mirror of
https://github.com/openai/codex.git
synced 2026-05-06 04:17:03 +00:00
Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
44ec706a44 | ||
|
|
a3880e937b | ||
|
|
ee05c896f7 | ||
|
|
ada7881352 | ||
|
|
c4c371f257 | ||
|
|
97aaf4cea4 |
@@ -1198,8 +1198,7 @@ mod tests {
|
||||
use codex_execpolicy::Decision;
|
||||
use codex_execpolicy::Evaluation;
|
||||
use codex_execpolicy::RuleMatch;
|
||||
use codex_protocol::protocol::NetworkAccess;
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use codex_protocol::permissions::NetworkSandboxPolicy;
|
||||
use codex_utils_absolute_path::AbsolutePathBuf;
|
||||
use codex_utils_absolute_path::AbsolutePathBufGuard;
|
||||
use pretty_assertions::assert_eq;
|
||||
@@ -1215,10 +1214,6 @@ mod tests {
|
||||
)?)
|
||||
}
|
||||
|
||||
fn profile_from_sandbox_policy(sandbox_policy: &SandboxPolicy) -> PermissionProfile {
|
||||
PermissionProfile::from_legacy_sandbox_policy(sandbox_policy)
|
||||
}
|
||||
|
||||
fn with_unknown_source(toml: ConfigRequirementsToml) -> ConfigRequirementsWithSources {
|
||||
let ConfigRequirementsToml {
|
||||
allowed_approval_policies,
|
||||
@@ -1767,9 +1762,7 @@ allowed_approvals_reviewers = ["user"]
|
||||
assert_eq!(
|
||||
requirements
|
||||
.permission_profile
|
||||
.can_set(&profile_from_sandbox_policy(
|
||||
&SandboxPolicy::DangerFullAccess,
|
||||
)),
|
||||
.can_set(&PermissionProfile::Disabled),
|
||||
Err(ConstraintError::InvalidValue {
|
||||
field_name: "sandbox_mode",
|
||||
candidate: "DangerFullAccess".into(),
|
||||
@@ -1914,9 +1907,7 @@ allowed_approvals_reviewers = ["user"]
|
||||
assert!(
|
||||
requirements
|
||||
.permission_profile
|
||||
.can_set(&profile_from_sandbox_policy(
|
||||
&SandboxPolicy::new_read_only_policy()
|
||||
))
|
||||
.can_set(&PermissionProfile::read_only())
|
||||
.is_ok()
|
||||
);
|
||||
|
||||
@@ -1999,29 +1990,25 @@ allowed_approvals_reviewers = ["user"]
|
||||
assert!(
|
||||
requirements
|
||||
.permission_profile
|
||||
.can_set(&profile_from_sandbox_policy(
|
||||
&SandboxPolicy::new_read_only_policy()
|
||||
))
|
||||
.can_set(&PermissionProfile::read_only())
|
||||
.is_ok()
|
||||
);
|
||||
let workspace_write_policy = SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots: vec![AbsolutePathBuf::from_absolute_path(root)?],
|
||||
network_access: false,
|
||||
exclude_tmpdir_env_var: false,
|
||||
exclude_slash_tmp: false,
|
||||
};
|
||||
let workspace_write_profile = PermissionProfile::workspace_write_with(
|
||||
&[AbsolutePathBuf::from_absolute_path(root)?],
|
||||
NetworkSandboxPolicy::Restricted,
|
||||
/*exclude_tmpdir_env_var*/ false,
|
||||
/*exclude_slash_tmp*/ false,
|
||||
);
|
||||
assert!(
|
||||
requirements
|
||||
.permission_profile
|
||||
.can_set(&profile_from_sandbox_policy(&workspace_write_policy))
|
||||
.can_set(&workspace_write_profile)
|
||||
.is_ok()
|
||||
);
|
||||
assert_eq!(
|
||||
requirements
|
||||
.permission_profile
|
||||
.can_set(&profile_from_sandbox_policy(
|
||||
&SandboxPolicy::DangerFullAccess,
|
||||
)),
|
||||
.can_set(&PermissionProfile::Disabled),
|
||||
Err(ConstraintError::InvalidValue {
|
||||
field_name: "sandbox_mode",
|
||||
candidate: "DangerFullAccess".into(),
|
||||
@@ -2032,11 +2019,9 @@ allowed_approvals_reviewers = ["user"]
|
||||
assert_eq!(
|
||||
requirements
|
||||
.permission_profile
|
||||
.can_set(&profile_from_sandbox_policy(
|
||||
&SandboxPolicy::ExternalSandbox {
|
||||
network_access: NetworkAccess::Restricted,
|
||||
}
|
||||
)),
|
||||
.can_set(&PermissionProfile::External {
|
||||
network: NetworkSandboxPolicy::Restricted,
|
||||
}),
|
||||
Err(ConstraintError::InvalidValue {
|
||||
field_name: "sandbox_mode",
|
||||
candidate: "ExternalSandbox".into(),
|
||||
@@ -2117,24 +2102,22 @@ allowed_approvals_reviewers = ["user"]
|
||||
|
||||
let requirements = ConfigRequirements::try_from(requirements_with_sources)?;
|
||||
let root = if cfg!(windows) { "C:\\repo" } else { "/repo" };
|
||||
let workspace_write_policy = SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots: vec![AbsolutePathBuf::from_absolute_path(root)?],
|
||||
network_access: false,
|
||||
exclude_tmpdir_env_var: false,
|
||||
exclude_slash_tmp: false,
|
||||
};
|
||||
let workspace_write_profile = PermissionProfile::workspace_write_with(
|
||||
&[AbsolutePathBuf::from_absolute_path(root)?],
|
||||
NetworkSandboxPolicy::Restricted,
|
||||
/*exclude_tmpdir_env_var*/ false,
|
||||
/*exclude_slash_tmp*/ false,
|
||||
);
|
||||
assert!(
|
||||
requirements
|
||||
.permission_profile
|
||||
.can_set(&profile_from_sandbox_policy(&workspace_write_policy))
|
||||
.can_set(&workspace_write_profile)
|
||||
.is_ok()
|
||||
);
|
||||
assert_eq!(
|
||||
requirements
|
||||
.permission_profile
|
||||
.can_set(&profile_from_sandbox_policy(
|
||||
&SandboxPolicy::DangerFullAccess,
|
||||
)),
|
||||
.can_set(&PermissionProfile::Disabled),
|
||||
Err(ConstraintError::InvalidValue {
|
||||
field_name: "sandbox_mode",
|
||||
candidate: "DangerFullAccess".into(),
|
||||
@@ -2165,9 +2148,7 @@ allowed_approvals_reviewers = ["user"]
|
||||
assert_eq!(
|
||||
requirements
|
||||
.permission_profile
|
||||
.can_set(&profile_from_sandbox_policy(
|
||||
&SandboxPolicy::DangerFullAccess,
|
||||
)),
|
||||
.can_set(&PermissionProfile::Disabled),
|
||||
Err(ConstraintError::InvalidValue {
|
||||
field_name: "sandbox_mode",
|
||||
candidate: "DangerFullAccess".into(),
|
||||
@@ -2206,9 +2187,7 @@ allowed_approvals_reviewers = ["user"]
|
||||
assert_eq!(
|
||||
requirements
|
||||
.permission_profile
|
||||
.can_set(&profile_from_sandbox_policy(
|
||||
&SandboxPolicy::new_workspace_write_policy(),
|
||||
)),
|
||||
.can_set(&PermissionProfile::workspace_write()),
|
||||
Err(ConstraintError::InvalidValue {
|
||||
field_name: "sandbox_mode",
|
||||
candidate: "WorkspaceWrite".into(),
|
||||
|
||||
@@ -5,13 +5,8 @@ use codex_network_proxy::NetworkDomainPermission;
|
||||
use codex_protocol::models::ManagedFileSystemPermissions;
|
||||
use codex_protocol::models::PermissionProfile;
|
||||
use codex_protocol::permissions::NetworkSandboxPolicy;
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use pretty_assertions::assert_eq;
|
||||
|
||||
fn permission_profile_for_sandbox_policy(sandbox_policy: &SandboxPolicy) -> PermissionProfile {
|
||||
PermissionProfile::from_legacy_sandbox_policy(sandbox_policy)
|
||||
}
|
||||
|
||||
fn domain_permissions(
|
||||
entries: impl IntoIterator<Item = (&'static str, NetworkDomainPermissionToml)>,
|
||||
) -> NetworkDomainPermissionsToml {
|
||||
@@ -62,7 +57,7 @@ fn requirements_allowed_domains_are_a_baseline_for_user_allowlist() {
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::new_read_only_policy()),
|
||||
&PermissionProfile::read_only(),
|
||||
)
|
||||
.expect("config should stay within the managed allowlist");
|
||||
|
||||
@@ -97,7 +92,7 @@ fn requirements_allowed_domains_do_not_override_user_denies_for_same_pattern() {
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::new_workspace_write_policy()),
|
||||
&PermissionProfile::workspace_write(),
|
||||
)
|
||||
.expect("managed allowlist should not erase a user deny");
|
||||
|
||||
@@ -129,7 +124,7 @@ fn requirements_allowlist_expansion_keeps_user_entries_mutable() {
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::new_workspace_write_policy()),
