Add trust_tier type for status alongside trust_vector

HarshvMahawar · HarshvMahawar · commit 8023a337df9a · 2025-03-16T05:19:40.000+05:30
Signed-off-by: HarshvMahawar &lt;hv062727@gmail.com&gt;
diff --git a/src/claims.py b/src/claims.py
@@ -2,19 +2,18 @@
 from dataclasses import dataclass, field
 from typing import Any, Dict
 
+from src.trust_tier import to_trust_tier
 from src.trust_vector import TrustVector
 from src.verifier_id import VerifierID
 
 
-# Represents the EAR Claims set that will be populated
 @dataclass
 class EARClaims:
     profile: str
     issued_at: int
     verifier_id: VerifierID
     submods: Dict[str, Dict[str, Any]] = field(default_factory=dict)
 
-    # Returns a python dictionary that will be used for serializing to JWT
     def to_dict(self) -> Dict[str, Any]:
         return {
             "eat_profile": self.profile,
@@ -23,7 +22,7 @@ def to_dict(self) -> Dict[str, Any]:
             "submods": {
                 key: {
                     "trust_vector": value["trust_vector"].to_dict(),
-                    "status": value["status"],
+                    "status": value["status"].value,
                 }
                 for key, value in self.submods.items()
             },
@@ -40,8 +39,8 @@ def from_dict(cls, data: Dict[str, Any]):
             verifier_id=VerifierID.from_dict(data.get("ear.verifier-id", {})),
             submods={
                 key: {
-                    "trust_vector": TrustVector.from_dict(value["trust_vector"]),  # noqa: E501
-                    "status": value["status"],
+                    "trust_vector": TrustVector.from_dict(value["trust_vector"]),
+                    "status": to_trust_tier(value["status"]),
                 }
                 for key, value in data.get("submods", {}).items()
             },
diff --git a/src/trust_tier.py b/src/trust_tier.py
@@ -0,0 +1,42 @@
+from dataclasses import dataclass
+from typing import Any, Dict
+
+
+@dataclass(frozen=True)
+class TrustTier:
+    value: int
+
+
+def to_trust_tier(value: Any) -> TrustTier:
+    # Converts an integer or string to a TrustTier instance, defaulting to TrustTierNone on failure
+    if isinstance(value, int):
+        return IntToTrustTier.get(value, TrustTierNone)
+    if isinstance(value, str):
+        return StringToTrustTier.get(value, TrustTierNone)
+    raise ValueError(f"Cannot convert {value} (type {type(value)}) to TrustTier")
+
+
+# Defining trust tiers
+TrustTierNone = TrustTier(0)
+TrustTierAffirming = TrustTier(2)
+TrustTierWarning = TrustTier(32)
+TrustTierContraindicated = TrustTier(96)
+
+# Mapping from TrustTier to string representation
+TrustTierToString: Dict[TrustTier, str] = {
+    TrustTierNone: "none",
+    TrustTierAffirming: "affirming",
+    TrustTierWarning: "warning",
+    TrustTierContraindicated: "contraindicated",
+}
+
+# Reverse mapping from string to TrustTier
+StringToTrustTier: Dict[str, TrustTier] = {v: k for k, v in TrustTierToString.items()}
+
+# Mapping from integer value to TrustTier
+IntToTrustTier: Dict[int, TrustTier] = {
+    TrustTierNone.value: TrustTierNone,
+    TrustTierAffirming.value: TrustTierAffirming,
+    TrustTierWarning.value: TrustTierWarning,
+    TrustTierContraindicated.value: TrustTierContraindicated,
+}
diff --git a/src/validation.py b/src/validation.py
@@ -0,0 +1,80 @@
+from typing import Dict
+
+from src.claims import EARClaims
+from src.trust_claims import TrustClaim
+from src.trust_vector import TrustVector
+from src.verifier_id import VerifierID
+
+
+class EARValidationError(Exception):
+    """Custom exception for validation errors in EARClaims"""
+
+    pass
+
+
+def validate_trust_claim(trust_claim: TrustClaim):
+    # Validates a TrustClaim object
+    if not isinstance(trust_claim.value, int) or not -128 <= trust_claim.value <= 127:
+        raise EARValidationError(
+            f"Invalid value in TrustClaim: {trust_claim.value}. Must be in range [-128, 127]"
+        )
+    if not isinstance(trust_claim.tag, str):
+        raise EARValidationError("TrustClaim tag must be a string")
+    if not isinstance(trust_claim.short, str):
+        raise EARValidationError("TrustClaim short description must be a string")
+    if not isinstance(trust_claim.long, str):
+        raise EARValidationError("TrustClaim long description must be a string")
+
+
+def validate_trust_vector(trust_vector: TrustVector):
+    # Validates a TrustVector object
+    if not isinstance(trust_vector, TrustVector):
+        raise EARValidationError("Invalid TrustVector object")
+
+    for claim in trust_vector.__dict__.values():
+        if claim is not None:
+            validate_trust_claim(claim)
+
+
+def validate_verifier_id(verifier_id: VerifierID):
+    # Validates a VerifierID object
+    if not isinstance(verifier_id, VerifierID):
+        raise EARValidationError("Invalid VerifierID object")
+    if not verifier_id.developer or not isinstance(verifier_id.developer, str):
+        raise EARValidationError("VerifierID developer must be a non-empty string")
+    if not verifier_id.build or not isinstance(verifier_id.build, str):
+        raise EARValidationError("VerifierID build must be a non-empty string")
+
+
+def validate_ear_claims(ear_claims: EARClaims):
+    # Validates an EARClaims object
+    if not isinstance(ear_claims, EARClaims):
+        raise EARValidationError("Invalid EARClaims object")
+    if not isinstance(ear_claims.profile, str) or not ear_claims.profile:
+        raise EARValidationError("EARClaims profile must be a non-empty string")
+    if not isinstance(ear_claims.issued_at, int) or ear_claims.issued_at <= 0:
+        raise EARValidationError("EARClaims issued_at must be a positive integer")
+
+    validate_verifier_id(ear_claims.verifier_id)
+
+    for submod, details in ear_claims.submods.items():
+        if (
+            not isinstance(details, Dict)
+            or "trust_vector" not in details
+            or "status" not in details
+        ):
+            raise EARValidationError(
+                f"Submodule {submod} must contain a valid trust_vector and status"
+            )
+        validate_trust_vector(details["trust_vector"])
+        if not isinstance(details["status"], str):
+            raise EARValidationError(f"Submodule {submod} status must be a string")
+
+
+def validate_all(ear_claims: EARClaims):
+    # Runs all validation checks on the provided EARClaims object
+    try:
+        validate_ear_claims(ear_claims)
+        print("EARClaims validation successful.")
+    except EARValidationError as e:
+        print(f"Validation failed: {e}")
diff --git a/tests/test_claims.py b/tests/test_claims.py
@@ -1,16 +1,13 @@
 import pytest
 
