harness_core/

eval.rs

// SPDX-License-Identifier: Apache-2.0 OR MIT
//! Rule + pack evaluator.
//!
//! Direct port of the Python reference:
//!   `_get_dotpath`, `_match_action`, `_eval_rego_subset`, `_eval_rego_allowlist`,
//!   `_eval_jsonlogic`, `evaluate_rule`, `evaluate_packs`.
//!
//! Semantics are documented in `policy-pack-format.md` section "Evaluation
//! semantics": any DENY wins, else WARN, else ALLOW.

use regex::Regex;
use serde_json::Value;
use std::sync::OnceLock;

use crate::pack::{PolicyPack, Rule};

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    Allow,
    Warn,
    Deny,
}

impl Decision {
    pub fn as_str(self) -> &'static str {
        match self {
            Decision::Allow => "ALLOW",
            Decision::Warn => "WARN",
            Decision::Deny => "DENY",
        }
    }
}

/// Aggregate result returned by `evaluate_packs`.
#[derive(Debug, Clone, Default)]
pub struct DecisionResult {
    pub decision: &'static str,
    pub deciding_pack: Option<String>,
    pub deciding_rule: Option<String>,
    pub deciding_layer: Option<String>,
    pub reason: Option<String>,
}

/// Walk a dot-path through nested JSON objects.
///
/// Ports `_get_dotpath`. Returns `None` if any intermediate is not an object,
/// or if a final key is absent.
pub fn get_dotpath<'a>(d: &'a Value, path: &str) -> Option<&'a Value> {
    let mut cur = d;
    for part in path.split('.') {
        let obj = cur.as_object()?;
        cur = obj.get(part)?;
    }
    Some(cur)
}

/// Does the rule's `match.action` cover the inbound action?
///
/// Ports `_match_action`. Accepts a string ("*", glob "tool.*", or exact match)
/// OR a list of strings (any-match).
pub fn match_action(rule_match_action: &Value, action: &str) -> bool {
    match rule_match_action {
        Value::String(s) => {
            if s == "*" {
                return true;
            }
            if let Some(prefix) = s.strip_suffix(".*") {
                // Python: action.startswith(rule_match_action[:-1])  i.e. include the dot.
                return action.starts_with(&format!("{prefix}."));
            }
            s == action
        }
        Value::Array(arr) => arr.iter().any(|p| match_action(p, action)),
        _ => false,
    }
}

/// Minimal Rego subset — supports the SINGLE pattern shipped in the example
/// PII pack:
///
/// ```rego
/// default decision := "ALLOW"
/// decision := "DENY" { re_match(`<regex>`, input.value) }
/// ```
///
/// Anything more complex falls through to the default (fail-open in the
/// reference, fail-closed in prod). Ports `_eval_rego_subset`.
pub fn eval_rego_subset(module: &str, value_to_test: &str) -> &'static str {
    static DEFAULT_RE: OnceLock<Regex> = OnceLock::new();
    static DENY_RE: OnceLock<Regex> = OnceLock::new();

    let default_re = DEFAULT_RE.get_or_init(|| {
        Regex::new(r#"default\s+decision\s*:=\s*"(ALLOW|WARN|DENY)""#).unwrap()
    });
    let deny_re = DENY_RE.get_or_init(|| {
        // Python pattern uses backticks to delimit the regex literal:
        //   decision := "DENY" { re_match(`<regex>`, input.value) }
        Regex::new(r#"decision\s*:=\s*"DENY"\s*\{\s*re_match\(\s*`([^`]+)`\s*,\s*input\.value\s*\)\s*\}"#).unwrap()
    });

    let default = match default_re.captures(module).and_then(|c| c.get(1)) {
        Some(m) => match m.as_str() {
            "ALLOW" => "ALLOW",
            "WARN" => "WARN",
            "DENY" => "DENY",
            _ => "ALLOW",
        },
        None => "ALLOW",
    };

    if let Some(c) = deny_re.captures(module) {
        let pattern = c.get(1).unwrap().as_str();
        match Regex::new(pattern) {
            Ok(re) => {
                if re.is_match(value_to_test) {
                    return "DENY";
                }
            }
            Err(e) => {
                tracing::warn!("rego_regex_error: {} in pattern {:?}", e, pattern);
            }
        }
    }
    default
}

