+++ /dev/null
-// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
-// vim: ts=8 sw=2 smarttab
-/*
- * Ceph - scalable distributed file system
- *
- * Copyright (C) 2015 Red Hat
- *
- * This is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License version 2.1, as published by the Free Software
- * Foundation. See file COPYING.
- *
- */
-
-#include <string>
-
-#include <boost/intrusive_ptr.hpp>
-#include <boost/optional.hpp>
-
-#include <gtest/gtest.h>
-
-#include "common/code_environment.h"
-#include "common/ceph_context.h"
-#include "global/global_init.h"
-#include "rgw/rgw_auth.h"
-#include "rgw/rgw_iam_policy.h"
-
-
-using std::string;
-using std::vector;
-
-using boost::container::flat_set;
-using boost::intrusive_ptr;
-using boost::make_optional;
-using boost::none;
-using boost::optional;
-
-using rgw::auth::Identity;
-using rgw::auth::Principal;
-
-using rgw::IAM::ARN;
-using rgw::IAM::Effect;
-using rgw::IAM::Environment;
-using rgw::IAM::Partition;
-using rgw::IAM::Policy;
-using rgw::IAM::s3All;
-using rgw::IAM::s3Count;
-using rgw::IAM::s3GetAccelerateConfiguration;
-using rgw::IAM::s3GetBucketAcl;
-using rgw::IAM::s3GetBucketCORS;
-using rgw::IAM::s3GetBucketLocation;
-using rgw::IAM::s3GetBucketLogging;
-using rgw::IAM::s3GetBucketNotification;
-using rgw::IAM::s3GetBucketPolicy;
-using rgw::IAM::s3GetBucketRequestPayment;
-using rgw::IAM::s3GetBucketTagging;
-using rgw::IAM::s3GetBucketVersioning;
-using rgw::IAM::s3GetBucketWebsite;
-using rgw::IAM::s3GetLifecycleConfiguration;
-using rgw::IAM::s3GetObject;
-using rgw::IAM::s3GetObjectAcl;
-using rgw::IAM::s3GetObjectVersionAcl;
-using rgw::IAM::s3GetObjectTorrent;
-using rgw::IAM::s3GetObjectTagging;
-using rgw::IAM::s3GetObjectVersion;
-using rgw::IAM::s3GetObjectVersionTagging;
-using rgw::IAM::s3GetObjectVersionTorrent;
-using rgw::IAM::s3GetReplicationConfiguration;
-using rgw::IAM::s3ListAllMyBuckets;
-using rgw::IAM::s3ListBucket;
-using rgw::IAM::s3ListBucket;
-using rgw::IAM::s3ListBucketMultiPartUploads;
-using rgw::IAM::s3ListBucketVersions;
-using rgw::IAM::s3ListMultipartUploadParts;
-using rgw::IAM::s3None;
-using rgw::IAM::s3PutBucketAcl;
-using rgw::IAM::s3PutBucketPolicy;
-using rgw::IAM::Service;
-using rgw::IAM::TokenID;
-using rgw::IAM::Version;
-
-class FakeIdentity : public Identity {
- const Principal id;
-public:
-
- FakeIdentity(Principal&& id) : id(std::move(id)) {}
- uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override {
- abort();
- return 0;
- };
-
- bool is_admin_of(const rgw_user& uid) const override {
- abort();
- return false;
- }
-
- bool is_owner_of(const rgw_user& uid) const override {
- abort();
- return false;
- }
-
- virtual uint32_t get_perm_mask() const override {
- abort();
- return 0;
- }
-
- void to_str(std::ostream& out) const override {
- abort();
- }
-
- bool is_identity(const flat_set<Principal>& ids) const override {
- return ids.find(id) != ids.end();
- }
-};
-
-class PolicyTest : public ::testing::Test {
-protected:
- intrusive_ptr<CephContext> cct;
- static const string arbitrary_tenant;
- static string example1;
- static string example2;
- static string example3;
-public:
- PolicyTest() {
- cct = new CephContext(CEPH_ENTITY_TYPE_CLIENT);
- }
-};
-
-TEST_F(PolicyTest, Parse1) {
- optional<Policy> p;
-
- ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example1)));
- ASSERT_TRUE(p);
-
- EXPECT_EQ(p->text, example1);
- EXPECT_EQ(p->version, Version::v2012_10_17);
- EXPECT_FALSE(p->id);
- EXPECT_FALSE(p->statements[0].sid);
- EXPECT_FALSE(p->statements.empty());
