@ -2,6 +2,7 @@ package x509policy
import (
"crypto/x509"
"crypto/x509/pkix"
"net"
"net/url"
"testing"
@ -9,8 +10,11 @@ import (
"github.com/smallstep/assert"
)
func TestGuard_IsAllowed ( t * testing . T ) {
func TestNamePolicyEngine_AreCertificateNamesAllowed ( t * testing . T ) {
// TODO(hs): refactor these tests into using validateNames instead of AreCertificateNamesAllowed
// TODO(hs): the functionality in the policy engine is a nice candidate for trying fuzzing on
type fields struct {
verifySubjectCommonName bool
permittedDNSDomains [ ] string
excludedDNSDomains [ ] string
permittedIPRanges [ ] * net . IPNet
@ -23,7 +27,7 @@ func TestGuard_IsAllowed(t *testing.T) {
tests := [ ] struct {
name string
fields fields
c sr * x509 . CertificateRequest
c ert * x509 . Certificate
want bool
wantErr bool
} {
@ -32,23 +36,67 @@ func TestGuard_IsAllowed(t *testing.T) {
fields : fields {
permittedDNSDomains : [ ] string { ".local" } ,
} ,
c sr : & x509 . Certificate Request {
c ert : & x509 . Certificate {
DNSNames : [ ] string { "www.example.com" } ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/dns-permitted-single-host" ,
fields : fields {
permittedDNSDomains : [ ] string { "host.local" } ,
} ,
cert : & x509 . Certificate {
DNSNames : [ ] string { "differenthost.local" } ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/dns-permitted-no-label" ,
fields : fields {
permittedDNSDomains : [ ] string { ".local" } ,
} ,
cert : & x509 . Certificate {
DNSNames : [ ] string { "local" } ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/dns-permitted-empty-label" ,
fields : fields {
permittedDNSDomains : [ ] string { ".local" } ,
} ,
cert : & x509 . Certificate {
DNSNames : [ ] string { "www..local" } ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/dns-excluded" ,
fields : fields {
excludedDNSDomains : [ ] string { "example.com" } ,
} ,
csr : & x509 . CertificateRequest {
c ert : & x509 . Certificate {
DNSNames : [ ] string { "www.example.com" } ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/dns-excluded-single-host" ,
fields : fields {
excludedDNSDomains : [ ] string { "example.com" } ,
} ,
cert : & x509 . Certificate {
DNSNames : [ ] string { "example.com" } ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/ipv4-permitted" ,
fields : fields {
@ -59,7 +107,7 @@ func TestGuard_IsAllowed(t *testing.T) {
} ,
} ,
} ,
c sr : & x509 . Certificate Request {
c ert : & x509 . Certificate {
IPAddresses : [ ] net . IP { net . ParseIP ( "1.1.1.1" ) } ,
} ,
want : false ,
@ -75,7 +123,7 @@ func TestGuard_IsAllowed(t *testing.T) {
} ,
} ,
} ,
c sr : & x509 . Certificate Request {
c ert : & x509 . Certificate {
IPAddresses : [ ] net . IP { net . ParseIP ( "127.0.0.1" ) } ,
} ,
want : false ,
@ -91,7 +139,7 @@ func TestGuard_IsAllowed(t *testing.T) {
} ,
} ,
} ,
c sr : & x509 . Certificate Request {
c ert : & x509 . Certificate {
IPAddresses : [ ] net . IP { net . ParseIP ( "3001:0db8:85a3:0000:0000:8a2e:0370:7334" ) } ,
} ,
want : false ,
@ -107,7 +155,7 @@ func TestGuard_IsAllowed(t *testing.T) {
} ,
} ,
} ,
c sr : & x509 . Certificate Request {
c ert : & x509 . Certificate {
IPAddresses : [ ] net . IP { net . ParseIP ( "2001:0db8:85a3:0000:0000:8a2e:0370:7334" ) } ,
} ,
want : false ,
@ -118,18 +166,29 @@ func TestGuard_IsAllowed(t *testing.T) {
fields : fields {
permittedEmailAddresses : [ ] string { "example.local" } ,
} ,
c sr : & x509 . Certificate Request {
c ert : & x509 . Certificate {
EmailAddresses : [ ] string { "mail@example.com" } ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/mail-permitted-period-domain" ,
fields : fields {
