didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity
Files
22bc13dc3cc27da1da49f7a40d78dee7f0aced5a
bot-bottle/tests/integration/test_mitmproxy_allows_normal_https.py
T
didericis 22bc13dc3c
test / unit (pull_request) Successful in 20s
Details
test / integration (pull_request) Successful in 15s
Details
feat(mitmproxy): integration tests for the bumped HTTPS path 
Fourth and final step of PRD 0005. Two new end-to-end tests that
exercise the full chain agent -> mitmproxy(bump) -> addon ->
pipelock -> upstream and pin the two paths the addon implements.

- test_mitmproxy_blocks_secret_https_post: HTTPS variant of the
  existing test_pipelock_blocks_secret_post. Posts a credential
  pattern in the body over HTTPS through the bottle. mitmproxy
  bumps the CONNECT (the agent trusts the per-bottle ephemeral CA
  installed by provision_ca), the addon forwards the decrypted
  request to pipelock, pipelock returns 403 with the known
  `blocked: ...` body shape, and the addon short-circuits the
  flow with status=403 + X-Pipelock-Bridge: block. The two-axis
  assertion (status + header) proves the addon-mediated path is
  what produced the block, not some other layer.

- test_mitmproxy_allows_normal_https: hits raw.githubusercontent.com
  (a baked-in allowlist host) over HTTPS through the bottle.
  Verifies the addon's allow path: mitmproxy bumps, addon
  forwards to pipelock for the scan, pipelock allows, mitmproxy
  proceeds to the real upstream, response comes back through. The
  absence of X-Pipelock-Bridge on the response is the signal that
  the addon didn't short-circuit. Body length sanity-checks that
  the response is real upstream content, not a synthesized stub.

Both probes are stdlib-only Node (http.request CONNECT + tls.connect
on the tunneled socket) — pulling in undici as a dep would be the
clean way to do HTTPS-through-proxy but is out of scope.

The earlier integration tests still pass with mitmproxy in path:
their assertions hold under the new topology, though their semantic
coverage shifts (e.g. test_pipelock_allow_node now exercises
mitmproxy's CONNECT-200 path rather than pipelock's host allowlist
on CONNECT). Updating those tests is a follow-up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-12 13:46:09 -04:00

