alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Remove Adder options

Browse source
This commit is contained in:
Herman Slatman 2022-04-18 21:47:31 +02:00
parent 8d15a027a7
commit 82e0033428
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
4 changed files with 107 additions and 922 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
policy/engine.go
View file

@ -258,6 +258,9 @@ func splitSSHPrincipals(cert *ssh.Certificate) (dnsNames []string, ips []net.IP,
// in the SSH certificate. We're exluding URIs, because they can be confusing
// when used in a SSH user certificate.
principals, ips, emails, uris = x509util.SplitSANs(cert.ValidPrincipals)
if len(ips) > 0 {
err = fmt.Errorf("IP principals %v not expected in SSH user certificate ", ips)
}
if len(uris) > 0 {
err = fmt.Errorf("URL principals %v not expected in SSH user certificate ", uris)
}

207
policy/engine_test.go
View file

@ -637,7 +637,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
DNSNames: []string{"www.example.com"},
@ -648,7 +648,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted-wildcard-literal-x509",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.x509local"),
WithPermittedDNSDomain("*.x509local"),
},
cert: &x509.Certificate{
DNSNames: []string{
@ -661,7 +661,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted-single-host",
options: []NamePolicyOption{
AddPermittedDNSDomain("host.local"),
WithPermittedDNSDomain("host.local"),
},
cert: &x509.Certificate{
DNSNames: []string{"differenthost.local"},
@ -672,7 +672,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted-no-label",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
DNSNames: []string{"local"},
@ -683,7 +683,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted-empty-label",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
DNSNames: []string{"www..local"},
@ -694,7 +694,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted-dot-domain",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
DNSNames: []string{
@ -707,7 +707,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted-wildcard-multiple-subdomains",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
DNSNames: []string{
@ -720,7 +720,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted-wildcard-literal",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
DNSNames: []string{
@ -733,7 +733,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted-idna-internationalized-domain",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.豆.jp"),
WithPermittedDNSDomain("*.豆.jp"),
},
cert: &x509.Certificate{
DNSNames: []string{
@ -746,7 +746,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/ipv4-permitted",
options: []NamePolicyOption{
AddPermittedIPRanges(
WithPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
@ -764,7 +764,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/ipv6-permitted",
options: []NamePolicyOption{
AddPermittedIPRanges(
WithPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
@ -782,7 +782,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/mail-permitted-wildcard",
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
WithPermittedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
EmailAddresses: []string{
@ -795,7 +795,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/mail-permitted-wildcard-x509",
options: []NamePolicyOption{
AddPermittedEmailAddress("example.com"),
WithPermittedEmailAddress("example.com"),
},
cert: &x509.Certificate{
EmailAddresses: []string{
@ -808,7 +808,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/mail-permitted-specific-mailbox",
options: []NamePolicyOption{
AddPermittedEmailAddress("test@local.com"),
WithPermittedEmailAddress("test@local.com"),
},
cert: &x509.Certificate{
EmailAddresses: []string{
@ -821,7 +821,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/mail-permitted-wildcard-subdomain",
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
WithPermittedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
EmailAddresses: []string{
@ -834,7 +834,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/mail-permitted-idna-internationalized-domain",
options: []NamePolicyOption{
AddPermittedEmailAddress("@例.jp"),
WithPermittedEmailAddress("@例.jp"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"bücher@例.jp"},
@ -845,7 +845,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/mail-permitted-idna-internationalized-domain-rfc822",
options: []NamePolicyOption{
AddPermittedEmailAddress("@例.jp"),
WithPermittedEmailAddress("@例.jp"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"bücher@例.jp" + string(byte(0))},
@ -856,7 +856,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/mail-permitted-idna-internationalized-domain-ascii",
options: []NamePolicyOption{
AddPermittedEmailAddress("@例.jp"),
WithPermittedEmailAddress("@例.jp"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@xn---bla.jp"},
@ -867,7 +867,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/uri-permitted-domain-wildcard",
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
WithPermittedURIDomain("*.local"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -883,7 +883,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/uri-permitted",
options: []NamePolicyOption{
AddPermittedURIDomain("test.local"),
WithPermittedURIDomain("test.local"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -899,7 +899,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/uri-permitted-with-literal-wildcard", // don't allow literal wildcard in URI, e.g. xxxx://*.domain.tld
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
WithPermittedURIDomain("*.local"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -915,7 +915,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/uri-permitted-idna-internationalized-domain",
options: []NamePolicyOption{
AddPermittedURIDomain("*.bücher.example.com"),
WithPermittedURIDomain("*.bücher.example.com"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -932,7 +932,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-excluded",
options: []NamePolicyOption{
AddExcludedDNSDomain("*.example.com"),
WithExcludedDNSDomain("*.example.com"),
},
cert: &x509.Certificate{
DNSNames: []string{"www.example.com"},
@ -943,7 +943,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-excluded-single-host",
options: []NamePolicyOption{
AddExcludedDNSDomain("host.example.com"),
WithExcludedDNSDomain("host.example.com"),
},
cert: &x509.Certificate{
DNSNames: []string{"host.example.com"},
@ -954,7 +954,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/ipv4-excluded",
options: []NamePolicyOption{
AddExcludedIPRanges(
WithExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
@ -972,7 +972,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/ipv6-excluded",
