Sandbox-Guide/scripts/generate-egress-token.py at main · NeaByteLab/Sandbox-Guide · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#!/usr/bin/env python3
# generate_egress_token.py

import jwt
import time
from datetime import datetime, timedelta

# EC private key (ES256)
PRIVATE_KEY = """
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJ... (your private key)
-----END EC PRIVATE KEY-----
"""

def generate_egress_token(container_id, user_id, allowed_hosts, duration_hours=4):
    """Generate egress control JWT"""

    now = int(time.time())
    payload = {
        "iss": "secure-egress-control",
        "iat": now,
        "exp": now + (duration_hours * 3600),
        "container_id": container_id,
        "organization_uuid": user_id,
        "allowed_hosts": ",".join(allowed_hosts),
        "is_hipaa_regulated": "false",
        "use_egress_gateway": "true",
        "enforce_container_binding": "true", # RECOMMENDED: Set to true
        "enforce_centralized_egress": "false"
    }

    token = jwt.encode(
        payload,
        PRIVATE_KEY,
        algorithm="ES256",
        headers={"kid": "your-ecdsa-key-id"}
    )

    return token

# Example usage
if __name__ == "__main__":
    allowed_hosts = [
        "api.example.com",
        "github.com",
        "npmjs.com",
        "pypi.org",
        "archive.ubuntu.com"
    ]

    token = generate_egress_token(
        container_id="sandbox_session_abc123",
        user_id="user_123",
        allowed_hosts=allowed_hosts
    )

    print(f"JWT Token: {token}")