security: add tenant allowlist and WAF canary proof

2026-06-18 16:21:08 -05:00
parent bd050c3d9b
commit 9cef99739a
5 changed files with 90 additions and 8 deletions
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -1128,9 +1128,48 @@ public sealed class FleetManifestLintTests
            .Should()
            .Equal("andrew-tenant-rate-limit", "andrew-tenant-secure-headers");

+        var adminRoute = ingressRoute.RootElement
+            .GetProperty("spec")
+            .GetProperty("routes")
+            .EnumerateArray()
+            .Single(route => route.GetProperty("match").GetString()!.Contains("PathPrefix(`/admin-allowlist-proof`)", StringComparison.Ordinal));
+        adminRoute.GetProperty("priority").GetInt32().Should().Be(300);
+        adminRoute.GetProperty("services").EnumerateArray().Should().ContainSingle().Subject
+            .GetProperty("name").GetString().Should().Be("andrew-web-waf");
+        adminRoute.GetProperty("middlewares")
+            .EnumerateArray()
+            .Select(item => item.GetProperty("name").GetString())
+            .Should()
+            .Equal("andrew-admin-ip-allowlist", "andrew-tenant-rate-limit", "andrew-tenant-secure-headers");
+
        using var rateLimit = JsonDocument.Parse(File.ReadAllText(Path.Combine(appRoot, "middleware-andrew-tenant-rate-limit.json")));
        rateLimit.RootElement.GetProperty("spec").GetProperty("rateLimit").GetProperty("average").GetInt32().Should().Be(120);

+        using var allowlist = JsonDocument.Parse(File.ReadAllText(Path.Combine(appRoot, "middleware-andrew-admin-ip-allowlist.json")));
+        allowlist.RootElement.GetProperty("kind").GetString().Should().Be("Middleware");
+        allowlist.RootElement.GetProperty("spec").GetProperty("ipAllowList").GetProperty("sourceRange")
+            .EnumerateArray()
+            .Select(item => item.GetString())
+            .Should()
+            .Equal("10.0.56.14/32");
+
+        using var nginxConfig = JsonDocument.Parse(File.ReadAllText(Path.Combine(appRoot, "configmap-andrew-web-nginx-conf.json")));
+        var nginx = nginxConfig.RootElement.GetProperty("data").GetProperty("default.conf").GetString();
+        nginx.Should().Contain("location = /lamp-canary/index.php");
+        nginx.Should().Contain("location = /lamp-canary/wp-login.php");
+        nginx.Should().Contain("location = /lamp-canary/mediawiki/index.php");
+        nginx.Should().Contain("location = /admin-allowlist-proof");
+
+        using var webDeployment = JsonDocument.Parse(File.ReadAllText(Path.Combine(appRoot, "deployment-andrew-web.json")));
+        webDeployment.RootElement.GetProperty("spec")
+            .GetProperty("template")
+            .GetProperty("metadata")
+            .GetProperty("annotations")
+            .GetProperty("flowercore.io/config-revision")
+            .GetString()
+            .Should()
+            .Be("whc4-lamp-allowlist-20260618");
+
        using var headers = JsonDocument.Parse(File.ReadAllText(Path.Combine(appRoot, "middleware-andrew-tenant-secure-headers.json")));
        var headerSpec = headers.RootElement.GetProperty("spec").GetProperty("headers");
        headerSpec.GetProperty("contentTypeNosniff").GetBoolean().Should().BeTrue();