1 // Copyright 2019 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include "sandboxed_api/sandbox2/network_proxy/filtering.h"
16 
17 #include <arpa/inet.h>
18 #include <netinet/in.h>
19 #include <sys/socket.h>
20 
21 #include <cstdint>
22 #include <cstring>
23 #include <string>
24 
25 #include "gmock/gmock.h"
26 #include "gtest/gtest.h"
27 #include "absl/log/check.h"
28 #include "sandboxed_api/util/status_matchers.h"
29 
30 namespace sandbox2 {
31 namespace {
32 
33 using ::sapi::IsOk;
34 using ::testing::IsFalse;
35 using ::testing::IsTrue;
36 
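// Builds an IPv6 socket address for `ip`:`port` to feed into
// AllowedHosts::IsHostAllowed().
//
// `ip` must be a valid IPv6 literal accepted by inet_pton(); the process
// aborts (CHECK) otherwise. `port` is given in host byte order and is narrowed
// to 16 bits before conversion to network byte order.
//
// The returned pointer refers to function-local static storage that is
// overwritten by the next call, so use the result before calling again.
static struct sockaddr* PrepareIpv6(const std::string& ip, uint32_t port = 80) {
  static struct sockaddr_in6 saddr {};
  memset(&saddr, 0, sizeof(saddr));

  saddr.sin6_family = AF_INET6;
  saddr.sin6_port = htons(static_cast<uint16_t>(port));

  // inet_pton() returns 1 only on success; 0 means the literal was not a
  // valid address and -1 means an unsupported family. The previous bound of
  // -1 accepted all three, so a malformed literal silently became the
  // all-zero address and a "denied" expectation could pass for the wrong
  // reason.
  const int rc = inet_pton(AF_INET6, ip.c_str(), &saddr.sin6_addr);
  CHECK_GE(rc, 1);

  return reinterpret_cast<struct sockaddr*>(&saddr);
}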
49 
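// Builds an IPv4 socket address for `ip`:`port` to feed into
// AllowedHosts::IsHostAllowed().
//
// `ip` must be a valid dotted-quad literal accepted by inet_pton(); the
// process aborts (CHECK) otherwise. `port` is given in host byte order and is
// narrowed to 16 bits before conversion to network byte order.
//
// The returned pointer refers to function-local static storage that is
// overwritten by the next call, so use the result before calling again.
static struct sockaddr* PrepareIpv4(const std::string& ip, uint32_t port = 80) {
  static struct sockaddr_in saddr {};
  memset(&saddr, 0, sizeof(saddr));

  saddr.sin_family = AF_INET;
  saddr.sin_port = htons(static_cast<uint16_t>(port));

  // inet_pton() returns 1 only on success; 0 means the literal was not a
  // valid address and -1 means an unsupported family. The previous bound of
  // -1 accepted all three, so a malformed literal silently became 0.0.0.0
  // and a "denied" expectation could pass for the wrong reason.
  const int rc = inet_pton(AF_INET, ip.c_str(), &saddr.sin_addr);
  CHECK_GE(rc, 1);

  return reinterpret_cast<struct sockaddr*>(&saddr);
}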
62 
// Exercises the network-proxy allowlist: registers exact-host, netmask and
// prefix-length rules (with and without a port), then probes addresses on
// both sides of every rule boundary. Lookups that omit a port use the
// helpers' default of 80.
TEST(FilteringTest, Basic) {
  sandbox2::AllowedHosts allowed_hosts;

  // Shorthand for "is this destination permitted?" for each address family.
  const auto v4 = [&allowed_hosts](const std::string& ip, uint32_t port = 80) {
    return allowed_hosts.IsHostAllowed(PrepareIpv4(ip, port));
  };
  const auto v6 = [&allowed_hosts](const std::string& ip, uint32_t port = 80) {
    return allowed_hosts.IsHostAllowed(PrepareIpv6(ip, port));
  };

  // --- Rule setup: IPv4 (single host, dotted netmask, CIDR prefix) ---
  EXPECT_THAT(allowed_hosts.AllowIPv4("127.0.0.1"), IsOk());
  EXPECT_THAT(allowed_hosts.AllowIPv4("127.0.0.2", 33), IsOk());
  EXPECT_THAT(allowed_hosts.AllowIPv4("120.120.120.120/255.255.255.0"), IsOk());
  EXPECT_THAT(allowed_hosts.AllowIPv4("130.130.130.130/255.255.252.0", 1000),
              IsOk());
  EXPECT_THAT(allowed_hosts.AllowIPv4("140.140.140.140/8"), IsOk());
  EXPECT_THAT(allowed_hosts.AllowIPv4("150.150.150.150/10", 123), IsOk());

  // --- Rule setup: IPv6 (single host, CIDR prefix) ---
  EXPECT_THAT(allowed_hosts.AllowIPv6("::2"), IsOk());
  EXPECT_THAT(allowed_hosts.AllowIPv6("::1", 80), IsOk());
  EXPECT_THAT(allowed_hosts.AllowIPv6("0:1234:0:0:0:0:0:0/32"), IsOk());
  EXPECT_THAT(allowed_hosts.AllowIPv6("0:5678:0:0:0:0:0:0/46", 70), IsOk());

  // --- IPv4 lookups ---
  // No rule covers this address at all.
  EXPECT_THAT(v4("130.0.0.3"), IsFalse());
  // Exact-host rules; 127.0.0.2 is only registered for port 33.
  EXPECT_THAT(v4("127.0.0.1"), IsTrue());
  EXPECT_THAT(v4("127.0.0.2"), IsFalse());
  EXPECT_THAT(v4("127.0.0.2", 33), IsTrue());
  // 255.255.255.0 mask: the last octet is free, the third octet is not.
  EXPECT_THAT(v4("120.120.120.255"), IsTrue());
  EXPECT_THAT(v4("120.120.121.120"), IsFalse());
  // 255.255.252.0 mask on port 1000: third octet 128 shares the masked bits
  // with 130, 132 does not; a matching address on another port is rejected.
  EXPECT_THAT(v4("130.130.128.130", 1000), IsTrue());
  EXPECT_THAT(v4("130.130.132.134", 1000), IsFalse());
  EXPECT_THAT(v4("130.130.128.130", 1001), IsFalse());
  // /8 prefix: only the first octet has to match.
  EXPECT_THAT(v4("140.0.140.140"), IsTrue());
  EXPECT_THAT(v4("141.140.140.140"), IsFalse());
  // /10 prefix on port 123: the top two bits of the second octet must match
  // those of 150 (182 does, 214 does not).
  EXPECT_THAT(v4("150.182.150.150", 123), IsTrue());
  EXPECT_THAT(v4("150.214.150.150", 123), IsFalse());

  // --- IPv6 lookups ---
  // Exact-host rules; ::1 is only registered for port 80.
  EXPECT_THAT(v6("::3"), IsFalse());
  EXPECT_THAT(v6("::2"), IsTrue());
  EXPECT_THAT(v6("::1"), IsTrue());
  EXPECT_THAT(v6("::1", 81), IsFalse());
  // /32 prefix: the first two groups must match, the third is free.
  EXPECT_THAT(v6("0:1234:ffff:0:0:0:0:0"), IsTrue());
  EXPECT_THAT(v6("0:1233:0000:0:0:0:0:0"), IsFalse());
  // /46 prefix on port 70: the top 14 bits of the third group are fixed, so
  // 0002 is inside the range, 0004 is outside, and a matching address on
  // another port is rejected.
  EXPECT_THAT(v6("0:5678:0002:0:0:0:0:0", 70), IsTrue());
  EXPECT_THAT(v6("0:5678:0004:0:0:0:0:0", 70), IsFalse());
  EXPECT_THAT(v6("0:5678:0000:0:0:0:0:0", 2222), IsFalse());
}
124 
125 }  // namespace
126 }  // namespace sandbox2