-
Notifications
You must be signed in to change notification settings - Fork 449
Expand file tree
/
Copy pathfirewall_args_test.go
More file actions
338 lines (282 loc) · 10.7 KB
/
Copy pathfirewall_args_test.go
File metadata and controls
338 lines (282 loc) · 10.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
//go:build !integration
package workflow
import (
"strings"
"testing"
"github.com/github/gh-aw/pkg/constants"
)
// TestFirewallArgsInCopilotEngine tests that custom firewall args are included in AWF command
func TestFirewallArgsInCopilotEngine(t *testing.T) {
t.Run("no custom args uses only default flags", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "copilot",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
},
},
}
engine := NewCopilotEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")
stepContent := requireCopilotExecutionStep(t, steps)
// Check that the command contains awf (AWF v0.15.0+ uses chroot mode by default)
if !strings.Contains(stepContent, "sudo -E awf") {
t.Error("Expected command to contain 'sudo -E awf'")
}
// With config file support (default AWF version), domains appear in the JSON config
// rather than as a --allow-domains CLI flag. Verify the config JSON is written.
if !strings.Contains(stepContent, "allowDomains") {
t.Error("Expected command to contain 'allowDomains' in the AWF config JSON")
}
if !strings.Contains(stepContent, "--log-level") {
t.Error("Expected command to contain '--log-level'")
}
initSnippet := `GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS=""`
conditionSnippet := `if [[ "${DOCKER_HOST:-}" =~ ^tcp://(localhost|127\.0\.0\.1)(:[0-9]+)?$ ]]; then`
flagAssignmentSnippet := `GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS="--docker-host-path-prefix /tmp/gh-aw"`
initIdx := strings.Index(stepContent, initSnippet)
conditionIdx := strings.Index(stepContent, conditionSnippet)
flagIdx := strings.Index(stepContent, flagAssignmentSnippet)
if initIdx == -1 || conditionIdx == -1 || flagIdx == -1 || !(initIdx < conditionIdx && conditionIdx < flagIdx) {
t.Error("Expected command to initialize ARC/DinD probe variable, then evaluate DOCKER_HOST condition, then assign docker-host-path-prefix flag")
}
// Verify that --log-dir is included in copilot args for log collection
if !strings.Contains(stepContent, "--log-dir /tmp/gh-aw/sandbox/agent/logs/") {
t.Error("Expected copilot command to contain '--log-dir /tmp/gh-aw/sandbox/agent/logs/' for log collection in firewall mode")
}
})
t.Run("custom args are included in AWF command", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "copilot",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
Args: []string{"--custom-arg", "value", "--another-flag"},
},
},
}
engine := NewCopilotEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")
stepContent := requireCopilotExecutionStep(t, steps)
// Check that custom args are included
if !strings.Contains(stepContent, "--custom-arg") {
t.Error("Expected command to contain custom arg '--custom-arg'")
}
if !strings.Contains(stepContent, "value") {
t.Error("Expected command to contain custom arg value 'value'")
}
if !strings.Contains(stepContent, "--another-flag") {
t.Error("Expected command to contain custom arg '--another-flag'")
}
// With config file support, domains appear in the JSON config (not as --allow-domains)
if !strings.Contains(stepContent, "allowDomains") {
t.Error("Expected command to still contain 'allowDomains' in the AWF config JSON")
}
})
t.Run("custom args with spaces are properly escaped", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "copilot",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
Args: []string{"--message", "hello world", "--path", "/some/path with spaces"},
},
},
}
engine := NewCopilotEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")
stepContent := requireCopilotExecutionStep(t, steps)
// Check that args with spaces are present (they should be escaped)
if !strings.Contains(stepContent, "--message") {
t.Error("Expected command to contain '--message' flag")
}
// The value might be escaped, so just check the flag exists
if !strings.Contains(stepContent, "--path") {
t.Error("Expected command to contain '--path' flag")
}
})
t.Run("AWF uses chroot mode instead of individual binary mounts", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "copilot",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
},
},
}
engine := NewCopilotEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")
stepContent := requireCopilotExecutionStep(t, steps)
// Check that AWF is used for transparent host access (AWF v0.15.0+)
// Chroot mode is now the default, so no --enable-chroot flag is needed
if !strings.Contains(stepContent, "sudo -E awf") {
t.Error("Expected AWF command for transparent host access")
}
// Verify that individual binary mounts are not used (chroot mode is default)
if strings.Contains(stepContent, "--mount /usr/bin/gh:/usr/bin/gh:ro") {
t.Error("Individual binary mounts should not be present with default chroot mode")
}
})
t.Run("AWF command includes image-tag with default version", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "copilot",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
},
},
}
engine := NewCopilotEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")
stepContent := requireCopilotExecutionStep(t, steps)
// With config file support (default AWF version), the image tag is expressed in the
// JSON config file rather than as a --image-tag CLI flag.
