didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity
Files
22bc13dc3cc27da1da49f7a40d78dee7f0aced5a
bot-bottle/tests/integration/test_mitmproxy_blocks_secret_https_post.py
T
didericis 22bc13dc3c
test / unit (pull_request) Successful in 20s
Details
test / integration (pull_request) Successful in 15s
Details
feat(mitmproxy): integration tests for the bumped HTTPS path 
Fourth and final step of PRD 0005. Two new end-to-end tests that
exercise the full chain agent -> mitmproxy(bump) -> addon ->
pipelock -> upstream and pin the two paths the addon implements.

- test_mitmproxy_blocks_secret_https_post: HTTPS variant of the
  existing test_pipelock_blocks_secret_post. Posts a credential
  pattern in the body over HTTPS through the bottle. mitmproxy
  bumps the CONNECT (the agent trusts the per-bottle ephemeral CA
  installed by provision_ca), the addon forwards the decrypted
  request to pipelock, pipelock returns 403 with the known
  `blocked: ...` body shape, and the addon short-circuits the
  flow with status=403 + X-Pipelock-Bridge: block. The two-axis
  assertion (status + header) proves the addon-mediated path is
  what produced the block, not some other layer.

- test_mitmproxy_allows_normal_https: hits raw.githubusercontent.com
  (a baked-in allowlist host) over HTTPS through the bottle.
  Verifies the addon's allow path: mitmproxy bumps, addon
  forwards to pipelock for the scan, pipelock allows, mitmproxy
  proceeds to the real upstream, response comes back through. The
  absence of X-Pipelock-Bridge on the response is the signal that
  the addon didn't short-circuit. Body length sanity-checks that
  the response is real upstream content, not a synthesized stub.

Both probes are stdlib-only Node (http.request CONNECT + tls.connect
on the tunneled socket) — pulling in undici as a dep would be the
clean way to do HTTPS-through-proxy but is out of scope.

The earlier integration tests still pass with mitmproxy in path:
their assertions hold under the new topology, though their semantic
coverage shifts (e.g. test_pipelock_allow_node now exercises
mitmproxy's CONNECT-200 path rather than pipelock's host allowlist
on CONNECT). Updating those tests is a follow-up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-12 13:46:09 -04:00

