forked from TrueCloudLab/certificates
Remove Adder options
This commit is contained in:
parent
8d15a027a7
commit
82e0033428
4 changed files with 107 additions and 922 deletions
|
@ -258,6 +258,9 @@ func splitSSHPrincipals(cert *ssh.Certificate) (dnsNames []string, ips []net.IP,
|
|||
// in the SSH certificate. We're exluding URIs, because they can be confusing
|
||||
// when used in a SSH user certificate.
|
||||
principals, ips, emails, uris = x509util.SplitSANs(cert.ValidPrincipals)
|
||||
if len(ips) > 0 {
|
||||
err = fmt.Errorf("IP principals %v not expected in SSH user certificate ", ips)
|
||||
}
|
||||
if len(uris) > 0 {
|
||||
err = fmt.Errorf("URL principals %v not expected in SSH user certificate ", uris)
|
||||
}
|
||||
|
|
|
@ -637,7 +637,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{"www.example.com"},
|
||||
|
@ -648,7 +648,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted-wildcard-literal-x509",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.x509local"),
|
||||
WithPermittedDNSDomain("*.x509local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{
|
||||
|
@ -661,7 +661,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted-single-host",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("host.local"),
|
||||
WithPermittedDNSDomain("host.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{"differenthost.local"},
|
||||
|
@ -672,7 +672,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted-no-label",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{"local"},
|
||||
|
@ -683,7 +683,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted-empty-label",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{"www..local"},
|
||||
|
@ -694,7 +694,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted-dot-domain",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{
|
||||
|
@ -707,7 +707,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted-wildcard-multiple-subdomains",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{
|
||||
|
@ -720,7 +720,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted-wildcard-literal",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{
|
||||
|
@ -733,7 +733,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted-idna-internationalized-domain",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.豆.jp"),
|
||||
WithPermittedDNSDomain("*.豆.jp"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{
|
||||
|
@ -746,7 +746,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/ipv4-permitted",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedIPRanges(
|
||||
WithPermittedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("127.0.0.1"),
|
||||
|
@ -764,7 +764,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/ipv6-permitted",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedIPRanges(
|
||||
WithPermittedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
|
||||
|
@ -782,7 +782,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/mail-permitted-wildcard",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("@example.com"),
|
||||
WithPermittedEmailAddress("@example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{
|
||||
|
@ -795,7 +795,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/mail-permitted-wildcard-x509",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("example.com"),
|
||||
WithPermittedEmailAddress("example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{
|
||||
|
@ -808,7 +808,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/mail-permitted-specific-mailbox",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("test@local.com"),
|
||||
WithPermittedEmailAddress("test@local.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{
|
||||
|
@ -821,7 +821,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/mail-permitted-wildcard-subdomain",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("@example.com"),
|
||||
WithPermittedEmailAddress("@example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{
|
||||
|
@ -834,7 +834,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/mail-permitted-idna-internationalized-domain",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("@例.jp"),
|
||||
WithPermittedEmailAddress("@例.jp"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{"bücher@例.jp"},
|
||||
|
@ -845,7 +845,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/mail-permitted-idna-internationalized-domain-rfc822",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("@例.jp"),
|
||||
WithPermittedEmailAddress("@例.jp"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{"bücher@例.jp" + string(byte(0))},
|
||||
|
@ -856,7 +856,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/mail-permitted-idna-internationalized-domain-ascii",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("@例.jp"),
|
||||
WithPermittedEmailAddress("@例.jp"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{"mail@xn---bla.jp"},
|
||||
|
@ -867,7 +867,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/uri-permitted-domain-wildcard",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("*.local"),
|
||||
WithPermittedURIDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -883,7 +883,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/uri-permitted",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("test.local"),
|
||||
WithPermittedURIDomain("test.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -899,7 +899,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/uri-permitted-with-literal-wildcard", // don't allow literal wildcard in URI, e.g. xxxx://*.domain.tld
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("*.local"),
|
||||
WithPermittedURIDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -915,7 +915,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/uri-permitted-idna-internationalized-domain",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("*.bücher.example.com"),
|
||||
WithPermittedURIDomain("*.bücher.example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -932,7 +932,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-excluded",
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedDNSDomain("*.example.com"),
|
||||
WithExcludedDNSDomain("*.example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{"www.example.com"},
|
||||
|
@ -943,7 +943,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-excluded-single-host",
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedDNSDomain("host.example.com"),
|
||||
WithExcludedDNSDomain("host.example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{"host.example.com"},
|
||||
|
@ -954,7 +954,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/ipv4-excluded",
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedIPRanges(
|
||||
WithExcludedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("127.0.0.1"),
