fix(cred_proxy): close git-push bypass + route through pipelock (PRD 0010)
Three coupled fixes that close a documented bypass of git-gate's gitleaks pre-receive hook: 1. cred-proxy refuses git smart-HTTP push at runtime. Any path ending in /git-receive-pack or /info/refs?service=git-receive-pack returns 403 with a pointer at the bottle.git SSH path. Fetch (upload-pack) is still allowed — the bypass we're closing is push, where gitleaks is the load-bearing scanner. Hard guarantee. 2. The provisioner suppresses the cred-proxy `~/.gitconfig` insteadOf rewrite for any host already declared in bottle.git. git-gate is the canonical git path there; we don't write a competing rule that would let `git clone https://<host>/...` succeed in ways that confuse on push. Defense in depth — (1) is the hard guarantee. 3. cred-proxy routes its outbound HTTPS through pipelock. The sidecar's environ now sets HTTPS_PROXY=<pipelock-url>, and the image's entrypoint runs `update-ca-certificates` over the per-bottle pipelock CA (docker cp'd into /usr/local/share/ca-certificates/pipelock.crt before start) so the proxy's HTTPS client trusts pipelock's bumped certs. Consequence: pipelock's allowlist + body scanner now sit in the cred-proxy egress path the same way they sit in front of direct agent traffic. The cred-proxy upstream hosts (api.github.com, github.com, gitea hosts, registry.npmjs.org) come OFF pipelock's passthrough_domains. Only api.anthropic.com remains on passthrough (LLM body content legitimately trips DLP). PRD 0010 updated to reflect all three. Tests adjusted: the "cred-proxy hosts go on passthrough" assertion in test_pipelock_allowlist flips to "they don't", a new TestIsGitPushRequest exercises the smart-HTTP refusal predicate, and the gitconfig renderer tests cover the per-host suppression matrix.
This commit is contained in:
@@ -4,6 +4,7 @@ The full docker lifecycle is exercised by integration tests; here we
|
||||
cover the pure helpers and the validation checks `.start` runs
|
||||
before touching docker."""
|
||||
|
||||
import tempfile
|
||||
import unittest
|
||||
from pathlib import Path
|
||||
|
||||
@@ -26,6 +27,8 @@ def _empty_plan(**overrides):
|
||||
"token_env_map": {},
|
||||
"internal_network": "",
|
||||
"egress_network": "",
|
||||
"pipelock_ca_host_path": Path(),
|
||||
"pipelock_proxy_url": "",
|
||||
}
|
||||
base.update(overrides)
|
||||
return CredProxyPlan(**base)
|
||||
@@ -77,6 +80,26 @@ class TestStartGuards(unittest.TestCase):
|
||||
routes_path=Path("/tmp/cred-proxy-test-does-not-exist.json"),
|
||||
))
|
||||
|
||||
def test_pipelock_url_without_ca_dies(self):
|
||||
# URL set + CA path empty/missing is a wiring bug: either both
|
||||
# populated (production) or both empty (test escape hatch).
|
||||
upstream = CredProxyUpstream(
|
||||
kind="anthropic", path="/anthropic/",
|
||||
upstream="https://api.anthropic.com",
|
||||
auth_scheme="Bearer", token_env="CRED_PROXY_TOKEN_0",
|
||||
token_ref="T",
|
||||
)
|
||||
with tempfile.NamedTemporaryFile() as routes:
|
||||
with self.assertRaises(Die):
|
||||
self.proxy.start(_empty_plan(
|
||||
upstreams=(upstream,),
|
||||
internal_network="net-x",
|
||||
egress_network="egress-x",
|
||||
routes_path=Path(routes.name),
|
||||
pipelock_proxy_url="http://pipelock:8888",
|
||||
pipelock_ca_host_path=Path("/tmp/cred-proxy-no-ca.pem"),
|
||||
))
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
|
||||
Reference in New Issue
Block a user