/// Rego allowlist pattern (used by `tool-allowlist.json`).
///
/// Pattern:
///
/// ```rego
/// allowed := { "tool.read_file", ... }
/// default decision := "DENY"
/// decision := "ALLOW" { input.action in allowed }
/// ```
///
/// Ports `_eval_rego_allowlist`. If the module doesn't look like an allowlist
/// (no `input.action in allowed` literal), falls back to `eval_rego_subset`.
pub fn eval_rego_allowlist(module: &str, action: &str) -> &'static str {
    if !module.contains("input.action in allowed") {
        return eval_rego_subset(module, action);
    }
    static ALLOWED_RE: OnceLock<Regex> = OnceLock::new();
    static MEMBER_RE: OnceLock<Regex> = OnceLock::new();
    static DEFAULT_RE: OnceLock<Regex> = OnceLock::new();
    // (?s) = dotall so `.` matches newlines, mirroring Python's re.DOTALL.
    let allowed_re = ALLOWED_RE
        .get_or_init(|| Regex::new(r"(?s)allowed\s*:=\s*\{([^}]+)\}").unwrap());
    let member_re = MEMBER_RE.get_or_init(|| Regex::new(r#""([^"]+)""#).unwrap());
    let default_re = DEFAULT_RE.get_or_init(|| {
        Regex::new(r#"default\s+decision\s*:=\s*"(ALLOW|DENY)""#).unwrap()
    });

    let allowed_block = match allowed_re.captures(module) {
        Some(c) => c.get(1).unwrap().as_str().to_owned(),
        None => return "ALLOW",
    };
    let allowed: Vec<&str> = member_re
        .captures_iter(&allowed_block)
        .filter_map(|c| c.get(1).map(|m| m.as_str()))
        .collect();
    // We need owned strings to outlive the borrow; clone into Vec<String>.
    let allowed_owned: Vec<String> = allowed.into_iter().map(String::from).collect();

    let default = match default_re.captures(module).and_then(|c| c.get(1)) {
        Some(m) => match m.as_str() {
            "ALLOW" => "ALLOW",
            "DENY" => "DENY",
            _ => "ALLOW",
        },
        None => "ALLOW",
    };

    if allowed_owned.iter().any(|a| a == action) {
        "ALLOW"
    } else {
        default
    }
}

/// Minimal JSONLogic — supports the SINGLE pattern shipped in `rate-limit.json`:
///
/// ```json
/// {"and": [{"<=": [{"var": "X"}, N]}]}
/// ```
///
/// Ports `_eval_jsonlogic`. Anything else falls through to ALLOW.
pub fn eval_jsonlogic(module: &str, context: &Value) -> &'static str {
    let rule: Value = match serde_json::from_str(module) {
        Ok(v) => v,
        Err(_) => return "ALLOW",
    };
    let ctx_obj = context.as_object();
    if let Some(and_arr) = rule.get("and").and_then(|v| v.as_array()) {
        for child in and_arr {
            if let Some(args) = child.get("<=").and_then(|v| v.as_array()) {
                if args.len() < 2 {
                    continue;
                }
                let var_name = args[0].get("var").and_then(|v| v.as_str());
                let threshold = args[1].as_f64();
                let var_name = match var_name {
                    Some(n) => n,
                    None => continue,
                };
                let threshold = match threshold {
                    Some(t) => t,
                    None => continue,
                };
                let cur = ctx_obj
                    .and_then(|o| o.get(var_name))
                    .and_then(|v| v.as_f64())
                    .unwrap_or(0.0);
                if cur > threshold {
                    return "DENY";
                }
            }
        }
    }
    "ALLOW"
}

/// Evaluate a single rule. Returns `(decision, deny_reason)`.
///
/// Ports `evaluate_rule`. `decision` is "ALLOW" / "WARN" / "DENY".
pub fn evaluate_rule(
    rule: &Rule,
    action_payload: &Value,
    daemon_state: &Value,
) -> (&'static str, Option<String>) {
    let action = action_payload
        .get("action")
        .and_then(|v| v.as_str())
        .unwrap_or("");
    let match_action_val = match &rule.r#match.action {
        Value::Null => Value::String("*".into()),
        v => v.clone(),
    };
    if !match_action(&match_action_val, action) {
        return ("ALLOW", None);
    }

    let lang = rule.policy.language.as_str();
    let module = rule.policy.module.as_str();
    let deny_reason = rule
        .deny_reason
        .clone()
        .unwrap_or_else(|| "rule_match".into());
    let warn_only = rule.warn_only;

