refactor(pipelock): allowlist-resolution helpers take a Bottle, not (manifest, name)
test / run tests/run_tests.py (pull_request) Successful in 17s
test / run tests/run_tests.py (pull_request) Successful in 17s
Every function in the 'Allowlist resolution' section was doing `manifest.bottles[bottle_name].X` as its first move. Push the lookup to the caller and have each helper take a resolved Bottle: pipelock_bottle_allowlist pipelock_bottle_ssh_hostnames pipelock_bottle_ssh_trusted_domains pipelock_bottle_ssh_ip_cidrs pipelock_effective_allowlist pipelock_allowlist_summary PipelockProxy._build_pipelock_yaml resolves bottle once at the top and passes it through; DockerBottleBackend.prepare already had the bottle in scope and now uses it directly. Tests pass the resolved bottle from each fixture.
This commit is contained in:
@@ -18,13 +18,13 @@ from tests.fixtures import fixture_minimal, fixture_with_egress, fixture_with_ss
|
||||
|
||||
class TestBottleAllowlist(unittest.TestCase):
|
||||
def test_egress_allowlist_present(self):
|
||||
out = pipelock_bottle_allowlist(fixture_with_egress(), "dev")
|
||||
out = pipelock_bottle_allowlist(fixture_with_egress().bottles["dev"])
|
||||
self.assertIn("github.com", out)
|
||||
self.assertIn("gitlab.com", out)
|
||||
self.assertIn("registry.npmjs.org", out)
|
||||
|
||||
def test_empty_when_no_egress_block(self):
|
||||
out = pipelock_bottle_allowlist(fixture_minimal(), "dev")
|
||||
out = pipelock_bottle_allowlist(fixture_minimal().bottles["dev"])
|
||||
self.assertEqual([], out)
|
||||
|
||||
def test_rejects_non_string_entry(self):
|
||||
@@ -38,17 +38,17 @@ class TestBottleAllowlist(unittest.TestCase):
|
||||
|
||||
class TestSSHHostnames(unittest.TestCase):
|
||||
def test_hostnames_include_both(self):
|
||||
hosts = pipelock_bottle_ssh_hostnames(fixture_with_ssh(), "dev")
|
||||
hosts = pipelock_bottle_ssh_hostnames(fixture_with_ssh().bottles["dev"])
|
||||
self.assertIn("100.78.141.42", hosts)
|
||||
self.assertIn("github.com", hosts)
|
||||
|
||||
def test_ip_cidrs_only_ipv4(self):
|
||||
cidrs = pipelock_bottle_ssh_ip_cidrs(fixture_with_ssh(), "dev")
|
||||
cidrs = pipelock_bottle_ssh_ip_cidrs(fixture_with_ssh().bottles["dev"])
|
||||
self.assertIn("100.78.141.42/32", cidrs)
|
||||
self.assertNotIn("github.com", cidrs)
|
||||
|
||||
def test_trusted_domains_only_hostnames(self):
|
||||
trusted = pipelock_bottle_ssh_trusted_domains(fixture_with_ssh(), "dev")
|
||||
trusted = pipelock_bottle_ssh_trusted_domains(fixture_with_ssh().bottles["dev"])
|
||||
self.assertIn("github.com", trusted)
|
||||
self.assertNotIn("100.78.141.42", trusted)
|
||||
|
||||
@@ -69,7 +69,7 @@ class TestEffectiveAllowlist(unittest.TestCase):
|
||||
},
|
||||
"agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
|
||||
})
|
||||
eff = pipelock_effective_allowlist(manifest, "dev")
|
||||
eff = pipelock_effective_allowlist(manifest.bottles["dev"])
|
||||
self.assertIn("api.anthropic.com", eff)
|
||||
self.assertIn("registry.npmjs.org", eff)
|
||||
self.assertIn("100.78.141.42", eff)
|
||||
|
||||
Reference in New Issue
Block a user