test(proxy): verify L4 deny enqueues a DenialEvent

mesutoezdil · mesutoezdil · commit 2bcc30e9ceba · 2026-05-23T19:46:24.000+03:00
Signed-off-by: mesutoezdil &lt;mesudozdil@gmail.com&gt;
diff --git a/crates/openshell-sandbox/src/proxy.rs b/crates/openshell-sandbox/src/proxy.rs
@@ -6443,4 +6443,28 @@ network_policies:
             }
         }
     }
+
+    #[test]
+    fn test_emit_denial_enqueues_denial_event() {
+        let (tx, mut rx) = tokio::sync::mpsc::unbounded_channel::<crate::denial_aggregator::DenialEvent>();
+        let decision = ConnectDecision {
+            action: NetworkAction::Deny { reason: "no matching policy".into() },
+            generation: 0,
+            binary: Some(std::path::PathBuf::from("/usr/bin/curl")),
+            binary_pid: Some(1234),
+            ancestors: vec![],
+            cmdline_paths: vec![],
+        };
+
+        emit_denial(&Some(tx), "blocked.invalid", 443, "/usr/bin/curl", &decision, "no matching policy", "connect");
+
+        let event = rx.try_recv().expect("DenialEvent should be enqueued after L4 deny");
+        assert_eq!(event.host, "blocked.invalid");
+        assert_eq!(event.port, 443);
+        assert_eq!(event.binary, "/usr/bin/curl");
+        assert_eq!(event.denial_stage, "connect");
+        assert_eq!(event.deny_reason, "no matching policy");
+        assert!(event.l7_method.is_none());
+        assert!(event.l7_path.is_none());
+    }
 }
