keypairs/keyfetch/issuer_test.go

201 lines
4.3 KiB
Go

package keyfetch
import (
"errors"
"net/http"
"net/url"
"testing"
)
func TestInvalidIssuer(t *testing.T) {
_, err := NewWhitelist([]string{"somethingorother"})
if nil == err {
t.Log("invalid http urls can get through, but that's okay")
}
_, err = NewWhitelist([]string{"//example.com/foo"})
if nil == err {
t.Fatal(errors.New("semi-bad url got through"))
}
}
func TestIssuerMatches(t *testing.T) {
// because [""] = strings.Split(os.Getenv("DOESNTEXIST"), ",")
trusted := []string{
"",
"https://example.com/",
"foobar.net/def/",
"https://*.wild.org",
"https://*.west.mali/verde",
}
privates := []string{
"http://happy.xyz/abc",
}
_, err := NewWhitelist(append(trusted, privates...))
if nil == err {
t.Fatal(errors.New("an insecure domain got through"))
}
// Empty list is allowed... I guess?
list, err := NewWhitelist(nil)
if nil != err {
t.Fatal(err)
}
// Combo list
list, err = NewWhitelist(trusted[1:], privates)
if nil != err {
t.Fatal(err)
}
var iss string
iss = "https://example.com"
if !list.IsTrustedIssuer(iss) {
t.Fatal("A good domain didn't make it:", iss)
}
iss = "https://example.com/"
if !list.IsTrustedIssuer(iss) {
t.Fatal("A good domain didn't make it:", iss)
}
iss = "http://example.com"
if list.IsTrustedIssuer(iss) {
t.Fatal("A bad URL slipped past", iss)
}
iss = "https://example.com/foo"
if list.IsTrustedIssuer(iss) {
t.Fatal("A bad URL slipped past", iss)
}
iss = "http://happy.xyz/abc"
if !list.IsTrustedIssuer(iss) {
t.Fatal("A good URL didn't make it:", iss)
}
iss = "http://happy.xyz/abc/"
if !list.IsTrustedIssuer(iss) {
t.Fatal("A good URL didn't make it:", iss)
}
iss = "http://happy.xyz/abc/d"
if list.IsTrustedIssuer(iss) {
t.Fatal("A bad URL slipped past", iss)
}
iss = "http://happy.xyz/abcd"
if list.IsTrustedIssuer(iss) {
t.Fatal("A bad URL slipped past", iss)
}
iss = "https://foobar.net/def"
if !list.IsTrustedIssuer(iss) {
t.Fatal("A good URL didn't make it:", iss)
}
iss = "https://foobar.net/def/"
if !list.IsTrustedIssuer(iss) {
t.Fatal("A good URL didn't make it:", iss)
}
iss = "http://foobar.net/def/"
if list.IsTrustedIssuer(iss) {
t.Fatal("A bad URL slipped past", iss)
}
iss = "https://foobar.net/def/e"
if list.IsTrustedIssuer(iss) {
t.Fatal("A bad URL slipped past", iss)
}
iss = "https://foobar.net/defe"
if list.IsTrustedIssuer(iss) {
t.Fatal("A bad URL slipped past", iss)
}
iss = "https://wild.org"
if list.IsTrustedIssuer(iss) {
t.Fatal("A bad URL slipped past", iss)
}
iss = "https://foo.wild.org"
if !list.IsTrustedIssuer(iss) {
t.Fatal("A good URL didn't make it:", iss)
}
iss = "https://sub.foo.wild.org"
if !list.IsTrustedIssuer(iss) {
t.Fatal("A good URL didn't make it:", iss)
}
iss = "https://foo.wild.org/cherries"
if list.IsTrustedIssuer(iss) {
t.Fatal("A bad URL slipped past", iss)
}
iss = "https://sub.west.mali/verde/"
if !list.IsTrustedIssuer(iss) {
t.Fatal("A good URL didn't make it:", iss)
}
iss = "https://sub.west.mali"
if list.IsTrustedIssuer(iss) {
t.Fatal("A bad URL slipped past", iss)
}
}
func TestImplicitIssuer(t *testing.T) {
var r *http.Request
var iss string
r = &http.Request{
Host: "example.com",
URL: &url.URL{Path: "/foo/bar/baz"},
Header: http.Header(map[string][]string{
"x-forwarded-host": []string{"example.com"},
}),
}
iss = "https://example.com/foo"
if !isTrustedIssuer(iss, nil, r) {
t.Fatal("A good URL didn't make it:", iss)
}
r = &http.Request{
Host: "example.com",
URL: &url.URL{Path: "/"},
Header: http.Header(map[string][]string{
"x-forwarded-host": []string{"example.com"},
"x-forwarded-proto": []string{"http"},
}),
}
iss = "http://example.com/foo"
if isTrustedIssuer(iss, nil, r) {
t.Fatal("A bad URL slipped past:", iss)
}
r = &http.Request{
Host: "example.com",
URL: &url.URL{Path: "/foo"},
Header: http.Header(map[string][]string{
"x-forwarded-host": []string{"example.com"},
}),
}
iss = "https://example.com/foo/bar/baz"
if isTrustedIssuer(iss, nil, r) {
t.Fatal("A bad URL slipped past:", iss)
}
r = &http.Request{
Host: "example.com",
URL: &url.URL{Path: "/"},
Header: http.Header(map[string][]string{
"x-forwarded-proto": []string{"https"},
}),
}
iss = "https://example.com/"
if !isTrustedIssuer(iss, nil, r) {
t.Fatal("A good URL didn't make it:", iss)
}
}