fakecloud_iam/

state.rs

use chrono::{DateTime, Utc};
use parking_lot::RwLock;
use std::collections::HashMap;

#[derive(Debug, Clone)]
pub struct IamUser {
    pub user_name: String,
    pub user_id: String,
    pub arn: String,
    pub path: String,
    pub created_at: DateTime<Utc>,
    pub tags: Vec<Tag>,
    pub permissions_boundary: Option<String>,
}

#[derive(Debug, Clone)]
pub struct IamAccessKey {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub user_name: String,
    pub status: String,
    pub created_at: DateTime<Utc>,
}

#[derive(Debug, Clone)]
pub struct IamRole {
    pub role_name: String,
    pub role_id: String,
    pub arn: String,
    pub path: String,
    pub assume_role_policy_document: String,
    pub created_at: DateTime<Utc>,
    pub description: Option<String>,
    pub max_session_duration: i32,
    pub tags: Vec<Tag>,
    pub permissions_boundary: Option<String>,
}

#[derive(Debug, Clone)]
pub struct IamPolicy {
    pub policy_name: String,
    pub policy_id: String,
    pub arn: String,
    pub path: String,
    pub description: String,
    pub created_at: DateTime<Utc>,
    pub tags: Vec<Tag>,
    pub default_version_id: String,
    pub versions: Vec<PolicyVersion>,
    pub next_version_num: u32,
    pub attachment_count: u32,
}

#[derive(Debug, Clone)]
pub struct PolicyVersion {
    pub version_id: String,
    pub document: String,
    pub is_default: bool,
    pub created_at: DateTime<Utc>,
}

#[derive(Debug, Clone)]
pub struct IamGroup {
    pub group_name: String,
    pub group_id: String,
    pub arn: String,
    pub path: String,
    pub created_at: DateTime<Utc>,
    pub members: Vec<String>,                     // user names
    pub inline_policies: HashMap<String, String>, // policy_name -> document
    pub attached_policies: Vec<String>,           // policy ARNs
}

#[derive(Debug, Clone)]
pub struct IamInstanceProfile {
    pub instance_profile_name: String,
    pub instance_profile_id: String,
    pub arn: String,
    pub path: String,
    pub created_at: DateTime<Utc>,
    pub roles: Vec<String>, // role names
    pub tags: Vec<Tag>,
}

#[derive(Debug, Clone)]
pub struct Tag {
    pub key: String,
    pub value: String,
}

#[derive(Debug, Clone)]
pub struct LoginProfile {
    pub user_name: String,
    pub created_at: DateTime<Utc>,
    pub password_reset_required: bool,
}

#[derive(Debug, Clone)]
pub struct SamlProvider {
    pub arn: String,
    pub name: String,
    pub saml_metadata_document: String,
    pub created_at: DateTime<Utc>,
    pub valid_until: DateTime<Utc>,
    pub tags: Vec<Tag>,
}

#[derive(Debug, Clone)]
pub struct OidcProvider {
    pub arn: String,
    pub url: String,
    pub client_id_list: Vec<String>,
    pub thumbprint_list: Vec<String>,
    pub created_at: DateTime<Utc>,
    pub tags: Vec<Tag>,
}

#[derive(Debug, Clone)]
pub struct ServerCertificate {
    pub server_certificate_name: String,
    pub server_certificate_id: String,
    pub arn: String,
    pub path: String,
    pub certificate_body: String,
    pub certificate_chain: Option<String>,
    pub upload_date: DateTime<Utc>,
    pub expiration: DateTime<Utc>,
    pub tags: Vec<Tag>,
}

#[derive(Debug, Clone)]
pub struct SigningCertificate {
    pub certificate_id: String,
    pub user_name: String,
    pub certificate_body: String,
    pub status: String,
    pub upload_date: DateTime<Utc>,
}

#[derive(Debug, Clone)]
pub struct AccountPasswordPolicy {
    pub minimum_password_length: u32,
    pub require_symbols: bool,
    pub require_numbers: bool,
    pub require_uppercase_characters: bool,
    pub require_lowercase_characters: bool,
    pub allow_users_to_change_password: bool,
    pub max_password_age: u32,
    pub password_reuse_prevention: u32,
    pub hard_expiry: bool,
}

impl Default for AccountPasswordPolicy {
    fn default() -> Self {
        Self {
            minimum_password_length: 6,
            require_symbols: false,
            require_numbers: false,
            require_uppercase_characters: false,
            require_lowercase_characters: false,
            allow_users_to_change_password: false,
            max_password_age: 0,
            password_reuse_prevention: 0,
            hard_expiry: false,
        }
    }
}

