add a security module （#628） (#629)

* Add security mechanisms, IP whitelists, blacklists, and extended security interfaces. * Optimized configuration name * Fix IP Security Bug * Repair Security Protection Module Bug * Add security module unit test * Optimize log prompts
2025-06-19 15:28:16 +08:00 · 2018-09-26 01:29:38 +08:00
parent aa14b2f877
commit 4a8f4c2e03
18 changed files with 526 additions and 10 deletions
--- a/test/Ocelot.UnitTests/Security/IPSecurityPolicyTests.cs
+++ b/test/Ocelot.UnitTests/Security/IPSecurityPolicyTests.cs
@ -0,0 +1,117 @@
+using Microsoft.AspNetCore.Http;
+using Ocelot.Configuration;
+using Ocelot.Configuration.Builder;
+using Ocelot.Middleware;
+using Ocelot.Request.Middleware;
+using Ocelot.Responses;
+using Ocelot.Security.IPSecurity;
+using System;
+using System.Collections.Generic;
+using System.Net;
+using System.Net.Http;
+using System.Text;
+using TestStack.BDDfy;
+using Xunit;
+
+namespace Ocelot.UnitTests.Security
+{
+    public class IPSecurityPolicyTests
+    {
+        private readonly DownstreamContext _downstreamContext;
+        private readonly DownstreamReRouteBuilder _downstreamReRouteBuilder;
+        private readonly IPSecurityPolicy _ipSecurityPolicy;
+        private Response response;
+        public IPSecurityPolicyTests()
+        {
+            _downstreamContext = new DownstreamContext(new DefaultHttpContext());
+            _downstreamContext.DownstreamRequest = new DownstreamRequest(new HttpRequestMessage(HttpMethod.Get, "http://test.com"));
+            _downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.1")[0];
+            _downstreamReRouteBuilder = new DownstreamReRouteBuilder();
+            _ipSecurityPolicy = new IPSecurityPolicy();
+        }
+
+        [Fact]
+        private void should_No_blocked_Ip_and_allowed_Ip()
+        {
+            this.Given(x => x.GivenSetDownstreamReRoute())
+                .When(x => x.WhenTheSecurityPolicy())
+                .Then(x => x.ThenSecurityPassing())
+                .BDDfy();
+        }
+
+        [Fact]
+        private void should_blockedIp_clientIp_block()
+        {
+            _downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.1")[0];
+            this.Given(x => x.GivenSetBlockedIP())
+                .Given(x => x.GivenSetDownstreamReRoute())
+                .When(x => x.WhenTheSecurityPolicy())
+                .Then(x => x.ThenNotSecurityPassing())
+                .BDDfy();
+        }
+
+        [Fact]
+        private void should_blockedIp_clientIp_Not_block()
+        {
+            _downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.2")[0];
+            this.Given(x => x.GivenSetBlockedIP())
+                .Given(x => x.GivenSetDownstreamReRoute())
+                .When(x => x.WhenTheSecurityPolicy())
+                .Then(x => x.ThenSecurityPassing())
+                .BDDfy();
+        }
+
+
+        [Fact]
+        private void should_allowedIp_clientIp_block()
+        {
+            _downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.1")[0];
+            this.Given(x => x.GivenSetAllowedIP())
+                .Given(x => x.GivenSetDownstreamReRoute())
+                .When(x => x.WhenTheSecurityPolicy())
+                .Then(x => x.ThenSecurityPassing())
+                .BDDfy();
+        }
+
+        [Fact]
+        private void should_allowedIp_clientIp_Not_block()
+        {
+            _downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.2")[0];
+            this.Given(x => x.GivenSetAllowedIP())
+                .Given(x => x.GivenSetDownstreamReRoute())
+                .When(x => x.WhenTheSecurityPolicy())
+                .Then(x => x.ThenNotSecurityPassing())
+                .BDDfy();
+        }
+
+        private void GivenSetAllowedIP()
+        {
+            _downstreamReRouteBuilder.WithSecurityOptions(new SecurityOptions(new List<string> { "192.168.1.1" }, new List<string>()));
+        }
+
+        private void GivenSetBlockedIP()
+        {
+            _downstreamReRouteBuilder.WithSecurityOptions(new SecurityOptions(new List<string>(), new List<string> { "192.168.1.1" }));
+        }
+
+        private void GivenSetDownstreamReRoute()
+        {
+            _downstreamContext.DownstreamReRoute = _downstreamReRouteBuilder.Build();
+        }
+
+        private void WhenTheSecurityPolicy()
+        {
