package policy

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"net"
	"net/url"
	"reflect"
	"testing"

	"github.com/google/go-cmp/cmp"
	"github.com/stretchr/testify/assert"
	"golang.org/x/crypto/ssh"
)

// TODO(hs): the functionality in the policy engine is a nice candidate for trying fuzzing on
// TODO(hs): more complex test use cases that combine multiple names and permitted/excluded entries?

func TestNamePolicyEngine_matchDomainConstraint(t *testing.T) {
	tests := []struct {
		name                      string
		allowLiteralWildcardNames bool
		domain                    string
		constraint                string
		want                      bool
		wantErr                   bool
	}{
		{
			name:       "fail/wildcard",
			domain:     "host.local",
			constraint: ".example.com", // internally we're using the x509 period prefix as the indicator for exactly one subdomain
			want:       false,
			wantErr:    false,
		},
		{
			name:       "fail/wildcard-literal",
			domain:     "*.example.com",
			constraint: ".example.com", // internally we're using the x509 period prefix as the indicator for exactly one subdomain
			want:       false,
			wantErr:    false,
		},
		{
			name:       "fail/specific-domain",
			domain:     "www.example.com",
			constraint: "host.example.com",
			want:       false,
			wantErr:    false,
		},
		{
			name:       "fail/single-whitespace-domain",
			domain:     " ",
			constraint: "host.example.com",
			want:       false,
			wantErr:    false,
		},
		{
			name:       "fail/period-domain",
			domain:     ".host.example.com",
			constraint: ".example.com",
			want:       false,
			wantErr:    false,
		},
		{
			name:       "fail/wrong-asterisk-prefix",
			domain:     "*Xexample.com",
			constraint: ".example.com",
			want:       false,
			wantErr:    false,
		},
		{
			name:       "fail/asterisk-in-domain",
			domain:     "e*ample.com",
			constraint: ".com",
			want:       false,
			wantErr:    false,
		},
		{
			name:       "fail/asterisk-label",
			domain:     "example.*.local",
			constraint: ".local",
			want:       false,
			wantErr:    false,
		},
		{
			name:       "fail/multiple-periods",
			domain:     "example.local",
			constraint: "..local",
			want:       false,
			wantErr:    false,
		},
		{
			name:       "fail/error-parsing-domain",
			domain:     string(byte(0)),
			constraint: ".local",
			want:       false,
			wantErr:    true,
		},
		{
			name:       "fail/error-parsing-constraint",
			domain:     "example.local",
			constraint: string(byte(0)),
			want:       false,
			wantErr:    true,
		},
		{
			name:       "fail/no-subdomain",
			domain:     "local",
			constraint: ".local",
			want:       false,
			wantErr:    false,
		},
		{
			name:       "fail/too-many-subdomains",
			domain:     "www.example.local",
			constraint: ".local",
			want:       false,
			wantErr:    false,
		},
		{
			name:       "fail/wrong-domain",
			domain:     "example.notlocal",
			constraint: ".local",
			want:       false,
			wantErr:    false,
		},
		{
			name:       "false/idna-internationalized-domain-name",
			domain:     "JP納豆.例.jp", // Example value from https://www.w3.org/International/articles/idn-and-iri/
			constraint: ".例.jp",
			want:       false,
			wantErr:    true,
		},
		{
			name:       "false/idna-internationalized-domain-name-constraint",
			domain:     "xn--jp-cd2fp15c.xn--fsq.jp", // Example value from https://www.w3.org/International/articles/idn-and-iri/
			constraint: ".例.jp",
			want:       false,
			wantErr:    true,
		},
		{
			name:       "ok/empty-constraint",
			domain:     "www.example.com",
			constraint: "",
			want:       true,
			wantErr:    false,
		},
		{
			name:       "ok/wildcard",
			domain:     "www.example.com",
			constraint: ".example.com", // internally we're using the x509 period prefix as the indicator for exactly one subdomain
			want:       true,
			wantErr:    false,
		},
		{
			name:                      "ok/wildcard-literal",
			allowLiteralWildcardNames: true,
			domain:                    "*.example.com", // specifically allowed using an option on the NamePolicyEngine
			constraint:                ".example.com",  // internally we're using the x509 period prefix as the indicator for exactly one subdomain
			want:                      true,
			wantErr:                   false,
		},
		{
			name:       "ok/specific-domain",
			domain:     "www.example.com",
			constraint: "www.example.com",
			want:       true,
			wantErr:    false,
		},
		{
			name:       "ok/different-case",
			domain:     "WWW.EXAMPLE.com",
			constraint: "www.example.com",
			want:       true,
			wantErr:    false,
		},
		{
			name:       "ok/idna-internationalized-domain-name-punycode",
			domain:     "xn--jp-cd2fp15c.xn--fsq.jp", // Example value from https://www.w3.org/International/articles/idn-and-iri/
			constraint: ".xn--fsq.jp",
			want:       true,
			wantErr:    false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			engine := NamePolicyEngine{
				allowLiteralWildcardNames: tt.allowLiteralWildcardNames,
			}
			got, err := engine.matchDomainConstraint(tt.domain, tt.constraint)
			if (err != nil) != tt.wantErr {
				t.Errorf("NamePolicyEngine.matchDomainConstraint() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if got != tt.want {
				t.Errorf("NamePolicyEngine.matchDomainConstraint() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_matchIPConstraint(t *testing.T) {
	nat64IP, nat64Net, err := net.ParseCIDR("64:ff9b::/96")
	assert.NoError(t, err)
	tests := []struct {
		name       string
		ip         net.IP
		constraint *net.IPNet
		want       bool
		wantErr    bool
	}{
		{
			name:       "false/ipv4-in-ipv6-nat64",
			ip:         net.ParseIP("192.0.2.128"),
			constraint: nat64Net,
			want:       false,
			wantErr:    false,
		},
		{
			name: "ok/ipv4",
			ip:   net.ParseIP("127.0.0.1"),
			constraint: &net.IPNet{
				IP:   net.ParseIP("127.0.0.0"),
				Mask: net.IPv4Mask(255, 255, 255, 0),
			},
			want:    true,
			wantErr: false,
		},
		{
			name: "ok/ipv6",
			ip:   net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7335"),
			constraint: &net.IPNet{
				IP:   net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
				Mask: net.CIDRMask(120, 128),
			},
			want:    true,
			wantErr: false,
		},
		{
			name: "ok/ipv4-in-ipv6", // ipv4 in ipv6 addresses are considered the same in the current implementation, because Go parses them as IPv4
			ip:   net.ParseIP("::ffff:192.0.2.128"),
			constraint: &net.IPNet{
				IP:   net.ParseIP("192.0.2.0"),
				Mask: net.IPv4Mask(255, 255, 255, 0),
			},
			want:    true,
			wantErr: false,
		},
		{
			name:       "ok/ipv4-in-ipv6-nat64-fixed-ip",
			ip:         nat64IP,
			constraint: nat64Net,
			want:       true,
			wantErr:    false,
		},
		{
			name:       "ok/ipv4-in-ipv6-nat64",
			ip:         net.ParseIP("64:ff9b::192.0.2.129"),
			constraint: nat64Net,
			want:       true,
			wantErr:    false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got, err := matchIPConstraint(tt.ip, tt.constraint)
			if (err != nil) != tt.wantErr {
				t.Errorf("matchIPConstraint() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if got != tt.want {
				t.Errorf("matchIPConstraint() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestNamePolicyEngine_matchEmailConstraint(t *testing.T) {

	tests := []struct {
		name       string
		engine     *NamePolicyEngine
		mailbox    rfc2821Mailbox
		constraint string
		want       bool
		wantErr    bool
	}{
		{
			name:   "fail/asterisk-label",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "local",
			},
			constraint: "@host.*.example.com",
			want:       false,
			wantErr:    true,
		},
		{
			name:   "fail/asterisk-inside-domain",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "local",
			},
			constraint: "@h*st.example.com",
			want:       false,
			wantErr:    true,
		},
		{
			name:   "fail/parse-email",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "local",
			},
			constraint: "@example.com",
			want:       false,
			wantErr:    true,
		},
		{
			name:   "fail/wildcard",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "local",
			},
			constraint: "example.com",
			want:       false,
			wantErr:    false,
		},
		{
			name:   "fail/wildcard-x509-period",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "local",
			},
			constraint: ".local",
			want:       false,
			wantErr:    false,
		},
		{
			name:   "fail/specific-mail-wrong-domain",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "local",
			},
			constraint: "mail@example.com",
			want:       false,
			wantErr:    false,
		},
		{
			name:   "fail/specific-mail-wrong-local",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "root",
				domain: "example.com",
			},
			constraint: "mail@example.com",
			want:       false,
			wantErr:    false,
		},
		{
			name:   "ok/wildcard",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "local",
			},
			constraint: "local", // "wildcard" for the local domain
			want:       true,
			wantErr:    false,
		},
		{
			name:   "ok/wildcard-x509-period",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "example.local",
			},
			constraint: ".local", // "wildcard" for the local domain; requires exactly 1 subdomain
