vane 0.9.2

A flow-based reverse proxy with multi-layer routing and programmable pipelines.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331

/* integration/tests/l7/test_static_server.go */
package l7

import (
	"bytes"
	"compress/gzip"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"

	"canmi.net/vane-mock-tests/pkg/config/advanced"
	"canmi.net/vane-mock-tests/pkg/env"
	"canmi.net/vane-mock-tests/pkg/term"
)

func setupStaticTest(s *env.Sandbox, extraInputs map[string]interface{}) (int, string, error) {
	// 1. Create Temp Root
	tmpRoot := filepath.Join(s.RootDir, "static_content")
	os.MkdirAll(tmpRoot, 0755)

	// 2. Create index.html
	os.WriteFile(filepath.Join(tmpRoot, "index.html"), []byte("<h1>Hello Vane</h1>"), 0644)
	// 3. Create a larger file for range requests
	largeContent := strings.Repeat("ABCDEFGHIJ", 10) // 100 bytes
	os.WriteFile(filepath.Join(tmpRoot, "large.txt"), []byte(largeContent), 0644)

	// 4. Configure Vane
	ports, _ := env.GetFreePorts(1)
	vanePort := ports[0]

	inputs := map[string]interface{}{
		"root": tmpRoot,
		"uri":  "{{req.path}}",
	}
	for k, v := range extraInputs {
		inputs[k] = v
	}

	l7Conf := advanced.ApplicationConfig{
		Pipeline: advanced.ProcessingStep{
			"internal.driver.static": advanced.PluginInstance{
				Input: inputs,
				Output: map[string]advanced.ProcessingStep{
					"success": {
						"internal.terminator.response": advanced.PluginInstance{
							Input: map[string]interface{}{},
						},
					},
					"not_found": {
						"internal.terminator.response": advanced.PluginInstance{
							Input: map[string]interface{}{"status": 404, "body": "Not Found Custom"},
						},
					},
					"failure": {
						"internal.terminator.response": advanced.PluginInstance{
							Input: map[string]interface{}{"status": 500, "body": "Static Error"},
						},
					},
				},
			},
		},
	}
	l7Bytes, _ := json.Marshal(l7Conf)
	s.WriteConfig("application/httpx.json", l7Bytes)

	l4pConf := advanced.L4FlowConfig{Connection: advanced.NewUpgrade("httpx")}
	l4pBytes, _ := json.Marshal(l4pConf)
	s.WriteConfig("resolver/http.json", l4pBytes)

	l4Conf := advanced.L4FlowConfig{Connection: advanced.NewUpgrade("http")}
	l4Bytes, _ := json.Marshal(l4Conf)
	s.WriteConfig(fmt.Sprintf("listener/[%d]/tcp.json", vanePort), l4Bytes)

	return vanePort, tmpRoot, nil
}

func TestStaticServeBasic(ctx context.Context, s *env.Sandbox) error {
	debug, _ := ctx.Value(env.DebugKey).(bool)
	vanePort, _, _ := setupStaticTest(s, nil)

	proc, err := s.StartVane(ctx, debug)
	if err != nil {
		return err
	}
	defer proc.Stop()
	proc.WaitForTcpPort(vanePort, 5*time.Second)

	client := &http.Client{Timeout: 2 * time.Second}

	// 1. Request / (should get index.html)
	resp, err := client.Get(fmt.Sprintf("http://127.0.0.1:%d/", vanePort))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if !strings.Contains(string(body), "Hello Vane") {
		return term.FormatFailure("Failed to serve index.html", term.NewNode(string(body)))
	}

	// 2. Request /large.txt
	resp2, err := client.Get(fmt.Sprintf("http://127.0.0.1:%d/large.txt", vanePort))
	if err != nil {
		return err
	}
	defer resp2.Body.Close()
	if resp2.StatusCode != 200 || resp2.ContentLength != 100 {
		return term.FormatFailure("Failed to serve large.txt", nil)
	}

	return nil
}

func TestStaticRange(ctx context.Context, s *env.Sandbox) error {
	debug, _ := ctx.Value(env.DebugKey).(bool)
	vanePort, _, _ := setupStaticTest(s, nil)

	proc, err := s.StartVane(ctx, debug)
	if err != nil {
		return err
	}
	defer proc.Stop()
	proc.WaitForTcpPort(vanePort, 5*time.Second)

	client := &http.Client{Timeout: 2 * time.Second}

	// Request Range: bytes=10-19
	req, _ := http.NewRequest("GET", fmt.Sprintf("http://127.0.0.1:%d/large.txt", vanePort), nil)
	req.Header.Set("Range", "bytes=10-19")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	if resp.StatusCode != 206 {
		return term.FormatFailure(fmt.Sprintf("Expected 206, got %d", resp.StatusCode), nil)
	}
	body, _ := io.ReadAll(resp.Body)
	if len(body) != 10 {
		return term.FormatFailure(fmt.Sprintf("Expected 10 bytes, got %d", len(body)), nil)
	}
	// "ABCDEFGHIJ" repeated. 10-19 should be "ABCDEFGHIJ" (the second block)
	if string(body) != "ABCDEFGHIJ" {
		return term.FormatFailure(fmt.Sprintf("Wrong range content: %s", string(body)), nil)
	}

	return nil
}

func TestStaticSPA(ctx context.Context, s *env.Sandbox) error {
	debug, _ := ctx.Value(env.DebugKey).(bool)
	// Enable SPA mode
	vanePort, _, _ := setupStaticTest(s, map[string]interface{}{"spa": true})

	proc, err := s.StartVane(ctx, debug)
	if err != nil {
		return err
	}
	defer proc.Stop()
	proc.WaitForTcpPort(vanePort, 5*time.Second)

