attune-system/attune
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

working on runtime executions

Browse Source
This commit is contained in:
David Culbreth
2026-02-16 22:04:20 -06:00
parent f52320f889
commit 904ede04be
99 changed files with 6778 additions and 5929 deletions
Download Patch File Download Diff File Expand all files Collapse all files

762
crates/worker/tests/dependency_isolation_test.rs
View File

@@ -1,248 +1,542 @@
//! Integration tests for Python virtual environment dependency isolation
//! Integration tests for runtime environment and dependency isolation
//!
//! Tests the end-to-end flow of creating isolated Python environments
//! for packs with dependencies.
//! Tests the end-to-end flow of creating isolated runtime environments
//! for packs using the ProcessRuntime configuration-driven approach.
//!
//! Environment directories are placed at:
//! {runtime_envs_dir}/{pack_ref}/{runtime_name}
//! e.g., /tmp/.../runtime_envs/testpack/python
//! This keeps the pack directory clean and read-only.
use attune_worker::runtime::{
DependencyManager, DependencyManagerRegistry, DependencySpec, PythonVenvManager,
use attune_common::models::runtime::{
DependencyConfig, EnvironmentConfig, InterpreterConfig, RuntimeExecutionConfig,
};
use attune_worker::runtime::process::ProcessRuntime;
use attune_worker::runtime::ExecutionContext;
use attune_worker::runtime::Runtime;
use attune_worker::runtime::{OutputFormat, ParameterDelivery, ParameterFormat};
use std::collections::HashMap;
use std::path::PathBuf;
use tempfile::TempDir;
#[tokio::test]
async fn test_python_venv_creation() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
fn make_python_config() -> RuntimeExecutionConfig {
RuntimeExecutionConfig {
interpreter: InterpreterConfig {
binary: "python3".to_string(),
args: vec!["-u".to_string()],
file_extension: Some(".py".to_string()),
},
environment: Some(EnvironmentConfig {
env_type: "virtualenv".to_string(),
dir_name: ".venv".to_string(),
create_command: vec![
"python3".to_string(),
"-m".to_string(),
"venv".to_string(),
"{env_dir}".to_string(),
],
interpreter_path: Some("{env_dir}/bin/python3".to_string()),
}),
dependencies: Some(DependencyConfig {
manifest_file: "requirements.txt".to_string(),
install_command: vec![
"{interpreter}".to_string(),
"-m".to_string(),
"pip".to_string(),
"install".to_string(),
"-r".to_string(),
"{manifest_path}".to_string(),
],
}),
}
}
let spec = DependencySpec::new("python").with_dependency("requests==2.28.0");
fn make_shell_config() -> RuntimeExecutionConfig {
RuntimeExecutionConfig {
interpreter: InterpreterConfig {
binary: "/bin/bash".to_string(),
args: vec![],
file_extension: Some(".sh".to_string()),
},
environment: None,
dependencies: None,
}
}
let env_info = manager
.ensure_environment("test_pack", &spec)
.await
.expect("Failed to create environment");
assert_eq!(env_info.runtime, "python");
assert!(env_info.is_valid);
assert!(env_info.path.exists());
assert!(env_info.executable_path.exists());
fn make_context(action_ref: &str, entry_point: &str, runtime_name: &str) -> ExecutionContext {
ExecutionContext {
execution_id: 1,
action_ref: action_ref.to_string(),
parameters: HashMap::new(),
env: HashMap::new(),
secrets: HashMap::new(),
timeout: Some(30),
working_dir: None,
entry_point: entry_point.to_string(),
code: None,
code_path: None,
runtime_name: Some(runtime_name.to_string()),
max_stdout_bytes: 10 * 1024 * 1024,
max_stderr_bytes: 10 * 1024 * 1024,
parameter_delivery: ParameterDelivery::default(),
parameter_format: ParameterFormat::default(),
output_format: OutputFormat::default(),
}
}
#[tokio::test]
async fn test_venv_idempotency() {
async fn test_python_venv_creation_via_process_runtime() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let pack_dir = packs_base_dir.join("testpack");
std::fs::create_dir_all(&pack_dir).unwrap();
let spec = DependencySpec::new("python").with_dependency("requests==2.28.0");
let env_dir = runtime_envs_dir.join("testpack").join("python");
let runtime = ProcessRuntime::new(
"python".to_string(),
make_python_config(),
packs_base_dir,
runtime_envs_dir,
);
// Setup the pack environment (creates venv at external location)
runtime
.setup_pack_environment(&pack_dir, &env_dir)
.await
.expect("Failed to create venv environment");
// Verify venv was created at the external runtime_envs location
assert!(env_dir.exists(), "Virtualenv directory should exist at external location");
let venv_python = env_dir.join("bin").join("python3");
assert!(
venv_python.exists(),
"Virtualenv python3 binary should exist"
);
// Verify pack directory was NOT modified
assert!(
!pack_dir.join(".venv").exists(),
"Pack directory should not contain .venv — environments are external"
);
}
#[tokio::test]
async fn test_venv_creation_is_idempotent() {
let temp_dir = TempDir::new().unwrap();
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let pack_dir = packs_base_dir.join("testpack");
std::fs::create_dir_all(&pack_dir).unwrap();
let env_dir = runtime_envs_dir.join("testpack").join("python");
let runtime = ProcessRuntime::new(
"python".to_string(),
make_python_config(),
packs_base_dir,
runtime_envs_dir,
);
// Create environment first time
let env_info1 = manager
.ensure_environment("test_pack", &spec)
runtime
.setup_pack_environment(&pack_dir, &env_dir)
.await
.expect("Failed to create environment");
let created_at1 = env_info1.created_at;
assert!(env_dir.exists());
// Call ensure_environment again with same dependencies
let env_info2 = manager
.ensure_environment("test_pack", &spec)
// Create environment second time — should succeed without error
runtime
.setup_pack_environment(&pack_dir, &env_dir)
.await
.expect("Failed to ensure environment");
.expect("Second setup should succeed (idempotent)");
// Should return existing environment (same created_at)
assert_eq!(env_info1.created_at, env_info2.created_at);
assert_eq!(created_at1, env_info2.created_at);
assert!(env_dir.exists());
}
#[tokio::test]
async fn test_venv_update_on_dependency_change() {
async fn test_dependency_installation() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let pack_dir = packs_base_dir.join("testpack");
