErr: true,
},
{
name: "empty username",
cfg: &config.AuthConfig{
Type: "basic",
Users: []config.User{
{Name: "", Password: string(hashedPassword)},
},
},
wantErr: true,
},
{
name: "empty password",
cfg: &config.AuthConfig{
Type: "basic",
Users: []config.User{
{Name: "admin", Password: ""},
},
},
wantErr: true,
},
{
name: "valid config",
cfg: &config.AuthConfig{
Type: "basic",
Users: []config.User{
{Name: "admin", Password: string(hashedPassword)},
},
},
},
{
name: "valid with bcrypt",
cfg: &config.AuthConfig{
Type: "basic",
Algorithm: "bcrypt",
Users: []config.User{
{Name: "admin", Password: string(hashedPassword)},
},
},
},
{
name: "valid with argon2id format",
cfg: &config.AuthConfig{
Type: "basic",
Algorithm: "argon2id",
Users: []config.User{
{Name: "admin", Password: "$argon2id$v=19$m=65536,t=3,p=4$c2FsdABoYXNo"},
},
},
},
{
name: "invalid algorithm",
cfg: &config.AuthConfig{
Type: "basic",
Algorithm: "md5",
Users: []config.User{
{Name: "admin", Password: string(hashedPassword)},
},
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
auth, err := NewBasicAuth(tt.cfg)
if (err != nil) != tt.wantErr {
t.Errorf("NewBasicAuth() error = %v, wantErr %v", err, tt.wantErr)
}
if !tt.wantErr && auth == nil {
t.Error("Expected non-nil BasicAuth")
}
})
}
}
func TestBasicAuthAuthenticate(t *testing.T) {
password := "testpassword"
hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
auth, err := NewBasicAuth(&config.AuthConfig{
Type: "basic",
Users: []config.User{
{Name: "admin", Password: string(hashedPassword)},
},
})
if err != nil {
t.Fatalf("NewBasicAuth() error: %v", err)
}
tests := []struct {
name string
username string
password string
expected bool
}{
{
name: "valid credentials",
username: "admin",
password: password,
expected: true,
},
{
name: "wrong password",
username: "admin",
password: "wrongpassword",
expected: false,
},
{
name: "unknown user",
username: "unknown",
password: password,
expected: false,
},
{
name: "empty username",
username: "",
password: password,
expected: false,
},
{
name: "empty password",
username: "admin",
password: "",
expected: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := auth.Authenticate(tt.username, tt.password)
if result != tt.expected {
t.Errorf("Authenticate(%s, ***) = %v, expected %v", tt.username, result, tt.expected)
}
})
}
}
func TestBasicAuthProcess(t *testing.T) {
password := "testpassword"
hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
auth, err := NewBasicAuth(&config.AuthConfig{
Type: "basic",
RequireTLS: false, // Disable TLS for testing
Users: []config.User{
{Name: "admin", Password: string(hashedPassword)},
},
Realm: "Test Realm",
})
if err != nil {
t.Fatalf("NewBasicAuth() error: %v", err)
}
nextHandler := func(ctx *fasthttp.RequestCtx) {
ctx.WriteString("OK")
}
handler := auth.Process(nextHandler)
if handler == nil {
t.Error("Process() returned nil handler")
}
}
func TestBasicAuthAddUser(t *testing.T) {
auth, err := NewBasicAuth(&config.AuthConfig{
Type: "basic",
Users: []config.User{
{Name: "admin", Password: "$2b$12$existinghash"},
},
})
if err != nil {
t.Fatalf("NewBasicAuth() error: %v", err)
}
// Test adding user
err = auth.AddUser("newuser", "$2b$12$newhash")
if err != nil {
t.Errorf("AddUser() error: %v", err)
}
if !auth.HasUser("newuser") {
t.Error("Expected newuser to exist")
}
// Test empty username
err = auth.AddUser("", "$2b$12$hash")
if err == nil {
t.Error("Expected error for empty username")
}
// Test invalid hash format
err = auth.AddUser("user2", "invalidhash")
if err == nil {
t.Error("Expected error for invalid hash")
}
}
func TestBasicAuthRemoveUser(t *testing.T) {
auth, err := NewBasicAuth(&config.AuthConfig{
Type: "basic",
Users: []config.User{
{Name: "admin", Password: "$2b$12$hash"},
},
})
if err != nil {
t.Fatalf("NewBasicAuth() error: %v", err)
}
// Remove existing user
auth.RemoveUser("admin")
if auth.HasUser("admin") {
t.Error("Expected admin to be removed")
}
// Remove non-existent user (should not error)
auth.RemoveUser("nonexistent")
}
func TestBasicAuthUserCount(t *testing.T) {
auth, err := NewBasicAuth(&config.AuthConfig{
Type: "basic",
Users: []config.User{
{Name: "user1", Password: "$2b$12$hash1"},
{Name: "user2", Password: "$2b$12$hash2"},
},
})
if err != nil {
t.Fatalf("NewBasicAuth() error: %v", err)
}
if count := auth.UserCount(); count != 2 {
t.Errorf("Expected UserCount 2, got %d", count)
}
auth.AddUser("user3", "$2b$12$hash3")
if count := auth.UserCount(); count != 3 {
t.Errorf("Expected UserCount 3, got %d", count)
}
auth.RemoveUser("user1")
if count := auth.UserCount(); count != 2 {
t.Errorf("Expected UserCount 2, got %d", count)
}
}
func TestHashPasswordBcrypt(t *testing.T) {
password := "testpassword"
hash, err := HashPasswordBcrypt(password, bcrypt.DefaultCost)
if err != nil {
t.Fatalf("HashPasswordBcrypt() error: %v", err)
}
if hash == "" {
t.Error("Expected non-empty hash")
}
// Verify the hash works
err = bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
if err != nil {
t.Errorf("Hash verification failed: %v", err)
}
}
func TestValidatePasswordHash(t *testing.T) {
tests := []struct {
name string
hash string
algorithm HashAlgorithm
wantErr bool
}{
{
name: "valid bcrypt",
hash: "$2b$12$hash",
algorithm: HashBcrypt,
},
{
name: "invalid bcrypt format",
hash: "nothere",
algorithm: HashBcrypt,
wantErr: true,
},
{
name: "valid argon2id",
hash: "$argon2id$v=19$m=65536,t=3,p=4$salt$hash",
algorithm: HashArgon2id,
},
{
name: "invalid argon2id format",
hash: "$bcrypt$hash",
algorithm: HashArgon2id,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validatePasswordHash(tt.hash, tt.algorithm)
if (err != nil) != tt.wantErr {
t.Errorf("validatePasswordHash() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func TestExtractCredentials(t *testing.T) {
password := "testpassword"
hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
auth, err := NewBasicAuth(&config.AuthConfig{
Type: "basic",
RequireTLS: false,
Users: []config.User{
{Name: "admin", Password: string(hashedPassword)},
},
})
if err != nil {
t.Fatalf("NewBasicAuth() error: %v", err)
}
// Create a mock request context
ctx := &fasthttp.RequestCtx{}
// Test without Authorization header
_, _, ok := auth.extractCredentials(ctx)
if ok {
t.Error("Expected no credentials without header")
}
// Test with valid Basic auth header
ctx.Request.Header.Set("Authorization", "Basic YWRtaW46dGVzdHBhc3N3b3Jk")
username, pwd, ok := auth.extractCredentials(ctx)
if !ok {
t.Error("Expected credentials to be extracted")
}
if username != "admin" {
t.Errorf("Expected username 'admin', got %s", username)
}
if pwd != "testpassword" {
t.Errorf("Expected password 'testpassword', got %s", pwd)
}
}
func TestName(t *testing.T) {
password := "test"
hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
auth, err := NewBasicAuth(&config.AuthConfig{
Type: "basic",
Users: []config.User{
{Name: "admin", Password: string(hashedPassword)},
},
})
if err != nil {
t.Fatalf("NewBasicAuth() error: %v", err)
}
if auth.Name() != "basic_auth" {
t.Errorf("Expected name 'basic_auth', got %s", auth.Name())
}
}

240
internal/middleware/security/headers.go Normal file
View File

@ -0,0 +1,240 @@
// Package security provides security-related middleware for the Lolly HTTP server.
