fix(sandbox): add mechanistic smoke test for L4 deny and document the L4/L7 split#1412
Open
mesutoezdil wants to merge 4 commits into
Open
fix(sandbox): add mechanistic smoke test for L4 deny and document the L4/L7 split#1412mesutoezdil wants to merge 4 commits into
mesutoezdil wants to merge 4 commits into
Conversation
… L4/L7 split The old smoke script exercised an L7 PUT which hung because the denial aggregator is only wired to L4 CONNECT denies, not L7 enforcement. Add mechanistic-smoke.sh which triggers an L4 deny, waits for the aggregator to flush, and asserts a pending chunk appears under openshell rule get --status pending. Document the intentional L4-only scope of the mechanistic mapper in architecture/sandbox.md. Fixes NVIDIA#1333 Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
mesutoezdil
requested review from
a team,
derekwaynecarr,
maxamillion and
mrunalp
as code owners
…p call Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
Collaborator
|
I tested the new smoke locally on this branch with the Docker-backed e2e wrapper: e2e/with-docker-gateway.sh bash -lc '
target/debug/openshell settings set --global \
--key agent_policy_proposals_enabled \
--value true \
--yes
OPENSHELL_BIN="$PWD/target/debug/openshell" \
bash e2e/policy-advisor/mechanistic-smoke.sh
'It passed: the script created a sandbox, triggered the expected L4 CONNECT deny for A few items still need action before this fully resolves #1333:
The L4 retarget itself looks correct based on the local run; the main gap is making sure this becomes durable regression coverage and that all acceptance items from #1333 are addressed. |
- Initialize TMP_DIR before trap to prevent unbound variable on early exit - Add e2e:mechanistic-smoke mise task with gateway setup - Document mechanistic smoke in policy-advisor README
Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
mesutoezdil
force-pushed
the
fix/1333-mechanistic-l4-smoke
branch
from
188cbf8 to
2bcc30e
Compare
Contributor
Author
|
Addressed all 3 items: wired the smoke into mise, guarded TMP_DIR, and added a unit test in proxy::tests::test_emit_denial_enqueues_denial_event that verifies an L4 deny enqueues a DenialEvent with the correct fields. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
e2e/policy-advisor/mechanistic-smoke.shto test the mechanistic mapper with an L4 CONNECT denyarchitecture/sandbox.mddocumenting the intentional L4-only scopemise run e2e:mechanistic-smokewith gateway setupe2e/policy-advisor/README.mdTMP_DIRreference on early exit (set -uguard)Related Issue: Refs #1333
Testing
bash -n e2e/policy-advisor/mechanistic-smoke.shpassesmarkdownlint-cli2 architecture/sandbox.mdpasses with 0 errorsmise run e2e:mechanistic-smokeruns the full flow against a Docker gateway