feat(sandbox): auto-detect TLS and terminate unconditionally for credential injection#544
Open
johntmyers wants to merge 7 commits into main from
Conversation
…ential injection
Closes #533
The proxy now auto-detects TLS by peeking the first bytes of each connection. When TLS is detected, it terminates unconditionally — enabling credential injection and optional L7 inspection without requiring explicit 'tls: terminate' in the policy.
- Add looks_like_tls() detection (TLS ClientHello: 0x16 0x03 0x0N)
- Replace TlsMode::Passthrough/Terminate with Auto/Skip
- Restructure proxy dispatch: peek → auto-detect → terminate/relay
- Add relay_passthrough_with_credentials for terminate-but-no-L7 path
- Deprecate 'tls: terminate' and 'tls: passthrough' (log warnings)
- Add 'tls: skip' as explicit opt-out escape hatch
- Update validation, tests, docs, examples, and skill references
…dependent query
The tls field was only parsed when an L7 protocol was configured, so tls: skip on L4-only endpoints was silently ignored.
Fix:
- Add parse_tls_mode() independent of parse_l7_config()
- Add query_tls_mode() in proxy.rs
- Add endpoint_has_extended_config rule for tls field in Rego
- Update smoke test to verify credential injection and tls: skip
…urce location output
…y pending keep-alive fix
Summary
The sandbox proxy now auto-detects TLS by peeking the first bytes of every allowed connection. When TLS is detected, it terminates unconditionally -- enabling credential injection and optional L7 inspection without requiring explicit tls: terminate in the policy.
Related Issue
Closes #533
UX Changes
Before: Users had to add tls: terminate to each HTTPS endpoint for L7 inspection and credential injection to work. Missing it caused silent 401s or protocol mismatch errors.
After: TLS termination is automatic. Users write L4 rules (host + port) and get credential injection for free. L7 rules add request-level enforcement on top.
- tls: terminate / tls: passthrough -- deprecated (log warning), treated as auto-detect
- tls: skip -- new explicit opt-out for raw tunneling
Changes
- l7/tls.rs -- looks_like_tls() detection (TLS ClientHello peek)
- l7/mod.rs -- TlsMode::Auto/Skip, parse_tls_mode(), deprecation warnings, validation updates
- l7/relay.rs -- relay_passthrough_with_credentials() for auto-terminated L4 traffic
- proxy.rs -- Restructured: peek -> auto-detect -> terminate/relay. Fixed CONNECT log message.
- sandbox-policy.rego -- endpoint_has_extended_config matches tls field
- mechanistic_mapper.rs -- Removed auto-generated tls: terminate
- scripts/smoke-test-network-policy.sh -- 8 e2e tests (L4, L7, cred injection, tls:skip)
Testing
Checklist
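As an added example, not code from this PR or the project, here is the peek -> auto-detect -> terminate/relay step the description refers to, written in Rust because the proxy is Rust. Only the names looks_like_tls and TlsMode::Auto/Skip come from the PR; their signatures, the Sniff and Dispatch enums, the dispatch function, the peek-size constants and the sample byte strings are this example's own assumptions. It goes slightly beyond the 0x16 0x03 0x0N check the commit message names: it also sanity-checks the record length and the handshake type when enough bytes are visible, and it treats a short peek as "not decided yet" rather than "not TLS".

```rust
// Added example (not the project's code). Names other than looks_like_tls and
// TlsMode::{Auto, Skip} are assumptions made for this illustration.

/// What the first peeked bytes of a connection tell us.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Sniff {
    /// Starts with a plausible TLS handshake record: terminate here.
    Tls,
    /// Cannot be a TLS ClientHello (plaintext HTTP, SSH, ...): relay raw.
    NotTls,
    /// Too few bytes to decide yet; peek again, bounded by a deadline.
    NeedMoreData,
}

/// Record content type + 2-byte version: the minimum the 0x16 0x03 0x0N check needs.
pub const TLS_PEEK_MIN: usize = 3;
/// 5-byte record header + 1-byte handshake type lets us also require ClientHello.
pub const TLS_PEEK_FULL: usize = 6;

/// Heuristic TLS detection on peeked (not consumed) bytes.
pub fn looks_like_tls(peek: &[u8]) -> Sniff {
    if peek.len() < TLS_PEEK_MIN {
        return Sniff::NeedMoreData;
    }
    // TLSPlaintext header: ContentType handshake(22) = 0x16, ProtocolVersion 0x03 0x0N.
    // SSL 3.0 is 0x0300, TLS 1.0..1.2 are 0x0301..0x0303. A TLS 1.3 ClientHello still
    // carries legacy_record_version 0x0301 (RFC 8446), so 0x0304 is accepted only for
    // leniency and should not appear in a real first record.
    if peek[0] != 0x16 || peek[1] != 0x03 || peek[2] > 0x04 {
        return Sniff::NotTls;
    }
    // Record length: a ClientHello is plaintext, so at most 2^14 bytes and never empty.
    if peek.len() >= 5 {
        let record_len = u16::from_be_bytes([peek[3], peek[4]]);
        if record_len == 0 || record_len > 16_384 {
            return Sniff::NotTls;
        }
    }
    // The first handshake message a client sends must be ClientHello (HandshakeType 1).
    if peek.len() >= TLS_PEEK_FULL && peek[5] != 0x01 {
        return Sniff::NotTls;
    }
    Sniff::Tls
}

/// Per-endpoint TLS mode as introduced by the PR; Auto is the default.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TlsMode {
    Auto,
    Skip,
}

/// What the proxy does with the connection after peeking.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Dispatch {
    /// Terminate TLS: credential injection and optional L7 inspection become possible.
    Terminate,
    /// Raw L4 relay: no injection, no inspection.
    Relay,
    /// Not enough bytes yet: keep peeking until a deadline, then fall back to Relay.
    Wait,
}

/// peek -> auto-detect -> terminate/relay, with tls: skip short-circuiting the sniff.
pub fn dispatch(mode: TlsMode, peek: &[u8]) -> Dispatch {
    match mode {
        TlsMode::Skip => Dispatch::Relay,
        TlsMode::Auto => match looks_like_tls(peek) {
            Sniff::Tls => Dispatch::Terminate,
            Sniff::NotTls => Dispatch::Relay,
            Sniff::NeedMoreData => Dispatch::Wait,
        },
    }
}

// Constructed sample inputs for this example; not captured traffic.
pub const SAMPLE_CLIENT_HELLO: &[u8] =
    &[0x16, 0x03, 0x01, 0x00, 0xa5, 0x01, 0x00, 0x00, 0xa1, 0x03, 0x03];
pub const SAMPLE_HTTP: &[u8] = b"GET / HTTP/1.1\r\nHost: example.com\r\n";
pub const SAMPLE_SSH: &[u8] = b"SSH-2.0-OpenSSH_9.6\r\n";
pub const SAMPLE_SHORT: &[u8] = &[0x16, 0x03];
pub const SAMPLE_BAD_HANDSHAKE_TYPE: &[u8] = &[0x16, 0x03, 0x03, 0x00, 0x10, 0x02];

fn main() {
    let samples = [
        ("client_hello", SAMPLE_CLIENT_HELLO),
        ("http", SAMPLE_HTTP),
        ("ssh", SAMPLE_SSH),
        ("short_peek", SAMPLE_SHORT),
        ("server_hello", SAMPLE_BAD_HANDSHAKE_TYPE),
    ];
    for (name, bytes) in samples {
        println!(
            "{:>12}: auto={:?} skip={:?}",
            name,
            dispatch(TlsMode::Auto, bytes),
            dispatch(TlsMode::Skip, bytes)
        );
    }
}
```

Two caveats a practitioner would want to keep in mind when wiring this into a real peek loop. First, a peek can return fewer bytes than requested, so a two-byte read is NeedMoreData, not NotTls; deciding Relay on a short read would silently skip credential injection for that connection, which is exactly the class of silent failure the PR sets out to remove. Second, the peek must be bounded by a deadline: for server-speaks-first protocols (SMTP, MySQL) the client sends nothing until it is greeted, so an unbounded peek on the client side never returns. And since the sandboxed client chooses these bytes, anything that does not look like TLS falls through to the raw relay, which is why the L4 host and port rules still govern what may be reached at all.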