std::fs::create_dir_all(&pack_dir).unwrap();
let spec1 = DependencySpec::new("python").with_dependency("requests==2.28.0");
let env_dir = runtime_envs_dir.join("testpack").join("python");
// Create environment with first set of dependencies
let env_info1 = manager
.ensure_environment("test_pack", &spec1)
// Write a requirements.txt with a simple, fast-to-install package
std::fs::write(
pack_dir.join("requirements.txt"),
"pip>=21.0\n", // pip is already installed, so this is fast
)
.unwrap();
let runtime = ProcessRuntime::new(
"python".to_string(),
make_python_config(),
packs_base_dir,
runtime_envs_dir,
);
// Setup creates the venv and installs dependencies
runtime
.setup_pack_environment(&pack_dir, &env_dir)
.await
.expect("Failed to setup environment with dependencies");
assert!(env_dir.exists());
}
#[tokio::test]
async fn test_no_environment_for_shell_runtime() {
let temp_dir = TempDir::new().unwrap();
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let pack_dir = packs_base_dir.join("testpack");
std::fs::create_dir_all(&pack_dir).unwrap();
let env_dir = runtime_envs_dir.join("testpack").join("shell");
let runtime = ProcessRuntime::new(
"shell".to_string(),
make_shell_config(),
packs_base_dir,
runtime_envs_dir,
);
// Shell runtime has no environment config — should be a no-op
runtime
.setup_pack_environment(&pack_dir, &env_dir)
.await
.expect("Shell setup should succeed (no environment to create)");
// No environment should exist
assert!(!env_dir.exists());
assert!(!pack_dir.join(".venv").exists());
assert!(!pack_dir.join("node_modules").exists());
}
#[tokio::test]
async fn test_pack_has_dependencies_detection() {
let temp_dir = TempDir::new().unwrap();
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let pack_dir = packs_base_dir.join("testpack");
std::fs::create_dir_all(&pack_dir).unwrap();
let runtime = ProcessRuntime::new(
"python".to_string(),
make_python_config(),
packs_base_dir,
runtime_envs_dir,
);
// No requirements.txt yet
assert!(
!runtime.pack_has_dependencies(&pack_dir),
"Should not detect dependencies without manifest file"
);
// Create requirements.txt
std::fs::write(pack_dir.join("requirements.txt"), "requests>=2.28.0\n").unwrap();
assert!(
runtime.pack_has_dependencies(&pack_dir),
"Should detect dependencies when manifest file exists"
);
}
#[tokio::test]
async fn test_environment_exists_detection() {
let temp_dir = TempDir::new().unwrap();
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let pack_dir = packs_base_dir.join("testpack");
std::fs::create_dir_all(&pack_dir).unwrap();
let env_dir = runtime_envs_dir.join("testpack").join("python");
let runtime = ProcessRuntime::new(
"python".to_string(),
make_python_config(),
packs_base_dir,
runtime_envs_dir,
);
// No venv yet — environment_exists uses pack_ref string
assert!(
!runtime.environment_exists("testpack"),
"Environment should not exist before setup"
);
// Create the venv
runtime
.setup_pack_environment(&pack_dir, &env_dir)
.await
.expect("Failed to create environment");
let created_at1 = env_info1.created_at;
// Give it a moment to ensure timestamp difference
tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
// Change dependencies
let spec2 = DependencySpec::new("python").with_dependency("requests==2.29.0");
// Should recreate environment
let env_info2 = manager
.ensure_environment("test_pack", &spec2)
.await
.expect("Failed to update environment");
// Updated timestamp should be newer
assert!(env_info2.updated_at >= created_at1);
assert!(
runtime.environment_exists("testpack"),
"Environment should exist after setup"
);
}
#[tokio::test]
async fn test_multiple_pack_isolation() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let spec1 = DependencySpec::new("python").with_dependency("requests==2.28.0");
let spec2 = DependencySpec::new("python").with_dependency("flask==2.3.0");
let pack_a_dir = packs_base_dir.join("pack_a");
let pack_b_dir = packs_base_dir.join("pack_b");
std::fs::create_dir_all(&pack_a_dir).unwrap();
std::fs::create_dir_all(&pack_b_dir).unwrap();
// Create environments for two different packs
let env1 = manager
.ensure_environment("pack_a", &spec1)
let env_dir_a = runtime_envs_dir.join("pack_a").join("python");
let env_dir_b = runtime_envs_dir.join("pack_b").join("python");
let runtime = ProcessRuntime::new(
"python".to_string(),
make_python_config(),
packs_base_dir,
runtime_envs_dir,
);
// Setup environments for two different packs
runtime
.setup_pack_environment(&pack_a_dir, &env_dir_a)
.await
.expect("Failed to create environment for pack_a");
.expect("Failed to setup pack_a");
let env2 = manager
.ensure_environment("pack_b", &spec2)
runtime
.setup_pack_environment(&pack_b_dir, &env_dir_b)
.await
.expect("Failed to create environment for pack_b");
.expect("Failed to setup pack_b");
// Should have different paths
assert_ne!(env1.path, env2.path);
assert_ne!(env1.executable_path, env2.executable_path);
// Each pack should have its own venv at the external location
assert!(env_dir_a.exists(), "pack_a should have its own venv");
assert!(env_dir_b.exists(), "pack_b should have its own venv");
assert_ne!(env_dir_a, env_dir_b, "Venvs should be in different directories");
// Both should be valid
assert!(env1.is_valid);
assert!(env2.is_valid);
// Pack directories should remain clean
assert!(!pack_a_dir.join(".venv").exists(), "pack_a dir should not contain .venv");
assert!(!pack_b_dir.join(".venv").exists(), "pack_b dir should not contain .venv");
}
#[tokio::test]
async fn test_get_executable_path() {
async fn test_execute_python_action_with_venv() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let pack_dir = packs_base_dir.join("testpack");
let actions_dir = pack_dir.join("actions");
std::fs::create_dir_all(&actions_dir).unwrap();
let spec = DependencySpec::new("python");
let env_dir = runtime_envs_dir.join("testpack").join("python");
manager
.ensure_environment("test_pack", &spec)
// Write a Python script
std::fs::write(
actions_dir.join("hello.py"),
r#"
import sys
print(f"Python from: {sys.executable}")
print("Hello from venv action!")
