1use crate::cap_from_name;
12use std::collections::BTreeSet;
13
14pub const UNKNOWN: &str = "Unknown";
16
17#[derive(Debug, Clone)]
20pub struct PolicyRule {
21 pub effects: BTreeSet<&'static str>,
22 pub scope: Option<String>,
23 pub raw: String,
24}
25
26#[derive(Debug, Clone)]
31pub struct AllowRule {
32 pub effect: &'static str,
33 pub scope: Option<String>,
34 pub literals: BTreeSet<String>,
35 pub raw: String,
36}
37
38#[derive(Debug, Clone)]
41pub struct LayerRule {
42 pub from: String,
43 pub to: String,
44 pub raw: String,
45}
46
47#[derive(Default, Debug)]
49pub struct ParsedPolicy {
50 pub rules: Vec<PolicyRule>,
51 pub allow_rules: Vec<AllowRule>,
52 pub layer_rules: Vec<LayerRule>,
53}
54
55pub fn host_part(h: &str) -> &str {
61 if let Some(rest) = h.strip_prefix('[') {
62 return rest.split(']').next().unwrap_or(rest);
64 }
65 if h.matches(':').count() > 1 {
66 return h; }
68 h.split(':').next().unwrap_or(h)
69}
70
71pub fn cmd_base(c: &str) -> &str {
73 c.rsplit(['/', '\\']).next().unwrap_or(c)
74}
75
76pub fn fs_path_covered(a: &str, r: &str) -> bool {
81 if r.split(['/', '\\']).any(|c| c == "..") {
82 return false;
83 }
84 let absolute = |s: &str| s.starts_with('/') || s.starts_with('\\');
85 if absolute(a) != absolute(r) {
86 return false;
87 }
88 let norm = |s: &str| -> Vec<String> {
89 s.split(['/', '\\'])
90 .filter(|c| !c.is_empty() && *c != ".")
91 .map(|c| c.to_string())
92 .collect()
93 };
94 let (ac, rc) = (norm(a), norm(r));
95 ac.len() <= rc.len() && ac.iter().zip(&rc).all(|(x, y)| x == y)
96}
97
98pub fn db_table_covered(a: &str, r: &str) -> bool {
104 let (a, r) = (a.to_lowercase(), r.to_lowercase());
105 if let Some(schema) = a.strip_suffix(".*") {
106 return r.strip_prefix(schema).is_some_and(|rest| rest.starts_with('.'));
107 }
108 a == r
109}
110
111pub fn literal_allowed(effect: &str, reached: &str, allow: &BTreeSet<String>) -> bool {
115 match effect {
116 "Net" | "Llm" => allow.iter().any(|a| host_part(a) == host_part(reached)),
118 "Exec" => allow.iter().any(|a| cmd_base(a) == cmd_base(reached)),
119 "Fs" => allow.iter().any(|a| fs_path_covered(a, reached)),
120 "Db" => allow.iter().any(|a| db_table_covered(a, reached)),
121 _ => allow.contains(reached),
122 }
123}
124
125fn name_segments(s: &str) -> Vec<&str> {
133 s.split(['.', ':']).filter(|p| !p.is_empty()).collect()
134}
135
136pub fn scope_matches(name: &str, scope: &str) -> bool {
141 let segs = name_segments(name);
142 let parts = name_segments(scope);
143 if parts.is_empty() || parts.len() > segs.len() {
144 return false;
145 }
146 let (last, init) = parts.split_last().unwrap();
147 segs.windows(parts.len()).any(|w| {
148 let (w_last, w_init) = w.split_last().unwrap();
149 w_init == init && w_last.starts_with(last)
150 })
151}
152
153pub fn rule_and_upgrade(r: &PolicyRule) -> (String, String) {
158 let scope = r.scope.clone().unwrap_or_default();
159 let suffix = if scope.is_empty() { String::new() } else { format!(" {scope}") };
160 if r.effects.is_empty() {
161 (format!("pure{suffix}"), format!("deny Unknown{suffix}"))
163 } else {
164 let effs = r.effects.iter().copied().collect::<Vec<_>>().join(" ");
165 (format!("deny {effs}{suffix}"), format!("deny {effs} Unknown{suffix}"))
166 }
167}
168
169pub fn unverified_hole_rule<'a, S: AsRef<str>>(
177 name: &str,
178 effects: &[S],
179 rules: &'a [PolicyRule],
180) -> Option<&'a PolicyRule> {
