package main
import "testing"
// TestPatterns exercises ingressFilter.allow: plain hostnames and
// leading-label wildcards are accepted, while malformed patterns are
// rejected with an error.
func TestPatterns(t *testing.T) {
	var f ingressFilter

	// Every pattern in this table is expected to be accepted.
	valid := []struct {
		ns, domain string
	}{
		{"matrix", "matrix.hackerspace.pl"},
		{"ceph-waw3", "*.hackerspace.pl"},
		{"personal-q3k", "*.k0.q3k.org"},
		{"personal-vuko", "shells.vuko.pl"},
		{"minecraft", "*.k0.q3k.org"},
	}
	for _, tc := range valid {
		if err := f.allow(tc.ns, tc.domain); err != nil {
			t.Fatalf("allow(%q, %q): %v", tc.ns, tc.domain, err)
		}
	}

	// Malformed patterns must be refused: two wildcards, an empty
	// pattern, and a wildcard glued to a partial label.
	if f.allow("borked", "*.hackerspace.*") == nil {
		t.Fatalf("allow(double star): wanted err, got nil")
	}
	if f.allow("borked", "") == nil {
		t.Fatalf("allow(empty): wanted err, got nil")
	}
	if f.allow("borked", "*foo.example.com") == nil {
		t.Fatalf("allow(partial wildcard): wanted err, got nil")
	}
}
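// TestMatch checks domainAllowed against a filter seeded with the same
// patterns TestPatterns proves valid. A hostname is allowed in a
// namespace unless another namespace has claimed it, either exactly or
// through a wildcard pattern; the table below pins both the intended
// protections and two documented counterintuitive gaps.
func TestMatch(t *testing.T) {
	f := ingressFilter{}

	// Seed the filter and fail fast on any rejected pattern: the original
	// version discarded these errors, so a pattern-parsing regression would
	// have surfaced only as confusing domainAllowed mismatches below.
	for _, p := range []struct {
		ns, domain string
	}{
		{"matrix", "matrix.hackerspace.pl"},
		{"ceph-waw3", "*.hackerspace.pl"},
		{"personal-q3k", "*.k0.q3k.org"},
		{"personal-vuko", "shells.vuko.pl"},
		{"minecraft", "*.k0.q3k.org"},
	} {
		if err := f.allow(p.ns, p.domain); err != nil {
			t.Fatalf("allow(%q, %q): %v", p.ns, p.domain, err)
		}
	}

	for _, el := range []struct {
		ns       string
		dns      string
		expected bool
	}{
		// Explicitly allowed.
		{"matrix", "matrix.hackerspace.pl", true},
		// *.hackerspace.pl is explicitly mentioned in ceph-waw3, so this is
		// forbidden.
		{"matrix", "matrix2.hackerspace.pl", false},
		// Hackers should not be able to take over critical domains.
		{"personal-hacker", "matrix.hackerspace.pl", false},
		{"personal-hacker", "totallylegit.hackerspace.pl", false},
		// q3k can do his thing, even nested..
		{"personal-q3k", "foo.k0.q3k.org", true},
		{"personal-q3k", "foo.bar.k0.q3k.org", true},
		// counterintuitive: only *.k0.q3k.org is constrained, so k0.q3k.org
		// (as anything.q3k.org) is allowed everywhere.
		{"personal-hacker", "k0.q3k.org", true},
		// vuko's shell service is only allowed in his NS.
		{"personal-vuko", "shells.vuko.pl", true},
		// counterintuitive: vuko.pl is allowed everywhere else, too. This is
		// because there's no *.vuko.pl wildcard anywhere, so nothing would
		// block it. Solution: add an explicit *.vuko.pl wildcard to the
		// namespace, or just don't do a wildcard CNAME redirect to our
		// ingress.
		{"personal-hacker", "foobar.vuko.pl", true},
		// Unknown domains are fine.
		{"personal-hacker", "www.github.com", true},
	} {
		// Errorf rather than Fatalf so one mismatch does not hide the rest.
		if want, got := el.expected, f.domainAllowed(el.ns, el.dns); got != want {
			t.Errorf("%q on %q is %v, wanted %v", el.dns, el.ns, got, want)
		}
	}
}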