t/plugin/referer-restriction.t - apisix - Git at Google

 #
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
 # The ASF licenses this file to You under the Apache License, Version 2.0
 # (the "License"); you may not use this file except in compliance with
 # the License.  You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 use t::APISIX 'no_plan';

 add_block_preprocessor(sub {
     my ($block) = @_;

     $block->set_value("no_error_log", "[error]");

     $block;
 });

 repeat_each(1);
 no_long_string();
 no_root_location();
 no_shuffle();
 run_tests;

 __DATA__

 === TEST 1: set whitelist
 --- config
     location /t {
         content_by_lua_block {
             local t = require("lib.test_admin").test
             local code, body = t('/apisix/admin/routes/1',
                  ngx.HTTP_PUT,
                  [[{
                         "uri": "/hello",
                         "upstream": {
                             "type": "roundrobin",
                             "nodes": {
                                 "127.0.0.1:1980": 1
                             }
                         },
                         "plugins": {
                             "referer-restriction": {
                                  "whitelist": [
                                      "*.xx.com",
                                      "yy.com"
                                  ]
                             }
                         }
                 }]]
                 )

             if code >= 300 then
                 ngx.status = code
             end
             ngx.say(body)
         }
     }
 --- request
 GET /t
 --- response_body
 passed


 === TEST 2: hit route and in the whitelist (wildcard)
 --- request
 GET /hello
 --- more_headers
 Referer: http://www.xx.com
 --- response_body
 hello world


 === TEST 3: hit route and in the whitelist
 --- request
 GET /hello
 --- more_headers
 Referer: https://yy.com/am
 --- response_body
 hello world


 === TEST 4: hit route and not in the whitelist
 --- request
 GET /hello
 --- more_headers
 Referer: https://www.yy.com/am
 --- error_code: 403


 === TEST 5: hit route and without Referer
 --- request
 GET /hello
 --- error_code: 403


 === TEST 6: set whitelist, allow Referer missing
 --- config
     location /t {
         content_by_lua_block {
             local t = require("lib.test_admin").test
             local code, body = t('/apisix/admin/routes/1',
                  ngx.HTTP_PUT,
                  [[{
                         "uri": "/hello",
                         "upstream": {
                             "type": "roundrobin",
                             "nodes": {
                                 "127.0.0.1:1980": 1
                             }
                         },
                         "plugins": {
                             "referer-restriction": {
                                 "bypass_missing": true,
                                  "whitelist": [
                                      "*.xx.com",
                                      "yy.com"
                                  ]
                             }
                         }
                 }]]
                 )

             if code >= 300 then
                 ngx.status = code
             end
             ngx.say(body)
         }
     }
 --- request
 GET /t
 --- response_body
 passed


 === TEST 7: hit route and without Referer
 --- request
 GET /hello
 --- response_body
 hello world


 === TEST 8: malformed Referer is treated as missing
 --- request
 GET /hello
 --- more_headers
 Referer: www.yy.com
 --- response_body
 hello world


 === TEST 9: invalid schema
 --- config
     location /t {
         content_by_lua_block {
             local plugin = require("apisix.plugins.referer-restriction")
             local cases = {
                 "x.*",
                 "~y.xn",
                 "::1",
             }
             for _, c in ipairs(cases) do
                 local ok, err = plugin.check_schema({
                     whitelist = {c}
                 })
                 if ok then
                     ngx.log(ngx.ERR, c)
                 end
             end
         }
     }
 --- request
 GET /t


 === TEST 10: set blacklist with reject message
 --- config
     location /t {
         content_by_lua_block {
             local t = require("lib.test_admin").test
             local code, body = t('/apisix/admin/routes/1',
                  ngx.HTTP_PUT,
                  [[{
                         "uri": "/hello",
                         "upstream": {
                             "type": "roundrobin",
                             "nodes": {
                                 "127.0.0.1:1980": 1
                             }
                         },
                         "plugins": {
                             "referer-restriction": {
                                  "blacklist": [
                                      "*.xx.com"
                                  ],
                                  "message": "Your referer host is deny"
                             }
                         }
                 }]]
                 )

             if code >= 300 then
                 ngx.status = code
             end
             ngx.say(body)
         }
     }
 --- request
 GET /t
 --- response_body
 passed


 === TEST 11: hit route and in the blacklist
 --- request
 GET /hello
 --- more_headers
 Referer: http://www.xx.com
 --- error_code: 403
 --- response_body
 {"message":"Your referer host is deny"}


 === TEST 12: hit route and not in the blacklist
 --- request
 GET /hello
 --- more_headers
 Referer: https://yy.com
 --- response_body
 hello world


