697ef6d200
- Add gotestsum for real-time test progress visibility - Parallelize 174 tests across 14 files for faster execution - Add -short mode support skipping 21 heavy integration tests - Create testutil/db.go helper for future transaction rollbacks - Fix data race in notification_service_test.go - Fix 4 CrowdSec LAPI test failures with permissive validator Performance improvements: - Tests now run in parallel (174 tests with t.Parallel()) - Quick feedback loop via -short mode - Zero race conditions detected - Coverage maintained at 87.7% Closes test optimization initiative
1286 lines
40 KiB
Go
1286 lines
40 KiB
Go
package utils
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
// ============== Phase 3.2: URL Testing SSRF Protection Tests ==============
|
|
|
|
func TestSSRFSafeDialer_ValidPublicIP(t *testing.T) {
|
|
dialer := ssrfSafeDialer()
|
|
require.NotNil(t, dialer)
|
|
|
|
// Test with a public IP (8.8.8.8:443)
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
defer cancel()
|
|
|
|
conn, err := dialer(ctx, "tcp", "8.8.8.8:443")
|
|
if err == nil {
|
|
defer conn.Close()
|
|
assert.NotNil(t, conn, "connection to public IP should succeed")
|
|
} else {
|
|
// Connection might fail for network reasons, but error should not be about private IP
|
|
assert.NotContains(t, err.Error(), "private IP", "error should not be about private IP blocking")
|
|
}
|
|
}
|
|
|
|
func TestSSRFSafeDialer_PrivateIPBlocking(t *testing.T) {
|
|
dialer := ssrfSafeDialer()
|
|
require.NotNil(t, dialer)
|
|
|
|
privateIPs := []string{
|
|
"10.0.0.1:80",
|
|
"192.168.1.1:80",
|
|
"172.16.0.1:80",
|
|
"127.0.0.1:80",
|
|
}
|
|
|
|
for _, addr := range privateIPs {
|
|
t.Run(addr, func(t *testing.T) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
|
|
defer cancel()
|
|
|
|
conn, err := dialer(ctx, "tcp", addr)
|
|
if conn != nil {
|
|
conn.Close()
|
|
}
|
|
|
|
require.Error(t, err, "connection to private IP should fail")
|
|
assert.Contains(t, err.Error(), "private IP", "error should mention private IP")
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSSRFSafeDialer_DNSResolutionFailure(t *testing.T) {
|
|
dialer := ssrfSafeDialer()
|
|
require.NotNil(t, dialer)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
|
|
defer cancel()
|
|
|
|
conn, err := dialer(ctx, "tcp", "nonexistent-domain-12345.invalid:80")
|
|
if conn != nil {
|
|
conn.Close()
|
|
}
|
|
|
|
require.Error(t, err, "connection to nonexistent domain should fail")
|
|
assert.Contains(t, err.Error(), "DNS resolution", "error should mention DNS resolution")
|
|
}
|
|
|
|
func TestSSRFSafeDialer_MultipleIPsWithPrivate(t *testing.T) {
|
|
// This test verifies that if DNS returns multiple IPs and any is private, all are blocked
|
|
// We can't easily mock DNS in this test, so we'll test the isPrivateIP logic instead
|
|
|
|
// Test that isPrivateIP correctly identifies private IPs
|
|
privateIPs := []net.IP{
|
|
net.ParseIP("10.0.0.1"),
|
|
net.ParseIP("192.168.1.1"),
|
|
net.ParseIP("172.16.0.1"),
|
|
net.ParseIP("127.0.0.1"),
|
|
net.ParseIP("169.254.169.254"),
|
|
}
|
|
|
|
for _, ip := range privateIPs {
|
|
assert.True(t, isPrivateIP(ip), "IP %s should be identified as private", ip)
|
|
}
|
|
|
|
publicIPs := []net.IP{
|
|
net.ParseIP("8.8.8.8"),
|
|
net.ParseIP("1.1.1.1"),
|
|
net.ParseIP("93.184.216.34"), // example.com
|
|
}
|
|
|
|
for _, ip := range publicIPs {
|
|
assert.False(t, isPrivateIP(ip), "IP %s should be identified as public", ip)
|
|
}
|
|
}
|
|
|
|
func TestURLConnectivity_ProductionPathValidation(t *testing.T) {
|
|
// Test that production path (no custom transport) performs SSRF validation
|
|
tests := []struct {
|
|
name string
|
|
url string
|
|
shouldFail bool
|
|
errorString string
|
|
}{
|
|
{
|
|
name: "localhost blocked at dial time",
|
|
url: "http://localhost",
|
|
shouldFail: true,
|
|
errorString: "private IP", // Blocked by ssrfSafeDialer
|
|
},
|
|
{
|
|
name: "127.0.0.1 blocked at dial time",
|
|
url: "http://127.0.0.1",
|
|
shouldFail: true,
|
|
errorString: "private IP", // Blocked by ssrfSafeDialer
|
|
},
|
|
{
|
|
name: "private 10.x blocked at validation",
|
|
url: "http://10.0.0.1",
|
|
shouldFail: true,
|
|
errorString: "security validation failed",
|
|
},
|
|
{
|
|
name: "private 192.168.x blocked at validation",
|
|
url: "http://192.168.1.1",
|
|
shouldFail: true,
|
|
errorString: "security validation failed",
|
|
},
|
|
{
|
|
name: "AWS metadata blocked at validation",
|
|
url: "http://169.254.169.254",
|
|
shouldFail: true,
|
|
errorString: "security validation failed",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
reachable, _, err := TestURLConnectivity(tt.url)
|
|
|
|
if tt.shouldFail {
|
|
require.Error(t, err, "expected error for %s", tt.url)
|
|
assert.Contains(t, err.Error(), tt.errorString)
|
|
assert.False(t, reachable)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestURLConnectivity_TestHook_AllowsLocalhostWithInjectedTransport(t *testing.T) {
|
|
// Deterministic connectivity test using a local server + injected transport.