"#,
)
.unwrap();
let runtime = ProcessRuntime::new(
"python".to_string(),
make_python_config(),
packs_base_dir,
runtime_envs_dir,
);
// Setup the venv first
runtime
.setup_pack_environment(&pack_dir, &env_dir)
.await
.expect("Failed to create environment");
.expect("Failed to setup venv");
let python_path = manager
.get_executable_path("test_pack")
.await
.expect("Failed to get executable path");
// Now execute the action
let mut context = make_context("testpack.hello", "hello.py", "python");
context.code_path = Some(actions_dir.join("hello.py"));
assert!(python_path.exists());
assert!(python_path.to_string_lossy().contains("test_pack"));
let result = runtime.execute(context).await.unwrap();
assert_eq!(result.exit_code, 0, "Action should succeed");
assert!(
result.stdout.contains("Hello from venv action!"),
"Should see output from action. Got: {}",
result.stdout
);
// Verify it's using the venv Python (at external runtime_envs location)
assert!(
result.stdout.contains("runtime_envs"),
"Should be using the venv python from external runtime_envs dir. Got: {}",
result.stdout
);
}
#[tokio::test]
async fn test_validate_environment() {
async fn test_execute_shell_action_no_venv() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let pack_dir = packs_base_dir.join("testpack");
let actions_dir = pack_dir.join("actions");
std::fs::create_dir_all(&actions_dir).unwrap();
// Non-existent environment should not be valid
let is_valid = manager
.validate_environment("nonexistent")
.await
.expect("Validation check failed");
assert!(!is_valid);
std::fs::write(
actions_dir.join("greet.sh"),
"#!/bin/bash\necho 'Hello from shell!'",
)
.unwrap();
// Create environment
let spec = DependencySpec::new("python");
manager
.ensure_environment("test_pack", &spec)
.await
.expect("Failed to create environment");
let runtime = ProcessRuntime::new(
"shell".to_string(),
make_shell_config(),
packs_base_dir,
runtime_envs_dir,
);
// Should now be valid
let is_valid = manager
.validate_environment("test_pack")
.await
.expect("Validation check failed");
assert!(is_valid);
let mut context = make_context("testpack.greet", "greet.sh", "shell");
context.code_path = Some(actions_dir.join("greet.sh"));
let result = runtime.execute(context).await.unwrap();
assert_eq!(result.exit_code, 0);
assert!(result.stdout.contains("Hello from shell!"));
}
#[tokio::test]
async fn test_remove_environment() {
async fn test_working_directory_is_pack_dir() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let pack_dir = packs_base_dir.join("testpack");
let actions_dir = pack_dir.join("actions");
std::fs::create_dir_all(&actions_dir).unwrap();
let spec = DependencySpec::new("python");
// Script that prints the working directory
std::fs::write(actions_dir.join("cwd.sh"), "#!/bin/bash\npwd").unwrap();
// Create environment
let env_info = manager
.ensure_environment("test_pack", &spec)
.await
.expect("Failed to create environment");
let runtime = ProcessRuntime::new(
"shell".to_string(),
make_shell_config(),
packs_base_dir,
runtime_envs_dir,
);
let path = env_info.path.clone();
assert!(path.exists());
let mut context = make_context("testpack.cwd", "cwd.sh", "shell");
context.code_path = Some(actions_dir.join("cwd.sh"));
// Remove environment
manager
.remove_environment("test_pack")
.await
.expect("Failed to remove environment");
let result = runtime.execute(context).await.unwrap();
assert!(!path.exists());
// Get environment should return None
let env = manager
.get_environment("test_pack")
.await
.expect("Failed to get environment");
assert!(env.is_none());
assert_eq!(result.exit_code, 0);
let output_path = result.stdout.trim();
assert_eq!(
output_path,
pack_dir.to_string_lossy().as_ref(),
"Working directory should be the pack directory"
);
}
#[tokio::test]
async fn test_list_environments() {
async fn test_interpreter_resolution_with_venv() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let pack_dir = packs_base_dir.join("testpack");
std::fs::create_dir_all(&pack_dir).unwrap();
let spec = DependencySpec::new("python");
let env_dir = runtime_envs_dir.join("testpack").join("python");
// Create multiple environments
manager
.ensure_environment("pack_a", &spec)
let config = make_python_config();
let runtime = ProcessRuntime::new(
"python".to_string(),
config.clone(),
packs_base_dir,
runtime_envs_dir,
);
// Before venv creation — should resolve to system python
let interpreter = config.resolve_interpreter_with_env(&pack_dir, Some(&env_dir));
assert_eq!(
interpreter,
PathBuf::from("python3"),
"Without venv, should use system python"
);
// Create venv at external location
runtime
.setup_pack_environment(&pack_dir, &env_dir)
.await
.expect("Failed to create pack_a");
.expect("Failed to create venv");
manager
.ensure_environment("pack_b", &spec)
.await
.expect("Failed to create pack_b");
manager
.ensure_environment("pack_c", &spec)
.await
.expect("Failed to create pack_c");
// List should return all three
let environments = manager
.list_environments()
.await
.expect("Failed to list environments");
assert_eq!(environments.len(), 3);
// After venv creation — should resolve to venv python at external location
let interpreter = config.resolve_interpreter_with_env(&pack_dir, Some(&env_dir));
let expected_venv_python = env_dir.join("bin").join("python3");
assert_eq!(
interpreter, expected_venv_python,
"With venv, should use venv python from external runtime_envs dir"
);
}
#[tokio::test]
async fn test_dependency_manager_registry() {
async fn test_skip_deps_install_without_manifest() {
let temp_dir = TempDir::new().unwrap();
let mut registry = DependencyManagerRegistry::new();
let packs_base_dir = temp_dir.path().join("packs");
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let pack_dir = packs_base_dir.join("testpack");
std::fs::create_dir_all(&pack_dir).unwrap();
let python_manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
registry.register(Box::new(python_manager));
let env_dir = runtime_envs_dir.join("testpack").join("python");
// Should support python
assert!(registry.supports("python"));
assert!(!registry.supports("nodejs"));
// No requirements.txt — install_dependencies should be a no-op
let runtime = ProcessRuntime::new(
"python".to_string(),
make_python_config(),
packs_base_dir,
runtime_envs_dir,
);
// Should be able to get manager
let manager = registry.get("python");
assert!(manager.is_some());
assert_eq!(manager.unwrap().runtime_type(), "python");
// Setup should still create the venv but skip dependency installation
runtime
.setup_pack_environment(&pack_dir, &env_dir)
.await
.expect("Setup should succeed without manifest");
assert!(
env_dir.exists(),
"Venv should still be created at external location"
);
}
#[tokio::test]
async fn test_dependency_spec_builder() {
async fn test_runtime_config_matches_file_extension() {
let config = make_python_config();
assert!(config.matches_file_extension(std::path::Path::new("hello.py")));
assert!(config.matches_file_extension(std::path::Path::new(
"/opt/attune/packs/mypack/actions/script.py"
)));
assert!(!config.matches_file_extension(std::path::Path::new("hello.sh")));
assert!(!config.matches_file_extension(std::path::Path::new("hello.js")));
let shell_config = make_shell_config();
