Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dependabot/go_modules/github.com/slackhq/nebula-1.9.0
wire-acme-extensions
mariano/init-provisioners
fix-1637
herman/wire-dpop-struct
herman/fix-nebula-curve-param
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1e808b61e5'
${ noResults }
smallstep-certificates/policy/engine_test.go

2062 lines
47 KiB
Go
Raw Normal View History Unescape Escape

Merge logic for X509 and SSH policy
2 years ago
package policy
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
import (
"crypto/x509"
Add more tests
2 years ago
"crypto/x509/pkix"
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
"net"
"net/url"
"testing"
"github.com/smallstep/assert"
)
Improve test case and code coverage
2 years ago
// TODO(hs): the functionality in the policy engine is a nice candidate for trying fuzzing on
// TODO(hs): more complex uses cases that combine multiple names and permitted/excluded entries
// TODO(hs): check errors (reasons) are as expected
func TestNamePolicyEngine_matchDomainConstraint(t *testing.T) {
tests := []struct {
name string
engine *NamePolicyEngine
domain string
constraint string
want bool
wantErr bool
}{
{
name: "fail/wildcard",
engine: &NamePolicyEngine{},
domain: "host.local",
constraint: ".example.com", // internally we're using the x509 period prefix as the indicator for exactly one subdomain
want: false,
wantErr: false,
},
{
name: "fail/wildcard-literal",
engine: &NamePolicyEngine{},
domain: "*.example.com",
constraint: ".example.com", // internally we're using the x509 period prefix as the indicator for exactly one subdomain
want: false,
wantErr: false,
},
{
name: "fail/specific-domain",
engine: &NamePolicyEngine{},
domain: "www.example.com",
constraint: "host.example.com",
want: false,
wantErr: false,
},
{
name: "fail/single-whitespace-domain",
engine: &NamePolicyEngine{},
domain: " ",
constraint: "host.example.com",
want: false,
wantErr: false,
},
{
name: "fail/period-domain",
engine: &NamePolicyEngine{},
domain: ".host.example.com",
constraint: ".example.com",
want: false,
wantErr: false,
},
{
name: "fail/wrong-asterisk-prefix",
engine: &NamePolicyEngine{},
domain: "*Xexample.com",
constraint: ".example.com",
want: false,
wantErr: false,
},
{
name: "fail/asterisk-in-domain",
engine: &NamePolicyEngine{},
domain: "e*ample.com",
constraint: ".com",
want: false,
wantErr: false,
},
{
name: "fail/asterisk-label",
engine: &NamePolicyEngine{},
domain: "example.*.local",
constraint: ".local",
want: false,
wantErr: false,
},
{
name: "fail/multiple-periods",
engine: &NamePolicyEngine{},
domain: "example.local",
constraint: "..local",
want: false,
wantErr: false,
},
{
name: "fail/error-parsing-domain",
engine: &NamePolicyEngine{},
domain: string([]byte{0}),
constraint: ".local",
want: false,
wantErr: true,
},
{
name: "fail/error-parsing-constraint",
engine: &NamePolicyEngine{},
domain: "example.local",
constraint: string([]byte{0}),
want: false,
wantErr: true,
},
{
name: "fail/no-subdomain",
engine: &NamePolicyEngine{},
domain: "local",
constraint: ".local",
want: false,
wantErr: false,
},
{
name: "fail/too-many-subdomains",
engine: &NamePolicyEngine{},
domain: "www.example.local",
constraint: ".local",
want: false,
wantErr: false,
},
{
name: "fail/wrong-domain",
engine: &NamePolicyEngine{},
domain: "example.notlocal",
constraint: ".local",
want: false,
wantErr: false,
},
{
name: "ok/empty-constraint",
engine: &NamePolicyEngine{},
domain: "www.example.com",
constraint: "",
want: true,
wantErr: false,
},
{
name: "ok/wildcard",
engine: &NamePolicyEngine{},
domain: "www.example.com",
constraint: ".example.com", // internally we're using the x509 period prefix as the indicator for exactly one subdomain
want: true,
wantErr: false,
},
{
name: "ok/wildcard-literal",
engine: &NamePolicyEngine{
allowLiteralWildcardNames: true,
},
domain: "*.example.com", // specifically allowed using an option on the NamePolicyEngine
constraint: ".example.com", // internally we're using the x509 period prefix as the indicator for exactly one subdomain
want: true,
wantErr: false,
},
{
name: "ok/specific-domain",
engine: &NamePolicyEngine{},
domain: "www.example.com",
constraint: "www.example.com",
want: true,
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := tt.engine.matchDomainConstraint(tt.domain, tt.constraint)
if (err != nil) != tt.wantErr {
t.Errorf("NamePolicyEngine.matchDomainConstraint() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("NamePolicyEngine.matchDomainConstraint() = %v, want %v", got, tt.want)
}
})
}
}
func Test_matchIPConstraint(t *testing.T) {
nat64IP, nat64Net, err := net.ParseCIDR("64:ff9b::/96")
assert.FatalError(t, err)
tests := []struct {
name string
ip net.IP
constraint *net.IPNet
want bool
wantErr bool
}{
{
name: "false/ipv4-in-ipv6-nat64",
ip: net.ParseIP("192.0.2.128"),
constraint: nat64Net,
want: false,
wantErr: false,
},
{
name: "ok/ipv4",
ip: net.ParseIP("127.0.0.1"),
