stacklok / toolhive / 28201026170
67%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 760
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 67.34% (-0.007%) from 67.347%
28201026170

push

github

web-flow 
Add tests for --allow-docker-gateway behavior (#5644)

* Add tests for --allow-docker-gateway behavior

The --allow-docker-gateway flag controls whether the egress proxy reaches
Docker gateway addresses (host.docker.internal, gateway.docker.internal,
the bridge gateway IP) under network isolation. Reviewers noted the flag's
end-to-end behavior was effectively untested, and the deny/allow interaction
with permission profiles is subtle (Squid is first-match-wins), so add
coverage that pins it down.

- squid_test: assert that listing host.docker.internal in allow_host without
  the flag is still blocked (deny precedes the ACL allow), and is allowed with
  the flag — the exact profile/flag interaction users hit.
- client_deploy_test: guard that AllowDockerGateway defaults to not-forwarded
  so the gateway deny rules stay in place, and that the DNS container is
  created on the isolation path.
- e2e: verify the egress squid.conf carries the gateway deny rules by default
  and drops them with the flag, and (where the bridge gateway routes to the
  host) that a fetch to the gateway succeeds only with the flag.

Relates to #5640

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Address review feedback on gateway e2e tests

- Drop the host.docker.internal runtime fetch leg: it could pass because DNS
  resolution fails (the isolated resolver can't resolve the name, per #5640)
  rather than because the egress deny fired, so it could not prove the
  security boundary. The gateway-IP leg is DNS-independent and genuinely
  exercises the deny; the hostname deny rule is pinned by the config test.
- Make the positive leg affirmatively assert the fetched body
  ("host-service-ok") instead of asserting nothing on the reachable branch.
- Pin the direct-IP deny (docker_gateway_ip) in the config test: assert it is
  present by default and absent with the flag, mirroring the hostname rule.
- Clarify that the config test complements (not duplicates) th... (continued)

69522 of 103241 relevant lines covered (67.34%)

63.98 hits per line

Coverage Regressions

Lines Coverage File
3
97.37
 -0.53% pkg/authz/authorizers/cedar/core.go
3
80.42
 -0.71% pkg/transport/proxy/httpsse/http_proxy.go
2
88.24
 -5.88% pkg/vmcp/backendregistry/registry.go
Jobs
ID Job ID Ran Files Coverage
1 28201026170.1 760
67.34
 GitHub Action Run
Source Files on build 28201026170