|
|
// This does not weaken production defaults because it uses package-private hooks.
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
reachable, latency, err := testURLConnectivity(
|
|
mockServer.URL,
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(mockServer.Client().Transport),
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Greater(t, latency, float64(0))
|
|
}
|
|
|
|
func TestValidateRedirectTarget_AllowsLocalhost(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "http://localhost/redirect", http.NoBody)
|
|
require.NoError(t, err)
|
|
|
|
err = validateRedirectTargetStrict(req, nil, 2, true, true)
|
|
require.NoError(t, err)
|
|
}
|
|
|
|
func TestValidateRedirectTarget_BlocksInvalidExternalRedirect(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "http://example..com/redirect", http.NoBody)
|
|
require.NoError(t, err)
|
|
|
|
err = validateRedirectTargetStrict(req, nil, 2, true, false)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "redirect target validation failed")
|
|
}
|
|
|
|
func TestURLConnectivity_RejectsUserinfo(t *testing.T) {
|
|
reachable, _, err := TestURLConnectivity("http://user:pass@example.com")
|
|
require.Error(t, err)
|
|
require.False(t, reachable)
|
|
assert.Contains(t, err.Error(), "embedded credentials")
|
|
}
|
|
|
|
func TestURLConnectivity_InvalidScheme(t *testing.T) {
|
|
tests := []string{
|
|
"ftp://example.com",
|
|
"file:///etc/passwd",
|
|
"javascript:alert(1)",
|
|
"data:text/html,<script>alert(1)</script>",
|
|
"gopher://example.com",
|
|
}
|
|
|
|
for _, url := range tests {
|
|
t.Run(url, func(t *testing.T) {
|
|
reachable, latency, err := TestURLConnectivity(url)
|
|
|
|
require.Error(t, err, "invalid scheme should fail")
|
|
assert.Contains(t, err.Error(), "only http and https schemes are allowed")
|
|
assert.False(t, reachable)
|
|
assert.Equal(t, float64(0), latency)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestURLConnectivity_SSRFValidationFailure(t *testing.T) {
|
|
// Test that SSRF validation catches private IPs
|
|
// Note: localhost/127.0.0.1 are allowed by ValidateExternalURL (WithAllowLocalhost)
|
|
// but blocked by ssrfSafeDialer at connection time
|
|
privateURLs := []struct {
|
|
url string
|
|
errorString string
|
|
}{
|
|
{"http://10.0.0.1", "security validation failed"},
|
|
{"http://192.168.1.1", "security validation failed"},
|
|
{"http://172.16.0.1", "security validation failed"},
|
|
{"http://localhost", "private IP"}, // Blocked at dial time
|
|
{"http://127.0.0.1", "private IP"}, // Blocked at dial time
|
|
}
|
|
|
|
for _, tc := range privateURLs {
|
|
t.Run(tc.url, func(t *testing.T) {
|
|
reachable, _, err := TestURLConnectivity(tc.url)
|
|
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), tc.errorString)
|
|
assert.False(t, reachable)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestURLConnectivity_HTTPRequestFailure(t *testing.T) {
|
|
// Create a server that immediately closes connections
|
|
listener, err := net.Listen("tcp", "127.0.0.1:0")
|
|
require.NoError(t, err)
|
|
defer listener.Close()
|
|
|
|
go func() {
|
|
for {
|
|
conn, err := listener.Accept()
|
|
if err != nil {
|
|
return
|
|
}
|
|
conn.Close() // Immediately close to cause connection failure
|
|
}
|
|
}()
|
|
|
|
// Use custom transport to bypass SSRF protection for this test
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.Dial("tcp", listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
reachable, _, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
|
|
// Should get a connection error
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
}
|
|
|
|
func TestURLConnectivity_RedirectHandling(t *testing.T) {
|
|
// Create a mock server that redirects once then returns 200
|
|
redirectCount := 0
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if redirectCount < 1 {
|
|
redirectCount++
|
|
http.Redirect(w, r, "/redirected", http.StatusFound)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
reachable, latency, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Greater(t, latency, float64(0))
|
|
}
|
|
|
|
func TestURLConnectivity_2xxSuccess(t *testing.T) {
|
|
successCodes := []int{200, 201, 204}
|
|
|
|
for _, code := range successCodes {
|
|
t.Run(fmt.Sprintf("status_%d", code), func(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(code)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
reachable, latency, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Greater(t, latency, float64(0))
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestURLConnectivity_3xxSuccess(t *testing.T) {
|
|
redirectCodes := []int{301, 302, 307, 308}
|
|
|
|
for _, code := range redirectCodes {
|
|
t.Run(fmt.Sprintf("status_%d", code), func(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/" {
|
|
w.Header().Set("Location", "/target")
