coredns/plugin/acl/setup_test.go

package acl

import (
	"testing"

	"github.com/coredns/caddy"
)

func TestSetup(t *testing.T) {
	tests := []struct {
		name    string
		config  string
		wantErr bool
	}{
		// IPv4 tests.
		{
			"Blacklist 1",
			`acl {
				block type A net 192.168.0.0/16
			}`,
			false,
		},
		{
			"Blacklist 2",
			`acl {
				block type * net 192.168.0.0/16
			}`,
			false,
		},
		{
			"Blacklist 3",
			`acl {
				block type A net *
			}`,
			false,
		},
		{
			"Blacklist 4",
			`acl {
				allow type * net 192.168.1.0/24
				block type * net 192.168.0.0/16
			}`,
			false,
		},
		{
			"Filter 1",
			`acl {
				filter type A net 192.168.0.0/16
			}`,
			false,
		},
		{
			"Whitelist 1",
			`acl {
				allow type * net 192.168.0.0/16
				block type * net *
			}`,
			false,
		},
		{
			"Drop 1",
			`acl {
				drop type * net 192.168.0.0/16
			}`,
			false,
		},
		{
			"fine-grained 1",
			`acl a.example.org {
				block type * net 192.168.1.0/24
			}`,
			false,
		},
		{
			"fine-grained 2",
			`acl a.example.org {
				block type * net 192.168.1.0/24
			}
			acl b.example.org {
				block type * net 192.168.2.0/24
			}`,
			false,
		},
		{
			"Multiple Networks 1",
			`acl example.org {
				block type * net 192.168.1.0/24 192.168.3.0/24
			}`,
			false,
		},
		{
			"Multiple Qtypes 1",
			`acl example.org {
				block type TXT ANY CNAME net 192.168.3.0/24
			}`,
			false,
		},
		{
			"Missing argument 1",
			`acl {
				block A net 192.168.0.0/16
			}`,
			true,
		},
		{
			"Missing argument 2",
			`acl {
				block type net 192.168.0.0/16
			}`,
			true,
		},
		{
			"Illegal argument 1",
			`acl {
				block type ABC net 192.168.0.0/16
			}`,
			true,
		},
		{
			"Illegal argument 2",
			`acl {
				blck type A net 192.168.0.0/16
			}`,
			true,
		},
		{
			"Illegal argument 3",
			`acl {
				block type A net 192.168.0/16
			}`,
			true,
		},
		{
			"Illegal argument 4",
			`acl {
				block type A net 192.168.0.0/33
			}`,
			true,
		},
		// IPv6 tests.
		{
			"Blacklist 1 IPv6",
			`acl {
				block type A net 2001:0db8:85a3:0000:0000:8a2e:0370:7334
			}`,
			false,
		},
		{
			"Blacklist 2 IPv6",
			`acl {
				block type * net 2001:db8:85a3::8a2e:370:7334
			}`,
			false,
		},
		{
			"Blacklist 3 IPv6",
			`acl {
				block type A
			}`,
			false,
		},
		{
			"Blacklist 4 IPv6",
			`acl {
				allow net 2001:db8:abcd:0012::0/64
				block net 2001:db8:abcd:0012::0/48
			}`,
			false,
		},
		{
			"Filter 1 IPv6",
			`acl {
				filter type A net 2001:0db8:85a3:0000:0000:8a2e:0370:7334
			}`,
			false,
		},
		{
			"Whitelist 1 IPv6",
			`acl {
				allow net 2001:db8:abcd:0012::0/64
				block
			}`,
			false,
		},
		{
			"Drop 1 IPv6",
			`acl {
				drop net 2001:db8:abcd:0012::0/64
			}`,
			false,
		},
		{
			"fine-grained 1 IPv6",
			`acl a.example.org {
				block net 2001:db8:abcd:0012::0/64
			}`,
			false,
		},
		{
			"fine-grained 2 IPv6",
			`acl a.example.org {
				block net 2001:db8:abcd:0012::0/64
			}
			acl b.example.org {
				block net 2001:db8:abcd:0013::0/64
			}`,
			false,
		},
		{
			"Multiple Networks 1 IPv6",
			`acl example.org {
				block net 2001:db8:abcd:0012::0/64 2001:db8:85a3::8a2e:370:7334/64
			}`,
			false,
		},
		{
			"Illegal argument 1 IPv6",
			`acl {
				block type A net 2001::85a3::8a2e:370:7334
			}`,
			true,
		},
		{
