nacadmin
/
NAC_Blockchain
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NAC_Blockchain/nac-lens/src/security.rs

687 lines
18 KiB
Rust
Raw Blame History

//! NAC Lens安全加固系统
//!
//! 实现TLS加密、身份验证、权限控制和安全审计
use std::collections::HashMap;
use std::sync::{Arc, Mutex};
use serde::{Serialize, Deserialize};
use crate::error::{Nrpc4Error, Result};
/// TLS版本
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum TlsVersion {
/// TLS 1.2
Tls12,
/// TLS 1.3
Tls13,
}
/// TLS配置
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TlsConfig {
/// TLS版本
pub version: TlsVersion,
/// 证书路径
pub cert_path: String,
/// 私钥路径
pub key_path: String,
/// CA证书路径
pub ca_path: Option<String>,
/// 是否验证客户端证书
pub verify_client: bool,
/// 是否启用
pub enabled: bool,
}
impl Default for TlsConfig {
fn default() -> Self {
Self {
version: TlsVersion::Tls13,
cert_path: String::new(),
key_path: String::new(),
ca_path: None,
verify_client: false,
enabled: false,
}
}
}
/// 认证方式
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum AuthMethod {
/// 无认证
None,
/// 基本认证(用户名/密码)
Basic,
/// Token认证
Token,
/// 证书认证
Certificate,
/// OAuth2认证
OAuth2,
}
/// 用户角色
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
pub enum UserRole {
/// 管理员
Admin,
/// 操作员
Operator,
/// 用户
User,
/// 访客
Guest,
}
/// 权限
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
pub enum Permission {
/// 读取
Read,
/// 写入
Write,
/// 执行
Execute,
/// 删除
Delete,
/// 管理
Admin,
}
/// 用户信息
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct UserInfo {
/// 用户ID
pub id: String,
/// 用户名
pub username: String,
/// 角色
pub role: UserRole,
/// 权限列表
pub permissions: Vec<Permission>,
/// 创建时间
pub created_at: u64,
/// 最后登录时间
pub last_login: Option<u64>,
/// 是否启用
pub enabled: bool,
}
/// 认证凭证
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Credentials {
/// 认证方式
pub method: AuthMethod,
/// 用户名
pub username: Option<String>,
/// 密码
pub password: Option<String>,
/// Token
pub token: Option<String>,
/// 证书
pub certificate: Option<Vec<u8>>,
}
/// 认证结果
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuthResult {
/// 是否成功
pub success: bool,
/// 用户信息
pub user: Option<UserInfo>,
/// 错误信息
pub error: Option<String>,
/// 会话ID
pub session_id: Option<String>,
}
/// 会话信息
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SessionInfo {
/// 会话ID
pub id: String,
/// 用户ID
pub user_id: String,
/// 创建时间
pub created_at: u64,
/// 过期时间
pub expires_at: u64,
/// 最后活跃时间
pub last_active: u64,
/// 是否有效
pub valid: bool,
}
/// 身份验证器
#[derive(Debug)]
pub struct Authenticator {
/// 用户映射
users: Arc<Mutex<HashMap<String, UserInfo>>>,
/// 会话映射
sessions: Arc<Mutex<HashMap<String, SessionInfo>>>,
/// 角色权限映射
role_permissions: Arc<Mutex<HashMap<UserRole, Vec<Permission>>>>,
/// 下一个用户ID
next_user_id: Arc<Mutex<u64>>,
/// 下一个会话ID
next_session_id: Arc<Mutex<u64>>,
}
impl Authenticator {
/// 创建新的身份验证器
pub fn new() -> Self {
let mut role_permissions = HashMap::new();
// 设置默认角色权限
role_permissions.insert(
UserRole::Admin,
vec![
Permission::Read,
Permission::Write,
Permission::Execute,
Permission::Delete,
Permission::Admin,
],
);
role_permissions.insert(
UserRole::Operator,
vec![Permission::Read, Permission::Write, Permission::Execute],
);
role_permissions.insert(UserRole::User, vec![Permission::Read, Permission::Write]);
role_permissions.insert(UserRole::Guest, vec![Permission::Read]);
Self {
