1use crate::cap_from_name;
12use std::collections::BTreeSet;
13
14pub const UNKNOWN: &str = "Unknown";
16
17#[derive(Debug, Clone)]
20pub struct PolicyRule {
21 pub effects: BTreeSet<&'static str>,
22 pub scope: Option<String>,
23 pub raw: String,
24}
25
26#[derive(Debug, Clone)]
31pub struct AllowRule {
32 pub effect: &'static str,
33 pub scope: Option<String>,
34 pub literals: BTreeSet<String>,
35 pub raw: String,
36}
37
38#[derive(Debug, Clone)]
41pub struct LayerRule {
42 pub from: String,
43 pub to: String,
44 pub raw: String,
45}
46
47#[derive(Default, Debug)]
49pub struct ParsedPolicy {
50 pub rules: Vec<PolicyRule>,
51 pub allow_rules: Vec<AllowRule>,
52 pub layer_rules: Vec<LayerRule>,
53}
54
55pub fn host_part(h: &str) -> &str {
61 if let Some(rest) = h.strip_prefix('[') {
62 return rest.split(']').next().unwrap_or(rest);
64 }
65 if h.matches(':').count() > 1 {
66 return h; }
68 h.split(':').next().unwrap_or(h)
69}
70
71pub fn cmd_base(c: &str) -> &str {
73 c.rsplit(['/', '\\']).next().unwrap_or(c)
74}
75
76pub fn fs_path_covered(a: &str, r: &str) -> bool {
81 if r.split(['/', '\\']).any(|c| c == "..") {
82 return false;
83 }
84 let absolute = |s: &str| s.starts_with('/') || s.starts_with('\\');
85 if absolute(a) != absolute(r) {
86 return false;
87 }
88 let norm = |s: &str| -> Vec<String> {
89 s.split(['/', '\\'])
90 .filter(|c| !c.is_empty() && *c != ".")
91 .map(|c| c.to_string())
92 .collect()
93 };
94 let (ac, rc) = (norm(a), norm(r));
95 ac.len() <= rc.len() && ac.iter().zip(&rc).all(|(x, y)| x == y)
96}
97
98pub fn db_table_covered(a: &str, r: &str) -> bool {
104 let (a, r) = (a.to_lowercase(), r.to_lowercase());
105 if let Some(schema) = a.strip_suffix(".*") {
106 return r.strip_prefix(schema).is_some_and(|rest| rest.starts_with('.'));
107 }
108 a == r
109}
110
111pub fn literal_allowed(effect: &str, reached: &str, allow: &BTreeSet<String>) -> bool {
115 match effect {
116 "Net" => allow.iter().any(|a| host_part(a) == host_part(reached)),
117 "Exec" => allow.iter().any(|a| cmd_base(a) == cmd_base(reached)),
118 "Fs" => allow.iter().any(|a| fs_path_covered(a, reached)),
119 "Db" => allow.iter().any(|a| db_table_covered(a, reached)),
120 _ => allow.contains(reached),
121 }
122}
123
124fn name_segments(s: &str) -> Vec<&str> {
132 s.split(['.', ':']).filter(|p| !p.is_empty()).collect()
133}
134
135pub fn scope_matches(name: &str, scope: &str) -> bool {
140 let segs = name_segments(name);
141 let parts = name_segments(scope);
142 if parts.is_empty() || parts.len() > segs.len() {
143 return false;
144 }
145 let (last, init) = parts.split_last().unwrap();
146 segs.windows(parts.len()).any(|w| {
147 let (w_last, w_init) = w.split_last().unwrap();
148 w_init == init && w_last.starts_with(last)
149 })
150}
151
152pub fn rule_and_upgrade(r: &PolicyRule) -> (String, String) {
157 let scope = r.scope.clone().unwrap_or_default();
158 let suffix = if scope.is_empty() { String::new() } else { format!(" {scope}") };
159 if r.effects.is_empty() {
160 (format!("pure{suffix}"), format!("deny Unknown{suffix}"))
162 } else {
163 let effs = r.effects.iter().copied().collect::<Vec<_>>().join(" ");
164 (format!("deny {effs}{suffix}"), format!("deny {effs} Unknown{suffix}"))
165 }
166}
167
168pub fn unverified_hole_rule<'a, S: AsRef<str>>(
176 name: &str,
177 effects: &[S],
178 rules: &'a [PolicyRule],