173 lines
5.8 KiB
Python
Raw Blame History

"""Integration: with mitmproxy in front of pipelock, a credential
POST sent over HTTPS is now blocked by pipelock's body-scan layer.
This is the HTTPS variant of test_pipelock_blocks_secret_post — the
two together prove the TLS-interception layer is doing the work the
PRD targets. The earlier plain-HTTP test only fired because the agent
was forced to bypass TLS; real Claude Code traffic to api.anthropic.com
goes over CONNECT-tunneled HTTPS and would have slipped past pipelock
prior to this PRD.
End-to-end: drives `BottleBackend.prepare → launch` so the real
image build, network plumbing, pipelock sidecar, mitmproxy sidecar,
ephemeral CA generation, and trust-store install are all in the
loop.
"""
from __future__ import annotations
import os
import shutil
import tempfile
import unittest
from pathlib import Path
from claude_bottle.backend import BottleSpec, get_bottle_backend
from claude_bottle.manifest import Manifest
from tests._docker import skip_unless_docker
# Synthetic value shaped like a GitHub Personal Access Token; not a
# real credential. Pipelock's default DLP rules pattern-match this
# format and mitmproxy's addon short-circuits with the 403 it
# receives back.
_FAKE_TOKEN = "ghp_aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV3wX4yZ"
# Build the request by hand using stdlib `http` (for CONNECT) and
# `tls` (for the bumped tunnel). Node 22's `fetch` doesn't expose
# proxy configuration without undici as an installable dep, and
# this project keeps the bottle image dep-light. NODE_EXTRA_CA_CERTS
# is wired by launch.py so the agent trusts mitmproxy's bumped cert.
#
# Output contract (parsed by the test):
# - "status=<code>" HTTP status of the decrypted response
# - "bridge=<value>" X-Pipelock-Bridge header from the addon's
# short-circuit, empty on the allow path
# - "error=<...>" thrown error
_PROBE_JS = r"""
const http = require('http');
const tls = require('tls');
const proxy = new URL(process.env.HTTPS_PROXY);
const body = 'token=' + process.env.FAKE_TOKEN;
const connectReq = http.request({
host: proxy.hostname,
port: proxy.port,
method: 'CONNECT',
path: 'api.anthropic.com:443',
});
connectReq.setTimeout(8000, () => {
console.log('timeout=connect');
connectReq.destroy();
});
connectReq.on('error', (e) => {
console.log('error=' + (e.code || '') + ' ' + e.message);
});
connectReq.on('connect', (res, socket) => {
if (res.statusCode !== 200) {
console.log('status=' + res.statusCode);
console.log('bridge=' + (res.headers['x-pipelock-bridge'] || ''));
return;
}
const tlsSocket = tls.connect({
socket: socket,
servername: 'api.anthropic.com',
});
tlsSocket.on('secureConnect', () => {
tlsSocket.write(
'POST /dlp-probe HTTP/1.1\r\n' +
'Host: api.anthropic.com\r\n' +
'Content-Type: application/x-www-form-urlencoded\r\n' +
'Content-Length: ' + Buffer.byteLength(body) + '\r\n' +
'Connection: close\r\n' +
'\r\n' + body
);
});
let buf = '';
tlsSocket.on('data', (c) => { buf += c.toString('utf8'); });
tlsSocket.on('end', () => {
const lines = buf.split('\r\n');
const m = lines[0].match(/HTTP\/[\d.]+ (\d+)/);
let bridge = '';
for (let i = 1; i < lines.length; i++) {
if (lines[i] === '') break;
const ix = lines[i].indexOf(': ');
if (ix < 0) continue;
if (lines[i].slice(0, ix).toLowerCase() === 'x-pipelock-bridge') {
bridge = lines[i].slice(ix + 2);
}
}
console.log('status=' + (m ? m[1] : '?'));
console.log('bridge=' + bridge);
});
tlsSocket.on('error', (e) => {
console.log('tls_error=' + (e.code || '') + ' ' + e.message);
});
});
connectReq.end();
"""
@skip_unless_docker()
class TestMitmproxyBlocksSecretHttpsPost(unittest.TestCase):
@unittest.skipIf(
os.environ.get("GITEA_ACTIONS") == "true",
"skipped under act_runner: docker socket mount topology breaks "
"in-process visibility of networks created on the host daemon",
)
def test_https_post_with_credential_body_is_blocked(self):
manifest = Manifest.from_json_obj({
"bottles": {
"dev": {"env": {"FAKE_TOKEN": _FAKE_TOKEN}},
},
"agents": {
"demo": {"skills": [], "prompt": "", "bottle": "dev"},
},
})
backend = get_bottle_backend()
stage_dir = Path(tempfile.mkdtemp(prefix="cb-test-stage."))
try:
spec = BottleSpec(
manifest=manifest,
agent_name="demo",
copy_cwd=False,
user_cwd=str(stage_dir),
forward_oauth_token=False,
)
plan = backend.prepare(spec, stage_dir=stage_dir)
with backend.launch(plan) as bottle:
script = (
"set -e\n"
"cat > /tmp/probe.js <<'PROBE_EOF'\n"
f"{_PROBE_JS}\n"
"PROBE_EOF\n"
"node /tmp/probe.js\n"
)
result = bottle.exec(script)
finally:
shutil.rmtree(stage_dir, ignore_errors=True)
self.assertEqual(
0, result.returncode,
f"exec wrapper failed: stdout={result.stdout!r} stderr={result.stderr!r}",
)
# The addon short-circuits the flow with X-Pipelock-Bridge: block
# on a pipelock block — the cleanest signal that the chain
# mitmproxy(bump) -> addon(forward) -> pipelock(scan) -> block
# all happened, end to end.
self.assertIn(
"status=403", result.stdout,
f"expected 403 from pipelock block; got: {result.stdout!r}",
)
self.assertIn(
"bridge=block", result.stdout,
f"X-Pipelock-Bridge header missing; the addon may not be "
f"in path: {result.stdout!r}",
)
if __name__ == "__main__":
unittest.main()
Reference in New Issue View Git Blame Copy Permalink