def test_manual_ip_blacklist(self):
"""Test manually blacklisting based on IP"""
validator = AddrValidator(
allow_ipv6=True,
ip_blacklist=(
ipaddress.ip_network("132.0.5.0/24"),
ipaddress.ip_network("152.0.0.0/8"),
ipaddress.ip_network("::1"),
),
)
self.assertFalse(validator.is_ip_allowed("132.0.5.1"))
self.assertFalse(validator.is_ip_allowed("152.254.90.1"))
self.assertTrue(validator.is_ip_allowed("178.254.90.1"))
self.assertFalse(validator.is_ip_allowed("::1"))
# Google, found via `dig google.com AAAA`
self.assertTrue(validator.is_ip_allowed("2607:f8b0:400a:807::200e"))
def test_ip_whitelist_blacklist_conflict(self):
"""Manual whitelist should take precedence over manual blacklist"""
validator = AddrValidator(
ip_whitelist=(ipaddress.ip_network("127.0.0.1"), ),
ip_blacklist=(ipaddress.ip_network("127.0.0.1"), ),
)
self.assertTrue(validator.is_ip_allowed("127.0.0.1"))
def test_safecurl_blacklist(self):
"""Test that we at least disallow everything SafeCurl does"""
# All IPs that SafeCurl would disallow
bad_netblocks = (ipaddress.ip_network(x)
for x in ('0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10',
'127.0.0.0/8', '169.254.0.0/16',
'172.16.0.0/12', '192.0.0.0/29',
'192.0.2.0/24', '192.88.99.0/24',
'192.168.0.0/16', '198.18.0.0/15',
'198.51.100.0/24', '203.0.113.0/24',
'224.0.0.0/4', '240.0.0.0/4'))
i = 0
validator = AddrValidator()
for bad_netblock in bad_netblocks:
num_ips = bad_netblock.num_addresses
# Don't test *every* IP in large netblocks
step_size = int(min(max(num_ips / 255, 1), 128))
for ip_idx in six.moves.range(0, num_ips, step_size):
i += 1
bad_ip = bad_netblock[ip_idx]
bad_ip_allowed = validator.is_ip_allowed(bad_ip)
if bad_ip_allowed:
print(i, bad_ip)
self.assertFalse(bad_ip_allowed)
def test_ip_whitelist(self):
"""Test manually whitelisting based on IP"""
validator = AddrValidator(
ip_whitelist=(ipaddress.ip_network("127.0.0.1"), ), )
self.assertTrue(validator.is_ip_allowed("127.0.0.1"))