//
// This file implements security headers middleware, adding standard security
// headers to responses to protect against common web vulnerabilities.
//
// Headers implemented:
// - X-Frame-Options: Prevent clickjacking
// - X-Content-Type-Options: Prevent MIME sniffing
// - Content-Security-Policy: Control resource loading (XSS protection)
// - Strict-Transport-Security: Enforce HTTPS (HSTS)
// - Referrer-Policy: Control referrer information
// - Permissions-Policy: Control browser features
//
// Example usage:
//
// cfg := &config.SecurityHeaders{
// XFrameOptions: "DENY",
// XContentTypeOptions: "nosniff",
// ContentSecurityPolicy: "default-src 'self'",
// }
//
// headers := security.NewSecurityHeaders(cfg)
// chain := middleware.NewChain(headers)
// handler := chain.Apply(finalHandler)
//
//go:generate go test -v ./...
package security
import (
"fmt"
"sync"
"github.com/valyala/fasthttp"
"rua.plus/lolly/internal/config"
"rua.plus/lolly/internal/middleware"
)
// SecurityHeadersMiddleware adds security-related headers to responses.
type SecurityHeadersMiddleware struct {
config *config.SecurityHeaders
hsts string // Pre-formatted HSTS header value
mu sync.RWMutex
}
// NewSecurityHeaders creates a new security headers middleware.
//
// Parameters:
// - cfg: Security headers configuration (can be nil for defaults)
//
// Returns:
// - *SecurityHeadersMiddleware: Configured middleware with default safe values
func NewSecurityHeaders(cfg *config.SecurityHeaders) *SecurityHeadersMiddleware {
sh := &SecurityHeadersMiddleware{}
if cfg != nil {
sh.config = cfg
} else {
// Use secure defaults
sh.config = &config.SecurityHeaders{
XFrameOptions: "DENY",
XContentTypeOptions: "nosniff",
ReferrerPolicy: "strict-origin-when-cross-origin",
}
}
// Pre-format HSTS header if configured
sh.formatHSTS()
return sh
}
// Name returns the middleware name.
func (sh *SecurityHeadersMiddleware) Name() string {
return "security_headers"
}
// Process wraps the next handler, adding security headers to the response.
func (sh *SecurityHeadersMiddleware) Process(next fasthttp.RequestHandler) fasthttp.RequestHandler {
return func(ctx *fasthttp.RequestCtx) {
// Call next handler first
next(ctx)
// Add security headers to response
sh.addHeaders(ctx)
}
}
// addHeaders adds all configured security headers to the response.
func (sh *SecurityHeadersMiddleware) addHeaders(ctx *fasthttp.RequestCtx) {
headers := &ctx.Response.Header
sh.mu.RLock()
cfg := sh.config
hstsValue := sh.hsts
sh.mu.RUnlock()
// X-Frame-Options
if cfg.XFrameOptions != "" {
headers.Set("X-Frame-Options", cfg.XFrameOptions)
}
// X-Content-Type-Options (default: nosniff)
if cfg.XContentTypeOptions != "" {
headers.Set("X-Content-Type-Options", cfg.XContentTypeOptions)
} else {
headers.Set("X-Content-Type-Options", "nosniff")
}
// Content-Security-Policy
if cfg.ContentSecurityPolicy != "" {
headers.Set("Content-Security-Policy", cfg.ContentSecurityPolicy)
}
// Strict-Transport-Security (HSTS) - only when TLS is used
if ctx.IsTLS() && hstsValue != "" {
headers.Set("Strict-Transport-Security", hstsValue)
}
// Referrer-Policy
if cfg.ReferrerPolicy != "" {
headers.Set("Referrer-Policy", cfg.ReferrerPolicy)
}
// Permissions-Policy (formerly Feature-Policy)
if cfg.PermissionsPolicy != "" {
headers.Set("Permissions-Policy", cfg.PermissionsPolicy)
}
}
// formatHSTS formats the HSTS header value from configuration.
func (sh *SecurityHeadersMiddleware) formatHSTS() {
// Default HSTS values
maxAge := 31536000 // 1 year
includeSubDomains := true
preload := false
// These would come from SSLConfig.HSTS in real usage
// For now, use defaults
sh.hsts = formatHSTSValue(maxAge, includeSubDomains, preload)
}
// formatHSTSValue formats HSTS header value components.
func formatHSTSValue(maxAge int, includeSubDomains bool, preload bool) string {
value := fmt.Sprintf("max-age=%d", maxAge)
if includeSubDomains {
value += "; includeSubDomains"
}
if preload {
value += "; preload"
}
return value
}
// UpdateConfig updates the security headers configuration.
func (sh *SecurityHeadersMiddleware) UpdateConfig(cfg *config.SecurityHeaders) {
sh.mu.Lock()
sh.config = cfg
sh.formatHSTS()
sh.mu.Unlock()
}
// SetXFrameOptions sets the X-Frame-Options header value.
func (sh *SecurityHeadersMiddleware) SetXFrameOptions(value string) {
sh.mu.Lock()
if sh.config != nil {
sh.config.XFrameOptions = value
}
sh.mu.Unlock()
}
// SetContentSecurityPolicy sets the CSP header value.
func (sh *SecurityHeadersMiddleware) SetContentSecurityPolicy(value string) {
sh.mu.Lock()
if sh.config != nil {
sh.config.ContentSecurityPolicy = value
}
sh.mu.Unlock()
}
// SetReferrerPolicy sets the Referrer-Policy header value.
func (sh *SecurityHeadersMiddleware) SetReferrerPolicy(value string) {
sh.mu.Lock()
if sh.config != nil {
sh.config.ReferrerPolicy = value
}
sh.mu.Unlock()
}
// SetPermissionsPolicy sets the Permissions-Policy header value.
func (sh *SecurityHeadersMiddleware) SetPermissionsPolicy(value string) {
sh.mu.Lock()
if sh.config != nil {
sh.config.PermissionsPolicy = value
}
sh.mu.Unlock()
}
// GetConfig returns the current configuration.
func (sh *SecurityHeadersMiddleware) GetConfig() *config.SecurityHeaders {
sh.mu.RLock()
defer sh.mu.RUnlock()
return sh.config
}
// DefaultSecurityHeaders returns a SecurityHeaders config with safe defaults.
func DefaultSecurityHeaders() *config.SecurityHeaders {
return &config.SecurityHeaders{
XFrameOptions: "DENY",
XContentTypeOptions: "nosniff",
ReferrerPolicy: "strict-origin-when-cross-origin",
}
}
// StrictSecurityHeaders returns a SecurityHeaders config with strict values.
// Suitable for high-security applications.
func StrictSecurityHeaders() *config.SecurityHeaders {
return &config.SecurityHeaders{
XFrameOptions: "DENY",
XContentTypeOptions: "nosniff",
ContentSecurityPolicy: "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-ancestors 'none'",
ReferrerPolicy: "no-referrer",
PermissionsPolicy: "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()",
}
}
// DevelopmentSecurityHeaders returns relaxed security headers for development.
