mur_core/mcp/

trust.rs

//! Three-tier trust system for MCP servers.
//!
//! Trust levels:
//! - **Trusted**: Full access, no restrictions. Used for first-party servers.
//! - **Verified**: Checked against a known-good hash. Community servers.
//! - **Untrusted**: Sandboxed with strict limits. Unknown servers.

use anyhow::{Context, Result};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::path::{Path, PathBuf};
use std::sync::Mutex;

/// Trust level for an MCP server.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum TrustLevel {
    /// Full access — first-party or explicitly trusted by user.
    Trusted,
    /// Verified via checksum — community servers with known-good hashes.
    Verified,
    /// Untrusted — sandboxed with strict resource limits.
    Untrusted,
}

impl std::fmt::Display for TrustLevel {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            TrustLevel::Trusted => write!(f, "trusted"),
            TrustLevel::Verified => write!(f, "verified"),
            TrustLevel::Untrusted => write!(f, "untrusted"),
        }
    }
}

impl std::str::FromStr for TrustLevel {
    type Err = anyhow::Error;

    fn from_str(s: &str) -> Result<Self> {
        match s.to_lowercase().as_str() {
            "trusted" => Ok(TrustLevel::Trusted),
            "verified" => Ok(TrustLevel::Verified),
            "untrusted" => Ok(TrustLevel::Untrusted),
            _ => anyhow::bail!("Unknown trust level: '{}' (expected: trusted, verified, untrusted)", s),
        }
    }
}

/// Validated MCP capability enum.
///
/// Uses an allow-list pattern: only recognized capabilities are permitted.
/// Unrecognized capability strings are rejected at parse time.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum McpCapability {
    ReadFile,
    ListTools,
    Search,
    WriteFile,
    ExecuteSafe,
    NetworkHttp,
}

impl std::fmt::Display for McpCapability {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            McpCapability::ReadFile => write!(f, "read_file"),
            McpCapability::ListTools => write!(f, "list_tools"),
            McpCapability::Search => write!(f, "search"),
            McpCapability::WriteFile => write!(f, "write_file"),
            McpCapability::ExecuteSafe => write!(f, "execute_safe"),
            McpCapability::NetworkHttp => write!(f, "network_http"),
        }
    }
}

impl std::str::FromStr for McpCapability {
    type Err = anyhow::Error;

    fn from_str(s: &str) -> Result<Self> {
        match s {
            "read_file" => Ok(McpCapability::ReadFile),
            "list_tools" => Ok(McpCapability::ListTools),
            "search" => Ok(McpCapability::Search),
            "write_file" => Ok(McpCapability::WriteFile),
            "execute_safe" => Ok(McpCapability::ExecuteSafe),
            "network_http" => Ok(McpCapability::NetworkHttp),
            _ => anyhow::bail!(
                "Unknown MCP capability: '{}' (known: read_file, list_tools, search, write_file, execute_safe, network_http)",
                s
            ),
        }
    }
}

/// Trust entry for a specific MCP server.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TrustEntry {
    /// Name of the MCP server.
    pub server_name: String,
    /// Trust level assigned.
    pub level: TrustLevel,
    /// Optional SHA-256 checksum for verified servers.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub checksum: Option<String>,
    /// Who set this trust level.
    #[serde(default)]
    pub set_by: String,
    /// When this trust entry was last modified.
    #[serde(default)]
    pub updated_at: String,
}

/// Manages trust levels for MCP servers.
///
/// Renamed from `TrustStore` to distinguish from `SkillTrustStore` in `crate::trust`.
/// Entries are cached in memory and invalidated on `set_trust`/`revoke_trust`.
pub struct McpTrustStore {
    store_dir: PathBuf,
    /// In-memory cache of trust entries. `None` means cache is cold/invalidated.
    cache: Mutex<Option<HashMap<String, TrustEntry>>>,
}

impl McpTrustStore {
    /// Create a new trust store.
    pub fn new(store_dir: &Path) -> Self {
        Self {
            store_dir: store_dir.to_path_buf(),
            cache: Mutex::new(None),
        }
    }

    /// Get the trust level for a server. Defaults to Untrusted if not set.
    pub fn get_trust(&self, server_name: &str) -> Result<TrustLevel> {
        let entries = self.load_entries()?;
        Ok(entries
            .get(server_name)
            .map(|e| e.level)
            .unwrap_or(TrustLevel::Untrusted))
    }