			want:       true,
			wantErr:    false,
		},
		{
			name:   "ok/asterisk-prefix",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "local",
			},
			constraint: "*@example.com",
			want:       false,
			wantErr:    false,
		},
		{
			name:   "ok/asterisk-prefix-match",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "*",
				domain: "example.com",
			},
			constraint: "*@example.com",
			want:       true,
			wantErr:    false,
		},
		{
			name:   "ok/asterisk-inside-local",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "local",
			},
			constraint: "m*il@local",
			want:       false,
			wantErr:    false,
		},
		{
			name:   "ok/asterisk-inside-local-match",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "m*il",
				domain: "local",
			},
			constraint: "m*il@local",
			want:       true,
			wantErr:    false,
		},
		{
			name:   "ok/specific-mail",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "local",
			},
			constraint: "mail@local",
			want:       true,
			wantErr:    false,
		},
		{
			name:   "ok/wildcard-tld",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "example.com",
			},
			constraint: "example.com", // "wildcard" for 'example.com'
			want:       true,
			wantErr:    false,
		},
		{
			name:   "ok/different-case",
			engine: &NamePolicyEngine{},
			mailbox: rfc2821Mailbox{
				local:  "mail",
				domain: "EXAMPLE.com",
			},
			constraint: "example.com", // "wildcard" for 'example.com'
			want:       true,
			wantErr:    false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got, err := tt.engine.matchEmailConstraint(tt.mailbox, tt.constraint)
			if (err != nil) != tt.wantErr {
				t.Errorf("NamePolicyEngine.matchEmailConstraint() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if got != tt.want {
				t.Errorf("NamePolicyEngine.matchEmailConstraint() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestNamePolicyEngine_matchURIConstraint(t *testing.T) {
	tests := []struct {
		name       string
		engine     *NamePolicyEngine
		uri        *url.URL
		constraint string
		want       bool
		wantErr    bool
	}{
		{
			name:   "fail/empty-host",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "",
			},
			constraint: ".local",
			want:       false,
			wantErr:    true,
		},
		{
			name:   "fail/host-with-asterisk-prefix",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "*.local",
			},
			constraint: ".local",
			want:       false,
			wantErr:    true,
		},
		{
			name:   "fail/host-with-asterisk-label",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "host.*.local",
			},
			constraint: ".local",
			want:       false,
			wantErr:    true,
		},
		{
			name:   "fail/host-with-asterisk-inside",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "h*st.local",
			},
			constraint: ".local",
			want:       false,
			wantErr:    true,
		},
		{
			name:   "fail/wildcard",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "www.example.notlocal",
			},
			constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
			want:       false,
			wantErr:    false,
		},
		{
			name:   "fail/wildcard-subdomains-too-deep",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "www.sub.example.local",
			},
			constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
			want:       false,
			wantErr:    false,
		},
		{
			name:   "fail/host-with-port-split-error",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "www.example.local::8080",
			},
			constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
			want:       false,
			wantErr:    true,
		},
		{
			name:   "fail/host-with-ipv4",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "127.0.0.1",
			},
			constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
			want:       false,
			wantErr:    true,
		},
		{
			name:   "fail/host-with-ipv6",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "[2001:0db8:85a3:0000:0000:8a2e:0370:7334]",
			},
			constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
			want:       false,
			wantErr:    true,
		},
		{
			name:   "ok/wildcard",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "www.example.local",
			},
			constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
			want:       true,
			wantErr:    false,
		},
		{
			name:   "ok/host-with-port",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "www.example.local:8080",
			},
			constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
			want:       true,
			wantErr:    false,
		},
		{
			name:   "ok/different-case",
			engine: &NamePolicyEngine{},
			uri: &url.URL{
				Scheme: "https",
				Host:   "www.EXAMPLE.local",
			},
			constraint: ".example.local", // using x509 period as the "wildcard"; expects a single subdomain
			want:       true,
			wantErr:    false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got, err := tt.engine.matchURIConstraint(tt.uri, tt.constraint)
			if (err != nil) != tt.wantErr {
				t.Errorf("NamePolicyEngine.matchURIConstraint() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if got != tt.want {
				t.Errorf("NamePolicyEngine.matchURIConstraint() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestNamePolicyEngine_X509_AllAllowed(t *testing.T) {
	tests := []struct {
		name    string
		options []NamePolicyOption
		cert    *x509.Certificate
		want    bool
		wantErr *NamePolicyError
	}{
		// SINGLE SAN TYPE PERMITTED FAILURE TESTS
		{
			name: "fail/dns-permitted",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"www.example.com"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "www.example.com",
			},
		},
		{
			name: "fail/dns-permitted-wildcard-literal-x509",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.x509local"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{
					"*.x509local",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "*.x509local",
			},
		},
		{
			name: "fail/dns-permitted-single-host",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("host.local"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"differenthost.local"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "differenthost.local",
			},
		},
		{
			name: "fail/dns-permitted-no-label",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"local"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "local",
			},
		},
		{
			name: "fail/dns-permitted-empty-label",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"www..local"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   CannotParseDomain,
				NameType: DNSNameType,
				Name:     "www..local",
			},
		},
		{
			name: "fail/dns-permitted-dot-domain",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{
					".local",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     ".local",
			},
		},
		{
			name: "fail/dns-permitted-wildcard-multiple-subdomains",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{
					"sub.example.local",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "sub.example.local",
			},
		},
		{
			name: "fail/dns-permitted-wildcard-literal",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{
					"*.local",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "*.local",
			},
		},
		{
			name: "fail/dns-permitted-idna-internationalized-domain",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.豆.jp"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{
					string(byte(0)) + ".例.jp",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   CannotParseDomain,
				NameType: DNSNameType,
				Name:     string(byte(0)) + ".例.jp",
			},
		},
		{
			name: "fail/ipv4-permitted",
			options: []NamePolicyOption{
				WithPermittedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("127.0.0.1"),
						Mask: net.IPv4Mask(255, 255, 255, 0),
					},
				),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("1.1.1.1")},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: IPNameType,
				Name:     "1.1.1.1",
			},
		},
		{
			name: "fail/ipv6-permitted",
			options: []NamePolicyOption{
				WithPermittedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
						Mask: net.CIDRMask(120, 128),
					},
				),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("3001:0db8:85a3:0000:0000:8a2e:0370:7334")},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: IPNameType,
				Name:     "3001:db8:85a3::8a2e:370:7334", // IPv6 is shortened internally
			},
		},
		{
			name: "fail/mail-permitted-wildcard",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@example.com"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{
					"test@local.com",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "test@local.com",
			},
		},
		{
			name: "fail/mail-permitted-wildcard-x509",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("example.com"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{
					"test@local.com",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "test@local.com",
			},
		},
		{
			name: "fail/mail-permitted-specific-mailbox",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("test@local.com"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{
					"root@local.com",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "root@local.com",
			},
		},
		{
			name: "fail/mail-permitted-wildcard-subdomain",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@example.com"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{
