diff --git a/README.md b/README.md index cb0577ba..472b32d9 100644 --- a/README.md +++ b/README.md @@ -166,9 +166,6 @@ httpjail --config rules.txt -- ./my-application ### Advanced Options ```bash -# Dry run - log what would be blocked without blocking -httpjail --dry-run --config rules.txt -- ./app - # Verbose logging httpjail -vvv -r "allow: .*" -- curl https://example.com diff --git a/src/main.rs b/src/main.rs index eb11402c..1d58514a 100644 --- a/src/main.rs +++ b/src/main.rs @@ -28,10 +28,6 @@ struct Args { #[arg(short = 'c', long = "config", value_name = "FILE")] config: Option, - /// Log actions without blocking - #[arg(long = "dry-run")] - dry_run: bool, - /// Monitor without filtering #[arg(long = "log-only")] log_only: bool, @@ -304,7 +300,7 @@ async fn main() -> Result<()> { // Build rules from command line arguments let rules = build_rules(&args)?; - let rule_engine = RuleEngine::new(rules, args.dry_run, args.log_only); + let rule_engine = RuleEngine::new(rules, args.log_only); // Get ports from env vars (optional) let http_port = std::env::var("HTTPJAIL_HTTP_BIND") @@ -461,7 +457,7 @@ mod tests { Rule::new(Action::Deny, r".*").unwrap(), ]; - let engine = RuleEngine::new(rules, false, false); + let engine = RuleEngine::new(rules, false); // Test allow rule assert!(matches!( @@ -482,24 +478,11 @@ mod tests { )); } - #[test] - fn test_dry_run_mode() { - let rules = vec![Rule::new(Action::Deny, r".*").unwrap()]; - - let engine = RuleEngine::new(rules, true, false); - - // In dry-run mode, everything should be allowed - assert!(matches!( - engine.evaluate(Method::GET, "https://example.com"), - Action::Allow - )); - } - #[test] fn test_log_only_mode() { let rules = vec![Rule::new(Action::Deny, r".*").unwrap()]; - let engine = RuleEngine::new(rules, false, true); + let engine = RuleEngine::new(rules, true); // In log-only mode, everything should be allowed assert!(matches!( 
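Review bot: In src/main.rs (`struct Args`, hunk at -28,10), `--log-only` is now the only switch that turns enforcement off, but its help text still reads only "Monitor without filtering". The log-only test later in this file expects `Action::Allow` even against a catch-all deny rule, so the help text should say that, e.g. `/// Monitor without filtering: every request is allowed and only logged; deny rules are not enforced`. Invocations that still pass `--dry-run` will presumably be rejected at argument parsing, which fails closed, but a release note pointing them to `--log-only` would save users a surprise. `Args` starts and ends outside the hunk.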
@@ -523,7 +506,6 @@ mod tests { let args = Args { rules: vec![], config: Some(file.path().to_str().unwrap().to_string()), - dry_run: false, log_only: false, interactive: false, weak: false, diff --git a/src/proxy.rs b/src/proxy.rs index 01183ee0..605abc3d 100644 --- a/src/proxy.rs +++ b/src/proxy.rs @@ -458,7 +458,7 @@ mod tests { Rule::new(Action::Deny, r".*").unwrap(), ]; - let rule_engine = RuleEngine::new(rules, false, false); + let rule_engine = RuleEngine::new(rules, false); let proxy = ProxyServer::new(Some(8080), Some(8443), rule_engine, None); assert_eq!(proxy.http_port, Some(8080)); @@ -469,7 +469,7 @@ mod tests { async fn test_proxy_server_auto_port() { let rules = vec![Rule::new(Action::Allow, r".*").unwrap()]; - let rule_engine = RuleEngine::new(rules, false, false); + let rule_engine = RuleEngine::new(rules, false); let mut proxy = ProxyServer::new(None, None, rule_engine, None); let (http_port, https_port) = proxy.start().await.unwrap(); diff --git a/src/proxy_tls.rs b/src/proxy_tls.rs index 928a29ed..bf9c837c 100644 --- a/src/proxy_tls.rs +++ b/src/proxy_tls.rs @@ -593,7 +593,7 @@ mod tests { Rule::new(Action::Deny, r".*").unwrap(), ] }; - Arc::new(RuleEngine::new(rules, false, false)) + Arc::new(RuleEngine::new(rules, false)) } /// Create a TLS client config that trusts any certificate (for testing) diff --git a/src/rules.rs b/src/rules.rs index 24641650..f3344921 100644 --- a/src/rules.rs +++ b/src/rules.rs @@ -48,17 +48,12 @@ impl Rule { #[derive(Clone)] pub struct RuleEngine { pub rules: Vec, - pub dry_run: bool, pub log_only: bool, } impl RuleEngine { - pub fn new(rules: Vec, dry_run: bool, log_only: bool) -> Self { - RuleEngine { - rules, - dry_run, - log_only, - } + pub fn new(rules: Vec, log_only: bool) -> Self { + RuleEngine { rules, log_only } } pub fn evaluate(&self, method: Method, url: &str) -> Action { 
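Review bot: In src/rules.rs (`RuleEngine`, hunk at -48,17), the one remaining flag that disables blocking is an undocumented `pub` field on a `Clone` struct and a bare positional bool in `new`. A call such as `RuleEngine::new(rules, true)` therefore turns the filter into a pass-through with nothing at the call site saying so. At minimum, document the field, e.g. `/// When true, evaluate() returns Action::Allow for every request (monitoring only); deny rules are not enforced.`, with a matching line on `new`. Judging by `test_log_only_mode`, that is the behaviour, but the code that reads `log_only` is outside this hunk, so confirm the wording against it. A two-variant mode enum and non-`pub` fields would make the non-enforcing state harder to select by accident, if no other module writes these fields.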
@@ -77,9 +72,7 @@ impl RuleEngine { url, rule.pattern.as_str() ); - if !self.dry_run { - return Action::Allow; - } + return Action::Allow; } Action::Deny => { warn!( @@ -88,9 +81,7 @@ impl RuleEngine { url, rule.pattern.as_str() ); - if !self.dry_run { - return Action::Deny; - } + return Action::Deny; } } } @@ -98,11 +89,7 @@ impl RuleEngine { // Default deny if no rules match warn!("DENY: {} {} (no matching rules)", method, url); - if self.dry_run { - Action::Allow - } else { - Action::Deny - } + Action::Deny } } @@ -138,7 +125,7 @@ mod tests { Rule::new(Action::Deny, r".*").unwrap(), ]; - let engine = RuleEngine::new(rules, false, false); + let engine = RuleEngine::new(rules, false); // Test allow rule assert!(matches!( @@ -168,7 +155,7 @@ mod tests { Rule::new(Action::Deny, r".*").unwrap(), ]; - let engine = RuleEngine::new(rules, false, false); + let engine = RuleEngine::new(rules, false); // GET should be allowed assert!(matches!( @@ -183,24 +170,11 @@ mod tests { )); } - #[test] - fn test_dry_run_mode() { - let rules = vec![Rule::new(Action::Deny, r".*").unwrap()]; - - let engine = RuleEngine::new(rules, true, false); - - // In dry-run mode, everything should be allowed - assert!(matches!( - engine.evaluate(Method::GET, "https://example.com"), - Action::Allow - )); - } - #[test] fn test_log_only_mode() { let rules = vec![Rule::new(Action::Deny, r".*").unwrap()]; - let engine = RuleEngine::new(rules, false, true); + let engine = RuleEngine::new(rules, true); // In log-only mode, everything should be allowed assert!(matches!( diff --git a/tests/platform_test_macro.rs b/tests/platform_test_macro.rs index 1500c897..c693c0b9 100644 --- a/tests/platform_test_macro.rs +++ b/tests/platform_test_macro.rs 
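Review bot: No test shown in this diff pins the fall-through branch of `evaluate` in src/rules.rs, which now returns `Action::Deny` unconditionally (hunks at -77,9, -88,9 and -98,11). Every rule set in the visible tests ends in or consists of a catch-all `Deny .*`, so the `(no matching rules)` path is not reached by them. Since default-deny is the property the jail relies on, add a regression test along the lines of `let engine = RuleEngine::new(vec![], false);` followed by `assert!(matches!(engine.evaluate(Method::GET, "https://example.com"), Action::Deny));`. Tests outside these hunks may already cover this. `evaluate` begins before the first of these hunks, so how `log_only` is handled there is not visible.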
@@ -32,12 +32,6 @@ macro_rules! platform_tests { system_integration::test_jail_log_only_mode::<$platform>(); } - #[test] - #[::serial_test::serial] - fn test_jail_dry_run_mode() { - system_integration::test_jail_dry_run_mode::<$platform>(); - } - #[test] #[::serial_test::serial] fn test_jail_requires_command() { diff --git a/tests/system_integration.rs b/tests/system_integration.rs index 6ec9bee4..32155257 100644 --- a/tests/system_integration.rs +++ b/tests/system_integration.rs @@ -224,34 +224,6 @@ pub fn test_jail_log_only_mode() { ); } -/// Test dry-run mode -pub fn test_jail_dry_run_mode() { - P::require_privileges(); - - let mut cmd = httpjail_cmd(); - cmd.arg("--dry-run") - .arg("-r") - .arg("deny: .*") // Deny everything - .arg("--"); - curl_http_status_args(&mut cmd, "http://ifconfig.me"); - - let output = cmd.output().expect("Failed to execute httpjail"); - - let stdout = String::from_utf8_lossy(&output.stdout); - let stderr = String::from_utf8_lossy(&output.stderr); - if !stderr.is_empty() { - eprintln!("[{}] stderr: {}", P::platform_name(), stderr); - } - - // In dry-run mode, even deny rules should not block - assert_eq!( - stdout.trim(), - "200", - "Request should be allowed in dry-run mode" - ); - assert!(output.status.success()); -} - /// Test that jail requires a command pub fn test_jail_requires_command() { // This test doesn't require root