assert!(shell_config.matches_file_extension(std::path::Path::new("run.sh")));
assert!(!shell_config.matches_file_extension(std::path::Path::new("run.py")));
}
#[tokio::test]
async fn test_dependency_spec_builder_still_works() {
// The DependencySpec types are still available for generic use
use attune_worker::runtime::DependencySpec;
let spec = DependencySpec::new("python")
.with_dependency("requests==2.28.0")
.with_dependency("flask>=2.0.0")
@@ -256,122 +550,68 @@ async fn test_dependency_spec_builder() {
}
#[tokio::test]
async fn test_requirements_file_content() {
async fn test_process_runtime_setup_and_validate() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
let runtime_envs_dir = temp_dir.path().join("runtime_envs");
let requirements = "requests==2.28.0\nflask==2.3.0\npydantic>=2.0.0";
let spec = DependencySpec::new("python").with_requirements_file(requirements.to_string());
let shell_runtime = ProcessRuntime::new(
"shell".to_string(),
make_shell_config(),
temp_dir.path().to_path_buf(),
runtime_envs_dir.clone(),
);
let env_info = manager
.ensure_environment("test_pack", &spec)
.await
.expect("Failed to create environment with requirements file");
// Setup and validate should succeed for shell
shell_runtime.setup().await.unwrap();
shell_runtime.validate().await.unwrap();
assert!(env_info.is_valid);
assert!(env_info.installed_dependencies.len() > 0);
let python_runtime = ProcessRuntime::new(
"python".to_string(),
make_python_config(),
temp_dir.path().to_path_buf(),
runtime_envs_dir,
);
// Setup and validate should succeed for python (warns if not available)
python_runtime.setup().await.unwrap();
python_runtime.validate().await.unwrap();
}
#[tokio::test]
async fn test_pack_ref_sanitization() {
async fn test_can_execute_by_runtime_name() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
let spec = DependencySpec::new("python");
let runtime = ProcessRuntime::new(
"python".to_string(),
make_python_config(),
temp_dir.path().to_path_buf(),
temp_dir.path().join("runtime_envs"),
);
// Pack refs with special characters should be sanitized
let env_info = manager
.ensure_environment("core.http", &spec)
.await
.expect("Failed to create environment");
let context = make_context("mypack.hello", "hello.py", "python");
assert!(runtime.can_execute(&context));
// Path should not contain dots
let path_str = env_info.path.to_string_lossy();
assert!(path_str.contains("core_http"));
assert!(!path_str.contains("core.http"));
let wrong_context = make_context("mypack.hello", "hello.py", "shell");
assert!(!runtime.can_execute(&wrong_context));
}
#[tokio::test]
async fn test_needs_update_detection() {
async fn test_can_execute_by_file_extension() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
let spec1 = DependencySpec::new("python").with_dependency("requests==2.28.0");
let runtime = ProcessRuntime::new(
"python".to_string(),
make_python_config(),
temp_dir.path().to_path_buf(),
temp_dir.path().join("runtime_envs"),
);
// Non-existent environment needs update
let needs_update = manager
.needs_update("test_pack", &spec1)
.await
.expect("Failed to check update status");
assert!(needs_update);
let mut context = make_context("mypack.hello", "hello.py", "");
context.runtime_name = None;
context.code_path = Some(PathBuf::from("/tmp/packs/mypack/actions/hello.py"));
assert!(runtime.can_execute(&context));
// Create environment
manager
.ensure_environment("test_pack", &spec1)
.await
.expect("Failed to create environment");
// Same spec should not need update
let needs_update = manager
.needs_update("test_pack", &spec1)
.await
.expect("Failed to check update status");
assert!(!needs_update);
// Different spec should need update
let spec2 = DependencySpec::new("python").with_dependency("requests==2.29.0");
let needs_update = manager
.needs_update("test_pack", &spec2)
.await
.expect("Failed to check update status");
assert!(needs_update);
}
#[tokio::test]
async fn test_empty_dependencies() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
// Pack with no dependencies should still create venv
let spec = DependencySpec::new("python");
assert!(!spec.has_dependencies());
let env_info = manager
.ensure_environment("test_pack", &spec)
.await
.expect("Failed to create environment without dependencies");
assert!(env_info.is_valid);
assert!(env_info.path.exists());
}
#[tokio::test]
async fn test_get_environment_caching() {
let temp_dir = TempDir::new().unwrap();
let manager = PythonVenvManager::new(temp_dir.path().to_path_buf());
let spec = DependencySpec::new("python");
// Create environment
manager
.ensure_environment("test_pack", &spec)
.await
.expect("Failed to create environment");
// First get_environment should read from disk
let env1 = manager
.get_environment("test_pack")
.await
.expect("Failed to get environment")
.expect("Environment not found");
// Second get_environment should use cache
let env2 = manager
.get_environment("test_pack")
.await
.expect("Failed to get environment")
.expect("Environment not found");
assert_eq!(env1.id, env2.id);
assert_eq!(env1.path, env2.path);
context.code_path = Some(PathBuf::from("/tmp/packs/mypack/actions/hello.sh"));
context.entry_point = "hello.sh".to_string();
assert!(!runtime.can_execute(&context));
}

310
crates/worker/tests/log_truncation_test.rs
View File

@@ -3,89 +3,99 @@
//! Tests that verify stdout/stderr are properly truncated when they exceed
//! configured size limits, preventing OOM issues with large output.
use attune_worker::runtime::{ExecutionContext, PythonRuntime, Runtime, ShellRuntime};
use attune_common::models::runtime::{InterpreterConfig, RuntimeExecutionConfig};
use attune_worker::runtime::process::ProcessRuntime;
use attune_worker::runtime::{ExecutionContext, Runtime, ShellRuntime};
use std::collections::HashMap;
use std::path::PathBuf;
use tempfile::TempDir;
#[tokio::test]
async fn test_python_stdout_truncation() {
let runtime = PythonRuntime::new();
fn make_python_process_runtime(packs_base_dir: PathBuf) -> ProcessRuntime {
let config = RuntimeExecutionConfig {
interpreter: InterpreterConfig {
binary: "python3".to_string(),
args: vec!["-u".to_string()],
file_extension: Some(".py".to_string()),
},
environment: None,
dependencies: None,
};
ProcessRuntime::new("python".to_string(), config, packs_base_dir.clone(), packs_base_dir.join("../runtime_envs"))
}
// Create a Python script that outputs more than the limit
let code = r#"
import sys
# Output 1KB of data (will exceed 500 byte limit)
for i in range(100):
print("x" * 10)
"#;
let context = ExecutionContext {
execution_id: 1,
action_ref: "test.large_output".to_string(),
fn make_python_context(
execution_id: i64,
action_ref: &str,
code: &str,
max_stdout_bytes: usize,
max_stderr_bytes: usize,
) -> ExecutionContext {
ExecutionContext {
execution_id,
action_ref: action_ref.to_string(),
parameters: HashMap::new(),
env: HashMap::new(),
secrets: HashMap::new(),
timeout: Some(10),
working_dir: None,
entry_point: "test_script".to_string(),
entry_point: "inline".to_string(),
code: Some(code.to_string()),
code_path: None,
runtime_name: Some("python".to_string()),
max_stdout_bytes: 500, // Small limit to trigger truncation
max_stderr_bytes: 1024,
max_stdout_bytes,
