didericis
3be70eb07a
Reshape the allowlist topology so the egress-proxy is the bottle's
single allowlist surface, and replace the agent-side
routes/allowlist file mounts with a live MCP tool.
Policy change (move defaults to egress-proxy):
- `egress_proxy_routes_for_bottle(bottle)` now folds in
DEFAULT_ALLOWLIST (the claude-code defaults) and
`bottle.egress.allowlist` (user adds) as bare-pass routes (no
auth, no path filter), on top of the bottle's
`egress_proxy.routes`. Manifest routes win on host collision.
- `pipelock_effective_allowlist(bottle)` mirrors egress-proxy's
effective host set when egress-proxy is in use. Pipelock is
no longer the bottle's primary allowlist authority; it
enforces a downstream copy as defense-in-depth + does DLP body
scanning.
- Split out `egress_proxy_manifest_routes(bottle)` for callers
that want just the manifest entries (tests, internal use).
- DEFAULT_ALLOWLIST moves from `pipelock.py` to `egress_proxy.py`
(pipelock re-imports for the no-egress-proxy fallback path).
- Dropped the `egress-proxy` auto-allow on pipelock's allowlist
— the agent never dials egress-proxy via the proxy mechanism;
pipelock only sees upstream hostnames from egress-proxy's
CONNECTs.
Introspection endpoint (existing mitmproxy feature):
- Egress-proxy addon recognises requests to the magic host
`_egress-proxy.local` and synthesizes responses via
`flow.response = http.Response.make(...)` — no upstream
connection, no allowlist enforcement on the magic host.
- `GET /allowlist` returns the in-memory route table as JSON
(host + path_allowlist + auth_scheme + token_env per route;
no token VALUES).
- Smoke-tested end-to-end against a real egress-proxy container.
MCP tool (existing supervise plumbing):
- New `list-egress-proxy-routes` tool (no inputs, no operator
approval). Handler fetches via egress-proxy's introspection
endpoint using urllib's ProxyHandler against
`EGRESS_PROXY_FORWARD_PROXY`. Returns the JSON payload as the
tool's text content; `isError: true` if the proxy is
unreachable.
- `egress-proxy-block` description now points the agent at
`list-egress-proxy-routes` instead of a staged file path.
- `pipelock-block` description acknowledges the mirror — agents
should prefer `egress-proxy-block` to add hosts; pipelock-block
stays for the rare divergence case.
Drop agent-side file mounts:
- Supervise's `current-config` dir staging no longer writes
routes.yaml / allowlist. Only `Dockerfile` remains
(capability-block still reads it from
`/etc/claude-bottle/current-config/Dockerfile`).
- `prepare.py` stops passing `routes_content` /
`allowlist_content` to `supervise.prepare`.
- `Supervise.prepare` signature simplified to one
`dockerfile_content` kwarg.
Tests: 400 unit + integration pass. Added coverage for
defaults-folding (`TestRoutesForBottleFoldsDefaults`), the new
tool definition + handler, and the updated supervise.prepare
shape.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
179 lines
7.0 KiB
Python
179 lines
7.0 KiB
Python
"""mitmproxy addon entrypoint for the egress-proxy sidecar (PRD 0017).
|
|
|
|
Loaded by `mitmdump -s /app/egress_proxy_addon.py` inside the
|
|
egress-proxy container. Wraps the pure logic from
|
|
`egress_proxy_addon_core` with mitmproxy's HTTPFlow API:
|
|
|
|
- At startup, read `EGRESS_PROXY_ROUTES` (default
|
|
`/etc/egress-proxy/routes.yaml`, JSON content) → routes table.
|
|
- SIGHUP re-reads the file and atomically swaps the in-memory
|
|
table. A parse error keeps the old table in place — better to
|
|
keep serving the old config than to leave the proxy with no
|
|
routes after a typo.
|
|
- On each `request`: strip the inbound Authorization header, then
|
|
consult `decide()` for forward / block / inject-auth and apply
|
|
the decision to the flow.
|
|
|
|
This file imports `mitmproxy` and is never imported on the host —
|
|
mitmproxy is a container-only dependency. The host's tests target
|
|
`egress_proxy_addon_core`.
|
|
|
|
Dockerfile.egress-proxy copies both this file and
|
|
`egress_proxy_addon_core.py` flat into `/app/`; the absolute import
|
|
below works because mitmdump runs with `/app` on its sys.path. The
|
|
parallel file in the package source tree (claude_bottle/) is the
|
|
build input — not a module the host imports."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import dataclasses
|
|
import json
|
|
import os
|
|
import signal
|
|
import sys
|
|
from pathlib import Path
|
|
|
|
from mitmproxy import http # type: ignore[import-not-found]
|
|
|
|
# Absolute import (NOT `from .egress_proxy_addon_core`) — the
|
|
# container drops both files flat into /app/ so they are sibling
|
|
# top-level modules to mitmdump's loader, not a package.
|
|
from egress_proxy_addon_core import Route, decide, is_git_push_request, load_routes # type: ignore[import-not-found]
|
|
|
|
|
|
DEFAULT_ROUTES_PATH = "/etc/egress-proxy/routes.yaml"
|
|
|
|
# Magic hostname the addon recognises as an introspection target.
|
|
# Requests through the proxy for `_egress-proxy.local/<path>` are
|
|
# intercepted and answered with synthetic responses (the addon's
|
|
# `request` hook sets `flow.response` before any upstream connection).
|
|
# The hostname is not in DNS — only clients dialing through this
|
|
# specific egress-proxy can reach it, and only via HTTP (no TLS).
|
|
# Used by the supervise sidecar's `list-egress-proxy-routes` MCP
|
|
# tool to surface the live route table to the agent.
|
|
INTROSPECT_HOST = "_egress-proxy.local"
|
|
|
|
|
|
class EgressProxyAddon:
|
|
"""The mitmproxy addon. One instance per `mitmdump` process; the
|
|
request hook is invoked on every CONNECT-decapsulated HTTP/HTTPS
|
|
request the agent makes."""
