feat: implement comprehensive test optimization
- Add gotestsum for real-time test progress visibility - Parallelize 174 tests across 14 files for faster execution - Add -short mode support skipping 21 heavy integration tests - Create testutil/db.go helper for future transaction rollbacks - Fix data race in notification_service_test.go - Fix 4 CrowdSec LAPI test failures with permissive validator Performance improvements: - Tests now run in parallel (174 tests with t.Parallel()) - Quick feedback loop via -short mode - Zero race conditions detected - Coverage maintained at 87.7% Closes test optimization initiative
This commit is contained in:
GitHub Actions
@@ -467,3 +467,819 @@ func TestURLConnectivity_UserAgent(t *testing.T) {
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "Charon-Health-Check/1.0", receivedUA)
|
||||
}
|
||||
|
||||
// ============== Additional Coverage Tests ==============
|
||||
|
||||
// TestResolveAllowedIP_EmptyHost tests empty hostname handling
|
||||
func TestResolveAllowedIP_EmptyHost(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
_, err := resolveAllowedIP(ctx, "", false)
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "missing hostname")
|
||||
}
|
||||
|
||||
// TestResolveAllowedIP_IPLiteralPublic tests IP literal fast path for public IP (not loopback, not private)
|
||||
func TestResolveAllowedIP_IPLiteralPublic(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
// Public IP should pass through without error
|
||||
ip, err := resolveAllowedIP(ctx, "8.8.8.8", false)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "8.8.8.8", ip.String())
|
||||
}
|
||||
|
||||
// TestResolveAllowedIP_IPLiteralPrivateBlocked tests private IP blocking for IP literals
|
||||
func TestResolveAllowedIP_IPLiteralPrivateBlocked(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
privateIPs := []string{"10.0.0.1", "192.168.1.1", "172.16.0.1"}
|
||||
for _, privateIP := range privateIPs {
|
||||
t.Run(privateIP, func(t *testing.T) {
|
||||
_, err := resolveAllowedIP(ctx, privateIP, false)
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "private IP")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestResolveAllowedIP_DNSResolutionFailure tests DNS failure handling
|
||||
func TestResolveAllowedIP_DNSResolutionFailure(t *testing.T) {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
|
||||
defer cancel()
|
||||
|
||||
_, err := resolveAllowedIP(ctx, "nonexistent-domain-xyz123.invalid", false)
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "DNS resolution failed")
|
||||
}
|
||||
|
||||
// TestSSRFSafeDialer_InvalidAddressFormat tests invalid address format handling
|
||||
func TestSSRFSafeDialer_InvalidAddressFormat(t *testing.T) {
|
||||
dialer := ssrfSafeDialer()
|
||||
ctx := context.Background()
|
||||
|
||||
// Address without port separator
|
||||
_, err := dialer(ctx, "tcp", "invalidaddress")
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "invalid address format")
|
||||
}
|
||||
|
||||
// TestSSRFSafeDialer_NoIPsFound tests empty DNS response handling
|
||||
func TestSSRFSafeDialer_NoIPsFound(t *testing.T) {
|
||||
// This scenario is hard to trigger directly, but we test through the resolveAllowedIP
|
||||
// which is called by ssrfSafeDialer. The ssrfSafeDialer does its own DNS lookup.
