Default to whitelist mode and parallelize tests
Flips the default sandbox mode from blacklist to whitelist and replaces the global RUST_TEST_THREADS=1 with a targeted RwLock that only serializes blacklist sandboxes against tests mutating glob-matching host paths. A new Sandbox newtype acquires the guard automatically when --blacklist is in args.
This commit is contained in:
+14
-14
@@ -2,7 +2,7 @@ use crate::common::*;
|
||||
|
||||
#[test]
|
||||
fn dry_run_prints_and_exits() {
|
||||
let output = sandbox(&["--dry-run"])
|
||||
let output = Sandbox::new(&["--dry-run"])
|
||||
.args(["--", "bash", "-c", "exit 42"])
|
||||
.output()
|
||||
.expect("agent-sandbox binary failed to execute");
|
||||
@@ -20,7 +20,7 @@ fn dry_run_prints_and_exits() {
|
||||
|
||||
#[test]
|
||||
fn dry_run_output_is_copy_pasteable_shell() {
|
||||
let dry = sandbox(&["--dry-run"])
|
||||
let dry = Sandbox::new(&["--dry-run"])
|
||||
.args(["--", "bash", "-c", "echo $HOME"])
|
||||
.output()
|
||||
.expect("agent-sandbox binary failed to execute");
|
||||
@@ -34,7 +34,7 @@ fn dry_run_output_is_copy_pasteable_shell() {
|
||||
|
||||
#[test]
|
||||
fn empty_home_rejected() {
|
||||
let output = sandbox(&[])
|
||||
let output = Sandbox::new(&[])
|
||||
.env("HOME", "")
|
||||
.args(["--", "true"])
|
||||
.output()
|
||||
@@ -53,7 +53,7 @@ fn empty_home_rejected() {
|
||||
|
||||
#[test]
|
||||
fn config_missing_file_errors() {
|
||||
let output = sandbox_withconfig(&["--config", "/nonexistent/config.toml"])
|
||||
let output = Sandbox::new_with_config(&["--config", "/nonexistent/config.toml"])
|
||||
.args(["--", "true"])
|
||||
.output()
|
||||
.expect("failed to execute");
|
||||
@@ -70,7 +70,7 @@ fn config_missing_file_errors() {
|
||||
fn config_invalid_toml_errors() {
|
||||
let cfg = ConfigFile::new("not valid {{{{ toml");
|
||||
|
||||
let output = sandbox_withconfig(&["--config", &cfg])
|
||||
let output = Sandbox::new_with_config(&["--config", &cfg])
|
||||
.args(["--", "true"])
|
||||
.output()
|
||||
.expect("failed to execute");
|
||||
@@ -87,7 +87,7 @@ fn config_invalid_toml_errors() {
|
||||
fn config_unknown_key_errors() {
|
||||
let cfg = ConfigFile::new("hardened = true\nbogus = \"nope\"\n");
|
||||
|
||||
let output = sandbox_withconfig(&["--config", &cfg])
|
||||
let output = Sandbox::new_with_config(&["--config", &cfg])
|
||||
.args(["--", "true"])
|
||||
.output()
|
||||
.expect("failed to execute");
|
||||
@@ -102,7 +102,7 @@ fn config_unknown_key_errors() {
|
||||
|
||||
#[test]
|
||||
fn bwrap_arg_setenv_passes_through() {
|
||||
let output = sandbox(&["--bwrap-arg", "--setenv MYVAR hello"])
|
||||
let output = Sandbox::new(&["--bwrap-arg", "--setenv MYVAR hello"])
|
||||
.args(["--", "bash", "-c", "echo $MYVAR"])
|
||||
.output()
|
||||
.expect("agent-sandbox binary failed to execute");
|
||||
@@ -123,7 +123,7 @@ fn config_entrypoint_appends_passthrough_args() {
|
||||
"#,
|
||||
);
|
||||
|
||||
let output = sandbox_withconfig(&["--config", &cfg, "--profile", "test"])
|
||||
let output = Sandbox::new_with_config(&["--config", &cfg, "--profile", "test"])
|
||||
.args(["--", "echo entrypoint-works"])
|
||||
.output()
|
||||
.expect("failed to execute");
|
||||
@@ -145,7 +145,7 @@ fn config_entrypoint_falls_back_to_command_defaults() {
|
||||
"#,
|
||||
);
|
||||
|
||||
let output = sandbox_withconfig(&["--config", &cfg, "--profile", "test"])
|
||||
let output = Sandbox::new_with_config(&["--config", &cfg, "--profile", "test"])
|
||||
.output()
|
||||
.expect("failed to execute");
|
||||
|
||||
@@ -165,7 +165,7 @@ fn config_entrypoint_alone_without_command_or_passthrough() {
|
||||
"#,
|
||||
);
|
||||
|
||||
let output = sandbox_withconfig(&["--config", &cfg, "--profile", "test"])
|
||||
let output = Sandbox::new_with_config(&["--config", &cfg, "--profile", "test"])
|
||||
.output()
|
||||
.expect("failed to execute");
|
||||
|
||||
@@ -178,7 +178,7 @@ fn config_entrypoint_alone_without_command_or_passthrough() {
|
||||
|
||||
#[test]
|
||||
fn cli_entrypoint_appends_passthrough_args() {
|
||||
let output = sandbox(&["--entrypoint", "bash"])
|
||||
let output = Sandbox::new(&["--entrypoint", "bash"])
|
||||
.args(["--", "-c", "echo cli-entrypoint-works"])
|
||||
.output()
|
||||
.expect("failed to execute");
|
||||
@@ -198,7 +198,7 @@ fn cli_entrypoint_overrides_config_entrypoint() {
|
||||
"#,
|
||||
);
|
||||
|
||||
let output = sandbox_withconfig(&["--config", &cfg, "--entrypoint", "bash"])
|
||||
let output = Sandbox::new_with_config(&["--config", &cfg, "--entrypoint", "bash"])
|
||||
.args(["--", "-c", "echo override-works"])
|
||||
.output()
|
||||
.expect("failed to execute");
|
||||
@@ -219,7 +219,7 @@ fn config_command_alone_without_passthrough() {
|
||||
"#,
|
||||
);
|
||||
|
||||
let output = sandbox_withconfig(&["--config", &cfg, "--profile", "test"])
|
||||
let output = Sandbox::new_with_config(&["--config", &cfg, "--profile", "test"])
|
||||
.output()
|
||||
.expect("failed to execute");
|
||||
|
||||
@@ -239,7 +239,7 @@ fn config_command_replaced_by_passthrough() {
|
||||
"#,
|
||||
);
|
||||
|
||||
let output = sandbox_withconfig(&["--config", &cfg, "--profile", "test"])
|
||||
let output = Sandbox::new_with_config(&["--config", &cfg, "--profile", "test"])
|
||||
.args(["--", "bash", "-c", "echo replaced"])
|
||||
.output()
|
||||
.expect("failed to execute");
|
||||
|
||||
Reference in New Issue
Block a user