mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
58f0e5ab74
As described in detail in `codex-rs/execpolicy/README.md` introduced in this PR, `execpolicy` is a tool that lets you define a set of _patterns_ used to match [`execv(3)`](https://linux.die.net/man/3/execv) invocations. When a pattern is matched, `execpolicy` returns the parsed version in a structured form that is amenable to static analysis. The primary use case is to define patterns match commands that should be auto-approved by a tool such as Codex. This supports a richer pattern matching mechanism that the sort of prefix-matching we have done to date, e.g.: https://github.com/openai/codex/blob/5e40d9d2211737f46136610497bcd9a8271009e0/codex-cli/src/approvals.ts#L333-L354 Note we are still playing with the API and the `system_path` option in particular still needs some work.
86 lines
2.2 KiB
Rust
86 lines
2.2 KiB
Rust
extern crate codex_execpolicy;
|
|
|
|
use codex_execpolicy::get_default_policy;
|
|
use codex_execpolicy::ArgMatcher;
|
|
use codex_execpolicy::ArgType;
|
|
use codex_execpolicy::Error;
|
|
use codex_execpolicy::ExecCall;
|
|
use codex_execpolicy::MatchedArg;
|
|
use codex_execpolicy::MatchedExec;
|
|
use codex_execpolicy::Policy;
|
|
use codex_execpolicy::Result;
|
|
use codex_execpolicy::ValidExec;
|
|
|
|
fn setup() -> Policy {
|
|
get_default_policy().expect("failed to load default policy")
|
|
}
|
|
|
|
#[test]
|
|
fn test_cp_no_args() {
|
|
let policy = setup();
|
|
let cp = ExecCall::new("cp", &[]);
|
|
assert_eq!(
|
|
Err(Error::NotEnoughArgs {
|
|
program: "cp".to_string(),
|
|
args: vec![],
|
|
arg_patterns: vec![ArgMatcher::ReadableFiles, ArgMatcher::WriteableFile]
|
|
}),
|
|
policy.check(&cp)
|
|
)
|
|
}
|
|
|
|
#[test]
|
|
fn test_cp_one_arg() {
|
|
let policy = setup();
|
|
let cp = ExecCall::new("cp", &["foo/bar"]);
|
|
|
|
assert_eq!(
|
|
Err(Error::VarargMatcherDidNotMatchAnything {
|
|
program: "cp".to_string(),
|
|
matcher: ArgMatcher::ReadableFiles,
|
|
}),
|
|
policy.check(&cp)
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn test_cp_one_file() -> Result<()> {
|
|
let policy = setup();
|
|
let cp = ExecCall::new("cp", &["foo/bar", "../baz"]);
|
|
assert_eq!(
|
|
Ok(MatchedExec::Match {
|
|
exec: ValidExec::new(
|
|
"cp",
|
|
vec![
|
|
MatchedArg::new(0, ArgType::ReadableFile, "foo/bar")?,
|
|
MatchedArg::new(1, ArgType::WriteableFile, "../baz")?,
|
|
],
|
|
&["/bin/cp", "/usr/bin/cp"]
|
|
)
|
|
}),
|
|
policy.check(&cp)
|
|
);
|
|
Ok(())
|
|
}
|
|
|
|
#[test]
|
|
fn test_cp_multiple_files() -> Result<()> {
|
|
let policy = setup();
|
|
let cp = ExecCall::new("cp", &["foo", "bar", "baz"]);
|
|
assert_eq!(
|
|
Ok(MatchedExec::Match {
|
|
exec: ValidExec::new(
|
|
"cp",
|
|
vec![
|
|
MatchedArg::new(0, ArgType::ReadableFile, "foo")?,
|
|
MatchedArg::new(1, ArgType::ReadableFile, "bar")?,
|
|
MatchedArg::new(2, ArgType::WriteableFile, "baz")?,
|
|
],
|
|
&["/bin/cp", "/usr/bin/cp"]
|
|
)
|
|
}),
|
|
policy.check(&cp)
|
|
);
|
|
Ok(())
|
|
}
|