baseid_pctf/

policy.rs

//! PCTF policy engine for validating credential operations against
//! Pan-Canadian Trust Framework requirements.
//!
//! Combines assurance level checks, consent validation, and audit enforcement
//! into a single policy evaluation.

use baseid_core::types::AssuranceLevel;
use serde::{Deserialize, Serialize};

use crate::consent::ConsentManager;

/// PCTF policy configuration.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PctfPolicy {
    /// Minimum assurance level required for credential acceptance.
    pub min_assurance_level: AssuranceLevel,
    /// Whether consent records are required for presentations.
    pub require_consent: bool,
    /// Whether audit logging is mandatory.
    pub require_audit: bool,
    /// Accepted credential types (empty = accept all).
    pub accepted_types: Vec<String>,
    /// Trusted issuer DIDs (empty = accept all).
    pub trusted_issuers: Vec<String>,
}

impl Default for PctfPolicy {
    fn default() -> Self {
        Self {
            min_assurance_level: AssuranceLevel::Substantial,
            require_consent: true,
            require_audit: true,
            accepted_types: vec![],
            trusted_issuers: vec![],
        }
    }
}

/// Result of a policy validation.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PolicyResult {
    /// Whether the operation satisfies the policy.
    pub compliant: bool,
    /// Individual check results.
    pub checks: Vec<PolicyCheck>,
}

impl PolicyResult {
    /// Get all failing checks.
    pub fn violations(&self) -> Vec<&PolicyCheck> {
        self.checks.iter().filter(|c| !c.passed).collect()
    }
}

/// A single policy check result.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PolicyCheck {
    /// Name of the check.
    pub name: String,
    /// Whether the check passed.
    pub passed: bool,
    /// Description of the result.
    pub message: String,
}

/// Context for evaluating a credential presentation against PCTF policy.
#[derive(Debug, Clone)]
pub struct PresentationContext {
    /// Assurance level of the credential.
    pub assurance_level: AssuranceLevel,
    /// Credential type(s).
    pub credential_types: Vec<String>,
    /// Issuer DID.
    pub issuer: String,
    /// Verifier DID (recipient).
    pub verifier: String,
    /// Purpose of presentation.
    pub purpose: String,
    /// Data elements being shared.
    pub data_elements: Vec<String>,
    /// Current timestamp (RFC 3339).
    pub now: String,
}

/// Validates credential operations against PCTF policy.
pub struct PctfValidator;

impl PctfValidator {
    /// Validate a presentation context against a PCTF policy.
    pub fn validate_presentation(
        policy: &PctfPolicy,
        context: &PresentationContext,
        consent_manager: Option<&ConsentManager>,
    ) -> PolicyResult {
        let mut checks = Vec::new();

        // Check 1: Assurance level
        let assurance_ok = context.assurance_level >= policy.min_assurance_level;
        checks.push(PolicyCheck {
            name: "assurance_level".to_string(),
            passed: assurance_ok,
            message: if assurance_ok {
                format!(
                    "Assurance level {} meets minimum {}",
                    context.assurance_level.pctf_name(),
                    policy.min_assurance_level.pctf_name()
                )
            } else {
                format!(
                    "Assurance level {} below minimum {} / Le niveau d'assurance {} est inférieur au minimum {}",
                    context.assurance_level.pctf_name(),
                    policy.min_assurance_level.pctf_name(),
                    context.assurance_level.pctf_name(),
                    policy.min_assurance_level.pctf_name()
                )
            },
        });

        // Check 2: Credential type
        let type_ok = policy.accepted_types.is_empty()
            || context
                .credential_types
                .iter()
                .any(|t| policy.accepted_types.contains(t));
        checks.push(PolicyCheck {
            name: "credential_type".to_string(),
            passed: type_ok,
            message: if type_ok {
                "Credential type accepted".to_string()
            } else {
                format!(
                    "Credential type not accepted. Expected one of: {:?}",
                    policy.accepted_types
                )
            },
        });

        // Check 3: Trusted issuer
        let issuer_ok =
            policy.trusted_issuers.is_empty() || policy.trusted_issuers.contains(&context.issuer);
        checks.push(PolicyCheck {
            name: "trusted_issuer".to_string(),
            passed: issuer_ok,
            message: if issuer_ok {
                "Issuer is trusted".to_string()
            } else {
                format!(
                    "Issuer {} not in trusted list / L'émetteur {} n'est pas dans la liste de confiance",
                    context.issuer, context.issuer
                )
            },
        });

        // Check 4: Consent
        let consent_ok = if policy.require_consent {
            if let Some(mgr) = consent_manager {
                let valid =
                    mgr.find_valid_consents(&context.verifier, &context.purpose, &context.now);
                // Check that at least one consent covers the data elements
                let data_refs: Vec<&str> =
                    context.data_elements.iter().map(|s| s.as_str()).collect();
                valid.iter().any(|c| c.covers(&data_refs, &context.purpose))
            } else {
                false
            }
        } else {
            true
        };
        checks.push(PolicyCheck {
            name: "consent".to_string(),
            passed: consent_ok,
            message: if consent_ok {
                "Valid consent exists for this presentation".to_string()
            } else {
                "No valid consent found for this presentation / Aucun consentement valide trouvé"
                    .to_string()
            },
        });