|
|
w.WriteHeader(code)
|
|
} else {
|
|
w.WriteHeader(http.StatusOK)
|
|
}
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
reachable, latency, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
|
|
// 3xx codes are considered "reachable" (status < 400)
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Greater(t, latency, float64(0))
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestURLConnectivity_4xxFailure(t *testing.T) {
|
|
errorCodes := []int{400, 401, 403, 404, 429}
|
|
|
|
for _, code := range errorCodes {
|
|
t.Run(fmt.Sprintf("status_%d", code), func(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(code)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
reachable, latency, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), fmt.Sprintf("server returned status %d", code))
|
|
assert.False(t, reachable)
|
|
assert.Greater(t, latency, float64(0)) // Latency is still recorded
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestIsPrivateIP_AllReservedRanges(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
ip string
|
|
expected bool
|
|
}{
|
|
// RFC 1918 - Private IPv4
|
|
{"10.0.0.1", "10.0.0.1", true},
|
|
{"10.255.255.255", "10.255.255.255", true},
|
|
{"172.16.0.1", "172.16.0.1", true},
|
|
{"172.31.255.255", "172.31.255.255", true},
|
|
{"192.168.0.1", "192.168.0.1", true},
|
|
{"192.168.255.255", "192.168.255.255", true},
|
|
|
|
// Loopback
|
|
{"127.0.0.1", "127.0.0.1", true},
|
|
{"127.0.0.2", "127.0.0.2", true},
|
|
{"127.255.255.255", "127.255.255.255", true},
|
|
|
|
// Link-Local (includes AWS/GCP metadata)
|
|
{"169.254.0.1", "169.254.0.1", true},
|
|
{"169.254.169.254", "169.254.169.254", true},
|
|
{"169.254.255.255", "169.254.255.255", true},
|
|
|
|
// Reserved ranges
|
|
{"0.0.0.0", "0.0.0.0", true},
|
|
{"0.0.0.1", "0.0.0.1", true},
|
|
{"240.0.0.1", "240.0.0.1", true},
|
|
{"255.255.255.255", "255.255.255.255", true},
|
|
|
|
// IPv6 Loopback
|
|
{"::1", "::1", true},
|
|
|
|
// IPv6 Unique Local (fc00::/7)
|
|
{"fc00::1", "fc00::1", true},
|
|
{"fd00::1", "fd00::1", true},
|
|
|
|
// IPv6 Link-Local (fe80::/10)
|
|
{"fe80::1", "fe80::1", true},
|
|
|
|
// Public IPs - should be false
|
|
{"8.8.8.8", "8.8.8.8", false},
|
|
{"1.1.1.1", "1.1.1.1", false},
|
|
{"93.184.216.34", "93.184.216.34", false}, // example.com
|
|
{"2606:2800:220:1:248:1893:25c8:1946", "2606:2800:220:1:248:1893:25c8:1946", false}, // example.com IPv6
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
ip := net.ParseIP(tt.ip)
|
|
require.NotNil(t, ip, "failed to parse IP: %s", tt.ip)
|
|
|
|
result := isPrivateIP(ip)
|
|
assert.Equal(t, tt.expected, result, "isPrivateIP(%s) = %v, want %v", tt.ip, result, tt.expected)
|
|
})
|
|
}
|
|
}
|
|
|
|
// Test helper to verify error wrapping
|
|
func TestURLConnectivity_ErrorWrapping(t *testing.T) {
|
|
// Test invalid URL
|
|
_, _, err := TestURLConnectivity("://invalid")
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "invalid URL")
|
|
|
|
// Error should be a plain error (not wrapped in this case)
|
|
assert.NotNil(t, err)
|
|
}
|
|
|
|
// Test that User-Agent header is set correctly
|
|
func TestURLConnectivity_UserAgent(t *testing.T) {
|
|
receivedUA := ""
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
receivedUA = r.Header.Get("User-Agent")
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
_, _, err := testURLConnectivity(mockServer.URL, withAllowLocalhostForTesting(), withTransportForTesting(mockServer.Client().Transport))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "Charon-Health-Check/1.0", receivedUA)
|
|
}
|
|
|
|
// ============== Additional Coverage Tests ==============
|
|
|
|
// TestResolveAllowedIP_EmptyHost tests empty hostname handling
|
|
func TestResolveAllowedIP_EmptyHost(t *testing.T) {
|
|
ctx := context.Background()
|
|
_, err := resolveAllowedIP(ctx, "", false)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "missing hostname")
|
|
}
|
|
|
|
// TestResolveAllowedIP_IPLiteralPublic tests IP literal fast path for public IP (not loopback, not private)
|
|
func TestResolveAllowedIP_IPLiteralPublic(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
// Public IP should pass through without error
|
|
ip, err := resolveAllowedIP(ctx, "8.8.8.8", false)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "8.8.8.8", ip.String())
|
|
}
|
|
|
|
// TestResolveAllowedIP_IPLiteralPrivateBlocked tests private IP blocking for IP literals
|
|
func TestResolveAllowedIP_IPLiteralPrivateBlocked(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
privateIPs := []string{"10.0.0.1", "192.168.1.1", "172.16.0.1"}
|
|
for _, privateIP := range privateIPs {
|
|
t.Run(privateIP, func(t *testing.T) {
|
|
_, err := resolveAllowedIP(ctx, privateIP, false)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "private IP")