|
||||
&PermissionProfile::workspace_write(),
|
||||
)
|
||||
.expect("managed baseline should still allow user edits");
|
||||
|
||||
@@ -207,7 +202,7 @@ fn danger_full_access_keeps_managed_allowlist_and_denylist_fixed() {
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::DangerFullAccess),
|
||||
&PermissionProfile::Disabled,
|
||||
)
|
||||
.expect("yolo mode should pin the effective policy to the managed baseline");
|
||||
|
||||
@@ -241,7 +236,7 @@ fn managed_allowed_domains_only_disables_default_mode_allowlist_expansion() {
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::new_workspace_write_policy()),
|
||||
&PermissionProfile::workspace_write(),
|
||||
)
|
||||
.expect("managed baseline should still load");
|
||||
|
||||
@@ -270,7 +265,7 @@ fn managed_allowed_domains_only_ignores_user_allowlist_and_hard_denies_misses()
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::new_workspace_write_policy()),
|
||||
&PermissionProfile::workspace_write(),
|
||||
)
|
||||
.expect("managed-only allowlist should still load");
|
||||
|
||||
@@ -300,7 +295,7 @@ fn managed_allowed_domains_only_without_managed_allowlist_blocks_all_user_domain
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::new_workspace_write_policy()),
|
||||
&PermissionProfile::workspace_write(),
|
||||
)
|
||||
.expect("managed-only mode should treat missing managed allowlist as empty");
|
||||
|
||||
@@ -324,7 +319,7 @@ fn managed_allowed_domains_only_blocks_all_user_domains_in_full_access_without_m
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::DangerFullAccess),
|
||||
&PermissionProfile::Disabled,
|
||||
)
|
||||
.expect("managed-only mode should treat missing managed allowlist as empty");
|
||||
|
||||
@@ -351,7 +346,7 @@ fn deny_only_requirements_do_not_create_allow_constraints_in_full_access() {
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::DangerFullAccess),
|
||||
&PermissionProfile::Disabled,
|
||||
)
|
||||
.expect("deny-only requirements should not constrain the allowlist");
|
||||
|
||||
@@ -384,7 +379,7 @@ fn allow_only_requirements_do_not_create_deny_constraints_in_full_access() {
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::DangerFullAccess),
|
||||
&PermissionProfile::Disabled,
|
||||
)
|
||||
.expect("allow-only requirements should not constrain the denylist");
|
||||
|
||||
@@ -417,7 +412,7 @@ fn requirements_denied_domains_are_a_baseline_for_default_mode() {
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::new_workspace_write_policy()),
|
||||
&PermissionProfile::workspace_write(),
|
||||
)
|
||||
.expect("default mode should merge managed and user deny entries");
|
||||
|
||||
@@ -452,7 +447,7 @@ fn requirements_denylist_expansion_keeps_user_entries_mutable() {
|
||||
let spec = NetworkProxySpec::from_config_and_constraints(
|
||||
config,
|
||||
Some(requirements),
|
||||
&permission_profile_for_sandbox_policy(&SandboxPolicy::new_workspace_write_policy()),
|
||||
&PermissionProfile::workspace_write(),
|
||||
)
|
||||
.expect("managed baseline should still allow user edits");
|
||||
|
||||
|
||||
@@ -8,7 +8,6 @@ use codex_protocol::permissions::NetworkSandboxPolicy;
|
||||
use codex_protocol::protocol::AskForApproval;
|
||||
use codex_protocol::protocol::GranularApprovalConfig;
|
||||
use codex_protocol::protocol::NetworkAccess;
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use codex_protocol::protocol::WritableRoot;
|
||||
use codex_utils_template::Template;
|
||||
use std::path::Path;
|
||||
@@ -85,27 +84,6 @@ impl PermissionsInstructions {
|
||||
)
|
||||
}
|
||||
|
||||
/// Builds permissions instructions from a legacy sandbox policy.
|
||||
pub fn from_policy(
|
||||
sandbox_policy: &SandboxPolicy,
|
||||
approval_policy: AskForApproval,
|
||||
approvals_reviewer: ApprovalsReviewer,
|
||||
exec_policy: &Policy,
|
||||
cwd: &Path,
|
||||
exec_permission_approvals_enabled: bool,
|
||||
request_permissions_tool_enabled: bool,
|
||||
) -> Self {
|
||||
Self::from_permission_profile(
|
||||
&PermissionProfile::from_legacy_sandbox_policy(sandbox_policy),
|
||||
approval_policy,
|
||||
approvals_reviewer,
|
||||
exec_policy,
|
||||
cwd,
|
||||
exec_permission_approvals_enabled,
|
||||
request_permissions_tool_enabled,
|
||||
)
|
||||
}
|
||||
|
||||
fn from_permissions_with_network(
|
||||
sandbox_mode: SandboxMode,
|
||||
network_access: NetworkAccess,
|
||||
|
||||
@@ -53,29 +53,6 @@ fn builds_permissions_with_network_access_override() {
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn builds_permissions_from_policy() {
|
||||
let policy = SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots: vec![],
|
||||
network_access: true,
|
||||
exclude_tmpdir_env_var: false,
|
||||
exclude_slash_tmp: false,
|
||||
};
|
||||
|
||||
let instructions = PermissionsInstructions::from_policy(
|
||||
&policy,
|
||||
AskForApproval::UnlessTrusted,
|
||||
ApprovalsReviewer::User,
|
||||
&Policy::empty(),
|
||||
&PathBuf::from("/tmp"),
|
||||
/*exec_permission_approvals_enabled*/ false,
|
||||
/*request_permissions_tool_enabled*/ false,
|
||||
);
|
||||
let text = instructions.body();
|
||||
assert!(text.contains("Network access is enabled."));
|
||||
assert!(text.contains("`approval_policy` is `unless-trusted`"));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn builds_permissions_from_profile() {
|
||||
let cwd = PathBuf::from("/tmp");
|
||||
|
||||
@@ -1,18 +1,27 @@
|
||||
use super::*;
|
||||
use codex_protocol::models::PermissionProfile;
|
||||
use codex_protocol::protocol::FileSystemAccessMode;
|
||||
use codex_protocol::protocol::FileSystemPath;
|
||||
use codex_protocol::protocol::FileSystemSandboxEntry;
|
||||
use codex_protocol::protocol::FileSystemSpecialPath;
|
||||
use codex_protocol::permissions::FileSystemAccessMode;
|
||||
use codex_protocol::permissions::FileSystemPath;
|
||||
use codex_protocol::permissions::FileSystemSandboxEntry;
|
||||
use codex_protocol::permissions::FileSystemSpecialPath;
|
||||
use codex_protocol::permissions::NetworkSandboxPolicy;
|
||||
use codex_protocol::protocol::GranularApprovalConfig;
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use codex_utils_absolute_path::AbsolutePathBuf;
|
||||
use core_test_support::PathExt;
|
||||
use pretty_assertions::assert_eq;
|
||||
use tempfile::TempDir;
|
||||
|
||||
fn permission_profile_for_policy(sandbox_policy: &SandboxPolicy) -> PermissionProfile {
|
||||
PermissionProfile::from_legacy_sandbox_policy(sandbox_policy)
|
||||
fn workspace_write_profile(writable_roots: &[AbsolutePathBuf]) -> PermissionProfile {
|
||||
PermissionProfile::workspace_write_with(
|
||||
writable_roots,
|
||||
NetworkSandboxPolicy::Restricted,
|
||||
/*exclude_tmpdir_env_var*/ true,
|
||||
/*exclude_slash_tmp*/ true,
|
||||
)
|
||||
}
|
||||
|
||||
fn file_system_sandbox_policy(profile: &PermissionProfile) -> FileSystemSandboxPolicy {
|
||||
profile.to_runtime_permissions().0
|
||||
}
|
||||
|
||||
#[test]
|
||||
@@ -30,38 +39,30 @@ fn test_writable_roots_constraint() {
|
||||
let add_inside = make_add_change(cwd.join("inner.txt"));
|
||||
let add_outside = make_add_change(parent.join("outside.txt"));
|
||||
|
||||
// Policy limited to the workspace only; exclude system temp roots so
|
||||
// only `cwd` is writable by default.
