clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-04-24 22:54:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

parser state

Browse Source
This commit is contained in:
kevin zhao
2025-11-13 17:12:21 -05:00
parent 43db77a97b
commit cd4df53316
3 changed files with 73 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
codex-rs/execpolicy2/src/main.rs
View File

@@ -53,9 +53,9 @@ fn load_policies(policy_paths: &[PathBuf]) -> Result<codex_execpolicy2::Policy>
})
.collect::<Result<_>>()
.context("failed to load policy files")?;
Ok(PolicyParser::parse_many(loaded_policies.iter().map(
|(policy_identifier, policy_file_contents)| {
(policy_identifier.as_str(), policy_file_contents.as_str())
},
))?)
let mut parser = PolicyParser::new();
for (policy_identifier, policy_file_contents) in &loaded_policies {
parser.parse(policy_identifier, policy_file_contents)?;
}
Ok(parser.build())
}

61
codex-rs/execpolicy2/src/parser.rs
View File

@@ -25,45 +25,44 @@ use crate::rule::RuleRef;
use crate::rule::validate_match_examples;
use crate::rule::validate_not_match_examples;
pub struct PolicyParser;
pub struct PolicyParser {
builder: RefCell<PolicyBuilder>,
}
impl Default for PolicyParser {
fn default() -> Self {
Self::new()
}
}
impl PolicyParser {
/// Parses a policy, tagging parser errors with `policy_identifier` so failures include the
/// identifier alongside line numbers.
pub fn parse(
policy_identifier: &str,
policy_file_contents: &str,
) -> Result<crate::policy::Policy> {
Self::parse_many([(policy_identifier, policy_file_contents)])
pub fn new() -> Self {
Self {
builder: RefCell::new(PolicyBuilder::new()),
}
}
/// Parses multiple policy files and merges the resulting rules.
pub fn parse_many<Policies, Identifier, Contents>(
policies: Policies,
) -> Result<crate::policy::Policy>
where
Policies: IntoIterator<Item = (Identifier, Contents)>,
Identifier: AsRef<str>,
Contents: AsRef<str>,
{
/// Parses a policy, tagging parser errors with `policy_identifier` so failures include the
/// identifier alongside line numbers.
pub fn parse(&mut self, policy_identifier: &str, policy_file_contents: &str) -> Result<()> {
let mut dialect = Dialect::Extended.clone();
dialect.enable_f_strings = true;
let globals = GlobalsBuilder::standard().with(policy_builtins).build();
let ast = AstModule::parse(
policy_identifier,
policy_file_contents.to_string(),
&dialect,
)
.map_err(Error::Starlark)?;
let module = Module::new();
let mut eval = Evaluator::new(&module);
eval.extra = Some(&self.builder);
eval.eval_module(ast, &globals).map_err(Error::Starlark)?;
Ok(())
}
let builder = RefCell::new(PolicyBuilder::new());
for (policy_identifier, policy_file_contents) in policies {
let ast = AstModule::parse(
policy_identifier.as_ref(),
policy_file_contents.as_ref().to_string(),
&dialect,
)
.map_err(Error::Starlark)?;
let module = Module::new();
let mut eval = Evaluator::new(&module);
eval.extra = Some(&builder);
eval.eval_module(ast, &globals).map_err(Error::Starlark)?;
}
Ok(builder.into_inner().build())
pub fn build(self) -> crate::policy::Policy {
self.builder.into_inner().build()
}
}

50
codex-rs/execpolicy2/tests/basic.rs
View File

@@ -41,7 +41,11 @@ prefix_rule(
pattern = ["git", "status"],
)
"#;
let policy = PolicyParser::parse("test.codexpolicy", policy_src).expect("parse policy");
let mut parser = PolicyParser::new();
parser
.parse("test.codexpolicy", policy_src)
.expect("parse policy");
let policy = parser.build();
let cmd = tokens(&["git", "status"]);
let evaluation = policy.check(&cmd);
assert_eq!(
@@ -70,12 +74,14 @@ prefix_rule(
decision = "forbidden",
)
"#;
let policy = PolicyParser::parse_many([
("first.codexpolicy", first_policy),
("second.codexpolicy", second_policy),
])
.expect("parse policy");
let mut parser = PolicyParser::new();
parser
.parse("first.codexpolicy", first_policy)
.expect("parse policy");
parser
.parse("second.codexpolicy", second_policy)
.expect("parse policy");
let policy = parser.build();
let git_rules = rule_snapshots(policy.rules().get_vec("git").expect("git rules"));
assert_eq!(
@@ -136,7 +142,11 @@ prefix_rule(
pattern = [["bash", "sh"], ["-c", "-l"]],
)
"#;
let policy = PolicyParser::parse("test.codexpolicy", policy_src).expect("parse policy");
let mut parser = PolicyParser::new();
parser
.parse("test.codexpolicy", policy_src)
.expect("parse policy");
let policy = parser.build();
let bash_rules = rule_snapshots(policy.rules().get_vec("bash").expect("bash rules"));
let sh_rules = rule_snapshots(policy.rules().get_vec("sh").expect("sh rules"));
@@ -193,7 +203,11 @@ prefix_rule(
pattern = ["npm", ["i", "install"], ["--legacy-peer-deps", "--no-save"]],
)
"#;
let policy = PolicyParser::parse("test.codexpolicy", policy_src).expect("parse policy");
let mut parser = PolicyParser::new();
parser
.parse("test.codexpolicy", policy_src)
.expect("parse policy");
let policy = parser.build();
let rules = rule_snapshots(policy.rules().get_vec("npm").expect("npm rules"));
assert_eq!(
@@ -251,7 +265,11 @@ prefix_rule(
],
)
"#;
let policy = PolicyParser::parse("test.codexpolicy", policy_src).expect("parse policy");
let mut parser = PolicyParser::new();
parser
.parse("test.codexpolicy", policy_src)
.expect("parse policy");
let policy = parser.build();
let match_eval = policy.check(&tokens(&["git", "status"]));
assert_eq!(
Evaluation::Match {
@@ -289,7 +307,11 @@ prefix_rule(
decision = "forbidden",
)
"#;
let policy = PolicyParser::parse("test.codexpolicy", policy_src).expect("parse policy");
let mut parser = PolicyParser::new();
parser
.parse("test.codexpolicy", policy_src)
.expect("parse policy");
let policy = parser.build();
let status = policy.check(&tokens(&["git", "status"]));
assert_eq!(
@@ -344,7 +366,11 @@ prefix_rule(
decision = "forbidden",
)
"#;
let policy = PolicyParser::parse("test.codexpolicy", policy_src).expect("parse policy");
let mut parser = PolicyParser::new();
parser
.parse("test.codexpolicy", policy_src)
.expect("parse policy");
let policy = parser.build();
let commands = vec![
tokens(&["git", "status"]),