reposix-core 0.12.0

Shared types for reposix: BackendConnector trait, Record/Project/RemoteSpec, Tainted<T>.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374

//! Integration tests for `reposix_core::http`.
//!
//! Covers:
//!
//! - ROADMAP phase-1 SC #1 (named tests): `egress_to_non_allowlisted_host_is_rejected`.
//! - ROADMAP phase-1 SC #4 (env-override): `allowlist_default_and_env`.
//! - Plan-checker FIX 2: `redirect_target_is_rechecked_against_allowlist`.
//! - Origin classes (loopback default-allow, non-loopback default-deny, env override).
//! - Redirect refusal + timeout contract.

use std::sync::Mutex;
use std::time::{Duration, Instant};

use reposix_core::http::ClientOpts;
use reposix_core::http::{client, ALLOWLIST_ENV_VAR};
use reposix_core::Error;
use wiremock::matchers::any;
use wiremock::{Mock, MockServer, ResponseTemplate};

// Serialize env-var-touching tests — REPOSIX_ALLOWED_ORIGINS is a process-global.
static ENV_LOCK: Mutex<()> = Mutex::new(());

/// Scope guard: sets the env var for the life of the guard, restores on drop.
struct EnvGuard {
    _guard: std::sync::MutexGuard<'static, ()>,
    prev: Option<String>,
}

impl EnvGuard {
    fn set(value: &str) -> Self {
        let guard = ENV_LOCK
            .lock()
            .unwrap_or_else(std::sync::PoisonError::into_inner);
        let prev = std::env::var(ALLOWLIST_ENV_VAR).ok();
        // SAFETY: we are holding the mutex, so no other test mutates the env concurrently.
        std::env::set_var(ALLOWLIST_ENV_VAR, value);
        Self {
            _guard: guard,
            prev,
        }
    }

    fn unset() -> Self {
        let guard = ENV_LOCK
            .lock()
            .unwrap_or_else(std::sync::PoisonError::into_inner);
        let prev = std::env::var(ALLOWLIST_ENV_VAR).ok();
        std::env::remove_var(ALLOWLIST_ENV_VAR);
        Self {
            _guard: guard,
            prev,
        }
    }
}

impl Drop for EnvGuard {
    fn drop(&mut self) {
        match self.prev.take() {
            Some(v) => std::env::set_var(ALLOWLIST_ENV_VAR, v),
            None => std::env::remove_var(ALLOWLIST_ENV_VAR),
        }
    }
}

#[tokio::test]
async fn egress_to_non_allowlisted_host_is_rejected() {
    let _g = EnvGuard::unset();
    let c = client(ClientOpts::default()).expect("client builds");
    let t0 = Instant::now();
    let err = c
        .request(reqwest::Method::GET, "https://evil.example/")
        .await
        .expect_err("non-allowlisted host must be rejected");
    let elapsed = t0.elapsed();
    assert!(matches!(err, Error::InvalidOrigin(_)), "got: {err:?}");
    // No DNS, no TCP — must short-circuit before I/O.
    assert!(
        elapsed < Duration::from_millis(500),
        "recheck must short-circuit; took {elapsed:?}"
    );
}

#[tokio::test]
async fn allowlist_default_and_env() {
    // Under default (env unset), loopback is allowed in-principle (we don't
    // actually connect — we assert the allowlist check passes).
    {
        let _g = EnvGuard::unset();
        let c = client(ClientOpts::default()).expect("client builds");
        // 127.0.0.1:0 — allowlisted, but no listener. Error should be a transport
        // error (Error::Http), NOT InvalidOrigin.
        let err = c
            .request(reqwest::Method::GET, "http://127.0.0.1:0/")
            .await
            .expect_err("no listener so connection must fail");
        assert!(
            !matches!(err, Error::InvalidOrigin(_)),
            "loopback must NOT be origin-rejected under default allowlist; got {err:?}"
        );
    }
    // Under env override, loopback is rejected and other.example would be allowed.
    {
        let _g = EnvGuard::set("http://other.example:8080");
        let c = client(ClientOpts::default()).expect("client builds");
        let err = c
            .request(reqwest::Method::GET, "http://127.0.0.1:7878/")
            .await
            .expect_err("loopback must be rejected under narrow env allowlist");
        assert!(
            matches!(err, Error::InvalidOrigin(_)),
            "expected InvalidOrigin, got {err:?}"
        );
    }
}