	client := &http.Client{Timeout: 2 * time.Second}

	// Request non-existent path
	resp, err := client.Get(fmt.Sprintf("http://127.0.0.1:%d/some/missing/route", vanePort))
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	// Should get 200 OK and index.html content
	if resp.StatusCode != 200 {
		return term.FormatFailure(fmt.Sprintf("SPA: Expected 200, got %d", resp.StatusCode), nil)
	}
	body, _ := io.ReadAll(resp.Body)
	if !strings.Contains(string(body), "Hello Vane") {
		return term.FormatFailure("SPA: Failed to fallback to index.html", term.NewNode(string(body)))
	}

	return nil
}

func TestStaticBrowse(ctx context.Context, s *env.Sandbox) error {
	debug, _ := ctx.Value(env.DebugKey).(bool)
	// Enable browsing and delete index.html to force listing
	vanePort, root, _ := setupStaticTest(s, map[string]interface{}{"browse": true})
	os.Remove(filepath.Join(root, "index.html"))

	proc, err := s.StartVane(ctx, debug)
	if err != nil {
		return err
	}
	defer proc.Stop()
	proc.WaitForTcpPort(vanePort, 5*time.Second)

	client := &http.Client{Timeout: 2 * time.Second}

	resp, err := client.Get(fmt.Sprintf("http://127.0.0.1:%d/", vanePort))
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	if resp.StatusCode != 200 {
		return term.FormatFailure(fmt.Sprintf("Browse: Expected 200, got %d", resp.StatusCode), nil)
	}
	body, _ := io.ReadAll(resp.Body)
	// Check for a link to large.txt
	if !strings.Contains(string(body), "large.txt") || !strings.Contains(string(body), "<a href=") {
		return term.FormatFailure("Browse: Listing HTML missing file links", term.NewNode(string(body)))
	}

	return nil
}

func TestStaticTraversal(ctx context.Context, s *env.Sandbox) error {
	debug, _ := ctx.Value(env.DebugKey).(bool)
	vanePort, _, _ := setupStaticTest(s, nil)

	proc, err := s.StartVane(ctx, debug)
	if err != nil {
		return err
	}
	defer proc.Stop()
	proc.WaitForTcpPort(vanePort, 5*time.Second)

	client := &http.Client{Timeout: 2 * time.Second}

	// Try traversal
	resp, err := client.Get(fmt.Sprintf("http://127.0.0.1:%d/../../etc/passwd", vanePort))
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	// Should either be 404 (not found in jail) or 500 (plugin returned failure branch)
	// Actually, router::resolve_path returns Err for traversal, which triggers 'failure' branch.
	// Our config maps 'failure' to 500.
	if resp.StatusCode == 200 {
		return term.FormatFailure("Directory traversal succeeded (vulnerability!)", nil)
	}

	return nil
}

func TestStaticPrecompressed(ctx context.Context, s *env.Sandbox) error {
	debug, _ := ctx.Value(env.DebugKey).(bool)
	// Enable precompressed mode
	vanePort, root, _ := setupStaticTest(s, map[string]interface{}{"precompress": true})

	// Create dummy files
	os.WriteFile(filepath.Join(root, "style.css"), []byte("body { color: red; }"), 0644)

	// Create REAL .gz content
	var b bytes.Buffer
	gw := gzip.NewWriter(&b)
	gw.Write([]byte("GZIP_MOCK_CONTENT"))
	gw.Close()
	os.WriteFile(filepath.Join(root, "style.css.gz"), b.Bytes(), 0644)

	proc, err := s.StartVane(ctx, debug)
	if err != nil {
		return err
	}
	defer proc.Stop()
	proc.WaitForTcpPort(vanePort, 5*time.Second)

	// Create a client that does NOT auto-decompress
	tr := &http.Transport{
		DisableCompression: true,
	}
	client := &http.Client{
		Timeout:   2 * time.Second,
		Transport: tr,
	}

	// 1. Request with Accept-Encoding: gzip
	req, _ := http.NewRequest("GET", fmt.Sprintf("http://127.0.0.1:%d/style.css", vanePort), nil)
	req.Header.Set("Accept-Encoding", "gzip, deflate")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	if resp.StatusCode != 200 {
		return term.FormatFailure(fmt.Sprintf("Expected 200, got %d", resp.StatusCode), nil)
	}

	// Verify Header
	if ce := resp.Header.Get("Content-Encoding"); ce != "gzip" {
		return term.FormatFailure(fmt.Sprintf("Expected Content-Encoding: gzip, got '%s'", ce), nil)
	}

	// Verify Body (Should be RAW gzip bytes because we disabled compression)
	body, _ := io.ReadAll(resp.Body)
	if !bytes.Equal(body, b.Bytes()) {
		return term.FormatFailure("Did not serve correct .gz bytes", nil)
	}

	// 2. Request WITHOUT Accept-Encoding
	// Need a new client or reuse? Reuse is fine, DisableCompression just stops automatic header addition and decompression.
	// But standard client behavior adds "Accept-Encoding: gzip" automatically.
	// DisableCompression: true prevents that.

	req2, _ := http.NewRequest("GET", fmt.Sprintf("http://127.0.0.1:%d/style.css", vanePort), nil)
	resp2, err := client.Do(req2)
	if err != nil {
		return err
	}
	defer resp2.Body.Close()

	// Verify Header
	if ce := resp2.Header.Get("Content-Encoding"); ce != "" {
		return term.FormatFailure(fmt.Sprintf("Expected no Content-Encoding, got '%s'", ce), nil)
	}
	// Verify Body (should serve original)
	body2, _ := io.ReadAll(resp2.Body)
	if string(body2) != "body { color: red; }" {
		return term.FormatFailure("Did not serve original content", term.NewNode(string(body2)))
	}

	return nil
}