188 lines
5.4 KiB
Go
188 lines
5.4 KiB
Go
package ratelimit
|
|
|
|
import (
|
|
"os"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/letsencrypt/boulder/config"
|
|
"github.com/letsencrypt/boulder/test"
|
|
)
|
|
|
|
func TestEnabled(t *testing.T) {
|
|
policy := RateLimitPolicy{
|
|
Threshold: 10,
|
|
}
|
|
if !policy.Enabled() {
|
|
t.Errorf("Policy should have been enabled.")
|
|
}
|
|
}
|
|
|
|
func TestNotEnabled(t *testing.T) {
|
|
policy := RateLimitPolicy{
|
|
Threshold: 0,
|
|
}
|
|
if policy.Enabled() {
|
|
t.Errorf("Policy should not have been enabled.")
|
|
}
|
|
}
|
|
|
|
func TestGetThreshold(t *testing.T) {
|
|
policy := RateLimitPolicy{
|
|
Threshold: 1,
|
|
Overrides: map[string]int64{
|
|
"key": 2,
|
|
"baz": 99,
|
|
},
|
|
RegistrationOverrides: map[int64]int64{
|
|
101: 3,
|
|
},
|
|
}
|
|
|
|
testCases := []struct {
|
|
Name string
|
|
Key string
|
|
RegID int64
|
|
Expected int64
|
|
}{
|
|
|
|
{
|
|
Name: "No key or reg overrides",
|
|
Key: "foo",
|
|
RegID: 11,
|
|
Expected: 1,
|
|
},
|
|
{
|
|
Name: "Key override, no reg override",
|
|
Key: "key",
|
|
RegID: 11,
|
|
Expected: 2,
|
|
},
|
|
{
|
|
Name: "No key override, reg override",
|
|
Key: "foo",
|
|
RegID: 101,
|
|
Expected: 3,
|
|
},
|
|
{
|
|
Name: "Key override, larger reg override",
|
|
Key: "foo",
|
|
RegID: 101,
|
|
Expected: 3,
|
|
},
|
|
{
|
|
Name: "Key override, smaller reg override",
|
|
Key: "baz",
|
|
RegID: 101,
|
|
Expected: 99,
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.Name, func(t *testing.T) {
|
|
threshold, _ := policy.GetThreshold(tc.Key, tc.RegID)
|
|
test.AssertEquals(t,
|
|
threshold,
|
|
tc.Expected)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestWindowBegin(t *testing.T) {
|
|
policy := RateLimitPolicy{
|
|
Window: config.Duration{Duration: 24 * time.Hour},
|
|
}
|
|
now := time.Date(2015, 9, 22, 0, 0, 0, 0, time.UTC)
|
|
expected := time.Date(2015, 9, 21, 0, 0, 0, 0, time.UTC)
|
|
actual := policy.WindowBegin(now)
|
|
if actual != expected {
|
|
t.Errorf("Incorrect WindowBegin: %s, expected %s", actual, expected)
|
|
}
|
|
}
|
|
|
|
func TestLoadPolicies(t *testing.T) {
|
|
policy := New()
|
|
|
|
policyContent, readErr := os.ReadFile("../test/rate-limit-policies.yml")
|
|
test.AssertNotError(t, readErr, "Failed to load rate-limit-policies.yml")
|
|
|
|
// Test that loading a good policy from YAML doesn't error
|
|
err := policy.LoadPolicies(policyContent)
|
|
test.AssertNotError(t, err, "Failed to parse rate-limit-policies.yml")
|
|
|
|
// Test that the CertificatesPerName section parsed correctly
|
|
certsPerName := policy.CertificatesPerName()
|
|
test.AssertEquals(t, certsPerName.Threshold, int64(2))
|
|
test.AssertDeepEquals(t, certsPerName.Overrides, map[string]int64{
|
|
"ratelimit.me": 1,
|
|
"lim.it": 0,
|
|
"le.wtf": 10000,
|
|
"le1.wtf": 10000,
|
|
"le2.wtf": 10000,
|
|
"le3.wtf": 10000,
|
|
