codex-rs/execpolicy/tests/head.rs

use codex_execpolicy::ArgMatcher;
use codex_execpolicy::ArgType;
use codex_execpolicy::Error;
use codex_execpolicy::ExecCall;
use codex_execpolicy::MatchedArg;
use codex_execpolicy::MatchedExec;
use codex_execpolicy::MatchedOpt;
use codex_execpolicy::Policy;
use codex_execpolicy::Result;
use codex_execpolicy::ValidExec;
use codex_execpolicy::get_default_policy;

extern crate codex_execpolicy;

fn setup() -> Policy {
    get_default_policy().expect("failed to load default policy")
}

#[test]
fn test_head_no_args() {
    let policy = setup();
    let head = ExecCall::new("head", &[]);
    // It is actually valid to call `head` without arguments: it will read from
    // stdin instead of from a file. Though recall that a command rejected by
    // the policy is not "unsafe:" it just means that this library cannot
    // *guarantee* that the command is safe.
    //
    // If we start verifying individual components of a shell command, such as:
    // `find . -name | head -n 10`, then it might be important to allow the
    // no-arg case.
    assert_eq!(
        Err(Error::VarargMatcherDidNotMatchAnything {
            program: "head".to_string(),
            matcher: ArgMatcher::ReadableFiles,
        }),
        policy.check(&head)
    )
}

#[test]
fn test_head_one_file_no_flags() -> Result<()> {
    let policy = setup();
    let head = ExecCall::new("head", &["src/extension.ts"]);
    assert_eq!(
        Ok(MatchedExec::Match {
            exec: ValidExec::new(
                "head",
                vec![MatchedArg::new(
                    0,
                    ArgType::ReadableFile,
                    "src/extension.ts"
                )?],
                &["/bin/head", "/usr/bin/head"]
            )
        }),
        policy.check(&head)
    );
    Ok(())
}

#[test]
fn test_head_one_flag_one_file() -> Result<()> {
    let policy = setup();
    let head = ExecCall::new("head", &["-n", "100", "src/extension.ts"]);
    assert_eq!(
        Ok(MatchedExec::Match {
            exec: ValidExec {
                program: "head".to_string(),
                flags: vec![],
                opts: vec![MatchedOpt::new("-n", "100", ArgType::PositiveInteger).unwrap()],
                args: vec![MatchedArg::new(
                    2,
                    ArgType::ReadableFile,
                    "src/extension.ts"
                )?],
                system_path: vec!["/bin/head".to_string(), "/usr/bin/head".to_string()],
            }
        }),
        policy.check(&head)
    );
    Ok(())
}

#[test]
fn test_head_invalid_n_as_0() {
    let policy = setup();
    let head = ExecCall::new("head", &["-n", "0", "src/extension.ts"]);
    assert_eq!(
        Err(Error::InvalidPositiveInteger {
            value: "0".to_string(),
        }),
        policy.check(&head)
    )
}

#[test]
fn test_head_invalid_n_as_nonint_float() {
    let policy = setup();
    let head = ExecCall::new("head", &["-n", "1.5", "src/extension.ts"]);
    assert_eq!(
        Err(Error::InvalidPositiveInteger {
            value: "1.5".to_string(),
        }),
        policy.check(&head)
    )
}

#[test]
fn test_head_invalid_n_as_float() {
    let policy = setup();
    let head = ExecCall::new("head", &["-n", "1.0", "src/extension.ts"]);
    assert_eq!(
        Err(Error::InvalidPositiveInteger {
            value: "1.0".to_string(),
        }),
        policy.check(&head)
    )
}

#[test]
fn test_head_invalid_n_as_negative_int() {
    let policy = setup();
    let head = ExecCall::new("head", &["-n", "-1", "src/extension.ts"]);
    assert_eq!(
        Err(Error::OptionFollowedByOptionInsteadOfValue {
            program: "head".to_string(),
            option: "-n".to_string(),
            value: "-1".to_string(),
        }),
        policy.check(&head)
    )
}
feat: introduce codex_execpolicy crate for defining "safe" commands (#634) As described in detail in `codex-rs/execpolicy/README.md` introduced in this PR, `execpolicy` is a tool that lets you define a set of _patterns_ used to match [`execv(3)`](https://linux.die.net/man/3/execv) invocations. When a pattern is matched, `execpolicy` returns the parsed version in a structured form that is amenable to static analysis. The primary use case is to define patterns match commands that should be auto-approved by a tool such as Codex. This supports a richer pattern matching mechanism that the sort of prefix-matching we have done to date, e.g.: https://github.com/openai/codex/blob/5e40d9d2211737f46136610497bcd9a8271009e0/codex-cli/src/approvals.ts#L333-L354 Note we are still playing with the API and the `system_path` option in particular still needs some work. 2025-04-24 17:14:47 -07:00			`use codex_execpolicy::ArgMatcher;`
			`use codex_execpolicy::ArgType;`
			`use codex_execpolicy::Error;`
			`use codex_execpolicy::ExecCall;`
			`use codex_execpolicy::MatchedArg;`
			`use codex_execpolicy::MatchedExec;`
			`use codex_execpolicy::MatchedOpt;`
			`use codex_execpolicy::Policy;`
			`use codex_execpolicy::Result;`
			`use codex_execpolicy::ValidExec;`
Update cargo to 2024 edition (#842) Some effects of this change: - New formatting changes across many files. No functionality changes should occur from that. - Calls to `set_env` are considered unsafe, since this only happens in tests we wrap them in `unsafe` blocks 2025-05-07 08:37:48 -07:00			`use codex_execpolicy::get_default_policy;`
feat: introduce codex_execpolicy crate for defining "safe" commands (#634) As described in detail in `codex-rs/execpolicy/README.md` introduced in this PR, `execpolicy` is a tool that lets you define a set of _patterns_ used to match [`execv(3)`](https://linux.die.net/man/3/execv) invocations. When a pattern is matched, `execpolicy` returns the parsed version in a structured form that is amenable to static analysis. The primary use case is to define patterns match commands that should be auto-approved by a tool such as Codex. This supports a richer pattern matching mechanism that the sort of prefix-matching we have done to date, e.g.: https://github.com/openai/codex/blob/5e40d9d2211737f46136610497bcd9a8271009e0/codex-cli/src/approvals.ts#L333-L354 Note we are still playing with the API and the `system_path` option in particular still needs some work. 2025-04-24 17:14:47 -07:00
			`extern crate codex_execpolicy;`

