keypairs/keyfetch/issuer_test.go

package keyfetch

import (
	"errors"
	"net/http"
	"net/url"
	"testing"
)

func TestInvalidIssuer(t *testing.T) {
	_, err := NewWhitelist([]string{"somethingorother"})
	if nil == err {
		t.Log("invalid http urls can get through, but that's okay")
	}

	_, err = NewWhitelist([]string{"//example.com/foo"})
	if nil == err {
		t.Fatal(errors.New("semi-bad url got through"))
	}
}

func TestIssuerMatches(t *testing.T) {
	// because [""] = strings.Split(os.Getenv("DOESNTEXIST"), ",")
	trusted := []string{
		"",
		"https://example.com/",
		"foobar.net/def/",
		"https://*.wild.org",
		"https://*.west.mali/verde",
	}
	privates := []string{
		"http://happy.xyz/abc",
	}

	_, err := NewWhitelist(append(trusted, privates...))
	if nil == err {
		t.Fatal(errors.New("An insecure domain got through!"))
	}

	// Empty list is allowed... I guess?
	list, err := NewWhitelist(nil)
	if nil != err {
		t.Fatal(err)
	}
	// Combo list
	list, err = NewWhitelist(trusted[1:], privates)
	if nil != err {
		t.Fatal(err)
	}

	var iss string
	iss = "https://example.com"
	if !list.IsTrustedIssuer(iss) {
		t.Fatal("A good domain didn't make it:", iss)
	}

	iss = "https://example.com/"
	if !list.IsTrustedIssuer(iss) {
		t.Fatal("A good domain didn't make it:", iss)
	}

	iss = "http://example.com"
	if list.IsTrustedIssuer(iss) {
		t.Fatal("A bad URL slipped past", iss)
	}

	iss = "https://example.com/foo"
	if list.IsTrustedIssuer(iss) {
		t.Fatal("A bad URL slipped past", iss)
	}

	iss = "http://happy.xyz/abc"
	if !list.IsTrustedIssuer(iss) {
		t.Fatal("A good URL didn't make it:", iss)
	}

	iss = "http://happy.xyz/abc/"
	if !list.IsTrustedIssuer(iss) {
		t.Fatal("A good URL didn't make it:", iss)
	}

	iss = "http://happy.xyz/abc/d"
	if list.IsTrustedIssuer(iss) {
		t.Fatal("A bad URL slipped past", iss)
	}

	iss = "http://happy.xyz/abcd"
	if list.IsTrustedIssuer(iss) {
		t.Fatal("A bad URL slipped past", iss)
	}

	iss = "https://foobar.net/def"
	if !list.IsTrustedIssuer(iss) {
		t.Fatal("A good URL didn't make it:", iss)
	}

	iss = "https://foobar.net/def/"
	if !list.IsTrustedIssuer(iss) {
		t.Fatal("A good URL didn't make it:", iss)
	}

	iss = "http://foobar.net/def/"
	if list.IsTrustedIssuer(iss) {
		t.Fatal("A bad URL slipped past", iss)
	}

	iss = "https://foobar.net/def/e"
	if list.IsTrustedIssuer(iss) {
		t.Fatal("A bad URL slipped past", iss)
	}

	iss = "https://foobar.net/defe"
	if list.IsTrustedIssuer(iss) {
		t.Fatal("A bad URL slipped past", iss)
	}

	iss = "https://wild.org"
	if list.IsTrustedIssuer(iss) {
		t.Fatal("A bad URL slipped past", iss)
	}

	iss = "https://foo.wild.org"
	if !list.IsTrustedIssuer(iss) {
		t.Fatal("A good URL didn't make it:", iss)
	}

	iss = "https://sub.foo.wild.org"
	if !list.IsTrustedIssuer(iss) {
		t.Fatal("A good URL didn't make it:", iss)
	}

	iss = "https://foo.wild.org/cherries"
	if list.IsTrustedIssuer(iss) {
		t.Fatal("A bad URL slipped past", iss)
	}

	iss = "https://sub.west.mali/verde/"
	if !list.IsTrustedIssuer(iss) {
		t.Fatal("A good URL didn't make it:", iss)
	}

	iss = "https://sub.west.mali"
	if list.IsTrustedIssuer(iss) {
		t.Fatal("A bad URL slipped past", iss)
	}
}

func TestImplicitIssuer(t *testing.T) {
	var r *http.Request
	var iss string

	r = &http.Request{
		Host: "example.com",
		URL:  &url.URL{Path: "/foo/bar/baz"},
		Header: http.Header(map[string][]string{
			"x-forwarded-host": []string{"example.com"},
		}),
	}
	iss = "https://example.com/foo"
	if !isTrustedIssuer(iss, nil, r) {
		t.Fatal("A good URL didn't make it:", iss)
	}

