WIP: Add integration test

jeremy5189 · jeremy5189 · commit 7dfd539380b8 · 2026-03-30T18:32:43.000-04:00
diff --git a/banjax_base_test.go b/banjax_base_test.go
@@ -24,6 +24,7 @@ const fixtureConfigTestShaInv = "./fixtures/banjax-config-test-sha-inv.yaml"
 const fixtureConfigTestRegexBanner = "./fixtures/banjax-config-test-regex-banner.yaml"
 const fixtureConfigTestReloadCIDR = "./fixtures/banjax-config-test-reload-cidr.yaml"
 const fixtureConfigTestPersiteFail = "./fixtures/banjax-config-test-persite-fail.yaml"
+const fixtureConfigTestUA = "./fixtures/banjax-config-test-ua.yaml"
 
 var tmpDir string
 var configFile string
@@ -194,6 +195,17 @@ func ClientIP(ip string) http.Header {
 	return http.Header{"X-Client-IP": {ip}}
 }
 
+func ClientUserAgent(ua string) http.Header {
+	return http.Header{"X-Client-User-Agent": {ua}}
+}
+
+func ClientIPAndUserAgent(ip string, ua string) http.Header {
+	return http.Header{
+		"X-Client-IP":         {ip},
+		"X-Client-User-Agent": {ua},
+	}
+}
+
 func randomIP() string {
 	octets := []string{}
 	for i := 0; i < 4; i++ {
diff --git a/banjax_integration_test.go b/banjax_integration_test.go
@@ -405,3 +405,59 @@ func TestRegexesWithRatesAllowList(t *testing.T) {
 		{"GET", prefix + "/blockme/", 200, ClientIP("20.20.20.20"), nil},
 	})
 }
+
+func TestGlobalUserAgentDecisionLists(t *testing.T) {
+	defer reloadConfig(fixtureConfigTest, 1, t)
+
+	reloadConfig(fixtureConfigTestUA, 1, t)
+
+	/*
+		global_user_agent_decision_lists:
+		  nginx_block:
+		    - "AhrefsBot"
+		    - "SemrushBot"
+		  challenge:
+		    - "Macintosh.*Firefox/\\d+"
+	*/
+	prefix := "/auth_request?path="
+	httpTester(t, []TestResource{
+		{"GET", "/info", 200, nil, []string{"2025-01-01"}},
+		// AhrefsBot is globally nginx_blocked (403)
+		{"GET", prefix + "/ua_ahref", 403, ClientUserAgent("Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"), nil},
+		// SemrushBot is globally nginx_blocked (403)
+		{"GET", prefix + "/ua_semrush", 403, ClientUserAgent("Mozilla/5.0 (compatible; SemrushBot/7.0; +http://www.semrush.com/bot.html)"), nil},
+		// Firefox on Mac is globally challenged (429)
+		{"GET", prefix + "/ua_firefox_mac", 429, ClientUserAgent("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:149.0) Gecko/20100101 Firefox/149.0"), nil},
+		// Firefox on Windows does not match the Macintosh pattern — allowed (200)
+		{"GET", prefix + "/ua_firefox_win", 200, ClientUserAgent("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0"), nil},
+		// Googlebot has no UA rule — allowed (200)
+		{"GET", prefix + "/ua_googlebot", 200, ClientUserAgent("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"), nil},
+	})
+}
+
+func TestPerSiteUserAgentDecisionLists(t *testing.T) {
+	defer reloadConfig(fixtureConfigTest, 1, t)
+
+	reloadConfig(fixtureConfigTestUA, 1, t)
+
+	/*
+		per_site_user_agent_decision_lists:
+		  "localhost:8081":
+		    allow:
+		      - "GPTBot"
+
+		global_decision_lists:
+		  challenge:
+		    - 8.8.8.8
+	*/
+	prefix := "/auth_request?path="
+	httpTester(t, []TestResource{
+		{"GET", "/info", 200, nil, []string{"2025-01-01"}},
+		// 8.8.8.8 is in global challenge IP list — should be challenged without a UA override
+		{"GET", prefix + "/ua_ip_challenge", 429, ClientIP("8.8.8.8"), nil},
+		// GPTBot from 8.8.8.8: per-site UA allow overrides the global IP challenge
+		{"GET", prefix + "/ua_gptbot_override", 200, ClientIPAndUserAgent("8.8.8.8", "Mozilla/5.0 (compatible; GPTBot/1.0; +https://openai.com/gptbot)"), nil},
+		// AhrefsBot from 8.8.8.8: global IP challenge fires before global UA block (per-site UA has no AhrefsBot rule)
+		{"GET", prefix + "/ua_ahref_challenged_ip", 429, ClientIPAndUserAgent("8.8.8.8", "Mozilla/5.0 (compatible; AhrefsBot/7.0)"), nil},
+	})
+}
diff --git a/fixtures/banjax-config-test-ua.yaml b/fixtures/banjax-config-test-ua.yaml
@@ -0,0 +1,55 @@
+config_version: 2025-01-01_00:00:00
+global_decision_lists:
+  allow:
+    - 20.20.20.20
+  nginx_block:
+    - 70.80.90.100
+  challenge:
+    - 8.8.8.8
+iptables_ban_seconds: 10
+iptables_unbanner_seconds: 5
+kafka_brokers:
+  - "localhost:9092"
+kafka_security_protocol: 'ssl'
+kafka_ssl_ca: "/etc/banjax/caroot.pem"
+kafka_ssl_key: "/etc/banjax/key.pem"
+kafka_ssl_key_password: password
+kafka_report_topic: 'banjax_report_topic'
+kafka_command_topic: 'banjax_command_topic'
+password_protected_paths:
+  "localhost":
+    - wp-admin
+password_protected_path_exceptions:
+  "localhost":
+    - wp-admin/admin-ajax.php
+password_hashes:
+  "localhost:8081": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+  "localhost": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
+sitewide_sha_inv_list:
+  example.com: block
+  foobar.com: no_block
+server_log_file: /var/log/banjax/banjax-format.log
+banning_log_file: /etc/banjax/ban_ip_list.log
+expiring_decision_ttl_seconds: 10
+too_many_failed_challenges_interval_seconds: 10
+too_many_failed_challenges_threshold: 6
+password_cookie_ttl_seconds: 14400
+sha_inv_cookie_ttl_seconds: 14400
+hmac_secret: secret
+gin_log_file: /var/log/banjax/gin.log
+metrics_log_file: /var/log/banjax/metrics.log
+standalone_testing: true
+
+# UA blocking: AhrefsBot globally blocked, Firefox on Mac globally challenged
+# GPTBot is allowed on localhost (per-site override of the global IP block for 8.8.8.8)
+global_user_agent_decision_lists:
+  nginx_block:
+    - "AhrefsBot"
+    - "SemrushBot"
+  challenge:
+    - "Macintosh.*Firefox/\\d+"
+
+per_site_user_agent_decision_lists:
+  "localhost":
+    allow:
+      - "GPTBot"
