quetty-server 0.1.7

Core Azure Service Bus client library for Quetty terminal application
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383

use crate::encryption::{ClientSecretEncryption, ConnectionStringEncryption, EncryptionError};
use serde::{Deserialize, Serialize};
use std::time::{Duration, Instant};

/// Authentication method types supported by the application.
///
/// This enum defines the different ways the application can authenticate
/// with Azure Service Bus resources.
#[derive(Clone, Debug, Serialize, Deserialize, PartialEq)]
#[serde(rename_all = "snake_case")]
pub enum AuthType {
    /// Direct connection using Service Bus connection string
    ConnectionString,
    /// Azure Active Directory authentication (Device Code or Client Credentials)
    AzureAd,
}

/// Complete authentication configuration for the application.
///
/// This struct contains all authentication-related settings including
/// the primary authentication method and fallback options.
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct AuthConfig {
    /// The primary authentication method to use
    pub primary_method: AuthType,
    /// Whether to enable fallback to alternative authentication methods
    pub fallback_enabled: bool,
    /// Connection string configuration (if using ConnectionString auth)
    pub connection_string: Option<ConnectionStringConfig>,
    /// Azure AD authentication configuration (if using AzureAd auth)
    pub azure_ad: Option<AzureAdAuthConfig>,
}

impl AuthConfig {
    /// Returns true if any encrypted data is present in this config
    pub fn has_encrypted_data(&self) -> bool {
        let connection_string_encrypted = self
            .connection_string
            .as_ref()
            .map(|cs| cs.is_encrypted())
            .unwrap_or(false);

        let azure_ad_encrypted = self
            .azure_ad
            .as_ref()
            .map(|ad| ad.has_encrypted_data())
            .unwrap_or(false);

        connection_string_encrypted || azure_ad_encrypted
    }

    /// Returns a list of authentication methods that require password decryption
    pub fn get_encrypted_auth_methods(&self) -> Vec<String> {
        let mut methods = Vec::new();

        if let Some(cs) = &self.connection_string {
            if cs.is_encrypted() {
                methods.push("Connection String".to_string());
            }
        }

        if let Some(ad) = &self.azure_ad {
            if ad.has_encrypted_client_secret() {
                methods.push("Azure AD Client Secret".to_string());
            }
        }

        methods
    }
}

/// Configuration for connection string authentication.
///
/// Contains the Service Bus connection string used for direct authentication
/// using Shared Access Signatures (SAS). This is the simplest authentication
/// method but requires managing connection strings securely.
///
/// # Required Fields
///
/// - `value` - Complete Azure Service Bus connection string with access credentials
///
/// # Connection String Format
///
/// The connection string must include:
/// - `Endpoint` - Service Bus namespace endpoint
/// - `SharedAccessKeyName` - Name of the shared access key
/// - `SharedAccessKey` - The shared access key value
///
/// # Examples
///
/// ```no_run
/// use quetty_server::auth::types::ConnectionStringConfig;
///
/// let config = ConnectionStringConfig {
///     value: "Endpoint=sb://my-namespace.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=abcd1234...".to_string(),
/// };
/// ```
///
/// # Security Considerations
///
/// - Store connection strings securely (environment variables, key vault, etc.)
/// - Use principle of least privilege - avoid "RootManageSharedAccessKey" in production
/// - Rotate access keys regularly
/// - Consider using Azure AD authentication for enhanced security
#[derive(Clone, Debug, Serialize, Deserialize, Default)]
pub struct ConnectionStringConfig {
    /// The Azure Service Bus connection string (REQUIRED)
    /// Must include Endpoint, SharedAccessKeyName, and SharedAccessKey
    pub value: String,
    /// Encrypted connection string (alternative to value)
    pub encrypted_value: Option<String>,
    /// Salt for connection string encryption (required when encrypted_value is used)
    pub encryption_salt: Option<String>,
}

impl ConnectionStringConfig {
    /// Returns the actual connection string, decrypting if necessary
    pub fn get_connection_string(&self, password: Option<&str>) -> Result<String, EncryptionError> {
        // If we have an encrypted value, decrypt it
        if let (Some(encrypted), Some(salt)) = (&self.encrypted_value, &self.encryption_salt) {
            let password = password.ok_or_else(|| {
                EncryptionError::InvalidData(
                    "Password required for encrypted connection string".to_string(),
                )
            })?;

            let encryption = ConnectionStringEncryption::from_salt_base64(salt)?;
            encryption.decrypt_connection_string(encrypted, password)
        } else {
            // Return plain text value
            Ok(self.value.clone())
        }
    }

