fix(pipelock): allow route ssrf ip policy

2026-05-28 19:32:31 -04:00
parent bcadc07d09
commit fed006441d
6 changed files with 134 additions and 6 deletions
@@ -223,9 +223,20 @@ class TestPipelockPolicy(unittest.TestCase):
        }])
        self.assertTrue(b.egress.routes[0].Pipelock.TlsPassthrough)

+    def test_ssrf_ip_allowlist_route_policy(self):
+        b = _bottle([{
+            "host": "gitea.dideric.is",
+            "pipelock": {"ssrf_ip_allowlist": ["100.78.141.42/32"]},
+        }])
+        self.assertEqual(
+            ("100.78.141.42/32",),
+            b.egress.routes[0].Pipelock.SsrfIpAllowlist,
+        )
+
    def test_tls_passthrough_defaults_false(self):
        b = _bottle([{"host": "api.openai.com"}])
        self.assertFalse(b.egress.routes[0].Pipelock.TlsPassthrough)
+        self.assertEqual((), b.egress.routes[0].Pipelock.SsrfIpAllowlist)

    def test_pipelock_policy_must_be_object(self):
        with self.assertRaises(Die):
@@ -238,6 +249,20 @@ class TestPipelockPolicy(unittest.TestCase):
                "pipelock": {"tls_passthrough": "yes"},
            }])

+    def test_ssrf_ip_allowlist_must_be_array(self):
+        with self.assertRaises(Die):
+            _bottle([{
+                "host": "x.example",
+                "pipelock": {"ssrf_ip_allowlist": "100.78.141.42/32"},
+            }])
+
+    def test_ssrf_ip_allowlist_items_must_be_cidr_or_ip(self):
+        with self.assertRaises(Die):
+            _bottle([{
+                "host": "x.example",
+                "pipelock": {"ssrf_ip_allowlist": ["not-an-ip"]},
+            }])
+
    def test_unknown_pipelock_key_rejected(self):
        with self.assertRaises(Die):
            _bottle([{"host": "x.example", "pipelock": {"wat": True}}])