    /// Set the trust level for a server. Invalidates the in-memory cache.
    pub fn set_trust(
        &self,
        server_name: &str,
        level: TrustLevel,
        checksum: Option<String>,
    ) -> Result<()> {
        let mut entries = self.load_entries()?;

        entries.insert(
            server_name.to_string(),
            TrustEntry {
                server_name: server_name.to_string(),
                level,
                checksum,
                set_by: whoami(),
                updated_at: chrono::Utc::now().to_rfc3339(),
            },
        );

        self.save_entries(&entries)?;
        self.invalidate_cache();
        Ok(())
    }

    /// Remove a trust entry (reverts to Untrusted). Invalidates the in-memory cache.
    pub fn revoke_trust(&self, server_name: &str) -> Result<()> {
        let mut entries = self.load_entries()?;
        entries.remove(server_name);
        self.save_entries(&entries)?;
        self.invalidate_cache();
        Ok(())
    }

    /// List all trust entries.
    pub fn list(&self) -> Result<Vec<TrustEntry>> {
        let entries = self.load_entries()?;
        Ok(entries.into_values().collect())
    }

    /// Verify a server's checksum matches its stored entry.
    /// Returns Ok(true) if verified, Ok(false) if no checksum stored, Err if mismatch.
    pub fn verify_checksum(&self, server_name: &str, command_path: &std::path::Path) -> Result<bool> {
        let entries = self.load_entries()?;
        let entry = match entries.get(server_name) {
            Some(e) => e,
            None => return Ok(false),
        };
        let stored = match &entry.checksum {
            Some(c) => c,
            None => return Ok(false),
        };
        // Compute SHA-256 of the server binary
        let bytes = std::fs::read(command_path)
            .with_context(|| format!("Reading server binary: {:?}", command_path))?;
        use sha2::{Sha256, Digest};
        let hash = format!("{:x}", Sha256::digest(&bytes));
        if hash != *stored {
            anyhow::bail!(
                "Checksum mismatch for '{}': expected {}, got {}. Server binary may have been tampered with.",
                server_name, stored, hash
            );
        }
        Ok(true)
    }

    /// Compute SHA-256 checksum of a file (for use when setting trust).
    pub fn compute_checksum(path: &std::path::Path) -> Result<String> {
        let bytes = std::fs::read(path)?;
        use sha2::{Sha256, Digest};
        Ok(format!("{:x}", Sha256::digest(&bytes)))
    }

    /// Check whether a server's trust level permits a given validated capability.
    pub fn check_permission(&self, server_name: &str, capability: McpCapability) -> Result<bool> {
        let level = self.get_trust(server_name)?;
        Ok(match level {
            TrustLevel::Trusted => true,
            TrustLevel::Verified => matches!(
                capability,
                McpCapability::ReadFile
                    | McpCapability::ListTools
                    | McpCapability::Search
                    | McpCapability::WriteFile
                    | McpCapability::ExecuteSafe
                    | McpCapability::NetworkHttp
            ),
            TrustLevel::Untrusted => matches!(
                capability,
                McpCapability::ReadFile | McpCapability::ListTools | McpCapability::Search
            ),
        })
    }

    /// Check permission using a string capability name.
    ///
    /// Parses the string into an `McpCapability` first. Unknown capability
    /// strings are denied (returns `Ok(false)`) rather than causing an error,
    /// following the allow-list pattern.
    pub fn check_permission_str(&self, server_name: &str, capability: &str) -> Result<bool> {
        match capability.parse::<McpCapability>() {
            Ok(cap) => self.check_permission(server_name, cap),
            Err(_) => Ok(false), // Unknown capabilities are denied
        }
    }

    fn store_path(&self) -> PathBuf {
        self.store_dir.join("trust.json")
    }

    /// Load entries, using the in-memory cache if available.
    fn load_entries(&self) -> Result<HashMap<String, TrustEntry>> {
        let mut cache = self.cache.lock().unwrap_or_else(|e| e.into_inner());
        if let Some(ref entries) = *cache {
            return Ok(entries.clone());
        }
        let entries = self.load_entries_from_disk()?;
        *cache = Some(entries.clone());
        Ok(entries)
    }

    /// Load entries directly from disk (bypasses cache).
    fn load_entries_from_disk(&self) -> Result<HashMap<String, TrustEntry>> {
        let path = self.store_path();
        if !path.exists() {
            return Ok(HashMap::new());
        }
        let content =
            std::fs::read_to_string(&path).context("Reading trust store")?;
        let entries: HashMap<String, TrustEntry> =
            serde_json::from_str(&content).context("Parsing trust store")?;
        Ok(entries)
    }

