agentd 0.1.2

Agent daemon for secure capability execution with pluggable isolation backends
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197

//! Attestation Types Module
//!
//! Contains shared types and structures used across attestation modules.

use serde::{Deserialize, Serialize};
use std::collections::HashMap;

/// Runtime attestation results included in execution outputs
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RuntimeAttestationResults {
    /// Capability bundle digest verification
    pub capability_digest: String,
    /// Executor image digest (if available)
    pub executor_image_digest: Option<String>,
    /// Capability bundle signature verification result
    pub bundle_sig_ok: bool,
    /// SLSA provenance verification result
    pub provenance_ok: bool,
    /// Overall attestation verification status
    pub attestation_verified: bool,
    /// Timestamp of attestation verification
    pub verified_at: chrono::DateTime<chrono::Utc>,
    /// Verification details for audit trail
    pub verification_details: VerificationDetails,
}

/// Detailed verification information for audit purposes
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct VerificationDetails {
    /// Individual check results
    pub checks: HashMap<String, bool>,
    /// Verification warnings (non-fatal issues)
    pub warnings: Vec<String>,
    /// Verification errors (fatal issues)
    pub errors: Vec<String>,
    /// Verification context metadata
    pub context: HashMap<String, String>,
}

impl RuntimeAttestationResults {
    /// Create new attestation results
    pub fn new(
        capability_digest: String,
        executor_image_digest: Option<String>,
        bundle_sig_ok: bool,
        provenance_ok: bool,
        attestation_verified: bool,
        verification_details: VerificationDetails,
    ) -> Self {
        Self {
            capability_digest,
            executor_image_digest,
            bundle_sig_ok,
            provenance_ok,
            attestation_verified,
            verified_at: chrono::Utc::now(),
            verification_details,
        }
    }

    /// Check if attestation is fully verified
    pub fn is_fully_verified(&self) -> bool {
        self.attestation_verified && self.bundle_sig_ok && self.provenance_ok
    }

    /// Get verification summary
    pub fn get_summary(&self) -> String {
        format!(
            "Attestation: {}, Signature: {}, Provenance: {}",
            if self.attestation_verified { "" } else { "" },
            if self.bundle_sig_ok { "" } else { "" },
            if self.provenance_ok { "" } else { "" }
        )
    }
}

impl VerificationDetails {
    /// Create new verification details
    pub fn new(
        checks: HashMap<String, bool>,
        warnings: Vec<String>,
        errors: Vec<String>,
        context: HashMap<String, String>,
    ) -> Self {
        Self {
            checks,
            warnings,
            errors,
            context,
        }
    }

    /// Create verification details from verification result
    pub fn from_verification_result(
        result: &smith_attestation::VerificationResult,
        context: HashMap<String, String>,
    ) -> Self {
        Self {
            checks: result.checks.clone(),
            warnings: result.warnings.clone(),
            errors: result.errors.clone(),
            context,
        }
    }

    /// Check if there are any errors
    pub fn has_errors(&self) -> bool {
        !self.errors.is_empty()
    }

    /// Check if there are any warnings
    pub fn has_warnings(&self) -> bool {
        !self.warnings.is_empty()
    }

    /// Get the number of passed checks
    pub fn passed_checks_count(&self) -> usize {
        self.checks.values().filter(|&&passed| passed).count()
    }

    /// Get the number of failed checks
    pub fn failed_checks_count(&self) -> usize {
        self.checks.values().filter(|&&passed| !passed).count()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_runtime_attestation_results_creation() {
        let details = VerificationDetails::new(
            HashMap::new(),
            vec!["Warning message".to_string()],
            vec![],
            HashMap::new(),
        );

        let results = RuntimeAttestationResults::new(
            "digest123".to_string(),
            Some("image_digest456".to_string()),
            true,
            true,
            true,
            details,
        );

        assert_eq!(results.capability_digest, "digest123");
        assert_eq!(results.executor_image_digest, Some("image_digest456".to_string()));
        assert!(results.bundle_sig_ok);
        assert!(results.provenance_ok);
        assert!(results.attestation_verified);
        assert!(results.is_fully_verified());
    }

    #[test]
    fn test_runtime_attestation_results_partial_failure() {
        let details = VerificationDetails::new(
            HashMap::new(),
            vec![],
            vec!["Signature failed".to_string()],
            HashMap::new(),
        );

        let results = RuntimeAttestationResults::new(
            "digest123".to_string(),
            None,
            false, // signature failed
            true,
            false, // overall failed
            details,
        );

        assert!(!results.is_fully_verified());
        assert!(results.get_summary().contains(""));
    }

    #[test]
    fn test_verification_details() {
        let mut checks = HashMap::new();
        checks.insert("signature_valid".to_string(), true);
        checks.insert("digest_valid".to_string(), false);

        let details = VerificationDetails::new(
            checks,
            vec!["Warning".to_string()],
            vec!["Error".to_string()],
            HashMap::new(),
        );

        assert!(details.has_warnings());
        assert!(details.has_errors());
        assert_eq!(details.passed_checks_count(), 1);
        assert_eq!(details.failed_checks_count(), 1);
    }
}