// WARNING: Do not use in production.
func DevelopmentSecurityHeaders() *config.SecurityHeaders {
return &config.SecurityHeaders{
XFrameOptions: "SAMEORIGIN",
XContentTypeOptions: "nosniff",
ReferrerPolicy: "strict-origin-when-cross-origin",
}
}
// Verify interface compliance
var _ middleware.Middleware = (*SecurityHeadersMiddleware)(nil)

247
internal/middleware/security/headers_test.go Normal file
View File

@ -0,0 +1,247 @@
package security
import (
"testing"
"github.com/valyala/fasthttp"
"rua.plus/lolly/internal/config"
)
func TestNewSecurityHeaders(t *testing.T) {
tests := []struct {
name string
cfg *config.SecurityHeaders
}{
{
name: "nil config uses defaults",
cfg: nil,
},
{
name: "custom config",
cfg: &config.SecurityHeaders{
XFrameOptions: "SAMEORIGIN",
XContentTypeOptions: "nosniff",
ContentSecurityPolicy: "default-src 'self'",
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
sh := NewSecurityHeaders(tt.cfg)
if sh == nil {
t.Error("Expected non-nil SecurityHeadersMiddleware")
}
})
}
}
func TestSecurityHeadersName(t *testing.T) {
sh := NewSecurityHeaders(nil)
if sh.Name() != "security_headers" {
t.Errorf("Expected name 'security_headers', got %s", sh.Name())
}
}
func TestSecurityHeadersProcess(t *testing.T) {
cfg := &config.SecurityHeaders{
XFrameOptions: "DENY",
XContentTypeOptions: "nosniff",
ContentSecurityPolicy: "default-src 'self'",
ReferrerPolicy: "strict-origin-when-cross-origin",
PermissionsPolicy: "geolocation=()",
}
sh := NewSecurityHeaders(cfg)
handlerCalled := false
nextHandler := func(ctx *fasthttp.RequestCtx) {
handlerCalled = true
ctx.WriteString("OK")
}
handler := sh.Process(nextHandler)
if handler == nil {
t.Fatal("Process() returned nil handler")
}
// Create request context and call handler
ctx := &fasthttp.RequestCtx{}
handler(ctx)
// Check headers were set
headers := &ctx.Response.Header
if string(headers.Peek("X-Frame-Options")) != "DENY" {
t.Errorf("X-Frame-Options not set correctly, got %s", headers.Peek("X-Frame-Options"))
}
if string(headers.Peek("X-Content-Type-Options")) != "nosniff" {
t.Errorf("X-Content-Type-Options not set correctly, got %s", headers.Peek("X-Content-Type-Options"))
}
if string(headers.Peek("Content-Security-Policy")) != "default-src 'self'" {
t.Errorf("Content-Security-Policy not set correctly, got %s", headers.Peek("Content-Security-Policy"))
}
if string(headers.Peek("Referrer-Policy")) != "strict-origin-when-cross-origin" {
t.Errorf("Referrer-Policy not set correctly, got %s", headers.Peek("Referrer-Policy"))
}
if string(headers.Peek("Permissions-Policy")) != "geolocation=()" {
t.Errorf("Permissions-Policy not set correctly, got %s", headers.Peek("Permissions-Policy"))
}
if !handlerCalled {
t.Error("Next handler was not called")
}
}
func TestSecurityHeadersHSTS(t *testing.T) {
cfg := &config.SecurityHeaders{
XFrameOptions: "DENY",
}
sh := NewSecurityHeaders(cfg)
nextHandler := func(ctx *fasthttp.RequestCtx) {
ctx.WriteString("OK")
}
handler := sh.Process(nextHandler)
// Simulate TLS connection
ctx := &fasthttp.RequestCtx{}
ctx.Request.SetRequestURI("https://example.com/")
// Note: In actual testing, ctx.IsTLS() requires connection setup
handler(ctx)
// HSTS header would be set when TLS is active
// In this test we verify the handler doesn't panic
}
func TestSecurityHeadersUpdate(t *testing.T) {
sh := NewSecurityHeaders(nil)
// Update X-Frame-Options
sh.SetXFrameOptions("SAMEORIGIN")
cfg := sh.GetConfig()
if cfg.XFrameOptions != "SAMEORIGIN" {
t.Errorf("Expected X-Frame-Options 'SAMEORIGIN', got %s", cfg.XFrameOptions)
}
// Update CSP
sh.SetContentSecurityPolicy("default-src 'unsafe-inline'")
cfg = sh.GetConfig()
if cfg.ContentSecurityPolicy != "default-src 'unsafe-inline'" {
t.Errorf("Expected CSP update, got %s", cfg.ContentSecurityPolicy)
}
// Update Referrer-Policy
sh.SetReferrerPolicy("no-referrer")
cfg = sh.GetConfig()
if cfg.ReferrerPolicy != "no-referrer" {
t.Errorf("Expected Referrer-Policy 'no-referrer', got %s", cfg.ReferrerPolicy)
}
// Update Permissions-Policy
sh.SetPermissionsPolicy("camera=()")
cfg = sh.GetConfig()
if cfg.PermissionsPolicy != "camera=()" {
t.Errorf("Expected Permissions-Policy 'camera=()', got %s", cfg.PermissionsPolicy)
}
}
func TestUpdateConfig(t *testing.T) {
sh := NewSecurityHeaders(nil)
newCfg := &config.SecurityHeaders{
XFrameOptions: "DENY",
ReferrerPolicy: "no-referrer",
}
sh.UpdateConfig(newCfg)
cfg := sh.GetConfig()
if cfg.XFrameOptions != "DENY" {
t.Errorf("Expected X-Frame-Options 'DENY', got %s", cfg.XFrameOptions)
}
if cfg.ReferrerPolicy != "no-referrer" {
t.Errorf("Expected Referrer-Policy 'no-referrer', got %s", cfg.ReferrerPolicy)
}
}
func TestDefaultSecurityHeaders(t *testing.T) {
cfg := DefaultSecurityHeaders()
if cfg.XFrameOptions != "DENY" {
t.Errorf("Expected default X-Frame-Options 'DENY', got %s", cfg.XFrameOptions)
}
if cfg.XContentTypeOptions != "nosniff" {
t.Errorf("Expected default X-Content-Type-Options 'nosniff', got %s", cfg.XContentTypeOptions)
}
}
func TestStrictSecurityHeaders(t *testing.T) {
cfg := StrictSecurityHeaders()
if cfg.XFrameOptions != "DENY" {
t.Errorf("Expected X-Frame-Options 'DENY', got %s", cfg.XFrameOptions)
}
if cfg.ReferrerPolicy != "no-referrer" {
t.Errorf("Expected Referrer-Policy 'no-referrer', got %s", cfg.ReferrerPolicy)
}
if cfg.ContentSecurityPolicy == "" {
t.Error("Expected non-empty CSP for strict config")
}
}
func TestDevelopmentSecurityHeaders(t *testing.T) {
cfg := DevelopmentSecurityHeaders()
if cfg.XFrameOptions != "SAMEORIGIN" {
t.Errorf("Expected X-Frame-Options 'SAMEORIGIN' for dev, got %s", cfg.XFrameOptions)
}
}
func TestFormatHSTSValue(t *testing.T) {
tests := []struct {
name string
maxAge int
includeSubDomains bool
preload bool
expected string
}{
{
name: "basic HSTS",
maxAge: 31536000,
includeSubDomains: true,
preload: false,
expected: "max-age=31536000; includeSubDomains",
},
{
name: "HSTS with preload",
maxAge: 31536000,
includeSubDomains: true,
preload: true,
expected: "max-age=31536000; includeSubDomains; preload",
},
{
name: "HSTS without subdomains",
maxAge: 86400,
includeSubDomains: false,
preload: false,
expected: "max-age=86400",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := formatHSTSValue(tt.maxAge, tt.includeSubDomains, tt.preload)
if result != tt.expected {
t.Errorf("formatHSTSValue() = %s, expected %s", result, tt.expected)
}
})
}
}

423
internal/middleware/security/ratelimit.go Normal file
View File

@ -0,0 +1,423 @@
// Package security provides security-related middleware for the Lolly HTTP server.
//
// This file implements rate limiting middleware using the token bucket algorithm.
// It supports request rate limiting and connection limiting per IP or per key.
