Build initial caddy-opnsense-blocker daemon

2026-03-12 00:51:06 +01:00
commit 4e87d84237
21 changed files with 4354 additions and 0 deletions
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -0,0 +1,106 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestLoadAppliesDefaultsAndReadsSecrets(t *testing.T) {
+	t.Parallel()
+
+	tempDir := t.TempDir()
+	keyPath := filepath.Join(tempDir, "api-key")
+	secretPath := filepath.Join(tempDir, "api-secret")
+	if err := os.WriteFile(keyPath, []byte("test-key\n"), 0o600); err != nil {
+		t.Fatalf("write key file: %v", err)
+	}
+	if err := os.WriteFile(secretPath, []byte("test-secret\n"), 0o600); err != nil {
+		t.Fatalf("write secret file: %v", err)
+	}
+
+	configPath := filepath.Join(tempDir, "config.yaml")
+	payload := fmt.Sprintf(`storage:
+  path: %s/data/blocker.db
+opnsense:
+  enabled: true
+  base_url: https://router.example.test
+  api_key_file: %s
+  api_secret_file: %s
+  ensure_alias: true
+  alias:
+    name: blocked-ips
+profiles:
+  main:
+    auto_block: true
+    block_unexpected_posts: true
+    block_php_paths: true
+    allowed_post_paths:
+      - /search
+    suspicious_path_prefixes:
+      - /wp-admin
+    excluded_cidrs:
+      - 10.0.0.0/8
+    known_agents:
+      - name: friendly-bot
+        decision: allow
+        user_agent_prefixes:
+          - FriendlyBot/
+sources:
+  - name: main
+    path: %s/access.json
+    profile: main
+`, tempDir, keyPath, secretPath, tempDir)
+	if err := os.WriteFile(configPath, []byte(payload), 0o600); err != nil {
+		t.Fatalf("write config file: %v", err)
+	}
+
+	cfg, err := Load(configPath)
+	if err != nil {
+		t.Fatalf("load config: %v", err)
+	}
+
+	if got, want := cfg.Server.ListenAddress, "127.0.0.1:9080"; got != want {
+		t.Fatalf("unexpected listen address: got %q want %q", got, want)
+	}
+	if got, want := cfg.Sources[0].InitialPosition, "end"; got != want {
+		t.Fatalf("unexpected initial position: got %q want %q", got, want)
+	}
+	if got, want := cfg.OPNsense.APIKey, "test-key"; got != want {
+		t.Fatalf("unexpected api key: got %q want %q", got, want)
+	}
+	if got, want := cfg.OPNsense.APISecret, "test-secret"; got != want {
+		t.Fatalf("unexpected api secret: got %q want %q", got, want)
+	}
+	profile := cfg.Profiles["main"]
+	if !profile.IsAllowedPostPath("/search") {
+		t.Fatalf("expected /search to be normalized as an allowed POST path")
+	}
+	if len(profile.SuspiciousPrefixes()) != 1 || profile.SuspiciousPrefixes()[0] != "/wp-admin" {
+		t.Fatalf("unexpected suspicious prefixes: %#v", profile.SuspiciousPrefixes())
+	}
+}
+
+func TestLoadRejectsInvalidInitialPosition(t *testing.T) {
+	t.Parallel()
+
+	tempDir := t.TempDir()
+	configPath := filepath.Join(tempDir, "config.yaml")
+	payload := fmt.Sprintf(`profiles:
+  main:
+    auto_block: true
+sources:
+  - name: main
+    path: %s/access.json
+    profile: main
+    initial_position: sideways
+`, tempDir)
+	if err := os.WriteFile(configPath, []byte(payload), 0o600); err != nil {
+		t.Fatalf("write config file: %v", err)
+	}
+
+	if _, err := Load(configPath); err == nil {
+		t.Fatalf("expected invalid initial_position to be rejected")
+	}
+}