#[derive(Debug, Clone)]
pub struct VirtualMfaDevice {
    pub serial_number: String,
    pub base32_string_seed: String,
    pub qr_code_png: String,
    pub enable_date: Option<DateTime<Utc>>,
    pub user: Option<String>,
    pub tags: Vec<Tag>,
}

#[derive(Debug, Clone)]
pub struct ServiceLinkedRoleDeletion {
    pub deletion_task_id: String,
    pub status: String,
}

/// Identity associated with a set of credentials, for GetCallerIdentity resolution.
#[derive(Debug, Clone)]
pub struct CredentialIdentity {
    pub arn: String,
    pub user_id: String,
    pub account_id: String,
}

/// A temporary credential issued by STS (`AssumeRole`, `AssumeRoleWithWebIdentity`,
/// `AssumeRoleWithSAML`, `GetSessionToken`, `GetFederationToken`).
///
/// Unlike [`CredentialIdentity`], which only remembers the principal ARN for
/// `GetCallerIdentity`, this struct also retains the secret access key and
/// session token so that SigV4 verification and IAM enforcement (added in
/// later batches) can look them up when a client signs a request with
/// temporary credentials. `expiration` is the absolute wall-clock time at
/// which the credential becomes invalid.
#[derive(Debug, Clone)]
pub struct StsTempCredential {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: String,
    pub principal_arn: String,
    pub user_id: String,
    pub account_id: String,
    pub expiration: DateTime<Utc>,
}

/// Result of looking up a set of credentials by access key ID.
///
/// Carries the secret + resolved principal + owning account id. The account
/// id is intentionally read from the credential itself rather than from
/// global config, so that once #381 (multi-account isolation) lands, the same
/// lookup already returns the correct account for the credential.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SecretLookup {
    pub secret_access_key: String,
    pub session_token: Option<String>,
    pub principal_arn: String,
    pub user_id: String,
    pub account_id: String,
}

#[derive(Debug, Clone)]
pub struct SshPublicKey {
    pub ssh_public_key_id: String,
    pub user_name: String,
    pub ssh_public_key_body: String,
    pub status: String,
    pub upload_date: DateTime<Utc>,
    pub fingerprint: String,
}

/// Tracks when an access key was last used.
#[derive(Debug, Clone)]
pub struct AccessKeyLastUsed {
    pub last_used_date: DateTime<Utc>,
    pub service_name: String,
    pub region: String,
}

pub struct IamState {
    pub account_id: String,
    pub users: HashMap<String, IamUser>,
    pub access_keys: HashMap<String, Vec<IamAccessKey>>, // username -> keys
    pub roles: HashMap<String, IamRole>,
    pub policies: HashMap<String, IamPolicy>, // arn -> policy
    pub role_policies: HashMap<String, Vec<String>>, // role_name -> managed policy arns
    pub role_inline_policies: HashMap<String, HashMap<String, String>>, // role_name -> {policy_name -> doc}
    pub user_policies: HashMap<String, Vec<String>>, // user_name -> managed policy arns
    pub user_inline_policies: HashMap<String, HashMap<String, String>>, // user_name -> {policy_name -> doc}
    pub groups: HashMap<String, IamGroup>,
    pub instance_profiles: HashMap<String, IamInstanceProfile>,
    pub login_profiles: HashMap<String, LoginProfile>,
    pub saml_providers: HashMap<String, SamlProvider>, // arn -> provider
    pub oidc_providers: HashMap<String, OidcProvider>, // arn -> provider
    pub server_certificates: HashMap<String, ServerCertificate>, // name -> cert
    pub signing_certificates: HashMap<String, Vec<SigningCertificate>>, // user_name -> certs
    pub account_aliases: Vec<String>,
    pub account_password_policy: Option<AccountPasswordPolicy>,
    pub virtual_mfa_devices: HashMap<String, VirtualMfaDevice>, // serial_number -> device
    pub service_linked_role_deletions: HashMap<String, ServiceLinkedRoleDeletion>,
    /// Maps access key ID to the identity that should be returned by GetCallerIdentity.
    pub credential_identities: HashMap<String, CredentialIdentity>,
    /// Temporary credentials issued by STS, keyed by access key ID. Includes
    /// the secret access key and session token — required for SigV4
    /// verification and IAM enforcement. Expired entries are purged lazily on
    /// lookup.
    pub sts_temp_credentials: HashMap<String, StsTempCredential>,
    pub credential_report_generated: bool,
    pub ssh_public_keys: HashMap<String, Vec<SshPublicKey>>, // user_name -> keys
    pub access_key_last_used: HashMap<String, AccessKeyLastUsed>,
}

