mirror of
https://github.com/HKUDS/nanobot.git
synced 2026-06-13 22:34:06 +00:00
* feat(webui): add project workspaces and access controls * feat(webui): add project workspaces and access controls * refactor(tools): centralize workspace access resolution * refactor(webui): remove unused workspace host state * fix(webui): hide estimated file edit label * fix(webui): clarify file edit deletion feedback * fix(webui): label deleted file activity * fix(webui): flatten file edit activity rows * fix(core): remove path-only patch deletion * fix(core): keep apply patch non-destructive * refactor(webui): trim workspace host plumbing * fix(tools): register exec with tools config
from pathlib import Path
from nanobot.security.workspace_access import workspace_sandbox_status
def test_workspace_sandbox_disabled(tmp_path: Path) -> None:
    """With workspace restriction off, the status reports no sandbox at all."""
    call_args = {
        "restrict_to_workspace": False,
        "workspace": tmp_path,
        "environ": {},
    }
    report = workspace_sandbox_status(**call_args)

    assert report.level == "off"
    assert report.enforced is False
    assert report.provider == "none"

    # The expected root is the resolved form of tmp_path, so the serialized
    # status must carry the canonical path rather than the path as passed in.
    serialized = report.as_dict()
    assert serialized["workspace_root"] == str(tmp_path.resolve())
def test_workspace_sandbox_application_guard(tmp_path: Path) -> None:
    """Restriction on, nothing declared in the environment: application-level only."""
    empty_env: dict = {}
    report = workspace_sandbox_status(
        restrict_to_workspace=True, workspace=tmp_path, environ=empty_env
    )

    assert report.level == "application"
    # Pinned on purpose: restricting paths inside the application is still
    # reported as not enforced and without a provider, so the status does not
    # present it as a system sandbox.
    assert report.enforced is False
    assert report.provider == "none"

    summary_text = report.summary
    assert "application-level" in summary_text
def test_workspace_sandbox_system_provider_from_compact_env(tmp_path: Path) -> None:
    """A single variable naming the provider yields a system-level, enforced status."""
    # Compact form: the value of the variable is the provider identifier itself.
    # NOTE(review): the status here is derived from the mapping passed as
    # `environ`; this test does not show any check that the process really runs
    # inside that sandbox -- confirm who is allowed to set this variable.
    declared_env = {"NANOBOT_SANDBOX_ENFORCED": "macos_app_sandbox"}
    report = workspace_sandbox_status(
        restrict_to_workspace=True,
        workspace=tmp_path,
        environ=declared_env,
    )

    assert report.level == "system"
    assert report.enforced is True
    assert report.provider == "macos_app_sandbox"
    assert report.provider_label == "macOS App Sandbox"
def test_workspace_sandbox_system_provider_from_boolean_env(tmp_path: Path) -> None:
    """A boolean flag plus a separate provider variable yields the same system status."""
    # Long form: one variable carries the flag, the other a human-readable
    # provider name, which is expected back as the identifier "macos_app_sandbox".
    declared_env = {}
    declared_env["NANOBOT_WORKSPACE_SANDBOX_ENFORCED"] = "true"
    declared_env["NANOBOT_WORKSPACE_SANDBOX_PROVIDER"] = "macOS App Sandbox"

    report = workspace_sandbox_status(
        restrict_to_workspace=True,
        workspace=tmp_path,
        environ=declared_env,
    )

    assert report.level == "system"
    assert report.enforced is True
    assert report.provider == "macos_app_sandbox"
def test_workspace_sandbox_false_env_does_not_enforce(tmp_path: Path) -> None:
    """An explicit "false" flag must leave the status at application level."""
    # Guards against treating the mere presence of the variable as enforcement:
    # only its value may raise the reported level.
    declared_env = {"NANOBOT_WORKSPACE_SANDBOX_ENFORCED": "false"}
    report = workspace_sandbox_status(
        restrict_to_workspace=True, workspace=tmp_path, environ=declared_env
    )

    assert report.level == "application"
    assert report.enforced is False