options: []NamePolicyOption{
AddExcludedIPRanges(
WithExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
@ -990,7 +990,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/mail-excluded",
options: []NamePolicyOption{
AddExcludedEmailAddress("@example.com"),
WithExcludedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@example.com"},
@ -1001,7 +1001,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/uri-excluded",
options: []NamePolicyOption{
AddExcludedURIDomain("*.example.com"),
WithExcludedURIDomain("*.example.com"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -1017,7 +1017,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/uri-excluded-with-literal-wildcard", // don't allow literal wildcard in URI, e.g. xxxx://*.domain.tld
options: []NamePolicyOption{
AddExcludedURIDomain("*.local"),
WithExcludedURIDomain("*.local"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -1035,7 +1035,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "fail/subject-dns-permitted",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1049,7 +1049,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "fail/subject-dns-excluded",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedDNSDomain("*.local"),
WithExcludedDNSDomain("*.local"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1063,7 +1063,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "fail/subject-ipv4-permitted",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedIPRanges(
WithPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
@ -1084,7 +1084,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "fail/subject-ipv4-excluded",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedIPRanges(
WithExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
@ -1105,7 +1105,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "fail/subject-ipv6-permitted",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedIPRanges(
WithPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
@ -1126,7 +1126,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "fail/subject-ipv6-excluded",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedIPRanges(
WithExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
@ -1147,7 +1147,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "fail/subject-email-permitted",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedEmailAddress("@example.local"),
WithPermittedEmailAddress("@example.local"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1161,7 +1161,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "fail/subject-email-excluded",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedEmailAddress("@example.local"),
WithExcludedEmailAddress("@example.local"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1175,7 +1175,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "fail/subject-uri-permitted",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedURIDomain("*.example.com"),
WithPermittedURIDomain("*.example.com"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1189,7 +1189,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "fail/subject-uri-excluded",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedURIDomain("*.example.com"),
WithExcludedURIDomain("*.example.com"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1203,7 +1203,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted-with-ip-name", // when only DNS is permitted, IPs are not allowed.
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
@ -1214,7 +1214,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted-with-mail", // when only DNS is permitted, mails are not allowed.
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@smallstep.com"},
@ -1225,7 +1225,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/dns-permitted-with-uri", // when only DNS is permitted, URIs are not allowed.
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -1241,7 +1241,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/ip-permitted-with-dns-name", // when only IP is permitted, DNS names are not allowed.
options: []NamePolicyOption{
AddPermittedIPRanges(
WithPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
@ -1259,7 +1259,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/ip-permitted-with-mail", // when only IP is permitted, mails are not allowed.
options: []NamePolicyOption{
AddPermittedIPRanges(
WithPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
@ -1277,7 +1277,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/ip-permitted-with-uri", // when only IP is permitted, URIs are not allowed.
options: []NamePolicyOption{
AddPermittedIPRanges(
WithPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
@ -1300,7 +1300,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/mail-permitted-with-dns-name", // when only mail is permitted, DNS names are not allowed.
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
WithPermittedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
DNSNames: []string{"www.example.com"},
@ -1311,7 +1311,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/mail-permitted-with-ip", // when only mail is permitted, IPs are not allowed.
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
WithPermittedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{
@ -1324,7 +1324,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/mail-permitted-with-uri", // when only mail is permitted, URIs are not allowed.
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
WithPermittedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -1340,7 +1340,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/uri-permitted-with-dns-name", // when only URI is permitted, DNS names are not allowed.
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
WithPermittedURIDomain("*.local"),
},
cert: &x509.Certificate{
DNSNames: []string{"host.local"},
@ -1351,7 +1351,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, IPs are not allowed.
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
WithPermittedURIDomain("*.local"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{
@ -1364,7 +1364,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, mails are not allowed.
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
WithPermittedURIDomain("*.local"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@smallstep.com"},
@ -1488,7 +1488,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/dns-permitted",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
DNSNames: []string{"example.local"},
@ -1499,8 +1499,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/dns-permitted-wildcard",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
AddPermittedDNSDomain("*.x509local"),
WithPermittedDNSDomains([]string{"*.local", "*.x509local"}),
WithAllowLiteralWildcardNames(),
},
