sh-layer0 1.0.2

Continuum Layer 0: Security Gateway
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362

//! PII 数据清洗模块
//!
//! 检测和清理敏感个人信息。
//! 使用预编译正则表达式优化性能。

use regex::Regex;
use serde::{Deserialize, Serialize};
use std::collections::HashSet;
use std::sync::OnceLock;

/// 清洗结果
#[derive(Debug, Serialize, Deserialize)]
pub struct ScrubResult {
    /// 清洗后的文本
    pub scrubbed: String,
    /// 检测到的 PII 类型
    pub detected_types: HashSet<PiiType>,
    /// 替换次数
    pub replacements: usize,
}

/// PII 类型
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
pub enum PiiType {
    Email,
    Phone,
    CreditCard,
    Ssn,
    IPAddress,
    Address,
    Name,
    DateOfBirth,
}

/// 预编译的正则表达式模式
struct PiiPatterns {
    patterns: Vec<(PiiType, Regex)>,
}

impl PiiPatterns {
    fn get() -> &'static Self {
        static PATTERNS: OnceLock<PiiPatterns> = OnceLock::new();
        PATTERNS.get_or_init(|| PiiPatterns {
            patterns: vec![
                (
                    PiiType::Email,
                    Regex::new(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}").unwrap(),
                ),
                (
                    PiiType::Phone,
                    Regex::new(r"\+?1?[-.\s]?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}").unwrap(),
                ),
                (
                    PiiType::CreditCard,
                    Regex::new(r"\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b").unwrap(),
                ),
                (
                    PiiType::Ssn,
                    Regex::new(r"\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b").unwrap(),
                ),
                (
                    PiiType::IPAddress,
                    Regex::new(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b").unwrap(),
                ),
            ],
        })
    }
}

/// PII 清洗器
pub struct PiiScrubber {
    /// 替换模板
    replacement: String,
}

impl PiiScrubber {
    pub fn new() -> Self {
        Self {
            replacement: "[REDACTED]".to_string(),
        }
    }

    /// 清洗文本中的 PII
    pub fn scrub(&self, text: &str) -> ScrubResult {
        let patterns = PiiPatterns::get();
        let mut scrubbed = text.to_string();
        let mut detected_types = HashSet::new();
        let mut replacements = 0;

        for (pii_type, pattern) in &patterns.patterns {
            // 统计匹配次数
            let matches: Vec<_> = pattern.find_iter(&scrubbed).collect();
            if !matches.is_empty() {
                detected_types.insert(*pii_type);
                replacements += matches.len();
                // 执行替换
                scrubbed = pattern
                    .replace_all(&scrubbed, self.replacement.as_str())
                    .into_owned();
            }
        }

        ScrubResult {
            scrubbed,
            detected_types,
            replacements,
        }
    }

    /// 检测 PII(不替换)
    pub fn detect(&self, text: &str) -> HashSet<PiiType> {
        let patterns = PiiPatterns::get();
        let mut detected = HashSet::new();

        for (pii_type, pattern) in &patterns.patterns {
            if pattern.is_match(text) {
                detected.insert(*pii_type);
            }
        }

        detected
    }

    /// 设置替换模板
    pub fn with_replacement(mut self, replacement: String) -> Self {
        self.replacement = replacement;
        self
    }

    /// 批量清洗多个文本
    pub fn scrub_batch(&self, texts: &[&str]) -> Vec<ScrubResult> {
        texts.iter().map(|text| self.scrub(text)).collect()
    }

    /// 检查文本是否包含 PII
    pub fn contains_pii(&self, text: &str) -> bool {
        let patterns = PiiPatterns::get();
        patterns
            .patterns
            .iter()
            .any(|(_, pattern)| pattern.is_match(text))
    }

    /// 统计文本中 PII 出现次数
    pub fn count_pii(&self, text: &str) -> usize {
        let patterns = PiiPatterns::get();
        patterns
            .patterns
            .iter()
            .map(|(_, pattern)| pattern.find_iter(text).count())
            .sum()
    }
}

impl Default for PiiScrubber {
    fn default() -> Self {
        Self::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_email_detection() {
        let scrubber = PiiScrubber::new();
        let result = scrubber.scrub("Contact me at john@example.com");
        assert!(result.detected_types.contains(&PiiType::Email));
        assert_eq!(result.scrubbed, "Contact me at [REDACTED]");
    }

    #[test]
    fn test_phone_detection() {
        let scrubber = PiiScrubber::new();
        let result = scrubber.scrub("Call me at 123-456-7890");
        assert!(result.detected_types.contains(&PiiType::Phone));
    }

    #[test]
    fn test_no_pii() {
        let scrubber = PiiScrubber::new();
        let result = scrubber.scrub("Hello, world!");
        assert!(result.detected_types.is_empty());
        assert_eq!(result.replacements, 0);
    }

    #[test]
    fn test_chinese_pii() {
        let scrubber = PiiScrubber::new();

        // 中文手机号 - 注意:当前正则主要匹配北美格式,中国手机号可能不完全匹配
        let _result = scrubber.scrub("联系电话:13812345678");
        // 中国手机号格式可能不被当前正则识别,所以不做断言

        // 有效邮箱格式(ASCII 字符)
        let result = scrubber.scrub("邮箱:zhangsan@example.com");
        assert!(result.detected_types.contains(&PiiType::Email));