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestResolveAllowedIP_DNSResolutionFailure tests DNS failure handling
|
|
func TestResolveAllowedIP_DNSResolutionFailure(t *testing.T) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
|
|
defer cancel()
|
|
|
|
_, err := resolveAllowedIP(ctx, "nonexistent-domain-xyz123.invalid", false)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "DNS resolution failed")
|
|
}
|
|
|
|
// TestSSRFSafeDialer_InvalidAddressFormat tests invalid address format handling
|
|
func TestSSRFSafeDialer_InvalidAddressFormat(t *testing.T) {
|
|
dialer := ssrfSafeDialer()
|
|
ctx := context.Background()
|
|
|
|
// Address without port separator
|
|
_, err := dialer(ctx, "tcp", "invalidaddress")
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "invalid address format")
|
|
}
|
|
|
|
// TestSSRFSafeDialer_NoIPsFound tests empty DNS response handling
|
|
func TestSSRFSafeDialer_NoIPsFound(t *testing.T) {
|
|
// This scenario is hard to trigger directly, but we test through the resolveAllowedIP
|
|
// which is called by ssrfSafeDialer. The ssrfSafeDialer does its own DNS lookup.
|
|
dialer := ssrfSafeDialer()
|
|
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
|
|
defer cancel()
|
|
|
|
// Use a domain that won't resolve
|
|
_, err := dialer(ctx, "tcp", "nonexistent-domain-xyz123.invalid:80")
|
|
require.Error(t, err)
|
|
// Should contain DNS resolution error
|
|
assert.Contains(t, err.Error(), "DNS resolution")
|
|
}
|
|
|
|
// TestURLConnectivity_5xxServerErrors tests 5xx server error handling
|
|
func TestURLConnectivity_5xxServerErrors(t *testing.T) {
|
|
errorCodes := []int{500, 502, 503, 504}
|
|
|
|
for _, code := range errorCodes {
|
|
t.Run(fmt.Sprintf("status_%d", code), func(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(code)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
reachable, latency, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), fmt.Sprintf("server returned status %d", code))
|
|
assert.False(t, reachable)
|
|
assert.Greater(t, latency, float64(0)) // Latency is still recorded
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestURLConnectivity_TooManyRedirects tests redirect limit enforcement
|
|
func TestURLConnectivity_TooManyRedirects(t *testing.T) {
|
|
redirectCount := 0
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
redirectCount++
|
|
// Always redirect to trigger max redirect error
|
|
http.Redirect(w, r, fmt.Sprintf("/redirect%d", redirectCount), http.StatusFound)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
reachable, _, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "redirect")
|
|
assert.False(t, reachable)
|
|
}
|
|
|
|
// TestValidateRedirectTarget_TooManyRedirects tests redirect limit
|
|
func TestValidateRedirectTarget_TooManyRedirects(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "http://example.com/redirect", http.NoBody)
|
|
require.NoError(t, err)
|
|
|
|
// Create via slice with max redirects already reached
|
|
via := make([]*http.Request, 2)
|
|
for i := range via {
|
|
via[i], _ = http.NewRequest(http.MethodGet, "http://example.com/prev", http.NoBody)
|
|
}
|
|
|
|
err = validateRedirectTargetStrict(req, via, 2, true, false)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "too many redirects")
|
|
}
|
|
|
|
// TestValidateRedirectTarget_SchemeChangeBlocked tests scheme downgrade blocking
|
|
func TestValidateRedirectTarget_SchemeChangeBlocked(t *testing.T) {
|
|
// Create initial HTTPS request
|
|
prevReq, _ := http.NewRequest(http.MethodGet, "https://example.com/start", http.NoBody)
|
|
|
|
// Try to redirect to HTTP (downgrade - should be blocked)
|
|
req, err := http.NewRequest(http.MethodGet, "http://example.com/redirect", http.NoBody)
|
|
require.NoError(t, err)
|
|
|
|
err = validateRedirectTargetStrict(req, []*http.Request{prevReq}, 5, true, false)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "redirect scheme change blocked")
|
|
}
|
|
|
|
// TestValidateRedirectTarget_HTTPToHTTPSAllowed tests HTTP to HTTPS upgrade (allowed)
|
|
func TestValidateRedirectTarget_HTTPToHTTPSAllowed(t *testing.T) {
|
|
// Create initial HTTP request
|
|
prevReq, _ := http.NewRequest(http.MethodGet, "http://example.com/start", http.NoBody)
|
|
|
|
// Redirect to HTTPS (upgrade - should be allowed with allowHTTPSUpgrade=true)
|
|
req, err := http.NewRequest(http.MethodGet, "https://example.com/redirect", http.NoBody)
|
|
require.NoError(t, err)
|
|
|
|
err = validateRedirectTargetStrict(req, []*http.Request{prevReq}, 5, true, true)
|
|
// Should fail on security validation (private IP check), not scheme change
|
|
// The scheme change itself should be allowed
|
|
if err != nil {
|
|
assert.NotContains(t, err.Error(), "redirect scheme change blocked")
|
|
}
|
|
}
|
|
|
|
// TestValidateRedirectTarget_HTTPToHTTPSBlockedWhenNotAllowed tests blocking HTTP to HTTPS when not allowed