max_stderr_bytes,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
};
output_format: attune_worker::runtime::OutputFormat::default(),
}
}
#[tokio::test]
async fn test_python_stdout_truncation() {
let tmp = TempDir::new().unwrap();
let runtime = make_python_process_runtime(tmp.path().to_path_buf());
// Create a Python one-liner that outputs more than the limit
let code = "import sys\nfor i in range(100):\n print('x' * 10)";
let context = make_python_context(1, "test.large_output", code, 500, 1024);
let result = runtime.execute(context).await.unwrap();
// Should succeed but with truncated output
assert!(result.is_success());
assert_eq!(result.exit_code, 0);
assert!(result.stdout_truncated);
assert!(result.stdout.contains("[OUTPUT TRUNCATED"));
assert!(
result.stdout.contains("[OUTPUT TRUNCATED"),
"Expected truncation marker in stdout, got: {}",
result.stdout
);
assert!(result.stdout_bytes_truncated > 0);
assert!(result.stdout.len() <= 500);
assert!(result.stdout.len() <= 600); // some overhead for the truncation message
}
#[tokio::test]
async fn test_python_stderr_truncation() {
let runtime = PythonRuntime::new();
let tmp = TempDir::new().unwrap();
let runtime = make_python_process_runtime(tmp.path().to_path_buf());
// Create a Python script that outputs to stderr
let code = r#"
import sys
# Output 1KB of data to stderr
for i in range(100):
sys.stderr.write("error message line\n")
"#;
// Python one-liner that outputs to stderr
let code = "import sys\nfor i in range(100):\n sys.stderr.write('error message line\\n')";
let context = ExecutionContext {
execution_id: 2,
action_ref: "test.large_stderr".to_string(),
parameters: HashMap::new(),
env: HashMap::new(),
secrets: HashMap::new(),
timeout: Some(10),
working_dir: None,
entry_point: "test_script".to_string(),
code: Some(code.to_string()),
code_path: None,
runtime_name: Some("python".to_string()),
max_stdout_bytes: 10 * 1024 * 1024,
max_stderr_bytes: 300, // Small limit for stderr
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
};
let context = make_python_context(2, "test.large_stderr", code, 10 * 1024 * 1024, 300);
let result = runtime.execute(context).await.unwrap();
// Should succeed but with truncated stderr
assert!(result.is_success());
assert_eq!(result.exit_code, 0);
assert!(!result.stdout_truncated);
assert!(result.stderr_truncated);
assert!(result.stderr.contains("[OUTPUT TRUNCATED"));
assert!(result.stderr.contains("stderr exceeded size limit"));
assert!(
result.stderr.contains("[OUTPUT TRUNCATED"),
"Expected truncation marker in stderr, got: {}",
result.stderr
);
assert!(result.stderr_bytes_truncated > 0);
assert!(result.stderr.len() <= 300);
}
#[tokio::test]
@@ -94,7 +104,7 @@ async fn test_shell_stdout_truncation() {
// Shell script that outputs more than the limit
let code = r#"
for i in {1..100}; do
for i in $(seq 1 100); do
echo "This is a long line of text that will add up quickly"
done
"#;
@@ -115,177 +125,167 @@ done
max_stderr_bytes: 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
output_format: attune_worker::runtime::OutputFormat::default(),
};
let result = runtime.execute(context).await.unwrap();
// Should succeed but with truncated output
assert!(result.is_success());
assert_eq!(result.exit_code, 0);
assert!(result.stdout_truncated);
assert!(result.stdout.contains("[OUTPUT TRUNCATED"));
assert!(
result.stdout.contains("[OUTPUT TRUNCATED"),
"Expected truncation marker, got: {}",
result.stdout
);
assert!(result.stdout_bytes_truncated > 0);
assert!(result.stdout.len() <= 400);
}
#[tokio::test]
async fn test_no_truncation_under_limit() {
let runtime = PythonRuntime::new();
let tmp = TempDir::new().unwrap();
let runtime = make_python_process_runtime(tmp.path().to_path_buf());
// Small output that won't trigger truncation
let code = r#"
print("Hello, World!")
"#;
let code = "print('Hello, World!')";
let context = ExecutionContext {
execution_id: 4,
action_ref: "test.small_output".to_string(),
parameters: HashMap::new(),
env: HashMap::new(),
secrets: HashMap::new(),
timeout: Some(10),
working_dir: None,
entry_point: "test_script".to_string(),
code: Some(code.to_string()),
code_path: None,
runtime_name: Some("python".to_string()),
max_stdout_bytes: 10 * 1024 * 1024, // Large limit
max_stderr_bytes: 10 * 1024 * 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
};
let context = make_python_context(
4,
"test.small_output",
code,
10 * 1024 * 1024,
10 * 1024 * 1024,
);
let result = runtime.execute(context).await.unwrap();
// Should succeed without truncation
assert!(result.is_success());
assert_eq!(result.exit_code, 0);
assert!(!result.stdout_truncated);
assert!(!result.stderr_truncated);
assert_eq!(result.stdout_bytes_truncated, 0);
assert_eq!(result.stderr_bytes_truncated, 0);
assert!(result.stdout.contains("Hello, World!"));
assert!(
result.stdout.contains("Hello, World!"),
"Expected Hello, World! in stdout, got: {}",
result.stdout
);
}
#[tokio::test]
async fn test_both_streams_truncated() {
let runtime = PythonRuntime::new();
let tmp = TempDir::new().unwrap();
let runtime = make_python_process_runtime(tmp.path().to_path_buf());
// Script that outputs to both stdout and stderr
let code = r#"
import sys
# Output to both streams
for i in range(50):
print("stdout line " + str(i))
sys.stderr.write("stderr line " + str(i) + "\n")
"#;
let code = "import sys\nfor i in range(50):\n print('stdout line ' + str(i))\n sys.stderr.write('stderr line ' + str(i) + '\\n')";
let context = ExecutionContext {
execution_id: 5,
action_ref: "test.dual_truncation".to_string(),
parameters: HashMap::new(),
env: HashMap::new(),
secrets: HashMap::new(),
timeout: Some(10),
working_dir: None,
entry_point: "test_script".to_string(),
code: Some(code.to_string()),
code_path: None,
runtime_name: Some("python".to_string()),
max_stdout_bytes: 300, // Both limits are small
max_stderr_bytes: 300,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
};
let context = make_python_context(5, "test.dual_truncation", code, 300, 300);
let result = runtime.execute(context).await.unwrap();
// Should succeed but with both streams truncated
assert!(result.is_success());
assert_eq!(result.exit_code, 0);
assert!(result.stdout_truncated);
assert!(result.stderr_truncated);
assert!(result.stdout.contains("[OUTPUT TRUNCATED"));
assert!(result.stderr.contains("[OUTPUT TRUNCATED"));
assert!(result.stdout_bytes_truncated > 0);
assert!(result.stderr_bytes_truncated > 0);
assert!(result.stdout.len() <= 300);
assert!(result.stderr.len() <= 300);
}
#[tokio::test]
async fn test_truncation_with_timeout() {
let runtime = PythonRuntime::new();
let tmp = TempDir::new().unwrap();
let runtime = make_python_process_runtime(tmp.path().to_path_buf());
// Script that times out but should still capture truncated logs
let code = r#"
import time
for i in range(1000):
print(f"Line {i}")
time.sleep(30) # Will timeout before this
"#;
// Script that produces output then times out
let code = "import time\nfor i in range(1000):\n print(f'Line {i}')\ntime.sleep(30)";
let context = ExecutionContext {
execution_id: 6,
action_ref: "test.timeout_truncation".to_string(),
parameters: HashMap::new(),
env: HashMap::new(),
secrets: HashMap::new(),
timeout: Some(2), // Short timeout
working_dir: None,
