Daniel Legt
f0dcdd50ca
All checks were successful
Build and Publish Docker Image / deploy (push) Successful in 2m30s
- Allow the `/health` endpoint to bypass the security middleware, ensuring container health checks succeed even if the proxy IP is banned. - Add a test to verify health checks from banned IPs. - Register a HEAD route for file downloads. - Refactor admin alert status checks to use a new `isUnacknowledgedAlert` helper. - Update the security runbook documentation with clearer instructions and examples for trusted proxy configuration.
56 lines
2.0 KiB
Go
56 lines
2.0 KiB
Go
package server
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
"warpbox/lib/config"
|
|
)
|
|
|
|
func TestClientIPDirectClient(t *testing.T) {
|
|
app := &App{config: &config.Config{TrustedProxyCIDRs: "10.0.0.0/8"}}
|
|
ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
|
|
ctx.Request = httptest.NewRequest(http.MethodGet, "/", nil)
|
|
ctx.Request.RemoteAddr = "198.51.100.10:1234"
|
|
ctx.Request.Header.Set("X-Forwarded-For", "203.0.113.4")
|
|
if got := app.clientIP(ctx); got != "198.51.100.10" {
|
|
t.Fatalf("expected direct remote IP, got %q", got)
|
|
}
|
|
}
|
|
|
|
func TestClientIPTrustedProxyChain(t *testing.T) {
|
|
app := &App{config: &config.Config{TrustedProxyCIDRs: "10.0.0.0/8"}}
|
|
ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
|
|
ctx.Request = httptest.NewRequest(http.MethodGet, "/", nil)
|
|
ctx.Request.RemoteAddr = "10.1.2.3:8080"
|
|
ctx.Request.Header.Set("X-Forwarded-For", "203.0.113.44, 10.0.0.5")
|
|
if got := app.clientIP(ctx); got != "203.0.113.44" {
|
|
t.Fatalf("expected forwarded public client IP, got %q", got)
|
|
}
|
|
}
|
|
|
|
func TestClientIPTrustedDockerBridgeProxy(t *testing.T) {
|
|
app := &App{config: &config.Config{TrustedProxyCIDRs: "172.30.0.1/32"}}
|
|
ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
|
|
ctx.Request = httptest.NewRequest(http.MethodGet, "/", nil)
|
|
ctx.Request.RemoteAddr = "172.30.0.1:8080"
|
|
ctx.Request.Header.Set("X-Forwarded-For", "198.51.100.55")
|
|
if got := app.clientIP(ctx); got != "198.51.100.55" {
|
|
t.Fatalf("expected forwarded client IP from trusted docker bridge, got %q", got)
|
|
}
|
|
}
|
|
|
|
func TestClientIPSpoofedHeaderFromUntrustedRemote(t *testing.T) {
|
|
app := &App{config: &config.Config{TrustedProxyCIDRs: "10.0.0.0/8"}}
|
|
ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
|
|
ctx.Request = httptest.NewRequest(http.MethodGet, "/", nil)
|
|
ctx.Request.RemoteAddr = "203.0.113.200:8080"
|
|
ctx.Request.Header.Set("X-Forwarded-For", "198.51.100.55")
|
|
if got := app.clientIP(ctx); got != "203.0.113.200" {
|
|
t.Fatalf("expected untrusted remote IP, got %q", got)
|
|
}
|
|
}
|