|
|
|
|
def __init__(self) -> None:
|
|
self.routes_path = os.environ.get("EGRESS_PROXY_ROUTES", DEFAULT_ROUTES_PATH)
|
|
self.routes: tuple[Route, ...] = ()
|
|
self._reload(initial=True)
|
|
self._install_sighup()
|
|
|
|
def _reload(self, *, initial: bool = False) -> None:
|
|
try:
|
|
text = Path(self.routes_path).read_text(encoding="utf-8")
|
|
new_routes = load_routes(text)
|
|
except (OSError, ValueError) as e:
|
|
tag = "boot" if initial else "SIGHUP"
|
|
sys.stderr.write(
|
|
f"egress-proxy: {tag} load failed: {e}\n"
|
|
)
|
|
if initial:
|
|
# No baseline to fall back on; serve nothing rather
|
|
# than masquerade as a proxy with a route table the
|
|
# operator never declared.
|
|
self.routes = ()
|
|
return
|
|
self.routes = new_routes
|
|
sys.stderr.write(
|
|
f"egress-proxy: loaded {len(self.routes)} route(s): "
|
|
f"{', '.join(r.host for r in self.routes)}\n"
|
|
)
|
|
|
|
def _install_sighup(self) -> None:
|
|
if not hasattr(signal, "SIGHUP"):
|
|
return
|
|
|
|
def handler(signum: int, frame: object) -> None:
|
|
del signum, frame
|
|
self._reload()
|
|
|
|
signal.signal(signal.SIGHUP, handler)
|
|
|
|
def _serve_introspection(self, flow: http.HTTPFlow, path: str) -> None:
|
|
"""Synthesize a response for `_egress-proxy.local` requests.
|
|
Currently supports `/allowlist` which returns the in-memory
|
|
route table as JSON (host, path_allowlist, auth_scheme,
|
|
token_env per route — no token VALUES, those live in the
|
|
container's environ)."""
|
|
if path == "/allowlist":
|
|
payload = json.dumps(
|
|
{"routes": [dataclasses.asdict(r) for r in self.routes]},
|
|
indent=2,
|
|
).encode("utf-8")
|
|
flow.response = http.Response.make(
|
|
200, payload,
|
|
{"Content-Type": "application/json"},
|
|
)
|
|
return
|
|
flow.response = http.Response.make(
|
|
404,
|
|
f"egress-proxy introspection: no such endpoint {path!r}".encode(),
|
|
{"Content-Type": "text/plain; charset=utf-8"},
|
|
)
|
|
|
|
# mitmproxy's addon API: this method name + signature is how
|
|
# mitmdump discovers the request hook.
|
|
def request(self, flow: http.HTTPFlow) -> None:
|
|
request_path, _, query = flow.request.path.partition("?")
|
|
|
|
# Introspection: requests to the magic `_egress-proxy.local`
|
|
# host are answered locally with a synthetic response. Check
|
|
# before the strip-auth + route logic — these requests aren't
|
|
# real upstream traffic, the agent isn't injecting auth, and
|
|
# the addon's own decide() would 403 the magic host (it's
|
|
# never in the routes table).
|
|
if flow.request.pretty_host == INTROSPECT_HOST:
|
|
self._serve_introspection(flow, request_path)
|
|
return
|
|
|
|
# Inbound Authorization is always stripped — the agent cannot
|
|
# smuggle a stolen token through the proxy. If the matched
|
|
# route declares an auth pair, a fresh header is injected
|
|
# below.
|
|
flow.request.headers.pop("authorization", None)
|
|
|
|
# Universal HTTPS git-push block. Defense-in-depth: git-gate
|
|
# (PRD 0008) is the only sanctioned outbound path for git
|
|
# writes — its pre-receive runs gitleaks. Letting HTTPS push
|
|
# through egress-proxy + auth injection would route around
|
|
# that scan, so we 403 before any route logic.
|
|
if is_git_push_request(request_path, query):
|
|
flow.response = http.Response.make(
|
|
403,
|
|
(
|
|
b"egress-proxy: git push over HTTPS is not supported; "
|
|
b"use the bottle.git SSH path (gitleaks-scanned by "
|
|
b"git-gate's pre-receive hook)."
|
|
),
|
|
{"Content-Type": "text/plain; charset=utf-8"},
|
|
)
|
|
return
|
|
|
|
decision = decide(
|
|
self.routes,
|
|
flow.request.pretty_host,
|
|
request_path,
|
|
os.environ,
|
|
)
|
|
|
|
if decision.action == "block":
|
|
flow.response = http.Response.make(
|
|
403,
|
|
decision.reason.encode("utf-8"),
|
|
{"Content-Type": "text/plain; charset=utf-8"},
|
|
)
|
|
return
|
|
|
|
if decision.inject_authorization is not None:
|
|
flow.request.headers["authorization"] = decision.inject_authorization
|
|
|
|
|
|
addons = [EgressProxyAddon()]
|