tk/Ocelot
1
0
Fork 0
mirror of https://github.com/nsnail/Ocelot.git synced 2025-06-19 14:08:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

add a security module (#628) (#629)

Browse Source 
* Add security mechanisms, IP whitelists, blacklists, and extended security interfaces.

* Optimized configuration name

* Fix IP Security Bug

* Repair Security Protection Module Bug

* Add security module unit test

* Optimize log prompts
This commit is contained in:
阿凌
2018-09-26 01:29:38 +08:00
committed by Tom Pallister
parent aa14b2f877
commit 4a8f4c2e03
18 changed files with 526 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
test/Ocelot.UnitTests/Configuration/ReRoutesCreatorTests.cs
View File

@ -30,7 +30,8 @@
private Mock<IDownstreamAddressesCreator> _daCreator;
private Mock<ILoadBalancerOptionsCreator> _lboCreator;
private Mock<IReRouteKeyCreator> _rrkCreator;
private FileConfiguration _fileConfig;
private Mock<ISecurityOptionsCreator> _soCreator;
private FileConfiguration _fileConfig;
private ReRouteOptions _rro;
private string _requestId;
private string _rrk;
@ -45,6 +46,7 @@
private List<DownstreamHostAndPort> _dhp;
private LoadBalancerOptions _lbo;
private List<ReRoute> _result;
private SecurityOptions _securityOptions;
public ReRoutesCreatorTests()
{
@ -61,6 +63,7 @@
_daCreator = new Mock<IDownstreamAddressesCreator>();
_lboCreator = new Mock<ILoadBalancerOptionsCreator>();
_rrkCreator = new Mock<IReRouteKeyCreator>();
_soCreator = new Mock<ISecurityOptionsCreator>();
_creator = new ReRoutesCreator(
_cthCreator.Object,
@ -75,7 +78,8 @@
_hfarCreator.Object,
_daCreator.Object,
_lboCreator.Object,
_rrkCreator.Object
_rrkCreator.Object,
_soCreator.Object
);
}
@ -266,6 +270,7 @@
_hfarCreator.Verify(x => x.Create(fileReRoute), Times.Once);
_daCreator.Verify(x => x.Create(fileReRoute), Times.Once);
_lboCreator.Verify(x => x.Create(fileReRoute.LoadBalancerOptions), Times.Once);
_soCreator.Verify(x => x.Create(fileReRoute.SecurityOptions), Times.Once);
}
}
}

72
test/Ocelot.UnitTests/Configuration/SecurityOptionsCreatorTests.cs Normal file
View File

@ -0,0 +1,72 @@
using Ocelot.Configuration;
using Ocelot.Configuration.Creator;
using Ocelot.Configuration.File;
using Shouldly;
using System;
using System.Collections.Generic;
using System.Text;
using TestStack.BDDfy;
using Xunit;
namespace Ocelot.UnitTests.Configuration
{
public class SecurityOptionsCreatorTests
{
private FileReRoute _fileReRoute;
private FileGlobalConfiguration _fileGlobalConfig;
private SecurityOptions _result;
private ISecurityOptionsCreator _creator;
public SecurityOptionsCreatorTests()
{
_creator = new SecurityOptionsCreator();
}
[Fact]
public void should_create_security_config()
{
var ipAllowedList = new List<string>() { "127.0.0.1", "192.168.1.1" };
var ipBlockedList = new List<string>() { "127.0.0.1", "192.168.1.1" };
var fileReRoute = new FileReRoute
{
SecurityOptions = new FileSecurityOptions()
{
IPAllowedList = ipAllowedList,
IPBlockedList = ipBlockedList
}
};
var expected = new SecurityOptions(ipAllowedList, ipBlockedList);
this.Given(x => x.GivenThe(fileReRoute))
.When(x => x.WhenICreate())
.Then(x => x.ThenTheResultIs(expected))
.BDDfy();
}
private void GivenThe(FileReRoute reRoute)
{
_fileReRoute = reRoute;
}
private void WhenICreate()
{
_result = _creator.Create(_fileReRoute.SecurityOptions);
}
private void ThenTheResultIs(SecurityOptions expected)
{
for (int i = 0; i < expected.IPAllowedList.Count; i++)
{
_result.IPAllowedList[i].ShouldBe(expected.IPAllowedList[i]);
}
for (int i = 0; i < expected.IPBlockedList.Count; i++)
{
_result.IPBlockedList[i].ShouldBe(expected.IPBlockedList[i]);
}
}
}
}

