#!/usr/bin/env bash
# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
# Sandbox Policy Quickstart — automated demo
#
# Runs the full walkthrough non-interactively, in seven numbered steps:
# 1. Creates a sandbox with default-deny networking
# 2. Attempts a GET to api.github.com (denied)
# 3. Shows the deny log
# 4. Applies a read-only GitHub API policy
# 5. Retries the GET (allowed)
# 6. Attempts a POST (blocked by the L7 policy)
# 7. Shows the L7 deny log
# The sandbox and the temporary ssh config are removed on exit (EXIT trap),
# whether the demo succeeds or fails.
#
# Usage: bash examples/sandbox-policy-quickstart/demo.sh
#        DEMO_PAUSE=<seconds> controls the pause before each step (default 1).
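set -euo pipefail

# Name of the throwaway sandbox: created in step 1, deleted by cleanup().
readonly SANDBOX_NAME="policy-demo"
# Directory holding this script (policy.yaml sits next to it). `--` guards
# cd/dirname against a script path that begins with a dash. The assignment is
# kept separate from `readonly` so a failing `cd` is not masked by readonly's
# own (successful) exit status under set -e.
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
readonly POLICY_FILE="${SCRIPT_DIR}/policy.yaml"
# Scratch file for the ssh_config that `openshell sandbox ssh-config` writes
# later. mktemp gives it an unpredictable name and private (0600) permissions,
# which matters because the config may reference the sandbox's identity file;
# cleanup() removes it on exit.
SSH_CONFIG=$(mktemp)
readonly SSH_CONFIG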
# Tear down everything the demo created. Registered as the EXIT trap, so it
# runs after a successful walkthrough as well as after an `exit 1` from a
# failed step. The delete is best-effort (`|| true`): the sandbox may never
# have been created, and a failure here must not abort the rest of the trap
# under set -e.
cleanup() {
  printf '\n'
  step "Cleaning up"
  openshell sandbox delete "$SANDBOX_NAME" 2>/dev/null || true
  # The generated ssh_config is the only local artefact left behind.
  rm -f -- "$SSH_CONFIG"
}
trap cleanup EXIT
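# ANSI SGR sequences, stored as printf-style escapes ('\033…') so they expand
# correctly either inside a printf format string or through a %b conversion.
# Made readonly: nothing in this script reassigns them.
readonly BOLD='\033[1m'
# DIM is currently unused by this script; kept for symmetry.
# shellcheck disable=SC2034
readonly DIM='\033[2m'
readonly CYAN='\033[36m'
readonly GREEN='\033[32m'
readonly RED='\033[31m'
readonly YELLOW='\033[33m'
# MAGENTA is currently unused here; colorize_logs() carries its own escapes.
# shellcheck disable=SC2034
readonly MAGENTA='\033[35m'
readonly RESET='\033[0m'
# Seconds to pause before each step banner (DEMO_PAUSE=0 for a non-stop run).
# The value is handed straight to sleep(1), so it must be a valid interval.
readonly STEP_PAUSE="${DEMO_PAUSE:-1}"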
# Print a bold cyan step banner for $1, after pausing STEP_PAUSE seconds so a
# viewer can follow along. The colour variables are passed as %b arguments
# rather than spliced into the format string.
step() {
  local title=$1
  sleep "$STEP_PAUSE"
  printf '\n%b%b▸ %s%b\n\n' "$BOLD" "$CYAN" "$title" "$RESET"
}
# Echo a command line (bold, prefixed with "$ ") and then execute it with
# stdout and stderr merged and indented by one space.
# Returns the command's own exit status rather than sed's (via PIPESTATUS).
# Note that under the script's `set -e`, a failing command still aborts the
# demo unless run is used inside a conditional.
run() {
  local status
  printf ' %b$ %s%b\n' "$BOLD" "$*" "$RESET"
  "$@" 2>&1 | sed 's/^/ /'
  status=${PIPESTATUS[0]}
  return "$status"
}
# Filter (stdin → stdout) that highlights the interesting fields of a policy
# log line: deny/allow verdicts in red/green, destination host and port in
# cyan, binary in bold, reason in yellow, policy name in magenta, and the
# [CONNECT]/[FORWARD] tags in bold. Substitutions are applied in this order
# on every line (GNU sed BRE syntax, same as the rest of the file).
colorize_logs() {
  local -r esc=$'\033'
  local -r off="${esc}[0m"
  local -r red="${esc}[1;31m" green="${esc}[1;32m" bold="${esc}[1m"
  local -r cyan="${esc}[36m" yellow="${esc}[33m" magenta="${esc}[35m"
  sed \
    -e "s/action=deny/${red}action=deny${off}/g" \
    -e "s/action=allow/${green}action=allow${off}/g" \
    -e "s/dst_host=[^ ]*/${cyan}&${off}/g" \
    -e "s/dst_port=[^ ]*/${cyan}&${off}/g" \
    -e "s/binary=[^ ]*/${bold}&${off}/g" \
    -e "s/reason=[^\"]*/${yellow}&${off}/g" \
    -e "s/policy=[^ ]*/${magenta}&${off}/g" \
    -e "s/\[CONNECT\]/${bold}[CONNECT]${off}/g" \
    -e "s/\[FORWARD\]/${bold}[FORWARD]${off}/g"
}
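# Run a command inside the sandbox over ssh, with stdout and stderr merged.
#
# ssh joins its trailing arguments with single spaces and hands the result to
# the remote login shell for re-parsing, so word boundaries and quotes are
# lost unless each argument is shell-quoted first. The original passed "$@"
# straight through, which turned e.g. `-H "Content-Type: application/json"`
# into three remote words and stripped the quotes from a JSON `-d` body.
# printf %q re-quotes every argument with backslashes (it only falls back to
# $'…' for control characters), which a POSIX sh on the remote side undoes.
# NOTE(review): assumes the sandbox's sshd hands the command to a POSIX
# shell — confirm against the sandbox image.
# Always pass a command; the ssh_config and host come from the globals
# SSH_CONFIG / SSH_HOST set up in the main sequence.
sandbox_exec() {
  local remote_cmd
  printf -v remote_cmd '%q ' "$@"
  ssh -F "$SSH_CONFIG" "$SSH_HOST" "${remote_cmd% }" 2>&1
}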
# Poll the sandbox over ssh (`true`) until it answers: up to 15 attempts,
# 2 seconds apart (roughly 30 s). Returns 0 as soon as a connection succeeds;
# otherwise prints a red error and exits the whole script with status 1
# (the EXIT trap then cleans up).
wait_for_ssh() {
  local -r max_attempts=15
  local attempt
  for ((attempt = 1; attempt <= max_attempts; attempt++)); do
    ssh -F "$SSH_CONFIG" "$SSH_HOST" true >/dev/null 2>&1 && return 0
    sleep 2
  done
  printf ' %b✗ SSH connection to sandbox timed out%b\n' "$RED" "$RESET"
  exit 1
}
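# ------------------------------------------------------------------
# show_policy_logs PATTERN [openshell-logs-args...]
#   Fetch recent sandbox logs, keep the lines matching PATTERN (GNU BRE,
#   case-insensitive) and print them colourised and indented.
#   Steps 3 and 7 previously inlined this pipeline; with `set -o pipefail`
#   a pattern that matched nothing made grep exit 1 and silently killed the
#   demo, which is exactly what happens when the log entry has not been
#   flushed yet. A failing `openshell logs` still aborts (its output is shown
#   first); an empty match only prints a placeholder.
show_policy_logs() {
  local pattern=$1
  shift
  local raw matched
  printf ' %b$ openshell logs %s %s%b\n' "$BOLD" "$SANDBOX_NAME" "$*" "$RESET"
  raw=$(openshell logs "$SANDBOX_NAME" "$@" 2>&1) || {
    printf '%s\n' "$raw" | sed 's/^/ /'
    return 1
  }
  matched=$(grep -i -e "$pattern" <<<"$raw" || true)
  if [[ -z "$matched" ]]; then
    printf ' (no matching log lines yet — try: openshell logs %s)\n' "$SANDBOX_NAME"
    return 0
  fi
  colorize_logs <<<"$matched" | sed 's/^/ /'
}

# ------------------------------------------------------------------
step "1/7 Creating sandbox \"${SANDBOX_NAME}\" (default-deny networking)"
run openshell sandbox create \
  --name "$SANDBOX_NAME" \
  --keep \
  --no-auto-providers \
  --no-tty \
  -- echo "sandbox ready"

step "Connecting to sandbox"
# The generated ssh_config goes into the private mktemp file; cleanup()
# removes it on exit.
openshell sandbox ssh-config "$SANDBOX_NAME" > "$SSH_CONFIG"
SSH_HOST=$(awk '/^Host / { print $2; exit }' "$SSH_CONFIG")
# Without a Host alias every later ssh call would run with an empty
# hostname; fail here with a clear message instead.
if [[ -z "$SSH_HOST" ]]; then
  printf ' %b✗ No "Host" entry in the generated ssh config (%s)%b\n' "$RED" "$SSH_CONFIG" "$RESET"
  exit 1
fi
wait_for_ssh

# ------------------------------------------------------------------
step "2/7 Attempting to reach api.github.com — should be DENIED"
printf ' %b$ curl -sS https://api.github.com/zen%b\n' "$BOLD" "$RESET"
# -f turns an HTTP error reply from the enforcement point into a non-zero
# curl exit, and pipefail carries it through sed: any "success" here means
# the default-deny policy leaked, so the demo stops.
if sandbox_exec curl -sSf --max-time 5 https://api.github.com/zen | sed 's/^/ /'; then
  printf ' %b✗ Expected request to be denied, but it succeeded.%b\n' "$RED" "$RESET"
  exit 1
fi
printf ' %b✗ Blocked by default-deny policy.%b\n' "$RED" "$RESET"

# ------------------------------------------------------------------
step "3/7 Checking deny log"
sleep 2   # the deny entry is not necessarily visible immediately
show_policy_logs 'connect\|forward\|deny\|allow' --since 1m -n 10

# ------------------------------------------------------------------
step "4/7 Applying read-only GitHub API policy"
printf ' Policy file: %s\n\n' "$POLICY_FILE"
run openshell policy set "$SANDBOX_NAME" \
  --policy "$POLICY_FILE" \
  --wait

# ------------------------------------------------------------------
step "5/7 Retrying GET — should be ALLOWED"
sleep 1
printf ' %b$ curl -sS https://api.github.com/zen%b\n' "$BOLD" "$RESET"
# NOTE(review): without -f an HTTP error body (e.g. a 403 or a GitHub
# rate-limit reply) would be printed in green as if the GET were allowed;
# consider `-sSf` here so the demo aborts on an unexpected status.
ZEN=$(sandbox_exec curl -sS --max-time 10 https://api.github.com/zen)
printf ' %b%s%b\n' "$GREEN" "$ZEN" "$RESET"
printf '\n'
printf ' %b$ curl -sS https://api.github.com/octocat%b\n' "$BOLD" "$RESET"
sandbox_exec curl -sS --max-time 10 https://api.github.com/octocat | sed 's/^/ /'

# ------------------------------------------------------------------
step "6/7 Attempting POST — should be BLOCKED by L7"
printf " %b\$ curl -sS -X POST https://api.github.com/repos/octocat/hello-world/issues -d '{\"title\":\"oops\"}'%b\n" "$BOLD" "$RESET"
# A blocked request may surface either as an HTTP error reply (curl exits 0,
# body printed below) or as a connection-level failure (curl exits non-zero).
# Capture the status instead of letting set -e abort before the L7 log is
# shown in step 7; the log, not the curl exit code, is the verdict.
post_status=0
RESPONSE=$(sandbox_exec curl -sS --max-time 10 -X POST \
  https://api.github.com/repos/octocat/hello-world/issues \
  -H "Content-Type: application/json" \
  -d '{"title":"oops"}') || post_status=$?
printf ' %b%s%b\n' "$YELLOW" "$RESPONSE" "$RESET"
if (( post_status != 0 )); then
  printf ' (curl exited with status %d)\n' "$post_status"
fi

# ------------------------------------------------------------------
step "7/7 Checking L7 deny log"
sleep 2   # as in step 3, give the log entry a moment to appear
show_policy_logs 'connect\|forward\|deny\|allow\|l7\|rest' --level warn --since 1m -n 10

# ------------------------------------------------------------------
printf '\n%b%b✓ Demo complete.%b\n\n' "$BOLD" "$GREEN" "$RESET"
printf ' What you saw:\n'
printf ' 1. Default deny — minimal outbound access, explicit approval required\n'
printf ' 2. L7 read-only — GET allowed, POST blocked at the HTTP method level\n'
printf ' 3. Audit trail — every request logged with method, path, and decision\n\n'
printf ' The policy is %s lines of YAML.\n' "$(wc -l < "$POLICY_FILE" | tr -d ' ')"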