idprova-core 0.1.1

Core library for IDProva — AI agent identity, delegation, and audit
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346

//! Constraint inheritance validation for delegation chains.
//!
//! When a DAT delegates to a child, the child's constraints must be
//! **at least as restrictive** as the parent's. This module validates
//! that invariant for all constraint fields.

use crate::dat::constraints::DatConstraints;
use crate::{IdprovaError, Result};

/// Validate that child constraints are at least as restrictive as parent constraints.
///
/// Rules:
/// - Numeric limits: child <= parent (or child present when parent absent is fine)
/// - Trust level: child >= parent (higher minimum = more restrictive)
/// - IP lists: child allowed_ips ⊆ parent allowed_ips (narrower allowed set)
/// - Geofence: child ⊆ parent (fewer countries)
/// - Time windows: child ⊆ parent (fewer or narrower windows)
/// - Config attestation: child must match parent if parent is set
///
/// Returns `Ok(())` if inheritance is valid, or an error describing the violation.
pub fn validate_constraint_inheritance(
    parent: &DatConstraints,
    child: &DatConstraints,
) -> Result<()> {
    // Rate limit: child max_actions must be <= parent max_actions
    let parent_rl = parent.rate_limit.as_ref().map(|r| r.max_actions);
    let child_rl = child.rate_limit.as_ref().map(|r| r.max_actions);
    validate_numeric_le("rateLimit.maxActions", parent_rl, child_rl)?;

    // Delegation depth: child must be <= parent
    validate_numeric_le_u32(
        "maxDelegationDepth",
        parent.max_delegation_depth,
        child.max_delegation_depth,
    )?;

    // Trust level: child min_trust_level must be >= parent (more restrictive = higher ordinal)
    validate_trust_level(parent, child)?;

    // Geofence: child countries must be subset of parent countries
    validate_set_subset(
        "allowedCountries",
        &parent.allowed_countries,
        &child.allowed_countries,
    )?;

    // Config attestation: if parent requires it, child must require the same hash
    if let Some(ref parent_hash) = parent.required_config_hash {
        match child.required_config_hash {
            Some(ref child_hash) if child_hash == parent_hash => {} // OK
            Some(ref child_hash) => {
                return Err(IdprovaError::ConstraintViolated(format!(
                    "child config hash '{child_hash}' differs from parent '{parent_hash}'"
                )));
            }
            None => {
                return Err(IdprovaError::ConstraintViolated(
                    "child must require config hash when parent does".into(),
                ));
            }
        }
    }

    Ok(())
}

fn validate_numeric_le(name: &str, parent: Option<u64>, child: Option<u64>) -> Result<()> {
    if let Some(p) = parent {
        match child {
            Some(c) if c <= p => Ok(()),
            Some(c) => Err(IdprovaError::ConstraintViolated(format!(
                "child {name} ({c}) exceeds parent ({p})"
            ))),
            // Child has no limit but parent does — child is less restrictive
            None => Err(IdprovaError::ConstraintViolated(format!(
                "child must set {name} when parent limits to {p}"
            ))),
        }
    } else {
        Ok(()) // Parent has no limit, child can do anything
    }
}

fn validate_numeric_le_u32(name: &str, parent: Option<u32>, child: Option<u32>) -> Result<()> {
    if let Some(p) = parent {
        match child {
            Some(c) if c <= p => Ok(()),
            Some(c) => Err(IdprovaError::ConstraintViolated(format!(
                "child {name} ({c}) exceeds parent ({p})"
            ))),
            None => Err(IdprovaError::ConstraintViolated(format!(
                "child must set {name} when parent limits to {p}"
            ))),
        }
    } else {
        Ok(())
    }
}

fn validate_trust_level(parent: &DatConstraints, child: &DatConstraints) -> Result<()> {
    if let Some(parent_min) = parent.min_trust_level {
        match child.min_trust_level {
            Some(child_min) if child_min >= parent_min => Ok(()),
            Some(child_min) => Err(IdprovaError::ConstraintViolated(format!(
                "child min_trust_level ({child_min}) is less restrictive than parent ({parent_min})"
            ))),
            None => Err(IdprovaError::ConstraintViolated(
                "child must set min_trust_level when parent does".into(),
            )),
        }
    } else {
        Ok(())
    }
}

fn validate_set_subset(
    name: &str,
    parent: &Option<Vec<String>>,
    child: &Option<Vec<String>>,
) -> Result<()> {
    if let Some(ref parent_set) = parent {
        match child {
            Some(ref child_set) => {
                let parent_upper: Vec<String> =
                    parent_set.iter().map(|s| s.to_uppercase()).collect();
                for c in child_set {
                    if !parent_upper.contains(&c.to_uppercase()) {
                        return Err(IdprovaError::ConstraintViolated(format!(
                            "child {name} contains '{c}' which is not in parent set"
                        )));
                    }
                }
                Ok(())
            }
            // Child has no restriction but parent does — child is wider
            None => Err(IdprovaError::ConstraintViolated(format!(
                "child must set {name} when parent restricts it"
            ))),
        }
    } else {
        Ok(()) // Parent has no restriction
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::dat::constraints::RateLimit;

    fn empty() -> DatConstraints {
        DatConstraints::default()
    }

    fn rl(max: u64) -> Option<RateLimit> {
        Some(RateLimit {
            max_actions: max,
            window_secs: 3600,
        })
    }

