fix: add "is abroad" case to IP rule operator switches

Copilot · nomeguy · Copilot · commit ecacef1f485d · 2025-10-25T10:12:43.000Z
Co-authored-by: nomeguy &lt;85475922+nomeguy@users.noreply.github.com&gt;
diff --git a/rule/rule_ip.go b/rule/rule_ip.go
@@ -61,6 +61,9 @@ func (r *IpRule) checkRule(expressions []*object.Expression, req *http.Request)
 					if !ipNet.Contains(netIp) {
 						return &RuleResult{Reason: reason}, nil
 					}
+				case "is abroad":
+					// This case should not be reached due to early continue, but adding for safety
+					continue
 				default:
 					return nil, fmt.Errorf("unknown operator: %s", expression.Operator)
 				}
@@ -74,6 +77,9 @@ func (r *IpRule) checkRule(expressions []*object.Expression, req *http.Request)
 					if ipStr != clientIp {
 						return &RuleResult{Reason: reason}, nil
 					}
+				case "is abroad":
+					// This case should not be reached due to early continue, but adding for safety
+					continue
 				default:
 					return nil, fmt.Errorf("unknown operator: %s", expression.Operator)
 				}
diff --git a/rule/rule_ip_abroad_test.go b/rule/rule_ip_abroad_test.go
@@ -0,0 +1,86 @@
+package rule
+
+import (
+	"net/http"
+	"os"
+	"testing"
+
+	"github.com/casbin/caswaf/ip"
+	"github.com/casbin/caswaf/object"
+)
+
+func init() {
+	// Initialize IP database for tests
+	// Check if we're in the rule directory and adjust path if needed
+	if _, err := os.Stat("../ip/17monipdb.dat"); err == nil {
+		os.Chdir("..")
+	}
+	ip.InitIpDb()
+}
+
+func TestIpRule_IsAbroad(t *testing.T) {
+	ipRule := &IpRule{}
+
+	tests := []struct {
+		name        string
+		operator    string
+		value       string
+		clientIP    string
+		shouldMatch bool
+		shouldError bool
+	}{
+		{
+			name:        "is abroad with empty value - foreign IP",
+			operator:    "is abroad",
+			value:       "",
+			clientIP:    "8.8.8.8",
+			shouldMatch: true,
+			shouldError: false,
+		},
+		{
+			name:        "is abroad with some value - foreign IP",
+			operator:    "is abroad",
+			value:       "1.1.1.1",
+			clientIP:    "8.8.8.8",
+			shouldMatch: true,
+			shouldError: false,
+		},
+		{
+			name:        "is abroad with CIDR value - foreign IP",
+			operator:    "is abroad",
+			value:       "1.1.1.0/24",
+			clientIP:    "8.8.8.8",
+			shouldMatch: true,
+			shouldError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			expressions := []*object.Expression{
+				{
+					Operator: tt.operator,
+					Value:    tt.value,
+				},
+			}
+
+			req := &http.Request{
+				RemoteAddr: tt.clientIP + ":1234",
+			}
+
+			result, err := ipRule.checkRule(expressions, req)
+
+			if tt.shouldError && err == nil {
+				t.Errorf("Expected error but got none")
+			}
+			if !tt.shouldError && err != nil {
+				t.Errorf("Unexpected error: %v", err)
+			}
+
+			gotMatch := result != nil
+			if gotMatch != tt.shouldMatch {
+				t.Errorf("Expected match: %v, got: %v", tt.shouldMatch, gotMatch)
+			}
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,9 @@ func (r IpRule) checkRule(expressions []object.Expression, req *http.Request)`
`61`	`61`	`if !ipNet.Contains(netIp) {`
`62`	`62`	`return &RuleResult{Reason: reason}, nil`
`63`	`63`	`}`
	`64`	`+ case "is abroad":`
	`65`	`+ // This case should not be reached due to early continue, but adding for safety`
	`66`	`+ continue`
`64`	`67`	`default:`
`65`	`68`	`return nil, fmt.Errorf("unknown operator: %s", expression.Operator)`
`66`	`69`	`}`
`@@ -74,6 +77,9 @@ func (r IpRule) checkRule(expressions []object.Expression, req *http.Request)`
`74`	`77`	`if ipStr != clientIp {`
`75`	`78`	`return &RuleResult{Reason: reason}, nil`
`76`	`79`	`}`
	`80`	`+ case "is abroad":`
	`81`	`+ // This case should not be reached due to early continue, but adding for safety`
	`82`	`+ continue`
`77`	`83`	`default:`
`78`	`84`	`return nil, fmt.Errorf("unknown operator: %s", expression.Operator)`
`79`	`85`	`}`