NASA-AMMOS · jeronstone · Apr 2, 2026 · Mar 26, 2026 · Mar 27, 2026 · Mar 27, 2026
@@ -1323,12 +1323,12 @@ int BSL_PolicyRegistry_FinalizeActions(const BSL_LibCtx_t *bsl, const BSL_Securi
                                        const BSL_BundleRef_t *bundle, const BSL_SecurityResponseSet_t *response_output);
 
 /// @brief Callback interface to query policy provider to populate the action set
-typedef int (*BSL_PolicyInspect_f)(const void *user_data, BSL_SecurityActionSet_t *output_action_set,
+typedef int (*BSL_PolicyInspect_f)(void *user_data, BSL_SecurityActionSet_t *output_action_set,
                                    const BSL_BundleRef_t *bundle, BSL_PolicyLocation_e location);
 
 /// @brief Callback interface to finalize policy provider over the action set. Finalize should ignore actions from
 /// different policy providers
-typedef int (*BSL_PolicyFinalize_f)(const void *user_data, const BSL_SecurityActionSet_t *output_action_set,
+typedef int (*BSL_PolicyFinalize_f)(void *user_data, const BSL_SecurityActionSet_t *output_action_set,
                                     const BSL_BundleRef_t *bundle, const BSL_SecurityResponseSet_t *response_output);
 
 /// @brief Callback interface for policy provider to shut down and release any resources
@@ -1337,10 +1337,10 @@ typedef void (*BSL_PolicyDeinit_f)(void *user_data);
 /// @brief Descriptor of opaque data and callbacks for Policy Provider.
 struct BSL_PolicyDesc_s
 {
-    void                *user_data;
+    void                *user_data;   ///< Reference to policy provider -specific data
     BSL_PolicyInspect_f  query_fn;    ///< Function pointer to query policy
     BSL_PolicyFinalize_f finalize_fn; ///< Function pointer to finalize policy
-    BSL_PolicyDeinit_f   deinit_fn;   ///< Function to deinit the policy provider at termination of BSL.
+    BSL_PolicyDeinit_f   deinit_fn;   ///< Function to deinit the policy provider at termination of BSL context
 };
 
 /** Call the underlying security context to perform the given action

@@ -439,7 +439,7 @@ BSL_HostDescriptors_t MockBPA_Agent_Descriptors(MockBPA_Agent_t *agent)
     return bpa;
 }
 
-int MockBPA_Agent_Init(MockBPA_Agent_t *agent)
+int MockBPA_Agent_Init(MockBPA_Agent_t *agent, BSLP_PolicyProvider_t **policy)
 {
     int retval = 0;
 
@@ -496,36 +496,35 @@ int MockBPA_Agent_Init(MockBPA_Agent_t *agent)
         ASSERT_PROPERTY(0 == BSL_API_RegisterSecurityContext(ctx->bsl, 2, bcb_sec_desc));
     }
     // TODO find a better way to deal with this
+
+    *policy              = BSLP_PolicyProvider_Init(1);
+    agent->appin.policy  = *policy;
+    agent->appout.policy = *policy;
+    agent->clin.policy   = *policy;
+    agent->clout.policy  = *policy;
+
     {
-        agent->appin.policy               = BSL_calloc(1, sizeof(BSLP_PolicyProvider_t));
-        agent->appin.policy->pp_id        = 1;
         BSL_PolicyDesc_t policy_callbacks = (BSL_PolicyDesc_t) { .deinit_fn   = BSLP_Deinit,
                                                                  .query_fn    = BSLP_QueryPolicy,
                                                                  .finalize_fn = BSLP_FinalizePolicy,
                                                                  .user_data   = agent->appin.policy };
         ASSERT_PROPERTY(BSL_SUCCESS == BSL_API_RegisterPolicyProvider(agent->appin.bsl, 1, policy_callbacks));
     }
     {
-        agent->appout.policy              = BSL_calloc(1, sizeof(BSLP_PolicyProvider_t));
-        agent->appout.policy->pp_id       = 1;
         BSL_PolicyDesc_t policy_callbacks = (BSL_PolicyDesc_t) { .deinit_fn   = BSLP_Deinit,
                                                                  .query_fn    = BSLP_QueryPolicy,
                                                                  .finalize_fn = BSLP_FinalizePolicy,
                                                                  .user_data   = agent->appout.policy };
         ASSERT_PROPERTY(BSL_SUCCESS == BSL_API_RegisterPolicyProvider(agent->appout.bsl, 1, policy_callbacks));
     }
     {
-        agent->clin.policy                = BSL_calloc(1, sizeof(BSLP_PolicyProvider_t));
-        agent->clin.policy->pp_id         = 1;
         BSL_PolicyDesc_t policy_callbacks = (BSL_PolicyDesc_t) { .deinit_fn   = BSLP_Deinit,
                                                                  .query_fn    = BSLP_QueryPolicy,
                                                                  .finalize_fn = BSLP_FinalizePolicy,
                                                                  .user_data   = agent->clin.policy };
         ASSERT_PROPERTY(BSL_SUCCESS == BSL_API_RegisterPolicyProvider(agent->clin.bsl, 1, policy_callbacks));
     }
     {
-        agent->clout.policy               = BSL_calloc(1, sizeof(BSLP_PolicyProvider_t));
-        agent->clout.policy->pp_id        = 1;
         BSL_PolicyDesc_t policy_callbacks = (BSL_PolicyDesc_t) { .deinit_fn   = BSLP_Deinit,
                                                                  .query_fn    = BSLP_QueryPolicy,
                                                                  .finalize_fn = BSLP_FinalizePolicy,

