raps_kernel/

storage.rs

// SPDX-License-Identifier: Apache-2.0
// Copyright 2024-2025 Dmytro Yemelianov

//! Token storage abstraction supporting both file-based and OS keychain storage

use anyhow::{Context, Result};
use std::path::PathBuf;

use crate::types::StoredToken;

/// Storage backend type
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum StorageBackend {
    /// File-based storage (DEPRECATED - use only as fallback)
    File,
    /// OS keychain storage (Windows Credential Manager, macOS Keychain, Linux Secret Service) - DEFAULT
    Keychain,
}

impl StorageBackend {
    /// Determine storage backend from profile configuration or environment
    /// Defaults to Keychain for security, falls back to File only if explicitly disabled
    pub fn from_env() -> Self {
        // First check profile configuration
        if is_keychain_disabled_in_profile() {
            tracing::warn!(
                "File-based token storage enabled in profile. \
                 Tokens will be stored in plaintext. \
                 Consider: raps config set use_keychain true"
            );
            return StorageBackend::File;
        }

        // Fall back to environment variable for backward compatibility
        let use_file = std::env::var("RAPS_USE_FILE_STORAGE")
            .ok()
            .map(|v| matches!(v.to_lowercase().as_str(), "true" | "1" | "yes" | "on"))
            .unwrap_or(false);

        if use_file {
            tracing::warn!(
                "File-based token storage via RAPS_USE_FILE_STORAGE. \
                 Tokens will be stored in plaintext. \
                 Remove the env var to use keychain storage."
            );
            StorageBackend::File
        } else {
            // Default to keychain for security
            StorageBackend::Keychain
        }
    }
}

/// Helper function to check if keychain is disabled in profile configuration
fn is_keychain_disabled_in_profile() -> bool {
    // Avoid circular dependency by checking the profile file directly
    let proj_dirs = match directories::ProjectDirs::from("com", "autodesk", "raps") {
        Some(dirs) => dirs,
        None => return false,
    };

    let profiles_path = proj_dirs.config_dir().join("profiles.json");
    if !profiles_path.exists() {
        return false;
    }

    let content = match std::fs::read_to_string(&profiles_path) {
        Ok(c) => c,
        Err(_) => return false,
    };

    // Parse JSON to check use_keychain setting
    if let Ok(data) = serde_json::from_str::<serde_json::Value>(&content)
        && let Some(active) = data["active_profile"].as_str()
        && let Some(profile) = data["profiles"][active].as_object()
        && let Some(use_keychain) = profile.get("use_keychain")
    {
        return use_keychain.as_bool() == Some(false);
    }

    false
}

/// Token storage abstraction
pub struct TokenStorage {
    backend: StorageBackend,
    service_name: String,
    username: String,
}

impl TokenStorage {
    /// Create a new token storage instance
    pub fn new(backend: StorageBackend) -> Self {
        Self {
            backend,
            service_name: "raps".to_string(),
            username: "aps_token".to_string(),
        }
    }

    /// Get the file path for file-based storage
    fn token_file_path() -> Result<PathBuf> {
        let dirs = directories::ProjectDirs::from("com", "autodesk", "raps").ok_or_else(|| {
            anyhow::anyhow!("Failed to determine project directories (no home directory?)")
        })?;
        Ok(dirs.config_dir().join("tokens.json"))
    }

    /// Save token using the configured backend
    pub fn save(&self, token: &StoredToken) -> Result<()> {
        match self.backend {
            StorageBackend::File => self.save_file(token),
            StorageBackend::Keychain => self.save_keychain(token),
        }
    }

    /// Load token using the configured backend
    pub fn load(&self) -> Result<Option<StoredToken>> {
        match self.backend {
            StorageBackend::File => self.load_file(),
            StorageBackend::Keychain => self.load_keychain(),
        }
    }

    /// Delete token using the configured backend
    pub fn delete(&self) -> Result<()> {
        match self.backend {
            StorageBackend::File => self.delete_file(),
            StorageBackend::Keychain => self.delete_keychain(),
        }
    }

    /// Save token to file (INSECURE - logs warning)
    ///
    /// Uses synchronous I/O intentionally: token files are ~200 bytes and written
    /// at most once per CLI invocation. The sub-microsecond I/O cost is far less
    /// than the overhead of `spawn_blocking` thread-pool scheduling.
    fn save_file(&self, token: &StoredToken) -> Result<()> {
        tracing::warn!("Storing token in plaintext file. Use keychain for better security.");
        let path = Self::token_file_path()?;
        if let Some(parent) = path.parent() {
            std::fs::create_dir_all(parent)?;
        }

