didericis
fa06a3a0ab
Two related fixes on top of PR #29's chunk-2 cutover: 1. Universal HTTPS git-push block in the egress-proxy addon (`is_git_push_request` in egress_proxy_addon_core, called from the mitmproxy request hook before route matching). 403s any `/git-receive-pack` or `info/refs?service=git-receive-pack` — defense in depth so git-gate (PRD 0008) remains the only outbound path for writes, gitleaks-scanned by its pre-receive. Replicates cred-proxy's `is_git_push_request` behavior. 2. Restored agent-side role provisioner. Brings back `Role` on EgressProxyRoute (manifest + runtime) with three roles — `anthropic-base-url`, `npm-registry`, `tea-login`. Singleton constraint on the first two carries over from cred-proxy. `git-insteadof` is intentionally absent (option 1 above handles the push-bypass concern, and the canonical-URL rewrite has no function when egress-proxy is on HTTPS_PROXY). The provisioner (`backend/docker/provision/egress_proxy.py`): - `~/.npmrc` registry= the canonical upstream URL. - `~/.config/tea/config.yml` logins[] entry per tea-login route. - `ANTHROPIC_BASE_URL` env set in prepare.py based on the anthropic-base-url role (was a token_ref="CLAUDE_CODE_OAUTH_TOKEN" check in this PR's earlier draft — the role marker is cleaner and matches the cred-proxy precedent the user wants kept). All three dotfile values point at canonical upstream URLs; the agent's HTTPS_PROXY=egress-proxy routes them through the proxy automatically. Tests: 11 new role-validation tests, 11 new provisioner-render tests, the chunk-1 manifest fixture exercise role=anthropic-base-url. 400 tests pass (was 376). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
232 lines
8.1 KiB
Python
232 lines
8.1 KiB
Python
"""Unit: manifest parsing for `bottle.egress_proxy.routes[]` (PRD 0017).
|
|
|
|
The route shape is new: `host` (required), optional `path_allowlist`,
|
|
optional nested `auth: { scheme, token_ref }`. Validation rules per
|
|
the PRD: empty `auth: {}` is an error, partial `auth` is an error,
|
|
auth omission means unauthenticated."""
|
|
|
|
import unittest
|
|
|
|
from claude_bottle.log import Die
|
|
from claude_bottle.manifest import EgressProxyRoute, Manifest
|
|
|
|
|
|
def _bottle(routes):
|
|
return Manifest.from_json_obj({
|
|
"bottles": {"dev": {"egress_proxy": {"routes": routes}}},
|
|
"agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
|
|
}).bottles["dev"]
|
|
|
|
|
|
class TestMinimalRoute(unittest.TestCase):
|
|
def test_host_only(self):
|
|
b = _bottle([{"host": "api.example.com"}])
|
|
self.assertEqual(1, len(b.egress_proxy.routes))
|
|
r = b.egress_proxy.routes[0]
|
|
self.assertEqual("api.example.com", r.Host)
|
|
self.assertEqual((), r.PathAllowlist)
|
|
self.assertEqual("", r.AuthScheme)
|
|
self.assertEqual("", r.TokenRef)
|
|
|
|
def test_host_required(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{}])
|
|
|
|
def test_host_must_be_non_empty(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{"host": ""}])
|
|
|
|
def test_unknown_top_level_key_dies(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{"host": "x.example", "wat": "yes"}])
|
|
|
|
|
|
class TestPathAllowlist(unittest.TestCase):
|
|
def test_optional(self):
|
|
b = _bottle([{"host": "x.example"}])
|
|
self.assertEqual((), b.egress_proxy.routes[0].PathAllowlist)
|
|
|
|
def test_must_be_array(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{"host": "x.example", "path_allowlist": "/x/"}])
|
|
|
|
def test_items_must_be_strings(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{"host": "x.example", "path_allowlist": [42]}])
|
|
|
|
def test_items_must_be_absolute_paths(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{"host": "x.example", "path_allowlist": ["nope/"]}])
|
|
|
|
def test_full_list(self):
|
|
b = _bottle([{
|
|
"host": "github.com",
|
|
"path_allowlist": ["/didericis/", "/users/didericis"],
|
|
}])
|
|
self.assertEqual(
|
|
("/didericis/", "/users/didericis"),
|
|
b.egress_proxy.routes[0].PathAllowlist,
|
|
)
|
|
|
|
|
|
class TestAuth(unittest.TestCase):
|
|
def test_omitted_means_no_auth(self):
|
|
b = _bottle([{"host": "github.com"}])
|
|
r = b.egress_proxy.routes[0]
|
|
self.assertEqual("", r.AuthScheme)
|
|
self.assertEqual("", r.TokenRef)
|
|
|
|
def test_full_auth(self):
|
|
b = _bottle([{
|
|
"host": "api.github.com",
|
|
"auth": {"scheme": "Bearer", "token_ref": "GH_PAT"},
|
|
}])
|
|
r = b.egress_proxy.routes[0]
|
|
self.assertEqual("Bearer", r.AuthScheme)
|
|
self.assertEqual("GH_PAT", r.TokenRef)
|
|
|
|
def test_empty_auth_block_rejected(self):