@@ -149,7 +149,7 @@ BSL_HostDescriptors_t MockBPA_Agent_Descriptors(MockBPA_Agent_t *agent);
  * @param[out] agent The agent to initialize.
  * @return Zero if successful.
  */
-int MockBPA_Agent_Init(MockBPA_Agent_t *agent);
+int MockBPA_Agent_Init(MockBPA_Agent_t *agent, BSLP_PolicyProvider_t **policy);
 
 /** Clean up the mock BPA for the current process.
  *

@@ -44,7 +44,8 @@
 static BSL_HostEID_t app_eid;
 static BSL_HostEID_t sec_eid;
 /// Agent for this process
-static MockBPA_Agent_t agent;
+static MockBPA_Agent_t        agent;
+static BSLP_PolicyProvider_t *policy;
 
 static int ingest_netaddr(struct sockaddr_in *addr, const char *arg)
 {
@@ -115,7 +116,7 @@ int main(int argc, char **argv)
     }
     mock_bpa_LogOpen();
     BSL_CryptoInit();
-    if ((res = MockBPA_Agent_Init(&agent)))
+    if ((res = MockBPA_Agent_Init(&agent, &policy)))
     {
         BSL_LOG_ERR("Failed to initialize mock BPA, error %d", res);
         retval = 2;
@@ -172,30 +173,12 @@ int main(int argc, char **argv)
                     break;
                 case 'p':
                 {
-                    // TODO better way to handle this
-                    int anyerr = 0;
-                    anyerr += abs(mock_bpa_handle_policy_config(optarg, agent.appin.policy, &policy_registry));
-                    anyerr += abs(mock_bpa_handle_policy_config(optarg, agent.appout.policy, &policy_registry));
-                    anyerr += abs(mock_bpa_handle_policy_config(optarg, agent.clin.policy, &policy_registry));
-                    anyerr += abs(mock_bpa_handle_policy_config(optarg, agent.clout.policy, &policy_registry));
-                    if (anyerr)
-                    {
-                        retval = 1;
-                    }
-
+                    retval = !!(mock_bpa_handle_policy_config(optarg, policy, &policy_registry));
                     break;
                 }
                 case 'j':
                 {
-                    int anyerr = 0;
-                    anyerr += abs(mock_bpa_register_policy_from_json(optarg, agent.appin.policy, &policy_registry));
-                    anyerr += abs(mock_bpa_register_policy_from_json(optarg, agent.appout.policy, &policy_registry));
-                    anyerr += abs(mock_bpa_register_policy_from_json(optarg, agent.clin.policy, &policy_registry));
-                    anyerr += abs(mock_bpa_register_policy_from_json(optarg, agent.clout.policy, &policy_registry));
-                    if (anyerr)
-                    {
-                        retval = 1;
-                    }
+                    retval = !!(mock_bpa_register_policy_from_json(optarg, policy, &policy_registry));
                     break;
                 }
                 case 'k':
@@ -251,6 +234,7 @@ int main(int argc, char **argv)
     }
 
     mock_bpa_policy_registry_deinit(&policy_registry);
+    BSLP_PolicyProvider_Deinit(policy);
     MockBPA_Agent_Deinit(&agent);
     BSL_HostEID_Deinit(&sec_eid);
     BSL_HostEID_Deinit(&app_eid);