permittedEmailAddresses : [ ] string { ".example.local" } , // any address in a domain, but not on the host example.local
} ,
cert : & x509 . Certificate {
EmailAddresses : [ ] string { "mail@example.local" } ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/mail-excluded" ,
fields : fields {
excludedEmailAddresses : [ ] string { "example.local" } ,
} ,
csr : & x509 . CertificateRequest {
c ert : & x509 . Certificate {
EmailAddresses : [ ] string { "mail@example.local" } ,
} ,
want : false ,
@ -140,7 +199,7 @@ func TestGuard_IsAllowed(t *testing.T) {
fields : fields {
permittedURIDomains : [ ] string { ".example.com" } ,
} ,
c sr : & x509 . Certificate Request {
c ert : & x509 . Certificate {
URIs : [ ] * url . URL {
{
Scheme : "https" ,
@ -151,12 +210,282 @@ func TestGuard_IsAllowed(t *testing.T) {
want : false ,
wantErr : true ,
} ,
{
name : "fail/uri-permitted-period-host" ,
fields : fields {
permittedURIDomains : [ ] string { ".example.local" } ,
} ,
cert : & x509 . Certificate {
URIs : [ ] * url . URL {
{
Scheme : "https" ,
Host : "example.local" ,
} ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/uri-permitted-period-host-certificate" ,
fields : fields {
permittedURIDomains : [ ] string { ".example.local" } ,
} ,
cert : & x509 . Certificate {
URIs : [ ] * url . URL {
{
Scheme : "https" ,
Host : ".example.local" ,
} ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/uri-permitted-empty-host" ,
fields : fields {
permittedURIDomains : [ ] string { ".example.com" } ,
} ,
cert : & x509 . Certificate {
URIs : [ ] * url . URL {
{
Scheme : "https" ,
Host : "" ,
} ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/uri-permitted-port-missing" ,
fields : fields {
permittedURIDomains : [ ] string { ".example.com" } ,
} ,
cert : & x509 . Certificate {
URIs : [ ] * url . URL {
{
Scheme : "https" ,
Host : "example.local::" ,
} ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/uri-permitted-ip" ,
fields : fields {
permittedURIDomains : [ ] string { ".example.com" } ,
} ,
cert : & x509 . Certificate {
URIs : [ ] * url . URL {
{
Scheme : "https" ,
Host : "127.0.0.1" ,
} ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/uri-excluded" ,
fields : fields {
excludedURIDomains : [ ] string { ".example.local" } ,
} ,
csr : & x509 . CertificateRequest {
cert : & x509 . Certificate {
URIs : [ ] * url . URL {
{
Scheme : "https" ,
Host : "www.example.local" ,
} ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/subject-dns-permitted" ,
fields : fields {
verifySubjectCommonName : true ,
permittedDNSDomains : [ ] string { ".local" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "example.notlocal" ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/subject-dns-excluded" ,
fields : fields {
verifySubjectCommonName : true ,
excludedDNSDomains : [ ] string { ".local" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "example.local" ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/subject-ipv4-permitted" ,
fields : fields {
verifySubjectCommonName : true ,
permittedIPRanges : [ ] * net . IPNet {
{
IP : net . ParseIP ( "127.0.0.1" ) ,
Mask : net . IPv4Mask ( 255 , 255 , 255 , 0 ) ,
} ,
} ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "10.10.10.10" ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/subject-ipv4-excluded" ,
fields : fields {
verifySubjectCommonName : true ,
excludedIPRanges : [ ] * net . IPNet {
{
IP : net . ParseIP ( "127.0.0.1" ) ,
Mask : net . IPv4Mask ( 255 , 255 , 255 , 0 ) ,
} ,
} ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "127.0.0.1" ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/subject-ipv6-permitted" ,
fields : fields {
verifySubjectCommonName : true ,
permittedIPRanges : [ ] * net . IPNet {
{
