smartproxy/test/core/utils/test.shared-security-manager.ts

import { expect, tap } from '@git.zone/tstest/tapbundle';
import { SharedSecurityManager } from '../../../ts/core/utils/shared-security-manager.js';
import type { IRouteConfig, IRouteContext } from '../../../ts/proxies/smart-proxy/models/route-types.js';

// Test security manager
tap.test('Shared Security Manager', async () => {
  let securityManager: SharedSecurityManager;

  // Set up a new security manager for each test
  securityManager = new SharedSecurityManager({
    maxConnectionsPerIP: 5,
    connectionRateLimitPerMinute: 10
  });

  tap.test('should validate IPs correctly', async () => {
    // Should allow IPs under connection limit
    expect(securityManager.validateIP('192.168.1.1').allowed).toBeTrue();
    
    // Track multiple connections
    for (let i = 0; i < 4; i++) {
      securityManager.trackConnectionByIP('192.168.1.1', `conn_${i}`);
    }
    
    // Should still allow IPs under connection limit
    expect(securityManager.validateIP('192.168.1.1').allowed).toBeTrue();
    
    // Add one more to reach the limit
    securityManager.trackConnectionByIP('192.168.1.1', 'conn_4');
    
    // Should now block IPs over connection limit
    expect(securityManager.validateIP('192.168.1.1').allowed).toBeFalse();
    
    // Remove a connection
    securityManager.removeConnectionByIP('192.168.1.1', 'conn_0');
    
    // Should allow again after connection is removed
    expect(securityManager.validateIP('192.168.1.1').allowed).toBeTrue();
  });
  
  tap.test('should authorize IPs based on allow/block lists', async () => {
    // Test with allow list only
    expect(securityManager.isIPAuthorized('192.168.1.1', ['192.168.1.*'])).toBeTrue();
    expect(securityManager.isIPAuthorized('192.168.2.1', ['192.168.1.*'])).toBeFalse();
    
    // Test with block list
    expect(securityManager.isIPAuthorized('192.168.1.5', ['*'], ['192.168.1.5'])).toBeFalse();
    expect(securityManager.isIPAuthorized('192.168.1.1', ['*'], ['192.168.1.5'])).toBeTrue();
    
    // Test with both allow and block lists
    expect(securityManager.isIPAuthorized('192.168.1.1', ['192.168.1.*'], ['192.168.1.5'])).toBeTrue();
    expect(securityManager.isIPAuthorized('192.168.1.5', ['192.168.1.*'], ['192.168.1.5'])).toBeFalse();
  });

  tap.test('should validate route access', async () => {
    const route: IRouteConfig = {
      match: {
        ports: [8080]
      },
      action: {
        type: 'forward',
        target: { host: 'target.com', port: 443 }
      },
      security: {
        ipAllowList: ['10.0.0.*', '192.168.1.*'],
        ipBlockList: ['192.168.1.100'],
        maxConnections: 3
      }
    };

    const allowedContext: IRouteContext = {
      clientIp: '192.168.1.1',
      port: 8080,
      serverIp: '127.0.0.1',
      isTls: false,
      timestamp: Date.now(),
      connectionId: 'test_conn_1'
    };

    const blockedByIPContext: IRouteContext = {
      ...allowedContext,
      clientIp: '192.168.1.100'
    };

    const blockedByRangeContext: IRouteContext = {
      ...allowedContext,
      clientIp: '172.16.0.1'
    };

    const blockedByMaxConnectionsContext: IRouteContext = {
      ...allowedContext,
      connectionId: 'test_conn_4'
    };

    expect(securityManager.isAllowed(route, allowedContext)).toBeTrue();
    expect(securityManager.isAllowed(route, blockedByIPContext)).toBeFalse();
    expect(securityManager.isAllowed(route, blockedByRangeContext)).toBeFalse();
    
