//! NAC Lens安全加固系统 //! //! 实现TLS加密、身份验证、权限控制和安全审计 use std::collections::HashMap; use std::sync::{Arc, Mutex}; use serde::{Serialize, Deserialize}; use crate::error::{Nrpc4Error, Result}; /// TLS版本 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)] pub enum TlsVersion { /// TLS 1.2 Tls12, /// TLS 1.3 Tls13, } /// TLS配置 #[derive(Debug, Clone, Serialize, Deserialize)] pub struct TlsConfig { /// TLS版本 pub version: TlsVersion, /// 证书路径 pub cert_path: String, /// 私钥路径 pub key_path: String, /// CA证书路径 pub ca_path: Option, /// 是否验证客户端证书 pub verify_client: bool, /// 是否启用 pub enabled: bool, } impl Default for TlsConfig { fn default() -> Self { Self { version: TlsVersion::Tls13, cert_path: String::new(), key_path: String::new(), ca_path: None, verify_client: false, enabled: false, } } } /// 认证方式 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)] pub enum AuthMethod { /// 无认证 None, /// 基本认证(用户名/密码) Basic, /// Token认证 Token, /// 证书认证 Certificate, /// OAuth2认证 OAuth2, } /// 用户角色 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)] pub enum UserRole { /// 管理员 Admin, /// 操作员 Operator, /// 用户 User, /// 访客 Guest, } /// 权限 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)] pub enum Permission { /// 读取 Read, /// 写入 Write, /// 执行 Execute, /// 删除 Delete, /// 管理 Admin, } /// 用户信息 #[derive(Debug, Clone, Serialize, Deserialize)] pub struct UserInfo { /// 用户ID pub id: String, /// 用户名 pub username: String, /// 角色 pub role: UserRole, /// 权限列表 pub permissions: Vec, /// 创建时间 pub created_at: u64, /// 最后登录时间 pub last_login: Option, /// 是否启用 pub enabled: bool, } /// 认证凭证 #[derive(Debug, Clone, Serialize, Deserialize)] pub struct Credentials { /// 认证方式 pub method: AuthMethod, /// 用户名 pub username: Option, /// 密码 pub password: Option, /// Token pub token: Option, /// 证书 pub certificate: Option>, } /// 认证结果 #[derive(Debug, Clone, Serialize, Deserialize)] pub struct AuthResult { /// 是否成功 pub success: bool, /// 用户信息 pub user: Option, /// 错误信息 pub error: Option, /// 会话ID pub session_id: Option, } /// 会话信息 #[derive(Debug, Clone, Serialize, Deserialize)] pub struct SessionInfo { /// 会话ID pub id: String, /// 用户ID pub user_id: String, /// 创建时间 pub created_at: u64, /// 过期时间 pub expires_at: u64, /// 最后活跃时间 pub last_active: u64, /// 是否有效 pub valid: bool, } /// 身份验证器 #[derive(Debug)] pub struct Authenticator { /// 用户映射 users: Arc>>, /// 会话映射 sessions: Arc>>, /// 角色权限映射 role_permissions: Arc>>>, /// 下一个用户ID next_user_id: Arc>, /// 下一个会话ID next_session_id: Arc>, } impl Authenticator { /// 创建新的身份验证器 pub fn new() -> Self { let mut role_permissions = HashMap::new(); // 设置默认角色权限 role_permissions.insert( UserRole::Admin, vec![ Permission::Read, Permission::Write, Permission::Execute, Permission::Delete, Permission::Admin, ], ); role_permissions.insert( UserRole::Operator, vec![Permission::Read, Permission::Write, Permission::Execute], ); role_permissions.insert(UserRole::User, vec![Permission::Read, Permission::Write]); role_permissions.insert(UserRole::Guest, vec![Permission::Read]); Self { users: Arc::new(Mutex::new(HashMap::new())), sessions: Arc::new(Mutex::new(HashMap::new())), role_permissions: Arc::new(Mutex::new(role_permissions)), next_user_id: Arc::new(Mutex::new(1)), next_session_id: Arc::new(Mutex::new(1)), } } /// 注册用户 pub fn register_user(&self, username: String, role: UserRole) -> Result { let mut users = self.users.lock().unwrap(); // 检查用户名是否已存在 if users.values().any(|u| u.username == username) { return Err(Nrpc4Error::Other("Username already exists".to_string())); } let mut next_id = self.next_user_id.lock().unwrap(); let user_id = format!("USER-{:08}", *next_id); *next_id += 1; drop(next_id); // 获取角色权限 let role_perms = self.role_permissions.lock().unwrap(); let permissions = role_perms.get(&role).cloned().unwrap_or_default(); let user = UserInfo { id: user_id.clone(), username, role, permissions, created_at: Self::current_timestamp(), last_login: None, enabled: true, }; users.insert(user_id.clone(), user); Ok(user_id) } /// 认证 pub fn authenticate(&self, credentials: Credentials) -> Result { match credentials.method { AuthMethod::None => Ok(AuthResult { success: false, user: None, error: Some("Authentication required".to_string()), session_id: None, }), AuthMethod::Basic => self.authenticate_basic( credentials.username.as_deref(), credentials.password.as_deref(), ), AuthMethod::Token => { self.authenticate_token(credentials.token.as_deref()) } AuthMethod::Certificate => { self.authenticate_certificate(credentials.certificate.as_deref()) } AuthMethod::OAuth2 => Ok(AuthResult { success: false, user: None, error: Some("OAuth2 not implemented".to_string()), session_id: None, }), } } /// 基本认证 fn authenticate_basic( &self, username: Option<&str>, password: Option<&str>, ) -> Result { let username = username.ok_or_else(|| { Nrpc4Error::Other("Username required".to_string()) })?; let _password = password.ok_or_else(|| { Nrpc4Error::Other("Password required".to_string()) })?; let mut users = self.users.lock().unwrap(); // 查找用户 let user = users .values_mut() .find(|u| u.username == username && u.enabled) .ok_or_else(|| Nrpc4Error::Other("Invalid credentials".to_string()))?; // 更新最后登录时间 user.last_login = Some(Self::current_timestamp()); // 创建会话 let session_id = self.create_session(&user.id)?; Ok(AuthResult { success: true, user: Some(user.clone()), error: None, session_id: Some(session_id), }) } /// Token认证 fn authenticate_token(&self, token: Option<&str>) -> Result { let _token = token.ok_or_else(|| { Nrpc4Error::Other("Token required".to_string()) })?; // 简化实现:直接返回失败 Ok(AuthResult { success: false, user: None, error: Some("Invalid token".to_string()), session_id: None, }) } /// 证书认证 fn authenticate_certificate(&self, certificate: Option<&[u8]>) -> Result { let _certificate = certificate.ok_or_else(|| { Nrpc4Error::Other("Certificate required".to_string()) })?; // 简化实现:直接返回失败 Ok(AuthResult { success: false, user: None, error: Some("Invalid certificate".to_string()), session_id: None, }) } /// 创建会话 fn create_session(&self, user_id: &str) -> Result { let mut next_id = self.next_session_id.lock().unwrap(); let session_id = format!("SESSION-{:08}", *next_id); *next_id += 1; drop(next_id); let current_time = Self::current_timestamp(); let session = SessionInfo { id: session_id.clone(), user_id: user_id.to_string(), created_at: current_time, expires_at: current_time + 3600, // 1小时过期 last_active: current_time, valid: true, }; let mut sessions = self.sessions.lock().unwrap(); sessions.insert(session_id.clone(), session); Ok(session_id) } /// 验证会话 pub fn validate_session(&self, session_id: &str) -> Result { let mut sessions = self.sessions.lock().unwrap(); if let Some(session) = sessions.get_mut(session_id) { let current_time = Self::current_timestamp(); // 检查是否过期 if current_time > session.expires_at { session.valid = false; return Ok(false); } // 更新最后活跃时间 session.last_active = current_time; Ok(session.valid) } else { Ok(false) } } /// 销毁会话 pub fn destroy_session(&self, session_id: &str) -> Result<()> { let mut sessions = self.sessions.lock().unwrap(); sessions.remove(session_id); Ok(()) } /// 检查权限 pub fn check_permission( &self, user_id: &str, permission: Permission, ) -> Result { let users = self.users.lock().unwrap(); if let Some(user) = users.get(user_id) { Ok(user.permissions.contains(&permission)) } else { Ok(false) } } /// 获取用户信息 pub fn get_user(&self, user_id: &str) -> Option { let users = self.users.lock().unwrap(); users.get(user_id).cloned() } /// 获取会话信息 pub fn get_session(&self, session_id: &str) -> Option { let sessions = self.sessions.lock().unwrap(); sessions.get(session_id).cloned() } /// 获取当前时间戳 fn current_timestamp() -> u64 { std::time::SystemTime::now() .duration_since(std::time::UNIX_EPOCH) .unwrap() .as_secs() } } impl Default for Authenticator { fn default() -> Self { Self::new() } } /// 审计事件类型 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)] pub enum AuditEventType { /// 认证 Authentication, /// 授权 Authorization, /// 访问 Access, /// 修改 Modification, /// 删除 Deletion, /// 配置变更 ConfigChange, /// 安全事件 SecurityEvent, } /// 审计事件 #[derive(Debug, Clone, Serialize, Deserialize)] pub struct AuditEvent { /// 事件ID pub id: String, /// 事件类型 pub event_type: AuditEventType, /// 用户ID pub user_id: Option, /// 资源 pub resource: String, /// 操作 pub action: String, /// 结果 pub result: bool, /// 详细信息 pub details: String, /// 时间戳 pub timestamp: u64, /// IP地址 pub ip_address: Option, } /// 安全审计器 #[derive(Debug)] pub struct SecurityAuditor { /// 事件列表 events: Arc>>, /// 下一个事件ID next_event_id: Arc>, /// 最大事件数 max_events: usize, } impl SecurityAuditor { /// 创建新的安全审计器 pub fn new(max_events: usize) -> Self { Self { events: Arc::new(Mutex::new(Vec::new())), next_event_id: Arc::new(Mutex::new(1)), max_events, } } /// 记录事件 pub fn log_event( &self, event_type: AuditEventType, user_id: Option, resource: String, action: String, result: bool, details: String, ip_address: Option, ) -> String { let mut next_id = self.next_event_id.lock().unwrap(); let event_id = format!