|
||||
let policy_workspace_only = SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots: vec![],
|
||||
network_access: false,
|
||||
exclude_tmpdir_env_var: true,
|
||||
exclude_slash_tmp: true,
|
||||
};
|
||||
// Exclude system temp roots so only the project root is writable by default.
|
||||
let workspace_only_file_system_policy =
|
||||
file_system_sandbox_policy(&workspace_write_profile(&[]));
|
||||
|
||||
assert!(is_write_patch_constrained_to_writable_paths(
|
||||
&add_inside,
|
||||
&FileSystemSandboxPolicy::from(&policy_workspace_only),
|
||||
&workspace_only_file_system_policy,
|
||||
&cwd,
|
||||
));
|
||||
|
||||
assert!(!is_write_patch_constrained_to_writable_paths(
|
||||
&add_outside,
|
||||
&FileSystemSandboxPolicy::from(&policy_workspace_only),
|
||||
&workspace_only_file_system_policy,
|
||||
&cwd,
|
||||
));
|
||||
|
||||
// With the parent dir explicitly added as a writable root, the
|
||||
// outside write should be permitted.
|
||||
let policy_with_parent = SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots: vec![parent],
|
||||
network_access: false,
|
||||
exclude_tmpdir_env_var: true,
|
||||
exclude_slash_tmp: true,
|
||||
};
|
||||
let parent = AbsolutePathBuf::from_absolute_path(parent).expect("absolute parent");
|
||||
let file_system_policy_with_parent =
|
||||
file_system_sandbox_policy(&workspace_write_profile(&[parent]));
|
||||
assert!(is_write_patch_constrained_to_writable_paths(
|
||||
&add_outside,
|
||||
&FileSystemSandboxPolicy::from(&policy_with_parent),
|
||||
&file_system_policy_with_parent,
|
||||
&cwd,
|
||||
));
|
||||
}
|
||||
@@ -73,16 +74,17 @@ fn external_sandbox_auto_approves_in_on_request() {
|
||||
let add_inside_path = cwd.join("inner.txt");
|
||||
let add_inside = ApplyPatchAction::new_add_for_test(&add_inside_path, "".to_string());
|
||||
|
||||
let policy = SandboxPolicy::ExternalSandbox {
|
||||
network_access: codex_protocol::protocol::NetworkAccess::Enabled,
|
||||
let permission_profile = PermissionProfile::External {
|
||||
network: NetworkSandboxPolicy::Enabled,
|
||||
};
|
||||
let file_system_sandbox_policy = file_system_sandbox_policy(&permission_profile);
|
||||
|
||||
assert_eq!(
|
||||
assess_patch_safety(
|
||||
&add_inside,
|
||||
AskForApproval::OnRequest,
|
||||
&permission_profile_for_policy(&policy),
|
||||
&FileSystemSandboxPolicy::from(&policy),
|
||||
&permission_profile,
|
||||
&file_system_sandbox_policy,
|
||||
&cwd,
|
||||
WindowsSandboxLevel::Disabled
|
||||
),
|
||||
@@ -100,19 +102,15 @@ fn granular_with_all_flags_true_matches_on_request_for_out_of_root_patch() {
|
||||
let parent = cwd.parent().unwrap();
|
||||
let outside_path = parent.join("outside.txt");
|
||||
let add_outside = ApplyPatchAction::new_add_for_test(&outside_path, "".to_string());
|
||||
let policy_workspace_only = SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots: vec![],
|
||||
network_access: false,
|
||||
exclude_tmpdir_env_var: true,
|
||||
exclude_slash_tmp: true,
|
||||
};
|
||||
let permission_profile = workspace_write_profile(&[]);
|
||||
let file_system_sandbox_policy = file_system_sandbox_policy(&permission_profile);
|
||||
|
||||
assert_eq!(
|
||||
assess_patch_safety(
|
||||
&add_outside,
|
||||
AskForApproval::OnRequest,
|
||||
&permission_profile_for_policy(&policy_workspace_only),
|
||||
&FileSystemSandboxPolicy::from(&policy_workspace_only),
|
||||
&permission_profile,
|
||||
&file_system_sandbox_policy,
|
||||
&cwd,
|
||||
WindowsSandboxLevel::Disabled,
|
||||
),
|
||||
@@ -128,8 +126,8 @@ fn granular_with_all_flags_true_matches_on_request_for_out_of_root_patch() {
|
||||
request_permissions: true,
|
||||
mcp_elicitations: true,
|
||||
}),
|
||||
&permission_profile_for_policy(&policy_workspace_only),
|
||||
&FileSystemSandboxPolicy::from(&policy_workspace_only),
|
||||
&permission_profile,
|
||||
&file_system_sandbox_policy,
|
||||
&cwd,
|
||||
WindowsSandboxLevel::Disabled,
|
||||
),
|
||||
@@ -144,12 +142,8 @@ fn granular_sandbox_approval_false_rejects_out_of_root_patch() {
|
||||
let parent = cwd.parent().unwrap();
|
||||
let outside_path = parent.join("outside.txt");
|
||||
let add_outside = ApplyPatchAction::new_add_for_test(&outside_path, "".to_string());
|
||||
let policy_workspace_only = SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots: vec![],
|
||||
network_access: false,
|
||||
exclude_tmpdir_env_var: true,
|
||||
exclude_slash_tmp: true,
|
||||
};
|
||||
let permission_profile = workspace_write_profile(&[]);
|
||||
let file_system_sandbox_policy = file_system_sandbox_policy(&permission_profile);
|
||||
|
||||
assert_eq!(
|
||||
assess_patch_safety(
|
||||
@@ -161,8 +155,8 @@ fn granular_sandbox_approval_false_rejects_out_of_root_patch() {
|
||||
request_permissions: true,
|
||||
mcp_elicitations: true,
|
||||
}),
|
||||
&permission_profile_for_policy(&policy_workspace_only),
|
||||
&FileSystemSandboxPolicy::from(&policy_workspace_only),
|
||||
&permission_profile,
|
||||
&file_system_sandbox_policy,
|
||||
&cwd,
|
||||
WindowsSandboxLevel::Disabled,
|
||||
),
|
||||
@@ -178,9 +172,8 @@ fn read_only_policy_rejects_patch_with_read_only_reason() {
|
||||
let cwd = tmp.path().abs();
|
||||
let inside_path = cwd.join("inside.txt");
|
||||
let action = ApplyPatchAction::new_add_for_test(&inside_path, "".to_string());
|
||||
let sandbox_policy = SandboxPolicy::new_read_only_policy();
|
||||
let file_system_sandbox_policy =
|
||||
FileSystemSandboxPolicy::from_legacy_sandbox_policy_for_cwd(&sandbox_policy, &cwd);
|
||||
let permission_profile = PermissionProfile::read_only();
|
||||
let file_system_sandbox_policy = file_system_sandbox_policy(&permission_profile);
|
||||
|
||||
assert!(!is_write_patch_constrained_to_writable_paths(
|
||||
&action,
|
||||
@@ -191,7 +184,7 @@ fn read_only_policy_rejects_patch_with_read_only_reason() {
|
||||
assess_patch_safety(
|
||||
&action,
|
||||
AskForApproval::Never,
|
||||
&permission_profile_for_policy(&sandbox_policy),
|
||||
&permission_profile,
|
||||
&file_system_sandbox_policy,
|
||||
&cwd,
