ci: run the adversarial security suite (+ fix capability drift it surfaces)#95
Merged
…aces

The integration test binaries under crates/barbacane-test/tests/ (including the entire adversarial security suite) were never run in CI — the "Integration Tests" job runs only `cargo test -p barbacane-test --lib`. That meant the security harness central to the recent hardening work gated nothing.

- Add a "Security Suite" CI job: PostgreSQL service (for the authz category), downloads the build artifacts (data-plane binary + WASM plugins), builds the control-plane binary, and runs `cargo test -p barbacane-test --test security`.
- TestGateway now sets BARBACANE_ALLOW_INTERNAL_EGRESS explicitly instead of inheriting the ambient env: default allow (so tests can reach loopback mocks), with `from_spec_blocked_egress` for the SSRF tests so the egress guard is what they actually observe. This also fixes local runs that previously 502'd on loopback upstreams.

Fixes the suite immediately flagged:

- jwt-auth and oidc-auth import host_log (the no-audience warning added earlier) but did not declare the `log` capability, so they failed to load under WASM capability enforcement. Declare `log` in both manifests. Audited all 33 plugins: no other capability drift.
Belt and suspenders: the security suite now runs in CI
The integration test binaries under `crates/barbacane-test/tests/` — including the entire adversarial security suite (`tests/security/`) — were never executed in CI. The "Integration Tests" job runs only `cargo test -p barbacane-test --lib`, so the harness that's central to the recent hardening work (PRs #91–#94) gated nothing. The header-timer hang I hit while working on #94 would not have been caught by CI.

What this does

- Add a "Security Suite" CI job: PostgreSQL service (for the `authz` category, which boots the control plane), downloads the build artifacts (data-plane binary + WASM plugins, already produced by the Build job), builds the control-plane binary, and runs `cargo test -p barbacane-test --test security`.
- `TestGateway` now sets `BARBACANE_ALLOW_INTERNAL_EGRESS` explicitly instead of inheriting the ambient env — default allow (so tests reach loopback wiremock upstreams), with a new `from_spec_blocked_egress` used by the SSRF tests so the guard is what they actually observe. This also fixes local runs that previously 502'd on loopback upstreams.

Real bug the new job immediately caught

`jwt-auth` and `oidc-auth` import `host_log` (the one-time no-audience warning added in #92) but never declared the `log` capability, so they fail to load under WASM capability enforcement. Both manifests now declare `log`. I audited all 33 plugins against their built wasm — no other capability drift.

Verification
Full security suite green locally: 21 passed, 4 ignored (the 4 are blocked-by-design, e.g. needing an adversarial fixture plugin).
`cargo fmt --all --check` clean; `ci.yml` validated.

Follow-up (not in this PR)
Broadening CI to the rest of the integration binaries (proxy/plugins/streaming/workload) is a larger effort — some need Kafka/NATS services and a flakiness pass. Filing separately.
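The capability drift caught above (a plugin importing `host_log` without declaring `log`) is the kind of mismatch a small audit script can catch before the suite does. The following is an added example, not code from this PR or the barbacane project: it parses a WASM binary's import section by hand and flags host-function imports whose capability the manifest does not declare. The `host_log` → `log` and `host_http_get` → `http` mapping, the `env` import module name and the sample binary are constructed assumptions; only function imports are handled, and other import kinds fail loudly.

```python
# Assumed (hypothetical) mapping from host import name to the manifest capability it requires.
IMPORT_CAPABILITY = {"host_log": "log", "host_http_get": "http"}

def _uleb128(data, pos):  # decode unsigned LEB128 at pos -> (value, next_pos)
    value, shift = 0, 0
    while True:
        byte, pos = data[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def _name(data, pos):  # decode length-prefixed UTF-8 name -> (str, next_pos)
    n, pos = _uleb128(data, pos)
    return data[pos:pos + n].decode(), pos + n

def wasm_imports(module):  # -> [(module, field, kind)] from the import section (id 2)
    assert module[:8] == b"\0asm\x01\0\0\0", "not a wasm v1 module"
    pos, imports = 8, []
    while pos < len(module):
        sec_id = module[pos]
        size, pos = _uleb128(module, pos + 1)
        end = pos + size
        if sec_id == 2:
            count, pos = _uleb128(module, pos)
            for _ in range(count):
                mod, pos = _name(module, pos)
                field, pos = _name(module, pos)
                kind, pos = module[pos], pos + 1
                if kind != 0:  # table/memory/global imports are not expected from these plugins
                    raise ValueError(f"unsupported import kind {kind} for {mod}.{field}")
                _, pos = _uleb128(module, pos)  # func import descriptor: type index
                imports.append((mod, field, kind))
        pos = end  # skip sections we do not inspect (type, function, code, ...)
    return imports

def capability_drift(module, declared):
    """Capabilities the binary's host imports require but the manifest does not declare."""
    needed = {IMPORT_CAPABILITY[f] for _, f, _k in wasm_imports(module) if f in IMPORT_CAPABILITY}
    return sorted(needed - set(declared))

# Constructed sample plugin (annotated hex): one func type () -> (), then two host imports.
SAMPLE_PLUGIN = bytes.fromhex(
    "0061736d01000000"                               # magic "\0asm" + version 1
    "01 04 01 60 00 00"                              # type section: one type, func () -> ()
    "02 24 02"                                       # import section: 36 bytes, 2 imports
    "03 656e76 08 686f73745f6c6f67 00 00"            # "env"."host_log"       func, type 0
    "03 656e76 0d 686f73745f687474705f676574 00 00"  # "env"."host_http_get"  func, type 0
)
```

Run over every built plugin with its manifest's declared capabilities, `capability_drift(SAMPLE_PLUGIN, ["http"])` returns `['log']`, which is exactly the jwt-auth/oidc-auth shape of the bug: the binary needs `log`, the manifest never said so.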