(t *testing.T)
| 490 | } |
| 491 | |
| 492 | func TestExtractIPFromRealIPHeader(t *testing.T) { |
| 493 | _, ipForRemoteAddrExternalRange, _ := net.ParseCIDR("203.0.113.199/24") |
| 494 | _, ipv6ForRemoteAddrExternalRange, _ := net.ParseCIDR("2001:db8::/64") |
| 495 | |
| 496 | var testCases = []struct { |
| 497 | whenRequest http.Request |
| 498 | name string |
| 499 | expectIP string |
| 500 | givenTrustOptions []TrustOption |
| 501 | }{ |
| 502 | { |
| 503 | name: "request has no headers, extracts IP from request remote addr", |
| 504 | whenRequest: http.Request{ |
| 505 | RemoteAddr: "203.0.113.1:8080", |
| 506 | }, |
| 507 | expectIP: "203.0.113.1", |
| 508 | }, |
| 509 | { |
| 510 | name: "request is from external IP has INVALID external X-Real-Ip header, extract IP from remote addr", |
| 511 | whenRequest: http.Request{ |
| 512 | Header: http.Header{ |
| 513 | HeaderXRealIP: []string{"xxx.yyy.zzz.ccc"}, // <-- this is invalid |
| 514 | }, |
| 515 | RemoteAddr: "203.0.113.1:8080", |
| 516 | }, |
| 517 | expectIP: "203.0.113.1", |
| 518 | }, |
| 519 | { |
| 520 | name: "request is from external IP has valid + UNTRUSTED external X-Real-Ip header, extract IP from remote addr", |
| 521 | whenRequest: http.Request{ |
| 522 | Header: http.Header{ |
| 523 | HeaderXRealIP: []string{"203.0.113.199"}, // <-- this is untrusted |
| 524 | }, |
| 525 | RemoteAddr: "203.0.113.1:8080", |
| 526 | }, |
| 527 | expectIP: "203.0.113.1", |
| 528 | }, |
| 529 | { |
| 530 | name: "request is from external IP has valid + UNTRUSTED external X-Real-Ip header, extract IP from remote addr", |
| 531 | whenRequest: http.Request{ |
| 532 | Header: http.Header{ |
| 533 | HeaderXRealIP: []string{"[2001:db8::113:199]"}, // <-- this is untrusted |
| 534 | }, |
| 535 | RemoteAddr: "[2001:db8::113:1]:8080", |
| 536 | }, |
| 537 | expectIP: "2001:db8::113:1", |
| 538 | }, |
| 539 | { |
| 540 | name: "request is from external IP has valid + TRUSTED X-Real-Ip header, extract IP from X-Real-Ip header", |
| 541 | givenTrustOptions: []TrustOption{ // case for "trust direct-facing proxy" |
| 542 | TrustIPRange(ipForRemoteAddrExternalRange), // we trust external IP range "203.0.113.199/24" |
| 543 | }, |
| 544 | whenRequest: http.Request{ |
| 545 | Header: http.Header{ |
| 546 | HeaderXRealIP: []string{"203.0.113.199"}, |
| 547 | }, |
| 548 | RemoteAddr: "203.0.113.1:8080", |
| 549 | }, |