mrtoth/agent-sandbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cab0eb74d7267ff4c965d2ae53c4b611e6f5c656
agent-sandbox/src/config.rs

829 lines
24 KiB
Rust
Raw Blame History

use std::collections::HashMap;
use std::ffi::OsString;
use std::path::{Path, PathBuf};
use serde::Deserialize;
use crate::cli::Args;
use crate::{SandboxConfig, SandboxError, SandboxMode};
pub fn build(args: Args, file_config: Option<FileConfig>) -> Result<SandboxConfig, SandboxError> {
let (mut globals, mut profile) = match file_config {
Some(c) => {
let profile = c.resolve_profile(args.profile.as_deref())?;
(c.options, profile)
}
None => (Options::default(), Options::default()),
};
validate_mode(&globals)?;
validate_mode(&profile)?;
globals.validate_paths()?;
profile.validate_paths()?;
let (command, command_args) = resolve_command(args.command_and_args, &profile, &globals)?;
let command = resolve_binary(&command)
.ok_or_else(|| SandboxError::CommandNotFound(PathBuf::from(&command)))?;
Ok(SandboxConfig {
mode: merge_mode(args.blacklist, args.whitelist, &profile, &globals),
hardened: merge_flag(args.hardened, profile.hardened, globals.hardened),
no_net: merge_flag(args.no_net, profile.no_net, globals.no_net),
dry_run: merge_flag(args.dry_run, profile.dry_run, globals.dry_run),
chdir: resolve_chdir(args.chdir, profile.chdir, globals.chdir)?,
extra_rw: merge_paths(args.extra_rw, &profile.rw, &globals.rw)?,
extra_ro: merge_paths(args.extra_ro, &profile.ro, &globals.ro)?,
mask: merge_vecs(args.mask, &profile.mask, &globals.mask),
bwrap_args: split_bwrap_args(merge_vecs(
args.bwrap_args,
&profile.bwrap_args,
&globals.bwrap_args,
))?,
command,
command_args,
})
}
fn merge_mode(
cli_blacklist: bool,
cli_whitelist: bool,
profile: &Options,
globals: &Options,
) -> SandboxMode {
if cli_whitelist {
return SandboxMode::Whitelist;
}
if cli_blacklist {
return SandboxMode::Blacklist;
}
resolve_mode(profile)
.or_else(|| resolve_mode(globals))
.unwrap_or(SandboxMode::Blacklist)
}
fn resolve_mode(opts: &Options) -> Option<SandboxMode> {
match (opts.blacklist, opts.whitelist) {
(_, Some(true)) => Some(SandboxMode::Whitelist),
(Some(true), _) => Some(SandboxMode::Blacklist),
_ => None,
}
}
fn merge_flag(cli: bool, profile: Option<bool>, globals: Option<bool>) -> bool {
if cli {
return true;
}
profile.or(globals).unwrap_or(false)
}
fn resolve_chdir(
cli: Option<PathBuf>,
profile: Option<PathBuf>,
globals: Option<PathBuf>,
) -> Result<PathBuf, SandboxError> {
match cli.or(profile).or(globals) {
Some(p) => std::fs::canonicalize(&p).map_err(|_| SandboxError::ChdirMissing(p)),
None => std::env::current_dir().map_err(SandboxError::CurrentDirUnavailable),
}
}
fn merge_paths(
cli: Vec<PathBuf>,
profile: &[PathBuf],
globals: &[PathBuf],
) -> Result<Vec<PathBuf>, SandboxError> {
let config_paths = globals.iter().chain(profile).cloned();
let cli_paths = cli
.into_iter()
.map(|p| std::fs::canonicalize(&p).map_err(|_| SandboxError::PathMissing(p)))
.collect::<Result<Vec<_>, _>>()?;
Ok(config_paths.chain(cli_paths).collect())
}
fn split_bwrap_args(raw: Vec<String>) -> Result<Vec<String>, SandboxError> {
let mut out = Vec::new();
for value in &raw {
let words =
shlex::split(value).ok_or_else(|| SandboxError::InvalidBwrapArg(value.clone()))?;
out.extend(words);
}
Ok(out)
}
fn merge_vecs<T: Clone>(cli: Vec<T>, profile: &[T], globals: &[T]) -> Vec<T> {
globals.iter().chain(profile).cloned().chain(cli).collect()
}
fn resolve_command(
mut passthrough_args: Vec<OsString>,
profile: &Options,
globals: &Options,
) -> Result<(OsString, Vec<OsString>), SandboxError> {
let entrypoint = profile.entrypoint.clone().or(globals.entrypoint.clone());
let command = profile.command.clone().or(globals.command.clone());
if let Some(ep) = entrypoint {
let (cmd, mut args) = ep.into_binary_and_args();
if !passthrough_args.is_empty() {
args.extend(passthrough_args);
} else if let Some(default_cmd) = command {
args.extend(default_cmd.into_vec().into_iter().map(OsString::from));
}
return Ok((cmd, args));
}
if !passthrough_args.is_empty() {
return Ok((passthrough_args.remove(0), passthrough_args));
}
if let Some(config_cmd) = command {
return Ok(config_cmd.into_binary_and_args());
}
Err(SandboxError::NoCommand)
}
fn resolve_binary(name: &OsString) -> Option<PathBuf> {
let path = PathBuf::from(name);
if path.is_absolute() || path.components().count() > 1 {
return path.is_file().then_some(path);
}
std::env::var_os("PATH").and_then(|path_var| {
std::env::split_paths(&path_var)
.map(|dir| dir.join(name))
.find(|p| p.is_file())
})
}
#[derive(Deserialize, Default)]
pub struct FileConfig {
#[serde(flatten)]
pub options: Options,
#[serde(default)]
pub profile: HashMap<String, Options>,
// Collects unrecognized keys; deny_unknown_fields is incompatible with flatten.