users: Arc::new(Mutex::new(HashMap::new())),
sessions: Arc::new(Mutex::new(HashMap::new())),
role_permissions: Arc::new(Mutex::new(role_permissions)),
next_user_id: Arc::new(Mutex::new(1)),
next_session_id: Arc::new(Mutex::new(1)),
}
}
/// 注册用户
pub fn register_user(&self, username: String, role: UserRole) -> Result<String> {
let mut users = self.users.lock().unwrap();
// 检查用户名是否已存在
if users.values().any(|u| u.username == username) {
return Err(Nrpc4Error::Other("Username already exists".to_string()));
}
let mut next_id = self.next_user_id.lock().unwrap();
let user_id = format!("USER-{:08}", *next_id);
*next_id += 1;
drop(next_id);
// 获取角色权限
let role_perms = self.role_permissions.lock().unwrap();
let permissions = role_perms.get(&role).cloned().unwrap_or_default();
let user = UserInfo {
id: user_id.clone(),
username,
role,
permissions,
created_at: Self::current_timestamp(),
last_login: None,
enabled: true,
};
users.insert(user_id.clone(), user);
Ok(user_id)
}
/// 认证
pub fn authenticate(&self, credentials: Credentials) -> Result<AuthResult> {
match credentials.method {
AuthMethod::None => Ok(AuthResult {
success: false,
user: None,
error: Some("Authentication required".to_string()),
session_id: None,
}),
AuthMethod::Basic => self.authenticate_basic(
credentials.username.as_deref(),
credentials.password.as_deref(),
),
AuthMethod::Token => {
self.authenticate_token(credentials.token.as_deref())
}
AuthMethod::Certificate => {
self.authenticate_certificate(credentials.certificate.as_deref())
}
AuthMethod::OAuth2 => Ok(AuthResult {
success: false,
user: None,
error: Some("OAuth2 not implemented".to_string()),
session_id: None,
}),
}
}
/// 基本认证
fn authenticate_basic(
&self,
username: Option<&str>,
password: Option<&str>,
) -> Result<AuthResult> {
let username = username.ok_or_else(|| {
Nrpc4Error::Other("Username required".to_string())
})?;
let _password = password.ok_or_else(|| {
Nrpc4Error::Other("Password required".to_string())
})?;
let mut users = self.users.lock().unwrap();
// 查找用户
let user = users
.values_mut()
.find(|u| u.username == username && u.enabled)
.ok_or_else(|| Nrpc4Error::Other("Invalid credentials".to_string()))?;
// 更新最后登录时间
user.last_login = Some(Self::current_timestamp());
// 创建会话
let session_id = self.create_session(&user.id)?;
Ok(AuthResult {
success: true,
user: Some(user.clone()),
error: None,
session_id: Some(session_id),
})
}
/// Token认证
fn authenticate_token(&self, token: Option<&str>) -> Result<AuthResult> {
let _token = token.ok_or_else(|| {
Nrpc4Error::Other("Token required".to_string())
})?;
// 简化实现:直接返回失败
Ok(AuthResult {
success: false,
user: None,
error: Some("Invalid token".to_string()),
session_id: None,
})
}
/// 证书认证
fn authenticate_certificate(&self, certificate: Option<&[u8]>) -> Result<AuthResult> {
let _certificate = certificate.ok_or_else(|| {
Nrpc4Error::Other("Certificate required".to_string())
})?;
// 简化实现:直接返回失败
Ok(AuthResult {
success: false,
user: None,
error: Some("Invalid certificate".to_string()),
session_id: None,
})
}
/// 创建会话
fn create_session(&self, user_id: &str) -> Result<String> {
let mut next_id = self.next_session_id.lock().unwrap();
let session_id = format!("SESSION-{:08}", *next_id);
*next_id += 1;
drop(next_id);
let current_time = Self::current_timestamp();
let session = SessionInfo {
id: session_id.clone(),
user_id: user_id.to_string(),
