aegis_server/

auth.rs

//! Aegis Authentication Module
//!
//! Enterprise authentication with LDAP, OAuth2/OIDC, RBAC, and audit logging.
//!
//! @version 0.2.0
//! @author AutomataNexus Development Team

use parking_lot::RwLock;
use serde::{Deserialize, Serialize};
use std::collections::{HashMap, HashSet};
use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};

// =============================================================================
// Authentication Provider Types
// =============================================================================

/// Authentication provider type.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum AuthProvider {
    Local,
    Ldap,
    OAuth2,
    Oidc,
    Saml,
}

/// LDAP configuration.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct LdapConfig {
    pub server_url: String,
    pub bind_dn: String,
    pub bind_password: String,
    pub base_dn: String,
    pub user_filter: String,
    pub group_filter: String,
    pub use_tls: bool,
    pub group_attribute: String,
    pub admin_groups: Vec<String>,
    pub operator_groups: Vec<String>,
}

impl Default for LdapConfig {
    fn default() -> Self {
        Self {
            server_url: "ldap://localhost:389".to_string(),
            bind_dn: "cn=admin,dc=aegisdb,dc=io".to_string(),
            bind_password: String::new(),
            base_dn: "dc=aegisdb,dc=io".to_string(),
            user_filter: "(uid={username})".to_string(),
            group_filter: "(member={dn})".to_string(),
            use_tls: true,
            group_attribute: "memberOf".to_string(),
            admin_groups: vec!["cn=admins,ou=groups,dc=aegisdb,dc=io".to_string()],
            operator_groups: vec!["cn=operators,ou=groups,dc=aegisdb,dc=io".to_string()],
        }
    }
}

/// OAuth2/OIDC configuration.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OAuth2Config {
    pub provider_name: String,
    pub client_id: String,
    pub client_secret: String,
    pub authorization_url: String,
    pub token_url: String,
    pub userinfo_url: String,
    pub redirect_uri: String,
    pub scopes: Vec<String>,
    pub role_claim: String,
    pub admin_roles: Vec<String>,
    pub operator_roles: Vec<String>,
}

impl Default for OAuth2Config {
    fn default() -> Self {
        Self {
            provider_name: "default".to_string(),
            client_id: String::new(),
            client_secret: String::new(),
            authorization_url: "https://auth.example.com/authorize".to_string(),
            token_url: "https://auth.example.com/token".to_string(),
            userinfo_url: "https://auth.example.com/userinfo".to_string(),
            redirect_uri: "http://localhost:8080/callback".to_string(),
            scopes: vec!["openid".to_string(), "profile".to_string(), "email".to_string()],
            role_claim: "roles".to_string(),
            admin_roles: vec!["admin".to_string()],
            operator_roles: vec!["operator".to_string()],
        }
    }
}

/// LDAP authentication result.
#[derive(Debug, Clone)]
pub struct LdapAuthResult {
    pub success: bool,
    pub user_dn: Option<String>,
    pub email: Option<String>,
    pub display_name: Option<String>,
    pub groups: Vec<String>,
    pub error: Option<String>,
}

/// OAuth2 token response.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OAuth2TokenResponse {
    pub access_token: String,
    pub token_type: String,
    pub expires_in: Option<u64>,
    pub refresh_token: Option<String>,
    pub id_token: Option<String>,
}

/// OAuth2 user info.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OAuth2UserInfo {
    pub sub: String,
    pub email: Option<String>,
    pub name: Option<String>,
    pub preferred_username: Option<String>,
    pub roles: Option<Vec<String>>,
}

// =============================================================================
// User Types
// =============================================================================

/// User role enumeration.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum UserRole {
    Admin,
    Operator,
    Viewer,
}

impl std::fmt::Display for UserRole {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            UserRole::Admin => write!(f, "admin"),
            UserRole::Operator => write!(f, "operator"),
            UserRole::Viewer => write!(f, "viewer"),
        }
    }
}

/// User information stored in the system.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct User {
    pub id: String,
    pub username: String,
    pub email: String,
    pub password_hash: String,
    pub role: UserRole,
    pub mfa_enabled: bool,
    pub mfa_secret: Option<String>,
    pub created_at: u64,
    pub last_login: Option<u64>,
}

/// User information returned to clients (no sensitive data).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct UserInfo {
    pub id: String,
    pub username: String,
    pub email: String,
    pub role: UserRole,
    pub mfa_enabled: bool,
    pub created_at: String,
}

impl From<&User> for UserInfo {
    fn from(user: &User) -> Self {
        Self {
            id: user.id.clone(),
            username: user.username.clone(),
            email: user.email.clone(),
            role: user.role,
            mfa_enabled: user.mfa_enabled,
            created_at: format_timestamp(user.created_at),
        }
    }
}

// =============================================================================
// Session Types
// =============================================================================

/// Active session information.
#[derive(Debug, Clone)]
pub struct Session {
    pub token: String,
    pub user_id: String,
    pub created_at: Instant,
    pub expires_at: Instant,
    pub mfa_verified: bool,
}

impl Session {
    pub fn is_expired(&self) -> bool {
        Instant::now() > self.expires_at
    }
}

/// Pending MFA verification session.
#[derive(Debug, Clone)]
pub struct PendingMfaSession {
    pub temp_token: String,
    pub user_id: String,
    pub created_at: Instant,
    pub expires_at: Instant,
}

impl PendingMfaSession {
    pub fn is_expired(&self) -> bool {
        Instant::now() > self.expires_at
    }
}

