From 07f69115499c4b5c1939807b2b61e13a07069b29 Mon Sep 17 00:00:00 2001 From: Ashwin Bhat Date: Wed, 23 Jul 2025 18:57:14 -0700 Subject: [PATCH] Revert "refactor: extract squid setup into standalone script" This reverts commit b18aa2821d2156ebb3b7a8cb0058add8970eeed2. --- action.yml | 99 ++++++++++++++++++++- scripts/setup-network-restrictions.sh | 123 -------------------------- 2 files changed, 95 insertions(+), 127 deletions(-) delete mode 100755 scripts/setup-network-restrictions.sh diff --git a/action.yml b/action.yml index 021e846..9cd043a 100644 --- a/action.yml +++ b/action.yml @@ -168,10 +168,101 @@ runs: if: steps.prepare.outputs.contains_trigger == 'true' && inputs.experimental_allowed_domains != '' shell: bash run: | - chmod +x ${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh - ${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh - env: - EXPERIMENTAL_ALLOWED_DOMAINS: ${{ inputs.experimental_allowed_domains }} + SQUID_START_TIME=$(date +%s.%N) + + # Create whitelist file + echo "${{ inputs.experimental_allowed_domains }}" > $RUNNER_TEMP/whitelist.txt + + # Ensure each domain has proper format + # If domain doesn't start with a dot and isn't an IP, add the dot for subdomain matching + mv $RUNNER_TEMP/whitelist.txt $RUNNER_TEMP/whitelist.txt.orig + while IFS= read -r domain; do + if [ -n "$domain" ]; then + # Trim whitespace + domain=$(echo "$domain" | xargs) + # If it's not empty and doesn't start with a dot, add one + if [[ "$domain" != .* ]] && [[ ! "$domain" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo ".$domain" >> $RUNNER_TEMP/whitelist.txt + else + echo "$domain" >> $RUNNER_TEMP/whitelist.txt + fi + fi + done < $RUNNER_TEMP/whitelist.txt.orig + + # Create Squid config with whitelist + echo "http_port 3128" > $RUNNER_TEMP/squid.conf + echo "" >> $RUNNER_TEMP/squid.conf + echo "# Define ACLs" >> $RUNNER_TEMP/squid.conf + echo "acl whitelist dstdomain \"/etc/squid/whitelist.txt\"" >> $RUNNER_TEMP/squid.conf + echo "acl localnet src 127.0.0.1/32" >> $RUNNER_TEMP/squid.conf + echo "acl localnet src 172.17.0.0/16" >> $RUNNER_TEMP/squid.conf + echo "acl SSL_ports port 443" >> $RUNNER_TEMP/squid.conf + echo "acl Safe_ports port 80" >> $RUNNER_TEMP/squid.conf + echo "acl Safe_ports port 443" >> $RUNNER_TEMP/squid.conf + echo "acl CONNECT method CONNECT" >> $RUNNER_TEMP/squid.conf + echo "" >> $RUNNER_TEMP/squid.conf + echo "# Deny requests to certain unsafe ports" >> $RUNNER_TEMP/squid.conf + echo "http_access deny !Safe_ports" >> $RUNNER_TEMP/squid.conf + echo "" >> $RUNNER_TEMP/squid.conf + echo "# Only allow CONNECT to SSL ports" >> $RUNNER_TEMP/squid.conf + echo "http_access deny CONNECT !SSL_ports" >> $RUNNER_TEMP/squid.conf + echo "" >> $RUNNER_TEMP/squid.conf + echo "# Allow localhost" >> $RUNNER_TEMP/squid.conf + echo "http_access allow localhost" >> $RUNNER_TEMP/squid.conf + echo "" >> $RUNNER_TEMP/squid.conf + echo "# Allow localnet access to whitelisted domains" >> $RUNNER_TEMP/squid.conf + echo "http_access allow localnet whitelist" >> $RUNNER_TEMP/squid.conf + echo "" >> $RUNNER_TEMP/squid.conf + echo "# Deny everything else" >> $RUNNER_TEMP/squid.conf + echo "http_access deny