entry_point: "test_script".to_string(),
code: Some(code.to_string()),
code_path: None,
runtime_name: Some("python".to_string()),
max_stdout_bytes: 500,
max_stderr_bytes: 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
};
let mut context = make_python_context(6, "test.timeout_truncation", code, 500, 1024);
context.timeout = Some(2); // Short timeout
let result = runtime.execute(context).await.unwrap();
// Should timeout with truncated logs
assert!(!result.is_success());
assert!(result.error.is_some());
assert!(result.error.as_ref().unwrap().contains("timed out"));
// Logs may or may not be truncated depending on how fast it runs
assert!(
result.error.as_ref().unwrap().contains("timed out"),
"Expected timeout error, got: {:?}",
result.error
);
}
#[tokio::test]
async fn test_exact_limit_no_truncation() {
let runtime = PythonRuntime::new();
async fn test_small_output_no_truncation() {
let tmp = TempDir::new().unwrap();
let runtime = make_python_process_runtime(tmp.path().to_path_buf());
// Output a small amount that won't trigger truncation
// The Python wrapper adds JSON result output, so we need headroom
let code = r#"
import sys
sys.stdout.write("Small output")
"#;
let code = "import sys; sys.stdout.write('Small output')";
let context = make_python_context(
7,
"test.exact_limit",
code,
10 * 1024 * 1024,
10 * 1024 * 1024,
);
let result = runtime.execute(context).await.unwrap();
// Should succeed without truncation
assert_eq!(result.exit_code, 0);
assert!(!result.stdout_truncated);
assert!(
result.stdout.contains("Small output"),
"Expected 'Small output' in stdout, got: {:?}",
result.stdout
);
}
#[tokio::test]
async fn test_shell_process_runtime_truncation() {
// Test truncation through ProcessRuntime with shell config too
let tmp = TempDir::new().unwrap();
let config = RuntimeExecutionConfig {
interpreter: InterpreterConfig {
binary: "/bin/bash".to_string(),
args: vec![],
file_extension: Some(".sh".to_string()),
},
environment: None,
dependencies: None,
};
let runtime = ProcessRuntime::new("shell".to_string(), config, tmp.path().to_path_buf(), tmp.path().join("runtime_envs"));
let context = ExecutionContext {
execution_id: 7,
action_ref: "test.exact_limit".to_string(),
execution_id: 8,
action_ref: "test.shell_process_truncation".to_string(),
parameters: HashMap::new(),
env: HashMap::new(),
secrets: HashMap::new(),
timeout: Some(10),
working_dir: None,
entry_point: "test_script".to_string(),
code: Some(code.to_string()),
entry_point: "inline".to_string(),
code: Some(
"for i in $(seq 1 200); do echo \"output line $i padding text here\"; done".to_string(),
),
code_path: None,
runtime_name: Some("python".to_string()),
max_stdout_bytes: 10 * 1024 * 1024, // Large limit to avoid truncation
max_stderr_bytes: 10 * 1024 * 1024,
runtime_name: Some("shell".to_string()),
max_stdout_bytes: 500,
max_stderr_bytes: 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
output_format: attune_worker::runtime::OutputFormat::default(),
};
let result = runtime.execute(context).await.unwrap();
// Should succeed without truncation
eprintln!(
"test_exact_limit_no_truncation: exit_code={}, error={:?}, stdout={:?}, stderr={:?}",
result.exit_code, result.error, result.stdout, result.stderr
);
assert!(result.is_success());
assert!(!result.stdout_truncated);
assert!(result.stdout.contains("Small output"));
assert_eq!(result.exit_code, 0);
assert!(result.stdout_truncated);
assert!(result.stdout.contains("[OUTPUT TRUNCATED"));
assert!(result.stdout_bytes_truncated > 0);
}

393
crates/worker/tests/security_tests.rs
View File

@@ -3,14 +3,50 @@
//! These tests verify that secrets are NOT exposed in process environment
//! or command-line arguments, ensuring secure secret passing via stdin.
use attune_worker::runtime::python::PythonRuntime;
use attune_common::models::runtime::{InterpreterConfig, RuntimeExecutionConfig};
use attune_worker::runtime::process::ProcessRuntime;
use attune_worker::runtime::shell::ShellRuntime;
use attune_worker::runtime::{ExecutionContext, Runtime};
use std::collections::HashMap;
use std::path::PathBuf;
use tempfile::TempDir;
fn make_python_process_runtime(packs_base_dir: PathBuf) -> ProcessRuntime {
let config = RuntimeExecutionConfig {
interpreter: InterpreterConfig {
binary: "python3".to_string(),
args: vec!["-u".to_string()],
file_extension: Some(".py".to_string()),
},
environment: None,
dependencies: None,
};
let runtime_envs_dir = packs_base_dir.parent().unwrap_or(&packs_base_dir).join("runtime_envs");
ProcessRuntime::new("python".to_string(), config, packs_base_dir, runtime_envs_dir)
}
#[tokio::test]
async fn test_python_secrets_not_in_environ() {
let runtime = PythonRuntime::new();
let tmp = TempDir::new().unwrap();
let runtime = make_python_process_runtime(tmp.path().to_path_buf());
// Inline Python code that checks environment for secrets
let code = r#"
import os, json
environ_str = str(os.environ)
# Secrets should NOT be in environment
has_secret_in_env = 'super_secret_key_do_not_expose' in environ_str
has_password_in_env = 'secret_pass_123' in environ_str
has_secret_prefix = any(k.startswith('SECRET_') for k in os.environ)
result = {
'secrets_in_environ': has_secret_in_env or has_password_in_env or has_secret_prefix,
'environ_check': 'SECRET_' not in environ_str
}
print(json.dumps(result))
"#;
let context = ExecutionContext {
execution_id: 1,
@@ -28,69 +64,36 @@ async fn test_python_secrets_not_in_environ() {
},
timeout: Some(10),
working_dir: None,
entry_point: "run".to_string(),
code: Some(
r#"
import os
def run():
# Check if secrets are in environment variables
environ_str = str(os.environ)
# Secrets should NOT be in environment
has_secret_in_env = 'super_secret_key_do_not_expose' in environ_str
has_password_in_env = 'secret_pass_123' in environ_str
has_secret_prefix = 'SECRET_API_KEY' in os.environ or 'SECRET_PASSWORD' in os.environ
# But they SHOULD be accessible via get_secret()
api_key_accessible = get_secret('api_key') == 'super_secret_key_do_not_expose'
password_accessible = get_secret('password') == 'secret_pass_123'
return {
'secrets_in_environ': has_secret_in_env or has_password_in_env or has_secret_prefix,
'api_key_accessible': api_key_accessible,
'password_accessible': password_accessible,
'environ_check': 'SECRET_' not in environ_str
}
"#
.to_string(),
),
entry_point: "inline".to_string(),
code: Some(code.to_string()),
code_path: None,
runtime_name: Some("python".to_string()),
max_stdout_bytes: 10 * 1024 * 1024,
max_stderr_bytes: 10 * 1024 * 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
output_format: attune_worker::runtime::OutputFormat::Json,
};
let result = runtime.execute(context).await.unwrap();
assert!(result.is_success(), "Execution should succeed");
assert_eq!(
result.exit_code, 0,
"Execution should succeed. stderr: {}",
result.stderr
);
let result_data = result.result.unwrap();
let result_obj = result_data.get("result").unwrap();
let result_data = result.result.expect("Should have parsed JSON result");
// Critical security check: secrets should NOT be in environment
assert_eq!(
result_obj.get("secrets_in_environ").unwrap(),
result_data.get("secrets_in_environ").unwrap(),
&serde_json::json!(false),
"SECURITY FAILURE: Secrets found in process environment!"