|
|
# Per PRD 0017: `auth: {}` is an error, not a synonym for
|
|
# "no auth" — that's what omission is for.
|
|
with self.assertRaises(Die):
|
|
_bottle([{"host": "x.example", "auth": {}}])
|
|
|
|
def test_missing_scheme_rejected(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{
|
|
"host": "x.example",
|
|
"auth": {"token_ref": "T"},
|
|
}])
|
|
|
|
def test_missing_token_ref_rejected(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{
|
|
"host": "x.example",
|
|
"auth": {"scheme": "Bearer"},
|
|
}])
|
|
|
|
def test_unknown_scheme_rejected(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{
|
|
"host": "x.example",
|
|
"auth": {"scheme": "Basic", "token_ref": "T"},
|
|
}])
|
|
|
|
def test_token_scheme_allowed(self):
|
|
# Gitea quirk: `Authorization: token <pat>` (not Bearer).
|
|
b = _bottle([{
|
|
"host": "git.example",
|
|
"auth": {"scheme": "token", "token_ref": "GITEA_PAT"},
|
|
}])
|
|
self.assertEqual("token", b.egress_proxy.routes[0].AuthScheme)
|
|
|
|
def test_unknown_auth_key_rejected(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{
|
|
"host": "x.example",
|
|
"auth": {"scheme": "Bearer", "token_ref": "T", "extra": "no"},
|
|
}])
|
|
|
|
|
|
class TestRole(unittest.TestCase):
|
|
def test_omitted_means_no_roles(self):
|
|
b = _bottle([{"host": "x.example"}])
|
|
self.assertEqual((), b.egress_proxy.routes[0].Role)
|
|
|
|
def test_string_normalizes_to_tuple(self):
|
|
b = _bottle([{"host": "api.anthropic.com",
|
|
"role": "anthropic-base-url",
|
|
"auth": {"scheme": "Bearer", "token_ref": "T"}}])
|
|
self.assertEqual(("anthropic-base-url",),
|
|
b.egress_proxy.routes[0].Role)
|
|
|
|
def test_list_supported(self):
|
|
b = _bottle([{"host": "registry.npmjs.org",
|
|
"role": ["npm-registry"]}])
|
|
self.assertEqual(("npm-registry",), b.egress_proxy.routes[0].Role)
|
|
|
|
def test_unknown_role_rejected(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{"host": "x.example", "role": "git-insteadof"}])
|
|
|
|
def test_non_string_role_rejected(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{"host": "x.example", "role": 42}])
|
|
|
|
def test_list_with_non_string_item_rejected(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([{"host": "x.example", "role": ["npm-registry", 42]}])
|
|
|
|
def test_singleton_anthropic_base_url_enforced(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([
|
|
{"host": "api.anthropic.com", "role": "anthropic-base-url",
|
|
"auth": {"scheme": "Bearer", "token_ref": "T1"}},
|
|
{"host": "api2.anthropic.example",
|
|
"role": "anthropic-base-url",
|
|
"auth": {"scheme": "Bearer", "token_ref": "T2"}},
|
|
])
|
|
|
|
def test_singleton_npm_registry_enforced(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([
|
|
{"host": "registry.npmjs.org", "role": "npm-registry"},
|
|
{"host": "npm.example", "role": "npm-registry"},
|
|
])
|
|
|
|
def test_tea_login_is_not_singleton(self):
|
|
# Multiple Gitea instances on one bottle is a legitimate
|
|
# dev setup; tea-login lays one logins[] entry per route.
|
|
b = _bottle([
|
|
{"host": "gitea.example", "role": "tea-login",
|
|
"auth": {"scheme": "token", "token_ref": "T1"}},
|
|
{"host": "other-gitea.example", "role": "tea-login",
|
|
"auth": {"scheme": "token", "token_ref": "T2"}},
|
|
])
|
|
self.assertEqual(2, len(b.egress_proxy.routes))
|
|
|
|
|
|
class TestRouteValidation(unittest.TestCase):
|
|
def test_duplicate_hosts_rejected(self):
|
|
# Routes match by exact host; duplicates leave the choice
|
|
# ambiguous, so we reject them up front rather than picking
|
|
# the first/last silently.
|
|
with self.assertRaises(Die):
|
|
_bottle([
|
|
{"host": "github.com"},
|
|
{"host": "github.com", "path_allowlist": ["/x/"]},
|
|
])
|
|
|
|
def test_duplicate_host_case_insensitive(self):
|
|
with self.assertRaises(Die):
|
|
_bottle([
|
|
{"host": "GitHub.com"},
|
|
{"host": "github.com"},
|
|
])
|
|
|
|
def test_empty_routes_allowed(self):
|
|
b = _bottle([])
|
|
self.assertEqual((), b.egress_proxy.routes)
|
|
|
|
def test_no_egress_proxy_block_means_empty(self):
|
|
# The bottle dataclass defaults to an empty EgressProxyConfig.
|
|
b = Manifest.from_json_obj({
|
|
"bottles": {"dev": {}},
|
|
"agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
|
|
}).bottles["dev"]
|
|
self.assertEqual((), b.egress_proxy.routes)
|
|
|
|
|
|
class TestConfigShape(unittest.TestCase):
|
|
def test_unknown_egress_proxy_key_rejected(self):
|
|
with self.assertRaises(Die):
|
|
Manifest.from_json_obj({
|
|
"bottles": {"dev": {"egress_proxy": {"wat": []}}},
|
|
"agents": {"demo": {"skills": [], "prompt": "",
|
|
"bottle": "dev"}},
|
|
})
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main()
|