parlov-analysis 0.7.0

Analysis engine trait and signal detection for parlov.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217

//! Precondition gate logic for evidence modifiers.
//!
//! Detects when a Contradictory outcome is "phantom" — produced by a technique whose
//! mutation never reached the layer where it would matter. Auth gates, method-level
//! rejection, and parser failures are the most common phantom sources.
//!
//! The auth check uses a two-stage classifier (see [`super::auth_classifier`]) that suppresses
//! only non-differential same-layer auth blocks; status/body/header/location/challenge
//! differentials are preserved as evidence.

use parlov_core::{Applicability, BlockFamily, DifferentialSet, ProbeExchange, Technique};

use super::auth_equivalence::auth_gate_decision;
use super::auth_types::{AuthGateDecision, CredentialBlockKind};

/// Layer at which an auth block fired. Determines the operator-facing reason.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AuthBlockLayer {
    /// Origin server (401 / 403 with explicit auth signal).
    Origin,
    /// Proxy in front of origin (407).
    Proxy,
    /// Network gatekeeper / captive portal (511).
    Network,
    /// Heuristic 3xx-to-login redirect.
    LoginRedirect,
}

/// Structured reason a Contradictory outcome was downgraded.
///
/// Carried in `Inapplicable(reason)` to give operators an actionable diagnosis instead of an
/// opaque "no signal."
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PreconditionBlock {
    /// Auth gate fired before the technique reached the oracle layer. Carries the credential
    /// state (why the credential failed) and the layer at which the gate fired.
    AuthGateBeforeTechnique {
        /// Why the credential failed or was not provided.
        credential_state: CredentialBlockKind,
        /// Layer at which the auth block fired.
        layer: AuthBlockLayer,
    },
    /// Both responses were 405 — method-level rejection before resource lookup.
    MethodGateBeforeResource,
    /// Both responses were 4xx parser/validator rejection and the technique is downstream of parse.
    BlockedByParser,
    /// Required applicability marker absent (e.g. `ETag` missing for `If-None-Match`).
    ApplicabilityMarkerMissing,
    /// Differential observed on a surface this technique does not test (e.g. body/headers differ
    /// on a Status-surface technique).
    SurfaceMismatch,
    /// Route-mutating technique broke baseline routing — canonical 2xx with mutated baseline
    /// non-2xx, or canonical 301/308 (server canonicalized away from the mutated path).
    MutationDestroyedControl,
}

impl PreconditionBlock {
    /// Coarse block family used for observability classification.
    #[must_use]
    pub fn block_family(self) -> BlockFamily {
        match self {
            Self::AuthGateBeforeTechnique { .. } => BlockFamily::Authorization,
            Self::MethodGateBeforeResource => BlockFamily::Method,
            Self::BlockedByParser => BlockFamily::Parser,
            Self::ApplicabilityMarkerMissing | Self::MutationDestroyedControl => {
                BlockFamily::TechniqueLocal
            }
            Self::SurfaceMismatch => BlockFamily::Surface,
        }
    }

    /// Operator-facing reason string surfaced in the `Inapplicable` outcome.
    #[must_use]
    pub fn as_str(self) -> &'static str {
        match self {
            Self::AuthGateBeforeTechnique {
                credential_state,
                layer,
            } => auth_block_reason(credential_state, layer),
            Self::MethodGateBeforeResource => "method-level rejection before resource lookup",
            Self::BlockedByParser => "parser/validator rejection before technique evaluated",
            Self::ApplicabilityMarkerMissing => "technique applicability marker not observed",
            Self::SurfaceMismatch => {
                "differential observed on a surface this technique does not test"
            }
            Self::MutationDestroyedControl => {
                "mutation broke baseline route — control reference destroyed"
            }
        }
    }
}

/// Maps an `(credential_state, layer)` pair to the operator-facing reason string.
#[must_use]
fn auth_block_reason(credential_state: CredentialBlockKind, layer: AuthBlockLayer) -> &'static str {
    match (credential_state, layer) {
        (CredentialBlockKind::NoCredential, AuthBlockLayer::Origin) => {
            "auth gate fired before technique (no credential provided)"
        }
        (CredentialBlockKind::CredentialRejected, AuthBlockLayer::Origin) => {
            "auth gate fired before technique (credential rejected — token invalid/expired)"
        }
        (CredentialBlockKind::InsufficientScope, AuthBlockLayer::Origin) => {
            "auth gate fired before technique (credential lacks required scope)"
        }
        (CredentialBlockKind::UnknownAuthFailure, AuthBlockLayer::Origin) => {
            "auth gate fired before technique (specific failure not identified)"
        }
        (CredentialBlockKind::NotApplicable, AuthBlockLayer::Origin) => {
            "auth gate fired before technique reached oracle layer"
        }
        (_, AuthBlockLayer::Proxy) => "proxy auth required before technique reached origin",
        (_, AuthBlockLayer::Network) => "network/captive-portal auth required",
        (_, AuthBlockLayer::LoginRedirect) => "login-redirect fired before technique",
    }
}