					"test@sub.example.com",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "test@sub.example.com",
			},
		},
		{
			name: "fail/mail-permitted-idna-internationalized-domain",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@例.jp"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"bücher@例.jp"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   CannotParseRFC822Name,
				NameType: EmailNameType,
				Name:     "bücher@例.jp",
			},
		},
		{
			name: "fail/mail-permitted-idna-internationalized-domain-rfc822",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@例.jp"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"bücher@例.jp" + string(byte(0))},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   CannotParseRFC822Name,
				NameType: EmailNameType,
				Name:     "bücher@例.jp" + string(byte(0)),
			},
		},
		{
			name: "fail/mail-permitted-idna-internationalized-domain-ascii",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@例.jp"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"mail@xn---bla.jp"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   CannotParseDomain,
				NameType: EmailNameType,
				Name:     "mail@xn---bla.jp",
			},
		},
		{
			name: "fail/uri-permitted-domain-wildcard",
			options: []NamePolicyOption{
				WithPermittedURIDomains("*.local"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "example.com",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: URINameType,
				Name:     "https://example.com",
			},
		},
		{
			name: "fail/uri-permitted",
			options: []NamePolicyOption{
				WithPermittedURIDomains("test.local"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "bad.local",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: URINameType,
				Name:     "https://bad.local",
			},
		},
		{
			name: "fail/uri-permitted-with-literal-wildcard", // don't allow literal wildcard in URI, e.g. xxxx://*.domain.tld
			options: []NamePolicyOption{
				WithPermittedURIDomains("*.local"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "*.local",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   CannotMatchNameToConstraint,
				NameType: URINameType,
				Name:     "https://*.local",
			},
		},
		{
			name: "fail/uri-permitted-idna-internationalized-domain",
			options: []NamePolicyOption{
				WithPermittedURIDomains("*.bücher.example.com"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "abc.bücher.example.com",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   CannotMatchNameToConstraint,
				NameType: URINameType,
				Name:     "https://abc.b%C3%BCcher.example.com",
			},
		},
		// SINGLE SAN TYPE EXCLUDED FAILURE TESTS
		{
			name: "fail/dns-excluded",
			options: []NamePolicyOption{
				WithExcludedDNSDomains("*.example.com"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"www.example.com"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "www.example.com",
			},
		},
		{
			name: "fail/dns-excluded-single-host",
			options: []NamePolicyOption{
				WithExcludedDNSDomains("host.example.com"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"host.example.com"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "host.example.com",
			},
		},
		{
			name: "fail/ipv4-excluded",
			options: []NamePolicyOption{
				WithExcludedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("127.0.0.1"),
						Mask: net.IPv4Mask(255, 255, 255, 0),
					},
				),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: IPNameType,
				Name:     "127.0.0.1",
			},
		},
		{
			name: "fail/ipv6-excluded",
			options: []NamePolicyOption{
				WithExcludedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
						Mask: net.CIDRMask(120, 128),
					},
				),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334")},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: IPNameType,
				Name:     "2001:db8:85a3::8a2e:370:7334",
			},
		},
		{
			name: "fail/mail-excluded",
			options: []NamePolicyOption{
				WithExcludedEmailAddresses("@example.com"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"mail@example.com"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "mail@example.com",
			},
		},
		{
			name: "fail/uri-excluded",
			options: []NamePolicyOption{
				WithExcludedURIDomains("*.example.com"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.com",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: URINameType,
				Name:     "https://www.example.com",
			},
		},
		{
			name: "fail/uri-excluded-with-literal-wildcard", // don't allow literal wildcard in URI, e.g. xxxx://*.domain.tld
			options: []NamePolicyOption{
				WithExcludedURIDomains("*.local"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "*.local",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   CannotMatchNameToConstraint,
				NameType: URINameType,
				Name:     "https://*.local",
			},
		},
		// SUBJECT FAILURE TESTS
		{
			name: "fail/subject-permitted-no-match",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedCommonNames("this name is allowed", "and this one too"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "some certificate name",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed, // only permitted names allowed
				NameType: CNNameType,
				Name:     "some certificate name",
			},
		},
		{
			name: "fail/subject-excluded-match",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedCommonNames("this name is not allowed"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "this name is not allowed",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   CannotParseDomain, // CN cannot be parsed as DNS in this case
				NameType: CNNameType,
				Name:     "this name is not allowed",
			},
		},
		{
			name: "fail/subject-dns-no-domain",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "name with space.local",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   CannotParseDomain,
				NameType: CNNameType,
				Name:     "name with space.local",
			},
		},
		{
			name: "fail/subject-dns-permitted",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "example.notlocal",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: CNNameType,
				Name:     "example.notlocal",
			},
		},
		{
			name: "fail/subject-dns-excluded",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "example.local",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: CNNameType,
				Name:     "example.local",
			},
		},
		{
			name: "fail/subject-ipv4-permitted",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("127.0.0.1"),
						Mask: net.IPv4Mask(255, 255, 255, 0),
					},
				),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "10.10.10.10",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: CNNameType,
				Name:     "10.10.10.10",
			},
		},
		{
			name: "fail/subject-ipv4-excluded",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("127.0.0.1"),
						Mask: net.IPv4Mask(255, 255, 255, 0),
					},
				),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "127.0.0.30",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: CNNameType,
				Name:     "127.0.0.30",
			},
		},
		{
			name: "fail/subject-ipv6-permitted",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
						Mask: net.CIDRMask(120, 128),
					},
				),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "2002:0db8:85a3:0000:0000:8a2e:0370:7339",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: CNNameType,
				Name:     "2002:db8:85a3::8a2e:370:7339",
			},
		},
		{
			name: "fail/subject-ipv6-excluded",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
						Mask: net.CIDRMask(120, 128),
					},
				),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "2001:0db8:85a3:0000:0000:8a2e:0370:7339",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: CNNameType,
				Name:     "2001:db8:85a3::8a2e:370:7339",
			},
		},
		{
			name: "fail/subject-email-permitted",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedEmailAddresses("@example.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "mail@smallstep.com",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: CNNameType,
				Name:     "mail@smallstep.com",
			},
		},
		{
			name: "fail/subject-email-excluded",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedEmailAddresses("@example.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "mail@example.local",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: CNNameType,
				Name:     "mail@example.local",
			},
		},
		{
			name: "fail/subject-uri-permitted",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedURIDomains("*.example.com"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "https://www.google.com",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: CNNameType,
				Name:     "https://www.google.com",
			},
		},
		{
			name: "fail/subject-uri-excluded",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedURIDomains("*.example.com"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "https://www.example.com",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: CNNameType,
				Name:     "https://www.example.com",
			},
		},
		// DIFFERENT SAN PERMITTED FAILURE TESTS
		{
			name: "fail/dns-permitted-with-ip-name", // when only DNS is permitted, IPs are not allowed.
