agentd 0.1.2

Agent daemon for secure capability execution with pluggable isolation backends
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281

//! Policy Loader Module
//!
//! Handles loading capability bundles, signatures, and provenance from various locations.

use anyhow::Result;
use smith_attestation::{Signature, SlsaProvenance};
use std::path::{Path, PathBuf};
use tracing::debug;

/// Policy loader for attestation files
pub struct PolicyLoader {
    signature_search_paths: Vec<PathBuf>,
    provenance_search_paths: Vec<PathBuf>,
}

impl PolicyLoader {
    /// Create new policy loader with default search paths
    pub fn new() -> Self {
        Self {
            signature_search_paths: vec![
                PathBuf::from("build/attestation/policy_signature.json"),
                PathBuf::from("policy_signature.json"),
                PathBuf::from(".attestation/policy_signature.json"),
            ],
            provenance_search_paths: vec![
                PathBuf::from("build/attestation/build-provenance.json"),
                PathBuf::from("build-provenance.json"),
                PathBuf::from(".attestation/build-provenance.json"),
            ],
        }
    }

    /// Create policy loader with custom search paths
    pub fn with_custom_paths(
        signature_paths: Vec<PathBuf>,
        provenance_paths: Vec<PathBuf>,
    ) -> Self {
        Self {
            signature_search_paths: signature_paths,
            provenance_search_paths: provenance_paths,
        }
    }

    /// Load capability bundle from path
    pub async fn load_capability_bundle(&self, path: &Path) -> Result<Vec<u8>> {
        if !path.exists() {
            return Err(anyhow::anyhow!(
                "Capability bundle does not exist: {}",
                path.display()
            ));
        }

        let bundle_bytes = tokio::fs::read(path).await?;
        debug!("Loaded capability bundle from: {}", path.display());
        Ok(bundle_bytes)
    }

    /// Load policy signature from search paths
    pub async fn load_policy_signature(&self) -> Result<Signature> {
        for path in &self.signature_search_paths {
            match self.try_load_signature(path).await {
                Ok(signature) => {
                    debug!("Loaded policy signature from: {}", path.display());
                    return Ok(signature);
                }
                Err(_) => continue,
            }
        }

        Err(anyhow::anyhow!("Policy signature not found in any search path"))
    }

    /// Load policy provenance from search paths
    pub async fn load_policy_provenance(&self) -> Result<SlsaProvenance> {
        for path in &self.provenance_search_paths {
            match self.try_load_provenance(path).await {
                Ok(provenance) => {
                    debug!("Loaded policy provenance from: {}", path.display());
                    return Ok(provenance);
                }
                Err(_) => continue,
            }
        }

        Err(anyhow::anyhow!("Policy provenance not found in any search path"))
    }

    /// Try to load signature from a specific path
    async fn try_load_signature(&self, path: &Path) -> Result<Signature> {
        let signature_bytes = tokio::fs::read(path).await?;
        let signature: Signature = serde_json::from_slice(&signature_bytes)?;
        Ok(signature)
    }

    /// Try to load provenance from a specific path
    async fn try_load_provenance(&self, path: &Path) -> Result<SlsaProvenance> {
        let provenance_bytes = tokio::fs::read(path).await?;
        let provenance: SlsaProvenance = serde_json::from_slice(&provenance_bytes)?;
        Ok(provenance)
    }

    /// Check if capability bundle exists and is readable
    pub fn validate_capability_bundle_path(&self, path: &Path) -> Result<()> {
        if !path.exists() {
            return Err(anyhow::anyhow!(
                "Capability bundle does not exist: {}",
                path.display()
            ));
        }

        if !path.is_file() {
            return Err(anyhow::anyhow!(
                "Capability bundle path is not a file: {}",
                path.display()
            ));
        }

        // Check if file is readable (basic permission check)
        match std::fs::metadata(path) {
            Ok(metadata) => {
                if metadata.len() == 0 {
                    return Err(anyhow::anyhow!(
                        "Capability bundle is empty: {}",
                        path.display()
                    ));
                }
            }
            Err(e) => {
                return Err(anyhow::anyhow!(
                    "Cannot read capability bundle metadata: {}: {}",
                    path.display(),
                    e
                ));
            }
        }