- EXPECT_EQ(p->statements.size(), 1U);
- EXPECT_TRUE(p->statements[0].princ.empty());
- EXPECT_TRUE(p->statements[0].noprinc.empty());
- EXPECT_EQ(p->statements[0].effect, Effect::Allow);
- EXPECT_EQ(p->statements[0].action, s3ListBucket);
- EXPECT_EQ(p->statements[0].notaction, s3None);
- ASSERT_FALSE(p->statements[0].resource.empty());
- ASSERT_EQ(p->statements[0].resource.size(), 1U);
- EXPECT_EQ(p->statements[0].resource.begin()->partition, Partition::aws);
- EXPECT_EQ(p->statements[0].resource.begin()->service, Service::s3);
- EXPECT_TRUE(p->statements[0].resource.begin()->region.empty());
- EXPECT_EQ(p->statements[0].resource.begin()->account, arbitrary_tenant);
- EXPECT_EQ(p->statements[0].resource.begin()->resource, "example_bucket");
- EXPECT_TRUE(p->statements[0].notresource.empty());
- EXPECT_TRUE(p->statements[0].conditions.empty());
-}
-
-TEST_F(PolicyTest, Eval1) {
- auto p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example1));
- Environment e;
-
- EXPECT_EQ(p.eval(e, none, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
- Effect::Allow);
-
- EXPECT_EQ(p.eval(e, none, s3PutBucketAcl,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
- Effect::Pass);
-
- EXPECT_EQ(p.eval(e, none, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "erroneous_bucket")),
- Effect::Pass);
-
-}
-
-TEST_F(PolicyTest, Parse2) {
- optional<Policy> p;
-
- ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example2)));
- ASSERT_TRUE(p);
-
- EXPECT_EQ(p->text, example2);
- EXPECT_EQ(p->version, Version::v2012_10_17);
- EXPECT_EQ(*p->id, "S3-Account-Permissions");
- ASSERT_FALSE(p->statements.empty());
- EXPECT_EQ(p->statements.size(), 1U);
- EXPECT_EQ(*p->statements[0].sid, "1");
- EXPECT_FALSE(p->statements[0].princ.empty());
- EXPECT_EQ(p->statements[0].princ.size(), 1U);
- EXPECT_EQ(*p->statements[0].princ.begin(),
- Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
- EXPECT_TRUE(p->statements[0].noprinc.empty());
- EXPECT_EQ(p->statements[0].effect, Effect::Allow);
- EXPECT_EQ(p->statements[0].action, s3All);
- EXPECT_EQ(p->statements[0].notaction, s3None);
- ASSERT_FALSE(p->statements[0].resource.empty());
- ASSERT_EQ(p->statements[0].resource.size(), 2U);
- EXPECT_EQ(p->statements[0].resource.begin()->partition, Partition::aws);
- EXPECT_EQ(p->statements[0].resource.begin()->service, Service::s3);
- EXPECT_TRUE(p->statements[0].resource.begin()->region.empty());
- EXPECT_EQ(p->statements[0].resource.begin()->account, arbitrary_tenant);
- EXPECT_EQ(p->statements[0].resource.begin()->resource, "mybucket");
- EXPECT_EQ((p->statements[0].resource.begin() + 1)->partition,
- Partition::aws);
- EXPECT_EQ((p->statements[0].resource.begin() + 1)->service,
- Service::s3);
- EXPECT_TRUE((p->statements[0].resource.begin() + 1)->region.empty());
- EXPECT_EQ((p->statements[0].resource.begin() + 1)->account,
- arbitrary_tenant);
- EXPECT_EQ((p->statements[0].resource.begin() + 1)->resource, "mybucket/*");
- EXPECT_TRUE(p->statements[0].notresource.empty());
- EXPECT_TRUE(p->statements[0].conditions.empty());
-}
-
-TEST_F(PolicyTest, Eval2) {
- auto p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example2));
- Environment e;
-
- auto trueacct = FakeIdentity(
- Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
-
- auto notacct = FakeIdentity(
- Principal::tenant("some-other-account"));
- for (auto i = 0ULL; i < s3Count; ++i) {
- EXPECT_EQ(p.eval(e, trueacct, 1ULL << i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket")),
- Effect::Allow);
