refactor(acl): memoize IPAllowed with goutils keyed TTL cache

Replace the xsync map plus manual expiry on checkCache with cache.NewKeyFunc(evaluateIP).WithTTL. Move deny/allow/default logic into evaluateIP; wire getCachedCity and IPAllowed through the cache API. Refresh README security notes and add tests showing cached decisions persist across in-memory rule changes until TTL expires.
2026-04-27 11:17:29 +02:00 · 2026-04-19 15:09:04 +08:00
parent c5b9bd38b7
commit c8d7d4f7d3
3 changed files with 112 additions and 53 deletions
--- a/internal/acl/config_test.go
+++ b/internal/acl/config_test.go
@@ -0,0 +1,61 @@
+package acl
+
+import (
+	"net"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestIPAllowedCachesDecision(t *testing.T) {
+	t.Parallel()
+
+	testIP := net.ParseIP("8.8.8.8")
+	require.NotNil(t, testIP)
+
+	t.Run("cached allow survives rule changes", func(t *testing.T) {
+		t.Parallel()
+
+		cfg := &Config{
+			Default:    ACLDeny,
+			AllowLocal: new(false),
+			Allow:      mustMatchers(t, "ip:8.8.8.8"),
+		}
+		require.NoError(t, cfg.Validate())
+
+		require.True(t, cfg.IPAllowed(testIP))
+
+		cfg.Allow = nil
+		cfg.Deny = mustMatchers(t, "ip:8.8.8.8")
+
+		require.True(t, cfg.IPAllowed(testIP))
+	})
+
+	t.Run("cached deny survives rule changes", func(t *testing.T) {
+		t.Parallel()
+
+		cfg := &Config{
+			Default:    ACLAllow,
+			AllowLocal: new(false),
+			Deny:       mustMatchers(t, "ip:8.8.8.8"),
+		}
+		require.NoError(t, cfg.Validate())
+
+		require.False(t, cfg.IPAllowed(testIP))
+
+		cfg.Deny = nil
+		cfg.Allow = mustMatchers(t, "ip:8.8.8.8")
+
+		require.False(t, cfg.IPAllowed(testIP))
+	})
+}
+
+func mustMatchers(t *testing.T, rules ...string) Matchers {
+	t.Helper()
+
+	matchers := make(Matchers, len(rules))
+	for i, rule := range rules {
+		require.NoError(t, matchers[i].Parse(rule))
+	}
+	return matchers
+}