|
||||
|
@ -972,7 +972,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/ipv6-excluded",
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedIPRanges(
|
||||
WithExcludedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
|
||||
|
@ -990,7 +990,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/mail-excluded",
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedEmailAddress("@example.com"),
|
||||
WithExcludedEmailAddress("@example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{"mail@example.com"},
|
||||
|
@ -1001,7 +1001,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/uri-excluded",
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedURIDomain("*.example.com"),
|
||||
WithExcludedURIDomain("*.example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -1017,7 +1017,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/uri-excluded-with-literal-wildcard", // don't allow literal wildcard in URI, e.g. xxxx://*.domain.tld
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedURIDomain("*.local"),
|
||||
WithExcludedURIDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -1035,7 +1035,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "fail/subject-dns-permitted",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1049,7 +1049,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "fail/subject-dns-excluded",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddExcludedDNSDomain("*.local"),
|
||||
WithExcludedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1063,7 +1063,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "fail/subject-ipv4-permitted",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddPermittedIPRanges(
|
||||
WithPermittedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("127.0.0.1"),
|
||||
|
@ -1084,7 +1084,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "fail/subject-ipv4-excluded",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddExcludedIPRanges(
|
||||
WithExcludedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("127.0.0.1"),
|
||||
|
@ -1105,7 +1105,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "fail/subject-ipv6-permitted",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddPermittedIPRanges(
|
||||
WithPermittedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
|
||||
|
@ -1126,7 +1126,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "fail/subject-ipv6-excluded",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddExcludedIPRanges(
|
||||
WithExcludedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
|
||||
|
@ -1147,7 +1147,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "fail/subject-email-permitted",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddPermittedEmailAddress("@example.local"),
|
||||
WithPermittedEmailAddress("@example.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1161,7 +1161,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "fail/subject-email-excluded",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddExcludedEmailAddress("@example.local"),
|
||||
WithExcludedEmailAddress("@example.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1175,7 +1175,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "fail/subject-uri-permitted",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddPermittedURIDomain("*.example.com"),
|
||||
WithPermittedURIDomain("*.example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1189,7 +1189,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "fail/subject-uri-excluded",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddExcludedURIDomain("*.example.com"),
|
||||
WithExcludedURIDomain("*.example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1203,7 +1203,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted-with-ip-name", // when only DNS is permitted, IPs are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
|
||||
|
@ -1214,7 +1214,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted-with-mail", // when only DNS is permitted, mails are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{"mail@smallstep.com"},
|
||||
|
@ -1225,7 +1225,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/dns-permitted-with-uri", // when only DNS is permitted, URIs are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -1241,7 +1241,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/ip-permitted-with-dns-name", // when only IP is permitted, DNS names are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedIPRanges(
|
||||
WithPermittedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("127.0.0.1"),
|
||||
|
@ -1259,7 +1259,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/ip-permitted-with-mail", // when only IP is permitted, mails are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedIPRanges(
|
||||
WithPermittedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("127.0.0.1"),
|
||||
|
@ -1277,7 +1277,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/ip-permitted-with-uri", // when only IP is permitted, URIs are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedIPRanges(
|
||||
WithPermittedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("127.0.0.1"),
|
||||
|
@ -1300,7 +1300,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/mail-permitted-with-dns-name", // when only mail is permitted, DNS names are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("@example.com"),
|
||||
WithPermittedEmailAddress("@example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{"www.example.com"},
|
||||
|
@ -1311,7 +1311,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/mail-permitted-with-ip", // when only mail is permitted, IPs are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("@example.com"),
|
||||
WithPermittedEmailAddress("@example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
IPAddresses: []net.IP{
|
||||
|
@ -1324,7 +1324,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/mail-permitted-with-uri", // when only mail is permitted, URIs are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("@example.com"),
|
||||
WithPermittedEmailAddress("@example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -1340,7 +1340,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/uri-permitted-with-dns-name", // when only URI is permitted, DNS names are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("*.local"),
|
||||
WithPermittedURIDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{"host.local"},
|
||||
|
@ -1351,7 +1351,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, IPs are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("*.local"),
|
||||
WithPermittedURIDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
IPAddresses: []net.IP{
|
||||
|
@ -1364,7 +1364,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, mails are not allowed.
