Codex Handbook
core/src/network_policy_decision_tests.rs 192 lines
use super::*;use codex_network_proxy::BlockedRequest;use codex_network_proxy::NetworkDecisionSource;use codex_protocol::approvals::NetworkPolicyAmendment;use codex_protocol::approvals::NetworkPolicyRuleAction;use pretty_assertions::assert_eq;#[test]fn network_approval_context_requires_ask_from_decider() {    let payload = NetworkPolicyDecisionPayload {        decision: NetworkPolicyDecision::Deny,        source: NetworkDecisionSource::Decider,        protocol: Some(NetworkApprovalProtocol::Https),        host: Some("example.com".to_string()),        reason: Some("not_allowed".to_string()),        port: Some(443),    };    assert_eq!(network_approval_context_from_payload(&payload), None);}#[test]fn network_approval_context_maps_http_https_and_socks_protocols() {    let http_payload = NetworkPolicyDecisionPayload {        decision: NetworkPolicyDecision::Ask,        source: NetworkDecisionSource::Decider,        protocol: Some(NetworkApprovalProtocol::Http),        host: Some("example.com".to_string()),        reason: Some("not_allowed".to_string()),        port: Some(80),    };    assert_eq!(        network_approval_context_from_payload(&http_payload),        Some(NetworkApprovalContext {            host: "example.com".to_string(),            protocol: NetworkApprovalProtocol::Http,        })    );    let https_payload = NetworkPolicyDecisionPayload {        decision: NetworkPolicyDecision::Ask,        source: NetworkDecisionSource::Decider,        protocol: Some(NetworkApprovalProtocol::Https),        host: Some("example.com".to_string()),        reason: Some("not_allowed".to_string()),        port: Some(443),    };    assert_eq!(        network_approval_context_from_payload(&https_payload),        Some(NetworkApprovalContext {            host: "example.com".to_string(),            protocol: NetworkApprovalProtocol::Https,        })    );    let http_connect_payload = NetworkPolicyDecisionPayload {        decision: NetworkPolicyDecision::Ask,        source: NetworkDecisionSource::Decider,        protocol: Some(NetworkApprovalProtocol::Https),        host: Some("example.com".to_string()),        reason: Some("not_allowed".to_string()),        port: Some(443),    };    assert_eq!(        network_approval_context_from_payload(&http_connect_payload),        Some(NetworkApprovalContext {            host: "example.com".to_string(),            protocol: NetworkApprovalProtocol::Https,        })    );    let socks5_tcp_payload = NetworkPolicyDecisionPayload {        decision: NetworkPolicyDecision::Ask,        source: NetworkDecisionSource::Decider,        protocol: Some(NetworkApprovalProtocol::Socks5Tcp),        host: Some("example.com".to_string()),        reason: Some("not_allowed".to_string()),        port: Some(443),    };    assert_eq!(        network_approval_context_from_payload(&socks5_tcp_payload),        Some(NetworkApprovalContext {            host: "example.com".to_string(),            protocol: NetworkApprovalProtocol::Socks5Tcp,        })    );    let socks5_udp_payload = NetworkPolicyDecisionPayload {        decision: NetworkPolicyDecision::Ask,        source: NetworkDecisionSource::Decider,        protocol: Some(NetworkApprovalProtocol::Socks5Udp),        host: Some("example.com".to_string()),        reason: Some("not_allowed".to_string()),        port: Some(443),    };    assert_eq!(        network_approval_context_from_payload(&socks5_udp_payload),        Some(NetworkApprovalContext {            host: "example.com".to_string(),            protocol: NetworkApprovalProtocol::Socks5Udp,        })    );}#[test]fn network_policy_decision_payload_deserializes_proxy_protocol_aliases() {    let payload: NetworkPolicyDecisionPayload = serde_json::from_str(        r#"{                "decision":"ask",                "source":"decider",                "protocol":"https_connect",                "host":"example.com",                "reason":"not_allowed",                "port":443            }"#,    )    .expect("payload should deserialize");    assert_eq!(payload.protocol, Some(NetworkApprovalProtocol::Https));    let payload: NetworkPolicyDecisionPayload = serde_json::from_str(        r#"{                "decision":"ask",                "source":"decider",                "protocol":"http-connect",                "host":"example.com",                "reason":"not_allowed",                "port":443            }"#,    )    .expect("payload should deserialize");    assert_eq!(payload.protocol, Some(NetworkApprovalProtocol::Https));}#[test]fn execpolicy_network_rule_amendment_maps_protocol_action_and_justification() {    let amendment = NetworkPolicyAmendment {        action: NetworkPolicyRuleAction::Deny,        host: "example.com".to_string(),    };    let context = NetworkApprovalContext {        host: "example.com".to_string(),        protocol: NetworkApprovalProtocol::Socks5Udp,    };    assert_eq!(        execpolicy_network_rule_amendment(&amendment, &context, "example.com"),        ExecPolicyNetworkRuleAmendment {            protocol: ExecPolicyNetworkRuleProtocol::Socks5Udp,            decision: ExecPolicyDecision::Forbidden,            justification: "Deny socks5_udp access to example.com".to_string(),        }    );}#[test]fn denied_network_policy_message_requires_deny_decision() {    let blocked = BlockedRequest {        host: "example.com".to_string(),        reason: "not_allowed".to_string(),        client: None,        method: Some("GET".to_string()),        mode: None,        protocol: "http".to_string(),        decision: Some("ask".to_string()),        source: Some("decider".to_string()),        port: Some(80),        timestamp: 0,    };    assert_eq!(denied_network_policy_message(&blocked), None);}#[test]fn denied_network_policy_message_for_denylist_block_is_explicit() {    let blocked = BlockedRequest {        host: "example.com".to_string(),        reason: "denied".to_string(),        client: None,        method: Some("GET".to_string()),        mode: None,        protocol: "http".to_string(),        decision: Some("deny".to_string()),        source: Some("baseline_policy".to_string()),        port: Some(80),        timestamp: 0,    };    assert_eq!(            denied_network_policy_message(&blocked),            Some(                "Network access to \"example.com\" was blocked: domain is explicitly denied by policy and cannot be approved from this prompt.".to_string()            )        );}