diff --git a/policy/engine.go b/policy/engine.go
index afaa2416..fe86ed5c 100755
--- a/policy/engine.go
+++ b/policy/engine.go
@@ -258,6 +258,9 @@ func splitSSHPrincipals(cert *ssh.Certificate) (dnsNames []string, ips []net.IP,
 // in the SSH certificate. We're exluding URIs, because they can be confusing
 // when used in a SSH user certificate.
 principals, ips, emails, uris = x509util.SplitSANs(cert.ValidPrincipals)
+ if len(ips) > 0 {
+ err = fmt.Errorf("IP principals %v not expected in SSH user certificate ", ips)
+ }
 if len(uris) > 0 {
 err = fmt.Errorf("URL principals %v not expected in SSH user certificate ", uris)
 }
diff --git a/policy/engine_test.go b/policy/engine_test.go
index dd0b403f..25e69af3 100755
--- a/policy/engine_test.go
+++ b/policy/engine_test.go
@@ -637,7 +637,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
 {
 name: "fail/dns-permitted",
 options: []NamePolicyOption{
- AddPermittedDNSDomain("*.local"),
+ WithPermittedDNSDomain("*.local"),
 },
 cert: &x509.Certificate{
 DNSNames: []string{"www.example.com"},
@@ -648,7 +648,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
 {
 name: "fail/dns-permitted-wildcard-literal-x509",
 options: []NamePolicyOption{
- AddPermittedDNSDomain("*.x509local"),
+ WithPermittedDNSDomain("*.x509local"),
 },
 cert: &x509.Certificate{
 DNSNames: []string{
@@ -661,7 +661,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
 {
 name: "fail/dns-permitted-single-host",
 options: []NamePolicyOption{
- AddPermittedDNSDomain("host.local"),
+ WithPermittedDNSDomain("host.local"),
 },
 cert: &x509.Certificate{
 DNSNames: []string{"differenthost.local"},
@@ -672,7 +672,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
 {
 name: "fail/dns-permitted-no-label",
 options: []NamePolicyOption{
- AddPermittedDNSDomain("*.local"),
+ WithPermittedDNSDomain("*.local"),
 },
 cert: &x509.Certificate{
 DNSNames: []string{"local"},
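Review bot: When a user certificate carries both IP and URI principals, the `if len(uris) > 0` block directly below overwrites the `err` that the new `if len(ips) > 0` block just assigned, so the IP finding never reaches the caller's error message; either return at the first unexpected principal type or fold the two checks into one, e.g. `if len(ips) > 0 || len(uris) > 0 { err = fmt.Errorf("IP principals %v and URL principals %v not expected in SSH user certificate", ips, uris) }` (I am assuming `err` is a named result, since it is assigned rather than declared here). The context comment two lines above still says only URIs are excluded; with this change it should read `// IP and URI principals are not accepted in an SSH user certificate, because they can be confusing there.` and lose the "exluding" typo. The new message also copies the trailing space before the closing quote from the URL message (`certificate ", ips`); dropping it in both keeps wrapped errors tidy. The body of splitSSHPrincipals begins and ends outside this hunk.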
@@ -683,7 +683,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-empty-label", options: []NamePolicyOption{ - AddPermittedDNSDomain("*.local"), + WithPermittedDNSDomain("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{"www..local"}, @@ -694,7 +694,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-dot-domain", options: []NamePolicyOption{ - AddPermittedDNSDomain("*.local"), + WithPermittedDNSDomain("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{ @@ -707,7 +707,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-wildcard-multiple-subdomains", options: []NamePolicyOption{ - AddPermittedDNSDomain("*.local"), + WithPermittedDNSDomain("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{ @@ -720,7 +720,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-wildcard-literal", options: []NamePolicyOption{ - AddPermittedDNSDomain("*.local"), + WithPermittedDNSDomain("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{ @@ -733,7 +733,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - AddPermittedDNSDomain("*.豆.jp"), + WithPermittedDNSDomain("*.豆.jp"), }, cert: &x509.Certificate{ DNSNames: []string{ @@ -746,7 +746,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/ipv4-permitted", options: []NamePolicyOption{ - AddPermittedIPRanges( + WithPermittedIPRanges( []*net.IPNet{ { IP: net.ParseIP("127.0.0.1"), @@ -764,7 +764,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/ipv6-permitted", options: []NamePolicyOption{ - AddPermittedIPRanges( + WithPermittedIPRanges( []*net.IPNet{ { IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), 
@@ -782,7 +782,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-wildcard", options: []NamePolicyOption{ - AddPermittedEmailAddress("@example.com"), + WithPermittedEmailAddress("@example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -795,7 +795,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-wildcard-x509", options: []NamePolicyOption{ - AddPermittedEmailAddress("example.com"), + WithPermittedEmailAddress("example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -808,7 +808,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-specific-mailbox", options: []NamePolicyOption{ - AddPermittedEmailAddress("test@local.com"), + WithPermittedEmailAddress("test@local.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -821,7 +821,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-wildcard-subdomain", options: []NamePolicyOption{ - AddPermittedEmailAddress("@example.com"), + WithPermittedEmailAddress("@example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -834,7 +834,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - AddPermittedEmailAddress("@例.jp"), + WithPermittedEmailAddress("@例.jp"), }, cert: &x509.Certificate{ EmailAddresses: []string{"bücher@例.jp"}, @@ -845,7 +845,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-idna-internationalized-domain-rfc822", options: []NamePolicyOption{ - AddPermittedEmailAddress("@例.jp"), + WithPermittedEmailAddress("@例.jp"), }, cert: &x509.Certificate{ EmailAddresses: []string{"bücher@例.jp" + string(byte(0))}, 
@@ -856,7 +856,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-idna-internationalized-domain-ascii", options: []NamePolicyOption{ - AddPermittedEmailAddress("@例.jp"), + WithPermittedEmailAddress("@例.jp"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@xn---bla.jp"}, @@ -867,7 +867,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-domain-wildcard", options: []NamePolicyOption{ - AddPermittedURIDomain("*.local"), + WithPermittedURIDomain("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -883,7 +883,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted", options: []NamePolicyOption{ - AddPermittedURIDomain("test.local"), + WithPermittedURIDomain("test.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -899,7 +899,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-with-literal-wildcard", // don't allow literal wildcard in URI, e.g. xxxx://*.domain.tld options: []NamePolicyOption{ - AddPermittedURIDomain("*.local"), + WithPermittedURIDomain("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -915,7 +915,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - AddPermittedURIDomain("*.bücher.example.com"), + WithPermittedURIDomain("*.bücher.example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -932,7 +932,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-excluded", options: []NamePolicyOption{ - AddExcludedDNSDomain("*.example.com"), + WithExcludedDNSDomain("*.example.com"), }, cert: &x509.Certificate{ DNSNames: []string{"www.example.com"}, 
@@ -943,7 +943,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-excluded-single-host", options: []NamePolicyOption{ - AddExcludedDNSDomain("host.example.com"), + WithExcludedDNSDomain("host.example.com"), }, cert: &x509.Certificate{ DNSNames: []string{"host.example.com"}, @@ -954,7 +954,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/ipv4-excluded", options: []NamePolicyOption{ - AddExcludedIPRanges( + WithExcludedIPRanges( []*net.IPNet{ { IP: net.ParseIP("127.0.0.1"), @@ -972,7 +972,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/ipv6-excluded", options: []NamePolicyOption{ - AddExcludedIPRanges( + WithExcludedIPRanges( []*net.IPNet{ { IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), @@ -990,7 +990,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-excluded", options: []NamePolicyOption{ - AddExcludedEmailAddress("@example.com"), + WithExcludedEmailAddress("@example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@example.com"}, @@ -1001,7 +1001,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-excluded", options: []NamePolicyOption{ - AddExcludedURIDomain("*.example.com"), + WithExcludedURIDomain("*.example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1017,7 +1017,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-excluded-with-literal-wildcard", // don't allow literal wildcard in URI, e.g. xxxx://*.domain.tld options: []NamePolicyOption{ - AddExcludedURIDomain("*.local"), + WithExcludedURIDomain("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ 
@@ -1035,7 +1035,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-dns-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddPermittedDNSDomain("*.local"), + WithPermittedDNSDomain("*.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1049,7 +1049,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-dns-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddExcludedDNSDomain("*.local"), + WithExcludedDNSDomain("*.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1063,7 +1063,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-ipv4-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddPermittedIPRanges( + WithPermittedIPRanges( []*net.IPNet{ { IP: net.ParseIP("127.0.0.1"), @@ -1084,7 +1084,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-ipv4-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddExcludedIPRanges( + WithExcludedIPRanges( []*net.IPNet{ { IP: net.ParseIP("127.0.0.1"), @@ -1105,7 +1105,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-ipv6-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddPermittedIPRanges( + WithPermittedIPRanges( []*net.IPNet{ { IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), @@ -1126,7 +1126,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-ipv6-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddExcludedIPRanges( + WithExcludedIPRanges( []*net.IPNet{ { IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), 
@@ -1147,7 +1147,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-email-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddPermittedEmailAddress("@example.local"), + WithPermittedEmailAddress("@example.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1161,7 +1161,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-email-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddExcludedEmailAddress("@example.local"), + WithExcludedEmailAddress("@example.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1175,7 +1175,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-uri-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddPermittedURIDomain("*.example.com"), + WithPermittedURIDomain("*.example.com"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1189,7 +1189,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "fail/subject-uri-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddExcludedURIDomain("*.example.com"), + WithExcludedURIDomain("*.example.com"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1203,7 +1203,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-with-ip-name", // when only DNS is permitted, IPs are not allowed. options: []NamePolicyOption{ - AddPermittedDNSDomain("*.local"), + WithPermittedDNSDomain("*.local"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, @@ -1214,7 +1214,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-with-mail", // when only DNS is permitted, mails are not allowed. options: []NamePolicyOption{ - AddPermittedDNSDomain("*.local"), + WithPermittedDNSDomain("*.local"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@smallstep.com"}, 
@@ -1225,7 +1225,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/dns-permitted-with-uri", // when only DNS is permitted, URIs are not allowed. options: []NamePolicyOption{ - AddPermittedDNSDomain("*.local"), + WithPermittedDNSDomain("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1241,7 +1241,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/ip-permitted-with-dns-name", // when only IP is permitted, DNS names are not allowed. options: []NamePolicyOption{ - AddPermittedIPRanges( + WithPermittedIPRanges( []*net.IPNet{ { IP: net.ParseIP("127.0.0.1"), @@ -1259,7 +1259,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/ip-permitted-with-mail", // when only IP is permitted, mails are not allowed. options: []NamePolicyOption{ - AddPermittedIPRanges( + WithPermittedIPRanges( []*net.IPNet{ { IP: net.ParseIP("127.0.0.1"), @@ -1277,7 +1277,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/ip-permitted-with-uri", // when only IP is permitted, URIs are not allowed. options: []NamePolicyOption{ - AddPermittedIPRanges( + WithPermittedIPRanges( []*net.IPNet{ { IP: net.ParseIP("127.0.0.1"), @@ -1300,7 +1300,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-with-dns-name", // when only mail is permitted, DNS names are not allowed. options: []NamePolicyOption{ - AddPermittedEmailAddress("@example.com"), + WithPermittedEmailAddress("@example.com"), }, cert: &x509.Certificate{ DNSNames: []string{"www.example.com"}, @@ -1311,7 +1311,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-with-ip", // when only mail is permitted, IPs are not allowed. options: []NamePolicyOption{ - AddPermittedEmailAddress("@example.com"), + WithPermittedEmailAddress("@example.com"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{ 
@@ -1324,7 +1324,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/mail-permitted-with-uri", // when only mail is permitted, URIs are not allowed. options: []NamePolicyOption{ - AddPermittedEmailAddress("@example.com"), + WithPermittedEmailAddress("@example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1340,7 +1340,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-with-dns-name", // when only URI is permitted, DNS names are not allowed. options: []NamePolicyOption{ - AddPermittedURIDomain("*.local"), + WithPermittedURIDomain("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{"host.local"}, @@ -1351,7 +1351,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, IPs are not allowed. options: []NamePolicyOption{ - AddPermittedURIDomain("*.local"), + WithPermittedURIDomain("*.local"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{ @@ -1364,7 +1364,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, mails are not allowed. options: []NamePolicyOption{ - AddPermittedURIDomain("*.local"), + WithPermittedURIDomain("*.local"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@smallstep.com"}, @@ -1488,7 +1488,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-permitted", options: []NamePolicyOption{ - AddPermittedDNSDomain("*.local"), + WithPermittedDNSDomain("*.local"), }, cert: &x509.Certificate{ DNSNames: []string{"example.local"}, @@ -1499,8 +1499,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-permitted-wildcard", options: []NamePolicyOption{ - AddPermittedDNSDomain("*.local"), - AddPermittedDNSDomain("*.x509local"), + WithPermittedDNSDomains([]string{"*.local", "*.x509local"}), WithAllowLiteralWildcardNames(), }, cert: &x509.Certificate{ 
@@ -1515,8 +1514,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-permitted-wildcard-literal", options: []NamePolicyOption{ - AddPermittedDNSDomain("*.local"), - AddPermittedDNSDomain("*.x509local"), + WithPermittedDNSDomains([]string{"*.local", "*.x509local"}), WithAllowLiteralWildcardNames(), }, cert: &x509.Certificate{ @@ -1531,9 +1529,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-permitted-combined", options: []NamePolicyOption{ - AddPermittedDNSDomain("*.local"), - AddPermittedDNSDomain("*.x509local"), - AddPermittedDNSDomain("host.example.com"), + WithPermittedDNSDomains([]string{"*.local", "*.x509local", "host.example.com"}), }, cert: &x509.Certificate{ DNSNames: []string{ @@ -1548,7 +1544,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - AddPermittedDNSDomain("*.例.jp"), + WithPermittedDNSDomain("*.例.jp"), }, cert: &x509.Certificate{ DNSNames: []string{ @@ -1561,7 +1557,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/ipv4-permitted", options: []NamePolicyOption{ - AddPermittedCIDR("127.0.0.1/24"), + WithPermittedCIDR("127.0.0.1/24"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("127.0.0.20")}, @@ -1572,7 +1568,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/ipv6-permitted", options: []NamePolicyOption{ - AddPermittedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"), + WithPermittedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7339")}, @@ -1583,7 +1579,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-permitted-wildcard", options: []NamePolicyOption{ - AddPermittedEmailAddress("@example.com"), + WithPermittedEmailAddress("@example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ 
@@ -1596,7 +1592,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-permitted-plain-domain", options: []NamePolicyOption{ - AddPermittedEmailAddress("example.com"), + WithPermittedEmailAddress("example.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -1609,7 +1605,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-permitted-specific-mailbox", options: []NamePolicyOption{ - AddPermittedEmailAddress("test@local.com"), + WithPermittedEmailAddress("test@local.com"), }, cert: &x509.Certificate{ EmailAddresses: []string{ @@ -1622,7 +1618,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/mail-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - AddPermittedEmailAddress("@例.jp"), + WithPermittedEmailAddress("@例.jp"), }, cert: &x509.Certificate{ EmailAddresses: []string{}, @@ -1633,7 +1629,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-permitted-domain-wildcard", options: []NamePolicyOption{ - AddPermittedURIDomain("*.local"), + WithPermittedURIDomain("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1649,7 +1645,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-permitted-specific-uri", options: []NamePolicyOption{ - AddPermittedURIDomain("test.local"), + WithPermittedURIDomain("test.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1665,7 +1661,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-permitted-with-port", options: []NamePolicyOption{ - AddPermittedURIDomain("*.example.com"), + WithPermittedURIDomain("*.example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ 
@@ -1681,7 +1677,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - AddPermittedURIDomain("*.bücher.example.com"), + WithPermittedURIDomain("*.bücher.example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1697,7 +1693,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/uri-permitted-idna-internationalized-domain", options: []NamePolicyOption{ - AddPermittedURIDomain("bücher.example.com"), + WithPermittedURIDomain("bücher.example.com"), }, cert: &x509.Certificate{ URIs: []*url.URL{ @@ -1725,7 +1721,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/ipv4-excluded", options: []NamePolicyOption{ - AddExcludedIPRanges( + WithExcludedIPRanges( []*net.IPNet{ { IP: net.ParseIP("127.0.0.1"), @@ -1743,7 +1739,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/ipv6-excluded", options: []NamePolicyOption{ - AddExcludedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"), + WithExcludedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("2003:0db8:85a3:0000:0000:8a2e:0370:7334")}, @@ -1794,7 +1790,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-empty", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddPermittedDNSDomain("*.local"), + WithPermittedDNSDomain("*.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1809,7 +1805,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-dns-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddPermittedDNSDomain("*.local"), + WithPermittedDNSDomain("*.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ 
@@ -1823,7 +1819,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-dns-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddExcludedDNSDomain("*.notlocal"), + WithExcludedDNSDomain("*.notlocal"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1837,7 +1833,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-ipv4-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddPermittedIPRanges( + WithPermittedIPRanges( []*net.IPNet{ { IP: net.ParseIP("127.0.0.1"), @@ -1858,7 +1854,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-ipv4-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddExcludedIPRanges( + WithExcludedIPRanges( []*net.IPNet{ { IP: net.ParseIP("128.0.0.1"), @@ -1879,7 +1875,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-ipv6-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddPermittedIPRanges( + WithPermittedIPRanges( []*net.IPNet{ { IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), @@ -1900,7 +1896,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-ipv6-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddExcludedIPRanges( + WithExcludedIPRanges( []*net.IPNet{ { IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), @@ -1921,7 +1917,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-email-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddPermittedEmailAddress("@example.local"), + WithPermittedEmailAddress("@example.local"), }, cert: &x509.Certificate{ Subject: pkix.Name{ 
@@ -1935,7 +1931,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-email-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddExcludedEmailAddress("@example.notlocal"), + WithExcludedEmailAddress("@example.notlocal"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1949,7 +1945,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-uri-permitted", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddPermittedURIDomain("*.example.com"), + WithPermittedURIDomain("*.example.com"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1963,7 +1959,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { name: "ok/subject-uri-excluded", options: []NamePolicyOption{ WithSubjectCommonNameVerification(), - AddExcludedURIDomain("*.smallstep.com"), + WithExcludedURIDomain("*.smallstep.com"), }, cert: &x509.Certificate{ Subject: pkix.Name{ @@ -1977,7 +1973,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-excluded-with-ip-name", // when only DNS is exluded, we allow anything else options: []NamePolicyOption{ - AddExcludedDNSDomain("*.local"), + WithExcludedDNSDomain("*.local"), }, cert: &x509.Certificate{ IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, @@ -1988,7 +1984,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else options: []NamePolicyOption{ - AddExcludedDNSDomain("*.local"), + WithExcludedDNSDomain("*.local"), }, cert: &x509.Certificate{ EmailAddresses: []string{"mail@example.com"}, @@ -1999,7 +1995,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) { { name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else options: []NamePolicyOption{ - AddExcludedDNSDomain("*.local"), + WithExcludedDNSDomain("*.local"), }, cert: &x509.Certificate{ URIs: []*url.URL{ 
@@ -2125,7 +2121,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
 name: "ok/dns-excluded-with-subject-ip-name", // when only DNS is exluded, we allow anything else
 options: []NamePolicyOption{
 WithSubjectCommonNameVerification(),
- AddExcludedDNSDomain("*.local"),
+ WithExcludedDNSDomain("*.local"),
 },
 cert: &x509.Certificate{
 Subject: pkix.Name{
@@ -2750,6 +2746,18 @@ func Test_splitSSHPrincipals(t *testing.T) {
 wantErr: true,
 }
 },
+ "fail/user-ip": func(t *testing.T) test {
+ r := emptyResult()
+ r.wantIps = []net.IP{net.ParseIP("127.0.0.1")}
+ return test{
+ cert: &ssh.Certificate{
+ CertType: ssh.UserCert,
+ ValidPrincipals: []string{"127.0.0.1"},
+ },
+ r: r,
+ wantErr: true,
+ }
+ },
 "fail/user-uri": func(t *testing.T) test {
 r := emptyResult()
 return test{
@@ -2780,7 +2788,8 @@ func Test_splitSSHPrincipals(t *testing.T) {
 CertType: ssh.HostCert,
 ValidPrincipals: []string{"host.example.com"},
 },
- r: r,
+ r: r,
+ wantErr: false,
 }
 },
 "ok/host-ip": func(t *testing.T) test {
@@ -2791,7 +2800,8 @@ func Test_splitSSHPrincipals(t *testing.T) {
 CertType: ssh.HostCert,
 ValidPrincipals: []string{"127.0.0.1"},
 },
- r: r,
+ r: r,
+ wantErr: false,
 }
 },
 "ok/host-email": func(t *testing.T) test {
@@ -2814,7 +2824,8 @@ func Test_splitSSHPrincipals(t *testing.T) {
 CertType: ssh.UserCert,
 ValidPrincipals: []string{"localhost"},
 },
- r: r,
+ r: r,
+ wantErr: false,
 }
 },
 "ok/user-username-with-period": func(t *testing.T) test {
@@ -2825,17 +2836,6 @@ func Test_splitSSHPrincipals(t *testing.T) {
 CertType: ssh.UserCert,
 ValidPrincipals: []string{"x.joe"},
 },
- r: r,
- }
- },
- "ok/user-ip": func(t *testing.T) test {
- r := emptyResult()
- r.wantIps = []net.IP{net.ParseIP("127.0.0.1")}
- return test{
- cert: &ssh.Certificate{
- CertType: ssh.UserCert,
- ValidPrincipals: []string{"127.0.0.1"},
- },
 r: r,
 wantErr: false,
 }
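Review bot: The new `fail/user-ip` case only covers a principal list consisting of a single IP, so nothing pins what splitSSHPrincipals does when a user certificate mixes an IP principal with a URI or hostname principal, which is the situation where its two assignments to `err` interact. I would add a sibling case with `ValidPrincipals: []string{"127.0.0.1", "host.example.com"}` (constructed example), `wantErr: true` and the matching want fields, so a later refactor of the error handling cannot silently change which principal types are reported. Whether the error text itself is asserted is decided outside this hunk, so I cannot tell from here if the message wording is covered.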
@@ -2848,7 +2848,8 @@ func Test_splitSSHPrincipals(t *testing.T) {
 CertType: ssh.UserCert,
 ValidPrincipals: []string{"ops@work"},
 },
- r: r,
+ r: r,
+ wantErr: false,
 }
 },
 }
diff --git a/policy/options.go b/policy/options.go
index 308d46b5..e01e082e 100755
--- a/policy/options.go
+++ b/policy/options.go
@@ -41,21 +41,6 @@ func WithPermittedDNSDomains(domains []string) NamePolicyOption {
 }
 }
 
-func AddPermittedDNSDomains(domains []string) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- normalizedDomains := make([]string, len(domains))
- for i, domain := range domains {
- normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
- if err != nil {
- return fmt.Errorf("cannot parse permitted domain constraint %q: %w", domain, err)
- }
- normalizedDomains[i] = normalizedDomain
- }
- e.permittedDNSDomains = append(e.permittedDNSDomains, normalizedDomains...)
- return nil
- }
- }
-
 func WithExcludedDNSDomains(domains []string) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 normalizedDomains := make([]string, len(domains))
@@ -71,21 +56,6 @@ func WithExcludedDNSDomains(domains []string) NamePolicyOption {
 }
 }
 
-func AddExcludedDNSDomains(domains []string) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- normalizedDomains := make([]string, len(domains))
- for i, domain := range domains {
- normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
- if err != nil {
- return fmt.Errorf("cannot parse excluded domain constraint %q: %w", domain, err)
- }
- normalizedDomains[i] = normalizedDomain
- }
- e.excludedDNSDomains = append(e.excludedDNSDomains, normalizedDomains...)
- return nil
- }
- }
-
 func WithPermittedDNSDomain(domain string) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
@@ -97,17 +67,6 @@ func WithPermittedDNSDomain(domain string) NamePolicyOption { } } -func AddPermittedDNSDomain(domain string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain) - if err != nil { - return fmt.Errorf("cannot parse permitted domain constraint %q: %w", domain, err) - } - e.permittedDNSDomains = append(e.permittedDNSDomains, normalizedDomain) - return nil - } -} - func WithExcludedDNSDomain(domain string) NamePolicyOption { return func(e *NamePolicyEngine) error { normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain) @@ -119,17 +78,6 @@ func WithExcludedDNSDomain(domain string) NamePolicyOption { } } -func AddExcludedDNSDomain(domain string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain) - if err != nil { - return fmt.Errorf("cannot parse excluded domain constraint %q: %w", domain, err) - } - e.excludedDNSDomains = append(e.excludedDNSDomains, normalizedDomain) - return nil - } -} - func WithPermittedIPRanges(ipRanges []*net.IPNet) NamePolicyOption { return func(e *NamePolicyEngine) error { e.permittedIPRanges = ipRanges @@ -137,13 +85,6 @@ func WithPermittedIPRanges(ipRanges []*net.IPNet) NamePolicyOption { } } -func AddPermittedIPRanges(ipRanges []*net.IPNet) NamePolicyOption { - return func(e *NamePolicyEngine) error { - e.permittedIPRanges = append(e.permittedIPRanges, ipRanges...) - return nil - } -} - func WithPermittedCIDRs(cidrs []string) NamePolicyOption { return func(e *NamePolicyEngine) error { networks := make([]*net.IPNet, len(cidrs)) 
@@ -159,21 +100,6 @@ func WithPermittedCIDRs(cidrs []string) NamePolicyOption { } } -func AddPermittedCIDRs(cidrs []string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - networks := make([]*net.IPNet, len(cidrs)) - for i, cidr := range cidrs { - _, nw, err := net.ParseCIDR(cidr) - if err != nil { - return fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr) - } - networks[i] = nw - } - e.permittedIPRanges = append(e.permittedIPRanges, networks...) - return nil - } -} - func WithExcludedCIDRs(cidrs []string) NamePolicyOption { return func(e *NamePolicyEngine) error { networks := make([]*net.IPNet, len(cidrs)) @@ -189,21 +115,6 @@ func WithExcludedCIDRs(cidrs []string) NamePolicyOption { } } -func AddExcludedCIDRs(cidrs []string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - networks := make([]*net.IPNet, len(cidrs)) - for i, cidr := range cidrs { - _, nw, err := net.ParseCIDR(cidr) - if err != nil { - return fmt.Errorf("cannot parse excluded CIDR constraint %q", cidr) - } - networks[i] = nw - } - e.excludedIPRanges = append(e.excludedIPRanges, networks...) - return nil - } -} - func WithPermittedIPsOrCIDRs(ipsOrCIDRs []string) NamePolicyOption { return func(e *NamePolicyEngine) error { networks := make([]*net.IPNet, len(ipsOrCIDRs)) @@ -251,17 +162,6 @@ func WithPermittedCIDR(cidr string) NamePolicyOption { } } -func AddPermittedCIDR(cidr string) NamePolicyOption { - return func(e *NamePolicyEngine) error { - _, nw, err := net.ParseCIDR(cidr) - if err != nil { - return fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr) - } - e.permittedIPRanges = append(e.permittedIPRanges, nw) - return nil - } -} - func WithPermittedIP(ip net.IP) NamePolicyOption { return func(e *NamePolicyEngine) error { nw := networkFor(ip) 
@@ -270,14 +170,6 @@ func WithPermittedIP(ip net.IP) NamePolicyOption {
 }
 }
 
-func AddPermittedIP(ip net.IP) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- nw := networkFor(ip)
- e.permittedIPRanges = append(e.permittedIPRanges, nw)
- return nil
- }
-}
-
 func WithExcludedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 e.excludedIPRanges = ipRanges
@@ -285,13 +177,6 @@ func WithExcludedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
 }
 }
 
-func AddExcludedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- e.excludedIPRanges = append(e.excludedIPRanges, ipRanges...)
- return nil
- }
-}
-
 func WithExcludedCIDR(cidr string) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 _, nw, err := net.ParseCIDR(cidr)
@@ -303,17 +188,6 @@ func WithExcludedCIDR(cidr string) NamePolicyOption {
 }
 }
 
-func AddExcludedCIDR(cidr string) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- _, nw, err := net.ParseCIDR(cidr)
- if err != nil {
- return fmt.Errorf("cannot parse excluded CIDR constraint %q", cidr)
- }
- e.excludedIPRanges = append(e.excludedIPRanges, nw)
- return nil
- }
-}
-
 func WithExcludedIP(ip net.IP) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 var mask net.IPMask
@@ -331,23 +205,6 @@ func WithExcludedIP(ip net.IP) NamePolicyOption {
 }
 }
 
-func AddExcludedIP(ip net.IP) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- var mask net.IPMask
- if !isIPv4(ip) {
- mask = net.CIDRMask(128, 128)
- } else {
- mask = net.CIDRMask(32, 32)
- }
- nw := &net.IPNet{
- IP: ip,
- Mask: mask,
- }
- e.excludedIPRanges = append(e.excludedIPRanges, nw)
- return nil
- }
-}
-
 func WithPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 normalizedEmailAddresses := make([]string, len(emailAddresses))
@@ -363,21 +220,6 @@ func WithPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
 }
 }
 
-func AddPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- normalizedEmailAddresses := make([]string, len(emailAddresses))
- for i, email := range emailAddresses {
- normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
- if err != nil {
- return fmt.Errorf("cannot parse permitted email constraint %q: %w", email, err)
- }
- normalizedEmailAddresses[i] = normalizedEmailAddress
- }
- e.permittedEmailAddresses = append(e.permittedEmailAddresses, normalizedEmailAddresses...)
- return nil
- }
-}
-
 func WithExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 normalizedEmailAddresses := make([]string, len(emailAddresses))
@@ -393,21 +235,6 @@ func WithExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
 }
 }
 
-func AddExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- normalizedEmailAddresses := make([]string, len(emailAddresses))
- for i, email := range emailAddresses {
- normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
- if err != nil {
- return fmt.Errorf("cannot parse excluded email constraint %q: %w", email, err)
- }
- normalizedEmailAddresses[i] = normalizedEmailAddress
- }
- e.excludedEmailAddresses = append(e.excludedEmailAddresses, normalizedEmailAddresses...)
- return nil
- }
-}
-
 func WithPermittedEmailAddress(emailAddress string) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
@@ -419,17 +246,6 @@ func WithPermittedEmailAddress(emailAddress string) NamePolicyOption {
 }
 }
 
-func AddPermittedEmailAddress(emailAddress string) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
- if err != nil {
- return fmt.Errorf("cannot parse permitted email constraint %q: %w", emailAddress, err)
- }
- e.permittedEmailAddresses = append(e.permittedEmailAddresses, normalizedEmailAddress)
- return nil
- }
-}
-
 func WithExcludedEmailAddress(emailAddress string) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
@@ -441,17 +257,6 @@ func WithExcludedEmailAddress(emailAddress string) NamePolicyOption {
 }
 }
 
-func AddExcludedEmailAddress(emailAddress string) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
- if err != nil {
- return fmt.Errorf("cannot parse excluded email constraint %q: %w", emailAddress, err)
- }
- e.excludedEmailAddresses = append(e.excludedEmailAddresses, normalizedEmailAddress)
- return nil
- }
-}
-
 func WithPermittedURIDomains(uriDomains []string) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 normalizedURIDomains := make([]string, len(uriDomains))
@@ -467,21 +272,6 @@ func WithPermittedURIDomains(uriDomains []string) NamePolicyOption {
 }
 }
 
-func AddPermittedURIDomains(uriDomains []string) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- normalizedURIDomains := make([]string, len(uriDomains))
- for i, domain := range uriDomains {
- normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
- if err != nil {
- return fmt.Errorf("cannot parse permitted URI domain constraint %q: %w", domain, err)
- }
- normalizedURIDomains[i] = normalizedURIDomain
- }
- e.permittedURIDomains = append(e.permittedURIDomains, normalizedURIDomains...)
- return nil
- }
-}
-
 func WithPermittedURIDomain(domain string) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
@@ -493,17 +283,6 @@ func WithPermittedURIDomain(domain string) NamePolicyOption {
 }
 }
 
-func AddPermittedURIDomain(domain string) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
- if err != nil {
- return fmt.Errorf("cannot parse permitted URI domain constraint %q: %w", domain, err)
- }
- e.permittedURIDomains = append(e.permittedURIDomains, normalizedURIDomain)
- return nil
- }
-}
-
 func WithExcludedURIDomains(domains []string) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 normalizedURIDomains := make([]string, len(domains))
@@ -519,21 +298,6 @@ func WithExcludedURIDomains(domains []string) NamePolicyOption {
 }
 }
 
-func AddExcludedURIDomains(domains []string) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- normalizedURIDomains := make([]string, len(domains))
- for i, domain := range domains {
- normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
- if err != nil {
- return fmt.Errorf("cannot parse excluded URI domain constraint %q: %w", domain, err)
- }
- normalizedURIDomains[i] = normalizedURIDomain
- }
- e.excludedURIDomains = append(e.excludedURIDomains, normalizedURIDomains...)
- return nil
- }
-}
-
 func WithExcludedURIDomain(domain string) NamePolicyOption {
 return func(e *NamePolicyEngine) error {
 normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
@@ -545,17 +309,6 @@ func WithExcludedURIDomain(domain string) NamePolicyOption {
 }
 }
 
-func AddExcludedURIDomain(domain string) NamePolicyOption {
- return func(e *NamePolicyEngine) error {
- normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
- if err != nil {
- return fmt.Errorf("cannot parse excluded URI domain constraint %q: %w", domain, err)
- }
- e.excludedURIDomains = append(e.excludedURIDomains, normalizedURIDomain)
- return nil
- }
-}
-
 func WithPermittedPrincipals(principals []string) NamePolicyOption {
 return func(g *NamePolicyEngine) error {
 // TODO(hs): normalize and parse principal into the right type? Seems the safe thing to do.
diff --git a/policy/options_test.go b/policy/options_test.go
index a1c48e1f..78df3b7b 100644
--- a/policy/options_test.go
+++ b/policy/options_test.go
@@ -206,15 +206,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-permitted-dns-domains": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddPermittedDNSDomains([]string{"**.local"}),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-excluded-dns-domains": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -224,15 +215,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-excluded-dns-domains": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddExcludedDNSDomains([]string{"**.local"}),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-permitted-dns-domain": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -242,15 +224,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-permitted-dns-domain": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddPermittedDNSDomain("**.local"),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-excluded-dns-domain": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -260,15 +233,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-excluded-dns-domain": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddExcludedDNSDomain("**.local"),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-permitted-cidrs": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -278,15 +242,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-permitted-cidrs": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddPermittedCIDRs([]string{"127.0.0.1//24"}),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-excluded-cidrs": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -296,15 +251,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-excluded-cidrs": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddExcludedCIDRs([]string{"127.0.0.1//24"}),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-permitted-ipsOrCIDRs-cidr": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -350,15 +296,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-permitted-cidr": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddPermittedCIDR("127.0.0.1//24"),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-excluded-cidr": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -368,15 +305,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-excluded-cidr": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddExcludedCIDR("127.0.0.1//24"),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-permitted-emails": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -386,15 +314,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-permitted-emails": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddPermittedEmailAddresses([]string{"*.local"}),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-excluded-emails": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -404,15 +323,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-excluded-emails": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddExcludedEmailAddresses([]string{"*.local"}),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-permitted-email": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -422,15 +332,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-permitted-email": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddPermittedEmailAddress("*.local"),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-excluded-email": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -440,15 +341,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-excluded-email": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddExcludedEmailAddress("*.local"),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-permitted-uris": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -458,15 +350,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-permitted-uris": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddPermittedURIDomains([]string{"**.local"}),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-excluded-uris": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -476,15 +359,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-excluded-uris": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddExcludedURIDomains([]string{"**.local"}),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-permitted-uri": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -494,15 +368,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-permitted-uri": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddPermittedURIDomain("**.local"),
- },
- want: nil,
- wantErr: true,
- }
- },
 "fail/with-excluded-uri": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{
@@ -512,15 +377,6 @@ func TestNew(t *testing.T) {
 wantErr: true,
 }
 },
-"fail/add-excluded-uri": func(t *testing.T) test {
- return test{
- options: []NamePolicyOption{
- AddExcludedURIDomain("**.local"),
- },
- want: nil,
- wantErr: true,
- }
- },
 "ok/default": func(t *testing.T) test {
 return test{
 options: []NamePolicyOption{},
@@ -567,22 +423,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-dns-wildcard-domains": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithPermittedDNSDomains([]string{"*.local"}),
- AddPermittedDNSDomains([]string{"*.example.com", "*.local"}),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedDNSDomains: []string{".local", ".example.com"},
- numberOfDNSDomainConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-excluded-dns-domains": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithExcludedDNSDomains([]string{"*.local", "*.example.com"}),
@@ -598,22 +438,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-excluded-dns-domains": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithExcludedDNSDomains([]string{"*.local"}),
- AddExcludedDNSDomains([]string{"*.local", "*.example.com"}),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- excludedDNSDomains: []string{".local", ".example.com"},
- numberOfDNSDomainConstraints: 2,
- totalNumberOfExcludedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-dns-wildcard-domain": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithPermittedDNSDomain("*.example.com"),
@@ -629,22 +453,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-dns-wildcard-domain": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithPermittedDNSDomain("*.example.com"),
- AddPermittedDNSDomain("*.local"),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedDNSDomains: []string{".example.com", ".local"},
- numberOfDNSDomainConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-dns-domain": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithPermittedDNSDomain("www.example.com"),
@@ -660,22 +468,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-dns-domain": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithPermittedDNSDomain("www.example.com"),
- AddPermittedDNSDomain("host.local"),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedDNSDomains: []string{"www.example.com", "host.local"},
- numberOfDNSDomainConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-ip-ranges": func(t *testing.T) test {
 _, nw1, err := net.ParseCIDR("127.0.0.1/24")
 assert.FatalError(t, err)
@@ -701,36 +493,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-ip-ranges": func(t *testing.T) test {
- _, nw1, err := net.ParseCIDR("127.0.0.1/24")
- assert.FatalError(t, err)
- _, nw2, err := net.ParseCIDR("192.168.0.1/24")
- assert.FatalError(t, err)
- options := []NamePolicyOption{
- WithPermittedIPRanges(
- []*net.IPNet{
- nw1,
- },
- ),
- AddPermittedIPRanges(
- []*net.IPNet{
- nw1, nw2,
- },
- ),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedIPRanges: []*net.IPNet{
- nw1, nw2,
- },
- numberOfIPRangeConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-excluded-ip-ranges": func(t *testing.T) test {
 _, nw1, err := net.ParseCIDR("127.0.0.1/24")
 assert.FatalError(t, err)
@@ -756,36 +518,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-excluded-ip-ranges": func(t *testing.T) test {
- _, nw1, err := net.ParseCIDR("127.0.0.1/24")
- assert.FatalError(t, err)
- _, nw2, err := net.ParseCIDR("192.168.0.1/24")
- assert.FatalError(t, err)
- options := []NamePolicyOption{
- WithExcludedIPRanges(
- []*net.IPNet{
- nw1,
- },
- ),
- AddExcludedIPRanges(
- []*net.IPNet{
- nw1, nw2,
- },
- ),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- excludedIPRanges: []*net.IPNet{
- nw1, nw2,
- },
- numberOfIPRangeConstraints: 2,
- totalNumberOfExcludedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-cidrs": func(t *testing.T) test {
 _, nw1, err := net.ParseCIDR("127.0.0.1/24")
 assert.FatalError(t, err)
@@ -807,28 +539,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-cidrs": func(t *testing.T) test {
- _, nw1, err := net.ParseCIDR("127.0.0.1/24")
- assert.FatalError(t, err)
- _, nw2, err := net.ParseCIDR("192.168.0.1/24")
- assert.FatalError(t, err)
- options := []NamePolicyOption{
- WithPermittedCIDRs([]string{"127.0.0.1/24"}),
- AddPermittedCIDRs([]string{"127.0.0.1/24", "192.168.0.1/24"}),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedIPRanges: []*net.IPNet{
- nw1, nw2,
- },
- numberOfIPRangeConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-excluded-cidrs": func(t *testing.T) test {
 _, nw1, err := net.ParseCIDR("127.0.0.1/24")
 assert.FatalError(t, err)
@@ -850,28 +560,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-excluded-cidrs": func(t *testing.T) test {
- _, nw1, err := net.ParseCIDR("127.0.0.1/24")
- assert.FatalError(t, err)
- _, nw2, err := net.ParseCIDR("192.168.0.1/24")
- assert.FatalError(t, err)
- options := []NamePolicyOption{
- WithExcludedCIDRs([]string{"127.0.0.1/24"}),
- AddExcludedCIDRs([]string{"127.0.0.1/24", "192.168.0.1/24"}),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- excludedIPRanges: []*net.IPNet{
- nw1, nw2,
- },
- numberOfIPRangeConstraints: 2,
- totalNumberOfExcludedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-ipsOrCIDRs-cidr": func(t *testing.T) test {
 _, nw1, err := net.ParseCIDR("127.0.0.1/24")
 assert.FatalError(t, err)
@@ -933,28 +621,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-cidr": func(t *testing.T) test {
- _, nw1, err := net.ParseCIDR("127.0.0.1/24")
- assert.FatalError(t, err)
- _, nw2, err := net.ParseCIDR("192.168.0.1/24")
- assert.FatalError(t, err)
- options := []NamePolicyOption{
- WithPermittedCIDR("127.0.0.1/24"),
- AddPermittedCIDR("192.168.0.1/24"),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedIPRanges: []*net.IPNet{
- nw1, nw2,
- },
- numberOfIPRangeConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-excluded-cidr": func(t *testing.T) test {
 _, nw1, err := net.ParseCIDR("127.0.0.1/24")
 assert.FatalError(t, err)
@@ -974,28 +640,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-excluded-cidr": func(t *testing.T) test {
- _, nw1, err := net.ParseCIDR("127.0.0.1/24")
- assert.FatalError(t, err)
- _, nw2, err := net.ParseCIDR("192.168.0.1/24")
- assert.FatalError(t, err)
- options := []NamePolicyOption{
- WithExcludedCIDR("127.0.0.1/24"),
- AddExcludedCIDR("192.168.0.1/24"),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- excludedIPRanges: []*net.IPNet{
- nw1, nw2,
- },
- numberOfIPRangeConstraints: 2,
- totalNumberOfExcludedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-ipv4": func(t *testing.T) test {
 ip1, nw1, err := net.ParseCIDR("127.0.0.15/32")
 assert.FatalError(t, err)
@@ -1015,28 +659,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-ipv4": func(t *testing.T) test {
- ip1, nw1, err := net.ParseCIDR("127.0.0.45/32")
- assert.FatalError(t, err)
- ip2, nw2, err := net.ParseCIDR("192.168.0.55/32")
- assert.FatalError(t, err)
- options := []NamePolicyOption{
- WithPermittedIP(ip1),
- AddPermittedIP(ip2),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedIPRanges: []*net.IPNet{
- nw1, nw2,
- },
- numberOfIPRangeConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-excluded-ipv4": func(t *testing.T) test {
 ip1, nw1, err := net.ParseCIDR("127.0.0.15/32")
 assert.FatalError(t, err)
@@ -1056,28 +678,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-excluded-ipv4": func(t *testing.T) test {
- ip1, nw1, err := net.ParseCIDR("127.0.0.45/32")
- assert.FatalError(t, err)
- ip2, nw2, err := net.ParseCIDR("192.168.0.55/32")
- assert.FatalError(t, err)
- options := []NamePolicyOption{
- WithExcludedIP(ip1),
- AddExcludedIP(ip2),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- excludedIPRanges: []*net.IPNet{
- nw1, nw2,
- },
- numberOfIPRangeConstraints: 2,
- totalNumberOfExcludedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-ipv6": func(t *testing.T) test {
 ip1, nw1, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
 assert.FatalError(t, err)
@@ -1097,28 +697,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-ipv6": func(t *testing.T) test {
- ip1, nw1, err := net.ParseCIDR("127.0.0.10/32")
- assert.FatalError(t, err)
- ip2, nw2, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
- assert.FatalError(t, err)
- options := []NamePolicyOption{
- WithPermittedIP(ip1),
- AddPermittedIP(ip2),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedIPRanges: []*net.IPNet{
- nw1, nw2,
- },
- numberOfIPRangeConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-excluded-ipv6": func(t *testing.T) test {
 ip1, nw1, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
 assert.FatalError(t, err)
@@ -1138,28 +716,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-excluded-ipv6": func(t *testing.T) test {
- ip1, nw1, err := net.ParseCIDR("127.0.0.10/32")
- assert.FatalError(t, err)
- ip2, nw2, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
- assert.FatalError(t, err)
- options := []NamePolicyOption{
- WithExcludedIP(ip1),
- AddExcludedIP(ip2),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- excludedIPRanges: []*net.IPNet{
- nw1, nw2,
- },
- numberOfIPRangeConstraints: 2,
- totalNumberOfExcludedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-emails": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithPermittedEmailAddresses([]string{"mail@local", "@example.com"}),
@@ -1175,22 +731,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-emails": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithPermittedEmailAddresses([]string{"mail@local"}),
- AddPermittedEmailAddresses([]string{"@example.com", "mail@local"}),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedEmailAddresses: []string{"mail@local", "example.com"},
- numberOfEmailAddressConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-excluded-emails": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithExcludedEmailAddresses([]string{"mail@local", "@example.com"}),
@@ -1206,22 +746,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-excluded-emails": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithExcludedEmailAddresses([]string{"mail@local"}),
- AddExcludedEmailAddresses([]string{"@example.com", "mail@local"}),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- excludedEmailAddresses: []string{"mail@local", "example.com"},
- numberOfEmailAddressConstraints: 2,
- totalNumberOfExcludedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-email": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithPermittedEmailAddress("mail@local"),
@@ -1237,22 +761,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-email": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithPermittedEmailAddress("mail@local"),
- AddPermittedEmailAddress("@example.com"),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedEmailAddresses: []string{"mail@local", "example.com"},
- numberOfEmailAddressConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-excluded-email": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithExcludedEmailAddress("mail@local"),
@@ -1268,22 +776,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-excluded-email": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithExcludedEmailAddress("mail@local"),
- AddExcludedEmailAddress("@example.com"),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- excludedEmailAddresses: []string{"mail@local", "example.com"},
- numberOfEmailAddressConstraints: 2,
- totalNumberOfExcludedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-uris": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithPermittedURIDomains([]string{"host.local", "*.example.com"}),
@@ -1299,22 +791,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-uris": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithPermittedURIDomains([]string{"host.local"}),
- AddPermittedURIDomains([]string{"*.example.com", "host.local"}),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedURIDomains: []string{"host.local", ".example.com"},
- numberOfURIDomainConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-excluded-uris": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithExcludedURIDomains([]string{"host.local", "*.example.com"}),
@@ -1330,22 +806,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-excluded-uris": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithExcludedURIDomains([]string{"host.local"}),
- AddExcludedURIDomains([]string{"*.example.com", "host.local"}),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- excludedURIDomains: []string{"host.local", ".example.com"},
- numberOfURIDomainConstraints: 2,
- totalNumberOfExcludedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-uri": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithPermittedURIDomain("host.local"),
@@ -1376,22 +836,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-permitted-uri": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithPermittedURIDomain("host.local"),
- AddPermittedURIDomain("*.example.com"),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- permittedURIDomains: []string{"host.local", ".example.com"},
- numberOfURIDomainConstraints: 2,
- totalNumberOfPermittedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-excluded-uri": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithExcludedURIDomain("host.local"),
@@ -1407,22 +851,6 @@ func TestNew(t *testing.T) {
 wantErr: false,
 }
 },
-"ok/add-excluded-uri": func(t *testing.T) test {
- options := []NamePolicyOption{
- WithExcludedURIDomain("host.local"),
- AddExcludedURIDomain("*.example.com"),
- }
- return test{
- options: options,
- want: &NamePolicyEngine{
- excludedURIDomains: []string{"host.local", ".example.com"},
- numberOfURIDomainConstraints: 2,
- totalNumberOfExcludedConstraints: 2,
- totalNumberOfConstraints: 2,
- },
- wantErr: false,
- }
- },
 "ok/with-permitted-principals": func(t *testing.T) test {
 options := []NamePolicyOption{
 WithPermittedPrincipals([]string{"root", "ops"}),