IP : net . ParseIP ( "2001:0db8:85a3:0000:0000:8a2e:0370:7334" ) ,
Mask : net . CIDRMask ( 120 , 128 ) ,
} ,
} ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "2002:0db8:85a3:0000:0000:8a2e:0370:7339" ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/subject-ipv6-excluded" ,
fields : fields {
verifySubjectCommonName : true ,
excludedIPRanges : [ ] * net . IPNet {
{
IP : net . ParseIP ( "2001:0db8:85a3:0000:0000:8a2e:0370:7334" ) ,
Mask : net . CIDRMask ( 120 , 128 ) ,
} ,
} ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "2001:0db8:85a3:0000:0000:8a2e:0370:7339" ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/subject-email-permitted" ,
fields : fields {
verifySubjectCommonName : true ,
permittedEmailAddresses : [ ] string { "example.local" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "mail@smallstep.com" ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/subject-email-excluded" ,
fields : fields {
verifySubjectCommonName : true ,
excludedEmailAddresses : [ ] string { "example.local" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "mail@example.local" ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/subject-uri-permitted" ,
fields : fields {
verifySubjectCommonName : true ,
permittedURIDomains : [ ] string { ".example.com" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "https://www.google.com" ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/subject-uri-excluded" ,
fields : fields {
verifySubjectCommonName : true ,
excludedURIDomains : [ ] string { ".example.com" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "https://www.example.com" ,
} ,
} ,
want : false ,
wantErr : true ,
} ,
{
name : "fail/combined-simple-all-badhost.local" ,
fields : fields {
verifySubjectCommonName : true ,
permittedDNSDomains : [ ] string { ".local" } ,
permittedIPRanges : [ ] * net . IPNet { { IP : net . ParseIP ( "127.0.0.1" ) , Mask : net . IPv4Mask ( 255 , 255 , 255 , 0 ) } } ,
permittedEmailAddresses : [ ] string { "example.local" } ,
permittedURIDomains : [ ] string { ".example.local" } ,
excludedDNSDomains : [ ] string { "badhost.local" } ,
excludedIPRanges : [ ] * net . IPNet { { IP : net . ParseIP ( "1.1.1.1" ) , Mask : net . IPv4Mask ( 255 , 255 , 255 , 0 ) } } ,
excludedEmailAddresses : [ ] string { "badmail@example.local" } ,
excludedURIDomains : [ ] string { "https://badwww.example.local" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "badhost.local" ,
} ,
DNSNames : [ ] string { "example.local" } ,
IPAddresses : [ ] net . IP { net . ParseIP ( "127.0.0.130" ) } ,
EmailAddresses : [ ] string { "mail@example.local" } ,
URIs : [ ] * url . URL {
{
Scheme : "https" ,
@ -170,25 +499,47 @@ func TestGuard_IsAllowed(t *testing.T) {
{
name : "ok/no-constraints" ,
fields : fields { } ,
c sr : & x509 . Certificate Request {
c ert : & x509 . Certificate {
DNSNames : [ ] string { "www.example.com" } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/dns" ,
name : "ok/empty-dns-constraint" ,
fields : fields {
permittedDNSDomains : [ ] string { "" } ,
} ,
cert : & x509 . Certificate {
DNSNames : [ ] string { "example.local" } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/dns-permitted" ,
fields : fields {
permittedDNSDomains : [ ] string { ".local" } ,
} ,
csr : & x509 . CertificateRequest {
c ert : & x509 . Certificate {
DNSNames : [ ] string { "example.local" } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/ipv4" ,
name : "ok/dns-excluded" ,
fields : fields {
excludedDNSDomains : [ ] string { ".notlocal" } ,
} ,
cert : & x509 . Certificate {
DNSNames : [ ] string { "example.local" } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/ipv4-permitted" ,
fields : fields {