all" >> $RUNNER_TEMP/squid.conf + + echo "Starting Squid proxy..." + # First, remove any existing container + sudo docker rm -f squid-proxy 2>/dev/null || true + + # Ensure whitelist file is not empty (Squid fails with empty files) + if [ ! -s "$RUNNER_TEMP/whitelist.txt" ]; then + echo "WARNING: Whitelist file is empty, adding a dummy entry" + echo ".example.com" >> $RUNNER_TEMP/whitelist.txt + fi + + # Use sudo to prevent Claude from stopping the container + CONTAINER_ID=$(sudo docker run -d \ + --name squid-proxy \ + -p 127.0.0.1:3128:3128 \ + -v $RUNNER_TEMP/squid.conf:/etc/squid/squid.conf:ro \ + -v $RUNNER_TEMP/whitelist.txt:/etc/squid/whitelist.txt:ro \ + ubuntu/squid:latest 2>&1) || { + echo "ERROR: Failed to start Squid container" + exit 1 + } + + # Wait for proxy to be ready (usually < 1 second) + READY=false + for i in {1..30}; do + if nc -z 127.0.0.1 3128 2>/dev/null; then + TOTAL_TIME=$(echo "scale=3; $(date +%s.%N) - $SQUID_START_TIME" | bc) + echo "Squid proxy ready in ${TOTAL_TIME}s" + READY=true + break + fi + sleep 0.1 + done + + if [ "$READY" != "true" ]; then + echo "ERROR: Squid proxy failed to start within 3 seconds" + echo "Container logs:" + sudo docker logs squid-proxy 2>&1 || true + echo "Container status:" + sudo docker ps -a | grep squid-proxy || true + exit 1 + fi + + # Set proxy environment variables + echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV + echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV + echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV + echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV - name: Run Claude Code id: claude-code diff --git a/scripts/setup-network-restrictions.sh b/scripts/setup-network-restrictions.sh deleted file mode 100755 index 2b8712f..0000000 --- a/scripts/setup-network-restrictions.sh +++ /dev/null @@ -1,123 +0,0 @@ -#!/bin/bash - -# Setup Network Restrictions with Squid Proxy -# This script sets up a Squid proxy to restrict network access to whitelisted domains only. - -set -e - -# Check if experimental_allowed_domains is provided -if [ -z "$EXPERIMENTAL_ALLOWED_DOMAINS" ]; then - echo "ERROR: EXPERIMENTAL_ALLOWED_DOMAINS environment variable is required" - exit 1 -fi - -# Check required environment variables -if [ -z "$RUNNER_TEMP" ]; then - echo "ERROR: RUNNER_TEMP environment variable is required" - exit 1 -fi - -if [ -z "$GITHUB_ENV" ]; then - echo "ERROR: GITHUB_ENV environment variable is required" - exit 1 -fi - -echo "Setting up network restrictions with Squid proxy..." - -SQUID_START_TIME=$(date +%s.%N) - -# Create whitelist file -echo "$EXPERIMENTAL_ALLOWED_DOMAINS" > $RUNNER_TEMP/whitelist.txt - -# Ensure each domain has proper format -# If domain doesn't start with a dot and isn't an IP, add the dot for subdomain matching -mv $RUNNER_TEMP/whitelist.txt $RUNNER_TEMP/whitelist.txt.orig -while IFS= read -r domain; do - if [ -n "$domain" ]; then - # Trim whitespace - domain=$(echo "$domain" | xargs) - # If it's not empty and doesn't start with a dot, add one - if [[ "$domain" != .* ]] && [[ ! "$domain" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo ".$domain" >> $RUNNER_TEMP/whitelist.txt - else - echo "$domain" >> $RUNNER_TEMP/whitelist.txt - fi - fi -done < $RUNNER_TEMP/whitelist.txt.orig - -# Create Squid config with whitelist -echo "http_port 3128" > $RUNNER_TEMP/squid.conf -echo "" >> $RUNNER_TEMP/squid.conf -echo "# Define ACLs" >> $RUNNER_TEMP/squid.conf -echo "acl whitelist dstdomain \"/etc/squid/whitelist.txt\"" >> $RUNNER_TEMP/squid.conf -echo "acl localnet src 127.0.0.1/32" >> $RUNNER_TEMP/squid.conf -echo "acl localnet src 172.17.0.0/16" >> $RUNNER_TEMP/squid.conf -echo "acl SSL_ports port 443" >> $RUNNER_TEMP/squid.conf -echo "acl Safe_ports port 80" >> $RUNNER_TEMP/squid.conf -echo "acl Safe_ports port 443" >> $RUNNER_TEMP/squid.conf -echo "acl CONNECT method CONNECT" >> $RUNNER_TEMP/squid.conf -echo "" >> $RUNNER_TEMP/squid.conf -echo "# Deny requests to certain unsafe ports" >> $RUNNER_TEMP/squid.conf -echo "http_access deny !Safe_ports" >> $RUNNER_TEMP/squid.conf -echo "" >> $RUNNER_TEMP/squid.conf -echo "# Only allow CONNECT to SSL ports" >> $RUNNER_TEMP/squid.conf -echo "http_access deny CONNECT !SSL_ports" >> $RUNNER_TEMP/squid.conf -echo "" >> $RUNNER_TEMP/squid.conf -echo "# Allow localhost" >> $RUNNER_TEMP/squid.conf -echo "http_access allow localhost" >> $RUNNER_TEMP/squid.conf -echo "" >> $RUNNER_TEMP/squid.conf -echo "# Allow localnet access to whitelisted domains" >> $RUNNER_TEMP/squid.conf -echo "http_access allow localnet whitelist" >> $RUNNER_TEMP/squid.conf -echo "" >> $RUNNER_TEMP/squid.conf -echo "# Deny everything else" >> $RUNNER_TEMP/squid.conf -echo "http_access deny all" >> $RUNNER_TEMP/squid.conf - -echo "Starting Squid proxy..." -# First, remove any existing container -sudo docker rm -f squid-proxy 2>/dev/null || true - -# Ensure whitelist file is not empty (Squid fails with empty files) -if [ ! -s "$RUNNER_TEMP/whitelist.txt" ]; then - echo "WARNING: Whitelist file is empty, adding a dummy entry" - echo ".example.com" >> $RUNNER_TEMP/whitelist.txt -fi - -# Use sudo to prevent Claude from stopping the container -CONTAINER_ID=$(sudo docker run -d \ - --name squid-proxy \ - -p 127.0.0.1:3128:3128 \ - -v $RUNNER_TEMP/squid.conf:/etc/squid/squid.conf:ro \ - -v $RUNNER_TEMP/whitelist.txt:/etc/squid/whitelist.txt:ro \ - ubuntu/squid:latest 2>&1) || { - echo "ERROR: Failed to start Squid container" - exit 1 -} - -# Wait for proxy to be ready (usually < 1 second) -READY=false -for i in {1..30}; do - if nc -z 127.0.0.1 3128 2>/dev/null; then - TOTAL_TIME=$(echo "scale=3; $(date +%s.%N) - $SQUID_START_TIME" | bc) - echo "Squid proxy ready in ${TOTAL_TIME}s" - READY=true - break - fi - sleep 0.1 -done - -if [ "$READY" != "true" ]; then - echo "ERROR: Squid proxy failed to start within 3 seconds" - echo "Container logs:" - sudo docker logs squid-proxy 2>&1 || true - echo "Container status:" - sudo docker ps -a | grep squid-proxy || true - exit 1 -fi - -# Set proxy environment variables -echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV -echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV -echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV -echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV - -echo "Network restrictions setup completed successfully" \ No newline at end of file