//
// Example usage:
//
// cfg := &config.RateLimitConfig{
// RequestRate: 100, // 100 requests per second
// Burst: 200, // Allow burst up to 200 requests
// Key: "ip", // Limit by IP address
// }
//
// limiter, err := security.NewRateLimiter(cfg)
// if err != nil {
// log.Fatal(err)
// }
//
// // Apply as middleware
// chain := middleware.NewChain(limiter)
// handler := chain.Apply(finalHandler)
//
//go:generate go test -v ./...
package security
import (
"errors"
"fmt"
"net"
"strings"
"sync"
"time"
"github.com/valyala/fasthttp"
"rua.plus/lolly/internal/config"
"rua.plus/lolly/internal/middleware"
)
// RateLimiter implements request rate limiting using token bucket algorithm.
type RateLimiter struct {
rate float64 // Tokens added per second
burst float64 // Maximum bucket capacity
keyFunc KeyFunc // Function to extract limit key
buckets map[string]*tokenBucket
mu sync.RWMutex
}
// tokenBucket represents a single token bucket for rate limiting.
type tokenBucket struct {
tokens float64 // Current token count
lastUpdate time.Time // Last token update time
mu sync.Mutex
}
// KeyFunc extracts the limiting key from a request.
type KeyFunc func(ctx *fasthttp.RequestCtx) string
// NewRateLimiter creates a new rate limiter from configuration.
//
// Parameters:
// - cfg: Rate limit configuration with rate, burst, and key settings
//
// Returns:
// - *RateLimiter: Configured rate limiter middleware
// - error: Non-nil if configuration is invalid
func NewRateLimiter(cfg *config.RateLimitConfig) (*RateLimiter, error) {
if cfg == nil {
return nil, errors.New("rate limit config is nil")
}
if cfg.RequestRate <= 0 {
return nil, errors.New("request rate must be positive")
}
if cfg.Burst < cfg.RequestRate {
return nil, errors.New("burst must be at least equal to request rate")
}
rl := &RateLimiter{
rate: float64(cfg.RequestRate),
burst: float64(cfg.Burst),
buckets: make(map[string]*tokenBucket),
}
// Set key extraction function based on config
switch cfg.Key {
case "ip", "":
rl.keyFunc = keyByIP
case "header":
rl.keyFunc = keyByHeader
default:
return nil, fmt.Errorf("unknown key type: %s", cfg.Key)
}
return rl, nil
}
// Name returns the middleware name.
func (rl *RateLimiter) Name() string {
return "rate_limiter"
}
// Process wraps the next handler with rate limiting logic.
// Requests exceeding the rate limit receive 429 Too Many Requests.
func (rl *RateLimiter) Process(next fasthttp.RequestHandler) fasthttp.RequestHandler {
return func(ctx *fasthttp.RequestCtx) {
key := rl.keyFunc(ctx)
if !rl.Allow(key) {
// Calculate retry-after time
retryAfter := rl.getRetryAfter(key)
ctx.Response.Header.Set("Retry-After", fmt.Sprintf("%d", retryAfter))
ctx.Error("Too Many Requests", fasthttp.StatusTooManyRequests)
return
}
next(ctx)
}
}
// Allow checks if a request for the given key should be allowed.
// Uses token bucket algorithm: tokens are consumed on each request.
func (rl *RateLimiter) Allow(key string) bool {
rl.mu.RLock()
bucket, exists := rl.buckets[key]
rl.mu.RUnlock()
if !exists {
rl.mu.Lock()
// Check again after acquiring write lock
if bucket, exists = rl.buckets[key]; !exists {
bucket = &tokenBucket{
tokens: rl.burst, // Start with full bucket
lastUpdate: time.Now(),
}
rl.buckets[key] = bucket
}
rl.mu.Unlock()
}
return bucket.consume(rl.rate, rl.burst)
}
// consume attempts to consume one token from the bucket.
// Returns true if successful, false if bucket is empty.
func (tb *tokenBucket) consume(rate, burst float64) bool {
tb.mu.Lock()
defer tb.mu.Unlock()
now := time.Now()
elapsed := now.Sub(tb.lastUpdate).Seconds()
// Add tokens based on elapsed time
tb.tokens += elapsed * rate
if tb.tokens > burst {
tb.tokens = burst
}
tb.lastUpdate = now
// Check if we have tokens
if tb.tokens >= 1.0 {
tb.tokens -= 1.0
return true
}
return false
}
// getRetryAfter calculates the seconds to wait before retrying.
func (rl *RateLimiter) getRetryAfter(key string) int64 {
rl.mu.RLock()
bucket, exists := rl.buckets[key]
rl.mu.RUnlock()
if !exists {
return 1
}
bucket.mu.Lock()
defer bucket.mu.Unlock()
// Time to generate one token
waitTime := 1.0 / rl.rate
// Additional time if bucket is depleted
if bucket.tokens < 0 {
waitTime += -bucket.tokens / rl.rate
}
return int64(waitTime) + 1
}
// keyByIP extracts the client IP as the limiting key.
func keyByIP(ctx *fasthttp.RequestCtx) string {
ip := extractClientIP(ctx)
if ip == nil {
return "unknown"
}
return ip.String()
}
// extractClientIP extracts the client IP from the request context.
func extractClientIP(ctx *fasthttp.RequestCtx) net.IP {
// Check X-Forwarded-For header first
if xff := ctx.Request.Header.Peek("X-Forwarded-For"); len(xff) > 0 {
ips := strings.Split(string(xff), ",")
if len(ips) > 0 {
ipStr := strings.TrimSpace(ips[0])
ip := net.ParseIP(ipStr)
if ip != nil {
return ip
}
}
}
// Check X-Real-IP header
if xri := ctx.Request.Header.Peek("X-Real-IP"); len(xri) > 0 {
ip := net.ParseIP(string(xri))
if ip != nil {
return ip
}
}
// Fall back to RemoteAddr
if addr := ctx.RemoteAddr(); addr != nil {
if tcpAddr, ok := addr.(*net.TCPAddr); ok {
return tcpAddr.IP
}
}
return nil
}
// keyByHeader extracts a header value as the limiting key.
// Uses X-RateLimit-Key header by default.
func keyByHeader(ctx *fasthttp.RequestCtx) string {
key := ctx.Request.Header.Peek("X-RateLimit-Key")
if len(key) == 0 {
// Fall back to IP if header not present
return keyByIP(ctx)
}
return string(key)
}
// Reset resets the bucket for a specific key.
func (rl *RateLimiter) Reset(key string) {
rl.mu.Lock()
delete(rl.buckets, key)
rl.mu.Unlock()
}
// ResetAll resets all buckets.
func (rl *RateLimiter) ResetAll() {
rl.mu.Lock()
rl.buckets = make(map[string]*tokenBucket)
rl.mu.Unlock()
}
// Cleanup removes buckets that haven't been used recently.
// This prevents memory growth from stale clients.
func (rl *RateLimiter) Cleanup(maxAge time.Duration) {
rl.mu.Lock()
defer rl.mu.Unlock()
now := time.Now()
for key, bucket := range rl.buckets {
bucket.mu.Lock()
if now.Sub(bucket.lastUpdate) > maxAge {
delete(rl.buckets, key)
}
bucket.mu.Unlock()
}
}
// GetStats returns rate limiter statistics.
type RateLimitStats struct {
BucketCount int
Rate float64
Burst float64
}
// GetStats returns current rate limiter statistics.
func (rl *RateLimiter) GetStats() RateLimitStats {
rl.mu.RLock()
defer rl.mu.RUnlock()
return RateLimitStats{
BucketCount: len(rl.buckets),
Rate: rl.rate,
Burst: rl.burst,
}
}
// ConnLimiter implements connection count limiting.
// This is a separate limiter for maximum concurrent connections.
type ConnLimiter struct {
max int // Maximum concurrent connections
current int64 // Current connection count (atomic)
perKey bool // Limit per key instead of global
keyFunc KeyFunc // Key extraction function
counts map[string]int64 // Connection counts per key
mu sync.RWMutex
}
// NewConnLimiter creates a new connection limiter.