117
test/Ocelot.UnitTests/Security/IPSecurityPolicyTests.cs Normal file
View File

@ -0,0 +1,117 @@
using Microsoft.AspNetCore.Http;
using Ocelot.Configuration;
using Ocelot.Configuration.Builder;
using Ocelot.Middleware;
using Ocelot.Request.Middleware;
using Ocelot.Responses;
using Ocelot.Security.IPSecurity;
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text;
using TestStack.BDDfy;
using Xunit;
namespace Ocelot.UnitTests.Security
{
public class IPSecurityPolicyTests
{
private readonly DownstreamContext _downstreamContext;
private readonly DownstreamReRouteBuilder _downstreamReRouteBuilder;
private readonly IPSecurityPolicy _ipSecurityPolicy;
private Response response;
public IPSecurityPolicyTests()
{
_downstreamContext = new DownstreamContext(new DefaultHttpContext());
_downstreamContext.DownstreamRequest = new DownstreamRequest(new HttpRequestMessage(HttpMethod.Get, "http://test.com"));
_downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.1")[0];
_downstreamReRouteBuilder = new DownstreamReRouteBuilder();
_ipSecurityPolicy = new IPSecurityPolicy();
}
[Fact]
private void should_No_blocked_Ip_and_allowed_Ip()
{
this.Given(x => x.GivenSetDownstreamReRoute())
.When(x => x.WhenTheSecurityPolicy())
.Then(x => x.ThenSecurityPassing())
.BDDfy();
}
[Fact]
private void should_blockedIp_clientIp_block()
{
_downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.1")[0];
this.Given(x => x.GivenSetBlockedIP())
.Given(x => x.GivenSetDownstreamReRoute())
.When(x => x.WhenTheSecurityPolicy())
.Then(x => x.ThenNotSecurityPassing())
.BDDfy();
}
[Fact]
private void should_blockedIp_clientIp_Not_block()
{
_downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.2")[0];
this.Given(x => x.GivenSetBlockedIP())
.Given(x => x.GivenSetDownstreamReRoute())
.When(x => x.WhenTheSecurityPolicy())
.Then(x => x.ThenSecurityPassing())
.BDDfy();
}
[Fact]
private void should_allowedIp_clientIp_block()
{
_downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.1")[0];
this.Given(x => x.GivenSetAllowedIP())
.Given(x => x.GivenSetDownstreamReRoute())
.When(x => x.WhenTheSecurityPolicy())
.Then(x => x.ThenSecurityPassing())
.BDDfy();
}
[Fact]
private void should_allowedIp_clientIp_Not_block()
{
_downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.2")[0];
this.Given(x => x.GivenSetAllowedIP())
.Given(x => x.GivenSetDownstreamReRoute())
.When(x => x.WhenTheSecurityPolicy())
.Then(x => x.ThenNotSecurityPassing())
.BDDfy();
}
private void GivenSetAllowedIP()
{
_downstreamReRouteBuilder.WithSecurityOptions(new SecurityOptions(new List<string> { "192.168.1.1" }, new List<string>()));
}
private void GivenSetBlockedIP()
{
_downstreamReRouteBuilder.WithSecurityOptions(new SecurityOptions(new List<string>(), new List<string> { "192.168.1.1" }));
}
private void GivenSetDownstreamReRoute()
{
_downstreamContext.DownstreamReRoute = _downstreamReRouteBuilder.Build();
}
private void WhenTheSecurityPolicy()
{
response = this._ipSecurityPolicy.Security(_downstreamContext).GetAwaiter().GetResult();
}
private void ThenSecurityPassing()
{
Assert.False(response.IsError);
}
private void ThenNotSecurityPassing()
{
Assert.True(response.IsError);
}
}
}

