Default to whitelist mode and parallelize tests

Flips the default sandbox mode from blacklist to whitelist and
replaces the global RUST_TEST_THREADS=1 with a targeted RwLock
that only serializes blacklist sandboxes against tests mutating
glob-matching host paths. A new Sandbox newtype acquires the
guard automatically when --blacklist is in args.
2026-04-27 08:18:41 +02:00
parent c77dbc10c3
commit 6e81866226
12 changed files with 158 additions and 81 deletions
+16 -8
@@ -6,7 +6,7 @@ fn printenv_inside(args: &[&str], vars: &[(&str, &str)], query: &[&str]) -> Stri
.map(|v| format!("printenv {v} || echo MISSING:{v}"))
.collect::<Vec<_>>()
.join("; ");
let mut cmd = sandbox(args);
let mut cmd = Sandbox::new(args);
for (k, v) in vars {
cmd.env(k, v);
}
@@ -219,7 +219,7 @@ fn whitelist_unsetenv_overrides_kept_var() {
#[test]
fn blacklist_drops_token_and_secret_vars() {
let stdout = printenv_inside(
&[],
&["--blacklist"],
&[
("GH_TOKEN", "gh-secret"),
("AWS_SECRET_ACCESS_KEY", "aws-secret"),
@@ -252,7 +252,7 @@ fn blacklist_drops_token_and_secret_vars() {
#[test]
fn blacklist_carves_out_vendor_api_keys() {
let stdout = printenv_inside(
&[],
&["--blacklist"],
&[
("ANTHROPIC_API_KEY", "anthropic-key"),
("OPENAI_API_KEY", "openai-key"),
@@ -272,7 +272,7 @@ fn blacklist_carves_out_vendor_api_keys() {
#[test]
fn blacklist_suffix_match_does_not_catch_substring() {
let stdout = printenv_inside(
&[],
&["--blacklist"],
&[
("TOKENIZER_PATH", "/opt/tok"),
("MY_TOKEN_HOLDER", "holder"),
@@ -291,14 +291,18 @@ fn blacklist_suffix_match_does_not_catch_substring() {
#[test]
fn blacklist_keeps_unrelated_host_var() {
let stdout = printenv_inside(&[], &[("MY_NICE_VAR", "hello")], &["MY_NICE_VAR"]);
let stdout = printenv_inside(
&["--blacklist"],
&[("MY_NICE_VAR", "hello")],
&["MY_NICE_VAR"],
);
assert!(stdout.contains("hello"), "MY_NICE_VAR stripped: {stdout}");
}
#[test]
fn blacklist_keeps_dbus_vars() {
let stdout = printenv_inside(
&[],
&["--blacklist"],
&[
("DBUS_SESSION_BUS_ADDRESS", "unix:path=/tmp/fake"),
("DBUS_SYSTEM_BUS_ADDRESS", "unix:path=/tmp/fake-system"),
@@ -324,7 +328,11 @@ fn no_env_filter_whitelist_keeps_arbitrary_host_var() {
#[test]
fn no_env_filter_blacklist_keeps_secrets() {
let stdout = printenv_inside(&["--no-env-filter"], &[("GH_TOKEN", "kept")], &["GH_TOKEN"]);
let stdout = printenv_inside(
&["--blacklist", "--no-env-filter"],
&[("GH_TOKEN", "kept")],
&["GH_TOKEN"],
);
assert!(
stdout.contains("kept"),
"expected --no-env-filter to pass secrets through, got: {stdout}"
@@ -347,7 +355,7 @@ fn no_env_filter_still_honors_user_env() {
#[test]
fn blacklist_env_overrides_builtin_deny() {
let stdout = printenv_inside(
&["--env", "GH_TOKEN=overridden"],
&["--blacklist", "--env", "GH_TOKEN=overridden"],
&[("GH_TOKEN", "original")],
&["GH_TOKEN"],
);
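Review bot: None of the tests visible in this section exercises the new default mode: every `&[]` argument list in this hunk and the ones before it became `&["--blacklist"]`, so the flip to whitelist-by-default is not pinned by any test shown here (one may exist in the part of the file outside the diff). A short default-mode test such as `let stdout = printenv_inside(&[], &[("GH_TOKEN", "leak")], &["GH_TOKEN"]);` followed by `assert!(stdout.contains("MISSING:GH_TOKEN"), "default mode leaked GH_TOKEN: {stdout}");` would catch a regression back to blacklist as the default, which is the property the commit changes. The helper `printenv_inside` that these tests route through starts outside the first hunk, so whether its `MISSING:` output is the only signal for a dropped variable is inferred from the visible `format!` line.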