valknar/llmx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6f87f4c69fbb85b231bfbd261608170a9c13c3d3
llmx/codex-rs/execpolicy/tests/cp.rs
Michael Bolin 58f0e5ab74 feat: introduce codex_execpolicy crate for defining "safe" commands (#634) 
As described in detail in `codex-rs/execpolicy/README.md` introduced in
this PR, `execpolicy` is a tool that lets you define a set of _patterns_
used to match [`execv(3)`](https://linux.die.net/man/3/execv)
invocations. When a pattern is matched, `execpolicy` returns the parsed
version in a structured form that is amenable to static analysis.

The primary use case is to define patterns match commands that should be
auto-approved by a tool such as Codex. This supports a richer pattern
matching mechanism that the sort of prefix-matching we have done to
date, e.g.:


5e40d9d221/codex-cli/src/approvals.ts (L333-L354)

Note we are still playing with the API and the `system_path` option in
particular still needs some work.
2025-04-24 17:14:47 -07:00

86 lines
2.2 KiB
Rust
Raw Blame History

extern crate codex_execpolicy;
use codex_execpolicy::get_default_policy;
use codex_execpolicy::ArgMatcher;
use codex_execpolicy::ArgType;
use codex_execpolicy::Error;
use codex_execpolicy::ExecCall;
use codex_execpolicy::MatchedArg;
use codex_execpolicy::MatchedExec;
use codex_execpolicy::Policy;
use codex_execpolicy::Result;
use codex_execpolicy::ValidExec;
fn setup() -> Policy {
get_default_policy().expect("failed to load default policy")
}
#[test]
fn test_cp_no_args() {
let policy = setup();
let cp = ExecCall::new("cp", &[]);
assert_eq!(
Err(Error::NotEnoughArgs {
program: "cp".to_string(),
args: vec![],
arg_patterns: vec![ArgMatcher::ReadableFiles, ArgMatcher::WriteableFile]
}),
policy.check(&cp)
)
}
#[test]
fn test_cp_one_arg() {
let policy = setup();
let cp = ExecCall::new("cp", &["foo/bar"]);
assert_eq!(
Err(Error::VarargMatcherDidNotMatchAnything {
program: "cp".to_string(),
matcher: ArgMatcher::ReadableFiles,
}),
policy.check(&cp)
);
}
#[test]
fn test_cp_one_file() -> Result<()> {
let policy = setup();
let cp = ExecCall::new("cp", &["foo/bar", "../baz"]);
assert_eq!(
Ok(MatchedExec::Match {
exec: ValidExec::new(
"cp",
vec![
MatchedArg::new(0, ArgType::ReadableFile, "foo/bar")?,
MatchedArg::new(1, ArgType::WriteableFile, "../baz")?,
],
&["/bin/cp", "/usr/bin/cp"]
)
}),
policy.check(&cp)
);
Ok(())
}
#[test]
fn test_cp_multiple_files() -> Result<()> {
let policy = setup();
let cp = ExecCall::new("cp", &["foo", "bar", "baz"]);
assert_eq!(
Ok(MatchedExec::Match {
exec: ValidExec::new(
"cp",
vec![
MatchedArg::new(0, ArgType::ReadableFile, "foo")?,
MatchedArg::new(1, ArgType::ReadableFile, "bar")?,
MatchedArg::new(2, ArgType::WriteableFile, "baz")?,
],
&["/bin/cp", "/usr/bin/cp"]
)
}),
policy.check(&cp)
);
Ok(())
}
Reference in New Issue View Git Blame Copy Permalink