tmp commit: seems working

Author: evgeniy-scherbina

e2e_tests/boundary_integration_test.go

@@ -134,9 +134,9 @@ func TestBoundaryIntegration(t *testing.T) {
 	})
 
 	// Test blocked domain (from inside the jail)
-	t.Run("BlockedDomainTest", func(t *testing.T) {
+	t.Run("HTTPBlockedDomainTest", func(t *testing.T) {
 		// Run curl directly in the namespace using ip netns exec
-		curlCmd := exec.Command("sudo", "sudo", "nsenter", "-t", pid, "-n", "--",
+		curlCmd := exec.Command("sudo", "nsenter", "-t", pid, "-n", "--",
 			"curl", "-s", "http://example.com")
 
 		// Capture stderr separately
@@ -150,6 +150,101 @@ func TestBoundaryIntegration(t *testing.T) {
 		require.Contains(t, string(output), "Request Blocked by Boundary")
 	})
 
+	// Test blocked domain (from inside the jail)
+	t.Run("HTTPSBlockedDomainTest", func(t *testing.T) {
+		_, _, _, _, configDir := util.GetUserInfo()
+		certPath := fmt.Sprintf("%v/ca-cert.pem", configDir)
+
+		// Run curl directly in the namespace using ip netns exec
+		curlCmd := exec.Command("sudo", "nsenter", "-t", pid, "-n", "--",
+			"env", fmt.Sprintf("SSL_CERT_FILE=%v", certPath), "curl", "-s", "https://example.com")
+
+		// Capture stderr separately
+		var stderr bytes.Buffer
+		curlCmd.Stderr = &stderr
+		output, err := curlCmd.Output()
+
+		if err != nil {
+			t.Fatalf("curl command failed: %v, stderr: %s, output: %s", err, stderr.String(), string(output))
+		}
+		require.Contains(t, string(output), "Request Blocked by Boundary")
+	})
+
+	// Gracefully close process, call cleanup methods
+	err = boundaryCmd.Process.Signal(os.Interrupt)
+	require.NoError(t, err, "Failed to interrupt boundary process")
+	time.Sleep(time.Second * 1)
+
+	// Clean up
+	cancel()                 // This will terminate the boundary process
+	err = boundaryCmd.Wait() // Wait for process to finish
+	if err != nil {
+		t.Logf("Boundary process finished with error: %v", err)
+	}
+
+	// Clean up binary
+	err = os.Remove("/tmp/boundary-test")
+	require.NoError(t, err, "Failed to remove /tmp/boundary-test")
+}
+
+func TestBoundaryIntegration2(t *testing.T) {
+	// Find project root by looking for go.mod file
+	projectRoot := findProjectRoot(t)
+
+	// Build the boundary binary
+	buildCmd := exec.Command("go", "build", "-o", "/tmp/boundary-test", "./cmd/...")
+	buildCmd.Dir = projectRoot
+	err := buildCmd.Run()
+	require.NoError(t, err, "Failed to build boundary binary")
+
+	// Create context for boundary process
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	// Start boundary process with sudo
+	boundaryCmd := exec.CommandContext(ctx, "/tmp/boundary-test",
+		"--allow", "example.com",
+		"--log-level", "debug",
+		"--", "/bin/bash", "-c", "/usr/bin/sleep 10 && /usr/bin/echo 'Test completed'")
+
+	boundaryCmd.Stdin = os.Stdin
+	boundaryCmd.Stdout = os.Stdout
+	boundaryCmd.Stderr = os.Stderr
+
+	// Start the process
+	err = boundaryCmd.Start()
+	require.NoError(t, err, "Failed to start boundary process")
+
+	// Give boundary time to start
+	time.Sleep(2 * time.Second)
+
+	pidInt := getChildProcessPID(t)
+	pid := fmt.Sprintf("%v", pidInt)
+
+	// Test HTTPS request through boundary (from inside the jail)
+	t.Run("HTTPSRequestThroughBoundary", func(t *testing.T) {
+		_, _, _, _, configDir := util.GetUserInfo()
+		certPath := fmt.Sprintf("%v/ca-cert.pem", configDir)
+
+		// Run curl directly in the namespace using ip netns exec
+		curlCmd := exec.Command("sudo", "nsenter", "-t", pid, "-n", "--",
+			"env", fmt.Sprintf("SSL_CERT_FILE=%v", certPath), "curl", "-s", "https://example.com")
+
+		// Capture stderr separately
+		var stderr bytes.Buffer
+		curlCmd.Stderr = &stderr
+		output, err := curlCmd.Output()
+
+		if err != nil {
+			t.Fatalf("curl command failed: %v, stderr: %s, output: %s", err, stderr.String(), string(output))
+		}
+
+		// Verify response contains expected content
+		expectedResponse := `<!doctype html><html lang="en"><head><title>Example Domain</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{background:#eee;width:60vw;margin:15vh auto;font-family:system-ui,sans-serif}h1{font-size:1.5em}div{opacity:0.8}a:link,a:visited{color:#348}</style><body><div><h1>Example Domain</h1><p>This domain is for use in documentation examples without needing permission. Avoid use in operations.<p><a href="https://iana.org/domains/example">Learn more</a></div></body></html>
+`
+		require.Equal(t, expectedResponse, string(output))
+	})
+
 	// Gracefully close process, call cleanup methods
 	err = boundaryCmd.Process.Signal(os.Interrupt)
 	require.NoError(t, err, "Failed to interrupt boundary process")

