ash-rpc 4.1.5

A comprehensive JSON-RPC 2.0 implementation with multiple transport layers and advanced features
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361

//! Security audit logging for ash-rpc
//!
//! Provides structured, tamper-evident audit logging for security events including
//! authentication, authorization, method invocations, and policy violations.
//!
//! Features: append-only logs, integrity verification, pluggable backends, compliance-ready.

mod backends;
mod integrity;
mod processor;

pub use backends::*;
pub use integrity::*;
pub use processor::*;

use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::net::SocketAddr;
use std::time::SystemTime;

/// A security audit event representing a significant action or decision
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEvent {
    /// Precise timestamp with nanosecond precision
    #[serde(with = "system_time_format")]
    pub timestamp: SystemTime,

    /// Type of audit event
    pub event_type: AuditEventType,

    /// Unique correlation ID spanning the request chain
    pub correlation_id: Option<String>,

    /// Remote address of the client
    pub remote_addr: Option<SocketAddr>,

    /// Principal identifier (user ID, API key, certificate DN, etc.)
    pub principal: Option<String>,

    /// Method or action being performed
    pub method: Option<String>,

    /// Result of the action
    pub result: AuditResult,

    /// Event severity level
    pub severity: AuditSeverity,

    /// Additional context and metadata
    pub metadata: HashMap<String, serde_json::Value>,

    /// Request parameters (sanitized)
    pub params: Option<serde_json::Value>,

    /// Error message if result is Failure or Denied
    pub error: Option<String>,
}

/// Types of security-significant events
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AuditEventType {
    /// Connection established
    ConnectionEstablished,

    /// Connection closed
    ConnectionClosed,

    /// Authentication attempt (login, certificate validation, etc.)
    AuthenticationAttempt,

    /// Authorization check (access control decision)
    AuthorizationCheck,

    /// RPC method invocation
    MethodInvocation,

    /// Error occurred during processing
    ErrorOccurred,

    /// Security policy violation (rate limit, size limit, banned IP, etc.)
    SecurityViolation,

    /// Configuration change (admin action)
    ConfigurationChange,

    /// System administrative action
    AdminAction,
}

/// Result of an audited action
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AuditResult {
    /// Action succeeded
    Success,

    /// Action failed due to error
    Failure,

    /// Action denied by policy
    Denied,

    /// Action resulted in security violation
    Violation,
}

/// Severity level of audit event
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AuditSeverity {
    /// Informational event
    Info,

    /// Warning event
    Warning,

    /// Critical security event
    Critical,
}

impl AuditEvent {
    /// Create a new audit event builder
    #[must_use]
    pub fn builder() -> AuditEventBuilder {
        AuditEventBuilder::default()
    }

    /// Add a metadata entry
    pub fn add_metadata<K: Into<String>, V: Into<serde_json::Value>>(&mut self, key: K, value: V) {
        self.metadata.insert(key.into(), value.into());
    }

    /// Set the correlation ID from a request
    #[must_use]
    pub fn with_correlation_id(mut self, correlation_id: Option<String>) -> Self {
        self.correlation_id = correlation_id;
        self
    }

    /// Set the principal from connection context
    #[must_use]
    pub fn with_principal<S: Into<String>>(mut self, principal: S) -> Self {
        self.principal = Some(principal.into());
        self
    }

    /// Set the remote address
    #[must_use]
    pub fn with_remote_addr(mut self, addr: SocketAddr) -> Self {
        self.remote_addr = Some(addr);
        self
    }
}

/// Builder for creating audit events
#[derive(Debug, Default)]
pub struct AuditEventBuilder {
    event_type: Option<AuditEventType>,
    correlation_id: Option<String>,
    remote_addr: Option<SocketAddr>,
    principal: Option<String>,
    method: Option<String>,
    result: Option<AuditResult>,
    severity: Option<AuditSeverity>,
    metadata: HashMap<String, serde_json::Value>,
    params: Option<serde_json::Value>,
    error: Option<String>,
}

impl AuditEventBuilder {
    /// Set event type
    #[must_use]
    pub fn event_type(mut self, event_type: AuditEventType) -> Self {
        self.event_type = Some(event_type);
        self
    }

    /// Set correlation ID
    #[must_use]
    pub fn correlation_id<S: Into<String>>(mut self, id: S) -> Self {
        self.correlation_id = Some(id.into());
        self
    }

    /// Set remote address
    #[must_use]
    pub fn remote_addr(mut self, addr: SocketAddr) -> Self {
        self.remote_addr = Some(addr);
        self
    }

    /// Set principal
    #[must_use]
    pub fn principal<S: Into<String>>(mut self, principal: S) -> Self {
        self.principal = Some(principal.into());
        self
    }