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("*.local"),
|
||||
WithPermittedURIDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{"mail@smallstep.com"},
|
||||
|
@ -1488,7 +1488,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/dns-permitted",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{"example.local"},
|
||||
|
@ -1499,8 +1499,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/dns-permitted-wildcard",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
AddPermittedDNSDomain("*.x509local"),
|
||||
WithPermittedDNSDomains([]string{"*.local", "*.x509local"}),
|
||||
WithAllowLiteralWildcardNames(),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
|
@ -1515,8 +1514,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/dns-permitted-wildcard-literal",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
AddPermittedDNSDomain("*.x509local"),
|
||||
WithPermittedDNSDomains([]string{"*.local", "*.x509local"}),
|
||||
WithAllowLiteralWildcardNames(),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
|
@ -1531,9 +1529,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/dns-permitted-combined",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
AddPermittedDNSDomain("*.x509local"),
|
||||
AddPermittedDNSDomain("host.example.com"),
|
||||
WithPermittedDNSDomains([]string{"*.local", "*.x509local", "host.example.com"}),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{
|
||||
|
@ -1548,7 +1544,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/dns-permitted-idna-internationalized-domain",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("*.例.jp"),
|
||||
WithPermittedDNSDomain("*.例.jp"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
DNSNames: []string{
|
||||
|
@ -1561,7 +1557,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/ipv4-permitted",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedCIDR("127.0.0.1/24"),
|
||||
WithPermittedCIDR("127.0.0.1/24"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
IPAddresses: []net.IP{net.ParseIP("127.0.0.20")},
|
||||
|
@ -1572,7 +1568,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/ipv6-permitted",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
|
||||
WithPermittedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
IPAddresses: []net.IP{net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7339")},
|
||||
|
@ -1583,7 +1579,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/mail-permitted-wildcard",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("@example.com"),
|
||||
WithPermittedEmailAddress("@example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{
|
||||
|
@ -1596,7 +1592,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/mail-permitted-plain-domain",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("example.com"),
|
||||
WithPermittedEmailAddress("example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{
|
||||
|
@ -1609,7 +1605,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/mail-permitted-specific-mailbox",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("test@local.com"),
|
||||
WithPermittedEmailAddress("test@local.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{
|
||||
|
@ -1622,7 +1618,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/mail-permitted-idna-internationalized-domain",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("@例.jp"),
|
||||
WithPermittedEmailAddress("@例.jp"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{},
|
||||
|
@ -1633,7 +1629,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/uri-permitted-domain-wildcard",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("*.local"),
|
||||
WithPermittedURIDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -1649,7 +1645,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/uri-permitted-specific-uri",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("test.local"),
|
||||
WithPermittedURIDomain("test.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -1665,7 +1661,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/uri-permitted-with-port",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("*.example.com"),
|
||||
WithPermittedURIDomain("*.example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -1681,7 +1677,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/uri-permitted-idna-internationalized-domain",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("*.bücher.example.com"),
|
||||
WithPermittedURIDomain("*.bücher.example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -1697,7 +1693,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/uri-permitted-idna-internationalized-domain",
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("bücher.example.com"),
|
||||
WithPermittedURIDomain("bücher.example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -1725,7 +1721,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/ipv4-excluded",
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedIPRanges(
|
||||
WithExcludedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("127.0.0.1"),
|
||||
|
@ -1743,7 +1739,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/ipv6-excluded",
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
|
||||
WithExcludedCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
IPAddresses: []net.IP{net.ParseIP("2003:0db8:85a3:0000:0000:8a2e:0370:7334")},
|
||||
|
@ -1794,7 +1790,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/subject-empty",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1809,7 +1805,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/subject-dns-permitted",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
WithPermittedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1823,7 +1819,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/subject-dns-excluded",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddExcludedDNSDomain("*.notlocal"),
|
||||
WithExcludedDNSDomain("*.notlocal"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1837,7 +1833,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/subject-ipv4-permitted",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddPermittedIPRanges(
|
||||
WithPermittedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("127.0.0.1"),
|
||||
|
@ -1858,7 +1854,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/subject-ipv4-excluded",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddExcludedIPRanges(
|
||||
WithExcludedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("128.0.0.1"),
|
||||
|
@ -1879,7 +1875,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/subject-ipv6-permitted",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddPermittedIPRanges(
|
||||
WithPermittedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
|
||||
|
