aura_effects/

secure.rs

//! Layer 3: Secure Storage Effect Handlers - Production Only
//!
//! Stateless single-party implementation of SecureStorageEffects from aura-core (Layer 1).
//! This handler implements pure secure storage effect operations, delegating to platform APIs.
//!
//! **Layer Constraint**: No mock handlers - those belong in aura-testkit (Layer 8).
//! This module contains only production stateless handlers.

#[cfg(target_arch = "wasm32")]
use crate::storage::FilesystemStorageHandler;
use async_trait::async_trait;
use aura_core::effects::{
    SecureStorageCapability, SecureStorageEffects, SecureStorageError, SecureStorageLocation,
};
#[cfg(target_arch = "wasm32")]
use aura_core::effects::{StorageCoreEffects, StorageExtendedEffects};
use cfg_if::cfg_if;
#[cfg(not(target_arch = "wasm32"))]
use std::fs;
#[cfg(not(target_arch = "wasm32"))]
use std::io::Write;
use std::path::PathBuf;

cfg_if! {
    if #[cfg(target_arch = "wasm32")] {
        use js_sys::Date;
    } else {
        use std::time::{SystemTime, UNIX_EPOCH};
    }
}

/// Real secure storage handler for production use
#[derive(Debug)]
pub struct RealSecureStorageHandler {
    platform_config: String,
    base_path: PathBuf,
}

impl RealSecureStorageHandler {
    /// Create a secure storage handler with a custom base path.
    ///
    /// The secure storage files will be placed in `base_path/secure_store/`.
    pub fn with_base_path(base_path: PathBuf) -> Self {
        Self {
            platform_config: "filesystem-fallback".to_string(),
            base_path: base_path.join("secure_store"),
        }
    }

    /// Create a handler for testing with an ephemeral temp directory.
    #[cfg(test)]
    pub fn for_testing() -> Self {
        let suffix = fastrand::u64(..);
        let temp_dir = std::env::temp_dir().join(format!("aura-secure-test-{suffix}"));
        Self::with_base_path(temp_dir)
    }

    fn require_capability(
        &self,
        caps: &[SecureStorageCapability],
        required: SecureStorageCapability,
    ) -> Result<(), SecureStorageError> {
        if caps.contains(&required) {
            Ok(())
        } else {
            Err(SecureStorageError::permission_denied(format!(
                "missing capability: {required:?}"
            )))
        }
    }

    #[cfg(not(target_arch = "wasm32"))]
    fn path_for(&self, location: &SecureStorageLocation) -> PathBuf {
        let mut path = self.base_path.join(&location.namespace).join(&location.key);
        if let Some(sub) = &location.sub_key {
            path = path.join(sub);
        }
        path
    }

    #[allow(clippy::disallowed_methods)] // Effect implementation reads wall clock directly
    fn current_time_ms(&self) -> Result<u64, SecureStorageError> {
        #[cfg(target_arch = "wasm32")]
        {
            Ok(Date::now() as u64)
        }
        #[cfg(not(target_arch = "wasm32"))]
        {
            Ok(SystemTime::now()
                .duration_since(UNIX_EPOCH)
                .map_err(|e| SecureStorageError::storage(e.to_string()))?
                .as_millis() as u64)
        }
    }

    #[cfg(target_arch = "wasm32")]
    fn wasm_storage(&self) -> FilesystemStorageHandler {
        FilesystemStorageHandler::new(self.base_path.clone())
    }
}

