pub trait Enforce: Send + Sync {
// Required methods
fn maybe_spawn_runner(
&self,
cmd: &str,
secret_mappings: &[SecretMapping],
string_mappings: &[StringMapping],
allow_private_connect: bool,
upstream_ca: &Option<PathBuf>,
connection_policies: &[ConnectionPolicy],
) -> Result<Option<ExitStatus>, Box<dyn Error + Send + Sync>>;
fn run_child(
&self,
cmd: &str,
proxy_url: &str,
env_vars_with_masked: &[(String, String)],
ssl_cert_file: &Path,
force: bool,
) -> Result<ExitStatus, Box<dyn Error + Send + Sync>>;
}Expand description
Platform-specific enforcement: run the child in a sandbox so all traffic is forced through the proxy.
Required Methods§
Sourcefn maybe_spawn_runner(
&self,
cmd: &str,
secret_mappings: &[SecretMapping],
string_mappings: &[StringMapping],
allow_private_connect: bool,
upstream_ca: &Option<PathBuf>,
connection_policies: &[ConnectionPolicy],
) -> Result<Option<ExitStatus>, Box<dyn Error + Send + Sync>>
fn maybe_spawn_runner( &self, cmd: &str, secret_mappings: &[SecretMapping], string_mappings: &[StringMapping], allow_private_connect: bool, upstream_ca: &Option<PathBuf>, connection_policies: &[ConnectionPolicy], ) -> Result<Option<ExitStatus>, Box<dyn Error + Send + Sync>>
If this platform enforces by spawning a runner process (e.g. Linux network namespace),
spawn it and return Ok(Some(status)). Otherwise return Ok(None) and the caller
will run proxy+child in-process.
Sourcefn run_child(
&self,
cmd: &str,
proxy_url: &str,
env_vars_with_masked: &[(String, String)],
ssl_cert_file: &Path,
force: bool,
) -> Result<ExitStatus, Box<dyn Error + Send + Sync>>
fn run_child( &self, cmd: &str, proxy_url: &str, env_vars_with_masked: &[(String, String)], ssl_cert_file: &Path, force: bool, ) -> Result<ExitStatus, Box<dyn Error + Send + Sync>>
Run the child process with proxy env vars. When force is true, wrap with platform
sandbox (e.g. sandbox-exec on macOS). Otherwise run normally (e.g. duct).