[sandbox] environment policies have the same env as policy loader #596
Conversation
So policies can detect if they are being executed on the CLI and decide to do something different like not loading themselves. Because some might require shared dict that is not available.
mikz
force-pushed
the
apicast-sandbox-env
branch
from
3489fbf
to
8433f54
Compare
mikz
changed the title
arg
mikz
force-pushed
the
apicast-sandbox-env
branch
from
8433f54
to
228bf16
Compare
mikz
force-pushed
the
apicast-sandbox-env
branch
2 times, most recently
from
2855f21
to
de53506
Compare
| @@ -0,0 +1,255 @@ | |||
| --- Sandbox | |||
There was a problem hiding this comment.
Nice refactor 👍
I think this module does not contain any apicast-specific code so it could potentially be extracted into its own library, and that's why it's in the resty directory. However, there are some comments that mention apicast and policies. I think we should get rid of them. For example, the description of the module mentions APIcast, and the comment for local env mentions policies.
There was a problem hiding this comment.
Yep. I did not want to bother much with it now, but rather when it is extracted. Would that be ok?
| tonumber = tonumber, tostring = tostring, os = { getenv = resty_env.value }, | ||
| pcall = pcall, require = require, assert = assert, error = error, | ||
| }) | ||
| local box = sandbox.new() |
There was a problem hiding this comment.
I think this needs a comment explaining why we need the sandbox here.
There was a problem hiding this comment.
Yeah. We don't need one. But is is quite convenient way of adding some extra env and not using global variables. Will add it there.
* to split concerns of policy loading and a sandbox
mikz
force-pushed
the
apicast-sandbox-env
branch
from
de53506
to
df7011f
Compare
Extracts sandbox from policy loader to own module.
Load environment configurations with the same sandbox env as policies.
Expose
argin sandbox.Expose also
clias an alias toargwhen loading environment configurations.So policies can detect if they are being executed on the CLI
and decide to do something different like not loading themselves.
Because some might require shared dict that is not available.