    // Test max connections for route - assuming implementation has been updated
    if ((securityManager as any).trackConnectionByRoute) {
      (securityManager as any).trackConnectionByRoute(route, 'conn_1');
      (securityManager as any).trackConnectionByRoute(route, 'conn_2');
      (securityManager as any).trackConnectionByRoute(route, 'conn_3');
      
      // Should now block due to max connections
      expect(securityManager.isAllowed(route, blockedByMaxConnectionsContext)).toBeFalse();
    }
  });

  tap.test('should clean up expired entries', async () => {
    const route: IRouteConfig = {
      match: {
        ports: [8080]
      },
      action: {
        type: 'forward',
        target: { host: 'target.com', port: 443 }
      },
      security: {
        rateLimit: {
          enabled: true,
          maxRequests: 5,
          window: 60 // 60 seconds
        }
      }
    };

    const context: IRouteContext = {
      clientIp: '192.168.1.1',
      port: 8080,
      serverIp: '127.0.0.1',
      isTls: false,
      timestamp: Date.now(),
      connectionId: 'test_conn_1'
    };

    // Test rate limiting if method exists
    if ((securityManager as any).checkRateLimit) {
      // Add 5 attempts (max allowed)
      for (let i = 0; i < 5; i++) {
        expect((securityManager as any).checkRateLimit(route, context)).toBeTrue();
      }

      // Should now be blocked
      expect((securityManager as any).checkRateLimit(route, context)).toBeFalse();

      // Force cleanup (normally runs periodically)
      if ((securityManager as any).cleanup) {
        (securityManager as any).cleanup();
      }

      // Should still be blocked since entries are not expired yet
      expect((securityManager as any).checkRateLimit(route, context)).toBeFalse();
    }
  });
});

// Export test runner
export default tap.start();
update 2025-05-19 12:04:26 +00:00			`import { expect, tap } from '@git.zone/tstest/tapbundle';`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`import { SharedSecurityManager } from '../../../ts/core/utils/shared-security-manager.js';`
			`import type { IRouteConfig, IRouteContext } from '../../../ts/proxies/smart-proxy/models/route-types.js';`

			`// Test security manager`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`tap.test('Shared Security Manager', async () => {`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`let securityManager: SharedSecurityManager;`

feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`// Set up a new security manager for each test`
			`securityManager = new SharedSecurityManager({`
			`maxConnectionsPerIP: 5,`
			`connectionRateLimitPerMinute: 10`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`});`

feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`tap.test('should validate IPs correctly', async () => {`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`// Should allow IPs under connection limit`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`expect(securityManager.validateIP('192.168.1.1').allowed).toBeTrue();`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00
			`// Track multiple connections`
			`for (let i = 0; i < 4; i++) {`
			securityManager.trackConnectionByIP('192.168.1.1', `conn_${i}`);
			`}`

			`// Should still allow IPs under connection limit`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`expect(securityManager.validateIP('192.168.1.1').allowed).toBeTrue();`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00
			`// Add one more to reach the limit`
			`securityManager.trackConnectionByIP('192.168.1.1', 'conn_4');`

			`// Should now block IPs over connection limit`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`expect(securityManager.validateIP('192.168.1.1').allowed).toBeFalse();`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00
			`// Remove a connection`
			`securityManager.removeConnectionByIP('192.168.1.1', 'conn_0');`

			`// Should allow again after connection is removed`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`expect(securityManager.validateIP('192.168.1.1').allowed).toBeTrue();`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`});`

feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`tap.test('should authorize IPs based on allow/block lists', async () => {`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`// Test with allow list only`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`expect(securityManager.isIPAuthorized('192.168.1.1', ['192.168.1.*'])).toBeTrue();`
			`expect(securityManager.isIPAuthorized('192.168.2.1', ['192.168.1.*'])).toBeFalse();`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00
			`// Test with block list`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`expect(securityManager.isIPAuthorized('192.168.1.5', ['*'], ['192.168.1.5'])).toBeFalse();`
			`expect(securityManager.isIPAuthorized('192.168.1.1', ['*'], ['192.168.1.5'])).toBeTrue();`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00
			`// Test with both allow and block lists`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`expect(securityManager.isIPAuthorized('192.168.1.1', ['192.168.1.*'], ['192.168.1.5'])).toBeTrue();`
			`expect(securityManager.isIPAuthorized('192.168.1.5', ['192.168.1.*'], ['192.168.1.5'])).toBeFalse();`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`});`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00
			`tap.test('should validate route access', async () => {`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`const route: IRouteConfig = {`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`match: {`
			`ports: [8080]`
			`},`
			`action: {`
			`type: 'forward',`
			`target: { host: 'target.com', port: 443 }`
			`},`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`security: {`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`ipAllowList: ['10.0.0.', '192.168.1.'],`
			`ipBlockList: ['192.168.1.100'],`
			`maxConnections: 3`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`}`
			`};`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`const allowedContext: IRouteContext = {`
			`clientIp: '192.168.1.1',`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`port: 8080,`
			`serverIp: '127.0.0.1',`
			`isTls: false,`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`timestamp: Date.now(),`
			`connectionId: 'test_conn_1'`
			`};`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00
			`const blockedByIPContext: IRouteContext = {`
			`...allowedContext,`
			`clientIp: '192.168.1.100'`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`};`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00
			`const blockedByRangeContext: IRouteContext = {`
			`...allowedContext,`
			`clientIp: '172.16.0.1'`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`};`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00
			`const blockedByMaxConnectionsContext: IRouteContext = {`
			`...allowedContext,`
			`connectionId: 'test_conn_4'`
			`};`

			`expect(securityManager.isAllowed(route, allowedContext)).toBeTrue();`
			`expect(securityManager.isAllowed(route, blockedByIPContext)).toBeFalse();`
			`expect(securityManager.isAllowed(route, blockedByRangeContext)).toBeFalse();`

			`// Test max connections for route - assuming implementation has been updated`
			`if ((securityManager as any).trackConnectionByRoute) {`
			`(securityManager as any).trackConnectionByRoute(route, 'conn_1');`
			`(securityManager as any).trackConnectionByRoute(route, 'conn_2');`
			`(securityManager as any).trackConnectionByRoute(route, 'conn_3');`

			`// Should now block due to max connections`
			`expect(securityManager.isAllowed(route, blockedByMaxConnectionsContext)).toBeFalse();`
			`}`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`});`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00
			`tap.test('should clean up expired entries', async () => {`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`const route: IRouteConfig = {`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`match: {`
			`ports: [8080]`
			`},`
			`action: {`
			`type: 'forward',`
			`target: { host: 'target.com', port: 443 }`
			`},`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`security: {`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`rateLimit: {`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`enabled: true,`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`maxRequests: 5,`
			`window: 60 // 60 seconds`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`}`
			`}`
			`};`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00
			`const context: IRouteContext = {`
			`clientIp: '192.168.1.1',`
			`port: 8080,`
			`serverIp: '127.0.0.1',`
			`isTls: false,`
			`timestamp: Date.now(),`
			`connectionId: 'test_conn_1'`
			`};`

			`// Test rate limiting if method exists`
			`if ((securityManager as any).checkRateLimit) {`
			`// Add 5 attempts (max allowed)`
			`for (let i = 0; i < 5; i++) {`
			`expect((securityManager as any).checkRateLimit(route, context)).toBeTrue();`
			`}`

			`// Should now be blocked`
			`expect((securityManager as any).checkRateLimit(route, context)).toBeFalse();`

			`// Force cleanup (normally runs periodically)`
			`if ((securityManager as any).cleanup) {`
			`(securityManager as any).cleanup();`
			`}`

			`// Should still be blocked since entries are not expired yet`
			`expect((securityManager as any).checkRateLimit(route, context)).toBeFalse();`
			`}`
fix(routing): unify route based architecture 2025-05-13 12:48:41 +00:00			`});`
feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions 2025-05-15 19:39:09 +00:00			`});`

			`// Export test runner`
			`export default tap.start();`