package network
import (
"io/ioutil"
"net"
"github.com/nats-io/nats-server/v2/server"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/sirupsen/logrus"
)
// Specs for IPAuth: the client IP allow-list matcher and the NATS
// permissions applied to users authenticated through it.
var _ = Describe("Network Broker/IPAuth", func() {
	var (
		log  *logrus.Entry
		auth *IPAuth
		user *server.User
	)

	// parseAddr returns the IP part of a CIDR literal, failing the spec when
	// the literal does not parse.
	parseAddr := func(cidr string) net.IP {
		ip, _, err := net.ParseCIDR(cidr)
		Expect(err).ToNot(HaveOccurred())
		return ip
	}

	// tcpRemote wraps an IP as the net.Addr a TCP client would present.
	tcpRemote := func(ip net.IP) net.Addr {
		return &net.TCPAddr{IP: ip, Port: 1232}
	}

	BeforeEach(func() {
		logger := logrus.New()
		logger.Out = ioutil.Discard // keep spec output quiet
		log = logrus.NewEntry(logger)

		// every spec starts from an empty allow list
		auth = &IPAuth{
			allowList: []string{},
			log:       log,
		}

		user = &server.User{
			Username:    "bob",
			Password:    "secret",
			Permissions: &server.Permissions{},
		}
	})

	Describe("remoteInClientAllowList", func() {
		It("Should allow all when no allowlist is set", func() {
			// an empty allow list means no restriction at all
			remote := &net.IPAddr{IP: parseAddr("192.0.2.1/24")}
			Expect(auth.remoteInClientAllowList(remote)).To(BeTrue())
		})

		It("Should handle nil remotes", func() {
			Expect(auth.remoteInClientAllowList(nil)).To(BeTrue())
		})

		It("Should handle invalid remotes", func() {
			// an entry with host bits set is not accepted as a network and
			// must not admit the remote (fail closed rather than open)
			auth.allowList = []string{"192.0.2.1/24"}
			remote := &net.IPAddr{IP: parseAddr("192.0.2.1/24")}
			Expect(auth.remoteInClientAllowList(remote)).To(BeFalse())
		})

		It("Should handle simple strings", func() {
			// a bare address entry matches that address
			auth.allowList = []string{"192.0.2.1"}
			remote := tcpRemote(parseAddr("192.0.2.1/24"))
			Expect(auth.remoteInClientAllowList(remote)).To(BeTrue())
		})

		It("Should handle subnets", func() {
			auth.allowList = []string{"192.0.0.0/8"}
			remote := tcpRemote(parseAddr("192.0.2.1/24"))
			Expect(auth.remoteInClientAllowList(remote)).To(BeTrue())
		})

		It("Should support IPv6", func() {
			// one network entry and one bare address entry
			auth.allowList = []string{
				"2a00:1450::/32",
				"2a01:1450:4002:801::200e",
			}

			// inside the /32
			Expect(auth.remoteInClientAllowList(tcpRemote(parseAddr("2a00:1450:4002:801::200e/64")))).To(BeTrue())
			// exact address match
			Expect(auth.remoteInClientAllowList(tcpRemote(parseAddr("2a01:1450:4002:801::200e/64")))).To(BeTrue())
			// neither entry covers this address
			Expect(auth.remoteInClientAllowList(tcpRemote(parseAddr("2a02:1450:4002:801::200e/64")))).To(BeFalse())
		})

		It("Should be false for un matched nodes", func() {
			auth.allowList = []string{"127.0.0.0/8"}

			outside := tcpRemote(parseAddr("192.0.2.1/24"))
			Expect(auth.remoteInClientAllowList(outside)).To(BeFalse())

			inside := tcpRemote(parseAddr("127.0.2.1/24"))
			Expect(auth.remoteInClientAllowList(inside)).To(BeTrue())
		})
	})

	Describe("setServerPermissions", func() {
		It("Should set correct permissions", func() {
			auth.setServerPermissions(user)

			perms := user.Permissions

			// clients may publish anywhere except the agent broadcast, node
			// and federation subjects
			Expect(perms.Publish.Allow).To(Equal([]string{">"}))
			Expect(perms.Publish.Deny).To(Equal([]string{
				"*.broadcast.agent.>",
				"*.node.>",
				"choria.federation.*.federation",
			}))

			// no explicit subscribe allow list; reply, federation and
			// lifecycle subjects are denied
			Expect(perms.Subscribe.Allow).To(HaveLen(0))
			Expect(perms.Subscribe.Deny).To(Equal([]string{
				"*.reply.>",
				"choria.federation.>",
				"choria.lifecycle.>",
			}))
		})
	})
})