2017-01-18 23:55:14 +00:00
|
|
|
package helper
|
|
|
|
|
|
|
|
import (
|
2019-06-24 15:29:26 +00:00
|
|
|
"fmt"
|
2020-10-22 19:47:49 +00:00
|
|
|
"path/filepath"
|
2017-01-18 23:55:14 +00:00
|
|
|
"reflect"
|
|
|
|
"sort"
|
|
|
|
"testing"
|
2020-07-28 20:12:08 +00:00
|
|
|
"time"
|
2020-07-17 14:41:45 +00:00
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
2017-01-18 23:55:14 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestSliceStringIsSubset(t *testing.T) {
|
|
|
|
l := []string{"a", "b", "c"}
|
|
|
|
s := []string{"d"}
|
|
|
|
|
|
|
|
sub, offending := SliceStringIsSubset(l, l[:1])
|
|
|
|
if !sub || len(offending) != 0 {
|
|
|
|
t.Fatalf("bad %v %v", sub, offending)
|
|
|
|
}
|
|
|
|
|
|
|
|
sub, offending = SliceStringIsSubset(l, s)
|
|
|
|
if sub || len(offending) == 0 || offending[0] != "d" {
|
|
|
|
t.Fatalf("bad %v %v", sub, offending)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-08-10 19:00:36 +00:00
|
|
|
func TestSliceStringContains(t *testing.T) {
|
|
|
|
list := []string{"a", "b", "c"}
|
|
|
|
require.True(t, SliceStringContains(list, "a"))
|
|
|
|
require.True(t, SliceStringContains(list, "b"))
|
|
|
|
require.True(t, SliceStringContains(list, "c"))
|
|
|
|
require.False(t, SliceStringContains(list, "d"))
|
|
|
|
}
|
|
|
|
|
2020-07-28 20:12:08 +00:00
|
|
|
func TestCompareTimePtrs(t *testing.T) {
|
|
|
|
t.Run("nil", func(t *testing.T) {
|
|
|
|
a := (*time.Duration)(nil)
|
|
|
|
b := (*time.Duration)(nil)
|
|
|
|
require.True(t, CompareTimePtrs(a, b))
|
|
|
|
c := TimeToPtr(3 * time.Second)
|
|
|
|
require.False(t, CompareTimePtrs(a, c))
|
|
|
|
require.False(t, CompareTimePtrs(c, a))
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("not nil", func(t *testing.T) {
|
|
|
|
a := TimeToPtr(1 * time.Second)
|
|
|
|
b := TimeToPtr(1 * time.Second)
|
|
|
|
c := TimeToPtr(2 * time.Second)
|
|
|
|
require.True(t, CompareTimePtrs(a, b))
|
|
|
|
require.False(t, CompareTimePtrs(a, c))
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2019-06-24 15:29:26 +00:00
|
|
|
func TestCompareSliceSetString(t *testing.T) {
|
|
|
|
cases := []struct {
|
|
|
|
A []string
|
|
|
|
B []string
|
|
|
|
Result bool
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
A: []string{},
|
|
|
|
B: []string{},
|
|
|
|
Result: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
A: []string{},
|
|
|
|
B: []string{"a"},
|
|
|
|
Result: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
A: []string{"a"},
|
|
|
|
B: []string{"a"},
|
|
|
|
Result: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
A: []string{"a"},
|
|
|
|
B: []string{"b"},
|
|
|
|
Result: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
A: []string{"a", "b"},
|
|
|
|
B: []string{"b"},
|
|
|
|
Result: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
A: []string{"a", "b"},
|
|
|
|
B: []string{"a"},
|
|
|
|
Result: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
A: []string{"a", "b"},
|
|
|
|
B: []string{"a", "b"},
|
|
|
|
Result: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
A: []string{"a", "b"},
|
|
|
|
B: []string{"b", "a"},
|
|
|
|
Result: true,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for i, tc := range cases {
|
|
|
|
tc := tc
|
|
|
|
t.Run(fmt.Sprintf("case-%da", i), func(t *testing.T) {
|
|
|
|
if res := CompareSliceSetString(tc.A, tc.B); res != tc.Result {
|
|
|
|
t.Fatalf("expected %t but CompareSliceSetString(%v, %v) -> %t",
|
|
|
|
tc.Result, tc.A, tc.B, res,
|
|
|
|
)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
// Function is commutative so compare B and A
|
|
|
|
t.Run(fmt.Sprintf("case-%db", i), func(t *testing.T) {
|
|
|
|
if res := CompareSliceSetString(tc.B, tc.A); res != tc.Result {
|
|
|
|
t.Fatalf("expected %t but CompareSliceSetString(%v, %v) -> %t",
