zoey-core 0.1.1

ZoeyAI core runtime and types — privacy-first AI agent framework optimized for local models
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176

//! Authentication for Agent API
//!
//! Provides secure token-based authentication and authorization

use super::types::{ApiPermission, ApiToken};
use crate::{ZoeyError, Result};
use sha2::{Digest, Sha256};
use std::collections::HashMap;
use std::sync::Arc;
use tokio::sync::RwLock;
use tracing::{debug, warn};

/// Authentication manager for agent API
pub struct ApiAuthManager {
    /// Token hash -> ApiToken mapping
    tokens: Arc<RwLock<HashMap<String, ApiToken>>>,
}

impl ApiAuthManager {
    /// Create new authentication manager
    pub fn new(tokens: Vec<ApiToken>) -> Self {
        let token_map: HashMap<String, ApiToken> =
            tokens.into_iter().map(|t| (t.token.clone(), t)).collect();

        Self {
            tokens: Arc::new(RwLock::new(token_map)),
        }
    }

    /// Create with no tokens (authentication disabled)
    pub fn disabled() -> Self {
        Self {
            tokens: Arc::new(RwLock::new(HashMap::new())),
        }
    }

    /// Hash a token for secure storage
    pub fn hash_token(token: &str) -> String {
        let mut hasher = Sha256::new();
        hasher.update(token.as_bytes());
        format!("{:x}", hasher.finalize())
    }

    /// Validate an authentication token and return permissions
    pub async fn validate_token(&self, token: &str) -> Result<Vec<ApiPermission>> {
        let token_hash = Self::hash_token(token);

        let tokens = self.tokens.read().await;

        // If no tokens configured, allow access (authentication disabled)
        if tokens.is_empty() {
            debug!("Authentication disabled, allowing access");
            return Ok(vec![
                ApiPermission::Read,
                ApiPermission::Write,
                ApiPermission::Execute,
            ]);
        }

        let api_token = tokens.get(&token_hash).ok_or_else(|| {
            warn!("Authentication failed: invalid token");
            ZoeyError::Config("Invalid authentication token".to_string())
        })?;

        // Check if token is expired
        if let Some(expires_at) = api_token.expires_at {
            let now = chrono::Utc::now().timestamp();
            if now > expires_at {
                warn!("Authentication failed: token expired");
                return Err(ZoeyError::Config(
                    "Authentication token has expired".to_string(),
                ));
            }
        }

        debug!(
            "Token validated successfully: {} (permissions: {:?})",
            api_token.name, api_token.permissions
        );

        Ok(api_token.permissions.clone())
    }

    /// Check if token has specific permission
    pub async fn has_permission(&self, token: &str, permission: ApiPermission) -> Result<bool> {
        let permissions = self.validate_token(token).await?;

        // Admin has all permissions
        if permissions.contains(&ApiPermission::Admin) {
            return Ok(true);
        }

        Ok(permissions.contains(&permission))
    }

    /// Add a new token
    pub async fn add_token(&self, token: ApiToken) {
        let mut tokens = self.tokens.write().await;
        tokens.insert(token.token.clone(), token);
    }

    /// Remove a token
    pub async fn remove_token(&self, token_hash: &str) -> bool {
        let mut tokens = self.tokens.write().await;
        tokens.remove(token_hash).is_some()
    }

    /// List all tokens (without sensitive data)
    pub async fn list_tokens(&self) -> Vec<String> {
        let tokens = self.tokens.read().await;
        tokens.values().map(|t| t.name.clone()).collect()
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use uuid::Uuid;

    #[tokio::test]
    async fn test_authentication() {
        let token = ApiToken {
            token: ApiAuthManager::hash_token("test-token"),
            name: "Test Token".to_string(),
            permissions: vec![ApiPermission::Read, ApiPermission::Write],
            expires_at: None,
            agent_id: Some(Uuid::new_v4()),
        };

        let auth = ApiAuthManager::new(vec![token]);

        // Valid token
        let perms = auth.validate_token("test-token").await.unwrap();
        assert_eq!(perms.len(), 2);
        assert!(perms.contains(&ApiPermission::Read));

        // Invalid token
        assert!(auth.validate_token("invalid").await.is_err());
    }

    #[tokio::test]
    async fn test_disabled_auth() {
        let auth = ApiAuthManager::disabled();
        let perms = auth.validate_token("any-token").await.unwrap();
        assert!(perms.contains(&ApiPermission::Read));
    }

    #[tokio::test]
    async fn test_has_permission() {
        let admin_token = ApiToken {
            token: ApiAuthManager::hash_token("admin-token"),
            name: "Admin Token".to_string(),
            permissions: vec![ApiPermission::Admin],
            expires_at: None,
            agent_id: None,
        };

        let auth = ApiAuthManager::new(vec![admin_token]);

        // Admin has all permissions
        assert!(auth
            .has_permission("admin-token", ApiPermission::Execute)
            .await
            .unwrap());
    }

    #[test]
    fn test_token_hashing() {
        let hash1 = ApiAuthManager::hash_token("test");
        let hash2 = ApiAuthManager::hash_token("test");
        let hash3 = ApiAuthManager::hash_token("different");

        assert_eq!(hash1, hash2);
        assert_ne!(hash1, hash3);
    }
}