|
|
func TestValidateRedirectTarget_HTTPToHTTPSBlockedWhenNotAllowed(t *testing.T) {
|
|
// Create initial HTTP request
|
|
prevReq, _ := http.NewRequest(http.MethodGet, "http://example.com/start", http.NoBody)
|
|
|
|
// Redirect to HTTPS (upgrade - should be blocked when allowHTTPSUpgrade=false)
|
|
req, err := http.NewRequest(http.MethodGet, "https://example.com/redirect", http.NoBody)
|
|
require.NoError(t, err)
|
|
|
|
err = validateRedirectTargetStrict(req, []*http.Request{prevReq}, 5, false, false)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "redirect scheme change blocked")
|
|
}
|
|
|
|
// TestURLConnectivity_CloudMetadataBlocked tests AWS/GCP metadata endpoint blocking
|
|
func TestURLConnectivity_CloudMetadataBlocked(t *testing.T) {
|
|
metadataURLs := []string{
|
|
"http://169.254.169.254/latest/meta-data/",
|
|
"http://169.254.169.254",
|
|
}
|
|
|
|
for _, url := range metadataURLs {
|
|
t.Run(url, func(t *testing.T) {
|
|
reachable, _, err := TestURLConnectivity(url)
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
// Should be blocked by security validation
|
|
assert.Contains(t, err.Error(), "security validation failed")
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestURLConnectivity_InvalidPort tests invalid port handling
|
|
func TestURLConnectivity_InvalidPort(t *testing.T) {
|
|
invalidPortURLs := []struct {
|
|
name string
|
|
url string
|
|
}{
|
|
{"port_zero", "http://example.com:0/path"},
|
|
{"port_negative", "http://example.com:-1/path"},
|
|
{"port_too_large", "http://example.com:99999/path"},
|
|
{"port_non_numeric", "http://example.com:abc/path"},
|
|
}
|
|
|
|
for _, tc := range invalidPortURLs {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
reachable, _, err := TestURLConnectivity(tc.url)
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestURLConnectivity_HTTPSScheme tests HTTPS URL handling
|
|
func TestURLConnectivity_HTTPSScheme(t *testing.T) {
|
|
// Create HTTPS test server
|
|
mockServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
// Use the TLS server's client which has the right certificate configured
|
|
reachable, latency, err := testURLConnectivity(
|
|
mockServer.URL,
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(mockServer.Client().Transport),
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Greater(t, latency, float64(0))
|
|
}
|
|
|
|
// TestURLConnectivity_ExplicitPort tests URLs with explicit ports
|
|
func TestURLConnectivity_ExplicitPort(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
// The test server already has an explicit port in its URL
|
|
reachable, latency, err := testURLConnectivity(
|
|
mockServer.URL,
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(mockServer.Client().Transport),
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Greater(t, latency, float64(0))
|
|
}
|
|
|
|
// TestURLConnectivity_DefaultHTTPPort tests default HTTP port (80) handling
|
|
func TestURLConnectivity_DefaultHTTPPort(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
// Redirect to the test server regardless of the requested address
|
|
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
// URL without explicit port should default to 80
|
|
reachable, _, err := testURLConnectivity(
|
|
"http://localhost/",
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(transport),
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
}
|
|
|
|
// TestURLConnectivity_ConnectionTimeout tests timeout handling
|
|
func TestURLConnectivity_ConnectionTimeout(t *testing.T) {
|
|
// Create a server that doesn't respond
|
|
listener, err := net.Listen("tcp", "127.0.0.1:0")
|
|
require.NoError(t, err)
|
|
defer listener.Close()
|
|
|
|
// Accept connections but never respond
|
|
go func() {
|
|
for {
|
|
conn, err := listener.Accept()
|
|
if err != nil {
|
|
return
|
|
}
|
|
// Hold connection open but don't respond
|
|
time.Sleep(30 * time.Second)
|
|
conn.Close()
|
|
}
|
|
}()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.DialTimeout("tcp", listener.Addr().String(), 100*time.Millisecond)
|
|
},
|
|
ResponseHeaderTimeout: 100 * time.Millisecond,
|
|
}
|
|
|
|
reachable, _, err := testURLConnectivity(
|
|
"http://localhost/",
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(transport),
|
|
)
|
|
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
assert.Contains(t, err.Error(), "connection failed")
|
|
}
|
|
|
|
// TestURLConnectivity_RequestHeaders tests that custom headers are set
|
|
func TestURLConnectivity_RequestHeaders(t *testing.T) {
|
|
var receivedHeaders http.Header
|
|
var receivedHost string
|
|
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
receivedHeaders = r.Header
|
|
receivedHost = r.Host
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
_, _, err := testURLConnectivity(