179) -> Option<&'a PolicyRule> {
180 if !effects.iter().any(|e| e.as_ref() == UNKNOWN) {
181 return None;
182 }
183 rules.iter().find(|r| {
184 if let Some(s) = &r.scope {
186 if !scope_matches(name, s) {
187 return false;
188 }
189 }
190 let violates = if r.effects.is_empty() {
192 effects.iter().any(|e| e.as_ref() != UNKNOWN)
193 } else {
194 effects.iter().any(|e| r.effects.contains(e.as_ref()))
195 };
196 !violates
197 })
198}
199
200fn is_ascii_ws(c: char) -> bool {
219 matches!(c, ' ' | '\t' | '\n' | '\x0b' | '\x0c' | '\r')
220}
221
222pub fn parse_policy(text: &str) -> ParsedPolicy {
223 let mut out = ParsedPolicy::default();
224 let normalized;
230 let text = if text.contains('\r') {
231 normalized = text.replace("\r\n", "\n").replace('\r', "\n");
232 normalized.as_str()
233 } else {
234 text
235 };
236 for raw_line in text.lines() {
237 let line = raw_line.split('#').next().unwrap_or("").trim_matches(is_ascii_ws);
238 if line.is_empty() {
239 continue;
240 }
241 let mut toks = line.split(is_ascii_ws).filter(|s| !s.is_empty());
242 match toks.next().unwrap_or("") {
243 "allow" => {
244 let effect = match toks.next().unwrap_or("") {
245 "Net" => "Net",
246 "Exec" => "Exec",
247 "Fs" => "Fs",
248 "Db" => "Db",
249 _ => {
250 eprintln!(
251 "candor: ignoring policy rule (allow supports only Net hosts / Exec commands / Fs paths / Db tables): {line}"
252 );
253 continue;
254 }
255 };
256 let mut rest: Vec<&str> = toks.collect();
257 let scope = if rest.first() == Some(&"in") {
258 let s = rest.get(1).map(|s| s.to_string());
259 rest.drain(..2.min(rest.len()));
260 s
261 } else {
262 None
263 };
264 let literals: BTreeSet<String> = rest.iter().map(|h| h.to_string()).collect();
265 if literals.is_empty() {
266 eprintln!("candor: ignoring policy rule (allow {effect} names no values): {line}");
267 continue;
268 }
269 out.allow_rules.push(AllowRule { effect, scope, literals, raw: line.to_string() });
270 }
271 "deny" => {
272 let mut effects = BTreeSet::new();
273 let mut scope = None;
274 for t in toks {
275 let e = if t == UNKNOWN { Some(UNKNOWN) } else { cap_from_name(t) };
276 match e {
277 Some(e) => {
278 effects.insert(e);
279 }
280 None => {
281 scope = Some(t.to_string());
282 break;
283 }
284 }
285 }
286 if effects.is_empty() {
287 eprintln!("candor: ignoring policy rule (no known effect named): {line}");
288 continue;
289 }
290 out.rules.push(PolicyRule { effects, scope, raw: line.to_string() });
291 }
292 "pure" => out.rules.push(PolicyRule {
293 effects: BTreeSet::new(),
294 scope: toks.next().map(str::to_string),
295 raw: line.to_string(),
296 }),
297 "forbid" => {
298 let a = toks.next().unwrap_or("");
299 let arrow = toks.next().unwrap_or("");
300 let b = toks.next().unwrap_or("");
301 if a.is_empty() || arrow != "->" || b.is_empty() {
302 eprintln!("candor: ignoring layering rule (want `forbid <scope> -> <scope>`): {line}");
303 continue;
304 }
305 out.layer_rules.push(LayerRule {
306 from: a.to_string(),
307 to: b.to_string(),
308 raw: line.to_string(),
309 });
310 }
311 other => eprintln!("candor: ignoring policy rule (unknown kind `{other}`): {line}"),
312 }
313 }
314 out
315}
316
317#[cfg(test)]
318mod tests {
319 #[test]
320 fn db_table_covering_is_strict() {
321 use super::db_table_covered as c;
322 assert!(c("ledger.entries", "Ledger.Entries")); assert!(c("ledger.*", "ledger.entries")); assert!(!c("ledger.*", "ledgerx.entries")); assert!(!c("entries", "ledger.entries")); assert!(c("entries", "entries"));