@ -1900,7 +1896,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/subject-ipv6-excluded",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddExcludedIPRanges(
|
||||
WithExcludedIPRanges(
|
||||
[]*net.IPNet{
|
||||
{
|
||||
IP: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
|
||||
|
@ -1921,7 +1917,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/subject-email-permitted",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddPermittedEmailAddress("@example.local"),
|
||||
WithPermittedEmailAddress("@example.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1935,7 +1931,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/subject-email-excluded",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddExcludedEmailAddress("@example.notlocal"),
|
||||
WithExcludedEmailAddress("@example.notlocal"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1949,7 +1945,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/subject-uri-permitted",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddPermittedURIDomain("*.example.com"),
|
||||
WithPermittedURIDomain("*.example.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1963,7 +1959,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/subject-uri-excluded",
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddExcludedURIDomain("*.smallstep.com"),
|
||||
WithExcludedURIDomain("*.smallstep.com"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -1977,7 +1973,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/dns-excluded-with-ip-name", // when only DNS is exluded, we allow anything else
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedDNSDomain("*.local"),
|
||||
WithExcludedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
|
||||
|
@ -1988,7 +1984,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedDNSDomain("*.local"),
|
||||
WithExcludedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
EmailAddresses: []string{"mail@example.com"},
|
||||
|
@ -1999,7 +1995,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
{
|
||||
name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedDNSDomain("*.local"),
|
||||
WithExcludedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
URIs: []*url.URL{
|
||||
|
@ -2125,7 +2121,7 @@ func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
|
|||
name: "ok/dns-excluded-with-subject-ip-name", // when only DNS is exluded, we allow anything else
|
||||
options: []NamePolicyOption{
|
||||
WithSubjectCommonNameVerification(),
|
||||
AddExcludedDNSDomain("*.local"),
|
||||
WithExcludedDNSDomain("*.local"),
|
||||
},
|
||||
cert: &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
|
@ -2750,6 +2746,18 @@ func Test_splitSSHPrincipals(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/user-ip": func(t *testing.T) test {
|
||||
r := emptyResult()
|
||||
r.wantIps = []net.IP{net.ParseIP("127.0.0.1")}
|
||||
return test{
|
||||
cert: &ssh.Certificate{
|
||||
CertType: ssh.UserCert,
|
||||
ValidPrincipals: []string{"127.0.0.1"},
|
||||
},
|
||||
r: r,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/user-uri": func(t *testing.T) test {
|
||||
r := emptyResult()
|
||||
return test{
|
||||
|
@ -2781,6 +2789,7 @@ func Test_splitSSHPrincipals(t *testing.T) {
|
|||
ValidPrincipals: []string{"host.example.com"},
|
||||
},
|
||||
r: r,
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/host-ip": func(t *testing.T) test {
|
||||
|
@ -2792,6 +2801,7 @@ func Test_splitSSHPrincipals(t *testing.T) {
|
|||
ValidPrincipals: []string{"127.0.0.1"},
|
||||
},
|
||||
r: r,
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/host-email": func(t *testing.T) test {
|
||||
|
@ -2815,6 +2825,7 @@ func Test_splitSSHPrincipals(t *testing.T) {
|
|||
ValidPrincipals: []string{"localhost"},
|
||||
},
|
||||
r: r,
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/user-username-with-period": func(t *testing.T) test {
|
||||
|
@ -2826,17 +2837,6 @@ func Test_splitSSHPrincipals(t *testing.T) {
|
|||
ValidPrincipals: []string{"x.joe"},
|
||||
},
|
||||
r: r,
|
||||
}
|
||||
},
|
||||
"ok/user-ip": func(t *testing.T) test {
|
||||
r := emptyResult()
|
||||
r.wantIps = []net.IP{net.ParseIP("127.0.0.1")}
|
||||
return test{
|
||||
cert: &ssh.Certificate{
|
||||
CertType: ssh.UserCert,
|
||||
ValidPrincipals: []string{"127.0.0.1"},
|
||||
},
|
||||
r: r,
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
|
@ -2849,6 +2849,7 @@ func Test_splitSSHPrincipals(t *testing.T) {
|
|||
ValidPrincipals: []string{"ops@work"},
|
||||
},
|
||||
r: r,
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
}
|
||||
|
|
|
@ -41,21 +41,6 @@ func WithPermittedDNSDomains(domains []string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddPermittedDNSDomains(domains []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedDomains := make([]string, len(domains))
|
||||
for i, domain := range domains {
|
||||
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse permitted domain constraint %q: %w", domain, err)
|
||||
}
|
||||
normalizedDomains[i] = normalizedDomain
|
||||
}
|
||||
e.permittedDNSDomains = append(e.permittedDNSDomains, normalizedDomains...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithExcludedDNSDomains(domains []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedDomains := make([]string, len(domains))
|
||||
|
@ -71,21 +56,6 @@ func WithExcludedDNSDomains(domains []string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddExcludedDNSDomains(domains []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedDomains := make([]string, len(domains))
|
||||
for i, domain := range domains {
|
||||
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse excluded domain constraint %q: %w", domain, err)
|
||||
}
|
||||
normalizedDomains[i] = normalizedDomain
|
||||
}
|
||||
e.excludedDNSDomains = append(e.excludedDNSDomains, normalizedDomains...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithPermittedDNSDomain(domain string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
||||
|
@ -97,17 +67,6 @@ func WithPermittedDNSDomain(domain string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddPermittedDNSDomain(domain string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse permitted domain constraint %q: %w", domain, err)
|
||||
}
|
||||
e.permittedDNSDomains = append(e.permittedDNSDomains, normalizedDomain)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithExcludedDNSDomain(domain string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
||||
|
@ -119,17 +78,6 @@ func WithExcludedDNSDomain(domain string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddExcludedDNSDomain(domain string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse excluded domain constraint %q: %w", domain, err)
|
||||
}
|
||||
e.excludedDNSDomains = append(e.excludedDNSDomains, normalizedDomain)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithPermittedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
