From 246566a1951f0afbd750a09116942d7030eff0bb Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 22 Sep 2022 11:35:11 -0700
Subject: [PATCH] Change way to get hasNameConstraints
---
 authority/internal/constraints/constraints.go | 15 ++++-----
 .../internal/constraints/constraints_test.go | 31 +++++++++++++++++++
 2 files changed, 37 insertions(+), 9 deletions(-)
diff --git a/authority/internal/constraints/constraints.go b/authority/internal/constraints/constraints.go
index 2755e102..9aa6d9c3 100644
--- a/authority/internal/constraints/constraints.go
+++ b/authority/internal/constraints/constraints.go
@@ -66,16 +66,13 @@ func New(chain ...*x509.Certificate) *Engine {
 e.excludedEmailAddresses = append(e.excludedEmailAddresses, crt.ExcludedEmailAddresses...)
 e.permittedURIDomains = append(e.permittedURIDomains, crt.PermittedURIDomains...)
 e.excludedURIDomains = append(e.excludedURIDomains, crt.ExcludedURIDomains...)
-
- if !e.hasNameConstraints {
- for _, ext := range crt.Extensions {
- if ext.Id.Equal(oidExtensionNameConstraints) {
- e.hasNameConstraints = true
- break
- }
- }
- }
 }
+
+ e.hasNameConstraints = len(e.permittedDNSDomains) > 0 || len(e.excludedDNSDomains) > 0 ||
+ len(e.permittedIPRanges) > 0 || len(e.excludedIPRanges) > 0 ||
+ len(e.permittedEmailAddresses) > 0 || len(e.excludedEmailAddresses) > 0 ||
+ len(e.permittedURIDomains) > 0 || len(e.excludedURIDomains) > 0
+
 return e
 }
diff --git a/authority/internal/constraints/constraints_test.go b/authority/internal/constraints/constraints_test.go
index f65e1768..aaf5d410 100644
--- a/authority/internal/constraints/constraints_test.go
+++ b/authority/internal/constraints/constraints_test.go
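Review bot: In constraints.go, the new `e.hasNameConstraints = len(e.permittedDNSDomains) > 0 || ...` assignment in New is true only when one of the eight DNS, IP, email or URI slices is non-empty. A chain whose Name Constraints extension carries only name forms that crypto/x509 does not parse into those fields (directoryName, for example) therefore now gives false where the removed OID scan gave true. If Validate returns early when the flag is false, which is not visible in this hunk, such a chain is treated as unconstrained by this engine; confirm that is intended and record it above the assignment, e.g. `// hasNameConstraints reflects only the DNS, IP, email and URI constraints parsed by crypto/x509.`. `oidExtensionNameConstraints` loses the only use shown here, so check whether it is still referenced elsewhere. New's body starts outside the hunk.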
@@ -79,6 +79,37 @@ func TestNew(t *testing.T) {
 }
 }
+func TestNew_hasNameConstraints(t *testing.T) {
+ tests := []struct {
+ name string
+ fn func(c *x509.Certificate)
+ want bool
+ }{
+ {"no constraints", func(c *x509.Certificate) {}, false},
+ {"permittedDNSDomains", func(c *x509.Certificate) { c.PermittedDNSDomains = []string{"constraint"} }, true},
+ {"excludedDNSDomains", func(c *x509.Certificate) { c.ExcludedDNSDomains = []string{"constraint"} }, true},
+ {"permittedIPRanges", func(c *x509.Certificate) {
+ c.PermittedIPRanges = []*net.IPNet{{IP: net.ParseIP("192.168.3.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}}
+ }, true},
+ {"excludedIPRanges", func(c *x509.Certificate) {
+ c.ExcludedIPRanges = []*net.IPNet{{IP: net.ParseIP("192.168.3.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}}
+ }, true},
+ {"permittedEmailAddresses", func(c *x509.Certificate) { c.PermittedEmailAddresses = []string{"constraint"} }, true},
+ {"excludedEmailAddresses", func(c *x509.Certificate) { c.ExcludedEmailAddresses = []string{"constraint"} }, true},
+ {"permittedURIDomains", func(c *x509.Certificate) { c.PermittedURIDomains = []string{"constraint"} }, true},
+ {"excludedURIDomains", func(c *x509.Certificate) { c.ExcludedURIDomains = []string{"constraint"} }, true},
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ cert := &x509.Certificate{}
+ tt.fn(cert)
+ if e := New(cert); e.hasNameConstraints != tt.want {
+ t.Errorf("Engine.hasNameConstraints = %v, want %v", e.hasNameConstraints, tt.want)
+ }
+ })
+ }
+}
+
 func TestEngine_Validate(t *testing.T) {
 type fields struct {
 hasNameConstraints bool
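Review bot: Every case in TestNew_hasNameConstraints calls `New(cert)` with a single certificate, so nothing checks that a constraint carried by a later certificate in the chain still sets the flag, although New appears to append the slices across the whole chain. A second assertion in the `t.Run` body would cover it, with the same error message: `if e := New(&x509.Certificate{}, cert); e.hasNameConstraints != tt.want {`. A call to `New()` with no certificates, expected to give false, would also pin the empty-chain result that callers rely on to skip validation.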