schema_registry_security/
lib.rs

1//! Security layer: RBAC, ABAC, signatures, audit logging, secrets management
2//!
3//! This module provides comprehensive security features including:
4//! - Authentication (JWT, OAuth, mTLS)
5//! - Authorization (RBAC, ABAC)
6//! - Audit logging (tamper-proof, hash-chained)
7//! - Secrets management (rotation, encryption)
8//! - SOC 2 Type II compliance (5 Trust Service Principles)
9
10pub mod rbac;
11pub mod abac;
12pub mod audit;
13pub mod secrets;
14pub mod auth;
15pub mod soc2;
16
17pub use audit::{AuditEvent, AuditEventType, AuditLogger, AuditResult, AuditSeverity};
18pub use auth::{JwtManager, TokenClaims, TokenRevocationList, TokenType};
19pub use secrets::{Secret, SecretMetadata, SecretsManager, RotationPolicy};
20pub use soc2::{
21    AllControls, AvailabilityControls, ComplianceMetrics, ComplianceMonitor, ComplianceReporter,
22    ConfidentialityControls, ControlStatus, EvidenceCollector, ProcessingIntegrityControls,
23    PrivacyControls, SecurityControls, SOC2Report,
24};
25
26use std::sync::Arc;
27use tokio::sync::RwLock;
28
29/// Unified security manager with SOC 2 compliance
30pub struct SecurityManager {
31    pub audit_logger: Arc<AuditLogger>,
32    pub jwt_manager: Arc<JwtManager>,
33    pub secrets_manager: Arc<SecretsManager>,
34    pub compliance_monitor: Option<Arc<ComplianceMonitor>>,
35    pub evidence_collector: Option<Arc<EvidenceCollector>>,
36    pub compliance_reporter: Option<Arc<ComplianceReporter>>,
37}
38
39impl SecurityManager {
40    pub fn new(
41        audit_logger: Arc<AuditLogger>,
42        jwt_manager: Arc<JwtManager>,
43        secrets_manager: Arc<SecretsManager>,
44    ) -> Self {
45        Self {
46            audit_logger,
47            jwt_manager,
48            secrets_manager,
49            compliance_monitor: None,
50            evidence_collector: None,
51            compliance_reporter: None,
52        }
53    }
54
55    /// Create a security manager with SOC 2 compliance capabilities
56    pub fn with_compliance(
57        audit_logger: Arc<AuditLogger>,
58        jwt_manager: Arc<JwtManager>,
59        secrets_manager: Arc<SecretsManager>,
60    ) -> Self {
61        use soc2::monitoring::MetricsCollector;
62
63        // Create SOC 2 components
64        let evidence_collector = Arc::new(EvidenceCollector::new(Arc::clone(&audit_logger)));
65
66        let controls = Arc::new(RwLock::new(AllControls::new()));
67        let metrics_collector = Arc::new(MetricsCollector::new());
68        let compliance_monitor = Arc::new(ComplianceMonitor::new(controls, metrics_collector));
69
70        let compliance_reporter = Arc::new(ComplianceReporter::new(
71            Arc::clone(&evidence_collector),
72            Arc::clone(&compliance_monitor),
73        ));
74
75        Self {
76            audit_logger,
77            jwt_manager,
78            secrets_manager,
79            compliance_monitor: Some(compliance_monitor),
80            evidence_collector: Some(evidence_collector),
81            compliance_reporter: Some(compliance_reporter),
82        }
83    }
84
85    /// Create a default security manager for testing
86    pub fn default_for_testing() -> Self {
87        use secrets::{InMemorySecretsBackend, RotationConfig};
88
89        let audit_logger = Arc::new(AuditLogger::new());
90        let revocation_list = Arc::new(TokenRevocationList::new());
91        let jwt_manager = Arc::new(JwtManager::new_hs256(
92            b"test-secret-key-minimum-32-bytes-long",
93            revocation_list,
94        ));
95        let secrets_backend = Arc::new(InMemorySecretsBackend::new());
96        let secrets_manager = Arc::new(SecretsManager::new(
97            secrets_backend,
98            RotationConfig::default(),
99        ));
100
101        Self::new(audit_logger, jwt_manager, secrets_manager)
102    }
103
104    /// Create a default security manager with compliance for testing
105    pub fn default_with_compliance_for_testing() -> Self {
106        use secrets::{InMemorySecretsBackend, RotationConfig};
107
108        let audit_logger = Arc::new(AuditLogger::new());
109        let revocation_list = Arc::new(TokenRevocationList::new());
110        let jwt_manager = Arc::new(JwtManager::new_hs256(
111            b"test-secret-key-minimum-32-bytes-long",
112            revocation_list,
113        ));
114        let secrets_backend = Arc::new(InMemorySecretsBackend::new());
115        let secrets_manager = Arc::new(SecretsManager::new(
116            secrets_backend,
117            RotationConfig::default(),
118        ));
119
120        Self::with_compliance(audit_logger, jwt_manager, secrets_manager)
121    }
122}
123
124#[cfg(test)]
125mod tests {
126    use super::*;
127
128    #[test]
129    fn test_security_manager_creation() {
130        use secrets::{InMemorySecretsBackend, RotationConfig};
131
132        let audit_logger = Arc::new(AuditLogger::new());
133        let revocation_list = Arc::new(TokenRevocationList::new());
134        let jwt_manager = Arc::new(JwtManager::new_hs256(