			"Illegal argument 2 IPv6",
			`acl {
				block type A net 2001:db8:85a3:::8a2e:370:7334
			}`,
			true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctr := caddy.NewTestController("dns", tt.config)
			if err := setup(ctr); (err != nil) != tt.wantErr {
				t.Errorf("Error: setup() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func TestNormalize(t *testing.T) {
	type args struct {
		rawNet string
	}
	tests := []struct {
		name string
		args args
		want string
	}{
		{
			"Network range 1",
			args{"10.218.10.8/24"},
			"10.218.10.8/24",
		},
		{
			"IP address 1",
			args{"10.218.10.8"},
			"10.218.10.8/32",
		},
		{
			"IPv6 address 1",
			args{"2001:0db8:85a3:0000:0000:8a2e:0370:7334"},
			"2001:0db8:85a3:0000:0000:8a2e:0370:7334/128",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := normalize(tt.args.rawNet); got != tt.want {
				t.Errorf("Error: normalize() = %v, want %v", got, tt.want)
			}
		})
	}
}
Add plugin ACL for source ip filtering (#3103) * Add plugin ACL for source ip filtering Signed-off-by: An Xiao <hac@zju.edu.cn> * Allow all arguments to be optional and support multiple qtypes in a single policy Signed-off-by: An Xiao <hac@zju.edu.cn> * Add newline before third party imports Signed-off-by: An Xiao <hac@zju.edu.cn> * Use camel instead of underscore in method name Signed-off-by: An Xiao <hac@zju.edu.cn> * Start with an upper case letter in t.Errorf() Signed-off-by: An Xiao <hac@zju.edu.cn> * Use the qtype parse logic in miekg/dns Signed-off-by: An Xiao <hac@zju.edu.cn> * Use third party trie implementation as the ip filter Signed-off-by: An Xiao <hac@zju.edu.cn> * Update based on rdrozhdzh's comment Signed-off-by: An Xiao <hac@zju.edu.cn> * Change the type of action to int Signed-off-by: An Xiao <hac@zju.edu.cn> * Add IPv6 support Signed-off-by: An Xiao <hac@zju.edu.cn> * Update plugin.cfg Signed-off-by: An Xiao <hac@zju.edu.cn> * Remove file functionality Signed-off-by: An Xiao <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update README Signed-off-by: Xiao An <hac@zju.edu.cn> * remove comments Signed-off-by: Xiao An <hac@zju.edu.cn> * update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update dependency Signed-off-by: Xiao An <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update test Signed-off-by: Xiao An <hac@zju.edu.cn> * Add OWNERS Signed-off-by: Xiao An <hac@zju.edu.cn> * Refactor shouldBlock and skip useless check Signed-off-by: Xiao An <hac@zju.edu.cn> * Introduce ActionNone Signed-off-by: Xiao An <hac@zju.edu.cn> * Update label name Signed-off-by: Xiao An <hac@zju.edu.cn> * Avoid capitalizing private types Signed-off-by: Xiao An <hac@zju.edu.cn> 2019-09-04 23:43:45 +08:00			`package acl`

			`import (`
			`"testing"`

For caddy v1 in our org (#4018) * For caddy v1 in our org This RP changes all imports for caddyserver/caddy to coredns/caddy. This is the v1 code of caddy. For the coredns/caddy repo the following changes have been made: * anything not needed by us is deleted * all `telemetry` stuff is deleted * all its import paths are also changed to point to coredns/caddy * the v1 branch has been moved to the master branch * a v1.1.0 tag has been added to signal the latest release Signed-off-by: Miek Gieben <miek@miek.nl> * Fix imports Signed-off-by: Miek Gieben <miek@miek.nl> * Group coredns/caddy with out plugins Signed-off-by: Miek Gieben <miek@miek.nl> * remove this file Signed-off-by: Miek Gieben <miek@miek.nl> * Relax import ordering github.com/coredns is now also a coredns dep, this makes github.com/coredns/caddy fit more natural in the list. Signed-off-by: Miek Gieben <miek@miek.nl> * Fix final import Signed-off-by: Miek Gieben <miek@miek.nl> 2020-09-24 18:14:41 +02:00			`"github.com/coredns/caddy"`
