hiver-security 0.1.0-alpha.6

Security framework for Hiver Framework. Hiver框架的安全框架。 Equivalent to: Spring Security (@PreAuthorize, @Secured, @RolesAllowed) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314

//! `PreAuthorize` module
//! PreAuthorize模块(@PreAuthorize等价物)

use crate::{Authority, SecurityContext};
use std::future::Future;
use std::pin::Pin;

/// Security expression for @`PreAuthorize`
/// @`PreAuthorize的安全表达式`
///
/// Equivalent to Spring Security's `SpEL` expressions in @`PreAuthorize`.
/// 等价于Spring Security在@PreAuthorize中的SpEL表达式。
///
/// # Spring Equivalent / Spring等价物
///
/// ```java
/// @PreAuthorize("hasRole('ADMIN') and #username == authentication.name")
/// @PreAuthorize("hasAuthority('USER:READ')")
/// @PreAuthorize("#userId == authentication.principal.id")
/// ```
#[derive(Debug, Clone)]
pub enum SecurityExpression {
    /// Has role
    /// 有角色
    HasRole(String),

    /// Has authority/permission
    /// 有权限/许可
    HasAuthority(String),

    /// Is authenticated
    /// 已认证
    IsAuthenticated,

    /// Is anonymous
    /// 是匿名
    IsAnonymous,

    /// Is fully authenticated (not remember-me)
    /// 完全认证(非记住我)
    IsFullyAuthenticated,

    /// Has permission on object
    /// 对对象有许可
    HasPermission(String, String),

    /// Custom expression
    /// 自定义表达式
    Custom(String),
}

impl SecurityExpression {
    /// Evaluate the expression
    /// 评估表达式
    pub async fn evaluate(&self, context: &SecurityContext) -> bool {
        match self {
            SecurityExpression::IsAuthenticated => context.is_authenticated().await,
            SecurityExpression::IsAnonymous => !context.is_authenticated().await,
            SecurityExpression::IsFullyAuthenticated => {
                // For now, same as authenticated
                context.is_authenticated().await
            },
            SecurityExpression::HasRole(role) => {
                let role = crate::Role::from_str(role);
                context.has_role(&role).await
            },
            SecurityExpression::HasAuthority(auth) => {
                let authority = Authority::Permission(auth.clone());
                context.has_authority(&authority).await
            },
            SecurityExpression::HasPermission(target, permission) => {
                let auth = Authority::Permission(format!("{}:{}", target, permission));
                context.has_authority(&auth).await
            },
            SecurityExpression::Custom(expr) => {
                // Custom expressions would need a full expression parser
                // For now, return false
                tracing::warn!("Custom security expression not implemented: {}", expr);
                false
            },
        }
    }

    /// Parse expression from string
    /// 从字符串解析表达式
    pub fn parse(input: &str) -> Vec<Self> {
        let mut expressions = Vec::new();

        // Simple parser for common patterns
        // In a full implementation, this would use a proper expression language

        // Try hasRole with single quotes first, then double quotes
        if input.contains("hasRole(") {
            if let Some(start) = input.find("hasRole('") {
                if let Some(end) = input[start..].find("')") {
                    let role = &input[start + 9..start + end];
                    expressions.push(SecurityExpression::HasRole(role.to_string()));
                }
            } else if let Some(start) = input.find("hasRole(\"")
                && let Some(end) = input[start..].find("\")")
            {
                let role = &input[start + 9..start + end];
                expressions.push(SecurityExpression::HasRole(role.to_string()));
            }
        }

        // Try hasAuthority with single quotes first, then double quotes
        if input.contains("hasAuthority(") {
            if let Some(start) = input.find("hasAuthority('") {
                if let Some(end) = input[start..].find("')") {
                    let auth = &input[start + 14..start + end];
                    expressions.push(SecurityExpression::HasAuthority(auth.to_string()));
                }
            } else if let Some(start) = input.find("hasAuthority(\"")
                && let Some(end) = input[start..].find("\")")
            {
                let auth = &input[start + 14..start + end];
                expressions.push(SecurityExpression::HasAuthority(auth.to_string()));
            }
        }

        if input.contains("isAuthenticated()") {
            expressions.push(SecurityExpression::IsAuthenticated);
        }

        if input.contains("isAnonymous()") {
            expressions.push(SecurityExpression::IsAnonymous);
        }

        if expressions.is_empty() {
            expressions.push(SecurityExpression::Custom(input.to_string()));
        }

        expressions
    }
}

/// `PreAuthorize` trait
/// `PreAuthorize` trait
///
/// Equivalent to Spring's @`PreAuthorize` annotation.
/// 等价于Spring的@PreAuthorize注解。
///
/// # Spring Equivalent / Spring等价物
///
/// ```java
/// @PreAuthorize("hasRole('ADMIN')")
/// public void deleteUser(Long id) { }
///
/// @PreAuthorize("hasAuthority('USER:WRITE') and #userId == authentication.principal.id")
/// public void updateUserProfile(Long userId, Profile profile) { }
/// ```
pub trait PreAuthorize {
    /// Check if access should be granted
    /// 检查是否应授予访问
    fn check_authorization(
        &self,
        context: &SecurityContext,
    ) -> Pin<Box<dyn Future<Output = bool> + Send>>;
}