|
||||
WindowsSandboxLevel::Disabled,
|
||||
@@ -208,8 +201,8 @@ fn explicit_unreadable_paths_prevent_auto_approval_for_external_sandbox() {
|
||||
let blocked_path = cwd.join("blocked.txt");
|
||||
let blocked_absolute = blocked_path;
|
||||
let action = ApplyPatchAction::new_add_for_test(&blocked_absolute, "".to_string());
|
||||
let sandbox_policy = SandboxPolicy::ExternalSandbox {
|
||||
network_access: codex_protocol::protocol::NetworkAccess::Restricted,
|
||||
let permission_profile = PermissionProfile::External {
|
||||
network: NetworkSandboxPolicy::Restricted,
|
||||
};
|
||||
let file_system_sandbox_policy = FileSystemSandboxPolicy::restricted(vec![
|
||||
FileSystemSandboxEntry {
|
||||
@@ -235,7 +228,7 @@ fn explicit_unreadable_paths_prevent_auto_approval_for_external_sandbox() {
|
||||
assess_patch_safety(
|
||||
&action,
|
||||
AskForApproval::OnRequest,
|
||||
&permission_profile_for_policy(&sandbox_policy),
|
||||
&permission_profile,
|
||||
&file_system_sandbox_policy,
|
||||
&cwd,
|
||||
WindowsSandboxLevel::Disabled,
|
||||
@@ -252,8 +245,8 @@ fn explicit_read_only_subpaths_prevent_auto_approval_for_external_sandbox() {
|
||||
let blocked_absolute = blocked_path;
|
||||
let docs_absolute = AbsolutePathBuf::resolve_path_against_base("docs", &cwd);
|
||||
let action = ApplyPatchAction::new_add_for_test(&blocked_absolute, "".to_string());
|
||||
let sandbox_policy = SandboxPolicy::ExternalSandbox {
|
||||
network_access: codex_protocol::protocol::NetworkAccess::Restricted,
|
||||
let permission_profile = PermissionProfile::External {
|
||||
network: NetworkSandboxPolicy::Restricted,
|
||||
};
|
||||
let file_system_sandbox_policy = FileSystemSandboxPolicy::restricted(vec![
|
||||
FileSystemSandboxEntry {
|
||||
@@ -279,7 +272,7 @@ fn explicit_read_only_subpaths_prevent_auto_approval_for_external_sandbox() {
|
||||
assess_patch_safety(
|
||||
&action,
|
||||
AskForApproval::OnRequest,
|
||||
&permission_profile_for_policy(&sandbox_policy),
|
||||
&permission_profile,
|
||||
&file_system_sandbox_policy,
|
||||
&cwd,
|
||||
WindowsSandboxLevel::Disabled,
|
||||
@@ -294,14 +287,8 @@ fn missing_project_dot_codex_config_requires_approval() {
|
||||
let cwd = tmp.path().abs();
|
||||
let config_path = cwd.join(".codex").join("config.toml");
|
||||
let action = ApplyPatchAction::new_add_for_test(&config_path, "".to_string());
|
||||
let sandbox_policy = SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots: vec![],
|
||||
network_access: false,
|
||||
exclude_tmpdir_env_var: true,
|
||||
exclude_slash_tmp: true,
|
||||
};
|
||||
let file_system_sandbox_policy =
|
||||
FileSystemSandboxPolicy::from_legacy_sandbox_policy_for_cwd(&sandbox_policy, &cwd);
|
||||
let permission_profile = workspace_write_profile(&[]);
|
||||
let file_system_sandbox_policy = file_system_sandbox_policy(&permission_profile);
|
||||
|
||||
assert!(!is_write_patch_constrained_to_writable_paths(
|
||||
&action,
|
||||
@@ -312,7 +299,7 @@ fn missing_project_dot_codex_config_requires_approval() {
|
||||
assess_patch_safety(
|
||||
&action,
|
||||
AskForApproval::OnRequest,
|
||||
&permission_profile_for_policy(&sandbox_policy),
|
||||
&permission_profile,
|
||||
&file_system_sandbox_policy,
|
||||
&cwd,
|
||||
WindowsSandboxLevel::Disabled,
|
||||
|
||||
@@ -1,24 +1,10 @@
|
||||
use codex_protocol::config_types::WindowsSandboxLevel;
|
||||
use codex_protocol::models::PermissionProfile;
|
||||
#[cfg(test)]
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use codex_sandboxing::SandboxType;
|
||||
use codex_sandboxing::get_platform_sandbox;
|
||||
use codex_sandboxing::policy_transforms::should_require_platform_sandbox;
|
||||
use std::path::Path;
|
||||
|
||||
#[cfg(test)]
|
||||
pub(crate) fn sandbox_tag(
|
||||
policy: &SandboxPolicy,
|
||||
windows_sandbox_level: WindowsSandboxLevel,
|
||||
) -> &'static str {
|
||||
permission_profile_sandbox_tag(
|
||||
&PermissionProfile::from_legacy_sandbox_policy(policy),
|
||||
windows_sandbox_level,
|
||||
/*enforce_managed_network*/ false,
|
||||
)
|
||||
}
|
||||
|
||||
pub(crate) fn permission_profile_sandbox_tag(
|
||||
profile: &PermissionProfile,
|
||||
windows_sandbox_level: WindowsSandboxLevel,
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
use super::permission_profile_policy_tag;
|
||||
use super::permission_profile_sandbox_tag;
|
||||
use super::sandbox_tag;
|
||||
use codex_protocol::config_types::WindowsSandboxLevel;
|
||||
use codex_protocol::models::ManagedFileSystemPermissions;
|
||||
use codex_protocol::models::PermissionProfile;
|
||||
@@ -10,8 +9,6 @@ use codex_protocol::permissions::FileSystemSandboxEntry;
|
||||
use codex_protocol::permissions::FileSystemSandboxKind;
|
||||
use codex_protocol::permissions::FileSystemSandboxPolicy;
|
||||
use codex_protocol::permissions::NetworkSandboxPolicy;
|
||||
use codex_protocol::protocol::NetworkAccess;
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use codex_sandboxing::SandboxType;
|
||||
use codex_sandboxing::get_platform_sandbox;
|
||||
use codex_utils_absolute_path::AbsolutePathBuf;
|
||||
@@ -20,29 +17,32 @@ use std::path::Path;
|
||||
|
||||
#[test]
|
||||
fn danger_full_access_is_untagged_even_when_linux_sandbox_defaults_apply() {
|
||||
let actual = sandbox_tag(
|
||||
&SandboxPolicy::DangerFullAccess,
|
||||
let actual = permission_profile_sandbox_tag(
|
||||
&PermissionProfile::Disabled,
|
||||
WindowsSandboxLevel::Disabled,
|
||||
/*enforce_managed_network*/ false,
|
||||
);
|
||||
assert_eq!(actual, "none");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn external_sandbox_keeps_external_tag_when_linux_sandbox_defaults_apply() {
|
||||
let actual = sandbox_tag(
|
||||
&SandboxPolicy::ExternalSandbox {
|
||||
network_access: NetworkAccess::Enabled,
|
||||
let actual = permission_profile_sandbox_tag(
|
||||
&PermissionProfile::External {
|
||||
network: NetworkSandboxPolicy::Enabled,
|
||||
},
|
||||
WindowsSandboxLevel::Disabled,
|
||||
/*enforce_managed_network*/ false,
|
||||
);
|
||||