- EXPECT_EQ(p.eval(e, trueacct, 1ULL << i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket/myobject")),
- Effect::Allow);
-
- EXPECT_EQ(p.eval(e, notacct, 1ULL << i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket")),
- Effect::Pass);
- EXPECT_EQ(p.eval(e, notacct, 1ULL << i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket/myobject")),
- Effect::Pass);
-
- EXPECT_EQ(p.eval(e, trueacct, 1ULL << i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "notyourbucket")),
- Effect::Pass);
- EXPECT_EQ(p.eval(e, trueacct, 1ULL << i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "notyourbucket/notyourobject")),
- Effect::Pass);
-
- }
-}
-
-TEST_F(PolicyTest, Parse3) {
- optional<Policy> p;
-
- ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example3)));
- ASSERT_TRUE(p);
-
- EXPECT_EQ(p->text, example3);
- EXPECT_EQ(p->version, Version::v2012_10_17);
- EXPECT_FALSE(p->id);
- ASSERT_FALSE(p->statements.empty());
- EXPECT_EQ(p->statements.size(), 3U);
-
- EXPECT_EQ(*p->statements[0].sid, "FirstStatement");
- EXPECT_TRUE(p->statements[0].princ.empty());
- EXPECT_TRUE(p->statements[0].noprinc.empty());
- EXPECT_EQ(p->statements[0].effect, Effect::Allow);
- EXPECT_EQ(p->statements[0].action, s3PutBucketPolicy);
- EXPECT_EQ(p->statements[0].notaction, s3None);
- ASSERT_FALSE(p->statements[0].resource.empty());
- ASSERT_EQ(p->statements[0].resource.size(), 1U);
- EXPECT_EQ(p->statements[0].resource.begin()->partition, Partition::wildcard);
- EXPECT_EQ(p->statements[0].resource.begin()->service, Service::wildcard);
- EXPECT_EQ(p->statements[0].resource.begin()->region, "*");
- EXPECT_EQ(p->statements[0].resource.begin()->account, arbitrary_tenant);
- EXPECT_EQ(p->statements[0].resource.begin()->resource, "*");
- EXPECT_TRUE(p->statements[0].notresource.empty());
- EXPECT_TRUE(p->statements[0].conditions.empty());
-
- EXPECT_EQ(*p->statements[1].sid, "SecondStatement");
- EXPECT_TRUE(p->statements[1].princ.empty());
- EXPECT_TRUE(p->statements[1].noprinc.empty());
- EXPECT_EQ(p->statements[1].effect, Effect::Allow);
- EXPECT_EQ(p->statements[1].action, s3ListAllMyBuckets);
- EXPECT_EQ(p->statements[1].notaction, s3None);
- ASSERT_FALSE(p->statements[1].resource.empty());
- ASSERT_EQ(p->statements[1].resource.size(), 1U);
- EXPECT_EQ(p->statements[1].resource.begin()->partition, Partition::wildcard);
- EXPECT_EQ(p->statements[1].resource.begin()->service, Service::wildcard);
- EXPECT_EQ(p->statements[1].resource.begin()->region, "*");
- EXPECT_EQ(p->statements[1].resource.begin()->account, arbitrary_tenant);
- EXPECT_EQ(p->statements[1].resource.begin()->resource, "*");
- EXPECT_TRUE(p->statements[1].notresource.empty());
- EXPECT_TRUE(p->statements[1].conditions.empty());
-
- EXPECT_EQ(*p->statements[2].sid, "ThirdStatement");
- EXPECT_TRUE(p->statements[2].princ.empty());
- EXPECT_TRUE(p->statements[2].noprinc.empty());
- EXPECT_EQ(p->statements[2].effect, Effect::Allow);
- EXPECT_EQ(p->statements[2].action, (s3ListMultipartUploadParts |
- s3ListBucket | s3ListBucketVersions |
- s3ListAllMyBuckets |
- s3ListBucketMultiPartUploads |
- s3GetObject | s3GetObjectVersion |
- s3GetObjectAcl | s3GetObjectVersionAcl |
- s3GetObjectTorrent |
- s3GetObjectVersionTorrent |
- s3GetAccelerateConfiguration |
- s3GetBucketAcl | s3GetBucketCORS |
- s3GetBucketVersioning |
- s3GetBucketRequestPayment |
- s3GetBucketLocation |
- s3GetBucketPolicy |
- s3GetBucketNotification |
- s3GetBucketLogging |
- s3GetBucketTagging |
- s3GetBucketWebsite |
- s3GetLifecycleConfiguration |
- s3GetReplicationConfiguration |
