hdp-integrity (#17), hdp-spec (#16): HDPPolicyLoad dataclass improved

EticaAI · Mar 30, 2021 · c2c9db0 · c2c9db0
1 parent 4db8ab7
commit c2c9db0
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 6 deletions.
diff --git a/hxlm/core/hdp/datamodel.py b/hxlm/core/hdp/datamodel.py
@@ -13,10 +13,12 @@
 
 from typing import (
     List,
+    Tuple,
     Union
 )
 
 from hxlm.core.types import (
+    EntryPointType,
     ResourceWrapper
 )
 
@@ -101,9 +103,61 @@ class HDPPolicyLoad:
     Used by hxlm.core.hdp.hazmat to abstract not just what already is cached
     but also what should not be loaded without user request
     """
+
+    # TODO: move the rest of the hxlm.core.model.hdp rules to here and to
+    #       hxlm.core.hdp.hazmat (Emerson Rocha, 2021-03-30 17:57 UTC)
+
+    allowed_entrypoint_type: InitVar[Tuple] = [
+        EntryPointType.FTP,
+        EntryPointType.GIT,
+        EntryPointType.HTTP,
+        EntryPointType.LOCAL_DIR,  # air-gapped compliant
+        EntryPointType.LOCAL_FILE,  # air-gapped compliant
+        EntryPointType.NETWORK_DIR,  # air-gapped compliant
+        EntryPointType.NETWORK_FILE,  # air-gapped compliant
+        EntryPointType.PYDICT,  # air-gapped compliant
+        EntryPointType.PYLIST,  # air-gapped compliant
+        EntryPointType.SSH,
+        EntryPointType.STREAM,
+        EntryPointType.STRING,  # air-gapped compliant
+        # EntryPointType.UNKNOW,
+        EntryPointType.URN  # air-gapped compliant (it's an resolver)
+    ]
+    """Tuple of EntryPointType"""
+
+    debug_no_restrictions: bool = False
+    """Debug Mode. This ask policy checkers to not enforce any other rule"""
+
+    enforce_startup_generic_tests: bool = False
+    """If, and only if, implementations could do generic check EVERY time
+    an library start, this variable is the way to give a hint.
+
+    The use case is, even if an HDP implementation like this python library
+    would try to comply, actually do generic tests like if no network access
+    is allowed, try to test if is possible to do HTTP requests and then refuse
+    to run until this is fixed.
+    """
+
     log: InitVar[list] = []
     """Log of messages (if any)"""
 
+    safer_zones_hosts: InitVar[Tuple] = (
+        'localhost'
+    )
+    """Tuple of hostnames that even if under restrictions are considered safe
+    The name 'safer' does not mean that is 100% safe if an resource on the
+    listed item already is compromised
+    """
+
+    safer_zone_list: InitVar[Tuple] = [
+        '127.0.0.1',
+        '::1'
+    ]
+    """Tuple of IPv4 or IPv6 that even if under restrictions are considered safe
+    The name 'safer' does not mean that is 100% safe if an resource on the
+    listed item already is compromised.
+    """
+
 
 @dataclass(init=True, eq=True)
 class HDPRaw:

diff --git a/hxlm/core/hdp/hazmat/check.py b/hxlm/core/hdp/hazmat/check.py
@@ -0,0 +1,13 @@
+"""hxlm.core.hdp.hazmat.check is a draft
+
+"""
+
+# TODO: Since HDPPolicyLoad have an flag 'enforce_startup_generic_tests'
+#       We could choose some server (or a list of servers), and use files
+#       like this one https://www.un.org/robots.txt as check if network is
+#       enabled when an Policy is so high that this would need to be blocked
+#       at network level.
+#       I'm not sure if do exist some other more neutral server, but it's
+#       important any (even if as example), check is done, the server should
+#       not be something that could be used to track users.
+#       (Emerson Rocha, 2021-03-30 16:16 UTC)
diff --git a/hxlm/core/hdp/hazmat/policy.py b/hxlm/core/hdp/hazmat/policy.py
@@ -24,8 +24,30 @@
 _IS_DEBUG = bool(os.getenv('HDP_DEBUG', ''))
 
 
+def _get_bunker() -> HDPPolicyLoad:
+    """bunker"""
+    policy = HDPPolicyLoad
+    return policy
+
+
+def _get_debug() -> HDPPolicyLoad:
+    """debug"""
+    policy = HDPPolicyLoad
+    return policy
+
+
+def _get_user_know_what_is_doing() -> HDPPolicyLoad:
+    """user_know_what_is_doing assumes user trust all files it's loading"""
+    policy = HDPPolicyLoad
+    return policy
+
+
 def get_policy_HDSL1() -> HDPPolicyLoad:
-    """Generate an HDPPolicyLoad for the internal constant 'HDSL1'
+    """Syntatic sugar to generate an generic optionated policy for 'HDSL1'
+
+    Very important notes:
+      - Implementers very likely would want to create HDPPolicyLoad directly
+        that would align with the specific needs
 
     See:
       - hxlm/core/constant.py
@@ -36,13 +58,16 @@ def get_policy_HDSL1() -> HDPPolicyLoad:
     """
     # pylint: disable=invalid-name
 
-    policy = HDPPolicyLoad
-    return policy
+    return _get_user_know_what_is_doing()
 
 
 def get_policy_HDSL4() -> HDPPolicyLoad:
     """Generate an HDPPolicyLoad for the internal constant 'HDSL4'
 
+    Very important notes:
+      - Implementers very likely would want to create HDPPolicyLoad directly
+        that would align with the specific needs
+
     See:
       - hxlm/core/constant.py
         - HDSL4: Severe Sensitivity
@@ -51,6 +76,4 @@ def get_policy_HDSL4() -> HDPPolicyLoad:
         [HDPPolicyLoad]: HDPPolicyLoad
     """
     # pylint: disable=invalid-name
-
-    policy = HDPPolicyLoad
-    return policy
+    return _get_bunker()