        // Add a warning to the file itself
        let json = serde_json::json!({
            "_warning": "This file contains sensitive authentication tokens in plaintext. Consider using keychain storage.",
            "access_token": token.access_token,
            "refresh_token": token.refresh_token,
            "expires_at": token.expires_at,
            "scopes": token.scopes,
        });

        let json_string = serde_json::to_string_pretty(&json)?;
        std::fs::write(&path, json_string)?;

        // Set restrictive permissions on Unix-like systems
        #[cfg(unix)]
        {
            use std::os::unix::fs::PermissionsExt;
            let mut perms = std::fs::metadata(&path)?.permissions();
            perms.set_mode(0o600); // Read/write for owner only
            std::fs::set_permissions(&path, perms)?;
        }

        Ok(())
    }

    /// Load token from file
    fn load_file(&self) -> Result<Option<StoredToken>> {
        let path = Self::token_file_path()?;
        if !path.exists() {
            return Ok(None);
        }

        tracing::warn!(
            "Loading token from plaintext file. Consider migrating to keychain storage."
        );

        let contents = std::fs::read_to_string(&path)?;

        // Try to parse as our new format with warning field
        if let Ok(json_value) = serde_json::from_str::<serde_json::Value>(&contents) {
            // Extract the token fields, ignoring the _warning field
            let token = StoredToken {
                access_token: json_value["access_token"]
                    .as_str()
                    .ok_or_else(|| anyhow::anyhow!("Missing access_token"))?
                    .to_string(),
                refresh_token: json_value["refresh_token"].as_str().map(|s| s.to_string()),
                expires_at: json_value["expires_at"].as_i64().unwrap_or(0),
                scopes: json_value["scopes"]
                    .as_array()
                    .and_then(|arr| {
                        arr.iter()
                            .map(|v| v.as_str().map(|s| s.to_string()))
                            .collect::<Option<Vec<_>>>()
                    })
                    .unwrap_or_default(),
            };
            return Ok(Some(token));
        }

        // Fall back to parsing as the old format
        let token: StoredToken =
            serde_json::from_str(&contents).context("Failed to parse token file")?;
        Ok(Some(token))
    }

    /// Delete token file
    fn delete_file(&self) -> Result<()> {
        let path = Self::token_file_path()?;
        if path.exists() {
            std::fs::remove_file(&path)?;
        }
        Ok(())
    }

    /// Save token to OS keychain
    fn save_keychain(&self, token: &StoredToken) -> Result<()> {
        // Serialize token to JSON
        let json = serde_json::to_string(token).context("Failed to serialize token")?;

        // Store in keychain
        let entry = match keyring::Entry::new(&self.service_name, &self.username) {
            Ok(e) => e,
            Err(e) => {
                // If keyring is not available, fall back to file storage
                tracing::warn!(error = %e, "Keychain not available, using file storage instead. This is normal on headless servers and CI/CD. To silence this, set RAPS_STORAGE_BACKEND=file");
                return self.save_file(token);
            }
        };

        match entry.set_password(&json) {
            Ok(()) => Ok(()),
            Err(e) => {
                // If keychain save fails, fall back to file storage
                tracing::warn!(error = %e, "Keychain save failed, using file storage instead. This is normal on headless servers and CI/CD. To silence this, set RAPS_STORAGE_BACKEND=file");
                self.save_file(token)
            }
        }
    }

    /// Load token from OS keychain
    fn load_keychain(&self) -> Result<Option<StoredToken>> {
        let entry = match keyring::Entry::new(&self.service_name, &self.username) {
            Ok(e) => e,
            Err(e) => {
                tracing::warn!(error = %e, "Keychain not available, using file storage instead. This is normal on headless servers and CI/CD. To silence this, set RAPS_STORAGE_BACKEND=file");
                return self.load_file();
            }
        };

        match entry.get_password() {
            Ok(json) => {
                let token: StoredToken =
                    serde_json::from_str(&json).context("Failed to parse token from keychain")?;
                Ok(Some(token))
            }
            Err(keyring::Error::NoEntry) => {
                // If not in keychain, it might be in the file fallback
                self.load_file()
            }
            Err(e) => {
                tracing::warn!(error = %e, "Keychain load failed, using file storage instead. This is normal on headless servers and CI/CD. To silence this, set RAPS_STORAGE_BACKEND=file");
                self.load_file()
            }
        }
    }

