anthropics/claude-code-action
1
0
Fork 0
mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-23 06:54:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

test: add network restrictions verification test

Browse Source
This commit is contained in:
km-anthropic
2025-07-13 08:36:02 -07:00
parent b49014e105
commit dbf69fe645
2 changed files with 62 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
.github/workflows/claude.yml vendored
View File

@@ -29,35 +29,34 @@ jobs:
with: with:
fetch-depth: 1 fetch-depth: 1
- name: Setup Network Restrictions - name: Setup Network Restrictions
if: ${{ vars.DISABLE_NETWORK_RESTRICTIONS != 'true' }} if: ${{ vars.DISABLE_NETWORK_RESTRICTIONS != 'true' }}
run: | run: |
# Install and configure Squid proxy # Install and configure Squid proxy
sudo apt-get update && sudo apt-get install -y squid sudo apt-get update && sudo apt-get install -y squid
# Create whitelist for allowed domains # Create whitelist for allowed domains
cat > /tmp/whitelist.txt << 'EOF' cat > /tmp/whitelist.txt << 'EOF'
# Claude API # Claude API
.anthropic.com .anthropic.com
# GitHub (covers github.com, api.github.com, gist.github.com, etc.) # GitHub (covers github.com, api.github.com, gist.github.com, etc.)
.github.com .github.com
# GitHub raw content and user uploads # GitHub raw content and user uploads
.githubusercontent.com .githubusercontent.com
# GitHub Container Registry # GitHub Container Registry
ghcr.io ghcr.io
# Package registries # Package registries
registry.npmjs.org registry.npmjs.org
bun.sh bun.sh
# Azure storage for GitHub Actions cache # Azure storage for GitHub Actions cache
.blob.core.windows.net .blob.core.windows.net
EOF EOF
# Configure Squid # Configure Squid
sudo tee /etc/squid/squid.conf << 'EOF' sudo tee /etc/squid/squid.conf << 'EOF'
http_port 127.0.0.1:3128 http_port 127.0.0.1:3128
@@ -67,7 +66,7 @@ jobs:
http_access deny all http_access deny all
cache deny all cache deny all
EOF EOF
# Stop any existing squid instance and start with our config # Stop any existing squid instance and start with our config
sudo squid -k shutdown || true sudo squid -k shutdown || true
sleep 2 sleep 2

54
test/network-restrictions.test.ts Normal file
View File

@@ -0,0 +1,54 @@
import { describe, it, expect } from "bun:test";
describe("Network Restrictions", () => {
it("should block access to unauthorized domains", async () => {
// This test verifies that the proxy blocks unauthorized domains
const unauthorizedUrls = [
"https://example.com/api/data",
"https://jsonplaceholder.typicode.com/posts",
"https://httpbin.org/get",
"https://pastebin.com/raw/example123",
"https://google.com",
];
for (const url of unauthorizedUrls) {
try {
const response = await fetch(url, {
timeout: 5000,
// Force through proxy if set
agent: undefined,
});
// If we reach here, the proxy didn't block it - test should fail
expect(response.ok).toBe(false);
throw new Error(`Unauthorized domain ${url} was not blocked by proxy`);
} catch (error) {
// We expect an error (connection refused, timeout, etc)
// This is the desired behavior - proxy blocked the request
expect(error).toBeDefined();
console.log(`✓ Successfully blocked: ${url}`);
}
}
});
it("should allow access to whitelisted domains", async () => {
// These should work through the proxy
const allowedUrls = [
"https://api.github.com/zen",
"https://registry.npmjs.org/-/ping",
];
for (const url of allowedUrls) {
try {
const response = await fetch(url, { timeout: 5000 });
expect(response.ok).toBe(true);
console.log(`✓ Successfully allowed: ${url}`);
} catch (error) {
// If whitelisted domains fail, something is wrong
throw new Error(
`Whitelisted domain ${url} was blocked: ${error.message}`,
);
}
}
});
});