        // Check 5: Audit requirement (informational — we can't check if audit was logged
        // since that happens after the presentation, but we flag the requirement).
        checks.push(PolicyCheck {
            name: "audit".to_string(),
            passed: true, // Always passes — it's a reminder, not a gate
            message: if policy.require_audit {
                "Audit logging required for this operation".to_string()
            } else {
                "Audit logging not required".to_string()
            },
        });

        let compliant = checks.iter().all(|c| c.passed);
        PolicyResult { compliant, checks }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::consent::ConsentRecord;

    fn default_context() -> PresentationContext {
        PresentationContext {
            assurance_level: AssuranceLevel::Substantial,
            credential_types: vec!["VerifiableCredential".into(), "CanadianDigitalID".into()],
            issuer: "did:web:gov.ca".to_string(),
            verifier: "did:key:z6MkVerifier".to_string(),
            purpose: "age-verification".to_string(),
            data_elements: vec!["givenName".into(), "dateOfBirth".into()],
            now: "2026-03-15T10:00:00Z".to_string(),
        }
    }

    fn consent_manager_with_valid_consent() -> ConsentManager {
        let mut mgr = ConsentManager::new();
        mgr.record_consent(ConsentRecord::new(
            "c-1",
            "did:key:z6MkHolder",
            "did:key:z6MkVerifier",
            vec!["givenName".into(), "dateOfBirth".into()],
            "age-verification",
            "2026-03-01T00:00:00Z",
            Some("2026-12-31T23:59:59Z".into()),
        ));
        mgr
    }

    #[test]
    fn fully_compliant_presentation() {
        let policy = PctfPolicy::default();
        let ctx = default_context();
        let mgr = consent_manager_with_valid_consent();
        let result = PctfValidator::validate_presentation(&policy, &ctx, Some(&mgr));
        assert!(result.compliant);
        assert!(result.violations().is_empty());
    }

    #[test]
    fn assurance_level_too_low() {
        let policy = PctfPolicy {
            min_assurance_level: AssuranceLevel::High,
            ..Default::default()
        };
        let ctx = default_context(); // Substantial
        let mgr = consent_manager_with_valid_consent();
        let result = PctfValidator::validate_presentation(&policy, &ctx, Some(&mgr));
        assert!(!result.compliant);
        let violations = result.violations();
        assert!(violations.iter().any(|v| v.name == "assurance_level"));
    }

    #[test]
    fn wrong_credential_type() {
        let policy = PctfPolicy {
            accepted_types: vec!["DriverLicense".into()],
            ..Default::default()
        };
        let ctx = default_context(); // CanadianDigitalID
        let mgr = consent_manager_with_valid_consent();
        let result = PctfValidator::validate_presentation(&policy, &ctx, Some(&mgr));
        assert!(!result.compliant);
        assert!(result
            .violations()
            .iter()
            .any(|v| v.name == "credential_type"));
    }

    #[test]
    fn untrusted_issuer() {
        let policy = PctfPolicy {
            trusted_issuers: vec!["did:web:ontario.ca".into()],
            ..Default::default()
        };
        let ctx = default_context(); // issuer = did:web:gov.ca
        let mgr = consent_manager_with_valid_consent();
        let result = PctfValidator::validate_presentation(&policy, &ctx, Some(&mgr));
        assert!(!result.compliant);
        assert!(result
            .violations()
            .iter()
            .any(|v| v.name == "trusted_issuer"));
    }

    #[test]
    fn missing_consent() {
        let policy = PctfPolicy::default();
        let ctx = default_context();
        // No consent manager
        let result = PctfValidator::validate_presentation(&policy, &ctx, None);
        assert!(!result.compliant);
        assert!(result.violations().iter().any(|v| v.name == "consent"));
    }

    #[test]
    fn consent_not_required() {
        let policy = PctfPolicy {
            require_consent: false,
            ..Default::default()
        };
        let ctx = default_context();
        let result = PctfValidator::validate_presentation(&policy, &ctx, None);
        assert!(result.compliant);
    }

    #[test]
    fn empty_accepted_types_accepts_all() {
        let policy = PctfPolicy {
            accepted_types: vec![],
            ..Default::default()
        };
        let ctx = default_context();
        let mgr = consent_manager_with_valid_consent();
        let result = PctfValidator::validate_presentation(&policy, &ctx, Some(&mgr));
        assert!(
            result
                .checks
                .iter()
                .find(|c| c.name == "credential_type")
                .unwrap()
                .passed
        );
    }

    #[test]
    fn policy_result_violations() {
        let policy = PctfPolicy {
            min_assurance_level: AssuranceLevel::High,
            accepted_types: vec!["Passport".into()],
            ..Default::default()
        };
        let ctx = default_context();
        let result = PctfValidator::validate_presentation(&policy, &ctx, None);
        assert!(!result.compliant);
        // Should have 3 violations: assurance, type, consent
        assert_eq!(result.violations().len(), 3);
    }
}