kovra_wrapper/allowlist.rs
1//! The executor allowlist (spec §5.1, invariant I15).
2//!
3//! Injecting a `high`/`prod` secret into a child process is only a containment
4//! boundary if the executable is **outside the agent's control** — a process the
5//! agent authored can read its own environment and print it (last-mile, §16).
6//! So `high`/`prod` injection is restricted to a configured allowlist of
7//! reviewed executables (e.g. a versioned `./deploy.sh`, a Makefile target);
8//! ad-hoc commands the agent improvises are not eligible.
9//!
10//! Matching is on the **resolved program path**, canonicalized (symlinks and
11//! relative components resolved) so `./deploy.sh`, `deploy.sh`, and the absolute
12//! path all compare equal when they name the same reviewed file.
13
14use std::collections::BTreeSet;
15use std::path::{Path, PathBuf};
16
17/// A set of reviewed executable paths eligible to receive `high`/`prod`
18/// injection. An empty allowlist refuses **every** `high`/`prod` command (fails
19/// safe); `low`/`medium` non-prod injection never consults it (§5.1).
20#[derive(Debug, Clone, Default)]
21pub struct Allowlist {
22 /// Canonicalized (where possible) absolute paths of reviewed executables.
23 entries: BTreeSet<PathBuf>,
24}
25
26impl Allowlist {
27 /// An empty allowlist — refuses all `high`/`prod` commands.
28 pub fn empty() -> Self {
29 Self::default()
30 }
31
32 /// Build an allowlist from a set of reviewed executable paths.
33 pub fn from_paths<I, P>(paths: I) -> Self
34 where
35 I: IntoIterator<Item = P>,
36 P: Into<PathBuf>,
37 {
38 Self {
39 entries: paths
40 .into_iter()
41 .map(|p| canonical_or_owned(&p.into()))
42 .collect(),
43 }
44 }
45
46 /// Add one reviewed executable to the allowlist.
47 pub fn allow(&mut self, path: impl Into<PathBuf>) {
48 self.entries.insert(canonical_or_owned(&path.into()));
49 }
50
51 /// Whether `program` is a reviewed, allowlisted executable.
52 pub fn allows(&self, program: &Path) -> bool {
53 self.entries.contains(&canonical_or_owned(program))
54 }
55
56 /// Whether the allowlist is empty (refuses every `high`/`prod` command).
57 pub fn is_empty(&self) -> bool {
58 self.entries.is_empty()
59 }
60}
61
62/// Canonicalize a path, falling back to the path as-given when it does not exist
63/// on disk (a non-existent command can never match a real reviewed file, so the
64/// fallback is safe — it simply will not be on the list).
65fn canonical_or_owned(p: &Path) -> PathBuf {
66 std::fs::canonicalize(p).unwrap_or_else(|_| p.to_path_buf())
67}
68
69#[cfg(test)]
70mod tests {
71 use super::*;
72
73 #[test]
74 fn empty_allowlist_refuses_everything() {
75 let a = Allowlist::empty();
76 assert!(a.is_empty());
77 assert!(!a.allows(Path::new("/usr/bin/env")));
78 }
79
80 #[test]
81 fn allowlisted_program_matches_through_canonicalization() {
82 // A real file so canonicalize succeeds on both sides.
83 let dir = tempfile::tempdir().unwrap();
84 let exe = dir.path().join("deploy.sh");
85 std::fs::write(&exe, b"#!/bin/sh\n").unwrap();
86
87 let a = Allowlist::from_paths([&exe]);
88 assert!(a.allows(&exe));
89
90 // A different file is not on the list.
91 let other = dir.path().join("evil.sh");
92 std::fs::write(&other, b"#!/bin/sh\n").unwrap();
93 assert!(!a.allows(&other));
94 }
95
96 #[test]
97 fn allow_adds_an_entry() {
98 let dir = tempfile::tempdir().unwrap();
99 let exe = dir.path().join("run.sh");
100 std::fs::write(&exe, b"#!/bin/sh\n").unwrap();
101 let mut a = Allowlist::empty();
102 assert!(!a.allows(&exe));
103 a.allow(&exe);
104 assert!(a.allows(&exe));
105 }
106}