fix(supervise): apply egress approvals
This commit is contained in:
@@ -2,10 +2,16 @@
|
||||
add_route removed; docker exec / cp / kill paths are covered by the
|
||||
integration test)."""
|
||||
|
||||
import tempfile
|
||||
import unittest
|
||||
from pathlib import Path
|
||||
from types import SimpleNamespace
|
||||
from unittest.mock import patch
|
||||
|
||||
from bot_bottle import supervise
|
||||
from bot_bottle.backend.docker.egress_apply import (
|
||||
EgressApplyError,
|
||||
apply_routes_change,
|
||||
validate_routes_content,
|
||||
)
|
||||
|
||||
@@ -52,5 +58,45 @@ class TestValidateRoutesContent(unittest.TestCase):
|
||||
)
|
||||
|
||||
|
||||
class TestApplyRoutesChange(unittest.TestCase):
|
||||
def setUp(self):
|
||||
self._tmp = tempfile.TemporaryDirectory(prefix="egress-apply-test.")
|
||||
original = supervise.bot_bottle_root
|
||||
|
||||
def fake_root() -> Path:
|
||||
return Path(self._tmp.name) / ".bot-bottle"
|
||||
|
||||
supervise.bot_bottle_root = fake_root # type: ignore[assignment]
|
||||
self.addCleanup(lambda: setattr(supervise, "bot_bottle_root", original))
|
||||
self.addCleanup(self._tmp.cleanup)
|
||||
|
||||
def test_writes_live_routes_and_signals_reload(self):
|
||||
calls: list[list[str]] = []
|
||||
|
||||
def fake_run(argv, **kwargs):
|
||||
calls.append(list(argv))
|
||||
return SimpleNamespace(returncode=0, stdout="", stderr="")
|
||||
|
||||
with patch(
|
||||
"bot_bottle.backend.docker.egress_apply.subprocess.run",
|
||||
side_effect=fake_run,
|
||||
):
|
||||
before, after = apply_routes_change(
|
||||
"dev",
|
||||
"routes:\n - host: google.com\n",
|
||||
)
|
||||
|
||||
self.assertEqual("", before)
|
||||
self.assertEqual("routes:\n - host: google.com\n", after)
|
||||
self.assertEqual(
|
||||
"routes:\n - host: google.com\n",
|
||||
(Path(self._tmp.name) / ".bot-bottle/state/dev/egress/egress_routes.yaml").read_text(encoding="utf-8"),
|
||||
)
|
||||
self.assertEqual(
|
||||
["docker", "kill", "--signal", "HUP", "bot-bottle-sidecars-dev"],
|
||||
calls[0],
|
||||
)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
|
||||
@@ -125,15 +125,10 @@ class TestMacosContainerLaunchArgv(unittest.TestCase):
|
||||
f"type=bind,source={self.stage_dir / 'egress-ca'},target=/home/mitmproxy/.mitmproxy",
|
||||
argv,
|
||||
)
|
||||
routes_dir = self.stage_dir / "macos-container-egress"
|
||||
self.assertIn(
|
||||
f"type=bind,source={routes_dir},target=/etc/egress,readonly",
|
||||
f"type=bind,source={self.stage_dir / 'source-routes.yaml'},target=/etc/egress/routes.yaml,readonly",
|
||||
argv,
|
||||
)
|
||||
self.assertEqual(
|
||||
"routes: []\n",
|
||||
(routes_dir / "routes.yaml").read_text(encoding="utf-8"),
|
||||
)
|
||||
self.assertIn(
|
||||
"type=bind,source=/state/supervise/queue,target=/run/supervise/queue",
|
||||
argv,
|
||||
|
||||
@@ -9,6 +9,7 @@ import tempfile
|
||||
import unittest
|
||||
from datetime import datetime, timezone
|
||||
from pathlib import Path
|
||||
from unittest.mock import patch
|
||||
|
||||
from bot_bottle import supervise
|
||||
from bot_bottle.cli import supervise as supervise_cli
|
||||
@@ -155,7 +156,15 @@ class TestApproveReject(_FakeHomeMixin, unittest.TestCase):
|
||||
|
||||
def test_approve_egress_block_writes_audit_log(self):
|
||||
qp = self._enqueue(tool=supervise.TOOL_EGRESS_BLOCK)
|
||||
supervise_cli.approve(qp)
|
||||
with patch(
|
||||
"bot_bottle.cli.supervise.apply_routes_change",
|
||||
return_value=("routes: []\n", "routes:\n - host: example.com\n"),
|
||||
) as apply_routes_change:
|
||||
supervise_cli.approve(qp)
|
||||
apply_routes_change.assert_called_once_with(
|
||||
"dev",
|
||||
"routes:\n - host: example.com\n",
|
||||
)
|
||||
entries = read_audit_entries("egress", "dev")
|
||||
self.assertEqual(1, len(entries))
|
||||
self.assertEqual(STATUS_APPROVED, entries[0].operator_action)
|
||||
|
||||
Reference in New Issue
Block a user