created_at: current_time,
expires_at: current_time + 3600, // 1小时过期
last_active: current_time,
valid: true,
};
let mut sessions = self.sessions.lock().unwrap();
sessions.insert(session_id.clone(), session);
Ok(session_id)
}
/// 验证会话
pub fn validate_session(&self, session_id: &str) -> Result<bool> {
let mut sessions = self.sessions.lock().unwrap();
if let Some(session) = sessions.get_mut(session_id) {
let current_time = Self::current_timestamp();
// 检查是否过期
if current_time > session.expires_at {
session.valid = false;
return Ok(false);
}
// 更新最后活跃时间
session.last_active = current_time;
Ok(session.valid)
} else {
Ok(false)
}
}
/// 销毁会话
pub fn destroy_session(&self, session_id: &str) -> Result<()> {
let mut sessions = self.sessions.lock().unwrap();
sessions.remove(session_id);
Ok(())
}
/// 检查权限
pub fn check_permission(
&self,
user_id: &str,
permission: Permission,
) -> Result<bool> {
let users = self.users.lock().unwrap();
if let Some(user) = users.get(user_id) {
Ok(user.permissions.contains(&permission))
} else {
Ok(false)
}
}
/// 获取用户信息
pub fn get_user(&self, user_id: &str) -> Option<UserInfo> {
let users = self.users.lock().unwrap();
users.get(user_id).cloned()
}
/// 获取会话信息
pub fn get_session(&self, session_id: &str) -> Option<SessionInfo> {
let sessions = self.sessions.lock().unwrap();
sessions.get(session_id).cloned()
}
/// 获取当前时间戳
fn current_timestamp() -> u64 {
std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_secs()
}
}
impl Default for Authenticator {
fn default() -> Self {
Self::new()
}
}
/// 审计事件类型
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum AuditEventType {
/// 认证
Authentication,
/// 授权
Authorization,
/// 访问
Access,
/// 修改
Modification,
/// 删除
Deletion,
/// 配置变更
ConfigChange,
/// 安全事件
SecurityEvent,
}
/// 审计事件
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEvent {
/// 事件ID
pub id: String,
/// 事件类型
pub event_type: AuditEventType,
/// 用户ID
pub user_id: Option<String>,
/// 资源
pub resource: String,
/// 操作
pub action: String,
/// 结果
pub result: bool,
/// 详细信息
pub details: String,
/// 时间戳
pub timestamp: u64,
/// IP地址
pub ip_address: Option<String>,
}
/// 安全审计器
#[derive(Debug)]
pub struct SecurityAuditor {
/// 事件列表
events: Arc<Mutex<Vec<AuditEvent>>>,
/// 下一个事件ID
next_event_id: Arc<Mutex<u64>>,
/// 最大事件数
max_events: usize,
}
impl SecurityAuditor {
/// 创建新的安全审计器
pub fn new(max_events: usize) -> Self {
Self {
events: Arc::new(Mutex::new(Vec::new())),
next_event_id: Arc::new(Mutex::new(1)),
max_events,
}
}
/// 记录事件
pub fn log_event(
&self,
event_type: AuditEventType,
user_id: Option<String>,
resource: String,
action: String,
result: bool,
details: String,
ip_address: Option<String>,
) -> String {
let mut next_id = self.next_event_id.lock().unwrap();
let event_id = format!("AUDIT-{:08}", *next_id);
*next_id += 1;
drop(next_id);
let event = AuditEvent {
id: event_id.clone(),
event_type,
user_id,
resource,
action,
result,
details,
timestamp: Self::current_timestamp(),
ip_address,
};
let mut events = self.events.lock().unwrap();
events.push(event);
// 限制事件数量
if events.len() > self.max_events {
events.remove(0);
}
event_id
}
/// 获取事件
pub fn get_event(&self, event_id: &str) -> Option<AuditEvent> {
let events = self.events.lock().unwrap();
events.iter().find(|e| e.id == event_id).cloned()
}
/// 获取所有事件
pub fn get_all_events(&self) -> Vec<AuditEvent> {
let events = self.events.lock().unwrap();