);
// Verify secrets ARE accessible via secure method
assert_eq!(
result_obj.get("api_key_accessible").unwrap(),
&serde_json::json!(true),
"Secrets should be accessible via get_secret()"
);
assert_eq!(
result_obj.get("password_accessible").unwrap(),
&serde_json::json!(true),
"Secrets should be accessible via get_secret()"
);
// Verify no SECRET_ prefix in environment
assert_eq!(
result_obj.get("environ_check").unwrap(),
result_data.get("environ_check").unwrap(),
&serde_json::json!(true),
"Environment should not contain SECRET_ prefix variables"
);
@@ -159,30 +162,47 @@ echo "SECURITY_PASS: Secrets not in environment but accessible via get_secret"
max_stderr_bytes: 10 * 1024 * 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
output_format: attune_worker::runtime::OutputFormat::default(),
};
let result = runtime.execute(context).await.unwrap();
// Check execution succeeded
assert!(result.is_success(), "Execution should succeed");
assert!(
result.is_success(),
"Execution should succeed. stderr: {}",
result.stderr
);
assert_eq!(result.exit_code, 0, "Exit code should be 0");
// Verify security pass message
assert!(
result.stdout.contains("SECURITY_PASS"),
"Security checks should pass"
"Security checks should pass. stdout: {}",
result.stdout
);
assert!(
!result.stdout.contains("SECURITY_FAIL"),
"Should not have security failures"
"Should not have security failures. stdout: {}",
result.stdout
);
}
#[tokio::test]
async fn test_python_secret_isolation_between_actions() {
let runtime = PythonRuntime::new();
async fn test_python_secrets_isolated_between_actions() {
let tmp = TempDir::new().unwrap();
let runtime = make_python_process_runtime(tmp.path().to_path_buf());
// First action with secret A — read it from stdin
let code1 = r#"
import sys, json
# Read secrets from stdin (the process executor writes them as JSON on stdin)
secrets_line = sys.stdin.readline().strip()
secrets = json.loads(secrets_line) if secrets_line else {}
print(json.dumps({'secret_a': secrets.get('secret_a')}))
"#;
// First action with secret A
let context1 = ExecutionContext {
execution_id: 3,
action_ref: "security.action1".to_string(),
@@ -195,26 +215,36 @@ async fn test_python_secret_isolation_between_actions() {
},
timeout: Some(10),
working_dir: None,
entry_point: "run".to_string(),
code: Some(
r#"
def run():
return {'secret_a': get_secret('secret_a')}
"#
.to_string(),
),
entry_point: "inline".to_string(),
code: Some(code1.to_string()),
code_path: None,
runtime_name: Some("python".to_string()),
max_stdout_bytes: 10 * 1024 * 1024,
max_stderr_bytes: 10 * 1024 * 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
output_format: attune_worker::runtime::OutputFormat::Json,
};
let result1 = runtime.execute(context1).await.unwrap();
assert!(result1.is_success());
assert_eq!(
result1.exit_code, 0,
"First action should succeed. stderr: {}",
result1.stderr
);
// Second action with secret B — should NOT see secret A
let code2 = r#"
import sys, json
secrets_line = sys.stdin.readline().strip()
secrets = json.loads(secrets_line) if secrets_line else {}
print(json.dumps({
'secret_a_leaked': secrets.get('secret_a') is not None,
'secret_b_present': secrets.get('secret_b') == 'value_b'
}))
"#;
// Second action with secret B (should not see secret A)
let context2 = ExecutionContext {
execution_id: 4,
action_ref: "security.action2".to_string(),
@@ -227,42 +257,34 @@ def run():
},
timeout: Some(10),
working_dir: None,
entry_point: "run".to_string(),
code: Some(
r#"
def run():
# Should NOT see secret_a from previous action
secret_a = get_secret('secret_a')
secret_b = get_secret('secret_b')
return {
'secret_a_leaked': secret_a is not None,
'secret_b_present': secret_b == 'value_b'
}
"#
.to_string(),
),
entry_point: "inline".to_string(),
code: Some(code2.to_string()),
code_path: None,
runtime_name: Some("python".to_string()),
max_stdout_bytes: 10 * 1024 * 1024,
max_stderr_bytes: 10 * 1024 * 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
output_format: attune_worker::runtime::OutputFormat::Json,
};
let result2 = runtime.execute(context2).await.unwrap();
assert!(result2.is_success());
assert_eq!(
result2.exit_code, 0,
"Second action should succeed. stderr: {}",
result2.stderr
);
let result_data = result2.result.unwrap();
let result_obj = result_data.get("result").unwrap();
let result_data = result2.result.expect("Should have parsed JSON result");
// Verify secrets don't leak between actions
assert_eq!(
result_obj.get("secret_a_leaked").unwrap(),
result_data.get("secret_a_leaked").unwrap(),
&serde_json::json!(false),
"Secret from previous action should not leak"
);
assert_eq!(
result_obj.get("secret_b_present").unwrap(),
result_data.get("secret_b_present").unwrap(),
&serde_json::json!(true),
"Current action's secret should be present"
);
@@ -270,43 +292,44 @@ def run():
#[tokio::test]
async fn test_python_empty_secrets() {
let runtime = PythonRuntime::new();
let tmp = TempDir::new().unwrap();
let runtime = make_python_process_runtime(tmp.path().to_path_buf());
// With no secrets, stdin should have nothing (or empty) — action should still work
let code = r#"
print("ok")
"#;
let context = ExecutionContext {
execution_id: 5,
action_ref: "security.no_secrets".to_string(),
parameters: HashMap::new(),
env: HashMap::new(),
secrets: HashMap::new(), // No secrets
secrets: HashMap::new(),
timeout: Some(10),
working_dir: None,
entry_point: "run".to_string(),
code: Some(
r#"
def run():
# get_secret should return None for non-existent secrets
result = get_secret('nonexistent')
return {'result': result}
"#
.to_string(),
),
entry_point: "inline".to_string(),
code: Some(code.to_string()),
code_path: None,
runtime_name: Some("python".to_string()),
max_stdout_bytes: 10 * 1024 * 1024,
max_stderr_bytes: 10 * 1024 * 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
output_format: attune_worker::runtime::OutputFormat::default(),
};
let result = runtime.execute(context).await.unwrap();
assert!(
result.is_success(),
"Should handle empty secrets gracefully"
assert_eq!(
result.exit_code, 0,
"Should handle empty secrets gracefully. stderr: {}",
result.stderr
);
assert!(
result.stdout.contains("ok"),
"Should produce expected output. stdout: {}",
result.stdout
);
