#!/bin/bash
# Test: print_config_masked - IP masking logic
. "$(dirname "$0")/../lib/setup.sh"
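# shunit2 one-time teardown hook: delete the mock root tree named by MOCK_ROOT.
# Globals: MOCK_ROOT (read) - presumably set by lib/setup.sh; confirm there.
oneTimeTearDown() {
  # Do nothing when MOCK_ROOT is unset or empty, so rm -rf is never handed an
  # empty operand. "--" stops a value that starts with "-" from being parsed
  # as rm options.
  if [ -n "${MOCK_ROOT:-}" ]; then
    rm -rf -- "$MOCK_ROOT"
  fi
}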
# Run one input line through the IP-masking awk pass and print the result.
# This is a hand copy of the second awk block in print_config_masked, kept here
# so the logic can be tested without writing files under /etc/config/. If the
# two copies drift apart, these tests keep passing against stale logic.
#
# What the pass does, as written below:
#   - lines of the form "option|list allowed_ips ..." are printed untouched;
#   - every run of four dot-separated groups of 1-3 digits is treated as an
#     IPv4 address (octet values are not range-checked, so version-like
#     strings match too);
#   - addresses in 10/8, 127/8, 192.168/16 and 172.16/12 are kept;
#   - any other address has each digit replaced by "*", which keeps the dots
#     and the number of digits per octet visible.
# IPv6 addresses do not match the pattern and pass through unchanged.
#
# Arguments: $1 - the config line to filter
# Outputs:   the filtered line on stdout
_mask_ips() {
  local input_line=$1
  printf '%s\n' "$input_line" | awk '
    # allowed_ips entries bypass this pass entirely.
    /^[ \t]*(option|list)[ \t]+allowed_ips[ \t]+/ { print; next }
    {
      rest = $0
      out = ""
      # Consume the line left to right, one dotted quad at a time.
      while (match(rest, /([0-9]{1,3}\.){3}[0-9]{1,3}/)) {
        addr = substr(rest, RSTART, RLENGTH)
        out = out substr(rest, 1, RSTART-1)
        rest = substr(rest, RSTART+RLENGTH)
        keep = ((addr ~ /^(10\.|127\.|192\.168\.)/) || (addr ~ /^172\.(1[6-9]|2[0-9]|3[01])\./))
        if (!keep)
          gsub(/[0-9]/, "*", addr)
        out = out addr
      }
      print out rest
    }
  '
}
# A routable address must come out with every digit replaced by "*".
testPublicIPIsMasked() {
  local expected=" option gateway '*.*.*.*'"
  local actual
  actual=$(_mask_ips " option gateway '1.2.3.4'")
  assertEquals "Public IP masked" "$expected" "$actual"
}
# 10.0.0.0/8 is private space and must be left readable.
testRFC1918_10_preserved() {
  local expected=" option gateway '10.0.0.1'"
  local actual
  actual=$(_mask_ips " option gateway '10.0.0.1'")
  assertEquals "10.x not masked" "$expected" "$actual"
}
# 192.168.0.0/16 is private space and must be left readable.
testRFC1918_192_168_preserved() {
  local expected=" option gateway '192.168.1.254'"
  local actual
  actual=$(_mask_ips " option gateway '192.168.1.254'")
  assertEquals "192.168.x not masked" "$expected" "$actual"
}
# Lower edge of 172.16.0.0/12: the first private second octet is 16.
testRFC1918_172_16_preserved() {
  local expected=" option gateway '172.16.0.1'"
  local actual
  actual=$(_mask_ips " option gateway '172.16.0.1'")
  assertEquals "172.16.x not masked" "$expected" "$actual"
}
# Upper edge of 172.16.0.0/12: the last private second octet is 31.
testRFC1918_172_31_preserved() {
  local expected=" option gateway '172.31.255.254'"
  local actual
  actual=$(_mask_ips " option gateway '172.31.255.254'")
  assertEquals "172.31.x not masked" "$expected" "$actual"
}
# 172.15.x sits just below 172.16.0.0/12, so it is public and must be masked.
# The mask keeps the digit count of each octet, hence "***.**.*.*".
testBorderBelow_172_16_masked() {
  local expected=" option gateway '***.**.*.*'"
  local actual
  actual=$(_mask_ips " option gateway '172.15.0.1'")
  assertEquals "172.15.x is not RFC1918 - masked" "$expected" "$actual"
}
# 172.32.x sits just above 172.16.0.0/12, so it is public and must be masked.
testBorderAbove_172_31_masked() {
  local expected=" option gateway '***.**.*.*'"
  local actual
  actual=$(_mask_ips " option gateway '172.32.0.1'")
  assertEquals "172.32.x is not RFC1918 - masked" "$expected" "$actual"
}
# Loopback (127.x) is kept readable alongside the private ranges.
testLoopbackPreserved() {
  local expected=" option dns '127.0.0.1'"
  local actual
  actual=$(_mask_ips " option dns '127.0.0.1'")
  assertEquals "127.x loopback not masked" "$expected" "$actual"
}
# allowed_ips lines are passed through by this awk pass, so even a public
# address stays visible here.
# NOTE(review): whether another pass in print_config_masked treats these lines
# is not visible from this file - confirm before relying on this output.
testAllowedIPsLineNotMasked() {
  local expected=" option allowed_ips '8.8.8.8/32'"
  local actual
  actual=$(_mask_ips " option allowed_ips '8.8.8.8/32'")
  assertEquals "allowed_ips line bypasses IP masking" "$expected" "$actual"
}
# Each address on a line is judged on its own: the private one survives and
# the public one next to it is masked.
testMixedLinePrivateAndPublic() {
  local expected=" option foo '192.168.1.1 *.*.*.*'"
  local actual
  actual=$(_mask_ips " option foo '192.168.1.1 8.8.8.8'")
  assertEquals "Private preserved, public masked on same line" "$expected" "$actual"
}
. shunit2