@@ -30,6 +30,29 @@ const BootResponseSchema = z.object({
3030type BootInfo = z . infer < typeof BootInfoSchema > ;
3131type BootResponse = z . infer < typeof BootResponseSchema > ;
3232
33+ // authorization policy - configurable via environment variables
34+ // MOCK_POLICY: "allow-all" (default), "deny-kms", "deny-app", "deny-all",
35+ // "allowlist-device", "allowlist-mr"
36+ // MOCK_ALLOWED_DEVICE_IDS: comma-separated device IDs (for allowlist-device policy)
37+ // MOCK_ALLOWED_MR_AGGREGATED: comma-separated MR aggregated values (for allowlist-mr policy)
38+
39+ type MockPolicy = 'allow-all' | 'deny-kms' | 'deny-app' | 'deny-all' | 'allowlist-device' | 'allowlist-mr' ;
40+
41+ function getPolicy ( ) : MockPolicy {
42+ const policy = process . env . MOCK_POLICY || 'allow-all' ;
43+ const valid : MockPolicy [ ] = [ 'allow-all' , 'deny-kms' , 'deny-app' , 'deny-all' , 'allowlist-device' , 'allowlist-mr' ] ;
44+ if ( ! valid . includes ( policy as MockPolicy ) ) {
45+ console . warn ( `unknown MOCK_POLICY "${ policy } ", falling back to allow-all` ) ;
46+ return 'allow-all' ;
47+ }
48+ return policy as MockPolicy ;
49+ }
50+
51+ function parseList ( envVar : string ) : Set < string > {
52+ const raw = process . env [ envVar ] || '' ;
53+ return new Set ( raw . split ( ',' ) . map ( s => s . trim ( ) . toLowerCase ( ) ) . filter ( Boolean ) ) ;
54+ }
55+
3356// mock backend class - no blockchain interaction
3457class MockBackend {
3558 private mockGatewayAppId : string ;
@@ -44,14 +67,45 @@ class MockBackend {
4467 }
4568
4669 async checkBoot ( bootInfo : BootInfo , isKms : boolean ) : Promise < BootResponse > {
47- // always return success for mock backend
48- const reason = isKms ? 'mock KMS always allowed' : 'mock app always allowed' ;
49-
50- return {
70+ const policy = getPolicy ( ) ;
71+ const deny = ( reason : string ) : BootResponse => ( {
72+ isAllowed : false ,
73+ reason,
74+ gatewayAppId : '' ,
75+ } ) ;
76+ const allow = ( reason : string ) : BootResponse => ( {
5177 isAllowed : true ,
5278 reason,
5379 gatewayAppId : this . mockGatewayAppId ,
54- } ;
80+ } ) ;
81+
82+ switch ( policy ) {
83+ case 'deny-all' :
84+ return deny ( `mock policy: deny-all` ) ;
85+ case 'deny-kms' :
86+ if ( isKms ) return deny ( `mock policy: deny-kms` ) ;
87+ return allow ( 'mock app allowed (deny-kms policy)' ) ;
88+ case 'deny-app' :
89+ if ( ! isKms ) return deny ( `mock policy: deny-app` ) ;
90+ return allow ( 'mock KMS allowed (deny-app policy)' ) ;
91+ case 'allowlist-device' : {
92+ const allowed = parseList ( 'MOCK_ALLOWED_DEVICE_IDS' ) ;
93+ const deviceId = bootInfo . deviceId . toLowerCase ( ) . replace ( / ^ 0 x / , '' ) ;
94+ if ( allowed . size === 0 ) return deny ( 'mock policy: allowlist-device with empty list' ) ;
95+ if ( ! allowed . has ( deviceId ) ) return deny ( `mock policy: device ${ bootInfo . deviceId } not in allowlist` ) ;
96+ return allow ( `mock policy: device ${ bootInfo . deviceId } allowed` ) ;
97+ }
98+ case 'allowlist-mr' : {
99+ const allowed = parseList ( 'MOCK_ALLOWED_MR_AGGREGATED' ) ;
100+ const mr = bootInfo . mrAggregated . toLowerCase ( ) . replace ( / ^ 0 x / , '' ) ;
101+ if ( allowed . size === 0 ) return deny ( 'mock policy: allowlist-mr with empty list' ) ;
102+ if ( ! allowed . has ( mr ) ) return deny ( `mock policy: mrAggregated ${ bootInfo . mrAggregated } not in allowlist` ) ;
103+ return allow ( `mock policy: mrAggregated ${ bootInfo . mrAggregated } allowed` ) ;
104+ }
105+ case 'allow-all' :
106+ default :
107+ return allow ( isKms ? 'mock KMS always allowed' : 'mock app always allowed' ) ;
108+ }
55109 }
56110
57111 async getGatewayAppId ( ) : Promise < string > {
@@ -156,8 +210,8 @@ app.post('/bootAuth/kms',
156210
157211// start server
158212const port = parseInt ( process . env . PORT || '3000' ) ;
159- console . log ( `starting mock auth server on port ${ port } ` ) ;
160- console . log ( 'note: this is a mock backend - all authentications will succeed' ) ;
213+ const policy = getPolicy ( ) ;
214+ console . log ( `starting mock auth server on port ${ port } (policy: ${ policy } )` ) ;
161215
162216export default {
163217 port,
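Review bot: An unrecognised MOCK_POLICY value fails open in getPolicy (new lines 44–47): a misspelling such as `deny_all` only logs a warning, after which every boot request is authorized, and the `default:` arm of the switch in checkBoot shares the allow branch as well. For an authorization decision the safer fallback is to deny, e.g. `return 'deny-all';` with the warning text changed to match, or to throw at startup so the misconfiguration is noticed. Separately, parseList trims and lowercases allowlist entries but does not strip a leading `0x`, while checkBoot strips it from `bootInfo.deviceId` and `bootInfo.mrAggregated`, so an entry written with the prefix can never match; adding `.replace(/^0x/, '')` inside the `map` would normalize both sides the same way. The startup log also drops the old reminder that this is a mock backend, which is worth keeping next to the policy name.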