From a2cfbe3d546404932ca15bd8b7db981932a9a179 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Thu, 21 Apr 2022 12:14:03 +0200
Subject: [PATCH] Fix (part of) PR comments
---
 api/read/read.go | 2 +-
 authority/admin/api/policy.go | 9 +-
 authority/admin/api/policy_test.go | 9 +-
 authority/admin/errors.go | 13 +-
 authority/policy.go | 34 +--
 authority/policy/options.go | 40 +--
 authority/policy/policy.go | 32 +--
 authority/provisioners.go | 70 ++---
 policy/engine_test.go | 418 +++++++++++++----------
 policy/options.go | 143 ++--------
 policy/options_test.go | 369 +++----------------------
 11 files changed, 343 insertions(+), 796 deletions(-)
diff --git a/api/read/read.go b/api/read/read.go
index 6cfc90ee..2f7348bd 100644
--- a/api/read/read.go
+++ b/api/read/read.go
@@ -24,7 +24,7 @@ func JSON(r io.Reader, v interface{}) error {
 }
 // ProtoJSON reads JSON from the request body and stores it in the value
-// pointed to by v.
+// pointed to by m.
 func ProtoJSON(r io.Reader, m proto.Message) error {
 data, err := io.ReadAll(r)
 if err != nil {
diff --git a/authority/admin/api/policy.go b/authority/admin/api/policy.go
index fc6ab1d9..34b7bf96 100644
--- a/authority/admin/api/policy.go
+++ b/authority/admin/api/policy.go
@@ -74,8 +74,7 @@ func (par *PolicyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 }
 if policy != nil {
- adminErr := admin.NewError(admin.ErrorBadRequestType, "authority already has a policy")
- adminErr.Status = http.StatusConflict
+ adminErr := admin.NewError(admin.ErrorConflictType, "authority already has a policy")
 render.Error(w, adminErr)
 return
 }
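Review bot: Switching to `admin.ErrorConflictType` in CreateAuthorityPolicy changes more than the status code: the problem `type` string clients receive becomes `"conflict"` (per the `ProblemType.String()` case added in this patch) and the `details` text comes from the new errorMap entry instead of the bad-request one, so any client or documentation that matched on the previous type for this 409 sees a wire-visible change the commit message does not call out. The same applies to the two sibling hunks in CreateProvisionerPolicy and CreateACMEAccountPolicy on the next line. Worth a line in the commit description or changelog. CreateAuthorityPolicy continues outside the hunk.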
@@ -197,8 +196,7 @@ func (par *PolicyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 policy := prov.GetPolicy()
 if policy != nil {
- adminErr := admin.NewError(admin.ErrorBadRequestType, "provisioner %s already has a policy", prov.Name)
- adminErr.Status = http.StatusConflict
+ adminErr := admin.NewError(admin.ErrorConflictType, "provisioner %s already has a policy", prov.Name)
 render.Error(w, adminErr)
 return
 }
@@ -307,8 +305,7 @@ func (par *PolicyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
 policy := eak.GetPolicy()
 if policy != nil {
- adminErr := admin.NewError(admin.ErrorBadRequestType, "ACME EAK %s already has a policy", eak.Id)
- adminErr.Status = http.StatusConflict
+ adminErr := admin.NewError(admin.ErrorConflictType, "ACME EAK %s already has a policy", eak.Id)
 render.Error(w, adminErr)
 return
 }
diff --git a/authority/admin/api/policy_test.go b/authority/admin/api/policy_test.go
index e3cc6b65..72a462a4 100644
--- a/authority/admin/api/policy_test.go
+++ b/authority/admin/api/policy_test.go
@@ -154,9 +154,8 @@ func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
 },
 "fail/existing-policy": func(t *testing.T) test {
 ctx := context.Background()
- err := admin.NewError(admin.ErrorBadRequestType, "authority already has a policy")
+ err := admin.NewError(admin.ErrorConflictType, "authority already has a policy")
 err.Message = "authority already has a policy"
- err.Status = http.StatusConflict
 return test{
 ctx: ctx,
 auth: &mockAdminAuthority{
@@ -864,9 +863,8 @@ func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
 Policy: policy,
 }
 ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
- err := admin.NewError(admin.ErrorBadRequestType, "provisioner provName already has a policy")
+ err := admin.NewError(admin.ErrorConflictType, "provisioner provName already has a policy")
 err.Message = "provisioner provName already has a policy"
- err.Status = http.StatusConflict
 return test{
 ctx: ctx,
 err: err,
@@ -1466,9 +1464,8 @@ func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
 }
 ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
 ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
- err := admin.NewError(admin.ErrorBadRequestType, "ACME EAK eakID already has a policy")
+ err := admin.NewError(admin.ErrorConflictType, "ACME EAK eakID already has a policy")
 err.Message = "ACME EAK eakID already has a policy"
- err.Status = http.StatusConflict
 return test{
 ctx: ctx,
 err: err,
diff --git a/authority/admin/errors.go b/authority/admin/errors.go
index baa32dd9..2cf0c0e5 100644
--- a/authority/admin/errors.go
+++ b/authority/admin/errors.go
@@ -24,10 +24,12 @@ const (
 ErrorBadRequestType
 // ErrorNotImplementedType not implemented.
 ErrorNotImplementedType
- // ErrorUnauthorizedType internal server error.
+ // ErrorUnauthorizedType unauthorized.
 ErrorUnauthorizedType
 // ErrorServerInternalType internal server error.
 ErrorServerInternalType
+ // ErrorConflictType conflict.
+ ErrorConflictType
 )
 // String returns the string representation of the admin problem type,
@@ -48,6 +50,8 @@ func (ap ProblemType) String() string {
 return "unauthorized"
 case ErrorServerInternalType:
 return "internalServerError"
+ case ErrorConflictType:
+ return "conflict"
 default:
 return fmt.Sprintf("unsupported error type '%d'", int(ap))
 }
@@ -64,7 +68,7 @@ var (
 errorServerInternalMetadata = errorMetadata{
 typ: ErrorServerInternalType.String(),
 details: "the server experienced an internal error",
- status: 500,
+ status: http.StatusInternalServerError,
 }
 errorMap = map[ProblemType]errorMetadata{
 ErrorNotFoundType: {
@@ -98,6 +102,11 @@ var (
 status: http.StatusUnauthorized,
 },
 ErrorServerInternalType: errorServerInternalMetadata,
+ ErrorConflictType: {
+ typ: ErrorConflictType.String(),
+ details: "conflict",
+ status: http.StatusConflict,
+ },
 }
 )
diff --git a/authority/policy.go b/authority/policy.go
index 96307586..dd24ecf7 100644
--- a/authority/policy.go
+++ b/authority/policy.go
@@ -318,11 +318,10 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 opts := &authPolicy.Options{}
 // fill x509 policy configuration
- if p.GetX509() != nil {
+ if x509 := p.GetX509(); x509 != nil {
 opts.X509 = &authPolicy.X509PolicyOptions{}
- if p.GetX509().GetAllow() != nil {
+ if allow := x509.GetAllow(); allow != nil {
 opts.X509.AllowedNames = &authPolicy.X509NameOptions{}
- allow := p.GetX509().GetAllow()
 if allow.Dns != nil {
 opts.X509.AllowedNames.DNSDomains = allow.Dns
 }
@@ -336,9 +335,8 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 opts.X509.AllowedNames.URIDomains = allow.Uris
 }
 }
- if p.GetX509().GetDeny() != nil {
+ if deny := x509.GetDeny(); deny != nil {
 opts.X509.DeniedNames = &authPolicy.X509NameOptions{}
- deny := p.GetX509().GetDeny()
 if deny.Dns != nil {
 opts.X509.DeniedNames.DNSDomains = deny.Dns
 }
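Review bot: The new `ErrorConflictType` entry in errorMap (hunk `@@ -98`) uses `details: "conflict"`, which just repeats the type name, whereas the sibling entries describe the condition (`"the server experienced an internal error"`); I'd write `details: "the request conflicts with the current state of the resource",` so the problem document says something the status code does not. Appending the constant after `ErrorServerInternalType` in the iota block keeps the existing integer values stable, which matters if these values are compared or stored outside this package — not visible from the diff. No test in this patch pins `ErrorConflictType.String() == "conflict"` or the 409 mapping; the policy_test.go changes only construct the error, so a row in the errors test for the new type would close that gap.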
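Review bot: In policyToCertificates (hunk `@@ -318`) the new scoped local is named `x509`, and the hunk on the next line introduces `ssh`; both are the names of packages commonly imported in certificate code (`crypto/x509`, `golang.org/x/crypto/ssh`), so if authority/policy.go imports either — not visible here — the local shadows the package for the rest of that block. optionsToCertificates in authority/provisioners.go, refactored the same way in this patch, uses `x := pol.GetX509()`; using the same short names in both (`x` and, say, `s`, or `x509Pol`/`sshPol`) keeps the two conversion functions consistent and sidesteps the shadowing question. policyToCertificates continues past the hunk.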
@@ -352,22 +350,21 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 opts.X509.DeniedNames.URIDomains = deny.Uris
 }
 }
- if p.GetX509().GetAllowWildcardLiteral() != nil {
- opts.X509.AllowWildcardLiteral = &p.GetX509().GetAllowWildcardLiteral().Value
+ if v := x509.GetAllowWildcardLiteral(); v != nil {
+ opts.X509.AllowWildcardLiteral = &v.Value
 }
- if p.GetX509().GetVerifySubjectCommonName() != nil {
- opts.X509.VerifySubjectCommonName = &p.GetX509().VerifySubjectCommonName.Value
+ if v := x509.GetVerifySubjectCommonName(); v != nil {
+ opts.X509.VerifySubjectCommonName = &v.Value
 }
 }
 // fill ssh policy configuration
- if p.GetSsh() != nil {
+ if ssh := p.GetSsh(); ssh != nil {
 opts.SSH = &authPolicy.SSHPolicyOptions{}
- if p.GetSsh().GetHost() != nil {
+ if host := ssh.GetHost(); host != nil {
 opts.SSH.Host = &authPolicy.SSHHostCertificateOptions{}
- if p.GetSsh().GetHost().GetAllow() != nil {
+ if allow := host.GetAllow(); allow != nil {
 opts.SSH.Host.AllowedNames = &authPolicy.SSHNameOptions{}
- allow := p.GetSsh().GetHost().GetAllow()
 if allow.Dns != nil {
 opts.SSH.Host.AllowedNames.DNSDomains = allow.Dns
 }
@@ -378,9 +375,8 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 opts.SSH.Host.AllowedNames.Principals = allow.Principals
 }
 }
- if p.GetSsh().GetHost().GetDeny() != nil {
+ if deny := host.GetDeny(); deny != nil {
 opts.SSH.Host.DeniedNames = &authPolicy.SSHNameOptions{}
- deny := p.GetSsh().GetHost().GetDeny()
 if deny.Dns != nil {
 opts.SSH.Host.DeniedNames.DNSDomains = deny.Dns
 }
@@ -392,11 +388,10 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 }
 }
 }
- if p.GetSsh().GetUser() != nil {
+ if user := ssh.GetUser(); user != nil {
 opts.SSH.User = &authPolicy.SSHUserCertificateOptions{}
- if p.GetSsh().GetUser().GetAllow() != nil {
+ if allow := user.GetAllow(); allow != nil {
 opts.SSH.User.AllowedNames = &authPolicy.SSHNameOptions{}
- allow := p.GetSsh().GetUser().GetAllow()
 if allow.Emails != nil {
 opts.SSH.User.AllowedNames.EmailAddresses = allow.Emails
 }
@@ -404,9 +399,8 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 opts.SSH.User.AllowedNames.Principals = allow.Principals
 }
 }
- if p.GetSsh().GetUser().GetDeny() != nil {
+ if deny := user.GetDeny(); deny != nil {
 opts.SSH.User.DeniedNames = &authPolicy.SSHNameOptions{}
- deny := p.GetSsh().GetUser().GetDeny()
 if deny.Emails != nil {
 opts.SSH.User.DeniedNames.EmailAddresses = deny.Emails
 }
diff --git a/authority/policy/options.go b/authority/policy/options.go
index c3b30c0a..68efe45a 100644
--- a/authority/policy/options.go
+++ b/authority/policy/options.go
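Review bot: After this patch policyToCertificates (this hunk and the ones above it) and optionsToCertificates in authority/provisioners.go (hunk `@@ -440`, further down in this patch) are two hand-written copies of the same linkedca.Policy to allow/deny name-options mapping, differing only in the target structs and in the per-field `!= nil` guards used here but not there. That duplication is a policy-enforcement risk rather than a cosmetic one: a name category mapped in one function and forgotten in the other would silently widen or narrow what an authority-level versus provisioner-level policy constrains. Consider extracting the X509 and SSH name mapping into one helper both callers use, with a table test that feeds the same linkedca.Policy through both paths and asserts the resulting name options are equal. The `if allow.Emails != nil` style guards here and the unconditional field assignments in provisioners.go produce the same nil on absence, so the helper can use the simpler form. policyToCertificates ends outside the hunk.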
@@ -67,24 +67,20 @@ func (o *X509NameOptions) HasNames() bool {
 len(o.URIDomains) > 0
 }
-// GetDeniedNameOptions returns the x509 denied name policy configuration
-func (o *X509PolicyOptions) GetDeniedNameOptions() *X509NameOptions {
+// GetAllowedNameOptions returns x509 allowed name policy configuration
+func (o *X509PolicyOptions) GetAllowedNameOptions() *X509NameOptions {
 if o == nil {
 return nil
 }
- return o.DeniedNames
+ return o.AllowedNames
 }
-// GetAllowedUserNameOptions returns the SSH allowed user name policy
-// configuration.
-func (o *SSHPolicyOptions) GetAllowedUserNameOptions() *SSHNameOptions {
+// GetDeniedNameOptions returns the x509 denied name policy configuration
+func (o *X509PolicyOptions) GetDeniedNameOptions() *X509NameOptions {
 if o == nil {
 return nil
 }
- if o.User == nil {
- return nil
- }
- return o.User.AllowedNames
+ return o.DeniedNames
 }
 func (o *X509PolicyOptions) IsWildcardLiteralAllowed() bool {
@@ -122,21 +118,19 @@ type SSHPolicyOptions struct {
 Host *SSHHostCertificateOptions `json:"host,omitempty"`
 }
-// GetAllowedNameOptions returns x509 allowed name policy configuration
-func (o *X509PolicyOptions) GetAllowedNameOptions() *X509NameOptions {
- if o == nil {
+// GetAllowedUserNameOptions returns the SSH allowed user name policy
+// configuration.
+func (o *SSHPolicyOptions) GetAllowedUserNameOptions() *SSHNameOptions {
+ if o == nil || o.User == nil {
 return nil
 }
- return o.AllowedNames
+ return o.User.AllowedNames
 }
 // GetDeniedUserNameOptions returns the SSH denied user name policy
 // configuration.
 func (o *SSHPolicyOptions) GetDeniedUserNameOptions() *SSHNameOptions {
- if o == nil {
- return nil
- }
- if o.User == nil {
+ if o == nil || o.User == nil {
 return nil
 }
 return o.User.DeniedNames
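Review bot: The relocated doc comment `// GetAllowedNameOptions returns x509 allowed name policy configuration` reads differently from its neighbour `// GetDeniedNameOptions returns the x509 denied name policy configuration` and from the SSH getters, which end in a period; since this hunk already moves both methods, I'd make them `// GetAllowedNameOptions returns the x509 allowed name policy configuration.` and `// GetDeniedNameOptions returns the x509 denied name policy configuration.`. The exported `IsWildcardLiteralAllowed` immediately below still has no doc comment, though the commit does not touch it. The merged `o == nil || o.User == nil` guards in the second hunk are a clear improvement and preserve the nil-receiver behaviour.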
@@ -145,10 +139,7 @@ func (o *SSHPolicyOptions) GetDeniedUserNameOptions() *SSHNameOptions {
 // GetAllowedHostNameOptions returns the SSH allowed host name policy
 // configuration.
 func (o *SSHPolicyOptions) GetAllowedHostNameOptions() *SSHNameOptions {
- if o == nil {
- return nil
- }
- if o.Host == nil {
+ if o == nil || o.Host == nil {
 return nil
 }
 return o.Host.AllowedNames
@@ -157,10 +148,7 @@ func (o *SSHPolicyOptions) GetAllowedHostNameOptions() *SSHNameOptions {
 // GetDeniedHostNameOptions returns the SSH denied host name policy
 // configuration.
 func (o *SSHPolicyOptions) GetDeniedHostNameOptions() *SSHNameOptions {
- if o == nil {
- return nil
- }
- if o.Host == nil {
+ if o == nil || o.Host == nil {
 return nil
 }
 return o.Host.DeniedNames
diff --git a/authority/policy/policy.go b/authority/policy/policy.go
index f1142ea7..564fca24 100644
--- a/authority/policy/policy.go
+++ b/authority/policy/policy.go
@@ -28,20 +28,20 @@ func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy,
 allowed := policyOptions.GetAllowedNameOptions()
 if allowed != nil && allowed.HasNames() {
 options = append(options,
- policy.WithPermittedDNSDomains(allowed.DNSDomains),
- policy.WithPermittedIPsOrCIDRs(allowed.IPRanges),
- policy.WithPermittedEmailAddresses(allowed.EmailAddresses),
- policy.WithPermittedURIDomains(allowed.URIDomains),
+ policy.WithPermittedDNSDomains(allowed.DNSDomains...),
+ policy.WithPermittedIPsOrCIDRs(allowed.IPRanges...),
+ policy.WithPermittedEmailAddresses(allowed.EmailAddresses...),
+ policy.WithPermittedURIDomains(allowed.URIDomains...),
 )
 }
 denied := policyOptions.GetDeniedNameOptions()
 if denied != nil && denied.HasNames() {
 options = append(options,
- policy.WithExcludedDNSDomains(denied.DNSDomains),
- policy.WithExcludedIPsOrCIDRs(denied.IPRanges),
- policy.WithExcludedEmailAddresses(denied.EmailAddresses),
- policy.WithExcludedURIDomains(denied.URIDomains),
+ policy.WithExcludedDNSDomains(denied.DNSDomains...),
+ policy.WithExcludedIPsOrCIDRs(denied.IPRanges...),
+ policy.WithExcludedEmailAddresses(denied.EmailAddresses...),
+ policy.WithExcludedURIDomains(denied.URIDomains...),
 )
 }
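Review bot: With the variadic calls in NewX509PolicyEngine every option is still appended whenever `allowed.HasNames()` is true, so a policy that lists only DNS names also passes `policy.WithPermittedIPsOrCIDRs()`, `policy.WithPermittedEmailAddresses()` and `policy.WithPermittedURIDomains()` with zero arguments; newSSHPolicyEngine on the next hunk has the same shape. Whether a zero-argument permitted option means "nothing of this kind is permitted" (the behaviour the engine tests such as `fail/dns-permitted-with-ip-name` expect) or degrades to a no-op depends on the variadic implementations in policy/options.go, which this patch rewrites but which fall outside this chunk. Since this is the layer that turns admin policy into name constraints, I'd pin the contract here with a test that builds the engine from options whose AllowedNames sets only DNSDomains and asserts an IP SAN is rejected. Both functions continue past their hunks.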
@@ -114,19 +114,19 @@ func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEn
 if allowed != nil && allowed.HasNames() {
 options = append(options,
- policy.WithPermittedDNSDomains(allowed.DNSDomains),
- policy.WithPermittedIPsOrCIDRs(allowed.IPRanges),
- policy.WithPermittedEmailAddresses(allowed.EmailAddresses),
- policy.WithPermittedPrincipals(allowed.Principals),
+ policy.WithPermittedDNSDomains(allowed.DNSDomains...),
+ policy.WithPermittedIPsOrCIDRs(allowed.IPRanges...),
+ policy.WithPermittedEmailAddresses(allowed.EmailAddresses...),
+ policy.WithPermittedPrincipals(allowed.Principals...),
 )
 }
 if denied != nil && denied.HasNames() {
 options = append(options,
- policy.WithExcludedDNSDomains(denied.DNSDomains),
- policy.WithExcludedIPsOrCIDRs(denied.IPRanges),
- policy.WithExcludedEmailAddresses(denied.EmailAddresses),
- policy.WithExcludedPrincipals(denied.Principals),
+ policy.WithExcludedDNSDomains(denied.DNSDomains...),
+ policy.WithExcludedIPsOrCIDRs(denied.IPRanges...),
+ policy.WithExcludedEmailAddresses(denied.EmailAddresses...),
+ policy.WithExcludedPrincipals(denied.Principals...),
 )
 }
diff --git a/authority/provisioners.go b/authority/provisioners.go
index 990d892f..26aff4d8 100644
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@@ -10,17 +10,19 @@ import (
 "os"
 "github.com/pkg/errors"
+ "gopkg.in/square/go-jose.v2/jwt"
+
+ "go.step.sm/cli-utils/step"
+ "go.step.sm/cli-utils/ui"
+ "go.step.sm/crypto/jose"
+ "go.step.sm/linkedca"
+
 "github.com/smallstep/certificates/authority/admin"
 "github.com/smallstep/certificates/authority/config"
 "github.com/smallstep/certificates/authority/policy"
 "github.com/smallstep/certificates/authority/provisioner"
 "github.com/smallstep/certificates/db"
 "github.com/smallstep/certificates/errs"
- "go.step.sm/cli-utils/step"
- "go.step.sm/cli-utils/ui"
- "go.step.sm/crypto/jose"
- "go.step.sm/linkedca"
- "gopkg.in/square/go-jose.v2/jwt"
 )
 // GetEncryptedKey returns the JWE key corresponding to the given kid argument.
@@ -440,55 +442,55 @@ func optionsToCertificates(p *linkedca.Provisioner) *provisioner.Options {
 ops.SSH.Template = string(p.SshTemplate.Template)
 ops.SSH.TemplateData = p.SshTemplate.Data
 }
- if p.Policy != nil {
- if p.Policy.X509 != nil {
- if p.Policy.X509.Allow != nil {
+ if pol := p.GetPolicy(); pol != nil {
+ if x := pol.GetX509(); x != nil {
+ if allow := x.GetAllow(); allow != nil {
 ops.X509.AllowedNames = &policy.X509NameOptions{
- DNSDomains: p.Policy.X509.Allow.Dns,
- IPRanges: p.Policy.X509.Allow.Ips,
- EmailAddresses: p.Policy.X509.Allow.Emails,
- URIDomains: p.Policy.X509.Allow.Uris,
+ DNSDomains: allow.Dns,
+ IPRanges: allow.Ips,
+ EmailAddresses: allow.Emails,
+ URIDomains: allow.Uris,
 }
 }
- if p.Policy.X509.Deny != nil {
+ if deny := x.GetDeny(); deny != nil {
 ops.X509.DeniedNames = &policy.X509NameOptions{
- DNSDomains: p.Policy.X509.Deny.Dns,
- IPRanges: p.Policy.X509.Deny.Ips,
- EmailAddresses: p.Policy.X509.Deny.Emails,
- URIDomains: p.Policy.X509.Deny.Uris,
+ DNSDomains: deny.Dns,
+ IPRanges: deny.Ips,
+ EmailAddresses: deny.Emails,
+ URIDomains: deny.Uris,
 }
 }
 }
- if p.Policy.Ssh != nil {
- if p.Policy.Ssh.Host != nil {
+ if ssh := pol.GetSsh(); ssh != nil {
+ if host := ssh.GetHost(); host != nil {
 ops.SSH.Host = &policy.SSHHostCertificateOptions{}
- if p.Policy.Ssh.Host.Allow != nil {
+ if allow := host.GetAllow(); allow != nil {
 ops.SSH.Host.AllowedNames = &policy.SSHNameOptions{
- DNSDomains: p.Policy.Ssh.Host.Allow.Dns,
- IPRanges: p.Policy.Ssh.Host.Allow.Ips,
- Principals: p.Policy.Ssh.Host.Allow.Principals,
+ DNSDomains: allow.Dns,
+ IPRanges: allow.Ips,
+ Principals: allow.Principals,
 }
 }
- if p.Policy.Ssh.Host.Deny != nil {
+ if deny := host.GetDeny(); deny != nil {
 ops.SSH.Host.DeniedNames = &policy.SSHNameOptions{
- DNSDomains: p.Policy.Ssh.Host.Deny.Dns,
- IPRanges: p.Policy.Ssh.Host.Deny.Ips,
- Principals: p.Policy.Ssh.Host.Deny.Principals,
+ DNSDomains: deny.Dns,
+ IPRanges: deny.Ips,
+ Principals: deny.Principals,
 }
 }
 }
- if p.Policy.Ssh.User != nil {
+ if user := ssh.GetUser(); user != nil {
 ops.SSH.User = &policy.SSHUserCertificateOptions{}
- if p.Policy.Ssh.User.Allow != nil {
+ if allow := user.GetAllow(); allow != nil {
 ops.SSH.User.AllowedNames = &policy.SSHNameOptions{
- EmailAddresses: p.Policy.Ssh.User.Allow.Emails,
- Principals: p.Policy.Ssh.User.Allow.Principals,
+ EmailAddresses: allow.Emails,
+ Principals: allow.Principals,
 }
 }
- if p.Policy.Ssh.User.Deny != nil {
+ if deny := user.GetDeny(); deny != nil {
 ops.SSH.User.DeniedNames = &policy.SSHNameOptions{
- EmailAddresses: p.Policy.Ssh.User.Deny.Emails,
- Principals: p.Policy.Ssh.User.Deny.Principals,
+ EmailAddresses: deny.Emails,
+ Principals: deny.Principals,
 }
 }
 }
diff --git a/policy/engine_test.go b/policy/engine_test.go
index 25e69af3..cce4ad34 100755
--- a/policy/engine_test.go
+++ b/policy/engine_test.go
@@ -637,7 +637,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
 {
 name: "fail/dns-permitted",
 options: []NamePolicyOption{
- WithPermittedDNSDomain("*.local"),
+ WithPermittedDNSDomains("*.local"),
 },
 cert: &x509.Certificate{
 DNSNames: []string{"www.example.com"},
@@ -648,7 +648,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
 {
 name: "fail/dns-permitted-wildcard-literal-x509",
 options: []NamePolicyOption{
- WithPermittedDNSDomain("*.x509local"),
+ WithPermittedDNSDomains("*.x509local"),
 },
 cert: &x509.Certificate{
 DNSNames: []string{
@@ -661,7 +661,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
 {
 name: "fail/dns-permitted-single-host",
 options: []NamePolicyOption{
- WithPermittedDNSDomain("host.local"),
+ WithPermittedDNSDomains("host.local"),
 },
 cert: &x509.Certificate{
 DNSNames: []string{"differenthost.local"},
@@ -672,7 +672,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-no-label", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{"local"}, @@ -683,7 +683,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-empty-label", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{"www..local"}, @@ -694,7 +694,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-dot-domain", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{ @@ -707,7 +707,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-wildcard-multiple-subdomains", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{ @@ -720,7 +720,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-wildcard-literal", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{ @@ -733,7 +733,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.豆.jp"), + WithPermittedDNSDomains("*.豆.jp"), }, cert: &x509.Certificate{ DNSNames: []string{ 
@@ -747,11 +747,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/ipv4-permitted", options: []NamePolicyOption{ WithPermittedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("127.0.0.1"), - Mask: net.IPv4Mask(255, 255, 255, 0), - }, + &net.IPNet{ + IP: net.ParseIP("127.0.0.1"), + Mask: net.IPv4Mask(255, 255, 255, 0), }, ), }, @@ -765,11 +763,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/ipv6-permitted", options: []NamePolicyOption{ WithPermittedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), - Mask: net.CIDRMask(120, 128), - }, + &net.IPNet{ + IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), + Mask: net.CIDRMask(120, 128), }, ), }, @@ -782,7 +778,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-wildcard", options: []NamePolicyOption{ - WithPermittedEmailAddress("@example.com"), + WithPermittedEmailAddresses("@example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -795,7 +791,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-wildcard-x509", options: []NamePolicyOption{ - WithPermittedEmailAddress("example.com"), + WithPermittedEmailAddresses("example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -808,7 +804,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-specific-mailbox", options: []NamePolicyOption{ - WithPermittedEmailAddress("test@local.com"), + WithPermittedEmailAddresses("test@local.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -821,7 +817,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-wildcard-subdomain", options: []NamePolicyOption{ - WithPermittedEmailAddress("@example.com"), + WithPermittedEmailAddresses("@example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ 
@@ -834,7 +830,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - WithPermittedEmailAddress("@例.jp"), + WithPermittedEmailAddresses("@例.jp"), }, cert: &x509.Certificate{ EmailAddresses: []string{"bücher@例.jp"}, @@ -845,7 +841,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-idna-internationalized-domain-rfc822", options: []NamePolicyOption{ - WithPermittedEmailAddress("@例.jp"), + WithPermittedEmailAddresses("@例.jp"), }, cert: &x509.Certificate{ EmailAddresses: []string{"bücher@例.jp" + string(byte(0))}, @@ -856,7 +852,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-idna-internationalized-domain-ascii", options: []NamePolicyOption{ - WithPermittedEmailAddress("@例.jp"), + WithPermittedEmailAddresses("@例.jp"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@xn---bla.jp"}, @@ -867,7 +863,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-domain-wildcard", options: []NamePolicyOption{ - WithPermittedURIDomain("*.local"), + WithPermittedURIDomains("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -883,7 +879,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted", options: []NamePolicyOption{ - WithPermittedURIDomain("test.local"), + WithPermittedURIDomains("test.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -899,7 +895,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-with-literal-wildcard", // don't allow literal wildcard in URI, e.g. xxxx://*.domain.tld options: []NamePolicyOption{ - WithPermittedURIDomain("*.local"), + WithPermittedURIDomains("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ 
@@ -915,7 +911,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - WithPermittedURIDomain("*.bücher.example.com"), + WithPermittedURIDomains("*.bücher.example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -932,7 +928,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-excluded", options: []NamePolicyOption{ - WithExcludedDNSDomain("*.example.com"), + WithExcludedDNSDomains("*.example.com"), }, cert: &x509.Certificate{ DNSNames: []string{"www.example.com"}, @@ -943,7 +939,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-excluded-single-host", options: []NamePolicyOption{ - WithExcludedDNSDomain("host.example.com"), + WithExcludedDNSDomains("host.example.com"), }, cert: &x509.Certificate{ DNSNames: []string{"host.example.com"}, @@ -955,11 +951,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/ipv4-excluded", options: []NamePolicyOption{ WithExcludedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("127.0.0.1"), - Mask: net.IPv4Mask(255, 255, 255, 0), - }, + &net.IPNet{ + IP: net.ParseIP("127.0.0.1"), + Mask: net.IPv4Mask(255, 255, 255, 0), }, ), }, @@ -973,11 +967,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/ipv6-excluded", options: []NamePolicyOption{ WithExcludedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), - Mask: net.CIDRMask(120, 128), - }, + &net.IPNet{ + IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), + Mask: net.CIDRMask(120, 128), }, ), }, @@ -990,7 +982,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-excluded", options: []NamePolicyOption{ - WithExcludedEmailAddress("@example.com"), + WithExcludedEmailAddresses("@example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@example.com"}, 
@@ -1001,7 +993,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-excluded", options: []NamePolicyOption{ - WithExcludedURIDomain("*.example.com"), + WithExcludedURIDomains("*.example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1017,7 +1009,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-excluded-with-literal-wildcard", // don't allow literal wildcard in URI, e.g. xxxx://*.domain.tld options: []NamePolicyOption{ - WithExcludedURIDomain("*.local"), + WithExcludedURIDomains("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1035,7 +1027,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-dns-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1049,7 +1041,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-dns-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithExcludedDNSDomain("*.local"), + WithExcludedDNSDomains("*.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1064,11 +1056,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { options: []NamePolicyOption{ WithSubjectCommonNameVerification(), WithPermittedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("127.0.0.1"), - Mask: net.IPv4Mask(255, 255, 255, 0), - }, + &net.IPNet{ + IP: net.ParseIP("127.0.0.1"), + Mask: net.IPv4Mask(255, 255, 255, 0), }, ), }, @@ -1085,11 +1075,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { options: []NamePolicyOption{ WithSubjectCommonNameVerification(), WithExcludedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("127.0.0.1"), - Mask: net.IPv4Mask(255, 255, 255, 0), - }, + &net.IPNet{ + IP: net.ParseIP("127.0.0.1"), + Mask: net.IPv4Mask(255, 255, 255, 0), }, ), }, 
@@ -1106,11 +1094,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { options: []NamePolicyOption{ WithSubjectCommonNameVerification(), WithPermittedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), - Mask: net.CIDRMask(120, 128), - }, + &net.IPNet{ + IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), + Mask: net.CIDRMask(120, 128), }, ), }, @@ -1127,11 +1113,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { options: []NamePolicyOption{ WithSubjectCommonNameVerification(), WithExcludedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), - Mask: net.CIDRMask(120, 128), - }, + &net.IPNet{ + IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), + Mask: net.CIDRMask(120, 128), }, ), }, @@ -1147,7 +1131,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-email-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithPermittedEmailAddress("@example.local"), + WithPermittedEmailAddresses("@example.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1161,7 +1145,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-email-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithExcludedEmailAddress("@example.local"), + WithExcludedEmailAddresses("@example.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1175,7 +1159,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-uri-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithPermittedURIDomain("*.example.com"), + WithPermittedURIDomains("*.example.com"), }, cert: &x509.Certificate{ Subject: pkix.Name{ 
@@ -1189,7 +1173,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-uri-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithExcludedURIDomain("*.example.com"), + WithExcludedURIDomains("*.example.com"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1203,7 +1187,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-with-ip-name", // when only DNS is permitted, IPs are not allowed. options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, @@ -1214,7 +1198,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-with-mail", // when only DNS is permitted, mails are not allowed. options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@smallstep.com"}, @@ -1225,7 +1209,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-with-uri", // when only DNS is permitted, URIs are not allowed. options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1242,11 +1226,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/ip-permitted-with-dns-name", // when only IP is permitted, DNS names are not allowed. options: []NamePolicyOption{ WithPermittedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("127.0.0.1"), - Mask: net.IPv4Mask(255, 255, 255, 0), - }, + &net.IPNet{ + IP: net.ParseIP("127.0.0.1"), + Mask: net.IPv4Mask(255, 255, 255, 0), }, ), }, 
@@ -1260,11 +1242,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/ip-permitted-with-mail", // when only IP is permitted, mails are not allowed. options: []NamePolicyOption{ WithPermittedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("127.0.0.1"), - Mask: net.IPv4Mask(255, 255, 255, 0), - }, + &net.IPNet{ + IP: net.ParseIP("127.0.0.1"), + Mask: net.IPv4Mask(255, 255, 255, 0), }, ), }, @@ -1278,11 +1258,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/ip-permitted-with-uri", // when only IP is permitted, URIs are not allowed. options: []NamePolicyOption{ WithPermittedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("127.0.0.1"), - Mask: net.IPv4Mask(255, 255, 255, 0), - }, + &net.IPNet{ + IP: net.ParseIP("127.0.0.1"), + Mask: net.IPv4Mask(255, 255, 255, 0), }, ), }, @@ -1300,7 +1278,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-with-dns-name", // when only mail is permitted, DNS names are not allowed. options: []NamePolicyOption{ - WithPermittedEmailAddress("@example.com"), + WithPermittedEmailAddresses("@example.com"), }, cert: &x509.Certificate{ DNSNames: []string{"www.example.com"}, @@ -1311,7 +1289,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-with-ip", // when only mail is permitted, IPs are not allowed. options: []NamePolicyOption{ - WithPermittedEmailAddress("@example.com"), + WithPermittedEmailAddresses("@example.com"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{ @@ -1324,7 +1302,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-with-uri", // when only mail is permitted, URIs are not allowed. options: []NamePolicyOption{ - WithPermittedEmailAddress("@example.com"), + WithPermittedEmailAddresses("@example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ 
@@ -1340,7 +1318,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-with-dns-name", // when only URI is permitted, DNS names are not allowed. options: []NamePolicyOption{ - WithPermittedURIDomain("*.local"), + WithPermittedURIDomains("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{"host.local"}, @@ -1351,7 +1329,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, IPs are not allowed. options: []NamePolicyOption{ - WithPermittedURIDomain("*.local"), + WithPermittedURIDomains("*.local"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{ @@ -1364,7 +1342,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, mails are not allowed. options: []NamePolicyOption{ - WithPermittedURIDomain("*.local"), + WithPermittedURIDomains("*.local"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@smallstep.com"}, @@ -1377,14 +1355,14 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/combined-simple-all-badhost.local", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithPermittedDNSDomain("*.local"), - WithPermittedCIDR("127.0.0.1/24"), - WithPermittedEmailAddress("@example.local"), - WithPermittedURIDomain("*.example.local"), - WithExcludedDNSDomain("badhost.local"), - WithExcludedCIDR("127.0.0.128/25"), - WithExcludedEmailAddress("badmail@example.local"), - WithExcludedURIDomain("badwww.example.local"), + WithPermittedDNSDomains("*.local"), + WithPermittedCIDRs("127.0.0.1/24"), + WithPermittedEmailAddresses("@example.local"), + WithPermittedURIDomains("*.example.local"), + WithExcludedDNSDomains("badhost.local"), + WithExcludedCIDRs("127.0.0.128/25"), + WithExcludedEmailAddresses("badmail@example.local"), + WithExcludedURIDomains("badwww.example.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ 
@@ -1488,7 +1466,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-permitted", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{"example.local"}, @@ -1499,7 +1477,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-permitted-wildcard", options: []NamePolicyOption{ - WithPermittedDNSDomains([]string{"*.local", "*.x509local"}), + WithPermittedDNSDomains("*.local", "*.x509local"), WithAllowLiteralWildcardNames(), }, cert: &x509.Certificate{ @@ -1514,7 +1492,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-permitted-wildcard-literal", options: []NamePolicyOption{ - WithPermittedDNSDomains([]string{"*.local", "*.x509local"}), + WithPermittedDNSDomains("*.local", "*.x509local"), WithAllowLiteralWildcardNames(), }, cert: &x509.Certificate{ @@ -1529,7 +1507,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-permitted-combined", options: []NamePolicyOption{ - WithPermittedDNSDomains([]string{"*.local", "*.x509local", "host.example.com"}), + WithPermittedDNSDomains("*.local", "*.x509local", "host.example.com"), }, cert: &x509.Certificate{ DNSNames: []string{ @@ -1544,7 +1522,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.例.jp"), + WithPermittedDNSDomains("*.例.jp"), }, cert: &x509.Certificate{ DNSNames: []string{ @@ -1557,7 +1535,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/ipv4-permitted", options: []NamePolicyOption{ - WithPermittedCIDR("127.0.0.1/24"), + WithPermittedCIDRs("127.0.0.1/24"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("127.0.0.20")}, 
@@ -1568,7 +1546,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/ipv6-permitted", options: []NamePolicyOption{ - WithPermittedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"), + WithPermittedCIDRs("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7339")}, @@ -1579,7 +1557,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-permitted-wildcard", options: []NamePolicyOption{ - WithPermittedEmailAddress("@example.com"), + WithPermittedEmailAddresses("@example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -1592,7 +1570,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-permitted-plain-domain", options: []NamePolicyOption{ - WithPermittedEmailAddress("example.com"), + WithPermittedEmailAddresses("example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -1605,7 +1583,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-permitted-specific-mailbox", options: []NamePolicyOption{ - WithPermittedEmailAddress("test@local.com"), + WithPermittedEmailAddresses("test@local.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -1618,7 +1596,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - WithPermittedEmailAddress("@例.jp"), + WithPermittedEmailAddresses("@例.jp"), }, cert: &x509.Certificate{ EmailAddresses: []string{}, @@ -1629,7 +1607,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-permitted-domain-wildcard", options: []NamePolicyOption{ - WithPermittedURIDomain("*.local"), + WithPermittedURIDomains("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ 
@@ -1645,7 +1623,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-permitted-specific-uri", options: []NamePolicyOption{ - WithPermittedURIDomain("test.local"), + WithPermittedURIDomains("test.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1661,7 +1639,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-permitted-with-port", options: []NamePolicyOption{ - WithPermittedURIDomain("*.example.com"), + WithPermittedURIDomains("*.example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1677,7 +1655,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - WithPermittedURIDomain("*.bücher.example.com"), + WithPermittedURIDomains("*.bücher.example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1693,7 +1671,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - WithPermittedURIDomain("bücher.example.com"), + WithPermittedURIDomains("bücher.example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1710,7 +1688,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-excluded", options: []NamePolicyOption{ - WithExcludedDNSDomain("*.notlocal"), + WithExcludedDNSDomains("*.notlocal"), }, cert: &x509.Certificate{ DNSNames: []string{"example.local"}, @@ -1722,11 +1700,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/ipv4-excluded", options: []NamePolicyOption{ WithExcludedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("127.0.0.1"), - Mask: net.IPv4Mask(255, 255, 255, 0), - }, + &net.IPNet{ + IP: net.ParseIP("127.0.0.1"), + Mask: net.IPv4Mask(255, 255, 255, 0), }, ), }, 
@@ -1739,7 +1715,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/ipv6-excluded", options: []NamePolicyOption{ - WithExcludedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"), + WithExcludedCIDRs("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("2003:0db8:85a3:0000:0000:8a2e:0370:7334")}, @@ -1750,7 +1726,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-excluded", options: []NamePolicyOption{ - WithExcludedEmailAddress("@notlocal"), + WithExcludedEmailAddresses("@notlocal"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@local"}, @@ -1761,7 +1737,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-excluded-with-subdomain", options: []NamePolicyOption{ - WithExcludedEmailAddress("@local"), + WithExcludedEmailAddresses("@local"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@example.local"}, @@ -1772,7 +1748,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-excluded", options: []NamePolicyOption{ - WithExcludedURIDomain("*.google.com"), + WithExcludedURIDomains("*.google.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1790,7 +1766,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-empty", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1805,7 +1781,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-dns-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ 
@@ -1819,7 +1795,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-dns-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithExcludedDNSDomain("*.notlocal"), + WithExcludedDNSDomains("*.notlocal"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1834,11 +1810,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { options: []NamePolicyOption{ WithSubjectCommonNameVerification(), WithPermittedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("127.0.0.1"), - Mask: net.IPv4Mask(255, 255, 255, 0), - }, + &net.IPNet{ + IP: net.ParseIP("127.0.0.1"), + Mask: net.IPv4Mask(255, 255, 255, 0), }, ), }, @@ -1855,11 +1829,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { options: []NamePolicyOption{ WithSubjectCommonNameVerification(), WithExcludedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("128.0.0.1"), - Mask: net.IPv4Mask(255, 255, 255, 0), - }, + &net.IPNet{ + IP: net.ParseIP("128.0.0.1"), + Mask: net.IPv4Mask(255, 255, 255, 0), }, ), }, @@ -1876,11 +1848,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { options: []NamePolicyOption{ WithSubjectCommonNameVerification(), WithPermittedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), - Mask: net.CIDRMask(120, 128), - }, + &net.IPNet{ + IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), + Mask: net.CIDRMask(120, 128), }, ), }, @@ -1897,11 +1867,9 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { options: []NamePolicyOption{ WithSubjectCommonNameVerification(), WithExcludedIPRanges( - []*net.IPNet{ - { - IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), - Mask: net.CIDRMask(120, 128), - }, + &net.IPNet{ + IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), + Mask: net.CIDRMask(120, 128), }, ), }, 
@@ -1917,7 +1885,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-email-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithPermittedEmailAddress("@example.local"), + WithPermittedEmailAddresses("@example.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1931,7 +1899,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-email-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithExcludedEmailAddress("@example.notlocal"), + WithExcludedEmailAddresses("@example.notlocal"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1945,7 +1913,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-uri-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithPermittedURIDomain("*.example.com"), + WithPermittedURIDomains("*.example.com"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1959,7 +1927,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-uri-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithExcludedURIDomain("*.smallstep.com"), + WithExcludedURIDomains("*.smallstep.com"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1973,7 +1941,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-excluded-with-ip-name", // when only DNS is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedDNSDomain("*.local"), + WithExcludedDNSDomains("*.local"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, @@ -1984,7 +1952,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedDNSDomain("*.local"), + WithExcludedDNSDomains("*.local"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@example.com"}, 
@@ -1995,7 +1963,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedDNSDomain("*.local"), + WithExcludedDNSDomains("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -2011,7 +1979,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/ip-excluded-with-dns", // when only IP is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedCIDR("127.0.0.1/24"), + WithExcludedCIDRs("127.0.0.1/24"), }, cert: &x509.Certificate{ DNSNames: []string{"test.local"}, @@ -2022,7 +1990,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/ip-excluded-with-mail", // when only IP is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedCIDR("127.0.0.1/24"), + WithExcludedCIDRs("127.0.0.1/24"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@example.com"}, @@ -2033,7 +2001,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/ip-excluded-with-mail", // when only IP is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedCIDR("127.0.0.1/24"), + WithExcludedCIDRs("127.0.0.1/24"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -2049,7 +2017,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-excluded-with-dns", // when only mail is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedEmailAddress("@example.com"), + WithExcludedEmailAddresses("@example.com"), }, cert: &x509.Certificate{ DNSNames: []string{"test.local"}, 
@@ -2060,7 +2028,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-excluded-with-ip", // when only mail is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedEmailAddress("@example.com"), + WithExcludedEmailAddresses("@example.com"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, @@ -2071,7 +2039,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-excluded-with-uri", // when only mail is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedEmailAddress("@example.com"), + WithExcludedEmailAddresses("@example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -2087,7 +2055,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-excluded-with-dns", // when only URI is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedURIDomain("*.example.local"), + WithExcludedURIDomains("*.example.local"), }, cert: &x509.Certificate{ DNSNames: []string{"test.example.local"}, @@ -2098,7 +2066,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-excluded-with-dns", // when only URI is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedURIDomain("*.example.local"), + WithExcludedURIDomains("*.example.local"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, @@ -2109,7 +2077,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-excluded-with-mail", // when only URI is exluded, we allow anything else options: []NamePolicyOption{ - WithExcludedURIDomain("*.example.local"), + WithExcludedURIDomains("*.example.local"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@example.local"}, 
@@ -2121,7 +2089,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/dns-excluded-with-subject-ip-name", // when only DNS is exluded, we allow anything else options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithExcludedDNSDomain("*.local"), + WithExcludedDNSDomains("*.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -2137,10 +2105,10 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/combined-simple-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithPermittedDNSDomain("*.local"), - WithPermittedCIDR("127.0.0.1/24"), - WithPermittedEmailAddress("@example.local"), - WithPermittedURIDomain("*.example.local"), + WithPermittedDNSDomains("*.local"), + WithPermittedCIDRs("127.0.0.1/24"), + WithPermittedEmailAddresses("@example.local"), + WithPermittedURIDomains("*.example.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -2162,10 +2130,10 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/combined-simple-permitted-without-subject-verification", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), - WithPermittedCIDR("127.0.0.1/24"), - WithPermittedEmailAddress("@example.local"), - WithPermittedURIDomain("*.example.local"), + WithPermittedDNSDomains("*.local"), + WithPermittedCIDRs("127.0.0.1/24"), + WithPermittedEmailAddresses("@example.local"), + WithPermittedURIDomains("*.example.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ 
@@ -2188,14 +2156,14 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/combined-simple-all", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - WithPermittedDNSDomain("*.local"), - WithPermittedCIDR("127.0.0.1/24"), - WithPermittedEmailAddress("@example.local"), - WithPermittedURIDomain("*.example.local"), - WithExcludedDNSDomain("badhost.local"), - WithExcludedCIDR("127.0.0.128/25"), - WithExcludedEmailAddress("badmail@example.local"), - WithExcludedURIDomain("badwww.example.local"), + WithPermittedDNSDomains("*.local"), + WithPermittedCIDRs("127.0.0.1/24"), + WithPermittedEmailAddresses("@example.local"), + WithPermittedURIDomains("*.example.local"), + WithExcludedDNSDomains("badhost.local"), + WithExcludedCIDRs("127.0.0.128/25"), + WithExcludedEmailAddresses("badmail@example.local"), + WithExcludedURIDomains("badwww.example.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -2280,7 +2248,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/host-with-permitted-dns-domain", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, @@ -2294,7 +2262,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/host-with-excluded-dns-domain", options: []NamePolicyOption{ - WithExcludedDNSDomain("*.local"), + WithExcludedDNSDomains("*.local"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, @@ -2306,9 +2274,9 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { wantErr: true, }, { - name: "fail/host-with-permitted-ip", + name: "fail/host-with-permitted-cidr", options: []NamePolicyOption{ - WithPermittedCIDR("127.0.0.1/24"), + WithPermittedCIDRs("127.0.0.1/24"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, 
@@ -2320,9 +2288,9 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { wantErr: true, }, { - name: "fail/host-with-excluded-ip", + name: "fail/host-with-excluded-cidr", options: []NamePolicyOption{ - WithExcludedCIDR("127.0.0.1/24"), + WithExcludedCIDRs("127.0.0.1/24"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, @@ -2336,7 +2304,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/user-with-permitted-email", options: []NamePolicyOption{ - WithPermittedEmailAddress("@example.com"), + WithPermittedEmailAddresses("@example.com"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2350,7 +2318,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/user-with-excluded-email", options: []NamePolicyOption{ - WithExcludedEmailAddress("@example.com"), + WithExcludedEmailAddresses("@example.com"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2364,7 +2332,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/host-with-permitted-principals", options: []NamePolicyOption{ - WithPermittedPrincipals([]string{"localhost"}), + WithPermittedPrincipals("localhost"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, @@ -2378,7 +2346,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/host-with-excluded-principals", options: []NamePolicyOption{ - WithExcludedPrincipals([]string{"localhost"}), + WithExcludedPrincipals("localhost"), }, cert: &ssh.Certificate{ ValidPrincipals: []string{ @@ -2391,7 +2359,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/user-with-permitted-principals", options: []NamePolicyOption{ - WithPermittedPrincipals([]string{"user"}), + WithPermittedPrincipals("user"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, 
@@ -2405,7 +2373,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/user-with-excluded-principals", options: []NamePolicyOption{ - WithExcludedPrincipals([]string{"user"}), + WithExcludedPrincipals("user"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2419,7 +2387,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/user-with-permitted-principal-as-mail", options: []NamePolicyOption{ - WithPermittedPrincipals([]string{"ops"}), + WithPermittedPrincipals("ops"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2433,7 +2401,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/host-principal-with-permitted-dns-domain", // when only DNS is permitted, username principals are not allowed. options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, @@ -2447,7 +2415,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/host-principal-with-permitted-ip-range", // when only IPs are permitted, username principals are not allowed. options: []NamePolicyOption{ - WithPermittedCIDR("127.0.0.1/24"), + WithPermittedCIDRs("127.0.0.1/24"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, @@ -2461,7 +2429,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/user-principal-with-permitted-email", // when only emails are permitted, username principals are not allowed. options: []NamePolicyOption{ - WithPermittedEmailAddress("@example.com"), + WithPermittedEmailAddresses("@example.com"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, 
@@ -2475,8 +2443,8 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/combined-user", options: []NamePolicyOption{ - WithPermittedEmailAddress("@smallstep.com"), - WithExcludedEmailAddress("root@smallstep.com"), + WithPermittedEmailAddresses("@smallstep.com"), + WithExcludedEmailAddresses("root@smallstep.com"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2491,8 +2459,8 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "fail/combined-user-with-excluded-user-principal", options: []NamePolicyOption{ - WithPermittedEmailAddress("@smallstep.com"), - WithExcludedPrincipals([]string{"root"}), + WithPermittedEmailAddresses("@smallstep.com"), + WithExcludedPrincipals("root"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2507,7 +2475,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/host-with-permitted-user-principals", options: []NamePolicyOption{ - WithPermittedEmailAddress("@work"), + WithPermittedEmailAddresses("@work"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, @@ -2521,7 +2489,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/user-with-permitted-user-principals", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2535,7 +2503,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/host-with-permitted-dns-domain", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), + WithPermittedDNSDomains("*.local"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, @@ -2549,7 +2517,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/host-with-excluded-dns-domain", options: []NamePolicyOption{ - WithExcludedDNSDomain("*.example.com"), + WithExcludedDNSDomains("*.example.com"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, 
@@ -2563,7 +2531,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/host-with-permitted-ip", options: []NamePolicyOption{ - WithPermittedCIDR("127.0.0.1/24"), + WithPermittedCIDRs("127.0.0.1/24"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, @@ -2577,7 +2545,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/host-with-excluded-ip", options: []NamePolicyOption{ - WithExcludedCIDR("127.0.0.1/24"), + WithExcludedCIDRs("127.0.0.1/24"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, @@ -2591,7 +2559,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/user-with-permitted-email", options: []NamePolicyOption{ - WithPermittedEmailAddress("@example.com"), + WithPermittedEmailAddresses("@example.com"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2605,7 +2573,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/user-with-excluded-email", options: []NamePolicyOption{ - WithExcludedEmailAddress("@example.com"), + WithExcludedEmailAddresses("@example.com"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2619,7 +2587,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/user-with-permitted-principals", options: []NamePolicyOption{ - WithPermittedPrincipals([]string{"*"}), + WithPermittedPrincipals("*"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2633,7 +2601,7 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/user-with-excluded-principals", options: []NamePolicyOption{ - WithExcludedPrincipals([]string{"user"}), + WithExcludedPrincipals("user"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, 
@@ -2647,9 +2615,9 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/combined-user", options: []NamePolicyOption{ - WithPermittedEmailAddress("@smallstep.com"), - WithPermittedPrincipals([]string{"*"}), // without specifying the wildcard, "someone" would not be allowed. - WithExcludedEmailAddress("root@smallstep.com"), + WithPermittedEmailAddresses("@smallstep.com"), + WithPermittedPrincipals("*"), // without specifying the wildcard, "someone" would not be allowed. + WithExcludedEmailAddresses("root@smallstep.com"), }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2664,9 +2632,9 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/combined-user-with-excluded-user-principal", options: []NamePolicyOption{ - WithPermittedEmailAddress("@smallstep.com"), - WithExcludedEmailAddress("root@smallstep.com"), - WithExcludedPrincipals([]string{"root"}), // unlike the previous test, this implicitly allows any other username principal + WithPermittedEmailAddresses("@smallstep.com"), + WithExcludedEmailAddresses("root@smallstep.com"), + WithExcludedPrincipals("root"), // unlike the previous test, this implicitly allows any other username principal }, cert: &ssh.Certificate{ CertType: ssh.UserCert, @@ -2681,10 +2649,10 @@ func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) { { name: "ok/combined-host", options: []NamePolicyOption{ - WithPermittedDNSDomain("*.local"), - WithPermittedCIDR("127.0.0.1/24"), - WithExcludedDNSDomain("badhost.local"), - WithExcludedCIDR("127.0.0.128/25"), + WithPermittedDNSDomains("*.local"), + WithPermittedCIDRs("127.0.0.1/24"), + WithExcludedDNSDomains("badhost.local"), + WithExcludedCIDRs("127.0.0.128/25"), }, cert: &ssh.Certificate{ CertType: ssh.HostCert, diff --git a/policy/options.go b/policy/options.go index e01e082e..d244a311 100755 --- a/policy/options.go +++ b/policy/options.go 
@@ -26,7 +26,7 @@ func WithAllowLiteralWildcardNames() NamePolicyOption { } } -func WithPermittedDNSDomains(domains []string) NamePolicyOption { +func WithPermittedDNSDomains(domains ...string) NamePolicyOption { return func(e *NamePolicyEngine) error { normalizedDomains := make([]string, len(domains)) for i, domain := range domains { @@ -41,7 +41,7 @@ func WithPermittedDNSDomains(domains []string) NamePolicyOption { } } -func WithExcludedDNSDomains(domains []string) NamePolicyOption { +func WithExcludedDNSDomains(domains ...string) NamePolicyOption { return func(e *NamePolicyEngine) error { normalizedDomains := make([]string, len(domains)) for i, domain := range domains { @@ -56,36 +56,14 @@ func WithExcludedDNSDomains(domains []string) NamePolicyOption { } } -func WithPermittedDNSDomain(domain string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain) - if err != nil { - return fmt.Errorf("cannot parse permitted domain constraint %q: %w", domain, err) - } - e.permittedDNSDomains = []string{normalizedDomain} - return nil - } -} - -func WithExcludedDNSDomain(domain string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain) - if err != nil { - return fmt.Errorf("cannot parse excluded domain constraint %q: %w", domain, err) - } - e.excludedDNSDomains = []string{normalizedDomain} - return nil - } -} - -func WithPermittedIPRanges(ipRanges []*net.IPNet) NamePolicyOption { +func WithPermittedIPRanges(ipRanges ...*net.IPNet) NamePolicyOption { return func(e *NamePolicyEngine) error { e.permittedIPRanges = ipRanges return nil } } -func WithPermittedCIDRs(cidrs []string) NamePolicyOption { +func WithPermittedCIDRs(cidrs ...string) NamePolicyOption { return func(e *NamePolicyEngine) error { networks := make([]*net.IPNet, len(cidrs)) for i, cidr := range cidrs { 
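Review bot: With `domains` now variadic, `WithPermittedDNSDomains()` compiles with no arguments and the visible body then stores `make([]string, 0)`, a non-nil but empty permitted list, whereas the removed `WithPermittedDNSDomain` always stored exactly one entry. Whether an empty permitted list reads as "no DNS constraint" or "nothing permitted" is decided by the engine outside this hunk, and for a permitted list that is the security-relevant failure mode, so the option should pin it down rather than leave it to the slice's nil-ness: either reject it, `if len(domains) == 0 { return fmt.Errorf("at least one permitted DNS domain must be provided") }`, or state the reading the engine actually implements in a doc comment on the function, which currently has none (e.g. `// WithPermittedDNSDomains sets the DNS domains a certificate's DNS names and, when subject verification is enabled, its common name must fall under.`, extended with the zero-argument behaviour once confirmed). None of the engine_test.go changes in this patch exercise a zero-argument call, so a small test for it would lock the choice in. The loop body that normalizes each domain continues outside the hunk.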
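Review bot: `e.permittedIPRanges = ipRanges` in the new `WithPermittedIPRanges` stores the variadic slice directly, so a caller that spreads an existing slice (`WithPermittedIPRanges(nets...)`) shares its backing array with the engine and can change the permitted ranges afterwards without going through an option; a nil `*net.IPNet` element is also accepted here and would presumably only fail when the range is first matched, rather than at configuration time. `WithPermittedCIDRs` in the same hunk builds its own `networks` slice, so copying and validating here keeps the two options symmetric; the rewrite below returns an error for a nil or incomplete entry and keeps the field nil when no ranges are given, as the current code does.

```go
func WithPermittedIPRanges(ipRanges ...*net.IPNet) NamePolicyOption {
	return func(e *NamePolicyEngine) error {
		var networks []*net.IPNet
		for i, nw := range ipRanges {
			// fail at configuration time rather than when the range is first matched
			if nw == nil || nw.IP == nil || nw.Mask == nil {
				return fmt.Errorf("permitted IP range at index %d is nil or incomplete", i)
			}
			networks = append(networks, nw)
		}
		e.permittedIPRanges = networks
		return nil
	}
}
```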
@@ -100,7 +78,7 @@ func WithPermittedCIDRs(cidrs []string) NamePolicyOption { } } -func WithExcludedCIDRs(cidrs []string) NamePolicyOption { +func WithExcludedCIDRs(cidrs ...string) NamePolicyOption { return func(e *NamePolicyEngine) error { networks := make([]*net.IPNet, len(cidrs)) for i, cidr := range cidrs { @@ -115,7 +93,7 @@ func WithExcludedCIDRs(cidrs []string) NamePolicyOption { } } -func WithPermittedIPsOrCIDRs(ipsOrCIDRs []string) NamePolicyOption { +func WithPermittedIPsOrCIDRs(ipsOrCIDRs ...string) NamePolicyOption { return func(e *NamePolicyEngine) error { networks := make([]*net.IPNet, len(ipsOrCIDRs)) for i, ipOrCIDR := range ipsOrCIDRs { @@ -133,7 +111,7 @@ func WithPermittedIPsOrCIDRs(ipsOrCIDRs []string) NamePolicyOption { } } -func WithExcludedIPsOrCIDRs(ipsOrCIDRs []string) NamePolicyOption { +func WithExcludedIPsOrCIDRs(ipsOrCIDRs ...string) NamePolicyOption { return func(e *NamePolicyEngine) error { networks := make([]*net.IPNet, len(ipsOrCIDRs)) for i, ipOrCIDR := range ipsOrCIDRs { 
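Review bot: `WithPermittedIPsOrCIDRs` is exported and the signature change is the natural moment to give it the doc comment it lacks, since the mixed input form is not obvious from the name; something like `// WithPermittedIPsOrCIDRs sets the permitted IP ranges, parsing each element as either a single IP address or a CIDR block.` The loop that parses each element is outside the hunk, so how a bare IP is turned into a range (a host mask, as the removed single-IP options did, or otherwise) should be confirmed against that body and stated in the comment. `WithExcludedIPsOrCIDRs` in the following hunk needs the same treatment.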
@@ -151,61 +129,14 @@ func WithExcludedIPsOrCIDRs(ipsOrCIDRs []string) NamePolicyOption { } } -func WithPermittedCIDR(cidr string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - _, nw, err := net.ParseCIDR(cidr) - if err != nil { - return fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr) - } - e.permittedIPRanges = []*net.IPNet{nw} - return nil - } -} - -func WithPermittedIP(ip net.IP) NamePolicyOption { - return func(e *NamePolicyEngine) error { - nw := networkFor(ip) - e.permittedIPRanges = []*net.IPNet{nw} - return nil - } -} - -func WithExcludedIPRanges(ipRanges []*net.IPNet) NamePolicyOption { +func WithExcludedIPRanges(ipRanges ...*net.IPNet) NamePolicyOption { return func(e *NamePolicyEngine) error { e.excludedIPRanges = ipRanges return nil } } -func WithExcludedCIDR(cidr string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - _, nw, err := net.ParseCIDR(cidr) - if err != nil { - return fmt.Errorf("cannot parse excluded CIDR constraint %q", cidr) - } - e.excludedIPRanges = []*net.IPNet{nw} - return nil - } -} - -func WithExcludedIP(ip net.IP) NamePolicyOption { - return func(e *NamePolicyEngine) error { - var mask net.IPMask - if !isIPv4(ip) { - mask = net.CIDRMask(128, 128) - } else { - mask = net.CIDRMask(32, 32) - } - nw := &net.IPNet{ - IP: ip, - Mask: mask, - } - e.excludedIPRanges = []*net.IPNet{nw} - return nil - } -} - -func WithPermittedEmailAddresses(emailAddresses []string) NamePolicyOption { +func WithPermittedEmailAddresses(emailAddresses ...string) NamePolicyOption { return func(e *NamePolicyEngine) error { normalizedEmailAddresses := make([]string, len(emailAddresses)) for i, email := range emailAddresses { 
@@ -220,7 +151,7 @@ func WithPermittedEmailAddresses(emailAddresses []string) NamePolicyOption { } } -func WithExcludedEmailAddresses(emailAddresses []string) NamePolicyOption { +func WithExcludedEmailAddresses(emailAddresses ...string) NamePolicyOption { return func(e *NamePolicyEngine) error { normalizedEmailAddresses := make([]string, len(emailAddresses)) for i, email := range emailAddresses { @@ -235,29 +166,7 @@ func WithExcludedEmailAddresses(emailAddresses []string) NamePolicyOption { } } -func WithPermittedEmailAddress(emailAddress string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress) - if err != nil { - return fmt.Errorf("cannot parse permitted email constraint %q: %w", emailAddress, err) - } - e.permittedEmailAddresses = []string{normalizedEmailAddress} - return nil - } -} - -func WithExcludedEmailAddress(emailAddress string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress) - if err != nil { - return fmt.Errorf("cannot parse excluded email constraint %q: %w", emailAddress, err) - } - e.excludedEmailAddresses = []string{normalizedEmailAddress} - return nil - } -} - -func WithPermittedURIDomains(uriDomains []string) NamePolicyOption { +func WithPermittedURIDomains(uriDomains ...string) NamePolicyOption { return func(e *NamePolicyEngine) error { normalizedURIDomains := make([]string, len(uriDomains)) for i, domain := range uriDomains { 
@@ -272,18 +181,7 @@ func WithPermittedURIDomains(uriDomains []string) NamePolicyOption { } } -func WithPermittedURIDomain(domain string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain) - if err != nil { - return fmt.Errorf("cannot parse permitted URI domain constraint %q: %w", domain, err) - } - e.permittedURIDomains = []string{normalizedURIDomain} - return nil - } -} - -func WithExcludedURIDomains(domains []string) NamePolicyOption { +func WithExcludedURIDomains(domains ...string) NamePolicyOption { return func(e *NamePolicyEngine) error { normalizedURIDomains := make([]string, len(domains)) for i, domain := range domains { @@ -298,18 +196,7 @@ func WithExcludedURIDomains(domains []string) NamePolicyOption { } } -func WithExcludedURIDomain(domain string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain) - if err != nil { - return fmt.Errorf("cannot parse excluded URI domain constraint %q: %w", domain, err) - } - e.excludedURIDomains = []string{normalizedURIDomain} - return nil - } -} - -func WithPermittedPrincipals(principals []string) NamePolicyOption { +func WithPermittedPrincipals(principals ...string) NamePolicyOption { return func(g *NamePolicyEngine) error { // TODO(hs): normalize and parse principal into the right type? Seems the safe thing to do. g.permittedPrincipals = principals @@ -317,7 +204,7 @@ func WithPermittedPrincipals(principals []string) NamePolicyOption { } } -func WithExcludedPrincipals(principals []string) NamePolicyOption { +func WithExcludedPrincipals(principals ...string) NamePolicyOption { return func(g *NamePolicyEngine) error { // TODO(hs): normalize and parse principal into the right type? Seems the safe thing to do. g.excludedPrincipals = principals 
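Review bot: The closure receiver in `WithPermittedPrincipals` and `WithExcludedPrincipals` (-317 hunk) is named `g` while every other option in this file uses `e`; renaming it keeps the file consistent: `return func(e *NamePolicyEngine) error {` with `e.permittedPrincipals = principals`. The `TODO(hs)` above the assignment is also still open: principals are the only constraint type in this diff stored without normalization, so whether `Root` and `root` are treated alike depends on the matching code outside this diff, which is worth either resolving or stating in the option's doc comment.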
@@ -357,7 +244,7 @@ func normalizeAndValidateDNSDomainConstraint(constraint string) (string, error) if strings.LastIndex(normalizedConstraint, "*") > 0 { return "", fmt.Errorf("domain constraint %q can only have wildcard as starting character", constraint) } - if normalizedConstraint[0] == '*' && normalizedConstraint[1] != '.' { + if len(normalizedConstraint) >= 2 && normalizedConstraint[0] == '*' && normalizedConstraint[1] != '.' { return "", fmt.Errorf("wildcard character in domain constraint %q can only be used to match (full) labels", constraint) } if strings.HasPrefix(normalizedConstraint, "*.") { diff --git a/policy/options_test.go b/policy/options_test.go index 78df3b7b..ca2908e4 100644 --- a/policy/options_test.go +++ b/policy/options_test.go @@ -200,7 +200,7 @@ func TestNew(t *testing.T) { "fail/with-permitted-dns-domains": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithPermittedDNSDomains([]string{"**.local"}), + WithPermittedDNSDomains("**.local"), }, want: nil, wantErr: true, @@ -209,25 +209,7 @@ func TestNew(t *testing.T) { "fail/with-excluded-dns-domains": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithExcludedDNSDomains([]string{"**.local"}), - }, - want: nil, - wantErr: true, - } - }, - "fail/with-permitted-dns-domain": func(t *testing.T) test { - return test{ - options: []NamePolicyOption{ - WithPermittedDNSDomain("**.local"), - }, - want: nil, - wantErr: true, - } - }, - "fail/with-excluded-dns-domain": func(t *testing.T) test { - return test{ - options: []NamePolicyOption{ - WithExcludedDNSDomain("**.local"), + WithExcludedDNSDomains("**.local"), }, want: nil, wantErr: true, @@ -236,7 +218,7 @@ func TestNew(t *testing.T) { "fail/with-permitted-cidrs": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithPermittedCIDRs([]string{"127.0.0.1//24"}), + WithPermittedCIDRs("127.0.0.1//24"), }, want: nil, wantErr: true, 
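Review bot: The added length guard stops the index-out-of-range panic, but a constraint that normalizes to a bare `*` now passes both wildcard checks unchanged: `strings.LastIndex` returns 0 so the `> 0` test is false, the new guard is false for a one-character string, and `HasPrefix(normalizedConstraint, "*.")` is false, so the value would be stored verbatim unless a check outside the hunk rejects it. For a name policy a constraint that reads as "any name" deserves an explicit rejection ahead of the existing checks, e.g. `if normalizedConstraint == "*" { return "", fmt.Errorf("domain constraint %q cannot be a bare wildcard", constraint) }`. An empty string, which the old code would also have panicked on, deserves the same treatment if the earlier part of the function does not already reject it; the function begins and ends outside the hunk.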
@@ -245,7 +227,7 @@ func TestNew(t *testing.T) { "fail/with-excluded-cidrs": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithExcludedCIDRs([]string{"127.0.0.1//24"}), + WithExcludedCIDRs("127.0.0.1//24"), }, want: nil, wantErr: true, @@ -254,7 +236,7 @@ func TestNew(t *testing.T) { "fail/with-permitted-ipsOrCIDRs-cidr": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithPermittedIPsOrCIDRs([]string{"127.0.0.1//24"}), + WithPermittedIPsOrCIDRs("127.0.0.1//24"), }, want: nil, wantErr: true, @@ -263,7 +245,7 @@ func TestNew(t *testing.T) { "fail/with-permitted-ipsOrCIDRs-ip": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithPermittedIPsOrCIDRs([]string{"127.0.0:1"}), + WithPermittedIPsOrCIDRs("127.0.0:1"), }, want: nil, wantErr: true, @@ -272,7 +254,7 @@ func TestNew(t *testing.T) { "fail/with-excluded-ipsOrCIDRs-cidr": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithExcludedIPsOrCIDRs([]string{"127.0.0.1//24"}), + WithExcludedIPsOrCIDRs("127.0.0.1//24"), }, want: nil, wantErr: true, @@ -281,25 +263,7 @@ func TestNew(t *testing.T) { "fail/with-excluded-ipsOrCIDRs-ip": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithExcludedIPsOrCIDRs([]string{"127.0.0:1"}), - }, - want: nil, - wantErr: true, - } - }, - "fail/with-permitted-cidr": func(t *testing.T) test { - return test{ - options: []NamePolicyOption{ - WithPermittedCIDR("127.0.0.1//24"), - }, - want: nil, - wantErr: true, - } - }, - "fail/with-excluded-cidr": func(t *testing.T) test { - return test{ - options: []NamePolicyOption{ - WithExcludedCIDR("127.0.0.1//24"), + WithExcludedIPsOrCIDRs("127.0.0:1"), }, want: nil, wantErr: true, 
@@ -308,7 +272,7 @@ func TestNew(t *testing.T) { "fail/with-permitted-emails": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithPermittedEmailAddresses([]string{"*.local"}), + WithPermittedEmailAddresses("*.local"), }, want: nil, wantErr: true, @@ -317,25 +281,7 @@ func TestNew(t *testing.T) { "fail/with-excluded-emails": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithExcludedEmailAddresses([]string{"*.local"}), - }, - want: nil, - wantErr: true, - } - }, - "fail/with-permitted-email": func(t *testing.T) test { - return test{ - options: []NamePolicyOption{ - WithPermittedEmailAddress("*.local"), - }, - want: nil, - wantErr: true, - } - }, - "fail/with-excluded-email": func(t *testing.T) test { - return test{ - options: []NamePolicyOption{ - WithExcludedEmailAddress("*.local"), + WithExcludedEmailAddresses("*.local"), }, want: nil, wantErr: true, @@ -344,7 +290,7 @@ func TestNew(t *testing.T) { "fail/with-permitted-uris": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithPermittedURIDomains([]string{"**.local"}), + WithPermittedURIDomains("**.local"), }, want: nil, wantErr: true, @@ -353,25 +299,7 @@ func TestNew(t *testing.T) { "fail/with-excluded-uris": func(t *testing.T) test { return test{ options: []NamePolicyOption{ - WithExcludedURIDomains([]string{"**.local"}), - }, - want: nil, - wantErr: true, - } - }, - "fail/with-permitted-uri": func(t *testing.T) test { - return test{ - options: []NamePolicyOption{ - WithPermittedURIDomain("**.local"), - }, - want: nil, - wantErr: true, - } - }, - "fail/with-excluded-uri": func(t *testing.T) test { - return test{ - options: []NamePolicyOption{ - WithExcludedURIDomain("**.local"), + WithExcludedURIDomains("**.local"), }, want: nil, wantErr: true, 
@@ -410,7 +338,7 @@ func TestNew(t *testing.T) { }, "ok/with-permitted-dns-wildcard-domains": func(t *testing.T) test { options := []NamePolicyOption{ - WithPermittedDNSDomains([]string{"*.local", "*.example.com"}), + WithPermittedDNSDomains("*.local", "*.example.com"), } return test{ options: options, @@ -425,7 +353,7 @@ func TestNew(t *testing.T) { }, "ok/with-excluded-dns-domains": func(t *testing.T) test { options := []NamePolicyOption{ - WithExcludedDNSDomains([]string{"*.local", "*.example.com"}), + WithExcludedDNSDomains("*.local", "*.example.com"), } return test{ options: options, @@ -438,47 +366,13 @@ func TestNew(t *testing.T) { wantErr: false, } }, - "ok/with-permitted-dns-wildcard-domain": func(t *testing.T) test { - options := []NamePolicyOption{ - WithPermittedDNSDomain("*.example.com"), - } - return test{ - options: options, - want: &NamePolicyEngine{ - permittedDNSDomains: []string{".example.com"}, - numberOfDNSDomainConstraints: 1, - totalNumberOfPermittedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, - "ok/with-permitted-dns-domain": func(t *testing.T) test { - options := []NamePolicyOption{ - WithPermittedDNSDomain("www.example.com"), - } - return test{ - options: options, - want: &NamePolicyEngine{ - permittedDNSDomains: []string{"www.example.com"}, - numberOfDNSDomainConstraints: 1, - totalNumberOfPermittedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, "ok/with-permitted-ip-ranges": func(t *testing.T) test { _, nw1, err := net.ParseCIDR("127.0.0.1/24") assert.FatalError(t, err) _, nw2, err := net.ParseCIDR("192.168.0.1/24") assert.FatalError(t, err) options := []NamePolicyOption{ - WithPermittedIPRanges( - []*net.IPNet{ - nw1, nw2, - }, - ), + WithPermittedIPRanges(nw1, nw2), } return test{ options: options, 
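Review bot: Removing `ok/with-permitted-dns-domain` drops the only visible case in which a permitted DNS constraint without a wildcard (`www.example.com`) is expected to be stored verbatim; the surviving plural cases use only `*.local` and `*.example.com`, which exercise the wildcard-stripping path. Unless a case outside this hunk covers it, add a non-wildcard entry to the plural case, e.g. `WithPermittedDNSDomains("*.local", "www.example.com")` with `permittedDNSDomains: []string{".local", "www.example.com"}` in the expected engine, and the same for the excluded variant.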
@@ -499,11 +393,7 @@ func TestNew(t *testing.T) { _, nw2, err := net.ParseCIDR("192.168.0.1/24") assert.FatalError(t, err) options := []NamePolicyOption{ - WithExcludedIPRanges( - []*net.IPNet{ - nw1, nw2, - }, - ), + WithExcludedIPRanges(nw1, nw2), } return test{ options: options, @@ -524,7 +414,7 @@ func TestNew(t *testing.T) { _, nw2, err := net.ParseCIDR("192.168.0.1/24") assert.FatalError(t, err) options := []NamePolicyOption{ - WithPermittedCIDRs([]string{"127.0.0.1/24", "192.168.0.1/24"}), + WithPermittedCIDRs("127.0.0.1/24", "192.168.0.1/24"), } return test{ options: options, @@ -545,7 +435,7 @@ func TestNew(t *testing.T) { _, nw2, err := net.ParseCIDR("192.168.0.1/24") assert.FatalError(t, err) options := []NamePolicyOption{ - WithExcludedCIDRs([]string{"127.0.0.1/24", "192.168.0.1/24"}), + WithExcludedCIDRs("127.0.0.1/24", "192.168.0.1/24"), } return test{ options: options, @@ -565,18 +455,20 @@ func TestNew(t *testing.T) { assert.FatalError(t, err) _, nw2, err := net.ParseCIDR("192.168.0.31/32") assert.FatalError(t, err) + _, nw3, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128") + assert.FatalError(t, err) options := []NamePolicyOption{ - WithPermittedIPsOrCIDRs([]string{"127.0.0.1/24", "192.168.0.31"}), + WithPermittedIPsOrCIDRs("127.0.0.1/24", "192.168.0.31", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"), } return test{ options: options, want: &NamePolicyEngine{ permittedIPRanges: []*net.IPNet{ - nw1, nw2, + nw1, nw2, nw3, }, - numberOfIPRangeConstraints: 2, - totalNumberOfPermittedConstraints: 2, - totalNumberOfConstraints: 2, + numberOfIPRangeConstraints: 3, + totalNumberOfPermittedConstraints: 3, + totalNumberOfConstraints: 3, }, wantErr: false, } 
@@ -586,139 +478,27 @@ func TestNew(t *testing.T) { assert.FatalError(t, err) _, nw2, err := net.ParseCIDR("192.168.0.31/32") assert.FatalError(t, err) - options := []NamePolicyOption{ - WithExcludedIPsOrCIDRs([]string{"127.0.0.1/24", "192.168.0.31"}), - } - return test{ - options: options, - want: &NamePolicyEngine{ - excludedIPRanges: []*net.IPNet{ - nw1, nw2, - }, - numberOfIPRangeConstraints: 2, - totalNumberOfExcludedConstraints: 2, - totalNumberOfConstraints: 2, - }, - wantErr: false, - } - }, - "ok/with-permitted-cidr": func(t *testing.T) test { - _, nw1, err := net.ParseCIDR("127.0.0.1/24") + _, nw3, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128") assert.FatalError(t, err) options := []NamePolicyOption{ - WithPermittedCIDR("127.0.0.1/24"), - } - return test{ - options: options, - want: &NamePolicyEngine{ - permittedIPRanges: []*net.IPNet{ - nw1, - }, - numberOfIPRangeConstraints: 1, - totalNumberOfPermittedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, - "ok/with-excluded-cidr": func(t *testing.T) test { - _, nw1, err := net.ParseCIDR("127.0.0.1/24") - assert.FatalError(t, err) - options := []NamePolicyOption{ - WithExcludedCIDR("127.0.0.1/24"), - } - return test{ - options: options, - want: &NamePolicyEngine{ - excludedIPRanges: []*net.IPNet{ - nw1, - }, - numberOfIPRangeConstraints: 1, - totalNumberOfExcludedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, - "ok/with-permitted-ipv4": func(t *testing.T) test { - ip1, nw1, err := net.ParseCIDR("127.0.0.15/32") - assert.FatalError(t, err) - options := []NamePolicyOption{ - WithPermittedIP(ip1), - } - return test{ - options: options, - want: &NamePolicyEngine{ - permittedIPRanges: []*net.IPNet{ - nw1, - }, - numberOfIPRangeConstraints: 1, - totalNumberOfPermittedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, - "ok/with-excluded-ipv4": func(t *testing.T) test { - ip1, nw1, err := 
net.ParseCIDR("127.0.0.15/32") - assert.FatalError(t, err) - options := []NamePolicyOption{ - WithExcludedIP(ip1), - } - return test{ - options: options, - want: &NamePolicyEngine{ - excludedIPRanges: []*net.IPNet{ - nw1, - }, - numberOfIPRangeConstraints: 1, - totalNumberOfExcludedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, - "ok/with-permitted-ipv6": func(t *testing.T) test { - ip1, nw1, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128") - assert.FatalError(t, err) - options := []NamePolicyOption{ - WithPermittedIP(ip1), - } - return test{ - options: options, - want: &NamePolicyEngine{ - permittedIPRanges: []*net.IPNet{ - nw1, - }, - numberOfIPRangeConstraints: 1, - totalNumberOfPermittedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, - "ok/with-excluded-ipv6": func(t *testing.T) test { - ip1, nw1, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128") - assert.FatalError(t, err) - options := []NamePolicyOption{ - WithExcludedIP(ip1), + WithExcludedIPsOrCIDRs("127.0.0.1/24", "192.168.0.31", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"), } return test{ options: options, want: &NamePolicyEngine{ excludedIPRanges: []*net.IPNet{ - nw1, + nw1, nw2, nw3, }, - numberOfIPRangeConstraints: 1, - totalNumberOfExcludedConstraints: 1, - totalNumberOfConstraints: 1, + numberOfIPRangeConstraints: 3, + totalNumberOfExcludedConstraints: 3, + totalNumberOfConstraints: 3, }, wantErr: false, } }, "ok/with-permitted-emails": func(t *testing.T) test { options := []NamePolicyOption{ - WithPermittedEmailAddresses([]string{"mail@local", "@example.com"}), + WithPermittedEmailAddresses("mail@local", "@example.com"), } return test{ options: options, 
@@ -733,7 +513,7 @@ func TestNew(t *testing.T) { }, "ok/with-excluded-emails": func(t *testing.T) test { options := []NamePolicyOption{ - WithExcludedEmailAddresses([]string{"mail@local", "@example.com"}), + WithExcludedEmailAddresses("mail@local", "@example.com"), } return test{ options: options, @@ -746,39 +526,9 @@ func TestNew(t *testing.T) { wantErr: false, } }, - "ok/with-permitted-email": func(t *testing.T) test { - options := []NamePolicyOption{ - WithPermittedEmailAddress("mail@local"), - } - return test{ - options: options, - want: &NamePolicyEngine{ - permittedEmailAddresses: []string{"mail@local"}, - numberOfEmailAddressConstraints: 1, - totalNumberOfPermittedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, - "ok/with-excluded-email": func(t *testing.T) test { - options := []NamePolicyOption{ - WithExcludedEmailAddress("mail@local"), - } - return test{ - options: options, - want: &NamePolicyEngine{ - excludedEmailAddresses: []string{"mail@local"}, - numberOfEmailAddressConstraints: 1, - totalNumberOfExcludedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, "ok/with-permitted-uris": func(t *testing.T) test { options := []NamePolicyOption{ - WithPermittedURIDomains([]string{"host.local", "*.example.com"}), + WithPermittedURIDomains("host.local", "*.example.com"), } return test{ options: options, @@ -793,7 +543,7 @@ func TestNew(t *testing.T) { }, "ok/with-excluded-uris": func(t *testing.T) test { options := []NamePolicyOption{ - WithExcludedURIDomains([]string{"host.local", "*.example.com"}), + WithExcludedURIDomains("host.local", "*.example.com"), } return test{ options: options, 
@@ -806,54 +556,9 @@ func TestNew(t *testing.T) { wantErr: false, } }, - "ok/with-permitted-uri": func(t *testing.T) test { - options := []NamePolicyOption{ - WithPermittedURIDomain("host.local"), - } - return test{ - options: options, - want: &NamePolicyEngine{ - permittedURIDomains: []string{"host.local"}, - numberOfURIDomainConstraints: 1, - totalNumberOfPermittedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, - "ok/with-permitted-uri-idna": func(t *testing.T) test { - options := []NamePolicyOption{ - WithPermittedURIDomain("*.bücher.example.com"), - } - return test{ - options: options, - want: &NamePolicyEngine{ - permittedURIDomains: []string{".xn--bcher-kva.example.com"}, - numberOfURIDomainConstraints: 1, - totalNumberOfPermittedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, - "ok/with-excluded-uri": func(t *testing.T) test { - options := []NamePolicyOption{ - WithExcludedURIDomain("host.local"), - } - return test{ - options: options, - want: &NamePolicyEngine{ - excludedURIDomains: []string{"host.local"}, - numberOfURIDomainConstraints: 1, - totalNumberOfExcludedConstraints: 1, - totalNumberOfConstraints: 1, - }, - wantErr: false, - } - }, "ok/with-permitted-principals": func(t *testing.T) test { options := []NamePolicyOption{ - WithPermittedPrincipals([]string{"root", "ops"}), + WithPermittedPrincipals("root", "ops"), } return test{ options: options, @@ -868,7 +573,7 @@ func TestNew(t *testing.T) { }, "ok/with-excluded-principals": func(t *testing.T) test { options := []NamePolicyOption{ - WithExcludedPrincipals([]string{"root", "ops"}), + WithExcludedPrincipals("root", "ops"), } return test{ options: options,
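Review bot: The removed `ok/with-permitted-uri-idna` case was the only visible test of IDNA conversion for URI domain constraints (`*.bücher.example.com` to `.xn--bcher-kva.example.com`), and it disappears together with the singular option instead of being ported to the plural one. Unless another case covers it, re-add it using the plural option: `WithPermittedURIDomains("*.bücher.example.com")` with the same expected `permittedURIDomains: []string{".xn--bcher-kva.example.com"}` and counts of 1.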