mecha10_core/

auth.rs

//! Authorization and Access Control
//!
//! Provides role-based access control (RBAC) for pub/sub topics.
//! Enables controlling which nodes can publish/subscribe to specific topics.
//!
//! # Architecture
//!
//! - Simple role-based permissions
//! - Wildcard pattern matching for topics
//! - Policies stored in Redis
//! - Optional enforcement (can be disabled for development)
//!
//! # Example
//!
//! ```rust
//! use mecha10::prelude::*;
//! use mecha10::auth::{AuthExt, Policy, Permission};
//!
//! # async fn example(ctx: &Context) -> Result<()> {
//! // Define a policy
//! let policy = Policy::new("camera_driver")
//!     .allow(Permission::Publish, "/sensors/camera/*")
//!     .allow(Permission::Subscribe, "/control/camera/*");
//!
//! ctx.register_policy(&policy).await?;
//!
//! // Assign role to node
//! ctx.assign_role("camera-1", "camera_driver").await?;
//!
//! // Check permission (automatically done in pub/sub)
//! let allowed = ctx.check_permission(
//!     "camera-1",
//!     Permission::Publish,
//!     "/sensors/camera/rgb"
//! ).await?;
//!
//! # Ok(())
//! # }
//! ```

use crate::context::Context;
use crate::error::{Mecha10Error, Result};
use serde::{Deserialize, Serialize};

/// Permission type
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum Permission {
    /// Permission to publish to a topic
    Publish,
    /// Permission to subscribe to a topic
    Subscribe,
}

impl Permission {
    #[allow(dead_code)]
    fn as_str(&self) -> &str {
        match self {
            Permission::Publish => "publish",
            Permission::Subscribe => "subscribe",
        }
    }
}

/// Access control rule
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Rule {
    /// Permission type
    pub permission: Permission,

    /// Topic pattern (supports wildcards: /sensors/*)
    pub topic_pattern: String,
}

impl Rule {
    /// Create a new rule
    pub fn new(permission: Permission, topic_pattern: impl Into<String>) -> Self {
        Self {
            permission,
            topic_pattern: topic_pattern.into(),
        }
    }

    /// Check if a topic matches this rule's pattern
    pub fn matches(&self, topic: &str) -> bool {
        matches_pattern(&self.topic_pattern, topic)
    }
}

/// Policy defining permissions for a role
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Policy {
    /// Role name
    pub role: String,

    /// Access control rules
    pub rules: Vec<Rule>,

    /// Policy description
    #[serde(default)]
    pub description: String,
}

impl Policy {
    /// Create a new policy for a role
    pub fn new(role: impl Into<String>) -> Self {
        Self {
            role: role.into(),
            rules: Vec::new(),
            description: String::new(),
        }
    }

    /// Set description
    pub fn with_description(mut self, description: impl Into<String>) -> Self {
        self.description = description.into();
        self
    }

    /// Add a permission rule
    pub fn allow(mut self, permission: Permission, topic_pattern: impl Into<String>) -> Self {
        self.rules.push(Rule::new(permission, topic_pattern));
        self
    }

    /// Add publish permission
    pub fn allow_publish(self, topic_pattern: impl Into<String>) -> Self {
        self.allow(Permission::Publish, topic_pattern)
    }

    /// Add subscribe permission
    pub fn allow_subscribe(self, topic_pattern: impl Into<String>) -> Self {
        self.allow(Permission::Subscribe, topic_pattern)
    }

    /// Check if this policy allows a specific action
    pub fn allows(&self, permission: Permission, topic: &str) -> bool {
        self.rules
            .iter()
            .any(|rule| rule.permission == permission && rule.matches(topic))
    }

    /// Get Redis key for this policy
    fn redis_key(&self) -> String {
        format!("mecha10:auth:policies:{}", self.role)
    }

    /// Get Redis key for policies list
    fn redis_list_key() -> String {
        "mecha10:auth:policies:list".to_string()
    }

    /// Get Redis key for node role assignment
    fn redis_role_key(node_id: &str) -> String {
        format!("mecha10:auth:roles:{}", node_id)
    }
}