assert_eq!(actual, "external");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn default_linux_sandbox_uses_platform_sandbox_tag() {
|
||||
let actual = sandbox_tag(
|
||||
&SandboxPolicy::new_read_only_policy(),
|
||||
let actual = permission_profile_sandbox_tag(
|
||||
&PermissionProfile::read_only(),
|
||||
WindowsSandboxLevel::Disabled,
|
||||
/*enforce_managed_network*/ false,
|
||||
);
|
||||
let expected = get_platform_sandbox(/*windows_sandbox_enabled*/ false)
|
||||
.map(SandboxType::as_metric_tag)
|
||||
|
||||
@@ -3,7 +3,6 @@ use codex_apply_patch::MaybeApplyPatchVerified;
|
||||
use codex_exec_server::LOCAL_FS;
|
||||
use codex_protocol::permissions::FileSystemSandboxPolicy;
|
||||
use codex_protocol::protocol::FileChange;
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use core_test_support::PathBufExt;
|
||||
use core_test_support::PathExt;
|
||||
use pretty_assertions::assert_eq;
|
||||
@@ -237,12 +236,11 @@ fn write_permissions_for_paths_skip_dirs_already_writable_under_workspace_root()
|
||||
std::fs::create_dir_all(&nested).expect("create nested dir");
|
||||
let file_path = AbsolutePathBuf::try_from(nested.join("file.txt"))
|
||||
.expect("nested file path should be absolute");
|
||||
let sandbox_policy = FileSystemSandboxPolicy::from(&SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots: vec![],
|
||||
network_access: false,
|
||||
exclude_tmpdir_env_var: true,
|
||||
exclude_slash_tmp: false,
|
||||
});
|
||||
let sandbox_policy = FileSystemSandboxPolicy::workspace_write(
|
||||
&[],
|
||||
/*exclude_tmpdir_env_var*/ true,
|
||||
/*exclude_slash_tmp*/ false,
|
||||
);
|
||||
|
||||
let permissions = write_permissions_for_paths(&[file_path], &sandbox_policy, &cwd);
|
||||
|
||||
@@ -259,12 +257,11 @@ fn write_permissions_for_paths_keep_dirs_outside_workspace_root() {
|
||||
let file_path = AbsolutePathBuf::try_from(outside.join("file.txt"))
|
||||
.expect("outside file path should be absolute");
|
||||
let cwd_abs = cwd.abs();
|
||||
let sandbox_policy = FileSystemSandboxPolicy::from(&SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots: vec![],
|
||||
network_access: false,
|
||||
exclude_tmpdir_env_var: true,
|
||||
exclude_slash_tmp: true,
|
||||
});
|
||||
let sandbox_policy = FileSystemSandboxPolicy::workspace_write(
|
||||
&[],
|
||||
/*exclude_tmpdir_env_var*/ true,
|
||||
/*exclude_slash_tmp*/ true,
|
||||
);
|
||||
|
||||
let permissions = write_permissions_for_paths(&[file_path], &sandbox_policy, &cwd_abs);
|
||||
let expected_outside =
|
||||
|
||||
@@ -4,7 +4,6 @@ use codex_network_proxy::BlockedRequestArgs;
|
||||
use codex_protocol::models::PermissionProfile;
|
||||
use codex_protocol::permissions::NetworkSandboxPolicy;
|
||||
use codex_protocol::protocol::AskForApproval;
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use core_test_support::PathBufExt;
|
||||
use core_test_support::test_path_buf;
|
||||
use pretty_assertions::assert_eq;
|
||||
@@ -189,10 +188,10 @@ fn only_never_policy_disables_network_approval_flow() {
|
||||
#[test]
|
||||
fn network_approval_flow_is_limited_to_restricted_sandbox_modes() {
|
||||
assert!(permission_profile_allows_network_approval_flow(
|
||||
&PermissionProfile::from_legacy_sandbox_policy(&SandboxPolicy::new_read_only_policy())
|
||||
&PermissionProfile::read_only()
|
||||
));
|
||||
assert!(permission_profile_allows_network_approval_flow(
|
||||
&PermissionProfile::from_legacy_sandbox_policy(&SandboxPolicy::new_workspace_write_policy())
|
||||
&PermissionProfile::workspace_write()
|
||||
));
|
||||
assert!(!permission_profile_allows_network_approval_flow(
|
||||
&PermissionProfile::Disabled
|
||||
|
||||
@@ -4,10 +4,8 @@ use codex_protocol::config_types::WindowsSandboxLevel;
|
||||
use codex_protocol::models::AdditionalPermissionProfile;
|
||||
use codex_protocol::models::FileSystemPermissions;
|
||||
use codex_protocol::models::PermissionProfile;
|
||||
use codex_protocol::permissions::FileSystemSandboxPolicy;
|
||||
use codex_protocol::permissions::NetworkSandboxPolicy;
|
||||
use codex_protocol::protocol::GranularApprovalConfig;
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use codex_sandboxing::SandboxManager;
|
||||
use codex_sandboxing::SandboxType;
|
||||
use codex_sandboxing::policy_transforms::effective_file_system_sandbox_policy;
|
||||
@@ -136,8 +134,7 @@ fn file_system_sandbox_context_uses_active_attempt() {
|
||||
additional_permissions: Some(additional_permissions.clone()),
|
||||
permissions_preapproved: false,
|
||||
};
|
||||
let sandbox_policy = SandboxPolicy::new_read_only_policy();
|
||||
let file_system_policy = FileSystemSandboxPolicy::from(&sandbox_policy);
|
||||
let file_system_policy = PermissionProfile::read_only().file_system_sandbox_policy();
|
||||
let permissions = PermissionProfile::from_runtime_permissions(
|
||||
&file_system_policy,
|
||||
NetworkSandboxPolicy::Restricted,
|
||||
|
||||
@@ -19,8 +19,6 @@ use codex_protocol::permissions::FileSystemSandboxKind;
|
||||
use codex_protocol::permissions::FileSystemSandboxPolicy;
|
||||
use codex_protocol::protocol::AskForApproval;
|
||||
use codex_protocol::protocol::ReviewDecision;
|
||||
#[cfg(test)]
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use codex_sandboxing::SandboxCommand;
|
||||
use codex_sandboxing::SandboxManager;
|
||||
use codex_sandboxing::SandboxTransformError;
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
use super::*;
|
||||
use crate::sandboxing::SandboxPermissions;
|
||||
use crate::tools::hook_names::HookToolName;
|
||||
use codex_protocol::models::PermissionProfile;
|
||||
use codex_protocol::permissions::FileSystemSandboxPolicy;
|
||||
use codex_protocol::protocol::GranularApprovalConfig;
|
||||
use codex_protocol::protocol::NetworkAccess;
|
||||
use pretty_assertions::assert_eq;
|
||||
use serde_json::json;
|
||||
|
||||
@@ -36,13 +37,10 @@ fn bash_permission_request_payload_includes_description_when_present() {
|
||||
|
||||
#[test]
|
||||
fn external_sandbox_skips_exec_approval_on_request() {
|
||||
let sandbox_policy = SandboxPolicy::ExternalSandbox {