@@ -28,14 +28,6 @@
 #include "policy_config.h"
 #include "text_util.h"
 
-static BSL_HostEIDPattern_t mock_bpa_util_get_eid_pattern_from_text(const char *text)
-{
-    BSL_HostEIDPattern_t pat;
-    BSL_HostEIDPattern_Init(&pat);
-    ASSERT_PROPERTY(0 == BSL_HostEIDPattern_DecodeFromText(&pat, text));
-    return pat;
-}
-
 int mock_bpa_rfc9173_bcb_cek(unsigned char *buf, int len)
 {
     if (len == 12) // IV
@@ -66,12 +58,9 @@ int mock_bpa_register_policy_from_json(const char *pp_cfg_file_path, BSLP_Policy
     BSL_PolicyLocation_e policy_loc_enum;
     BSL_PolicyAction_e   policy_action_enum;
 
-    const char          *src_str;
-    const char          *dest_str;
-    const char          *sec_src_str;
-    BSL_HostEIDPattern_t src_eid;
-    BSL_HostEIDPattern_t dest_eid;
-    BSL_HostEIDPattern_t sec_src_eid;
+    const char *src_str;
+    const char *dest_str;
+    const char *sec_src_str;
 
     const char *rule_id_str;
 
@@ -170,35 +159,32 @@ int mock_bpa_register_policy_from_json(const char *pp_cfg_file_path, BSLP_Policy
             {
                 src_str = json_string_value(src);
                 BSL_LOG_DEBUG("     src    : %s", src_str);
-                src_eid = mock_bpa_util_get_eid_pattern_from_text(src_str);
             }
             else
             {
-                src_eid = mock_bpa_util_get_eid_pattern_from_text("*:**");
+                src_str = "*:**";
             }
 
             json_t *dest = json_object_get(filter, "dest");
             if (dest)
             {
                 dest_str = json_string_value(dest);
                 BSL_LOG_DEBUG("     dest    : %s", dest_str);
-                dest_eid = mock_bpa_util_get_eid_pattern_from_text(dest_str);
             }
             else
             {
-                dest_eid = mock_bpa_util_get_eid_pattern_from_text("*:**");
+                dest_str = "*:**";
             }
 
             json_t *sec_src = json_object_get(filter, "sec_src");
             if (sec_src)
             {
                 sec_src_str = json_string_value(sec_src);
                 BSL_LOG_DEBUG("     sec_src    : %s", sec_src_str);
-                sec_src_eid = mock_bpa_util_get_eid_pattern_from_text(sec_src_str);
             }
             else
             {
-                sec_src_eid = mock_bpa_util_get_eid_pattern_from_text("*:**");
+                sec_src_str = "*:**";
             }
 
             // check tgt (target block type)
@@ -522,32 +508,34 @@ int mock_bpa_register_policy_from_json(const char *pp_cfg_file_path, BSLP_Policy
             }
         }
 
-        BSLP_PolicyPredicate_t *predicate = &policy->predicates[policy->predicate_count++];
-        BSLP_PolicyPredicate_Init(predicate, policy_loc_enum, src_eid, sec_src_eid, dest_eid);
+        BSLP_PolicyPredicate_t predicate;
+        BSLP_PolicyPredicate_InitFrom(&predicate, policy_loc_enum, src_str, sec_src_str, dest_str);
 
-        BSLP_PolicyRule_t *rule = &policy->rules[policy->rule_count++];
-        BSLP_PolicyRule_Init(rule, rule_id_str, predicate, sec_ctx_id, sec_role, sec_block_type, target_block_type,
-                             policy_action_enum);
+        BSLP_PolicyRule_t rule;
+        BSLP_PolicyRule_InitFrom(&rule, rule_id_str, sec_ctx_id, sec_role, sec_block_type, target_block_type,
+                                 policy_action_enum);
 