#[tokio::test]
async fn loopback_is_allowed_by_default() {
    let _g = EnvGuard::unset();
    let server = MockServer::start().await;
    Mock::given(any())
        .respond_with(ResponseTemplate::new(200))
        .mount(&server)
        .await;

    let c = client(ClientOpts::default()).expect("client builds");
    let resp = c
        .request(reqwest::Method::GET, &server.uri())
        .await
        .expect("loopback under default allowlist must succeed");
    assert_eq!(resp.status().as_u16(), 200);
}

#[tokio::test]
async fn non_loopback_is_denied_by_default() {
    let _g = EnvGuard::unset();
    let c = client(ClientOpts::default()).expect("client builds");
    // 93.184.216.34 is example.com's long-standing IP; using the literal
    // avoids DNS resolution entirely.
    let err = c
        .request(reqwest::Method::GET, "http://93.184.216.34/")
        .await
        .expect_err("non-loopback IP must be rejected by default");
    assert!(matches!(err, Error::InvalidOrigin(_)), "got {err:?}");
}

#[tokio::test]
async fn env_override_redefines_allowlist() {
    let _g = EnvGuard::set("http://other.example:8080");
    let c = client(ClientOpts::default()).expect("client builds");
    let err = c
        .request(reqwest::Method::GET, "http://127.0.0.1:7878/")
        .await
        .expect_err("loopback must be rejected when env narrows the allowlist");
    assert!(matches!(err, Error::InvalidOrigin(_)), "got {err:?}");
}

#[tokio::test]
async fn http_redirects_are_not_followed() {
    let _g = EnvGuard::unset();
    let server = MockServer::start().await;
    Mock::given(any())
        .respond_with(
            ResponseTemplate::new(302).insert_header("Location", "https://attacker.example/"),
        )
        .mount(&server)
        .await;

    let c = client(ClientOpts::default()).expect("client builds");
    let resp = c
        .request(reqwest::Method::GET, &server.uri())
        .await
        .expect("302 must surface as-is, not cause a connect error");
    assert_eq!(resp.status().as_u16(), 302);
    let loc = resp
        .headers()
        .get("Location")
        .expect("Location header present")
        .to_str()
        .expect("ASCII");
    assert_eq!(loc, "https://attacker.example/");
}

#[tokio::test]
async fn redirect_target_is_rechecked_against_allowlist() {
    let _g = EnvGuard::unset();
    let server = MockServer::start().await;
    Mock::given(any())
        .respond_with(
            ResponseTemplate::new(302).insert_header("Location", "https://attacker.example/"),
        )
        .mount(&server)
        .await;

    let c = client(ClientOpts::default()).expect("client builds");

    // Step 1: hit the allowlisted loopback fixture; observe the 302.
    let resp = c
        .request(reqwest::Method::GET, &server.uri())
        .await
        .expect("loopback request succeeds");
    assert_eq!(resp.status().as_u16(), 302);
    let location = resp
        .headers()
        .get("Location")
        .expect("Location header present")
        .to_str()
        .expect("Location is ASCII")
        .to_owned();
    assert_eq!(location, "https://attacker.example/");

    // Step 2: re-feed the redirect target through HttpClient::request().
    // The per-request recheck MUST reject it BEFORE any I/O to
    // attacker.example.
    let t0 = Instant::now();
    let err = c
        .request(reqwest::Method::GET, location.as_str())
        .await
        .expect_err("redirect target must be rejected by allowlist recheck");
    let elapsed = t0.elapsed();
    assert!(
        matches!(err, Error::InvalidOrigin(_)),
        "expected InvalidOrigin, got: {err:?}"
    );
    assert!(
        elapsed < Duration::from_millis(500),
        "recheck must short-circuit before I/O; took {elapsed:?}"
    );
}

#[tokio::test]
async fn request_with_headers_rechecks_allowlist() {
    // Same fast-reject invariant as `egress_to_non_allowlisted_host_is_rejected`,
    // but exercised through the header-carrying variant. Must short-circuit
    // BEFORE any header is attached and BEFORE any I/O.
    let _g = EnvGuard::unset();
    let c = client(ClientOpts::default()).expect("client builds");
    let t0 = Instant::now();
    let err = c
        .request_with_headers(
            reqwest::Method::GET,
            "https://evil.example/",
            &[("X-Reposix-Agent", "reposix-fuse-1")],
        )
        .await
        .expect_err("non-allowlisted host must be rejected");
    let elapsed = t0.elapsed();
    assert!(matches!(err, Error::InvalidOrigin(_)), "got: {err:?}");
    assert!(
        elapsed < Duration::from_millis(500),
        "recheck must short-circuit; took {elapsed:?}"
    );
}

