More use of tags - drop add_header action -> allow + headers+tags

2025-11-20 11:55:04 +11:00
parent 3f274c842c
commit de2eb43e2b
17 changed files with 526 additions and 49 deletions
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@@ -7,3 +7,7 @@ one:
 two:
  email_address: two@example.com
  password_digest: <%= password_digest %>
+
+jason:
+  email_address: jason@example.com
+  password_digest: <%= password_digest %>
--- a/test/models/network_range_test.rb
+++ b/test/models/network_range_test.rb
@@ -211,16 +211,51 @@ class NetworkRangeTest < ActiveSupport::TestCase
    assert_equal @ipv4_range, children.first
  end

-  test "sibling_ranges finds same-level networks" do
-    # Create sibling networks
-    sibling1 = NetworkRange.create!(network: "192.168.0.0/24")
-    @ipv4_range.save! # 192.168.1.0/24
-    sibling2 = NetworkRange.create!(network: "192.168.2.0/24")
+  test "child_ranges works with Apple network hierarchy - 17.240.0.0/14" do
+    # This test demonstrates the current bug in child_ranges method
+    # Expected: 17.240.0.0/14 should have parents but no children in this test setup

-    siblings = @ipv4_range.sibling_ranges
-    assert_includes siblings, sibling1
-    assert_includes siblings, sibling2
-    assert_not_includes siblings, @ipv4_range
+    # Create the target network
+    target_network = NetworkRange.create!(network: "17.240.0.0/14", source: "manual")
+
+    # Create parent networks
+    parent1 = NetworkRange.create!(network: "17.240.0.0/13", source: "manual")  # Should contain 17.240.0.0/14
+    parent2 = NetworkRange.create!(network: "17.128.0.0/9", source: "manual")   # Should also contain 17.240.0.0/14
+
+    # Create some child networks (more specific networks contained by 17.240.0.0/14)
+    child1 = NetworkRange.create!(network: "17.240.0.0/15", source: "manual")  # First half of /14
+    child2 = NetworkRange.create!(network: "17.242.0.0/15", source: "manual")  # Second half of /14
+    child3 = NetworkRange.create!(network: "17.240.0.0/16", source: "manual")  # More specific
+    child4 = NetworkRange.create!(network: "17.241.0.0/16", source: "manual")  # More specific
+
+    # Test parent_ranges works correctly
+    parents = target_network.parent_ranges
+    assert_includes parents, parent1, "17.240.0.0/13 should be a parent of 17.240.0.0/14"
+    assert_includes parents, parent2, "17.128.0.0/9 should be a parent of 17.240.0.0/14"
+
+    # Test child_ranges - this is currently failing due to the bug
+    children = target_network.child_ranges
+    assert_includes children, child1, "17.240.0.0/15 should be a child of 17.240.0.0/14"
+    assert_includes children, child2, "17.242.0.0/15 should be a child of 17.240.0.0/14"
+    assert_includes children, child3, "17.240.0.0/16 should be a child of 17.240.0.0/14"
+    assert_includes children, child4, "17.241.0.0/16 should be a child of 17.240.0.0/14"
+    assert_not_includes children, parent1, "Parent networks should not be in child_ranges"
+    assert_not_includes children, parent2, "Parent networks should not be in child_ranges"
+    assert_not_includes children, target_network, "Self should not be in child_ranges"
+
+    # Test that parent can find child in its child_ranges
+    parent1_children = parent1.child_ranges
+    assert_includes parent1_children, target_network, "17.240.0.0/14 should be in child_ranges of 17.240.0.0/13"
+
+    parent2_children = parent2.child_ranges
+    assert_includes parent2_children, target_network, "17.240.0.0/14 should be in child_ranges of 17.128.0.0/9"
+
+    # Test bidirectional consistency
+    assert target_network.parent_ranges.include?(parent1), "Parent should list child"
+    assert parent1.child_ranges.include?(target_network), "Child should list parent"
+
+    assert target_network.parent_ranges.include?(parent2), "Parent should list child"
+    assert parent2.child_ranges.include?(target_network), "Child should list parent"
  end

  # Intelligence and Inheritance
--- a/test/models/rule_test.rb
+++ b/test/models/rule_test.rb
@@ -202,4 +202,95 @@ class RuleTest < ActiveSupport::TestCase
    assert_equal 8, format[:priority]
    assert_equal true, format[:enabled]
  end
+
+  # Tag functionality tests
+  test "should store and retrieve tags in metadata" do
+    network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
+    rule = Rule.create!(
+      waf_rule_type: "network",
+      waf_action: "allow",
+      network_range: network_range,
+      metadata: { tags: ["bot:googlebot", "trusted"] },
+      user: users(:one)
+    )
+
+    assert_equal ["bot:googlebot", "trusted"], rule.tags
+  end
+
+  test "should add tag to rule" do
+    network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
+    rule = Rule.create!(
+      waf_rule_type: "network",
+      waf_action: "allow",
+      network_range: network_range,
+      user: users(:one)
+    )
+
+    rule.add_tag("bot:googlebot")
+    rule.save!
+
+    assert_includes rule.tags, "bot:googlebot"
+  end
+
+  test "should remove tag from rule" do
+    network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
+    rule = Rule.create!(
+      waf_rule_type: "network",
+      waf_action: "allow",
+      network_range: network_range,
+      metadata: { tags: ["bot:googlebot", "trusted"] },
+      user: users(:one)
+    )
+
+    rule.remove_tag("trusted")
+    rule.save!
+
+    assert_not_includes rule.tags, "trusted"
+    assert_includes rule.tags, "bot:googlebot"
+  end
+
+  test "should check if rule has tag" do
+    network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
+    rule = Rule.create!(
+      waf_rule_type: "network",
+      waf_action: "allow",
+      network_range: network_range,
+      metadata: { tags: ["bot:googlebot"] },
+      user: users(:one)
+    )
+
+    assert rule.has_tag?("bot:googlebot")
+    assert_not rule.has_tag?("bot:bingbot")
+  end
+
+  test "should store headers in metadata" do
+    network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
+    rule = Rule.create!(
+      waf_rule_type: "network",
+      waf_action: "allow",
+      network_range: network_range,
+      metadata: {
+        tags: ["bot:googlebot"],
+        headers: { "X-Bot-Agent" => "googlebot" }
+      },
+      user: users(:one)
+    )
+
+    assert_equal({ "X-Bot-Agent" => "googlebot" }, rule.headers)
+  end
+
+  test "should set tags via assignment" do
+    network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
+    rule = Rule.create!(
+      waf_rule_type: "network",
+      waf_action: "allow",
+      network_range: network_range,
+      user: users(:one)
+    )
+
+    rule.tags = ["bot:bingbot", "network:microsoft"]
+    rule.save!
+
+    assert_equal ["bot:bingbot", "network:microsoft"], rule.tags
+  end
 end