proxy/proxy.go

@@ -2,6 +2,7 @@ package proxy
 
 import (
 	"bufio"
+	"bytes"
 	"crypto/tls"
 	"errors"
 	"fmt"
@@ -10,8 +11,11 @@ import (
 	"log/slog"
 	"net"
 	"net/http"
+	"net/url"
+	"strconv"
 	"strings"
 	"sync/atomic"
+	"time"
 
 	"github.com/coder/boundary/audit"
 	"github.com/coder/boundary/rules"
@@ -115,7 +119,18 @@ func (p *Server) isStopped() bool {
 }
 
 func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) {
-	defer conn.Close()
+	//defer func() {
+	//	time.Sleep(time.Millisecond * 500)
+	//	_ = time.Sleep
+	//
+	//	err := conn.Close()
+	//	if err != nil {
+	//		p.logger.Error("Failed to close connection", "error", err)
+	//	}
+	//
+	//	p.logger.Debug("Successfully closed connection")
+	//}()
+	_ = time.Sleep
 
 	// Detect protocol using TLS handshake detection
 	conn, isTLS := p.isTLSConnection(conn)
@@ -208,6 +223,22 @@ func (p *Server) handleTLSConnection(conn net.Conn) {
 	log.Printf("   Host: %s", req.Host)
 	log.Printf("   User-Agent: %s", req.Header.Get("User-Agent"))
 
+	// Check if request should be allowed
+	result := p.ruleEngine.Evaluate(req.Method, req.Host)
+
+	// Audit the request
+	//p.auditor.AuditRequest(audit.Request{
+	//	Method:  req.Method,
+	//	URL:     req.URL.String(),
+	//	Allowed: result.Allowed,
+	//	Rule:    result.Rule,
+	//})
+
+	if !result.Allowed {
+		p.writeBlockedResponse(tlsConn, req)
+		return
+	}
+
 	// Forward HTTPS request to destination
 	p.forwardHTTPSRequest(tlsConn, req)
 }
@@ -249,40 +280,67 @@ func (p *Server) forwardHTTPRequest(conn net.Conn, req *http.Request) {
 func (p *Server) forwardHTTPSRequest(conn net.Conn, req *http.Request) {
 	// Create HTTP client
 	client := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true, // For demo purposes
-			},
-		},
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse // Don't follow redirects
 		},
 	}
 
-	req.RequestURI = ""
-
 	// Set the scheme if it's missing
 	if req.URL.Scheme == "" {
 		req.URL.Scheme = "https"
 	}
 
-	// Set the host if it's missing
-	if req.URL.Host == "" {
-		req.URL.Host = req.Host
+	// Create a new request to the target server
+	targetURL := &url.URL{
+		Scheme:   req.URL.Scheme,
+		Host:     req.Host,
+		Path:     req.URL.Path,
+		RawQuery: req.URL.RawQuery,
+	}
+	newReq, err := http.NewRequest(req.Method, targetURL.String(), nil)
+	if err != nil {
+		panic(err)
+	}
+
+	// Copy headers
+	for name, values := range req.Header {
+		// Skip connection-specific headers
+		if strings.ToLower(name) == "connection" || strings.ToLower(name) == "proxy-connection" {
+			continue
+		}
+		for _, value := range values {
+			newReq.Header.Add(name, value)
+		}
 	}
 
 	// Make request to destination
-	resp, err := client.Do(req)
+	resp, err := client.Do(newReq)
 	if err != nil {
 		log.Printf("Failed to forward HTTPS request: %v", err)
 		return
 	}
-	defer resp.Body.Close()
 
 	log.Printf("🔒 HTTPS Response: %d %s", resp.StatusCode, resp.Status)
 
+	bodyBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		panic(err)
+	}
+	resp.Header.Add("Content-Length", strconv.Itoa(len(bodyBytes)))
+	resp.ContentLength = int64(len(bodyBytes))
+	err = resp.Body.Close()
+	if err != nil {
+		log.Printf("Failed to close HTTP response body: %v", err)
+	}
+	resp.Body = io.NopCloser(bytes.NewBuffer(bodyBytes))
+
 	// Copy response back to client
-	resp.Write(conn)
+	err = resp.Write(conn)
+	if err != nil {
+		log.Printf("Failed to forward HTTPS request: %v", err)
+	}
+
+	log.Printf("Successfuly wrote to connection")
 }
 
 func (p *Server) writeBlockedResponse(conn net.Conn, req *http.Request) {