jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-06-26 02:35:02 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
45fc5a31bcf686028d3740c5da2abfafdd67bbb3
higress/plugins/wasm-go/extensions/ext-auth/expr/expr_extra_test.go

94 lines
3.5 KiB
Go
Raw Blame History

// Copyright (c) 2025 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package expr
import (
"testing"
"github.com/stretchr/testify/require"
)
// === Module A — MatchRulesDefaults ======================================
//
// MatchRulesDefaults is at 0% in the baseline. It is consumed by
// config.ParseConfig as the zero-value MatchRules when the user supplies
// no match_list, so a regression here would silently change route-skip
// semantics from "whitelist with empty rule list" (block all by default)
// to whatever a future zero-value happens to mean.
func TestMatchRulesDefaults_WhitelistMode(t *testing.T) {
d := MatchRulesDefaults()
require.Equal(t, ModeWhitelist, d.Mode)
}
func TestMatchRulesDefaults_EmptyButNonNilRuleList(t *testing.T) {
d := MatchRulesDefaults()
require.NotNil(t, d.RuleList)
require.Len(t, d.RuleList, 0)
}
// In whitelist mode with an empty rule list, every (domain, method, path)
// triple must be DENIED by the rule check (i.e. the auth server gets to see
// the request). The dual contract — blacklist + empty rule list = ALLOW —
// is already covered by match_rules_test.go via populated rule sets, but
// the empty-list defaults case is an important degenerate edge.
func TestMatchRulesDefaults_EmptyWhitelistDenies(t *testing.T) {
d := MatchRulesDefaults()
require.False(t, d.IsAllowedByMode("example.com", "GET", "/x"))
}
// === Module B — IsAllowedByMode default branch ==========================
//
// `default: return false` at match_rules.go:51 is unreachable through
// MatchRulesDefaults because Mode is whitelist there. A misconfigured /
// hand-built MatchRules with an unknown mode must safely fall back to
// "not allowed" so the request still goes through the auth server rather
// than silently bypassing it.
func TestIsAllowedByMode_UnknownModeFallsToFalse(t *testing.T) {
mr := MatchRules{Mode: "not-a-mode", RuleList: []Rule{}}
require.False(t, mr.IsAllowedByMode("example.com", "GET", "/x"))
}
// === Module C — BuildStringMatcher edges ================================
//
// BuildStringMatcher is at 75%; the unknown-type error branch and the
// invalid-regex branch are both unreached. Both must produce errors rather
// than nil-matchers so config.parseMatchRules can surface a proper config
// validation error.
func TestBuildStringMatcher_UnknownType(t *testing.T) {
m, err := BuildStringMatcher("not-a-pattern", "x", false)
require.Error(t, err)
require.Nil(t, m)
require.Contains(t, err.Error(), "unknown string matcher type")
}
func TestBuildStringMatcher_InvalidRegex(t *testing.T) {
// Unbalanced "[" is a regexp.Compile error.
m, err := BuildStringMatcher(MatchPatternRegex, "[unbalanced", false)
require.Error(t, err)
require.Nil(t, m)
}
// IgnoreCase + already-prefixed `(?i)` regex must NOT double-prefix —
// pins matcher.go:119-121's idempotency check.
func TestBuildStringMatcher_RegexIgnoreCaseAlreadyPrefixed(t *testing.T) {
m, err := BuildStringMatcher(MatchPatternRegex, "(?i)foo", true)
require.NoError(t, err)
require.NotNil(t, m)
require.True(t, m.Match("FOO"))
}
Reference in New Issue View Git Blame Copy Permalink