0ef5fcb1c5
Security / Dependency audit (pip-audit) (push) Has been cancelled
Security / CodeQL (javascript-typescript) (push) Has been cancelled
Security / CodeQL (python) (push) Has been cancelled
Security / Secret scan (gitleaks) (push) Has been cancelled
rust / test (ubuntu) (push) Has been cancelled
rust / simulator e2e (macos-latest) (push) Has been cancelled
rust / simulator e2e (ubuntu-latest) (push) Has been cancelled
rust / simulator e2e (windows-latest) (push) Has been cancelled
rust / wheels (aarch64-apple-darwin) (push) Has been cancelled
rust / wheels (x86_64-unknown-linux-gnu) (push) Has been cancelled
rust / wheels (x86_64-apple-darwin) (push) Has been cancelled
rust / audit (push) Has been cancelled
rust / parity (nightly, allowed to fail during Phase 0) (push) Has been cancelled
CI / commitlint (push) Has been skipped
Dev Containers / validate (.devcontainer/devcontainer.json, default) (push) Failing after 0s
Dev Containers / validate (.devcontainer/memory-stack/devcontainer.json, memory-stack) (push) Failing after 0s
Dev Containers / validate-worktree (push) Failing after 0s
CI / changes (push) Failing after 4s
Deploy Documentation / validate (push) Has been skipped
Deploy Documentation / deploy (push) Failing after 1s
Init Native E2E / init-native (ubuntu-latest, claude) (push) Failing after 1s
Init Native E2E / init-native (ubuntu-latest, codex) (push) Failing after 1s
Install Native E2E / install-native (ubuntu-latest) (push) Failing after 1s
OpenCode Plugin / typecheck + build + test (push) Failing after 1s
Init Native E2E / init-native (ubuntu-latest, copilot) (push) Failing after 1s
Release Please / release-please (push) Failing after 1s
Wrap E2E / docker-wrap-e2e (push) Failing after 1s
Wrap Native E2E / wrap-native (ubuntu-latest) (push) Failing after 1s
Init E2E / docker-init-e2e (push) Failing after 4s
Merge Conflicts / merge-conflicts (push) Failing after 4s
CI / lint (push) Has been cancelled
CI / build-wheel (push) Has been cancelled
CI / build-wheel-windows (push) Has been cancelled
CI / prefetch-model (push) Has been cancelled
CI / test-dashboard-ui (push) Has been cancelled
CI / test (1) (push) Has been cancelled
CI / test (2) (push) Has been cancelled
CI / test (3) (push) Has been cancelled
CI / test (4) (push) Has been cancelled
CI / test-extras (push) Has been cancelled
CI / test-agno (push) Has been cancelled
CI / build (push) Has been cancelled
CI / workflow-validation (push) Has been cancelled
CI / docker-native-e2e (push) Has been cancelled
CI / windows-native-wrapper (push) Has been cancelled
CI / macos-native-wrapper (push) Has been cancelled
Docker / docker-build (map[name:arm64 platform:linux/arm64 runs_on:ubuntu-24.04-arm], map[bake_target:runtime-code-nonroot name:code-nonroot]) (push) Has been cancelled
Docker / docker-build (map[name:arm64 platform:linux/arm64 runs_on:ubuntu-24.04-arm], map[bake_target:runtime-code-slim name:code-slim]) (push) Has been cancelled
Docker / docker-build (map[name:arm64 platform:linux/arm64 runs_on:ubuntu-24.04-arm], map[bake_target:runtime-code-slim-nonroot name:code-slim-nonroot]) (push) Has been cancelled
Docker / docker-build (map[name:arm64 platform:linux/arm64 runs_on:ubuntu-24.04-arm], map[bake_target:runtime-nonroot name:nonroot]) (push) Has been cancelled
