stacklok / toolhive / 28201026170

25 Jun 2026 09:16PM UTC coverage: 67.34% (-0.007%) from 67.347%
push

github

web-flow
Add tests for --allow-docker-gateway behavior (#5644)

* Add tests for --allow-docker-gateway behavior

The --allow-docker-gateway flag controls whether the egress proxy reaches
Docker gateway addresses (host.docker.internal, gateway.docker.internal,
the bridge gateway IP) under network isolation. Reviewers noted the flag's
end-to-end behavior was effectively untested, and the deny/allow interaction
with permission profiles is subtle (Squid is first-match-wins), so add
coverage that pins it down.

- squid_test: assert that listing host.docker.internal in allow_host without
  the flag is still blocked (deny precedes the ACL allow), and is allowed with
  the flag — the exact profile/flag interaction users hit.
- client_deploy_test: guard that AllowDockerGateway defaults to not-forwarded
  so the gateway deny rules stay in place, and that the DNS container is
  created on the isolation path.
- e2e: verify the egress squid.conf carries the gateway deny rules by default
  and drops them with the flag, and (where the bridge gateway routes to the
  host) that a fetch to the gateway succeeds only with the flag.

Relates to #5640

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Address review feedback on gateway e2e tests

- Drop the host.docker.internal runtime fetch leg: it could pass because DNS
  resolution fails (the isolated resolver can't resolve the name, per #5640)
  rather than because the egress deny fired, so it could not prove the
  security boundary. The gateway-IP leg is DNS-independent and genuinely
  exercises the deny; the hostname deny rule is pinned by the config test.
- Make the positive leg affirmatively assert the fetched body
  ("host-service-ok") instead of asserting nothing on the reachable branch.
- Pin the direct-IP deny (docker_gateway_ip) in the config test: assert it is
  present by default and absent with the flag, mirroring the hostname rule.
- Clarify that the config test complements (not duplicates) th... (continued)
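
Added example, not part of the commit or the toolhive code base: a simplified Go model of the first-match-wins ordering described in the commit message, showing why a profile that lists host.docker.internal is still blocked unless the flag removes the gateway deny rules. The ACL names other than docker_gateway_ip, the 172.17.0.1 address, and the fall-through deny are assumptions of this model.

```go
package main

import "fmt"

// Constructed sample value: a typical bridge gateway address, not taken from the page.
const gatewayIP = "172.17.0.1"

// rule models one http_access line: an action plus the destinations its ACL matches.
type rule struct {
	allow bool
	acl   string
	dsts  map[string]bool
}

func set(items ...string) map[string]bool {
	m := make(map[string]bool, len(items))
	for _, i := range items {
		m[i] = true
	}
	return m
}

// buildRules places the gateway denies ahead of the profile allow unless the flag
// is set. docker_gateway_ip is named on the page; the other ACL names are hypothetical.
func buildRules(allowHosts []string, allowDockerGateway bool) []rule {
	var rules []rule
	if !allowDockerGateway {
		rules = append(rules,
			rule{false, "docker_gateway_hosts", set("host.docker.internal", "gateway.docker.internal")},
			rule{false, "docker_gateway_ip", set(gatewayIP)})
	}
	return append(rules, rule{true, "allowed_hosts", set(allowHosts...)})
}

// decide returns the action of the first rule whose ACL matches dst, and that
// ACL's name. Falling through to a deny is an assumption of this model.
func decide(rules []rule, dst string) (bool, string) {
	for _, r := range rules {
		if r.dsts[dst] {
			return r.allow, r.acl
		}
	}
	return false, "default_deny"
}

func main() {
	profile := []string{"host.docker.internal", gatewayIP, "example.com"}
	for _, flag := range []bool{false, true} {
		for _, dst := range profile {
			ok, acl := decide(buildRules(profile, flag), dst)
			fmt.Printf("flag=%-5v dst=%-22s allowed=%-5v matched=%s\n", flag, dst, ok, acl)
		}
	}
}
```
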

69522 of 103241 relevant lines covered (67.34%)

63.98 hits per line

Source File
80.42
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