|
||||
network_access: NetworkAccess::Restricted,
|
||||
};
|
||||
assert_eq!(
|
||||
default_exec_approval_requirement(
|
||||
AskForApproval::OnRequest,
|
||||
&FileSystemSandboxPolicy::from(&sandbox_policy),
|
||||
&FileSystemSandboxPolicy::external_sandbox(),
|
||||
),
|
||||
ExecApprovalRequirement::Skip {
|
||||
bypass_sandbox: false,
|
||||
@@ -53,11 +51,10 @@ fn external_sandbox_skips_exec_approval_on_request() {
|
||||
|
||||
#[test]
|
||||
fn restricted_sandbox_requires_exec_approval_on_request() {
|
||||
let sandbox_policy = SandboxPolicy::new_read_only_policy();
|
||||
assert_eq!(
|
||||
default_exec_approval_requirement(
|
||||
AskForApproval::OnRequest,
|
||||
&FileSystemSandboxPolicy::from(&sandbox_policy)
|
||||
&PermissionProfile::read_only().file_system_sandbox_policy()
|
||||
),
|
||||
ExecApprovalRequirement::NeedsApproval {
|
||||
reason: None,
|
||||
@@ -76,9 +73,10 @@ fn default_exec_approval_requirement_rejects_sandbox_prompt_when_granular_disabl
|
||||
mcp_elicitations: true,
|
||||
});
|
||||
|
||||
let sandbox_policy = SandboxPolicy::new_read_only_policy();
|
||||
let requirement =
|
||||
default_exec_approval_requirement(policy, &FileSystemSandboxPolicy::from(&sandbox_policy));
|
||||
let requirement = default_exec_approval_requirement(
|
||||
policy,
|
||||
&PermissionProfile::read_only().file_system_sandbox_policy(),
|
||||
);
|
||||
|
||||
assert_eq!(
|
||||
requirement,
|
||||
@@ -98,9 +96,10 @@ fn default_exec_approval_requirement_keeps_prompt_when_granular_allows_sandbox_a
|
||||
mcp_elicitations: false,
|
||||
});
|
||||
|
||||
let sandbox_policy = SandboxPolicy::new_read_only_policy();
|
||||
let requirement =
|
||||
default_exec_approval_requirement(policy, &FileSystemSandboxPolicy::from(&sandbox_policy));
|
||||
let requirement = default_exec_approval_requirement(
|
||||
policy,
|
||||
&PermissionProfile::read_only().file_system_sandbox_policy(),
|
||||
);
|
||||
|
||||
assert_eq!(
|
||||
requirement,
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
use super::*;
|
||||
|
||||
use crate::sandbox_tags::sandbox_tag;
|
||||
use crate::sandbox_tags::permission_profile_sandbox_tag;
|
||||
use codex_protocol::models::PermissionProfile;
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use codex_protocol::protocol::SessionSource;
|
||||
use codex_protocol::protocol::SubAgentSource;
|
||||
use core_test_support::PathBufExt;
|
||||
@@ -82,7 +81,6 @@ async fn build_turn_metadata_header_includes_has_changes_for_clean_repo() {
|
||||
fn turn_metadata_state_uses_platform_sandbox_tag() {
|
||||
let temp_dir = TempDir::new().expect("temp dir");
|
||||
let cwd = temp_dir.path().abs();
|
||||
let sandbox_policy = SandboxPolicy::new_read_only_policy();
|
||||
let permission_profile = PermissionProfile::read_only();
|
||||
|
||||
let state = TurnMetadataState::new(
|
||||
@@ -101,7 +99,11 @@ fn turn_metadata_state_uses_platform_sandbox_tag() {
|
||||
let session_id = json.get("session_id").and_then(Value::as_str);
|
||||
let thread_source = json.get("thread_source").and_then(Value::as_str);
|
||||
|
||||
let expected_sandbox = sandbox_tag(&sandbox_policy, WindowsSandboxLevel::Disabled);
|
||||
let expected_sandbox = permission_profile_sandbox_tag(
|
||||
&permission_profile,
|
||||
WindowsSandboxLevel::Disabled,
|
||||
/*enforce_managed_network*/ false,
|
||||
);
|
||||
assert_eq!(sandbox_name, Some(expected_sandbox));
|
||||
assert_eq!(session_id, Some("session-a"));
|
||||
assert_eq!(thread_source, Some("user"));
|
||||
|
||||
@@ -575,9 +575,8 @@ async fn permissions_message_includes_writable_roots() -> Result<()> {
|
||||
let permissions = permissions_texts(&req.single_request());
|
||||
let normalize_line_endings = |s: &str| s.replace("\r\n", "\n");
|
||||
let exec_policy = load_exec_policy(&test.config.config_layer_stack).await?;
|
||||
let sandbox_policy = test.config.legacy_sandbox_policy();
|
||||
let expected = PermissionsInstructions::from_policy(
|
||||
&sandbox_policy,
|
||||
let expected = PermissionsInstructions::from_permission_profile(
|
||||
&test.config.permissions.permission_profile(),
|
||||
AskForApproval::OnRequest,
|
||||
test.config.approvals_reviewer,
|
||||
&exec_policy,
|
||||
|
||||
@@ -83,6 +83,27 @@ fn write_plugin_mcp_plugin(home: &TempDir, command: &str) {
|
||||
.expect("write plugin mcp config");
|
||||
}
|
||||
|
||||
fn copy_stdio_server_for_plugin_test(home: &TempDir) -> Result<Option<String>> {
|
||||
let rmcp_test_server_bin = match stdio_server_bin() {
|
||||
Ok(bin) => bin,
|
||||
Err(err) => {
|
||||
eprintln!("test_stdio_server binary not available, skipping test: {err}");
|
||||
return Ok(None);
|
||||
}
|
||||
};
|
||||
let target = home.path().join("test_stdio_server");
|
||||
std::fs::copy(std::path::Path::new(&rmcp_test_server_bin), &target)?;
|
||||
#[cfg(unix)]
|
||||
{
|
||||
use std::os::unix::fs::PermissionsExt as _;
|
||||
|
||||
let mut permissions = std::fs::metadata(&target)?.permissions();
|
||||
permissions.set_mode(0o755);
|
||||
std::fs::set_permissions(&target, permissions)?;
|
||||
}
|
||||
Ok(Some(target.to_string_lossy().to_string()))
|
||||
}
|
||||
|
||||
fn write_plugin_app_plugin(home: &TempDir) {
|
||||
let plugin_root = write_sample_plugin_manifest_and_config(home);
|
||||
std::fs::write(
|
||||
@@ -293,12 +314,8 @@ async fn explicit_plugin_mentions_inject_plugin_guidance() -> Result<()> {
|
||||
.await;
|
||||
|
||||
let codex_home = Arc::new(TempDir::new()?);
|
||||
let rmcp_test_server_bin = match stdio_server_bin() {
|
||||
Ok(bin) => bin,
|
||||
Err(err) => {
|
||||
eprintln!("test_stdio_server binary not available, skipping test: {err}");
|
||||
return Ok(());
|
||||
}
|
||||
let Some(rmcp_test_server_bin) = copy_stdio_server_for_plugin_test(codex_home.as_ref())? else {
|
||||
return Ok(());
|
||||
};
|
||||
write_plugin_skill_plugin(codex_home.as_ref());
|
||||
write_plugin_mcp_plugin(codex_home.as_ref(), &rmcp_test_server_bin);
|
||||
@@ -453,7 +470,9 @@ async fn plugin_mcp_tools_are_listed() -> Result<()> {
|
||||
skip_if_no_network!(Ok(()));
