axum_acl/

rule.rs

//! ACL rule definitions and matching logic.
//!
//! This module provides the core [`AclRuleFilter`] struct that defines access control rules
//! using a 5-tuple: (endpoint, role, time, ip, id).
//!
//! - **Endpoint**: Used as HashMap key for O(1) lookup
//! - **Role**: `u32` bitmask for efficient role matching (up to 32 roles)
//! - **Time**: Time window filter (start < now < end)
//! - **IP**: IP address/CIDR filter (ip & mask == network)
//! - **ID**: Exact match or "*" wildcard

use chrono::{Datelike, NaiveTime, Utc};
use http::Method;
use ipnetwork::IpNetwork;
use std::collections::HashMap;
use std::net::IpAddr;

/// Request context for ACL evaluation.
#[derive(Debug, Clone)]
pub struct RequestContext<'a> {
    /// User's role bitmask (up to 32 roles).
    pub roles: u32,
    /// Client IP address.
    pub ip: IpAddr,
    /// User/session ID.
    pub id: &'a str,
}

impl<'a> RequestContext<'a> {
    /// Create a new request context.
    pub fn new(roles: u32, ip: IpAddr, id: &'a str) -> Self {
        Self { roles, ip, id }
    }
}

/// The legacy bitmask-based auth context.
///
/// Wraps the old `(roles: u32, id: String)` pair for use with the generic
/// `RuleMatcher<A>` system. `AclRuleFilter` implements `RuleMatcher<BitmaskAuth>`.
#[derive(Debug, Clone)]
pub struct BitmaskAuth {
    /// Role bitmask (u32).
    pub roles: u32,
    /// User/session ID.
    pub id: String,
}

/// Metadata about the incoming HTTP request, available to all matchers.
#[derive(Debug, Clone)]
pub struct RequestMeta {
    /// HTTP method (GET, POST, etc.)
    pub method: Method,
    /// Request path.
    pub path: String,
    /// Named path parameters extracted from the matching `EndpointPattern`.
    pub path_params: HashMap<String, String>,
    /// Client IP address.
    pub ip: IpAddr,
}

/// Trait for matching a rule against an auth context and request metadata.
///
/// `A` is the application-specific auth type (e.g., `BitmaskAuth`, or a custom
/// scoped-role struct). Implementations decide how to check authorization.
pub trait RuleMatcher<A>: Send + Sync + std::fmt::Debug {
    /// Check if this matcher allows the given auth context for the request.
    fn matches(&self, auth: &A, meta: &RequestMeta) -> bool;

    /// The action to take if this matcher matches.
    fn action(&self) -> &AclAction;

    /// Optional human-readable description for logging.
    fn description(&self) -> Option<&str> {
        None
    }
}

/// Action to take when a rule matches.
#[derive(Debug, Clone, PartialEq, Eq, Default)]
pub enum AclAction {
    /// Allow the request to proceed.
    #[default]
    Allow,
    /// Deny the request with 403 Forbidden.
    Deny,
    /// Return a custom error response.
    Error {
        /// HTTP status code (default: 403).
        code: u16,
        /// Custom error message.
        message: Option<String>,
    },
    /// Reroute to a different path.
    Reroute {
        /// Target path to reroute to.
        target: String,
        /// Whether to preserve original path in X-Original-Path header.
        preserve_path: bool,
    },
    /// Rate limit (placeholder - requires external state).
    RateLimit {
        /// Maximum requests per window.
        max_requests: u32,
        /// Window duration in seconds.
        window_secs: u64,
    },
    /// Log and allow (for monitoring/auditing).
    Log {
        /// Log level: "trace", "debug", "info", "warn", "error".
        level: String,
        /// Custom log message.
        message: Option<String>,
    },
}

impl AclAction {
    /// Create a deny action (alias for Deny variant).
    pub fn deny() -> Self {
        Self::Deny
    }