	r = &http.Request{
		Host: "example.com",
		URL:  &url.URL{Path: "/"},
		Header: http.Header(map[string][]string{
			"x-forwarded-host":  []string{"example.com"},
			"x-forwarded-proto": []string{"http"},
		}),
	}
	iss = "http://example.com/foo"
	if isTrustedIssuer(iss, nil, r) {
		t.Fatal("A bad URL slipped past:", iss)
	}

	r = &http.Request{
		Host: "example.com",
		URL:  &url.URL{Path: "/foo"},
		Header: http.Header(map[string][]string{
			"x-forwarded-host": []string{"example.com"},
		}),
	}
	iss = "https://example.com/foo/bar/baz"
	if isTrustedIssuer(iss, nil, r) {
		t.Fatal("A bad URL slipped past:", iss)
	}

	r = &http.Request{
		Host: "example.com",
		URL:  &url.URL{Path: "/"},
		Header: http.Header(map[string][]string{
			"x-forwarded-proto": []string{"https"},
		}),
	}
	iss = "https://example.com/"
	if !isTrustedIssuer(iss, nil, r) {
		t.Fatal("A good URL didn't make it:", iss)
	}
}
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`package keyfetch`

			`import (`
			`"errors"`
add tests for implicit issuer 2019-03-06 21:59:25 +00:00			`"net/http"`
			`"net/url"`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`"testing"`
			`)`

			`func TestInvalidIssuer(t *testing.T) {`
			`_, err := NewWhitelist([]string{"somethingorother"})`
			`if nil == err {`
			`t.Log("invalid http urls can get through, but that's okay")`
			`}`

			`_, err = NewWhitelist([]string{"//example.com/foo"})`
			`if nil == err {`
			`t.Fatal(errors.New("semi-bad url got through"))`
			`}`
			`}`

			`func TestIssuerMatches(t *testing.T) {`
Warn on empty string in whitelist 2019-04-17 23:08:53 +00:00			`// because [""] = strings.Split(os.Getenv("DOESNTEXIST"), ",")`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`trusted := []string{`
Warn on empty string in whitelist 2019-04-17 23:08:53 +00:00			`"",`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`"https://example.com/",`
			`"foobar.net/def/",`
			`"https://*.wild.org",`
			`"https://*.west.mali/verde",`
			`}`
v0.4.0 require separate string for private issuers 2019-04-15 17:09:34 +00:00			`privates := []string{`
			`"http://happy.xyz/abc",`
			`}`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00
v0.4.0 require separate string for private issuers 2019-04-15 17:09:34 +00:00			`_, err := NewWhitelist(append(trusted, privates...))`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`if nil == err {`
			`t.Fatal(errors.New("An insecure domain got through!"))`
			`}`

v0.4.0 require separate string for private issuers 2019-04-15 17:09:34 +00:00			`// Empty list is allowed... I guess?`
			`list, err := NewWhitelist(nil)`
			`if nil != err {`
			`t.Fatal(err)`
			`}`
			`// Combo list`
Warn on empty string in whitelist 2019-04-17 23:08:53 +00:00			`list, err = NewWhitelist(trusted[1:], privates)`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`if nil != err {`
			`t.Fatal(err)`
			`}`

			`var iss string`
			`iss = "https://example.com"`
add specific key test 2019-03-25 23:48:39 +00:00			`if !list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A good domain didn't make it:", iss)`
			`}`

			`iss = "https://example.com/"`
add specific key test 2019-03-25 23:48:39 +00:00			`if !list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A good domain didn't make it:", iss)`
			`}`

			`iss = "http://example.com"`
add specific key test 2019-03-25 23:48:39 +00:00			`if list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A bad URL slipped past", iss)`
			`}`

			`iss = "https://example.com/foo"`
add specific key test 2019-03-25 23:48:39 +00:00			`if list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A bad URL slipped past", iss)`
			`}`

			`iss = "http://happy.xyz/abc"`
add specific key test 2019-03-25 23:48:39 +00:00			`if !list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A good URL didn't make it:", iss)`
			`}`

			`iss = "http://happy.xyz/abc/"`
add specific key test 2019-03-25 23:48:39 +00:00			`if !list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A good URL didn't make it:", iss)`
			`}`

			`iss = "http://happy.xyz/abc/d"`
add specific key test 2019-03-25 23:48:39 +00:00			`if list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A bad URL slipped past", iss)`
			`}`

