...

Source file src/github.com/letsencrypt/boulder/ratelimit/rate-limits_test.go

Documentation: github.com/letsencrypt/boulder/ratelimit 

     1  package ratelimit
     2  
     3  import (
     4  	"os"
     5  	"testing"
     6  	"time"
     7  
     8  	"github.com/letsencrypt/boulder/config"
     9  	"github.com/letsencrypt/boulder/test"
    10  )
    11  
    12  func TestEnabled(t *testing.T) {
    13  	policy := RateLimitPolicy{
    14  		Threshold: 10,
    15  	}
    16  	if !policy.Enabled() {
    17  		t.Errorf("Policy should have been enabled.")
    18  	}
    19  }
    20  
    21  func TestNotEnabled(t *testing.T) {
    22  	policy := RateLimitPolicy{
    23  		Threshold: 0,
    24  	}
    25  	if policy.Enabled() {
    26  		t.Errorf("Policy should not have been enabled.")
    27  	}
    28  }
    29  
    30  func TestGetThreshold(t *testing.T) {
    31  	policy := RateLimitPolicy{
    32  		Threshold: 1,
    33  		Overrides: map[string]int64{
    34  			"key": 2,
    35  			"baz": 99,
    36  		},
    37  		RegistrationOverrides: map[int64]int64{
    38  			101: 3,
    39  		},
    40  	}
    41  
    42  	testCases := []struct {
    43  		Name     string
    44  		Key      string
    45  		RegID    int64
    46  		Expected int64
    47  	}{
    48  
    49  		{
    50  			Name:     "No key or reg overrides",
    51  			Key:      "foo",
    52  			RegID:    11,
    53  			Expected: 1,
    54  		},
    55  		{
    56  			Name:     "Key override, no reg override",
    57  			Key:      "key",
    58  			RegID:    11,
    59  			Expected: 2,
    60  		},
    61  		{
    62  			Name:     "No key override, reg override",
    63  			Key:      "foo",
    64  			RegID:    101,
    65  			Expected: 3,
    66  		},
    67  		{
    68  			Name:     "Key override, larger reg override",
    69  			Key:      "foo",
    70  			RegID:    101,
    71  			Expected: 3,
    72  		},
    73  		{
    74  			Name:     "Key override, smaller reg override",
    75  			Key:      "baz",
    76  			RegID:    101,
    77  			Expected: 99,
    78  		},
    79  	}
    80  
    81  	for _, tc := range testCases {
    82  		t.Run(tc.Name, func(t *testing.T) {
    83  			threshold, _ := policy.GetThreshold(tc.Key, tc.RegID)
    84  			test.AssertEquals(t,
    85  				threshold,
    86  				tc.Expected)
    87  		})
    88  	}
    89  }
    90  
    91  func TestWindowBegin(t *testing.T) {
    92  	policy := RateLimitPolicy{
    93  		Window: config.Duration{Duration: 24 * time.Hour},
    94  	}
    95  	now := time.Date(2015, 9, 22, 0, 0, 0, 0, time.UTC)
    96  	expected := time.Date(2015, 9, 21, 0, 0, 0, 0, time.UTC)
    97  	actual := policy.WindowBegin(now)
    98  	if actual != expected {
    99  		t.Errorf("Incorrect WindowBegin: %s, expected %s", actual, expected)
   100  	}
   101  }
   102  
   103  func TestLoadPolicies(t *testing.T) {
   104  	policy := New()
   105  
   106  	policyContent, readErr := os.ReadFile("../test/rate-limit-policies.yml")
   107  	test.AssertNotError(t, readErr, "Failed to load rate-limit-policies.yml")
   108  
   109  	// Test that loading a good policy from YAML doesn't error
   110  	err := policy.LoadPolicies(policyContent)
   111  	test.AssertNotError(t, err, "Failed to parse rate-limit-policies.yml")
   112  
   113  	// Test that the CertificatesPerName section parsed correctly
   114  	certsPerName := policy.CertificatesPerName()
   115  	test.AssertEquals(t, certsPerName.Threshold, int64(2))
   116  	test.AssertDeepEquals(t, certsPerName.Overrides, map[string]int64{
   117  		"ratelimit.me":          1,