 === TEST 13: whitelist and blacklist mutual exclusive
 --- config
     location /t {
         content_by_lua_block {
             local plugin = require("apisix.plugins.referer-restriction")
             local ok, err = plugin.check_schema({whitelist={"xx.com"}, blacklist={"yy.com"}})
             if not ok then
                 ngx.say(err)
             end

             ngx.say("done")
         }
     }
 --- request
 GET /t
 --- response_body
 value should match only one schema, but matches both schemas 1 and 2
 done
	#
	# Licensed to the Apache Software Foundation (ASF) under one or more
	# contributor license agreements. See the NOTICE file distributed with
	# this work for additional information regarding copyright ownership.
	# The ASF licenses this file to You under the Apache License, Version 2.0
	# (the "License"); you may not use this file except in compliance with
	# the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	#
	use t::APISIX 'no_plan';

	add_block_preprocessor(sub {
	my ($block) = @_;

	$block->set_value("no_error_log", "[error]");

	$block;
	});

	repeat_each(1);
	no_long_string();
	no_root_location();
	no_shuffle();
	run_tests;

	__DATA__

	=== TEST 1: set whitelist
	--- config
	location /t {
	content_by_lua_block {
	local t = require("lib.test_admin").test
	local code, body = t('/apisix/admin/routes/1',
	ngx.HTTP_PUT,
	[[{
	"uri": "/hello",
	"upstream": {
	"type": "roundrobin",
	"nodes": {
	"127.0.0.1:1980": 1
	}
	},
	"plugins": {
	"referer-restriction": {
	"whitelist": [
	"*.xx.com",
	"yy.com"
	]
	}
	}
	}]]
	)

	if code >= 300 then
	ngx.status = code
	end
	ngx.say(body)
	}
	}
	--- request
	GET /t
	--- response_body
	passed



	=== TEST 2: hit route and in the whitelist (wildcard)
	--- request
	GET /hello
	--- more_headers
	Referer: http://www.xx.com
	--- response_body
	hello world



	=== TEST 3: hit route and in the whitelist
	--- request
	GET /hello
	--- more_headers
	Referer: https://yy.com/am
	--- response_body
	hello world



	=== TEST 4: hit route and not in the whitelist
	--- request
	GET /hello
	--- more_headers
	Referer: https://www.yy.com/am
	--- error_code: 403



	=== TEST 5: hit route and without Referer
	--- request
	GET /hello
	--- error_code: 403



	=== TEST 6: set whitelist, allow Referer missing
	--- config
	location /t {
	content_by_lua_block {
	local t = require("lib.test_admin").test
	local code, body = t('/apisix/admin/routes/1',
	ngx.HTTP_PUT,
	[[{
	"uri": "/hello",
	"upstream": {
	"type": "roundrobin",
	"nodes": {
	"127.0.0.1:1980": 1
	}
	},
	"plugins": {
	"referer-restriction": {
	"bypass_missing": true,
	"whitelist": [
	"*.xx.com",
	"yy.com"
	]
	}
	}
	}]]
	)

	if code >= 300 then
	ngx.status = code
	end
	ngx.say(body)
	}
	}
	--- request
	GET /t
	--- response_body
	passed



	=== TEST 7: hit route and without Referer
	--- request
	GET /hello
	--- response_body
	hello world



	=== TEST 8: malformed Referer is treated as missing
	--- request
	GET /hello
	--- more_headers
	Referer: www.yy.com
	--- response_body
	hello world



	=== TEST 9: invalid schema
	--- config
	location /t {
	content_by_lua_block {
	local plugin = require("apisix.plugins.referer-restriction")
	local cases = {
	"x.*",
	"~y.xn",
	"::1",
	}
	for _, c in ipairs(cases) do
	local ok, err = plugin.check_schema({
	whitelist = {c}
	})
	if ok then
	ngx.log(ngx.ERR, c)
	end
	end
	}
	}
	--- request
	GET /t



	=== TEST 10: set blacklist with reject message
	--- config
	location /t {
	content_by_lua_block {
	local t = require("lib.test_admin").test
	local code, body = t('/apisix/admin/routes/1',
	ngx.HTTP_PUT,
	[[{
	"uri": "/hello",
	"upstream": {
	"type": "roundrobin",
	"nodes": {
	"127.0.0.1:1980": 1
	}
	},
	"plugins": {
	"referer-restriction": {
	"blacklist": [
	"*.xx.com"
	],
	"message": "Your referer host is deny"
	}
	}
	}]]
	)

	if code >= 300 then
	ngx.status = code
	end
	ngx.say(body)
	}
	}
	--- request
	GET /t
	--- response_body
	passed



	=== TEST 11: hit route and in the blacklist
	--- request
	GET /hello
	--- more_headers
	Referer: http://www.xx.com
	--- error_code: 403
	--- response_body
	{"message":"Your referer host is deny"}



	=== TEST 12: hit route and not in the blacklist
	--- request
	GET /hello
	--- more_headers
	Referer: https://yy.com
	--- response_body
	hello world



	=== TEST 13: whitelist and blacklist mutual exclusive
	--- config
	location /t {
	content_by_lua_block {
	local plugin = require("apisix.plugins.referer-restriction")
	local ok, err = plugin.check_schema({whitelist={"xx.com"}, blacklist={"yy.com"}})
	if not ok then
	ngx.say(err)
	end

	ngx.say("done")
	}
	}
	--- request
	GET /t
	--- response_body
	value should match only one schema, but matches both schemas 1 and 2
	done