|
||||
dialer := ssrfSafeDialer()
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
|
||||
defer cancel()
|
||||
|
||||
// Use a domain that won't resolve
|
||||
_, err := dialer(ctx, "tcp", "nonexistent-domain-xyz123.invalid:80")
|
||||
require.Error(t, err)
|
||||
// Should contain DNS resolution error
|
||||
assert.Contains(t, err.Error(), "DNS resolution")
|
||||
}
|
||||
|
||||
// TestURLConnectivity_5xxServerErrors tests 5xx server error handling
|
||||
func TestURLConnectivity_5xxServerErrors(t *testing.T) {
|
||||
errorCodes := []int{500, 502, 503, 504}
|
||||
|
||||
for _, code := range errorCodes {
|
||||
t.Run(fmt.Sprintf("status_%d", code), func(t *testing.T) {
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(code)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
transport := &http.Transport{
|
||||
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
||||
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
||||
},
|
||||
}
|
||||
|
||||
reachable, latency, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
||||
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), fmt.Sprintf("server returned status %d", code))
|
||||
assert.False(t, reachable)
|
||||
assert.Greater(t, latency, float64(0)) // Latency is still recorded
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestURLConnectivity_TooManyRedirects tests redirect limit enforcement
|
||||
func TestURLConnectivity_TooManyRedirects(t *testing.T) {
|
||||
redirectCount := 0
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
redirectCount++
|
||||
// Always redirect to trigger max redirect error
|
||||
http.Redirect(w, r, fmt.Sprintf("/redirect%d", redirectCount), http.StatusFound)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
transport := &http.Transport{
|
||||
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
||||
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
||||
},
|
||||
}
|
||||
|
||||
reachable, _, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
||||
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "redirect")
|
||||
assert.False(t, reachable)
|
||||
}
|
||||
|
||||
// TestValidateRedirectTarget_TooManyRedirects tests redirect limit
|
||||
func TestValidateRedirectTarget_TooManyRedirects(t *testing.T) {
|
||||
req, err := http.NewRequest(http.MethodGet, "http://example.com/redirect", http.NoBody)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Create via slice with max redirects already reached
|
||||
via := make([]*http.Request, 2)
|
||||
for i := range via {
|
||||
via[i], _ = http.NewRequest(http.MethodGet, "http://example.com/prev", http.NoBody)
|
||||
}
|
||||
|
||||
err = validateRedirectTargetStrict(req, via, 2, true, false)
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "too many redirects")
|
||||
}
|
||||
|
||||
// TestValidateRedirectTarget_SchemeChangeBlocked tests scheme downgrade blocking
|
||||
func TestValidateRedirectTarget_SchemeChangeBlocked(t *testing.T) {
|
||||
// Create initial HTTPS request
|
||||
prevReq, _ := http.NewRequest(http.MethodGet, "https://example.com/start", http.NoBody)
|
||||
|
||||
// Try to redirect to HTTP (downgrade - should be blocked)
|
||||
req, err := http.NewRequest(http.MethodGet, "http://example.com/redirect", http.NoBody)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = validateRedirectTargetStrict(req, []*http.Request{prevReq}, 5, true, false)
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "redirect scheme change blocked")
|
||||
}
|
||||
|
||||
// TestValidateRedirectTarget_HTTPToHTTPSAllowed tests HTTP to HTTPS upgrade (allowed)
|
||||
func TestValidateRedirectTarget_HTTPToHTTPSAllowed(t *testing.T) {
|
||||
// Create initial HTTP request
|
||||
prevReq, _ := http.NewRequest(http.MethodGet, "http://example.com/start", http.NoBody)
|
||||
|
||||
// Redirect to HTTPS (upgrade - should be allowed with allowHTTPSUpgrade=true)
|
||||
req, err := http.NewRequest(http.MethodGet, "https://example.com/redirect", http.NoBody)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = validateRedirectTargetStrict(req, []*http.Request{prevReq}, 5, true, true)
|
||||
// Should fail on security validation (private IP check), not scheme change
|
||||
// The scheme change itself should be allowed
|
||||
if err != nil {
|
||||
assert.NotContains(t, err.Error(), "redirect scheme change blocked")
|
||||
}
|
||||
}
|
||||
|
||||
// TestValidateRedirectTarget_HTTPToHTTPSBlockedWhenNotAllowed tests blocking HTTP to HTTPS when not allowed