181 if !effects.iter().any(|e| e.as_ref() == UNKNOWN) {
182 return None;
183 }
184 rules.iter().find(|r| {
185 if let Some(s) = &r.scope {
187 if !scope_matches(name, s) {
188 return false;
189 }
190 }
191 let violates = if r.effects.is_empty() {
193 effects.iter().any(|e| e.as_ref() != UNKNOWN)
194 } else {
195 effects.iter().any(|e| r.effects.contains(e.as_ref()))
196 };
197 !violates
198 })
199}
200
201fn is_ascii_ws(c: char) -> bool {
220 matches!(c, ' ' | '\t' | '\n' | '\x0b' | '\x0c' | '\r')
221}
222
223pub fn parse_policy(text: &str) -> ParsedPolicy {
224 let mut out = ParsedPolicy::default();
225 let normalized;
231 let text = if text.contains('\r') {
232 normalized = text.replace("\r\n", "\n").replace('\r', "\n");
233 normalized.as_str()
234 } else {
235 text
236 };
237 for raw_line in text.lines() {
238 let line = raw_line.split('#').next().unwrap_or("").trim_matches(is_ascii_ws);
239 if line.is_empty() {
240 continue;
241 }
242 let mut toks = line.split(is_ascii_ws).filter(|s| !s.is_empty());
243 match toks.next().unwrap_or("") {
244 "allow" => {
245 let effect = match toks.next().unwrap_or("") {
246 "Net" => "Net",
247 "Llm" => "Llm",
251 "Exec" => "Exec",
252 "Fs" => "Fs",
253 "Db" => "Db",
254 _ => {
255 eprintln!(
256 "candor: ignoring policy rule (allow supports only Net hosts / Llm hosts / Exec commands / Fs paths / Db tables): {line}"
257 );
258 continue;
259 }
260 };
261 let mut rest: Vec<&str> = toks.collect();
262 let scope = if rest.first() == Some(&"in") {
263 let s = rest.get(1).map(|s| s.to_string());
264 rest.drain(..2.min(rest.len()));
265 s
266 } else {
267 None
268 };
269 let literals: BTreeSet<String> = rest.iter().map(|h| h.to_string()).collect();
270 if literals.is_empty() {
271 eprintln!("candor: ignoring policy rule (allow {effect} names no values): {line}");
272 continue;
273 }
274 out.allow_rules.push(AllowRule { effect, scope, literals, raw: line.to_string() });
275 }
276 "deny" => {
277 let mut effects = BTreeSet::new();
278 let mut scope = None;
279 for t in toks {
280 let e = if t == UNKNOWN { Some(UNKNOWN) } else { cap_from_name(t) };
281 match e {
282 Some(e) => {
283 effects.insert(e);
284 }
285 None => {
286 scope = Some(t.to_string());
287 break;
288 }
289 }
290 }
291 if effects.is_empty() {
292 eprintln!("candor: ignoring policy rule (no known effect named): {line}");
293 continue;
294 }
295 out.rules.push(PolicyRule { effects, scope, raw: line.to_string() });
296 }
297 "pure" => out.rules.push(PolicyRule {
298 effects: BTreeSet::new(),
299 scope: toks.next().map(str::to_string),
300 raw: line.to_string(),
301 }),
302 "forbid" => {
303 let a = toks.next().unwrap_or("");
304 let arrow = toks.next().unwrap_or("");
305 let b = toks.next().unwrap_or("");
306 if a.is_empty() || arrow != "->" || b.is_empty() {
307 eprintln!("candor: ignoring layering rule (want `forbid <scope> -> <scope>`): {line}");
308 continue;
309 }
310 out.layer_rules.push(LayerRule {
311 from: a.to_string(),
312 to: b.to_string(),
313 raw: line.to_string(),
314 });
315 }
316 other => eprintln!("candor: ignoring policy rule (unknown kind `{other}`): {line}"),
317 }
318 }
319 out
320}
321
322#[cfg(test)]
323mod tests {
324 #[test]
325 fn db_table_covering_is_strict() {
326 use super::db_table_covered as c;