+            response = this._ipSecurityPolicy.Security(_downstreamContext).GetAwaiter().GetResult();
+        }
+
+        private void ThenSecurityPassing()
+        {
+            Assert.False(response.IsError);
+        }
+
+        private void ThenNotSecurityPassing()
+        {
+            Assert.True(response.IsError);
+        }
+    }
+}
--- a/test/Ocelot.UnitTests/Security/SecurityMiddlewareTests.cs
+++ b/test/Ocelot.UnitTests/Security/SecurityMiddlewareTests.cs
@ -0,0 +1,108 @@
+using Microsoft.AspNetCore.Http;
+using Moq;
+using Ocelot.Errors;
+using Ocelot.Logging;
+using Ocelot.Middleware;
+using Ocelot.Request.Middleware;
+using Ocelot.Responses;
+using Ocelot.Security;
+using Ocelot.Security.IPSecurity;
+using Ocelot.Security.Middleware;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http;
+using System.Text;
+using System.Threading.Tasks;
+using TestStack.BDDfy;
+using Xunit;
+
+namespace Ocelot.UnitTests.Security
+{
+    public class SecurityMiddlewareTests
+    {
+        private List<Mock<ISecurityPolicy>> _securityPolicyList;
+        private Mock<IOcelotLoggerFactory> _loggerFactory;
+        private Mock<IOcelotLogger> _logger;
+        private readonly SecurityMiddleware _middleware;
+        private readonly DownstreamContext _downstreamContext;
+        private readonly OcelotRequestDelegate _next;
+
+        public SecurityMiddlewareTests()
+        {
+            _loggerFactory = new Mock<IOcelotLoggerFactory>();
+            _logger = new Mock<IOcelotLogger>();
+            _loggerFactory.Setup(x => x.CreateLogger<SecurityMiddleware>()).Returns(_logger.Object);
+            _securityPolicyList = new List<Mock<ISecurityPolicy>>();
+            _securityPolicyList.Add(new Mock<ISecurityPolicy>());
+            _securityPolicyList.Add(new Mock<ISecurityPolicy>());
+            _next = context =>
+            {
+                return Task.CompletedTask;
+            };
+            _middleware = new SecurityMiddleware(_loggerFactory.Object, _securityPolicyList.Select(f => f.Object).ToList(), _next);
+            _downstreamContext = new DownstreamContext(new DefaultHttpContext());
+            _downstreamContext.DownstreamRequest = new DownstreamRequest(new HttpRequestMessage(HttpMethod.Get, "http://test.com"));
+        }
+        [Fact]
+        public void should_legal_request()
+        {
+            this.Given(x => x.GivenPassingSecurityVerification())
+                .When(x => x.WhenICallTheMiddleware())
+                .Then(x => x.ThenTheRequestIsPassingSecurity())
+                .BDDfy();
+        }
+
+        [Fact]
+        public void should_verification_failed_request()
+        {
+            this.Given(x => x.GivenNotPassingSecurityVerification())
+                .When(x => x.WhenICallTheMiddleware())
+                .Then(x => x.ThenTheRequestIsNotPassingSecurity())
+                .BDDfy();
+        }
+
+        private void GivenPassingSecurityVerification()
+        {
+            foreach (var item in _securityPolicyList)
+            {
+                Response response = new OkResponse();
+                item.Setup(x => x.Security(_downstreamContext)).Returns(Task.FromResult(response));
+            }
+        }
+
+        private void GivenNotPassingSecurityVerification()
+        {
+            for (int i = 0; i < _securityPolicyList.Count; i++)
+            {
+                Mock<ISecurityPolicy> item = _securityPolicyList[i];
+                if (i == 0)
+                {
+                    Error error = new UnauthenticatedError($"Not passing security verification");
+                    Response response = new ErrorResponse(error);
+                    item.Setup(x => x.Security(_downstreamContext)).Returns(Task.FromResult(response));
+                }
+                else
+                {
+                    Response response = new OkResponse();
+                    item.Setup(x => x.Security(_downstreamContext)).Returns(Task.FromResult(response));
+                }
+            }
+        }
+
+        private void WhenICallTheMiddleware()
+        {
+            _middleware.Invoke(_downstreamContext).GetAwaiter().GetResult();
+        }
+
+        private void ThenTheRequestIsPassingSecurity()
+        {
+            Assert.False(_downstreamContext.IsError);
+        }
+
+        private void ThenTheRequestIsNotPassingSecurity()
+        {
+            Assert.True(_downstreamContext.IsError);
+        }
+    }
+}