e.permittedIPRanges = ipRanges
|
||||
|
@ -137,13 +85,6 @@ func WithPermittedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddPermittedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
e.permittedIPRanges = append(e.permittedIPRanges, ipRanges...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithPermittedCIDRs(cidrs []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
networks := make([]*net.IPNet, len(cidrs))
|
||||
|
@ -159,21 +100,6 @@ func WithPermittedCIDRs(cidrs []string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddPermittedCIDRs(cidrs []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
networks := make([]*net.IPNet, len(cidrs))
|
||||
for i, cidr := range cidrs {
|
||||
_, nw, err := net.ParseCIDR(cidr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr)
|
||||
}
|
||||
networks[i] = nw
|
||||
}
|
||||
e.permittedIPRanges = append(e.permittedIPRanges, networks...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithExcludedCIDRs(cidrs []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
networks := make([]*net.IPNet, len(cidrs))
|
||||
|
@ -189,21 +115,6 @@ func WithExcludedCIDRs(cidrs []string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddExcludedCIDRs(cidrs []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
networks := make([]*net.IPNet, len(cidrs))
|
||||
for i, cidr := range cidrs {
|
||||
_, nw, err := net.ParseCIDR(cidr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse excluded CIDR constraint %q", cidr)
|
||||
}
|
||||
networks[i] = nw
|
||||
}
|
||||
e.excludedIPRanges = append(e.excludedIPRanges, networks...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithPermittedIPsOrCIDRs(ipsOrCIDRs []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
networks := make([]*net.IPNet, len(ipsOrCIDRs))
|
||||
|
@ -251,17 +162,6 @@ func WithPermittedCIDR(cidr string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddPermittedCIDR(cidr string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
_, nw, err := net.ParseCIDR(cidr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr)
|
||||
}
|
||||
e.permittedIPRanges = append(e.permittedIPRanges, nw)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithPermittedIP(ip net.IP) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
nw := networkFor(ip)
|
||||
|
@ -270,14 +170,6 @@ func WithPermittedIP(ip net.IP) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddPermittedIP(ip net.IP) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
nw := networkFor(ip)
|
||||
e.permittedIPRanges = append(e.permittedIPRanges, nw)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithExcludedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
e.excludedIPRanges = ipRanges
|
||||
|
@ -285,13 +177,6 @@ func WithExcludedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddExcludedIPRanges(ipRanges []*net.IPNet) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
e.excludedIPRanges = append(e.excludedIPRanges, ipRanges...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithExcludedCIDR(cidr string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
_, nw, err := net.ParseCIDR(cidr)
|
||||
|
@ -303,17 +188,6 @@ func WithExcludedCIDR(cidr string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddExcludedCIDR(cidr string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
_, nw, err := net.ParseCIDR(cidr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse excluded CIDR constraint %q", cidr)
|
||||
}
|
||||
e.excludedIPRanges = append(e.excludedIPRanges, nw)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithExcludedIP(ip net.IP) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
var mask net.IPMask
|
||||
|
@ -331,23 +205,6 @@ func WithExcludedIP(ip net.IP) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddExcludedIP(ip net.IP) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
var mask net.IPMask
|
||||
if !isIPv4(ip) {
|
||||
mask = net.CIDRMask(128, 128)
|
||||
} else {
|
||||
mask = net.CIDRMask(32, 32)
|
||||
}
|
||||
nw := &net.IPNet{
|
||||
IP: ip,
|
||||
Mask: mask,
|
||||
}
|
||||
e.excludedIPRanges = append(e.excludedIPRanges, nw)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedEmailAddresses := make([]string, len(emailAddresses))
|
||||
|
@ -363,21 +220,6 @@ func WithPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedEmailAddresses := make([]string, len(emailAddresses))
|
||||
for i, email := range emailAddresses {
|
||||
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse permitted email constraint %q: %w", email, err)
|
||||
}
|
||||
normalizedEmailAddresses[i] = normalizedEmailAddress
|
||||
}
|
||||
e.permittedEmailAddresses = append(e.permittedEmailAddresses, normalizedEmailAddresses...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedEmailAddresses := make([]string, len(emailAddresses))
|
||||
|
@ -393,21 +235,6 @@ func WithExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedEmailAddresses := make([]string, len(emailAddresses))
|
||||
for i, email := range emailAddresses {
|
||||
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse excluded email constraint %q: %w", email, err)
|
||||
}
|
||||
normalizedEmailAddresses[i] = normalizedEmailAddress
|
||||
}
|
||||
e.excludedEmailAddresses = append(e.excludedEmailAddresses, normalizedEmailAddresses...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithPermittedEmailAddress(emailAddress string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
||||
|
@ -419,17 +246,6 @@ func WithPermittedEmailAddress(emailAddress string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddPermittedEmailAddress(emailAddress string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse permitted email constraint %q: %w", emailAddress, err)
|
||||
}
|
||||
e.permittedEmailAddresses = append(e.permittedEmailAddresses, normalizedEmailAddress)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithExcludedEmailAddress(emailAddress string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
||||
|
@ -441,17 +257,6 @@ func WithExcludedEmailAddress(emailAddress string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddExcludedEmailAddress(emailAddress string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse excluded email constraint %q: %w", emailAddress, err)
|
||||
}
|
||||
e.excludedEmailAddresses = append(e.excludedEmailAddresses, normalizedEmailAddress)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithPermittedURIDomains(uriDomains []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedURIDomains := make([]string, len(uriDomains))
|
||||
|
@ -467,21 +272,6 @@ func WithPermittedURIDomains(uriDomains []string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddPermittedURIDomains(uriDomains []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedURIDomains := make([]string, len(uriDomains))