			`fn setup() -> Policy {`
			`get_default_policy().expect("failed to load default policy")`
			`}`

			`#[test]`
			`fn test_head_no_args() {`
			`let policy = setup();`
			`let head = ExecCall::new("head", &[]);`
			// It is actually valid to call `head` without arguments: it will read from
			`// stdin instead of from a file. Though recall that a command rejected by`
			`// the policy is not "unsafe:" it just means that this library cannot`
			`// guarantee that the command is safe.`
			`//`
			`// If we start verifying individual components of a shell command, such as:`
			// `find . -name \| head -n 10`, then it might be important to allow the
			`// no-arg case.`
			`assert_eq!(`
			`Err(Error::VarargMatcherDidNotMatchAnything {`
			`program: "head".to_string(),`
			`matcher: ArgMatcher::ReadableFiles,`
			`}),`
			`policy.check(&head)`
			`)`
			`}`

			`#[test]`
			`fn test_head_one_file_no_flags() -> Result<()> {`
			`let policy = setup();`
			`let head = ExecCall::new("head", &["src/extension.ts"]);`
			`assert_eq!(`
			`Ok(MatchedExec::Match {`
			`exec: ValidExec::new(`
			`"head",`
			`vec![MatchedArg::new(`
			`0,`
			`ArgType::ReadableFile,`
			`"src/extension.ts"`
			`)?],`
			`&["/bin/head", "/usr/bin/head"]`
			`)`
			`}),`
			`policy.check(&head)`
			`);`
			`Ok(())`
			`}`

			`#[test]`
			`fn test_head_one_flag_one_file() -> Result<()> {`
			`let policy = setup();`
			`let head = ExecCall::new("head", &["-n", "100", "src/extension.ts"]);`
			`assert_eq!(`
			`Ok(MatchedExec::Match {`
			`exec: ValidExec {`
			`program: "head".to_string(),`
			`flags: vec![],`
			`opts: vec![MatchedOpt::new("-n", "100", ArgType::PositiveInteger).unwrap()],`
			`args: vec![MatchedArg::new(`
			`2,`
			`ArgType::ReadableFile,`
			`"src/extension.ts"`
			`)?],`
			`system_path: vec!["/bin/head".to_string(), "/usr/bin/head".to_string()],`
			`}`
			`}),`
			`policy.check(&head)`
			`);`
			`Ok(())`
			`}`

			`#[test]`
			`fn test_head_invalid_n_as_0() {`
			`let policy = setup();`
			`let head = ExecCall::new("head", &["-n", "0", "src/extension.ts"]);`
			`assert_eq!(`
			`Err(Error::InvalidPositiveInteger {`
			`value: "0".to_string(),`
			`}),`
			`policy.check(&head)`
			`)`
			`}`

			`#[test]`
			`fn test_head_invalid_n_as_nonint_float() {`
			`let policy = setup();`
			`let head = ExecCall::new("head", &["-n", "1.5", "src/extension.ts"]);`
			`assert_eq!(`
			`Err(Error::InvalidPositiveInteger {`
			`value: "1.5".to_string(),`
			`}),`
			`policy.check(&head)`
			`)`
			`}`

			`#[test]`
			`fn test_head_invalid_n_as_float() {`
			`let policy = setup();`
			`let head = ExecCall::new("head", &["-n", "1.0", "src/extension.ts"]);`
			`assert_eq!(`
			`Err(Error::InvalidPositiveInteger {`
			`value: "1.0".to_string(),`
			`}),`
			`policy.check(&head)`
			`)`
			`}`

			`#[test]`
			`fn test_head_invalid_n_as_negative_int() {`
			`let policy = setup();`
			`let head = ExecCall::new("head", &["-n", "-1", "src/extension.ts"]);`
			`assert_eq!(`
			`Err(Error::OptionFollowedByOptionInsteadOfValue {`
			`program: "head".to_string(),`
			`option: "-n".to_string(),`
			`value: "-1".to_string(),`
			`}),`
			`policy.check(&head)`
			`)`
			`}`