   118  		"lim.it":                0,
   119  		"le.wtf":                10000,
   120  		"le1.wtf":               10000,
   121  		"le2.wtf":               10000,
   122  		"le3.wtf":               10000,
   123  		"nginx.wtf":             10000,
   124  		"good-caa-reserved.com": 10000,
   125  		"bad-caa-reserved.com":  10000,
   126  		"ecdsa.le.wtf":          10000,
   127  		"must-staple.le.wtf":    10000,
   128  	})
   129  	test.AssertDeepEquals(t, certsPerName.RegistrationOverrides, map[int64]int64{
   130  		101: 1000,
   131  	})
   132  
   133  	// Test that the RegistrationsPerIP section parsed correctly
   134  	regsPerIP := policy.RegistrationsPerIP()
   135  	test.AssertEquals(t, regsPerIP.Threshold, int64(10000))
   136  	test.AssertDeepEquals(t, regsPerIP.Overrides, map[string]int64{
   137  		"127.0.0.1": 1000000,
   138  	})
   139  	test.AssertEquals(t, len(regsPerIP.RegistrationOverrides), 0)
   140  
   141  	// Test that the PendingAuthorizationsPerAccount section parsed correctly
   142  	pendingAuthsPerAcct := policy.PendingAuthorizationsPerAccount()
   143  	test.AssertEquals(t, pendingAuthsPerAcct.Threshold, int64(150))
   144  	test.AssertEquals(t, len(pendingAuthsPerAcct.Overrides), 0)
   145  	test.AssertEquals(t, len(pendingAuthsPerAcct.RegistrationOverrides), 0)
   146  
   147  	// Test that the CertificatesPerFQDN section parsed correctly
   148  	certsPerFQDN := policy.CertificatesPerFQDNSet()
   149  	test.AssertEquals(t, certsPerFQDN.Threshold, int64(6))
   150  	test.AssertDeepEquals(t, certsPerFQDN.Overrides, map[string]int64{
   151  		"le.wtf":                10000,
   152  		"le1.wtf":               10000,
   153  		"le2.wtf":               10000,
   154  		"le3.wtf":               10000,
   155  		"le.wtf,le1.wtf":        10000,
   156  		"good-caa-reserved.com": 10000,
   157  		"nginx.wtf":             10000,
   158  		"ecdsa.le.wtf":          10000,
   159  		"must-staple.le.wtf":    10000,
   160  	})
   161  	test.AssertEquals(t, len(certsPerFQDN.RegistrationOverrides), 0)
   162  	certsPerFQDNFast := policy.CertificatesPerFQDNSetFast()
   163  	test.AssertEquals(t, certsPerFQDNFast.Threshold, int64(2))
   164  	test.AssertDeepEquals(t, certsPerFQDNFast.Overrides, map[string]int64{
   165  		"le.wtf": 100,
   166  	})
   167  	test.AssertEquals(t, len(certsPerFQDNFast.RegistrationOverrides), 0)
   168  
   169  	// Test that loading invalid YAML generates an error
   170  	err = policy.LoadPolicies([]byte("err"))
   171  	test.AssertError(t, err, "Failed to generate error loading invalid yaml policy file")
   172  	// Re-check a field of policy to make sure a LoadPolicies error doesn't
   173  	// corrupt the existing policies
   174  	test.AssertDeepEquals(t, policy.RegistrationsPerIP().Overrides, map[string]int64{
   175  		"127.0.0.1": 1000000,
   176  	})
   177  
   178  	// Test that the RateLimitConfig accessors do not panic when there has been no
   179  	// `LoadPolicy` call, and instead return empty RateLimitPolicy objects with default
   180  	// values.
   181  	emptyPolicy := New()
   182  	test.AssertEquals(t, emptyPolicy.CertificatesPerName().Threshold, int64(0))
   183  	test.AssertEquals(t, emptyPolicy.RegistrationsPerIP().Threshold, int64(0))
   184  	test.AssertEquals(t, emptyPolicy.RegistrationsPerIP().Threshold, int64(0))
   185  	test.AssertEquals(t, emptyPolicy.PendingAuthorizationsPerAccount().Threshold, int64(0))
   186  	test.AssertEquals(t, emptyPolicy.CertificatesPerFQDNSet().Threshold, int64(0))
   187  }
   188  

View as plain text