permittedIPRanges : [ ] * net . IPNet {
{
@ -197,14 +548,30 @@ func TestGuard_IsAllowed(t *testing.T) {
} ,
} ,
} ,
c sr : & x509 . Certificate Request {
c ert : & x509 . Certificate {
IPAddresses : [ ] net . IP { net . ParseIP ( "127.0.0.20" ) } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/ipv6" ,
name : "ok/ipv4-excluded" ,
fields : fields {
excludedIPRanges : [ ] * net . IPNet {
{
IP : net . ParseIP ( "127.0.0.1" ) ,
Mask : net . IPv4Mask ( 255 , 255 , 255 , 0 ) ,
} ,
} ,
} ,
cert : & x509 . Certificate {
IPAddresses : [ ] net . IP { net . ParseIP ( "10.10.10.10" ) } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/ipv6-permitted" ,
fields : fields {
permittedIPRanges : [ ] * net . IPNet {
{
@ -213,29 +580,89 @@ func TestGuard_IsAllowed(t *testing.T) {
} ,
} ,
} ,
c sr : & x509 . Certificate Request {
c ert : & x509 . Certificate {
IPAddresses : [ ] net . IP { net . ParseIP ( "2001:0db8:85a3:0000:0000:8a2e:0370:7339" ) } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/mail" ,
name : "ok/ipv6-excluded" ,
fields : fields {
excludedIPRanges : [ ] * net . IPNet {
{
IP : net . ParseIP ( "2001:0db8:85a3:0000:0000:8a2e:0370:7334" ) ,
Mask : net . CIDRMask ( 120 , 128 ) ,
} ,
} ,
} ,
cert : & x509 . Certificate {
IPAddresses : [ ] net . IP { net . ParseIP ( "2003:0db8:85a3:0000:0000:8a2e:0370:7334" ) } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/mail-permitted" ,
fields : fields {
permittedEmailAddresses : [ ] string { "example.local" } ,
} ,
csr : & x509 . CertificateRequest {
cert : & x509 . Certificate {
EmailAddresses : [ ] string { "mail@example.local" } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/mail-permitted-with-period-domain" ,
fields : fields {
permittedEmailAddresses : [ ] string { ".example.local" } ,
} ,
cert : & x509 . Certificate {
EmailAddresses : [ ] string { "mail@somehost.example.local" } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/mail-permitted-with-multiple-labels" ,
fields : fields {
permittedEmailAddresses : [ ] string { ".example.local" } ,
} ,
cert : & x509 . Certificate {
EmailAddresses : [ ] string { "mail@sub.www.example.local" } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/mail-excluded" ,
fields : fields {
excludedEmailAddresses : [ ] string { "example.notlocal" } ,
} ,
cert : & x509 . Certificate {
EmailAddresses : [ ] string { "mail@example.local" } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/uri" ,
name : "ok/mail-excluded-with-period-domain" ,
fields : fields {
excludedEmailAddresses : [ ] string { ".example.notlocal" } ,
} ,
cert : & x509 . Certificate {
EmailAddresses : [ ] string { "mail@somehost.example.local" } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/uri-permitted" ,
fields : fields {
permittedURIDomains : [ ] string { ".example.com" } ,
} ,
csr : & x509 . CertificateRequest {
c ert : & x509 . Certificate {
URIs : [ ] * url . URL {
{
Scheme : "https" ,
@ -247,14 +674,297 @@ func TestGuard_IsAllowed(t *testing.T) {
wantErr : false ,
} ,
{
name : "ok/combined-simple" ,
name : "ok/uri-permitted-with-port" ,
fields : fields {
permittedURIDomains : [ ] string { ".example.com" } ,
} ,
cert : & x509 . Certificate {
URIs : [ ] * url . URL {
{
Scheme : "https" ,
Host : "www.example.com:8080" ,
} ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/uri-sub-permitted" ,
fields : fields {
permittedURIDomains : [ ] string { "example.com" } ,
} ,
cert : & x509 . Certificate {
URIs : [ ] * url . URL {
{
Scheme : "https" ,
Host : "sub.host.example.com" ,
} ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/uri-excluded" ,
fields : fields {
excludedURIDomains : [ ] string { ".google.com" } ,
} ,
