130 lines
4.0 KiB
TypeScript
130 lines
4.0 KiB
TypeScript
import { tap, expect } from '@git.zone/tstest/tapbundle';
|
|
import * as plugins from '../ts/plugins.js';
|
|
import { DcRouterDb, IpIntelligenceDoc, SecurityBlockRuleDoc, SecurityPolicyAuditDoc } from '../ts/db/index.js';
|
|
import { SecurityPolicyManager } from '../ts/security/index.js';
|
|
|
|
const createTestDb = async () => {
|
|
const storagePath = plugins.path.join(
|
|
plugins.os.tmpdir(),
|
|
`dcrouter-security-policy-${Date.now()}-${Math.random().toString(16).slice(2)}`,
|
|
);
|
|
|
|
DcRouterDb.resetInstance();
|
|
const db = DcRouterDb.getInstance({
|
|
storagePath,
|
|
dbName: `dcrouter-security-policy-${Date.now()}-${Math.random().toString(16).slice(2)}`,
|
|
});
|
|
await db.start();
|
|
await db.getDb().mongoDb.createCollection('__test_init');
|
|
|
|
return {
|
|
async cleanup() {
|
|
await db.stop();
|
|
DcRouterDb.resetInstance();
|
|
await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
|
|
},
|
|
};
|
|
};
|
|
|
|
const testDbPromise = createTestDb();
|
|
|
|
const clearTestState = async () => {
|
|
for (const rule of await SecurityBlockRuleDoc.findAll()) {
|
|
await rule.delete();
|
|
}
|
|
for (const record of await IpIntelligenceDoc.findAll()) {
|
|
await record.delete();
|
|
}
|
|
for (const event of await SecurityPolicyAuditDoc.findRecent(1000)) {
|
|
await event.delete();
|
|
}
|
|
};
|
|
|
|
tap.test('SecurityPolicyManager compiles start-end CIDR rules for edge firewall snapshots', async () => {
|
|
await testDbPromise;
|
|
await clearTestState();
|
|
const manager = new SecurityPolicyManager();
|
|
|
|
await manager.createBlockRule({
|
|
type: 'cidr',
|
|
value: '203.0.113.0 - 203.0.113.255',
|
|
reason: 'test range',
|
|
});
|
|
|
|
const policy = await manager.compilePolicy();
|
|
expect(policy.blockedCidrs).toEqual(['203.0.113.0/24']);
|
|
|
|
const firewall = await manager.compileRemoteIngressFirewall();
|
|
expect(firewall.blockedIps).toEqual(['203.0.113.0/24']);
|
|
});
|
|
|
|
tap.test('SecurityPolicyManager compiles intelligence network ranges for ASN rules', async () => {
|
|
await testDbPromise;
|
|
await clearTestState();
|
|
const manager = new SecurityPolicyManager();
|
|
|
|
const intelligenceDoc = new IpIntelligenceDoc();
|
|
intelligenceDoc.ipAddress = '198.51.100.23';
|
|
intelligenceDoc.asn = 64500;
|
|
intelligenceDoc.asnOrg = 'Example Network';
|
|
intelligenceDoc.networkRange = '198.51.100.0 - 198.51.100.127';
|
|
intelligenceDoc.firstSeenAt = Date.now();
|
|
intelligenceDoc.lastSeenAt = Date.now();
|
|
intelligenceDoc.updatedAt = Date.now();
|
|
intelligenceDoc.seenCount = 1;
|
|
await intelligenceDoc.save();
|
|
|
|
await manager.createBlockRule({
|
|
type: 'asn',
|
|
value: 'AS64500',
|
|
reason: 'test asn range',
|
|
});
|
|
|
|
const policy = await manager.compilePolicy();
|
|
expect(policy.blockedCidrs).toEqual(['198.51.100.0/25']);
|
|
});
|
|
|
|
tap.test('SecurityPolicyManager compiles intelligence CIDR arrays for ASN rules', async () => {
|
|
await testDbPromise;
|
|
await clearTestState();
|
|
const manager = new SecurityPolicyManager();
|
|
|
|
const intelligenceDoc = new IpIntelligenceDoc();
|
|
intelligenceDoc.ipAddress = '198.51.100.130';
|
|
intelligenceDoc.asn = 64501;
|
|
intelligenceDoc.asnOrg = 'Example Split Network';
|
|
intelligenceDoc.networkRange = null;
|
|
intelligenceDoc.networkCidrs = ['198.51.100.128/25', '198.51.101.0/24'];
|
|
intelligenceDoc.firstSeenAt = Date.now();
|
|
intelligenceDoc.lastSeenAt = Date.now();
|
|
intelligenceDoc.updatedAt = Date.now();
|
|
intelligenceDoc.seenCount = 1;
|
|
await intelligenceDoc.save();
|
|
|
|
await manager.createBlockRule({
|
|
type: 'asn',
|
|
value: 'AS64501',
|
|
reason: 'test asn cidr array',
|
|
});
|
|
|
|
const policy = await manager.compilePolicy();
|
|
expect(policy.blockedCidrs).toEqual(['198.51.100.128/25', '198.51.101.0/24']);
|
|
});
|
|
|
|
tap.test('SecurityPolicyManager returns an explicit empty edge firewall snapshot', async () => {
|
|
await testDbPromise;
|
|
await clearTestState();
|
|
const manager = new SecurityPolicyManager();
|
|
|
|
const firewall = await manager.compileRemoteIngressFirewall();
|
|
expect(firewall).toEqual({ blockedIps: [] });
|
|
});
|
|
|
|
tap.test('cleanup security policy test db', async () => {
|
|
const dbHandle = await testDbPromise;
|
|
await clearTestState();
|
|
await dbHandle.cleanup();
|
|
});
|
|
|
|
export default tap.start();
|