- s3GetObjectTagging |
- s3GetObjectVersionTagging));
- EXPECT_EQ(p->statements[2].notaction, s3None);
- ASSERT_FALSE(p->statements[2].resource.empty());
- ASSERT_EQ(p->statements[2].resource.size(), 2U);
- EXPECT_EQ(p->statements[2].resource.begin()->partition, Partition::aws);
- EXPECT_EQ(p->statements[2].resource.begin()->service, Service::s3);
- EXPECT_TRUE(p->statements[2].resource.begin()->region.empty());
- EXPECT_EQ(p->statements[2].resource.begin()->account, arbitrary_tenant);
- EXPECT_EQ(p->statements[2].resource.begin()->resource, "confidential-data");
- EXPECT_EQ((p->statements[2].resource.begin() + 1)->partition,
- Partition::aws);
- EXPECT_EQ((p->statements[2].resource.begin() + 1)->service, Service::s3);
- EXPECT_TRUE((p->statements[2].resource.begin() + 1)->region.empty());
- EXPECT_EQ((p->statements[2].resource.begin() + 1)->account,
- arbitrary_tenant);
- EXPECT_EQ((p->statements[2].resource.begin() + 1)->resource,
- "confidential-data/*");
- EXPECT_TRUE(p->statements[2].notresource.empty());
- ASSERT_FALSE(p->statements[2].conditions.empty());
- ASSERT_EQ(p->statements[2].conditions.size(), 1U);
- EXPECT_EQ(p->statements[2].conditions[0].op, TokenID::Bool);
- EXPECT_EQ(p->statements[2].conditions[0].key, "aws:MultiFactorAuthPresent");
- EXPECT_FALSE(p->statements[2].conditions[0].ifexists);
- ASSERT_FALSE(p->statements[2].conditions[0].vals.empty());
- EXPECT_EQ(p->statements[2].conditions[0].vals.size(), 1U);
- EXPECT_EQ(p->statements[2].conditions[0].vals[0], "true");
-}
-
-TEST_F(PolicyTest, Eval3) {
- auto p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example3));
- Environment em;
- Environment tr = { { "aws:MultiFactorAuthPresent", "true" } };
- Environment fa = { { "aws:MultiFactorAuthPresent", "false" } };
-
- auto s3allow = (s3ListMultipartUploadParts | s3ListBucket |
- s3ListBucketVersions | s3ListAllMyBuckets |
- s3ListBucketMultiPartUploads | s3GetObject |
- s3GetObjectVersion | s3GetObjectAcl | s3GetObjectVersionAcl |
- s3GetObjectTorrent | s3GetObjectVersionTorrent |
- s3GetAccelerateConfiguration | s3GetBucketAcl |
- s3GetBucketCORS | s3GetBucketVersioning |
- s3GetBucketRequestPayment | s3GetBucketLocation |
- s3GetBucketPolicy | s3GetBucketNotification |
- s3GetBucketLogging | s3GetBucketTagging |
- s3GetBucketWebsite | s3GetLifecycleConfiguration |
- s3GetReplicationConfiguration |
- s3GetObjectTagging | s3GetObjectVersionTagging);
-
- EXPECT_EQ(p.eval(em, none, s3PutBucketPolicy,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket")),
- Effect::Allow);
-
- EXPECT_EQ(p.eval(em, none, s3PutBucketPolicy,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket")),
- Effect::Allow);
-
-
- for (auto i = 0ULL; i < s3Count; ++i) {
- auto op = 1ULL << i;
- if ((op == s3ListAllMyBuckets) || (op == s3PutBucketPolicy)) {
- continue;
- }
-
- EXPECT_EQ(p.eval(em, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data")),
- Effect::Pass);
- EXPECT_EQ(p.eval(tr, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data")),
- op & s3allow ? Effect::Allow : Effect::Pass);
- EXPECT_EQ(p.eval(fa, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data")),
- Effect::Pass);
-
- EXPECT_EQ(p.eval(em, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data/moo")),
- Effect::Pass);
- EXPECT_EQ(p.eval(tr, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data/moo")),
- op & s3allow ? Effect::Allow : Effect::Pass);
- EXPECT_EQ(p.eval(fa, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data/moo")),
- Effect::Pass);
-
