Skip to content

fix(sandbox): allow first-label L7 host wildcards#1304

Open
mjamiv wants to merge 2 commits into
NVIDIA:mainfrom
mjamiv:fix/l7-intra-label-host-wildcards
Open

fix(sandbox): allow first-label L7 host wildcards#1304
mjamiv wants to merge 2 commits into
NVIDIA:mainfrom
mjamiv:fix/l7-intra-label-host-wildcards

Conversation

@mjamiv
Copy link
Copy Markdown
Contributor

@mjamiv mjamiv commented May 11, 2026
edited
Loading

Summary

  • allow L7 host validation to accept single-star globs inside the first DNS label, such as *-aiplatform.googleapis.com
  • keep rejecting bare global wildcards, TLD/single-label wildcards, wildcards outside the first DNS label, and recursive ** inside a label
  • add regression coverage for accepted and rejected wildcard host patterns

Related Issue

Fixes #1303

Changes

  • Extracted L7 host wildcard validation into a helper.
  • Replaced the stricter *. / **. prefix requirement with label-position validation that matches the OPA glob.match(..., ["."]) boundary model.
  • Added unit coverage for *-aiplatform.googleapis.com, **.example.com, foo.*.example.com, foo**.example.com, *com, bare */**, and TLD wildcards.

Testing

  • mise run pre-commit
  • cargo fmt --all -- --check
  • git diff --check
  • cargo test -p openshell-sandbox validate_wildcard_host -- --nocapture
  • cargo test -p openshell-sandbox
  • cargo clippy -p openshell-sandbox --all-targets -- -D warnings

Checklist

  • Tests added or updated
  • Formatting checked
  • Related issue linked

@mjamiv mjamiv requested review from a team, derekwaynecarr, maxamillion and mrunalp as code owners May 11, 2026 10:21
@copy-pr-bot
Copy link
Copy Markdown

copy-pr-bot Bot commented May 11, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@johntmyers
Copy link
Copy Markdown
Collaborator

johntmyers commented May 11, 2026
edited
Loading

This changes the documented host wildcard contract, but architecture/security-policy.md still says host wildcard patterns must start with *. or **. and still documents TLD wildcards as a warning. Please update the Host Wildcards section and validation tables to include first-label intra-label patterns like *-aiplatform.googleapis.com, and to match the current error behavior for TLD/single-label wildcard patterns.

The validator test covers *-aiplatform.googleapis.com, but the OPA runtime tests still only cover *.example.com-style host wildcards. Please add a runtime test asserting *-aiplatform.googleapis.com allows a host like us-central1-aiplatform.googleapis.com and does not cross . boundaries. That would lock the validator/runtime alignment this PR is fixing.

@benoitf
Copy link
Copy Markdown
Contributor

benoitf commented May 12, 2026

@mjamiv are you gonna enhance the PR ? I created the issue so I can also create the PR if this one becomes stuck.

@mjamiv
Copy link
Copy Markdown
Contributor Author

mjamiv commented May 13, 2026

Thanks for the nudge — I'm enhancing the PR now. @johntmyers's review asks are clear: a Host Wildcards section in architecture/security-policy.md documenting the new contract + validation table, and an OPA runtime test asserting *-aiplatform.googleapis.com allows us-central1-aiplatform.googleapis.com and does not cross . boundaries. Pushing today.

@mjamiv
docs(sandbox): document L7 host wildcard contract + add OPA runtime t…
7ebc2e6 
…ests

- Add Host Wildcards section to architecture/security-policy.md
  describing accepted (first-label *, **, intra-label *-X) and
  rejected (bare, TLD, non-first-label, recursive-in-label) forms,
  and noting that wildcards never cross '.' boundaries.
- Expand the policy-schema.mdx 'host' field description to reflect
  the same contract instead of only mentioning '*.example.com'.
- Add OPA runtime tests asserting '*-aiplatform.googleapis.com'
  matches 'us-central1-aiplatform.googleapis.com' and does not match
  'us-central1.aiplatform.googleapis.com' (cross-dot boundary). Locks
  validator/runtime alignment for intra-label wildcards.
@mjamiv
Copy link
Copy Markdown
Contributor Author

mjamiv commented May 13, 2026

Addressed in 7ebc2e6b.

Docs (architecture/security-policy.md): added a Host Wildcards section with a validation table covering accepted (*.example.com, **.example.com, intra-label *-aiplatform.googleapis.com) and rejected (bare */**, TLD wildcards, non-first-label wildcards, recursive ** mixed inside a label) forms, plus a note that wildcards never cross . boundaries.

Docs (docs/reference/policy-schema.mdx): expanded the host field description from *.example.com only to the full contract.

OPA runtime tests: added two tests in crates/openshell-sandbox/src/opa.rs:

  • wildcard_host_intra_label_matches — asserts *-aiplatform.googleapis.com allows us-central1-aiplatform.googleapis.com.
  • wildcard_host_intra_label_does_not_cross_dot — asserts *-aiplatform.googleapis.com does not allow us-central1.aiplatform.googleapis.com (would cross a . label boundary).

Local validation:

  • cargo test -p openshell-sandbox wildcard_host — 20/20 pass (10 validator + 10 runtime).
  • cargo test -p openshell-sandbox — 661 pass / 0 fail / 2 ignored.
  • cargo fmt --all -- --check and cargo clippy -p openshell-sandbox --all-targets -- -D warnings clean.
  • mise run pre-commit clean.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@maxamillion maxamillion Awaiting requested review from maxamillion maxamillion is a code owner

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr derekwaynecarr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

L7 policy validation rejects valid intra-label host wildcards

3 participants

@mjamiv @johntmyers @benoitf