    /// Returns true if this config contains encrypted data
    pub fn is_encrypted(&self) -> bool {
        self.encrypted_value.is_some() && self.encryption_salt.is_some()
    }

    /// Encrypts the connection string with the given password
    pub fn encrypt_with_password(&mut self, password: &str) -> Result<(), EncryptionError> {
        if self.value.trim().is_empty() {
            return Err(EncryptionError::InvalidData(
                "Connection string cannot be empty".to_string(),
            ));
        }

        let encryption = ConnectionStringEncryption::new();
        let encrypted = encryption.encrypt_connection_string(&self.value, password)?;

        self.encrypted_value = Some(encrypted);
        self.encryption_salt = Some(encryption.salt_base64());

        // Clear the plain text value for security
        self.value.clear();

        Ok(())
    }
}

/// Configuration for Azure Active Directory authentication.
///
/// Contains all necessary parameters for Azure AD authentication flows
/// including Device Code Flow and Client Credentials Flow.
///
/// # Required Fields
///
/// - `auth_method` - Must be "device_code" or "client_secret"
///
/// # Required for Device Code Flow
///
/// - `tenant_id` - Azure AD tenant ID
/// - `client_id` - Azure AD application (client) ID
///
/// # Required for Client Credentials Flow
///
/// - `tenant_id` - Azure AD tenant ID
/// - `client_id` - Azure AD application (client) ID
/// - `client_secret` - Azure AD application client secret
///
/// # Optional Fields
///
/// - `subscription_id` - For resource discovery (defaults to env AZURE_SUBSCRIPTION_ID)
/// - `resource_group` - For resource discovery (defaults to auto-discovery)
/// - `namespace` - Service Bus namespace (defaults to auto-discovery)
/// - `authority_host` - Azure AD authority host (defaults to https://login.microsoftonline.com)
/// - `scope` - OAuth scope (defaults to https://servicebus.azure.net/.default)
///
/// # Examples
///
/// ## Device Code Flow Configuration
/// ```no_run
/// use quetty_server::auth::types::AzureAdAuthConfig;
///
/// let config = AzureAdAuthConfig {
///     auth_method: "device_code".to_string(),
///     tenant_id: Some("your-tenant-id".to_string()),
///     client_id: Some("your-client-id".to_string()),
///     client_secret: None, // Not needed for device code flow
///     subscription_id: Some("your-subscription-id".to_string()),
///     resource_group: Some("your-resource-group".to_string()),
///     namespace: Some("your-servicebus-namespace".to_string()),
///     authority_host: None, // Uses default
///     scope: None, // Uses default
/// };
/// ```
///
/// ## Client Credentials Flow Configuration
/// ```no_run
/// use quetty_server::auth::types::AzureAdAuthConfig;
///
/// let config = AzureAdAuthConfig {
///     auth_method: "client_secret".to_string(),
///     tenant_id: Some("your-tenant-id".to_string()),
///     client_id: Some("your-client-id".to_string()),
///     client_secret: Some("your-client-secret".to_string()), // Required
///     subscription_id: None, // Optional
///     resource_group: None, // Optional
///     namespace: None, // Optional
///     authority_host: None, // Uses default
///     scope: None, // Uses default
/// };
/// ```
#[derive(Clone, Debug, Serialize, Deserialize, Default)]
pub struct AzureAdAuthConfig {
    /// Authentication method: "device_code" or "client_secret" (REQUIRED)
    #[serde(default = "default_auth_method")]
    pub auth_method: String,
    /// Azure AD tenant ID (REQUIRED for all flows)
    pub tenant_id: Option<String>,
    /// Azure AD application (client) ID (REQUIRED for all flows)
    pub client_id: Option<String>,
    /// Azure AD application client secret (REQUIRED for client_secret flow)
    pub client_secret: Option<String>,
    /// Encrypted client secret (alternative to client_secret)
    pub encrypted_client_secret: Option<String>,
    /// Salt for client secret encryption (required when encrypted_client_secret is used)
    pub client_secret_encryption_salt: Option<String>,
    /// Azure subscription ID (OPTIONAL - defaults to env AZURE_SUBSCRIPTION_ID)
    pub subscription_id: Option<String>,
    /// Resource group name (OPTIONAL - defaults to auto-discovery)
    pub resource_group: Option<String>,
    /// Service Bus namespace name (OPTIONAL - defaults to auto-discovery)
    pub namespace: Option<String>,
    /// Azure AD authority host URL (OPTIONAL - defaults to https://login.microsoftonline.com)
    pub authority_host: Option<String>,
    /// OAuth scope for token requests (OPTIONAL - defaults to https://servicebus.azure.net/.default)
    pub scope: Option<String>,
}