impl IamState {
    pub fn new(account_id: &str) -> Self {
        Self {
            account_id: account_id.to_string(),
            users: HashMap::new(),
            access_keys: HashMap::new(),
            roles: HashMap::new(),
            policies: HashMap::new(),
            role_policies: HashMap::new(),
            role_inline_policies: HashMap::new(),
            user_policies: HashMap::new(),
            user_inline_policies: HashMap::new(),
            groups: HashMap::new(),
            instance_profiles: HashMap::new(),
            login_profiles: HashMap::new(),
            saml_providers: HashMap::new(),
            oidc_providers: HashMap::new(),
            server_certificates: HashMap::new(),
            signing_certificates: HashMap::new(),
            account_aliases: Vec::new(),
            account_password_policy: None,
            virtual_mfa_devices: HashMap::new(),
            service_linked_role_deletions: HashMap::new(),
            credential_identities: HashMap::new(),
            sts_temp_credentials: HashMap::new(),
            credential_report_generated: false,
            ssh_public_keys: HashMap::new(),
            access_key_last_used: HashMap::new(),
        }
    }

    pub fn reset(&mut self) {
        let account_id = self.account_id.clone();
        *self = Self::new(&account_id);
    }

    /// Look up the secret access key, session token, and resolved principal
    /// for a given access key ID.
    ///
    /// Searches IAM user access keys first, then STS temporary credentials.
    /// Expired STS temporary credentials are purged in-place and skipped.
    ///
    /// Returns `None` if the AKID is unknown or its STS credential has
    /// expired.
    ///
    /// Required for SigV4 signature verification (batch 3) and principal
    /// resolution (batch 4). Callers must hold a write lock on
    /// [`IamState`] to allow the lazy purge; read-only callers should use
    /// [`IamState::credential_secret_readonly`].
    pub fn credential_secret(&mut self, access_key_id: &str) -> Option<SecretLookup> {
        // IAM user access keys: look up by scanning (same pattern the
        // existing GetCallerIdentity path uses).
        for keys in self.access_keys.values() {
            for key in keys {
                if key.access_key_id == access_key_id {
                    if let Some(user) = self.users.get(&key.user_name) {
                        return Some(SecretLookup {
                            secret_access_key: key.secret_access_key.clone(),
                            session_token: None,
                            principal_arn: user.arn.clone(),
                            user_id: user.user_id.clone(),
                            account_id: self.account_id.clone(),
                        });
                    }
                }
            }
        }

        // STS temporary credentials: direct hash lookup, with lazy expiry
        // purging so expired entries don't accumulate.
        let now = Utc::now();
        if let Some(temp) = self.sts_temp_credentials.get(access_key_id) {
            if temp.expiration > now {
                return Some(SecretLookup {
                    secret_access_key: temp.secret_access_key.clone(),
                    session_token: Some(temp.session_token.clone()),
                    principal_arn: temp.principal_arn.clone(),
                    user_id: temp.user_id.clone(),
                    account_id: temp.account_id.clone(),
                });
            }
            self.sts_temp_credentials.remove(access_key_id);
        }
        None
    }

    /// Read-only variant of [`IamState::credential_secret`] that does not
    /// purge expired entries. Prefer the mutable variant wherever possible
    /// to keep the temp-credential table small.
    pub fn credential_secret_readonly(&self, access_key_id: &str) -> Option<SecretLookup> {
        for keys in self.access_keys.values() {
            for key in keys {
                if key.access_key_id == access_key_id {
                    if let Some(user) = self.users.get(&key.user_name) {
                        return Some(SecretLookup {
                            secret_access_key: key.secret_access_key.clone(),
                            session_token: None,
                            principal_arn: user.arn.clone(),
                            user_id: user.user_id.clone(),
                            account_id: self.account_id.clone(),
                        });
                    }
                }
            }
        }

        let now = Utc::now();
        let temp = self.sts_temp_credentials.get(access_key_id)?;
        if temp.expiration <= now {
            return None;
        }
        Some(SecretLookup {
            secret_access_key: temp.secret_access_key.clone(),
            session_token: Some(temp.session_token.clone()),
            principal_arn: temp.principal_arn.clone(),
            user_id: temp.user_id.clone(),
            account_id: temp.account_id.clone(),
        })
    }
}

pub type SharedIamState = std::sync::Arc<RwLock<IamState>>;

