feat: allow bypassing of basic auth from a list of authorized cidrs (#50)

2025-08-05 16:24:41 +02:00
parent 9d10a69b0d
commit a50f926463
7 changed files with 208 additions and 56 deletions
--- a/internal/cidr/match_test.go
+++ b/internal/cidr/match_test.go
@ -0,0 +1,77 @@
+package cidr
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/pkg/errors"
+)
+
+func TestMatchAny(t *testing.T) {
+	type testCase struct {
+		RemoteHostPort  string
+		AuthorizedCIDRs []string
+		ExpectedResult  bool
+		ExpectedError   error
+	}
+
+	testCases := []testCase{
+		{
+			RemoteHostPort: "192.168.1.15",
+			AuthorizedCIDRs: []string{
+				"192.168.1.0/24",
+			},
+			ExpectedResult: true,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.0/24",
+			},
+			ExpectedResult: true,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.5/32",
+			},
+			ExpectedResult: false,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.5/32",
+				"192.168.1.0/24",
+			},
+			ExpectedResult: true,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.5/32",
+				"192.168.1.6/32",
+				"192.168.1.7/32",
+			},
+			ExpectedResult: false,
+		},
+		{
+			RemoteHostPort:  "[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8001",
+			AuthorizedCIDRs: []string{"2000::/3"},
+			ExpectedResult:  true,
+		},
+	}
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
+			result, err := MatchAny(tc.RemoteHostPort, tc.AuthorizedCIDRs...)
+
+			if g, e := result, tc.ExpectedResult; e != g {
+				t.Errorf("result: expected '%v', got '%v'", e, g)
+			}
+
+			if e, g := tc.ExpectedError, err; !errors.Is(err, tc.ExpectedError) {
+				t.Errorf("err: expected '%v', got '%v'", e, g)
+			}
+		})
+	}
+}