// Verify the image tag version appears in the config JSON.
expectedVersion := strings.TrimPrefix(string(constants.DefaultFirewallVersion), "v")
if !strings.Contains(stepContent, expectedVersion) {
t.Errorf("Expected AWF config JSON to contain image tag version '%s'", expectedVersion)
}
// imageTag field name must be present
if !strings.Contains(stepContent, "imageTag") {
t.Error("Expected AWF config JSON to contain 'imageTag' field")
}
})
t.Run("AWF command includes image-tag with custom version", func(t *testing.T) {
customVersion := "v0.5.0"
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "copilot",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
Version: customVersion,
},
},
}
engine := NewCopilotEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")
stepContent := requireCopilotExecutionStep(t, steps)
// Image tag is now always written to the JSON config file, never as a CLI flag.
expectedImageTag := `"imageTag":"` + strings.TrimPrefix(customVersion, "v")
if !strings.Contains(stepContent, expectedImageTag) {
t.Errorf("Expected AWF config JSON to contain '%s', got:\n%s", expectedImageTag, stepContent)
}
// --image-tag must NOT appear as a CLI flag
if strings.Contains(stepContent, "--image-tag") {
t.Error("--image-tag should not appear as a CLI flag; it is in the config JSON")
}
})
t.Run("skips docker-host-path-prefix probe when AWF version is too old", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "copilot",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
Version: "v0.25.42",
},
},
}
engine := NewCopilotEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")
stepContent := requireCopilotExecutionStep(t, steps)
if strings.Contains(stepContent, "--docker-host-path-prefix /tmp/gh-aw") {
t.Error("Expected command to skip --docker-host-path-prefix for unsupported AWF versions")
}
})
t.Run("AWF command includes ssl-bump flag when enabled", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "copilot",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
SSLBump: true,
},
},
}
engine := NewCopilotEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")
stepContent := requireCopilotExecutionStep(t, steps)
// Check that --ssl-bump flag is included
if !strings.Contains(stepContent, "--ssl-bump") {
t.Error("Expected AWF command to contain '--ssl-bump' flag")
}
})
t.Run("AWF command includes allow-urls with ssl-bump enabled", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "copilot",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
SSLBump: true,
AllowURLs: []string{"https://github.com/githubnext/*", "https://api.github.com/repos/*"},
},
},
}
engine := NewCopilotEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")
stepContent := requireCopilotExecutionStep(t, steps)
// Check that --ssl-bump flag is included
if !strings.Contains(stepContent, "--ssl-bump") {
t.Error("Expected AWF command to contain '--ssl-bump' flag")
}
// Check that --allow-urls is included with the comma-separated URLs
if !strings.Contains(stepContent, "--allow-urls") {
t.Error("Expected AWF command to contain '--allow-urls' flag")
}
if !strings.Contains(stepContent, "https://github.com/githubnext/*") {
t.Error("Expected AWF command to contain URL pattern 'https://github.com/githubnext/*'")
}
})
t.Run("AWF command does not include allow-urls without ssl-bump", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "copilot",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
SSLBump: false, // SSL Bump disabled
AllowURLs: []string{"https://github.com/githubnext/*"},
},
},
}
engine := NewCopilotEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")
stepContent := requireCopilotExecutionStep(t, steps)
// Check that --ssl-bump flag is NOT included
if strings.Contains(stepContent, "--ssl-bump") {
t.Error("Expected AWF command to NOT contain '--ssl-bump' flag when SSLBump is false")
}
// Check that --allow-urls is NOT included when ssl-bump is disabled
if strings.Contains(stepContent, "--allow-urls") {
t.Error("Expected AWF command to NOT contain '--allow-urls' flag when SSLBump is false")
}
})
}