MediaMetz/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-03-25 05:21:03 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
440a74cdac85689f9652f3d337dfef9221599647
gemini-cli/packages/core/src/policy/config.test.ts

1190 lines
37 KiB
TypeScript
Raw Blame History

/**
* @license
* Copyright 2025 Google LLC
* SPDX-License-Identifier: Apache-2.0
*/
import { describe, it, expect, vi, afterEach, beforeEach } from 'vitest';
import nodePath from 'node:path';
import {
ApprovalMode,
PolicyDecision,
InProcessCheckerType,
type PolicySettings,
} from './types.js';
import { isDirectorySecure } from '../utils/security.js';
vi.unmock('../config/storage.js');
vi.mock('../utils/security.js', () => ({
isDirectorySecure: vi.fn().mockResolvedValue({ secure: true }),
}));
afterEach(() => {
vi.clearAllMocks();
vi.restoreAllMocks();
vi.doUnmock('node:fs/promises');
});
describe('createPolicyEngineConfig', () => {
beforeEach(async () => {
vi.resetModules();
const { Storage } = await import('../config/storage.js');
// Mock Storage to avoid picking up real user/system policies from the host environment
vi.spyOn(Storage, 'getUserPoliciesDir').mockReturnValue(
'/non/existent/user/policies',
);
vi.spyOn(Storage, 'getSystemPoliciesDir').mockReturnValue(
'/non/existent/system/policies',
);
// Reset security check to default secure
vi.mocked(isDirectorySecure).mockResolvedValue({ secure: true });
});
it('should filter out insecure system policy directories', async () => {
const { Storage } = await import('../config/storage.js');
const systemPolicyDir = '/insecure/system/policies';
vi.spyOn(Storage, 'getSystemPoliciesDir').mockReturnValue(systemPolicyDir);
vi.mocked(isDirectorySecure).mockImplementation(async (path: string) => {
if (nodePath.resolve(path) === nodePath.resolve(systemPolicyDir)) {
return { secure: false, reason: 'Insecure directory' };
}
return { secure: true };
});
// We need to spy on loadPoliciesFromToml to verify which directories were passed
// But it is not exported from config.js, it is imported.
// We can spy on the module it comes from.
const tomlLoader = await import('./toml-loader.js');
const loadPoliciesSpy = vi.spyOn(tomlLoader, 'loadPoliciesFromToml');
loadPoliciesSpy.mockResolvedValue({
rules: [],
checkers: [],
errors: [],
});
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {};
await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
// Verify loadPoliciesFromToml was called
expect(loadPoliciesSpy).toHaveBeenCalled();
const calledDirs = loadPoliciesSpy.mock.calls[0][0];
// The system directory should NOT be in the list
expect(calledDirs).not.toContain(systemPolicyDir);
// But other directories (user, default) should be there
expect(calledDirs).toContain('/non/existent/user/policies');
expect(calledDirs).toContain('/tmp/mock/default/policies');
});
it('should return ASK_USER for write tools and ALLOW for read-only tools by default', async () => {
const actualFs =
await vi.importActual<typeof import('node:fs/promises')>(
'node:fs/promises',
);
const mockReaddir = vi.fn(
async (
path: string | Buffer | URL,
options?: Parameters<typeof actualFs.readdir>[1],
) => {
if (
typeof path === 'string' &&
nodePath
.normalize(path)
.includes(nodePath.normalize('.gemini/policies'))
) {
// Return empty array for user policies
return [] as unknown as Awaited<ReturnType<typeof actualFs.readdir>>;
}
return actualFs.readdir(
path,
options as Parameters<typeof actualFs.readdir>[1],
);
},
);
vi.doMock('node:fs/promises', () => ({
...actualFs,
default: { ...actualFs, readdir: mockReaddir },
readdir: mockReaddir,
}));
// Mock Storage to avoid actual filesystem access for policy dirs during tests if needed,
// but for now relying on the fs mock above might be enough if it catches the right paths.