fn default_auth_method() -> String {
    "device_code".to_string()
}

impl AzureAdAuthConfig {
    /// Returns the actual client secret, decrypting if necessary
    pub fn get_client_secret(
        &self,
        password: Option<&str>,
    ) -> Result<Option<String>, EncryptionError> {
        // If we have an encrypted client secret, decrypt it
        if let (Some(encrypted), Some(salt)) = (
            &self.encrypted_client_secret,
            &self.client_secret_encryption_salt,
        ) {
            let password = password.ok_or_else(|| {
                EncryptionError::InvalidData(
                    "Password required for encrypted client secret".to_string(),
                )
            })?;

            let encryption = ClientSecretEncryption::from_salt_base64(salt)?;
            let decrypted = encryption.decrypt_client_secret(encrypted, password)?;
            Ok(Some(decrypted))
        } else {
            // Return plain text client secret
            Ok(self.client_secret.clone())
        }
    }

    /// Returns true if this config contains encrypted client secret
    pub fn has_encrypted_client_secret(&self) -> bool {
        self.encrypted_client_secret.is_some() && self.client_secret_encryption_salt.is_some()
    }

    /// Returns true if any encrypted data is present in this config
    pub fn has_encrypted_data(&self) -> bool {
        self.has_encrypted_client_secret()
    }

    /// Encrypts the client secret with the given password
    pub fn encrypt_client_secret_with_password(
        &mut self,
        password: &str,
    ) -> Result<(), EncryptionError> {
        let client_secret = match &self.client_secret {
            Some(secret) if !secret.trim().is_empty() => secret,
            _ => {
                return Err(EncryptionError::InvalidData(
                    "Client secret cannot be empty".to_string(),
                ));
            }
        };

        let encryption = ClientSecretEncryption::new();
        let encrypted = encryption.encrypt_client_secret(client_secret, password)?;

        self.encrypted_client_secret = Some(encrypted);
        self.client_secret_encryption_salt = Some(encryption.salt_base64());

        // Clear the plain text value for security
        self.client_secret = None;

        Ok(())
    }
}

/// A cached authentication token with expiration tracking.
///
/// This struct holds an authentication token along with its expiration time
/// to enable efficient token caching and refresh logic.
#[derive(Clone, Debug)]
pub struct CachedToken {
    /// The authentication token string
    pub token: String,
    /// When the token expires
    pub expires_at: Instant,
    /// The type of token (e.g., "Bearer")
    pub token_type: String,
}

impl CachedToken {
    /// Creates a new cached token with the given parameters.
    ///
    /// # Arguments
    ///
    /// * `token` - The authentication token string
    /// * `expires_in` - Duration until the token expires
    /// * `token_type` - The type of token (e.g., "Bearer")
    pub fn new(token: String, expires_in: Duration, token_type: String) -> Self {
        Self {
            token,
            expires_at: Instant::now() + expires_in,
            token_type,
        }
    }

    /// Checks if the token has expired.
    ///
    /// # Returns
    ///
    /// `true` if the token has passed its expiration time, `false` otherwise.
    pub fn is_expired(&self) -> bool {
        Instant::now() >= self.expires_at
    }

    /// Checks if the token needs to be refreshed soon.
    ///
    /// Uses a 5-minute buffer before expiration to ensure tokens are
    /// refreshed before they actually expire.
    ///
    /// # Returns
    ///
    /// `true` if the token should be refreshed, `false` otherwise.
    pub fn needs_refresh(&self) -> bool {
        let buffer = Duration::from_secs(300); // 5 minute buffer
        Instant::now() + buffer >= self.expires_at
    }
}

/// Information required for Azure AD Device Code Flow authentication.
///
/// This struct contains the user code and verification URL that the user
/// needs to complete the device code authentication flow.
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct DeviceCodeInfo {
    /// The user code to be entered on the verification page
    pub user_code: String,
    /// The URL where the user should enter the code
    pub verification_uri: String,
    /// Human-readable message with authentication instructions
    pub message: String,
}