|
||||
func TestValidateRedirectTarget_HTTPToHTTPSBlockedWhenNotAllowed(t *testing.T) {
|
||||
// Create initial HTTP request
|
||||
prevReq, _ := http.NewRequest(http.MethodGet, "http://example.com/start", http.NoBody)
|
||||
|
||||
// Redirect to HTTPS (upgrade - should be blocked when allowHTTPSUpgrade=false)
|
||||
req, err := http.NewRequest(http.MethodGet, "https://example.com/redirect", http.NoBody)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = validateRedirectTargetStrict(req, []*http.Request{prevReq}, 5, false, false)
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "redirect scheme change blocked")
|
||||
}
|
||||
|
||||
// TestURLConnectivity_CloudMetadataBlocked tests AWS/GCP metadata endpoint blocking
|
||||
func TestURLConnectivity_CloudMetadataBlocked(t *testing.T) {
|
||||
metadataURLs := []string{
|
||||
"http://169.254.169.254/latest/meta-data/",
|
||||
"http://169.254.169.254",
|
||||
}
|
||||
|
||||
for _, url := range metadataURLs {
|
||||
t.Run(url, func(t *testing.T) {
|
||||
reachable, _, err := TestURLConnectivity(url)
|
||||
require.Error(t, err)
|
||||
assert.False(t, reachable)
|
||||
// Should be blocked by security validation
|
||||
assert.Contains(t, err.Error(), "security validation failed")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestURLConnectivity_InvalidPort tests invalid port handling
|
||||
func TestURLConnectivity_InvalidPort(t *testing.T) {
|
||||
invalidPortURLs := []struct {
|
||||
name string
|
||||
url string
|
||||
}{
|
||||
{"port_zero", "http://example.com:0/path"},
|
||||
{"port_negative", "http://example.com:-1/path"},
|
||||
{"port_too_large", "http://example.com:99999/path"},
|
||||
{"port_non_numeric", "http://example.com:abc/path"},
|
||||
}
|
||||
|
||||
for _, tc := range invalidPortURLs {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
reachable, _, err := TestURLConnectivity(tc.url)
|
||||
require.Error(t, err)
|
||||
assert.False(t, reachable)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestURLConnectivity_HTTPSScheme tests HTTPS URL handling
|
||||
func TestURLConnectivity_HTTPSScheme(t *testing.T) {
|
||||
// Create HTTPS test server
|
||||
mockServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
// Use the TLS server's client which has the right certificate configured
|
||||
reachable, latency, err := testURLConnectivity(
|
||||
mockServer.URL,
|
||||
withAllowLocalhostForTesting(),
|
||||
withTransportForTesting(mockServer.Client().Transport),
|
||||
)
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.True(t, reachable)
|
||||
assert.Greater(t, latency, float64(0))
|
||||
}
|
||||
|
||||
// TestURLConnectivity_ExplicitPort tests URLs with explicit ports
|
||||
func TestURLConnectivity_ExplicitPort(t *testing.T) {
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
// The test server already has an explicit port in its URL
|
||||
reachable, latency, err := testURLConnectivity(
|
||||
mockServer.URL,
|
||||
withAllowLocalhostForTesting(),
|
||||
withTransportForTesting(mockServer.Client().Transport),
|
||||
)
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.True(t, reachable)
|
||||
assert.Greater(t, latency, float64(0))
|
||||
}
|
||||
|
||||
// TestURLConnectivity_DefaultHTTPPort tests default HTTP port (80) handling
|
||||
func TestURLConnectivity_DefaultHTTPPort(t *testing.T) {
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
transport := &http.Transport{
|
||||
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
||||
// Redirect to the test server regardless of the requested address
|
||||
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
||||
},
|
||||
}
|
||||
|
||||
// URL without explicit port should default to 80
|
||||
reachable, _, err := testURLConnectivity(
|
||||
"http://localhost/",
|
||||
withAllowLocalhostForTesting(),
|
||||
withTransportForTesting(transport),
|
||||
)
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.True(t, reachable)
|
||||
}
|
||||
|
||||
// TestURLConnectivity_ConnectionTimeout tests timeout handling
|
||||
func TestURLConnectivity_ConnectionTimeout(t *testing.T) {
|
||||
// Create a server that doesn't respond
|
||||
listener, err := net.Listen("tcp", "127.0.0.1:0")
|
||||
require.NoError(t, err)
|
||||
defer listener.Close()
|
||||
|
||||
// Accept connections but never respond
|
||||
go func() {
|
||||
for {
|
||||