    let mut decision: &'static str = "ALLOW";
    match lang {
        "rego" => {
            if module.contains("input.action in allowed") {
                decision = eval_rego_allowlist(module, action);
            } else {
                let fields = rule
                    .r#match
                    .fields
                    .clone()
                    .unwrap_or_else(|| vec!["input".to_string()]);
                for field in &fields {
                    // Python: value = _get_dotpath(action_payload, field) or ""
                    // then coerce non-strings via json.dumps with compact separators.
                    let value_node = get_dotpath(action_payload, field);
                    let value_str: String = match value_node {
                        None => String::new(),
                        Some(Value::String(s)) => s.clone(),
                        Some(Value::Null) => String::new(),
                        Some(other) => serde_json::to_string(other).unwrap_or_default(),
                    };
                    if eval_rego_subset(module, &value_str) == "DENY" {
                        decision = "DENY";
                        break;
                    }
                }
            }
        }
        "jsonlogic" => {
            // Python merges action_payload with daemon_state via dict-spread.
            let mut ctx = serde_json::Map::new();
            if let Some(o) = action_payload.as_object() {
                for (k, v) in o {
                    ctx.insert(k.clone(), v.clone());
                }
            }
            if let Some(o) = daemon_state.as_object() {
                for (k, v) in o {
                    ctx.insert(k.clone(), v.clone());
                }
            }
            decision = eval_jsonlogic(module, &Value::Object(ctx));
        }
        other => {
            tracing::warn!(
                "unsupported_policy_language={} rule={}",
                other,
                rule.rule_id
            );
            return ("ALLOW", None);
        }
    }

    if decision == "DENY" && warn_only {
        return ("WARN", Some(deny_reason));
    }
    let reason = if decision == "ALLOW" { None } else { Some(deny_reason) };
    (decision, reason)
}

/// Run an action through every loaded pack in pack-load order.
///
/// Aggregate semantics (per `policy-pack-format.md`): any DENY short-circuits +
/// wins; else any WARN; else ALLOW.
pub fn evaluate_packs(
    packs: &[PolicyPack],
    action_payload: &Value,
    daemon_state: &Value,
) -> DecisionResult {
    let mut result = DecisionResult {
        decision: "ALLOW",
        ..Default::default()
    };

    for pack in packs {
        for rule in &pack.rules {
            let (decision, reason) = evaluate_rule(rule, action_payload, daemon_state);
            match decision {
                "DENY" => {
                    return DecisionResult {
                        decision: "DENY",
                        deciding_pack: Some(pack.pack_id.clone()),
                        deciding_rule: Some(rule.rule_id.clone()),
                        deciding_layer: Some(
                            rule.layer.clone().unwrap_or_else(|| "L?".into()),
                        ),
                        reason,
                    };
                }
                "WARN" if result.decision == "ALLOW" => {
                    result.decision = "WARN";
                    result.deciding_pack = Some(pack.pack_id.clone());
                    result.deciding_rule = Some(rule.rule_id.clone());
                    result.deciding_layer = Some(
                        rule.layer.clone().unwrap_or_else(|| "L?".into()),
                    );
                    result.reason = reason;
                }
                _ => {}
            }
        }
    }
    result
}

#[cfg(test)]
mod tests {
    use super::*;
    use serde_json::json;

    #[test]
    fn dotpath_simple() {
        let v = json!({"a": {"b": "ok"}});
        assert_eq!(get_dotpath(&v, "a.b"), Some(&Value::String("ok".into())));
        assert!(get_dotpath(&v, "a.c").is_none());
        assert!(get_dotpath(&v, "x.y").is_none());
    }

    #[test]
    fn action_glob() {
        assert!(match_action(&Value::String("*".into()), "anything"));
        assert!(match_action(&Value::String("tool.*".into()), "tool.read"));
        assert!(!match_action(&Value::String("tool.*".into()), "toolread"));
        assert!(!match_action(&Value::String("tool.*".into()), "function.x"));
        assert!(match_action(&Value::String("exact".into()), "exact"));
        assert!(match_action(
            &json!(["tool.*", "function.*"]),
            "function.call"
        ));
    }

    #[test]
    fn rego_subset_default_allow_no_match() {
        let module = "default decision := \"ALLOW\"\ndecision := \"DENY\" { re_match(`\\d+`, input.value) }";
        assert_eq!(eval_rego_subset(module, "no digits"), "ALLOW");
        assert_eq!(eval_rego_subset(module, "abc123"), "DENY");
    }

    #[test]
    fn rego_allowlist_membership() {
        let module = "allowed := {\n  \"tool.read_file\",\n  \"tool.search\"\n}\ndefault decision := \"DENY\"\ndecision := \"ALLOW\" { input.action in allowed }";
        assert_eq!(eval_rego_allowlist(module, "tool.read_file"), "ALLOW");
        assert_eq!(eval_rego_allowlist(module, "tool.write_file"), "DENY");
    }

    #[test]
    fn jsonlogic_rate_cap() {
        let module = r#"{"and": [{"<=": [{"var": "agent_actions_last_minute"}, 60]}]}"#;
        assert_eq!(
            eval_jsonlogic(module, &json!({"agent_actions_last_minute": 1})),
            "ALLOW"
        );
        assert_eq!(
            eval_jsonlogic(module, &json!({"agent_actions_last_minute": 61})),
            "DENY"
        );
    }
}