(t *testing.T)
| 474 | } |
| 475 | |
| 476 | func TestEffectiveHost(t *testing.T) { |
| 477 | t.Parallel() |
| 478 | |
| 479 | cidr32 := func(t *testing.T, ip string) *net.IPNet { |
| 480 | t.Helper() |
| 481 | |
| 482 | return &net.IPNet{ |
| 483 | IP: net.ParseIP(ip), |
| 484 | Mask: net.CIDRMask(32, 32), |
| 485 | } |
| 486 | } |
| 487 | |
| 488 | t.Run("UntrustedPeerFallsBackToReceivedHost", func(t *testing.T) { |
| 489 | t.Parallel() |
| 490 | |
| 491 | r := httptest.NewRequest(http.MethodGet, "http://received.test", nil) |
| 492 | r.RemoteAddr = "17.18.19.20:1234" |
| 493 | r.Header.Set(httpapi.XForwardedHostHeader, "app.test.coder.com") |
| 494 | |
| 495 | require.Equal(t, "received.test", httpmw.EffectiveHost(nil, r)) |
| 496 | }) |
| 497 | |
| 498 | t.Run("TrustedPeerUsesOriginalRemoteAddrForTrust", func(t *testing.T) { |
| 499 | t.Parallel() |
| 500 | |
| 501 | config := &httpmw.RealIPConfig{ |
| 502 | TrustedOrigins: []*net.IPNet{cidr32(t, "17.18.19.20")}, |
| 503 | TrustedHeaders: []string{"X-Real-Ip"}, |
| 504 | } |
| 505 | |
| 506 | r := httptest.NewRequest(http.MethodGet, "http://received.test", nil) |
| 507 | r.RemoteAddr = "17.18.19.20:1234" |
| 508 | // X-Real-Ip causes ExtractRealIP to rewrite r.RemoteAddr, so |
| 509 | // this test can verify trust still uses OriginalRemoteAddr, |
| 510 | // the actual socket peer. |
| 511 | r.Header.Set("X-Real-Ip", "99.88.77.66") |
| 512 | r.Header.Set(httpapi.XForwardedHostHeader, "app.test.coder.com") |
| 513 | |
| 514 | middleware := httpmw.ExtractRealIP(config) |
| 515 | next := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { |
| 516 | require.Equal(t, "99.88.77.66", r.RemoteAddr) |
| 517 | require.Equal(t, "app.test.coder.com", httpmw.EffectiveHost(config, r)) |
| 518 | }) |
| 519 | |
| 520 | middleware(next).ServeHTTP(httptest.NewRecorder(), r) |
| 521 | }) |
| 522 | |
| 523 | t.Run("UntrustedPeerDoesNotHonorForwardedHost", func(t *testing.T) { |
| 524 | t.Parallel() |
| 525 | |
| 526 | config := &httpmw.RealIPConfig{ |
| 527 | TrustedOrigins: []*net.IPNet{cidr32(t, "99.88.77.66")}, |
| 528 | TrustedHeaders: []string{"X-Real-Ip"}, |
| 529 | } |
| 530 | |
| 531 | r := httptest.NewRequest(http.MethodGet, "http://received.test", nil) |
| 532 | r.RemoteAddr = "17.18.19.20:1234" |
| 533 | r.Header.Set("X-Real-Ip", "99.88.77.66") |
nothing calls this directly
no test coverage detected