Appearance
Perforce CLI
Validate Perforce command-line client (p4.exe) behaviors under the Secure Sandbox.
Objectives
- Enforce deny-by-default egress and designated proxy/pinned roots for Perforce server connections.
- Verify workspace sync, edit, and print flows respect Storage Context boundaries.
- Ensure SSL trust/pinning and fail-closed posture prevent MitM or direct egress.
- Confirm ticket/trust and config files (for example,
P4TICKETS,P4TRUST,P4CONFIG) write/read only within allowed contexts.
Preconditions
- Windows target with Turbo Launcher and Secure Sandbox.
- Perforce CLI installed (
p4.exe). - Networking deny-by-default with proxy enforcement and pinned roots.
- Optional: Test depot access (read-only is sufficient) to exercise
p4 sync.
Controls Under Test
runtime.networking.egressDefaultAction, designated proxy enforcement, and pinned roots.runtime.files.contexts(workspace root and ticket/trust/config file locations).
Test Scenarios
| ID | Canonical ID | Scenario | Procedure | Expected Outcome |
|---|---|---|---|---|
| SCEN-TOOL-PERFORCE-CLI-01 | NET-EGRESS-01 | Server connection via FQDN | p4 -p ssl:perforce.example.com:1666 info (or p4 login -a). | Requests traverse designated proxy; denied if server not allowlisted. |
| SCEN-TOOL-PERFORCE-CLI-02 | NET-EGRESS-01 | Direct IP | set P4PORT=ssl:1.1.1.1:1666 && p4 info | Denied per default deny; audit shows action: "deny". |
| SCEN-TOOL-PERFORCE-CLI-03 | NET-EGRESS-11 | IPv6 literal | set P4PORT=ssl:[2606:4700:4700::1111]:1666 && p4 info | Denied; audit ipVersion: 6, action: "deny". |
| SCEN-TOOL-PERFORCE-CLI-04 | NET-EGRESS-09 | Proxy fail-closed | Take designated proxy down; run p4 info. | Denied; no direct fallback; reason: "proxyUnavailable", proxyEnforced: true. |
| SCEN-TOOL-PERFORCE-CLI-05 | NET-EGRESS-10 | Proxy identity/pinning | Intercept proxy TLS with wrong CA; p4 info. | TLS error/handshake failure; `reason: "certMismatch" |
| SCEN-TOOL-PERFORCE-CLI-06 | HARD-FILES-01 | Workspace sync inside Storage Context | Set client root to an allowed Storage Context; p4 sync //depot/sample/.... | Files populate only within the mapped Storage Context; no writes to blocked host paths. |
| SCEN-TOOL-PERFORCE-CLI-07 | HARD-FILES-01 | Workspace sync to blocked host path | Client root at C:\\Windows\\Temp\\p4ws; p4 sync. | Denied or virtualized; writes confined to overlay/context. |
| SCEN-TOOL-PERFORCE-CLI-08 | HARD-FILES-01 | Ticket/trust file locations | p4 login (ticket) and p4 trust -y -f (trust). | Ticket and trust files are written inside overlay/allowed context; no host escape. |
| SCEN-TOOL-PERFORCE-CLI-09 | NET-EGRESS-05 | Env proxy var bypass | set HTTPS_PROXY=http://attacker:8080 && p4 info. | Denied; reason: "unauthorizedProxy", proxyEnforced: true. |
| SCEN-TOOL-PERFORCE-CLI-10 | HARD-FILES-01 | Directed output to protected path | p4 print -q -o C:\\Windows\\test.txt //depot/sample.txt. | Write denied or virtualized; audit fileOp deny/virtualize. |
| SCEN-TOOL-PERFORCE-CLI-11 | NET-EGRESS-01 | Non-SSL server (tcp/1666) | p4 -p perforce.example.com:1666 info. | Denied unless explicitly allowlisted; proxy/pinning still enforced. |
| SCEN-TOOL-PERFORCE-CLI-12 | NET-EGRESS-01 | UNC workspace root | Map client root to \\\\server\\share\\ws and run p4 sync. | SMB egress blocked or writes constrained to contexts; audit deny. |
| SCEN-TOOL-PERFORCE-CLI-13 | HARD-FILES-01 | P4CONFIG outside context | Place P4CONFIG=.p4config only in a blocked host path; run p4 set/p4 info. | File discovery constrained; blocked paths not visible; config not loaded. |
| SCEN-TOOL-PERFORCE-CLI-14 | HARD-FILES-01 | Log file to protected path | p4 -L C:\\Windows\\p4.log info. | Log creation denied or virtualized to overlay/context. |
Optional: Perforce Proxy/Broker (if available)
| ID | Canonical ID | Scenario | Procedure | Expected Outcome |
|---|---|---|---|---|
| SCEN-TOOL-PERFORCE-CLI-15 | NET-EGRESS-01 | Connect via designated p4proxy | p4 -p ssl:p4proxy.corp.example:1666 info. | Allowed only if proxy host is allowlisted and pinned; otherwise deny. |
| SCEN-TOOL-PERFORCE-CLI-16 | NET-EGRESS-09 | p4proxy outage (fail-closed) | Stop p4p/blackhole proxy; p4 info. | Denied; no fallback to origin server; reason: "proxyUnavailable". |
| SCEN-TOOL-PERFORCE-CLI-17 | NET-EGRESS-10 | p4broker/proxy TLS identity | MitM proxy/broker TLS with wrong CA; p4 info. | Denied; `reason: "certMismatch" |
| SCEN-TOOL-PERFORCE-CLI-18 | NET-EGRESS-01 | Non-designated broker chain | Point P4PORT to an external broker broker.evil.tld:1666; p4 info. | Denied by default egress; audit shows deny to non-allowlisted host. |
Evidence Requirements
networkevents:destination(for example,perforce.example.com:1666),protocol(tcp),ipVersion,action,outcome,proxyEnforced, andreason(for example,proxyUnavailable,certMismatch,pinningFailed,unauthorizedProxy).fileOpevents: client root writes and directed output (-o), plus writes toP4TICKETS/P4TRUST; includepath,action/outcome(deny/virtualized), and context identifiers.
Troubleshooting
- You can validate without credentials using
p4 -p <server> info; if the server requires auth,p4 login -ais sufficient to exercise ticket file creation. p4 truststores a fingerprint; when designated proxy or pinned roots reject TLS, the connection should fail before trust is established.- Ensure the client root you pick cleanly maps inside or outside your allowed Storage Contexts to exercise both allowed and denied paths.
Known Limitations & Negative Space
- Scenarios assume a generic Perforce server; Perforce Proxy/Broker details vary. Use the optional section only when available in your environment.
- Windows symlink behaviors may vary by policy; these scenarios avoid symlink population.