#[cfg(test)]
mod tests {
    use super::*;

    fn iam_user(name: &str, account_id: &str) -> IamUser {
        IamUser {
            user_name: name.to_string(),
            user_id: format!("AIDA{}", name.to_uppercase()),
            arn: format!("arn:aws:iam::{}:user/{}", account_id, name),
            path: "/".to_string(),
            created_at: Utc::now(),
            tags: Vec::new(),
            permissions_boundary: None,
        }
    }

    fn iam_key(user: &str, akid: &str, secret: &str) -> IamAccessKey {
        IamAccessKey {
            access_key_id: akid.to_string(),
            secret_access_key: secret.to_string(),
            user_name: user.to_string(),
            status: "Active".to_string(),
            created_at: Utc::now(),
        }
    }

    #[test]
    fn credential_secret_returns_iam_user_key() {
        let mut state = IamState::new("123456789012");
        state
            .users
            .insert("alice".to_string(), iam_user("alice", "123456789012"));
        state.access_keys.insert(
            "alice".to_string(),
            vec![iam_key("alice", "FKIAALICE", "secret-alice")],
        );
        let lookup = state.credential_secret("FKIAALICE").unwrap();
        assert_eq!(lookup.secret_access_key, "secret-alice");
        assert_eq!(lookup.principal_arn, "arn:aws:iam::123456789012:user/alice");
        assert_eq!(lookup.account_id, "123456789012");
        assert_eq!(lookup.session_token, None);
    }

    #[test]
    fn credential_secret_returns_sts_temp_credential_when_unexpired() {
        let mut state = IamState::new("123456789012");
        state.sts_temp_credentials.insert(
            "FSIATEMPKEY".to_string(),
            StsTempCredential {
                access_key_id: "FSIATEMPKEY".to_string(),
                secret_access_key: "temp-secret".to_string(),
                session_token: "temp-token".to_string(),
                principal_arn: "arn:aws:sts::123456789012:assumed-role/R/s".to_string(),
                user_id: "AROA:session".to_string(),
                account_id: "123456789012".to_string(),
                expiration: Utc::now() + chrono::Duration::minutes(30),
            },
        );
        let lookup = state.credential_secret("FSIATEMPKEY").unwrap();
        assert_eq!(lookup.secret_access_key, "temp-secret");
        assert_eq!(lookup.session_token.as_deref(), Some("temp-token"));
        assert_eq!(
            lookup.principal_arn,
            "arn:aws:sts::123456789012:assumed-role/R/s"
        );
    }

    #[test]
    fn credential_secret_purges_expired_sts_credentials() {
        let mut state = IamState::new("123456789012");
        state.sts_temp_credentials.insert(
            "FSIAOLD".to_string(),
            StsTempCredential {
                access_key_id: "FSIAOLD".to_string(),
                secret_access_key: "s".to_string(),
                session_token: "t".to_string(),
                principal_arn: "arn".to_string(),
                user_id: "id".to_string(),
                account_id: "123456789012".to_string(),
                expiration: Utc::now() - chrono::Duration::seconds(1),
            },
        );
        assert!(state.credential_secret("FSIAOLD").is_none());
        assert!(!state.sts_temp_credentials.contains_key("FSIAOLD"));
    }

    #[test]
    fn credential_secret_readonly_does_not_purge() {
        let mut state = IamState::new("123456789012");
        state.sts_temp_credentials.insert(
            "FSIAOLD".to_string(),
            StsTempCredential {
                access_key_id: "FSIAOLD".to_string(),
                secret_access_key: "s".to_string(),
                session_token: "t".to_string(),
                principal_arn: "arn".to_string(),
                user_id: "id".to_string(),
                account_id: "123456789012".to_string(),
                expiration: Utc::now() - chrono::Duration::seconds(1),
            },
        );
        assert!(state.credential_secret_readonly("FSIAOLD").is_none());
        assert!(state.sts_temp_credentials.contains_key("FSIAOLD"));
    }

    #[test]
    fn credential_secret_returns_none_for_unknown_akid() {
        let mut state = IamState::new("123456789012");
        assert!(state.credential_secret("FKIAUNKNOWN").is_none());
    }
}