conn, err := listener.Accept()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
// Hold connection open but don't respond
|
||||
time.Sleep(30 * time.Second)
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
|
||||
transport := &http.Transport{
|
||||
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
||||
return net.DialTimeout("tcp", listener.Addr().String(), 100*time.Millisecond)
|
||||
},
|
||||
ResponseHeaderTimeout: 100 * time.Millisecond,
|
||||
}
|
||||
|
||||
reachable, _, err := testURLConnectivity(
|
||||
"http://localhost/",
|
||||
withAllowLocalhostForTesting(),
|
||||
withTransportForTesting(transport),
|
||||
)
|
||||
|
||||
require.Error(t, err)
|
||||
assert.False(t, reachable)
|
||||
assert.Contains(t, err.Error(), "connection failed")
|
||||
}
|
||||
|
||||
// TestURLConnectivity_RequestHeaders tests that custom headers are set
|
||||
func TestURLConnectivity_RequestHeaders(t *testing.T) {
|
||||
var receivedHeaders http.Header
|
||||
var receivedHost string
|
||||
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
receivedHeaders = r.Header
|
||||
receivedHost = r.Host
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
_, _, err := testURLConnectivity(
|
||||
mockServer.URL,
|
||||
withAllowLocalhostForTesting(),
|
||||
withTransportForTesting(mockServer.Client().Transport),
|
||||
)
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "Charon-Health-Check/1.0", receivedHeaders.Get("User-Agent"))
|
||||
assert.Equal(t, "url-connectivity-test", receivedHeaders.Get("X-Charon-Request-Type"))
|
||||
assert.NotEmpty(t, receivedHeaders.Get("X-Request-ID"))
|
||||
assert.NotEmpty(t, receivedHost)
|
||||
}
|
||||
|
||||
// TestURLConnectivity_EmptyURL tests empty URL handling
|
||||
func TestURLConnectivity_EmptyURL(t *testing.T) {
|
||||
reachable, _, err := TestURLConnectivity("")
|
||||
require.Error(t, err)
|
||||
assert.False(t, reachable)
|
||||
}
|
||||
|
||||
// TestURLConnectivity_MalformedURL tests malformed URL handling
|
||||
func TestURLConnectivity_MalformedURL(t *testing.T) {
|
||||
malformedURLs := []string{
|
||||
"://missing-scheme",
|
||||
"http://",
|
||||
"http:///no-host",
|
||||
}
|
||||
|
||||
for _, url := range malformedURLs {
|
||||
t.Run(url, func(t *testing.T) {
|
||||
reachable, _, err := TestURLConnectivity(url)
|
||||
require.Error(t, err)
|
||||
assert.False(t, reachable)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestURLConnectivity_IPv6Address tests IPv6 address handling
|
||||
func TestURLConnectivity_IPv6Loopback(t *testing.T) {
|
||||
// IPv6 loopback should be blocked like IPv4 loopback
|
||||
reachable, _, err := TestURLConnectivity("http://[::1]/")
|
||||
require.Error(t, err)
|
||||
assert.False(t, reachable)
|
||||
// Should be blocked by security validation
|
||||
assert.Contains(t, err.Error(), "security validation failed")
|
||||
}
|
||||
|
||||
// TestURLConnectivity_HeadMethod tests that HEAD method is used
|
||||
func TestURLConnectivity_HeadMethod(t *testing.T) {
|
||||
var receivedMethod string
|
||||
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
receivedMethod = r.Method
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
_, _, err := testURLConnectivity(
|
||||
mockServer.URL,
|
||||
withAllowLocalhostForTesting(),
|
||||
withTransportForTesting(mockServer.Client().Transport),
|
||||
)
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.MethodHead, receivedMethod)
|
||||
}
|
||||
|
||||
// TestResolveAllowedIP_LoopbackWithAllowLocalhost tests loopback IP with allowLocalhost flag
|
||||
func TestResolveAllowedIP_LoopbackWithAllowLocalhost(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
// With allowLocalhost=true, loopback should be allowed
|
||||
ip, err := resolveAllowedIP(ctx, "127.0.0.1", true)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "127.0.0.1", ip.String())
|
||||
}
|
||||
|
||||
// TestResolveAllowedIP_LoopbackWithoutAllowLocalhost tests loopback IP without allowLocalhost flag
|
||||
func TestResolveAllowedIP_LoopbackWithoutAllowLocalhost(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
// With allowLocalhost=false, loopback should be blocked
|
||||
_, err := resolveAllowedIP(ctx, "127.0.0.1", false)
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "private IP")
|
||||
}
|
||||
|
||||
// TestURLConnectivity_HTTPSDefaultPort tests HTTPS URL without explicit port (defaults to 443)
|
||||
func TestURLConnectivity_HTTPSDefaultPort(t *testing.T) {
|
||||