Add plugin ACL for source ip filtering (#3103) * Add plugin ACL for source ip filtering Signed-off-by: An Xiao <hac@zju.edu.cn> * Allow all arguments to be optional and support multiple qtypes in a single policy Signed-off-by: An Xiao <hac@zju.edu.cn> * Add newline before third party imports Signed-off-by: An Xiao <hac@zju.edu.cn> * Use camel instead of underscore in method name Signed-off-by: An Xiao <hac@zju.edu.cn> * Start with an upper case letter in t.Errorf() Signed-off-by: An Xiao <hac@zju.edu.cn> * Use the qtype parse logic in miekg/dns Signed-off-by: An Xiao <hac@zju.edu.cn> * Use third party trie implementation as the ip filter Signed-off-by: An Xiao <hac@zju.edu.cn> * Update based on rdrozhdzh's comment Signed-off-by: An Xiao <hac@zju.edu.cn> * Change the type of action to int Signed-off-by: An Xiao <hac@zju.edu.cn> * Add IPv6 support Signed-off-by: An Xiao <hac@zju.edu.cn> * Update plugin.cfg Signed-off-by: An Xiao <hac@zju.edu.cn> * Remove file functionality Signed-off-by: An Xiao <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update README Signed-off-by: Xiao An <hac@zju.edu.cn> * remove comments Signed-off-by: Xiao An <hac@zju.edu.cn> * update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update dependency Signed-off-by: Xiao An <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update test Signed-off-by: Xiao An <hac@zju.edu.cn> * Add OWNERS Signed-off-by: Xiao An <hac@zju.edu.cn> * Refactor shouldBlock and skip useless check Signed-off-by: Xiao An <hac@zju.edu.cn> * Introduce ActionNone Signed-off-by: Xiao An <hac@zju.edu.cn> * Update label name Signed-off-by: Xiao An <hac@zju.edu.cn> * Avoid capitalizing private types Signed-off-by: Xiao An <hac@zju.edu.cn> 2019-09-04 23:43:45 +08:00			`)`

			`func TestSetup(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`config string`
			`wantErr bool`
			`}{`
			`// IPv4 tests.`
			`{`
			`"Blacklist 1",`
			`acl {
			`block type A net 192.168.0.0/16`
			}`,
			`false,`
			`},`
			`{`
			`"Blacklist 2",`
			`acl {
			`block type * net 192.168.0.0/16`
			}`,
			`false,`
			`},`
			`{`
			`"Blacklist 3",`
			`acl {
			`block type A net *`
			}`,
			`false,`
			`},`
			`{`
			`"Blacklist 4",`
			`acl {
			`allow type * net 192.168.1.0/24`
			`block type * net 192.168.0.0/16`
			}`,
			`false,`
			`},`
plugin/acl: add the ability to filter records (#4389) Currently ACLs only allow for allow and block, however it isn't always desirable to set the status code to REFUSED. Often times you want to completely hide the fact that those records even exist. Adding the ability to acl to filter results makes it significantly harder for a third party to know that the records are being masked. Signed-off-by: George Shammas <george@shamm.as> 2021-02-01 09:52:23 -05:00			`{`
			`"Filter 1",`
			`acl {
			`filter type A net 192.168.0.0/16`
			}`,
			`false,`
			`},`