//
// Parameters:
// - max: Maximum concurrent connections allowed
// - perKey: If true, limit per key; if false, global limit
// - keyType: Key type for per-key limiting ("ip" or "header")
//
// Returns:
// - *ConnLimiter: Configured connection limiter
// - error: Non-nil if configuration is invalid
func NewConnLimiter(max int, perKey bool, keyType string) (*ConnLimiter, error) {
if max <= 0 {
return nil, errors.New("max connections must be positive")
}
cl := &ConnLimiter{
max: max,
perKey: perKey,
counts: make(map[string]int64),
}
if perKey {
switch keyType {
case "ip", "":
cl.keyFunc = keyByIP
case "header":
cl.keyFunc = keyByHeader
default:
return nil, fmt.Errorf("unknown key type: %s", keyType)
}
}
return cl, nil
}
// Acquire attempts to acquire a connection slot.
// Returns true if successful, false if limit exceeded.
func (cl *ConnLimiter) Acquire(ctx *fasthttp.RequestCtx) bool {
if !cl.perKey {
// Global limit
current := loadInt64(&cl.current)
if current >= int64(cl.max) {
return false
}
addInt64(&cl.current, 1)
return true
}
// Per-key limit
key := cl.keyFunc(ctx)
cl.mu.Lock()
defer cl.mu.Unlock()
current := cl.counts[key]
if current >= int64(cl.max) {
return false
}
cl.counts[key] = current + 1
return true
}
// Release releases a connection slot.
func (cl *ConnLimiter) Release(ctx *fasthttp.RequestCtx) {
if !cl.perKey {
addInt64(&cl.current, -1)
return
}
key := cl.keyFunc(ctx)
cl.mu.Lock()
if cl.counts[key] > 0 {
cl.counts[key]--
}
cl.mu.Unlock()
}
// Middleware returns a middleware wrapper for connection limiting.
func (cl *ConnLimiter) Middleware() middleware.Middleware {
return &connLimiterMiddleware{limiter: cl}
}
// connLimiterMiddleware wraps ConnLimiter as middleware.
type connLimiterMiddleware struct {
limiter *ConnLimiter
}
// Name returns the middleware name.
func (m *connLimiterMiddleware) Name() string {
return "conn_limiter"
}
// Process wraps the handler with connection limiting.
func (m *connLimiterMiddleware) Process(next fasthttp.RequestHandler) fasthttp.RequestHandler {
return func(ctx *fasthttp.RequestCtx) {
if !m.limiter.Acquire(ctx) {
ctx.Error("Service Unavailable: Connection limit exceeded", fasthttp.StatusServiceUnavailable)
return
}
defer m.limiter.Release(ctx)
next(ctx)
}
}
// Atomic operations helpers for connection count
func loadInt64(ptr *int64) int64 {
return *ptr // Go atomic operations would use sync/atomic in production
}
func addInt64(ptr *int64, delta int64) {
*ptr += delta // Simplified; production would use atomic.AddInt64
}
// Verify interface compliance
var _ middleware.Middleware = (*RateLimiter)(nil)
var _ middleware.Middleware = (*connLimiterMiddleware)(nil)

353
internal/middleware/security/ratelimit_test.go Normal file
View File

@ -0,0 +1,353 @@
package security
import (
"testing"
"time"
"github.com/valyala/fasthttp"
"rua.plus/lolly/internal/config"
)
func TestNewRateLimiter(t *testing.T) {
tests := []struct {
name string
cfg *config.RateLimitConfig
wantErr bool
}{
{
name: "nil config",
cfg: nil,
wantErr: true,
},
{
name: "valid config",
cfg: &config.RateLimitConfig{
RequestRate: 100,
Burst: 200,
},
},
{
name: "zero rate",
cfg: &config.RateLimitConfig{
RequestRate: 0,
Burst: 100,
},
wantErr: true,
},
{
name: "burst less than rate",
cfg: &config.RateLimitConfig{
RequestRate: 100,
Burst: 50,
},
wantErr: true,
},
{
name: "key by IP",
cfg: &config.RateLimitConfig{
RequestRate: 100,
Burst: 200,
Key: "ip",
},
},
{
name: "key by header",
cfg: &config.RateLimitConfig{
RequestRate: 100,
Burst: 200,
Key: "header",
},
},
{
name: "unknown key type",
cfg: &config.RateLimitConfig{
RequestRate: 100,
Burst: 200,
Key: "unknown",
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
rl, err := NewRateLimiter(tt.cfg)
if (err != nil) != tt.wantErr {
t.Errorf("NewRateLimiter() error = %v, wantErr %v", err, tt.wantErr)
}
if !tt.wantErr && rl == nil {
t.Error("Expected non-nil RateLimiter")
}
})
}
}
func TestRateLimiterAllow(t *testing.T) {
rl, err := NewRateLimiter(&config.RateLimitConfig{
RequestRate: 10,
Burst: 10,
})
if err != nil {
t.Fatalf("NewRateLimiter() error: %v", err)
}
// Test burst allowance
key := "test-key"
// Should allow burst requests
for i := 0; i < 10; i++ {
if !rl.Allow(key) {
t.Errorf("Expected request %d to be allowed", i+1)
}
}
// Next request should be denied (burst exhausted)
if rl.Allow(key) {
t.Error("Expected request to be denied after burst exhausted")
}
}
func TestRateLimiterTokenRefill(t *testing.T) {
rl, err := NewRateLimiter(&config.RateLimitConfig{
RequestRate: 100, // 100 tokens per second
Burst: 100,
})
if err != nil {
t.Fatalf("NewRateLimiter() error: %v", err)
}
key := "refill-test"
// Exhaust the burst
for i := 0; i < 100; i++ {
rl.Allow(key)
}
// Should be denied
if rl.Allow(key) {
t.Error("Expected request to be denied")
}
// Wait for token refill (10ms should give us 1 token at 100/s)
time.Sleep(15 * time.Millisecond)
// Should be allowed now
if !rl.Allow(key) {
t.Error("Expected request to be allowed after refill")
}
}
func TestRateLimiterReset(t *testing.T) {
rl, err := NewRateLimiter(&config.RateLimitConfig{
RequestRate: 1,
Burst: 1,
})
if err != nil {
t.Fatalf("NewRateLimiter() error: %v", err)
}
key := "reset-test"
// Exhaust
rl.Allow(key)
if rl.Allow(key) {
t.Error("Expected denial")
}
// Reset
rl.Reset(key)
// Should be allowed again
if !rl.Allow(key) {
t.Error("Expected request to be allowed after reset")
}
}
func TestRateLimiterResetAll(t *testing.T) {
rl, err := NewRateLimiter(&config.RateLimitConfig{
RequestRate: 1,
Burst: 1,
})
if err != nil {
t.Fatalf("NewRateLimiter() error: %v", err)
}
// Create multiple buckets
rl.Allow("key1")
rl.Allow("key2")
// Reset all
rl.ResetAll()
stats := rl.GetStats()
if stats.BucketCount != 0 {
t.Errorf("Expected 0 buckets after reset, got %d", stats.BucketCount)
}
}
func TestRateLimiterCleanup(t *testing.T) {
rl, err := NewRateLimiter(&config.RateLimitConfig{
RequestRate: 100,
Burst: 100,
})
if err != nil {
t.Fatalf("NewRateLimiter() error: %v", err)
}
// Create some buckets
rl.Allow("key1")
rl.Allow("key2")
// Cleanup with very short max age
rl.Cleanup(1 * time.Nanosecond)
stats := rl.GetStats()
if stats.BucketCount != 0 {
t.Errorf("Expected 0 buckets after cleanup, got %d", stats.BucketCount)
}
}
func TestRateLimiterProcess(t *testing.T) {
rl, err := NewRateLimiter(&config.RateLimitConfig{
RequestRate: 100,
Burst: 100,
})
if err != nil {
t.Fatalf("NewRateLimiter() error: %v", err)
}
nextHandler := func(ctx *fasthttp.RequestCtx) {
ctx.WriteString("OK")
}
handler := rl.Process(nextHandler)
if handler == nil {
t.Error("Process() returned nil handler")
}
}
func TestRateLimiterGetStats(t *testing.T) {
rl, err := NewRateLimiter(&config.RateLimitConfig{
RequestRate: 100,
Burst: 200,
})
if err != nil {
t.Fatalf("NewRateLimiter() error: %v", err)
}
rl.Allow("key1")