        Ok(())
    }

    /// Get signature search paths
    pub fn get_signature_search_paths(&self) -> &[PathBuf] {
        &self.signature_search_paths
    }

    /// Get provenance search paths
    pub fn get_provenance_search_paths(&self) -> &[PathBuf] {
        &self.provenance_search_paths
    }
}

impl Default for PolicyLoader {
    fn default() -> Self {
        Self::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::{tempdir, NamedTempFile};
    use std::io::Write;

    #[test]
    fn test_policy_loader_creation() {
        let loader = PolicyLoader::new();
        
        assert!(!loader.signature_search_paths.is_empty());
        assert!(!loader.provenance_search_paths.is_empty());
        
        // Check default paths are present
        assert!(loader.signature_search_paths.iter()
            .any(|p| p.to_string_lossy().contains("policy_signature.json")));
        assert!(loader.provenance_search_paths.iter()
            .any(|p| p.to_string_lossy().contains("build-provenance.json")));
    }

    #[test]
    fn test_policy_loader_with_custom_paths() {
        let custom_sig_paths = vec![PathBuf::from("/custom/signature.json")];
        let custom_prov_paths = vec![PathBuf::from("/custom/provenance.json")];

        let loader = PolicyLoader::with_custom_paths(
            custom_sig_paths.clone(),
            custom_prov_paths.clone(),
        );

        assert_eq!(loader.get_signature_search_paths(), &custom_sig_paths);
        assert_eq!(loader.get_provenance_search_paths(), &custom_prov_paths);
    }

    #[tokio::test]
    async fn test_load_capability_bundle_success() {
        let temp_dir = tempdir().unwrap();
        let bundle_path = temp_dir.path().join("capability_bundle.json");
        
        let test_content = b"{\"policies\": []}";
        tokio::fs::write(&bundle_path, test_content).await.unwrap();

        let loader = PolicyLoader::new();
        let result = loader.load_capability_bundle(&bundle_path).await;

        assert!(result.is_ok());
        assert_eq!(result.unwrap(), test_content);
    }

    #[tokio::test]
    async fn test_load_capability_bundle_not_found() {
        let loader = PolicyLoader::new();
        let non_existent_path = PathBuf::from("/non/existent/path.json");
        
        let result = loader.load_capability_bundle(&non_existent_path).await;
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("does not exist"));
    }

    #[test]
    fn test_validate_capability_bundle_path_success() {
        let mut temp_file = NamedTempFile::new().unwrap();
        writeln!(temp_file, "{{\"test\": \"content\"}}").unwrap();

        let loader = PolicyLoader::new();
        let result = loader.validate_capability_bundle_path(temp_file.path());
        
        assert!(result.is_ok());
    }

    #[test]
    fn test_validate_capability_bundle_path_not_found() {
        let loader = PolicyLoader::new();
        let non_existent_path = PathBuf::from("/non/existent/path.json");
        
        let result = loader.validate_capability_bundle_path(&non_existent_path);
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("does not exist"));
    }

    #[test]
    fn test_validate_capability_bundle_path_empty_file() {
        let temp_file = NamedTempFile::new().unwrap();
        // Don't write anything, file remains empty

        let loader = PolicyLoader::new();
        let result = loader.validate_capability_bundle_path(temp_file.path());
        
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("is empty"));
    }

    #[test]
    fn test_validate_capability_bundle_path_directory() {
        let temp_dir = tempdir().unwrap();
        
        let loader = PolicyLoader::new();
        let result = loader.validate_capability_bundle_path(temp_dir.path());
        
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("not a file"));
    }

    #[tokio::test]
    async fn test_load_policy_signature_not_found() {
        // Create loader with non-existent paths
        let custom_paths = vec![PathBuf::from("/non/existent/signature.json")];
        let loader = PolicyLoader::with_custom_paths(custom_paths, vec![]);
        
        let result = loader.load_policy_signature().await;
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("not found in any search path"));
    }

    #[tokio::test]
    async fn test_load_policy_provenance_not_found() {
        // Create loader with non-existent paths
        let custom_paths = vec![PathBuf::from("/non/existent/provenance.json")];
        let loader = PolicyLoader::with_custom_paths(vec![], custom_paths);
        
        let result = loader.load_policy_provenance().await;
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("not found in any search path"));
    }
}