|
||||
for i, domain := range uriDomains {
|
||||
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse permitted URI domain constraint %q: %w", domain, err)
|
||||
}
|
||||
normalizedURIDomains[i] = normalizedURIDomain
|
||||
}
|
||||
e.permittedURIDomains = append(e.permittedURIDomains, normalizedURIDomains...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithPermittedURIDomain(domain string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
||||
|
@ -493,17 +283,6 @@ func WithPermittedURIDomain(domain string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddPermittedURIDomain(domain string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse permitted URI domain constraint %q: %w", domain, err)
|
||||
}
|
||||
e.permittedURIDomains = append(e.permittedURIDomains, normalizedURIDomain)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithExcludedURIDomains(domains []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedURIDomains := make([]string, len(domains))
|
||||
|
@ -519,21 +298,6 @@ func WithExcludedURIDomains(domains []string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddExcludedURIDomains(domains []string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedURIDomains := make([]string, len(domains))
|
||||
for i, domain := range domains {
|
||||
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse excluded URI domain constraint %q: %w", domain, err)
|
||||
}
|
||||
normalizedURIDomains[i] = normalizedURIDomain
|
||||
}
|
||||
e.excludedURIDomains = append(e.excludedURIDomains, normalizedURIDomains...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithExcludedURIDomain(domain string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
||||
|
@ -545,17 +309,6 @@ func WithExcludedURIDomain(domain string) NamePolicyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func AddExcludedURIDomain(domain string) NamePolicyOption {
|
||||
return func(e *NamePolicyEngine) error {
|
||||
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot parse excluded URI domain constraint %q: %w", domain, err)
|
||||
}
|
||||
e.excludedURIDomains = append(e.excludedURIDomains, normalizedURIDomain)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithPermittedPrincipals(principals []string) NamePolicyOption {
|
||||
return func(g *NamePolicyEngine) error {
|
||||
// TODO(hs): normalize and parse principal into the right type? Seems the safe thing to do.
|
||||
|
|
|
@ -206,15 +206,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-permitted-dns-domains": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomains([]string{"**.local"}),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-excluded-dns-domains": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -224,15 +215,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-excluded-dns-domains": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedDNSDomains([]string{"**.local"}),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-permitted-dns-domain": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -242,15 +224,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-permitted-dns-domain": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedDNSDomain("**.local"),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-excluded-dns-domain": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -260,15 +233,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-excluded-dns-domain": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedDNSDomain("**.local"),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-permitted-cidrs": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -278,15 +242,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-permitted-cidrs": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedCIDRs([]string{"127.0.0.1//24"}),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-excluded-cidrs": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -296,15 +251,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-excluded-cidrs": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedCIDRs([]string{"127.0.0.1//24"}),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-permitted-ipsOrCIDRs-cidr": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -350,15 +296,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-permitted-cidr": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedCIDR("127.0.0.1//24"),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-excluded-cidr": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -368,15 +305,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-excluded-cidr": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedCIDR("127.0.0.1//24"),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-permitted-emails": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -386,15 +314,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-permitted-emails": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddresses([]string{"*.local"}),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-excluded-emails": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -404,15 +323,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-excluded-emails": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedEmailAddresses([]string{"*.local"}),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-permitted-email": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -422,15 +332,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-permitted-email": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedEmailAddress("*.local"),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-excluded-email": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -440,15 +341,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-excluded-email": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedEmailAddress("*.local"),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-permitted-uris": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -458,15 +350,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-permitted-uris": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomains([]string{"**.local"}),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-excluded-uris": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -476,15 +359,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-excluded-uris": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedURIDomains([]string{"**.local"}),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-permitted-uri": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -494,15 +368,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-permitted-uri": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddPermittedURIDomain("**.local"),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/with-excluded-uri": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
