mirror of
https://github.com/coredns/coredns.git
synced 2025-12-19 16:45:11 -05:00
0d8cbb1a6b
Add configurable resource limits to prevent potential DoS vectors via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers. New configuration plugins: - grpc_server: configure max_streams, max_connections - https: configure max_connections - https3: configure max_streams Changes: - Use netutil.LimitListener for connection limiting - Use gRPC MaxConcurrentStreams and message size limits - Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting - Set secure defaults: 256 max streams, 200 max connections - Setting any limit to 0 means unbounded/fallback to previous impl Defaults are applied automatically when plugins are omitted from config. Includes tests and integration tests. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
145 lines
3.0 KiB
Go
145 lines
3.0 KiB
Go
package https
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/coredns/caddy"
|
|
"github.com/coredns/coredns/core/dnsserver"
|
|
)
|
|
|
|
func TestSetup(t *testing.T) {
|
|
tests := []struct {
|
|
input string
|
|
shouldErr bool
|
|
expectedErrContent string
|
|
expectedMaxConnections *int
|
|
}{
|
|
// Valid configurations
|
|
{
|
|
input: `https`,
|
|
shouldErr: false,
|
|
},
|
|
{
|
|
input: `https {
|
|
}`,
|
|
shouldErr: false,
|
|
},
|
|
{
|
|
input: `https {
|
|
max_connections 200
|
|
}`,
|
|
shouldErr: false,
|
|
expectedMaxConnections: intPtr(200),
|
|
},
|
|
// Zero values (unbounded)
|
|
{
|
|
input: `https {
|
|
max_connections 0
|
|
}`,
|
|
shouldErr: false,
|
|
expectedMaxConnections: intPtr(0),
|
|
},
|
|
// Error cases
|
|
{
|
|
input: `https {
|
|
max_connections
|
|
}`,
|
|
shouldErr: true,
|
|
expectedErrContent: "Wrong argument count",
|
|
},
|
|
{
|
|
input: `https {
|
|
max_connections abc
|
|
}`,
|
|
shouldErr: true,
|
|
expectedErrContent: "invalid max_connections value",
|
|
},
|
|
{
|
|
input: `https {
|
|
max_connections -1
|
|
}`,
|
|
shouldErr: true,
|
|
expectedErrContent: "must be a non-negative integer",
|
|
},
|
|
{
|
|
input: `https {
|
|
max_connections 100
|
|
max_connections 200
|
|
}`,
|
|
shouldErr: true,
|
|
expectedErrContent: "already defined",
|
|
},
|
|
{
|
|
input: `https {
|
|
unknown_option 123
|
|
}`,
|
|
shouldErr: true,
|
|
expectedErrContent: "unknown property",
|
|
},
|
|
{
|
|
input: `https extra_arg`,
|
|
shouldErr: true,
|
|
expectedErrContent: "Wrong argument count",
|
|
},
|
|
}
|
|
|
|
for i, test := range tests {
|
|
c := caddy.NewTestController("dns", test.input)
|
|
err := setup(c)
|
|
|
|
if test.shouldErr && err == nil {
|
|
t.Errorf("Test %d (%s): Expected error but got none", i, test.input)
|
|
continue
|
|
}
|
|
|
|
if !test.shouldErr && err != nil {
|
|
t.Errorf("Test %d (%s): Expected no error but got: %v", i, test.input, err)
|
|
continue
|
|
}
|
|
|
|
if test.shouldErr && test.expectedErrContent != "" {
|
|
if !strings.Contains(err.Error(), test.expectedErrContent) {
|
|
t.Errorf("Test %d (%s): Expected error containing '%s' but got: %v",
|
|
i, test.input, test.expectedErrContent, err)
|
|
}
|
|
continue
|
|
}
|
|
|
|
if !test.shouldErr {
|
|
config := dnsserver.GetConfig(c)
|
|
assertIntPtrValue(t, i, test.input, "MaxHTTPSConnections", config.MaxHTTPSConnections, test.expectedMaxConnections)
|
|
}
|
|
}
|
|
}
|
|
|
|
func intPtr(v int) *int {
|
|
return &v
|
|
}
|
|
|
|
func assertIntPtrValue(t *testing.T, testIndex int, testInput, fieldName string, actual, expected *int) {
|
|
t.Helper()
|
|
if actual == nil && expected == nil {
|
|
return
|
|
}
|
|
|
|
if (actual == nil) != (expected == nil) {
|
|
t.Errorf("Test %d (%s): Expected %s to be %v, but got %v",
|
|
testIndex, testInput, fieldName, formatNilableInt(expected), formatNilableInt(actual))
|
|
return
|
|
}
|
|
|
|
if *actual != *expected {
|
|
t.Errorf("Test %d (%s): Expected %s to be %d, but got %d",
|
|
testIndex, testInput, fieldName, *expected, *actual)
|
|
}
|
|
}
|
|
|
|
func formatNilableInt(v *int) string {
|
|
if v == nil {
|
|
return "nil"
|
|
}
|
|
return fmt.Sprintf("%d", *v)
|
|
}
|