    /// Delete token from OS keychain
    fn delete_keychain(&self) -> Result<()> {
        let entry = match keyring::Entry::new(&self.service_name, &self.username) {
            Ok(e) => e,
            Err(_) => {
                // If keyring is not available, try deleting file storage
                return self.delete_file();
            }
        };

        match entry.delete_password() {
            Ok(()) => {
                // Also delete file storage if it exists (for migration)
                self.delete_file().ok();
                Ok(())
            }
            Err(keyring::Error::NoEntry) => {
                // Already deleted, also try file storage
                self.delete_file()
            }
            Err(e) => {
                // If keychain delete fails, try file storage
                tracing::warn!(error = %e, "Keychain delete failed, using file storage instead. This is normal on headless servers and CI/CD. To silence this, set RAPS_STORAGE_BACKEND=file");
                self.delete_file()
            }
        }
    }

    /// Get the current backend being used
    #[allow(dead_code)]
    pub fn backend(&self) -> StorageBackend {
        self.backend
    }

    /// Migrate tokens from file storage to keychain storage
    #[allow(dead_code)]
    pub fn migrate_to_keychain() -> Result<()> {
        println!("Migrating tokens from file storage to secure keychain storage...");

        // First, try to load from file storage
        let file_storage = TokenStorage::new(StorageBackend::File);
        let token = match file_storage.load()? {
            Some(t) => t,
            None => {
                println!("No tokens found in file storage.");
                return Ok(());
            }
        };

        // Save to keychain
        let keychain_storage = TokenStorage::new(StorageBackend::Keychain);
        keychain_storage.save(&token)?;
        println!("Token successfully migrated to keychain storage.");

        // Delete the file storage
        file_storage.delete_file()?;
        println!("Removed plaintext token file.");

        println!("Migration complete! Your tokens are now securely stored in the OS keychain.");
        Ok(())
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    // ==================== StorageBackend Tests ====================
    // Note: StorageBackend::from_env() tests are skipped because they depend on
    // user's profile configuration (use_keychain setting) which takes precedence
    // over environment variables. We test the enum values and TokenStorage directly.

    #[test]
    fn test_storage_backend_enum_values() {
        // Verify enum variants exist and can be created
        let file = StorageBackend::File;
        let keychain = StorageBackend::Keychain;
        assert_ne!(file, keychain);
    }

    // ==================== TokenStorage Tests ====================

    #[test]
    fn test_token_storage_new_file() {
        let storage = TokenStorage::new(StorageBackend::File);
        assert_eq!(storage.backend(), StorageBackend::File);
    }

    #[test]
    fn test_token_storage_new_keychain() {
        let storage = TokenStorage::new(StorageBackend::Keychain);
        assert_eq!(storage.backend(), StorageBackend::Keychain);
    }

    #[test]
    fn test_token_storage_service_name() {
        let storage = TokenStorage::new(StorageBackend::Keychain);
        assert_eq!(storage.service_name, "raps");
    }

    #[test]
    fn test_token_storage_username() {
        let storage = TokenStorage::new(StorageBackend::Keychain);
        assert_eq!(storage.username, "aps_token");
    }

    #[test]
    fn test_token_file_path_exists() {
        let path = TokenStorage::token_file_path().expect("should resolve project dirs");
        assert!(path.ends_with("tokens.json"));
        assert!(path.to_string_lossy().contains("raps"));
    }

    // ==================== StorageBackend Equality Tests ====================

    #[test]
    fn test_storage_backend_equality() {
        assert_eq!(StorageBackend::File, StorageBackend::File);
        assert_eq!(StorageBackend::Keychain, StorageBackend::Keychain);
        assert_ne!(StorageBackend::File, StorageBackend::Keychain);
    }

    #[test]
    fn test_storage_backend_clone() {
        let backend = StorageBackend::File;
        let cloned = backend;
        assert_eq!(backend, cloned);
    }

    #[test]
    fn test_storage_backend_debug() {
        let backend = StorageBackend::Keychain;
        let debug_str = format!("{:?}", backend);
        assert!(debug_str.contains("Keychain"));
    }
}