Simple file presence based policy evaluation

Signed-off-by: John Andersen <[email protected]>

README.md

@@ -123,6 +123,7 @@ The `service_parameters.json` file gets created when starting a service using `.
     "serviceId": "emulator",
     "treeAlgorithm": "CCF",
     "signatureAlgorithm": "ES256",
+    "insertPolicy": "*",
     "serviceCertificate": "-----BEGIN CERTIFICATE-----..."
 }
 ```

scitt_emulator/scitt.py

@@ -22,6 +22,10 @@
 COSE_Headers_Tree_Alg = "tree_alg"
 COSE_Headers_Issued_At = "issued_at"
 
+# permissive insert policy
+MOST_PERMISSIVE_INSERT_POLICY = "*"
+DEFAULT_INSERT_POLICY = MOST_PERMISSIVE_INSERT_POLICY
+
 
 class ClaimInvalidError(Exception):
     pass
@@ -94,8 +98,14 @@ def get_claim(self, entry_id: str) -> bytes:
         return claim
 
     def submit_claim(self, claim: bytes, long_running=True) -> dict:
+        insert_policy = self.service_parameters.get("insertPolicy", DEFAULT_INSERT_POLICY)
+
         if long_running:
             return self._create_operation(claim)
+        elif insert_policy != MOST_PERMISSIVE_INSERT_POLICY:
+            raise NotImplementedError(
+                f"non-* insertPolicy only works with long_running=True: {insert_policy!r}"
+            )
         else:
             return self._create_entry(claim)
 
@@ -142,11 +152,45 @@ def _create_operation(self, claim: bytes):
 
         return operation
 
+    def _sync_policy_result(self, operation: dict):
+        operation_id = operation["operationId"]
+        policy_insert_path = self.operations_path / f"{operation_id}.policy.insert"
+        policy_denied_path = self.operations_path / f"{operation_id}.policy.denied"
+        policy_failed_path = self.operations_path / f"{operation_id}.policy.failed"
+        insert_policy = self.service_parameters.get("insertPolicy", DEFAULT_INSERT_POLICY)
+
+        policy_result = {"status": operation["status"]}
+
+        if (
+            insert_policy == MOST_PERMISSIVE_INSERT_POLICY
+            or policy_insert_path.exists()
+        ):
+            policy_result["status"] = "succeeded"
+            policy_insert_path.unlink()
+        if policy_failed_path.exists():
+            policy_result["status"] = "failed"
+            policy_failed_path.unlink()
+        if policy_denied_path.exists():
+            policy_result["status"] = "denied"
+            policy_denied_path.unlink()
+
+        return policy_result
+
     def _finish_operation(self, operation: dict):
         operation_id = operation["operationId"]
         operation_path = self.operations_path / f"{operation_id}.json"
         claim_src_path = self.operations_path / f"{operation_id}.cose"
 
+        policy_result = self._sync_policy_result(operation)
+        if policy_result["status"] == "running":
+            return operation
+        if policy_result["status"] != "succeeded":
+            operation["status"] = "failed"
+            operation["error"] = policy_result
+            operation_path.unlink()
+            claim_src_path.unlink()
+            return operation
+
         claim = claim_src_path.read_bytes()
         entry = self._create_entry(claim)
         claim_src_path.unlink()