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: IPNameType,
				Name:     "127.0.0.1",
			},
		},
		{
			name: "fail/dns-permitted-with-mail", // when only DNS is permitted, mails are not allowed.
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"mail@smallstep.com"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "mail@smallstep.com",
			},
		},
		{
			name: "fail/dns-permitted-with-uri", // when only DNS is permitted, URIs are not allowed.
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.com",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: URINameType,
				Name:     "https://www.example.com",
			},
		},
		{
			name: "fail/ip-permitted-with-dns-name", // when only IP is permitted, DNS names are not allowed.
			options: []NamePolicyOption{
				WithPermittedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("127.0.0.1"),
						Mask: net.IPv4Mask(255, 255, 255, 0),
					},
				),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"www.example.com"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "www.example.com",
			},
		},
		{
			name: "fail/ip-permitted-with-mail", // when only IP is permitted, mails are not allowed.
			options: []NamePolicyOption{
				WithPermittedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("127.0.0.1"),
						Mask: net.IPv4Mask(255, 255, 255, 0),
					},
				),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"mail@smallstep.com"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "mail@smallstep.com",
			},
		},
		{
			name: "fail/ip-permitted-with-uri", // when only IP is permitted, URIs are not allowed.
			options: []NamePolicyOption{
				WithPermittedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("127.0.0.1"),
						Mask: net.IPv4Mask(255, 255, 255, 0),
					},
				),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.com",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: URINameType,
				Name:     "https://www.example.com",
			},
		},
		{
			name: "fail/mail-permitted-with-dns-name", // when only mail is permitted, DNS names are not allowed.
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@example.com"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"www.example.com"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "www.example.com",
			},
		},
		{
			name: "fail/mail-permitted-with-ip", // when only mail is permitted, IPs are not allowed.
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@example.com"),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{
					net.ParseIP("127.0.0.1"),
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: IPNameType,
				Name:     "127.0.0.1",
			},
		},
		{
			name: "fail/mail-permitted-with-uri", // when only mail is permitted, URIs are not allowed.
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@example.com"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.com",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: URINameType,
				Name:     "https://www.example.com",
			},
		},
		{
			name: "fail/uri-permitted-with-dns-name", // when only URI is permitted, DNS names are not allowed.
			options: []NamePolicyOption{
				WithPermittedURIDomains("*.local"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"host.local"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "host.local",
			},
		},
		{
			name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, IPs are not allowed.
			options: []NamePolicyOption{
				WithPermittedURIDomains("*.local"),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{
					net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: IPNameType,
				Name:     "2001:db8:85a3::8a2e:370:7334",
			},
		},
		{
			name: "fail/uri-permitted-with-ip-name", // when only URI is permitted, mails are not allowed.
			options: []NamePolicyOption{
				WithPermittedURIDomains("*.local"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"mail@smallstep.com"},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "mail@smallstep.com",
			},
		},
		// COMBINED FAILURE TESTS
		{
			name: "fail/combined-simple-all-badhost.local-common-name",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedDNSDomains("*.local"),
				WithPermittedCIDRs("127.0.0.1/24"),
				WithPermittedEmailAddresses("@example.local"),
				WithPermittedURIDomains("*.example.local"),
				WithExcludedDNSDomains("badhost.local"),
				WithExcludedCIDRs("127.0.0.128/25"),
				WithExcludedEmailAddresses("badmail@example.local"),
				WithExcludedURIDomains("badwww.example.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "badhost.local",
				},
				DNSNames:       []string{"example.local"},
				IPAddresses:    []net.IP{net.ParseIP("127.0.0.40")},
				EmailAddresses: []string{"mail@example.local"},
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.local",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: CNNameType,
				Name:     "badhost.local",
			},
		},
		{
			name: "fail/combined-simple-all-anotherbadhost.local-dns",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
				WithPermittedCIDRs("127.0.0.1/24"),
				WithPermittedEmailAddresses("@example.local"),
				WithPermittedURIDomains("*.example.local"),
				WithExcludedDNSDomains("anotherbadhost.local"),
				WithExcludedCIDRs("127.0.0.128/25"),
				WithExcludedEmailAddresses("badmail@example.local"),
				WithExcludedURIDomains("badwww.example.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "badhost.local",
				},
				DNSNames:       []string{"anotherbadhost.local"},
				IPAddresses:    []net.IP{net.ParseIP("127.0.0.40")},
				EmailAddresses: []string{"mail@example.local"},
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.local",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "anotherbadhost.local",
			},
		},
		{
			name: "fail/combined-simple-all-badmail@example.local",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
				WithPermittedCIDRs("127.0.0.1/24"),
				WithPermittedEmailAddresses("@example.local"),
				WithPermittedURIDomains("*.example.local"),
				WithExcludedDNSDomains("badhost.local"),
				WithExcludedCIDRs("127.0.0.128/25"),
				WithExcludedEmailAddresses("badmail@example.local"),
				WithExcludedURIDomains("badwww.example.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "badhost.local",
				},
				DNSNames:       []string{"example.local"},
				IPAddresses:    []net.IP{net.ParseIP("127.0.0.40")},
				EmailAddresses: []string{"mail@example.local", "badmail@example.local"},
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.local",
					},
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "badmail@example.local",
			},
		},
		// NO CONSTRAINT SUCCESS TESTS
		{
			name:    "ok/dns-no-constraints",
			options: []NamePolicyOption{},
			cert: &x509.Certificate{
				DNSNames: []string{"www.example.com"},
			},
			want: true,
		},
		{
			name:    "ok/ipv4-no-constraints",
			options: []NamePolicyOption{},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{
					net.ParseIP("127.0.0.1"),
				},
			},
			want: true,
		},
		{
			name:    "ok/ipv6-no-constraints",
			options: []NamePolicyOption{},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{
					net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
				},
			},
			want: true,
		},
		{
			name:    "ok/mail-no-constraints",
			options: []NamePolicyOption{},
			cert: &x509.Certificate{
				EmailAddresses: []string{"mail@smallstep.com"},
			},
			want: true,
		},
		{
			name:    "ok/uri-no-constraints",
			options: []NamePolicyOption{},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.com",
					},
				},
			},
			want: true,
		},
		{
			name: "ok/subject-no-constraints",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "www.example.com",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-empty-no-constraints",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-permitted-match",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedCommonNames("this name is allowed"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "this name is allowed",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-excluded-match",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedCommonNames("this name is not allowed"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "some other name",
				},
			},
			want: true,
		},
		// SINGLE SAN TYPE PERMITTED SUCCESS TESTS
		{
			name: "ok/dns-permitted",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"example.local"},
			},
			want: true,
		},
		{
			name: "ok/dns-permitted-wildcard",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local", "*.x509local"),
				WithAllowLiteralWildcardNames(),
			},
			cert: &x509.Certificate{
				DNSNames: []string{
					"host.local",
					"test.x509local",
				},
			},
			want: true,
		},
		{
