promocrypt_core/

audit.rs

//! Audit trail for tracking .bin file history.
//!
//! Records creation, mastering, and generation events for compliance
//! and debugging purposes.

use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};

/// Record of a secret rotation event.
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct SecretRotation {
    /// When the rotation occurred
    pub timestamp: DateTime<Utc>,
    /// Machine ID (hex) that performed the rotation
    pub machine_id: String,
    /// SHA256 hash of old secret (for verification)
    pub old_secret_hash: String,
    /// SHA256 hash of new secret
    pub new_secret_hash: String,
}

/// Record of a machine mastering event.
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct MachineMastering {
    /// When the mastering occurred
    pub timestamp: DateTime<Utc>,
    /// Machine ID (hex) that was previously bound
    pub from_machine: String,
    /// Machine ID (hex) that is now bound
    pub to_machine: String,
    /// Machine ID (hex) that performed the mastering
    pub mastered_by: String,
}

/// Record of a configuration change.
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct ConfigChange {
    /// When the change occurred
    pub timestamp: DateTime<Utc>,
    /// Machine ID (hex) that made the change
    pub machine_id: String,
    /// Field that was changed
    pub field: String,
    /// Old value (serialized)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub old_value: Option<String>,
    /// New value (serialized)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub new_value: Option<String>,
}

/// Record of a code generation event.
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct GenerationLogEntry {
    /// When the generation occurred
    pub timestamp: DateTime<Utc>,
    /// Machine ID (hex) that generated codes
    pub machine_id: String,
    /// Number of codes generated
    pub count: u64,
    /// Starting counter value
    pub counter_start: u64,
    /// Ending counter value (exclusive)
    pub counter_end: u64,
}

/// History tracking for .bin files.
#[derive(Clone, Debug, Default, Serialize, Deserialize)]
pub struct History {
    /// Secret rotation events
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub secret_rotations: Vec<SecretRotation>,
    /// Machine mastering events
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub machine_masterings: Vec<MachineMastering>,
    /// Configuration change events
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub config_changes: Vec<ConfigChange>,
}

impl History {
    /// Create empty history.
    pub fn new() -> Self {
        Self::default()
    }

    /// Record a secret rotation.
    pub fn record_secret_rotation(
        &mut self,
        machine_id: &[u8; 32],
        old_secret_hash: &str,
        new_secret_hash: &str,
    ) {
        self.secret_rotations.push(SecretRotation {
            timestamp: Utc::now(),
            machine_id: hex::encode(machine_id),
            old_secret_hash: old_secret_hash.to_string(),
            new_secret_hash: new_secret_hash.to_string(),
        });
    }

    /// Record a machine mastering.
    pub fn record_machine_mastering(
        &mut self,
        from_machine: &[u8; 32],
        to_machine: &[u8; 32],
        mastered_by: &[u8; 32],
    ) {
        self.machine_masterings.push(MachineMastering {
            timestamp: Utc::now(),
            from_machine: hex::encode(from_machine),
            to_machine: hex::encode(to_machine),
            mastered_by: hex::encode(mastered_by),
        });
    }

    /// Record a configuration change.
    pub fn record_config_change(
        &mut self,
        machine_id: &[u8; 32],
        field: &str,
        old_value: Option<&str>,
        new_value: Option<&str>,
    ) {
        self.config_changes.push(ConfigChange {
            timestamp: Utc::now(),
            machine_id: hex::encode(machine_id),
            field: field.to_string(),
            old_value: old_value.map(String::from),
            new_value: new_value.map(String::from),
        });
    }

    /// Clear all history, optionally keeping the last N entries of each type.
    pub fn clear(&mut self, keep_last: Option<usize>) {
        if let Some(n) = keep_last {
            let sr_len = self.secret_rotations.len();
            if sr_len > n {
                self.secret_rotations = self.secret_rotations.split_off(sr_len - n);
            }

            let mm_len = self.machine_masterings.len();
            if mm_len > n {
                self.machine_masterings = self.machine_masterings.split_off(mm_len - n);
            }

            let cc_len = self.config_changes.len();
            if cc_len > n {
                self.config_changes = self.config_changes.split_off(cc_len - n);
            }
        } else {
            self.secret_rotations.clear();
            self.machine_masterings.clear();
            self.config_changes.clear();
        }
    }

    /// Export history as JSON string.
    pub fn to_json(&self) -> String {
        serde_json::to_string_pretty(self).unwrap_or_default()
    }
}

/// Audit trail information stored in .bin files.
///
/// Tracks the complete lifecycle of a promotional code configuration:
/// - When and where it was created
/// - When and to which machine it was mastered
/// - How many codes have been generated
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct AuditInfo {
    /// When the .bin file was created
    pub created_at: DateTime<Utc>,

    /// Machine ID (hex) where the file was created
    pub created_machine: String,

    /// When the file was last mastered (bound to a machine)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub mastered_at: Option<DateTime<Utc>>,