    /// Invalidate the in-memory cache, forcing the next read to hit disk.
    fn invalidate_cache(&self) {
        let mut cache = self.cache.lock().unwrap_or_else(|e| e.into_inner());
        *cache = None;
    }

    fn save_entries(&self, entries: &HashMap<String, TrustEntry>) -> Result<()> {
        std::fs::create_dir_all(&self.store_dir)?;
        let json = serde_json::to_string_pretty(entries)?;
        let tmp_path = self.store_path().with_extension("json.tmp");
        std::fs::write(&tmp_path, &json)?;
        std::fs::rename(&tmp_path, self.store_path())?;
        #[cfg(unix)]
        {
            use std::os::unix::fs::PermissionsExt;
            let _ = std::fs::set_permissions(
                self.store_path(),
                std::fs::Permissions::from_mode(0o600),
            );
        }
        Ok(())
    }
}

fn whoami() -> String {
    std::env::var("USER").unwrap_or_else(|_| "unknown".into())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_trust_level_display() {
        assert_eq!(TrustLevel::Trusted.to_string(), "trusted");
        assert_eq!(TrustLevel::Verified.to_string(), "verified");
        assert_eq!(TrustLevel::Untrusted.to_string(), "untrusted");
    }

    #[test]
    fn test_trust_level_parse() {
        assert_eq!("trusted".parse::<TrustLevel>().unwrap(), TrustLevel::Trusted);
        assert_eq!("Verified".parse::<TrustLevel>().unwrap(), TrustLevel::Verified);
        assert_eq!("UNTRUSTED".parse::<TrustLevel>().unwrap(), TrustLevel::Untrusted);
        assert!("invalid".parse::<TrustLevel>().is_err());
    }

    #[test]
    fn test_mcp_capability_parse() {
        assert_eq!("read_file".parse::<McpCapability>().unwrap(), McpCapability::ReadFile);
        assert_eq!("list_tools".parse::<McpCapability>().unwrap(), McpCapability::ListTools);
        assert_eq!("search".parse::<McpCapability>().unwrap(), McpCapability::Search);
        assert_eq!("write_file".parse::<McpCapability>().unwrap(), McpCapability::WriteFile);
        assert_eq!("execute_safe".parse::<McpCapability>().unwrap(), McpCapability::ExecuteSafe);
        assert_eq!("network_http".parse::<McpCapability>().unwrap(), McpCapability::NetworkHttp);
        assert!("unknown_cap".parse::<McpCapability>().is_err());
    }

    #[test]
    fn test_mcp_capability_display() {
        assert_eq!(McpCapability::ReadFile.to_string(), "read_file");
        assert_eq!(McpCapability::ListTools.to_string(), "list_tools");
        assert_eq!(McpCapability::Search.to_string(), "search");
        assert_eq!(McpCapability::WriteFile.to_string(), "write_file");
        assert_eq!(McpCapability::ExecuteSafe.to_string(), "execute_safe");
        assert_eq!(McpCapability::NetworkHttp.to_string(), "network_http");
    }

    #[test]
    fn test_default_untrusted() {
        let dir = tempfile::TempDir::new().unwrap();
        let store = McpTrustStore::new(dir.path());
        assert_eq!(store.get_trust("unknown-server").unwrap(), TrustLevel::Untrusted);
    }

    #[test]
    fn test_set_and_get_trust() {
        let dir = tempfile::TempDir::new().unwrap();
        let store = McpTrustStore::new(dir.path());

        store.set_trust("my-server", TrustLevel::Trusted, None).unwrap();
        assert_eq!(store.get_trust("my-server").unwrap(), TrustLevel::Trusted);

        store.set_trust("my-server", TrustLevel::Verified, Some("abc123".into())).unwrap();
        assert_eq!(store.get_trust("my-server").unwrap(), TrustLevel::Verified);
    }

    #[test]
    fn test_revoke_trust() {
        let dir = tempfile::TempDir::new().unwrap();
        let store = McpTrustStore::new(dir.path());

        store.set_trust("temp", TrustLevel::Trusted, None).unwrap();
        assert_eq!(store.get_trust("temp").unwrap(), TrustLevel::Trusted);

        store.revoke_trust("temp").unwrap();
        assert_eq!(store.get_trust("temp").unwrap(), TrustLevel::Untrusted);
    }

