feat(supervisor-middleware): add network egress middleware#2027
feat(supervisor-middleware): add network egress middleware#2027pimlock wants to merge 59 commits into
Conversation
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
595191e to
97b750f
Compare
358906a to
1fbcdbc
Compare
|
🌿 Preview your docs: https://nvidia-preview-pr-2027.docs.buildwithfern.com/openshell |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
2 similar comments
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
|
/ok to test c4b0dcf |
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
…are outages An unreachable operator-registered middleware service previously aborted sandbox startup via a hard error in load_policy, contradicting the per-request on_error contract and the resilient live-reload path. Retry the initial connect and, on failure, degrade to the built-in registry so matched requests are governed by each config's on_error (deny for fail_closed, allow for fail_open) instead of blocking the whole sandbox. The policy poll loop now reconciles the registry on every poll while an install is pending, so a recovered service is adopted without waiting for a config change; a failed reconcile also no longer blocks unrelated policy updates. Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
…limit A chain entry whose binding did not resolve reported a zero body limit, which dragged the whole chain's buffer cap to zero and spuriously failed body-bearing requests over capacity even when a resolved middleware could have processed them. Exclude unresolved entries from the limit via a new DescribedChainEntry::is_resolved(); when no entry resolves, skip buffering and apply each entry's on_error directly. Also fix two parallel-test flakes found while validating the change: - Build middleware OCSF events into a Vec and assert on it directly instead of capturing through the global tracing pipeline, whose callsite-interest cache is process-global and raced under parallel runs. - Accumulate the websocket deny response until the reason marker arrives rather than assuming a single read returns the full body. Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
c4b0dcf to
2b7cf4e
Compare
Re-check After Author UpdateThanks @pimlock. I re-evaluated head What I checked: the current PR diff against Review findings:
Docs: Fern docs and Checks: Branch Checks and required Next state: |
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
|
Thanks for the re-review. I addressed both current findings in
Proxy hardening trace from supervisor middleware workSupervisor middleware added an inspect-and-transform boundary to the HTTP proxy. Review of that boundary also exposed pre-existing proxy behavior. The invariant behind the changes below is: policy and middleware must evaluate the same effective request that OpenShell sends upstream.
Tracked or accepted follow-ups:
Validation completed:
|
BlockedThanks @pimlock. I saw your latest update on head Head SHA: GitHub currently reports Next action: @pimlock needs to rebase or merge |
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
|
Follow-up compatibility refinement in
Added Validation:
|
BlockedGator is blocked by merge conflicts against Head SHA: GitHub currently reports Next action: @pimlock needs to rebase or merge |
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
|
Merged current Conflict resolution:
Validation:
|
Re-check After Author UpdateThanks @pimlock. I re-evaluated head What I checked: the current PR diff against Review findings:
Docs: Fern docs and Checks: Branch Checks, DCO, and Helm Lint are green. Required Next state: |
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
|
Addressed the remaining P2 authority finding in
This follows RFC 9112 section 3.2.2:
Implementation details:
Regression coverage includes mismatch, repeated fields, missing fields, non-default ports, IPv6, body read-ahead preservation, and an active middleware-selected request whose captured outbound bytes contain only the canonical authority. Validation:
No follow-up is needed to close this finding. A separate follow-up would still be useful for broader structured absolute-URI parsing and auditing CONNECT/TLS-inspected authority consistency; those are beyond this specific absolute-form |
Re-check After Author UpdateThanks @pimlock. I re-evaluated head What I checked: the current forward-proxy authority canonicalization, L7/middleware-visible request construction, final origin-form rewrite, credential-processing path, and regression coverage for missing, repeated, mismatched, non-default-port, IPv6, and middleware-selected Disposition: resolved. Review findings:
Docs: Fern docs and Checks: Branch Checks, DCO, and Helm Lint are green. Required Next state: |
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Review follow-up: middleware attachment identityAddressed the middleware identity and binding-model follow-up in
Validation:
|
Re-check After Author UpdateThanks @pimlock. I re-evaluated head What I checked: the current-head delta from Disposition: resolved. Review findings:
Docs: Fern docs and Checks: Branch Checks, DCO, and Helm Lint are green. Required Next state: |
Summary
Implements the first usable RFC 0009 supervisor middleware slice: proto-backed, host-selected HTTP egress middleware for
HttpRequest/pre_credentials, with both in-process built-ins and statically registered operator-run gRPC services.The implementation covers RFC 0009 Phase 1 and adds basic external-service support from Phase 2. It establishes the contract, policy plumbing, ordered chain execution, built-in secret redaction, static gateway registration, relay integration, validation before policy persistence, body limits, audit events, and user-facing configuration and operations documentation.
Tip
See example middleware implementation: #2169
See high-level overview with interactive walk-through: https://gistpreview.github.io/?1f07f93cab1dab587d114fa6eec59c11/pr-2027-middleware-overview.html#request-lab
Related Issue
Closes #2010
Part of #1733
Design/RFC: #1738
Changes
openshell/secretsredactor and statically registered operator-run gRPC services.network_middlewarespolicy configuration and validation, independent of the network policy rule that admits a request.Testing
mise run pre-commitpassesChecklist