package main
import "testing"
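// TestPatterns checks the pattern validation performed by ingressFilter.allow:
// plain hostnames and leading-label wildcards ("*.example.org") are accepted,
// while malformed patterns (a wildcard in a non-leading position, an empty
// string, a wildcard glued to a partial label) are rejected with an error.
func TestPatterns(t *testing.T) {
	f := ingressFilter{}

	// Sane patterns, as used by real namespaces, must be accepted. Errorf
	// rather than Fatalf so that every rejected sane pattern is reported in
	// one run.
	valid := []struct {
		ns     string
		domain string
	}{
		{"matrix", "matrix.hackerspace.pl"},
		{"ceph-waw3", "*.hackerspace.pl"},
		{"personal-q3k", "*.k0.q3k.org"},
		{"personal-vuko", "shells.vuko.pl"},
		{"minecraft", "*.k0.q3k.org"},
	}
	for _, el := range valid {
		if err := f.allow(el.ns, el.domain); err != nil {
			t.Errorf("allow(%q, %q): %v", el.ns, el.domain, err)
		}
	}

	// Broken patterns must be rejected. Each case carries a short name so a
	// failure identifies exactly which malformed pattern slipped through.
	invalid := []struct {
		name    string
		pattern string
	}{
		{"double star", "*.hackerspace.*"},
		{"empty", ""},
		{"partial wildcard", "*foo.example.com"},
	}
	for _, el := range invalid {
		if err := f.allow("borked", el.pattern); err == nil {
			t.Errorf("allow(%s %q): wanted err, got nil", el.name, el.pattern)
		}
	}
}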
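// TestMatch checks ingressFilter.domainAllowed on a filter populated with the
// same namespace/pattern pairs as TestPatterns. As the table below shows, a
// domain is refused in a namespace when another namespace has claimed it,
// either exactly or through a "*." wildcard covering it (wildcards match
// nested labels but not the apex itself); domains nobody claimed are allowed
// in every namespace.
func TestMatch(t *testing.T) {
	f := ingressFilter{}

	// Populate the filter. Pattern validation is covered by TestPatterns,
	// but a setup error here would otherwise surface only as confusing
	// domainAllowed mismatches, so fail fast instead of discarding it.
	setup := []struct {
		ns      string
		pattern string
	}{
		{"matrix", "matrix.hackerspace.pl"},
		{"ceph-waw3", "*.hackerspace.pl"},
		{"personal-q3k", "*.k0.q3k.org"},
		{"personal-vuko", "shells.vuko.pl"},
		{"minecraft", "*.k0.q3k.org"},
	}
	for _, el := range setup {
		if err := f.allow(el.ns, el.pattern); err != nil {
			t.Fatalf("setup: allow(%q, %q): %v", el.ns, el.pattern, err)
		}
	}

	cases := []struct {
		ns       string
		dns      string
		expected bool
	}{
		// Explicitly allowed.
		{"matrix", "matrix.hackerspace.pl", true},
		// *.hackerspace.pl is explicitly mentioned in ceph-waw3, so this is
		// forbidden.
		{"matrix", "matrix2.hackerspace.pl", false},
		// Hackers should not be able to take over critical domains.
		{"personal-hacker", "matrix.hackerspace.pl", false},
		{"personal-hacker", "totallylegit.hackerspace.pl", false},
		// q3k can do his thing, even nested..
		{"personal-q3k", "foo.k0.q3k.org", true},
		{"personal-q3k", "foo.bar.k0.q3k.org", true},
		// counterintuitive: only *.k0.q3k.org is constrained, so k0.q3k.org
		// (as anything.q3k.org) is allowed everywhere.
		{"personal-hacker", "k0.q3k.org", true},
		// vuko's shell service is only allowed in his NS.
		{"personal-vuko", "shells.vuko.pl", true},
		// counterintuitive: vuko.pl is allowed everywhere else, too. This is
		// because there's no *.vuko.pl wildcard anywhere, so nothing would
		// block it. Solution: add an explicit *.vuko.pl wildcard to the
		// namespace, or just don't do a wildcard CNAME redirect to our
		// ingress.
		{"personal-hacker", "foobar.vuko.pl", true},
		// Unknown domains are fine.
		{"personal-hacker", "www.github.com", true},
	}
	for _, el := range cases {
		// Errorf, not Fatalf: report every mismatch in a single run.
		if want, got := el.expected, f.domainAllowed(el.ns, el.dns); got != want {
			t.Errorf("%q on %q is %v, wanted %v", el.dns, el.ns, got, want)
		}
	}
}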