clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-04-26 07:35:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
eea9bff1fbc36f61d872b874f73539154d2a7d4e
codex/codex-rs/execpolicy2/tests/basic.rs
kevin zhao eea9bff1fb remove tokenize_command use cases
2025-11-13 22:07:37 -05:00

156 lines
4.4 KiB
Rust
Raw Blame History

use codex_execpolicy2::Decision;
use codex_execpolicy2::PolicyParser;
use codex_execpolicy2::RuleMatch;
fn tokens(cmd: &[&str]) -> Vec<String> {
cmd.iter().map(|token| token.to_string()).collect()
}
#[test]
fn matches_default_git_status() {
let policy = codex_execpolicy2::load_default_policy().expect("parse");
let cmd = tokens(&["git", "status"]);
let eval = policy.evaluate(&cmd).expect("match");
assert_eq!(eval.decision, Decision::Allow);
assert_eq!(
eval.matched_rules,
vec![RuleMatch {
rule_id: "git_status".to_string(),
matched_prefix: vec!["git".to_string(), "status".to_string()],
decision: Decision::Allow,
}]
);
}
#[test]
fn pattern_expands_alternatives() {
let policy_src = r#"
prefix_rule(
id = "npm_install",
pattern = ["npm", ["i", "install"]],
)
"#;
let parser = PolicyParser::new("test.policy", policy_src);
let policy = parser.parse().expect("parse policy");
for (cmd, matched_prefix) in [
(tokens(&["npm", "i"]), tokens(&["npm", "i"])),
(tokens(&["npm", "install"]), tokens(&["npm", "install"])),
] {
let eval = policy.evaluate(&cmd).expect("match");
assert_eq!(
eval.matched_rules,
vec![RuleMatch {
rule_id: "npm_install".to_string(),
matched_prefix,
decision: Decision::Allow,
}]
);
}
let no_match = tokens(&["npmx", "install"]);
assert!(policy.evaluate(&no_match).is_none());
}
#[test]
fn match_and_not_match_examples_are_enforced() {
let policy_src = r#"
prefix_rule(
id = "git_status",
pattern = ["git", "status"],
match = [["git", "status"]],
not_match = [["git", "reset", "--hard"]],
)
"#;
let parser = PolicyParser::new("test.policy", policy_src);
let policy = parser.parse().expect("parse policy");
assert!(policy.evaluate(&tokens(&["git", "status"])).is_some());
assert!(
policy
.evaluate(&tokens(&["git", "reset", "--hard"]))
.is_none()
);
}
#[test]
fn strictest_decision_wins_across_matches() {
let policy_src = r#"
prefix_rule(
id = "allow_git_status",
pattern = ["git", "status"],
decision = "allow",
)
prefix_rule(
id = "prompt_git",
pattern = ["git"],
decision = "prompt",
)
prefix_rule(
id = "forbid_git_commit",
pattern = ["git", "commit"],
decision = "forbidden",
)
"#;
let parser = PolicyParser::new("test.policy", policy_src);
let policy = parser.parse().expect("parse policy");
let status = tokens(&["git", "status"]);
let status_eval = policy.evaluate(&status).expect("match");
assert_eq!(status_eval.decision, Decision::Prompt);
assert_eq!(
status_eval.matched_rules,
vec![
RuleMatch {
rule_id: "allow_git_status".to_string(),
matched_prefix: vec!["git".to_string(), "status".to_string()],
decision: Decision::Allow,
},
RuleMatch {
rule_id: "prompt_git".to_string(),
matched_prefix: vec!["git".to_string()],
decision: Decision::Prompt,
}
]
);
let commit = tokens(&["git", "commit", "-m", "hi"]);
let commit_eval = policy.evaluate(&commit).expect("match");
assert_eq!(commit_eval.decision, Decision::Forbidden);
assert_eq!(
commit_eval.matched_rules,
vec![
RuleMatch {
rule_id: "prompt_git".to_string(),
matched_prefix: vec!["git".to_string()],
decision: Decision::Prompt,
},
RuleMatch {
rule_id: "forbid_git_commit".to_string(),
matched_prefix: vec!["git".to_string(), "commit".to_string()],
decision: Decision::Forbidden,
}
]
);
}
#[test]
fn unnamed_rule_uses_source_as_name() {
let policy_src = r#"
prefix_rule(
id = "unnamed_rule",
pattern = ["echo"],
)
"#;
let parser = PolicyParser::new("test.policy", policy_src);
let policy = parser.parse().expect("parse policy");
let eval = policy.evaluate(&tokens(&["echo", "hi"])).expect("match");
assert_eq!(
eval.matched_rules,
vec![RuleMatch {
rule_id: "unnamed_rule".to_string(),
matched_prefix: vec!["echo".to_string()],
decision: Decision::Allow,
}]
);
}
Reference in New Issue View Git Blame Copy Permalink