			name: "ok/dns-permitted-wildcard-literal",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local", "*.x509local"),
				WithAllowLiteralWildcardNames(),
			},
			cert: &x509.Certificate{
				DNSNames: []string{
					"*.local",
					"*.x509local",
				},
			},
			want: true,
		},
		{
			name: "ok/dns-permitted-combined",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local", "*.x509local", "host.example.com"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{
					"example.local",
					"example.x509local",
					"host.example.com",
				},
			},
			want: true,
		},
		{
			name: "ok/dns-permitted-idna-internationalized-domain",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.例.jp"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{
					"JP納豆.例.jp", // Example value from https://www.w3.org/International/articles/idn-and-iri/
				},
			},
			want: true,
		},
		{
			name: "ok/ipv4-permitted",
			options: []NamePolicyOption{
				WithPermittedCIDRs("127.0.0.1/24"),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("127.0.0.20")},
			},
			want: true,
		},
		{
			name: "ok/ipv6-permitted",
			options: []NamePolicyOption{
				WithPermittedCIDRs("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7339")},
			},
			want: true,
		},
		{
			name: "ok/mail-permitted-wildcard",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@example.com"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{
					"test@example.com",
				},
			},
			want: true,
		},
		{
			name: "ok/mail-permitted-plain-domain",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("example.com"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{
					"test@example.com",
				},
			},
			want: true,
		},
		{
			name: "ok/mail-permitted-specific-mailbox",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("test@local.com"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{
					"test@local.com",
				},
			},
			want: true,
		},
		{
			name: "ok/mail-permitted-idna-internationalized-domain",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@例.jp"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{},
			},
			want: true,
		},
		{
			name: "ok/uri-permitted-domain-wildcard",
			options: []NamePolicyOption{
				WithPermittedURIDomains("*.local"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "example.local",
					},
				},
			},
			want: true,
		},
		{
			name: "ok/uri-permitted-specific-uri",
			options: []NamePolicyOption{
				WithPermittedURIDomains("test.local"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "test.local",
					},
				},
			},
			want: true,
		},
		{
			name: "ok/uri-permitted-with-port",
			options: []NamePolicyOption{
				WithPermittedURIDomains("*.example.com"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.com:8080",
					},
				},
			},
			want: true,
		},
		{
			name: "ok/uri-permitted-idna-internationalized-domain",
			options: []NamePolicyOption{
				WithPermittedURIDomains("*.bücher.example.com"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "abc.xn--bcher-kva.example.com",
					},
				},
			},
			want: true,
		},
		{
			name: "ok/uri-permitted-idna-internationalized-domain",
			options: []NamePolicyOption{
				WithPermittedURIDomains("bücher.example.com"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "xn--bcher-kva.example.com",
					},
				},
			},
			want: true,
		},
		// SINGLE SAN TYPE EXCLUDED SUCCESS TESTS
		{
			name: "ok/dns-excluded",
			options: []NamePolicyOption{
				WithExcludedDNSDomains("*.notlocal"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"example.local"},
			},
			want: true,
		},
		{
			name: "ok/ipv4-excluded",
			options: []NamePolicyOption{
				WithExcludedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("127.0.0.1"),
						Mask: net.IPv4Mask(255, 255, 255, 0),
					},
				),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("10.10.10.10")},
			},
			want: true,
		},
		{
			name: "ok/ipv6-excluded",
			options: []NamePolicyOption{
				WithExcludedCIDRs("2001:0db8:85a3:0000:0000:8a2e:0370:7334/120"),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("2003:0db8:85a3:0000:0000:8a2e:0370:7334")},
			},
			want: true,
		},
		{
			name: "ok/mail-excluded",
			options: []NamePolicyOption{
				WithExcludedEmailAddresses("@notlocal"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"mail@local"},
			},
			want: true,
		},
		{
			name: "ok/mail-excluded-with-subdomain",
			options: []NamePolicyOption{
				WithExcludedEmailAddresses("@local"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"mail@example.local"},
			},
			want: true,
		},
		{
			name: "ok/uri-excluded",
			options: []NamePolicyOption{
				WithExcludedURIDomains("*.google.com"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.com",
					},
				},
			},
			want: true,
		},
		// SUBJECT SUCCESS TESTS
		{
			name: "ok/subject-empty",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "",
				},
				DNSNames: []string{"example.local"},
			},
			want: true,
		},
		{
			name: "ok/subject-dns-permitted",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "example.local",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-dns-excluded",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedDNSDomains("*.notlocal"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "example.local",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-ipv4-permitted",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("127.0.0.1"),
						Mask: net.IPv4Mask(255, 255, 255, 0),
					},
				),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "127.0.0.20",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-ipv4-excluded",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("128.0.0.1"),
						Mask: net.IPv4Mask(255, 255, 255, 0),
					},
				),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "127.0.0.1",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-ipv6-permitted",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
						Mask: net.CIDRMask(120, 128),
					},
				),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "2001:0db8:85a3:0000:0000:8a2e:0370:7339",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-ipv6-excluded",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedIPRanges(
					&net.IPNet{
						IP:   net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
						Mask: net.CIDRMask(120, 128),
					},
				),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "2009:0db8:85a3:0000:0000:8a2e:0370:7339",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-email-permitted",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedEmailAddresses("@example.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "mail@example.local",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-email-excluded",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedEmailAddresses("@example.notlocal"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "mail@example.local",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-uri-permitted",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedURIDomains("*.example.com"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "https://www.example.com",
				},
			},
			want: true,
		},
		{
			name: "ok/subject-uri-excluded",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedURIDomains("*.smallstep.com"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "https://www.example.com",
				},
			},
			want: true,
		},
		// DIFFERENT SAN TYPE EXCLUDED SUCCESS TESTS
		{
			name: "ok/dns-excluded-with-ip-name", // when only DNS is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
			},
			want: true,
		},
		{
			name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"mail@example.com"},
			},
			want: true,
		},
		{
			name: "ok/dns-excluded-with-mail", // when only DNS is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.com",
					},
				},
			},
			want: true,
		},
		{
			name: "ok/ip-excluded-with-dns", // when only IP is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedCIDRs("127.0.0.1/24"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"test.local"},
			},
			want: true,
		},
		{
			name: "ok/ip-excluded-with-mail", // when only IP is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedCIDRs("127.0.0.1/24"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"mail@example.com"},
			},
			want: true,
		},
		{
			name: "ok/ip-excluded-with-mail", // when only IP is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedCIDRs("127.0.0.1/24"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.com",
					},
				},
			},
			want: true,
		},
		{
			name: "ok/mail-excluded-with-dns", // when only mail is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedEmailAddresses("@example.com"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"test.local"},