constraint: &net.IPNet{
IP: net.ParseIP("127.0.0.0"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
want: true,
wantErr: false,
},
{
name: "ok/ipv6",
ip: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7335"),
constraint: &net.IPNet{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
Mask: net.CIDRMask(120, 128),
},
want: true,
wantErr: false,
},
{
name: "ok/ipv4-in-ipv6", // ipv4 in ipv6 addresses are considered the same in the current implementation, because Go parses them as IPv4
ip: net.ParseIP("::ffff:192.0.2.128"),
constraint: &net.IPNet{
IP: net.ParseIP("192.0.2.0"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
want: true,
wantErr: false,
},
{
name: "ok/ipv4-in-ipv6-nat64-fixed-ip",
ip: nat64IP,
constraint: nat64Net,
want: true,
wantErr: false,
},
{
name: "ok/ipv4-in-ipv6-nat64",
ip: net.ParseIP("64:ff9b::192.0.2.129"),
constraint: nat64Net,
want: true,
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := matchIPConstraint(tt.ip, tt.constraint)
if (err != nil) != tt.wantErr {
t.Errorf("matchIPConstraint() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("matchIPConstraint() = %v, want %v", got, tt.want)
}
})
}
}
func TestNamePolicyEngine_matchEmailConstraint(t *testing.T) {
tests := []struct {
name string
engine *NamePolicyEngine
mailbox rfc2821Mailbox
constraint string
want bool
wantErr bool
}{
{
name: "fail/asterisk-prefix",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "local",
},
constraint: "*@example.com",
want: false,
wantErr: true,
},
{
name: "fail/asterisk-label",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "local",
},
constraint: "@host.*.example.com",
want: false,
wantErr: true,
},
{
name: "fail/asterisk-inside-local",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "local",
},
constraint: "m*il@local",
want: false,
wantErr: true,
},
{
name: "fail/asterisk-inside-domain",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "local",
},
constraint: "@h*st.example.com",
want: false,
wantErr: true,
},
{
name: "fail/parse-email",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "local",
},
constraint: "@example.com",
want: false,
wantErr: true,
},
{
name: "fail/wildcard",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "local",
},
constraint: "example.com",
want: false,
wantErr: false,
},
{
name: "fail/wildcard-x509-period",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "local",
},
constraint: ".local", // "wildcard" for the local domain; requires exactly 1 subdomain
want: false,
wantErr: false,
},
{
name: "fail/specific-mail-wrong-domain",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "local",
},
constraint: "mail@example.com",
want: false,
wantErr: false,
},
{
name: "fail/specific-mail-wrong-local",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "root",
domain: "example.com",
},
constraint: "mail@example.com",
want: false,
wantErr: false,
},
{
name: "ok/wildcard",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "local",
},
constraint: "local", // "wildcard" for the local domain
want: true,
wantErr: false,
},
{
name: "ok/wildcard-x509-period",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "example.local",
},
constraint: ".local", // "wildcard" for the local domain; requires exactly 1 subdomain
want: true,
wantErr: false,
},
{
name: "ok/specific-mail",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "local",
},
constraint: "mail@local",
want: true,
wantErr: false,
},
{
name: "ok/wildcard-tld",
engine: &NamePolicyEngine{},
mailbox: rfc2821Mailbox{
local: "mail",
domain: "example.com",
},
constraint: "example.com", // "wildcard" for 'example.com'
want: true,
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := tt.engine.matchEmailConstraint(tt.mailbox, tt.constraint)
if (err != nil) != tt.wantErr {
t.Errorf("NamePolicyEngine.matchEmailConstraint() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("NamePolicyEngine.matchEmailConstraint() = %v, want %v", got, tt.want)
}
})
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
}
Improve test case and code coverage
2 years ago
}
func TestNamePolicyEngine_matchURIConstraint(t *testing.T) {
tests := []struct {
name string
engine *NamePolicyEngine
uri *url.URL
constraint string
want bool
wantErr bool
}{
{
name: "fail/empty-host",
engine: &NamePolicyEngine{},
uri: &url.URL{
Scheme: "https",
Host: "",
},
constraint: ".local",
want: false,
wantErr: true,
},
{
name: "fail/host-with-asterisk-prefix",
engine: &NamePolicyEngine{},
uri: &url.URL{
Scheme: "https",
Host: "*.local",
},
constraint: ".local",
want: false,
wantErr: true,
},
{
name: "fail/host-with-asterisk-label",
engine: &NamePolicyEngine{},
uri: &url.URL{
Scheme: "https",
Host: "host.*.local",
},
constraint: ".local",
want: false,
wantErr: true,
},
{
name: "fail/host-with-asterisk-inside",
engine: &NamePolicyEngine{},
uri: &url.URL{
Scheme: "https",
Host: "h*st.local",
},
constraint: ".local",
want: false,
wantErr: true,
