Add more constraint unit tests

2022-09-20 11:33:36 -07:00 · 2022-09-20 11:33:36 -07:00 · 7bea2f4d0e
commit 7bea2f4d0e
parent 495494ce8f
2 changed files with 102 additions and 12 deletions
--- a/authority/internal/constraints/constraints.go
+++ b/authority/internal/constraints/constraints.go
@ -9,12 +9,15 @@ import (

 var oidExtensionNameConstraints = []int{2, 5, 29, 30}

+// ConstraintError is the typed error that will be returned if a constraint
+// error is found.
 type ConstraintError struct {
 	Type   string
 	Name   string
 	Detail string
 }

+// Error implements the error interface.
 func (e ConstraintError) Error() string {
 	return e.Detail
 }
@ -31,6 +34,8 @@ type service struct {
 	excludedURIDomains      []string
 }

+// New creates a constraint validation service that contains the given chain of
+// certificates.
 func New(chain ...*x509.Certificate) *service {
 	s := new(service)
 	for _, crt := range chain {
@ -55,8 +60,9 @@ func New(chain ...*x509.Certificate) *service {
 	return s
 }

-// Validates
-func (s *service) Validate(dnsNames []string, ipAddresses []*net.IP, emailAddresses []string, uris []*url.URL) error {
+// Validate checks the given names with the name constraints defined in the
+// service.
+func (s *service) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresses []string, uris []*url.URL) error {
 	if !s.hasNameConstraints {
 		return nil
 	}
--- a/authority/internal/constraints/constraints_test.go
+++ b/authority/internal/constraints/constraints_test.go
@ -94,7 +94,7 @@ func Test_service_Validate(t *testing.T) {
 	}
 	type args struct {
 		dnsNames       []string
-		ipAddresses    []*net.IP
+		ipAddresses    []net.IP
 		emailAddresses []string
 		uris           []*url.URL
 	}
@ -106,18 +106,102 @@ func Test_service_Validate(t *testing.T) {
 	}{
 		{"ok", fields{hasNameConstraints: false}, args{
 			dnsNames:       []string{"example.com", "host.example.com"},
-			ipAddresses:    []*net.IP{{192, 168, 1, 1}, {0x26, 0x00, 0x1f, 0x1c, 0x47, 0x1, 0x9d, 0x00, 0xc3, 0xa7, 0x66, 0x94, 0x87, 0x0f, 0x20, 0x72}},
+			ipAddresses:    []net.IP{{192, 168, 1, 1}, {0x26, 0x00, 0x1f, 0x1c, 0x47, 0x1, 0x9d, 0x00, 0xc3, 0xa7, 0x66, 0x94, 0x87, 0x0f, 0x20, 0x72}},
 			emailAddresses: []string{"root@example.com"},
 			uris:           []*url.URL{{Scheme: "https", Host: "example.com", Path: "/uuid/c6d1a755-0c12-431e-9136-b64cb3173ec7"}},
 		}, false},
-		// {"ok dns", fields{}, args{}, false},
-		// {"ok ip", fields{}, args{}, false},
-		// {"ok email", fields{}, args{}, false},
-		// {"ok uri", fields{}, args{}, false},
-		// {"fail dns", fields{}, args{}, true},
-		// {"fail ip", fields{}, args{}, true},
-		// {"fail email", fields{}, args{}, true},
-		// {"fail uri", fields{}, args{}, true},
+		{"ok permitted dns ", fields{
+			hasNameConstraints:  true,
+			permittedDNSDomains: []string{"example.com"},
+		}, args{dnsNames: []string{"example.com", "www.example.com"}}, false},
+		{"ok not excluded dns", fields{
+			hasNameConstraints: true,
+			excludedDNSDomains: []string{"example.org"},
+		}, args{dnsNames: []string{"example.com", "www.example.com"}}, false},
+		{"ok permitted ip", fields{
+			hasNameConstraints: true,
+			permittedIPRanges: []*net.IPNet{
+				{IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+			},
+		}, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 1}}}, false},
+		{"ok not excluded ip", fields{
+			hasNameConstraints: true,
+			excludedIPRanges: []*net.IPNet{
+				{IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+			},
+		}, args{ipAddresses: []net.IP{{192, 168, 2, 2}, {192, 168, 3, 1}}}, false},
+		{"ok permitted emails ", fields{
+			hasNameConstraints:      true,