cert: &x509.Certificate{
@ -1515,8 +1514,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/dns-permitted-wildcard-literal",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
AddPermittedDNSDomain("*.x509local"),
WithPermittedDNSDomains([]string{"*.local", "*.x509local"}),
WithAllowLiteralWildcardNames(),
},
cert: &x509.Certificate{
@ -1531,9 +1529,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/dns-permitted-combined",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.local"),
AddPermittedDNSDomain("*.x509local"),
AddPermittedDNSDomain("host.example.com"),
WithPermittedDNSDomains([]string{"*.local", "*.x509local", "host.example.com"}),
},
cert: &x509.Certificate{
DNSNames: []string{
@ -1548,7 +1544,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/dns-permitted-idna-internationalized-domain",
options: []NamePolicyOption{
AddPermittedDNSDomain("*.例.jp"),
WithPermittedDNSDomain("*.例.jp"),
},
cert: &x509.Certificate{
DNSNames: []string{
@ -1561,7 +1557,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/ipv4-permitted",
options: []NamePolicyOption{
AddPermittedCIDR("127.0.0.1/24"),
WithPermittedCIDR("127.0.0.1/24"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("127.0.0.20")},
@ -1572,7 +1568,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/ipv6-permitted",
options: []NamePolicyOption{
AddPermittedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
WithPermittedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7339")},
@ -1583,7 +1579,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/mail-permitted-wildcard",
options: []NamePolicyOption{
AddPermittedEmailAddress("@example.com"),
WithPermittedEmailAddress("@example.com"),
},
cert: &x509.Certificate{
EmailAddresses: []string{
@ -1596,7 +1592,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/mail-permitted-plain-domain",
options: []NamePolicyOption{
AddPermittedEmailAddress("example.com"),
WithPermittedEmailAddress("example.com"),
},
cert: &x509.Certificate{
EmailAddresses: []string{
@ -1609,7 +1605,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/mail-permitted-specific-mailbox",
options: []NamePolicyOption{
AddPermittedEmailAddress("test@local.com"),
WithPermittedEmailAddress("test@local.com"),
},
cert: &x509.Certificate{
EmailAddresses: []string{
@ -1622,7 +1618,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/mail-permitted-idna-internationalized-domain",
options: []NamePolicyOption{
AddPermittedEmailAddress("@例.jp"),
WithPermittedEmailAddress("@例.jp"),
},
cert: &x509.Certificate{
EmailAddresses: []string{},
@ -1633,7 +1629,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/uri-permitted-domain-wildcard",
options: []NamePolicyOption{
AddPermittedURIDomain("*.local"),
WithPermittedURIDomain("*.local"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -1649,7 +1645,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/uri-permitted-specific-uri",
options: []NamePolicyOption{
AddPermittedURIDomain("test.local"),
WithPermittedURIDomain("test.local"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -1665,7 +1661,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/uri-permitted-with-port",
options: []NamePolicyOption{
AddPermittedURIDomain("*.example.com"),
WithPermittedURIDomain("*.example.com"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -1681,7 +1677,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/uri-permitted-idna-internationalized-domain",
options: []NamePolicyOption{
AddPermittedURIDomain("*.bücher.example.com"),
WithPermittedURIDomain("*.bücher.example.com"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -1697,7 +1693,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/uri-permitted-idna-internationalized-domain",
options: []NamePolicyOption{
AddPermittedURIDomain("bücher.example.com"),
WithPermittedURIDomain("bücher.example.com"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -1725,7 +1721,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/ipv4-excluded",
options: []NamePolicyOption{
AddExcludedIPRanges(
WithExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
@ -1743,7 +1739,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/ipv6-excluded",
options: []NamePolicyOption{
AddExcludedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
WithExcludedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("2003:0db8:85a3:0000:0000:8a2e:0370:7334")},
@ -1794,7 +1790,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/subject-empty",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1809,7 +1805,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/subject-dns-permitted",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedDNSDomain("*.local"),
WithPermittedDNSDomain("*.local"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1823,7 +1819,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/subject-dns-excluded",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedDNSDomain("*.notlocal"),
WithExcludedDNSDomain("*.notlocal"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1837,7 +1833,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/subject-ipv4-permitted",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedIPRanges(
WithPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("127.0.0.1"),
@ -1858,7 +1854,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/subject-ipv4-excluded",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedIPRanges(
WithExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("128.0.0.1"),
@ -1879,7 +1875,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/subject-ipv6-permitted",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedIPRanges(
WithPermittedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
@ -1900,7 +1896,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/subject-ipv6-excluded",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedIPRanges(
WithExcludedIPRanges(
[]*net.IPNet{
{
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
@ -1921,7 +1917,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/subject-email-permitted",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedEmailAddress("@example.local"),
WithPermittedEmailAddress("@example.local"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1935,7 +1931,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/subject-email-excluded",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedEmailAddress("@example.notlocal"),
WithExcludedEmailAddress("@example.notlocal"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1949,7 +1945,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/subject-uri-permitted",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddPermittedURIDomain("*.example.com"),
WithPermittedURIDomain("*.example.com"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1963,7 +1959,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/subject-uri-excluded",