cert : & x509 . Certificate {
URIs : [ ] * url . URL {
{
Scheme : "https" ,
Host : "www.example.com" ,
} ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/subject-empty" ,
fields : fields {
verifySubjectCommonName : true ,
permittedDNSDomains : [ ] string { ".local" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "" ,
} ,
DNSNames : [ ] string { "example.local" } ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/subject-dns-permitted" ,
fields : fields {
verifySubjectCommonName : true ,
permittedDNSDomains : [ ] string { ".local" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "example.local" ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/subject-dns-excluded" ,
fields : fields {
verifySubjectCommonName : true ,
excludedDNSDomains : [ ] string { ".notlocal" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "example.local" ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/subject-ipv4-permitted" ,
fields : fields {
verifySubjectCommonName : true ,
permittedIPRanges : [ ] * net . IPNet {
{
IP : net . ParseIP ( "127.0.0.1" ) ,
Mask : net . IPv4Mask ( 255 , 255 , 255 , 0 ) ,
} ,
} ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "127.0.0.20" ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/subject-ipv4-excluded" ,
fields : fields {
verifySubjectCommonName : true ,
excludedIPRanges : [ ] * net . IPNet {
{
IP : net . ParseIP ( "128.0.0.1" ) ,
Mask : net . IPv4Mask ( 255 , 255 , 255 , 0 ) ,
} ,
} ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "127.0.0.1" ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/subject-ipv6-permitted" ,
fields : fields {
verifySubjectCommonName : true ,
permittedIPRanges : [ ] * net . IPNet {
{
IP : net . ParseIP ( "2001:0db8:85a3:0000:0000:8a2e:0370:7334" ) ,
Mask : net . CIDRMask ( 120 , 128 ) ,
} ,
} ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "2001:0db8:85a3:0000:0000:8a2e:0370:7339" ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/subject-ipv6-excluded" ,
fields : fields {
verifySubjectCommonName : true ,
excludedIPRanges : [ ] * net . IPNet {
{
IP : net . ParseIP ( "2001:0db8:85a3:0000:0000:8a2e:0370:7334" ) ,
Mask : net . CIDRMask ( 120 , 128 ) ,
} ,
} ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "2009:0db8:85a3:0000:0000:8a2e:0370:7339" ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/subject-email-permitted" ,
fields : fields {
verifySubjectCommonName : true ,
permittedEmailAddresses : [ ] string { "example.local" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "mail@example.local" ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/subject-email-excluded" ,
fields : fields {
verifySubjectCommonName : true ,
excludedEmailAddresses : [ ] string { "example.notlocal" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "mail@example.local" ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/subject-uri-permitted" ,
fields : fields {
verifySubjectCommonName : true ,
permittedURIDomains : [ ] string { ".example.com" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "https://www.example.com" ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/subject-uri-excluded" ,
fields : fields {
verifySubjectCommonName : true ,
excludedURIDomains : [ ] string { ".google.com" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "https://www.example.com" ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/combined-simple-permitted" ,
fields : fields {
verifySubjectCommonName : true ,
permittedDNSDomains : [ ] string { ".local" } ,
permittedIPRanges : [ ] * net . IPNet { { IP : net . ParseIP ( "127.0.0.1" ) , Mask : net . IPv4Mask ( 255 , 255 , 255 , 0 ) } } ,
permittedEmailAddresses : [ ] string { "example.local" } ,