+			permittedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"},
+		}, args{emailAddresses: []string{"root@example.com", "name@acme.org", "name@coyote.acme.com", `"(quoted)"@www.acme.com`}}, false},
+		{"ok not excluded emails", fields{
+			hasNameConstraints:     true,
+			excludedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"},
+		}, args{emailAddresses: []string{"name@example.com", "root@acme.com", "root@other.com"}}, false},
+		{"ok permitted uris ", fields{
+			hasNameConstraints:  true,
+			permittedURIDomains: []string{"example.com", ".acme.com"},
+		}, args{uris: []*url.URL{{Scheme: "https", Host: "example.com", Path: "/path"}, {Scheme: "https", Host: "www.acme.com", Path: "/path"}}}, false},
+		{"ok not excluded uris", fields{
+			hasNameConstraints: true,
+			excludedURIDomains: []string{"example.com", ".acme.com"},
+		}, args{uris: []*url.URL{{Scheme: "https", Host: "example.org", Path: "/path"}, {Scheme: "https", Host: "acme.com", Path: "/path"}}}, false},
+		{"fail permitted dns ", fields{
+			hasNameConstraints:  true,
+			permittedDNSDomains: []string{"example.com"},
+		}, args{dnsNames: []string{"www.example.com", "www.example.org"}}, true},
+		{"fail not excluded dns", fields{
+			hasNameConstraints: true,
+			excludedDNSDomains: []string{"example.org"},
+		}, args{dnsNames: []string{"example.com", "www.example.org"}}, true},
+		{"fail permitted ip", fields{
+			hasNameConstraints: true,
+			permittedIPRanges: []*net.IPNet{
+				{IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+			},
+		}, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 10}}}, true},
+		{"fail not excluded ip", fields{
+			hasNameConstraints: true,
+			excludedIPRanges: []*net.IPNet{
+				{IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+			},
+		}, args{ipAddresses: []net.IP{{192, 168, 2, 2}, {192, 168, 1, 1}}}, true},
+		{"fail permitted emails ", fields{
+			hasNameConstraints:      true,
+			permittedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"},
+		}, args{emailAddresses: []string{"root@example.com", "name@acme.org", "name@acme.com"}}, true},
+		{"fail not excluded emails", fields{
+			hasNameConstraints:     true,
+			excludedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"},
+		}, args{emailAddresses: []string{"name@example.com", "root@example.com"}}, true},
+		{"fail permitted uris ", fields{
+			hasNameConstraints:  true,
+			permittedURIDomains: []string{"example.com", ".acme.com"},
+		}, args{uris: []*url.URL{{Scheme: "https", Host: "example.com", Path: "/path"}, {Scheme: "https", Host: "acme.com", Path: "/path"}}}, true},
+		{"fail not excluded uris", fields{
+			hasNameConstraints: true,
+			excludedURIDomains: []string{"example.com", ".acme.com"},
+		}, args{uris: []*url.URL{{Scheme: "https", Host: "www.example.com", Path: "/path"}, {Scheme: "https", Host: "acme.com", Path: "/path"}}}, true},
+		{"fail parse emails ", fields{
+			hasNameConstraints:      true,
+			permittedEmailAddresses: []string{"example.com"},
+		}, args{emailAddresses: []string{`(notquoted)@example.com`}}, true},
+		{"fail match dns", fields{
+			hasNameConstraints:  true,
+			permittedDNSDomains: []string{"example.com"},
+		}, args{dnsNames: []string{`www.example.com.`}}, true},
+		{"fail match email", fields{
+			hasNameConstraints:     true,
+			excludedEmailAddresses: []string{`(notquoted)@example.com`},
+		}, args{emailAddresses: []string{`ok@example.com`}}, true},
+		{"fail match uri", fields{
+			hasNameConstraints:  true,
+			permittedURIDomains: []string{"example.com"},
+		}, args{uris: []*url.URL{{Scheme: "urn", Opaque: "uuid:36efb1ae-6617-4b23-b799-874a37aaea1c"}}}, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {