nacadmin
/
NAC_Blockchain
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NAC_Blockchain/nac-multi-jurisdiction/src/isolation.rs

168 lines
4.7 KiB
Rust
Raw Blame History

// nac-multi-jurisdiction/src/isolation.rs
// Issue #59: 逻辑隔离层 - 确保不同辖区规则互不干扰
use serde::{Serialize, Deserialize};
use crate::jurisdiction::JurisdictionId;
/// 隔离策略级别
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub enum IsolationLevel {
/// 严格隔离:完全独立的执行环境(默认)
Strict,
/// 受控共享:允许只读数据共享
ControlledSharing,
/// 联合模式:辖区间协商后的有限互操作
Federated,
}
/// 隔离策略
#[derive(Debug, Clone)]
pub struct IsolationPolicy {
pub level: IsolationLevel,
/// 是否强制规则隔离
pub enforce_rule_isolation: bool,
/// 是否强制数据隔离
pub enforce_data_isolation: bool,
/// 是否强制网络隔离
pub enforce_network_isolation: bool,
/// 是否强制存储隔离
pub enforce_storage_isolation: bool,
/// 允许的跨辖区数据类型(白名单)
pub allowed_cross_data_types: Vec<String>,
}
impl IsolationPolicy {
/// 创建严格隔离策略(推荐默认)
pub fn strict() -> Self {
IsolationPolicy {
level: IsolationLevel::Strict,
enforce_rule_isolation: true,
enforce_data_isolation: true,
enforce_network_isolation: false, // 网络层允许路由
enforce_storage_isolation: true,
allowed_cross_data_types: vec![
"ConstitutionalReceipt".to_string(),
"BlockHeader".to_string(),
],
}
}
/// 创建受控共享策略
pub fn controlled_sharing() -> Self {
IsolationPolicy {
level: IsolationLevel::ControlledSharing,
enforce_rule_isolation: true,
enforce_data_isolation: false,
enforce_network_isolation: false,
enforce_storage_isolation: false,
allowed_cross_data_types: vec![
"ConstitutionalReceipt".to_string(),
"BlockHeader".to_string(),
"PublicAssetMetadata".to_string(),
],
}
}
pub fn enforces_rule_isolation(&self) -> bool {
self.enforce_rule_isolation
}
pub fn enforces_data_isolation(&self) -> bool {
self.enforce_data_isolation
}
/// 检查数据类型是否允许跨辖区传输
pub fn is_allowed_cross_type(&self, data_type: &str) -> bool {
self.allowed_cross_data_types.iter().any(|t| t == data_type)
}
}
/// 隔离违规事件
#[derive(Debug, Clone)]
pub struct IsolationViolation {
pub source_jurisdiction: JurisdictionId,
pub target_jurisdiction: JurisdictionId,
pub violation_type: ViolationType,
pub data_type: String,
pub timestamp: u64,
pub severity: ViolationSeverity,
}
#[derive(Debug, Clone, PartialEq)]
pub enum ViolationType {
UnauthorizedDataAccess,
RuleConflict,
NetworkBypass,
StorageLeak,
}
#[derive(Debug, Clone, PartialEq)]
pub enum ViolationSeverity {
Low,
Medium,
High,
Critical,
}
/// 隔离层执行器
pub struct IsolationLayer {
policies: std::collections::HashMap<JurisdictionId, IsolationPolicy>,
violations: Vec<IsolationViolation>,
}
impl IsolationLayer {
pub fn new() -> Self {
IsolationLayer {
policies: std::collections::HashMap::new(),
violations: Vec::new(),
}
}
/// 为辖区设置隔离策略
pub fn set_policy(&mut self, jid: JurisdictionId, policy: IsolationPolicy) {
self.policies.insert(jid, policy);
}
/// 检查跨辖区操作是否合规
pub fn check_cross_operation(
&mut self,
from: &JurisdictionId,
to: &JurisdictionId,
data_type: &str,
) -> Result<(), IsolationViolation> {
let policy = self.policies.get(from)
.cloned()
.unwrap_or_else(IsolationPolicy::strict);
if policy.enforce_data_isolation && !policy.is_allowed_cross_type(data_type) {
let violation = IsolationViolation {
source_jurisdiction: from.clone(),
target_jurisdiction: to.clone(),
violation_type: ViolationType::UnauthorizedDataAccess,
data_type: data_type.to_string(),
timestamp: 0,
severity: ViolationSeverity::High,
};
self.violations.push(violation.clone());
return Err(violation);
}
Ok(())
}
/// 获取违规记录
pub fn get_violations(&self) -> &[IsolationViolation] {
&self.violations
}
/// 清除已处理的违规记录
pub fn clear_violations(&mut self) {
self.violations.clear();
}
}
impl Default for IsolationLayer {
fn default() -> Self {
Self::new()
}
}
Reference in New Issue View Git Blame Copy Permalink