("AUDIT-{:08}", *next_id); *next_id += 1; drop(next_id); let event = AuditEvent { id: event_id.clone(), event_type, user_id, resource, action, result, details, timestamp: Self::current_timestamp(), ip_address, }; let mut events = self.events.lock().unwrap(); events.push(event); // 限制事件数量 if events.len() > self.max_events { events.remove(0); } event_id } /// 获取事件 pub fn get_event(&self, event_id: &str) -> Option { let events = self.events.lock().unwrap(); events.iter().find(|e| e.id == event_id).cloned() } /// 获取所有事件 pub fn get_all_events(&self) -> Vec { let events = self.events.lock().unwrap(); events.clone() } /// 按类型获取事件 pub fn get_events_by_type(&self, event_type: AuditEventType) -> Vec { let events = self.events.lock().unwrap(); events .iter() .filter(|e| e.event_type == event_type) .cloned() .collect() } /// 按用户获取事件 pub fn get_events_by_user(&self, user_id: &str) -> Vec { let events = self.events.lock().unwrap(); events .iter() .filter(|e| e.user_id.as_deref() == Some(user_id)) .cloned() .collect() } /// 清空事件 pub fn clear_events(&self) { let mut events = self.events.lock().unwrap(); events.clear(); } /// 获取事件数量 pub fn get_event_count(&self) -> usize { let events = self.events.lock().unwrap(); events.len() } /// 获取当前时间戳 fn current_timestamp() -> u64 { std::time::SystemTime::now() .duration_since(std::time::UNIX_EPOCH) .unwrap() .as_secs() } } #[cfg(test)] mod tests { use super::*; #[test] fn test_authenticator_register() { let auth = Authenticator::new(); let user_id = auth.register_user("admin".to_string(), UserRole::Admin).unwrap(); assert!(!user_id.is_empty()); let user = auth.get_user(&user_id).unwrap(); assert_eq!(user.username, "admin"); assert_eq!(user.role, UserRole::Admin); } #[test] fn test_authenticator_basic_auth() { let auth = Authenticator::new(); auth.register_user("user1".to_string(), UserRole::User).unwrap(); let credentials = Credentials { method: AuthMethod::Basic, username: Some("user1".to_string()), password: Some("password".to_string()), token: None, certificate: None, }; let result = auth.authenticate(credentials).unwrap(); assert!(result.success); assert!(result.session_id.is_some()); } #[test] fn test_session_validation() { let auth = Authenticator::new(); let user_id = auth.register_user("user1".to_string(), UserRole::User).unwrap(); let session_id = auth.create_session(&user_id).unwrap(); assert!(auth.validate_session(&session_id).unwrap()); auth.destroy_session(&session_id).unwrap(); assert!(!auth.validate_session(&session_id).unwrap()); } #[test] fn test_permission_check() { let auth = Authenticator::new(); let user_id = auth.register_user("admin".to_string(), UserRole::Admin).unwrap(); assert!(auth.check_permission(&user_id, Permission::Read).unwrap()); assert!(auth.check_permission(&user_id, Permission::Admin).unwrap()); } #[test] fn test_security_auditor() { let auditor = SecurityAuditor::new(100); let event_id = auditor.log_event( AuditEventType::Authentication, Some("user1".to_string()), "login".to_string(), "authenticate".to_string(), true, "User logged in successfully".to_string(), Some("127.0.0.1".to_string()), ); assert!(!event_id.is_empty()); let event = auditor.get_event(&event_id).unwrap(); assert_eq!(event.event_type, AuditEventType::Authentication); assert_eq!(event.result, true); } #[test] fn test_auditor_filter() { let auditor = SecurityAuditor::new(100); auditor.log_event( AuditEventType::Authentication, Some("user1".to_string()), "login".to_string(), "authenticate".to_string(), true, "Success".to_string(), None, ); auditor.log_event( AuditEventType::Access, Some("user1".to_string()), "resource1".to_string(), "read".to_string(), true, "Success".to_string(), None, ); let auth_events = auditor.get_events_by_type(AuditEventType::Authentication); assert_eq!(auth_events.len(), 1); let user_events = auditor.get_events_by_user("user1"); assert_eq!(user_events.len(), 2); } }