108
test/Ocelot.UnitTests/Security/SecurityMiddlewareTests.cs Normal file
View File

@ -0,0 +1,108 @@
using Microsoft.AspNetCore.Http;
using Moq;
using Ocelot.Errors;
using Ocelot.Logging;
using Ocelot.Middleware;
using Ocelot.Request.Middleware;
using Ocelot.Responses;
using Ocelot.Security;
using Ocelot.Security.IPSecurity;
using Ocelot.Security.Middleware;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using TestStack.BDDfy;
using Xunit;
namespace Ocelot.UnitTests.Security
{
public class SecurityMiddlewareTests
{
private List<Mock<ISecurityPolicy>> _securityPolicyList;
private Mock<IOcelotLoggerFactory> _loggerFactory;
private Mock<IOcelotLogger> _logger;
private readonly SecurityMiddleware _middleware;
private readonly DownstreamContext _downstreamContext;
private readonly OcelotRequestDelegate _next;
public SecurityMiddlewareTests()
{
_loggerFactory = new Mock<IOcelotLoggerFactory>();
_logger = new Mock<IOcelotLogger>();
_loggerFactory.Setup(x => x.CreateLogger<SecurityMiddleware>()).Returns(_logger.Object);
_securityPolicyList = new List<Mock<ISecurityPolicy>>();
_securityPolicyList.Add(new Mock<ISecurityPolicy>());
_securityPolicyList.Add(new Mock<ISecurityPolicy>());
_next = context =>
{
return Task.CompletedTask;
};
_middleware = new SecurityMiddleware(_loggerFactory.Object, _securityPolicyList.Select(f => f.Object).ToList(), _next);
_downstreamContext = new DownstreamContext(new DefaultHttpContext());
_downstreamContext.DownstreamRequest = new DownstreamRequest(new HttpRequestMessage(HttpMethod.Get, "http://test.com"));
}
[Fact]
public void should_legal_request()
{
this.Given(x => x.GivenPassingSecurityVerification())
.When(x => x.WhenICallTheMiddleware())
.Then(x => x.ThenTheRequestIsPassingSecurity())
.BDDfy();
}
[Fact]
public void should_verification_failed_request()
{
this.Given(x => x.GivenNotPassingSecurityVerification())
.When(x => x.WhenICallTheMiddleware())
.Then(x => x.ThenTheRequestIsNotPassingSecurity())
.BDDfy();
}
private void GivenPassingSecurityVerification()
{
foreach (var item in _securityPolicyList)
{
Response response = new OkResponse();
item.Setup(x => x.Security(_downstreamContext)).Returns(Task.FromResult(response));
}
}
private void GivenNotPassingSecurityVerification()
{
for (int i = 0; i < _securityPolicyList.Count; i++)
{
Mock<ISecurityPolicy> item = _securityPolicyList[i];
if (i == 0)
{
Error error = new UnauthenticatedError($"Not passing security verification");
Response response = new ErrorResponse(error);
item.Setup(x => x.Security(_downstreamContext)).Returns(Task.FromResult(response));
}
else
{
Response response = new OkResponse();
item.Setup(x => x.Security(_downstreamContext)).Returns(Task.FromResult(response));
}
}
}
private void WhenICallTheMiddleware()
{
_middleware.Invoke(_downstreamContext).GetAwaiter().GetResult();
}
private void ThenTheRequestIsPassingSecurity()
{
Assert.False(_downstreamContext.IsError);
}
private void ThenTheRequestIsNotPassingSecurity()
{
Assert.True(_downstreamContext.IsError);
}
}
}