#[async_trait]
impl SecureStorageEffects for RealSecureStorageHandler {
    async fn secure_store(
        &self,
        location: &SecureStorageLocation,
        key: &[u8],
        caps: &[aura_core::effects::SecureStorageCapability],
    ) -> Result<(), SecureStorageError> {
        self.require_capability(caps, SecureStorageCapability::Write)?;
        #[cfg(target_arch = "wasm32")]
        {
            return self
                .wasm_storage()
                .store(&location.full_path(), key.to_vec())
                .await
                .map_err(|e| SecureStorageError::storage(e.to_string()));
        }
        #[cfg(not(target_arch = "wasm32"))]
        {
            let path = self.path_for(location);
            if let Some(dir) = path.parent() {
                fs::create_dir_all(dir).map_err(|e| SecureStorageError::storage(e.to_string()))?;
            }
            let mut file = fs::OpenOptions::new()
                .create(true)
                .write(true)
                .truncate(true)
                .open(&path)
                .map_err(|e| SecureStorageError::storage(e.to_string()))?;
            file.write_all(key)
                .map_err(|e| SecureStorageError::storage(e.to_string()))?;
            Ok(())
        }
    }

    async fn secure_retrieve(
        &self,
        location: &SecureStorageLocation,
        caps: &[aura_core::effects::SecureStorageCapability],
    ) -> Result<Vec<u8>, SecureStorageError> {
        self.require_capability(caps, SecureStorageCapability::Read)?;
        #[cfg(target_arch = "wasm32")]
        {
            return self
                .wasm_storage()
                .retrieve(&location.full_path())
                .await
                .map_err(|e| SecureStorageError::storage(e.to_string()))?
                .ok_or_else(|| SecureStorageError::storage("secure key not found"));
        }
        #[cfg(not(target_arch = "wasm32"))]
        {
            let path = self.path_for(location);
            fs::read(&path).map_err(|e| SecureStorageError::storage(e.to_string()))
        }
    }

    async fn secure_delete(
        &self,
        location: &SecureStorageLocation,
        caps: &[aura_core::effects::SecureStorageCapability],
    ) -> Result<(), SecureStorageError> {
        self.require_capability(caps, SecureStorageCapability::Delete)?;
        #[cfg(target_arch = "wasm32")]
        {
            let _ = self
                .wasm_storage()
                .remove(&location.full_path())
                .await
                .map_err(|e| SecureStorageError::storage(e.to_string()))?;
            return Ok(());
        }
        #[cfg(not(target_arch = "wasm32"))]
        {
            let path = self.path_for(location);
            if path.exists() {
                fs::remove_file(&path).map_err(|e| SecureStorageError::storage(e.to_string()))?;
            }
            Ok(())
        }
    }

    async fn secure_exists(
        &self,
        location: &SecureStorageLocation,
    ) -> Result<bool, SecureStorageError> {
        #[cfg(target_arch = "wasm32")]
        {
            return self
                .wasm_storage()
                .exists(&location.full_path())
                .await
                .map_err(|e| SecureStorageError::storage(e.to_string()));
        }
        #[cfg(not(target_arch = "wasm32"))]
        {
            let path = self.path_for(location);
            Ok(path.exists())
        }
    }

    async fn secure_list_keys(
        &self,
        namespace: &str,
        caps: &[aura_core::effects::SecureStorageCapability],
    ) -> Result<Vec<String>, SecureStorageError> {
        self.require_capability(caps, SecureStorageCapability::List)?;
        #[cfg(target_arch = "wasm32")]
        {
            return self
                .wasm_storage()
                .list_keys(Some(&format!("{namespace}/")))
                .await
                .map_err(|e| SecureStorageError::storage(e.to_string()));
        }
        #[cfg(not(target_arch = "wasm32"))]
        {
            let ns_path = self.base_path.join(namespace);
            if !ns_path.exists() {
                return Ok(Vec::new());
            }
            let mut keys = Vec::new();
            for entry in
                fs::read_dir(&ns_path).map_err(|e| SecureStorageError::storage(e.to_string()))?
            {
                let entry = entry.map_err(|e| SecureStorageError::storage(e.to_string()))?;
                if let Some(name) = entry.file_name().to_str() {
                    keys.push(name.to_string());
                }
            }
            Ok(keys)
        }
    }