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedURIDomain("*.smallstep.com"),
WithExcludedURIDomain("*.smallstep.com"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -1977,7 +1973,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/dns-excluded-with-ip-name", // when only DNS is exluded, we allow anything else
options: []NamePolicyOption{
AddExcludedDNSDomain("*.local"),
WithExcludedDNSDomain("*.local"),
},
cert: &x509.Certificate{
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
@ -1988,7 +1984,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else
options: []NamePolicyOption{
AddExcludedDNSDomain("*.local"),
WithExcludedDNSDomain("*.local"),
},
cert: &x509.Certificate{
EmailAddresses: []string{"mail@example.com"},
@ -1999,7 +1995,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
{
name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else
options: []NamePolicyOption{
AddExcludedDNSDomain("*.local"),
WithExcludedDNSDomain("*.local"),
},
cert: &x509.Certificate{
URIs: []*url.URL{
@ -2125,7 +2121,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
name: "ok/dns-excluded-with-subject-ip-name", // when only DNS is exluded, we allow anything else
options: []NamePolicyOption{
WithSubjectCommonNameVerification(),
AddExcludedDNSDomain("*.local"),
WithExcludedDNSDomain("*.local"),
},
cert: &x509.Certificate{
Subject: pkix.Name{
@ -2750,6 +2746,18 @@ func Test_splitSSHPrincipals(t *testing.T) {
wantErr: true,
}
},
"fail/user-ip": func(t *testing.T) test {
r := emptyResult()
r.wantIps = []net.IP{net.ParseIP("127.0.0.1")}
return test{
cert: &ssh.Certificate{
CertType: ssh.UserCert,
ValidPrincipals: []string{"127.0.0.1"},
},
r: r,
wantErr: true,
}
},
"fail/user-uri": func(t *testing.T) test {
r := emptyResult()
return test{
@ -2780,7 +2788,8 @@ func Test_splitSSHPrincipals(t *testing.T) {
CertType: ssh.HostCert,
ValidPrincipals: []string{"host.example.com"},
},
r: r,
r: r,
wantErr: false,
}
},
"ok/host-ip": func(t *testing.T) test {
@ -2791,7 +2800,8 @@ func Test_splitSSHPrincipals(t *testing.T) {
CertType: ssh.HostCert,
ValidPrincipals: []string{"127.0.0.1"},
},
r: r,
r: r,
wantErr: false,
}
},
"ok/host-email": func(t *testing.T) test {
@ -2814,7 +2824,8 @@ func Test_splitSSHPrincipals(t *testing.T) {
CertType: ssh.UserCert,
ValidPrincipals: []string{"localhost"},
},
r: r,
r: r,
wantErr: false,
}
},
"ok/user-username-with-period": func(t *testing.T) test {
@ -2825,17 +2836,6 @@ func Test_splitSSHPrincipals(t *testing.T) {
CertType: ssh.UserCert,
ValidPrincipals: []string{"x.joe"},
},
r: r,
}
},
"ok/user-ip": func(t *testing.T) test {
r := emptyResult()
r.wantIps = []net.IP{net.ParseIP("127.0.0.1")}
return test{
cert: &ssh.Certificate{
CertType: ssh.UserCert,
ValidPrincipals: []string{"127.0.0.1"},
},
r: r,
wantErr: false,
}
@ -2848,7 +2848,8 @@ func Test_splitSSHPrincipals(t *testing.T) {
CertType: ssh.UserCert,
ValidPrincipals: []string{"ops@work"},
},
r: r,
r: r,
wantErr: false,
}
},
}

247
policy/options.go
View file

@ -41,21 +41,6 @@ func WithPermittedDNSDomains(domains []string) NamePolicyOption {
}
}
func AddPermittedDNSDomains(domains []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedDomains := make([]string, len(domains))
for i, domain := range domains {
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
if err != nil {
return fmt.Errorf("cannot parse permitted domain constraint %q: %w", domain, err)
}
normalizedDomains[i] = normalizedDomain
}
e.permittedDNSDomains = append(e.permittedDNSDomains, normalizedDomains...)
return nil
}
}
func WithExcludedDNSDomains(domains []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedDomains := make([]string, len(domains))
@ -71,21 +56,6 @@ func WithExcludedDNSDomains(domains []string) NamePolicyOption {
}
}
func AddExcludedDNSDomains(domains []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedDomains := make([]string, len(domains))
for i, domain := range domains {
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
if err != nil {
return fmt.Errorf("cannot parse excluded domain constraint %q: %w", domain, err)
}
normalizedDomains[i] = normalizedDomain
}
e.excludedDNSDomains = append(e.excludedDNSDomains, normalizedDomains...)
return nil
}
}
func WithPermittedDNSDomain(domain string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
@ -97,17 +67,6 @@ func WithPermittedDNSDomain(domain string) NamePolicyOption {
}
}
func AddPermittedDNSDomain(domain string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
if err != nil {
return fmt.Errorf("cannot parse permitted domain constraint %q: %w", domain, err)
}
e.permittedDNSDomains = append(e.permittedDNSDomains, normalizedDomain)
return nil
}
}
func WithExcludedDNSDomain(domain string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
@ -119,17 +78,6 @@ func WithExcludedDNSDomain(domain string) NamePolicyOption {
}
}
func AddExcludedDNSDomain(domain string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
if err != nil {
return fmt.Errorf("cannot parse excluded domain constraint %q: %w", domain, err)
}
e.excludedDNSDomains = append(e.excludedDNSDomains, normalizedDomain)
return nil
}
}
func WithPermittedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
return func(e *NamePolicyEngine) error {
e.permittedIPRanges = ipRanges
@ -137,13 +85,6 @@ func WithPermittedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
}
}
func AddPermittedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
return func(e *NamePolicyEngine) error {
e.permittedIPRanges = append(e.permittedIPRanges, ipRanges...)
return nil
}
}
func WithPermittedCIDRs(cidrs []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
networks := make([]*net.IPNet, len(cidrs))
@ -159,21 +100,6 @@ func WithPermittedCIDRs(cidrs []string) NamePolicyOption {
}
}
func AddPermittedCIDRs(cidrs []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
networks := make([]*net.IPNet, len(cidrs))
for i, cidr := range cidrs {
_, nw, err := net.ParseCIDR(cidr)
if err != nil {
return fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr)
}
networks[i] = nw
}
e.permittedIPRanges = append(e.permittedIPRanges, networks...)
return nil
}
}
func WithExcludedCIDRs(cidrs []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
networks := make([]*net.IPNet, len(cidrs))
@ -189,21 +115,6 @@ func WithExcludedCIDRs(cidrs []string) NamePolicyOption {
}
}
func AddExcludedCIDRs(cidrs []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
networks := make([]*net.IPNet, len(cidrs))
for i, cidr := range cidrs {
_, nw, err := net.ParseCIDR(cidr)
if err != nil {
return fmt.Errorf("cannot parse excluded CIDR constraint %q", cidr)
}
networks[i] = nw
}
e.excludedIPRanges = append(e.excludedIPRanges, networks...)
