
1//! RuVector Security Utilities
2//!
3//! This crate provides security primitives for the RuVector vector database:
4//!
5//! - **Path Validation**: Prevents path traversal attacks (S-3)
6//! - **Authentication**: Token-based authentication middleware (S-1)
7//! - **CORS Configuration**: Configurable CORS policies (S-2)
8//! - **Rate Limiting**: Token bucket rate limiter (S-5)
9//! - **FFI Safety**: Safe pointer handling utilities (S-4, S-6)
10//!
11//! # Example
12//!
13//! ```rust,no_run
14//! use ruvector_security::{PathValidator, SecurityConfig};
15//!
16//! let validator = PathValidator::new(vec!["/data".into()]);
17//! assert!(validator.validate("/data/vectors.db").is_ok());
18//! assert!(validator.validate("/etc/passwd").is_err());
19//! ```
20
21pub mod auth;
22pub mod cors;
23pub mod error;
24pub mod ffi;
25pub mod middleware;
26pub mod path;
27pub mod rate_limit;
28
29pub use auth::{AuthConfig, AuthMiddleware, AuthMode, BearerTokenValidator, TokenValidator};
30pub use cors::{CorsConfig, CorsMode};
31pub use error::{SecurityError, SecurityResult};
32pub use ffi::{validate_ptr, FfiError, TrackedAllocation};
33pub use middleware::{auth_layer, rate_limit_layer, security_layer, SecurityState};
34pub use path::PathValidator;
35pub use rate_limit::{OperationType, RateLimitConfig, RateLimiter};
36
/// Security configuration combining all security settings.
///
/// Aggregates the per-concern configurations (`auth`, `cors`, `rate_limit`)
/// together with the filesystem allow-list used by [`PathValidator`].
/// The type is `serde` serializable/deserializable, so instances may be
/// loaded from external configuration; the constructors below
/// (`Default`, `development`, `production`) give the built-in profiles.
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct SecurityConfig {
    /// Authentication configuration (see `auth` module; `mode` selects the scheme)
    pub auth: AuthConfig,
    /// CORS configuration (see `cors` module; `mode` and `allowed_origins`)
    pub cors: CorsConfig,
    /// Rate limiting configuration (see `rate_limit` module)
    pub rate_limit: RateLimitConfig,
    /// Allowed paths for file operations.
    ///
    /// Handed verbatim to `PathValidator::new` by [`SecurityConfig::path_validator`];
    /// relative entries are resolved against the process working directory
    /// when validated (presumably inside `PathValidator` — confirm in `path.rs`).
    pub allowed_paths: Vec<std::path::PathBuf>,
}
49
impl Default for SecurityConfig {
    /// Default profile: every sub-configuration takes its own `Default`,
    /// and file operations are limited to the current working directory (`.`).
    fn default() -> Self {
        let allowed_paths = vec![std::path::PathBuf::from(".")];
        Self {
            auth: Default::default(),
            cors: Default::default(),
            rate_limit: Default::default(),
            allowed_paths,
        }
    }
}
60
impl SecurityConfig {
    /// Build a configuration suited to local development.
    ///
    /// Authentication is switched off (`AuthMode::None`), CORS runs in
    /// `CorsMode::Development`, rate limiting keeps its defaults, and file
    /// operations are confined to the current working directory (`.`).
    /// Because no credential is required, this profile is only appropriate
    /// for a listener that is not reachable from untrusted networks.
    pub fn development() -> Self {
        let auth = AuthConfig {
            mode: AuthMode::None,
            ..AuthConfig::default()
        };
        let cors = CorsConfig {
            mode: CorsMode::Development,
            ..CorsConfig::default()
        };
        Self {
            auth,
            cors,
            rate_limit: Default::default(),
            allowed_paths: vec![".".into()],
        }
    }

    /// Build a configuration suited to a production deployment.
    ///
    /// `token` becomes the bearer credential (`AuthMode::Bearer`, stored as
    /// `Some(token)`); `allowed_origins` is the CORS allow-list used with
    /// `CorsMode::Restrictive`. Rate limiting keeps its defaults and file
    /// operations are confined to `./data`, which is relative to the process
    /// working directory rather than an absolute location.
    ///
    /// The arguments are stored as given: whether an empty token or an empty
    /// origin list is rejected depends on validation in the `auth` and `cors`
    /// modules, not on this constructor.
    pub fn production(token: String, allowed_origins: Vec<String>) -> Self {
        let auth = AuthConfig {
            mode: AuthMode::Bearer,
            token: Some(token),
            ..AuthConfig::default()
        };
        let cors = CorsConfig {
            mode: CorsMode::Restrictive,
            allowed_origins,
            ..CorsConfig::default()
        };
        Self {
            auth,
            cors,
            rate_limit: Default::default(),
            allowed_paths: vec!["./data".into()],
        }
    }

    /// Build a [`PathValidator`] over a copy of `allowed_paths`.
    ///
    /// The validator owns its allow-list, so later edits to this config are
    /// not reflected in a validator created earlier.
    pub fn path_validator(&self) -> PathValidator {
        let roots = self.allowed_paths.to_vec();
        PathValidator::new(roots)
    }
}
100}