|
@ -512,15 +377,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"fail/add-excluded-uri": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{
|
||||
AddExcludedURIDomain("**.local"),
|
||||
},
|
||||
want: nil,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
"ok/default": func(t *testing.T) test {
|
||||
return test{
|
||||
options: []NamePolicyOption{},
|
||||
|
@ -567,22 +423,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-dns-wildcard-domains": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedDNSDomains([]string{"*.local"}),
|
||||
AddPermittedDNSDomains([]string{"*.example.com", "*.local"}),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedDNSDomains: []string{".local", ".example.com"},
|
||||
numberOfDNSDomainConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-excluded-dns-domains": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedDNSDomains([]string{"*.local", "*.example.com"}),
|
||||
|
@ -598,22 +438,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-excluded-dns-domains": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedDNSDomains([]string{"*.local"}),
|
||||
AddExcludedDNSDomains([]string{"*.local", "*.example.com"}),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
excludedDNSDomains: []string{".local", ".example.com"},
|
||||
numberOfDNSDomainConstraints: 2,
|
||||
totalNumberOfExcludedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-dns-wildcard-domain": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedDNSDomain("*.example.com"),
|
||||
|
@ -629,22 +453,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-dns-wildcard-domain": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedDNSDomain("*.example.com"),
|
||||
AddPermittedDNSDomain("*.local"),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedDNSDomains: []string{".example.com", ".local"},
|
||||
numberOfDNSDomainConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-dns-domain": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedDNSDomain("www.example.com"),
|
||||
|
@ -660,22 +468,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-dns-domain": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedDNSDomain("www.example.com"),
|
||||
AddPermittedDNSDomain("host.local"),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedDNSDomains: []string{"www.example.com", "host.local"},
|
||||
numberOfDNSDomainConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-ip-ranges": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
|
@ -701,36 +493,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-ip-ranges": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedIPRanges(
|
||||
[]*net.IPNet{
|
||||
nw1,
|
||||
},
|
||||
),
|
||||
AddPermittedIPRanges(
|
||||
[]*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedIPRanges: []*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
numberOfIPRangeConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-excluded-ip-ranges": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
|
@ -756,36 +518,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-excluded-ip-ranges": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedIPRanges(
|
||||
[]*net.IPNet{
|
||||
nw1,
|
||||
},
|
||||
),
|
||||
AddExcludedIPRanges(
|
||||
[]*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
excludedIPRanges: []*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
numberOfIPRangeConstraints: 2,
|
||||
totalNumberOfExcludedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-cidrs": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
|
@ -807,28 +539,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-cidrs": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedCIDRs([]string{"127.0.0.1/24"}),
|
||||
AddPermittedCIDRs([]string{"127.0.0.1/24", "192.168.0.1/24"}),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedIPRanges: []*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
numberOfIPRangeConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-excluded-cidrs": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
|
@ -850,28 +560,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-excluded-cidrs": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedCIDRs([]string{"127.0.0.1/24"}),
|
||||
AddExcludedCIDRs([]string{"127.0.0.1/24", "192.168.0.1/24"}),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
excludedIPRanges: []*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
numberOfIPRangeConstraints: 2,
|
||||
totalNumberOfExcludedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-ipsOrCIDRs-cidr": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
|
@ -933,28 +621,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-cidr": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedCIDR("127.0.0.1/24"),
|
||||
AddPermittedCIDR("192.168.0.1/24"),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedIPRanges: []*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
numberOfIPRangeConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-excluded-cidr": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
|
@ -974,28 +640,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-excluded-cidr": func(t *testing.T) test {
|
||||
_, nw1, err := net.ParseCIDR("127.0.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
_, nw2, err := net.ParseCIDR("192.168.0.1/24")
|
||||
assert.FatalError(t, err)
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedCIDR("127.0.0.1/24"),
|
||||
AddExcludedCIDR("192.168.0.1/24"),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
excludedIPRanges: []*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
numberOfIPRangeConstraints: 2,
|
||||
totalNumberOfExcludedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-ipv4": func(t *testing.T) test {
|
||||
ip1, nw1, err := net.ParseCIDR("127.0.0.15/32")
|
||||
assert.FatalError(t, err)
|
||||
|
@ -1015,28 +659,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-ipv4": func(t *testing.T) test {
|
||||
ip1, nw1, err := net.ParseCIDR("127.0.0.45/32")
|
||||
assert.FatalError(t, err)
|
||||
ip2, nw2, err := net.ParseCIDR("192.168.0.55/32")
|
||||
assert.FatalError(t, err)
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedIP(ip1),
|
||||
AddPermittedIP(ip2),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedIPRanges: []*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
numberOfIPRangeConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-excluded-ipv4": func(t *testing.T) test {
|
||||
ip1, nw1, err := net.ParseCIDR("127.0.0.15/32")
|
||||
assert.FatalError(t, err)
|
||||
|
@ -1056,28 +678,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-excluded-ipv4": func(t *testing.T) test {
|
||||
ip1, nw1, err := net.ParseCIDR("127.0.0.45/32")
|
||||