- EXPECT_EQ(p.eval(em, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "really-confidential-data")),
- Effect::Pass);
- EXPECT_EQ(p.eval(tr, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "really-confidential-data")),
- Effect::Pass);
- EXPECT_EQ(p.eval(fa, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "really-confidential-data")),
- Effect::Pass);
-
- EXPECT_EQ(p.eval(em, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant,
- "really-confidential-data/moo")), Effect::Pass);
- EXPECT_EQ(p.eval(tr, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant,
- "really-confidential-data/moo")), Effect::Pass);
- EXPECT_EQ(p.eval(fa, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant,
- "really-confidential-data/moo")), Effect::Pass);
-
- }
-}
-
-const string PolicyTest::arbitrary_tenant = "arbitrary_tenant";
-string PolicyTest::example1 = R"(
-{
- "Version": "2012-10-17",
- "Statement": {
- "Effect": "Allow",
- "Action": "s3:ListBucket",
- "Resource": "arn:aws:s3:::example_bucket"
- }
-}
-)";
-
-string PolicyTest::example2 = R"(
-{
- "Version": "2012-10-17",
- "Id": "S3-Account-Permissions",
- "Statement": [{
- "Sid": "1",
- "Effect": "Allow",
- "Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},
- "Action": "s3:*",
- "Resource": [
- "arn:aws:s3:::mybucket",
- "arn:aws:s3:::mybucket/*"
- ]
- }]
-}
-)";
-
-string PolicyTest::example3 = R"(
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "FirstStatement",
- "Effect": "Allow",
- "Action": ["s3:PutBucketPolicy"],
- "Resource": "*"
- },
- {
- "Sid": "SecondStatement",
- "Effect": "Allow",
- "Action": "s3:ListAllMyBuckets",
- "Resource": "*"
- },
- {
- "Sid": "ThirdStatement",
- "Effect": "Allow",
- "Action": [
- "s3:List*",
- "s3:Get*"
- ],
- "Resource": [
- "arn:aws:s3:::confidential-data",
- "arn:aws:s3:::confidential-data/*"
- ],
- "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
- }
- ]
-}
-)";
-
-TEST(MatchWildcards, Simple)
-{
- EXPECT_TRUE(match_wildcards("", ""));
- EXPECT_TRUE(match_wildcards("", "", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("", "abc"));
- EXPECT_FALSE(match_wildcards("", "abc", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("abc", ""));
- EXPECT_FALSE(match_wildcards("abc", "", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("abc", "abc"));
- EXPECT_TRUE(match_wildcards("abc", "abc", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("abc", "abC"));
- EXPECT_TRUE(match_wildcards("abc", "abC", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("abC", "abc"));
- EXPECT_TRUE(match_wildcards("abC", "abc", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("abc", "abcd"));
- EXPECT_FALSE(match_wildcards("abc", "abcd", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("abcd", "abc"));
- EXPECT_FALSE(match_wildcards("abcd", "abc", MATCH_CASE_INSENSITIVE));
-}
-
-TEST(MatchWildcards, QuestionMark)
-{
- EXPECT_FALSE(match_wildcards("?", ""));
- EXPECT_FALSE(match_wildcards("?", "", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("?", "a"));
- EXPECT_TRUE(match_wildcards("?", "a", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("?bc", "abc"));
- EXPECT_TRUE(match_wildcards("?bc", "abc", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("a?c", "abc"));
- EXPECT_TRUE(match_wildcards("a?c", "abc", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("abc", "a?c"));
- EXPECT_FALSE(match_wildcards("abc", "a?c", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("a?c", "abC"));
- EXPECT_TRUE(match_wildcards("a?c", "abC", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("ab?", "abc"));