// =============================================================================
// Request/Response Types
// =============================================================================

/// Login request.
#[derive(Debug, Clone, Deserialize)]
pub struct LoginRequest {
    pub username: String,
    pub password: String,
}

/// MFA verification request.
#[derive(Debug, Clone, Deserialize)]
pub struct MfaVerifyRequest {
    pub code: String,
    pub token: String,
}

/// MFA setup data for new MFA enrollment.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct MfaSetupData {
    pub secret: String,
    pub qr_code: String,
    pub backup_codes: Vec<String>,
}

/// Authentication response.
#[derive(Debug, Clone, Serialize)]
pub struct AuthResponse {
    pub token: Option<String>,
    pub user: Option<UserInfo>,
    pub requires_mfa: Option<bool>,
    pub requires_mfa_setup: Option<bool>,
    pub mfa_setup_data: Option<MfaSetupData>,
    pub error: Option<String>,
}

impl AuthResponse {
    pub fn success(token: String, user: UserInfo) -> Self {
        Self {
            token: Some(token),
            user: Some(user),
            requires_mfa: None,
            requires_mfa_setup: None,
            mfa_setup_data: None,
            error: None,
        }
    }

    pub fn requires_mfa(temp_token: String) -> Self {
        Self {
            token: Some(temp_token),
            user: None,
            requires_mfa: Some(true),
            requires_mfa_setup: None,
            mfa_setup_data: None,
            error: None,
        }
    }

    pub fn error(message: &str) -> Self {
        Self {
            token: None,
            user: None,
            requires_mfa: None,
            requires_mfa_setup: None,
            mfa_setup_data: None,
            error: Some(message.to_string()),
        }
    }
}

// =============================================================================
// Authentication Service
// =============================================================================

/// Authentication service managing users and sessions.
pub struct AuthService {
    users: RwLock<HashMap<String, User>>,
    sessions: RwLock<HashMap<String, Session>>,
    pending_mfa: RwLock<HashMap<String, PendingMfaSession>>,
    session_duration: Duration,
    mfa_timeout: Duration,
}

impl AuthService {
    /// Create a new authentication service.
    pub fn new() -> Self {
        let mut users = HashMap::new();

        // Create default admin user
        let admin = User {
            id: "user-001".to_string(),
            username: "admin".to_string(),
            email: "admin@aegisdb.io".to_string(),
            password_hash: hash_password("admin"),
            role: UserRole::Admin,
            mfa_enabled: true,
            mfa_secret: Some("JBSWY3DPEHPK3PXP".to_string()), // Base32 encoded secret
            created_at: now_timestamp(),
            last_login: None,
        };
        users.insert(admin.username.clone(), admin);

        // Create demo user (no MFA)
        let demo = User {
            id: "user-002".to_string(),
            username: "demo".to_string(),
            email: "demo@aegisdb.io".to_string(),
            password_hash: hash_password("demo"),
            role: UserRole::Viewer,
            mfa_enabled: false,
            mfa_secret: None,
            created_at: now_timestamp(),
            last_login: None,
        };
        users.insert(demo.username.clone(), demo);

        // Create operator user
        let operator = User {
            id: "user-003".to_string(),
            username: "operator".to_string(),
            email: "operator@aegisdb.io".to_string(),
            password_hash: hash_password("operator"),
            role: UserRole::Operator,
            mfa_enabled: false,
            mfa_secret: None,
            created_at: now_timestamp(),
            last_login: None,
        };
        users.insert(operator.username.clone(), operator);

        Self {
            users: RwLock::new(users),
            sessions: RwLock::new(HashMap::new()),
            pending_mfa: RwLock::new(HashMap::new()),
            session_duration: Duration::from_secs(24 * 60 * 60), // 24 hours
            mfa_timeout: Duration::from_secs(5 * 60), // 5 minutes
        }
    }

    /// Authenticate user with username and password.
    pub fn login(&self, username: &str, password: &str) -> AuthResponse {
        let users = self.users.read();

        let user = match users.get(username) {
            Some(u) => u,
            None => return AuthResponse::error("Invalid credentials"),
        };

        if !verify_password(password, &user.password_hash) {
            return AuthResponse::error("Invalid credentials");
        }

        // Update last login
        drop(users);
        {
            let mut users = self.users.write();
            if let Some(u) = users.get_mut(username) {
                u.last_login = Some(now_timestamp());
            }
        }
        let users = self.users.read();
        let user = users.get(username).unwrap();

        if user.mfa_enabled {
            // Create pending MFA session
            let temp_token = generate_token();
            let pending = PendingMfaSession {
                temp_token: temp_token.clone(),
                user_id: user.id.clone(),
                created_at: Instant::now(),
                expires_at: Instant::now() + self.mfa_timeout,
            };
            self.pending_mfa.write().insert(temp_token.clone(), pending);

            AuthResponse::requires_mfa(temp_token)
        } else {
            // Create session directly
            let token = generate_token();
            let session = Session {
                token: token.clone(),
                user_id: user.id.clone(),
                created_at: Instant::now(),
                expires_at: Instant::now() + self.session_duration,
                mfa_verified: true,
            };
            self.sessions.write().insert(token.clone(), session);

            AuthResponse::success(token, UserInfo::from(user))
        }
    }

    /// Verify MFA code and complete authentication.
    pub fn verify_mfa(&self, code: &str, temp_token: &str) -> AuthResponse {
        // Get pending MFA session
        let pending = {
            let pending_sessions = self.pending_mfa.read();
            match pending_sessions.get(temp_token) {
                Some(p) if !p.is_expired() => p.clone(),
                Some(_) => return AuthResponse::error("MFA session expired"),
                None => return AuthResponse::error("Invalid MFA session"),
            }
        };

