feat(l7): add JSON-RPC policy enforcement#1865
Open
krishicks wants to merge 9 commits into
Open
Conversation
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
|
🌿 Preview your docs: https://nvidia-preview-pr-1865.docs.buildwithfern.com/openshell |
Add a Rust e2e test that drives MCP-style JSON-RPC requests through both the forward proxy and CONNECT tunnel paths. Cover method rules, params rules, batch handling, and invalid JSON denial expectations so the JSON-RPC implementation can be built against one failing scenario. Signed-off-by: Kris Hicks <khicks@nvidia.com>
Add json-rpc as a policy protocol and carry JSON-RPC rule fields through policy parsing and validation. Wire the protocol into the L7 dispatcher with a passthrough placeholder so later commits can add enforcement without changing endpoint recognition. Signed-off-by: Kris Hicks <khicks@nvidia.com>
Move HTTP request body buffering and chunked-body normalization out of the GraphQL module so other HTTP-carried L7 protocols can inspect request bodies without depending on GraphQL internals. Signed-off-by: Kris Hicks <khicks@nvidia.com>
Add the JSON-RPC HTTP parser and relay path, extract request methods, and pass JSON-RPC metadata into L7 policy evaluation. Wire rpc_method through proto and policy conversion, add Rego matching for JSON-RPC methods, and inspect forward-proxy JSON-RPC bodies before relaying upstream. Signed-off-by: Kris Hicks <khicks@nvidia.com>
krishicks
force-pushed
the
hicks/push-nvuozlywzuwu
branch
from
8d0925f to
62da29d
Compare
Carry JSON-RPC max body bytes from policy into runtime endpoint config and use it on both CONNECT and forward JSON-RPC inspection paths instead of hardcoding 64 KiB. Signed-off-by: Kris Hicks <khicks@nvidia.com>
Add JSON-RPC params matcher maps to proto and YAML policy conversion, including shared matcher conversion helpers. Flatten object params into dot-separated keys for policy input and extend Rego allow and deny matching to filter JSON-RPC calls by params. Signed-off-by: Kris Hicks <khicks@nvidia.com>
Parse JSON-RPC batch arrays into per-call metadata and evaluate each batch item with the existing method and params policy rules. Deny the whole batch when any call is denied. Signed-off-by: Kris Hicks <khicks@nvidia.com>
Log JSON-RPC endpoint, RPC methods, params SHA-256 digest, and policy version without recording raw params. Use <empty> when no params are present. Signed-off-by: Kris Hicks <khicks@nvidia.com>
Document JSON-RPC endpoint configuration, rpc_method and params matchers, batch denial behavior, current directionality limits, matcher scope, and the current policy update CLI limitation. Signed-off-by: Kris Hicks <khicks@nvidia.com>
krishicks
force-pushed
the
hicks/push-nvuozlywzuwu
branch
from
62da29d to
8dc2a54
Compare
krishicks
requested review from
a team,
derekwaynecarr and
mrunalp
as code owners
johntmyers
added
the
gator:in-review
Collaborator
PR Review StatusValidation: This maintainer-authored PR is project-valid because it implements the JSON-RPC/MCP method-level policy work discussed in #1793, with documented v1 scope around sandbox-to-server HTTP request inspection. Review findings:
Docs: Fern docs were updated for the new policy schema and sandbox policy behavior. Next state: |
2 tasks
Collaborator
PR Review Follow-UpHead SHA: The required independent reviewer pass confirmed the two blocking findings from the previous gator review:
Additional non-blocking warning from the independent review:
The earlier warnings also still apply: forward-proxy JSON-RPC audit logs are less detailed than CONNECT logs, and Next state: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds JSON-RPC L7 policy enforcement for sandbox proxy traffic. The implementation supports JSON-RPC endpoint configuration,
rpc_methodmatching, scalar objectparamsmatching, forward-proxy inspection, CONNECT tunnel inspection, and deny-if-any-denied batch handling.JSON-RPC enforcement applies to sandbox-to-server HTTP request bodies sent to the configured endpoint. It does not yet enforce policy on server-to-client JSON-RPC messages carried on MCP SSE streams or response bodies. Tool results continue to pass because responses are relayed, not matched against
rpc_method.Related Issue
Closes #1793
Changes
rpc_methodand flattened scalar objectparamsmatchers for allow and deny rules.Testing
mise run pre-commitpassesAdditional targeted checks:
cargo test -p openshell-sandbox jsonrpcmise run e2e:rust -- --test forward_proxy_jsonrpc_l7Checklist