Docker / docker-build (map[name:arm64 platform:linux/arm64 runs_on:ubuntu-24.04-arm], map[bake_target:runtime-slim name:slim]) (push) Has been cancelled
Docker / docker-build (map[name:arm64 platform:linux/arm64 runs_on:ubuntu-24.04-arm], map[bake_target:runtime-slim-nonroot name:slim-nonroot]) (push) Has been cancelled
Docker / docker-manifest (map[bake_target:runtime name:]) (push) Has been cancelled
Docker / docker-manifest (map[bake_target:runtime-code name:code]) (push) Has been cancelled
Docker / docker-manifest (map[bake_target:runtime-code-nonroot name:code-nonroot]) (push) Has been cancelled
Docker / docker-manifest (map[bake_target:runtime-code-slim name:code-slim]) (push) Has been cancelled
Docker / docker-manifest (map[bake_target:runtime-code-slim-nonroot name:code-slim-nonroot]) (push) Has been cancelled
Docker / docker-manifest (map[bake_target:runtime-nonroot name:nonroot]) (push) Has been cancelled
Docker / docker-manifest (map[bake_target:runtime-slim name:slim]) (push) Has been cancelled
Docker / docker-manifest (map[bake_target:runtime-slim-nonroot name:slim-nonroot]) (push) Has been cancelled
Docker / docker-build (map[name:amd64 platform:linux/amd64 runs_on:ubuntu-24.04], map[bake_target:runtime name:]) (push) Has been cancelled
Docker / docker-build (map[name:amd64 platform:linux/amd64 runs_on:ubuntu-24.04], map[bake_target:runtime-code name:code]) (push) Has been cancelled
Docker / docker-build (map[name:amd64 platform:linux/amd64 runs_on:ubuntu-24.04], map[bake_target:runtime-code-nonroot name:code-nonroot]) (push) Has been cancelled
Docker / docker-build (map[name:amd64 platform:linux/amd64 runs_on:ubuntu-24.04], map[bake_target:runtime-code-slim name:code-slim]) (push) Has been cancelled
Docker / docker-build (map[name:amd64 platform:linux/amd64 runs_on:ubuntu-24.04], map[bake_target:runtime-code-slim-nonroot name:code-slim-nonroot]) (push) Has been cancelled
Docker / docker-build (map[name:amd64 platform:linux/amd64 runs_on:ubuntu-24.04], map[bake_target:runtime-nonroot name:nonroot]) (push) Has been cancelled
Docker / docker-build (map[name:amd64 platform:linux/amd64 runs_on:ubuntu-24.04], map[bake_target:runtime-slim name:slim]) (push) Has been cancelled
Docker / docker-build (map[name:amd64 platform:linux/amd64 runs_on:ubuntu-24.04], map[bake_target:runtime-slim-nonroot name:slim-nonroot]) (push) Has been cancelled
Docker / docker-build (map[name:arm64 platform:linux/arm64 runs_on:ubuntu-24.04-arm], map[bake_target:runtime name:]) (push) Has been cancelled
Docker / docker-build (map[name:arm64 platform:linux/arm64 runs_on:ubuntu-24.04-arm], map[bake_target:runtime-code name:code]) (push) Has been cancelled
Docker / promote-latest (push) Has been cancelled
Init Native E2E / init-native (macos-latest, claude) (push) Has been cancelled
Init Native E2E / init-native (macos-latest, codex) (push) Has been cancelled
Init Native E2E / init-native (macos-latest, copilot) (push) Has been cancelled
Install Native E2E / install-native (macos-latest) (push) Has been cancelled
Wrap Native E2E / wrap-native (macos-latest) (push) Has been cancelled
188 lines
7.1 KiB
Python
188 lines
7.1 KiB
Python
"""Loopback-gating tests for state-mutating / content-leaking endpoints.