#[serde(flatten)]
_unknown: HashMap<String, toml::Value>,
}
impl FileConfig {
pub fn load(path: &Path) -> Result<Self, SandboxError> {
let contents = std::fs::read_to_string(path).map_err(|e| SandboxError::ConfigRead {
path: path.to_path_buf(),
source: e,
})?;
Self::parse(&contents).map_err(|e| match e {
SandboxError::ConfigParse { source, .. } => SandboxError::ConfigParse {
path: path.to_path_buf(),
source,
},
other => other,
})
}
fn parse(contents: &str) -> Result<Self, SandboxError> {
let config: Self = toml::from_str(contents).map_err(|e| SandboxError::ConfigParse {
path: PathBuf::new(),
source: e,
})?;
if let Some(key) = config._unknown.keys().next() {
return Err(SandboxError::UnknownConfigKey(key.clone()));
}
Ok(config)
}
fn resolve_profile(&self, name: Option<&str>) -> Result<Options, SandboxError> {
match name {
Some(n) => self
.profile
.get(n)
.cloned()
.ok_or_else(|| SandboxError::ProfileNotFound(n.to_string())),
None => Ok(Options::default()),
}
}
}
#[derive(Deserialize, Default, Clone)]
#[serde(rename_all = "kebab-case", deny_unknown_fields)]
pub struct Options {
pub blacklist: Option<bool>,
pub whitelist: Option<bool>,
pub hardened: Option<bool>,
pub no_net: Option<bool>,
pub entrypoint: Option<CommandValue>,
pub command: Option<CommandValue>,
pub dry_run: Option<bool>,
pub chdir: Option<PathBuf>,
#[serde(default)]
pub rw: Vec<PathBuf>,
#[serde(default)]
pub ro: Vec<PathBuf>,
#[serde(default)]
pub mask: Vec<PathBuf>,
#[serde(default)]
pub bwrap_args: Vec<String>,
}
impl Options {
fn validate_paths(&mut self) -> Result<(), SandboxError> {
for p in &mut self.rw {
*p = expand_and_canonicalize(p)?;
}
for p in &mut self.ro {
*p = expand_and_canonicalize(p)?;
}
if let Some(ref chdir) = self.chdir {
self.chdir = Some(expand_and_canonicalize(chdir)?);
}
for p in &mut self.mask {
*p = expand_and_require_absolute(p)?;
}
Ok(())
}
}
fn expand_and_require_absolute(path: &Path) -> Result<PathBuf, SandboxError> {
let expanded = expand_tilde(path)?;
require_absolute(&expanded)?;
Ok(expanded)
}
#[derive(Deserialize, Clone)]
#[serde(untagged)]
pub enum CommandValue {
Simple(String),
WithArgs(Vec<String>),
}
impl CommandValue {
pub fn into_vec(self) -> Vec<String> {
match self {
Self::Simple(s) => vec![s],
Self::WithArgs(v) => v,
}
}
fn into_binary_and_args(self) -> (OsString, Vec<OsString>) {
let mut parts = self.into_vec();
let binary = OsString::from(parts.remove(0));
let args = parts.into_iter().map(OsString::from).collect();
(binary, args)
}
}
pub fn find_config_path(explicit: Option<&Path>) -> Option<PathBuf> {
if let Some(p) = explicit {
return Some(p.to_path_buf());
}
let config_dir = std::env::var("XDG_CONFIG_HOME")
.ok()
.filter(|s| !s.is_empty())
.map(PathBuf::from)
.or_else(|| {
std::env::var("HOME")
.ok()
.filter(|s| !s.is_empty())
.map(|h| PathBuf::from(h).join(".config"))
})?;
let path = config_dir.join("agent-sandbox/config.toml");
path.exists().then_some(path)
}
fn validate_mode(opts: &Options) -> Result<(), SandboxError> {
if opts.blacklist == Some(true) && opts.whitelist == Some(true) {
return Err(SandboxError::ConflictingMode);
}
Ok(())
}
fn expand_tilde(path: &Path) -> Result<PathBuf, SandboxError> {
let s = path.to_string_lossy();
if !s.starts_with('~') {
return Ok(path.to_path_buf());
}
if s.len() > 1 && !s.starts_with("~/") {
return Err(SandboxError::ConfigPathNotAbsolute(path.to_path_buf()));
}
let home = std::env::var("HOME")
.ok()
.filter(|h| !h.is_empty())
.ok_or(SandboxError::HomeNotSet)?;
Ok(PathBuf::from(home).join(s.strip_prefix("~/").unwrap_or("")))
