// nac-multi-jurisdiction/src/isolation.rs // Issue #59: 逻辑隔离层 - 确保不同辖区规则互不干扰 use serde::{Serialize, Deserialize}; use crate::jurisdiction::JurisdictionId; /// 隔离策略级别 #[derive(Debug, Clone, PartialEq, Serialize, Deserialize)] pub enum IsolationLevel { /// 严格隔离:完全独立的执行环境(默认) Strict, /// 受控共享:允许只读数据共享 ControlledSharing, /// 联合模式:辖区间协商后的有限互操作 Federated, } /// 隔离策略 #[derive(Debug, Clone)] pub struct IsolationPolicy { pub level: IsolationLevel, /// 是否强制规则隔离 pub enforce_rule_isolation: bool, /// 是否强制数据隔离 pub enforce_data_isolation: bool, /// 是否强制网络隔离 pub enforce_network_isolation: bool, /// 是否强制存储隔离 pub enforce_storage_isolation: bool, /// 允许的跨辖区数据类型(白名单) pub allowed_cross_data_types: Vec, } impl IsolationPolicy { /// 创建严格隔离策略(推荐默认) pub fn strict() -> Self { IsolationPolicy { level: IsolationLevel::Strict, enforce_rule_isolation: true, enforce_data_isolation: true, enforce_network_isolation: false, // 网络层允许路由 enforce_storage_isolation: true, allowed_cross_data_types: vec![ "ConstitutionalReceipt".to_string(), "BlockHeader".to_string(), ], } } /// 创建受控共享策略 pub fn controlled_sharing() -> Self { IsolationPolicy { level: IsolationLevel::ControlledSharing, enforce_rule_isolation: true, enforce_data_isolation: false, enforce_network_isolation: false, enforce_storage_isolation: false, allowed_cross_data_types: vec![ "ConstitutionalReceipt".to_string(), "BlockHeader".to_string(), "PublicAssetMetadata".to_string(), ], } } pub fn enforces_rule_isolation(&self) -> bool { self.enforce_rule_isolation } pub fn enforces_data_isolation(&self) -> bool { self.enforce_data_isolation } /// 检查数据类型是否允许跨辖区传输 pub fn is_allowed_cross_type(&self, data_type: &str) -> bool { self.allowed_cross_data_types.iter().any(|t| t == data_type) } } /// 隔离违规事件 #[derive(Debug, Clone)] pub struct IsolationViolation { pub source_jurisdiction: JurisdictionId, pub target_jurisdiction: JurisdictionId, pub violation_type: ViolationType, pub data_type: String, pub timestamp: u64, pub severity: ViolationSeverity, } #[derive(Debug, Clone, PartialEq)] pub enum ViolationType { UnauthorizedDataAccess, RuleConflict, NetworkBypass, StorageLeak, } #[derive(Debug, Clone, PartialEq)] pub enum ViolationSeverity { Low, Medium, High, Critical, } /// 隔离层执行器 pub struct IsolationLayer { policies: std::collections::HashMap, violations: Vec, } impl IsolationLayer { pub fn new() -> Self { IsolationLayer { policies: std::collections::HashMap::new(), violations: Vec::new(), } } /// 为辖区设置隔离策略 pub fn set_policy(&mut self, jid: JurisdictionId, policy: IsolationPolicy) { self.policies.insert(jid, policy); } /// 检查跨辖区操作是否合规 pub fn check_cross_operation( &mut self, from: &JurisdictionId, to: &JurisdictionId, data_type: &str, ) -> Result<(), IsolationViolation> { let policy = self.policies.get(from) .cloned() .unwrap_or_else(IsolationPolicy::strict); if policy.enforce_data_isolation && !policy.is_allowed_cross_type(data_type) { let violation = IsolationViolation { source_jurisdiction: from.clone(), target_jurisdiction: to.clone(), violation_type: ViolationType::UnauthorizedDataAccess, data_type: data_type.to_string(), timestamp: 0, severity: ViolationSeverity::High, }; self.violations.push(violation.clone()); return Err(violation); } Ok(()) } /// 获取违规记录 pub fn get_violations(&self) -> &[IsolationViolation] { &self.violations } /// 清除已处理的违规记录 pub fn clear_violations(&mut self) { self.violations.clear(); } } impl Default for IsolationLayer { fn default() -> Self { Self::new() } }