Add plugin ACL for source ip filtering (#3103) * Add plugin ACL for source ip filtering Signed-off-by: An Xiao <hac@zju.edu.cn> * Allow all arguments to be optional and support multiple qtypes in a single policy Signed-off-by: An Xiao <hac@zju.edu.cn> * Add newline before third party imports Signed-off-by: An Xiao <hac@zju.edu.cn> * Use camel instead of underscore in method name Signed-off-by: An Xiao <hac@zju.edu.cn> * Start with an upper case letter in t.Errorf() Signed-off-by: An Xiao <hac@zju.edu.cn> * Use the qtype parse logic in miekg/dns Signed-off-by: An Xiao <hac@zju.edu.cn> * Use third party trie implementation as the ip filter Signed-off-by: An Xiao <hac@zju.edu.cn> * Update based on rdrozhdzh's comment Signed-off-by: An Xiao <hac@zju.edu.cn> * Change the type of action to int Signed-off-by: An Xiao <hac@zju.edu.cn> * Add IPv6 support Signed-off-by: An Xiao <hac@zju.edu.cn> * Update plugin.cfg Signed-off-by: An Xiao <hac@zju.edu.cn> * Remove file functionality Signed-off-by: An Xiao <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update README Signed-off-by: Xiao An <hac@zju.edu.cn> * remove comments Signed-off-by: Xiao An <hac@zju.edu.cn> * update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update dependency Signed-off-by: Xiao An <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update test Signed-off-by: Xiao An <hac@zju.edu.cn> * Add OWNERS Signed-off-by: Xiao An <hac@zju.edu.cn> * Refactor shouldBlock and skip useless check Signed-off-by: Xiao An <hac@zju.edu.cn> * Introduce ActionNone Signed-off-by: Xiao An <hac@zju.edu.cn> * Update label name Signed-off-by: Xiao An <hac@zju.edu.cn> * Avoid capitalizing private types Signed-off-by: Xiao An <hac@zju.edu.cn> 2019-09-04 23:43:45 +08:00			`{`
			`"Whitelist 1",`
			`acl {
			`allow type * net 192.168.0.0/16`
			`block type * net *`
			}`,
			`false,`
			`},`
plugin/acl: adding ability to drop queries (#5722) Both block and filter actions write responses to the client based upon the source IP address of the UDP packet containing the query. An attacker spoofing the source IP address to that of their target, can elicit a response to be sent to the victim host, known as DNS Reflection. If an attacker is able to elicit a large response from a relatively small query, with a spoofed source IP address, they are able to increase the amount of data sent to the victim, known as DNS Amplification. Scaling this from one to many queries allows an attacker to perform an effective Denial of Service (DoS) attack against their target. Adding the drop action enables CoreDNS to ignore queries of a given type or network range from being processed and a response written, where an operator knows ahead of time, should not originate or be destined to. Signed-off-by: rsclarke <hey@rsclarke.dev> Signed-off-by: rsclarke <hey@rsclarke.dev> 2022-11-01 17:16:55 +08:00			`{`
			`"Drop 1",`
			`acl {
			`drop type * net 192.168.0.0/16`
			}`,
			`false,`
			`},`