}
fn require_absolute(path: &Path) -> Result<(), SandboxError> {
if !path.is_absolute() {
return Err(SandboxError::ConfigPathNotAbsolute(path.to_path_buf()));
}
Ok(())
}
fn expand_and_canonicalize(path: &Path) -> Result<PathBuf, SandboxError> {
let expanded = expand_tilde(path)?;
require_absolute(&expanded)?;
std::fs::canonicalize(&expanded).map_err(|e| SandboxError::ConfigRead {
path: expanded,
source: e,
})
}
#[cfg(test)]
mod tests {
use std::sync::LazyLock;
use super::*;
const FULL_CONFIG_TOML: &str = r#"
hardened = true
no-net = true
rw = ["/tmp/a", "/tmp/b"]
command = "zsh"
[profile.claude]
rw = ["/home/user/.config/claude"]
ro = ["/etc/claude", "/etc/shared"]
entrypoint = ["claude", "--dangerously-skip-permissions"]
command = ["bash", "-c", "echo hi"]
[profile.codex]
whitelist = true
dry-run = true
chdir = "/home/user/project"
rw = ["/home/user/.codex"]
"#;
static CONFIG: LazyLock<FileConfig> =
LazyLock::new(|| toml::from_str(FULL_CONFIG_TOML).unwrap());
#[test]
fn globals_scalars() {
assert_eq!(CONFIG.options.hardened, Some(true));
assert_eq!(CONFIG.options.no_net, Some(true));
}
#[test]
fn globals_multi_element_vecs() {
assert_paths(&CONFIG.options.rw, &["/tmp/a", "/tmp/b"]);
}
#[test]
fn globals_simple_command() {
assert_command(&CONFIG.options.command, &["zsh"]);
}
#[test]
fn unset_vecs_default_empty() {
assert!(CONFIG.options.ro.is_empty());
}
#[test]
fn unset_scalars_are_none() {
assert_eq!(CONFIG.profile["claude"].hardened, None);
}
#[test]
fn profile_multi_element_vecs() {
assert_paths(
&CONFIG.profile["claude"].ro,
&["/etc/claude", "/etc/shared"],
);
}
#[test]
fn profile_entrypoint_with_args() {
assert_command(
&CONFIG.profile["claude"].entrypoint,
&["claude", "--dangerously-skip-permissions"],
);
}
#[test]
fn profile_command_with_args() {
assert_command(
&CONFIG.profile["claude"].command,
&["bash", "-c", "echo hi"],
);
}
#[test]
fn profile_kebab_case_scalars() {
let codex = &CONFIG.profile["codex"];
assert_eq!(codex.whitelist, Some(true));
assert_eq!(codex.dry_run, Some(true));
assert_eq!(codex.chdir, Some(PathBuf::from("/home/user/project")));
}
fn args_with_command() -> Args {
Args {
command_and_args: vec!["/usr/bin/true".into()],
..Args::default()
}
}
#[test]
fn build_hardened_from_globals() {
let file_config = FileConfig {
options: Options {
hardened: Some(true),
..Options::default()
},
..FileConfig::default()
};
let config = build(args_with_command(), Some(file_config)).unwrap();
assert!(config.hardened);
}
#[test]
fn build_profile_overrides_globals() {
let file_config = FileConfig {
options: Options {
hardened: Some(true),
..Options::default()
},
profile: HashMap::from([(
"relaxed".into(),
Options {
hardened: Some(false),
..Options::default()
},
)]),
..FileConfig::default()
};
let args = Args {
profile: Some("relaxed".into()),
..args_with_command()
};
let config = build(args, Some(file_config)).unwrap();
assert!(!config.hardened);
}
#[test]
fn build_cli_flag_overrides_profile() {
let file_config = FileConfig {
profile: HashMap::from([(
"nonet".into(),
Options {
no_net: Some(false),
..Options::default()
},
)]),
..FileConfig::default()
};
let args = Args {
profile: Some("nonet".into()),
no_net: true,
..args_with_command()
};
let config = build(args, Some(file_config)).unwrap();
assert!(config.no_net);
}
#[test]
fn build_cli_mode_overrides_profile() {
let file_config = FileConfig {
profile: HashMap::from([(
"wl".into(),
Options {
whitelist: Some(true),
..Options::default()
},
)]),
..FileConfig::default()
};
let args = Args {