|
|
|
|
tc.Result, tc.B, tc.A, res,
|
|
|
|
)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-01-18 23:55:14 +00:00
|
|
|
func TestMapStringStringSliceValueSet(t *testing.T) {
|
|
|
|
m := map[string][]string{
|
2017-09-26 22:26:33 +00:00
|
|
|
"foo": {"1", "2"},
|
|
|
|
"bar": {"3"},
|
2017-01-18 23:55:14 +00:00
|
|
|
"baz": nil,
|
|
|
|
}
|
|
|
|
|
|
|
|
act := MapStringStringSliceValueSet(m)
|
|
|
|
exp := []string{"1", "2", "3"}
|
|
|
|
sort.Strings(act)
|
|
|
|
if !reflect.DeepEqual(act, exp) {
|
|
|
|
t.Fatalf("Bad; got %v; want %v", act, exp)
|
|
|
|
}
|
|
|
|
}
|
2017-03-09 00:44:46 +00:00
|
|
|
|
2017-08-15 23:13:05 +00:00
|
|
|
func TestCopyMapStringSliceString(t *testing.T) {
|
|
|
|
m := map[string][]string{
|
2017-09-26 22:26:33 +00:00
|
|
|
"x": {"a", "b", "c"},
|
|
|
|
"y": {"1", "2", "3"},
|
2017-08-15 23:13:05 +00:00
|
|
|
"z": nil,
|
|
|
|
}
|
|
|
|
|
|
|
|
c := CopyMapStringSliceString(m)
|
|
|
|
if !reflect.DeepEqual(c, m) {
|
|
|
|
t.Fatalf("%#v != %#v", m, c)
|
|
|
|
}
|
|
|
|
|
|
|
|
c["x"][1] = "---"
|
|
|
|
if reflect.DeepEqual(c, m) {
|
|
|
|
t.Fatalf("Shared slices: %#v == %#v", m["x"], c["x"])
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-07-28 20:12:08 +00:00
|
|
|
func TestCopyMapSliceInterface(t *testing.T) {
|
|
|
|
m := map[string]interface{}{
|
|
|
|
"foo": "bar",
|
|
|
|
"baz": 2,
|
|
|
|
}
|
|
|
|
|
|
|
|
c := CopyMapStringInterface(m)
|
|
|
|
require.True(t, reflect.DeepEqual(m, c))
|
|
|
|
|
|
|
|
m["foo"] = "zzz"
|
|
|
|
require.False(t, reflect.DeepEqual(m, c))
|
|
|
|
}
|
|
|
|
|
2017-03-09 00:44:46 +00:00
|
|
|
func TestClearEnvVar(t *testing.T) {
|
|
|
|
type testCase struct {
|
|
|
|
input string
|
|
|
|
expected string
|
|
|
|
}
|
|
|
|
cases := []testCase{
|
|
|
|
{"asdf", "asdf"},
|
|
|
|
{"ASDF", "ASDF"},
|
|
|
|
{"0sdf", "_sdf"},
|
|
|
|
{"asd0", "asd0"},
|
|
|
|
{"_asd", "_asd"},
|
|
|
|
{"-asd", "_asd"},
|
2018-01-16 18:13:50 +00:00
|
|
|
{"asd.fgh", "asd.fgh"},
|
|
|
|
{"A~!@#$%^&*()_+-={}[]|\\;:'\"<,>?/Z", "A______________________________Z"},
|
2017-03-09 00:44:46 +00:00
|
|
|
{"A\U0001f4a9Z", "A____Z"},
|
|
|
|
}
|
|
|
|
for _, c := range cases {
|
|
|
|
if output := CleanEnvVar(c.input, '_'); output != c.expected {
|
|
|
|
t.Errorf("CleanEnvVar(%q, '_') -> %q != %q", c.input, output, c.expected)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func BenchmarkCleanEnvVar(b *testing.B) {
|
|
|
|
in := "NOMAD_ADDR_redis-cache"
|
|
|
|
replacement := byte('_')
|
|
|
|
b.SetBytes(int64(len(in)))
|
|
|
|
b.ReportAllocs()
|
|
|
|
b.ResetTimer()
|
|
|
|
for i := 0; i < b.N; i++ {
|
|
|
|
CleanEnvVar(in, replacement)
|
|
|
|
}
|
|
|
|
}
|
2020-07-17 14:41:45 +00:00
|
|
|
|
|
|
|
func TestCheckNamespaceScope(t *testing.T) {
|
|
|
|
cases := []struct {
|
|
|
|
desc string
|
|
|
|
provided string
|
|
|
|
requested []string
|
|
|
|
offending []string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
desc: "root ns requesting namespace",
|
|
|
|
provided: "",
|
|
|
|
requested: []string{"engineering"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "matching parent ns with child",
|
|
|
|
provided: "engineering",
|
|
|
|
requested: []string{"engineering", "engineering/sub-team"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "mismatch ns",
|
|
|
|
provided: "engineering",
|
|
|
|
requested: []string{"finance", "engineering/sub-team", "eng"},
|
|
|
|
offending: []string{"finance", "eng"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "mismatch child",
|
|
|
|
provided: "engineering/sub-team",
|
|
|
|
requested: []string{"engineering/new-team", "engineering/sub-team", "engineering/sub-team/child"},
|
|
|
|
offending: []string{"engineering/new-team"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "matching prefix",