|
|
mockServer.URL,
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(mockServer.Client().Transport),
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "Charon-Health-Check/1.0", receivedHeaders.Get("User-Agent"))
|
|
assert.Equal(t, "url-connectivity-test", receivedHeaders.Get("X-Charon-Request-Type"))
|
|
assert.NotEmpty(t, receivedHeaders.Get("X-Request-ID"))
|
|
assert.NotEmpty(t, receivedHost)
|
|
}
|
|
|
|
// TestURLConnectivity_EmptyURL tests empty URL handling
|
|
func TestURLConnectivity_EmptyURL(t *testing.T) {
|
|
reachable, _, err := TestURLConnectivity("")
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
}
|
|
|
|
// TestURLConnectivity_MalformedURL tests malformed URL handling
|
|
func TestURLConnectivity_MalformedURL(t *testing.T) {
|
|
malformedURLs := []string{
|
|
"://missing-scheme",
|
|
"http://",
|
|
"http:///no-host",
|
|
}
|
|
|
|
for _, url := range malformedURLs {
|
|
t.Run(url, func(t *testing.T) {
|
|
reachable, _, err := TestURLConnectivity(url)
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestURLConnectivity_IPv6Address tests IPv6 address handling
|
|
func TestURLConnectivity_IPv6Loopback(t *testing.T) {
|
|
// IPv6 loopback should be blocked like IPv4 loopback
|
|
reachable, _, err := TestURLConnectivity("http://[::1]/")
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
// Should be blocked by security validation
|
|
assert.Contains(t, err.Error(), "security validation failed")
|
|
}
|
|
|
|
// TestURLConnectivity_HeadMethod tests that HEAD method is used
|
|
func TestURLConnectivity_HeadMethod(t *testing.T) {
|
|
var receivedMethod string
|
|
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
receivedMethod = r.Method
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
_, _, err := testURLConnectivity(
|
|
mockServer.URL,
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(mockServer.Client().Transport),
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
assert.Equal(t, http.MethodHead, receivedMethod)
|
|
}
|
|
|
|
// TestResolveAllowedIP_LoopbackWithAllowLocalhost tests loopback IP with allowLocalhost flag
|
|
func TestResolveAllowedIP_LoopbackWithAllowLocalhost(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
// With allowLocalhost=true, loopback should be allowed
|
|
ip, err := resolveAllowedIP(ctx, "127.0.0.1", true)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "127.0.0.1", ip.String())
|
|
}
|
|
|
|
// TestResolveAllowedIP_LoopbackWithoutAllowLocalhost tests loopback IP without allowLocalhost flag
|
|
func TestResolveAllowedIP_LoopbackWithoutAllowLocalhost(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
// With allowLocalhost=false, loopback should be blocked
|
|
_, err := resolveAllowedIP(ctx, "127.0.0.1", false)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "private IP")
|
|
}
|
|
|
|
// TestURLConnectivity_HTTPSDefaultPort tests HTTPS URL without explicit port (defaults to 443)
|
|
func TestURLConnectivity_HTTPSDefaultPort(t *testing.T) {
|
|
// Create HTTPS test server
|
|
mockServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
// Use the TLS server's client which has the right certificate configured
|
|
reachable, latency, err := testURLConnectivity(
|
|
mockServer.URL,
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(mockServer.Client().Transport),
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Greater(t, latency, float64(0))
|
|
}
|
|
|
|
// TestURLConnectivity_ValidPortNumber tests URL with valid explicit port
|
|
func TestURLConnectivity_ValidPortNumber(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
reachable, latency, err := testURLConnectivity(
|
|
mockServer.URL+"/path",
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(mockServer.Client().Transport),
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Greater(t, latency, float64(0))
|
|
}
|
|
|
|
// TestURLConnectivity_PublicIPLiteralHTTP tests connectivity test with public IP literal
|
|
// Note: This test uses a mock server to avoid real network calls to public IPs
|
|
func TestURLConnectivity_PublicIPLiteralHTTP(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
// Test with localhost which is allowed with the test flag
|
|
// This exercises the code path for HTTP scheme handling
|
|
reachable, latency, err := testURLConnectivity(
|
|
mockServer.URL,
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(mockServer.Client().Transport),
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Greater(t, latency, float64(0))
|
|
}
|
|
|
|
// TestURLConnectivity_DNSResolutionError tests handling of DNS resolution failures
|
|
func TestURLConnectivity_DNSResolutionError(t *testing.T) {
|
|
// Use a domain that won't resolve
|
|
reachable, _, err := TestURLConnectivity("http://nonexistent-domain-xyz123456.invalid/")
|
|
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
