hyperstack-auth 0.2.2

Authentication and authorization utilities for Hyperstack
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273

use serde::{Deserialize, Serialize};
use std::net::SocketAddr;
use std::time::SystemTime;

/// Security audit event severity levels
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum AuditSeverity {
    /// Informational - normal operations
    Info,
    /// Warning - suspicious but not necessarily malicious
    Warning,
    /// Critical - potential security incident
    Critical,
}

impl std::fmt::Display for AuditSeverity {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            AuditSeverity::Info => write!(f, "info"),
            AuditSeverity::Warning => write!(f, "warning"),
            AuditSeverity::Critical => write!(f, "critical"),
        }
    }
}

/// Security audit event types
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "event_type", rename_all = "snake_case")]
pub enum AuditEvent {
    /// Authentication attempt (success or failure)
    AuthAttempt {
        success: bool,
        reason: Option<String>,
        error_code: Option<String>,
    },
    /// Token minted
    TokenMinted {
        key_id: String,
        key_class: String,
        ttl_seconds: u64,
    },
    /// Suspicious pattern detected
    SuspiciousPattern {
        pattern_type: String,
        details: String,
    },
    /// Rate limit exceeded
    RateLimitExceeded {
        limit_type: String,
        current_count: u32,
        limit: u32,
    },
    /// Origin validation failure
    OriginValidationFailed {
        expected: Option<String>,
        actual: Option<String>,
    },
    /// Key rotation event
    KeyRotation {
        old_key_id: Option<String>,
        new_key_id: String,
    },
}

/// Security audit event
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SecurityAuditEvent {
    /// Unique event ID
    pub event_id: String,
    /// Timestamp when event occurred
    pub timestamp_ms: u64,
    /// Event severity
    pub severity: AuditSeverity,
    /// Event type with details
    pub event: AuditEvent,
    /// Client IP address
    pub client_ip: Option<String>,
    /// Client origin
    pub origin: Option<String>,
    /// User agent string
    pub user_agent: Option<String>,
    /// Request path
    pub path: Option<String>,
    /// Deployment ID if applicable
    pub deployment_id: Option<String>,
    /// Subject identifier if authenticated
    pub subject: Option<String>,
    /// Metering key if available
    pub metering_key: Option<String>,
}

impl SecurityAuditEvent {
    /// Create a new security audit event
    pub fn new(severity: AuditSeverity, event: AuditEvent) -> Self {
        Self {
            event_id: uuid::Uuid::new_v4().to_string(),
            timestamp_ms: SystemTime::now()
                .duration_since(SystemTime::UNIX_EPOCH)
                .unwrap_or_default()
                .as_millis() as u64,
            severity,
            event,
            client_ip: None,
            origin: None,
            user_agent: None,
            path: None,
            deployment_id: None,
            subject: None,
            metering_key: None,
        }
    }

    /// Add client IP address
    pub fn with_client_ip(mut self, ip: SocketAddr) -> Self {
        self.client_ip = Some(ip.ip().to_string());
        self
    }

    /// Add origin
    pub fn with_origin(mut self, origin: impl Into<String>) -> Self {
        self.origin = Some(origin.into());
        self
    }

    /// Add user agent
    pub fn with_user_agent(mut self, user_agent: impl Into<String>) -> Self {
        self.user_agent = Some(user_agent.into());
        self
    }

    /// Add request path
    pub fn with_path(mut self, path: impl Into<String>) -> Self {
        self.path = Some(path.into());
        self
    }

    /// Add deployment ID
    pub fn with_deployment_id(mut self, deployment_id: impl Into<String>) -> Self {
        self.deployment_id = Some(deployment_id.into());
        self
    }

    /// Add subject
    pub fn with_subject(mut self, subject: impl Into<String>) -> Self {
        self.subject = Some(subject.into());
        self
    }

    /// Add metering key
    pub fn with_metering_key(mut self, metering_key: impl Into<String>) -> Self {
        self.metering_key = Some(metering_key.into());
        self
    }
}

/// Trait for security audit loggers
#[async_trait::async_trait]
pub trait SecurityAuditLogger: Send + Sync {
    /// Log a security audit event
    async fn log(&self, event: SecurityAuditEvent);
}

/// No-op audit logger for development/testing
pub struct NoOpAuditLogger;

#[async_trait::async_trait]
impl SecurityAuditLogger for NoOpAuditLogger {
    async fn log(&self, _event: SecurityAuditEvent) {
        // No-op
    }
}

/// Channel-based audit logger for async event streaming
pub struct ChannelAuditLogger {
    sender: tokio::sync::mpsc::UnboundedSender<SecurityAuditEvent>,
}

impl ChannelAuditLogger {
    /// Create a new channel audit logger
    pub fn new() -> (
        Self,
        tokio::sync::mpsc::UnboundedReceiver<SecurityAuditEvent>,
    ) {
        let (sender, receiver) = tokio::sync::mpsc::unbounded_channel();
        (Self { sender }, receiver)
    }
}

#[async_trait::async_trait]
impl SecurityAuditLogger for ChannelAuditLogger {
    async fn log(&self, event: SecurityAuditEvent) {
        let _ = self.sender.send(event);
    }
}

/// Helper function to create an auth failure audit event
pub fn auth_failure_event(error_code: &crate::AuthErrorCode, reason: &str) -> SecurityAuditEvent {
    SecurityAuditEvent::new(
        AuditSeverity::Warning,
        AuditEvent::AuthAttempt {
            success: false,
            reason: Some(reason.to_string()),
            error_code: Some(error_code.to_string()),
        },
    )
}

/// Helper function to create an auth success audit event
pub fn auth_success_event(subject: &str) -> SecurityAuditEvent {
    SecurityAuditEvent::new(
        AuditSeverity::Info,
        AuditEvent::AuthAttempt {
            success: true,
            reason: None,
            error_code: None,
        },
    )
    .with_subject(subject)
}

/// Helper function to create a rate limit exceeded audit event
pub fn rate_limit_event(limit_type: &str, current: u32, limit: u32) -> SecurityAuditEvent {
    SecurityAuditEvent::new(
        AuditSeverity::Warning,
        AuditEvent::RateLimitExceeded {
            limit_type: limit_type.to_string(),
            current_count: current,
            limit,
        },
    )
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_audit_event_builder() {
        let event = SecurityAuditEvent::new(
            AuditSeverity::Warning,
            AuditEvent::AuthAttempt {
                success: false,
                reason: Some("Token expired".to_string()),
                error_code: Some("token-expired".to_string()),
            },
        )
        .with_client_ip("192.168.1.1:12345".parse().unwrap())
        .with_origin("https://example.com")
        .with_subject("user-123");

        assert_eq!(event.severity, AuditSeverity::Warning);
        assert_eq!(event.client_ip, Some("192.168.1.1".to_string()));
        assert_eq!(event.origin, Some("https://example.com".to_string()));
        assert_eq!(event.subject, Some("user-123".to_string()));
    }

    #[tokio::test]
    async fn test_channel_audit_logger() {
        let (logger, mut receiver) = ChannelAuditLogger::new();

        let event = auth_failure_event(&crate::AuthErrorCode::TokenExpired, "Token has expired");

        logger.log(event.clone()).await;

        let received = receiver.recv().await.expect("Should receive event");
        match received.event {
            AuditEvent::AuthAttempt { success, .. } => {
                assert!(!success);
            }
            _ => panic!("Expected AuthAttempt event"),
        }
    }
}