ci: check example policy files

cmd: add check parameter
2025-04-23 20:34:57 +02:00
parent 6bb7ca979d
commit 57755112ea
4 changed files with 88 additions and 32 deletions
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@@ -21,10 +21,26 @@ local Build(go, alpine, os, arch) = {
                "apk update",
                "apk add --no-cache git",
                "mkdir .bin",
-                "go build -v -o ./.bin/go-away ./cmd/go-away",
+                "go build -v -pgo=auto -v -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away",
                "go build -v -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime",
            ],
        },
+        {
+            name: "check-policy-forgejo",
+            image: "alpine:" + alpine,
+            depends_on: ["build"],
+            commands: [
+                "./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80 --policy examples/forgejo.yml --policy-snippets examples/snippets/"
+            ],
+        },
+        {
+            name: "check-policy-generic",
+            image: "alpine:" + alpine,
+            depends_on: ["build"],
+            commands: [
+                "./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80 --policy examples/generic.yml --policy-snippets examples/snippets/"
+            ],
+        },
        {
            name: "test-wasm-success",
            image: "alpine:" + alpine,
--- a/.drone.yml
+++ b/.drone.yml
@@ -14,10 +14,24 @@ steps:
  - apk update
  - apk add --no-cache git
  - mkdir .bin
-  - go build -v -o ./.bin/go-away ./cmd/go-away
+  - go build -v -pgo=auto -v -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away
  - go build -v -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime
  image: golang:1.24-alpine3.21
  name: build
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/forgejo.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  name: check-policy-forgejo
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/generic.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  name: check-policy-generic
 - commands:
  - ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
    -make-challenge ./embed/challenge/js-pow-sha256/test/make-challenge.json -make-challenge-out
@@ -55,10 +69,24 @@ steps:
  - apk update
  - apk add --no-cache git
  - mkdir .bin
-  - go build -v -o ./.bin/go-away ./cmd/go-away
+  - go build -v -pgo=auto -v -trimpath -ldflags=-buildid= -o ./.bin/go-away ./cmd/go-away
  - go build -v -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime
  image: golang:1.24-alpine3.21
  name: build
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/forgejo.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  name: check-policy-forgejo
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/generic.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  name: check-policy-generic
 - commands:
  - ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
    -make-challenge ./embed/challenge/js-pow-sha256/test/make-challenge.json -make-challenge-out
@@ -322,6 +350,6 @@ trigger:
 type: docker
 ---
 kind: signature
-hmac: f27dd6fbc73d3dd6e26739576a02b6bf0f9d1c43ee9d6d1439afacdf4e4dbf96
+hmac: 8aed9810938e4aa4b34c4afb35e1101f27f98a61ffe5349be9a30f22ce7480ed

 ...
--- a/cmd/go-away/main.go
+++ b/cmd/go-away/main.go
@@ -128,6 +128,7 @@ func main() {
 	slogLevel := flag.String("slog-level", "WARN", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
 	debugMode := flag.Bool("debug", false, "debug mode with logs and server timings")
 	passThrough := flag.Bool("passthrough", false, "passthrough mode sends all requests to matching backends until state is loaded")
+	check := flag.Bool("check", false, "check configuration and policies, then exit")
 	acmeAutocert := flag.String("acme-autocert", "", "enables HTTP(s) mode and uses the provided ACME server URL or available service (available: letsencrypt)")

 	clientIpHeader := flag.String("client-ip-header", "", "Client HTTP header to fetch their IP address from (X-Real-Ip, X-Client-Ip, X-Forwarded-For, Cf-Connecting-Ip, etc.)")
@@ -265,34 +266,6 @@ func main() {
 		tlsConfig = acmeManager.TLSConfig()
 	}

-	listener, listenUrl := setupListener(*bindNetwork, *bind, *socketMode, *bindProxy)
-	slog.Warn(
-		"listening",
-		"url", listenUrl,
-	)
-
-	var serverHandler atomic.Pointer[http.Handler]
-	server := utils.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if handler := serverHandler.Load(); handler == nil {
-			http.Error(w, http.StatusText(http.StatusBadGateway), http.StatusBadGateway)
-		} else {
-			(*handler).ServeHTTP(w, r)
-		}
-	}), tlsConfig)
-
-	if *passThrough {
-		// setup a passthrough handler temporarily
-		fn := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			backend := utils.SelectHTTPHandler(createdBackends, r.Host)
-			if backend == nil {
-				http.Error(w, http.StatusText(http.StatusBadGateway), http.StatusBadGateway)
-			} else {
-				backend.ServeHTTP(w, r)
-			}
-		}))
-		serverHandler.Store(&fn)
-	}
-
 	loadPolicyState := func() (http.Handler, error) {
 		policyData, err := os.ReadFile(*policyFile)
 		if err != nil {
@@ -325,6 +298,44 @@ func main() {
 		return state, nil
 	}

+	if *check {
+		_, err := loadPolicyState()
+		if err != nil {
+			slog.Error(err.Error())
+			os.Exit(1)
+		}
+		slog.Info("load ok")
+		os.Exit(0)
+	}
+
+	listener, listenUrl := setupListener(*bindNetwork, *bind, *socketMode, *bindProxy)
+	slog.Warn(
+		"listening",
+		"url", listenUrl,
+	)
+
+	var serverHandler atomic.Pointer[http.Handler]
+	server := utils.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if handler := serverHandler.Load(); handler == nil {
+			http.Error(w, http.StatusText(http.StatusBadGateway), http.StatusBadGateway)
+		} else {
+			(*handler).ServeHTTP(w, r)
+		}
+	}), tlsConfig)
+
+	if *passThrough {
+		// setup a passthrough handler temporarily
+		fn := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			backend := utils.SelectHTTPHandler(createdBackends, r.Host)
+			if backend == nil {
+				http.Error(w, http.StatusText(http.StatusBadGateway), http.StatusBadGateway)
+			} else {
+				backend.ServeHTTP(w, r)
+			}
+		}))
+		serverHandler.Store(&fn)
+	}
+
 	go func() {
 		handler, err := loadPolicyState()
 		if err != nil {
--- a/lib/state.go
+++ b/lib/state.go
@@ -128,6 +128,7 @@ func NewState(p policy.Policy, settings policy.Settings) (handler http.Handler,
 				cacheKey := fmt.Sprintf("%s-%d", k, i)
 				var cached []net.IPNet
 				if useCache && networkCache != nil {
+					//TODO: add randomness
 					cachedData, err := networkCache.Get(cacheKey, time.Hour*24)
 					var l []string
 					_ = json.Unmarshal(cachedData, &l)