rust-guard: remove dead permissions.rs and deduplicate username lookup (#2851)

lpcox · web-flow · commit eab98ed30ab7 · 2026-03-30T08:40:36.000-07:00
Two small cleanups to the Rust guard: delete a 426-line module that was never wired into production code paths, and collapse three structurally identical username-membership functions into a single private helper. ## Remove dead `permissions.rs` `permissions.rs` was explicitly annotated as scaffolding (`#![allow(dead_code)]`), never imported beyond `mod permissions;` in `lib.rs`, and has no effect on the compiled WASM. Deletes the file and removes the `mod` declaration. ## Deduplicate case-insensitive username lookup `is_blocked_user`, `is_configured_trusted_bot`, and `is_trusted_user` all had identical bodies. Extracted into a private helper that also avoids per-item `String` allocations by using `eq_ignore_ascii_case`: ```rust // Before — repeated three times with local allocation per list item let lower = username.to_lowercase(); ctx.blocked_users.iter().any(|u| u.to_lowercase() == lower) // After fn username_in_list(username: &str, list: &[String]) -> bool { list.iter().any(|u| u.eq_ignore_ascii_case(username)) } pub fn is_blocked_user(username: &str, ctx: &PolicyContext) -> bool { username_in_list(username, &ctx.blocked_users) } // …same for is_configured_trusted_bot, is_trusted_user ``` Public API and all existing tests are unchanged. > [!WARNING] > > <details> > <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary> > > #### I tried to connect to the following addresses, but was blocked by firewall rules: > > - `example.com` > - Triggering command: `/tmp/go-build3156076384/b338/launcher.test /tmp/go-build3156076384/b338/launcher.test -test.testlogfile=/tmp/go-build3156076384/b338/testlog.txt -test.paniconexit0 -test.timeout=10m0s ache�� -Wl,--no-undefined-version 13ODHFGfB x_amd64/vet gci-lint failed /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /home/REDACTED/wor-atomic` (dns block) > - `invalid-host-that-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build3156076384/b320/config.test /tmp/go-build3156076384/b320/config.test -test.testlogfile=/tmp/go-build3156076384/b320/testlog.txt -test.paniconexit0 -test.timeout=10m0s c4d6�� ternal/engine/wa-p ternal/engine/wagithub.com/stretchr/testify/require x_amd64/compile -gnu/lib/libobje/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -gnu/lib/libmemc-unsafeptr=false -gnu/lib/libaddr-unreachable=false x_amd64/compile -gnu�� ache/go/1.25.8/x-c=4 _cgo_.o x_amd64/vet -gnu/lib/librust/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet zevo/backend de/node/bin/git x_amd64/vet` (dns block) > - `nonexistent.local` > - Triggering command: `/tmp/go-build3156076384/b338/launcher.test /tmp/go-build3156076384/b338/launcher.test -test.testlogfile=/tmp/go-build3156076384/b338/testlog.txt -test.paniconexit0 -test.timeout=10m0s ache�� -Wl,--no-undefined-version 13ODHFGfB x_amd64/vet gci-lint failed /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /home/REDACTED/wor-atomic` (dns block) > - `slow.example.com` > - Triggering command: `/tmp/go-build3156076384/b338/launcher.test /tmp/go-build3156076384/b338/launcher.test -test.testlogfile=/tmp/go-build3156076384/b338/testlog.txt -test.paniconexit0 -test.timeout=10m0s ache�� -Wl,--no-undefined-version 13ODHFGfB x_amd64/vet gci-lint failed /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /home/REDACTED/wor-atomic` (dns block) > - `this-host-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build3156076384/b347/mcp.test /tmp/go-build3156076384/b347/mcp.test -test.testlogfile=/tmp/go-build3156076384/b347/testlog.txt -test.paniconexit0 -test.timeout=10m0s 3791�� 64/src/net -trimpath x_amd64/vet -p crypto/internal//usr/bin/runc -lang=go1.25 x_amd64/vet -qui�� -I o_.o x_amd64/vet 01.o 02.o 03.o x_amd64/vet` (dns block) > > If you need me to access, download, or install something from one of these locations, you can either: > > - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled > - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only) > > </details>
diff --git a/guards/github-guard/rust-guard/src/labels/helpers.rs b/guards/github-guard/rust-guard/src/labels/helpers.rs
@@ -227,13 +227,14 @@ pub fn blocked_integrity(scope: &str, ctx: &PolicyContext) -> Vec<String> {
     )]
 }
 
+/// Returns true if `username` matches any entry in `list` (case-insensitive).
+fn username_in_list(username: &str, list: &[String]) -> bool {
+    list.iter().any(|u| u.eq_ignore_ascii_case(username))
+}
+
 /// Check if a username appears in the configured blocked-users list (case-insensitive).
 pub fn is_blocked_user(username: &str, ctx: &PolicyContext) -> bool {
-    if ctx.blocked_users.is_empty() {
-        return false;
-    }
-    let lower = username.to_lowercase();
-    ctx.blocked_users.iter().any(|u| u.to_lowercase() == lower)
+    username_in_list(username, &ctx.blocked_users)
 }
 
 /// Extract GitHub label names from a content item's `labels` array.
@@ -1353,11 +1354,7 @@ pub fn is_trusted_first_party_bot(username: &str) -> bool {
 /// the gateway configuration's `trustedBots` field. Comparison is case-insensitive.
 /// This list is additive and cannot remove entries from the built-in trusted bot list.
 pub fn is_configured_trusted_bot(username: &str, ctx: &PolicyContext) -> bool {
-    if ctx.trusted_bots.is_empty() {
-        return false;
-    }
-    let lower = username.to_lowercase();
-    ctx.trusted_bots.iter().any(|b| b.to_lowercase() == lower)
+    username_in_list(username, &ctx.trusted_bots)
 }
 
 /// Check if a user is in the gateway-configured trusted users list.
@@ -1367,11 +1364,7 @@ pub fn is_configured_trusted_bot(username: &str, ctx: &PolicyContext) -> bool {
 /// (writer) integrity regardless of their `author_association`. Comparison is
 /// case-insensitive. `blocked_users` takes precedence over `trusted_users`.
 pub fn is_trusted_user(username: &str, ctx: &PolicyContext) -> bool {
-    if ctx.trusted_users.is_empty() {
-        return false;
-    }
-    let lower = username.to_lowercase();
-    ctx.trusted_users.iter().any(|u| u.to_lowercase() == lower)
+    username_in_list(username, &ctx.trusted_users)
 }
 
 /// Check if a user appears to be a bot (broad detection).
diff --git a/guards/github-guard/rust-guard/src/lib.rs b/guards/github-guard/rust-guard/src/lib.rs
@@ -10,7 +10,6 @@
 //!   target/wasm32-wasip1/release/github_guard.wasm
 
 mod labels;
-mod permissions;
 mod tools;
 
 use labels::constants::policy_integrity;
diff --git a/guards/github-guard/rust-guard/src/permissions.rs b/guards/github-guard/rust-guard/src/permissions.rs
