Skip to main content

vtcode_core/exec_policy/
parser.rs

1//! Parser for policy rule files.
2//!
3//! Parses policy files in a simple line-based format similar to Codex's approach.
4//! Each line specifies a command prefix and a decision.
5
6use super::policy::{Decision, Policy, PrefixRule};
7use crate::utils::file_utils::{parse_json_with_context, read_file_with_context};
8use anyhow::{Context, Result};
9use serde::{Deserialize, Serialize};
10use std::path::Path;
11
12/// A serializable policy file format.
13#[derive(Debug, Clone, Serialize, Deserialize)]
14pub struct PolicyFile {
15    /// Format version for compatibility.
16    #[serde(default = "default_version")]
17    pub version: u32,
18
19    /// Policy rules.
20    pub rules: Vec<PolicyRule>,
21}
22
23fn default_version() -> u32 {
24    1
25}
26
27/// A single rule in the policy file.
28#[derive(Debug, Clone, Serialize, Deserialize)]
29pub struct PolicyRule {
30    /// Command pattern (space-separated components).
31    pub pattern: String,
32
33    /// Decision for this pattern.
34    pub decision: Decision,
35
36    /// Optional comment explaining the rule.
37    #[serde(skip_serializing_if = "Option::is_none")]
38    pub comment: Option<String>,
39}
40
41/// Parser for policy files.
42#[derive(Debug, Default)]
43pub struct PolicyParser;
44
45impl PolicyParser {
46    /// Create a new parser.
47    pub fn new() -> Self {
48        Self
49    }
50
51    /// Parse a TOML policy file.
52    pub fn parse_toml(&self, content: &str) -> Result<PolicyFile> {
53        toml::from_str(content).context("Failed to parse policy TOML")
54    }
55
56    /// Parse a JSON policy file.
57    pub fn parse_json(&self, content: &str) -> Result<PolicyFile> {
58        parse_json_with_context(content, "policy JSON")
59    }
60
61    /// Parse a simple line-based format.
62    /// Format: "decision: pattern" or "pattern = decision"
63    pub fn parse_simple(&self, content: &str) -> Result<Vec<PrefixRule>> {
64        let mut rules = Vec::new();
65
66        for (line_num, line) in content.lines().enumerate() {
67            let line = line.trim();
68
69            // Skip empty lines and comments
70            if line.is_empty() || line.starts_with('#') || line.starts_with("//") {
71                continue;
72            }
73
74            let rule = self
75                .parse_rule_line(line)
76                .with_context(|| format!("Failed to parse line {}: {}", line_num + 1, line))?;
77
78            rules.push(rule);
79        }
80
81        Ok(rules)
82    }
83
84    /// Parse a single rule line.
85    fn parse_rule_line(&self, line: &str) -> Result<PrefixRule> {
86        // Try "decision: pattern" format
87        if let Some((decision_str, pattern)) = line.split_once(':') {
88            let decision = self.parse_decision(decision_str.trim())?;
89            let pattern = self.parse_pattern(pattern.trim());
90            return Ok(PrefixRule::new(pattern, decision));
91        }
92
93        // Try "pattern = decision" format
94        if let Some((pattern, decision_str)) = line.split_once('=') {
95            let decision = self.parse_decision(decision_str.trim())?;
96            let pattern = self.parse_pattern(pattern.trim());
97            return Ok(PrefixRule::new(pattern, decision));
98        }
99
100        anyhow::bail!("Invalid rule format. Expected 'decision: pattern' or 'pattern = decision'")
101    }
102
103    /// Parse a decision string.
104    fn parse_decision(&self, s: &str) -> Result<Decision> {
105        match s.to_lowercase().as_str() {
106            "allow" | "yes" | "true" | "1" => Ok(Decision::Allow),
107            "prompt" | "ask" | "confirm" => Ok(Decision::Prompt),
108            "forbidden" | "forbid" | "deny" | "no" | "false" | "0" => Ok(Decision::Forbidden),
109            _ => anyhow::bail!("Invalid decision: {}", s),
110        }
111    }
112
113    /// Parse a pattern string into components.