    /// Machine ID (hex) the file is currently bound to
    #[serde(skip_serializing_if = "Option::is_none")]
    pub mastered_for: Option<String>,

    /// Total number of codes generated
    pub generation_count: u64,

    /// Timestamp of last code generation
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_generated_at: Option<DateTime<Utc>>,

    /// History of changes
    #[serde(default, skip_serializing_if = "History::is_empty")]
    pub history: History,

    /// Generation log entries
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub generation_log: Vec<GenerationLogEntry>,
}

impl History {
    /// Check if history is empty.
    pub fn is_empty(&self) -> bool {
        self.secret_rotations.is_empty()
            && self.machine_masterings.is_empty()
            && self.config_changes.is_empty()
    }
}

impl AuditInfo {
    /// Create new audit info for a newly created .bin file.
    ///
    /// # Arguments
    /// * `machine_id` - The 32-byte machine ID where creation occurs
    pub fn new(machine_id: &[u8; 32]) -> Self {
        Self {
            created_at: Utc::now(),
            created_machine: hex::encode(machine_id),
            mastered_at: None,
            mastered_for: None,
            generation_count: 0,
            last_generated_at: None,
            history: History::new(),
            generation_log: Vec::new(),
        }
    }

    /// Create audit info with a specific creation timestamp.
    ///
    /// Useful for testing or restoring from backup.
    pub fn with_timestamp(machine_id: &[u8; 32], created_at: DateTime<Utc>) -> Self {
        Self {
            created_at,
            created_machine: hex::encode(machine_id),
            mastered_at: None,
            mastered_for: None,
            generation_count: 0,
            last_generated_at: None,
            history: History::new(),
            generation_log: Vec::new(),
        }
    }

    /// Record a mastering event.
    ///
    /// Called when the .bin file is bound to a new machine.
    ///
    /// # Arguments
    /// * `target_machine` - The 32-byte machine ID being mastered to
    pub fn record_master(&mut self, target_machine: &[u8; 32]) {
        self.mastered_at = Some(Utc::now());
        self.mastered_for = Some(hex::encode(target_machine));
    }

    /// Record a mastering event with history tracking.
    pub fn record_master_with_history(
        &mut self,
        from_machine: &[u8; 32],
        target_machine: &[u8; 32],
        mastered_by: &[u8; 32],
    ) {
        self.history
            .record_machine_mastering(from_machine, target_machine, mastered_by);
        self.mastered_at = Some(Utc::now());
        self.mastered_for = Some(hex::encode(target_machine));
    }

    /// Record code generation.
    ///
    /// Called after successfully generating codes.
    ///
    /// # Arguments
    /// * `count` - Number of codes generated
    pub fn record_generation(&mut self, count: u64) {
        self.generation_count = self.generation_count.saturating_add(count);
        self.last_generated_at = Some(Utc::now());
    }

    /// Record code generation with log entry.
    pub fn record_generation_with_log(
        &mut self,
        machine_id: &[u8; 32],
        count: u64,
        counter_start: u64,
    ) {
        let counter_end = counter_start.saturating_add(count);
        self.generation_log.push(GenerationLogEntry {
            timestamp: Utc::now(),
            machine_id: hex::encode(machine_id),
            count,
            counter_start,
            counter_end,
        });
        self.generation_count = self.generation_count.saturating_add(count);
        self.last_generated_at = Some(Utc::now());
    }

    /// Check if the file has been mastered (bound to a machine).
    pub fn is_mastered(&self) -> bool {
        self.mastered_for.is_some()
    }

    /// Get the machine ID this file is bound to, if any.
    pub fn bound_machine(&self) -> Option<&str> {
        self.mastered_for.as_deref()
    }

    /// Get creation machine ID as bytes.
    pub fn created_machine_bytes(&self) -> Option<[u8; 32]> {
        Self::hex_to_machine_id(&self.created_machine)
    }

    /// Get mastered machine ID as bytes.
    pub fn mastered_machine_bytes(&self) -> Option<[u8; 32]> {
        self.mastered_for
            .as_ref()
            .and_then(|s| Self::hex_to_machine_id(s))
    }

    /// Convert hex string to machine ID bytes.
    fn hex_to_machine_id(hex_str: &str) -> Option<[u8; 32]> {
        let bytes = hex::decode(hex_str).ok()?;
        if bytes.len() != 32 {
            return None;
        }
        let mut arr = [0u8; 32];
        arr.copy_from_slice(&bytes);
        Some(arr)
    }

    /// Get total codes generated from generation log.
    pub fn total_codes_from_log(&self) -> u64 {
        self.generation_log.iter().map(|e| e.count).sum()
    }

    /// Get generation log.
    pub fn get_generation_log(&self) -> &[GenerationLogEntry] {
        &self.generation_log
    }

    /// Get history.
    pub fn get_history(&self) -> &History {
        &self.history
    }