// Let's see if we need to mock Storage.getUserPoliciesDir etc.
vi.resetModules();
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {};
// Pass a dummy default policies dir to avoid it trying to resolve __dirname relative to the test file in a weird way
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
expect(config.defaultDecision).toBe(PolicyDecision.ASK_USER);
// The order of the rules is not guaranteed, so we sort them by tool name.
config.rules?.sort((a, b) =>
(a.toolName ?? '').localeCompare(b.toolName ?? ''),
);
// Since we are mocking an empty policy directory, we expect NO rules from TOML.
// Wait, the CLI test expected a bunch of default rules. Those must have come from
// the actual default policies directory in the CLI package.
// In the core package, we don't necessarily have those default policy files yet
// or we need to point to them.
// For this unit test, if we mock the default dir as empty, we should get NO rules
// if no settings are provided.
// Actually, let's look at how CLI test gets them. It uses `__dirname` in `policy.ts`.
// If we want to test default rules, we need to provide them.
// For now, let's assert it's empty if we provide no TOML files, to ensure the *mechanism* works.
// Or better, mock one default rule to ensure it's loaded.
expect(config.rules).toEqual([]);
vi.doUnmock('node:fs/promises');
}, 30000);
it('should allow tools in tools.allowed', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {
tools: { allowed: ['run_shell_command'] },
};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
const rule = config.rules?.find(
(r) =>
r.toolName === 'run_shell_command' &&
r.decision === PolicyDecision.ALLOW,
);
expect(rule).toBeDefined();
expect(rule?.priority).toBeCloseTo(4.3, 5); // Command line allow
});
it('should deny tools in tools.exclude', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {
tools: { exclude: ['run_shell_command'] },
};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
const rule = config.rules?.find(
(r) =>
r.toolName === 'run_shell_command' &&
r.decision === PolicyDecision.DENY,
);
expect(rule).toBeDefined();
expect(rule?.priority).toBeCloseTo(4.4, 5); // Command line exclude
});
it('should allow tools from allowed MCP servers', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {
mcp: { allowed: ['my-server'] },
};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
const rule = config.rules?.find(
(r) => r.mcpName === 'my-server' && r.decision === PolicyDecision.ALLOW,
);
expect(rule).toBeDefined();
expect(rule?.priority).toBe(4.1); // MCP allowed server
});
it('should deny tools from excluded MCP servers', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {
mcp: { excluded: ['my-server'] },
};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
const rule = config.rules?.find(
(r) => r.mcpName === 'my-server' && r.decision === PolicyDecision.DENY,
);
expect(rule).toBeDefined();
expect(rule?.priority).toBe(4.9); // MCP excluded server
});
it('should allow tools from trusted MCP servers', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {
mcpServers: {
'trusted-server': {
trust: true,
},
'untrusted-server': {
trust: false,
},
},
};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
const trustedRule = config.rules?.find(
(r) =>
r.mcpName === 'trusted-server' && r.decision === PolicyDecision.ALLOW,
);
expect(trustedRule).toBeDefined();
expect(trustedRule?.priority).toBe(4.2); // MCP trusted server
// Untrusted server should not have an allow rule
const untrustedRule = config.rules?.find(
(r) =>
r.mcpName === 'untrusted-server' && r.decision === PolicyDecision.ALLOW,
);
expect(untrustedRule).toBeUndefined();
});
