test(cli): HTTP policy e2e tests + warn on unused fs.deny

GamePad64 · GamePad64 · commit ed0411c319d9 · 2026-04-19T23:33:19.000+03:00
Integration tests spawn the act binary against the http-client
component and exercise phase A + phase C2 end-to-end:
- default deny blocks outgoing HTTP
- --http-allow matching the request host succeeds against example.com
- --http-allow mismatched host blocks
- --http-policy open allows arbitrary hosts
- info emits the declared-but-denied warning when policy is deny

Tests skip if the http-client wasm is not built; set
ACT_TEST_HTTP_CLIENT_WASM to override the default path
(../../components/http-client/target/wasm32-wasip2/release/
component_http_client.wasm).

Also: warn_missing_capabilities now flags FsConfig.deny entries that
were parsed but cannot be enforced in phase C2 — preopens can't
express path-level deny overlays, so users get a heads-up until the
custom wasi:filesystem impl lands in phase C1.
diff --git a/act-cli/src/runtime.rs b/act-cli/src/runtime.rs
@@ -259,6 +259,17 @@ pub fn warn_missing_capabilities(
             "component declares wasi:http but policy denies all HTTP access"
         );
     }
+
+    // Phase C2 limitation: FsConfig.deny is parsed but not enforced —
+    // preopens can't express path-level deny overlays. Warn so users know
+    // their overlay is silently inactive until the custom wasi:filesystem
+    // impl lands in phase C1.
+    if !fs.deny.is_empty() {
+        tracing::warn!(
+            component = %info.std.name,
+            "fs deny entries are ignored in this release; use narrower allow entries instead"
+        );
+    }
 }
 
 /// Spawn the component actor task. Owns the Store and ActWorld.
diff --git a/act-cli/tests/http_policy_e2e.rs b/act-cli/tests/http_policy_e2e.rs
@@ -0,0 +1,163 @@
+//! End-to-end HTTP policy tests using a real ACT component.
+//!
+//! Requires a built `http-client` component. Set the `ACT_TEST_HTTP_CLIENT_WASM`
+//! env var to its path, or rely on the default location under
+//! `../components/http-client/target/wasm32-wasip2/release/`. Tests skip with a
+//! message when the component isn't available — running the full suite requires
+//! a reachable `example.com` over HTTPS.
+//!
+//! Run with `cargo test -p act-cli --test http_policy_e2e -- --nocapture` after
+//! building the http-client component with `just build` in its directory.
+
+use std::path::PathBuf;
+use std::process::Command;
+
+const DEFAULT_PATH: &str =
+    "../../components/http-client/target/wasm32-wasip2/release/component_http_client.wasm";
+
+fn fixture_wasm() -> Option<PathBuf> {
+    if let Ok(env_path) = std::env::var("ACT_TEST_HTTP_CLIENT_WASM") {
+        let p = PathBuf::from(env_path);
+        if p.exists() {
+            return Some(p);
+        }
+    }
+    let default = PathBuf::from(env!("CARGO_MANIFEST_DIR")).join(DEFAULT_PATH);
+    if default.exists() {
+        return Some(default);
+    }
+    None
+}
+
+fn skip_if_missing() -> Option<PathBuf> {
+    match fixture_wasm() {
+        Some(p) => Some(p),
+        None => {
+            eprintln!(
+                "skipping: set ACT_TEST_HTTP_CLIENT_WASM or build components/http-client first"
+            );
+            None
+        }
+    }
+}
+
+fn run_call(args: &[&str]) -> (bool, String, String) {
+    let output = Command::new(env!("CARGO_BIN_EXE_act"))
+        .args(args)
+        .output()
+        .expect("failed to spawn act");
+    (
+        output.status.success(),
+        String::from_utf8_lossy(&output.stdout).to_string(),
+        String::from_utf8_lossy(&output.stderr).to_string(),
+    )
+}
+
+#[test]
+fn default_deny_blocks_http() {
+    let Some(wasm) = skip_if_missing() else {
+        return;
+    };
+    let wasm_s = wasm.to_string_lossy().to_string();
+    let (ok, _stdout, stderr) = run_call(&[
+        "call",
+        &wasm_s,
+        "fetch",
+        "--args",
+        r#"{"url":"https://example.com"}"#,
+    ]);
+    assert!(!ok, "expected call to fail under default deny policy");
+    assert!(
+        stderr.contains("HttpRequestDenied") || stderr.contains("blocked by ACT policy"),
+        "stderr should explain denial; got: {stderr}"
+    );
+}
+
+#[test]
+fn http_allow_matching_host_succeeds() {
+    let Some(wasm) = skip_if_missing() else {
+        return;
+    };
+    let wasm_s = wasm.to_string_lossy().to_string();
+    let (ok, stdout, stderr) = run_call(&[
+        "call",
+        "--http-allow",
+        "example.com",
+        &wasm_s,
+        "fetch",
+        "--args",
+        r#"{"url":"https://example.com"}"#,
+    ]);
+    assert!(
+        ok,
+        "expected call to succeed with --http-allow example.com; stderr: {stderr}"
+    );
+    assert!(
+        stdout.contains("Example Domain") || stdout.contains("example"),
+        "expected response body; got stdout: {stdout}"
+    );
+}
+
+#[test]
+fn http_allow_mismatched_host_blocks() {
+    let Some(wasm) = skip_if_missing() else {
+        return;
+    };
+    let wasm_s = wasm.to_string_lossy().to_string();
+    let (ok, _stdout, stderr) = run_call(&[
+        "call",
+        "--http-allow",
+        "evil.example",
+        &wasm_s,
+        "fetch",
+        "--args",
+        r#"{"url":"https://example.com"}"#,
+    ]);
+    assert!(
+        !ok,
+        "expected deny when allow rule's host doesn't match request host"
+    );
+    assert!(
+        stderr.contains("HttpRequestDenied") || stderr.contains("blocked by ACT policy"),
+        "stderr should explain denial; got: {stderr}"
+    );
+}
+
+#[test]
+fn http_policy_open_allows_any_host() {
+    let Some(wasm) = skip_if_missing() else {
+        return;
+    };
+    let wasm_s = wasm.to_string_lossy().to_string();
+    let (ok, stdout, stderr) = run_call(&[
+        "call",
+        "--http-policy",
+        "open",
+        &wasm_s,
+        "fetch",
+        "--args",
+        r#"{"url":"https://example.com"}"#,
+    ]);
+    assert!(
+        ok,
+        "expected open policy to allow the request; stderr: {stderr}"
+    );
+    assert!(
+        stdout.contains("Example Domain") || stdout.contains("example"),
+        "expected response body; got stdout: {stdout}"
+    );
+}
+
+#[test]
+fn declaration_warning_when_policy_deny() {
+    let Some(wasm) = skip_if_missing() else {
+        return;
+    };
+    let wasm_s = wasm.to_string_lossy().to_string();
+    // info doesn't need the network; should still emit the capability warning
+    let (_ok, _stdout, stderr) = run_call(&["info", "--tools", &wasm_s]);
+    assert!(
+        stderr.contains("component declares wasi:http but policy denies"),
+        "expected capability warning; got: {stderr}"
+    );
+}
