tartarus-api 0.1.0

Structured API for sandboxing system (currently utilizing `bubblewrap`)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181

#[cfg(feature = "opencode")]
use crate::config::overrides::opencode::OpenCodeSettings;
#[cfg(feature = "zed")]
use crate::config::overrides::zed::ZedSettings;
use crate::{
    SandboxType,
    config::{
        Override, OverrideFile, OverrideHomeDir, SandboxConfig,
        overrides::ExternalTool as ExternalToolOverride,
    },
    error::{Result, with_io_context},
};
use serde::{Deserialize, Serialize};
use std::{collections::HashMap, ffi::OsStr, fmt::Debug, path::PathBuf};

/// Description of sandbox executions suitable for storage in a config file.
#[derive(Debug, Deserialize, Serialize)]
pub struct ConfigFile {
    pub default_sandbox: Option<Sandbox>,
    pub sandboxes: HashMap<String, Sandbox>,
}

/// Description of a sandbox execution.
#[derive(Debug, Deserialize, Serialize)]
pub struct Sandbox {
    /// The type of sandbox to use.
    #[serde(rename = "type")]
    pub sandbox_type: SandboxType,

    /// The directory to launch the sandbox from.
    pub working_dir: Option<PathBuf>,

    /// Whether to allow network access in the sandbox.
    pub allow_network_access: Option<bool>,

    /// Directories to make writable in the sandbox.
    pub writable_dirs: Option<Vec<PathBuf>>,

    /// Directories to override in a fake home directory in the sandbox.
    pub override_home_dirs: Option<Vec<OverrideHomeDirDescription>>,

    /// Directories to passthrough to a fake home directory in the sandbox without overriding.
    pub passthrough_home_dirs: Option<Vec<PathBuf>>,

    /// The default command to run in the sandbox if none is specified.
    pub default_command: Option<DefaultCommand>,
}

impl Sandbox {
    /// Executes a process in the sandbox.
    ///
    /// # Arguments
    ///
    /// * `process` - The process to execute.
    /// * `args` - The arguments to pass to the process.
    ///
    /// # Errors
    ///
    /// Returns an error if the command cannot be constructed or executed.
    pub fn exec<'a, S>(
        self,
        process: &OsStr,
        args: impl Iterator<Item = &'a S>,
        dry_run: bool,
    ) -> Result<()>
    where
        S: AsRef<OsStr> + 'a,
    {
        let mut config = SandboxConfig {
            allow_network_access: self.allow_network_access.unwrap_or_default(),
            writable_dirs: self.writable_dirs,
            override_home_dirs: self.override_home_dirs.map(|overrides| {
                overrides
                    .into_iter()
                    .map(OverrideHomeDirDescription::into_override_home_dir)
                    .collect()
            }),
            passthrough_home_dirs: self.passthrough_home_dirs,
        };

        if let Some(working_dir) = self.working_dir {
            std::env::set_current_dir(&working_dir).map_err(|e| {
                with_io_context(process.display(), "setting working directory in sandbox", e)
            })?;
        }

        let current_dir = std::env::current_dir().map_err(|e| {
            with_io_context(
                process.display(),
                "getting current directory for process in sandbox",
                e,
            )
        })?;

        config
            .writable_dirs
            .get_or_insert_default()
            .push(current_dir);

        let sandbox = config.build_sandbox(self.sandbox_type);
        let args = args.map(S::as_ref);

        if dry_run {
            sandbox.dry_run(process, args)?;
        } else {
            sandbox.exec(process, args)?;
        }

        Ok(())
    }
}

/// Description of an overridden home directory for use in sandbox executions.
#[derive(Debug, Deserialize, Serialize)]
pub struct OverrideHomeDirDescription {
    pub subpath: PathBuf,
    pub overrides: Option<Vec<OverrideDescription>>,
}

impl OverrideHomeDirDescription {
    pub fn into_override_home_dir(self) -> OverrideHomeDir {
        OverrideHomeDir {
            subpath: self.subpath,
            overrides: self.overrides.map(|overrides| {
                overrides
                    .into_iter()
                    .map(OverrideDescription::into_override_file)
                    .collect()
            }),
        }
    }
}

#[derive(Debug, Deserialize, Serialize)]
pub struct OverrideDescription {
    pub file: PathBuf,
    #[serde(rename = "type")]
    pub override_type: OverrideType,
}

impl OverrideDescription {
    pub fn into_override_file(self) -> OverrideFile<Box<dyn Override>> {
        OverrideFile {
            path: self.file,
            behavior: self.override_type.into_override(),
        }
    }
}

/// Description of an override for use in sandbox executions.
#[derive(Debug, Deserialize, Serialize)]
#[non_exhaustive]
pub enum OverrideType {
    #[cfg(feature = "zed")]
    Zed(ZedSettings),
    #[cfg(feature = "opencode")]
    OpenCode(OpenCodeSettings),
    ExternalTool(ExternalToolOverride),
}

impl OverrideType {
    fn into_override(self) -> Box<dyn Override> {
        match self {
            #[cfg(feature = "zed")]
            Self::Zed(settings) => Box::new(settings),
            #[cfg(feature = "opencode")]
            Self::OpenCode(settings) => Box::new(settings),
            Self::ExternalTool(tool) => Box::new(tool),
        }
    }
}

/// Description of a default command to execute in a sandbox.
#[derive(Debug, Deserialize, Serialize)]
pub struct DefaultCommand {
    /// The command to run.
    pub name: String,

    /// The arguments to pass to the command.
    pub args: Option<Vec<String>>,
}