327 }
328
329 #[test]
330 fn allow_db_parses_and_gates() {
331 let p = super::parse_policy("allow Db in billing ledger.* customers\n");
332 assert_eq!(p.allow_rules.len(), 1);
333 assert_eq!(p.allow_rules[0].effect, "Db");
334 assert!(super::literal_allowed("Db", "ledger.entries", &p.allow_rules[0].literals));
335 assert!(super::literal_allowed("Db", "customers", &p.allow_rules[0].literals));
336 assert!(!super::literal_allowed("Db", "audit.log", &p.allow_rules[0].literals));
337 }
338
339 use super::*;
340
341 #[test]
342 fn policy_parses() {
343 let p = parse_policy(
344 "# the domain layer must stay pure of I/O\n\
345 deny Net Db domain\n\
346 deny Exec\n\
347 pure parse\n\
348 nonsense line\n\
349 deny notaneffect\n",
350 );
351 let rules = &p.rules;
352 assert_eq!(rules.len(), 3);
353 assert_eq!(rules[0].effects, ["Db", "Net"].into_iter().collect::<BTreeSet<_>>());
354 assert_eq!(rules[0].scope.as_deref(), Some("domain"));
355 assert!(rules[1].effects.contains("Exec") && rules[1].scope.is_none());
356 assert!(rules[2].effects.is_empty() && rules[2].scope.as_deref() == Some("parse"));
357 let cr = parse_policy("deny Net a\rdeny Exec b\rdeny Db c\r");
359 assert_eq!(cr.rules.len(), 3, "bare-CR lines must each parse");
360 assert!(cr.rules.iter().any(|r| r.effects.contains("Exec") && r.scope.as_deref() == Some("b")));
361 assert_eq!(parse_policy("deny Net a\r\ndeny Exec b\r").rules.len(), 2);
363 assert_eq!(parse_policy("deny Unknown core").rules[0].effects, ["Unknown"].into_iter().collect());
365 assert!(parse_policy("deny\ndeny \n").rules.is_empty());
366 assert!(parse_policy("deny notaneffect scope").rules.is_empty());
368 let p2 = parse_policy("deny Net foo Db");
370 assert_eq!(p2.rules[0].effects, ["Net"].into_iter().collect::<BTreeSet<_>>());
371 assert_eq!(p2.rules[0].scope.as_deref(), Some("foo"));
372 assert!(parse_policy("deny\u{a0}Net core").rules.is_empty(),
377 "an NBSP between deny and the effect must NOT split into separate tokens");
378 let nb = parse_policy("deny Net \u{a0}domain");
381 assert_eq!(nb.rules.len(), 1);
382 assert_eq!(nb.rules[0].effects, ["Net"].into_iter().collect::<BTreeSet<_>>());
383 assert_eq!(nb.rules[0].scope.as_deref(), Some("\u{a0}domain"));
384 }
385
386 #[test]
387 fn allowlist_parses() {
388 let p = parse_policy(
389 "allow Net in billing api.stripe.com hooks.stripe.com\n\
390 allow Exec in ci git\n\
391 allow Fs in config /etc/app\n\
392 allow Net github.com\n\
393 allow Clock whatever\n\
394 allow Net in nohosts\n\
395 allow\n",
396 );
397 assert_eq!(p.allow_rules.len(), 4); assert_eq!((p.allow_rules[0].effect, p.allow_rules[0].scope.as_deref()), ("Net", Some("billing")));
399 assert_eq!(
400 p.allow_rules[0].literals,
401 ["api.stripe.com", "hooks.stripe.com"].iter().map(|s| s.to_string()).collect()
402 );
403 assert_eq!((p.allow_rules[1].effect, p.allow_rules[1].scope.as_deref()), ("Exec", Some("ci")));
404 assert!(p.allow_rules[1].literals.contains("git"));
405 assert_eq!((p.allow_rules[2].effect, p.allow_rules[2].scope.as_deref()), ("Fs", Some("config")));
406 assert_eq!((p.allow_rules[3].effect, p.allow_rules[3].scope.is_none()), ("Net", true));
407
408 let set = |xs: &[&str]| xs.iter().map(|s| s.to_string()).collect::<BTreeSet<_>>();
