fix: allow sub2api http upstream URLs
This commit is contained in:
@@ -0,0 +1,48 @@
|
||||
import { readFileSync } from "node:fs";
|
||||
import { rootPath } from "./src/config";
|
||||
|
||||
function assertCondition(condition: unknown, message: string, detail: unknown = {}): void {
|
||||
if (!condition) throw new Error(`${message}: ${JSON.stringify(detail)}`);
|
||||
}
|
||||
|
||||
const sub2apiConfigPath = rootPath("config", "platform-infra", "sub2api.yaml");
|
||||
const codexPoolConfigPath = rootPath("config", "platform-infra", "sub2api-codex-pool.yaml");
|
||||
const manifestPath = rootPath("src", "components", "platform-infra", "sub2api", "sub2api.k8s.yaml");
|
||||
|
||||
const sub2api = Bun.YAML.parse(readFileSync(sub2apiConfigPath, "utf8")) as {
|
||||
security?: {
|
||||
urlAllowlist?: {
|
||||
enabled?: boolean;
|
||||
allowInsecureHttp?: boolean;
|
||||
allowPrivateHosts?: boolean;
|
||||
upstreamHosts?: string[];
|
||||
};
|
||||
};
|
||||
};
|
||||
const codexPool = Bun.YAML.parse(readFileSync(codexPoolConfigPath, "utf8")) as {
|
||||
profiles?: {
|
||||
entries?: Array<{
|
||||
accountName?: string;
|
||||
}>;
|
||||
};
|
||||
};
|
||||
const manifest = readFileSync(manifestPath, "utf8");
|
||||
|
||||
assertCondition((codexPool.profiles?.entries ?? []).length > 0, "Codex pool must have YAML-selected upstream accounts", codexPool.profiles);
|
||||
assertCondition(sub2api.security?.urlAllowlist?.enabled === false, "Sub2API URL allowlist must be disabled for current HTTP upstream pool policy", sub2api.security);
|
||||
assertCondition(sub2api.security?.urlAllowlist?.allowInsecureHttp === true, "Sub2API must allow http:// upstream base URLs for account tests and normal scheduling", {
|
||||
security: sub2api.security,
|
||||
accounts: (codexPool.profiles?.entries ?? []).map((entry) => entry.accountName),
|
||||
});
|
||||
assertCondition(sub2api.security?.urlAllowlist?.allowPrivateHosts === false, "Sub2API must not allow private hosts for this public HTTP upstream exception", sub2api.security);
|
||||
assertCondition(Array.isArray(sub2api.security?.urlAllowlist?.upstreamHosts), "Sub2API upstreamHosts must be YAML-controlled even when empty", sub2api.security);
|
||||
assertCondition(manifest.includes('SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP: "__SUB2API_SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP__"'), "Sub2API manifest must render allowInsecureHttp from YAML", manifest);
|
||||
|
||||
console.log(JSON.stringify({
|
||||
ok: true,
|
||||
checks: [
|
||||
"Sub2API runtime URL policy explicitly allows http:// upstream base URLs",
|
||||
"Sub2API manifest renders URL policy from YAML instead of hardcoding the old value",
|
||||
],
|
||||
accounts: (codexPool.profiles?.entries ?? []).map((entry) => entry.accountName),
|
||||
}));
|
||||
Reference in New Issue
Block a user