135            b"test-secret-key-minimum-32-bytes-long",
136            revocation_list,
137        ));
138        let secrets_backend = Arc::new(InMemorySecretsBackend::new());
139        let secrets_manager = Arc::new(SecretsManager::new(
140            secrets_backend,
141            RotationConfig::default(),
142        ));
143
144        let manager = SecurityManager::new(audit_logger, jwt_manager, secrets_manager);
145        assert!(Arc::strong_count(&manager.audit_logger) >= 1);
146        assert!(Arc::strong_count(&manager.jwt_manager) >= 1);
147        assert!(Arc::strong_count(&manager.secrets_manager) >= 1);
148    }
149
150    #[test]
151    fn test_security_manager_default_for_testing() {
152        let manager = SecurityManager::default_for_testing();
153        assert!(Arc::strong_count(&manager.audit_logger) >= 1);
154        assert!(Arc::strong_count(&manager.jwt_manager) >= 1);
155        assert!(Arc::strong_count(&manager.secrets_manager) >= 1);
156    }
157
158    #[test]
159    fn test_security_manager_has_all_components() {
160        let manager = SecurityManager::default_for_testing();
161        assert!(Arc::strong_count(&manager.audit_logger) > 0);
162        assert!(Arc::strong_count(&manager.jwt_manager) > 0);
163        assert!(Arc::strong_count(&manager.secrets_manager) > 0);
164    }
165
166    #[test]
167    fn test_multiple_security_managers() {
168        let manager1 = SecurityManager::default_for_testing();
169        let manager2 = SecurityManager::default_for_testing();
170
171        // They should be independent instances
172        assert!(Arc::as_ptr(&manager1.audit_logger) != Arc::as_ptr(&manager2.audit_logger));
173    }
174
175    #[test]
176    fn test_audit_logger_component() {
177        let manager = SecurityManager::default_for_testing();
178        let logger = &manager.audit_logger;
179        // Logger should be functional
180        assert!(Arc::strong_count(logger) >= 1);
181    }
182
183    #[test]
184    fn test_jwt_manager_component() {
185        let manager = SecurityManager::default_for_testing();
186        let jwt_mgr = &manager.jwt_manager;
187        assert!(Arc::strong_count(jwt_mgr) >= 1);
188    }
189
190    #[test]
191    fn test_secrets_manager_component() {
192        let manager = SecurityManager::default_for_testing();
193        let secrets_mgr = &manager.secrets_manager;
194        assert!(Arc::strong_count(secrets_mgr) >= 1);
195    }
196
197    #[test]
198    fn test_security_manager_arc_cloning() {
199        let manager = SecurityManager::default_for_testing();
200        let audit_clone = Arc::clone(&manager.audit_logger);
201        let jwt_clone = Arc::clone(&manager.jwt_manager);
202        let secrets_clone = Arc::clone(&manager.secrets_manager);
203
204        assert!(Arc::ptr_eq(&audit_clone, &manager.audit_logger));
205        assert!(Arc::ptr_eq(&jwt_clone, &manager.jwt_manager));
206        assert!(Arc::ptr_eq(&secrets_clone, &manager.secrets_manager));
207    }
208
209    #[test]
210    fn test_security_manager_components_independent() {
211        use secrets::{InMemorySecretsBackend, RotationConfig};
212
213        let audit1 = Arc::new(AuditLogger::new());
214        let audit2 = Arc::new(AuditLogger::new());
215
216        let revocation_list = Arc::new(TokenRevocationList::new());
217        let jwt = Arc::new(JwtManager::new_hs256(
218            b"test-secret-key-minimum-32-bytes-long",
219            revocation_list,
220        ));
221
222        let backend = Arc::new(InMemorySecretsBackend::new());
223        let secrets = Arc::new(SecretsManager::new(backend, RotationConfig::default()));
224
225        let manager1 = SecurityManager::new(audit1.clone(), jwt.clone(), secrets.clone());
226        let manager2 = SecurityManager::new(audit2.clone(), jwt.clone(), secrets.clone());
227
228        // audit_logger should be different
229        assert!(!Arc::ptr_eq(&manager1.audit_logger, &manager2.audit_logger));
230
231        // but jwt_manager and secrets_manager should be same
232        assert!(Arc::ptr_eq(&manager1.jwt_manager, &manager2.jwt_manager));
233        assert!(Arc::ptr_eq(&manager1.secrets_manager, &manager2.secrets_manager));
234    }
235
236    #[test]
237    fn test_security_manager_with_compliance() {
238        let manager = SecurityManager::default_with_compliance_for_testing();
239        assert!(manager.compliance_monitor.is_some());
240        assert!(manager.evidence_collector.is_some());
241        assert!(manager.compliance_reporter.is_some());
242    }
243
244    #[test]
245    fn test_soc2_exports() {
246        // Verify all SOC2 types are exported
247        let _controls: Option<AllControls> = None;
248        let _security: Option<SecurityControls> = None;
249        let _availability: Option<AvailabilityControls> = None;
250        let _processing: Option<ProcessingIntegrityControls> = None;
251        let _confidentiality: Option<ConfidentialityControls> = None;
252        let _privacy: Option<PrivacyControls> = None;
253    }
254}
schema_registry_security/lib.rs

schema_registry_security/
lib.rs