profile: Some("wl".into()),
blacklist: true,
..args_with_command()
};
let config = build(args, Some(file_config)).unwrap();
assert!(matches!(config.mode, SandboxMode::Blacklist));
}
#[test]
fn build_rw_paths_accumulate() {
let file_config = FileConfig {
options: Options {
rw: vec![PathBuf::from("/tmp")],
..Options::default()
},
profile: HashMap::from([(
"extra".into(),
Options {
rw: vec![PathBuf::from("/usr")],
..Options::default()
},
)]),
..FileConfig::default()
};
let args = Args {
profile: Some("extra".into()),
extra_rw: vec![PathBuf::from("/var")],
..args_with_command()
};
let config = build(args, Some(file_config)).unwrap();
assert_eq!(config.extra_rw.len(), 3);
}
#[test]
fn build_command_from_profile() {
let file_config = FileConfig {
profile: HashMap::from([(
"test".into(),
Options {
command: Some(CommandValue::WithArgs(vec![
"/usr/bin/true".into(),
"--flag".into(),
])),
..Options::default()
},
)]),
..FileConfig::default()
};
let args = Args {
profile: Some("test".into()),
..Args::default()
};
let config = build(args, Some(file_config)).unwrap();
assert_eq!(config.command, PathBuf::from("/usr/bin/true"));
assert_eq!(config.command_args, vec![OsString::from("--flag")]);
}
#[test]
fn build_cli_command_overrides_config() {
let file_config = FileConfig {
options: Options {
command: Some(CommandValue::Simple("/usr/bin/false".into())),
..Options::default()
},
..FileConfig::default()
};
let args = Args {
command_and_args: vec!["/usr/bin/true".into()],
..Args::default()
};
let config = build(args, Some(file_config)).unwrap();
assert_eq!(config.command, PathBuf::from("/usr/bin/true"));
}
#[test]
fn build_no_file_config() {
let config = build(args_with_command(), None).unwrap();
assert!(matches!(config.mode, SandboxMode::Blacklist));
assert!(!config.hardened);
}
#[test]
fn build_missing_profile_errors() {
let args = Args {
profile: Some("nope".into()),
..args_with_command()
};
assert!(matches!(
build(args, Some(FileConfig::default())),
Err(SandboxError::ProfileNotFound(_))
));
}
#[test]
fn build_conflicting_mode_errors() {
let file_config = FileConfig {
options: Options {
blacklist: Some(true),
whitelist: Some(true),
..Options::default()
},
..FileConfig::default()
};
assert!(matches!(
build(args_with_command(), Some(file_config)),
Err(SandboxError::ConflictingMode)
));
}
#[test]
fn build_tilde_expansion_in_config_paths() {
let home = std::env::var("HOME").unwrap();
let file_config = FileConfig {
options: Options {
rw: vec![PathBuf::from("~/")],
..Options::default()
},
..FileConfig::default()
};
let config = build(args_with_command(), Some(file_config)).unwrap();
assert_eq!(config.extra_rw, vec![PathBuf::from(&home)]);
}
#[test]
fn build_relative_config_path_rejected() {
let file_config = FileConfig {
options: Options {
rw: vec![PathBuf::from("relative/path")],
..Options::default()
},
..FileConfig::default()
};
assert!(matches!(
build(args_with_command(), Some(file_config)),
Err(SandboxError::ConfigPathNotAbsolute(_))
));
}
#[test]
fn build_chdir_from_config() {
let file_config = FileConfig {
options: Options {
chdir: Some(PathBuf::from("/tmp")),
..Options::default()
},
..FileConfig::default()
};
let config = build(args_with_command(), Some(file_config)).unwrap();
assert_eq!(config.chdir, std::fs::canonicalize("/tmp").unwrap());
}
#[test]
fn build_mask_accumulates() {
let file_config = FileConfig {
options: Options {
mask: vec![PathBuf::from("/tmp/a")],
..Options::default()
},
profile: HashMap::from([(
"extra".into(),
Options {
mask: vec![PathBuf::from("/tmp/b")],