assert.FatalError(t, err)
|
||||
ip2, nw2, err := net.ParseCIDR("192.168.0.55/32")
|
||||
assert.FatalError(t, err)
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedIP(ip1),
|
||||
AddExcludedIP(ip2),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
excludedIPRanges: []*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
numberOfIPRangeConstraints: 2,
|
||||
totalNumberOfExcludedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-ipv6": func(t *testing.T) test {
|
||||
ip1, nw1, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
|
||||
assert.FatalError(t, err)
|
||||
|
@ -1097,28 +697,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-ipv6": func(t *testing.T) test {
|
||||
ip1, nw1, err := net.ParseCIDR("127.0.0.10/32")
|
||||
assert.FatalError(t, err)
|
||||
ip2, nw2, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
|
||||
assert.FatalError(t, err)
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedIP(ip1),
|
||||
AddPermittedIP(ip2),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedIPRanges: []*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
numberOfIPRangeConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-excluded-ipv6": func(t *testing.T) test {
|
||||
ip1, nw1, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
|
||||
assert.FatalError(t, err)
|
||||
|
@ -1138,28 +716,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-excluded-ipv6": func(t *testing.T) test {
|
||||
ip1, nw1, err := net.ParseCIDR("127.0.0.10/32")
|
||||
assert.FatalError(t, err)
|
||||
ip2, nw2, err := net.ParseCIDR("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")
|
||||
assert.FatalError(t, err)
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedIP(ip1),
|
||||
AddExcludedIP(ip2),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
excludedIPRanges: []*net.IPNet{
|
||||
nw1, nw2,
|
||||
},
|
||||
numberOfIPRangeConstraints: 2,
|
||||
totalNumberOfExcludedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-emails": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedEmailAddresses([]string{"mail@local", "@example.com"}),
|
||||
|
@ -1175,22 +731,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-emails": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedEmailAddresses([]string{"mail@local"}),
|
||||
AddPermittedEmailAddresses([]string{"@example.com", "mail@local"}),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedEmailAddresses: []string{"mail@local", "example.com"},
|
||||
numberOfEmailAddressConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-excluded-emails": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedEmailAddresses([]string{"mail@local", "@example.com"}),
|
||||
|
@ -1206,22 +746,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-excluded-emails": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedEmailAddresses([]string{"mail@local"}),
|
||||
AddExcludedEmailAddresses([]string{"@example.com", "mail@local"}),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
excludedEmailAddresses: []string{"mail@local", "example.com"},
|
||||
numberOfEmailAddressConstraints: 2,
|
||||
totalNumberOfExcludedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-email": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedEmailAddress("mail@local"),
|
||||
|
@ -1237,22 +761,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-email": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedEmailAddress("mail@local"),
|
||||
AddPermittedEmailAddress("@example.com"),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedEmailAddresses: []string{"mail@local", "example.com"},
|
||||
numberOfEmailAddressConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-excluded-email": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedEmailAddress("mail@local"),
|
||||
|
@ -1268,22 +776,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-excluded-email": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedEmailAddress("mail@local"),
|
||||
AddExcludedEmailAddress("@example.com"),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
excludedEmailAddresses: []string{"mail@local", "example.com"},
|
||||
numberOfEmailAddressConstraints: 2,
|
||||
totalNumberOfExcludedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-uris": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedURIDomains([]string{"host.local", "*.example.com"}),
|
||||
|
@ -1299,22 +791,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-uris": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedURIDomains([]string{"host.local"}),
|
||||
AddPermittedURIDomains([]string{"*.example.com", "host.local"}),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedURIDomains: []string{"host.local", ".example.com"},
|
||||
numberOfURIDomainConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-excluded-uris": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedURIDomains([]string{"host.local", "*.example.com"}),
|
||||
|
@ -1330,22 +806,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-excluded-uris": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedURIDomains([]string{"host.local"}),
|
||||
AddExcludedURIDomains([]string{"*.example.com", "host.local"}),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
excludedURIDomains: []string{"host.local", ".example.com"},
|
||||
numberOfURIDomainConstraints: 2,
|
||||
totalNumberOfExcludedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-uri": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedURIDomain("host.local"),
|
||||
|
@ -1376,22 +836,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-permitted-uri": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedURIDomain("host.local"),
|
||||
AddPermittedURIDomain("*.example.com"),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
permittedURIDomains: []string{"host.local", ".example.com"},
|
||||
numberOfURIDomainConstraints: 2,
|
||||
totalNumberOfPermittedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-excluded-uri": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedURIDomain("host.local"),
|
||||
|
@ -1407,22 +851,6 @@ func TestNew(t *testing.T) {
|
|||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/add-excluded-uri": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithExcludedURIDomain("host.local"),
|
||||
AddExcludedURIDomain("*.example.com"),
|
||||
}
|
||||
return test{
|
||||
options: options,
|
||||
want: &NamePolicyEngine{
|
||||
excludedURIDomains: []string{"host.local", ".example.com"},
|
||||
numberOfURIDomainConstraints: 2,
|
||||
totalNumberOfExcludedConstraints: 2,
|
||||
totalNumberOfConstraints: 2,
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-permitted-principals": func(t *testing.T) test {
|
||||
options := []NamePolicyOption{
|
||||
WithPermittedPrincipals([]string{"root", "ops"}),
|
||||
|
|
Loading…
Reference in a new issue