|
|
|
|
provided: "engineering",
|
|
|
|
requested: []string{"engineering/new-team", "engineering/new-team/sub-team"},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, tc := range cases {
|
|
|
|
t.Run(tc.desc, func(t *testing.T) {
|
|
|
|
offending := CheckNamespaceScope(tc.provided, tc.requested)
|
|
|
|
require.Equal(t, offending, tc.offending)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
2020-10-16 17:23:44 +00:00
|
|
|
|
2020-10-22 19:47:49 +00:00
|
|
|
func TestPathEscapesSandbox(t *testing.T) {
|
2020-10-16 17:23:44 +00:00
|
|
|
cases := []struct {
|
2020-10-22 19:47:49 +00:00
|
|
|
name string
|
|
|
|
path string
|
|
|
|
dir string
|
|
|
|
expected bool
|
2020-10-16 17:23:44 +00:00
|
|
|
}{
|
|
|
|
{
|
2020-10-22 19:47:49 +00:00
|
|
|
// this is the ${NOMAD_SECRETS_DIR} case
|
|
|
|
name: "ok joined absolute path inside sandbox",
|
|
|
|
path: filepath.Join("/alloc", "/secrets"),
|
2020-10-16 17:23:44 +00:00
|
|
|
dir: "/alloc",
|
2020-10-22 19:47:49 +00:00
|
|
|
expected: false,
|
2020-10-16 17:23:44 +00:00
|
|
|
},
|
|
|
|
{
|
2020-10-22 19:47:49 +00:00
|
|
|
name: "fail unjoined absolute path outside sandbox",
|
|
|
|
path: "/secrets",
|
|
|
|
dir: "/alloc",
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "ok joined relative path inside sandbox",
|
|
|
|
path: filepath.Join("/alloc", "./safe"),
|
|
|
|
dir: "/alloc",
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "fail unjoined relative path outside sandbox",
|
2020-10-16 17:23:44 +00:00
|
|
|
path: "./safe",
|
|
|
|
dir: "/alloc",
|
2020-10-22 19:47:49 +00:00
|
|
|
expected: true,
|
2020-10-16 17:23:44 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "ok relative path traversal constrained to sandbox",
|
2020-10-22 19:47:49 +00:00
|
|
|
path: filepath.Join("/alloc", "../../alloc/safe"),
|
|
|
|
dir: "/alloc",
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "ok unjoined absolute path traversal constrained to sandbox",
|
|
|
|
path: filepath.Join("/alloc", "/../alloc/safe"),
|
2020-10-16 17:23:44 +00:00
|
|
|
dir: "/alloc",
|
2020-10-22 19:47:49 +00:00
|
|
|
expected: false,
|
2020-10-16 17:23:44 +00:00
|
|
|
},
|
|
|
|
{
|
2020-10-22 19:47:49 +00:00
|
|
|
name: "ok unjoined absolute path traversal constrained to sandbox",
|
2020-10-16 17:23:44 +00:00
|
|
|
path: "/../alloc/safe",
|
|
|
|
dir: "/alloc",
|
2020-10-22 19:47:49 +00:00
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "fail joined relative path traverses outside sandbox",
|
|
|
|
path: filepath.Join("/alloc", "../../../unsafe"),
|
|
|
|
dir: "/alloc",
|
|
|
|
expected: true,
|
2020-10-16 17:23:44 +00:00
|
|
|
},
|
|
|
|
{
|
2020-10-22 19:47:49 +00:00
|
|
|
name: "fail unjoined relative path traverses outside sandbox",
|
|
|
|
path: "../../../unsafe",
|
|
|
|
dir: "/alloc",
|
|
|
|
expected: true,
|
2020-10-16 17:23:44 +00:00
|
|
|
},
|
|
|
|
{
|
2020-10-22 19:47:49 +00:00
|
|
|
name: "fail joined absolute path tries to transverse outside sandbox",
|
|
|
|
path: filepath.Join("/alloc", "/alloc/../../unsafe"),
|
|
|
|
dir: "/alloc",
|
|
|
|
expected: true,
|
2020-10-16 17:23:44 +00:00
|
|
|
},
|
|
|
|
{
|
2020-10-22 19:47:49 +00:00
|
|
|
name: "fail unjoined absolute path tries to transverse outside sandbox",
|
|
|
|
path: "/alloc/../../unsafe",
|
|
|
|
dir: "/alloc",
|
|
|
|
expected: true,
|
2020-10-16 17:23:44 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, tc := range cases {
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
|
|
caseMsg := fmt.Sprintf("path: %v\ndir: %v", tc.path, tc.dir)
|
2020-10-22 19:47:49 +00:00
|
|
|
escapes := PathEscapesSandbox(tc.dir, tc.path)
|
2020-10-16 17:23:44 +00:00
|
|
|
require.Equal(t, tc.expected, escapes, caseMsg)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|