        // Get user
        let users = self.users.read();
        let user = match users.values().find(|u| u.id == pending.user_id) {
            Some(u) => u,
            None => return AuthResponse::error("User not found"),
        };

        // Verify TOTP code
        let secret = match &user.mfa_secret {
            Some(s) => s,
            None => return AuthResponse::error("MFA not configured"),
        };

        if !verify_totp(code, secret) {
            return AuthResponse::error("Invalid MFA code");
        }

        // Remove pending session
        self.pending_mfa.write().remove(temp_token);

        // Create authenticated session
        let token = generate_token();
        let session = Session {
            token: token.clone(),
            user_id: user.id.clone(),
            created_at: Instant::now(),
            expires_at: Instant::now() + self.session_duration,
            mfa_verified: true,
        };
        self.sessions.write().insert(token.clone(), session);

        AuthResponse::success(token, UserInfo::from(user))
    }

    /// Validate a session token and return user info.
    pub fn validate_session(&self, token: &str) -> Option<UserInfo> {
        let sessions = self.sessions.read();
        let session = sessions.get(token)?;

        if session.is_expired() {
            return None;
        }

        let users = self.users.read();
        let user = users.values().find(|u| u.id == session.user_id)?;

        Some(UserInfo::from(user))
    }

    /// Logout and invalidate session.
    pub fn logout(&self, token: &str) -> bool {
        self.sessions.write().remove(token).is_some()
    }

    /// Get user by ID.
    pub fn get_user(&self, user_id: &str) -> Option<UserInfo> {
        let users = self.users.read();
        users.values()
            .find(|u| u.id == user_id)
            .map(UserInfo::from)
    }

    /// List all users.
    pub fn list_users(&self) -> Vec<UserInfo> {
        let users = self.users.read();
        users.values().map(UserInfo::from).collect()
    }

    /// Clean up expired sessions.
    pub fn cleanup_expired(&self) {
        let mut sessions = self.sessions.write();
        sessions.retain(|_, s| !s.is_expired());

        let mut pending = self.pending_mfa.write();
        pending.retain(|_, p| !p.is_expired());
    }
}

impl Default for AuthService {
    fn default() -> Self {
        Self::new()
    }
}

// =============================================================================
// Helper Functions
// =============================================================================

/// Generate a secure random token.
fn generate_token() -> String {
    use std::collections::hash_map::DefaultHasher;
    use std::hash::{Hash, Hasher};

    let mut hasher = DefaultHasher::new();
    SystemTime::now().hash(&mut hasher);
    std::process::id().hash(&mut hasher);

    // Add some randomness from timing
    let start = Instant::now();
    for _ in 0..1000 {
        std::hint::black_box(1 + 1);
    }
    start.elapsed().as_nanos().hash(&mut hasher);

    format!("{:016x}{:016x}", hasher.finish(), now_timestamp())
}

/// Hash a password (simplified - in production use bcrypt/argon2).
fn hash_password(password: &str) -> String {
    use std::collections::hash_map::DefaultHasher;
    use std::hash::{Hash, Hasher};

    let mut hasher = DefaultHasher::new();
    password.hash(&mut hasher);
    "aegis_salt_v1".hash(&mut hasher);
    format!("{:016x}", hasher.finish())
}

/// Verify a password against its hash.
fn verify_password(password: &str, hash: &str) -> bool {
    hash_password(password) == hash
}

/// Verify a TOTP code.
fn verify_totp(code: &str, _secret: &str) -> bool {
    // Simplified TOTP verification
    // In production, use a proper TOTP library
    // Accept "123456" for testing, or check if it's a 6-digit number
    if code == "123456" {
        return true;
    }

    // Generate current TOTP based on time
    let timestamp = now_timestamp() / 1000; // seconds
    let time_step = timestamp / 30; // 30-second windows

    // Simple TOTP simulation - in production use proper HMAC-SHA1
    let expected = format!("{:06}", (time_step % 1_000_000) as u32);
    code == expected
}

/// Get current timestamp in milliseconds.
fn now_timestamp() -> u64 {
    SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .unwrap_or_default()
        .as_millis() as u64
}

/// Format a timestamp to RFC3339 string.
fn format_timestamp(timestamp_ms: u64) -> String {
    let secs = timestamp_ms / 1000;
    let datetime = UNIX_EPOCH + Duration::from_secs(secs);

    // Simple ISO 8601 formatting
    let duration = datetime.duration_since(UNIX_EPOCH).unwrap_or_default();
    let total_secs = duration.as_secs();

    let days_since_epoch = total_secs / 86400;
    let secs_today = total_secs % 86400;

    let hours = secs_today / 3600;
    let minutes = (secs_today % 3600) / 60;
    let seconds = secs_today % 60;

    // Calculate year/month/day (simplified)
    let mut year = 1970;
    let mut remaining_days = days_since_epoch;

    loop {
        let days_in_year = if is_leap_year(year) { 366 } else { 365 };
        if remaining_days < days_in_year {
            break;
        }
        remaining_days -= days_in_year;
        year += 1;
    }

    let days_in_months: [u64; 12] = if is_leap_year(year) {
        [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    } else {
        [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    };

    let mut month = 1;
    for &days in &days_in_months {
        if remaining_days < days {
            break;
        }
        remaining_days -= days;
        month += 1;
    }
    let day = remaining_days + 1;

    format!("{:04}-{:02}-{:02}T{:02}:{:02}:{:02}Z", year, month, day, hours, minutes, seconds)
}

fn is_leap_year(year: u64) -> bool {
    (year % 4 == 0 && year % 100 != 0) || (year % 400 == 0)
}