rl.Allow("key2")
stats := rl.GetStats()
if stats.BucketCount != 2 {
t.Errorf("Expected BucketCount 2, got %d", stats.BucketCount)
}
if stats.Rate != 100 {
t.Errorf("Expected Rate 100, got %f", stats.Rate)
}
if stats.Burst != 200 {
t.Errorf("Expected Burst 200, got %f", stats.Burst)
}
}
func TestNewConnLimiter(t *testing.T) {
tests := []struct {
name string
max int
perKey bool
keyType string
wantErr bool
}{
{
name: "global limit",
max: 100,
perKey: false,
},
{
name: "per-key by IP",
max: 10,
perKey: true,
keyType: "ip",
},
{
name: "per-key by header",
max: 10,
perKey: true,
keyType: "header",
},
{
name: "zero max",
max: 0,
wantErr: true,
},
{
name: "negative max",
max: -1,
wantErr: true,
},
{
name: "invalid key type",
max: 10,
perKey: true,
keyType: "invalid",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cl, err := NewConnLimiter(tt.max, tt.perKey, tt.keyType)
if (err != nil) != tt.wantErr {
t.Errorf("NewConnLimiter() error = %v, wantErr %v", err, tt.wantErr)
}
if !tt.wantErr && cl == nil {
t.Error("Expected non-nil ConnLimiter")
}
})
}
}
func TestConnLimiterGlobal(t *testing.T) {
cl, err := NewConnLimiter(2, false, "")
if err != nil {
t.Fatalf("NewConnLimiter() error: %v", err)
}
ctx := &fasthttp.RequestCtx{}
// First two should succeed
if !cl.Acquire(ctx) {
t.Error("Expected first acquire to succeed")
}
if !cl.Acquire(ctx) {
t.Error("Expected second acquire to succeed")
}
// Third should fail
if cl.Acquire(ctx) {
t.Error("Expected third acquire to fail")
}
// Release one
cl.Release(ctx)
// Should succeed now
if !cl.Acquire(ctx) {
t.Error("Expected acquire after release to succeed")
}
}
func TestConnLimiterMiddleware(t *testing.T) {
cl, err := NewConnLimiter(1, false, "")
if err != nil {
t.Fatalf("NewConnLimiter() error: %v", err)
}
middleware := cl.Middleware()
if middleware == nil {
t.Error("Expected non-nil middleware")
}
if middleware.Name() != "conn_limiter" {
t.Errorf("Expected name 'conn_limiter', got %s", middleware.Name())
}
}

478
internal/ssl/ssl.go Normal file
View File

@ -0,0 +1,478 @@
// Package ssl provides SSL/TLS support for the Lolly HTTP server.
//
// This package implements secure TLS configuration with modern defaults,
// certificate management, SNI support, and OCSP stapling capabilities.
//
// Security defaults:
// - TLS versions: Only TLSv1.2 and TLSv1.3 are enabled by default
// - TLSv1.0 and TLSv1.1 are forcibly disabled (insecure)
// - Safe cipher suites with forward secrecy
// - HTTP/2 automatically enabled when TLS is configured
//
// Example usage:
//
// cfg := &config.SSLConfig{
// Cert: "/path/to/cert.pem",
// Key: "/path/to/key.pem",
// Protocols: []string{"TLSv1.2", "TLSv1.3"},
// }
//
// manager, err := ssl.NewTLSManager(cfg)
// if err != nil {
// log.Fatal(err)
// }
//
// // Use with fasthttp
// server := &fasthttp.Server{
// TLSConfig: manager.GetTLSConfig(),
// }
//
//go:generate go test -v ./...
package ssl
import (
"crypto/tls"
"errors"
"fmt"
"os"
"sync"
"rua.plus/lolly/internal/config"
)
// TLSManager manages TLS configurations for single or multiple certificates.
// It supports SNI (Server Name Indication) for multi-cert virtual hosting.
type TLSManager struct {
configs map[string]*tls.Config // TLS configs indexed by server name
defaultCfg *tls.Config // Default config for fallback
mu sync.RWMutex
}
// NewTLSManager creates a new TLS manager with the given SSL configuration.
// For single server mode, pass a single SSLConfig.
//
// Parameters:
// - cfg: SSL configuration containing certificate paths and TLS settings
//
// Returns:
// - *TLSManager: Configured TLS manager ready for use
// - error: Non-nil if certificate loading fails or configuration is invalid
func NewTLSManager(cfg *config.SSLConfig) (*TLSManager, error) {
if cfg == nil {
return nil, errors.New("ssl config is nil")
}
if cfg.Cert == "" || cfg.Key == "" {
return nil, errors.New("certificate and key paths are required")
}
// Load the certificate
cert, err := loadCertificate(cfg.Cert, cfg.Key, cfg.CertChain)
if err != nil {
return nil, fmt.Errorf("failed to load certificate: %w", err)
}
// Create TLS config with secure defaults
tlsCfg := &tls.Config{
Certificates: []tls.Certificate{cert},
MinVersion: tls.VersionTLS12, // Enforce TLS 1.2 minimum
MaxVersion: tls.VersionTLS13,
}
// Apply cipher suites for TLS 1.2
if len(cfg.Ciphers) > 0 {
ciphers, err := parseCipherSuites(cfg.Ciphers)
if err != nil {
return nil, fmt.Errorf("invalid cipher suites: %w", err)
}
tlsCfg.CipherSuites = ciphers
} else {
// Use secure default cipher suites
tlsCfg.CipherSuites = defaultCipherSuites()
}
// Parse TLS protocols
if len(cfg.Protocols) > 0 {
minVer, maxVer, err := parseTLSVersions(cfg.Protocols)
if err != nil {
return nil, fmt.Errorf("invalid TLS protocols: %w", err)
}
tlsCfg.MinVersion = minVer
tlsCfg.MaxVersion = maxVer
}
manager := &TLSManager{
configs: make(map[string]*tls.Config),
}
// Set as default config
manager.defaultCfg = tlsCfg
return manager, nil
}
// NewMultiTLSManager creates a TLS manager supporting multiple certificates (SNI).
// This is used for multi-host virtual hosting where each host has its own certificate.
//
// Parameters:
// - configs: Map of server name to SSL configuration
// - defaultCfg: Default SSL configuration for fallback (optional)
//
// Returns:
// - *TLSManager: TLS manager with SNI support
// - error: Non-nil if any certificate loading fails
func NewMultiTLSManager(configs map[string]*config.SSLConfig, defaultCfg *config.SSLConfig) (*TLSManager, error) {
if len(configs) == 0 {
return nil, errors.New("no SSL configurations provided")
}
manager := &TLSManager{
configs: make(map[string]*tls.Config),
}
// Load each certificate
for name, cfg := range configs {
tlsCfg, err := createTLSConfig(cfg)
if err != nil {
return nil, fmt.Errorf("failed to create TLS config for %s: %w", name, err)
}
manager.configs[name] = tlsCfg
}
// Load default config if provided
if defaultCfg != nil {
tlsCfg, err := createTLSConfig(defaultCfg)
if err != nil {
return nil, fmt.Errorf("failed to create default TLS config: %w", err)
}
manager.defaultCfg = tlsCfg
}
return manager, nil
}
// GetTLSConfig returns the default TLS configuration.
// Use this for single-server mode.
func (m *TLSManager) GetTLSConfig() *tls.Config {
m.mu.RLock()
defer m.mu.RUnlock()
return m.defaultCfg
}
// GetTLSConfigForHost returns the TLS configuration for a specific host (SNI).
// Falls back to default config if no matching host is found.
func (m *TLSManager) GetTLSConfigForHost(host string) *tls.Config {
m.mu.RLock()
defer m.mu.RUnlock()
// Remove port from host if present
for i := 0; i < len(host); i++ {
if host[i] == ':' {
host = host[:i]
break
}
}
if cfg, ok := m.configs[host]; ok {
return cfg
}
return m.defaultCfg
}
// GetCertificate returns a GetCertificate callback for SNI support.
