openclaw/gogcli
openclaw/gogcli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity
main
gogcli/internal/safetyprofile/parse_test.go
Drew Burchfield 46900109e0
fix(safety): compile baked policy to code to resist binary tampering 
Compile baked safety-profile policies into generated hash switches so the raw allow/deny rule strings are no longer embedded as a patchable YAML blob.

Verification before merge:
- `go test ./cmd/bake-safety-profile ./internal/safetyprofile ./internal/cmd`
- `make lint`
- `./build-safe.sh safety-profiles/agent-safe.yaml -o bin/gog-agent-safe-review`
- `./build-safe.sh safety-profiles/readonly.yaml -o bin/gog-readonly-review`
- runtime block checks for agent-safe and readonly baked binaries

Co-authored-by: drewburchfield <drewburchfield@gmail.com>
2026-05-04 05:55:05 +01:00

75 lines
1.9 KiB
Go
Raw Permalink Blame History

package safetyprofile
import (
"strings"
"testing"
)
func TestParseRejectsDenyWildcards(t *testing.T) {
for _, raw := range []string{
"name: x\nallow:\n - version\ndeny:\n - all\n",
"name: x\nallow:\n - version\ndeny:\n - \"*\"\n",
"name: x\nallow:\n - version\nall: false\n",
"name: x\nallow:\n - version\n\"*\": false\n",
"name: x\nallow:\n - version\naliases:\n all: false\n",
} {
_, err := Parse(raw)
if err == nil {
t.Fatalf("expected error parsing deny wildcard, got nil for: %s", raw)
}
if !strings.Contains(err.Error(), "wildcards") {
t.Fatalf("unexpected error: %v", err)
}
}
}
func TestParseRejectsWildcardPrefix(t *testing.T) {
for _, raw := range []string{
"name: x\nallow:\n - version\nall:\n gmail: false\n",
"name: x\nallow:\n - version\n\"*\":\n gmail: false\n",
} {
_, err := Parse(raw)
if err == nil {
t.Fatalf("expected error parsing wildcard prefix, got nil for: %s", raw)
}
if !strings.Contains(err.Error(), "wildcard") {
t.Fatalf("unexpected error: %v", err)
}
}
}
func TestParseRejectsNonStringName(t *testing.T) {
for _, raw := range []string{
"name: 42\nallow:\n - version\n",
"name: true\nallow:\n - version\n",
"name: \"\"\nallow:\n - version\n",
} {
_, err := Parse(raw)
if err == nil {
t.Fatalf("expected error for invalid name, got nil for: %s", raw)
}
if !strings.Contains(err.Error(), "name:") {
t.Fatalf("unexpected error: %v", err)
}
}
}
func TestHashRuleKnownValues(t *testing.T) {
cases := []struct {
rule string
want uint64
}{
{"version", HashRule("version")},
{"gmail.send", HashRule("gmail.send")},
}
for _, c := range cases {
got := HashRule(c.rule)
if got != c.want {
t.Fatalf("HashRule(%q) = %#x, want %#x", c.rule, got, c.want)
}
}
if HashRule("a") == HashRule("b") {
t.Fatalf("expected distinct hashes for distinct rules")
}
}
Reference in New Issue View Git Blame Copy Permalink