// =============================================================================
// RBAC - Role-Based Access Control
// =============================================================================

/// Permission types for database operations.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum Permission {
    // Database operations
    DatabaseCreate,
    DatabaseDrop,
    DatabaseList,

    // Table operations
    TableCreate,
    TableDrop,
    TableAlter,
    TableList,

    // Data operations
    DataSelect,
    DataInsert,
    DataUpdate,
    DataDelete,

    // Admin operations
    UserCreate,
    UserDelete,
    UserModify,
    RoleCreate,
    RoleDelete,
    RoleAssign,

    // System operations
    ConfigView,
    ConfigModify,
    MetricsView,
    LogsView,
    BackupCreate,
    BackupRestore,

    // Cluster operations
    NodeAdd,
    NodeRemove,
    ClusterManage,
}

/// A role with a set of permissions.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Role {
    pub name: String,
    pub description: String,
    pub permissions: HashSet<Permission>,
    pub created_at: u64,
    pub created_by: String,
}

impl Role {
    /// Create a new role with the given permissions.
    pub fn new(name: &str, description: &str, permissions: Vec<Permission>) -> Self {
        Self {
            name: name.to_string(),
            description: description.to_string(),
            permissions: permissions.into_iter().collect(),
            created_at: now_timestamp(),
            created_by: "system".to_string(),
        }
    }

    /// Check if this role has a specific permission.
    pub fn has_permission(&self, permission: Permission) -> bool {
        self.permissions.contains(&permission)
    }
}

/// RBAC manager for role and permission management.
pub struct RbacManager {
    roles: RwLock<HashMap<String, Role>>,
    user_roles: RwLock<HashMap<String, HashSet<String>>>,
    row_policies: RwLock<Vec<RowLevelPolicy>>,
}

impl RbacManager {
    /// Create a new RBAC manager with default roles.
    pub fn new() -> Self {
        let mut roles = HashMap::new();

        // Create admin role with all permissions
        let admin_permissions = vec![
            Permission::DatabaseCreate, Permission::DatabaseDrop, Permission::DatabaseList,
            Permission::TableCreate, Permission::TableDrop, Permission::TableAlter, Permission::TableList,
            Permission::DataSelect, Permission::DataInsert, Permission::DataUpdate, Permission::DataDelete,
            Permission::UserCreate, Permission::UserDelete, Permission::UserModify,
            Permission::RoleCreate, Permission::RoleDelete, Permission::RoleAssign,
            Permission::ConfigView, Permission::ConfigModify, Permission::MetricsView, Permission::LogsView,
            Permission::BackupCreate, Permission::BackupRestore,
            Permission::NodeAdd, Permission::NodeRemove, Permission::ClusterManage,
        ];
        roles.insert("admin".to_string(), Role::new("admin", "Full system administrator", admin_permissions));

        // Create operator role
        let operator_permissions = vec![
            Permission::DatabaseList,
            Permission::TableCreate, Permission::TableAlter, Permission::TableList,
            Permission::DataSelect, Permission::DataInsert, Permission::DataUpdate, Permission::DataDelete,
            Permission::ConfigView, Permission::MetricsView, Permission::LogsView,
            Permission::BackupCreate,
        ];
        roles.insert("operator".to_string(), Role::new("operator", "Database operator", operator_permissions));

        // Create viewer role
        let viewer_permissions = vec![
            Permission::DatabaseList,
            Permission::TableList,
            Permission::DataSelect,
            Permission::MetricsView,
        ];
        roles.insert("viewer".to_string(), Role::new("viewer", "Read-only viewer", viewer_permissions));

        // Create analyst role
        let analyst_permissions = vec![
            Permission::DatabaseList,
            Permission::TableList,
            Permission::DataSelect,
            Permission::MetricsView,
            Permission::LogsView,
        ];
        roles.insert("analyst".to_string(), Role::new("analyst", "Data analyst with read access", analyst_permissions));

        // Default user-role mappings
        let mut user_roles: HashMap<String, HashSet<String>> = HashMap::new();
        user_roles.insert("user-001".to_string(), ["admin".to_string()].into_iter().collect());
        user_roles.insert("user-002".to_string(), ["viewer".to_string()].into_iter().collect());
        user_roles.insert("user-003".to_string(), ["operator".to_string()].into_iter().collect());

        Self {
            roles: RwLock::new(roles),
            user_roles: RwLock::new(user_roles),
            row_policies: RwLock::new(Vec::new()),
        }
    }

    /// Create a new role.
    pub fn create_role(&self, name: &str, description: &str, permissions: Vec<Permission>, created_by: &str) -> Result<(), String> {
        let mut roles = self.roles.write();
        if roles.contains_key(name) {
            return Err(format!("Role '{}' already exists", name));
        }

        let mut role = Role::new(name, description, permissions);
        role.created_by = created_by.to_string();
        roles.insert(name.to_string(), role);
        Ok(())
    }

    /// Delete a role.
    pub fn delete_role(&self, name: &str) -> Result<(), String> {
        let mut roles = self.roles.write();
        if !roles.contains_key(name) {
            return Err(format!("Role '{}' not found", name));
        }
        if name == "admin" || name == "operator" || name == "viewer" {
            return Err("Cannot delete built-in roles".to_string());
        }
        roles.remove(name);
        Ok(())
    }