"nginx.wtf": 10000,
|
|
"good-caa-reserved.com": 10000,
|
|
"bad-caa-reserved.com": 10000,
|
|
"ecdsa.le.wtf": 10000,
|
|
"must-staple.le.wtf": 10000,
|
|
})
|
|
test.AssertDeepEquals(t, certsPerName.RegistrationOverrides, map[int64]int64{
|
|
101: 1000,
|
|
})
|
|
|
|
// Test that the RegistrationsPerIP section parsed correctly
|
|
regsPerIP := policy.RegistrationsPerIP()
|
|
test.AssertEquals(t, regsPerIP.Threshold, int64(10000))
|
|
test.AssertDeepEquals(t, regsPerIP.Overrides, map[string]int64{
|
|
"127.0.0.1": 1000000,
|
|
})
|
|
test.AssertEquals(t, len(regsPerIP.RegistrationOverrides), 0)
|
|
|
|
// Test that the PendingAuthorizationsPerAccount section parsed correctly
|
|
pendingAuthsPerAcct := policy.PendingAuthorizationsPerAccount()
|
|
test.AssertEquals(t, pendingAuthsPerAcct.Threshold, int64(150))
|
|
test.AssertEquals(t, len(pendingAuthsPerAcct.Overrides), 0)
|
|
test.AssertEquals(t, len(pendingAuthsPerAcct.RegistrationOverrides), 0)
|
|
|
|
// Test that the CertificatesPerFQDN section parsed correctly
|
|
certsPerFQDN := policy.CertificatesPerFQDNSet()
|
|
test.AssertEquals(t, certsPerFQDN.Threshold, int64(6))
|
|
test.AssertDeepEquals(t, certsPerFQDN.Overrides, map[string]int64{
|
|
"le.wtf": 10000,
|
|
"le1.wtf": 10000,
|
|
"le2.wtf": 10000,
|
|
"le3.wtf": 10000,
|
|
"le.wtf,le1.wtf": 10000,
|
|
"good-caa-reserved.com": 10000,
|
|
"nginx.wtf": 10000,
|
|
"ecdsa.le.wtf": 10000,
|
|
"must-staple.le.wtf": 10000,
|
|
})
|
|
test.AssertEquals(t, len(certsPerFQDN.RegistrationOverrides), 0)
|
|
certsPerFQDNFast := policy.CertificatesPerFQDNSetFast()
|
|
test.AssertEquals(t, certsPerFQDNFast.Threshold, int64(2))
|
|
test.AssertDeepEquals(t, certsPerFQDNFast.Overrides, map[string]int64{
|
|
"le.wtf": 100,
|
|
})
|
|
test.AssertEquals(t, len(certsPerFQDNFast.RegistrationOverrides), 0)
|
|
|
|
// Test that loading invalid YAML generates an error
|
|
err = policy.LoadPolicies([]byte("err"))
|
|
test.AssertError(t, err, "Failed to generate error loading invalid yaml policy file")
|
|
// Re-check a field of policy to make sure a LoadPolicies error doesn't
|
|
// corrupt the existing policies
|
|
test.AssertDeepEquals(t, policy.RegistrationsPerIP().Overrides, map[string]int64{
|
|
"127.0.0.1": 1000000,
|
|
})
|
|
|
|
// Test that the RateLimitConfig accessors do not panic when there has been no
|
|
// `LoadPolicy` call, and instead return empty RateLimitPolicy objects with default
|
|
// values.
|
|
emptyPolicy := New()
|
|
test.AssertEquals(t, emptyPolicy.CertificatesPerName().Threshold, int64(0))
|
|
test.AssertEquals(t, emptyPolicy.RegistrationsPerIP().Threshold, int64(0))
|
|
test.AssertEquals(t, emptyPolicy.RegistrationsPerIP().Threshold, int64(0))
|
|
test.AssertEquals(t, emptyPolicy.PendingAuthorizationsPerAccount().Threshold, int64(0))
|
|
test.AssertEquals(t, emptyPolicy.CertificatesPerFQDNSet().Threshold, int64(0))
|
|
}
|