..Options::default()
},
)]),
..FileConfig::default()
};
let args = Args {
profile: Some("extra".into()),
mask: vec![PathBuf::from("/tmp/c")],
..args_with_command()
};
let config = build(args, Some(file_config)).unwrap();
assert_eq!(config.mask.len(), 3);
}
#[test]
fn unknown_option_rejected() {
let toml = r#"
hardened = true
bogus = "nope"
"#;
assert!(matches!(
FileConfig::parse(toml),
Err(SandboxError::UnknownConfigKey(_))
));
}
#[test]
fn unknown_profile_option_rejected() {
let toml = r#"
[profile.test]
hardened = true
frobnicate = 42
"#;
assert!(matches!(
FileConfig::parse(toml),
Err(SandboxError::ConfigParse { .. })
));
}
#[test]
fn entrypoint_with_passthrough_args() {
let (cmd, args) = resolve_command(
vec!["--verbose".into(), "--model".into(), "opus".into()],
&Options {
entrypoint: Some(CommandValue::WithArgs(vec![
"claude".into(),
"--dangerously-skip-permissions".into(),
])),
command: Some(CommandValue::Simple("--default-flag".into())),
..Options::default()
},
&Options::default(),
)
.unwrap();
assert_eq!(cmd, "claude");
assert_eq!(
args,
vec![
"--dangerously-skip-permissions",
"--verbose",
"--model",
"opus"
]
.into_iter()
.map(OsString::from)
.collect::<Vec<_>>()
);
}
#[test]
fn entrypoint_without_passthrough_uses_command_defaults() {
let (cmd, args) = resolve_command(
vec![],
&Options {
entrypoint: Some(CommandValue::Simple("claude".into())),
command: Some(CommandValue::WithArgs(vec![
"--dangerously-skip-permissions".into(),
"--verbose".into(),
])),
..Options::default()
},
&Options::default(),
)
.unwrap();
assert_eq!(cmd, "claude");
assert_eq!(
args,
vec!["--dangerously-skip-permissions", "--verbose"]
.into_iter()
.map(OsString::from)
.collect::<Vec<_>>()
);
}
#[test]
fn entrypoint_without_passthrough_or_command() {
let (cmd, args) = resolve_command(
vec![],
&Options {
entrypoint: Some(CommandValue::WithArgs(vec![
"claude".into(),
"--dangerously-skip-permissions".into(),
])),
..Options::default()
},
&Options::default(),
)
.unwrap();
assert_eq!(cmd, "claude");
assert_eq!(args, vec![OsString::from("--dangerously-skip-permissions")]);
}
#[test]
fn profile_entrypoint_overrides_global() {
let (cmd, _) = resolve_command(
vec![],
&Options {
entrypoint: Some(CommandValue::Simple("claude".into())),
..Options::default()
},
&Options {
entrypoint: Some(CommandValue::Simple("codex".into())),
..Options::default()
},
)
.unwrap();
assert_eq!(cmd, "claude");
}
#[test]
fn global_entrypoint_with_profile_command() {
let (cmd, args) = resolve_command(
vec![],
&Options {
command: Some(CommandValue::WithArgs(vec![
"--dangerously-skip-permissions".into(),
"--verbose".into(),
])),
..Options::default()
},
&Options {
entrypoint: Some(CommandValue::Simple("claude".into())),
..Options::default()
},
)
.unwrap();
assert_eq!(cmd, "claude");
assert_eq!(
args,
vec!["--dangerously-skip-permissions", "--verbose"]
.into_iter()
.map(OsString::from)
.collect::<Vec<_>>()
);
}
#[test]
fn no_command_errors() {
let result = resolve_command(vec![], &Options::default(), &Options::default());
assert!(matches!(result, Err(SandboxError::NoCommand)));
}
fn assert_paths(actual: &[PathBuf], expected: &[&str]) {
let expected: Vec<PathBuf> = expected.iter().map(PathBuf::from).collect();
assert_eq!(actual, &expected);
}
fn assert_command(cmd: &Option<CommandValue>, expected: &[&str]) {
let actual = cmd.clone().unwrap().into_vec();
let expected: Vec<String> = expected.iter().map(|s| s.to_string()).collect();
assert_eq!(actual, expected);
}
}
Reference in New Issue View Git Blame Copy Permalink