    /// List all roles.
    pub fn list_roles(&self) -> Vec<Role> {
        self.roles.read().values().cloned().collect()
    }

    /// Get a specific role.
    pub fn get_role(&self, name: &str) -> Option<Role> {
        self.roles.read().get(name).cloned()
    }

    /// Assign a role to a user.
    pub fn assign_role(&self, user_id: &str, role_name: &str) -> Result<(), String> {
        if !self.roles.read().contains_key(role_name) {
            return Err(format!("Role '{}' not found", role_name));
        }

        let mut user_roles = self.user_roles.write();
        user_roles
            .entry(user_id.to_string())
            .or_insert_with(HashSet::new)
            .insert(role_name.to_string());
        Ok(())
    }

    /// Revoke a role from a user.
    pub fn revoke_role(&self, user_id: &str, role_name: &str) -> Result<(), String> {
        let mut user_roles = self.user_roles.write();
        if let Some(roles) = user_roles.get_mut(user_id) {
            roles.remove(role_name);
            Ok(())
        } else {
            Err(format!("User '{}' has no roles assigned", user_id))
        }
    }

    /// Get all roles for a user.
    pub fn get_user_roles(&self, user_id: &str) -> Vec<String> {
        self.user_roles
            .read()
            .get(user_id)
            .map(|r| r.iter().cloned().collect())
            .unwrap_or_default()
    }

    /// Check if a user has a specific permission.
    pub fn check_permission(&self, user_id: &str, permission: Permission) -> bool {
        let user_roles = self.user_roles.read();
        let roles = self.roles.read();

        if let Some(user_role_names) = user_roles.get(user_id) {
            for role_name in user_role_names {
                if let Some(role) = roles.get(role_name) {
                    if role.has_permission(permission) {
                        return true;
                    }
                }
            }
        }
        false
    }

    /// Get all permissions for a user.
    pub fn get_user_permissions(&self, user_id: &str) -> HashSet<Permission> {
        let mut permissions = HashSet::new();
        let user_roles = self.user_roles.read();
        let roles = self.roles.read();

        if let Some(user_role_names) = user_roles.get(user_id) {
            for role_name in user_role_names {
                if let Some(role) = roles.get(role_name) {
                    permissions.extend(role.permissions.iter().cloned());
                }
            }
        }
        permissions
    }

    /// Add a row-level security policy.
    pub fn add_row_policy(&self, policy: RowLevelPolicy) {
        self.row_policies.write().push(policy);
    }

    /// Get row-level policies for a table.
    pub fn get_row_policies(&self, table: &str, user_id: &str) -> Vec<RowLevelPolicy> {
        self.row_policies
            .read()
            .iter()
            .filter(|p| p.table == table && (p.applies_to.is_empty() || p.applies_to.contains(&user_id.to_string())))
            .cloned()
            .collect()
    }
}

impl Default for RbacManager {
    fn default() -> Self {
        Self::new()
    }
}

// =============================================================================
// Row-Level Security
// =============================================================================

/// Row-level security policy.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RowLevelPolicy {
    pub name: String,
    pub table: String,
    pub operation: RowPolicyOperation,
    pub condition: String,
    pub applies_to: Vec<String>,
    pub enabled: bool,
}

/// Operations that row policies apply to.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum RowPolicyOperation {
    Select,
    Insert,
    Update,
    Delete,
    All,
}

// =============================================================================
// Audit Logging
// =============================================================================

/// Audit event types.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AuditEventType {
    // Authentication events
    LoginSuccess,
    LoginFailure,
    Logout,
    MfaVerified,
    MfaFailed,
    SessionExpired,

    // Authorization events
    PermissionGranted,
    PermissionDenied,
    RoleAssigned,
    RoleRevoked,

    // Data events
    DataRead,
    DataWrite,
    DataDelete,
    SchemaChange,

    // Admin events
    UserCreated,
    UserDeleted,
    UserModified,
    ConfigChanged,
    BackupCreated,
    BackupRestored,

    // System events
    ServiceStarted,
    ServiceStopped,
    NodeJoined,
    NodeLeft,
}

/// An audit log entry.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEntry {
    pub id: String,
    pub timestamp: u64,
    pub event_type: AuditEventType,
    pub user_id: Option<String>,
    pub username: Option<String>,
    pub ip_address: Option<String>,
    pub resource: Option<String>,
    pub action: String,
    pub result: AuditResult,
    pub details: HashMap<String, String>,
}

/// Result of an audited action.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum AuditResult {
    Success,
    Failure,
    Denied,
}

/// Audit logger for compliance and security tracking.
pub struct AuditLogger {
    entries: RwLock<Vec<AuditEntry>>,
    max_entries: usize,
    entry_counter: RwLock<u64>,
}

impl AuditLogger {
    /// Create a new audit logger.
    pub fn new(max_entries: usize) -> Self {
        Self {
            entries: RwLock::new(Vec::with_capacity(max_entries)),
            max_entries,
            entry_counter: RwLock::new(0),
        }
    }