409 assert!(literal_allowed("Net", "api.stripe.com:443", &set(&["api.stripe.com"])));
410 assert!(literal_allowed("Net", "2001:db8::aa", &set(&["2001:db8::aa"])));
413 assert!(!literal_allowed("Net", "2001:db8::ff", &set(&["2001:db8::aa"])));
414 assert!(!literal_allowed("Net", "2001:dead::1", &set(&["2001:db8::aa"])));
415 assert!(literal_allowed("Net", "[2001:db8::aa]:443", &set(&["2001:db8::aa"])));
416 assert_eq!(host_part("2001:db8::aa"), "2001:db8::aa");
417 assert_eq!(host_part("[2001:db8::aa]:443"), "2001:db8::aa");
418 assert_eq!(host_part("api.stripe.com:443"), "api.stripe.com");
419 assert!(literal_allowed("Exec", "/usr/bin/git", &set(&["git"])));
420 assert!(!literal_allowed("Exec", "/usr/bin/curl", &set(&["git"])));
421 assert!(literal_allowed("Fs", "/etc/app/conf.toml", &set(&["/etc/app"])));
422 assert!(!literal_allowed("Fs", "/etc/shadow", &set(&["/etc/app"])));
423 assert_eq!(cmd_base("/usr/bin/git"), "git");
424 }
425
426 #[test]
427 fn layering_rule_parses() {
428 let p = parse_policy(
429 "forbid domain -> infra\n\
430 forbid app::web -> app::db \n\
431 forbid domain infra\n\
432 forbid domain ->\n\
433 forbid\n",
434 );
435 assert_eq!(p.layer_rules.len(), 2);
436 assert_eq!((p.layer_rules[0].from.as_str(), p.layer_rules[0].to.as_str()), ("domain", "infra"));
437 assert_eq!((p.layer_rules[1].from.as_str(), p.layer_rules[1].to.as_str()), ("app::web", "app::db"));
438 }
439
440 #[test]
441 fn scope_matches_by_segment_not_substring() {
442 assert!(scope_matches("app::domain::handle", "domain"));
443 assert!(scope_matches("domain::handle", "domain"));
444 assert!(scope_matches("app::domain", "domain"));
445 assert!(scope_matches("crate::domain_logic", "domain"));
446 assert!(!scope_matches("app::subdomain::handle", "domain"));
447 assert!(!scope_matches("app::not_my_domain::f", "domain"));
448 assert!(scope_matches("crate::net::client::send", "net::client"));
450 assert!(scope_matches("crate::net::client_pool::get", "net::client"));
451 assert!(!scope_matches("crate::net::server::send", "net::client"));
452 assert!(!scope_matches("crate::network::client::send", "net::client"));
453 assert!(!scope_matches("crate::net::x::client", "net::client"));
454 assert!(!scope_matches("net", "net::client"));
455 assert!(scope_matches("com.acme.domain.Pricing.quote", "domain"));
459 assert!(scope_matches("com.acme.domain.Pricing.quote", "acme.domain"));
460 assert!(scope_matches("com.acme.domain.Pricing.quote", "acme::domain"));
461 assert!(scope_matches("com.acme.infra.Net.fetch", "infra.Net"));
462 assert!(!scope_matches("com.acme.subdomain.h", "domain"));
463 assert!(!scope_matches("com.acme.domain.h", "infra"));
464 }
465
466 #[test]
467 fn fs_path_covered_respects_boundaries() {
468 assert!(fs_path_covered("/etc/app", "/etc/app"));
469 assert!(fs_path_covered("/etc/app", "/etc/app/cfg.toml"));
470 assert!(fs_path_covered("/etc/app/", "/etc/app/cfg"));
471 assert!(!fs_path_covered("/etc/app", "/etc/apppwned"));
472 assert!(!fs_path_covered("/etc/app", "/etc/application/x"));
473 assert!(!fs_path_covered("/etc/app/cfg", "/etc/app"));
474 assert!(!fs_path_covered("/etc/app", "/etc/app/../passwd"));
475 assert!(fs_path_covered("/", "/etc/app/x"));
476 assert!(!fs_path_covered("etc/app", "/etc/app/cfg"));
477 assert!(!fs_path_covered("/etc/app", "etc/app/cfg"));
478 assert!(fs_path_covered("etc/app", "etc/app/cfg"));
479 }
480}