| package main |
| |
| import "testing" |
| |
// TestPatterns checks the pattern validation done by ingressFilter.allow:
// well-formed exact names and leading "*." wildcards are accepted, while
// malformed patterns (multiple stars, empty string, a star glued to a label)
// are rejected with an error.
func TestPatterns(t *testing.T) {
	var f ingressFilter
	cases := []struct {
		name    string // used only in the failure message for rejected patterns
		ns      string
		domain  string
		wantErr bool
	}{
		// Sane patterns must be accepted.
		{"", "matrix", "matrix.hackerspace.pl", false},
		{"", "ceph-waw3", "*.hackerspace.pl", false},
		{"", "personal-q3k", "*.k0.q3k.org", false},
		{"", "personal-vuko", "shells.vuko.pl", false},
		{"", "minecraft", "*.k0.q3k.org", false},
		// Broken patterns must be rejected.
		{"double star", "borked", "*.hackerspace.*", true},
		{"empty", "borked", "", true},
		{"partial wildcard", "borked", "*foo.example.com", true},
	}
	// Order matters: patterns are fed to the same filter instance in the same
	// sequence the original test used.
	for _, c := range cases {
		err := f.allow(c.ns, c.domain)
		switch {
		case c.wantErr && err == nil:
			t.Fatalf("allow(%s): wanted err, got nil", c.name)
		case !c.wantErr && err != nil:
			t.Fatalf("allow(%q, %q): %v", c.ns, c.domain, err)
		}
	}
}
| |
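// TestMatch checks ingressFilter.domainAllowed against a filter populated with
// the patterns that TestPatterns verifies as accepted. The interesting cases
// are the negative ones: a namespace must not be able to claim a hostname that
// another namespace has reserved, either exactly or through a "*." wildcard.
func TestMatch(t *testing.T) {
	var f ingressFilter
	// Setup errors are fatal rather than discarded: a rejected pattern would
	// leave the filter misconfigured and turn every assertion below into a
	// misleading result instead of a clear setup failure.
	for _, el := range []struct {
		ns     string
		domain string
	}{
		{"matrix", "matrix.hackerspace.pl"},
		{"ceph-waw3", "*.hackerspace.pl"},
		{"personal-q3k", "*.k0.q3k.org"},
		{"personal-vuko", "shells.vuko.pl"},
		{"minecraft", "*.k0.q3k.org"},
	} {
		if err := f.allow(el.ns, el.domain); err != nil {
			t.Fatalf("setup: allow(%q, %q): %v", el.ns, el.domain, err)
		}
	}

	cases := []struct {
		ns       string
		dns      string
		expected bool
	}{
		// Explicitly allowed.
		{"matrix", "matrix.hackerspace.pl", true},
		// *.hackerspace.pl is explicitly mentioned in ceph-waw3, so this is
		// forbidden.
		{"matrix", "matrix2.hackerspace.pl", false},
		// A namespace with no grants of its own must not be able to take over
		// critical domains, whether by exact name or under a reserved wildcard.
		{"personal-hacker", "matrix.hackerspace.pl", false},
		{"personal-hacker", "totallylegit.hackerspace.pl", false},
		// q3k can do his thing, even nested..
		{"personal-q3k", "foo.k0.q3k.org", true},
		{"personal-q3k", "foo.bar.k0.q3k.org", true},
		// counterintuitive: only *.k0.q3k.org is constrained, so k0.q3k.org
		// (as anything.q3k.org) is allowed everywhere. The wildcard does not
		// cover its own apex.
		{"personal-hacker", "k0.q3k.org", true},
		// vuko's shell service is only allowed in his NS.
		{"personal-vuko", "shells.vuko.pl", true},
		// counterintuitive: vuko.pl is allowed everywhere else, too. This is
		// because there's no *.vuko.pl wildcard anywhere, so nothing would
		// block it. Solution: add an explicit *.vuko.pl wildcard to the
		// namespace, or just don't do a wildcard CNAME redirect to our
		// ingress.
		{"personal-hacker", "foobar.vuko.pl", true},
		// Unknown domains are fine.
		{"personal-hacker", "www.github.com", true},
	}
	for _, el := range cases {
		if got, want := f.domainAllowed(el.ns, el.dns), el.expected; got != want {
			t.Errorf("%q on %q is %v, wanted %v", el.dns, el.ns, got, want)
		}
	}
}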