Add plugin ACL for source ip filtering (#3103) * Add plugin ACL for source ip filtering Signed-off-by: An Xiao <hac@zju.edu.cn> * Allow all arguments to be optional and support multiple qtypes in a single policy Signed-off-by: An Xiao <hac@zju.edu.cn> * Add newline before third party imports Signed-off-by: An Xiao <hac@zju.edu.cn> * Use camel instead of underscore in method name Signed-off-by: An Xiao <hac@zju.edu.cn> * Start with an upper case letter in t.Errorf() Signed-off-by: An Xiao <hac@zju.edu.cn> * Use the qtype parse logic in miekg/dns Signed-off-by: An Xiao <hac@zju.edu.cn> * Use third party trie implementation as the ip filter Signed-off-by: An Xiao <hac@zju.edu.cn> * Update based on rdrozhdzh's comment Signed-off-by: An Xiao <hac@zju.edu.cn> * Change the type of action to int Signed-off-by: An Xiao <hac@zju.edu.cn> * Add IPv6 support Signed-off-by: An Xiao <hac@zju.edu.cn> * Update plugin.cfg Signed-off-by: An Xiao <hac@zju.edu.cn> * Remove file functionality Signed-off-by: An Xiao <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update README Signed-off-by: Xiao An <hac@zju.edu.cn> * remove comments Signed-off-by: Xiao An <hac@zju.edu.cn> * update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update dependency Signed-off-by: Xiao An <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update test Signed-off-by: Xiao An <hac@zju.edu.cn> * Add OWNERS Signed-off-by: Xiao An <hac@zju.edu.cn> * Refactor shouldBlock and skip useless check Signed-off-by: Xiao An <hac@zju.edu.cn> * Introduce ActionNone Signed-off-by: Xiao An <hac@zju.edu.cn> * Update label name Signed-off-by: Xiao An <hac@zju.edu.cn> * Avoid capitalizing private types Signed-off-by: Xiao An <hac@zju.edu.cn> 2019-09-04 23:43:45 +08:00			`{`
			`"fine-grained 1",`
			`acl a.example.org {
			`block type * net 192.168.1.0/24`
			}`,
			`false,`
			`},`
			`{`
			`"fine-grained 2",`
			`acl a.example.org {
			`block type * net 192.168.1.0/24`
			`}`
			`acl b.example.org {`
			`block type * net 192.168.2.0/24`
			}`,
			`false,`
			`},`
			`{`
			`"Multiple Networks 1",`
			`acl example.org {
			`block type * net 192.168.1.0/24 192.168.3.0/24`
			}`,
			`false,`
			`},`
			`{`
			`"Multiple Qtypes 1",`
			`acl example.org {
			`block type TXT ANY CNAME net 192.168.3.0/24`
			}`,
			`false,`
			`},`
			`{`
			`"Missing argument 1",`
			`acl {
			`block A net 192.168.0.0/16`
			}`,
			`true,`
			`},`
			`{`
			`"Missing argument 2",`
			`acl {
			`block type net 192.168.0.0/16`
			}`,
			`true,`
			`},`
			`{`
			`"Illegal argument 1",`
			`acl {
			`block type ABC net 192.168.0.0/16`
			}`,
			`true,`
			`},`
			`{`
			`"Illegal argument 2",`
			`acl {
			`blck type A net 192.168.0.0/16`
			}`,
			`true,`
			`},`
			`{`
			`"Illegal argument 3",`
			`acl {
			`block type A net 192.168.0/16`
			}`,
			`true,`
			`},`
			`{`
			`"Illegal argument 4",`
			`acl {
			`block type A net 192.168.0.0/33`
			}`,
			`true,`
			`},`
			`// IPv6 tests.`
			`{`
			`"Blacklist 1 IPv6",`
			`acl {
			`block type A net 2001:0db8:85a3:0000:0000:8a2e:0370:7334`
			}`,
			`false,`
			`},`
			`{`
			`"Blacklist 2 IPv6",`
			`acl {
			`block type * net 2001:db8:85a3::8a2e:370:7334`
			}`,
			`false,`
			`},`
			`{`
			`"Blacklist 3 IPv6",`
			`acl {
			`block type A`
			}`,
			`false,`
			`},`
			`{`
			`"Blacklist 4 IPv6",`
			`acl {
			`allow net 2001:db8:abcd:0012::0/64`
			`block net 2001:db8:abcd:0012::0/48`
			}`,
			`false,`
			`},`
plugin/acl: add the ability to filter records (#4389) Currently ACLs only allow for allow and block, however it isn't always desirable to set the status code to REFUSED. Often times you want to completely hide the fact that those records even exist. Adding the ability to acl to filter results makes it significantly harder for a third party to know that the records are being masked. Signed-off-by: George Shammas <george@shamm.as> 2021-02-01 09:52:23 -05:00			`{`