},
{
name: "fail/wildcard",
engine: &NamePolicyEngine{},
uri: &url.URL{
Scheme: "https",
Host: "www.example.notlocal",
},
constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
want: false,
wantErr: false,
},
{
name: "fail/wildcard-subdomains-too-deep",
engine: &NamePolicyEngine{},
uri: &url.URL{
Scheme: "https",
Host: "www.sub.example.local",
},
constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
want: false,
wantErr: false,
},
{
name: "fail/host-with-port-split-error",
engine: &NamePolicyEngine{},
uri: &url.URL{
Scheme: "https",
Host: "www.example.local::8080",
},
constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
want: false,
wantErr: true,
},
{
name: "fail/host-with-ipv4",
engine: &NamePolicyEngine{},
uri: &url.URL{
Scheme: "https",
Host: "127.0.0.1",
},
constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
want: false,
wantErr: true,
},
{
name: "fail/host-with-ipv6",
engine: &NamePolicyEngine{},
uri: &url.URL{
Scheme: "https",
Host: "[2001:0db8:85a3:0000:0000:8a2e:0370:7334]",
},
constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
want: false,
wantErr: true,
},
{
name: "ok/wildcard",
engine: &NamePolicyEngine{},
uri: &url.URL{
Scheme: "https",
Host: "www.example.local",
},
constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
want: true,
wantErr: false,
},
{
name: "ok/host-with-port",
engine: &NamePolicyEngine{},
uri: &url.URL{
Scheme: "https",
Host: "www.example.local:8080",
},
constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
want: true,
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := tt.engine.matchURIConstraint(tt.uri, tt.constraint)
if (err != nil) != tt.wantErr {
t.Errorf("NamePolicyEngine.matchURIConstraint() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("NamePolicyEngine.matchURIConstraint() = %v, want %v", got, tt.want)
}
})
}
}
func TestNamePolicyEngine_AreCertificateNamesAllowed(t *testing.T) {
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
tests := []struct {
name string
Improve test case and code coverage
2 years ago
options []NamePolicyOption
Add more tests
2 years ago
cert *x509.Certificate
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
want bool
wantErr bool
}{
Improve test case and code coverage
2 years ago
// SINGLE SAN TYPE PERMITTED FAILURE TESTS
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
{
name: "fail/dns-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
DNSNames: []string{"www.example.com"},
},
want: false,
wantErr: true,
},
Improve test case and code coverage
2 years ago
{
name: "fail/dns-permitted-wildcard-literal-x509",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.x509local"),
},
cert: &x509.Certificate{
DNSNames: []string{
"*.x509local",
},
},
want: false,
wantErr: true,
},
Add more tests
2 years ago
{
name: "fail/dns-permitted-single-host",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
AddPermittedDNSDomain("host.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
DNSNames: []string{"differenthost.local"},
},
want: false,
wantErr: true,
},
{
name: "fail/dns-permitted-no-label",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
DNSNames: []string{"local"},
},
want: false,
wantErr: true,
},
{
name: "fail/dns-permitted-empty-label",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
DNSNames: []string{"www..local"},
},
want: false,
wantErr: true,
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
{
Improve test case and code coverage
2 years ago
name: "fail/dns-permitted-dot-domain",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
DNSNames: []string{
".local",
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
want: false,
wantErr: true,
},
Add more tests
2 years ago
{
Improve test case and code coverage
2 years ago
name: "fail/dns-permitted-wildcard-multiple-subdomains",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
DNSNames: []string{
"sub.example.local",
},
Add more tests
2 years ago
},
want: false,
wantErr: true,
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
{
Improve test case and code coverage
2 years ago
name: "fail/dns-permitted-wildcard-literal",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
DNSNames: []string{
"*.local",
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
want: false,
wantErr: true,
},
{
Improve test case and code coverage
2 years ago
name: "fail/ipv4-permitted",
options: []NamePolicyOption{
AddPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Improve test case and code coverage
2 years ago
),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
IPAddresses: []net.IP{net.ParseIP("1.1.1.1")},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
want: false,
wantErr: true,
},
{
name: "fail/ipv6-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
AddPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
Mask: net.CIDRMask(120, 128),
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Improve test case and code coverage