- EXPECT_TRUE(match_wildcards("ab?", "abc", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("a?c?e", "abcde"));
- EXPECT_TRUE(match_wildcards("a?c?e", "abcde", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("???", "abc"));
- EXPECT_TRUE(match_wildcards("???", "abc", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("???", "abcd"));
- EXPECT_FALSE(match_wildcards("???", "abcd", MATCH_CASE_INSENSITIVE));
-}
-
-TEST(MatchWildcards, Asterisk)
-{
- EXPECT_TRUE(match_wildcards("*", ""));
- EXPECT_TRUE(match_wildcards("*", "", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("", "*"));
- EXPECT_FALSE(match_wildcards("", "*", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("*a", ""));
- EXPECT_FALSE(match_wildcards("*a", "", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("*a", "a"));
- EXPECT_TRUE(match_wildcards("*a", "a", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("a*", "a"));
- EXPECT_TRUE(match_wildcards("a*", "a", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("a*c", "ac"));
- EXPECT_TRUE(match_wildcards("a*c", "ac", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("a*c", "abbc"));
- EXPECT_TRUE(match_wildcards("a*c", "abbc", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("a*c", "abbC"));
- EXPECT_TRUE(match_wildcards("a*c", "abbC", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("a*c*e", "abBce"));
- EXPECT_TRUE(match_wildcards("a*c*e", "abBce", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("http://*.example.com",
- "http://www.example.com"));
- EXPECT_TRUE(match_wildcards("http://*.example.com",
- "http://www.example.com", MATCH_CASE_INSENSITIVE));
- EXPECT_FALSE(match_wildcards("http://*.example.com",
- "http://www.Example.com"));
- EXPECT_TRUE(match_wildcards("http://*.example.com",
- "http://www.Example.com", MATCH_CASE_INSENSITIVE));
- EXPECT_TRUE(match_wildcards("http://example.com/*",
- "http://example.com/index.html"));
- EXPECT_TRUE(match_wildcards("http://example.com/*/*.jpg",
- "http://example.com/fun/smiley.jpg"));
- // note: parsing of * is not greedy, so * does not match 'bc' here
- EXPECT_FALSE(match_wildcards("a*c", "abcc"));
- EXPECT_FALSE(match_wildcards("a*c", "abcc", MATCH_CASE_INSENSITIVE));
-}
-
-TEST(MatchPolicy, Action)
-{
- constexpr auto flag = MATCH_POLICY_ACTION;
- EXPECT_TRUE(match_policy("a:b:c", "a:b:c", flag));
- EXPECT_TRUE(match_policy("a:b:c", "A:B:C", flag)); // case insensitive
- EXPECT_TRUE(match_policy("a:*:e", "a:bcd:e", flag));
- EXPECT_FALSE(match_policy("a:*", "a:b:c", flag)); // cannot span segments
-}
-
-TEST(MatchPolicy, Resource)
-{
- constexpr auto flag = MATCH_POLICY_RESOURCE;
- EXPECT_TRUE(match_policy("a:b:c", "a:b:c", flag));
- EXPECT_FALSE(match_policy("a:b:c", "A:B:C", flag)); // case sensitive
- EXPECT_TRUE(match_policy("a:*:e", "a:bcd:e", flag));
- EXPECT_FALSE(match_policy("a:*", "a:b:c", flag)); // cannot span segments
-}
-
-TEST(MatchPolicy, ARN)
-{
- constexpr auto flag = MATCH_POLICY_ARN;
- EXPECT_TRUE(match_policy("a:b:c", "a:b:c", flag));
- EXPECT_TRUE(match_policy("a:b:c", "A:B:C", flag)); // case insensitive
- EXPECT_TRUE(match_policy("a:*:e", "a:bcd:e", flag));
- EXPECT_FALSE(match_policy("a:*", "a:b:c", flag)); // cannot span segments
-}
-
-TEST(MatchPolicy, String)
-{
- constexpr auto flag = MATCH_POLICY_STRING;
- EXPECT_TRUE(match_policy("a:b:c", "a:b:c", flag));
- EXPECT_FALSE(match_policy("a:b:c", "A:B:C", flag)); // case sensitive
- EXPECT_TRUE(match_policy("a:*:e", "a:bcd:e", flag));
- EXPECT_FALSE(match_policy("a:*", "a:b:c", flag)); // cannot span segments
-}