permittedURIDomains : [ ] string { ".example.local" } ,
} ,
csr : & x509 . CertificateRequest {
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "somehost.local" ,
} ,
DNSNames : [ ] string { "example.local" } ,
IPAddresses : [ ] net . IP { net . ParseIP ( "127.0.0.1" ) } ,
EmailAddresses : [ ] string { "mail@example.local" } ,
URIs : [ ] * url . URL {
{
Scheme : "https" ,
Host : "www.example.local" ,
} ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/combined-simple-permitted-without-subject-verification" ,
fields : fields {
verifySubjectCommonName : false ,
permittedDNSDomains : [ ] string { ".local" } ,
permittedIPRanges : [ ] * net . IPNet { { IP : net . ParseIP ( "127.0.0.1" ) , Mask : net . IPv4Mask ( 255 , 255 , 255 , 0 ) } } ,
permittedEmailAddresses : [ ] string { "example.local" } ,
permittedURIDomains : [ ] string { ".example.local" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "forbidden-but-non-verified-domain.example.com" ,
} ,
DNSNames : [ ] string { "example.local" } ,
IPAddresses : [ ] net . IP { net . ParseIP ( "127.0.0.1" ) } ,
EmailAddresses : [ ] string { "mail@example.local" } ,
URIs : [ ] * url . URL {
{
Scheme : "https" ,
Host : "www.example.local" ,
} ,
} ,
} ,
want : true ,
wantErr : false ,
} ,
{
name : "ok/combined-simple-all" ,
fields : fields {
verifySubjectCommonName : true ,
permittedDNSDomains : [ ] string { ".local" } ,
permittedIPRanges : [ ] * net . IPNet { { IP : net . ParseIP ( "127.0.0.1" ) , Mask : net . IPv4Mask ( 255 , 255 , 255 , 0 ) } } ,
permittedEmailAddresses : [ ] string { "example.local" } ,
permittedURIDomains : [ ] string { ".example.local" } ,
excludedDNSDomains : [ ] string { "badhost.local" } ,
excludedIPRanges : [ ] * net . IPNet { { IP : net . ParseIP ( "127.0.0.128" ) , Mask : net . IPv4Mask ( 255 , 255 , 255 , 128 ) } } ,
excludedEmailAddresses : [ ] string { "badmail@example.local" } ,
excludedURIDomains : [ ] string { "https://badwww.example.local" } ,
} ,
cert : & x509 . Certificate {
Subject : pkix . Name {
CommonName : "somehost.local" ,
} ,
DNSNames : [ ] string { "example.local" } ,
IPAddresses : [ ] net . IP { net . ParseIP ( "127.0.0.1" ) } ,
EmailAddresses : [ ] string { "mail@example.local" } ,
@ -268,12 +978,13 @@ func TestGuard_IsAllowed(t *testing.T) {
want : true ,
wantErr : false ,
} ,
// TODO: more complex uses cases that combine multiple names
// TODO: more complex uses cases that combine multiple names and permitted/excluded entries
// TODO: check errors (reasons) are as expected
}
for _ , tt := range tests {
t . Run ( tt . name , func ( t * testing . T ) {
g := & NamePolicyEngine {
verifySubjectCommonName : tt . fields . verifySubjectCommonName ,
permittedDNSDomains : tt . fields . permittedDNSDomains ,
excludedDNSDomains : tt . fields . excludedDNSDomains ,
permittedIPRanges : tt . fields . permittedIPRanges ,
@ -283,16 +994,16 @@ func TestGuard_IsAllowed(t *testing.T) {
permittedURIDomains : tt . fields . permittedURIDomains ,
excludedURIDomains : tt . fields . excludedURIDomains ,
}
got , err := g . AreC SRNamesAllowed( tt . csr )
got , err := g . AreC ertificateNamesAllowed( tt . cert )
if ( err != nil ) != tt . wantErr {
t . Errorf ( " Guard.I sAllowed() error = %v, wantErr %v", err , tt . wantErr )
t . Errorf ( " NamePolicyEngine.AreCertificateName sAllowed() error = %v, wantErr %v", err , tt . wantErr )
return
}
if err != nil {
assert . NotEquals ( t , "" , err . Error ( ) ) // TODO(hs): make this a complete equality check
}
if got != tt . want {
t . Errorf ( " Guard.I sAllowed() = %v, want %v", got , tt . want )
t . Errorf ( " NamePolicyEngine.AreCertificateName sAllowed() = %v, want %v", got , tt . want )
}
} )
}