passthroughHandler is the test fixture: forward the parsed request to the upstream and stream the response back. Mirrors what a production handler would do without any PII rewriting, so the proxy core's CONNECT/TLS/req-loop semantics are testable in isolation from the redaction logic.
(upstreamRoots *x509.CertPool, upstreamAddr string)
| 21 | // so the proxy core's CONNECT/TLS/req-loop semantics are testable |
| 22 | // in isolation from the redaction logic. |
| 23 | func passthroughHandler(upstreamRoots *x509.CertPool, upstreamAddr string) InterceptHandler { |
| 24 | return func(w http.ResponseWriter, r *http.Request, host string) { |
| 25 | // Build the upstream URL — host is what the client thought |
| 26 | // it was talking to (api.anthropic.com); upstreamAddr is |
| 27 | // where the test fake actually lives. We use upstreamAddr |
| 28 | // directly because the test fake's cert is self-signed |
| 29 | // against an arbitrary CA we control. |
| 30 | u := *r.URL |
| 31 | u.Scheme = "https" |
| 32 | u.Host = upstreamAddr |
| 33 | |
| 34 | body := r.Body |
| 35 | req, err := http.NewRequest(r.Method, u.String(), body) |
| 36 | if err != nil { |
| 37 | http.Error(w, "bad request: "+err.Error(), http.StatusBadRequest) |
| 38 | return |
| 39 | } |
| 40 | req.Header = r.Header.Clone() |
| 41 | req.Header.Set("Host", host) |
| 42 | |
| 43 | client := &http.Client{ |
| 44 | Transport: &http.Transport{ |
| 45 | TLSClientConfig: &tls.Config{ |
| 46 | RootCAs: upstreamRoots, |
| 47 | // httptest.NewTLSServer issues a cert for |
| 48 | // example.com / *.example.com regardless of the |
| 49 | // listener's actual hostname. Trust that name |
| 50 | // rather than the SNI the client used — |
| 51 | // production code would set ServerName=host. |
| 52 | ServerName: "example.com", |
| 53 | }, |
| 54 | }, |
| 55 | Timeout: 10 * time.Second, |
| 56 | } |
| 57 | resp, err := client.Do(req) |
| 58 | if err != nil { |
| 59 | http.Error(w, "upstream: "+err.Error(), http.StatusBadGateway) |
| 60 | return |
| 61 | } |
| 62 | defer func() { _ = resp.Body.Close() }() |
| 63 | |
| 64 | for k, vs := range resp.Header { |
| 65 | for _, v := range vs { |
| 66 | w.Header().Add(k, v) |
| 67 | } |
| 68 | } |
| 69 | w.WriteHeader(resp.StatusCode) |
| 70 | _, _ = io.Copy(w, resp.Body) |
| 71 | } |
| 72 | } |
| 73 | |
| 74 | // startMITMTestRig spins up: |
| 75 | // - A fake "upstream" HTTPS server with a self-signed cert |