    async fn secure_generate_key(
        &self,
        location: &SecureStorageLocation,
        context: &str,
        caps: &[aura_core::effects::SecureStorageCapability],
    ) -> Result<Option<Vec<u8>>, SecureStorageError> {
        self.require_capability(caps, SecureStorageCapability::Write)?;
        let mut key = [0u8; 32];
        getrandom::getrandom(&mut key).map_err(|e| SecureStorageError::storage(e.to_string()))?;
        let mut material = key.to_vec();
        material.extend_from_slice(context.as_bytes());
        self.secure_store(location, &material, caps).await?;
        Ok(Some(material))
    }

    async fn secure_create_time_bound_token(
        &self,
        location: &SecureStorageLocation,
        caps: &[aura_core::effects::SecureStorageCapability],
        expires_at: &aura_core::time::PhysicalTime,
    ) -> Result<Vec<u8>, SecureStorageError> {
        self.require_capability(caps, SecureStorageCapability::Read)?;
        let token = format!(
            "{}:{}:{}",
            location.full_path(),
            expires_at.ts_ms,
            self.platform_config
        );
        Ok(token.into_bytes())
    }

    async fn secure_access_with_token(
        &self,
        token: &[u8],
        _location: &SecureStorageLocation,
    ) -> Result<Vec<u8>, SecureStorageError> {
        let token_str = std::str::from_utf8(token)
            .map_err(|e| SecureStorageError::serialization(e.to_string()))?;
        let parts: Vec<&str> = token_str.splitn(3, ':').collect();
        if parts.len() != 3 {
            return Err(SecureStorageError::invalid("invalid secure access token"));
        }
        let expires_at_ms: u64 = parts[1].parse().map_err(|e: std::num::ParseIntError| {
            SecureStorageError::serialization(e.to_string())
        })?;

        let now_ms = self.current_time_ms()?;
        if now_ms > expires_at_ms {
            return Err(SecureStorageError::permission_denied(
                "secure access token expired",
            ));
        }

        Ok(parts[0].as_bytes().to_vec())
    }

    async fn get_device_attestation(&self) -> Result<Vec<u8>, SecureStorageError> {
        #[derive(serde::Serialize)]
        struct Attestation<'a> {
            platform: &'a str,
            issued_at_ms: u64,
            capabilities: Vec<String>,
        }

        let issued_at_ms = self.current_time_ms()?;

        let attestation = Attestation {
            platform: &self.platform_config,
            issued_at_ms,
            capabilities: self.get_secure_storage_capabilities(),
        };

        serde_json::to_vec(&attestation)
            .map_err(|e| SecureStorageError::serialization(e.to_string()))
    }

    async fn is_secure_storage_available(&self) -> bool {
        true
    }

    fn get_secure_storage_capabilities(&self) -> Vec<String> {
        vec![
            "filesystem-fallback".to_string(),
            "time-bound-token".to_string(),
        ]
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::tempdir;

    #[tokio::test]
    async fn test_real_secure_storage_store_and_retrieve() {
        let temp = match tempdir() {
            Ok(dir) => dir,
            Err(err) => panic!("create tempdir: {err}"),
        };
        let handler = RealSecureStorageHandler::with_base_path(temp.path().to_path_buf());
        let location = SecureStorageLocation::new("test_namespace", "test_key");
        let capabilities = vec![
            SecureStorageCapability::Read,
            SecureStorageCapability::Write,
            SecureStorageCapability::Delete,
            SecureStorageCapability::List,
        ];

        handler
            .secure_store(&location, b"data", &capabilities)
            .await
            .unwrap();
        let data = handler
            .secure_retrieve(&location, &capabilities)
            .await
            .unwrap();
        assert_eq!(data, b"data");
        assert!(handler.secure_exists(&location).await.unwrap());
        handler
            .secure_delete(&location, &capabilities)
            .await
            .unwrap();
    }
}