it('should handle multiple MCP server configurations together', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {
mcp: {
allowed: ['allowed-server'],
excluded: ['excluded-server'],
},
mcpServers: {
'trusted-server': {
trust: true,
},
},
};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
// Check allowed server
const allowedRule = config.rules?.find(
(r) =>
r.mcpName === 'allowed-server' && r.decision === PolicyDecision.ALLOW,
);
expect(allowedRule).toBeDefined();
expect(allowedRule?.priority).toBe(4.1); // MCP allowed server
// Check trusted server
const trustedRule = config.rules?.find(
(r) =>
r.mcpName === 'trusted-server' && r.decision === PolicyDecision.ALLOW,
);
expect(trustedRule).toBeDefined();
expect(trustedRule?.priority).toBe(4.2); // MCP trusted server
// Check excluded server
const excludedRule = config.rules?.find(
(r) =>
r.mcpName === 'excluded-server' && r.decision === PolicyDecision.DENY,
);
expect(excludedRule).toBeDefined();
expect(excludedRule?.priority).toBe(4.9); // MCP excluded server
});
it('should allow all tools in YOLO mode', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {};
const config = await createPolicyEngineConfig(settings, ApprovalMode.YOLO);
const rule = config.rules?.find(
(r) => r.decision === PolicyDecision.ALLOW && !r.toolName,
);
expect(rule).toBeDefined();
// Priority 998 in default tier → 1.998 (999 reserved for ask_user exception)
expect(rule?.priority).toBeCloseTo(1.998, 5);
});
it('should allow edit tool in AUTO_EDIT mode', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.AUTO_EDIT,
);
const rule = config.rules?.find(
(r) =>
r.toolName === 'replace' &&
r.decision === PolicyDecision.ALLOW &&
r.modes?.includes(ApprovalMode.AUTO_EDIT),
);
expect(rule).toBeDefined();
// Priority 15 in default tier → 1.015
expect(rule?.priority).toBeCloseTo(1.015, 5);
});
it('should prioritize exclude over allow', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {
tools: { allowed: ['run_shell_command'], exclude: ['run_shell_command'] },
};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
const denyRule = config.rules?.find(
(r) =>
r.toolName === 'run_shell_command' &&
r.decision === PolicyDecision.DENY,
);
const allowRule = config.rules?.find(
(r) =>
r.toolName === 'run_shell_command' &&
r.decision === PolicyDecision.ALLOW,
);
expect(denyRule).toBeDefined();
expect(allowRule).toBeDefined();
expect(denyRule!.priority).toBeGreaterThan(allowRule!.priority!);
});
it('should prioritize specific tool allows over MCP server excludes', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {
mcp: { excluded: ['my-server'] },
tools: { allowed: ['mcp_my-server_specific-tool'] },
};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
const serverDenyRule = config.rules?.find(
(r) => r.mcpName === 'my-server' && r.decision === PolicyDecision.DENY,
);
const toolAllowRule = config.rules?.find(
(r) =>
r.toolName === 'mcp_my-server_specific-tool' &&
r.decision === PolicyDecision.ALLOW,
);
expect(serverDenyRule).toBeDefined();
expect(serverDenyRule?.priority).toBe(4.9); // MCP excluded server
expect(toolAllowRule).toBeDefined();
expect(toolAllowRule?.priority).toBeCloseTo(4.3, 5); // Command line allow
// Server deny (4.9) has higher priority than tool allow (4.3),
// so server deny wins (this is expected behavior - server-level blocks are security critical)
});
it('should handle MCP server allows and tool excludes', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {
mcp: { allowed: ['my-server'] },
mcpServers: {
'my-server': {
trust: true,
},
},
tools: { exclude: ['mcp_my-server_dangerous-tool'] },
};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
const serverAllowRule = config.rules?.find(