return nil
}
}
func WithPermittedIPsOrCIDRs(ipsOrCIDRs []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
networks := make([]*net.IPNet, len(ipsOrCIDRs))
@ -251,17 +162,6 @@ func WithPermittedCIDR(cidr string) NamePolicyOption {
}
}
func AddPermittedCIDR(cidr string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
_, nw, err := net.ParseCIDR(cidr)
if err != nil {
return fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr)
}
e.permittedIPRanges = append(e.permittedIPRanges, nw)
return nil
}
}
func WithPermittedIP(ip net.IP) NamePolicyOption {
return func(e *NamePolicyEngine) error {
nw := networkFor(ip)
@ -270,14 +170,6 @@ func WithPermittedIP(ip net.IP) NamePolicyOption {
}
}
func AddPermittedIP(ip net.IP) NamePolicyOption {
return func(e *NamePolicyEngine) error {
nw := networkFor(ip)
e.permittedIPRanges = append(e.permittedIPRanges, nw)
return nil
}
}
func WithExcludedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
return func(e *NamePolicyEngine) error {
e.excludedIPRanges = ipRanges
@ -285,13 +177,6 @@ func WithExcludedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
}
}
func AddExcludedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
return func(e *NamePolicyEngine) error {
e.excludedIPRanges = append(e.excludedIPRanges, ipRanges...)
return nil
}
}
func WithExcludedCIDR(cidr string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
_, nw, err := net.ParseCIDR(cidr)
@ -303,17 +188,6 @@ func WithExcludedCIDR(cidr string) NamePolicyOption {
}
}
func AddExcludedCIDR(cidr string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
_, nw, err := net.ParseCIDR(cidr)
if err != nil {
return fmt.Errorf("cannot parse excluded CIDR constraint %q", cidr)
}
e.excludedIPRanges = append(e.excludedIPRanges, nw)
return nil
}
}
func WithExcludedIP(ip net.IP) NamePolicyOption {
return func(e *NamePolicyEngine) error {
var mask net.IPMask
@ -331,23 +205,6 @@ func WithExcludedIP(ip net.IP) NamePolicyOption {
}
}
func AddExcludedIP(ip net.IP) NamePolicyOption {
return func(e *NamePolicyEngine) error {
var mask net.IPMask
if !isIPv4(ip) {
mask = net.CIDRMask(128, 128)
} else {
mask = net.CIDRMask(32, 32)
}
nw := &net.IPNet{
IP: ip,
Mask: mask,
}
e.excludedIPRanges = append(e.excludedIPRanges, nw)
return nil
}
}
func WithPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedEmailAddresses := make([]string, len(emailAddresses))
@ -363,21 +220,6 @@ func WithPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
}
}
func AddPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedEmailAddresses := make([]string, len(emailAddresses))
for i, email := range emailAddresses {
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
if err != nil {
return fmt.Errorf("cannot parse permitted email constraint %q: %w", email, err)
}
normalizedEmailAddresses[i] = normalizedEmailAddress
}
e.permittedEmailAddresses = append(e.permittedEmailAddresses, normalizedEmailAddresses...)
return nil
}
}
func WithExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedEmailAddresses := make([]string, len(emailAddresses))
@ -393,21 +235,6 @@ func WithExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
}
}
func AddExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedEmailAddresses := make([]string, len(emailAddresses))
for i, email := range emailAddresses {
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
if err != nil {
return fmt.Errorf("cannot parse excluded email constraint %q: %w", email, err)
}
normalizedEmailAddresses[i] = normalizedEmailAddress
}
e.excludedEmailAddresses = append(e.excludedEmailAddresses, normalizedEmailAddresses...)
return nil
}
}
func WithPermittedEmailAddress(emailAddress string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
@ -419,17 +246,6 @@ func WithPermittedEmailAddress(emailAddress string) NamePolicyOption {
}
}
func AddPermittedEmailAddress(emailAddress string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
if err != nil {
return fmt.Errorf("cannot parse permitted email constraint %q: %w", emailAddress, err)
}
e.permittedEmailAddresses = append(e.permittedEmailAddresses, normalizedEmailAddress)
return nil
}
}
func WithExcludedEmailAddress(emailAddress string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
@ -441,17 +257,6 @@ func WithExcludedEmailAddress(emailAddress string) NamePolicyOption {
}
}
func AddExcludedEmailAddress(emailAddress string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
if err != nil {
return fmt.Errorf("cannot parse excluded email constraint %q: %w", emailAddress, err)
}
e.excludedEmailAddresses = append(e.excludedEmailAddresses, normalizedEmailAddress)
return nil
}
}
func WithPermittedURIDomains(uriDomains []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedURIDomains := make([]string, len(uriDomains))
@ -467,21 +272,6 @@ func WithPermittedURIDomains(uriDomains []string) NamePolicyOption {
}
}
func AddPermittedURIDomains(uriDomains []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedURIDomains := make([]string, len(uriDomains))
for i, domain := range uriDomains {
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
if err != nil {
return fmt.Errorf("cannot parse permitted URI domain constraint %q: %w", domain, err)
}
normalizedURIDomains[i] = normalizedURIDomain
}
e.permittedURIDomains = append(e.permittedURIDomains, normalizedURIDomains...)