			`iss = "http://happy.xyz/abcd"`
add specific key test 2019-03-25 23:48:39 +00:00			`if list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A bad URL slipped past", iss)`
			`}`

			`iss = "https://foobar.net/def"`
add specific key test 2019-03-25 23:48:39 +00:00			`if !list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A good URL didn't make it:", iss)`
			`}`

			`iss = "https://foobar.net/def/"`
add specific key test 2019-03-25 23:48:39 +00:00			`if !list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A good URL didn't make it:", iss)`
			`}`

			`iss = "http://foobar.net/def/"`
add specific key test 2019-03-25 23:48:39 +00:00			`if list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A bad URL slipped past", iss)`
			`}`

			`iss = "https://foobar.net/def/e"`
add specific key test 2019-03-25 23:48:39 +00:00			`if list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A bad URL slipped past", iss)`
			`}`

			`iss = "https://foobar.net/defe"`
add specific key test 2019-03-25 23:48:39 +00:00			`if list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A bad URL slipped past", iss)`
			`}`

			`iss = "https://wild.org"`
add specific key test 2019-03-25 23:48:39 +00:00			`if list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A bad URL slipped past", iss)`
			`}`

			`iss = "https://foo.wild.org"`
add specific key test 2019-03-25 23:48:39 +00:00			`if !list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A good URL didn't make it:", iss)`
			`}`

			`iss = "https://sub.foo.wild.org"`
add specific key test 2019-03-25 23:48:39 +00:00			`if !list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A good URL didn't make it:", iss)`
			`}`

			`iss = "https://foo.wild.org/cherries"`
add specific key test 2019-03-25 23:48:39 +00:00			`if list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A bad URL slipped past", iss)`
			`}`

			`iss = "https://sub.west.mali/verde/"`
add specific key test 2019-03-25 23:48:39 +00:00			`if !list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A good URL didn't make it:", iss)`
			`}`

			`iss = "https://sub.west.mali"`
add specific key test 2019-03-25 23:48:39 +00:00			`if list.IsTrustedIssuer(iss) {`
added IsTrustedIssuer + tests 2019-03-06 18:08:40 +00:00			`t.Fatal("A bad URL slipped past", iss)`
			`}`
			`}`
add tests for implicit issuer 2019-03-06 21:59:25 +00:00
			`func TestImplicitIssuer(t *testing.T) {`
			`var r *http.Request`
			`var iss string`

			`r = &http.Request{`
			`Host: "example.com",`
			`URL: &url.URL{Path: "/foo/bar/baz"},`
			`Header: http.Header(map[string][]string{`
			`"x-forwarded-host": []string{"example.com"},`
			`}),`
			`}`
			`iss = "https://example.com/foo"`
add specific key test 2019-03-25 23:48:39 +00:00			`if !isTrustedIssuer(iss, nil, r) {`
add tests for implicit issuer 2019-03-06 21:59:25 +00:00			`t.Fatal("A good URL didn't make it:", iss)`
			`}`

			`r = &http.Request{`
			`Host: "example.com",`
			`URL: &url.URL{Path: "/"},`
			`Header: http.Header(map[string][]string{`
			`"x-forwarded-host": []string{"example.com"},`
			`"x-forwarded-proto": []string{"http"},`
			`}),`
			`}`
			`iss = "http://example.com/foo"`
add specific key test 2019-03-25 23:48:39 +00:00			`if isTrustedIssuer(iss, nil, r) {`
add tests for implicit issuer 2019-03-06 21:59:25 +00:00			`t.Fatal("A bad URL slipped past:", iss)`
			`}`

			`r = &http.Request{`
			`Host: "example.com",`
			`URL: &url.URL{Path: "/foo"},`
			`Header: http.Header(map[string][]string{`
			`"x-forwarded-host": []string{"example.com"},`
			`}),`
			`}`
			`iss = "https://example.com/foo/bar/baz"`
add specific key test 2019-03-25 23:48:39 +00:00			`if isTrustedIssuer(iss, nil, r) {`
add tests for implicit issuer 2019-03-06 21:59:25 +00:00			`t.Fatal("A bad URL slipped past:", iss)`
			`}`

			`r = &http.Request{`
			`Host: "example.com",`
			`URL: &url.URL{Path: "/"},`
			`Header: http.Header(map[string][]string{`
			`"x-forwarded-proto": []string{"https"},`
			`}),`
			`}`
			`iss = "https://example.com/"`
add specific key test 2019-03-25 23:48:39 +00:00			`if !isTrustedIssuer(iss, nil, r) {`
add tests for implicit issuer 2019-03-06 21:59:25 +00:00			`t.Fatal("A good URL didn't make it:", iss)`
			`}`
			`}`