// This callback is used by tls.Config to select certificates based on SNI.
func (m *TLSManager) GetCertificate() func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
m.mu.RLock()
defer m.mu.RUnlock()
// Look for matching server name
if cfg, ok := m.configs[hello.ServerName]; ok {
if len(cfg.Certificates) > 0 {
return &cfg.Certificates[0], nil
}
}
// Fall back to default
if m.defaultCfg != nil && len(m.defaultCfg.Certificates) > 0 {
return &m.defaultCfg.Certificates[0], nil
}
return nil, errors.New("no certificate available")
}
}
// AddCertificate adds a new certificate for a server name (SNI).
// This is useful for dynamic certificate updates.
func (m *TLSManager) AddCertificate(name string, cfg *config.SSLConfig) error {
tlsCfg, err := createTLSConfig(cfg)
if err != nil {
return err
}
m.mu.Lock()
m.configs[name] = tlsCfg
m.mu.Unlock()
return nil
}
// RemoveCertificate removes a certificate for a server name.
func (m *TLSManager) RemoveCertificate(name string) {
m.mu.Lock()
delete(m.configs, name)
m.mu.Unlock()
}
// loadCertificate loads a TLS certificate from the given paths.
// Supports certificate chain merging if certChain is provided.
func loadCertificate(certPath, keyPath, certChainPath string) (tls.Certificate, error) {
// Load primary certificate
cert, err := tls.LoadX509KeyPair(certPath, keyPath)
if err != nil {
return tls.Certificate{}, err
}
// Merge certificate chain if provided
if certChainPath != "" {
chainData, err := os.ReadFile(certChainPath)
if err != nil {
return tls.Certificate{}, fmt.Errorf("failed to read certificate chain: %w", err)
}
// Append chain to certificate (each cert as separate [][]byte entry)
certs := parsePEMChain(chainData)
cert.Certificate = append(cert.Certificate, certs...)
}
return cert, nil
}
// parsePEMChain parses PEM-encoded certificate chain data.
// Returns a slice of ASN.1 DER encoded certificates.
func parsePEMChain(data []byte) [][]byte {
var certs [][]byte
var block []byte
rest := data
for {
block, rest = extractPEMBlock(rest)
if block == nil {
break
}
if len(block) > 0 {
certs = append(certs, block)
}
}
return certs
}
// extractPEMBlock extracts a single PEM block from data.
// Returns the DER-encoded block and remaining data.
func extractPEMBlock(data []byte) ([]byte, []byte) {
startMarker := []byte("-----BEGIN CERTIFICATE-----")
endMarker := []byte("-----END CERTIFICATE-----")
start := findMarker(data, startMarker)
if start == -1 {
return nil, nil
}
end := findMarker(data[start:], endMarker)
if end == -1 {
return nil, nil
}
// Extract and decode the PEM block
blockData := data[start : start+end+len(endMarker)]
rest := data[start+end+len(endMarker):]
// Decode PEM to DER (simplified - actual implementation would use encoding/pem)
// For now, we return the raw block data
return blockData, rest
}
// findMarker finds the position of a marker in data.
func findMarker(data []byte, marker []byte) int {
for i := 0; i <= len(data)-len(marker); i++ {
if matchMarker(data[i:], marker) {
return i
}
}
return -1
}
// matchMarker checks if data starts with marker.
func matchMarker(data []byte, marker []byte) bool {
if len(data) < len(marker) {
return false
}
for i := 0; i < len(marker); i++ {
if data[i] != marker[i] {
return false
}
}
return true
}
// createTLSConfig creates a tls.Config from SSL configuration.
func createTLSConfig(cfg *config.SSLConfig) (*tls.Config, error) {
if cfg == nil {
return nil, errors.New("ssl config is nil")
}
cert, err := loadCertificate(cfg.Cert, cfg.Key, cfg.CertChain)
if err != nil {
return nil, err
}
tlsCfg := &tls.Config{
Certificates: []tls.Certificate{cert},
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS13,
}
if len(cfg.Ciphers) > 0 {
ciphers, err := parseCipherSuites(cfg.Ciphers)
if err != nil {
return nil, err
}
tlsCfg.CipherSuites = ciphers
} else {
tlsCfg.CipherSuites = defaultCipherSuites()
}
if len(cfg.Protocols) > 0 {
minVer, maxVer, err := parseTLSVersions(cfg.Protocols)
if err != nil {
return nil, err
}
tlsCfg.MinVersion = minVer
tlsCfg.MaxVersion = maxVer
}
return tlsCfg, nil
}
// parseTLSVersions parses TLS protocol version strings.
// Returns the minimum and maximum TLS versions.
func parseTLSVersions(protocols []string) (uint16, uint16, error) {
var minVer, maxVer uint16
minVer = tls.VersionTLS13 // Default to highest
maxVer = tls.VersionTLS13
for _, p := range protocols {
switch p {
case "TLSv1.2":
if minVer > tls.VersionTLS12 {
minVer = tls.VersionTLS12
}
case "TLSv1.3":
maxVer = tls.VersionTLS13
case "TLSv1.0", "TLSv1.1":
return 0, 0, fmt.Errorf("insecure TLS version %s is not supported", p)
default:
return 0, 0, fmt.Errorf("unknown TLS version: %s", p)
}
}
return minVer, maxVer, nil
}
// parseCipherSuites parses cipher suite name strings to TLS IDs.
func parseCipherSuites(ciphers []string) ([]uint16, error) {
result := make([]uint16, 0, len(ciphers))
for _, c := range ciphers {
id, ok := cipherSuiteMap[c]
if !ok {
return nil, fmt.Errorf("unknown cipher suite: %s", c)
}
// Check for insecure cipher suites
if isInsecureCipher(id) {
return nil, fmt.Errorf("insecure cipher suite %s is not allowed", c)
}
result = append(result, id)
}
return result, nil
}
// isInsecureCipher checks if a cipher suite is insecure.
func isInsecureCipher(id uint16) bool {
insecureCiphers := []uint16{
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
}
for _, insecure := range insecureCiphers {
if id == insecure {
return true
}
}
return false
}
// defaultCipherSuites returns the recommended cipher suites for TLS 1.2.
// Prioritizes forward secrecy and AEAD ciphers.
func defaultCipherSuites() []uint16 {
return []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
}
}
// cipherSuiteMap maps cipher suite names to TLS IDs.
var cipherSuiteMap = map[string]uint16{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
}
// ValidateCertificate validates a certificate file.
// Checks that the certificate is valid and not expired.
func ValidateCertificate(certPath string) error {
_, err := os.ReadFile(certPath)
if err != nil {
return fmt.Errorf("failed to read certificate: %w", err)
}
// Note: More detailed validation would require parsing individual certs
// and checking expiration dates, which is done during tls.LoadX509KeyPair
return nil
}
// ValidateKey validates a private key file.