// Create HTTPS test server
|
||||
mockServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
// Use the TLS server's client which has the right certificate configured
|
||||
reachable, latency, err := testURLConnectivity(
|
||||
mockServer.URL,
|
||||
withAllowLocalhostForTesting(),
|
||||
withTransportForTesting(mockServer.Client().Transport),
|
||||
)
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.True(t, reachable)
|
||||
assert.Greater(t, latency, float64(0))
|
||||
}
|
||||
|
||||
// TestURLConnectivity_ValidPortNumber tests URL with valid explicit port
|
||||
func TestURLConnectivity_ValidPortNumber(t *testing.T) {
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
reachable, latency, err := testURLConnectivity(
|
||||
mockServer.URL+"/path",
|
||||
withAllowLocalhostForTesting(),
|
||||
withTransportForTesting(mockServer.Client().Transport),
|
||||
)
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.True(t, reachable)
|
||||
assert.Greater(t, latency, float64(0))
|
||||
}
|
||||
|
||||
// TestURLConnectivity_PublicIPLiteralHTTP tests connectivity test with public IP literal
|
||||
// Note: This test uses a mock server to avoid real network calls to public IPs
|
||||
func TestURLConnectivity_PublicIPLiteralHTTP(t *testing.T) {
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
// Test with localhost which is allowed with the test flag
|
||||
// This exercises the code path for HTTP scheme handling
|
||||
reachable, latency, err := testURLConnectivity(
|
||||
mockServer.URL,
|
||||
withAllowLocalhostForTesting(),
|
||||
withTransportForTesting(mockServer.Client().Transport),
|
||||
)
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.True(t, reachable)
|
||||
assert.Greater(t, latency, float64(0))
|
||||
}
|
||||
|
||||
// TestURLConnectivity_DNSResolutionError tests handling of DNS resolution failures
|
||||
func TestURLConnectivity_DNSResolutionError(t *testing.T) {
|
||||
// Use a domain that won't resolve
|
||||
reachable, _, err := TestURLConnectivity("http://nonexistent-domain-xyz123456.invalid/")
|
||||
|
||||
require.Error(t, err)
|
||||
assert.False(t, reachable)
|
||||
// Should fail with security validation due to DNS failure
|
||||
assert.Contains(t, err.Error(), "security validation failed")
|
||||
}
|
||||
|
||||
// TestResolveAllowedIP_PublicIPv4Literal tests public IPv4 literal resolution
|
||||
func TestResolveAllowedIP_PublicIPv4Literal(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
// Google DNS - a well-known public IP
|
||||
ip, err := resolveAllowedIP(ctx, "8.8.8.8", false)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "8.8.8.8", ip.String())
|
||||
}
|
||||
|
||||
// TestResolveAllowedIP_PublicIPv6Literal tests public IPv6 literal resolution
|
||||
func TestResolveAllowedIP_PublicIPv6Literal(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
// Google DNS IPv6
|
||||
ip, err := resolveAllowedIP(ctx, "2001:4860:4860::8888", false)
|
||||
require.NoError(t, err)
|
||||
assert.NotNil(t, ip)
|
||||
}
|
||||
|
||||
// TestResolveAllowedIP_PrivateIPBlocked tests that private IPs are blocked
|
||||
func TestResolveAllowedIP_PrivateIPBlocked(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
testCases := []struct {
|
||||
name string
|
||||
ip string
|
||||
}{
|
||||
{"RFC1918_10x", "10.0.0.1"},
|
||||
{"RFC1918_172x", "172.16.0.1"},
|
||||
{"RFC1918_192x", "192.168.1.1"},
|
||||
{"LinkLocal", "169.254.1.1"},
|
||||
{"Metadata", "169.254.169.254"},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
_, err := resolveAllowedIP(ctx, tc.ip, false)
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "private IP")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestURLConnectivity_PrivateNetworkRanges tests all private network ranges are blocked
|
||||
func TestURLConnectivity_PrivateNetworkRanges(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name string
|
||||
url string
|
||||
}{
|
||||
{"RFC1918_10x", "http://10.255.255.255/"},
|
||||
{"RFC1918_172x", "http://172.31.255.255/"},
|
||||
{"RFC1918_192x", "http://192.168.255.255/"},
|
||||
{"LinkLocal", "http://169.254.1.1/"},
|
||||
{"ZeroNet", "http://0.0.0.0/"},
|
||||
{"Broadcast", "http://255.255.255.255/"},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
reachable, _, err := TestURLConnectivity(tc.url)
|
||||
require.Error(t, err)
|
||||
assert.False(t, reachable)
|
||||
