GATE-4979: Add support for resolver policies

cloudflare · Nov 4, 2023 · 8b1f00f · 8b1f00f
1 parent 8bfcfe5
commit 8b1f00f
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 1 deletion.
diff --git a/teams_rules.go b/teams_rules.go
@@ -57,6 +57,12 @@ type TeamsRuleSettings struct {
 
 	// Action taken when an untrusted origin certificate error occurs in a http allow rule
 	UntrustedCertSettings *UntrustedCertSettings `json:"untrusted_cert"`
+
+	// Specifies that a resolver policy should use Cloudflare's DNS Resolver.
+	ResolveDnsThroughCF bool `json:"resolve_dns_through_cloudflare,omitempty"`
+
+	// Resolver policy settings.
+	DnsResolverSettings *DnsResolverSettings `json:"dns_resolvers,omitempty"`
 }
 
 type TeamsGatewayUntrustedCertAction string
@@ -101,6 +107,28 @@ type TeamsCheckSessionSettings struct {
 	Duration Duration `json:"duration"`
 }
 
+type (
+	DnsResolverSettings struct {
+		V4Resolvers []ResolverAddressV4 `json:"ipv4,omitempty"`
+		V6Resolvers []ResolverAddressV6 `json:"ipv6,omitempty"`
+	}
+
+	ResolverAddressV4 struct {
+		ResolverAddress
+	}
+
+	ResolverAddressV6 struct {
+		ResolverAddress
+	}
+
+	ResolverAddress struct {
+		IP                         string `json:"ip"`
+		Port                       *int   `json:"port,omitempty"`
+		VnetID                     string `json:"vnet_id,omitempty"`
+		RouteThroughPrivateNetwork bool   `json:"route_through_private_network,omitempty"`
+	}
+)
+
 type TeamsDlpPayloadLogSettings struct {
 	Enabled bool `json:"enabled"`
 }

diff --git a/teams_rules_test.go b/teams_rules_test.go
@@ -53,6 +53,19 @@ func TestTeamsRules(t *testing.T) {
                     "insecure_disable_dnssec_validation": false,
 					"untrusted_cert": {
 						"action": "error"
+					},
+					"dns_resolvers": {
+						"ipv4": [
+							{"ip": "10.0.0.2", "port": 5053},
+							{
+								"ip": "192.168.0.2",
+								"vnet_id": "16fd7a32-11f0-4687-a0bb-7031d241e184",
+								"route_through_private_network": true
+							}
+						],
+						"ipv6": [
+							{"ip": "2460::1"}
+						]
 					}
 				  }
 				},
@@ -84,7 +97,8 @@ func TestTeamsRules(t *testing.T) {
                     "insecure_disable_dnssec_validation": true,
 					"untrusted_cert": {
 						"action": "pass_through"
-					}
+					},
+					"resolve_dns_through_cloudflare": true
 				  }
 				}
 			]
@@ -94,6 +108,7 @@ func TestTeamsRules(t *testing.T) {
 
 	createdAt, _ := time.Parse(time.RFC3339, "2014-01-01T05:20:00.12345Z")
 	updatedAt, _ := time.Parse(time.RFC3339, "2014-01-01T05:20:00.12345Z")
+	dnsPort := 5053
 
 	want := []TeamsRule{{
 		ID:            "7559a944-3dd7-41bf-b183-360a814a8c36",
@@ -123,6 +138,30 @@ func TestTeamsRules(t *testing.T) {
 			UntrustedCertSettings: &UntrustedCertSettings{
 				Action: UntrustedCertError,
 			},
+			DnsResolverSettings: &DnsResolverSettings{
+				V4Resolvers: []ResolverAddressV4{
+					{
+						ResolverAddress{
+							IP:   "10.0.0.2",
+							Port: &dnsPort,
+						},
+					},
+					{
+						ResolverAddress{
+							IP: "192.168.0.2",
+							VnetID: "16fd7a32-11f0-4687-a0bb-7031d241e184",
+							RouteThroughPrivateNetwork: true,
+						},
+					},
+				},
+				V6Resolvers: []ResolverAddressV6{
+					{
+						ResolverAddress{
+							IP: "2460::1",
+						},
+					},
+				},
+			},
 		},
 		CreatedAt: &createdAt,
 		UpdatedAt: &updatedAt,
@@ -154,6 +193,7 @@ func TestTeamsRules(t *testing.T) {
 				UntrustedCertSettings: &UntrustedCertSettings{
 					Action: UntrustedCertPassthrough,
 				},
+				ResolveDnsThroughCF: true,
 			},
 			CreatedAt: &createdAt,
 			UpdatedAt: &updatedAt,