 from src.claims import EARClaims
-from src.trust_claims import (
-    ApprovedConfigClaim,
-    ApprovedFilesClaim,
-    ApprovedRuntimeClaim,
-    EncryptedMemoryRuntimeClaim,
-    GenuineHardwareClaim,
-    HwKeysEncryptedSecretsClaim,
-    TrustedSourcesClaim,
-    TrustworthyInstanceClaim,
-)
+from src.trust_claims import (ApprovedConfigClaim, ApprovedFilesClaim,
+                              ApprovedRuntimeClaim,
+                              EncryptedMemoryRuntimeClaim,
+                              GenuineHardwareClaim,
+                              HwKeysEncryptedSecretsClaim, TrustedSourcesClaim,
+                              TrustworthyInstanceClaim)
+from src.trust_tier import TrustTierAffirming
 from src.trust_vector import TrustVector
 from src.verifier_id import VerifierID
 
@@ -33,7 +30,7 @@ def sample_ear_claims():
                     storage_opaque=HwKeysEncryptedSecretsClaim,
                     sourced_data=TrustedSourcesClaim,
                 ),
-                "status": "affirming",
+                "status": TrustTierAffirming,
             }
         },
     )
@@ -56,7 +53,7 @@ def test_ear_claims_to_dict(sample_ear_claims):
                     "storage_opaque": HwKeysEncryptedSecretsClaim.to_dict(),
                     "sourced_data": TrustedSourcesClaim.to_dict(),
                 },
-                "status": "affirming",
+                "status": TrustTierAffirming.value,
             }
         },
     }
@@ -86,7 +83,7 @@ def test_ear_claims_from_dict():
                     "storage_opaque": HwKeysEncryptedSecretsClaim.to_dict(),
                     "sourced_data": TrustedSourcesClaim.to_dict(),
                 },
-                "status": "affirming",
+                "status": TrustTierAffirming.value,
             }
         },
     }
diff --git a/tests/test_trust_tier.py b/tests/test_trust_tier.py
@@ -0,0 +1,34 @@
+import pytest
+
+from src.trust_tier import (TrustTierAffirming, TrustTierContraindicated,
+                            TrustTierNone, TrustTierWarning, to_trust_tier)
+
+
+def test_to_trust_tier_valid_int():
+    assert to_trust_tier(0) == TrustTierNone
+    assert to_trust_tier(2) == TrustTierAffirming
+    assert to_trust_tier(32) == TrustTierWarning
+    assert to_trust_tier(96) == TrustTierContraindicated
+
+
+def test_to_trust_tier_valid_str():
+    assert to_trust_tier("none") == TrustTierNone
+    assert to_trust_tier("affirming") == TrustTierAffirming
+    assert to_trust_tier("warning") == TrustTierWarning
+    assert to_trust_tier("contraindicated") == TrustTierContraindicated
+
+
+def test_to_trust_tier_invalid_int():
+    assert to_trust_tier(100) == TrustTierNone  # Default fallback
+
+
+def test_to_trust_tier_invalid_str():
+    assert to_trust_tier("invalid_string") == TrustTierNone  # Default fallback
+
+
+def test_to_trust_tier_invalid_type():
+    with pytest.raises(ValueError):
+        to_trust_tier([1, 2, 3])
+
+    with pytest.raises(ValueError):
+        to_trust_tier({"tier": "affirming"})
diff --git a/tests/test_trust_vector.py b/tests/test_trust_vector.py
@@ -2,16 +2,11 @@
 
 import pytest
 
-from src.trust_claims import (
-    ApprovedFilesClaim,
-    ApprovedRuntimeClaim,
-    EncryptedMemoryRuntimeClaim,
-    GenuineHardwareClaim,
-    HwKeysEncryptedSecretsClaim,
-    TrustedSourcesClaim,
-    TrustworthyInstanceClaim,
-    UnsafeConfigClaim,
-)
+from src.trust_claims import (ApprovedFilesClaim, ApprovedRuntimeClaim,
+                              EncryptedMemoryRuntimeClaim,
+                              GenuineHardwareClaim,
+                              HwKeysEncryptedSecretsClaim, TrustedSourcesClaim,
+                              TrustworthyInstanceClaim, UnsafeConfigClaim)
 from src.trust_vector import TrustVector
 
 
@@ -90,4 +85,6 @@ def test_trust_vector_from_cbor():
         7: TrustedSourcesClaim.to_dict(),
     }
     parsed_vector = TrustVector.from_cbor(cbor_data)
-    assert parsed_vector.to_dict() == TrustVector.from_cbor(cbor_data).to_dict()  # noqa: E501
+    assert (
+        parsed_vector.to_dict() == TrustVector.from_cbor(cbor_data).to_dict()
+    )  # noqa: E501
diff --git a/tests/test_validation.py b/tests/test_validation.py
@@ -0,0 +1,96 @@
+import pytest
+
+from src.claims import EARClaims
+from src.trust_claims import (TrustClaim, TrustworthyInstanceClaim,
+                              UnsafeConfigClaim)
+from src.trust_vector import TrustVector
+from src.validation import (EARValidationError, validate_ear_claims,
+                            validate_trust_claim, validate_trust_vector,
+                            validate_verifier_id)
+from src.verifier_id import VerifierID
+
+
+@pytest.fixture
+def valid_trust_claim():
+    return TrustClaim(
+        value=2,
+        tag="approved_config",
+        short="Approved",
+        long="Configuration is approved.",
+    )
+
+
+@pytest.fixture
+def valid_trust_vector():
+    return TrustVector(
+        instance_identity=TrustworthyInstanceClaim,
+        configuration=UnsafeConfigClaim,
+    )
+
+
+@pytest.fixture
+def valid_verifier_id():
+    return VerifierID(developer="Acme Inc.", build="v1.0.0")
+
+
+@pytest.fixture
+def valid_ear_claims(valid_trust_vector, valid_verifier_id):
+    return EARClaims(
+        profile="test_profile",
+        issued_at=1234567890,
+        verifier_id=valid_verifier_id,
+        submods={
+            "submod1": {
+                "trust_vector": valid_trust_vector,
+                "status": "affirming",
+            }
+        },
+    )
+
+
+def test_validate_trust_claim(valid_trust_claim):
+    # Should not raise an error
+    validate_trust_claim(valid_trust_claim)
+
+
+def test_validate_trust_claim_invalid():
+    with pytest.raises(EARValidationError):
+        validate_trust_claim(
+            TrustClaim(value=200, tag="invalid", short="", long="")
+        )  # Invalid value (>127)
+
+
+def test_validate_trust_vector(valid_trust_vector):
+    # Should not raise an error
+    validate_trust_vector(valid_trust_vector)
+
+
+def test_validate_trust_vector_invalid():
+    with pytest.raises(EARValidationError):
+        invalid_vector = TrustVector(
+            configuration=TrustClaim(value=200, tag="invalid", short="", long="")
+        )
+        validate_trust_vector(invalid_vector)
+
+
+def test_validate_verifier_id(valid_verifier_id):
+    # Should not raise an error
+    validate_verifier_id(valid_verifier_id)
+
+
+def test_validate_verifier_id_invalid():
+    with pytest.raises(EARValidationError):
+        validate_verifier_id(VerifierID(developer="", build=""))  # Invalid empty fields
+
+
+def test_validate_ear_claims(valid_ear_claims):
+    # Should not raise an error
+    validate_ear_claims(valid_ear_claims)
+
+
+def test_validate_ear_claims_invalid():
+    with pytest.raises(EARValidationError):
+        invalid_claims = EARClaims(
+            profile="", issued_at=-1, verifier_id=VerifierID(developer="", build="")
+        )
+        validate_ear_claims(invalid_claims)
