witmproxy 0.0.2-alpha

A WASM-in-the-middle proxy
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

use std::fmt;

#[cfg(test)]
mod tests;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Effect {
    Grant,
    Deny,
}

impl fmt::Display for Effect {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Effect::Grant => write!(f, "grant"),
            Effect::Deny => write!(f, "deny"),
        }
    }
}

impl std::str::FromStr for Effect {
    type Err = anyhow::Error;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s {
            "grant" => Ok(Effect::Grant),
            "deny" => Ok(Effect::Deny),
            _ => Err(anyhow::anyhow!("Invalid effect: {}", s)),
        }
    }
}

/// A parsed resource pattern with colon-delimited segments supporting `*` wildcards.
/// E.g. `plugins:noshorts:write` or `plugins:*:read`.
#[derive(Debug, Clone)]
pub struct ResourcePattern {
    segments: Vec<String>,
}

impl ResourcePattern {
    pub fn parse(pattern: &str) -> Self {
        Self {
            segments: pattern.split(':').map(|s| s.to_string()).collect(),
        }
    }

    /// Count of non-wildcard segments (used for specificity ranking).
    fn specificity(&self) -> usize {
        self.segments.iter().filter(|s| *s != "*").count()
    }

    /// Check if this pattern matches a resource string segment-by-segment.
    /// `*` matches any single segment. Segment count must match exactly.
    fn matches(&self, resource: &ResourcePattern) -> bool {
        if self.segments.len() != resource.segments.len() {
            return false;
        }
        self.segments
            .iter()
            .zip(resource.segments.iter())
            .all(|(pattern_seg, resource_seg)| pattern_seg == "*" || pattern_seg == resource_seg)
    }
}

impl fmt::Display for ResourcePattern {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}", self.segments.join(":"))
    }
}

#[derive(Debug, Clone)]
pub struct Permission {
    pub effect: Effect,
    pub resource: ResourcePattern,
}

impl Permission {
    pub fn new(effect: Effect, resource: &str) -> Self {
        Self {
            effect,
            resource: ResourcePattern::parse(resource),
        }
    }

    pub fn grant(resource: &str) -> Self {
        Self::new(Effect::Grant, resource)
    }

    pub fn deny(resource: &str) -> Self {
        Self::new(Effect::Deny, resource)
    }
}

/// Evaluate permissions against a resource string.
///
/// Algorithm:
/// 1. Collect all matching rules (segment-by-segment, `*` matches any single segment)
/// 2. Rank by specificity (count of non-wildcard segments)
/// 3. Most-specific wins; deny breaks ties at equal specificity
/// 4. Default deny if no rules match
pub fn evaluate(permissions: &[Permission], resource: &str) -> bool {
    let resource_pattern = ResourcePattern::parse(resource);

    let matching: Vec<&Permission> = permissions
        .iter()
        .filter(|p| p.resource.matches(&resource_pattern))
        .collect();

    if matching.is_empty() {
        return false; // default deny
    }

    // Find the maximum specificity among matching rules
    let max_specificity = matching
        .iter()
        .map(|p| p.resource.specificity())
        .max()
        .unwrap();

    // Filter to only the most-specific rules
    let most_specific: Vec<&&Permission> = matching
        .iter()
        .filter(|p| p.resource.specificity() == max_specificity)
        .collect();

    // If any deny exists at the most specific level, deny wins (tie-breaking)
    let has_deny = most_specific.iter().any(|p| p.effect == Effect::Deny);
    if has_deny {
        return false;
    }

    // All most-specific rules are grants
    true
}