/// Authorization extension trait for Context
pub trait AuthExt {
    /// Register a policy
    ///
    /// # Arguments
    ///
    /// * `policy` - Policy to register
    ///
    /// # Example
    ///
    /// ```rust
    /// use mecha10::prelude::*;
    /// use mecha10::auth::{AuthExt, Policy, Permission};
    ///
    /// # async fn example(ctx: &Context) -> Result<()> {
    /// let policy = Policy::new("camera_driver")
    ///     .allow_publish("/sensors/camera/*")
    ///     .allow_subscribe("/control/camera/*");
    ///
    /// ctx.register_policy(&policy).await?;
    /// # Ok(())
    /// # }
    /// ```
    fn register_policy(&self, policy: &Policy) -> impl std::future::Future<Output = Result<()>> + Send;

    /// Get a policy by role name
    ///
    /// # Arguments
    ///
    /// * `role` - Role name
    fn get_policy(&self, role: &str) -> impl std::future::Future<Output = Result<Option<Policy>>> + Send;

    /// List all registered policies
    fn list_policies(&self) -> impl std::future::Future<Output = Result<Vec<Policy>>> + Send;

    /// Assign a role to a node
    ///
    /// # Arguments
    ///
    /// * `node_id` - Node identifier
    /// * `role` - Role to assign
    fn assign_role(&self, node_id: &str, role: &str) -> impl std::future::Future<Output = Result<()>> + Send;

    /// Get the role assigned to a node
    ///
    /// # Arguments
    ///
    /// * `node_id` - Node identifier
    fn get_role(&self, node_id: &str) -> impl std::future::Future<Output = Result<Option<String>>> + Send;

    /// Check if a node has permission to perform an action on a topic
    ///
    /// # Arguments
    ///
    /// * `node_id` - Node identifier
    /// * `permission` - Permission type (Publish/Subscribe)
    /// * `topic` - Topic path
    ///
    /// # Returns
    ///
    /// `true` if permission is granted, `false` otherwise
    fn check_permission(
        &self,
        node_id: &str,
        permission: Permission,
        topic: &str,
    ) -> impl std::future::Future<Output = Result<bool>> + Send;

    /// Delete a policy
    ///
    /// # Arguments
    ///
    /// * `role` - Role name
    fn delete_policy(&self, role: &str) -> impl std::future::Future<Output = Result<()>> + Send;

    /// Remove role assignment from a node
    ///
    /// # Arguments
    ///
    /// * `node_id` - Node identifier
    fn unassign_role(&self, node_id: &str) -> impl std::future::Future<Output = Result<()>> + Send;
}

impl AuthExt for Context {
    async fn register_policy(&self, policy: &Policy) -> Result<()> {
        #[cfg(feature = "messaging")]
        {
            use redis::AsyncCommands;

            let redis_url = Context::get_redis_url()?;
            let client = redis::Client::open(redis_url.as_str()).map_err(|e| Mecha10Error::MessagingError {
                message: format!("Failed to connect to Redis: {}", e),
                suggestion: "Ensure Redis is running".to_string(),
            })?;

            let mut conn =
                client
                    .get_multiplexed_async_connection()
                    .await
                    .map_err(|e| Mecha10Error::MessagingError {
                        message: format!("Failed to get Redis connection: {}", e),
                        suggestion: "Ensure Redis is running".to_string(),
                    })?;

            // Serialize policy
            let policy_json = serde_json::to_string(&policy)
                .map_err(|e| Mecha10Error::Other(format!("Failed to serialize policy: {}", e)))?;

            // Store policy
            let key = policy.redis_key();
            conn.set::<_, _, ()>(&key, &policy_json)
                .await
                .map_err(|e| Mecha10Error::MessagingError {
                    message: format!("Failed to register policy: {}", e),
                    suggestion: "Check Redis connection".to_string(),
                })?;

            // Add to policies list
            let list_key = Policy::redis_list_key();
            conn.sadd::<_, _, ()>(&list_key, &policy.role)
                .await
                .map_err(|e| Mecha10Error::MessagingError {
                    message: format!("Failed to update policy list: {}", e),
                    suggestion: "Check Redis connection".to_string(),
                })?;

            Ok(())
        }

        #[cfg(not(feature = "messaging"))]
        {
            Err(Mecha10Error::Other("Messaging feature not enabled".to_string()))
        }
    }

    async fn get_policy(&self, role: &str) -> Result<Option<Policy>> {
        #[cfg(feature = "messaging")]
        {
            use redis::AsyncCommands;

            let redis_url = Context::get_redis_url()?;
            let client = redis::Client::open(redis_url.as_str()).map_err(|e| Mecha10Error::MessagingError {
                message: format!("Failed to connect to Redis: {}", e),
                suggestion: "Ensure Redis is running".to_string(),
            })?;