    /// Set method name
    #[must_use]
    pub fn method<S: Into<String>>(mut self, method: S) -> Self {
        self.method = Some(method.into());
        self
    }

    /// Set result
    #[must_use]
    pub fn result(mut self, result: AuditResult) -> Self {
        self.result = Some(result);
        self
    }

    /// Set severity
    #[must_use]
    pub fn severity(mut self, severity: AuditSeverity) -> Self {
        self.severity = Some(severity);
        self
    }

    /// Add metadata entry
    #[must_use]
    pub fn metadata<K: Into<String>, V: Into<serde_json::Value>>(
        mut self,
        key: K,
        value: V,
    ) -> Self {
        self.metadata.insert(key.into(), value.into());
        self
    }

    /// Set sanitized parameters
    #[must_use]
    pub fn params(mut self, params: serde_json::Value) -> Self {
        self.params = Some(params);
        self
    }

    /// Set error message
    #[must_use]
    pub fn error<S: Into<String>>(mut self, error: S) -> Self {
        self.error = Some(error.into());
        self
    }

    /// Build the audit event
    ///
    /// # Panics
    /// Panics if `event_type` or `result` were not set
    #[must_use]
    #[allow(clippy::panic)]
    pub fn build(self) -> AuditEvent {
        let event_type = self
            .event_type
            .unwrap_or_else(|| panic!("event_type is required for AuditEvent"));
        let result = self
            .result
            .unwrap_or_else(|| panic!("result is required for AuditEvent"));

        // Determine default severity based on result
        let severity = self.severity.unwrap_or(match result {
            AuditResult::Success => AuditSeverity::Info,
            AuditResult::Failure => AuditSeverity::Warning,
            AuditResult::Denied | AuditResult::Violation => AuditSeverity::Critical,
        });

        AuditEvent {
            timestamp: SystemTime::now(),
            event_type,
            correlation_id: self.correlation_id,
            remote_addr: self.remote_addr,
            principal: self.principal,
            method: self.method,
            result,
            severity,
            metadata: self.metadata,
            params: self.params,
            error: self.error,
        }
    }
}

/// Custom serialization for `SystemTime` to include nanosecond precision
mod system_time_format {
    use serde::{Deserialize, Deserializer, Serializer};
    use std::time::{SystemTime, UNIX_EPOCH};

    pub fn serialize<S>(time: &SystemTime, serializer: S) -> Result<S::Ok, S::Error>
    where
        S: Serializer,
    {
        let duration = time
            .duration_since(UNIX_EPOCH)
            .map_err(serde::ser::Error::custom)?;
        #[allow(clippy::arithmetic_side_effects)] // Nanosecond calculation for timestamp
        let nanos = duration.as_secs() * 1_000_000_000 + u64::from(duration.subsec_nanos());
        serializer.serialize_u64(nanos)
    }

    #[allow(clippy::arithmetic_side_effects, clippy::as_conversions)] // Timestamp serialization math
    pub fn deserialize<'de, D>(deserializer: D) -> Result<SystemTime, D::Error>
    where
        D: Deserializer<'de>,
    {
        let nanos = u64::deserialize(deserializer)?;
        let secs = nanos / 1_000_000_000;
        // Safe: modulo operation ensures value < 1_000_000_000, fits in u32
        let subsec_nanos = (nanos % 1_000_000_000) as u32;
        Ok(UNIX_EPOCH + std::time::Duration::new(secs, subsec_nanos))
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_audit_event_builder() {
        let event = AuditEvent::builder()
            .event_type(AuditEventType::AuthenticationAttempt)
            .principal("user@example.com")
            .method("login")
            .result(AuditResult::Success)
            .build();

        assert_eq!(event.event_type, AuditEventType::AuthenticationAttempt);
        assert_eq!(event.principal, Some("user@example.com".to_string()));
        assert_eq!(event.result, AuditResult::Success);
        assert_eq!(event.severity, AuditSeverity::Info);
    }

    #[test]
    fn test_audit_event_serialization() {
        let event = AuditEvent::builder()
            .event_type(AuditEventType::MethodInvocation)
            .principal("test_user")
            .method("get_balance")
            .result(AuditResult::Success)
            .build();

        let json = serde_json::to_string(&event).unwrap();
        assert!(json.contains("method_invocation"));
        assert!(json.contains("test_user"));
        assert!(json.contains("success"));
    }

    #[test]
    fn test_severity_defaults() {
        let success = AuditEvent::builder()
            .event_type(AuditEventType::MethodInvocation)
            .result(AuditResult::Success)
            .build();
        assert_eq!(success.severity, AuditSeverity::Info);

        let denied = AuditEvent::builder()
            .event_type(AuditEventType::AuthorizationCheck)
            .result(AuditResult::Denied)
            .build();
        assert_eq!(denied.severity, AuditSeverity::Critical);
    }
}