(r) => r.mcpName === 'my-server' && r.decision === PolicyDecision.ALLOW,
);
const toolDenyRule = config.rules?.find(
(r) =>
r.toolName === 'mcp_my-server_dangerous-tool' &&
r.decision === PolicyDecision.DENY,
);
expect(serverAllowRule).toBeDefined();
expect(toolDenyRule).toBeDefined();
// Command line exclude (4.4) has higher priority than MCP server trust (4.2)
// This is the correct behavior - specific exclusions should beat general server trust
expect(toolDenyRule!.priority).toBeGreaterThan(serverAllowRule!.priority!);
});
it('should handle complex priority scenarios correctly', async () => {
const settings: PolicySettings = {
tools: {
allowed: ['mcp_trusted-server_tool1', 'other-tool'], // Priority 4.3
exclude: ['mcp_trusted-server_tool2', 'glob'], // Priority 4.4
},
mcp: {
allowed: ['allowed-server'], // Priority 4.1
excluded: ['excluded-server'], // Priority 4.9
},
mcpServers: {
'trusted-server': {
trust: true, // Priority 4.2
},
},
};
// Mock a default policy for 'glob' to test priority override
const actualFs =
await vi.importActual<typeof import('node:fs/promises')>(
'node:fs/promises',
);
const mockReaddir = vi.fn(async (p, _o) => {
if (typeof p === 'string' && p.includes('/tmp/mock/default/policies')) {
return [
{
name: 'default.toml',
isFile: () => true,
isDirectory: () => false,
},
] as unknown as Awaited<ReturnType<typeof actualFs.readdir>>;
}
return [];
});
const mockStat = vi.fn(async (p) => {
if (typeof p === 'string' && p.includes('/tmp/mock/default/policies')) {
return {
isDirectory: () => true,
isFile: () => false,
} as unknown as Awaited<ReturnType<typeof actualFs.stat>>;
}
if (typeof p === 'string' && p.includes('default.toml')) {
return {
isDirectory: () => false,
isFile: () => true,
} as unknown as Awaited<ReturnType<typeof actualFs.stat>>;
}
return actualFs.stat(p);
});
const mockReadFile = vi.fn(async (p, _o) => {
if (typeof p === 'string' && p.includes('default.toml')) {
return '[[rule]]\ntoolName = "glob"\ndecision = "allow"\npriority = 50\n';
}
return '';
});
vi.doMock('node:fs/promises', () => ({
...actualFs,
default: {
...actualFs,
readdir: mockReaddir,
readFile: mockReadFile,
stat: mockStat,
},
readdir: mockReaddir,
readFile: mockReadFile,
stat: mockStat,
}));
vi.resetModules();
const { createPolicyEngineConfig: createConfig } = await import(
'./config.js'
);
const config = await createConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
// Verify glob is denied even though default would allow it
const globDenyRule = config.rules?.find(
(r) => r.toolName === 'glob' && r.decision === PolicyDecision.DENY,
);
const globAllowRule = config.rules?.find(
(r) => r.toolName === 'glob' && r.decision === PolicyDecision.ALLOW,
);
expect(globDenyRule).toBeDefined();
expect(globAllowRule).toBeDefined();
// Deny from settings (user tier)
expect(globDenyRule!.priority).toBeCloseTo(4.4, 5); // Command line exclude
// Allow from default TOML: 1 + 50/1000 = 1.05
expect(globAllowRule!.priority).toBeCloseTo(1.05, 5);
// Verify all priority levels are correct
const priorities = config.rules
?.map((r) => ({
tool: r.toolName,
decision: r.decision,
priority: r.priority,
}))
.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
// Check that the highest priority items are the excludes (user tier: 4.4 and 4.9)
const highestPriorityExcludes = priorities?.filter(
(p) =>
Math.abs(p.priority! - 4.4) < 0.01 ||
Math.abs(p.priority! - 4.9) < 0.01,
);
expect(
highestPriorityExcludes?.every((p) => p.decision === PolicyDecision.DENY),
).toBe(true);
vi.doUnmock('node:fs/promises');
});
it('should handle MCP servers with undefined trust property', async () => {
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {
mcpServers: {
'no-trust-property': {
// trust property is undefined/missing
},
'explicit-false': {
trust: false,
},
},
};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
// Neither server should have an allow rule
const noTrustRule = config.rules?.find(
(r) =>
r.mcpName === 'no-trust-property' &&
r.decision === PolicyDecision.ALLOW,
);
const explicitFalseRule = config.rules?.find(
(r) =>
r.mcpName === 'explicit-false' && r.decision === PolicyDecision.ALLOW,
);
expect(noTrustRule).toBeUndefined();
expect(explicitFalseRule).toBeUndefined();
});
it('should have YOLO allow-all rule beat write tool rules in YOLO mode', async () => {
vi.resetModules();
vi.doUnmock('node:fs/promises');
const { createPolicyEngineConfig: createConfig } = await import(
'./config.js'
);
// Re-mock Storage after resetModules because it was reloaded
const { Storage: FreshStorage } = await import('../config/storage.js');
vi.spyOn(FreshStorage, 'getUserPoliciesDir').mockReturnValue(
'/non/existent/user/policies',
);
vi.spyOn(FreshStorage, 'getSystemPoliciesDir').mockReturnValue(
'/non/existent/system/policies',
);
const settings: PolicySettings = {
tools: { exclude: ['dangerous-tool'] },
};
// Use default policy dir (no third arg) to load real yolo.toml and write.toml
const config = await createConfig(settings, ApprovalMode.YOLO);
// Should have the wildcard allow rule
const wildcardRule = config.rules?.find(
(r) => !r.toolName && r.decision === PolicyDecision.ALLOW,
);
expect(wildcardRule).toBeDefined();
// Priority 998 in default tier → 1.998 (999 reserved for ask_user exception)
expect(wildcardRule?.priority).toBeCloseTo(1.998, 5);
// Write tool ASK_USER rules are present (from write.toml)
const writeToolRules = config.rules?.filter(
(r) =>
['run_shell_command'].includes(r.toolName || '') &&
r.decision === PolicyDecision.ASK_USER,
);
expect(writeToolRules).toBeDefined();
expect(writeToolRules?.length).toBeGreaterThan(0);
// But YOLO allow-all rule has higher priority than all write tool rules
writeToolRules?.forEach((writeRule) => {
expect(wildcardRule!.priority).toBeGreaterThan(writeRule.priority!);
});
// Should still have the exclude rule (from settings, user tier)
const excludeRule = config.rules?.find(
(r) =>
r.toolName === 'dangerous-tool' && r.decision === PolicyDecision.DENY,
);
expect(excludeRule).toBeDefined();
expect(excludeRule?.priority).toBeCloseTo(4.4, 5); // Command line exclude
});
it('should support argsPattern in policy rules', async () => {
const actualFs =
await vi.importActual<typeof import('node:fs/promises')>(
'node:fs/promises',
);
const mockReaddir = vi.fn(
async (
path: string | Buffer | URL,
options?: Parameters<typeof actualFs.readdir>[1],
) => {
if (
typeof path === 'string' &&
nodePath
.normalize(path)
.includes(nodePath.normalize('.gemini/policies'))
) {
return [
{
name: 'write.toml',
isFile: () => true,
isDirectory: () => false,
},
] as unknown as Awaited<ReturnType<typeof actualFs.readdir>>;
}
return actualFs.readdir(
path,
options as Parameters<typeof actualFs.readdir>[1],
);
},
);
const mockReadFile = vi.fn(
async (
path: Parameters<typeof actualFs.readFile>[0],
options: Parameters<typeof actualFs.readFile>[1],
) => {
if (
typeof path === 'string' &&
nodePath
.normalize(path)
.includes(nodePath.normalize('.gemini/policies/write.toml'))
) {
return `
[[rule]]
toolName = "run_shell_command"
argsPattern = "\\"command\\":\\"git (status|diff|log)\\""
decision = "allow"
priority = 150
`;
}
return actualFs.readFile(path, options);
},
);
const mockStat = vi.fn(
async (
path: Parameters<typeof actualFs.stat>[0],
options?: Parameters<typeof actualFs.stat>[1],
) => {
if (
typeof path === 'string' &&