|
||||
let server = start_mock_server().await;
|
||||
let codex_home = Arc::new(TempDir::new()?);
|
||||
let rmcp_test_server_bin = stdio_server_bin()?;
|
||||
let Some(rmcp_test_server_bin) = copy_stdio_server_for_plugin_test(codex_home.as_ref())? else {
|
||||
return Ok(());
|
||||
};
|
||||
write_plugin_mcp_plugin(codex_home.as_ref(), &rmcp_test_server_bin);
|
||||
let codex = build_plugin_test_codex(&server, codex_home).await?;
|
||||
wait_for_sample_mcp_ready(&codex).await?;
|
||||
|
||||
@@ -528,6 +528,7 @@ async fn status_snapshot_shows_auto_review_permissions() {
|
||||
async fn status_permissions_full_disk_managed_with_network_is_danger_full_access() {
|
||||
let temp_home = TempDir::new().expect("temp home");
|
||||
let mut config = test_config(&temp_home).await;
|
||||
config.approvals_reviewer = ApprovalsReviewer::User;
|
||||
config
|
||||
.permissions
|
||||
.approval_policy
|
||||
@@ -548,9 +549,10 @@ async fn status_permissions_full_disk_managed_with_network_is_danger_full_access
|
||||
}
|
||||
|
||||
#[tokio::test]
|
||||
async fn status_permissions_full_disk_managed_without_network_is_external_sandbox() {
|
||||
async fn status_permissions_full_disk_managed_without_network_is_custom_permissions() {
|
||||
let temp_home = TempDir::new().expect("temp home");
|
||||
let mut config = test_config(&temp_home).await;
|
||||
config.approvals_reviewer = ApprovalsReviewer::User;
|
||||
config
|
||||
.permissions
|
||||
.approval_policy
|
||||
@@ -566,7 +568,7 @@ async fn status_permissions_full_disk_managed_without_network_is_external_sandbo
|
||||
|
||||
assert_eq!(
|
||||
permissions_text_for(&config).as_deref(),
|
||||
Some("Custom (external-sandbox, on-request)")
|
||||
Some("Custom (custom permissions, on-request)")
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
use codex_core::config::Config;
|
||||
use codex_model_provider_info::WireApi;
|
||||
|
||||
use crate::sandbox_summary::summarize_sandbox_policy;
|
||||
use crate::sandbox_summary::summarize_permission_profile;
|
||||
|
||||
/// Build a list of key/value pairs summarizing the effective configuration.
|
||||
pub fn create_config_summary_entries(config: &Config, model: &str) -> Vec<(&'static str, String)> {
|
||||
@@ -15,10 +15,9 @@ pub fn create_config_summary_entries(config: &Config, model: &str) -> Vec<(&'sta
|
||||
),
|
||||
(
|
||||
"sandbox",
|
||||
summarize_sandbox_policy(
|
||||
&config
|
||||
.permissions
|
||||
.legacy_sandbox_policy(config.cwd.as_path()),
|
||||
summarize_permission_profile(
|
||||
&config.permissions.permission_profile(),
|
||||
config.cwd.as_path(),
|
||||
),
|
||||
),
|
||||
];
|
||||
|
||||
@@ -3,4 +3,3 @@ mod sandbox_summary;
|
||||
|
||||
pub use config_summary::create_config_summary_entries;
|
||||
pub use sandbox_summary::summarize_permission_profile;
|
||||
pub use sandbox_summary::summarize_sandbox_policy;
|
||||
|
||||
@@ -1,109 +1,185 @@
|
||||
use codex_protocol::models::PermissionProfile;
|
||||
use codex_protocol::protocol::NetworkAccess;
|
||||
use codex_protocol::protocol::SandboxPolicy;
|
||||
use codex_protocol::permissions::FileSystemSandboxPolicy;
|
||||
use codex_protocol::permissions::NetworkSandboxPolicy;
|
||||
use std::path::Path;
|
||||
|
||||
pub fn summarize_sandbox_policy(sandbox_policy: &SandboxPolicy) -> String {
|
||||
match sandbox_policy {
|
||||
SandboxPolicy::DangerFullAccess => "danger-full-access".to_string(),
|
||||
SandboxPolicy::ReadOnly { network_access, .. } => {
|
||||
let mut summary = "read-only".to_string();
|
||||
if *network_access {
|
||||
summary.push_str(" (network access enabled)");
|
||||
}
|
||||
summary
|
||||
}
|
||||
SandboxPolicy::ExternalSandbox { network_access } => {
|
||||
let mut summary = "external-sandbox".to_string();
|
||||
if matches!(network_access, NetworkAccess::Enabled) {
|
||||
summary.push_str(" (network access enabled)");
|
||||
}
|
||||
summary
|
||||
}
|
||||
SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots,
|
||||
network_access,
|
||||
exclude_tmpdir_env_var,
|
||||
exclude_slash_tmp,
|
||||
} => {
|
||||
let mut summary = "workspace-write".to_string();
|
||||
|
||||
let mut writable_entries = Vec::<String>::new();
|
||||
writable_entries.push("workdir".to_string());
|
||||
if !*exclude_slash_tmp {
|
||||
writable_entries.push("/tmp".to_string());
|
||||
}
|
||||
if !*exclude_tmpdir_env_var {
|
||||
writable_entries.push("$TMPDIR".to_string());
|
||||
}
|
||||
writable_entries.extend(
|
||||
writable_roots
|
||||
.iter()
|
||||
.map(|p| p.to_string_lossy().to_string()),
|
||||
);
|
||||
|
||||
summary.push_str(&format!(" [{}]", writable_entries.join(", ")));
|
||||
if *network_access {
|
||||
summary.push_str(" (network access enabled)");
|
||||
}
|
||||
summary
|
||||
pub fn summarize_permission_profile(permission_profile: &PermissionProfile, cwd: &Path) -> String {
|
||||
match permission_profile {
|
||||
PermissionProfile::Disabled => "danger-full-access".to_string(),
|
||||
PermissionProfile::External { network } => {
|
||||
summary_with_network("external-sandbox", network.is_enabled())
|
||||
}
|
||||
PermissionProfile::Managed {
|
||||
file_system,
|
||||
network,
|
||||
} => summarize_managed_profile(&file_system.to_sandbox_policy(), *network, cwd),
|
||||
}
|
||||
}
|
||||
|
||||
pub fn summarize_permission_profile(permission_profile: &PermissionProfile, cwd: &Path) -> String {
|
||||
match permission_profile.to_legacy_sandbox_policy(cwd) {
|
||||
Ok(policy) => summarize_sandbox_policy(&policy),
|
||||
Err(_) => {
|
||||
if permission_profile.network_sandbox_policy().is_enabled() {
|
||||
"custom permissions (network access enabled)".to_string()
|
||||
} else {
|
||||
"custom permissions".to_string()
|
||||
}
|
||||
fn summarize_managed_profile(
|
||||
file_system: &FileSystemSandboxPolicy,
|
||||
network: NetworkSandboxPolicy,
|
||||
cwd: &Path,
|
||||
) -> String {
|
||||
let network_enabled = network.is_enabled();
|
||||
if file_system.has_full_disk_write_access() {
|
||||
if network_enabled {
|
||||
return "danger-full-access".to_string();
