mintrt 0.1.2

Security-featured runtime for lua.
Documentation
//     <<*>> Revenge of snowflake.
//     -^v-  SASWE
//     @ This source code is licensed under a dual license model:
//       1. MPL-2.0 for non-commercial use only
//       2. Commercial License for commercial use
//       See LICENSE and LICENSE_COMMERCIAL files for details.
use std::collections::HashMap;
use crate::security::{Permission, SAuthBasicCtrl};

/// 获取默认安全配置(全部禁用致命和高风险权限)
pub fn get_default_auth_config() -> SAuthBasicCtrl {
    let mut config = SAuthBasicCtrl::new();

    // 默认禁用所有致命风险权限
    config.insert(Permission::Dofile, false);
    config.insert(Permission::Load, false);
    config.insert(Permission::Loadfile, false);
    config.insert(Permission::Require, false);

    config.insert(Permission::OsExecute, false);
    config.insert(Permission::OsExit, false);
    config.insert(Permission::OsGetenv, false);
    config.insert(Permission::OsRemove, false);
    config.insert(Permission::OsRename, false);
    config.insert(Permission::OsSetenv, false);

    config.insert(Permission::IoOpen, false);
    config.insert(Permission::IoRead, false);
    config.insert(Permission::IoWrite, false);
    config.insert(Permission::IoPopen, false);

    config.insert(Permission::DebugGetinfo, false);
    config.insert(Permission::DebugGetlocal, false);
    config.insert(Permission::DebugGetmetatable, false);
    config.insert(Permission::DebugGetregistry, false);
    config.insert(Permission::DebugGetupvalue, false);
    config.insert(Permission::DebugGetuservalue, false);
    config.insert(Permission::DebugSethook, false);
    config.insert(Permission::DebugSetlocal, false);
    config.insert(Permission::DebugSetupvalue, false);
    config.insert(Permission::DebugSetuservalue, false);

    config.insert(Permission::PackageLoadlib, false);

    // 默认禁用高风险权限
    config.insert(Permission::PackagePath, false);
    config.insert(Permission::PackageLoaded, false);
    config.insert(Permission::PackagePreload, false);
    config.insert(Permission::PackageSearchpath, false);

    // 中等风险权限默认启用但受限
    config.insert(Permission::MathRandom, true);
    config.insert(Permission::MathRandomseed, true);
    config.insert(Permission::StringDump, false);

    config
}

pub fn get_authorized_auth_config(changes: SAuthBasicCtrl) -> SAuthBasicCtrl {
    let mut default = get_default_auth_config();
    for (permission, enabled) in changes {
        default.insert(permission, enabled);
    }
    default
}