201 lines
4.3 KiB
Go
201 lines
4.3 KiB
Go
package keyfetch
|
|
|
|
import (
|
|
"errors"
|
|
"net/http"
|
|
"net/url"
|
|
"testing"
|
|
)
|
|
|
|
func TestInvalidIssuer(t *testing.T) {
|
|
_, err := NewWhitelist([]string{"somethingorother"})
|
|
if nil == err {
|
|
t.Log("invalid http urls can get through, but that's okay")
|
|
}
|
|
|
|
_, err = NewWhitelist([]string{"//example.com/foo"})
|
|
if nil == err {
|
|
t.Fatal(errors.New("semi-bad url got through"))
|
|
}
|
|
}
|
|
|
|
func TestIssuerMatches(t *testing.T) {
|
|
// because [""] = strings.Split(os.Getenv("DOESNTEXIST"), ",")
|
|
trusted := []string{
|
|
"",
|
|
"https://example.com/",
|
|
"foobar.net/def/",
|
|
"https://*.wild.org",
|
|
"https://*.west.mali/verde",
|
|
}
|
|
privates := []string{
|
|
"http://happy.xyz/abc",
|
|
}
|
|
|
|
_, err := NewWhitelist(append(trusted, privates...))
|
|
if nil == err {
|
|
t.Fatal(errors.New("an insecure domain got through"))
|
|
}
|
|
|
|
// Empty list is allowed... I guess?
|
|
list, err := NewWhitelist(nil)
|
|
if nil != err {
|
|
t.Fatal(err)
|
|
}
|
|
// Combo list
|
|
list, err = NewWhitelist(trusted[1:], privates)
|
|
if nil != err {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
var iss string
|
|
iss = "https://example.com"
|
|
if !list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A good domain didn't make it:", iss)
|
|
}
|
|
|
|
iss = "https://example.com/"
|
|
if !list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A good domain didn't make it:", iss)
|
|
}
|
|
|
|
iss = "http://example.com"
|
|
if list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A bad URL slipped past", iss)
|
|
}
|
|
|
|
iss = "https://example.com/foo"
|
|
if list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A bad URL slipped past", iss)
|
|
}
|
|
|
|
iss = "http://happy.xyz/abc"
|
|
if !list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A good URL didn't make it:", iss)
|
|
}
|
|
|
|
iss = "http://happy.xyz/abc/"
|
|
if !list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A good URL didn't make it:", iss)
|
|
}
|
|
|
|
iss = "http://happy.xyz/abc/d"
|
|
if list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A bad URL slipped past", iss)
|
|
}
|
|
|
|
iss = "http://happy.xyz/abcd"
|
|
if list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A bad URL slipped past", iss)
|
|
}
|
|
|
|
iss = "https://foobar.net/def"
|
|
if !list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A good URL didn't make it:", iss)
|
|
}
|
|
|
|
iss = "https://foobar.net/def/"
|
|
if !list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A good URL didn't make it:", iss)
|
|
}
|
|
|
|
iss = "http://foobar.net/def/"
|
|
if list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A bad URL slipped past", iss)
|
|
}
|
|
|
|
iss = "https://foobar.net/def/e"
|
|
if list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A bad URL slipped past", iss)
|
|
}
|
|
|
|
iss = "https://foobar.net/defe"
|
|
if list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A bad URL slipped past", iss)
|
|
}
|
|
|
|
iss = "https://wild.org"
|
|
if list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A bad URL slipped past", iss)
|
|
}
|
|
|
|
iss = "https://foo.wild.org"
|
|
if !list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A good URL didn't make it:", iss)
|
|
}
|
|
|
|
iss = "https://sub.foo.wild.org"
|
|
if !list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A good URL didn't make it:", iss)
|
|
}
|
|
|
|
iss = "https://foo.wild.org/cherries"
|
|
if list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A bad URL slipped past", iss)
|
|
}
|
|
|
|
iss = "https://sub.west.mali/verde/"
|
|
if !list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A good URL didn't make it:", iss)
|
|
}
|
|
|
|
iss = "https://sub.west.mali"
|
|
if list.IsTrustedIssuer(iss) {
|
|
t.Fatal("A bad URL slipped past", iss)
|
|
}
|
|
}
|
|
|
|
func TestImplicitIssuer(t *testing.T) {
|
|
var r *http.Request
|
|
var iss string
|
|
|
|
r = &http.Request{
|
|
Host: "example.com",
|
|
URL: &url.URL{Path: "/foo/bar/baz"},
|
|
Header: http.Header(map[string][]string{
|
|
"x-forwarded-host": []string{"example.com"},
|
|
}),
|
|
}
|
|
iss = "https://example.com/foo"
|
|
if !isTrustedIssuer(iss, nil, r) {
|
|
t.Fatal("A good URL didn't make it:", iss)
|
|
}
|
|
|
|
r = &http.Request{
|
|
Host: "example.com",
|
|
URL: &url.URL{Path: "/"},
|
|
Header: http.Header(map[string][]string{
|
|
"x-forwarded-host": []string{"example.com"},
|
|
"x-forwarded-proto": []string{"http"},
|
|
}),
|
|
}
|
|
iss = "http://example.com/foo"
|
|
if isTrustedIssuer(iss, nil, r) {
|
|
t.Fatal("A bad URL slipped past:", iss)
|
|
}
|
|
|
|
r = &http.Request{
|
|
Host: "example.com",
|
|
URL: &url.URL{Path: "/foo"},
|
|
Header: http.Header(map[string][]string{
|
|
"x-forwarded-host": []string{"example.com"},
|
|
}),
|
|
}
|
|
iss = "https://example.com/foo/bar/baz"
|
|
if isTrustedIssuer(iss, nil, r) {
|
|
t.Fatal("A bad URL slipped past:", iss)
|
|
}
|
|
|
|
r = &http.Request{
|
|
Host: "example.com",
|
|
URL: &url.URL{Path: "/"},
|
|
Header: http.Header(map[string][]string{
|
|
"x-forwarded-proto": []string{"https"},
|
|
}),
|
|
}
|
|
iss = "https://example.com/"
|
|
if !isTrustedIssuer(iss, nil, r) {
|
|
t.Fatal("A good URL didn't make it:", iss)
|
|
}
|
|
}
|