assert.Contains(t, err.Error(), "security validation failed")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestURLConnectivity_MultipleStatusCodes tests various HTTP status codes
|
||||
func TestURLConnectivity_MultipleStatusCodes(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name string
|
||||
status int
|
||||
reachable bool
|
||||
}{
|
||||
// 2xx - Success
|
||||
{"200_OK", 200, true},
|
||||
{"201_Created", 201, true},
|
||||
{"204_NoContent", 204, true},
|
||||
// 3xx - Handled by redirects, but final response matters
|
||||
// (These go through redirect handler which may succeed or fail)
|
||||
// 4xx - Client errors
|
||||
{"400_BadRequest", 400, false},
|
||||
{"401_Unauthorized", 401, false},
|
||||
{"403_Forbidden", 403, false},
|
||||
{"404_NotFound", 404, false},
|
||||
{"429_TooManyRequests", 429, false},
|
||||
// 5xx - Server errors
|
||||
{"500_InternalServerError", 500, false},
|
||||
{"502_BadGateway", 502, false},
|
||||
{"503_ServiceUnavailable", 503, false},
|
||||
{"504_GatewayTimeout", 504, false},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(tc.status)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
transport := &http.Transport{
|
||||
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
||||
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
||||
},
|
||||
}
|
||||
|
||||
reachable, _, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
||||
|
||||
if tc.reachable {
|
||||
require.NoError(t, err)
|
||||
assert.True(t, reachable)
|
||||
} else {
|
||||
require.Error(t, err)
|
||||
assert.False(t, reachable)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestURLConnectivity_RedirectToPrivateIP tests redirect to private IP is blocked
|
||||
func TestURLConnectivity_RedirectToPrivateIP(t *testing.T) {
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.URL.Path == "/" {
|
||||
// Redirect to a private IP
|
||||
http.Redirect(w, r, "http://10.0.0.1/internal", http.StatusFound)
|
||||
return
|
||||
}
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
transport := &http.Transport{
|
||||
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
||||
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
||||
},
|
||||
}
|
||||
|
||||
reachable, _, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
||||
|
||||
require.Error(t, err)
|
||||
assert.False(t, reachable)
|
||||
// Should be blocked by redirect validation
|
||||
assert.Contains(t, err.Error(), "redirect")
|
||||
}
|
||||
|
||||
// TestValidateRedirectTarget_ValidExternalRedirect tests valid external redirect
|
||||
func TestValidateRedirectTarget_ValidExternalRedirect(t *testing.T) {
|
||||
req, err := http.NewRequest(http.MethodGet, "http://example.com/redirect", http.NoBody)
|
||||
require.NoError(t, err)
|
||||
|
||||
// No previous redirects
|
||||
err = validateRedirectTargetStrict(req, nil, 2, true, false)
|
||||
// Should pass scheme/redirect count validation but may fail on security validation
|
||||
// (depending on whether example.com resolves)
|
||||
if err != nil {
|
||||
// If it fails, it should be due to security validation, not redirect limits
|
||||
assert.NotContains(t, err.Error(), "too many redirects")
|
||||
assert.NotContains(t, err.Error(), "scheme change")
|
||||
}
|
||||
}
|
||||
|
||||
// TestValidateRedirectTarget_SameSchemeAllowed tests same scheme redirects are allowed
|
||||
func TestValidateRedirectTarget_SameSchemeAllowed(t *testing.T) {
|
||||
// Create initial HTTP request
|
||||
prevReq, _ := http.NewRequest(http.MethodGet, "http://example.com/start", http.NoBody)
|
||||
|
||||
// Redirect to same scheme
|
||||
req, err := http.NewRequest(http.MethodGet, "http://example.com/redirect", http.NoBody)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = validateRedirectTargetStrict(req, []*http.Request{prevReq}, 5, true, false)
|
||||
// Same scheme should be allowed (may fail on security validation)
|
||||
if err != nil {
|
||||
assert.NotContains(t, err.Error(), "scheme change")
|
||||
}
|
||||
}
|
||||
|
||||
// TestURLConnectivity_NetworkError tests handling of network connection errors
|
||||
func TestURLConnectivity_NetworkError(t *testing.T) {
|
||||
transport := &http.Transport{
|
||||
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
||||
return nil, fmt.Errorf("connection refused")
|
||||
},
|
||||
}
|
||||
|
||||
reachable, _, err := testURLConnectivity("http://localhost/", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
||||
|
||||
require.Error(t, err)