			},
			want: true,
		},
		{
			name: "ok/mail-excluded-with-ip", // when only mail is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedEmailAddresses("@example.com"),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
			},
			want: true,
		},
		{
			name: "ok/mail-excluded-with-uri", // when only mail is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedEmailAddresses("@example.com"),
			},
			cert: &x509.Certificate{
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.com",
					},
				},
			},
			want: true,
		},
		{
			name: "ok/uri-excluded-with-dns", // when only URI is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedURIDomains("*.example.local"),
			},
			cert: &x509.Certificate{
				DNSNames: []string{"test.example.local"},
			},
			want: true,
		},
		{
			name: "ok/uri-excluded-with-dns", // when only URI is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedURIDomains("*.example.local"),
			},
			cert: &x509.Certificate{
				IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
			},
			want: true,
		},
		{
			name: "ok/uri-excluded-with-mail", // when only URI is exluded, we allow anything else
			options: []NamePolicyOption{
				WithExcludedURIDomains("*.example.local"),
			},
			cert: &x509.Certificate{
				EmailAddresses: []string{"mail@example.local"},
			},
			want: true,
		},
		{
			name: "ok/dns-excluded-with-subject-ip-name", // when only DNS is exluded, we allow anything else
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithExcludedDNSDomains("*.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "127.0.0.1",
				},
				IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
			},
			want: true,
		},
		// COMBINED SUCCESS TESTS
		{
			name: "ok/combined-simple-permitted",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedDNSDomains("*.local"),
				WithPermittedCIDRs("127.0.0.1/24"),
				WithPermittedEmailAddresses("@example.local"),
				WithPermittedURIDomains("*.example.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "somehost.local",
				},
				DNSNames:       []string{"example.local"},
				IPAddresses:    []net.IP{net.ParseIP("127.0.0.15")},
				EmailAddresses: []string{"mail@example.local"},
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.local",
					},
				},
			},
			want: true,
		},
		{
			name: "ok/combined-simple-permitted-without-subject-verification",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
				WithPermittedCIDRs("127.0.0.1/24"),
				WithPermittedEmailAddresses("@example.local"),
				WithPermittedURIDomains("*.example.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "forbidden-but-non-verified-domain.example.com",
				},
				DNSNames:       []string{"example.local"},
				IPAddresses:    []net.IP{net.ParseIP("127.0.0.1")},
				EmailAddresses: []string{"mail@example.local"},
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.local",
					},
				},
			},
			want: true,
		},
		{
			name: "ok/combined-simple-all",
			options: []NamePolicyOption{
				WithSubjectCommonNameVerification(),
				WithPermittedDNSDomains("*.local"),
				WithPermittedCIDRs("127.0.0.1/24"),
				WithPermittedEmailAddresses("@example.local"),
				WithPermittedURIDomains("*.example.local"),
				WithExcludedDNSDomains("badhost.local"),
				WithExcludedCIDRs("127.0.0.128/25"),
				WithExcludedEmailAddresses("badmail@example.local"),
				WithExcludedURIDomains("badwww.example.local"),
			},
			cert: &x509.Certificate{
				Subject: pkix.Name{
					CommonName: "somehost.local",
				},
				DNSNames:       []string{"example.local"},
				IPAddresses:    []net.IP{net.ParseIP("127.0.0.1")},
				EmailAddresses: []string{"mail@example.local"},
				URIs: []*url.URL{
					{
						Scheme: "https",
						Host:   "www.example.local",
					},
				},
			},
			want: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			engine, err := New(tt.options...)
			assert.NoError(t, err)
			assert.NotNil(t, engine)
			gotErr := engine.IsX509CertificateAllowed(tt.cert)
			wantErr := tt.wantErr != nil

			if (gotErr != nil) != wantErr {
				t.Errorf("NamePolicyEngine.IsX509CertificateAllowed() error = %v, wantErr %v", gotErr, tt.wantErr)
				return
			}
			if gotErr != nil {
				var npe *NamePolicyError
				assert.True(t, errors.As(gotErr, &npe))
				assert.NotEqual(t, "", npe.Error())
				assert.Equal(t, tt.wantErr.Reason, npe.Reason)
				assert.Equal(t, tt.wantErr.NameType, npe.NameType)
				assert.Equal(t, tt.wantErr.Name, npe.Name)
				assert.NotEqual(t, "", npe.Detail())
				//assert.Equals(t, tt.err.Reason, npe.Reason) // NOTE: reason detail is skipped; it's a detail
			}

			// Perform the same tests for a CSR, which are similar to Certificates
			csr := &x509.CertificateRequest{
				Subject:        tt.cert.Subject,
				DNSNames:       tt.cert.DNSNames,
				EmailAddresses: tt.cert.EmailAddresses,
				IPAddresses:    tt.cert.IPAddresses,
				URIs:           tt.cert.URIs,
			}
			gotErr = engine.IsX509CertificateRequestAllowed(csr)
			wantErr = tt.wantErr != nil
			if (gotErr != nil) != wantErr {
				t.Errorf("NamePolicyEngine.AreCSRNamesAllowed() error = %v, wantErr %v", gotErr, tt.wantErr)
				return
			}
			if gotErr != nil {
				var npe *NamePolicyError
				assert.True(t, errors.As(gotErr, &npe))
				assert.NotEqual(t, "", npe.Error())
				assert.Equal(t, tt.wantErr.Reason, npe.Reason)
				assert.Equal(t, tt.wantErr.NameType, npe.NameType)
				assert.Equal(t, tt.wantErr.Name, npe.Name)
				assert.NotEqual(t, "", npe.Detail())
				//assert.Equals(t, tt.err.Reason, npe.Reason) // NOTE: reason detail is skipped; it's a detail
			}
		})
	}
}

func TestNamePolicyEngine_SSH_ArePrincipalsAllowed(t *testing.T) {
	tests := []struct {
		name    string
		options []NamePolicyOption
		cert    *ssh.Certificate
		want    bool
		wantErr *NamePolicyError
	}{
		{
			name: "fail/host-with-permitted-dns-domain",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"host.example.com",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "host.example.com",
			},
		},
		{
			name: "fail/host-with-excluded-dns-domain",
			options: []NamePolicyOption{
				WithExcludedDNSDomains("*.local"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"host.local",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "host.local",
			},
		},
		{
			name: "fail/host-with-permitted-cidr",
			options: []NamePolicyOption{
				WithPermittedCIDRs("127.0.0.1/24"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"192.168.0.22",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: IPNameType,
				Name:     "192.168.0.22",
			},
		},
		{
			name: "fail/host-with-excluded-cidr",
			options: []NamePolicyOption{
				WithExcludedCIDRs("127.0.0.1/24"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"127.0.0.0",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: IPNameType,
				Name:     "127.0.0.0",
			},
		},
		{
			name: "fail/user-with-permitted-email",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@example.com"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"mail@local",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "mail@local",
			},
		},
		{
			name: "fail/user-with-excluded-email",
			options: []NamePolicyOption{
				WithExcludedEmailAddresses("@example.com"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"mail@example.com",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "mail@example.com",
			},
		},
		{
			name: "fail/host-with-permitted-principals",
			options: []NamePolicyOption{
				WithPermittedPrincipals("localhost"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"host",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "host",
			},
		},
		{
			name: "fail/user-with-permitted-principals",
			options: []NamePolicyOption{
				WithPermittedPrincipals("user"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"root",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: PrincipalNameType,
				Name:     "root",
			},
		},
		{
			name: "fail/user-with-excluded-principals",
			options: []NamePolicyOption{
				WithExcludedPrincipals("user"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"user",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: PrincipalNameType,
				Name:     "user",
			},
		},
		{
			name: "fail/user-with-permitted-principal-as-mail",
			options: []NamePolicyOption{
				WithPermittedPrincipals("ops"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"ops@work", // this is (currently) parsed as an email-like principal; not allowed with just "ops" as the permitted principal
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "ops@work",
			},
		},
		{
			name: "fail/host-principal-with-permitted-dns-domain", // when only DNS is permitted, username principals are not allowed.
