From 57755112eabb65707c889e408c3c13cf52a2352d Mon Sep 17 00:00:00 2001
From: WeebDataHoarder
Date: Wed, 23 Apr 2025 20:34:57 +0200
Subject: [PATCH] ci: check example policy files

cmd: add check parameter

---
 .drone.jsonnet      | 18 +++++++++++-
 .drone.yml          | 34 +++++++++++++++++++++--
 cmd/go-away/main.go | 67 ++++++++++++++++++++++++++-------------------
 lib/state.go        |  1 +
 4 files changed, 88 insertions(+), 32 deletions(-)

diff --git a/.drone.jsonnet b/.drone.jsonnet
index fdc9a6d..99470f9 100644
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@@ -21,10 +21,26 @@ local Build(go, alpine, os, arch) = {
         "apk update",
         "apk add --no-cache git",
         "mkdir .bin",
-        "go build -v -o ./.bin/go-away ./cmd/go-away",
+        "go build -v -pgo=auto -v -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away",
         "go build -v -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime",
       ],
     },
+    {
+      name: "check-policy-forgejo",
+      image: "alpine:" + alpine,
+      depends_on: ["build"],
+      commands: [
+        "./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80 --policy examples/forgejo.yml --policy-snippets examples/snippets/"
+      ],
+    },
+    {
+      name: "check-policy-generic",
+      image: "alpine:" + alpine,
+      depends_on: ["build"],
+      commands: [
+        "./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80 --policy examples/generic.yml --policy-snippets examples/snippets/"
+      ],
+    },
     {
       name: "test-wasm-success",
       image: "alpine:" + alpine,
diff --git a/.drone.yml b/.drone.yml
index a2cafe2..4aee29f 100644
--- a/.drone.yml
+++ b/.drone.yml
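Review bot: The rebuilt build command passes `-v` twice (`go build -v -pgo=auto -v -trimpath -ldflags=-buildid= ...`); drop the duplicate so the line reads `"go build -v -pgo=auto -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away",`. Both check-policy steps hand `--check` a placeholder `--backend example.com=http://127.0.0.1:80` although nothing listens in check mode, which implies at least one backend is still required before a policy can be loaded; if that is deliberate, a comment on the step such as `// --check does not bind, but backend parsing still needs one entry` would explain the dummy value. `.drone.yml` appears to be generated from this file and signed, so the hmac in the signature hunk has to be refreshed every time these commands change.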
@@ -14,10 +14,24 @@ steps:
   - apk update
   - apk add --no-cache git
   - mkdir .bin
-  - go build -v -o ./.bin/go-away ./cmd/go-away
+  - go build -v -pgo=auto -v -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away
   - go build -v -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime
   image: golang:1.24-alpine3.21
   name: build
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/forgejo.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  name: check-policy-forgejo
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/generic.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  name: check-policy-generic
 - commands:
   - ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
     -make-challenge ./embed/challenge/js-pow-sha256/test/make-challenge.json -make-challenge-out
@@ -55,10 +69,24 @@ steps:
   - apk update
   - apk add --no-cache git
   - mkdir .bin
-  - go build -v -o ./.bin/go-away ./cmd/go-away
+  - go build -v -pgo=auto -v -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away
   - go build -v -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime
   image: golang:1.24-alpine3.21
   name: build
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/forgejo.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  name: check-policy-forgejo
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/generic.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  name: check-policy-generic
 - commands:
   - ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
     -make-challenge ./embed/challenge/js-pow-sha256/test/make-challenge.json -make-challenge-out
@@ -322,6 +350,6 @@ trigger:
 type: docker
 ---
 kind: signature
-hmac: f27dd6fbc73d3dd6e26739576a02b6bf0f9d1c43ee9d6d1439afacdf4e4dbf96
+hmac: 8aed9810938e4aa4b34c4afb35e1101f27f98a61ffe5349be9a30f22ce7480ed
 
 ...
diff --git a/cmd/go-away/main.go b/cmd/go-away/main.go
index 56017d4..2d8bf7a 100644
--- a/cmd/go-away/main.go
+++ b/cmd/go-away/main.go
@@ -128,6 +128,7 @@ func main() {
 	slogLevel := flag.String("slog-level", "WARN", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
 	debugMode := flag.Bool("debug", false, "debug mode with logs and server timings")
 	passThrough := flag.Bool("passthrough", false, "passthrough mode sends all requests to matching backends until state is loaded")
+	check := flag.Bool("check", false, "check configuration and policies, then exit")
 	acmeAutocert := flag.String("acme-autocert", "", "enables HTTP(s) mode and uses the provided ACME server URL or available service (available: letsencrypt)")
 	clientIpHeader := flag.String("client-ip-header", "", "Client HTTP header to fetch their IP address from (X-Real-Ip, X-Client-Ip, X-Forwarded-For, Cf-Connecting-Ip, etc.)")
 
@@ -265,34 +266,6 @@ func main() {
 		tlsConfig = acmeManager.TLSConfig()
 	}
 
-	listener, listenUrl := setupListener(*bindNetwork, *bind, *socketMode, *bindProxy)
-	slog.Warn(
-		"listening",
-		"url", listenUrl,
-	)
-
-	var serverHandler atomic.Pointer[http.Handler]
-	server := utils.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if handler := serverHandler.Load(); handler == nil {
-			http.Error(w, http.StatusText(http.StatusBadGateway), http.StatusBadGateway)
-		} else {
-			(*handler).ServeHTTP(w, r)
-		}
-	}), tlsConfig)
-
-	if *passThrough {
-		// setup a passthrough handler temporarily
-		fn := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			backend := utils.SelectHTTPHandler(createdBackends, r.Host)
-			if backend == nil {
-				http.Error(w, http.StatusText(http.StatusBadGateway), http.StatusBadGateway)
-			} else {
-				backend.ServeHTTP(w, r)
-			}
-		}))
-		serverHandler.Store(&fn)
-	}
-
 	loadPolicyState := func() (http.Handler, error) {
 		policyData, err := os.ReadFile(*policyFile)
 		if err != nil {
@@ -325,6 +298,44 @@ func main() {
 		return state, nil
 	}
 
+	if *check {
+		_, err := loadPolicyState()
+		if err != nil {
+			slog.Error(err.Error())
+			os.Exit(1)
+		}
+		slog.Info("load ok")
+		os.Exit(0)
+	}
+
+	listener, listenUrl := setupListener(*bindNetwork, *bind, *socketMode, *bindProxy)
+	slog.Warn(
+		"listening",
+		"url", listenUrl,
+	)
+
+	var serverHandler atomic.Pointer[http.Handler]
+	server := utils.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if handler := serverHandler.Load(); handler == nil {
+			http.Error(w, http.StatusText(http.StatusBadGateway), http.StatusBadGateway)
+		} else {
+			(*handler).ServeHTTP(w, r)
+		}
+	}), tlsConfig)
+
+	if *passThrough {
+		// setup a passthrough handler temporarily
+		fn := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			backend := utils.SelectHTTPHandler(createdBackends, r.Host)
+			if backend == nil {
+				http.Error(w, http.StatusText(http.StatusBadGateway), http.StatusBadGateway)
+			} else {
+				backend.ServeHTTP(w, r)
+			}
+		}))
+		serverHandler.Store(&fn)
+	}
+
 	go func() {
 		handler, err := loadPolicyState()
 		if err != nil {
diff --git a/lib/state.go b/lib/state.go
index bd07ea9..74d4521 100644
--- a/lib/state.go
+++ b/lib/state.go
@@ -128,6 +128,7 @@ func NewState(p policy.Policy, settings policy.Settings) (handler http.Handler,
 			cacheKey := fmt.Sprintf("%s-%d", k, i)
 			var cached []net.IPNet
 			if useCache && networkCache != nil {
+				//TODO: add randomness
 				cachedData, err := networkCache.Get(cacheKey, time.Hour*24)
 				var l []string
 				_ = json.Unmarshal(cachedData, &l)
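Review bot: The new `if *check` block exits before `setupListener(*bindNetwork, *bind, *socketMode, *bindProxy)` is reached, so bind, socket-mode and proxy settings are never validated even though the flag is described as checking "configuration and policies"; either run the check after the listener is created (closing it before `os.Exit(0)`) or narrow the help text to `"check policy files and snippets, then exit"`. `slog.Error(err.Error())` folds the error into the message string; `slog.Error("policy check failed", "err", err)` keeps it as an attribute and matches the `slog.Warn("listening", "url", listenUrl)` style a few lines below. `os.Exit` also bypasses any `defer`s registered earlier in `main`, which begins outside this hunk, so it is worth confirming none need to run on the check path. If `loadPolicyState` can end up fetching remote network lists (the `networkCache` path in lib/state.go suggests it may), the CI check steps will need outbound network access, which should be stated in the step or avoided with a no-fetch option.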
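Review bot: The added `//TODO: add randomness` does not say what the randomness is for or where it would go; if the aim is to jitter the fixed `time.Hour*24` TTL passed to `networkCache.Get` so that every cached network list does not expire and refetch in the same instant, spell it out: `// TODO: add jitter to the 24h TTL so cached network lists don't all refresh at once`. The enclosing `NewState` loop starts and ends outside this hunk. While touching this path, note that `_ = json.Unmarshal(cachedData, &l)` two lines down discards decode errors, so a corrupt cache entry quietly yields an empty list rather than a refetch — pre-existing, but worth revisiting together with the TTL change.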