    /// Clear generation log, optionally keeping the last N entries.
    pub fn clear_generation_log(&mut self, keep_last: Option<usize>) {
        if let Some(n) = keep_last {
            let len = self.generation_log.len();
            if len > n {
                self.generation_log = self.generation_log.split_off(len - n);
            }
        } else {
            self.generation_log.clear();
        }
    }

    /// Clear history.
    pub fn clear_history(&mut self, keep_last: Option<usize>) {
        self.history.clear(keep_last);
    }

    /// Export generation log as JSON.
    pub fn export_generation_log(&self) -> String {
        serde_json::to_string_pretty(&self.generation_log).unwrap_or_default()
    }

    /// Export history as JSON.
    pub fn export_history(&self) -> String {
        self.history.to_json()
    }

    /// Create a human-readable summary of the audit info.
    pub fn summary(&self) -> String {
        let mut lines = Vec::new();

        lines.push(format!(
            "Created: {}",
            self.created_at.format("%Y-%m-%d %H:%M:%S UTC")
        ));
        lines.push(format!("Created on: {}...", &self.created_machine[..16]));

        if let Some(mastered_at) = &self.mastered_at {
            lines.push(format!(
                "Mastered: {}",
                mastered_at.format("%Y-%m-%d %H:%M:%S UTC")
            ));
        }

        if let Some(mastered_for) = &self.mastered_for {
            lines.push(format!("Bound to: {}...", &mastered_for[..16]));
        }

        lines.push(format!("Codes generated: {}", self.generation_count));

        if let Some(last) = &self.last_generated_at {
            lines.push(format!(
                "Last generated: {}",
                last.format("%Y-%m-%d %H:%M:%S UTC")
            ));
        }

        if !self.generation_log.is_empty() {
            lines.push(format!(
                "Generation log entries: {}",
                self.generation_log.len()
            ));
        }

        if !self.history.is_empty() {
            lines.push(format!(
                "History: {} rotations, {} masterings, {} config changes",
                self.history.secret_rotations.len(),
                self.history.machine_masterings.len(),
                self.history.config_changes.len()
            ));
        }

        lines.join("\n")
    }
}

impl Default for AuditInfo {
    fn default() -> Self {
        Self {
            created_at: Utc::now(),
            created_machine: "0".repeat(64),
            mastered_at: None,
            mastered_for: None,
            generation_count: 0,
            last_generated_at: None,
            history: History::new(),
            generation_log: Vec::new(),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_new_audit() {
        let machine_id = [0xABu8; 32];
        let audit = AuditInfo::new(&machine_id);

        assert_eq!(audit.created_machine, "ab".repeat(32));
        assert!(!audit.is_mastered());
        assert_eq!(audit.generation_count, 0);
        assert!(audit.last_generated_at.is_none());
    }

    #[test]
    fn test_record_master() {
        let machine_id = [0xABu8; 32];
        let mut audit = AuditInfo::new(&machine_id);

        let target_machine = [0xCDu8; 32];
        audit.record_master(&target_machine);

        assert!(audit.is_mastered());
        assert!(audit.mastered_at.is_some());
        assert_eq!(audit.mastered_for, Some("cd".repeat(32)));
    }

    #[test]
    fn test_record_generation() {
        let machine_id = [0xABu8; 32];
        let mut audit = AuditInfo::new(&machine_id);

        audit.record_generation(100);
        assert_eq!(audit.generation_count, 100);
        assert!(audit.last_generated_at.is_some());

        audit.record_generation(50);
        assert_eq!(audit.generation_count, 150);
    }

    #[test]
    fn test_generation_count_overflow() {
        let machine_id = [0xABu8; 32];
        let mut audit = AuditInfo::new(&machine_id);

        audit.generation_count = u64::MAX - 10;
        audit.record_generation(100);

        // Should saturate, not overflow
        assert_eq!(audit.generation_count, u64::MAX);
    }

    #[test]
    fn test_machine_id_conversion() {
        let machine_id = [0xABu8; 32];
        let audit = AuditInfo::new(&machine_id);

        let recovered = audit.created_machine_bytes().unwrap();
        assert_eq!(recovered, machine_id);
    }

    #[test]
    fn test_serialization() {
        let machine_id = [0xABu8; 32];
        let mut audit = AuditInfo::new(&machine_id);
        audit.record_generation(42);

        let json = serde_json::to_string(&audit).unwrap();
        let recovered: AuditInfo = serde_json::from_str(&json).unwrap();

        assert_eq!(recovered.created_machine, audit.created_machine);
        assert_eq!(recovered.generation_count, 42);
    }

    #[test]
    fn test_summary() {
        let machine_id = [0xABu8; 32];
        let mut audit = AuditInfo::new(&machine_id);
        audit.record_generation(100);

        let summary = audit.summary();
        assert!(summary.contains("Created:"));
        assert!(summary.contains("Codes generated: 100"));
    }
}