cluster/admitomatic: Regexp-based admission rules
Change-Id: Ic2b1d6a952dc194c0ee2fa1673ceb91c43799308
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1723
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/cluster/admitomatic/ingress_test.go b/cluster/admitomatic/ingress_test.go
index 92b1357..8544fab 100644
--- a/cluster/admitomatic/ingress_test.go
+++ b/cluster/admitomatic/ingress_test.go
@@ -39,6 +39,9 @@
if err := f.allow("borked", "*foo.example.com"); err == nil {
t.Fatalf("allow(partial wildcard): wanted err, got nil")
}
+ if err := f.allowRegexp("borked", "(.*"); err == nil {
+ t.Fatalf("allowRegexp(bad regexp): wanted err, got nil")
+ }
}
func TestMatch(t *testing.T) {
@@ -49,6 +52,8 @@
f.allow("personal-q3k", "*.k0.q3k.org")
f.allow("personal-vuko", "shells.vuko.pl")
f.allow("minecraft", "*.k0.q3k.org")
+ f.allow("hscloud-ovh-root", "hscloud.ovh")
+ f.allowRegexp("personal-$2", `(.*\.)?([^.]+)\.hscloud\.ovh`)
for _, el := range []struct {
ns string
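Review bot: The two rules added to the TestMatch setup discard the error returned by `allow` and `allowRegexp`, so a pattern that fails to compile would only show up later as confusing failures in the table. Checking it at registration keeps the failure next to its cause, e.g. `if err := f.allowRegexp("personal-$2", pattern); err != nil { t.Fatalf("allowRegexp: %v", err) }`, where `pattern` stands for the existing raw-string literal. A short comment would also help, such as `// $2 is the label directly left of hscloud.ovh; it selects the owning namespace`. The existing `f.allow` calls in the context lines ignore errors the same way, and TestMatch continues outside this hunk.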
@@ -79,6 +84,16 @@
{"personal-hacker", "foobar.vuko.pl", true},
// Unknown domains are fine.
{"personal-hacker", "www.github.com", true},
+ // Regexp matching for auto-namespaced domains
+ {"personal-radex", "radex.hscloud.ovh", true},
+ {"personal-radex", "foo.bar.radex.hscloud.ovh", true},
+ // Disallowed for other namespaces
+ {"personal-hacker", "radex.hscloud.ovh", false},
+ {"personal-hacker", "foo.bar.radex.hscloud.ovh", false},
+ {"matrix", "radex.hscloud.ovh", false},
+ // Check auto-namespaced domain's root
+ {"hscloud-ovh-root", "hscloud.ovh", true},
+ {"personal-hacker", "hscloud.ovh", false},
} {
if want, got := el.expected, f.domainAllowed(el.ns, el.dns); got != want {
t.Errorf("%q on %q is %v, wanted %v", el.dns, el.ns, got, want)
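Review bot: None of the added table entries pins whether the regexp must match the whole host name or may match a substring of it. The implementation of `allowRegexp` is not visible in this hunk, so whether it anchors the pattern cannot be confirmed from here. For a rule that derives the owning namespace from a capture group, a case with a trailing suffix would document that boundary, for example `{"personal-hacker", "radex.hscloud.ovh.example.com", true},` if full-string matching is intended, so that the host is treated as an unknown domain. An entry whose second capture names a namespace outside the `personal-` prefix scheme (such as `{"matrix", "matrix.hscloud.ovh", false},`) would similarly show that the template cannot resolve to an unprefixed namespace. The loop body continues past the end of this hunk.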