6130ea385f
PRD 0007: SSH traffic now flows through the per-agent ssh-gate sidecar, so pipelock should know nothing about bottle.ssh.

Removed:
- pipelock_bottle_ssh_hostnames, _trusted_domains, _ip_cidrs.
- The trusted_domains / ssrf blocks built from ssh entries.
- pipelock_proxy_host_port — its last caller (the ssh provisioner) is gone.
- is_ipv4_literal — only used to classify ssh hostnames into trusted_domains vs ssrf.ip_allowlist, both of which are gone.

api_allowlist now derives solely from baked-in defaults + bottle.egress.allowlist. Tests updated to pin the new shape and assert ssh hostnames do NOT leak into pipelock's config.
19 lines
584 B
Python
```python
"""Cross-cutting utility helpers used by multiple modules.

Top-level (i.e. backend-agnostic) — backend-specific helpers live one
level deeper, under their backend package."""

from __future__ import annotations

import os


def expand_tilde(path: str) -> str:
    """Expand a leading '~' to $HOME. Leaves paths without a leading
    tilde unchanged. Falls back to the empty string if $HOME is unset
    (callers should already have checked HOME if they care)."""
    if path.startswith("~"):
        home = os.environ.get("HOME", "")
        return home + path[1:]
    return path
```
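An added example, not part of the repository: it copies `expand_tilde` from the file above and pairs it with a hypothetical stricter variant, `expand_tilde_strict`, to show the two inputs where a caller may get a path it did not expect, namely `~user/...` forms and an unset `$HOME`. The `compare` helper and the sample paths are constructed for illustration.

```python
from __future__ import annotations

import os


def expand_tilde(path: str) -> str:
    """Copy of the helper shown above, unchanged in behaviour."""
    if path.startswith("~"):
        home = os.environ.get("HOME", "")
        return home + path[1:]
    return path


def expand_tilde_strict(path: str) -> str:
    """Hypothetical stricter variant (an assumption, not project code).

    Expands only a bare '~' or a '~/' prefix, rejects '~user' forms, and
    raises when HOME is unset or relative instead of returning a path
    rooted at '/'."""
    if not path.startswith("~"):
        return path
    if path != "~" and not path.startswith("~/"):
        raise ValueError(f"unsupported tilde form: {path!r}")
    home = os.environ.get("HOME", "")
    if not os.path.isabs(home):
        raise ValueError("HOME is unset or not an absolute path")
    return home.rstrip("/") + path[1:]


def compare(path: str, home: str | None) -> tuple[str, str]:
    """Run both helpers with HOME set to `home` (None means unset) and
    return (original result, strict result or 'ValueError: ...')."""
    saved = os.environ.get("HOME")
    try:
        if home is None:
            os.environ.pop("HOME", None)
        else:
            os.environ["HOME"] = home
        try:
            strict = expand_tilde_strict(path)
        except ValueError as exc:
            strict = f"ValueError: {exc}"
        return expand_tilde(path), strict
    finally:
        # Restore the caller's environment exactly as it was.
        if saved is None:
            os.environ.pop("HOME", None)
        else:
            os.environ["HOME"] = saved
```

Calling `compare("~bob/.ssh/config", "/home/alice")` or `compare("~/.ssh/config", None)` shows the two cases where the results differ.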