nodePath
.normalize(path)
.includes(nodePath.normalize('.gemini/policies'))
) {
return {
isDirectory: () => true,
isFile: () => false,
} as unknown as Awaited<ReturnType<typeof actualFs.stat>>;
}
return actualFs.stat(path, options);
},
);
vi.doMock('node:fs/promises', () => ({
...actualFs,
default: {
...actualFs,
readFile: mockReadFile,
readdir: mockReaddir,
stat: mockStat,
},
readFile: mockReadFile,
readdir: mockReaddir,
stat: mockStat,
}));
vi.resetModules();
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
const rule = config.rules?.find(
(r) =>
r.toolName === 'run_shell_command' &&
r.decision === PolicyDecision.ALLOW,
);
expect(rule).toBeDefined();
// Priority 150 in user tier → 4.150
expect(rule?.priority).toBeCloseTo(4.15, 5);
expect(rule?.argsPattern).toBeInstanceOf(RegExp);
expect(rule?.argsPattern?.test('{"command":"git status"}')).toBe(true);
expect(rule?.argsPattern?.test('{"command":"git diff"}')).toBe(true);
expect(rule?.argsPattern?.test('{"command":"git log"}')).toBe(true);
expect(rule?.argsPattern?.test('{"command":"git commit"}')).toBe(false);
expect(rule?.argsPattern?.test('{"command":"git push"}')).toBe(false);
vi.doUnmock('node:fs/promises');
});
it('should load safety_checker configuration from TOML', async () => {
const actualFs =
await vi.importActual<typeof import('node:fs/promises')>(
'node:fs/promises',
);
const mockReaddir = vi.fn(
async (
path: string | Buffer | URL,
options?: Parameters<typeof actualFs.readdir>[1],
) => {
if (
typeof path === 'string' &&
nodePath
.normalize(path)
.includes(nodePath.normalize('.gemini/policies'))
) {
return [
{
name: 'safety.toml',
isFile: () => true,
isDirectory: () => false,
},
] as unknown as Awaited<ReturnType<typeof actualFs.readdir>>;
}
return actualFs.readdir(
path,
options as Parameters<typeof actualFs.readdir>[1],
);
},
);
const mockReadFile = vi.fn(
async (
path: Parameters<typeof actualFs.readFile>[0],
options: Parameters<typeof actualFs.readFile>[1],
) => {
if (
typeof path === 'string' &&
nodePath
.normalize(path)
.includes(nodePath.normalize('.gemini/policies/safety.toml'))
) {
return `
[[rule]]
toolName = "write_file"
decision = "allow"
priority = 10
[[rule]]
toolName = "write_file"
decision = "allow"
priority = 10
[[safety_checker]]
toolName = "write_file"
priority = 10
[safety_checker.checker]
type = "in-process"
name = "allowed-path"
required_context = ["environment"]
[safety_checker.checker.config]
`;
}
return actualFs.readFile(path, options);
},
);
const mockStat = vi.fn(
async (
path: Parameters<typeof actualFs.stat>[0],
options?: Parameters<typeof actualFs.stat>[1],
) => {
if (
typeof path === 'string' &&
nodePath
.normalize(path)
.includes(nodePath.normalize('.gemini/policies'))
) {
return {
isDirectory: () => true,
isFile: () => false,
} as unknown as Awaited<ReturnType<typeof actualFs.stat>>;
}
return actualFs.stat(path, options);
},
);
vi.doMock('node:fs/promises', () => ({
...actualFs,
default: {
...actualFs,
readFile: mockReadFile,
readdir: mockReaddir,
stat: mockStat,
},
readFile: mockReadFile,
readdir: mockReaddir,
stat: mockStat,
}));
vi.resetModules();
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
const rule = config.rules?.find(
(r) => r.toolName === 'write_file' && r.decision === PolicyDecision.ALLOW,
);
expect(rule).toBeDefined();
const checker = config.checkers?.find(
(c) => c.toolName === 'write_file' && c.checker.type === 'in-process',
);
expect(checker).toBeDefined();
expect(checker?.checker.type).toBe('in-process');
expect(checker?.checker.name).toBe(InProcessCheckerType.ALLOWED_PATH);
expect(checker?.checker.required_context).toEqual(['environment']);
vi.doUnmock('node:fs/promises');