327 assert!(c("ledger.entries", "Ledger.Entries")); assert!(c("ledger.*", "ledger.entries")); assert!(!c("ledger.*", "ledgerx.entries")); assert!(!c("entries", "ledger.entries")); assert!(c("entries", "entries"));
332 }
333
334 #[test]
335 fn allow_db_parses_and_gates() {
336 let p = super::parse_policy("allow Db in billing ledger.* customers\n");
337 assert_eq!(p.allow_rules.len(), 1);
338 assert_eq!(p.allow_rules[0].effect, "Db");
339 assert!(super::literal_allowed("Db", "ledger.entries", &p.allow_rules[0].literals));
340 assert!(super::literal_allowed("Db", "customers", &p.allow_rules[0].literals));
341 assert!(!super::literal_allowed("Db", "audit.log", &p.allow_rules[0].literals));
342 }
343
344 use super::*;
345
346 #[test]
347 fn policy_parses() {
348 let p = parse_policy(
349 "# the domain layer must stay pure of I/O\n\
350 deny Net Db domain\n\
351 deny Exec\n\
352 pure parse\n\
353 nonsense line\n\
354 deny notaneffect\n",
355 );
356 let rules = &p.rules;
357 assert_eq!(rules.len(), 3);
358 assert_eq!(rules[0].effects, ["Db", "Net"].into_iter().collect::<BTreeSet<_>>());
359 assert_eq!(rules[0].scope.as_deref(), Some("domain"));
360 assert!(rules[1].effects.contains("Exec") && rules[1].scope.is_none());
361 assert!(rules[2].effects.is_empty() && rules[2].scope.as_deref() == Some("parse"));
362 let cr = parse_policy("deny Net a\rdeny Exec b\rdeny Db c\r");
364 assert_eq!(cr.rules.len(), 3, "bare-CR lines must each parse");
365 assert!(cr.rules.iter().any(|r| r.effects.contains("Exec") && r.scope.as_deref() == Some("b")));
366 assert_eq!(parse_policy("deny Net a\r\ndeny Exec b\r").rules.len(), 2);
368 assert_eq!(parse_policy("deny Unknown core").rules[0].effects, ["Unknown"].into_iter().collect());
370 assert!(parse_policy("deny\ndeny \n").rules.is_empty());
371 assert!(parse_policy("deny notaneffect scope").rules.is_empty());
373 let p2 = parse_policy("deny Net foo Db");
375 assert_eq!(p2.rules[0].effects, ["Net"].into_iter().collect::<BTreeSet<_>>());
376 assert_eq!(p2.rules[0].scope.as_deref(), Some("foo"));
377 assert!(parse_policy("deny\u{a0}Net core").rules.is_empty(),
382 "an NBSP between deny and the effect must NOT split into separate tokens");
383 let nb = parse_policy("deny Net \u{a0}domain");
386 assert_eq!(nb.rules.len(), 1);
387 assert_eq!(nb.rules[0].effects, ["Net"].into_iter().collect::<BTreeSet<_>>());
388 assert_eq!(nb.rules[0].scope.as_deref(), Some("\u{a0}domain"));
389 }
390
391 #[test]
392 fn allowlist_parses() {
393 let p = parse_policy(
394 "allow Net in billing api.stripe.com hooks.stripe.com\n\
395 allow Exec in ci git\n\
396 allow Fs in config /etc/app\n\
397 allow Net github.com\n\
398 allow Clock whatever\n\
399 allow Net in nohosts\n\
400 allow\n",
401 );
402 assert_eq!(p.allow_rules.len(), 4); assert_eq!((p.allow_rules[0].effect, p.allow_rules[0].scope.as_deref()), ("Net", Some("billing")));
404 assert_eq!(
405 p.allow_rules[0].literals,
406 ["api.stripe.com", "hooks.stripe.com"].iter().map(|s| s.to_string()).collect()
407 );
408 assert_eq!((p.allow_rules[1].effect, p.allow_rules[1].scope.as_deref()), ("Exec", Some("ci")));
409 assert!(p.allow_rules[1].literals.contains("git"));
410 assert_eq!((p.allow_rules[2].effect, p.allow_rules[2].scope.as_deref()), ("Fs", Some("config")));
411 assert_eq!((p.allow_rules[3].effect, p.allow_rules[3].scope.is_none()), ("Net", true));
412
413 let set = |xs: &[&str]| xs.iter().map(|s| s.to_string()).collect::<BTreeSet<_>>();