168 lines
5.9 KiB
Python
Raw Blame History

"""Integration: with mitmproxy in front of pipelock, a plain HTTPS
GET to an allowlisted host with no credential pattern still gets
through end-to-end.
The complement to test_mitmproxy_blocks_secret_https_post — together
they isolate the addon's two paths (block vs. allow). This test
also functions as the end-to-end TLS-trust check: if the agent's
trust store didn't have mitmproxy's CA installed, the TLS handshake
between the agent and mitmproxy's bumped cert would fail and the
fetch would throw before we ever saw a response.
"""
from __future__ import annotations
import os
import shutil
import tempfile
import unittest
from pathlib import Path
from claude_bottle.backend import BottleSpec, get_bottle_backend
from tests._docker import skip_unless_docker
from tests.fixtures import fixture_minimal
# raw.githubusercontent.com is in the baked-in DEFAULT_ALLOWLIST.
# Pick a file path that's stable enough across runs — `git`'s own
# README.md on the master branch is a long-lived artifact and one
# of github's most-trafficked raw files.
_TARGET_URL = "https://raw.githubusercontent.com/git/git/master/README.md"
# stdlib http (for CONNECT) + tls (for the bumped tunnel); see the
# block test for the rationale on not pulling undici in as a dep.
#
# Output contract:
# - "status=<code>" HTTP status from upstream (or addon, if
# blocked)
# - "bridge=<value>" X-Pipelock-Bridge header; empty on allow
# - "len=<N>" response body length, sanity-check it's a
# real response and not an empty proxy stub
# - "error=<...>" thrown error
_PROBE_JS = r"""
const http = require('http');
const tls = require('tls');
const proxy = new URL(process.env.HTTPS_PROXY);
const connectReq = http.request({
host: proxy.hostname,
port: proxy.port,
method: 'CONNECT',
path: 'raw.githubusercontent.com:443',
});
connectReq.setTimeout(10000, () => {
console.log('timeout=connect');
connectReq.destroy();
});
connectReq.on('error', (e) => {
console.log('error=' + (e.code || '') + ' ' + e.message);
});
connectReq.on('connect', (res, socket) => {
if (res.statusCode !== 200) {
console.log('status=' + res.statusCode);
console.log('bridge=' + (res.headers['x-pipelock-bridge'] || ''));
return;
}
const tlsSocket = tls.connect({
socket: socket,
servername: 'raw.githubusercontent.com',
});
tlsSocket.on('secureConnect', () => {
tlsSocket.write(
'GET /git/git/master/README.md HTTP/1.1\r\n' +
'Host: raw.githubusercontent.com\r\n' +
'User-Agent: claude-bottle-mitm-test\r\n' +
'Accept: */*\r\n' +
'Connection: close\r\n' +
'\r\n'
);
});
let buf = Buffer.alloc(0);
tlsSocket.on('data', (c) => { buf = Buffer.concat([buf, c]); });
tlsSocket.on('end', () => {
const text = buf.toString('utf8');
const headersEnd = text.indexOf('\r\n\r\n');
const head = headersEnd >= 0 ? text.slice(0, headersEnd) : text;
const body = headersEnd >= 0 ? text.slice(headersEnd + 4) : '';
const lines = head.split('\r\n');
const m = lines[0].match(/HTTP\/[\d.]+ (\d+)/);
let bridge = '';
for (let i = 1; i < lines.length; i++) {
const ix = lines[i].indexOf(': ');
if (ix < 0) continue;
if (lines[i].slice(0, ix).toLowerCase() === 'x-pipelock-bridge') {
bridge = lines[i].slice(ix + 2);
}
}
console.log('status=' + (m ? m[1] : '?'));
console.log('bridge=' + bridge);
console.log('len=' + body.length);
});
tlsSocket.on('error', (e) => {
console.log('tls_error=' + (e.code || '') + ' ' + e.message);
});
});
connectReq.end();
"""
@skip_unless_docker()
class TestMitmproxyAllowsNormalHttps(unittest.TestCase):
@unittest.skipIf(
os.environ.get("GITEA_ACTIONS") == "true",
"skipped under act_runner: docker socket mount topology breaks "
"in-process visibility of networks created on the host daemon",
)
def test_https_get_to_allowed_host_succeeds(self):
backend = get_bottle_backend()
stage_dir = Path(tempfile.mkdtemp(prefix="cb-test-stage."))
try:
spec = BottleSpec(
manifest=fixture_minimal(),
agent_name="demo",
copy_cwd=False,
user_cwd=str(stage_dir),
forward_oauth_token=False,
)
plan = backend.prepare(spec, stage_dir=stage_dir)
with backend.launch(plan) as bottle:
script = (
"set -e\n"
"cat > /tmp/probe.js <<'PROBE_EOF'\n"
f"{_PROBE_JS}\n"
"PROBE_EOF\n"
"node /tmp/probe.js\n"
)
result = bottle.exec(script)
finally:
shutil.rmtree(stage_dir, ignore_errors=True)
self.assertEqual(
0, result.returncode,
f"exec wrapper failed: stdout={result.stdout!r} stderr={result.stderr!r}",
)
# The TLS-trust setup is implicit here — if it had failed,
# fetch would have thrown rather than returned a status.
self.assertIn(
"status=200", result.stdout,
f"expected 200 from raw.githubusercontent.com; got: {result.stdout!r}",
)
# X-Pipelock-Bridge is set only on the addon's short-circuit
# paths (block / misconfigured / scanner-unreachable). An
# allow flow goes straight through mitmproxy to upstream and
# the header should be absent.
self.assertIn(
"bridge=\n", result.stdout,
f"X-Pipelock-Bridge unexpectedly present on the allow "
f"path: {result.stdout!r}",
)
# Sanity: the README is many KB. An empty body would suggest
# the response was synthesized by something in the chain
# rather than fetched from github.
self.assertNotIn("len=0\n", result.stdout)
if __name__ == "__main__":
unittest.main()
Reference in New Issue View Git Blame Copy Permalink