2 years ago
),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
IPAddresses: []net.IP{net.ParseIP("3001:0db8:85a3:0000:0000:8a2e:0370:7334")},
},
want: false,
wantErr: true,
},
{
Improve test case and code coverage
2 years ago
name: "fail/mail-permitted-wildcard",
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
EmailAddresses: []string{
"test@local.com",
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
want: false,
wantErr: true,
},
{
Improve test case and code coverage
2 years ago
name: "fail/mail-permitted-wildcard-x509",
options: []NamePolicyOption{
AddPermittedEmailAddress("example.com"),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
EmailAddresses: []string{
"test@local.com",
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
want: false,
wantErr: true,
},
Add more tests
2 years ago
{
Improve test case and code coverage
2 years ago
name: "fail/mail-permitted-specific-mailbox",
options: []NamePolicyOption{
AddPermittedEmailAddress("test@local.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
EmailAddresses: []string{
"root@local.com",
},
Add more tests
2 years ago
},
want: false,
wantErr: true,
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
{
Improve test case and code coverage
2 years ago
name: "fail/mail-permitted-wildcard-subdomain",
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
EmailAddresses: []string{
"test@sub.example.com",
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
want: false,
wantErr: true,
},
{
Improve test case and code coverage
2 years ago
name: "fail/permitted-uri-domain-wildcard",
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
URIs: []*url.URL{
{
Scheme: "https",
Improve test case and code coverage
2 years ago
Host: "example.com",
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
},
},
want: false,
wantErr: true,
},
Add more tests
2 years ago
{
Improve test case and code coverage
2 years ago
name: "fail/permitted-uri",
options: []NamePolicyOption{
AddPermittedURIDomain("test.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Improve test case and code coverage
2 years ago
Host: "bad.local",
Add more tests
2 years ago
},
},
},
want: false,
wantErr: true,
},
{
Improve test case and code coverage
2 years ago
name: "fail/permitted-uri-with-literal-wildcard", // don't allow literal wildcard in URI, e.g. xxxx://*.domain.tld
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Improve test case and code coverage
2 years ago
Host: "*.local",
Add more tests
2 years ago
},
},
},
want: false,
wantErr: true,
},
Improve test case and code coverage
2 years ago
// SINGLE SAN TYPE EXCLUDED FAILURE TESTS
Add more tests
2 years ago
{
Improve test case and code coverage
2 years ago
name: "fail/dns-excluded",
options: []NamePolicyOption{
AddExcludedDNSDomain("*.example.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
DNSNames: []string{"www.example.com"},
Add more tests
2 years ago
},
want: false,
wantErr: true,
},
{
Improve test case and code coverage
2 years ago
name: "fail/dns-excluded-single-host",
options: []NamePolicyOption{
AddExcludedDNSDomain("host.example.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
DNSNames: []string{"host.example.com"},
Add more tests
2 years ago
},
want: false,
wantErr: true,
},
{
Improve test case and code coverage
2 years ago
name: "fail/ipv4-excluded",
options: []NamePolicyOption{
AddExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
},
),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
},
want: false,
wantErr: true,
},
{
name: "fail/ipv6-excluded",
options: []NamePolicyOption{
AddExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
Mask: net.CIDRMask(120, 128),
},
Add more tests
2 years ago
},
Improve test case and code coverage
2 years ago
),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334")},
},
want: false,
wantErr: true,
},
{
name: "fail/mail-excluded",
options: []NamePolicyOption{
AddExcludedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@example.com"},
Add more tests
2 years ago
},
want: false,
wantErr: true,
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
{
name: "fail/uri-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
AddExcludedURIDomain("*.example.com"),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Improve test case and code coverage
2 years ago
Host: "www.example.com",
Add more tests
2 years ago
},
},
},
want: false,
wantErr: true,
},
Improve test case and code coverage
2 years ago
// SUBJECT FAILURE TESTS
Add more tests
2 years ago
{
name: "fail/subject-dns-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedDNSDomain("*.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "example.notlocal",
},
},
want: false,
wantErr: true,
},
{
name: "fail/subject-dns-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedDNSDomain("*.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "example.local",
},
},
want: false,
wantErr: true,
},
{
