aaai-core 0.1.0

Core engine for aaai — audit for asset integrity
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328

//! Audit definition — the "expected values" YAML document.
//!
//! The on-disk format is versioned YAML.  Each [`AuditEntry`] describes one
//! expected file-level difference plus the content-audit [`AuditStrategy`]
//! and the mandatory human-readable `reason`.
//!
//! # File shape
//!
//! ```yaml
//! version: "1"
//! meta:
//!   description: "Release v2.3.0 audit"
//! entries:
//!   - path: "config/server.toml"
//!     diff_type: Modified
//!     reason: "ポート番号の仕様変更"
//!     strategy:
//!       type: LineMatch
//!       rules:
//!         - action: Removed
//!           line: "port = 80"
//!         - action: Added
//!           line: "port = 8080"
//!     enabled: true
//!     note: "本番環境への適用に伴う変更"
//! ```

use serde::{Deserialize, Serialize};

use crate::diff::entry::DiffType;

// ── Top-level document ────────────────────────────────────────────────────

/// The root of an audit definition file.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditDefinition {
    /// Schema version.  Currently `"1"`.
    pub version: String,

    /// Optional human-readable metadata for the definition file itself.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub meta: Option<AuditMeta>,

    /// Ordered list of expected-value entries.
    #[serde(default)]
    pub entries: Vec<AuditEntry>,
}

impl AuditDefinition {
    /// Construct a new, empty definition at the current schema version.
    pub fn new_empty() -> Self {
        Self {
            version: "1".to_string(),
            meta: None,
            entries: Vec::new(),
        }
    }

    /// Return the entry for `path`, if any.  Comparison is
    /// case-sensitive and uses Unix-style forward-slash separators.
    pub fn find_entry(&self, path: &str) -> Option<&AuditEntry> {
        self.entries.iter().find(|e| e.path == path)
    }

    /// Mutable variant of [`find_entry`].
    pub fn find_entry_mut(&mut self, path: &str) -> Option<&mut AuditEntry> {
        self.entries.iter_mut().find(|e| e.path == path)
    }

    /// Upsert an entry: replace the existing entry for the same path or
    /// append a new one.  Preserves the sort-stable order of existing
    /// entries so that repeated saves do not produce spurious diffs.
    pub fn upsert_entry(&mut self, entry: AuditEntry) {
        if let Some(existing) = self.find_entry_mut(&entry.path.clone()) {
            *existing = entry;
        } else {
            self.entries.push(entry);
        }
    }
}

// ── Metadata ─────────────────────────────────────────────────────────────

/// Free-form metadata attached to the definition file.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct AuditMeta {
    /// A short description of what this audit covers.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub description: Option<String>,
}

// ── Per-file entry ────────────────────────────────────────────────────────

/// One expected-value record for a single path.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEntry {
    /// Root-relative path using forward slashes (`config/server.toml`).
    pub path: String,

    /// The difference type this entry expects to see.
    pub diff_type: DiffType,

    /// Mandatory human-readable justification.  Empty strings are
    /// rejected at validation time.
    pub reason: String,

    /// Content-audit strategy.
    #[serde(default)]
    pub strategy: AuditStrategy,

    /// Whether this entry participates in auditing.
    /// Disabled entries produce [`crate::audit::result::AuditStatus::Ignored`].
    #[serde(default = "default_true")]
    pub enabled: bool,

    /// Optional free-form note (stored but not used for judgement).
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub note: Option<String>,
}

fn default_true() -> bool {
    true
}

impl AuditEntry {
    /// Return `true` when the entry is complete enough for a valid approval:
    /// non-empty path, non-empty reason, and a strategy that passes its own
    /// validation.
    pub fn is_approvable(&self) -> Result<(), String> {
        if self.path.trim().is_empty() {
            return Err("Path must not be empty.".into());
        }
        if self.reason.trim().is_empty() {
            return Err("Reason must not be empty.".into());
        }
        self.strategy.validate()?;
        Ok(())
    }
}

// ── Content-audit strategy ────────────────────────────────────────────────

/// The content-level audit strategy to apply to a matched entry.
///
/// Each variant carries its own parameters.  The engine dispatches on this
/// enum to produce a per-file content verdict.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type")]
pub enum AuditStrategy {
    /// Check only that the expected diff kind occurred.  No content
    /// inspection.
    None,

    /// Verify that the file's SHA-256 digest matches `expected_sha256`.
    Checksum {
        /// Expected lowercase hex SHA-256 digest.
        expected_sha256: String,
    },

    /// Verify that specific lines were added and/or removed.
    LineMatch {
        /// Ordered list of expected line changes.
        rules: Vec<LineRule>,
    },

    /// Verify that added/removed lines match a regular expression.
    Regex {
        /// The regular expression pattern (applied per changed line).
        pattern: String,
        /// Which side of the diff to apply the pattern to.
        #[serde(default)]
        target: RegexTarget,
    },

    /// Verify that the *after* file's full content exactly matches
    /// `expected_content`.
    Exact {
        /// Expected full file content.
        expected_content: String,
    },
}

impl Default for AuditStrategy {
    fn default() -> Self {
        AuditStrategy::None
    }
}

impl AuditStrategy {
    /// Human-readable short label for UI display.
    pub fn label(&self) -> &'static str {
        match self {
            AuditStrategy::None => "None",
            AuditStrategy::Checksum { .. } => "Checksum",
            AuditStrategy::LineMatch { .. } => "LineMatch",
            AuditStrategy::Regex { .. } => "Regex",
            AuditStrategy::Exact { .. } => "Exact",
        }
    }

    /// Brief description shown in the inspector UI.
    pub fn description(&self) -> &'static str {
        match self {
            AuditStrategy::None =>
                "Checks only that the expected change type occurred. \
                 No content inspection is performed.",
            AuditStrategy::Checksum { .. } =>
                "Verifies the file's SHA-256 digest. \
                 Suitable for binaries, images, and archives.",
            AuditStrategy::LineMatch { .. } =>
                "Verifies that specific lines were added or removed. \
                 The primary strategy for config-value changes.",
            AuditStrategy::Regex { .. } =>
                "Verifies that changed lines match a regular expression. \
                 Useful when the exact value is environment-dependent.",
            AuditStrategy::Exact { .. } =>
                "Verifies that the file's full content exactly matches \
                 the expected text. Avoid for large files.",
        }
    }

    /// Validate strategy-specific parameters.  Returns `Err` with a
    /// human-readable message when the strategy is misconfigured.
    pub fn validate(&self) -> Result<(), String> {
        match self {
            AuditStrategy::None => Ok(()),

            AuditStrategy::Checksum { expected_sha256 } => {
                if expected_sha256.trim().is_empty() {
                    return Err("Checksum: expected_sha256 must not be empty.".into());
                }
                if !expected_sha256.chars().all(|c| c.is_ascii_hexdigit()) {
                    return Err(
                        "Checksum: expected_sha256 must be a valid hex string.".into()
                    );
                }
                if expected_sha256.len() != 64 {
                    return Err(
                        "Checksum: expected_sha256 must be a 64-character SHA-256 hex digest."
                            .into(),
                    );
                }
                Ok(())
            }

            AuditStrategy::LineMatch { rules } => {
                if rules.is_empty() {
                    return Err("LineMatch: at least one rule is required.".into());
                }
                for (i, r) in rules.iter().enumerate() {
                    if r.line.trim().is_empty() {
                        return Err(format!("LineMatch rule {}: line must not be empty.", i + 1));
                    }
                }
                Ok(())
            }

            AuditStrategy::Regex { pattern, .. } => {
                if pattern.trim().is_empty() {
                    return Err("Regex: pattern must not be empty.".into());
                }
                regex::Regex::new(pattern)
                    .map(|_| ())
                    .map_err(|e| format!("Regex: invalid pattern — {e}"))
            }

            AuditStrategy::Exact { expected_content } => {
                if expected_content.is_empty() {
                    return Err("Exact: expected_content must not be empty.".into());
                }
                Ok(())
            }
        }
    }
}

// ── LineMatch rule ────────────────────────────────────────────────────────

/// One expected line change in a [`AuditStrategy::LineMatch`] strategy.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct LineRule {
    /// Whether this line is expected to have been added or removed.
    pub action: LineAction,
    /// The exact line content (without a trailing newline).
    pub line: String,
}

/// Direction of a line change in [`LineRule`].
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum LineAction {
    /// Line is expected to be present only in the *after* folder (added).
    Added,
    /// Line is expected to be present only in the *before* folder (removed).
    Removed,
}

impl std::fmt::Display for LineAction {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            LineAction::Added => write!(f, "Added"),
            LineAction::Removed => write!(f, "Removed"),
        }
    }
}

// ── Regex target ──────────────────────────────────────────────────────────

/// Which lines the [`AuditStrategy::Regex`] pattern is applied to.
#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Serialize, Deserialize)]
pub enum RegexTarget {
    /// Apply to added lines (present in *after* but not *before*).
    #[default]
    AddedLines,
    /// Apply to removed lines (present in *before* but not *after*).
    RemovedLines,
    /// Apply to all changed lines (union of added and removed).
    AllChangedLines,
}

impl std::fmt::Display for RegexTarget {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            RegexTarget::AddedLines => write!(f, "Added lines"),
            RegexTarget::RemovedLines => write!(f, "Removed lines"),
            RegexTarget::AllChangedLines => write!(f, "All changed lines"),
        }
    }
}