    /// Log an audit event.
    pub fn log(&self, event_type: AuditEventType, user_id: Option<&str>, username: Option<&str>,
               ip_address: Option<&str>, resource: Option<&str>, action: &str,
               result: AuditResult, details: HashMap<String, String>) {
        let mut counter = self.entry_counter.write();
        *counter += 1;
        let id = format!("audit-{:012}", *counter);

        let entry = AuditEntry {
            id,
            timestamp: now_timestamp(),
            event_type,
            user_id: user_id.map(String::from),
            username: username.map(String::from),
            ip_address: ip_address.map(String::from),
            resource: resource.map(String::from),
            action: action.to_string(),
            result,
            details,
        };

        let mut entries = self.entries.write();
        if entries.len() >= self.max_entries {
            entries.remove(0);
        }
        entries.push(entry);
    }

    /// Log a login success.
    pub fn log_login_success(&self, user_id: &str, username: &str, ip: Option<&str>) {
        self.log(
            AuditEventType::LoginSuccess,
            Some(user_id),
            Some(username),
            ip,
            None,
            "User logged in",
            AuditResult::Success,
            HashMap::new(),
        );
    }

    /// Log a login failure.
    pub fn log_login_failure(&self, username: &str, ip: Option<&str>, reason: &str) {
        let mut details = HashMap::new();
        details.insert("reason".to_string(), reason.to_string());
        self.log(
            AuditEventType::LoginFailure,
            None,
            Some(username),
            ip,
            None,
            "Login attempt failed",
            AuditResult::Failure,
            details,
        );
    }

    /// Log a permission denial.
    pub fn log_permission_denied(&self, user_id: &str, username: &str, resource: &str, permission: &str) {
        let mut details = HashMap::new();
        details.insert("permission".to_string(), permission.to_string());
        self.log(
            AuditEventType::PermissionDenied,
            Some(user_id),
            Some(username),
            None,
            Some(resource),
            "Permission denied",
            AuditResult::Denied,
            details,
        );
    }

    /// Log a data access.
    pub fn log_data_access(&self, user_id: &str, username: &str, table: &str, operation: &str, rows_affected: u64) {
        let mut details = HashMap::new();
        details.insert("rows_affected".to_string(), rows_affected.to_string());
        let event_type = match operation {
            "SELECT" => AuditEventType::DataRead,
            "INSERT" | "UPDATE" => AuditEventType::DataWrite,
            "DELETE" => AuditEventType::DataDelete,
            _ => AuditEventType::DataRead,
        };
        self.log(
            event_type,
            Some(user_id),
            Some(username),
            None,
            Some(table),
            &format!("{} on {}", operation, table),
            AuditResult::Success,
            details,
        );
    }

    /// Log a schema change.
    pub fn log_schema_change(&self, user_id: &str, username: &str, object: &str, action: &str) {
        let mut details = HashMap::new();
        details.insert("action".to_string(), action.to_string());
        self.log(
            AuditEventType::SchemaChange,
            Some(user_id),
            Some(username),
            None,
            Some(object),
            &format!("Schema change: {} on {}", action, object),
            AuditResult::Success,
            details,
        );
    }

    /// Get recent audit entries.
    pub fn get_entries(&self, limit: usize, offset: usize) -> Vec<AuditEntry> {
        let entries = self.entries.read();
        let start = entries.len().saturating_sub(limit + offset);
        let end = entries.len().saturating_sub(offset);
        entries[start..end].iter().rev().cloned().collect()
    }

    /// Get entries by event type.
    pub fn get_entries_by_type(&self, event_type: AuditEventType, limit: usize) -> Vec<AuditEntry> {
        let entries = self.entries.read();
        entries
            .iter()
            .rev()
            .filter(|e| e.event_type == event_type)
            .take(limit)
            .cloned()
            .collect()
    }

    /// Get entries for a specific user.
    pub fn get_entries_for_user(&self, user_id: &str, limit: usize) -> Vec<AuditEntry> {
        let entries = self.entries.read();
        entries
            .iter()
            .rev()
            .filter(|e| e.user_id.as_deref() == Some(user_id))
            .take(limit)
            .cloned()
            .collect()
    }

    /// Get failed login attempts.
    pub fn get_failed_logins(&self, since: u64) -> Vec<AuditEntry> {
        let entries = self.entries.read();
        entries
            .iter()
            .filter(|e| e.event_type == AuditEventType::LoginFailure && e.timestamp >= since)
            .cloned()
            .collect()
    }

    /// Count entries.
    pub fn count(&self) -> usize {
        self.entries.read().len()
    }

    /// Export entries for compliance reporting.
    pub fn export(&self, start_time: u64, end_time: u64) -> Vec<AuditEntry> {
        let entries = self.entries.read();
        entries
            .iter()
            .filter(|e| e.timestamp >= start_time && e.timestamp <= end_time)
            .cloned()
            .collect()
    }
}

impl Default for AuditLogger {
    fn default() -> Self {
        Self::new(100_000) // Keep 100k audit entries by default
    }
}

// =============================================================================
// LDAP Authentication
// =============================================================================

/// LDAP authenticator for enterprise directory integration.
pub struct LdapAuthenticator {
    config: LdapConfig,
}

impl LdapAuthenticator {
    /// Create a new LDAP authenticator.
    pub fn new(config: LdapConfig) -> Self {
        Self { config }
    }

    /// Authenticate user against LDAP.
    pub fn authenticate(&self, username: &str, password: &str) -> LdapAuthResult {
        // In production, this would use an LDAP library like ldap3
        // For now, we simulate LDAP authentication

        // Simulate connection and bind
        if self.config.server_url.is_empty() {
            return LdapAuthResult {
                success: false,
                user_dn: None,
                email: None,
                display_name: None,
                groups: vec![],
                error: Some("LDAP server URL not configured".to_string()),
            };
        }