            let mut conn =
                client
                    .get_multiplexed_async_connection()
                    .await
                    .map_err(|e| Mecha10Error::MessagingError {
                        message: format!("Failed to get Redis connection: {}", e),
                        suggestion: "Ensure Redis is running".to_string(),
                    })?;

            let key = format!("mecha10:auth:policies:{}", role);
            let json: Option<String> = conn.get(&key).await.map_err(|e| Mecha10Error::MessagingError {
                message: format!("Failed to get policy: {}", e),
                suggestion: "Check Redis connection".to_string(),
            })?;

            if let Some(json) = json {
                let policy = serde_json::from_str::<Policy>(&json)
                    .map_err(|e| Mecha10Error::Other(format!("Failed to parse policy: {}", e)))?;
                Ok(Some(policy))
            } else {
                Ok(None)
            }
        }

        #[cfg(not(feature = "messaging"))]
        {
            Err(Mecha10Error::Other("Messaging feature not enabled".to_string()))
        }
    }

    async fn list_policies(&self) -> Result<Vec<Policy>> {
        #[cfg(feature = "messaging")]
        {
            use redis::AsyncCommands;

            let redis_url = Context::get_redis_url()?;
            let client = redis::Client::open(redis_url.as_str()).map_err(|e| Mecha10Error::MessagingError {
                message: format!("Failed to connect to Redis: {}", e),
                suggestion: "Ensure Redis is running".to_string(),
            })?;

            let mut conn =
                client
                    .get_multiplexed_async_connection()
                    .await
                    .map_err(|e| Mecha10Error::MessagingError {
                        message: format!("Failed to get Redis connection: {}", e),
                        suggestion: "Ensure Redis is running".to_string(),
                    })?;

            // Get all role names
            let list_key = Policy::redis_list_key();
            let roles: Vec<String> = conn
                .smembers(&list_key)
                .await
                .map_err(|e| Mecha10Error::MessagingError {
                    message: format!("Failed to get policy list: {}", e),
                    suggestion: "Check Redis connection".to_string(),
                })?;

            // Get each policy
            let mut policies = Vec::new();
            for role in roles {
                if let Some(policy) = self.get_policy(&role).await? {
                    policies.push(policy);
                }
            }

            Ok(policies)
        }

        #[cfg(not(feature = "messaging"))]
        {
            Err(Mecha10Error::Other("Messaging feature not enabled".to_string()))
        }
    }

    async fn assign_role(&self, node_id: &str, role: &str) -> Result<()> {
        #[cfg(feature = "messaging")]
        {
            use redis::AsyncCommands;

            let redis_url = Context::get_redis_url()?;
            let client = redis::Client::open(redis_url.as_str()).map_err(|e| Mecha10Error::MessagingError {
                message: format!("Failed to connect to Redis: {}", e),
                suggestion: "Ensure Redis is running".to_string(),
            })?;

            let mut conn =
                client
                    .get_multiplexed_async_connection()
                    .await
                    .map_err(|e| Mecha10Error::MessagingError {
                        message: format!("Failed to get Redis connection: {}", e),
                        suggestion: "Ensure Redis is running".to_string(),
                    })?;

            let key = Policy::redis_role_key(node_id);
            conn.set::<_, _, ()>(&key, role)
                .await
                .map_err(|e| Mecha10Error::MessagingError {
                    message: format!("Failed to assign role: {}", e),
                    suggestion: "Check Redis connection".to_string(),
                })?;

            Ok(())
        }

        #[cfg(not(feature = "messaging"))]
        {
            Err(Mecha10Error::Other("Messaging feature not enabled".to_string()))
        }
    }

    async fn get_role(&self, node_id: &str) -> Result<Option<String>> {
        #[cfg(feature = "messaging")]
        {
            use redis::AsyncCommands;

            let redis_url = Context::get_redis_url()?;
            let client = redis::Client::open(redis_url.as_str()).map_err(|e| Mecha10Error::MessagingError {
                message: format!("Failed to connect to Redis: {}", e),
                suggestion: "Ensure Redis is running".to_string(),
            })?;

            let mut conn =
                client
                    .get_multiplexed_async_connection()
                    .await
                    .map_err(|e| Mecha10Error::MessagingError {
                        message: format!("Failed to get Redis connection: {}", e),
                        suggestion: "Ensure Redis is running".to_string(),
                    })?;

            let key = Policy::redis_role_key(node_id);
            let role: Option<String> = conn.get(&key).await.map_err(|e| Mecha10Error::MessagingError {
                message: format!("Failed to get role: {}", e),
                suggestion: "Check Redis connection".to_string(),
            })?;

