trust-tasks-rs 0.1.1

Reference Rust library for the Trust Tasks framework — transport-agnostic, JSON-based descriptions of verifiable work between parties.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225

//! ACL policy guards.
//!
//! Pure functions a maintainer calls from inside an `acl/*` handler to
//! enforce policy checks the spec names but does not implement. Each
//! returns an `Option<&'static str>` where `Some(error_code)` is the
//! extended error code the maintainer should respond with — slot it
//! straight into [`RejectReason::TaskFailed`](crate::RejectReason::TaskFailed)
//! or directly into the error payload's `code`.

/// Detect whether revoking `subject` from the entries iterator would
/// empty the maintainer's privileged-role set, per the
/// `acl/revoke:last_authority_protected` error code declared by
/// [`acl/revoke/0.1`](https://trusttasks.org/spec/acl/revoke/0.1).
///
/// `entries` yields the maintainer's current ACL entries (or any
/// ecosystem-flavoured subtype that exposes role + subject identity via
/// the two closures). `is_protected` returns `true` for entries whose
/// role is part of the "must always have at least one of" set
/// (typically `admin`, `owner`, …). `is_target_subject` returns `true`
/// for the entry being revoked.
///
/// Returns `Some("acl/revoke:last_authority_protected")` when the
/// revocation would leave zero protected entries; otherwise `None`.
///
/// The function is generic in the entry type so consumers that carry
/// ecosystem extension fields (webvh's `AclEntry.ext.vnd.affinidi.webvh.*`,
/// etc.) pass their own type without conversion.
///
/// ```rust
/// use trust_tasks_rs::guards::acl::reject_last_authority;
///
/// struct LocalEntry { subject: &'static str, role: &'static str }
///
/// let entries = [
///     LocalEntry { subject: "did:web:alice.example", role: "admin" },
///     LocalEntry { subject: "did:web:bob.example",   role: "member" },
/// ];
///
/// // Revoking the only admin trips the guard.
/// assert_eq!(
///     reject_last_authority(
///         entries.iter(),
///         |e: &&LocalEntry| e.role == "admin",
///         |e: &&LocalEntry| e.subject == "did:web:alice.example",
///     ),
///     Some("acl/revoke:last_authority_protected"),
/// );
///
/// // Revoking a non-admin does not trip the guard.
/// assert_eq!(
///     reject_last_authority(
///         entries.iter(),
///         |e: &&LocalEntry| e.role == "admin",
///         |e: &&LocalEntry| e.subject == "did:web:bob.example",
///     ),
///     None,
/// );
/// ```
pub fn reject_last_authority<E, F, G>(
    entries: impl IntoIterator<Item = E>,
    is_protected: F,
    is_target_subject: G,
) -> Option<&'static str>
where
    F: Fn(&E) -> bool,
    G: Fn(&E) -> bool,
{
    let mut target_is_protected = false;
    let mut other_protected = 0usize;
    for entry in entries {
        let protected = is_protected(&entry);
        let target = is_target_subject(&entry);
        if protected && target {
            target_is_protected = true;
        } else if protected {
            other_protected += 1;
        }
    }
    if target_is_protected && other_protected == 0 {
        Some("acl/revoke:last_authority_protected")
    } else {
        None
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    struct E {
        subject: &'static str,
        role: &'static str,
    }

    fn is_admin(e: &&E) -> bool {
        e.role == "admin"
    }

    fn target_alice(e: &&E) -> bool {
        e.subject == "did:web:alice.example"
    }

    #[test]
    fn single_admin_revocation_trips_guard() {
        let entries = [
            E {
                subject: "did:web:alice.example",
                role: "admin",
            },
            E {
                subject: "did:web:bob.example",
                role: "member",
            },
        ];
        assert_eq!(
            reject_last_authority(entries.iter(), is_admin, target_alice),
            Some("acl/revoke:last_authority_protected")
        );
    }

    #[test]
    fn two_admins_revocation_does_not_trip_guard() {
        let entries = [
            E {
                subject: "did:web:alice.example",
                role: "admin",
            },
            E {
                subject: "did:web:bob.example",
                role: "admin",
            },
        ];
        assert_eq!(
            reject_last_authority(entries.iter(), is_admin, target_alice),
            None
        );
    }

    #[test]
    fn revoking_non_admin_does_not_trip_guard_even_if_only_one_admin() {
        let entries = [
            E {
                subject: "did:web:alice.example",
                role: "admin",
            },
            E {
                subject: "did:web:bob.example",
                role: "member",
            },
        ];
        // Target is bob — a non-admin. Even though revoking him would
        // leave alice as the sole admin (which is fine), this guard is
        // about emptying the protected set, not about reducing it.
        assert_eq!(
            reject_last_authority(entries.iter(), is_admin, |e: &&E| e.subject
                == "did:web:bob.example"),
            None
        );
    }

    #[test]
    fn revoking_target_not_in_acl_does_not_trip_guard() {
        let entries = [E {
            subject: "did:web:alice.example",
            role: "admin",
        }];
        assert_eq!(
            reject_last_authority(entries.iter(), is_admin, |e: &&E| e.subject
                == "did:web:nobody.example"),
            None
        );
    }

    #[test]
    fn empty_acl_does_not_trip_guard() {
        let entries: [E; 0] = [];
        assert_eq!(
            reject_last_authority(entries.iter(), is_admin, target_alice),
            None
        );
    }

    /// Worked example mirroring webvh's likely usage: AclEntry carries an
    /// ecosystem `ext` field, and the protected predicate checks the
    /// generated AclEntry's `role` directly.
    #[test]
    fn works_with_codegen_acl_entry_shape() {
        use crate::specs::acl::grant::v0_1 as grant;

        let admin = grant::AclEntry {
            subject: "did:web:alice.example".into(),
            role: "admin".into(),
            scopes: vec![],
            label: None,
            created_at: None,
            created_by: None,
            updated_at: None,
            updated_by: None,
            expires_at: None,
            ext: None,
        };
        let member = grant::AclEntry {
            subject: "did:web:bob.example".into(),
            role: "member".into(),
            scopes: vec![],
            label: None,
            created_at: None,
            created_by: None,
            updated_at: None,
            updated_by: None,
            expires_at: None,
            ext: None,
        };
        let entries = [admin, member];

        assert_eq!(
            reject_last_authority(
                entries.iter(),
                |e: &&grant::AclEntry| e.role == "admin",
                |e: &&grant::AclEntry| e.subject == "did:web:alice.example",
            ),
            Some("acl/revoke:last_authority_protected")
        );
    }
}