			`"Filter 1 IPv6",`
			`acl {
			`filter type A net 2001:0db8:85a3:0000:0000:8a2e:0370:7334`
			}`,
			`false,`
			`},`
Add plugin ACL for source ip filtering (#3103) * Add plugin ACL for source ip filtering Signed-off-by: An Xiao <hac@zju.edu.cn> * Allow all arguments to be optional and support multiple qtypes in a single policy Signed-off-by: An Xiao <hac@zju.edu.cn> * Add newline before third party imports Signed-off-by: An Xiao <hac@zju.edu.cn> * Use camel instead of underscore in method name Signed-off-by: An Xiao <hac@zju.edu.cn> * Start with an upper case letter in t.Errorf() Signed-off-by: An Xiao <hac@zju.edu.cn> * Use the qtype parse logic in miekg/dns Signed-off-by: An Xiao <hac@zju.edu.cn> * Use third party trie implementation as the ip filter Signed-off-by: An Xiao <hac@zju.edu.cn> * Update based on rdrozhdzh's comment Signed-off-by: An Xiao <hac@zju.edu.cn> * Change the type of action to int Signed-off-by: An Xiao <hac@zju.edu.cn> * Add IPv6 support Signed-off-by: An Xiao <hac@zju.edu.cn> * Update plugin.cfg Signed-off-by: An Xiao <hac@zju.edu.cn> * Remove file functionality Signed-off-by: An Xiao <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update README Signed-off-by: Xiao An <hac@zju.edu.cn> * remove comments Signed-off-by: Xiao An <hac@zju.edu.cn> * update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update dependency Signed-off-by: Xiao An <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update test Signed-off-by: Xiao An <hac@zju.edu.cn> * Add OWNERS Signed-off-by: Xiao An <hac@zju.edu.cn> * Refactor shouldBlock and skip useless check Signed-off-by: Xiao An <hac@zju.edu.cn> * Introduce ActionNone Signed-off-by: Xiao An <hac@zju.edu.cn> * Update label name Signed-off-by: Xiao An <hac@zju.edu.cn> * Avoid capitalizing private types Signed-off-by: Xiao An <hac@zju.edu.cn> 2019-09-04 23:43:45 +08:00			`{`
			`"Whitelist 1 IPv6",`
			`acl {
			`allow net 2001:db8:abcd:0012::0/64`
			`block`
			}`,
			`false,`
			`},`
plugin/acl: adding ability to drop queries (#5722) Both block and filter actions write responses to the client based upon the source IP address of the UDP packet containing the query. An attacker spoofing the source IP address to that of their target, can elicit a response to be sent to the victim host, known as DNS Reflection. If an attacker is able to elicit a large response from a relatively small query, with a spoofed source IP address, they are able to increase the amount of data sent to the victim, known as DNS Amplification. Scaling this from one to many queries allows an attacker to perform an effective Denial of Service (DoS) attack against their target. Adding the drop action enables CoreDNS to ignore queries of a given type or network range from being processed and a response written, where an operator knows ahead of time, should not originate or be destined to. Signed-off-by: rsclarke <hey@rsclarke.dev> Signed-off-by: rsclarke <hey@rsclarke.dev> 2022-11-01 17:16:55 +08:00			`{`
			`"Drop 1 IPv6",`
			`acl {
			`drop net 2001:db8:abcd:0012::0/64`
			}`,
			`false,`
			`},`