|
|
|
|
``/transformations/feed`` can return full prompt + completion bodies (when
|
|
``log_full_messages`` is on) and ``/cache/clear`` mutates server state. With the
|
|
default ``--host 0.0.0.0`` Docker bind, neither should be reachable by an
|
|
arbitrary network client — they are gated to the loopback interface via
|
|
``require_loopback`` (the same guard already used for ``/admin/*`` and
|
|
``/debug/*``). See #863.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import pytest
|
|
from fastapi import FastAPI
|
|
from fastapi.testclient import TestClient
|
|
|
|
from headroom.cache.backends import InMemoryBackend
|
|
from headroom.cache.compression_store import get_compression_store, reset_compression_store
|
|
from headroom.proxy.server import ProxyConfig, create_app
|
|
|
|
GATED = [
|
|
("get", "/transformations/feed"),
|
|
("post", "/cache/clear"),
|
|
]
|
|
|
|
|
|
def _make_app() -> FastAPI:
|
|
return create_app(
|
|
ProxyConfig(
|
|
optimize=False,
|
|
cache_enabled=False,
|
|
rate_limit_enabled=False,
|
|
cost_tracking_enabled=False,
|
|
log_requests=False,
|
|
ccr_inject_tool=False,
|
|
ccr_handle_responses=False,
|
|
ccr_context_tracking=False,
|
|
image_optimize=False,
|
|
)
|
|
)
|
|
|
|
|
|
def _loopback_client() -> TestClient:
|
|
# A real loopback peer + a loopback Host header — passes both guard gates
|
|
# (client-IP check and the DNS-rebinding Host-header check).
|
|
return TestClient(_make_app(), base_url="http://127.0.0.1", client=("127.0.0.1", 12345))
|
|
|
|
|
|
def _seed_ccr_entry() -> str:
|
|
reset_compression_store()
|
|
store = get_compression_store(backend=InMemoryBackend())
|
|
return store.store(
|
|
"seeded-ccr-content",
|
|
"<<ccr:seeded>>",
|
|
original_tokens=3,
|
|
compressed_tokens=1,
|
|
tool_name="seeded-test",
|
|
)
|
|
|
|
|
|
@pytest.mark.parametrize("method,path", GATED)
|
|
def test_non_loopback_caller_gets_404(method: str, path: str) -> None:
|
|
# A vanilla TestClient presents client.host="testclient", which is not a
|
|
# loopback IP, so the guard returns 404 (invisible, not 403).
|
|
client = TestClient(_make_app())
|
|
resp = client.request(method, path)
|
|
assert resp.status_code == 404, resp.text
|
|
|
|
|
|
@pytest.mark.parametrize("method,path", GATED)
|
|
def test_loopback_caller_allowed(method: str, path: str) -> None:
|
|
client = _loopback_client()
|
|
resp = client.request(method, path)
|
|
assert resp.status_code == 200, resp.text
|
|
|
|
|
|
# CCR data endpoints — cached session content, gated to 404 off-loopback (#1227).
|
|
CCR_GATED = [
|
|
("post", "/v1/retrieve"),
|
|
("get", "/v1/retrieve/stats"),
|
|
("get", "/v1/retrieve/somehash"),
|
|
("post", "/v1/retrieve/tool_call"),
|
|
("post", "/v1/compress"),
|
|
]
|
|
|
|
|
|
@pytest.mark.parametrize("method,path", CCR_GATED)
|
|
def test_ccr_non_loopback_gets_404(method: str, path: str) -> None:
|
|
resp = TestClient(_make_app()).request(method, path, json={})
|
|
assert resp.status_code == 404, resp.text
|
|
|
|
|
|
def test_ccr_retrieve_hash_route_blocks_valid_hash_for_non_loopback() -> None:
|
|
ccr_hash = _seed_ccr_entry()
|
|
try:
|
|
loopback = _loopback_client()
|
|
loopback_resp = loopback.get(f"/v1/retrieve/{ccr_hash}")
|
|
assert loopback_resp.status_code == 200, loopback_resp.text
|
|
assert loopback_resp.json()["original_content"] == "seeded-ccr-content"
|
|
|
|
network_resp = TestClient(_make_app()).get(f"/v1/retrieve/{ccr_hash}")
|
|
assert network_resp.status_code == 404, network_resp.text
|
|
finally:
|
|
reset_compression_store()
|
|
|
|
|
|
def test_dns_rebinding_host_header_rejected() -> None:
|
|
# Loopback peer IP but an attacker-controlled Host header (the DNS-rebinding
|
|
# shape) must still be rejected by the second gate.
|
|
client = TestClient(_make_app(), base_url="http://127.0.0.1", client=("127.0.0.1", 12345))
|
|
resp = client.get("/transformations/feed", headers={"host": "attacker.example"})
|
|
assert resp.status_code == 404, resp.text
|
|
|
|
|
|
def _client(*, loopback: bool) -> TestClient:
|
|
app = _make_app()
|
|
if loopback:
|
|
return TestClient(app, base_url="http://127.0.0.1", client=("127.0.0.1", 12345))
|
|
# Default TestClient presents client.host="testclient" — not loopback.
|
|
return TestClient(app)
|
|
|
|
|
|
def test_health_config_block_is_loopback_only(monkeypatch: pytest.MonkeyPatch) -> None:
|
|
"""/health stays reachable for monitors but hides the `config` block (which
|
|
echoes upstream API URLs + backend settings) from non-loopback callers."""
|
|
monkeypatch.setenv("HEADROOM_SKIP_UPSTREAM_CHECK", "1")
|
|
|
|
network = _client(loopback=False).get("/health")
|
|
assert network.status_code == 200
|
|
assert "config" not in network.json()
|
|
# Basic health is still visible to monitors.
|
|
assert network.json()["status"] in {"healthy", "unhealthy"}
|
|
|
|
local = _client(loopback=True).get("/health")
|
|
assert local.status_code == 200
|
|
assert "config" in local.json()
|
|
|
|
|
|
def test_stats_per_request_metadata_is_loopback_only() -> None:
|
|
"""/stats keeps aggregate counters public but restricts per-request metadata
|
|
(recent_requests / request_logs) and `config` to loopback callers."""
|
|
network = _client(loopback=False).get("/stats")
|
|
assert network.status_code == 200
|
|
payload = network.json()
|
|
assert "tokens" in payload # aggregate counters still served
|
|
assert "recent_requests" not in payload
|
|
assert "request_logs" not in payload
|
|
assert "config" not in payload
|
|
|
|
local = _client(loopback=True).get("/stats").json()
|
|
assert "recent_requests" in local
|
|
assert "config" in local
|
|
|
|
|
|
def test_stats_metadata_served_to_trusted_gateway_peer(
|
|
monkeypatch: pytest.MonkeyPatch,
|
|
) -> None:
|
|
"""Containerized dashboards: a browser on the host reaches a bridge-network
|
|
container via the gateway IP, so the peer isn't 127.0.0.1 and per-request
|
|
metadata gets stripped. When the operator allow-lists the gateway CIDR via
|
|
HEADROOM_PROXY_TRUSTED_GATEWAY_CIDRS, the peer is treated as
|
|
loopback-equivalent and the metadata is served again."""
|
|
gateway_ip = "172.18.0.1" # typical docker/mocker bridge gateway
|
|
app = _make_app()
|
|
|
|
def _gateway_client() -> TestClient:
|
|
# Loopback Host header (the operator browses http://127.0.0.1:8787) but
|
|
# the peer IP is the container gateway, not loopback.
|
|
return TestClient(app, base_url="http://127.0.0.1", client=(gateway_ip, 54321))
|
|
|
|
# Without the allow-list, the gateway peer is untrusted → metadata stripped.
|
|
monkeypatch.delenv("HEADROOM_PROXY_TRUSTED_GATEWAY_CIDRS", raising=False)
|
|
stripped = _gateway_client().get("/stats").json()
|
|
assert "recent_requests" not in stripped
|
|
assert "config" not in stripped
|
|
|
|
# Allow-list the gateway CIDR → peer trusted → metadata served.
|
|
monkeypatch.setenv("HEADROOM_PROXY_TRUSTED_GATEWAY_CIDRS", "172.18.0.0/16")
|
|
served = _gateway_client().get("/stats").json()
|
|
assert "recent_requests" in served
|
|
assert "config" in served
|
|
|
|
# DNS-rebinding defence still applies even for a trusted gateway peer: a
|
|
# non-loopback Host header must be rejected.
|
|
rebind = TestClient(app, base_url="http://attacker.example", client=(gateway_ip, 54321))
|
|
payload = rebind.get("/stats").json()
|
|
assert "recent_requests" not in payload
|