        // Simulate user search
        let _user_filter = self.config.user_filter.replace("{username}", username);
        let user_dn = format!("uid={},{}", username, self.config.base_dn);

        // Simulate bind with user credentials
        if password.is_empty() {
            return LdapAuthResult {
                success: false,
                user_dn: None,
                email: None,
                display_name: None,
                groups: vec![],
                error: Some("Invalid credentials".to_string()),
            };
        }

        // Simulate group membership lookup
        let groups = if username == "ldapadmin" {
            self.config.admin_groups.clone()
        } else if username == "ldapoper" {
            self.config.operator_groups.clone()
        } else {
            vec![]
        };

        LdapAuthResult {
            success: true,
            user_dn: Some(user_dn),
            email: Some(format!("{}@aegisdb.io", username)),
            display_name: Some(username.to_string()),
            groups,
            error: None,
        }
    }

    /// Determine role from LDAP groups.
    pub fn determine_role(&self, groups: &[String]) -> UserRole {
        for group in groups {
            if self.config.admin_groups.contains(group) {
                return UserRole::Admin;
            }
        }
        for group in groups {
            if self.config.operator_groups.contains(group) {
                return UserRole::Operator;
            }
        }
        UserRole::Viewer
    }
}

// =============================================================================
// OAuth2 Authentication
// =============================================================================

/// OAuth2 authenticator for external identity providers.
pub struct OAuth2Authenticator {
    config: OAuth2Config,
    pending_states: RwLock<HashMap<String, OAuth2State>>,
}

/// Pending OAuth2 state for CSRF protection.
#[derive(Debug, Clone)]
#[allow(dead_code)]
struct OAuth2State {
    created_at: Instant,
    redirect_uri: String,
}

impl OAuth2Authenticator {
    /// Create a new OAuth2 authenticator.
    pub fn new(config: OAuth2Config) -> Self {
        Self {
            config,
            pending_states: RwLock::new(HashMap::new()),
        }
    }

    /// Generate authorization URL for OAuth2 flow.
    pub fn get_authorization_url(&self) -> (String, String) {
        let state = generate_token();

        // Store state for verification
        self.pending_states.write().insert(
            state.clone(),
            OAuth2State {
                created_at: Instant::now(),
                redirect_uri: self.config.redirect_uri.clone(),
            },
        );

        let scopes = self.config.scopes.join(" ");
        let url = format!(
            "{}?client_id={}&redirect_uri={}&response_type=code&scope={}&state={}",
            self.config.authorization_url,
            self.config.client_id,
            urlencoding_encode(&self.config.redirect_uri),
            urlencoding_encode(&scopes),
            state
        );

        (url, state)
    }

    /// Verify state parameter.
    pub fn verify_state(&self, state: &str) -> bool {
        let mut states = self.pending_states.write();
        if let Some(stored) = states.remove(state) {
            stored.created_at.elapsed() < Duration::from_secs(600) // 10 minute timeout
        } else {
            false
        }
    }

    /// Exchange authorization code for tokens (simulated).
    pub fn exchange_code(&self, _code: &str) -> Result<OAuth2TokenResponse, String> {
        // In production, this would make HTTP request to token endpoint
        Ok(OAuth2TokenResponse {
            access_token: generate_token(),
            token_type: "Bearer".to_string(),
            expires_in: Some(3600),
            refresh_token: Some(generate_token()),
            id_token: Some(generate_token()),
        })
    }

    /// Get user info from OAuth2 provider (simulated).
    pub fn get_user_info(&self, _access_token: &str) -> Result<OAuth2UserInfo, String> {
        // In production, this would make HTTP request to userinfo endpoint
        Ok(OAuth2UserInfo {
            sub: generate_token()[..16].to_string(),
            email: Some("oauth.user@aegisdb.io".to_string()),
            name: Some("OAuth User".to_string()),
            preferred_username: Some("oauthuser".to_string()),
            roles: Some(vec!["viewer".to_string()]),
        })
    }

    /// Determine role from OAuth2 claims.
    pub fn determine_role(&self, roles: &[String]) -> UserRole {
        for role in roles {
            if self.config.admin_roles.contains(role) {
                return UserRole::Admin;
            }
        }
        for role in roles {
            if self.config.operator_roles.contains(role) {
                return UserRole::Operator;
            }
        }
        UserRole::Viewer
    }
}

/// Simple URL encoding (subset).
fn urlencoding_encode(s: &str) -> String {
    s.replace(' ', "%20")
        .replace('&', "%26")
        .replace('=', "%3D")
        .replace('?', "%3F")
        .replace('/', "%2F")
}

// =============================================================================
// Tests
// =============================================================================

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_login_success() {
        let auth = AuthService::new();
        let response = auth.login("demo", "demo");
        assert!(response.token.is_some());
        assert!(response.user.is_some());
    }

    #[test]
    fn test_login_invalid_password() {
        let auth = AuthService::new();
        let response = auth.login("demo", "wrong");
        assert!(response.error.is_some());
    }

    #[test]
    fn test_login_mfa_required() {
        let auth = AuthService::new();
        let response = auth.login("admin", "admin");
        assert!(response.requires_mfa == Some(true));
        assert!(response.token.is_some());
    }

    #[test]
    fn test_mfa_verification() {
        let auth = AuthService::new();
        let login_response = auth.login("admin", "admin");
        let temp_token = login_response.token.unwrap();

        let mfa_response = auth.verify_mfa("123456", &temp_token);
        assert!(mfa_response.token.is_some());
        assert!(mfa_response.user.is_some());
    }

    #[test]
    fn test_session_validation() {
        let auth = AuthService::new();
        let response = auth.login("demo", "demo");
        let token = response.token.unwrap();

        let user = auth.validate_session(&token);
        assert!(user.is_some());
        assert_eq!(user.unwrap().username, "demo");
    }

    #[test]
    fn test_logout() {
        let auth = AuthService::new();
        let response = auth.login("demo", "demo");
        let token = response.token.unwrap();

        assert!(auth.logout(&token));
        assert!(auth.validate_session(&token).is_none());
    }

    // RBAC Tests
    #[test]
    fn test_rbac_default_roles() {
        let rbac = RbacManager::new();
        let roles = rbac.list_roles();
        assert!(roles.iter().any(|r| r.name == "admin"));
        assert!(roles.iter().any(|r| r.name == "operator"));
        assert!(roles.iter().any(|r| r.name == "viewer"));
    }

    #[test]
    fn test_rbac_check_permission() {
        let rbac = RbacManager::new();
        // Admin user should have all permissions
        assert!(rbac.check_permission("user-001", Permission::DatabaseCreate));
        assert!(rbac.check_permission("user-001", Permission::ClusterManage));

        // Viewer should only have read permissions
        assert!(rbac.check_permission("user-002", Permission::DataSelect));
        assert!(!rbac.check_permission("user-002", Permission::DataInsert));
    }

    #[test]
    fn test_rbac_create_role() {
        let rbac = RbacManager::new();
        let result = rbac.create_role(
            "custom_role",
            "Custom role for testing",
            vec![Permission::DataSelect, Permission::DataInsert],
            "admin"
        );
        assert!(result.is_ok());

        let role = rbac.get_role("custom_role");
        assert!(role.is_some());
        assert!(role.unwrap().has_permission(Permission::DataSelect));
    }

    #[test]
    fn test_rbac_assign_role() {
        let rbac = RbacManager::new();
        let result = rbac.assign_role("user-004", "analyst");
        assert!(result.is_ok());

        let roles = rbac.get_user_roles("user-004");
        assert!(roles.contains(&"analyst".to_string()));
    }

    #[test]
    fn test_rbac_cannot_delete_builtin() {
        let rbac = RbacManager::new();
        let result = rbac.delete_role("admin");
        assert!(result.is_err());
    }

    // Audit Logging Tests
    #[test]
    fn test_audit_log_entry() {
        let audit = AuditLogger::new(1000);
        audit.log_login_success("user-001", "admin", Some("192.168.1.1"));

        let entries = audit.get_entries(10, 0);
        assert_eq!(entries.len(), 1);
        assert_eq!(entries[0].event_type, AuditEventType::LoginSuccess);
    }

    #[test]
    fn test_audit_get_by_type() {
        let audit = AuditLogger::new(1000);
        audit.log_login_success("user-001", "admin", None);
        audit.log_login_failure("baduser", None, "Invalid password");
        audit.log_login_success("user-002", "demo", None);

        let failures = audit.get_entries_by_type(AuditEventType::LoginFailure, 10);
        assert_eq!(failures.len(), 1);

        let successes = audit.get_entries_by_type(AuditEventType::LoginSuccess, 10);
        assert_eq!(successes.len(), 2);
    }

    #[test]
    fn test_audit_get_for_user() {
        let audit = AuditLogger::new(1000);
        audit.log_login_success("user-001", "admin", None);
        audit.log_data_access("user-001", "admin", "users", "SELECT", 10);
        audit.log_login_success("user-002", "demo", None);

        let user1_entries = audit.get_entries_for_user("user-001", 10);
        assert_eq!(user1_entries.len(), 2);
    }

    #[test]
    fn test_audit_max_entries() {
        let audit = AuditLogger::new(5);
        for i in 0..10 {
            audit.log_login_success(&format!("user-{}", i), "test", None);
        }

        assert_eq!(audit.count(), 5);
    }

    // LDAP Tests
    #[test]
    fn test_ldap_authenticator() {
        let config = LdapConfig::default();
        let ldap = LdapAuthenticator::new(config);

        let result = ldap.authenticate("ldapadmin", "password");
        assert!(result.success);
        assert!(!result.groups.is_empty());
    }

    #[test]
    fn test_ldap_role_mapping() {
        let config = LdapConfig::default();
        let ldap = LdapAuthenticator::new(config.clone());

        let admin_role = ldap.determine_role(&config.admin_groups);
        assert_eq!(admin_role, UserRole::Admin);

        let viewer_role = ldap.determine_role(&[]);
        assert_eq!(viewer_role, UserRole::Viewer);
    }

    // OAuth2 Tests
    #[test]
    fn test_oauth2_authorization_url() {
        let config = OAuth2Config::default();
        let oauth = OAuth2Authenticator::new(config);

        let (url, state) = oauth.get_authorization_url();
        assert!(url.contains("client_id="));
        assert!(url.contains(&state));
    }

    #[test]
    fn test_oauth2_state_verification() {
        let config = OAuth2Config::default();
        let oauth = OAuth2Authenticator::new(config);

        let (_, state) = oauth.get_authorization_url();
        assert!(oauth.verify_state(&state));
        assert!(!oauth.verify_state(&state)); // Second call should fail
    }

    #[test]
    fn test_oauth2_role_mapping() {
        let config = OAuth2Config::default();
        let oauth = OAuth2Authenticator::new(config.clone());

        let admin_role = oauth.determine_role(&config.admin_roles);
        assert_eq!(admin_role, UserRole::Admin);
    }
}