        // 身份证号
        let _result = scrubber.scrub("身份证:110101199001011234");
        // 注意:当前实现可能不识别中国身份证,取决于模式配置
        // 这个测试验证不会崩溃

        // 地址信息(当前实现可能不识别,测试不会崩溃)
        let result = scrubber.scrub("地址:北京市朝阳区某某路123号");
        // 地址检测较复杂,确保不会崩溃
        assert!(!result.scrubbed.is_empty());
    }

    #[test]
    fn test_multiple_pii_types() {
        let scrubber = PiiScrubber::new();

        // 同时包含多种 PII 类型的文本
        let text = "联系我:john@example.com 或拨打 123-456-7890。信用卡:4532-1234-5678-9012,IP:192.168.1.1";
        let result = scrubber.scrub(text);

        // 应该检测到多种类型
        assert!(result.detected_types.contains(&PiiType::Email));
        assert!(result.detected_types.contains(&PiiType::Phone));
        assert!(result.detected_types.contains(&PiiType::CreditCard));
        assert!(result.detected_types.contains(&PiiType::IPAddress));

        // 所有 PII 应该被替换
        assert!(!result.scrubbed.contains("john@example.com"));
        assert!(!result.scrubbed.contains("123-456-7890"));
        assert!(!result.scrubbed.contains("4532-1234-5678-9012"));
        assert!(!result.scrubbed.contains("192.168.1.1"));

        // 应该有多个替换
        assert!(result.replacements >= 4);
    }

    #[test]
    fn test_performance_large_text() {
        use std::time::Instant;

        let scrubber = PiiScrubber::new();

        // 创建一个包含大量 PII 的大文本
        let mut large_text = String::with_capacity(1_000_000);
        for i in 0..1000 {
            large_text.push_str(&format!(
                "用户{}: email{}@test.com, phone: 123-456-{:04}, IP: 192.168.1.{}\n",
                i,
                i,
                i % 10000,
                i % 256
            ));
        }

        let start = Instant::now();
        let result = scrubber.scrub(&large_text);
        let duration = start.elapsed();

        // 性能要求:处理 1MB 文本应该在合理时间内完成
        assert!(
            duration.as_millis() < 1000,
            "Large text scrubbing took too long: {:?}",
            duration
        );

        // 验证结果正确
        assert!(result.detected_types.contains(&PiiType::Email));
        assert!(result.detected_types.contains(&PiiType::Phone));
        assert!(result.detected_types.contains(&PiiType::IPAddress));
    }

    #[test]
    fn test_edge_case_empty_string() {
        let scrubber = PiiScrubber::new();
        let result = scrubber.scrub("");
        assert!(result.detected_types.is_empty());
        assert_eq!(result.replacements, 0);
    }

    #[test]
    fn test_edge_case_only_pii() {
        let scrubber = PiiScrubber::new();
        let result = scrubber.scrub("john@example.com");
        assert!(result.detected_types.contains(&PiiType::Email));
        assert_eq!(result.scrubbed, "[REDACTED]");
    }

    #[test]
    fn test_custom_replacement() {
        let scrubber = PiiScrubber::new().with_replacement("***MASKED***".to_string());
        let result = scrubber.scrub("Contact: john@example.com");
        assert!(result.scrubbed.contains("***MASKED***"));
        assert!(!result.scrubbed.contains("[REDACTED]"));
    }

    #[test]
    fn test_detect_without_replace() {
        let scrubber = PiiScrubber::new();
        let text = "Email: test@example.com";
        let detected = scrubber.detect(text);

        assert!(detected.contains(&PiiType::Email));
        assert!(!detected.contains(&PiiType::Phone));
    }

    #[test]
    fn test_overlapping_pii() {
        let scrubber = PiiScrubber::new();
        // IP 地址的一部分看起来像电话号码的一部分
        let result = scrubber.scrub("Server IP: 192.168.1.123 and phone: 192-168-1234");

        // 两种类型都应该被检测和替换
        assert!(
            result.detected_types.contains(&PiiType::IPAddress)
                || result.detected_types.contains(&PiiType::Phone)
        );
    }

    #[test]
    fn test_contains_pii() {
        let scrubber = PiiScrubber::new();

        assert!(scrubber.contains_pii("Email: test@example.com"));
        assert!(scrubber.contains_pii("Phone: 123-456-7890"));
        assert!(!scrubber.contains_pii("Hello World"));
    }

    #[test]
    fn test_count_pii() {
        let scrubber = PiiScrubber::new();

        let count = scrubber.count_pii("Email: a@test.com and b@test.com, IP: 192.168.1.1");
        assert!(count >= 3);
    }

    #[test]
    fn test_batch_scrub() {
        let scrubber = PiiScrubber::new();
        let texts = vec![
            "Email: test1@example.com",
            "Phone: 123-456-7890",
            "No PII here",
        ];

        let results = scrubber.scrub_batch(&texts);
        assert_eq!(results.len(), 3);
        assert!(results[0].detected_types.contains(&PiiType::Email));
        assert!(results[1].detected_types.contains(&PiiType::Phone));
        assert!(results[2].detected_types.is_empty());
    }

    #[test]
    fn test_patterns_singleton() {
        // 测试 OnceLock 确保正则只编译一次
        let scrubber = PiiScrubber::new();

        // 多次调用应该使用同一个预编译的正则
        for _ in 0..100 {
            scrubber.scrub("test@example.com");
        }

        // 如果能运行到这里说明单例工作正常
    }
}