clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-04-25 15:15:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
55e49a8016dc024a975c30c0cfa64872db6e7463
codex/codex-rs/execpolicy2/tests/basic.rs
kevin zhao 55e49a8016 remove extraneous test
2025-11-13 22:07:37 -05:00

197 lines
5.7 KiB
Rust
Raw Blame History

use codex_execpolicy2::Decision;
use codex_execpolicy2::PolicyParser;
use codex_execpolicy2::RuleMatch;
use codex_execpolicy2::rule::PatternToken;
fn tokens(cmd: &[&str]) -> Vec<String> {
cmd.iter().map(|token| token.to_string()).collect()
}
#[test]
fn matches_default_git_status() {
let policy = codex_execpolicy2::load_default_policy().expect("parse");
let cmd = tokens(&["git", "status"]);
let eval = policy.evaluate(&cmd).expect("match");
assert_eq!(eval.decision, Decision::Allow);
assert_eq!(
eval.matched_rules,
vec![RuleMatch {
rule_id: "git_status".to_string(),
matched_prefix: vec!["git".to_string(), "status".to_string()],
decision: Decision::Allow,
}]
);
}
#[test]
fn pattern_expands_alternatives() {
let policy_src = r#"
prefix_rule(
id = "npm_install",
pattern = ["npm", ["i", "install"]],
)
"#;
let parser = PolicyParser::new("test.policy", policy_src);
let policy = parser.parse().expect("parse policy");
for (cmd, matched_prefix) in [
(tokens(&["npm", "i"]), tokens(&["npm", "i"])),
(tokens(&["npm", "install"]), tokens(&["npm", "install"])),
] {
let eval = policy.evaluate(&cmd).expect("match");
assert_eq!(
eval.matched_rules,
vec![RuleMatch {
rule_id: "npm_install".to_string(),
matched_prefix,
decision: Decision::Allow,
}]
);
}
let no_match = tokens(&["npmx", "install"]);
assert!(policy.evaluate(&no_match).is_none());
}
#[test]
fn only_first_token_alias_expands_to_multiple_rules() {
let policy_src = r#"
prefix_rule(
id = "shell",
pattern = [["bash", "sh"], ["-c", "-l"]],
)
"#;
let parser = PolicyParser::new("test.policy", policy_src);
let policy = parser.parse().expect("parse policy");
let bash_rules = policy.rules().get_vec("bash").expect("bash rules");
let sh_rules = policy.rules().get_vec("sh").expect("sh rules");
assert_eq!(bash_rules.len(), 1);
assert_eq!(sh_rules.len(), 1);
for (cmd, prefix) in [
(
tokens(&["bash", "-c", "echo", "hi"]),
tokens(&["bash", "-c"]),
),
(tokens(&["sh", "-l", "echo", "hi"]), tokens(&["sh", "-l"])),
] {
let eval = policy.evaluate(&cmd).expect("match");
assert_eq!(eval.matched_rules[0].matched_prefix, prefix);
}
}
#[test]
fn tail_aliases_are_not_cartesian_expanded() {
let policy_src = r#"
prefix_rule(
id = "npm_install_variants",
pattern = ["npm", ["i", "install"], ["--legacy-peer-deps", "--no-save"]],
)
"#;
let parser = PolicyParser::new("test.policy", policy_src);
let policy = parser.parse().expect("parse policy");
let rules = policy.rules().get_vec("npm").expect("npm rules");
assert_eq!(rules.len(), 1);
let rule = &rules[0];
assert_eq!(
rule.pattern.rest,
vec![
PatternToken::Alts(vec!["i".to_string(), "install".to_string()]),
PatternToken::Alts(vec![
"--legacy-peer-deps".to_string(),
"--no-save".to_string()
]),
],
);
for cmd in [
tokens(&["npm", "i", "--legacy-peer-deps"]),
tokens(&["npm", "install", "--no-save", "leftpad"]),
] {
assert!(policy.evaluate(&cmd).is_some());
}
}
#[test]
fn match_and_not_match_examples_are_enforced() {
let policy_src = r#"
prefix_rule(
id = "git_status",
pattern = ["git", "status"],
match = [["git", "status"]],
not_match = [["git", "reset", "--hard"]],
)
"#;
let parser = PolicyParser::new("test.policy", policy_src);
let policy = parser.parse().expect("parse policy");
assert!(policy.evaluate(&tokens(&["git", "status"])).is_some());
assert!(
policy
.evaluate(&tokens(&["git", "reset", "--hard"]))
.is_none()
);
}
#[test]
fn strictest_decision_wins_across_matches() {
let policy_src = r#"
prefix_rule(
id = "allow_git_status",
pattern = ["git", "status"],
decision = "allow",
)
prefix_rule(
id = "prompt_git",
pattern = ["git"],
decision = "prompt",
)
prefix_rule(
id = "forbid_git_commit",
pattern = ["git", "commit"],
decision = "forbidden",
)
"#;
let parser = PolicyParser::new("test.policy", policy_src);
let policy = parser.parse().expect("parse policy");
let status = tokens(&["git", "status"]);
let status_eval = policy.evaluate(&status).expect("match");
assert_eq!(status_eval.decision, Decision::Prompt);
assert_eq!(
status_eval.matched_rules,
vec![
RuleMatch {
rule_id: "allow_git_status".to_string(),
matched_prefix: vec!["git".to_string(), "status".to_string()],
decision: Decision::Allow,
},
RuleMatch {
rule_id: "prompt_git".to_string(),
matched_prefix: vec!["git".to_string()],
decision: Decision::Prompt,
}
]
);
let commit = tokens(&["git", "commit", "-m", "hi"]);
let commit_eval = policy.evaluate(&commit).expect("match");
assert_eq!(commit_eval.decision, Decision::Forbidden);
assert_eq!(
commit_eval.matched_rules,
vec![
RuleMatch {
rule_id: "prompt_git".to_string(),
matched_prefix: vec!["git".to_string()],
decision: Decision::Prompt,
},
RuleMatch {
rule_id: "forbid_git_commit".to_string(),
matched_prefix: vec!["git".to_string(), "commit".to_string()],
decision: Decision::Forbidden,
}
]
);
}
Reference in New Issue View Git Blame Copy Permalink