    /// Create an allow action (alias for Allow variant).
    pub fn allow() -> Self {
        Self::Allow
    }

    /// Create a custom error action.
    pub fn error(code: u16, message: impl Into<Option<String>>) -> Self {
        Self::Error {
            code,
            message: message.into(),
        }
    }

    /// Create a reroute action.
    pub fn reroute(target: impl Into<String>) -> Self {
        Self::Reroute {
            target: target.into(),
            preserve_path: false,
        }
    }

    /// Create a reroute action that preserves the original path.
    pub fn reroute_with_preserve(target: impl Into<String>) -> Self {
        Self::Reroute {
            target: target.into(),
            preserve_path: true,
        }
    }

    /// Check if this action allows the request to proceed.
    pub fn is_allow(&self) -> bool {
        matches!(self, Self::Allow | Self::Log { .. })
    }

    /// Check if this action denies/blocks the request.
    pub fn is_deny(&self) -> bool {
        matches!(self, Self::Deny | Self::Error { .. })
    }
}

/// ACL rule filter for the 5-tuple matching system.
///
/// Filters are applied after endpoint lookup (endpoint is the HashMap key).
/// Match priority: id → roles → ip → time
#[derive(Debug, Clone)]
pub struct AclRuleFilter {
    /// ID matcher: "*" for any, or exact match.
    pub id: String,
    /// Role bitmask: `(rule.role_mask & ctx.roles) != 0` to match.
    pub role_mask: u32,
    /// HTTP methods this rule applies to. Empty means all methods.
    pub methods: Vec<Method>,
    /// Time window: start < now < end.
    pub time: TimeWindow,
    /// IP matcher: CIDR-style matching.
    pub ip: IpMatcher,
    /// Action to take when this filter matches.
    pub action: AclAction,
    /// Optional description for logging/debugging.
    pub description: Option<String>,
}

impl AclRuleFilter {
    /// Create a new filter that matches any ID and all roles.
    pub fn new() -> Self {
        Self {
            id: "*".to_string(),
            role_mask: u32::MAX, // all roles
            methods: Vec::new(),
            time: TimeWindow::default(),
            ip: IpMatcher::Any,
            action: AclAction::Allow,
            description: None,
        }
    }

    /// Set the ID matcher (exact match or "*" for any).
    pub fn id(mut self, id: impl Into<String>) -> Self {
        self.id = id.into();
        self
    }

    /// Set the role bitmask.
    pub fn role_mask(mut self, mask: u32) -> Self {
        self.role_mask = mask;
        self
    }

    /// Set a single role bit.
    pub fn role(mut self, role_id: u8) -> Self {
        self.role_mask = 1 << role_id;
        self
    }

    /// Add a role bit to the mask.
    pub fn add_role(mut self, role_id: u8) -> Self {
        self.role_mask |= 1 << role_id;
        self
    }

    /// Set the HTTP methods this rule applies to. Empty means all methods.
    pub fn methods(mut self, methods: Vec<Method>) -> Self {
        self.methods = methods;
        self
    }

    /// Add an HTTP method this rule applies to.
    pub fn method(mut self, method: Method) -> Self {
        self.methods.push(method);
        self
    }

    /// Set the time window.
    pub fn time(mut self, window: TimeWindow) -> Self {
        self.time = window;
        self
    }

    /// Set the IP matcher.
    pub fn ip(mut self, matcher: IpMatcher) -> Self {
        self.ip = matcher;
        self
    }

    /// Set the action.
    pub fn action(mut self, action: AclAction) -> Self {
        self.action = action;
        self
    }

    /// Set a description.
    pub fn description(mut self, desc: impl Into<String>) -> Self {
        self.description = Some(desc.into());
        self
    }

    /// Check if this filter matches the given context.
    ///
    /// Match order: id → roles → ip → time
    #[inline]
    pub fn matches(&self, ctx: &RequestContext) -> bool {
        // 1. ID match (exact or wildcard)
        (self.id == "*" || self.id == ctx.id)
            // 2. Role match (any bit overlap)
            && (self.role_mask & ctx.roles) != 0
            // 3. IP match
            && self.ip.matches(&ctx.ip)
            // 4. Time match
            && self.time.matches_now()
    }
}

impl Default for AclRuleFilter {
    fn default() -> Self {
        Self::new()
    }
}

impl RuleMatcher<BitmaskAuth> for AclRuleFilter {
    fn matches(&self, auth: &BitmaskAuth, meta: &RequestMeta) -> bool {
        (self.methods.is_empty() || self.methods.contains(&meta.method))
            && (self.id == "*" || self.id == auth.id)
            && (self.role_mask & auth.roles) != 0
            && self.ip.matches(&meta.ip)
            && self.time.matches_now()
    }

    fn action(&self) -> &AclAction {
        &self.action
    }

    fn description(&self) -> Option<&str> {
        self.description.as_deref()
    }
}

/// Time window specification for rule matching.
///
/// Defines a time range during which a rule is active.
/// Times are evaluated in UTC.
#[derive(Debug, Clone, Default)]
pub struct TimeWindow {
    /// Start time (inclusive). None means from midnight.
    pub start: Option<NaiveTime>,
    /// End time (inclusive). None means until midnight.
    pub end: Option<NaiveTime>,
    /// Days of the week when this window is active (0 = Monday, 6 = Sunday).
    /// Empty means all days.
    pub days: Vec<u32>,
}

impl TimeWindow {
    /// Create a time window that matches any time.
    pub fn any() -> Self {
        Self::default()
    }

    /// Create a time window for specific hours (24-hour format, UTC).
    ///
    /// # Example
    /// ```
    /// use axum_acl::TimeWindow;
    ///
    /// // Active from 9 AM to 5 PM UTC
    /// let window = TimeWindow::hours(9, 17);
    /// ```
    pub fn hours(start_hour: u32, end_hour: u32) -> Self {
        Self {
            start: Some(NaiveTime::from_hms_opt(start_hour, 0, 0).unwrap_or_default()),
            end: Some(NaiveTime::from_hms_opt(end_hour, 0, 0).unwrap_or_default()),
            days: Vec::new(),
        }
    }

    /// Create a time window for specific hours on specific days.
    ///
    /// # Arguments
    /// * `start_hour` - Start hour (0-23)
    /// * `end_hour` - End hour (0-23)
    /// * `days` - Days of week (0 = Monday, 6 = Sunday)
    ///
    /// # Example
    /// ```
    /// use axum_acl::TimeWindow;
    ///
    /// // Active Mon-Fri 9 AM to 5 PM UTC
    /// let window = TimeWindow::hours_on_days(9, 17, vec![0, 1, 2, 3, 4]);
    /// ```
    pub fn hours_on_days(start_hour: u32, end_hour: u32, days: Vec<u32>) -> Self {
        Self {
            start: Some(NaiveTime::from_hms_opt(start_hour, 0, 0).unwrap_or_default()),
            end: Some(NaiveTime::from_hms_opt(end_hour, 0, 0).unwrap_or_default()),
            days,
        }
    }

    /// Check if the current time falls within this window.
    pub fn matches_now(&self) -> bool {
        let now = Utc::now();
        let current_time = now.time();
        let current_day = now.weekday().num_days_from_monday();

        // Check day of week
        if !self.days.is_empty() && !self.days.contains(&current_day) {
            return false;
        }

        // Check time range
        match (&self.start, &self.end) {
            (Some(start), Some(end)) => {
                if start <= end {
                    // Normal range: 9:00 - 17:00
                    current_time >= *start && current_time <= *end
                } else {
                    // Overnight range: 22:00 - 06:00
                    current_time >= *start || current_time <= *end
                }
            }
            (Some(start), None) => current_time >= *start,
            (None, Some(end)) => current_time <= *end,
            (None, None) => true,
        }
    }
}

/// IP address specification for rule matching.
#[derive(Debug, Clone, Default)]
pub enum IpMatcher {
    /// Match any IP address.
    #[default]
    Any,
    /// Match a single IP address.
    Single(IpAddr),
    /// Match an IP network (CIDR notation).
    Network(IpNetwork),
    /// Match multiple IP addresses or networks.
    List(Vec<IpMatcher>),
}

impl IpMatcher {
    /// Create a matcher for any IP address.
    pub fn any() -> Self {
        Self::Any
    }

    /// Create a matcher for a single IP address.
    ///
    /// # Example
    /// ```
    /// use axum_acl::IpMatcher;
    /// use std::net::IpAddr;
    ///
    /// let matcher = IpMatcher::single("192.168.1.1".parse().unwrap());
    /// ```
    pub fn single(ip: IpAddr) -> Self {
        Self::Single(ip)
    }

    /// Create a matcher for a CIDR network.
    ///
    /// # Example
    /// ```
    /// use axum_acl::IpMatcher;
    ///
    /// let matcher = IpMatcher::cidr("192.168.1.0/24".parse().unwrap());
    /// ```
    pub fn cidr(network: IpNetwork) -> Self {
        Self::Network(network)
    }

    /// Parse an IP matcher from a string.
    ///
    /// Accepts:
    /// - `*` or `any` for any IP
    /// - A single IP address (e.g., `192.168.1.1`)
    /// - A CIDR network (e.g., `192.168.1.0/24`)
    ///
    /// # Example
    /// ```
    /// use axum_acl::IpMatcher;
    ///
    /// let any = IpMatcher::parse("*").unwrap();
    /// let single = IpMatcher::parse("10.0.0.1").unwrap();
    /// let network = IpMatcher::parse("10.0.0.0/8").unwrap();
    /// ```
    pub fn parse(s: &str) -> Result<Self, String> {
        let s = s.trim();
        if s == "*" || s.eq_ignore_ascii_case("any") {
            return Ok(Self::Any);
        }

        // Try as CIDR first
        if s.contains('/') {
            return s
                .parse::<IpNetwork>()
                .map(Self::Network)
                .map_err(|e| format!("Invalid CIDR: {}", e));
        }

        // Try as single IP
        s.parse::<IpAddr>()
            .map(Self::Single)
            .map_err(|e| format!("Invalid IP address: {}", e))
    }

    /// Check if an IP address matches this matcher.
    pub fn matches(&self, ip: &IpAddr) -> bool {
        match self {
            Self::Any => true,
            Self::Single(addr) => addr == ip,
            Self::Network(network) => network.contains(*ip),
            Self::List(matchers) => matchers.iter().any(|m| m.matches(ip)),
        }
    }
}

/// Endpoint pattern for rule matching.
///
/// Supports path parameters like `{id}` that match against the user's ID:
/// - `/api/boat/{id}` matches `/api/boat/boat-123` if user ID is "boat-123"
/// - `/api/user/{id}/**` matches any path under `/api/user/{user_id}/`
#[derive(Debug, Clone, Default)]
pub enum EndpointPattern {
    /// Match any endpoint.
    #[default]
    Any,
    /// Match an exact path.
    Exact(String),
    /// Match a path prefix (e.g., `/api/` matches `/api/users`).
    Prefix(String),
    /// Match using a glob pattern (e.g., `/api/*/users`).
    /// Also supports `{id}` to match against user ID.
    Glob(String),
}

impl EndpointPattern {
    /// Create a pattern that matches any endpoint.
    pub fn any() -> Self {
        Self::Any
    }

    /// Create a pattern for an exact path match.
    pub fn exact(path: impl Into<String>) -> Self {
        Self::Exact(path.into())
    }

    /// Create a pattern for a prefix match.
    pub fn prefix(path: impl Into<String>) -> Self {
        Self::Prefix(path.into())
    }

    /// Create a glob pattern.
    ///
    /// Supported wildcards:
    /// - `*` matches any single path segment
    /// - `**` matches any number of path segments
    pub fn glob(pattern: impl Into<String>) -> Self {
        Self::Glob(pattern.into())
    }

    /// Parse an endpoint pattern from a string.
    ///
    /// - `*` or `any` - matches any endpoint
    /// - Paths ending with `*` or `**` - glob pattern
    /// - Paths ending with `/` - prefix match
    /// - Other paths - exact match
    pub fn parse(s: &str) -> Self {
        let s = s.trim();
        if s == "*" || s.eq_ignore_ascii_case("any") {
            return Self::Any;
        }

        if s.contains('*') {
            return Self::Glob(s.to_string());
        }

        if s.ends_with('/') {
            return Self::Prefix(s.to_string());
        }

        Self::Exact(s.to_string())
    }

    /// Check if a path matches this pattern (without ID context).
    pub fn matches(&self, path: &str) -> bool {
        self.matches_with_id(path, None)
    }

    /// Check if a path matches this pattern with optional ID context.
    ///
    /// When `user_id` is provided, `{id}` in the pattern is matched against it.
    /// When `user_id` is None, `{id}` is treated like `*` (matches any segment).
    ///
    /// # Example
    /// ```
    /// use axum_acl::EndpointPattern;
    ///
    /// let pattern = EndpointPattern::glob("/api/boat/{id}/details");
    ///
    /// // With matching user ID
    /// assert!(pattern.matches_with_id("/api/boat/boat-123/details", Some("boat-123")));
    ///
    /// // With non-matching user ID
    /// assert!(!pattern.matches_with_id("/api/boat/boat-456/details", Some("boat-123")));
    ///
    /// // Without ID context, {id} matches any segment
    /// assert!(pattern.matches_with_id("/api/boat/anything/details", None));
    /// ```
    pub fn matches_with_id(&self, path: &str, user_id: Option<&str>) -> bool {
        match self {
            Self::Any => true,
            Self::Exact(p) => p == path,
            Self::Prefix(prefix) => path.starts_with(prefix),
            Self::Glob(pattern) => Self::glob_matches_with_id(pattern, path, user_id),
        }
    }

    fn glob_matches_with_id(pattern: &str, path: &str, user_id: Option<&str>) -> bool {
        let pattern_parts: Vec<&str> = pattern.split('/').filter(|s| !s.is_empty()).collect();
        let path_parts: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();

        Self::glob_match_parts_with_id(&pattern_parts, &path_parts, user_id)
    }

    fn glob_match_parts_with_id(pattern: &[&str], path: &[&str], user_id: Option<&str>) -> bool {
        if pattern.is_empty() {
            return path.is_empty();
        }

        let (first_pattern, rest_pattern) = (pattern[0], &pattern[1..]);

        if first_pattern == "**" {
            // ** matches zero or more segments
            if rest_pattern.is_empty() {
                return true;
            }
            // Try matching ** against 0, 1, 2, ... path segments
            for i in 0..=path.len() {
                if Self::glob_match_parts_with_id(rest_pattern, &path[i..], user_id) {
                    return true;
                }
            }
            false
        } else if path.is_empty() {
            false
        } else {
            let (first_path, rest_path) = (path[0], &path[1..]);

            // Check if this is an {id} parameter
            let segment_matches = if first_pattern == "{id}" {
                // Match against user ID if provided, otherwise treat as wildcard
                match user_id {
                    Some(id) => first_path == id,
                    None => true, // No ID context, treat as wildcard
                }
            } else if first_pattern.starts_with('{') && first_pattern.ends_with('}') {
                // Other path parameters like {user_id}, {boat_id} - treat as wildcards
                true
            } else {
                first_pattern == "*" || first_pattern == first_path
            };

            segment_matches && Self::glob_match_parts_with_id(rest_pattern, rest_path, user_id)
        }
    }

    /// Extract the value of `{id}` from a path given this pattern.
    ///
    /// Returns None if the pattern doesn't contain `{id}` or the path doesn't match.
    ///
    /// # Example
    /// ```
    /// use axum_acl::EndpointPattern;
    ///
    /// let pattern = EndpointPattern::glob("/api/boat/{id}/details");
    /// assert_eq!(pattern.extract_id("/api/boat/boat-123/details"), Some("boat-123".to_string()));
    /// assert_eq!(pattern.extract_id("/api/boat/xyz/details"), Some("xyz".to_string()));
    /// assert_eq!(pattern.extract_id("/api/wrong/path"), None);
    /// ```
    pub fn extract_id(&self, path: &str) -> Option<String> {
        match self {
            Self::Glob(pattern) => Self::extract_id_from_glob(pattern, path),
            _ => None,
        }
    }

    fn extract_id_from_glob(pattern: &str, path: &str) -> Option<String> {
        let pattern_parts: Vec<&str> = pattern.split('/').filter(|s| !s.is_empty()).collect();
        let path_parts: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();

        Self::extract_id_from_parts(&pattern_parts, &path_parts)
    }

    /// Extract all named path parameters from a path given this pattern.
    ///
    /// Returns a map of parameter names to their values.
    ///
    /// # Example
    /// ```
    /// use axum_acl::EndpointPattern;
    ///
    /// let pattern = EndpointPattern::glob("/api/{resource}/{id}");
    /// let params = pattern.extract_named_params("/api/boat/123");
    /// assert_eq!(params.get("resource").map(|s| s.as_str()), Some("boat"));
    /// assert_eq!(params.get("id").map(|s| s.as_str()), Some("123"));
    /// ```
    pub fn extract_named_params(&self, path: &str) -> HashMap<String, String> {
        match self {
            Self::Glob(pattern) => {
                let pattern_parts: Vec<&str> =
                    pattern.split('/').filter(|s| !s.is_empty()).collect();
                let path_parts: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();
                let mut params = HashMap::new();
                Self::collect_named_params(&pattern_parts, &path_parts, &mut params);
                params
            }
            _ => HashMap::new(),
        }
    }

    fn collect_named_params<'a>(
        pattern: &[&str],
        path: &[&'a str],
        params: &mut HashMap<String, String>,
    ) {
        let mut pi = 0;
        let mut qi = 0;
        while pi < pattern.len() && qi < path.len() {
            let seg = pattern[pi];
            if seg == "**" {
                if pi + 1 >= pattern.len() {
                    return;
                }
                // skip ahead in path until remaining pattern matches
                for skip in qi..=path.len() {
                    let mut trial = HashMap::new();
                    Self::collect_named_params(&pattern[pi + 1..], &path[skip..], &mut trial);
                    if !trial.is_empty() || (pi + 1 == pattern.len() - 1 && skip < path.len()) {
                        params.extend(trial);
                        return;
                    }
                }
                return;
            }
            if seg.starts_with('{') && seg.ends_with('}') {
                let name = &seg[1..seg.len() - 1];
                params.insert(name.to_string(), path[qi].to_string());
            }
            pi += 1;
            qi += 1;
        }
    }

    fn extract_id_from_parts(pattern: &[&str], path: &[&str]) -> Option<String> {
        if pattern.is_empty() || path.is_empty() {
            return None;
        }

        for (i, &p) in pattern.iter().enumerate() {
            if p == "{id}" {
                if i < path.len() {
                    return Some(path[i].to_string());
                }
                return None;
            }
            if p == "**" {
                // Can't reliably extract after **
                continue;
            }
            if i >= path.len() {
                return None;
            }
            // Check if pattern segment matches (for non-{id} segments)
            if p != "*" && p != path[i] && !p.starts_with('{') {
                return None;
            }
        }
        None
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_ip_matcher_single() {
        let ip: IpAddr = "192.168.1.1".parse().unwrap();
        let matcher = IpMatcher::single(ip);
        assert!(matcher.matches(&ip));
        assert!(!matcher.matches(&"192.168.1.2".parse().unwrap()));
    }

    #[test]
    fn test_ip_matcher_cidr() {
        let matcher = IpMatcher::cidr("192.168.1.0/24".parse().unwrap());
        assert!(matcher.matches(&"192.168.1.1".parse().unwrap()));
        assert!(matcher.matches(&"192.168.1.255".parse().unwrap()));
        assert!(!matcher.matches(&"192.168.2.1".parse().unwrap()));
    }

    #[test]
    fn test_endpoint_exact() {
        let pattern = EndpointPattern::exact("/api/users");
        assert!(pattern.matches("/api/users"));
        assert!(!pattern.matches("/api/users/"));
        assert!(!pattern.matches("/api/users/1"));
    }

    #[test]
    fn test_endpoint_prefix() {
        let pattern = EndpointPattern::prefix("/api/");
        assert!(pattern.matches("/api/users"));
        assert!(pattern.matches("/api/users/1"));
        assert!(!pattern.matches("/admin/users"));
    }

    #[test]
    fn test_endpoint_glob() {
        let pattern = EndpointPattern::glob("/api/*/users");
        assert!(pattern.matches("/api/v1/users"));
        assert!(pattern.matches("/api/v2/users"));
        assert!(!pattern.matches("/api/v1/posts"));

        let pattern = EndpointPattern::glob("/api/**");
        assert!(pattern.matches("/api/users"));
        assert!(pattern.matches("/api/v1/users/1"));
    }

    #[test]
    fn test_endpoint_glob_with_id() {
        let pattern = EndpointPattern::glob("/api/boat/{id}/details");

        // Without ID context, {id} matches any segment
        assert!(pattern.matches("/api/boat/boat-123/details"));
        assert!(pattern.matches("/api/boat/anything/details"));

        // With matching user ID
        assert!(pattern.matches_with_id("/api/boat/boat-123/details", Some("boat-123")));

        // With non-matching user ID
        assert!(!pattern.matches_with_id("/api/boat/boat-456/details", Some("boat-123")));

        // More complex pattern
        let pattern = EndpointPattern::glob("/api/user/{id}/**");
        assert!(pattern.matches_with_id("/api/user/user-1/profile", Some("user-1")));
        assert!(pattern.matches_with_id("/api/user/user-1/boats/123", Some("user-1")));
        assert!(!pattern.matches_with_id("/api/user/user-2/profile", Some("user-1")));
    }

    #[test]
    fn test_extract_id_from_path() {
        let pattern = EndpointPattern::glob("/api/boat/{id}/details");
        assert_eq!(pattern.extract_id("/api/boat/boat-123/details"), Some("boat-123".to_string()));
        assert_eq!(pattern.extract_id("/api/boat/xyz/details"), Some("xyz".to_string()));
        assert_eq!(pattern.extract_id("/api/wrong/path"), None);

        let pattern = EndpointPattern::glob("/users/{id}");
        assert_eq!(pattern.extract_id("/users/123"), Some("123".to_string()));
        assert_eq!(pattern.extract_id("/users/"), None);
    }

    #[test]
    fn test_filter_matches() {
        let filter = AclRuleFilter::new()
            .role_mask(0b001)  // admin role
            .ip(IpMatcher::any());

        let ip: IpAddr = "10.0.0.1".parse().unwrap();

        // Admin matches
        let ctx = RequestContext::new(0b001, ip, "*");
        assert!(filter.matches(&ctx));

        // User (0b010) doesn't match admin filter (0b001)
        let ctx = RequestContext::new(0b010, ip, "*");
        assert!(!filter.matches(&ctx));

        // Admin + User (0b011) matches because admin bit is set
        let ctx = RequestContext::new(0b011, ip, "*");
        assert!(filter.matches(&ctx));
    }

    #[test]
    fn test_filter_id_match() {
        let filter = AclRuleFilter::new()
            .id("user123")
            .role_mask(u32::MAX);

        let ip: IpAddr = "10.0.0.1".parse().unwrap();

        // Exact ID match
        let ctx = RequestContext::new(0b1, ip, "user123");
        assert!(filter.matches(&ctx));

        // Different ID doesn't match
        let ctx = RequestContext::new(0b1, ip, "user456");
        assert!(!filter.matches(&ctx));
    }

    #[test]
    fn test_filter_wildcard_id() {
        let filter = AclRuleFilter::new()
            .id("*")
            .role_mask(u32::MAX);

        let ip: IpAddr = "10.0.0.1".parse().unwrap();

        // Wildcard matches any ID
        let ctx = RequestContext::new(0b1, ip, "anyone");
        assert!(filter.matches(&ctx));
    }

    #[test]
    fn test_extract_named_params() {
        let pattern = EndpointPattern::glob("/api/{resource}/{id}/details");
        let params = pattern.extract_named_params("/api/boat/123/details");
        assert_eq!(params.get("resource").map(|s| s.as_str()), Some("boat"));
        assert_eq!(params.get("id").map(|s| s.as_str()), Some("123"));

        let pattern = EndpointPattern::glob("/api/groups/{group_id}/factions/{faction_id}");
        let params = pattern.extract_named_params("/api/groups/abc-123/factions/def-456");
        assert_eq!(params.get("group_id").map(|s| s.as_str()), Some("abc-123"));
        assert_eq!(params.get("faction_id").map(|s| s.as_str()), Some("def-456"));

        // Non-glob returns empty
        let pattern = EndpointPattern::exact("/api/users");
        let params = pattern.extract_named_params("/api/users");
        assert!(params.is_empty());
    }

    #[test]
    fn test_rule_matcher_bitmask_auth() {
        let filter = AclRuleFilter::new()
            .role_mask(0b001)
            .action(AclAction::Allow);

        let ip: IpAddr = "10.0.0.1".parse().unwrap();
        let meta = RequestMeta {
            method: Method::GET,
            path: "/api/users".to_string(),
            path_params: HashMap::new(),
            ip,
        };

        let auth = BitmaskAuth { roles: 0b001, id: "*".to_string() };
        assert!(RuleMatcher::matches(&filter, &auth, &meta));

        let auth = BitmaskAuth { roles: 0b010, id: "*".to_string() };
        assert!(!RuleMatcher::matches(&filter, &auth, &meta));
    }

    #[test]
    fn test_rule_matcher_method_filtering() {
        let filter = AclRuleFilter::new()
            .role_mask(u32::MAX)
            .method(Method::POST)
            .action(AclAction::Allow);

        let ip: IpAddr = "10.0.0.1".parse().unwrap();
        let auth = BitmaskAuth { roles: 0b1, id: "*".to_string() };

        let meta_post = RequestMeta {
            method: Method::POST,
            path: "/api/users".to_string(),
            path_params: HashMap::new(),
            ip,
        };
        assert!(RuleMatcher::matches(&filter, &auth, &meta_post));

        let meta_get = RequestMeta {
            method: Method::GET,
            path: "/api/users".to_string(),
            path_params: HashMap::new(),
            ip,
        };
        assert!(!RuleMatcher::matches(&filter, &auth, &meta_get));

        // Empty methods = all methods
        let filter_any = AclRuleFilter::new()
            .role_mask(u32::MAX)
            .action(AclAction::Allow);
        assert!(RuleMatcher::matches(&filter_any, &auth, &meta_get));
        assert!(RuleMatcher::matches(&filter_any, &auth, &meta_post));
    }
}