test(server): cover service endpoint plaintext security #1352

Merged: TaylorMutch merged 2 commits into main from test/service-endpoint-security on May 20, 2026

drew (Collaborator) commented May 13, 2026

Summary

Add listener-level coverage for TLS gateways that allow loopback plaintext service HTTP. The tests exercise real TCP connections through the gateway listener to verify plaintext service endpoints stay loopback-only, reject cross-origin browser contexts, and do not expose the gRPC gateway surface.

Related Issue

None.

Changes

  • Added gateway listener tests for non-loopback plaintext service HTTP rejection.
  • Added CSRF-oriented service endpoint tests for Sec-Fetch-Site, Origin, and Referer rejection behavior.
  • Added a regression test proving plaintext service HTTP does not allow successful gateway gRPC calls.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated

Additional targeted runs:

  • cargo test -p openshell-server plaintext_service_http -- --nocapture
  • cargo test -p openshell-server --lib
  • cargo test -p openshell-server

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
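
The three properties the summary lists (loopback-only peers, rejection of cross-origin browser contexts via Sec-Fetch-Site, Origin and Referer, and no gRPC surface on plaintext), sketched as a stand-alone request check. This is an added example, not code from this pull request or from openshell-server; the function names, the `Reject` enum, the `expected_origin` parameter and the exact accept/reject policy are assumptions.

```rust
use std::net::{IpAddr, SocketAddr};
#[derive(Debug, PartialEq)]
pub enum Reject { NonLoopbackPeer, GrpcSurface, CrossSite, OriginMismatch, RefererMismatch }

// Case-insensitive lookup in a (name, value) header list.
fn header<'a>(headers: &'a [(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| *v)
}

// Ipv6Addr::is_loopback matches only ::1, so unwrap IPv4-mapped peers first.
fn is_loopback(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_loopback(),
        IpAddr::V6(v6) => v6.is_loopback() || v6.to_ipv4_mapped().map_or(false, |v4| v4.is_loopback()),
    }
}

// Assumed policy; expected_origin is the loopback origin the service is served from.
pub fn check_plaintext_request(peer: SocketAddr, headers: &[(&str, &str)], expected_origin: &str) -> Result<(), Reject> {
    if !is_loopback(peer.ip()) {
        return Err(Reject::NonLoopbackPeer);
    }
    // gRPC content types are never served on the plaintext path.
    let ctype = header(headers, "content-type").unwrap_or("").to_ascii_lowercase();
    if ctype.starts_with("application/grpc") {
        return Err(Reject::GrpcSurface);
    }
    // Browser-supplied fetch metadata: only same-origin or user-initiated ("none").
    if matches!(header(headers, "sec-fetch-site"), Some(s) if s != "same-origin" && s != "none") {
        return Err(Reject::CrossSite);
    }
    if matches!(header(headers, "origin"), Some(o) if o != expected_origin) {
        return Err(Reject::OriginMismatch);
    }
    if let Some(referer) = header(headers, "referer") {
        // Require a '/' right after the origin so "http://127.0.0.1:8080.evil.example/" fails.
        let rest = referer.strip_prefix(expected_origin);
        if !rest.map_or(false, |r| r.is_empty() || r.starts_with('/')) {
            return Err(Reject::RefererMismatch);
        }
    }
    Ok(())
}

fn main() {
    let peer: SocketAddr = "127.0.0.1:51000".parse().unwrap(); // constructed sample
    let headers = [("Sec-Fetch-Site", "cross-site"), ("Origin", "http://evil.example")];
    println!("{:?}", check_plaintext_request(peer, &headers, "http://127.0.0.1:8080"));
}
```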

drew requested review from a team, derekwaynecarr, maxamillion and mrunalp as code owners May 13, 2026 01:57
TaylorMutch previously approved these changes May 13, 2026
drew linked an issue May 15, 2026 that may be closed by this pull request
drew and others added 2 commits May 20, 2026 14:25
TlsAcceptor::from_files now accepts the client CA path as Option<&Path>
(per the require_client_auth refactor on main). Wrap the helper's CA
path in Some(...) so the new plaintext-service-http tests compile after
rebasing onto current main.
TaylorMutch force-pushed the test/service-endpoint-security branch from 20213d2 to 126545f May 20, 2026 21:34
TaylorMutch merged commit 77e6c7a into main May 20, 2026
35 checks passed
TaylorMutch deleted the test/service-endpoint-security branch May 20, 2026 21:44

Development

Successfully merging this pull request may close these issues.

Runtime Reliability