return nil
}
}
func WithPermittedURIDomain(domain string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
@ -493,17 +283,6 @@ func WithPermittedURIDomain(domain string) NamePolicyOption {
}
}
func AddPermittedURIDomain(domain string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
if err != nil {
return fmt.Errorf("cannot parse permitted URI domain constraint %q: %w", domain, err)
}
e.permittedURIDomains = append(e.permittedURIDomains, normalizedURIDomain)
return nil
}
}
func WithExcludedURIDomains(domains []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedURIDomains := make([]string, len(domains))
@ -519,21 +298,6 @@ func WithExcludedURIDomains(domains []string) NamePolicyOption {
}
}
func AddExcludedURIDomains(domains []string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedURIDomains := make([]string, len(domains))
for i, domain := range domains {
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
if err != nil {
return fmt.Errorf("cannot parse excluded URI domain constraint %q: %w", domain, err)
}
normalizedURIDomains[i] = normalizedURIDomain
}
e.excludedURIDomains = append(e.excludedURIDomains, normalizedURIDomains...)
return nil
}
}
func WithExcludedURIDomain(domain string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
@ -545,17 +309,6 @@ func WithExcludedURIDomain(domain string) NamePolicyOption {
}
}
func AddExcludedURIDomain(domain string) NamePolicyOption {
return func(e *NamePolicyEngine) error {
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
if err != nil {
return fmt.Errorf("cannot parse excluded URI domain constraint %q: %w", domain, err)
}
e.excludedURIDomains = append(e.excludedURIDomains, normalizedURIDomain)
return nil
}
}
func WithPermittedPrincipals(principals []string) NamePolicyOption {
return func(g *NamePolicyEngine) error {
// TODO(hs): normalize and parse principal into the right type? Seems the safe thing to do.

572
policy/options_test.go
View file

@ -206,15 +206,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-permitted-dns-domains": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddPermittedDNSDomains([]string{"**.local"}),
},
want: nil,
wantErr: true,
}
},
"fail/with-excluded-dns-domains": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -224,15 +215,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-excluded-dns-domains": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddExcludedDNSDomains([]string{"**.local"}),
},
want: nil,
wantErr: true,
}
},
"fail/with-permitted-dns-domain": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -242,15 +224,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-permitted-dns-domain": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddPermittedDNSDomain("**.local"),
},
want: nil,
wantErr: true,
}
},
"fail/with-excluded-dns-domain": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -260,15 +233,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-excluded-dns-domain": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddExcludedDNSDomain("**.local"),
},
want: nil,
wantErr: true,
}
},
"fail/with-permitted-cidrs": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -278,15 +242,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-permitted-cidrs": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddPermittedCIDRs([]string{"127.0.0.1//24"}),
},
want: nil,
wantErr: true,
}
},
"fail/with-excluded-cidrs": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -296,15 +251,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-excluded-cidrs": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddExcludedCIDRs([]string{"127.0.0.1//24"}),
},
want: nil,
wantErr: true,
}
},
"fail/with-permitted-ipsOrCIDRs-cidr": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -350,15 +296,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-permitted-cidr": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddPermittedCIDR("127.0.0.1//24"),
},
want: nil,
wantErr: true,
}
},
"fail/with-excluded-cidr": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -368,15 +305,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-excluded-cidr": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddExcludedCIDR("127.0.0.1//24"),
},
want: nil,
wantErr: true,
}
},
"fail/with-permitted-emails": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -386,15 +314,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-permitted-emails": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddPermittedEmailAddresses([]string{"*.local"}),
},
want: nil,
wantErr: true,
}
},
"fail/with-excluded-emails": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -404,15 +323,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-excluded-emails": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddExcludedEmailAddresses([]string{"*.local"}),
},
want: nil,
wantErr: true,
}
},
"fail/with-permitted-email": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -422,15 +332,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-permitted-email": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddPermittedEmailAddress("*.local"),
},
want: nil,
wantErr: true,
}
},
"fail/with-excluded-email": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -440,15 +341,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-excluded-email": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddExcludedEmailAddress("*.local"),
},
want: nil,
wantErr: true,
}
},
"fail/with-permitted-uris": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -458,15 +350,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-permitted-uris": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddPermittedURIDomains([]string{"**.local"}),
},
want: nil,
wantErr: true,
}
},
"fail/with-excluded-uris": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -476,15 +359,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-excluded-uris": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddExcludedURIDomains([]string{"**.local"}),
},
want: nil,
wantErr: true,
}
},
"fail/with-permitted-uri": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -494,15 +368,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-permitted-uri": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddPermittedURIDomain("**.local"),
},
want: nil,
wantErr: true,
}
},
"fail/with-excluded-uri": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
@ -512,15 +377,6 @@ func TestNew(t *testing.T) {