         // TODO validate params_got
         (void)params_got;
 
         if (sec_ctx_id == 2) // BCB
         {
-            BSLP_PolicyRule_CopyParam(rule, params->param_aes_variant);
+            BSLP_PolicyRule_CopyParam(&rule, params->param_aes_variant);
             if (sec_role == BSL_SECROLE_SOURCE)
             {
-                BSLP_PolicyRule_CopyParam(rule, params->param_aad_scope_flag);
+                BSLP_PolicyRule_CopyParam(&rule, params->param_aad_scope_flag);
                 BSL_Crypto_SetRngGenerator(mock_bpa_rfc9173_bcb_cek);
             }
         }
         else
         {
-            BSLP_PolicyRule_CopyParam(rule, params->param_sha_variant);
-            BSLP_PolicyRule_CopyParam(rule, params->param_integ_scope_flag);
+            BSLP_PolicyRule_CopyParam(&rule, params->param_sha_variant);
+            BSLP_PolicyRule_CopyParam(&rule, params->param_integ_scope_flag);
         }
-        BSLP_PolicyRule_CopyParam(rule, params->param_test_key);
-        BSLP_PolicyRule_CopyParam(rule, params->param_use_wrapped_key);
+        BSLP_PolicyRule_CopyParam(&rule, params->param_test_key);
+        BSLP_PolicyRule_CopyParam(&rule, params->param_use_wrapped_key);
+
+        BSLP_PolicyProvider_AddRule(policy, &rule, &predicate);
     }
 
     json_decref(root);
@@ -688,44 +676,46 @@ static void mock_bpa_register_policy(const bsl_mock_policy_configuration_t polic
             break;
     }
 
-    BSL_HostEIDPattern_t eid_src_pat;
+    const char *eid_src_pat_str;
     if (policy_ignore)
     {
         BSL_LOG_INFO("Creating src eid pattern to match none - bundle should be ignored!");
-        eid_src_pat = mock_bpa_util_get_eid_pattern_from_text("");
+        eid_src_pat_str = "";
     }
     else
     {
-        eid_src_pat = mock_bpa_util_get_eid_pattern_from_text("*:**");
+        eid_src_pat_str = "*:**";
     }
 
     // Create a rule to verify security block at APP/CLA Ingress
     char policybits_str[100];
     snprintf(policybits_str, 100, "Policy: %x", policy_bits);
-    BSLP_PolicyPredicate_t *predicate_all_in = &policy->predicates[policy->predicate_count++];
-    BSLP_PolicyPredicate_Init(predicate_all_in, policy_loc_enum, eid_src_pat,
-                              mock_bpa_util_get_eid_pattern_from_text("*:**"),
-                              mock_bpa_util_get_eid_pattern_from_text("*:**"));
-    BSLP_PolicyRule_t *rule_all_in = &policy->rules[policy->rule_count++];
-    BSLP_PolicyRule_Init(rule_all_in, policybits_str, predicate_all_in, sec_context, sec_role_enum, sec_block_emum,
-                         bundle_block_enum, policy_action_enum);
+
+    BSLP_PolicyPredicate_t predicate_all_in;
+    BSLP_PolicyPredicate_InitFrom(&predicate_all_in, policy_loc_enum, eid_src_pat_str, "*:**", "*:**");
+
+    BSLP_PolicyRule_t rule_all_in;
+    BSLP_PolicyRule_InitFrom(&rule_all_in, policybits_str, sec_context, sec_role_enum, sec_block_emum,
+                             bundle_block_enum, policy_action_enum);
 
     if (sec_block_emum == BSL_SECBLOCKTYPE_BCB)
     {
-        BSLP_PolicyRule_CopyParam(rule_all_in, params->param_aes_variant);
+        BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_aes_variant);
         if (sec_role_enum == BSL_SECROLE_SOURCE)
         {
-            BSLP_PolicyRule_CopyParam(rule_all_in, params->param_aad_scope_flag);
+            BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_aad_scope_flag);
             BSL_Crypto_SetRngGenerator(mock_bpa_rfc9173_bcb_cek);
         }
     }
     else
     {
-        BSLP_PolicyRule_CopyParam(rule_all_in, params->param_sha_variant);
-        BSLP_PolicyRule_CopyParam(rule_all_in, params->param_integ_scope_flag);
+        BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_sha_variant);
+        BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_integ_scope_flag);
     }
-    BSLP_PolicyRule_CopyParam(rule_all_in, params->param_use_wrapped_key);
-    BSLP_PolicyRule_CopyParam(rule_all_in, params->param_test_key);
+    BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_use_wrapped_key);
+    BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_test_key);
+
+    BSLP_PolicyProvider_AddRule(policy, &rule_all_in, &predicate_all_in);
 }
 
 int mock_bpa_handle_policy_config(const char *policies, BSLP_PolicyProvider_t *policy, mock_bpa_policy_registry_t *reg)