            Ok(role)
        }

        #[cfg(not(feature = "messaging"))]
        {
            Err(Mecha10Error::Other("Messaging feature not enabled".to_string()))
        }
    }

    async fn check_permission(&self, node_id: &str, permission: Permission, topic: &str) -> Result<bool> {
        // Get node's role
        let role = match self.get_role(node_id).await? {
            Some(role) => role,
            None => return Ok(false), // No role = no permissions
        };

        // Get policy for role
        let policy = match self.get_policy(&role).await? {
            Some(policy) => policy,
            None => return Ok(false), // No policy = no permissions
        };

        // Check if policy allows this action
        Ok(policy.allows(permission, topic))
    }

    async fn delete_policy(&self, role: &str) -> Result<()> {
        #[cfg(feature = "messaging")]
        {
            use redis::AsyncCommands;

            let redis_url = Context::get_redis_url()?;
            let client = redis::Client::open(redis_url.as_str()).map_err(|e| Mecha10Error::MessagingError {
                message: format!("Failed to connect to Redis: {}", e),
                suggestion: "Ensure Redis is running".to_string(),
            })?;

            let mut conn =
                client
                    .get_multiplexed_async_connection()
                    .await
                    .map_err(|e| Mecha10Error::MessagingError {
                        message: format!("Failed to get Redis connection: {}", e),
                        suggestion: "Ensure Redis is running".to_string(),
                    })?;

            // Delete policy
            let key = format!("mecha10:auth:policies:{}", role);
            conn.del::<_, ()>(&key)
                .await
                .map_err(|e| Mecha10Error::MessagingError {
                    message: format!("Failed to delete policy: {}", e),
                    suggestion: "Check Redis connection".to_string(),
                })?;

            // Remove from list
            let list_key = Policy::redis_list_key();
            conn.srem::<_, _, ()>(&list_key, role)
                .await
                .map_err(|e| Mecha10Error::MessagingError {
                    message: format!("Failed to update policy list: {}", e),
                    suggestion: "Check Redis connection".to_string(),
                })?;

            Ok(())
        }

        #[cfg(not(feature = "messaging"))]
        {
            Err(Mecha10Error::Other("Messaging feature not enabled".to_string()))
        }
    }

    async fn unassign_role(&self, node_id: &str) -> Result<()> {
        #[cfg(feature = "messaging")]
        {
            use redis::AsyncCommands;

            let redis_url = Context::get_redis_url()?;
            let client = redis::Client::open(redis_url.as_str()).map_err(|e| Mecha10Error::MessagingError {
                message: format!("Failed to connect to Redis: {}", e),
                suggestion: "Ensure Redis is running".to_string(),
            })?;

            let mut conn =
                client
                    .get_multiplexed_async_connection()
                    .await
                    .map_err(|e| Mecha10Error::MessagingError {
                        message: format!("Failed to get Redis connection: {}", e),
                        suggestion: "Ensure Redis is running".to_string(),
                    })?;

            let key = Policy::redis_role_key(node_id);
            conn.del::<_, ()>(&key)
                .await
                .map_err(|e| Mecha10Error::MessagingError {
                    message: format!("Failed to unassign role: {}", e),
                    suggestion: "Check Redis connection".to_string(),
                })?;

            Ok(())
        }

        #[cfg(not(feature = "messaging"))]
        {
            Err(Mecha10Error::Other("Messaging feature not enabled".to_string()))
        }
    }
}

/// Check if a topic matches a pattern
///
/// Uses the same glob matching implementation as aggregated topics,
/// supporting full glob syntax including *, **, ?, [abc], {a,b}, etc.
///
/// # Examples
///
/// ```
/// # use mecha10_core::auth::matches_pattern;
/// assert!(matches_pattern("/sensors/*", "/sensors/camera"));
/// assert!(matches_pattern("/sensors/*/rgb", "/sensors/camera/rgb"));
/// assert!(!matches_pattern("/sensors/*", "/control/motor"));
///
/// // Advanced patterns
/// assert!(matches_pattern("/sensors/**", "/sensors/camera/left/rgb"));
/// assert!(matches_pattern("/sensors/camera?", "/sensors/camera1"));
/// assert!(matches_pattern("/sensors/{left,right}", "/sensors/left"));
/// ```
pub fn matches_pattern(pattern: &str, topic: &str) -> bool {
    // Use the centralized glob matching from aggregated module
    crate::aggregated::pattern::matches_pattern(topic, pattern)
}