feat(call): retire remote_safe/trusted_peer/RemoteFilter (call/retire-remote-safe)
This commit is contained in:
@@ -193,36 +193,6 @@ pub fn services_list_handler(registry: Arc<OperationRegistry>) -> Handler {
|
||||
})
|
||||
}
|
||||
|
||||
/// Peer-scoped `services/list` handler (ADR-028 Assumption 2). When
|
||||
/// `trusted_peer` is false (default-deny mode for a `CallClient`), ops with
|
||||
/// `remote_safe: false` are hidden from the remote peer in addition to the
|
||||
/// existing `Visibility::External` filter — a peer should not see ops it
|
||||
/// cannot call, so discovery and dispatch filters agree. When `trusted_peer`
|
||||
/// is true, all `External` ops are listed regardless of `remote_safe`.
|
||||
pub fn services_list_handler_peer_scoped(
|
||||
registry: Arc<OperationRegistry>,
|
||||
trusted_peer: bool,
|
||||
) -> Handler {
|
||||
Arc::new(move |input: Value, ctx: OperationContext| {
|
||||
let registry = Arc::clone(®istry);
|
||||
Box::pin(async move {
|
||||
let _ = input;
|
||||
let ops: Vec<Value> = registry
|
||||
.list_operations_peer_scoped(trusted_peer)
|
||||
.into_iter()
|
||||
.map(|s| {
|
||||
json!({
|
||||
"name": s.name,
|
||||
"namespace": s.namespace,
|
||||
"op_type": op_type_str(s.op_type),
|
||||
})
|
||||
})
|
||||
.collect();
|
||||
ResponseEnvelope::ok(ctx.request_id, json!({ "operations": ops }))
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
pub fn services_schema_handler(registry: Arc<OperationRegistry>) -> Handler {
|
||||
Arc::new(move |input: Value, ctx: OperationContext| {
|
||||
let registry = Arc::clone(®istry);
|
||||
@@ -535,106 +505,6 @@ mod tests {
|
||||
assert!(output.get("operations").is_some());
|
||||
}
|
||||
|
||||
fn registry_with_remote_safe_ops() -> Arc<OperationRegistry> {
|
||||
let mut registry = OperationRegistry::new();
|
||||
registry.register(HandlerRegistration::new(
|
||||
external_spec("fs/readFile"),
|
||||
echo_handler(),
|
||||
OperationProvenance::Local,
|
||||
None,
|
||||
None,
|
||||
Capabilities::new(),
|
||||
));
|
||||
// remote_safe: false (default)
|
||||
registry.register(HandlerRegistration::new(
|
||||
external_spec("admin/run"),
|
||||
echo_handler(),
|
||||
OperationProvenance::Local,
|
||||
None,
|
||||
None,
|
||||
Capabilities::new(),
|
||||
));
|
||||
// remote_safe: true
|
||||
registry.register(
|
||||
HandlerRegistration::new(
|
||||
external_spec("pub/status"),
|
||||
echo_handler(),
|
||||
OperationProvenance::Local,
|
||||
None,
|
||||
None,
|
||||
Capabilities::new(),
|
||||
)
|
||||
.remote_safe(true),
|
||||
);
|
||||
Arc::new(registry)
|
||||
}
|
||||
|
||||
#[tokio::test]
|
||||
async fn services_list_peer_scoped_default_deny_hides_non_remote_safe() {
|
||||
let registry = registry_with_remote_safe_ops();
|
||||
let handler = services_list_handler_peer_scoped(Arc::clone(®istry), false);
|
||||
let ctx = root_context("req-ps1");
|
||||
let response = handler(serde_json::json!({}), ctx).await;
|
||||
let output = response.result.expect("ok");
|
||||
let ops = output
|
||||
.get("operations")
|
||||
.and_then(|v| v.as_array())
|
||||
.expect("operations array");
|
||||
let names: Vec<&str> = ops
|
||||
.iter()
|
||||
.filter_map(|o| o.get("name").and_then(|n| n.as_str()))
|
||||
.collect();
|
||||
assert!(
|
||||
names.contains(&"pub/status"),
|
||||
"remote_safe ops must be listed in default-deny mode"
|
||||
);
|
||||
assert!(
|
||||
!names.contains(&"fs/readFile"),
|
||||
"non-remote-safe ops must be hidden in default-deny mode (ADR-028 Assumption 2)"
|
||||
);
|
||||
assert!(
|
||||
!names.contains(&"admin/run"),
|
||||
"non-remote-safe ops must be hidden in default-deny mode"
|
||||
);
|
||||
}
|
||||
|
||||
#[tokio::test]
|
||||
async fn services_list_peer_scoped_trusted_peer_lists_all_external() {
|
||||
let registry = registry_with_remote_safe_ops();
|
||||
let handler = services_list_handler_peer_scoped(Arc::clone(®istry), true);
|
||||
let ctx = root_context("req-ps2");
|
||||
let response = handler(serde_json::json!({}), ctx).await;
|
||||
let output = response.result.expect("ok");
|
||||
let ops = output
|
||||
.get("operations")
|
||||
.and_then(|v| v.as_array())
|
||||
.expect("operations array");
|
||||
let names: Vec<&str> = ops
|
||||
.iter()
|
||||
.filter_map(|o| o.get("name").and_then(|n| n.as_str()))
|
||||
.collect();
|
||||
assert!(names.contains(&"fs/readFile"));
|
||||
assert!(names.contains(&"admin/run"));
|
||||
assert!(names.contains(&"pub/status"));
|
||||
}
|
||||
|
||||
#[tokio::test]
|
||||
async fn services_list_peer_scoped_default_deny_with_no_remote_safe_returns_empty() {
|
||||
let registry = registry_with_ops(); // no remote_safe ops
|
||||
let handler = services_list_handler_peer_scoped(Arc::clone(®istry), false);
|
||||
let ctx = root_context("req-ps3");
|
||||
let response = handler(serde_json::json!({}), ctx).await;
|
||||
let output = response.result.expect("ok");
|
||||
let ops = output
|
||||
.get("operations")
|
||||
.and_then(|v| v.as_array())
|
||||
.expect("operations array");
|
||||
assert!(
|
||||
ops.is_empty(),
|
||||
"default-deny with no remote_safe ops lists nothing"
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn normalize_name_strips_leading_slash() {
|
||||
assert_eq!(normalize_name("/fs/readFile"), "fs/readFile");
|
||||
|
||||
Reference in New Issue
Block a user