rpki/tests/test_roa_validate_ee_resources.rs

use rpki::data_model::roa::{
EeResources, IpPrefix, IpResourceSet, RoaAfi, RoaEContent, RoaIpAddress, RoaIpAddressFamily,
RoaValidateError,
};
/// Builds the ROA payload shared by the validation tests in this file.
///
/// The payload authorises AS 64496 (an ASN from the documentation range) to
/// originate 10.0.0.0/8 with a maximum length of 24. It contains exactly one
/// IPv4 address family holding exactly one prefix, so every test that uses it
/// exercises a single containment decision.
fn test_roa_single_v4_prefix() -> RoaEContent {
    // The only prefix carried by the ROA: 10.0.0.0/8.
    let announced = IpPrefix {
        afi: RoaAfi::Ipv4,
        prefix_len: 8,
        addr: vec![10, 0, 0, 0],
    };

    // max_length is set and is longer than prefix_len (8 -> 24).
    let entry = RoaIpAddress {
        prefix: announced,
        max_length: Some(24),
    };

    let v4_family = RoaIpAddressFamily {
        afi: RoaAfi::Ipv4,
        addresses: vec![entry],
    };

    RoaEContent {
        version: 0,
        as_id: 64496,
        ip_addr_blocks: vec![v4_family],
    }
}
/// Happy path: the EE certificate resources hold 0.0.0.0/0, which covers the
/// ROA's 10.0.0.0/8, and neither rejection flag is set, so validation must
/// return `Ok`.
///
/// NOTE(review): 0/0 covers every IPv4 prefix, so this test alone cannot
/// detect a containment check that accepts too much; the rejection tests in
/// this file carry that burden.
#[test]
fn validate_accepts_when_prefix_is_covered() {
    // 0.0.0.0/0: the least specific IPv4 prefix.
    let whole_v4_space = IpPrefix {
        afi: RoaAfi::Ipv4,
        prefix_len: 0,
        addr: vec![0, 0, 0, 0],
    };
    let ee = EeResources {
        ip_resources: IpResourceSet {
            prefixes: vec![whole_v4_space],
        },
        ip_resources_inherit: false,
        as_resources_present: false,
    };

    let roa = test_roa_single_v4_prefix();
    let outcome = roa.validate_against_ee_resources(&ee);
    outcome.expect("prefix should be covered by 0/0");
}
/// An EE certificate that carries AS resources must cause the ROA to be
/// rejected with `RoaValidateError::EeAsResourcesPresent`.
///
/// The EE IP resource set is empty here, so the ROA prefix is not covered
/// either; the expected variant therefore also pins that the AS-resources
/// condition is the one reported in that situation.
#[test]
fn validate_rejects_when_as_resources_present() {
    let no_prefixes = IpResourceSet {
        prefixes: Vec::new(),
    };
    let ee = EeResources {
        ip_resources: no_prefixes,
        ip_resources_inherit: false,
        as_resources_present: true,
    };

    let roa = test_roa_single_v4_prefix();
    let rejection = roa.validate_against_ee_resources(&ee).unwrap_err();
    assert!(matches!(rejection, RoaValidateError::EeAsResourcesPresent));
}
/// An EE certificate whose IP resources are marked "inherit" must cause the
/// ROA to be rejected with `RoaValidateError::EeIpResourcesInherit`.
///
/// With "inherit" there is no explicit prefix list to check the ROA prefix
/// against; the EE set is left empty to reflect that. The expected variant
/// shows that the inherit condition, not prefix containment, is what gets
/// reported.
#[test]
fn validate_rejects_when_ip_resources_inherit() {
    let no_prefixes = IpResourceSet {
        prefixes: Vec::new(),
    };
    let ee = EeResources {
        ip_resources: no_prefixes,
        ip_resources_inherit: true,
        as_resources_present: false,
    };

    let roa = test_roa_single_v4_prefix();
    let rejection = roa.validate_against_ee_resources(&ee).unwrap_err();
    assert!(matches!(rejection, RoaValidateError::EeIpResourcesInherit));
}
/// A ROA prefix that lies outside the EE certificate's IP resources must be
/// rejected with `RoaValidateError::PrefixNotInEeResources`.
///
/// The EE holds only 192.0.2.0/24 while the ROA carries 10.0.0.0/8, so the two
/// are disjoint. Both rejection flags are cleared, which leaves containment as
/// the only possible reason for failure.
#[test]
fn validate_rejects_when_prefix_not_covered() {
    // 192.0.2.0/24: unrelated to the ROA's 10.0.0.0/8.
    let unrelated = IpPrefix {
        afi: RoaAfi::Ipv4,
        prefix_len: 24,
        addr: vec![192, 0, 2, 0],
    };
    let ee = EeResources {
        ip_resources: IpResourceSet {
            prefixes: vec![unrelated],
        },
        ip_resources_inherit: false,
        as_resources_present: false,
    };

    let roa = test_roa_single_v4_prefix();
    let rejection = roa.validate_against_ee_resources(&ee).unwrap_err();
    // The variant's fields are not inspected, only its identity.
    assert!(matches!(
        rejection,
        RoaValidateError::PrefixNotInEeResources { .. }
    ));
}
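/// Checks `IpResourceSet::contains_prefix` when the covering prefix length is
/// not a multiple of 8.
///
/// The EE set holds 160.0.0.0/9, i.e. 160.0.0.0 through 160.127.255.255. Three
/// /16 candidates are probed:
///
/// * 160.18.0.0/16: inside the /9, must be contained.
/// * 161.18.0.0/16: differs in the first octet, must not be contained.
/// * 160.128.0.0/16: same first octet but the 9th bit is set, must not be
///   contained.
///
/// The third probe is the one that actually exercises the partial-octet
/// comparison. Without it, an implementation that compares only whole octets
/// (treating the /9 as a /8) would pass this test while accepting address
/// space the EE certificate does not hold.
#[test]
fn contains_prefix_handles_non_octet_boundary_prefix_len() {
    let ee_set = IpResourceSet {
        prefixes: vec![IpPrefix {
            afi: RoaAfi::Ipv4,
            prefix_len: 9,
            addr: vec![0b1010_0000, 0, 0, 0], // 160.0.0.0/9
        }],
    };

    let covered = IpPrefix {
        afi: RoaAfi::Ipv4,
        prefix_len: 16,
        addr: vec![0b1010_0000, 0x12, 0, 0], // 160.18.0.0/16
    };
    assert!(ee_set.contains_prefix(&covered));

    let not_covered = IpPrefix {
        afi: RoaAfi::Ipv4,
        prefix_len: 16,
        addr: vec![0b1010_0001, 0x12, 0, 0], // 161.18.0.0/16
    };
    assert!(!ee_set.contains_prefix(&not_covered));

    // The first eight bits match the EE prefix; only the 9th bit differs, so
    // the outcome depends on the masked comparison inside the second octet.
    let not_covered_ninth_bit = IpPrefix {
        afi: RoaAfi::Ipv4,
        prefix_len: 16,
        addr: vec![0b1010_0000, 0b1000_0000, 0, 0], // 160.128.0.0/16
    };
    assert!(!ee_set.contains_prefix(&not_covered_ninth_bit));
}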