114    fn parse_pattern(&self, s: &str) -> Vec<String> {
115        s.split_whitespace().map(String::from).collect()
116    }
117
118    /// Load a policy from a file.
119    pub async fn load_file(&self, path: &Path) -> Result<Policy> {
120        let content = read_file_with_context(path, "policy file").await?;
121
122        self.load_from_content(&content, path)
123    }
124
125    /// Load a policy from file content.
126    pub fn load_from_content(&self, content: &str, path: &Path) -> Result<Policy> {
127        let extension = path.extension().and_then(|e| e.to_str()).unwrap_or("");
128
129        let rules = match extension {
130            "toml" => {
131                let file = self.parse_toml(content)?;
132                file.rules
133                    .into_iter()
134                    .map(|r| {
135                        PrefixRule::new(
136                            r.pattern.split_whitespace().map(String::from).collect(),
137                            r.decision,
138                        )
139                    })
140                    .collect()
141            }
142            "json" => {
143                let file = self.parse_json(content)?;
144                file.rules
145                    .into_iter()
146                    .map(|r| {
147                        PrefixRule::new(
148                            r.pattern.split_whitespace().map(String::from).collect(),
149                            r.decision,
150                        )
151                    })
152                    .collect()
153            }
154            _ => self.parse_simple(content)?,
155        };
156
157        let mut policy = Policy::empty();
158        for rule in rules {
159            policy.add_prefix_rule(&rule.pattern, rule.decision)?;
160        }
161
162        Ok(policy)
163    }
164}
165
166#[cfg(test)]
167mod tests {
168    use super::*;
169
170    #[test]
171    fn test_parse_simple_format() {
172        let parser = PolicyParser::new();
173        let content = r#"
174# Allow cargo commands
175allow: cargo build
176allow: cargo test
177
178# Forbid dangerous commands
179forbidden: rm -rf
180prompt: git push
181"#;
182
183        let rules = parser.parse_simple(content).unwrap();
184        assert_eq!(rules.len(), 4);
185
186        assert_eq!(rules[0].pattern, vec!["cargo", "build"]);
187        assert_eq!(rules[0].decision, Decision::Allow);
188
189        assert_eq!(rules[3].pattern, vec!["git", "push"]);
190        assert_eq!(rules[3].decision, Decision::Prompt);
191    }
192
193    #[test]
194    fn test_parse_equals_format() {
195        let parser = PolicyParser::new();
196        let content = r#"
197cargo build = allow
198rm -rf = deny
199"#;
200
201        let rules = parser.parse_simple(content).unwrap();
202        assert_eq!(rules.len(), 2);
203
204        assert_eq!(rules[0].decision, Decision::Allow);
205        assert_eq!(rules[1].decision, Decision::Forbidden);
206    }
207
208    #[test]
209    fn test_parse_toml() {
210        let parser = PolicyParser::new();
211        let content = r#"
212version = 1
213
214[[rules]]
215pattern = "cargo build"
216decision = "allow"
217
218[[rules]]
219pattern = "rm -rf"
220decision = "forbidden"
221comment = "Never allow recursive delete"
222"#;
223
224        let file = parser.parse_toml(content).unwrap();
225        assert_eq!(file.rules.len(), 2);
226        assert_eq!(file.rules[0].decision, Decision::Allow);
227        assert_eq!(
228            file.rules[1].comment,
229            Some("Never allow recursive delete".to_string())
230        );
231    }
232
233    #[test]
234    fn test_parse_json() {
235        let parser = PolicyParser::new();
236        let content = r#"{
237			"version": 1,
238			"rules": [
239				{"pattern": "cargo test", "decision": "allow"},
240				{"pattern": "git push", "decision": "prompt"}
241			]
242		}"#;
243
244        let file = parser.parse_json(content).unwrap();
245        assert_eq!(file.rules.len(), 2);
246    }
247}