Files

54 lines
1.4 KiB
Go

package monitor
import "net"
import "testing"
func TestEgressPolicyBlocksInternal(t *testing.T) {
var policy EgressPolicy
var blocked []string
var allowed []string
var addr string
var ip net.IP
// Test the deny logic explicitly, independent of the deployment default
// (DefaultEgressPolicy may be configured to allow internal targets).
policy = EgressPolicy{AllowInternal: false}
blocked = []string{
"127.0.0.1", // loopback
"::1", // loopback v6
"169.254.169.254", // link-local / cloud metadata
"10.1.2.3", // private
"172.16.5.5", // private
"192.168.1.1", // private
"0.0.0.0", // unspecified
"fe80::1", // link-local v6
"fc00::1", // unique-local v6 (private)
}
allowed = []string{
"8.8.8.8",
"1.1.1.1",
"93.184.216.34", // example.com
}
for _, addr = range blocked {
ip = net.ParseIP(addr)
if policy.IPAllowed(ip) {
t.Errorf("expected %s to be blocked by default policy", addr)
}
}
for _, addr = range allowed {
ip = net.ParseIP(addr)
if !policy.IPAllowed(ip) {
t.Errorf("expected %s to be allowed by default policy", addr)
}
}
}
func TestEgressPolicyAllowInternal(t *testing.T) {
var policy EgressPolicy
policy = EgressPolicy{AllowInternal: true}
if !policy.IPAllowed(net.ParseIP("127.0.0.1")) {
t.Errorf("AllowInternal policy should permit loopback")
}
}