wantErr: true,
}
},
"fail/add-excluded-uri": func(t *testing.T) test {
return test{
options: []NamePolicyOption{
AddExcludedURIDomain("**.local"),
},
want: nil,
wantErr: true,
}
},
"ok/default": func(t *testing.T) test {
return test{
options: []NamePolicyOption{},
@ -567,22 +423,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-dns-wildcard-domains": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedDNSDomains([]string{"*.local"}),
AddPermittedDNSDomains([]string{"*.example.com", "*.local"}),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedDNSDomains: []string{".local", ".example.com"},
numberOfDNSDomainConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-excluded-dns-domains": func(t *testing.T) test {
options := []NamePolicyOption{
WithExcludedDNSDomains([]string{"*.local", "*.example.com"}),
@ -598,22 +438,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-excluded-dns-domains": func(t *testing.T) test {
options := []NamePolicyOption{
WithExcludedDNSDomains([]string{"*.local"}),
AddExcludedDNSDomains([]string{"*.local", "*.example.com"}),
}
return test{
options: options,
want: &NamePolicyEngine{
excludedDNSDomains: []string{".local", ".example.com"},
numberOfDNSDomainConstraints: 2,
totalNumberOfExcludedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-dns-wildcard-domain": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedDNSDomain("*.example.com"),
@ -629,22 +453,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-dns-wildcard-domain": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedDNSDomain("*.example.com"),
AddPermittedDNSDomain("*.local"),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedDNSDomains: []string{".example.com", ".local"},
numberOfDNSDomainConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-dns-domain": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedDNSDomain("www.example.com"),
@ -660,22 +468,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-dns-domain": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedDNSDomain("www.example.com"),
AddPermittedDNSDomain("host.local"),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedDNSDomains: []string{"www.example.com", "host.local"},
numberOfDNSDomainConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-ip-ranges": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
@ -701,36 +493,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-ip-ranges": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
assert.FatalError(t, err)
options := []NamePolicyOption{
WithPermittedIPRanges(
[]*net.IPNet{
nw1,
},
),
AddPermittedIPRanges(
[]*net.IPNet{
nw1, nw2,
},
),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedIPRanges: []*net.IPNet{
nw1, nw2,
},
numberOfIPRangeConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-excluded-ip-ranges": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
@ -756,36 +518,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-excluded-ip-ranges": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
assert.FatalError(t, err)
options := []NamePolicyOption{
WithExcludedIPRanges(
[]*net.IPNet{
nw1,
},
),
AddExcludedIPRanges(
[]*net.IPNet{
nw1, nw2,
},
),
}
return test{
options: options,
want: &NamePolicyEngine{
excludedIPRanges: []*net.IPNet{
nw1, nw2,
},
numberOfIPRangeConstraints: 2,
totalNumberOfExcludedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-cidrs": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
@ -807,28 +539,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-cidrs": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
assert.FatalError(t, err)
options := []NamePolicyOption{
WithPermittedCIDRs([]string{"127.0.0.1/24"}),
AddPermittedCIDRs([]string{"127.0.0.1/24", "192.168.0.1/24"}),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedIPRanges: []*net.IPNet{
nw1, nw2,
},
numberOfIPRangeConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-excluded-cidrs": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
@ -850,28 +560,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-excluded-cidrs": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
assert.FatalError(t, err)
options := []NamePolicyOption{
WithExcludedCIDRs([]string{"127.0.0.1/24"}),
AddExcludedCIDRs([]string{"127.0.0.1/24", "192.168.0.1/24"}),
}
return test{
options: options,
want: &NamePolicyEngine{
excludedIPRanges: []*net.IPNet{
nw1, nw2,
},
numberOfIPRangeConstraints: 2,
totalNumberOfExcludedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-ipsOrCIDRs-cidr": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
@ -933,28 +621,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-cidr": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
assert.FatalError(t, err)
options := []NamePolicyOption{
WithPermittedCIDR("127.0.0.1/24"),
AddPermittedCIDR("192.168.0.1/24"),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedIPRanges: []*net.IPNet{
nw1, nw2,
},
numberOfIPRangeConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-excluded-cidr": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
@ -974,28 +640,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-excluded-cidr": func(t *testing.T) test {
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
assert.FatalError(t, err)
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
assert.FatalError(t, err)
options := []NamePolicyOption{
WithExcludedCIDR("127.0.0.1/24"),
AddExcludedCIDR("192.168.0.1/24"),
}
return test{
options: options,
want: &NamePolicyEngine{
excludedIPRanges: []*net.IPNet{
nw1, nw2,
},
numberOfIPRangeConstraints: 2,
totalNumberOfExcludedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-ipv4": func(t *testing.T) test {
ip1, nw1, err := net.ParseCIDR("127.0.0.15/32")
assert.FatalError(t, err)
@ -1015,28 +659,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-ipv4": func(t *testing.T) test {
ip1, nw1, err := net.ParseCIDR("127.0.0.45/32")
assert.FatalError(t, err)
ip2, nw2, err := net.ParseCIDR("192.168.0.55/32")
assert.FatalError(t, err)
options := []NamePolicyOption{
WithPermittedIP(ip1),
AddPermittedIP(ip2),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedIPRanges: []*net.IPNet{
nw1, nw2,
},
numberOfIPRangeConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-excluded-ipv4": func(t *testing.T) test {
ip1, nw1, err := net.ParseCIDR("127.0.0.15/32")
assert.FatalError(t, err)
@ -1056,28 +678,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-excluded-ipv4": func(t *testing.T) test {