name: "fail/subject-ipv4-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
Add more tests
2 years ago
},
Improve test case and code coverage
2 years ago
),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "10.10.10.10",
},
},
want: false,
wantErr: true,
},
{
name: "fail/subject-ipv4-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
Add more tests
2 years ago
},
Improve test case and code coverage
2 years ago
),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
Improve test case and code coverage
2 years ago
CommonName: "127.0.0.30",
Add more tests
2 years ago
},
},
want: false,
wantErr: true,
},
{
name: "fail/subject-ipv6-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
Mask: net.CIDRMask(120, 128),
},
Add more tests
2 years ago
},
Improve test case and code coverage
2 years ago
),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "2002:0db8:85a3:0000:0000:8a2e:0370:7339",
},
},
want: false,
wantErr: true,
},
{
name: "fail/subject-ipv6-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
Mask: net.CIDRMask(120, 128),
},
Add more tests
2 years ago
},
Improve test case and code coverage
2 years ago
),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "2001:0db8:85a3:0000:0000:8a2e:0370:7339",
},
},
want: false,
wantErr: true,
},
{
name: "fail/subject-email-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedEmailAddress("@example.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "mail@smallstep.com",
},
},
want: false,
wantErr: true,
},
{
name: "fail/subject-email-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedEmailAddress("@example.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "mail@example.local",
},
},
want: false,
wantErr: true,
},
{
name: "fail/subject-uri-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedURIDomain("*.example.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "https://www.google.com",
},
},
want: false,
wantErr: true,
},
{
name: "fail/subject-uri-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedURIDomain("*.example.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "https://www.example.com",
},
},
want: false,
wantErr: true,
},
Improve test case and code coverage
2 years ago
// DIFFERENT SAN PERMITTED FAILURE TESTS
{
name: "fail/dns-permitted-with-ip-name", // when only DNS is permitted, IPs are not allowed.
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
},
want: false,
wantErr: true,
},
{
name: "fail/dns-permitted-with-mail", // when only DNS is permitted, mails are not allowed.
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@smallstep.com"},
},
want: false,
wantErr: true,
},
{
name: "fail/dns-permitted-with-uri", // when only DNS is permitted, URIs are not allowed.
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Host: "www.example.com",
},
},
},
want: false,
wantErr: true,
},
{
name: "fail/ip-permitted-with-dns-name", // when only IP is permitted, DNS names are not allowed.
options: []NamePolicyOption{
AddPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
},
),
},
cert: &x509.Certificate{
DNSNames: []string{"www.example.com"},
},
want: false,
wantErr: true,
},
{
name: "fail/ip-permitted-with-mail", // when only IP is permitted, mails are not allowed.
options: []NamePolicyOption{
AddPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
},
),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@smallstep.com"},
},
want: false,
wantErr: true,
},
{
name: "fail/ip-permitted-with-uri", // when only IP is permitted, URIs are not allowed.
options: []NamePolicyOption{
AddPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
},
),
},
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Host: "www.example.com",
},
},
},
want: false,
wantErr: true,
},
{
name: "fail/mail-permitted-with-dns-name", // when only mail is permitted, DNS names are not allowed.
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
DNSNames: []string{"www.example.com"},
},
want: false,
wantErr: true,
},
{
name: "fail/mail-permitted-with-ip", // when only mail is permitted, IPs are not allowed.
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{
net.ParseIP("127.0.0.1"),
},
},
want: false,
wantErr: true,
},
{
name: "fail/mail-permitted-with-uri", // when only mail is permitted, URIs are not allowed.
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Host: "www.example.com",
},
},
},
want: false,
wantErr: true,
},
{
name: "fail/uri-permitted-with-dns-name", // when only URI is permitted, DNS names are not allowed.
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
},
cert: &x509.Certificate{
DNSNames: []string{"host.local"},
},
want: false,
wantErr: true,
},
{
name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, IPs are not allowed.
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{
net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
},
},
want: false,
wantErr: true,
},
{
name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, mails are not allowed.
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@smallstep.com"},
},
want: false,
wantErr: true,
},
// COMBINED FAILURE TESTS
Add more tests
2 years ago
{
name: "fail/combined-simple-all-badhost.local",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
WithPermittedDNSDomain("*.local"),
WithPermittedCIDR("127.0.0.1/24"),
WithPermittedEmailAddress("@example.local"),
WithPermittedURIDomain("*.example.local"),
WithExcludedDNSDomain("badhost.local"),
WithExcludedCIDR("127.0.0.128/25"),
WithExcludedEmailAddress("badmail@example.local"),
WithExcludedURIDomain("badwww.example.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "badhost.local",
},
DNSNames: []string{"example.local"},
Improve test case and code coverage
2 years ago
IPAddresses: []net.IP{net.ParseIP("127.0.0.40")},
Add more tests
2 years ago
EmailAddresses: []string{"mail@example.local"},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
URIs: []*url.URL{
{
Scheme: "https",
Host: "www.example.local",
},
},
},
want: false,
wantErr: true,
},
Improve test case and code coverage
2 years ago
// NO CONSTRAINT SUCCESS TESTS
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
{
Improve test case and code coverage
2 years ago
name: "ok/dns-no-constraints",
options: []NamePolicyOption{},
Add more tests
2 years ago
cert: &x509.Certificate{
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
DNSNames: []string{"www.example.com"},
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/ipv4-no-constraints",
options: []NamePolicyOption{},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
IPAddresses: []net.IP{
net.ParseIP("127.0.0.1"),
},
Add more tests
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/ipv6-no-constraints",
options: []NamePolicyOption{},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
IPAddresses: []net.IP{
net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/mail-no-constraints",
options: []NamePolicyOption{},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
EmailAddresses: []string{"mail@smallstep.com"},
Add more tests
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/uri-no-constraints",
options: []NamePolicyOption{},
cert: &x509.Certificate{
URIs: []*url.URL{
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
{
Improve test case and code coverage
2 years ago
Scheme: "https",
Host: "www.example.com",
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
},
},
Improve test case and code coverage
2 years ago
want: true,
wantErr: false,
},
{
name: "ok/subject-no-constraints",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
Subject: pkix.Name{
CommonName: "www.example.com",
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/subject-empty-no-constraints",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "",
Add more tests
2 years ago
},
},
Improve test case and code coverage
2 years ago
want: true,
wantErr: false,
},
// SINGLE SAN TYPE PERMITTED SUCCESS TESTS
{
name: "ok/dns-permitted",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
DNSNames: []string{"example.local"},
Add more tests
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/dns-permitted-wildcard",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
AddPermittedDNSDomain(".x509local"),
WithAllowLiteralWildcardNames(),
},
cert: &x509.Certificate{
DNSNames: []string{
"host.local",
"test.x509local",
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
},
Improve test case and code coverage
2 years ago
want: true,
wantErr: false,
},
{
name: "ok/empty-dns-constraint",
options: []NamePolicyOption{
AddPermittedDNSDomain(""),
},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
DNSNames: []string{"example.local"},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/dns-permitted-wildcard-literal",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
AddPermittedDNSDomain("*.x509local"),
WithAllowLiteralWildcardNames(),
},
cert: &x509.Certificate{
DNSNames: []string{
"*.local",
"*.x509local",
Add more tests
2 years ago
},
},
Improve test case and code coverage
2 years ago
want: true,
wantErr: false,
},
{
name: "ok/dns-permitted-combined",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
AddPermittedDNSDomain("*.x509local"),
AddPermittedDNSDomain("host.example.com"),
},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
DNSNames: []string{
"example.local",
"example.x509local",
"host.example.com",
},
Add more tests
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/ipv4-permitted",
options: []NamePolicyOption{
AddPermittedCIDR("127.0.0.1/24"),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
IPAddresses: []net.IP{net.ParseIP("127.0.0.20")},
Add more tests
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/ipv6-permitted",
options: []NamePolicyOption{
AddPermittedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
IPAddresses: []net.IP{net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7339")},
Add more tests
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/mail-permitted-wildcard",
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
EmailAddresses: []string{
"test@example.com",
},
Add more tests
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/mail-permitted-plain-domain",
options: []NamePolicyOption{
AddPermittedEmailAddress("example.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
EmailAddresses: []string{
"test@example.com",
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/mail-permitted-specific-mailbox",
options: []NamePolicyOption{
AddPermittedEmailAddress("test@local.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Improve test case and code coverage
2 years ago
EmailAddresses: []string{
"test@local.com",
},
Add more tests
2 years ago
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/uri-permitted-domain-wildcard",
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
URIs: []*url.URL{
{
Scheme: "https",
Improve test case and code coverage
2 years ago
Host: "example.local",
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
},
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/uri-permitted-specific-uri",
options: []NamePolicyOption{
AddPermittedURIDomain("test.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Improve test case and code coverage
2 years ago
Host: "test.local",
Add more tests
2 years ago
},
},
},
want: true,
wantErr: false,
},
{
Improve test case and code coverage
2 years ago
name: "ok/uri-permitted-with-port",
options: []NamePolicyOption{
AddPermittedURIDomain(".example.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Improve test case and code coverage
2 years ago
Host: "www.example.com:8080",
Add more tests
2 years ago
},
},
},
want: true,
wantErr: false,
},
Improve test case and code coverage
2 years ago
// SINGLE SAN TYPE EXCLUDED SUCCESS TESTS
{
name: "ok/dns-excluded",
options: []NamePolicyOption{
WithExcludedDNSDomain("*.notlocal"),
},
cert: &x509.Certificate{
DNSNames: []string{"example.local"},
},
want: true,
wantErr: false,
},
{
name: "ok/ipv4-excluded",
options: []NamePolicyOption{
AddExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
},
),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("10.10.10.10")},
},
want: true,
wantErr: false,
},
{
name: "ok/ipv6-excluded",
options: []NamePolicyOption{
AddExcludedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("2003:0db8:85a3:0000:0000:8a2e:0370:7334")},
},
want: true,
wantErr: false,
},
{
name: "ok/mail-excluded",
options: []NamePolicyOption{
WithExcludedEmailAddress("@notlocal"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@local"},
},
want: true,
wantErr: false,
},
{
name: "ok/mail-excluded-with-subdomain",
options: []NamePolicyOption{
WithExcludedEmailAddress("@local"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@example.local"},
},
want: true,
wantErr: false,
},
Add more tests
2 years ago
{
name: "ok/uri-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithExcludedURIDomain("*.google.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Host: "www.example.com",
},
},
},
want: true,
wantErr: false,
},
Improve test case and code coverage
2 years ago
// SUBJECT SUCCESS TESTS
Add more tests
2 years ago
{
name: "ok/subject-empty",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedDNSDomain("*.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "",
},
DNSNames: []string{"example.local"},
},
want: true,
wantErr: false,
},
{
name: "ok/subject-dns-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedDNSDomain("*.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "example.local",
},
},
want: true,
wantErr: false,
},
{
name: "ok/subject-dns-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedDNSDomain("*.notlocal"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "example.local",
},
},
want: true,
wantErr: false,
},
{
name: "ok/subject-ipv4-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
Add more tests
2 years ago
},
Improve test case and code coverage
2 years ago
),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "127.0.0.20",
},
},
want: true,
wantErr: false,
},
{
name: "ok/subject-ipv4-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("128.0.0.1"),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
Add more tests
2 years ago
},
Improve test case and code coverage
2 years ago
),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "127.0.0.1",
},
},
want: true,
wantErr: false,
},
{
name: "ok/subject-ipv6-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
Mask: net.CIDRMask(120, 128),
},
Add more tests
2 years ago
},
Improve test case and code coverage
2 years ago
),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "2001:0db8:85a3:0000:0000:8a2e:0370:7339",
},
},
want: true,
wantErr: false,
},
{
name: "ok/subject-ipv6-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
Mask: net.CIDRMask(120, 128),
},
Add more tests
2 years ago
},
Improve test case and code coverage
2 years ago
),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "2009:0db8:85a3:0000:0000:8a2e:0370:7339",
},
},
want: true,
wantErr: false,
},
{
name: "ok/subject-email-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedEmailAddress("@example.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "mail@example.local",
},
},
want: true,
wantErr: false,
},
{
name: "ok/subject-email-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedEmailAddress("@example.notlocal"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "mail@example.local",
},
},
want: true,
wantErr: false,
},
{
name: "ok/subject-uri-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedURIDomain("*.example.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "https://www.example.com",
},
},
want: true,
wantErr: false,
},
{
name: "ok/subject-uri-excluded",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedURIDomain("*.smallstep.com"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "https://www.example.com",
},
},
want: true,
wantErr: false,
},
Improve test case and code coverage
2 years ago
// DIFFERENT SAN TYPE EXCLUDED SUCCESS TESTS
{
name: "ok/dns-excluded-with-ip-name", // when only DNS is exluded, we allow anything else
options: []NamePolicyOption{
AddExcludedDNSDomain("*.local"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
},
want: true,
wantErr: false,
},
{
name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else
options: []NamePolicyOption{
AddExcludedDNSDomain("*.local"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@example.com"},
},
want: true,
wantErr: false,
},
{
name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else
options: []NamePolicyOption{