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"user",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "user",
			},
		},
		{
			name: "fail/host-principal-with-permitted-ip-range", // when only IPs are permitted, username principals are not allowed.
			options: []NamePolicyOption{
				WithPermittedCIDRs("127.0.0.1/24"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"user",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "user",
			},
		},
		{
			name: "fail/user-principal-with-permitted-email", // when only emails are permitted, username principals are not allowed.
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@example.com"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"user",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: PrincipalNameType,
				Name:     "user",
			},
		},
		{
			name: "fail/combined-user",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@smallstep.com"),
				WithExcludedEmailAddresses("root@smallstep.com"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"someone@smallstep.com",
					"someone",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: PrincipalNameType,
				Name:     "someone",
			},
		},
		{
			name: "fail/combined-user-with-excluded-user-principal",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@smallstep.com"),
				WithExcludedPrincipals("root"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"someone@smallstep.com",
					"root",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: PrincipalNameType,
				Name:     "root",
			},
		},
		{
			name: "fail/host-with-permitted-user-principals",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@work"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"example.work",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "example.work",
			},
		},
		{
			name: "fail/user-with-permitted-user-principals",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"herman@work",
				},
			},
			want: false,
			wantErr: &NamePolicyError{
				Reason:   NotAllowed,
				NameType: EmailNameType,
				Name:     "herman@work",
			},
		},
		{
			name: "ok/host-with-permitted-dns-domain",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"host.local",
				},
			},
			want: true,
		},
		{
			name: "ok/host-with-excluded-dns-domain",
			options: []NamePolicyOption{
				WithExcludedDNSDomains("*.example.com"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"host.local",
				},
			},
			want: true,
		},
		{
			name: "ok/host-with-permitted-ip",
			options: []NamePolicyOption{
				WithPermittedCIDRs("127.0.0.1/24"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"127.0.0.33",
				},
			},
			want: true,
		},
		{
			name: "ok/host-with-excluded-ip",
			options: []NamePolicyOption{
				WithExcludedCIDRs("127.0.0.1/24"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"192.168.0.35",
				},
			},
			want: true,
		},
		{
			name: "ok/host-with-excluded-principals",
			options: []NamePolicyOption{
				WithExcludedPrincipals("localhost"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"localhost",
				},
			},
			want: true,
		},
		{
			name: "ok/user-with-permitted-email",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@example.com"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"mail@example.com",
				},
			},
			want: true,
		},
		{
			name: "ok/user-with-excluded-email",
			options: []NamePolicyOption{
				WithExcludedEmailAddresses("@example.com"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"mail@local",
				},
			},
			want: true,
		},
		{
			name: "ok/user-with-permitted-principals",
			options: []NamePolicyOption{
				WithPermittedPrincipals("*"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"user",
				},
			},
			want: true,
		},
		{
			name: "ok/user-with-excluded-principals",
			options: []NamePolicyOption{
				WithExcludedPrincipals("user"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"root",
				},
			},
			want: true,
		},
		{
			name: "ok/combined-user",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@smallstep.com"),
				WithPermittedPrincipals("*"), // without specifying the wildcard, "someone" would not be allowed.
				WithExcludedEmailAddresses("root@smallstep.com"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"someone@smallstep.com",
					"someone",
				},
			},
			want: true,
		},
		{
			name: "ok/combined-user-with-excluded-user-principal",
			options: []NamePolicyOption{
				WithPermittedEmailAddresses("@smallstep.com"),
				WithExcludedEmailAddresses("root@smallstep.com"),
				WithExcludedPrincipals("root"), // unlike the previous test, this implicitly allows any other username principal
			},
			cert: &ssh.Certificate{
				CertType: ssh.UserCert,
				ValidPrincipals: []string{
					"someone@smallstep.com",
					"someone",
				},
			},
			want: true,
		},
		{
			name: "ok/combined-host",
			options: []NamePolicyOption{
				WithPermittedDNSDomains("*.local"),
				WithPermittedCIDRs("127.0.0.1/24"),
				WithExcludedDNSDomains("badhost.local"),
				WithExcludedCIDRs("127.0.0.128/25"),
			},
			cert: &ssh.Certificate{
				CertType: ssh.HostCert,
				ValidPrincipals: []string{
					"example.local",
					"127.0.0.31",
				},
			},
			want: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			engine, err := New(tt.options...)
			assert.NoError(t, err)
			gotErr := engine.IsSSHCertificateAllowed(tt.cert)
			wantErr := tt.wantErr != nil
			if (gotErr != nil) != wantErr {
				t.Errorf("NamePolicyEngine.IsSSHCertificateAllowed() error = %v, wantErr %v", gotErr, tt.wantErr)
				return
			}
			if gotErr != nil {
				var npe *NamePolicyError
				assert.True(t, errors.As(gotErr, &npe))
				assert.NotEqual(t, "", npe.Error())
				assert.Equal(t, tt.wantErr.Reason, npe.Reason)
				assert.Equal(t, tt.wantErr.NameType, npe.NameType)
				assert.Equal(t, tt.wantErr.Name, npe.Name)
				assert.NotEqual(t, "", npe.Detail())
				//assert.Equals(t, tt.err.Reason, npe.Reason) // NOTE: reason detail is skipped; it's a detail
			}
		})
	}
}

type result struct {
	wantDNSNames  []string
	wantIps       []net.IP
	wantEmails    []string
	wantUsernames []string
}

func emptyResult() result {
	return result{
		wantDNSNames:  []string{},
		wantIps:       []net.IP{},
		wantEmails:    []string{},
		wantUsernames: []string{},
	}
}

func Test_splitSSHPrincipals(t *testing.T) {
	type test struct {
		cert    *ssh.Certificate
		r       result
		wantErr bool
	}
	var tests = map[string]func(t *testing.T) test{
		"fail/unexpected-cert-type": func(t *testing.T) test {
			r := emptyResult()
			return test{
				cert: &ssh.Certificate{
					CertType: uint32(0),
				},
				r:       r,
				wantErr: true,
			}
		},
		"fail/user-ip": func(t *testing.T) test {
			r := emptyResult()
			r.wantIps = []net.IP{net.ParseIP("127.0.0.1")}
			return test{
				cert: &ssh.Certificate{
					CertType:        ssh.UserCert,
					ValidPrincipals: []string{"127.0.0.1"},
				},
				r:       r,
				wantErr: true,
			}
		},
		"fail/user-uri": func(t *testing.T) test {
			r := emptyResult()
			return test{
				cert: &ssh.Certificate{