/// `PreAuthorize` options
/// `PreAuthorize选项`
#[derive(Debug, Clone)]
pub struct PreAuthorizeOptions {
    /// Security expressions
    /// 安全表达式
    pub expressions: Vec<SecurityExpression>,

    /// All expressions must pass (AND logic)
    /// 所有表达式必须通过(AND逻辑)
    pub require_all: bool,
}

impl PreAuthorizeOptions {
    /// Create new options
    /// 创建新选项
    pub fn new() -> Self {
        Self {
            expressions: Vec::new(),
            require_all: true,
        }
    }

    /// Add expression
    /// 添加表达式
    pub fn add_expression(mut self, expr: SecurityExpression) -> Self {
        self.expressions.push(expr);
        self
    }

    /// Parse and add expression string
    /// 解析并添加表达式字符串
    pub fn add_expression_string(mut self, expr: impl Into<String>) -> Self {
        let parsed = SecurityExpression::parse(&expr.into());
        self.expressions.extend(parsed);
        self
    }

    /// Set require all (AND) or require any (OR)
    /// 设置需要全部(AND)或需要任一(OR)
    pub fn require_all(mut self, require_all: bool) -> Self {
        self.require_all = require_all;
        self
    }

    /// Evaluate all expressions
    /// 评估所有表达式
    pub async fn evaluate(&self, context: &SecurityContext) -> bool {
        if self.expressions.is_empty() {
            return true;
        }

        if self.require_all {
            // All must pass
            for expr in &self.expressions {
                if !expr.evaluate(context).await {
                    return false;
                }
            }
            true
        } else {
            // Any can pass
            for expr in &self.expressions {
                if expr.evaluate(context).await {
                    return true;
                }
            }
            false
        }
    }
}

impl Default for PreAuthorizeOptions {
    fn default() -> Self {
        Self::new()
    }
}

/// Helper function to check pre-authorize
/// 检查pre-authorize的助手函数
pub async fn check_pre_authorize(
    context: &SecurityContext,
    expression: &str,
) -> Result<bool, crate::SecurityError> {
    let options = PreAuthorizeOptions::new().add_expression_string(expression);
    Ok(options.evaluate(context).await)
}

/// Common security expressions
/// 常用安全表达式
pub struct Expressions;

impl Expressions {
    /// Has role expression
    /// 有角色表达式
    pub fn has_role(role: impl Into<String>) -> SecurityExpression {
        SecurityExpression::HasRole(role.into())
    }

    /// Has authority expression
    /// 有权限表达式
    pub fn has_authority(auth: impl Into<String>) -> SecurityExpression {
        SecurityExpression::HasAuthority(auth.into())
    }

    /// Is authenticated expression
    /// 已认证表达式
    pub fn is_authenticated() -> SecurityExpression {
        SecurityExpression::IsAuthenticated
    }

    /// Is anonymous expression
    /// 是匿名表达式
    pub fn is_anonymous() -> SecurityExpression {
        SecurityExpression::IsAnonymous
    }

    /// Has permission expression
    /// 有许可表达式
    pub fn has_permission(
        target: impl Into<String>,
        permission: impl Into<String>,
    ) -> SecurityExpression {
        SecurityExpression::HasPermission(target.into(), permission.into())
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_security_expression_parse() {
        let exprs = SecurityExpression::parse("hasRole('ADMIN')");
        assert_eq!(exprs.len(), 1);
        match &exprs[0] {
            SecurityExpression::HasRole(role) => assert_eq!(role, "ADMIN"),
            _ => panic!("Expected HasRole"),
        }
    }

    #[tokio::test]
    async fn test_pre_authorize_options() {
        let context = SecurityContext::new();

        let options = PreAuthorizeOptions::new()
            .add_expression(SecurityExpression::IsAuthenticated)
            .add_expression_string("hasRole('ADMIN')");

        // Should return false because context is empty (no auth)
        assert!(!options.evaluate(&context).await);
    }
}