414 assert!(literal_allowed("Net", "api.stripe.com:443", &set(&["api.stripe.com"])));
415 assert!(literal_allowed("Net", "2001:db8::aa", &set(&["2001:db8::aa"])));
418 assert!(!literal_allowed("Net", "2001:db8::ff", &set(&["2001:db8::aa"])));
419 assert!(!literal_allowed("Net", "2001:dead::1", &set(&["2001:db8::aa"])));
420 assert!(literal_allowed("Net", "[2001:db8::aa]:443", &set(&["2001:db8::aa"])));
421 assert_eq!(host_part("2001:db8::aa"), "2001:db8::aa");
422 assert_eq!(host_part("[2001:db8::aa]:443"), "2001:db8::aa");
423 assert_eq!(host_part("api.stripe.com:443"), "api.stripe.com");
424 assert!(literal_allowed("Exec", "/usr/bin/git", &set(&["git"])));
425 assert!(!literal_allowed("Exec", "/usr/bin/curl", &set(&["git"])));
426 assert!(literal_allowed("Fs", "/etc/app/conf.toml", &set(&["/etc/app"])));
427 assert!(!literal_allowed("Fs", "/etc/shadow", &set(&["/etc/app"])));
428 assert_eq!(cmd_base("/usr/bin/git"), "git");
429 }
430
431 #[test]
432 fn layering_rule_parses() {
433 let p = parse_policy(
434 "forbid domain -> infra\n\
435 forbid app::web -> app::db \n\
436 forbid domain infra\n\
437 forbid domain ->\n\
438 forbid\n",
439 );
440 assert_eq!(p.layer_rules.len(), 2);
441 assert_eq!((p.layer_rules[0].from.as_str(), p.layer_rules[0].to.as_str()), ("domain", "infra"));
442 assert_eq!((p.layer_rules[1].from.as_str(), p.layer_rules[1].to.as_str()), ("app::web", "app::db"));
443 }
444
445 #[test]
446 fn scope_matches_by_segment_not_substring() {
447 assert!(scope_matches("app::domain::handle", "domain"));
448 assert!(scope_matches("domain::handle", "domain"));
449 assert!(scope_matches("app::domain", "domain"));
450 assert!(scope_matches("crate::domain_logic", "domain"));
451 assert!(!scope_matches("app::subdomain::handle", "domain"));
452 assert!(!scope_matches("app::not_my_domain::f", "domain"));
453 assert!(scope_matches("crate::net::client::send", "net::client"));
455 assert!(scope_matches("crate::net::client_pool::get", "net::client"));
456 assert!(!scope_matches("crate::net::server::send", "net::client"));
457 assert!(!scope_matches("crate::network::client::send", "net::client"));
458 assert!(!scope_matches("crate::net::x::client", "net::client"));
459 assert!(!scope_matches("net", "net::client"));
460 assert!(scope_matches("com.acme.domain.Pricing.quote", "domain"));
464 assert!(scope_matches("com.acme.domain.Pricing.quote", "acme.domain"));
465 assert!(scope_matches("com.acme.domain.Pricing.quote", "acme::domain"));
466 assert!(scope_matches("com.acme.infra.Net.fetch", "infra.Net"));
467 assert!(!scope_matches("com.acme.subdomain.h", "domain"));
468 assert!(!scope_matches("com.acme.domain.h", "infra"));
469 }
470
471 #[test]
472 fn fs_path_covered_respects_boundaries() {
473 assert!(fs_path_covered("/etc/app", "/etc/app"));
474 assert!(fs_path_covered("/etc/app", "/etc/app/cfg.toml"));
475 assert!(fs_path_covered("/etc/app/", "/etc/app/cfg"));
476 assert!(!fs_path_covered("/etc/app", "/etc/apppwned"));
477 assert!(!fs_path_covered("/etc/app", "/etc/application/x"));
478 assert!(!fs_path_covered("/etc/app/cfg", "/etc/app"));
479 assert!(!fs_path_covered("/etc/app", "/etc/app/../passwd"));
480 assert!(fs_path_covered("/", "/etc/app/x"));
481 assert!(!fs_path_covered("etc/app", "/etc/app/cfg"));
482 assert!(!fs_path_covered("/etc/app", "etc/app/cfg"));
483 assert!(fs_path_covered("etc/app", "etc/app/cfg"));
484 }
485}