					CertType:        ssh.UserCert,
					ValidPrincipals: []string{"https://host.local/"},
				},
				r:       r,
				wantErr: true,
			}
		},
		"fail/host-uri": func(t *testing.T) test {
			r := emptyResult()
			return test{
				cert: &ssh.Certificate{
					CertType:        ssh.HostCert,
					ValidPrincipals: []string{"https://host.local/"},
				},
				r:       r,
				wantErr: true,
			}
		},
		"ok/host-dns": func(t *testing.T) test {
			r := emptyResult()
			r.wantDNSNames = []string{"host.example.com"}
			return test{
				cert: &ssh.Certificate{
					CertType:        ssh.HostCert,
					ValidPrincipals: []string{"host.example.com"},
				},
				r:       r,
				wantErr: false,
			}
		},
		"ok/host-ip": func(t *testing.T) test {
			r := emptyResult()
			r.wantIps = []net.IP{net.ParseIP("127.0.0.1")}
			return test{
				cert: &ssh.Certificate{
					CertType:        ssh.HostCert,
					ValidPrincipals: []string{"127.0.0.1"},
				},
				r:       r,
				wantErr: false,
			}
		},
		"ok/host-email": func(t *testing.T) test {
			r := emptyResult()
			r.wantEmails = []string{"ops@work"}
			return test{
				cert: &ssh.Certificate{
					CertType:        ssh.HostCert,
					ValidPrincipals: []string{"ops@work"},
				},
				r:       r,
				wantErr: false,
			}
		},
		"ok/user-localhost": func(t *testing.T) test {
			r := emptyResult()
			r.wantUsernames = []string{"localhost"} // when type is User cert, this is considered a username; not a DNS
			return test{
				cert: &ssh.Certificate{
					CertType:        ssh.UserCert,
					ValidPrincipals: []string{"localhost"},
				},
				r:       r,
				wantErr: false,
			}
		},
		"ok/user-username-with-period": func(t *testing.T) test {
			r := emptyResult()
			r.wantUsernames = []string{"x.joe"}
			return test{
				cert: &ssh.Certificate{
					CertType:        ssh.UserCert,
					ValidPrincipals: []string{"x.joe"},
				},
				r:       r,
				wantErr: false,
			}
		},
		"ok/user-maillike": func(t *testing.T) test {
			r := emptyResult()
			r.wantEmails = []string{"ops@work"}
			return test{
				cert: &ssh.Certificate{
					CertType:        ssh.UserCert,
					ValidPrincipals: []string{"ops@work"},
				},
				r:       r,
				wantErr: false,
			}
		},
	}
	for name, prep := range tests {
		tt := prep(t)
		t.Run(name, func(t *testing.T) {
			gotDNSNames, gotIps, gotEmails, gotUsernames, err := splitSSHPrincipals(tt.cert)
			if (err != nil) != tt.wantErr {
				t.Errorf("splitSSHPrincipals() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !cmp.Equal(tt.r.wantDNSNames, gotDNSNames) {
				t.Errorf("splitSSHPrincipals() DNS names diff =\n%s", cmp.Diff(tt.r.wantDNSNames, gotDNSNames))
			}
			if !cmp.Equal(tt.r.wantIps, gotIps) {
				t.Errorf("splitSSHPrincipals() IPs diff =\n%s", cmp.Diff(tt.r.wantIps, gotIps))
			}
			if !cmp.Equal(tt.r.wantEmails, gotEmails) {
				t.Errorf("splitSSHPrincipals() Emails diff =\n%s", cmp.Diff(tt.r.wantEmails, gotEmails))
			}
			if !cmp.Equal(tt.r.wantUsernames, gotUsernames) {
				t.Errorf("splitSSHPrincipals() Usernames diff =\n%s", cmp.Diff(tt.r.wantUsernames, gotUsernames))
			}
		})
	}
}

func Test_removeDuplicates(t *testing.T) {
	tests := []struct {
		name  string
		input []string
		want  []string
	}{
		{
			name:  "empty-slice",
			input: []string{},
			want:  []string{},
		},
		{
			name:  "single-item",
			input: []string{"x"},
			want:  []string{"x"},
		},
		{
			name:  "ok",
			input: []string{"x", "y", "x", "z", "x", "z", "y"},
			want:  []string{"x", "y", "z"},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := removeDuplicates(tt.input); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("removeDuplicates() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_removeDuplicateIPNets(t *testing.T) {
	tests := []struct {
		name  string
		input []*net.IPNet
		want  []*net.IPNet
	}{
		{
			name:  "empty-slice",
			input: []*net.IPNet{},
			want:  []*net.IPNet{},
		},
		{
			name: "single-item",
			input: []*net.IPNet{
				{
					IP:   net.ParseIP("127.0.0.1"),
					Mask: net.IPv4Mask(255, 255, 255, 255),
				},
			},
			want: []*net.IPNet{
				{
					IP:   net.ParseIP("127.0.0.1"),
					Mask: net.IPv4Mask(255, 255, 255, 255),
				},
			},
		},
		{
			name: "multiple",
			input: []*net.IPNet{
				{
					IP:   net.ParseIP("127.0.0.1"),
					Mask: net.IPv4Mask(255, 255, 255, 255),
				},
				{
					IP:   net.ParseIP("192.168.0.1"),
					Mask: net.IPv4Mask(255, 255, 255, 0),
				},
				{
					IP:   net.ParseIP("127.0.0.1"),
					Mask: net.IPv4Mask(255, 255, 255, 255),
				},
				{
					IP:   net.ParseIP("10.10.0.0"),
					Mask: net.IPv4Mask(255, 255, 0, 0),
				},
				{
					IP:   net.ParseIP("192.168.0.1"),
					Mask: net.IPv4Mask(255, 255, 255, 0),
				},
				{
					IP:   net.ParseIP("127.0.0.1"),
					Mask: net.IPv4Mask(255, 255, 255, 255),
				},
				{
					IP:   net.ParseIP("192.168.0.1"),
					Mask: net.IPv4Mask(255, 255, 255, 0),
				},
			},
			want: []*net.IPNet{
				{
					IP:   net.ParseIP("127.0.0.1"),
					Mask: net.IPv4Mask(255, 255, 255, 255),
				},
				{
					IP:   net.ParseIP("192.168.0.1"),
					Mask: net.IPv4Mask(255, 255, 255, 0),
				},
				{
					IP:   net.ParseIP("10.10.0.0"),
					Mask: net.IPv4Mask(255, 255, 0, 0),
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if gotRet := removeDuplicateIPNets(tt.input); !reflect.DeepEqual(gotRet, tt.want) {
				t.Errorf("removeDuplicateIPNets() = %v, want %v", gotRet, tt.want)
			}
		})
	}
}

func TestNamePolicyError_Error(t *testing.T) {
	type fields struct {
		Reason   NamePolicyReason
		NameType NameType
		Name     string
		detail   string
	}
	tests := []struct {
		name   string
		fields fields
		want   string
	}{
		{
			name: "dns-not-allowed",
			fields: fields{
				Reason:   NotAllowed,
				NameType: DNSNameType,
				Name:     "www.example.com",
			},
			want: "dns name \"www.example.com\" not allowed",
		},
		{
			name: "dns-cannot-parse-domain",
			fields: fields{
				Reason:   CannotParseDomain,
				NameType: DNSNameType,
				Name:     "www.example.com",
			},
			want: "cannot parse dns domain \"www.example.com\"",
		},
		{
			name: "email-cannot-parse",
			fields: fields{
				Reason:   CannotParseRFC822Name,
				NameType: EmailNameType,
				Name:     "mail@example.com",
			},
			want: "cannot parse email rfc822Name \"mail@example.com\"",
		},
		{
			name: "uri-cannot-match",
			fields: fields{
				Reason:   CannotMatchNameToConstraint,
				NameType: URINameType,
				Name:     "https://*.local",
			},
			want: "error matching uri name \"https://*.local\" to constraint",
		},
		{
			name: "unknown",
			fields: fields{
				Reason:   -1,
				NameType: DNSNameType,
				Name:     "some name",
				detail:   "detail string",
			},
			want: "unknown error reason (-1): detail string",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			e := &NamePolicyError{
				Reason:   tt.fields.Reason,
				NameType: tt.fields.NameType,
				Name:     tt.fields.Name,
				detail:   tt.fields.detail,
			}
			if got := e.Error(); got != tt.want {
				t.Errorf("NamePolicyError.Error() = %v, want %v", got, tt.want)
			}
		})
	}
}