upaas/internal/middleware/realip_test.go

package middleware //nolint:testpackage // tests RealIP via internal package access

import (
	"context"
	"net"
	"net/http"
	"testing"
)

func TestRealIP(t *testing.T) { //nolint:funlen // table-driven test
	t.Parallel()

	tests := []struct {
		name       string
		remoteAddr string
		xRealIP    string
		xff        string
		want       string
	}{
		// === Trusted proxy (RFC1918 / loopback) — headers ARE honoured ===
		{
			name:       "trusted: X-Real-IP from 10.x",
			remoteAddr: "10.0.0.1:1234",
			xRealIP:    "203.0.113.5",
			xff:        "198.51.100.1, 10.0.0.1",
			want:       "203.0.113.5",
		},
		{
			name:       "trusted: XFF from 10.x when no X-Real-IP",
			remoteAddr: "10.0.0.1:1234",
			xff:        "198.51.100.1, 10.0.0.1",
			want:       "198.51.100.1",
		},
		{
			name:       "trusted: XFF single IP from 10.x",
			remoteAddr: "10.0.0.1:1234",
			xff:        "203.0.113.10",
			want:       "203.0.113.10",
		},
		{
			name:       "trusted: falls back to RemoteAddr (192.168.x)",
			remoteAddr: "192.168.1.1:5678",
			want:       "192.168.1.1",
		},
		{
			name:       "trusted: RemoteAddr without port",
			remoteAddr: "192.168.1.1",
			want:       "192.168.1.1",
		},
		{
			name:       "trusted: X-Real-IP with whitespace from 10.x",
			remoteAddr: "10.0.0.1:1234",
			xRealIP:    "  203.0.113.5  ",
			want:       "203.0.113.5",
		},
		{
			name:       "trusted: XFF with whitespace from 10.x",
			remoteAddr: "10.0.0.1:1234",
			xff:        "  198.51.100.1 , 10.0.0.1",
			want:       "198.51.100.1",
		},
		{
			name:       "trusted: empty X-Real-IP falls through to XFF from 10.x",
			remoteAddr: "10.0.0.1:1234",
			xRealIP:    "  ",
			xff:        "198.51.100.1",
			want:       "198.51.100.1",
		},
		{
			name:       "trusted: loopback honours X-Real-IP",
			remoteAddr: "127.0.0.1:9999",
			xRealIP:    "93.184.216.34",
			want:       "93.184.216.34",
		},
		{
			name:       "trusted: 172.16.x honours XFF",
			remoteAddr: "172.16.0.1:4321",
			xff:        "8.8.8.8",
			want:       "8.8.8.8",
		},

		// === Untrusted proxy (public IP) — headers IGNORED, use RemoteAddr ===
		{
			name:       "untrusted: X-Real-IP ignored from public IP",
			remoteAddr: "203.0.113.50:1234",
			xRealIP:    "10.0.0.1",
			want:       "203.0.113.50",
		},
		{
			name:       "untrusted: XFF ignored from public IP",
			remoteAddr: "198.51.100.99:5678",
			xff:        "10.0.0.1, 192.168.1.1",
			want:       "198.51.100.99",
		},
		{
			name:       "untrusted: both headers ignored from public IP",
			remoteAddr: "8.8.8.8:443",
			xRealIP:    "1.2.3.4",
			xff:        "5.6.7.8",
			want:       "8.8.8.8",
		},
		{
			name:       "untrusted: no headers, public RemoteAddr",
			remoteAddr: "93.184.216.34:8080",
			want:       "93.184.216.34",
		},
		{
			name:       "untrusted: public RemoteAddr without port",
			remoteAddr: "93.184.216.34",
			want:       "93.184.216.34",
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "/", nil)
			req.RemoteAddr = tt.remoteAddr

			if tt.xRealIP != "" {
				req.Header.Set("X-Real-IP", tt.xRealIP)
			}

			if tt.xff != "" {
				req.Header.Set("X-Forwarded-For", tt.xff)
			}

			got := RealIP(req)
			if got != tt.want {
				t.Errorf("RealIP() = %q, want %q", got, tt.want)
			}
		})
	}
}

func TestIsTrustedProxy(t *testing.T) {
	t.Parallel()

	trusted := []string{"10.0.0.1", "10.255.255.255", "172.16.0.1", "172.31.255.255",
		"192.168.0.1", "192.168.255.255", "127.0.0.1", "127.255.255.255", "::1"}
	untrusted := []string{"8.8.8.8", "203.0.113.1", "172.32.0.1", "11.0.0.1", "2001:db8::1"}

	for _, addr := range trusted {
		ip := net.ParseIP(addr)
		if !isTrustedProxy(ip) {
			t.Errorf("expected %s to be trusted", addr)
		}
	}

	for _, addr := range untrusted {
		ip := net.ParseIP(addr)
		if isTrustedProxy(ip) {
			t.Errorf("expected %s to be untrusted", addr)
		}
	}
}