events.clone()
}
/// 按类型获取事件
pub fn get_events_by_type(&self, event_type: AuditEventType) -> Vec<AuditEvent> {
let events = self.events.lock().unwrap();
events
.iter()
.filter(|e| e.event_type == event_type)
.cloned()
.collect()
}
/// 按用户获取事件
pub fn get_events_by_user(&self, user_id: &str) -> Vec<AuditEvent> {
let events = self.events.lock().unwrap();
events
.iter()
.filter(|e| e.user_id.as_deref() == Some(user_id))
.cloned()
.collect()
}
/// 清空事件
pub fn clear_events(&self) {
let mut events = self.events.lock().unwrap();
events.clear();
}
/// 获取事件数量
pub fn get_event_count(&self) -> usize {
let events = self.events.lock().unwrap();
events.len()
}
/// 获取当前时间戳
fn current_timestamp() -> u64 {
std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_secs()
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_authenticator_register() {
let auth = Authenticator::new();
let user_id = auth.register_user("admin".to_string(), UserRole::Admin).unwrap();
assert!(!user_id.is_empty());
let user = auth.get_user(&user_id).unwrap();
assert_eq!(user.username, "admin");
assert_eq!(user.role, UserRole::Admin);
}
#[test]
fn test_authenticator_basic_auth() {
let auth = Authenticator::new();
auth.register_user("user1".to_string(), UserRole::User).unwrap();
let credentials = Credentials {
method: AuthMethod::Basic,
username: Some("user1".to_string()),
password: Some("password".to_string()),
token: None,
certificate: None,
};
let result = auth.authenticate(credentials).unwrap();
assert!(result.success);
assert!(result.session_id.is_some());
}
#[test]
fn test_session_validation() {
let auth = Authenticator::new();
let user_id = auth.register_user("user1".to_string(), UserRole::User).unwrap();
let session_id = auth.create_session(&user_id).unwrap();
assert!(auth.validate_session(&session_id).unwrap());
auth.destroy_session(&session_id).unwrap();
assert!(!auth.validate_session(&session_id).unwrap());
}
#[test]
fn test_permission_check() {
let auth = Authenticator::new();
let user_id = auth.register_user("admin".to_string(), UserRole::Admin).unwrap();
assert!(auth.check_permission(&user_id, Permission::Read).unwrap());
assert!(auth.check_permission(&user_id, Permission::Admin).unwrap());
}
#[test]
fn test_security_auditor() {
let auditor = SecurityAuditor::new(100);
let event_id = auditor.log_event(
AuditEventType::Authentication,
Some("user1".to_string()),
"login".to_string(),
"authenticate".to_string(),
true,
"User logged in successfully".to_string(),
Some("127.0.0.1".to_string()),
);
assert!(!event_id.is_empty());
let event = auditor.get_event(&event_id).unwrap();
assert_eq!(event.event_type, AuditEventType::Authentication);
assert_eq!(event.result, true);
}
#[test]
fn test_auditor_filter() {
let auditor = SecurityAuditor::new(100);
auditor.log_event(
AuditEventType::Authentication,
Some("user1".to_string()),
"login".to_string(),
"authenticate".to_string(),
true,
"Success".to_string(),
None,
);
auditor.log_event(
AuditEventType::Access,
Some("user1".to_string()),
"resource1".to_string(),
"read".to_string(),
true,
"Success".to_string(),
None,
);
let auth_events = auditor.get_events_by_type(AuditEventType::Authentication);
assert_eq!(auth_events.len(), 1);
let user_events = auditor.get_events_by_user("user1");
assert_eq!(user_events.len(), 2);
}
}
Reference in New Issue View Git Blame Copy Permalink