Baffle-WAF/baffle-hub
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
1aa77066a1c54164ded3dfa26b6c18c181461063
baffle-hub/test/models/rule_test.rb

297 lines
8.3 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
require "test_helper"
class RuleTest < ActiveSupport::TestCase
# Validation tests
test "should create valid network rule" do
network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
rule = Rule.new(
waf_rule_type: "network",
waf_action: "deny",
network_range: network_range,
source: "manual",
user: users(:one)
)
assert rule.valid?
rule.save!
assert_equal 8, rule.priority # Auto-calculated from CIDR prefix
end
test "should create valid network rule with IPv6" do
network_range = NetworkRange.create!(cidr: "2001:db8::/32")
rule = Rule.new(
waf_rule_type: "network",
waf_action: "deny",
network_range: network_range,
source: "manual",
user: users(:one)
)
assert rule.valid?
rule.save!
assert_equal 32, rule.priority
end
test "should create valid rate_limit rule" do
rule = Rule.new(
waf_rule_type: "rate_limit",
waf_action: "deny", # Rate limit rules use deny action when triggered
conditions: { cidr: "0.0.0.0/0", scope: "global" },
metadata: { limit: 100, window: 60 },
source: "manual",
user: users(:one)
)
assert rule.valid?
end
test "should create valid path_pattern rule" do
rule = Rule.new(
waf_rule_type: "path_pattern",
waf_action: "log",
conditions: { patterns: ["/.env", "/.git"] },
source: "default",
user: users(:one)
)
assert rule.valid?
end
test "should require waf_rule_type" do
rule = Rule.new(waf_action: "deny", waf_rule_type: nil, conditions: { patterns: ["/test"] }, user: users(:one))
assert_not rule.valid?
assert_includes rule.errors[:waf_rule_type], "can't be blank"
end
test "should require waf_action" do
rule = Rule.new(waf_rule_type: "path_pattern", waf_action: nil, conditions: { patterns: ["/test"] }, user: users(:one))
assert_not rule.valid?
assert_includes rule.errors[:waf_action], "can't be blank"
end
test "should validate network has valid CIDR" do
rule = Rule.new(
waf_rule_type: "network",
waf_action: "deny",
conditions: { cidr: "invalid-cidr" }, # Invalid CIDR
user: users(:one)
)
assert_not rule.valid?
# Network rules now validate differently - they need a network_range
assert_includes rule.errors[:network_range], "is required for network rules"
end
test "should validate rate_limit has limit and window in metadata" do
rule = Rule.new(
waf_rule_type: "rate_limit",
waf_action: "deny", # Rate limit rules use deny action when triggered
conditions: { cidr: "0.0.0.0/0", scope: "global" },
metadata: { limit: 100 }, # Missing window
user: users(:one)
)
assert_not rule.valid?
assert_includes rule.errors[:metadata], "must include 'limit' and 'window' for rate_limit rules"
end
# Default value tests
test "should default enabled to true" do
network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
rule = Rule.create!(
waf_rule_type: "network",
waf_action: "deny",
network_range: network_range,
user: users(:one)
)
assert rule.enabled?
end
# Priority calculation tests
test "should calculate priority from IPv4 CIDR prefix" do
network_range = NetworkRange.create!(cidr: "192.168.1.0/24")
rule = Rule.create!(
waf_rule_type: "network",
waf_action: "deny",
network_range: network_range,
user: users(:one)
)
assert_equal 24, rule.priority
end
# Scope tests
test "active scope returns enabled and non-expired rules" do
active_range = NetworkRange.create!(cidr: "10.0.0.0/8")
active = Rule.create!(
waf_rule_type: "network",
waf_action: "deny",
network_range: active_range,
enabled: true,
user: users(:one)
)
disabled_range = NetworkRange.create!(cidr: "192.168.0.0/16")
disabled = Rule.create!(
waf_rule_type: "network",
waf_action: "deny",
network_range: disabled_range,
enabled: false,
user: users(:one)
)
expired_range = NetworkRange.create!(cidr: "172.16.0.0/12")
expired = Rule.create!(
waf_rule_type: "network",
waf_action: "deny",
network_range: expired_range,
enabled: true,
expires_at: 1.hour.ago,
user: users(:one)
)
results = Rule.active.to_a
assert_includes results, active
assert_not_includes results, disabled
assert_not_includes results, expired
end
# Instance method tests
test "active? returns true for enabled non-expired rule" do
network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
rule = Rule.create!(
waf_rule_type: "network",
waf_action: "deny",
network_range: network_range,
enabled: true,
user: users(:one)
)
assert rule.active?
end
test "disable! sets enabled to false and adds metadata" do
network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
rule = Rule.create!(
waf_rule_type: "network",
waf_action: "deny",
network_range: network_range,
user: users(:one)
)
rule.disable!(reason: "False positive")
assert_not rule.enabled?
assert_equal "False positive", rule.metadata["disabled_reason"]
assert rule.metadata["disabled_at"].present?
end
# Agent format tests
test "to_agent_format returns correct structure" do
network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
rule = Rule.create!(
waf_rule_type: "network",
waf_action: "deny",
network_range: network_range,
expires_at: 1.day.from_now,
source: "manual",
metadata: { reason: "Test" },
user: users(:one)
)
format = rule.to_agent_format
assert_equal rule.id, format[:id]
assert_equal "network", format[:waf_rule_type]
assert_equal "deny", format[:waf_action]
assert_equal 8, format[:priority]
assert_equal true, format[:enabled]
end
# Tag functionality tests
test "should store and retrieve tags in metadata" do
network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
rule = Rule.create!(
waf_rule_type: "network",
waf_action: "allow",
network_range: network_range,
metadata: { tags: ["bot:googlebot", "trusted"] },
user: users(:one)
)
assert_equal ["bot:googlebot", "trusted"], rule.tags
end
test "should add tag to rule" do
network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
rule = Rule.create!(
waf_rule_type: "network",
waf_action: "allow",
network_range: network_range,
user: users(:one)
)
rule.add_tag("bot:googlebot")
rule.save!
assert_includes rule.tags, "bot:googlebot"
end
test "should remove tag from rule" do
network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
rule = Rule.create!(
waf_rule_type: "network",
waf_action: "allow",
network_range: network_range,
metadata: { tags: ["bot:googlebot", "trusted"] },
user: users(:one)
)
rule.remove_tag("trusted")
rule.save!
assert_not_includes rule.tags, "trusted"
assert_includes rule.tags, "bot:googlebot"
end
test "should check if rule has tag" do
network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
rule = Rule.create!(
waf_rule_type: "network",
waf_action: "allow",
network_range: network_range,
metadata: { tags: ["bot:googlebot"] },
user: users(:one)
)
assert rule.has_tag?("bot:googlebot")
assert_not rule.has_tag?("bot:bingbot")
end
test "should store headers in metadata" do
network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
rule = Rule.create!(
waf_rule_type: "network",
waf_action: "allow",
network_range: network_range,
metadata: {
tags: ["bot:googlebot"],
headers: { "X-Bot-Agent" => "googlebot" }
},
user: users(:one)
)
assert_equal({ "X-Bot-Agent" => "googlebot" }, rule.headers)
end
test "should set tags via assignment" do
network_range = NetworkRange.create!(cidr: "10.0.0.0/8")
rule = Rule.create!(
waf_rule_type: "network",
waf_action: "allow",
network_range: network_range,
user: users(:one)
)
rule.tags = ["bot:bingbot", "network:microsoft"]
rule.save!
assert_equal ["bot:bingbot", "network:microsoft"], rule.tags
end
end
Reference in New Issue View Git Blame Copy Permalink