Serge Bazanski | 6495653 | 2021-01-30 19:19:32 +0100 | [diff] [blame] | 1 | package main |
| 2 | |
| 3 | import "testing" |
| 4 | |
| 5 | func TestPatterns(t *testing.T) { |
| 6 | f := ingressFilter{} |
| 7 | // Test that sane filters are allowed. |
| 8 | for _, el := range []struct { |
| 9 | ns string |
| 10 | domain string |
| 11 | }{ |
| 12 | {"matrix", "matrix.hackerspace.pl"}, |
| 13 | {"ceph-waw3", "*.hackerspace.pl"}, |
| 14 | {"personal-q3k", "*.k0.q3k.org"}, |
| 15 | {"personal-vuko", "shells.vuko.pl"}, |
| 16 | {"minecraft", "*.k0.q3k.org"}, |
| 17 | } { |
| 18 | err := f.allow(el.ns, el.domain) |
| 19 | if err != nil { |
| 20 | t.Fatalf("allow(%q, %q): %v", el.ns, el.domain, err) |
| 21 | } |
| 22 | } |
| 23 | // Test that broken patterns are rejected. |
| 24 | if err := f.allow("borked", "*.hackerspace.*"); err == nil { |
| 25 | t.Fatalf("allow(double star): wanted err, got nil") |
| 26 | } |
| 27 | if err := f.allow("borked", ""); err == nil { |
| 28 | t.Fatalf("allow(empty): wanted err, got nil") |
| 29 | } |
| 30 | if err := f.allow("borked", "*foo.example.com"); err == nil { |
| 31 | t.Fatalf("allow(partial wildcard): wanted err, got nil") |
| 32 | } |
| 33 | } |
| 34 | |
| 35 | func TestMatch(t *testing.T) { |
| 36 | f := ingressFilter{} |
| 37 | // Errors discarded, tested in TestPatterns. |
| 38 | f.allow("matrix", "matrix.hackerspace.pl") |
| 39 | f.allow("ceph-waw3", "*.hackerspace.pl") |
| 40 | f.allow("personal-q3k", "*.k0.q3k.org") |
| 41 | f.allow("personal-vuko", "shells.vuko.pl") |
| 42 | f.allow("minecraft", "*.k0.q3k.org") |
| 43 | |
| 44 | for _, el := range []struct { |
| 45 | ns string |
| 46 | dns string |
| 47 | expected bool |
| 48 | }{ |
| 49 | // Explicitly allowed. |
| 50 | {"matrix", "matrix.hackerspace.pl", true}, |
| 51 | // *.hackerspace.pl is explicitly mentioned in ceph-waw3, so this is |
| 52 | // forbidden. |
| 53 | {"matrix", "matrix2.hackerspace.pl", false}, |
| 54 | // Hackers should not be able to take over critical domains. |
| 55 | {"personal-hacker", "matrix.hackerspace.pl", false}, |
| 56 | {"personal-hacker", "totallylegit.hackerspace.pl", false}, |
| 57 | // q3k can do his thing, even nested.. |
| 58 | {"personal-q3k", "foo.k0.q3k.org", true}, |
| 59 | {"personal-q3k", "foo.bar.k0.q3k.org", true}, |
| 60 | // counterintuitive: only *.k0.q3k.org is constrained, so k0.q3k.org |
| 61 | // (as anything.q3k.org) is allowed everywhere. |
| 62 | {"personal-hacker", "k0.q3k.org", true}, |
| 63 | // vuko's shell service is only allowed in his NS. |
| 64 | {"personal-vuko", "shells.vuko.pl", true}, |
| 65 | // counterintuitive: vuko.pl is allowed everywhere else, too. This is |
| 66 | // because there's no *.vuko.pl wildcard anywhere, so nothing would |
| 67 | // block it. Solution: add an explicit *.vuko.pl wildcard to the |
| 68 | // namespace, or just don't do a wildcard CNAME redirect to our |
| 69 | // ingress. |
| 70 | {"personal-hacker", "foobar.vuko.pl", true}, |
| 71 | // Unknown domains are fine. |
| 72 | {"personal-hacker", "www.github.com", true}, |
| 73 | } { |
| 74 | if want, got := el.expected, f.domainAllowed(el.ns, el.dns); got != want { |
| 75 | t.Errorf("%q on %q is %v, wanted %v", el.dns, el.ns, got, want) |
| 76 | } |
| 77 | } |
| 78 | } |