    #[test]
    fn test_list_entries() {
        let dir = tempfile::TempDir::new().unwrap();
        let store = McpTrustStore::new(dir.path());

        store.set_trust("a", TrustLevel::Trusted, None).unwrap();
        store.set_trust("b", TrustLevel::Verified, None).unwrap();

        let entries = store.list().unwrap();
        assert_eq!(entries.len(), 2);
    }

    #[test]
    fn test_check_permission_trusted() {
        let dir = tempfile::TempDir::new().unwrap();
        let store = McpTrustStore::new(dir.path());
        store.set_trust("full", TrustLevel::Trusted, None).unwrap();

        // Trusted servers get access to all known capabilities
        assert!(store.check_permission("full", McpCapability::ReadFile).unwrap());
        assert!(store.check_permission("full", McpCapability::ExecuteSafe).unwrap());
        assert!(store.check_permission("full", McpCapability::NetworkHttp).unwrap());

        // Trusted servers also pass unknown strings via check_permission_str (still denied for unknowns)
        assert!(store.check_permission_str("full", "read_file").unwrap());
        // Unknown capabilities are denied even for trusted (via check_permission_str)
        // but trusted servers get all *known* capabilities via check_permission
    }

    #[test]
    fn test_check_permission_str_unknown_denied() {
        let dir = tempfile::TempDir::new().unwrap();
        let store = McpTrustStore::new(dir.path());
        store.set_trust("full", TrustLevel::Trusted, None).unwrap();

        // Unknown capability strings are denied via check_permission_str
        assert!(!store.check_permission_str("full", "execute_arbitrary").unwrap());
        assert!(!store.check_permission_str("full", "system_config").unwrap());
    }

    #[test]
    fn test_check_permission_verified() {
        let dir = tempfile::TempDir::new().unwrap();
        let store = McpTrustStore::new(dir.path());
        store.set_trust("community", TrustLevel::Verified, None).unwrap();

        assert!(store.check_permission("community", McpCapability::ReadFile).unwrap());
        assert!(store.check_permission("community", McpCapability::WriteFile).unwrap());
        assert!(store.check_permission("community", McpCapability::ExecuteSafe).unwrap());

        // Unknown capabilities denied
        assert!(!store.check_permission_str("community", "execute_arbitrary").unwrap());
        assert!(!store.check_permission_str("community", "system_config").unwrap());
    }

    #[test]
    fn test_check_permission_untrusted() {
        let dir = tempfile::TempDir::new().unwrap();
        let store = McpTrustStore::new(dir.path());

        assert!(store.check_permission("unknown", McpCapability::ReadFile).unwrap());
        assert!(store.check_permission("unknown", McpCapability::Search).unwrap());
        assert!(!store.check_permission("unknown", McpCapability::WriteFile).unwrap());
        assert!(!store.check_permission("unknown", McpCapability::ExecuteSafe).unwrap());

        // Unknown capabilities denied
        assert!(!store.check_permission_str("unknown", "execute_arbitrary").unwrap());
        assert!(!store.check_permission_str("unknown", "network_unrestricted").unwrap());
    }

    #[test]
    fn test_cache_invalidation_on_set() {
        let dir = tempfile::TempDir::new().unwrap();
        let store = McpTrustStore::new(dir.path());

        // Prime cache
        assert_eq!(store.get_trust("srv").unwrap(), TrustLevel::Untrusted);

        // Set trust (should invalidate cache)
        store.set_trust("srv", TrustLevel::Trusted, None).unwrap();

        // Should see updated value
        assert_eq!(store.get_trust("srv").unwrap(), TrustLevel::Trusted);
    }

    #[test]
    fn test_cache_invalidation_on_revoke() {
        let dir = tempfile::TempDir::new().unwrap();
        let store = McpTrustStore::new(dir.path());

        store.set_trust("srv", TrustLevel::Trusted, None).unwrap();
        assert_eq!(store.get_trust("srv").unwrap(), TrustLevel::Trusted);

        // Revoke (should invalidate cache)
        store.revoke_trust("srv").unwrap();
        assert_eq!(store.get_trust("srv").unwrap(), TrustLevel::Untrusted);
    }

    #[test]
    fn test_trust_entry_serialization() {
        let entry = TrustEntry {
            server_name: "test".into(),
            level: TrustLevel::Verified,
            checksum: Some("sha256:abc".into()),
            set_by: "user".into(),
            updated_at: "2025-01-01T00:00:00Z".into(),
        };
        let json = serde_json::to_string(&entry).unwrap();
        let parsed: TrustEntry = serde_json::from_str(&json).unwrap();
        assert_eq!(parsed.level, TrustLevel::Verified);
        assert_eq!(parsed.checksum.as_deref(), Some("sha256:abc"));
    }
}