#[tokio::test]
async fn request_with_headers_attaches_header() {
    // When the origin IS allowlisted, the provided header pair must land on
    // the outgoing request. wiremock's header() matcher enforces this: absent
    // the expected header, the mock returns its default 404.
    let _g = EnvGuard::unset();
    let server = MockServer::start().await;
    Mock::given(any())
        .and(wiremock::matchers::header(
            "X-Reposix-Agent",
            "reposix-fuse-123",
        ))
        .respond_with(ResponseTemplate::new(200))
        .mount(&server)
        .await;

    let c = client(ClientOpts::default()).expect("client builds");
    let resp = c
        .request_with_headers(
            reqwest::Method::GET,
            server.uri(),
            &[("X-Reposix-Agent", "reposix-fuse-123")],
        )
        .await
        .expect("allowlisted request with matching header succeeds");
    assert_eq!(resp.status().as_u16(), 200);
}

#[tokio::test]
async fn egress_post_to_non_allowlisted_host_is_rejected() {
    // Mirror of `egress_to_non_allowlisted_host_is_rejected`, but exercised
    // through the `post()` convenience wrapper. Locks the contract that
    // every wrapper goes through the same allowlist gate as `request()`.
    let _g = EnvGuard::unset();
    let c = client(ClientOpts::default()).expect("client builds");
    let t0 = Instant::now();
    let err = c
        .post("http://evil.example/")
        .await
        .expect_err("non-allowlisted host must be rejected");
    let elapsed = t0.elapsed();
    assert!(matches!(err, Error::InvalidOrigin(_)), "got: {err:?}");
    assert!(
        format!("{err}").contains("evil.example"),
        "error message must name the offending host; got: {err}"
    );
    assert!(
        elapsed < Duration::from_millis(500),
        "post() must short-circuit before I/O; took {elapsed:?}"
    );
}

#[tokio::test]
async fn egress_patch_to_non_allowlisted_host_is_rejected() {
    // Mirror of `egress_to_non_allowlisted_host_is_rejected`, but exercised
    // through the `patch()` convenience wrapper.
    let _g = EnvGuard::unset();
    let c = client(ClientOpts::default()).expect("client builds");
    let t0 = Instant::now();
    let err = c
        .patch("http://evil.example/")
        .await
        .expect_err("non-allowlisted host must be rejected");
    let elapsed = t0.elapsed();
    assert!(matches!(err, Error::InvalidOrigin(_)), "got: {err:?}");
    assert!(
        format!("{err}").contains("evil.example"),
        "error message must name the offending host; got: {err}"
    );
    assert!(
        elapsed < Duration::from_millis(500),
        "patch() must short-circuit before I/O; took {elapsed:?}"
    );
}

#[tokio::test]
async fn egress_delete_to_non_allowlisted_host_is_rejected() {
    // Mirror of `egress_to_non_allowlisted_host_is_rejected`, but exercised
    // through the `delete()` convenience wrapper.
    let _g = EnvGuard::unset();
    let c = client(ClientOpts::default()).expect("client builds");
    let t0 = Instant::now();
    let err = c
        .delete("http://evil.example/")
        .await
        .expect_err("non-allowlisted host must be rejected");
    let elapsed = t0.elapsed();
    assert!(matches!(err, Error::InvalidOrigin(_)), "got: {err:?}");
    assert!(
        format!("{err}").contains("evil.example"),
        "error message must name the offending host; got: {err}"
    );
    assert!(
        elapsed < Duration::from_millis(500),
        "delete() must short-circuit before I/O; took {elapsed:?}"
    );
}

#[tokio::test]
#[ignore = "sleeps ~5s to exercise the timeout; run with --ignored in CI"]
async fn request_times_out_after_5_seconds() {
    let _g = EnvGuard::unset();
    let server = MockServer::start().await;
    Mock::given(any())
        .respond_with(ResponseTemplate::new(200).set_delay(Duration::from_secs(10)))
        .mount(&server)
        .await;

    let c = client(ClientOpts::default()).expect("client builds");
    let t0 = Instant::now();
    let err = c
        .request(reqwest::Method::GET, &server.uri())
        .await
        .expect_err("request must time out");
    let elapsed = t0.elapsed();
    assert!(elapsed < Duration::from_secs(6), "took {elapsed:?}");
    match err {
        Error::Http(e) => assert!(e.is_timeout(), "expected timeout, got {e:?}"),
        other => panic!("expected Error::Http(timeout), got {other:?}"),
    }
}