let result_data = result.result.unwrap();
let result_obj = result_data.get("result").unwrap();
assert_eq!(result_obj.get("result").unwrap(), &serde_json::Value::Null);
}
#[tokio::test]
@@ -318,7 +341,7 @@ async fn test_shell_empty_secrets() {
action_ref: "security.no_secrets".to_string(),
parameters: HashMap::new(),
env: HashMap::new(),
secrets: HashMap::new(), // No secrets
secrets: HashMap::new(),
timeout: Some(10),
working_dir: None,
entry_point: "shell".to_string(),
@@ -341,89 +364,155 @@ fi
max_stderr_bytes: 10 * 1024 * 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
output_format: attune_worker::runtime::OutputFormat::default(),
};
let result = runtime.execute(context).await.unwrap();
assert!(
result.is_success(),
"Should handle empty secrets gracefully"
"Should handle empty secrets gracefully. stderr: {}",
result.stderr
);
assert!(
result.stdout.contains("PASS"),
"Should pass. stdout: {}",
result.stdout
);
assert!(result.stdout.contains("PASS"));
}
#[tokio::test]
async fn test_python_special_characters_in_secrets() {
let runtime = PythonRuntime::new();
async fn test_process_runtime_secrets_not_in_environ() {
// Verify ProcessRuntime (used for all runtimes now) doesn't leak secrets to env
let tmp = TempDir::new().unwrap();
let pack_dir = tmp.path().join("testpack");
let actions_dir = pack_dir.join("actions");
std::fs::create_dir_all(&actions_dir).unwrap();
// Write a script that dumps environment
std::fs::write(
actions_dir.join("check_env.sh"),
r#"#!/bin/bash
if printenv | grep -q "SUPER_SECRET_VALUE"; then
echo "FAIL: Secret leaked to environment"
exit 1
fi
echo "PASS: No secrets in environment"
"#,
)
.unwrap();
let config = RuntimeExecutionConfig {
interpreter: InterpreterConfig {
binary: "/bin/bash".to_string(),
args: vec![],
file_extension: Some(".sh".to_string()),
},
environment: None,
dependencies: None,
};
let runtime = ProcessRuntime::new("shell".to_string(), config, tmp.path().to_path_buf(), tmp.path().join("runtime_envs"));
let context = ExecutionContext {
execution_id: 7,
action_ref: "security.special_chars".to_string(),
action_ref: "testpack.check_env".to_string(),
parameters: HashMap::new(),
env: HashMap::new(),
secrets: {
let mut s = HashMap::new();
s.insert("special_chars".to_string(), "test!@#$%^&*()".to_string());
s.insert("with_newline".to_string(), "line1\nline2".to_string());
s.insert("db_password".to_string(), "SUPER_SECRET_VALUE".to_string());
s
},
timeout: Some(10),
working_dir: None,
entry_point: "run".to_string(),
code: Some(
r#"
def run():
special = get_secret('special_chars')
newline = get_secret('with_newline')
entry_point: "check_env.sh".to_string(),
code: None,
code_path: Some(actions_dir.join("check_env.sh")),
runtime_name: Some("shell".to_string()),
max_stdout_bytes: 10 * 1024 * 1024,
max_stderr_bytes: 10 * 1024 * 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
output_format: attune_worker::runtime::OutputFormat::default(),
};
newline_char = chr(10)
newline_parts = newline.split(newline_char) if newline else []
let result = runtime.execute(context).await.unwrap();
assert_eq!(
result.exit_code, 0,
"Check should pass. stdout: {}, stderr: {}",
result.stdout, result.stderr
);
assert!(
result.stdout.contains("PASS"),
"Should confirm no secrets in env. stdout: {}",
result.stdout
);
}
return {
'special_correct': special == 'test!@#$%^&*()',
'newline_has_two_parts': len(newline_parts) == 2,
'newline_first_part': newline_parts[0] if len(newline_parts) > 0 else '',
'newline_second_part': newline_parts[1] if len(newline_parts) > 1 else '',
'special_len': len(special) if special else 0
}
"#
.to_string(),
),
code_path: None,
#[tokio::test]
async fn test_python_process_runtime_secrets_not_in_environ() {
// Same check but via ProcessRuntime with Python interpreter
let tmp = TempDir::new().unwrap();
let pack_dir = tmp.path().join("testpack");
let actions_dir = pack_dir.join("actions");
std::fs::create_dir_all(&actions_dir).unwrap();
std::fs::write(
actions_dir.join("check_env.py"),
r#"
import os, json
env_dump = str(os.environ)
leaked = "TOP_SECRET_API_KEY" in env_dump
print(json.dumps({"leaked": leaked}))
"#,
)
.unwrap();
let config = RuntimeExecutionConfig {
interpreter: InterpreterConfig {
binary: "python3".to_string(),
args: vec!["-u".to_string()],
file_extension: Some(".py".to_string()),
},
environment: None,
dependencies: None,
};
let runtime = ProcessRuntime::new("python".to_string(), config, tmp.path().to_path_buf(), tmp.path().join("runtime_envs"));
let context = ExecutionContext {
execution_id: 8,
action_ref: "testpack.check_env".to_string(),
parameters: HashMap::new(),
env: HashMap::new(),
secrets: {
let mut s = HashMap::new();
s.insert("api_key".to_string(), "TOP_SECRET_API_KEY".to_string());
s
},
timeout: Some(10),
working_dir: None,
entry_point: "check_env.py".to_string(),
code: None,
code_path: Some(actions_dir.join("check_env.py")),
runtime_name: Some("python".to_string()),
max_stdout_bytes: 10 * 1024 * 1024,
max_stderr_bytes: 10 * 1024 * 1024,
parameter_delivery: attune_worker::runtime::ParameterDelivery::default(),
parameter_format: attune_worker::runtime::ParameterFormat::default(),
output_format: attune_worker::runtime::OutputFormat::Json,
};
let result = runtime.execute(context).await.unwrap();
assert!(
result.is_success(),
"Should handle special characters: {:?}",
result.error
assert_eq!(
result.exit_code, 0,
"Python env check should succeed. stderr: {}",
result.stderr
);
let result_data = result.result.unwrap();
let result_obj = result_data.get("result").unwrap();
let result_data = result.result.expect("Should have parsed JSON result");
assert_eq!(
result_obj.get("special_correct").unwrap(),
&serde_json::json!(true),
"Special characters should be preserved"
);
assert_eq!(
result_obj.get("newline_has_two_parts").unwrap(),
&serde_json::json!(true),
"Newline should split into two parts"
);
assert_eq!(
result_obj.get("newline_first_part").unwrap(),
&serde_json::json!("line1"),
"First part should be 'line1'"
);
assert_eq!(
result_obj.get("newline_second_part").unwrap(),
&serde_json::json!("line2"),
"Second part should be 'line2'"
result_data.get("leaked").unwrap(),
&serde_json::json!(false),
"SECURITY FAILURE: Secret leaked to Python process environment!"
);
}