ip_ban::engine::tests

vsilent · vsilent · commit c316f94a61b2 · 2026-04-05T15:37:45.000+03:00
diff --git a/ebpf/.cargo/config.toml b/ebpf/.cargo/config.toml
@@ -0,0 +1,7 @@
+[build]
+target = ["bpfel-unknown-none"]
+
+[target.bpfel-unknown-none]
+
+[unstable]
+build-std = ["core"]
diff --git a/src/firewall/response.rs b/src/firewall/response.rs
@@ -33,6 +33,13 @@ pub struct ResponseAction {
 }
 
 impl ResponseAction {
+    fn quarantine_container_error(container_id: &str) -> anyhow::Error {
+        anyhow::anyhow!(
+            "Docker-based container quarantine flow is required for {} because firewall backends do not implement container-specific quarantine. Use the Docker/API quarantine path instead.",
+            container_id
+        )
+    }
+
     fn preferred_backend() -> Result<Box<dyn FirewallBackend>> {
         if let Ok(mut backend) = NfTablesBackend::new() {
             backend.initialize()?;
@@ -105,10 +112,7 @@ impl ResponseAction {
                 let backend = Self::preferred_backend()?;
                 backend.block_port(*port)
             }
-            ResponseType::QuarantineContainer(id) => {
-                let backend = Self::preferred_backend()?;
-                backend.block_container(id)
-            }
+            ResponseType::QuarantineContainer(id) => Err(Self::quarantine_container_error(id)),
             ResponseType::KillProcess(pid) => {
                 let output = Command::new("kill")
                     .args(["-TERM", &pid.to_string()])
diff --git a/src/ip_ban/engine.rs b/src/ip_ban/engine.rs
@@ -181,6 +181,19 @@ mod tests {
     use crate::database::repositories::offenses::OffenseStatus;
     use crate::database::{create_pool, init_database, list_alerts, AlertFilter};
     use chrono::Utc;
+    #[cfg(target_os = "linux")]
+    use std::process::Command;
+
+    #[cfg(target_os = "linux")]
+    fn running_as_root() -> bool {
+        Command::new("id")
+            .arg("-u")
+            .output()
+            .ok()
+            .and_then(|output| String::from_utf8(output.stdout).ok())
+            .map(|stdout| stdout.trim() == "0")
+            .unwrap_or(false)
+    }
 
     #[actix_rt::test]
     async fn test_extract_ip_candidates() {
@@ -227,10 +240,21 @@ mod tests {
                 source_path: Some("/var/log/auth.log".into()),
                 sample_line: Some("Failed password from 192.0.2.44".into()),
             })
-            .await
-            .unwrap();
+            .await;
 
         assert!(!first);
+        #[cfg(target_os = "linux")]
+        if !running_as_root() {
+            let error = second.unwrap_err().to_string();
+            assert!(
+                error.contains("Operation not permitted")
+                    || error.contains("Permission denied")
+                    || error.contains("you must be root")
+            );
+            return;
+        }
+
+        let second = second.unwrap();
         assert!(second);
         assert!(active_block_for_ip(&pool, "192.0.2.44").unwrap().is_some());
     }
@@ -260,8 +284,20 @@ mod tests {
                 source_path: Some("/var/log/auth.log".into()),
                 sample_line: Some("Failed password from 192.0.2.55".into()),
             })
-            .await
-            .unwrap();
+            .await;
+
+        #[cfg(target_os = "linux")]
+        if !running_as_root() {
+            let error = blocked.unwrap_err().to_string();
+            assert!(
+                error.contains("Operation not permitted")
+                    || error.contains("Permission denied")
+                    || error.contains("you must be root")
+            );
+            return;
+        }
+
+        let blocked = blocked.unwrap();
         assert!(blocked);
 
         let released = engine.unban_expired().await.unwrap();
diff --git a/src/sniff/mod.rs b/src/sniff/mod.rs
@@ -300,6 +300,19 @@ mod tests {
     use crate::ip_ban::{IpBanConfig, IpBanEngine};
     use crate::sniff::analyzer::{AnomalySeverity, LogAnomaly, LogSummary};
     use chrono::Utc;
+    #[cfg(target_os = "linux")]
+    use std::process::Command;
+
+    #[cfg(target_os = "linux")]
+    fn running_as_root() -> bool {
+        Command::new("id")
+            .arg("-u")
+            .output()
+            .ok()
+            .and_then(|output| String::from_utf8(output.stdout).ok())
+            .map(|stdout| stdout.trim() == "0")
+            .unwrap_or(false)
+    }
 
     fn memory_sniff_config() -> SniffConfig {
         let mut config = SniffConfig::from_env_and_args(config::SniffArgs {
@@ -473,7 +486,20 @@ mod tests {
         );
 
         orchestrator.apply_ip_ban(&summary, &engine).await.unwrap();
-        orchestrator.apply_ip_ban(&summary, &engine).await.unwrap();
+        let second_attempt = orchestrator.apply_ip_ban(&summary, &engine).await;
+
+        #[cfg(target_os = "linux")]
+        if !running_as_root() {
+            let error = second_attempt.unwrap_err().to_string();
+            assert!(
+                error.contains("Operation not permitted")
+                    || error.contains("Permission denied")
+                    || error.contains("you must be root")
+            );
+            return;
+        }
+
+        second_attempt.unwrap();
 
         assert!(active_block_for_ip(&orchestrator.pool, "192.0.2.81")
             .unwrap()
