tandem-server 0.6.0

HTTP server for Tandem engine APIs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

use tandem_memory::types::{GovernedReadMode, MemoryAccessFilter};
use tandem_types::{RuntimeAuthMode, VerifiedTenantContext};

pub fn governed_memory_read_mode(
    runtime_auth_mode: RuntimeAuthMode,
    verified_tenant_context: Option<&VerifiedTenantContext>,
    has_grant_backed_access: bool,
) -> GovernedReadMode {
    let has_strict_projection = verified_tenant_context
        .and_then(|context| context.strict_projection.as_ref())
        .is_some();
    if runtime_auth_mode != RuntimeAuthMode::LocalSingleTenant
        || verified_tenant_context.is_some()
        || has_strict_projection
        || has_grant_backed_access
    {
        GovernedReadMode::GovernedStrict
    } else {
        GovernedReadMode::LocalNoop
    }
}

pub fn governed_memory_read_filter(
    runtime_auth_mode: RuntimeAuthMode,
    verified_tenant_context: Option<&VerifiedTenantContext>,
    has_grant_backed_access: bool,
    now_ms: u64,
) -> Option<MemoryAccessFilter> {
    match governed_memory_read_mode(
        runtime_auth_mode,
        verified_tenant_context,
        has_grant_backed_access,
    ) {
        GovernedReadMode::LocalNoop => None,
        GovernedReadMode::GovernedStrict => Some(MemoryAccessFilter::governed(
            verified_tenant_context.and_then(|context| context.strict_projection.clone()),
            now_ms,
        )),
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use tandem_memory::types::GovernedReadMode;

    #[test]
    fn hosted_mode_without_verified_context_builds_fail_closed_filter() {
        let filter =
            governed_memory_read_filter(RuntimeAuthMode::HostedSingleTenant, None, false, 2_000)
                .expect("hosted reads are governed");

        assert_eq!(filter.mode, GovernedReadMode::GovernedStrict);
        assert!(filter.strict_context.is_none());
    }

    #[test]
    fn enterprise_mode_missing_assertion_builds_fail_closed_filter() {
        let filter =
            governed_memory_read_filter(RuntimeAuthMode::EnterpriseRequired, None, false, 2_000)
                .expect("enterprise reads are governed");

        assert_eq!(filter.mode, GovernedReadMode::GovernedStrict);
        assert!(filter.strict_context.is_none());
    }

    #[test]
    fn local_mode_without_enterprise_context_keeps_noop_filter() {
        let filter =
            governed_memory_read_filter(RuntimeAuthMode::LocalSingleTenant, None, false, 2_000);

        assert!(filter.is_none());
    }
}