|
||||
}
|
||||
return custom_summary(network_enabled);
|
||||
}
|
||||
|
||||
let writable_roots = file_system.get_writable_roots_with_cwd(cwd);
|
||||
if writable_roots.is_empty() {
|
||||
if file_system.has_full_disk_read_access() {
|
||||
return summary_with_network("read-only", network_enabled);
|
||||
}
|
||||
return custom_summary(network_enabled);
|
||||
}
|
||||
if !file_system.can_write_path_with_cwd(cwd, cwd) {
|
||||
return custom_summary(network_enabled);
|
||||
}
|
||||
|
||||
let writable_entries = writable_roots
|
||||
.iter()
|
||||
.map(|root| writable_root_display(root.root.as_path(), cwd))
|
||||
.collect::<Vec<_>>();
|
||||
summary_with_network(
|
||||
&format!("workspace-write [{}]", writable_entries.join(", ")),
|
||||
network_enabled,
|
||||
)
|
||||
}
|
||||
|
||||
fn writable_root_display(root: &Path, cwd: &Path) -> String {
|
||||
if root == cwd {
|
||||
return "workdir".to_string();
|
||||
}
|
||||
if cfg!(unix) && root == Path::new("/tmp") {
|
||||
return "/tmp".to_string();
|
||||
}
|
||||
if root == std::env::temp_dir() {
|
||||
return "$TMPDIR".to_string();
|
||||
}
|
||||
root.display().to_string()
|
||||
}
|
||||
|
||||
fn summary_with_network(base: &str, network_enabled: bool) -> String {
|
||||
if network_enabled {
|
||||
format!("{base} (network access enabled)")
|
||||
} else {
|
||||
base.to_string()
|
||||
}
|
||||
}
|
||||
|
||||
fn custom_summary(network_enabled: bool) -> String {
|
||||
summary_with_network("custom permissions", network_enabled)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
use codex_protocol::permissions::FileSystemAccessMode;
|
||||
use codex_protocol::permissions::FileSystemPath;
|
||||
use codex_protocol::permissions::FileSystemSandboxEntry;
|
||||
use codex_protocol::permissions::FileSystemSpecialPath;
|
||||
use codex_utils_absolute_path::AbsolutePathBuf;
|
||||
use pretty_assertions::assert_eq;
|
||||
|
||||
#[test]
|
||||
fn summarizes_external_sandbox_without_network_access_suffix() {
|
||||
let summary = summarize_sandbox_policy(&SandboxPolicy::ExternalSandbox {
|
||||
network_access: NetworkAccess::Restricted,
|
||||
});
|
||||
let summary = summarize_permission_profile(
|
||||
&PermissionProfile::External {
|
||||
network: NetworkSandboxPolicy::Restricted,
|
||||
},
|
||||
Path::new("/repo"),
|
||||
);
|
||||
assert_eq!(summary, "external-sandbox");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn summarizes_external_sandbox_with_enabled_network() {
|
||||
let summary = summarize_sandbox_policy(&SandboxPolicy::ExternalSandbox {
|
||||
network_access: NetworkAccess::Enabled,
|
||||
});
|
||||
let summary = summarize_permission_profile(
|
||||
&PermissionProfile::External {
|
||||
network: NetworkSandboxPolicy::Enabled,
|
||||
},
|
||||
Path::new("/repo"),
|
||||
);
|
||||
assert_eq!(summary, "external-sandbox (network access enabled)");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn summarizes_read_only_with_enabled_network() {
|
||||
let summary = summarize_sandbox_policy(&SandboxPolicy::ReadOnly {
|
||||
network_access: true,
|
||||
});
|
||||
let file_system = FileSystemSandboxPolicy::restricted(vec![FileSystemSandboxEntry {
|
||||
path: FileSystemPath::Special {
|
||||
value: FileSystemSpecialPath::Root,
|
||||
},
|
||||
access: FileSystemAccessMode::Read,
|
||||
}]);
|
||||
let profile = PermissionProfile::from_runtime_permissions(
|
||||
&file_system,
|
||||
NetworkSandboxPolicy::Enabled,
|
||||
);
|
||||
let summary = summarize_permission_profile(&profile, Path::new("/repo"));
|
||||
assert_eq!(summary, "read-only (network access enabled)");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn unrestricted_filesystem_without_network_is_custom_permissions() {
|
||||
let profile = PermissionProfile::from_runtime_permissions(
|
||||
&FileSystemSandboxPolicy::unrestricted(),
|
||||
NetworkSandboxPolicy::Restricted,
|
||||
);
|
||||
let summary = summarize_permission_profile(&profile, Path::new("/repo"));
|
||||
assert_eq!(summary, "custom permissions");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn explicit_writable_root_outside_cwd_is_custom_permissions() {
|
||||
let writable_root = AbsolutePathBuf::try_from(if cfg!(windows) {
|
||||
"C:\\outside"
|
||||
} else {
|
||||
"/outside"
|
||||
})
|
||||
.unwrap();
|
||||
let file_system = FileSystemSandboxPolicy::restricted(vec![
|
||||
FileSystemSandboxEntry {
|
||||
path: FileSystemPath::Special {
|
||||
value: FileSystemSpecialPath::Root,
|
||||
},
|
||||
access: FileSystemAccessMode::Read,
|
||||
},
|
||||
FileSystemSandboxEntry {
|
||||
path: FileSystemPath::Path {
|
||||
path: writable_root,
|
||||
},
|
||||
access: FileSystemAccessMode::Write,
|
||||
},
|
||||
]);
|
||||
let profile = PermissionProfile::from_runtime_permissions(
|
||||
&file_system,
|
||||
NetworkSandboxPolicy::Restricted,
|
||||
);
|
||||
let cwd = if cfg!(windows) { "C:\\repo" } else { "/repo" };
|
||||
let summary = summarize_permission_profile(&profile, Path::new(cwd));
|
||||
assert_eq!(summary, "custom permissions");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn workspace_write_summary_still_includes_network_access() {
|
||||
let root = if cfg!(windows) { "C:\\repo" } else { "/repo" };
|
||||
let writable_root = AbsolutePathBuf::try_from(root).unwrap();
|
||||
let summary = summarize_sandbox_policy(&SandboxPolicy::WorkspaceWrite {
|
||||
writable_roots: vec![writable_root.clone()],
|
||||
network_access: true,
|
||||
exclude_tmpdir_env_var: true,
|
||||
exclude_slash_tmp: true,
|
||||
});
|
||||
let cwd = if cfg!(windows) {
|
||||
"C:\\workdir"
|
||||
} else {
|
||||
"/workdir"
|
||||
};
|
||||
let profile = PermissionProfile::workspace_write_with(
|
||||
std::slice::from_ref(&writable_root),
|
||||
NetworkSandboxPolicy::Enabled,
|
||||
/*exclude_tmpdir_env_var*/ true,
|
||||
/*exclude_slash_tmp*/ true,
|
||||
);
|
||||
let summary = summarize_permission_profile(&profile, Path::new(cwd));
|
||||
assert_eq!(
|
||||
summary,
|
||||
format!(
|
||||
|
||||
Reference in New Issue
Block a user