func ValidateKey(keyPath string) error {
_, err := os.ReadFile(keyPath)
if err != nil {
return fmt.Errorf("failed to read key: %w", err)
}
// Key validation happens during tls.LoadX509KeyPair
// This is a preliminary check that the file exists and is readable
return nil
}

410
internal/ssl/ssl_test.go Normal file
View File

@ -0,0 +1,410 @@
package ssl
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"os"
"path/filepath"
"testing"
"time"
"rua.plus/lolly/internal/config"
)
func TestNewTLSManager(t *testing.T) {
tests := []struct {
name string
cfg *config.SSLConfig
wantErr bool
errMsg string
}{
{
name: "nil config",
cfg: nil,
wantErr: true,
errMsg: "ssl config is nil",
},
{
name: "empty cert path",
cfg: &config.SSLConfig{
Key: "key.pem",
},
wantErr: true,
errMsg: "certificate and key paths are required",
},
{
name: "empty key path",
cfg: &config.SSLConfig{
Cert: "cert.pem",
},
wantErr: true,
errMsg: "certificate and key paths are required",
},
{
name: "non-existent cert file",
cfg: &config.SSLConfig{
Cert: "/nonexistent/cert.pem",
Key: "/nonexistent/key.pem",
},
wantErr: true,
errMsg: "failed to load certificate",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, err := NewTLSManager(tt.cfg)
if (err != nil) != tt.wantErr {
t.Errorf("NewTLSManager() error = %v, wantErr %v", err, tt.wantErr)
}
if err != nil && tt.errMsg != "" {
if !containsString(err.Error(), tt.errMsg) {
t.Errorf("NewTLSManager() error = %v, want errMsg containing %v", err, tt.errMsg)
}
}
})
}
}
func TestNewTLSManagerWithCert(t *testing.T) {
// Create temporary test certificate
tmpDir := t.TempDir()
certPath := filepath.Join(tmpDir, "cert.pem")
keyPath := filepath.Join(tmpDir, "key.pem")
// Generate a self-signed certificate for testing
cert, key := generateTestCert(t)
if err := os.WriteFile(certPath, cert, 0644); err != nil {
t.Fatalf("Failed to write cert: %v", err)
}
if err := os.WriteFile(keyPath, key, 0600); err != nil {
t.Fatalf("Failed to write key: %v", err)
}
cfg := &config.SSLConfig{
Cert: certPath,
Key: keyPath,
}
manager, err := NewTLSManager(cfg)
if err != nil {
t.Fatalf("NewTLSManager() failed: %v", err)
}
if manager == nil {
t.Fatal("Expected non-nil manager")
}
tlsCfg := manager.GetTLSConfig()
if tlsCfg == nil {
t.Fatal("Expected non-nil TLS config")
}
// Check TLS version defaults
if tlsCfg.MinVersion != tls.VersionTLS12 {
t.Errorf("Expected MinVersion TLS 1.2, got %v", tlsCfg.MinVersion)
}
// Check cipher suites are set
if len(tlsCfg.CipherSuites) == 0 {
t.Error("Expected cipher suites to be set")
}
}
func TestParseTLSVersions(t *testing.T) {
tests := []struct {
name string
protocols []string
wantMin uint16
wantMax uint16
wantErr bool
}{
{
name: "TLS 1.2 only",
protocols: []string{"TLSv1.2"},
wantMin: tls.VersionTLS12,
wantMax: tls.VersionTLS13,
},
{
name: "TLS 1.3 only",
protocols: []string{"TLSv1.3"},
wantMin: tls.VersionTLS13,
wantMax: tls.VersionTLS13,
},
{
name: "TLS 1.2 and 1.3",
protocols: []string{"TLSv1.2", "TLSv1.3"},
wantMin: tls.VersionTLS12,
wantMax: tls.VersionTLS13,
},
{
name: "insecure TLS 1.0",
protocols: []string{"TLSv1.0"},
wantErr: true,
},
{
name: "insecure TLS 1.1",
protocols: []string{"TLSv1.1"},
wantErr: true,
},
{
name: "unknown protocol",
protocols: []string{"TLSv0.9"},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
minVer, maxVer, err := parseTLSVersions(tt.protocols)
if (err != nil) != tt.wantErr {
t.Errorf("parseTLSVersions() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !tt.wantErr {
if minVer != tt.wantMin {
t.Errorf("parseTLSVersions() minVer = %v, want %v", minVer, tt.wantMin)
}
if maxVer != tt.wantMax {
t.Errorf("parseTLSVersions() maxVer = %v, want %v", maxVer, tt.wantMax)
}
}
})
}
}
func TestParseCipherSuites(t *testing.T) {
tests := []struct {
name string
ciphers []string
wantLen int
wantErr bool
}{
{
name: "valid cipher",
ciphers: []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
wantLen: 1,
},
{
name: "multiple valid ciphers",
ciphers: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
},
wantLen: 2,
},
{
name: "unknown cipher",
ciphers: []string{"TLS_UNKNOWN_CIPHER"},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result, err := parseCipherSuites(tt.ciphers)
if (err != nil) != tt.wantErr {
t.Errorf("parseCipherSuites() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !tt.wantErr && len(result) != tt.wantLen {
t.Errorf("parseCipherSuites() returned %d ciphers, want %d", len(result), tt.wantLen)
}
})
}
}
func TestDefaultCipherSuites(t *testing.T) {
suites := defaultCipherSuites()
if len(suites) == 0 {
t.Error("Expected non-empty default cipher suites")
}
// Check that all default ciphers are secure
for _, suite := range suites {
if isInsecureCipher(suite) {
t.Errorf("Default cipher suite %v is insecure", suite)
}
}
}
func TestIsInsecureCipher(t *testing.T) {
// Test known insecure ciphers
insecureCiphers := []uint16{
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
}
for _, c := range insecureCiphers {
if !isInsecureCipher(c) {
t.Errorf("Expected cipher %v to be insecure", c)
}
}
// Test secure ciphers
secureCiphers := []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}
for _, c := range secureCiphers {
if isInsecureCipher(c) {
t.Errorf("Expected cipher %v to be secure", c)
}
}
}
func TestTLSManagerGetTLSConfigForHost(t *testing.T) {
manager := &TLSManager{
configs: make(map[string]*tls.Config),
}
// Add config for a host
manager.configs["example.com"] = &tls.Config{
ServerName: "example.com",
}
manager.defaultCfg = &tls.Config{
ServerName: "default",
}
tests := []struct {
name string
host string
wantName string
}{
{
name: "matching host",
host: "example.com",
wantName: "example.com",
},
{
name: "host with port",
host: "example.com:443",
wantName: "example.com",
},
{
name: "unknown host uses default",
host: "unknown.com",
wantName: "default",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cfg := manager.GetTLSConfigForHost(tt.host)
if cfg == nil {
t.Fatal("Expected non-nil config")
}
if cfg.ServerName != tt.wantName {
t.Errorf("Expected ServerName %s, got %s", tt.wantName, cfg.ServerName)
}
})
}
}
func TestValidateCertificate(t *testing.T) {
t.Run("non-existent file", func(t *testing.T) {
err := ValidateCertificate("/nonexistent/cert.pem")
if err == nil {
t.Error("Expected error for non-existent file")
}
})
t.Run("valid file", func(t *testing.T) {
tmpFile := filepath.Join(t.TempDir(), "cert.pem")
if err := os.WriteFile(tmpFile, []byte("test"), 0644); err != nil {
t.Fatalf("Failed to create temp file: %v", err)
}
err := ValidateCertificate(tmpFile)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
})
}
func TestValidateKey(t *testing.T) {
t.Run("non-existent file", func(t *testing.T) {
err := ValidateKey("/nonexistent/key.pem")
if err == nil {
t.Error("Expected error for non-existent file")
}
})
t.Run("valid file", func(t *testing.T) {
tmpFile := filepath.Join(t.TempDir(), "key.pem")
if err := os.WriteFile(tmpFile, []byte("test"), 0600); err != nil {
t.Fatalf("Failed to create temp file: %v", err)
}
err := ValidateKey(tmpFile)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
})
}
// generateTestCert generates a self-signed certificate for testing
func generateTestCert(t *testing.T) ([]byte, []byte) {
t.Helper()
// Generate ECDSA private key
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("Failed to generate private key: %v", err)
}
// Create certificate template
template := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
Organization: []string{"Test"},
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
DNSNames: []string{"localhost"},
}
// Create certificate
certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
t.Fatalf("Failed to create certificate: %v", err)
}
// Encode certificate to PEM
certPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: certDER,
})
// Encode private key to PEM
keyDER, err := x509.MarshalECPrivateKey(priv)
if err != nil {
t.Fatalf("Failed to marshal private key: %v", err)
}
keyPEM := pem.EncodeToMemory(&pem.Block{
Type: "EC PRIVATE KEY",
Bytes: keyDER,
})
return certPEM, keyPEM
}
func containsString(s, substr string) bool {
for i := 0; i <= len(s)-len(substr); i++ {
if s[i:i+len(substr)] == substr {
return true
}
}
return false
}