/// Decision returned by [`precondition_confidence`]. Carries either a confidence value or a
/// structured block reason.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum PreconditionDecision {
    /// Request reached the relevant layer. Confidence in `[0.0, 1.0]`.
    Reached(f64),
    /// Hard block — Contradictory must be downgraded to Inapplicable.
    Blocked(PreconditionBlock),
}

impl PreconditionDecision {
    /// Confidence value for the modifier. `Blocked` → 0.0; `Reached(c)` → `c`.
    #[must_use]
    pub fn confidence(self) -> f64 {
        match self {
            Self::Reached(c) => c,
            Self::Blocked(_) => 0.0,
        }
    }

    /// Block reason if decision is blocked, else `None`.
    #[must_use]
    pub fn block_reason(self) -> Option<PreconditionBlock> {
        match self {
            Self::Blocked(reason) => Some(reason),
            Self::Reached(_) => None,
        }
    }
}

/// True when both responses are 405 Method Not Allowed.
fn same_method_gate(differential: &DifferentialSet) -> bool {
    let Some((b, p)) = first_pair(differential) else {
        return false;
    };
    b.response.status.as_u16() == 405 && p.response.status.as_u16() == 405
}

/// True when both responses are 400 or 422 with the same status code.
///
/// Parser failures are oracle-relevant for some techniques (`uniqueness`, `state-transition`,
/// `content-type`, `empty-body`, `dependency-delete`) and phantom for others (cache
/// validators, content negotiation, etc.) — the caller uses `Technique::parser_relevant`
/// to decide.
fn same_parser_failure(differential: &DifferentialSet) -> bool {
    let Some((b, p)) = first_pair(differential) else {
        return false;
    };
    let bs = b.response.status.as_u16();
    let ps = p.response.status.as_u16();
    matches!(bs, 400 | 422) && bs == ps
}

/// First baseline+probe exchange pair, or `None` if either side is empty.
fn first_pair(differential: &DifferentialSet) -> Option<(&ProbeExchange, &ProbeExchange)> {
    let b = differential.baseline.first()?;
    let p = differential.probe.first()?;
    Some((b, p))
}

/// Computes the precondition confidence for a technique against a probe pair.
///
/// Pipeline:
/// 1. Auth-gate decision via the two-stage classifier — gates only on equivalent same-layer
///    auth blocks; preserves auth-related differentials as evidence.
/// 2. Method-gate check — same 405 unless technique is method-relevant.
/// 3. Parser-failure check — same 400/422 unless technique is parser-relevant.
/// 4. Applicability marker check — calls `technique.applicability` to grade the response pair.
///
/// Returns `Reached(c)` with the applicability confidence, or `Blocked(reason)` when any gate
/// fires.
#[must_use]
pub fn precondition_confidence(
    technique: &Technique,
    differential: &DifferentialSet,
) -> PreconditionDecision {
    match auth_gate_decision(differential) {
        AuthGateDecision::Gate(reason) => return PreconditionDecision::Blocked(reason),
        AuthGateDecision::DoNotGate => return PreconditionDecision::Reached(1.0),
        AuthGateDecision::NoAuthInvolvement => {}
    }
    if same_method_gate(differential) && !technique.method_relevant {
        return PreconditionDecision::Blocked(PreconditionBlock::MethodGateBeforeResource);
    }
    if same_parser_failure(differential) && !technique.parser_relevant {
        return PreconditionDecision::Blocked(PreconditionBlock::BlockedByParser);
    }
    let Some((b, p)) = first_pair(differential) else {
        return PreconditionDecision::Reached(1.0);
    };
    let app = (technique.applicability)(&b.response, &p.response);
    if app == Applicability::Missing {
        return PreconditionDecision::Blocked(PreconditionBlock::ApplicabilityMarkerMissing);
    }
    PreconditionDecision::Reached(app.confidence())
}

#[cfg(test)]
#[path = "precondition_tests.rs"]
mod tests;