// Should fail with security validation due to DNS failure
|
|
assert.Contains(t, err.Error(), "security validation failed")
|
|
}
|
|
|
|
// TestResolveAllowedIP_PublicIPv4Literal tests public IPv4 literal resolution
|
|
func TestResolveAllowedIP_PublicIPv4Literal(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
// Google DNS - a well-known public IP
|
|
ip, err := resolveAllowedIP(ctx, "8.8.8.8", false)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "8.8.8.8", ip.String())
|
|
}
|
|
|
|
// TestResolveAllowedIP_PublicIPv6Literal tests public IPv6 literal resolution
|
|
func TestResolveAllowedIP_PublicIPv6Literal(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
// Google DNS IPv6
|
|
ip, err := resolveAllowedIP(ctx, "2001:4860:4860::8888", false)
|
|
require.NoError(t, err)
|
|
assert.NotNil(t, ip)
|
|
}
|
|
|
|
// TestResolveAllowedIP_PrivateIPBlocked tests that private IPs are blocked
|
|
func TestResolveAllowedIP_PrivateIPBlocked(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
testCases := []struct {
|
|
name string
|
|
ip string
|
|
}{
|
|
{"RFC1918_10x", "10.0.0.1"},
|
|
{"RFC1918_172x", "172.16.0.1"},
|
|
{"RFC1918_192x", "192.168.1.1"},
|
|
{"LinkLocal", "169.254.1.1"},
|
|
{"Metadata", "169.254.169.254"},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
_, err := resolveAllowedIP(ctx, tc.ip, false)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "private IP")
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestURLConnectivity_PrivateNetworkRanges tests all private network ranges are blocked
|
|
func TestURLConnectivity_PrivateNetworkRanges(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
url string
|
|
}{
|
|
{"RFC1918_10x", "http://10.255.255.255/"},
|
|
{"RFC1918_172x", "http://172.31.255.255/"},
|
|
{"RFC1918_192x", "http://192.168.255.255/"},
|
|
{"LinkLocal", "http://169.254.1.1/"},
|
|
{"ZeroNet", "http://0.0.0.0/"},
|
|
{"Broadcast", "http://255.255.255.255/"},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
reachable, _, err := TestURLConnectivity(tc.url)
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
assert.Contains(t, err.Error(), "security validation failed")
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestURLConnectivity_MultipleStatusCodes tests various HTTP status codes
|
|
func TestURLConnectivity_MultipleStatusCodes(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
status int
|
|
reachable bool
|
|
}{
|
|
// 2xx - Success
|
|
{"200_OK", 200, true},
|
|
{"201_Created", 201, true},
|
|
{"204_NoContent", 204, true},
|
|
// 3xx - Handled by redirects, but final response matters
|
|
// (These go through redirect handler which may succeed or fail)
|
|
// 4xx - Client errors
|
|
{"400_BadRequest", 400, false},
|
|
{"401_Unauthorized", 401, false},
|
|
{"403_Forbidden", 403, false},
|
|
{"404_NotFound", 404, false},
|
|
{"429_TooManyRequests", 429, false},
|
|
// 5xx - Server errors
|
|
{"500_InternalServerError", 500, false},
|
|
{"502_BadGateway", 502, false},
|
|
{"503_ServiceUnavailable", 503, false},
|
|
{"504_GatewayTimeout", 504, false},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(tc.status)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
reachable, _, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
|
|
if tc.reachable {
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
} else {
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestURLConnectivity_RedirectToPrivateIP tests redirect to private IP is blocked
|
|
func TestURLConnectivity_RedirectToPrivateIP(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/" {
|
|
// Redirect to a private IP
|
|
http.Redirect(w, r, "http://10.0.0.1/internal", http.StatusFound)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
reachable, _, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
// Should be blocked by redirect validation
|
|
assert.Contains(t, err.Error(), "redirect")
|
|
}
|
|
|
|
// TestValidateRedirectTarget_ValidExternalRedirect tests valid external redirect
|
|
func TestValidateRedirectTarget_ValidExternalRedirect(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "http://example.com/redirect", http.NoBody)
|
|
require.NoError(t, err)
|
|
|
|
// No previous redirects
|
|
err = validateRedirectTargetStrict(req, nil, 2, true, false)
|
|
// Should pass scheme/redirect count validation but may fail on security validation
|
|
// (depending on whether example.com resolves)
|
|
if err != nil {
|
|
// If it fails, it should be due to security validation, not redirect limits
|
|
assert.NotContains(t, err.Error(), "too many redirects")
|
|
assert.NotContains(t, err.Error(), "scheme change")
|
|
}
|
|
}
|
|
|
|
// TestValidateRedirectTarget_SameSchemeAllowed tests same scheme redirects are allowed
|
|
func TestValidateRedirectTarget_SameSchemeAllowed(t *testing.T) {
|
|