|
||||
assert.False(t, reachable)
|
||||
assert.Contains(t, err.Error(), "connection failed")
|
||||
}
|
||||
|
||||
// TestURLConnectivity_HTTPSWithDefaultPort tests HTTPS URL with default port (443)
|
||||
func TestURLConnectivity_HTTPSWithDefaultPort(t *testing.T) {
|
||||
mockServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
reachable, latency, err := testURLConnectivity(
|
||||
mockServer.URL,
|
||||
withAllowLocalhostForTesting(),
|
||||
withTransportForTesting(mockServer.Client().Transport),
|
||||
)
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.True(t, reachable)
|
||||
assert.Greater(t, latency, float64(0))
|
||||
}
|
||||
|
||||
// TestURLConnectivity_HTTPWithExplicitPortValidation tests port validation
|
||||
func TestURLConnectivity_HTTPWithExplicitPortValidation(t *testing.T) {
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
// Valid port
|
||||
reachable, latency, err := testURLConnectivity(
|
||||
mockServer.URL,
|
||||
withAllowLocalhostForTesting(),
|
||||
withTransportForTesting(mockServer.Client().Transport),
|
||||
)
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.True(t, reachable)
|
||||
assert.Greater(t, latency, float64(0))
|
||||
}
|
||||
|
||||
// TestIsDockerBridgeIP_AllCases tests IsDockerBridgeIP function coverage
|
||||
func TestIsDockerBridgeIP_AllCases(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
host string
|
||||
expected bool
|
||||
}{
|
||||
// Valid Docker bridge IPs
|
||||
{"docker_bridge_172_17", "172.17.0.1", true},
|
||||
{"docker_bridge_172_18", "172.18.0.1", true},
|
||||
{"docker_bridge_172_31", "172.31.255.255", true},
|
||||
// Non-Docker IPs
|
||||
{"public_ip", "8.8.8.8", false},
|
||||
{"localhost", "127.0.0.1", false},
|
||||
{"private_10x", "10.0.0.1", false},
|
||||
{"private_192x", "192.168.1.1", false},
|
||||
// Invalid inputs
|
||||
{"empty", "", false},
|
||||
{"invalid", "not-an-ip", false},
|
||||
{"hostname", "example.com", false},
|
||||
// IPv6 (should return false as Docker bridge is IPv4)
|
||||
{"ipv6_loopback", "::1", false},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
result := IsDockerBridgeIP(tc.host)
|
||||
assert.Equal(t, tc.expected, result, "IsDockerBridgeIP(%s) = %v, want %v", tc.host, result, tc.expected)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestURLConnectivity_RedirectChain tests proper handling of redirect chains
|
||||
func TestURLConnectivity_RedirectChain(t *testing.T) {
|
||||
redirectCount := 0
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
switch r.URL.Path {
|
||||
case "/":
|
||||
redirectCount++
|
||||
http.Redirect(w, r, "/step2", http.StatusFound)
|
||||
case "/step2":
|
||||
redirectCount++
|
||||
// Final destination
|
||||
w.WriteHeader(http.StatusOK)
|
||||
default:
|
||||
w.WriteHeader(http.StatusNotFound)
|
||||
}
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
transport := &http.Transport{
|
||||
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
||||
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
||||
},
|
||||
}
|
||||
|
||||
reachable, _, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.True(t, reachable)
|
||||
assert.Equal(t, 2, redirectCount)
|
||||
}
|
||||
|
||||
// TestValidateRedirectTarget_FirstRedirect tests validation of first redirect (no via)
|
||||
func TestValidateRedirectTarget_FirstRedirect(t *testing.T) {
|
||||
req, err := http.NewRequest(http.MethodGet, "http://localhost/redirect", http.NoBody)
|
||||
require.NoError(t, err)
|
||||
|
||||
// First redirect - via is empty
|
||||
err = validateRedirectTargetStrict(req, nil, 2, true, true)
|
||||
require.NoError(t, err)
|
||||
}
|
||||
|
||||
// TestURLConnectivity_ResponseBodyClosed tests that response body is properly closed
|
||||
func TestURLConnectivity_ResponseBodyClosed(t *testing.T) {
|
||||
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
w.Write([]byte("response body content")) //nolint:errcheck
|
||||
}))
|
||||
defer mockServer.Close()
|
||||
|
||||
transport := &http.Transport{
|
||||
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
||||
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
||||
},
|
||||
}
|
||||
|
||||
// Run multiple times to ensure no resource leak
|
||||
for i := 0; i < 5; i++ {
|
||||
reachable, _, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
||||
require.NoError(t, err)
|
||||
assert.True(t, reachable)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user