AddExcludedDNSDomain("*.local"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Host: "www.example.com",
},
},
},
want: true,
wantErr: false,
},
{
name: "ok/ip-excluded-with-dns", // when only IP is exluded, we allow anything else
options: []NamePolicyOption{
WithExcludedCIDR("127.0.0.1/24"),
},
cert: &x509.Certificate{
DNSNames: []string{"test.local"},
},
want: true,
wantErr: false,
},
{
name: "ok/ip-excluded-with-mail", // when only IP is exluded, we allow anything else
options: []NamePolicyOption{
WithExcludedCIDR("127.0.0.1/24"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@example.com"},
},
want: true,
wantErr: false,
},
{
name: "ok/ip-excluded-with-mail", // when only IP is exluded, we allow anything else
options: []NamePolicyOption{
WithExcludedCIDR("127.0.0.1/24"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Host: "www.example.com",
},
},
},
want: true,
wantErr: false,
},
{
name: "ok/mail-excluded-with-dns", // when only mail is exluded, we allow anything else
options: []NamePolicyOption{
WithExcludedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
DNSNames: []string{"test.local"},
},
want: true,
wantErr: false,
},
{
name: "ok/mail-excluded-with-ip", // when only mail is exluded, we allow anything else
options: []NamePolicyOption{
WithExcludedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
},
want: true,
wantErr: false,
},
{
name: "ok/mail-excluded-with-uri", // when only mail is exluded, we allow anything else
options: []NamePolicyOption{
WithExcludedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
{
Scheme: "https",
Host: "www.example.com",
},
},
},
want: true,
wantErr: false,
},
{
name: "ok/uri-excluded-with-dns", // when only URI is exluded, we allow anything else
options: []NamePolicyOption{
WithExcludedURIDomain("*.example.local"),
},
cert: &x509.Certificate{
DNSNames: []string{"test.example.local"},
},
want: true,
wantErr: false,
},
{
name: "ok/uri-excluded-with-dns", // when only URI is exluded, we allow anything else
options: []NamePolicyOption{
WithExcludedURIDomain("*.example.local"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
},
want: true,
wantErr: false,
},
{
name: "ok/uri-excluded-with-mail", // when only URI is exluded, we allow anything else
options: []NamePolicyOption{
WithExcludedURIDomain("*.example.local"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@example.local"},
},
want: true,
wantErr: false,
},
{
name: "ok/dns-excluded-with-subject-ip-name", // when only DNS is exluded, we allow anything else
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedDNSDomain("*.local"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "127.0.0.1",
},
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
},
want: true,
wantErr: false,
},
// COMBINED SUCCESS TESTS
Add more tests
2 years ago
{
name: "ok/combined-simple-permitted",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
WithPermittedDNSDomain("*.local"),
WithPermittedCIDR("127.0.0.1/24"),
WithPermittedEmailAddress("@example.local"),
WithPermittedURIDomain("*.example.local"),
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
},
Add more tests
2 years ago
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "somehost.local",
},
DNSNames: []string{"example.local"},
Improve test case and code coverage
2 years ago
IPAddresses: []net.IP{net.ParseIP("127.0.0.15")},
Add more tests
2 years ago
EmailAddresses: []string{"mail@example.local"},
URIs: []*url.URL{
{
Scheme: "https",
Host: "www.example.local",
},
},
},
want: true,
wantErr: false,
},
{
name: "ok/combined-simple-permitted-without-subject-verification",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithPermittedDNSDomain("*.local"),
WithPermittedCIDR("127.0.0.1/24"),
WithPermittedEmailAddress("@example.local"),
WithPermittedURIDomain("*.example.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "forbidden-but-non-verified-domain.example.com",
},
DNSNames: []string{"example.local"},
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
EmailAddresses: []string{"mail@example.local"},
URIs: []*url.URL{
{
Scheme: "https",
Host: "www.example.local",
},
},
},
want: true,
wantErr: false,
},
{
name: "ok/combined-simple-all",
Improve test case and code coverage
2 years ago
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
WithPermittedDNSDomain("*.local"),
WithPermittedCIDR("127.0.0.1/24"),
WithPermittedEmailAddress("@example.local"),
WithPermittedURIDomain("*.example.local"),
WithExcludedDNSDomain("badhost.local"),
WithExcludedCIDR("127.0.0.128/25"),
WithExcludedEmailAddress("badmail@example.local"),
WithExcludedURIDomain("badwww.example.local"),
Add more tests
2 years ago
},
cert: &x509.Certificate{
Subject: pkix.Name{
CommonName: "somehost.local",
},
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
DNSNames: []string{"example.local"},
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
EmailAddresses: []string{"mail@example.local"},
URIs: []*url.URL{
{
Scheme: "https",
Host: "www.example.local",
},
},
},
want: true,
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Improve test case and code coverage
2 years ago
engine, err := New(tt.options...)
assert.FatalError(t, err)
got, err := engine.AreCertificateNamesAllowed(tt.cert) // TODO: perform tests on CSR, sans, etc. too
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
if (err != nil) != tt.wantErr {
Add more tests
2 years ago
t.Errorf("NamePolicyEngine.AreCertificateNamesAllowed() error = %v, wantErr %v", err, tt.wantErr)
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
return
}
if got != tt.want {
Add more tests
2 years ago
t.Errorf("NamePolicyEngine.AreCertificateNamesAllowed() = %v, want %v", got, tt.want)
Add initial implementation of x509 and SSH allow/deny policy engine
2 years ago
}
})
}
}