ip1, nw1, err := net.ParseCIDR("127.0.0.45/32")
assert.FatalError(t, err)
ip2, nw2, err := net.ParseCIDR("192.168.0.55/32")
assert.FatalError(t, err)
options := []NamePolicyOption{
WithExcludedIP(ip1),
AddExcludedIP(ip2),
}
return test{
options: options,
want: &NamePolicyEngine{
excludedIPRanges: []*net.IPNet{
nw1, nw2,
},
numberOfIPRangeConstraints: 2,
totalNumberOfExcludedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-ipv6": func(t *testing.T) test {
ip1, nw1, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
assert.FatalError(t, err)
@ -1097,28 +697,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-ipv6": func(t *testing.T) test {
ip1, nw1, err := net.ParseCIDR("127.0.0.10/32")
assert.FatalError(t, err)
ip2, nw2, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
assert.FatalError(t, err)
options := []NamePolicyOption{
WithPermittedIP(ip1),
AddPermittedIP(ip2),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedIPRanges: []*net.IPNet{
nw1, nw2,
},
numberOfIPRangeConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-excluded-ipv6": func(t *testing.T) test {
ip1, nw1, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
assert.FatalError(t, err)
@ -1138,28 +716,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-excluded-ipv6": func(t *testing.T) test {
ip1, nw1, err := net.ParseCIDR("127.0.0.10/32")
assert.FatalError(t, err)
ip2, nw2, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
assert.FatalError(t, err)
options := []NamePolicyOption{
WithExcludedIP(ip1),
AddExcludedIP(ip2),
}
return test{
options: options,
want: &NamePolicyEngine{
excludedIPRanges: []*net.IPNet{
nw1, nw2,
},
numberOfIPRangeConstraints: 2,
totalNumberOfExcludedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-emails": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedEmailAddresses([]string{"mail@local", "@example.com"}),
@ -1175,22 +731,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-emails": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedEmailAddresses([]string{"mail@local"}),
AddPermittedEmailAddresses([]string{"@example.com", "mail@local"}),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedEmailAddresses: []string{"mail@local", "example.com"},
numberOfEmailAddressConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-excluded-emails": func(t *testing.T) test {
options := []NamePolicyOption{
WithExcludedEmailAddresses([]string{"mail@local", "@example.com"}),
@ -1206,22 +746,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-excluded-emails": func(t *testing.T) test {
options := []NamePolicyOption{
WithExcludedEmailAddresses([]string{"mail@local"}),
AddExcludedEmailAddresses([]string{"@example.com", "mail@local"}),
}
return test{
options: options,
want: &NamePolicyEngine{
excludedEmailAddresses: []string{"mail@local", "example.com"},
numberOfEmailAddressConstraints: 2,
totalNumberOfExcludedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-email": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedEmailAddress("mail@local"),
@ -1237,22 +761,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-email": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedEmailAddress("mail@local"),
AddPermittedEmailAddress("@example.com"),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedEmailAddresses: []string{"mail@local", "example.com"},
numberOfEmailAddressConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-excluded-email": func(t *testing.T) test {
options := []NamePolicyOption{
WithExcludedEmailAddress("mail@local"),
@ -1268,22 +776,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-excluded-email": func(t *testing.T) test {
options := []NamePolicyOption{
WithExcludedEmailAddress("mail@local"),
AddExcludedEmailAddress("@example.com"),
}
return test{
options: options,
want: &NamePolicyEngine{
excludedEmailAddresses: []string{"mail@local", "example.com"},
numberOfEmailAddressConstraints: 2,
totalNumberOfExcludedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-uris": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedURIDomains([]string{"host.local", "*.example.com"}),
@ -1299,22 +791,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-uris": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedURIDomains([]string{"host.local"}),
AddPermittedURIDomains([]string{"*.example.com", "host.local"}),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedURIDomains: []string{"host.local", ".example.com"},
numberOfURIDomainConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-excluded-uris": func(t *testing.T) test {
options := []NamePolicyOption{
WithExcludedURIDomains([]string{"host.local", "*.example.com"}),
@ -1330,22 +806,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-excluded-uris": func(t *testing.T) test {
options := []NamePolicyOption{
WithExcludedURIDomains([]string{"host.local"}),
AddExcludedURIDomains([]string{"*.example.com", "host.local"}),
}
return test{
options: options,
want: &NamePolicyEngine{
excludedURIDomains: []string{"host.local", ".example.com"},
numberOfURIDomainConstraints: 2,
totalNumberOfExcludedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-uri": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedURIDomain("host.local"),
@ -1376,22 +836,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-permitted-uri": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedURIDomain("host.local"),
AddPermittedURIDomain("*.example.com"),
}
return test{
options: options,
want: &NamePolicyEngine{
permittedURIDomains: []string{"host.local", ".example.com"},
numberOfURIDomainConstraints: 2,
totalNumberOfPermittedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-excluded-uri": func(t *testing.T) test {
options := []NamePolicyOption{
WithExcludedURIDomain("host.local"),
@ -1407,22 +851,6 @@ func TestNew(t *testing.T) {
wantErr: false,
}
},
"ok/add-excluded-uri": func(t *testing.T) test {
options := []NamePolicyOption{
WithExcludedURIDomain("host.local"),
AddExcludedURIDomain("*.example.com"),
}
return test{
options: options,
want: &NamePolicyEngine{
excludedURIDomains: []string{"host.local", ".example.com"},
numberOfURIDomainConstraints: 2,
totalNumberOfExcludedConstraints: 2,
totalNumberOfConstraints: 2,
},
wantErr: false,
}
},
"ok/with-permitted-principals": func(t *testing.T) test {
options := []NamePolicyOption{
WithPermittedPrincipals([]string{"root", "ops"}),