diff --git a/pkg/workflow/frontmatter_extraction_security.go b/pkg/workflow/frontmatter_extraction_security.go index a9f8ceeead3..dd9b591712e 100644 --- a/pkg/workflow/frontmatter_extraction_security.go +++ b/pkg/workflow/frontmatter_extraction_security.go @@ -62,88 +62,6 @@ func (c *Compiler) extractNetworkPermissions(frontmatter map[string]any) *Networ return nil } -// extractFirewallConfig extracts firewall configuration from various formats -func (c *Compiler) extractFirewallConfig(firewall any) *FirewallConfig { - // Handle null/empty object format: firewall: or firewall: {} - if firewall == nil { - return &FirewallConfig{ - Enabled: true, - } - } - - // Handle boolean format: firewall: true or firewall: false - if firewallBool, ok := firewall.(bool); ok { - return &FirewallConfig{ - Enabled: firewallBool, - } - } - - // Handle string format: firewall: "disable" - if firewallStr, ok := firewall.(string); ok { - if firewallStr == "disable" { - return &FirewallConfig{ - Enabled: false, - } - } - // Unknown string format, return nil - return nil - } - - // Handle object format: firewall: { args: [...], version: "..." } - if firewallObj, ok := firewall.(map[string]any); ok { - config := &FirewallConfig{ - Enabled: true, // Default to enabled when object is specified - } - - // Extract args if present - if args, hasArgs := firewallObj["args"]; hasArgs { - if argsSlice, ok := args.([]any); ok { - for _, arg := range argsSlice { - if argStr, ok := arg.(string); ok { - config.Args = append(config.Args, argStr) - } - } - } - } - - // Extract version if present - if version, hasVersion := firewallObj["version"]; hasVersion { - if versionStr, ok := version.(string); ok { - config.Version = versionStr - } - } - - // Extract log-level if present - if logLevel, hasLogLevel := firewallObj["log-level"]; hasLogLevel { - if logLevelStr, ok := logLevel.(string); ok { - config.LogLevel = logLevelStr - } - } - - // Extract ssl-bump if present - if sslBump, hasSslBump := firewallObj["ssl-bump"]; hasSslBump { - if sslBumpBool, ok := sslBump.(bool); ok { - config.SSLBump = sslBumpBool - } - } - - // Extract allow-urls if present - if allowUrls, hasAllowUrls := firewallObj["allow-urls"]; hasAllowUrls { - if urlsSlice, ok := allowUrls.([]any); ok { - for _, url := range urlsSlice { - if urlStr, ok := url.(string); ok { - config.AllowURLs = append(config.AllowURLs, urlStr) - } - } - } - } - - return config - } - - return nil -} - // extractSandboxConfig extracts sandbox configuration from front matter func (c *Compiler) extractSandboxConfig(frontmatter map[string]any) *SandboxConfig { frontmatterExtractionSecurityLog.Print("Extracting sandbox configuration from frontmatter") diff --git a/pkg/workflow/frontmatter_extraction_security_test.go b/pkg/workflow/frontmatter_extraction_security_test.go index 68aec9991fc..ee12b26b171 100644 --- a/pkg/workflow/frontmatter_extraction_security_test.go +++ b/pkg/workflow/frontmatter_extraction_security_test.go @@ -9,115 +9,6 @@ import ( "github.com/stretchr/testify/require" ) -// TestExtractFirewallConfig tests the extraction of firewall configuration from frontmatter -func TestExtractFirewallConfig(t *testing.T) { - compiler := &Compiler{} - - t.Run("extracts ssl-bump boolean field", func(t *testing.T) { - firewallObj := map[string]any{ - "ssl-bump": true, - } - - config := compiler.extractFirewallConfig(firewallObj) - require.NotNil(t, config, "Should extract firewall config") - assert.True(t, config.Enabled, "Should be enabled") - assert.True(t, config.SSLBump, "Should have ssl-bump enabled") - }) - - t.Run("extracts allow-urls string array", func(t *testing.T) { - firewallObj := map[string]any{ - "ssl-bump": true, - "allow-urls": []any{ - "https://github.com/githubnext/*", - "https://api.github.com/repos/*", - }, - } - - config := compiler.extractFirewallConfig(firewallObj) - require.NotNil(t, config, "Should extract firewall config") - assert.True(t, config.SSLBump, "Should have ssl-bump enabled") - assert.Len(t, config.AllowURLs, 2, "Should have 2 allow-urls") - assert.Equal(t, "https://github.com/githubnext/*", config.AllowURLs[0], "First URL should match") - assert.Equal(t, "https://api.github.com/repos/*", config.AllowURLs[1], "Second URL should match") - }) - - t.Run("extracts all fields together", func(t *testing.T) { - firewallObj := map[string]any{ - "args": []any{"--custom-arg", "value"}, - "version": "v1.0.0", - "log-level": "debug", - "ssl-bump": true, - "allow-urls": []any{"https://example.com/*"}, - } - - config := compiler.extractFirewallConfig(firewallObj) - require.NotNil(t, config, "Should extract firewall config") - assert.True(t, config.Enabled, "Should be enabled") - assert.Len(t, config.Args, 2, "Should have 2 args") - assert.Equal(t, "v1.0.0", config.Version, "Should extract version") - assert.Equal(t, "debug", config.LogLevel, "Should extract log-level") - assert.True(t, config.SSLBump, "Should have ssl-bump enabled") - assert.Len(t, config.AllowURLs, 1, "Should have 1 allow-url") - assert.Equal(t, "https://example.com/*", config.AllowURLs[0], "Should extract allow-url") - }) - - t.Run("ssl-bump defaults to false when not specified", func(t *testing.T) { - firewallObj := map[string]any{ - "version": "v1.0.0", - } - - config := compiler.extractFirewallConfig(firewallObj) - require.NotNil(t, config, "Should extract firewall config") - assert.False(t, config.SSLBump, "ssl-bump should default to false") - }) - - t.Run("allow-urls defaults to empty when not specified", func(t *testing.T) { - firewallObj := map[string]any{ - "ssl-bump": true, - } - - config := compiler.extractFirewallConfig(firewallObj) - require.NotNil(t, config, "Should extract firewall config") - assert.Nil(t, config.AllowURLs, "allow-urls should be nil when not specified") - }) - - t.Run("handles non-string values in allow-urls gracefully", func(t *testing.T) { - firewallObj := map[string]any{ - "allow-urls": []any{ - "https://github.com/*", - 123, // Invalid: number instead of string - "https://api.github.com/*", - }, - } - - config := compiler.extractFirewallConfig(firewallObj) - require.NotNil(t, config, "Should extract firewall config") - assert.Len(t, config.AllowURLs, 2, "Should skip non-string values") - assert.Equal(t, "https://github.com/*", config.AllowURLs[0], "First valid URL should be extracted") - assert.Equal(t, "https://api.github.com/*", config.AllowURLs[1], "Second valid URL should be extracted") - }) - - t.Run("handles non-boolean ssl-bump gracefully", func(t *testing.T) { - firewallObj := map[string]any{ - "ssl-bump": "true", // String instead of boolean - } - - config := compiler.extractFirewallConfig(firewallObj) - require.NotNil(t, config, "Should extract firewall config") - assert.False(t, config.SSLBump, "Should ignore non-boolean ssl-bump value") - }) - - t.Run("handles non-array allow-urls gracefully", func(t *testing.T) { - firewallObj := map[string]any{ - "allow-urls": "https://github.com/*", // String instead of array - } - - config := compiler.extractFirewallConfig(firewallObj) - require.NotNil(t, config, "Should extract firewall config") - assert.Nil(t, config.AllowURLs, "Should ignore non-array allow-urls value") - }) -} - func TestExtractAgentSandboxConfigVersion(t *testing.T) { compiler := &Compiler{}