mockforge-core 0.3.114

Shared logic for MockForge - routing, validation, latency, proxy
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

//! Multi-factor authentication (MFA) tracking for privileged users
//!
//! This module provides MFA status tracking and enforcement for privileged access management.

use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::sync::Arc;
use tokio::sync::RwLock;
use uuid::Uuid;

/// MFA method types
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum MfaMethod {
    /// Time-based one-time password (TOTP)
    Totp,
    /// SMS-based verification
    Sms,
    /// Email-based verification
    Email,
    /// Hardware security key (FIDO2/WebAuthn)
    HardwareKey,
    /// Push notification
    Push,
}

/// MFA status for a user
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct MfaStatus {
    /// User ID
    pub user_id: Uuid,
    /// Whether MFA is enabled
    pub enabled: bool,
    /// MFA methods configured
    pub methods: Vec<MfaMethod>,
    /// When MFA was enabled
    pub enabled_at: Option<DateTime<Utc>>,
    /// Last MFA verification
    pub last_verification: Option<DateTime<Utc>>,
    /// Backup codes remaining
    pub backup_codes_remaining: u32,
}

/// MFA storage trait
#[async_trait::async_trait]
pub trait MfaStorage: Send + Sync {
    /// Get MFA status for a user
    async fn get_mfa_status(&self, user_id: Uuid) -> Result<Option<MfaStatus>, crate::Error>;

    /// Set MFA status for a user
    async fn set_mfa_status(&self, status: MfaStatus) -> Result<(), crate::Error>;

    /// Get all users with MFA enabled
    async fn get_users_with_mfa(&self) -> Result<Vec<Uuid>, crate::Error>;

    /// Get all privileged users without MFA
    async fn get_privileged_users_without_mfa(
        &self,
        privileged_user_ids: &[Uuid],
    ) -> Result<Vec<Uuid>, crate::Error>;
}

/// In-memory MFA storage (for development/testing)
pub struct InMemoryMfaStorage {
    mfa_statuses: Arc<RwLock<HashMap<Uuid, MfaStatus>>>,
}

impl InMemoryMfaStorage {
    /// Create a new in-memory MFA storage
    pub fn new() -> Self {
        Self {
            mfa_statuses: Arc::new(RwLock::new(HashMap::new())),
        }
    }
}

impl Default for InMemoryMfaStorage {
    fn default() -> Self {
        Self::new()
    }
}

#[async_trait::async_trait]
impl MfaStorage for InMemoryMfaStorage {
    async fn get_mfa_status(&self, user_id: Uuid) -> Result<Option<MfaStatus>, crate::Error> {
        let statuses = self.mfa_statuses.read().await;
        Ok(statuses.get(&user_id).cloned())
    }

    async fn set_mfa_status(&self, status: MfaStatus) -> Result<(), crate::Error> {
        let mut statuses = self.mfa_statuses.write().await;
        statuses.insert(status.user_id, status);
        Ok(())
    }

    async fn get_users_with_mfa(&self) -> Result<Vec<Uuid>, crate::Error> {
        let statuses = self.mfa_statuses.read().await;
        Ok(statuses
            .iter()
            .filter(|(_, status)| status.enabled)
            .map(|(user_id, _)| *user_id)
            .collect())
    }

    async fn get_privileged_users_without_mfa(
        &self,
        privileged_user_ids: &[Uuid],
    ) -> Result<Vec<Uuid>, crate::Error> {
        let statuses = self.mfa_statuses.read().await;
        Ok(privileged_user_ids
            .iter()
            .filter(|user_id| {
                statuses.get(user_id).map(|s| !s.enabled).unwrap_or(true) // If no status, assume MFA not enabled
            })
            .copied()
            .collect())
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn test_mfa_storage() {
        let storage = InMemoryMfaStorage::new();
        let user_id = Uuid::new_v4();
        let status = MfaStatus {
            user_id,
            enabled: true,
            methods: vec![MfaMethod::Totp],
            enabled_at: Some(Utc::now()),
            last_verification: Some(Utc::now()),
            backup_codes_remaining: 5,
        };

        storage.set_mfa_status(status).await.unwrap();
        let retrieved = storage.get_mfa_status(user_id).await.unwrap();
        assert!(retrieved.is_some());
        assert!(retrieved.unwrap().enabled);
    }
}