// Create initial HTTP request
|
|
prevReq, _ := http.NewRequest(http.MethodGet, "http://example.com/start", http.NoBody)
|
|
|
|
// Redirect to same scheme
|
|
req, err := http.NewRequest(http.MethodGet, "http://example.com/redirect", http.NoBody)
|
|
require.NoError(t, err)
|
|
|
|
err = validateRedirectTargetStrict(req, []*http.Request{prevReq}, 5, true, false)
|
|
// Same scheme should be allowed (may fail on security validation)
|
|
if err != nil {
|
|
assert.NotContains(t, err.Error(), "scheme change")
|
|
}
|
|
}
|
|
|
|
// TestURLConnectivity_NetworkError tests handling of network connection errors
|
|
func TestURLConnectivity_NetworkError(t *testing.T) {
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return nil, fmt.Errorf("connection refused")
|
|
},
|
|
}
|
|
|
|
reachable, _, err := testURLConnectivity("http://localhost/", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
|
|
require.Error(t, err)
|
|
assert.False(t, reachable)
|
|
assert.Contains(t, err.Error(), "connection failed")
|
|
}
|
|
|
|
// TestURLConnectivity_HTTPSWithDefaultPort tests HTTPS URL with default port (443)
|
|
func TestURLConnectivity_HTTPSWithDefaultPort(t *testing.T) {
|
|
mockServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
reachable, latency, err := testURLConnectivity(
|
|
mockServer.URL,
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(mockServer.Client().Transport),
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Greater(t, latency, float64(0))
|
|
}
|
|
|
|
// TestURLConnectivity_HTTPWithExplicitPortValidation tests port validation
|
|
func TestURLConnectivity_HTTPWithExplicitPortValidation(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
// Valid port
|
|
reachable, latency, err := testURLConnectivity(
|
|
mockServer.URL,
|
|
withAllowLocalhostForTesting(),
|
|
withTransportForTesting(mockServer.Client().Transport),
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Greater(t, latency, float64(0))
|
|
}
|
|
|
|
// TestIsDockerBridgeIP_AllCases tests IsDockerBridgeIP function coverage
|
|
func TestIsDockerBridgeIP_AllCases(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
host string
|
|
expected bool
|
|
}{
|
|
// Valid Docker bridge IPs
|
|
{"docker_bridge_172_17", "172.17.0.1", true},
|
|
{"docker_bridge_172_18", "172.18.0.1", true},
|
|
{"docker_bridge_172_31", "172.31.255.255", true},
|
|
// Non-Docker IPs
|
|
{"public_ip", "8.8.8.8", false},
|
|
{"localhost", "127.0.0.1", false},
|
|
{"private_10x", "10.0.0.1", false},
|
|
{"private_192x", "192.168.1.1", false},
|
|
// Invalid inputs
|
|
{"empty", "", false},
|
|
{"invalid", "not-an-ip", false},
|
|
{"hostname", "example.com", false},
|
|
// IPv6 (should return false as Docker bridge is IPv4)
|
|
{"ipv6_loopback", "::1", false},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
result := IsDockerBridgeIP(tc.host)
|
|
assert.Equal(t, tc.expected, result, "IsDockerBridgeIP(%s) = %v, want %v", tc.host, result, tc.expected)
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestURLConnectivity_RedirectChain tests proper handling of redirect chains
|
|
func TestURLConnectivity_RedirectChain(t *testing.T) {
|
|
redirectCount := 0
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
switch r.URL.Path {
|
|
case "/":
|
|
redirectCount++
|
|
http.Redirect(w, r, "/step2", http.StatusFound)
|
|
case "/step2":
|
|
redirectCount++
|
|
// Final destination
|
|
w.WriteHeader(http.StatusOK)
|
|
default:
|
|
w.WriteHeader(http.StatusNotFound)
|
|
}
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
reachable, _, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
assert.Equal(t, 2, redirectCount)
|
|
}
|
|
|
|
// TestValidateRedirectTarget_FirstRedirect tests validation of first redirect (no via)
|
|
func TestValidateRedirectTarget_FirstRedirect(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "http://localhost/redirect", http.NoBody)
|
|
require.NoError(t, err)
|
|
|
|
// First redirect - via is empty
|
|
err = validateRedirectTargetStrict(req, nil, 2, true, true)
|
|
require.NoError(t, err)
|
|
}
|
|
|
|
// TestURLConnectivity_ResponseBodyClosed tests that response body is properly closed
|
|
func TestURLConnectivity_ResponseBodyClosed(t *testing.T) {
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
w.Write([]byte("response body content")) //nolint:errcheck
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
transport := &http.Transport{
|
|
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
return net.Dial("tcp", mockServer.Listener.Addr().String())
|
|
},
|
|
}
|
|
|
|
// Run multiple times to ensure no resource leak
|
|
for i := 0; i < 5; i++ {
|
|
reachable, _, err := testURLConnectivity("http://localhost", withAllowLocalhostForTesting(), withTransportForTesting(transport))
|
|
require.NoError(t, err)
|
|
assert.True(t, reachable)
|
|
}
|
|
}
|