});
it('should reject invalid in-process checker names', async () => {
const actualFs =
await vi.importActual<typeof import('node:fs/promises')>(
'node:fs/promises',
);
const mockReaddir = vi.fn(
async (
path: string | Buffer | URL,
options?: Parameters<typeof actualFs.readdir>[1],
) => {
if (
typeof path === 'string' &&
nodePath
.normalize(path)
.includes(nodePath.normalize('.gemini/policies'))
) {
return [
{
name: 'invalid_safety.toml',
isFile: () => true,
isDirectory: () => false,
},
] as unknown as Awaited<ReturnType<typeof actualFs.readdir>>;
}
return actualFs.readdir(
path,
options as Parameters<typeof actualFs.readdir>[1],
);
},
);
const mockReadFile = vi.fn(
async (
path: Parameters<typeof actualFs.readFile>[0],
options: Parameters<typeof actualFs.readFile>[1],
) => {
if (
typeof path === 'string' &&
nodePath
.normalize(path)
.includes(
nodePath.normalize('.gemini/policies/invalid_safety.toml'),
)
) {
return `
[[rule]]
toolName = "write_file"
decision = "allow"
priority = 10
[[safety_checker]]
toolName = "write_file"
priority = 10
[safety_checker.checker]
type = "in-process"
name = "invalid-name"
`;
}
return actualFs.readFile(path, options);
},
);
const mockStat = vi.fn(
async (
path: Parameters<typeof actualFs.stat>[0],
options?: Parameters<typeof actualFs.stat>[1],
) => {
if (
typeof path === 'string' &&
nodePath
.normalize(path)
.includes(nodePath.normalize('.gemini/policies'))
) {
return {
isDirectory: () => true,
isFile: () => false,
} as unknown as Awaited<ReturnType<typeof actualFs.stat>>;
}
return actualFs.stat(path, options);
},
);
vi.doMock('node:fs/promises', () => ({
...actualFs,
default: {
...actualFs,
readFile: mockReadFile,
readdir: mockReaddir,
stat: mockStat,
},
readFile: mockReadFile,
readdir: mockReaddir,
stat: mockStat,
}));
vi.resetModules();
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
// The rule should be rejected because 'invalid-name' is not in the enum
const rule = config.rules?.find((r) => r.toolName === 'write_file');
expect(rule).toBeUndefined();
vi.doUnmock('node:fs/promises');
});
it('should have default ASK_USER rule for discovered tools', async () => {
vi.resetModules();
vi.doUnmock('node:fs/promises');
const { createPolicyEngineConfig: createConfig } = await import(
'./config.js'
);
// Re-mock Storage after resetModules because it was reloaded
const { Storage: FreshStorage } = await import('../config/storage.js');
vi.spyOn(FreshStorage, 'getUserPoliciesDir').mockReturnValue(
'/non/existent/user/policies',
);
vi.spyOn(FreshStorage, 'getSystemPoliciesDir').mockReturnValue(
'/non/existent/system/policies',
);
const settings: PolicySettings = {};
// Use default policy dir to load real discovered.toml
const config = await createConfig(settings, ApprovalMode.DEFAULT);
const discoveredRule = config.rules?.find(
(r) =>
r.toolName === 'discovered_tool_*' &&
r.decision === PolicyDecision.ASK_USER,
);
expect(discoveredRule).toBeDefined();
// Priority 10 in default tier → 1.010
expect(discoveredRule?.priority).toBeCloseTo(1.01, 5);
});
it('should normalize legacy "ShellTool" alias to "run_shell_command"', async () => {
vi.resetModules();
// Mock fs to return empty for policies
const actualFs =
await vi.importActual<typeof import('node:fs/promises')>(
'node:fs/promises',
);
const mockReaddir = vi.fn(
async () => [] as unknown as Awaited<ReturnType<typeof actualFs.readdir>>,
);
vi.doMock('node:fs/promises', () => ({
...actualFs,
default: { ...actualFs, readdir: mockReaddir },
readdir: mockReaddir,
}));
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {
tools: { allowed: ['ShellTool'] },
};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.DEFAULT,