Add plugin ACL for source ip filtering (#3103) * Add plugin ACL for source ip filtering Signed-off-by: An Xiao <hac@zju.edu.cn> * Allow all arguments to be optional and support multiple qtypes in a single policy Signed-off-by: An Xiao <hac@zju.edu.cn> * Add newline before third party imports Signed-off-by: An Xiao <hac@zju.edu.cn> * Use camel instead of underscore in method name Signed-off-by: An Xiao <hac@zju.edu.cn> * Start with an upper case letter in t.Errorf() Signed-off-by: An Xiao <hac@zju.edu.cn> * Use the qtype parse logic in miekg/dns Signed-off-by: An Xiao <hac@zju.edu.cn> * Use third party trie implementation as the ip filter Signed-off-by: An Xiao <hac@zju.edu.cn> * Update based on rdrozhdzh's comment Signed-off-by: An Xiao <hac@zju.edu.cn> * Change the type of action to int Signed-off-by: An Xiao <hac@zju.edu.cn> * Add IPv6 support Signed-off-by: An Xiao <hac@zju.edu.cn> * Update plugin.cfg Signed-off-by: An Xiao <hac@zju.edu.cn> * Remove file functionality Signed-off-by: An Xiao <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update README Signed-off-by: Xiao An <hac@zju.edu.cn> * remove comments Signed-off-by: Xiao An <hac@zju.edu.cn> * update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update dependency Signed-off-by: Xiao An <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update test Signed-off-by: Xiao An <hac@zju.edu.cn> * Add OWNERS Signed-off-by: Xiao An <hac@zju.edu.cn> * Refactor shouldBlock and skip useless check Signed-off-by: Xiao An <hac@zju.edu.cn> * Introduce ActionNone Signed-off-by: Xiao An <hac@zju.edu.cn> * Update label name Signed-off-by: Xiao An <hac@zju.edu.cn> * Avoid capitalizing private types Signed-off-by: Xiao An <hac@zju.edu.cn> 2019-09-04 23:43:45 +08:00			`{`
			`"fine-grained 1 IPv6",`
			`acl a.example.org {
			`block net 2001:db8:abcd:0012::0/64`
			}`,
			`false,`
			`},`
			`{`
			`"fine-grained 2 IPv6",`
			`acl a.example.org {
			`block net 2001:db8:abcd:0012::0/64`
			`}`
			`acl b.example.org {`
			`block net 2001:db8:abcd:0013::0/64`
			}`,
			`false,`
			`},`
			`{`
			`"Multiple Networks 1 IPv6",`
			`acl example.org {
			`block net 2001:db8:abcd:0012::0/64 2001:db8:85a3::8a2e:370:7334/64`
			}`,
			`false,`
			`},`
			`{`
			`"Illegal argument 1 IPv6",`
			`acl {
			`block type A net 2001::85a3::8a2e:370:7334`
			}`,
			`true,`
			`},`
			`{`
			`"Illegal argument 2 IPv6",`
			`acl {
			`block type A net 2001:db8:85a3:::8a2e:370:7334`
			}`,
			`true,`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`ctr := caddy.NewTestController("dns", tt.config)`
			`if err := setup(ctr); (err != nil) != tt.wantErr {`
			`t.Errorf("Error: setup() error = %v, wantErr %v", err, tt.wantErr)`
			`}`
			`})`
			`}`
			`}`

			`func TestNormalize(t *testing.T) {`
			`type args struct {`
			`rawNet string`
			`}`
			`tests := []struct {`
			`name string`
			`args args`
			`want string`
			`}{`
			`{`
			`"Network range 1",`
			`args{"10.218.10.8/24"},`
			`"10.218.10.8/24",`
			`},`
			`{`
			`"IP address 1",`
			`args{"10.218.10.8"},`
			`"10.218.10.8/32",`
			`},`
			`{`
			`"IPv6 address 1",`
			`args{"2001:0db8:85a3:0000:0000:8a2e:0370:7334"},`
			`"2001:0db8:85a3:0000:0000:8a2e:0370:7334/128",`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`if got := normalize(tt.args.rawNet); got != tt.want {`
			`t.Errorf("Error: normalize() = %v, want %v", got, tt.want)`
			`}`
			`})`
			`}`
			`}`