    #[test]
    fn test_both_empty_is_valid() {
        assert!(validate_constraint_inheritance(&empty(), &empty()).is_ok());
    }

    #[test]
    fn test_child_narrower_rate_limit() {
        let parent = DatConstraints {
            rate_limit: rl(100),
            ..Default::default()
        };
        let child = DatConstraints {
            rate_limit: rl(50),
            ..Default::default()
        };
        assert!(validate_constraint_inheritance(&parent, &child).is_ok());
    }

    #[test]
    fn test_child_wider_rate_limit_rejected() {
        let parent = DatConstraints {
            rate_limit: rl(100),
            ..Default::default()
        };
        let child = DatConstraints {
            rate_limit: rl(200),
            ..Default::default()
        };
        assert!(validate_constraint_inheritance(&parent, &child).is_err());
    }

    #[test]
    fn test_child_missing_rate_limit_rejected() {
        let parent = DatConstraints {
            rate_limit: rl(100),
            ..Default::default()
        };
        let child = empty();
        assert!(validate_constraint_inheritance(&parent, &child).is_err());
    }

    #[test]
    fn test_child_narrower_delegation_depth() {
        let parent = DatConstraints {
            max_delegation_depth: Some(5),
            ..Default::default()
        };
        let child = DatConstraints {
            max_delegation_depth: Some(3),
            ..Default::default()
        };
        assert!(validate_constraint_inheritance(&parent, &child).is_ok());
    }

    #[test]
    fn test_child_wider_delegation_depth_rejected() {
        let parent = DatConstraints {
            max_delegation_depth: Some(3),
            ..Default::default()
        };
        let child = DatConstraints {
            max_delegation_depth: Some(5),
            ..Default::default()
        };
        assert!(validate_constraint_inheritance(&parent, &child).is_err());
    }

    #[test]
    fn test_child_higher_trust_level_ok() {
        let parent = DatConstraints {
            min_trust_level: Some(1),
            ..Default::default()
        };
        let child = DatConstraints {
            min_trust_level: Some(3),
            ..Default::default()
        }; // more restrictive
        assert!(validate_constraint_inheritance(&parent, &child).is_ok());
    }

    #[test]
    fn test_child_lower_trust_level_rejected() {
        let parent = DatConstraints {
            min_trust_level: Some(2),
            ..Default::default()
        };
        let child = DatConstraints {
            min_trust_level: Some(0),
            ..Default::default()
        }; // less restrictive
        assert!(validate_constraint_inheritance(&parent, &child).is_err());
    }

    #[test]
    fn test_child_missing_trust_level_rejected() {
        let parent = DatConstraints {
            min_trust_level: Some(1),
            ..Default::default()
        };
        let child = empty();
        assert!(validate_constraint_inheritance(&parent, &child).is_err());
    }

    #[test]
    fn test_geofence_subset_ok() {
        let parent = DatConstraints {
            allowed_countries: Some(vec!["AU".into(), "NZ".into(), "US".into()]),
            ..Default::default()
        };
        let child = DatConstraints {
            allowed_countries: Some(vec!["AU".into()]),
            ..Default::default()
        };
        assert!(validate_constraint_inheritance(&parent, &child).is_ok());
    }

    #[test]
    fn test_geofence_superset_rejected() {
        let parent = DatConstraints {
            allowed_countries: Some(vec!["AU".into()]),
            ..Default::default()
        };
        let child = DatConstraints {
            allowed_countries: Some(vec!["AU".into(), "US".into()]),
            ..Default::default()
        };
        assert!(validate_constraint_inheritance(&parent, &child).is_err());
    }

    #[test]
    fn test_geofence_missing_child_rejected() {
        let parent = DatConstraints {
            allowed_countries: Some(vec!["AU".into()]),
            ..Default::default()
        };
        let child = empty();
        assert!(validate_constraint_inheritance(&parent, &child).is_err());
    }

    #[test]
    fn test_config_attestation_same_ok() {
        let parent = DatConstraints {
            required_config_hash: Some("sha256:abc".into()),
            ..Default::default()
        };
        let child = DatConstraints {
            required_config_hash: Some("sha256:abc".into()),
            ..Default::default()
        };
        assert!(validate_constraint_inheritance(&parent, &child).is_ok());
    }

    #[test]
    fn test_config_attestation_different_rejected() {
        let parent = DatConstraints {
            required_config_hash: Some("sha256:abc".into()),
            ..Default::default()
        };
        let child = DatConstraints {
            required_config_hash: Some("sha256:xyz".into()),
            ..Default::default()
        };
        assert!(validate_constraint_inheritance(&parent, &child).is_err());
    }

    #[test]
    fn test_config_attestation_missing_child_rejected() {
        let parent = DatConstraints {
            required_config_hash: Some("sha256:abc".into()),
            ..Default::default()
        };
        let child = empty();
        assert!(validate_constraint_inheritance(&parent, &child).is_err());
    }

    #[test]
    fn test_parent_unrestricted_child_anything_ok() {
        let child = DatConstraints {
            rate_limit: rl(10),
            allowed_countries: Some(vec!["AU".into()]),
            min_trust_level: Some(3),
            ..Default::default()
        };
        assert!(validate_constraint_inheritance(&empty(), &child).is_ok());
    }
}