'/tmp/mock/default/policies',
);
const rule = config.rules?.find(
(r) =>
r.toolName === 'run_shell_command' &&
r.decision === PolicyDecision.ALLOW,
);
expect(rule).toBeDefined();
expect(rule?.priority).toBeCloseTo(4.3, 5); // Command line allow
vi.doUnmock('node:fs/promises');
});
it('should allow overriding Plan Mode deny with user policy', async () => {
const actualFs =
await vi.importActual<typeof import('node:fs/promises')>(
'node:fs/promises',
);
const mockReaddir = vi.fn(
async (
path: string | Buffer | URL,
options?: Parameters<typeof actualFs.readdir>[1],
) => {
const normalizedPath = nodePath.normalize(path.toString());
if (normalizedPath.includes('gemini-cli-test/user/policies')) {
return [
{
name: 'user-plan.toml',
isFile: () => true,
isDirectory: () => false,
},
] as unknown as Awaited<ReturnType<typeof actualFs.readdir>>;
}
return actualFs.readdir(
path,
options as Parameters<typeof actualFs.readdir>[1],
);
},
);
const mockStat = vi.fn(
async (
path: Parameters<typeof actualFs.stat>[0],
options?: Parameters<typeof actualFs.stat>[1],
) => {
const normalizedPath = nodePath.normalize(path.toString());
if (normalizedPath.includes('gemini-cli-test/user/policies')) {
return {
isDirectory: () => true,
isFile: () => false,
} as unknown as Awaited<ReturnType<typeof actualFs.stat>>;
}
return actualFs.stat(path, options);
},
);
const mockReadFile = vi.fn(
async (
path: Parameters<typeof actualFs.readFile>[0],
options: Parameters<typeof actualFs.readFile>[1],
) => {
const normalizedPath = nodePath.normalize(path.toString());
if (normalizedPath.includes('user-plan.toml')) {
return `
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["git status", "git diff"]
decision = "allow"
priority = 100
modes = ["plan"]
[[rule]]
toolName = "codebase_investigator"
decision = "allow"
priority = 100
modes = ["plan"]
`;
}
return actualFs.readFile(path, options);
},
);
vi.doMock('node:fs/promises', () => ({
...actualFs,
default: {
...actualFs,
readFile: mockReadFile,
readdir: mockReaddir,
stat: mockStat,
},
readFile: mockReadFile,
readdir: mockReaddir,
stat: mockStat,
}));
vi.resetModules();
// Robustly mock Storage using doMock to ensure it persists through imports in config.js
vi.doMock('../config/storage.js', async () => {
const actual = await vi.importActual<
typeof import('../config/storage.js')
>('../config/storage.js');
class MockStorage extends actual.Storage {
static override getUserPoliciesDir() {
return '/tmp/gemini-cli-test/user/policies';
}
static override getSystemPoliciesDir() {
return '/tmp/gemini-cli-test/system/policies';
}
}
return { ...actual, Storage: MockStorage };
});
const { createPolicyEngineConfig } = await import('./config.js');
const settings: PolicySettings = {};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.PLAN,
nodePath.join(__dirname, 'policies'),
);
const shellRules = config.rules?.filter(
(r) =>
r.toolName === 'run_shell_command' &&
r.decision === PolicyDecision.ALLOW &&
r.modes?.includes(ApprovalMode.PLAN) &&
r.argsPattern,
);
expect(shellRules).toHaveLength(2);
expect(
shellRules?.some((r) => r.argsPattern?.test('{"command":"git status"}')),
).toBe(true);
expect(
shellRules?.some((r) => r.argsPattern?.test('{"command":"git diff"}')),
).toBe(true);
expect(
shellRules?.every(
(r) => !r.argsPattern?.test('{"command":"git commit"}'),
),
).toBe(true);
const subagentRule = config.rules?.find(
(r) =>
r.toolName === 'codebase_investigator' &&
r.decision === PolicyDecision.ALLOW &&
r.modes?.includes(ApprovalMode.PLAN),
);
expect(subagentRule).toBeDefined();
expect(subagentRule?.priority).toBeCloseTo(4.1, 5);
vi.doUnmock('node:fs/promises');
});
});
Reference in New Issue View Git Blame Copy Permalink