slack_rs/auth/

export_import.rs

//! Export and import commands for profile backup and migration

use crate::auth::crypto::{self, KdfParams};
use crate::auth::format::{self, ExportPayload, ExportProfile};
use crate::profile::{
    default_config_path, get_oauth_client_secret, load_config, make_token_key, save_config,
    store_oauth_client_secret, Profile, TokenStore, TokenStoreError,
};
use std::fs;
use std::io;
use std::path::Path;
use thiserror::Error;

#[derive(Debug, Error)]
pub enum ExportImportError {
    #[error("Profile not found: {0}")]
    ProfileNotFound(String),
    #[error("Token not found for profile: {0}")]
    TokenNotFound(String),
    #[error("No profiles to export")]
    NoProfiles,
    #[error("Export requires --yes flag for confirmation")]
    ConfirmationRequired,
    #[error("Profile already exists: {0} (use --force to overwrite)")]
    ProfileExists(String),
    #[error("Empty passphrase not allowed")]
    EmptyPassphrase,
    #[cfg(unix)]
    #[error("File permission error: {0}")]
    PermissionError(String),
    #[error("IO error: {0}")]
    Io(#[from] io::Error),
    #[error("Crypto error: {0}")]
    Crypto(#[from] crypto::CryptoError),
    #[error("Format error: {0}")]
    Format(#[from] format::FormatError),
    #[error("Storage error: {0}")]
    Storage(String),
    #[error("Token store error: {0}")]
    TokenStore(#[from] TokenStoreError),
}

pub type Result<T> = std::result::Result<T, ExportImportError>;

/// Options for export command
#[derive(Debug, Clone)]
pub struct ExportOptions {
    pub profile_name: Option<String>,
    pub all: bool,
    pub output_path: String,
    pub passphrase: String,
    pub yes: bool,
}

/// Options for import command
#[derive(Debug, Clone)]
pub struct ImportOptions {
    pub input_path: String,
    pub passphrase: String,
    pub yes: bool,
    pub force: bool,
}

/// Export profiles to encrypted file
pub fn export_profiles(token_store: &dyn TokenStore, options: &ExportOptions) -> Result<()> {
    // Require --yes confirmation
    if !options.yes {
        return Err(ExportImportError::ConfirmationRequired);
    }

    // Validate passphrase
    if options.passphrase.is_empty() {
        return Err(ExportImportError::EmptyPassphrase);
    }

    // Load profiles
    let config_path =
        default_config_path().map_err(|e| ExportImportError::Storage(e.to_string()))?;
    let config =
        load_config(&config_path).map_err(|e| ExportImportError::Storage(e.to_string()))?;

    // Select profiles to export
    let profiles_to_export: Vec<(String, &Profile)> = if options.all {
        config
            .profiles
            .iter()
            .map(|(k, v)| (k.clone(), v))
            .collect()
    } else if let Some(ref profile_name) = options.profile_name {
        let profile = config
            .get(profile_name)
            .ok_or_else(|| ExportImportError::ProfileNotFound(profile_name.clone()))?;
        vec![(profile_name.clone(), profile)]
    } else {
        // Default to "default" profile
        let profile = config
            .get("default")
            .ok_or_else(|| ExportImportError::ProfileNotFound("default".to_string()))?;
        vec![("default".to_string(), profile)]
    };

    if profiles_to_export.is_empty() {
        return Err(ExportImportError::NoProfiles);
    }

    // Build export payload
    let mut payload = ExportPayload::new();
    for (name, profile) in profiles_to_export {
        let token_key = make_token_key(&profile.team_id, &profile.user_id);
        let token = token_store
            .get(&token_key)
            .map_err(|_| ExportImportError::TokenNotFound(name.clone()))?;

        // Try to get OAuth credentials (non-fatal if not found)
        let client_id = profile.client_id.clone();
        let client_secret = get_oauth_client_secret(token_store, &name).ok();

        payload.profiles.insert(
            name,
            ExportProfile {
                team_id: profile.team_id.clone(),
                user_id: profile.user_id.clone(),
                team_name: profile.team_name.clone(),
                user_name: profile.user_name.clone(),
                token,
                client_id,
                client_secret,
            },
        );
    }

    // Encrypt payload
    let kdf_params = KdfParams {
        salt: crypto::generate_salt(),
        ..Default::default()
    };

    let key = crypto::derive_key(&options.passphrase, &kdf_params)?;
    let payload_json = serde_json::to_vec(&payload)
        .map_err(|e| ExportImportError::Format(format::FormatError::Json(e)))?;
    let encrypted = crypto::encrypt(&payload_json, &key)?;

    // Encode to binary format
    let encoded = format::encode_export(&payload, &encrypted, &kdf_params)?;

    // Check existing file permissions
    let output_path = Path::new(&options.output_path);
    if output_path.exists() {
        check_file_permissions(output_path)?;
    }

    // Write to file with 0600 permissions
    write_secure_file(output_path, &encoded)?;

    Ok(())
}

/// Import profiles from encrypted file
pub fn import_profiles(token_store: &dyn TokenStore, options: &ImportOptions) -> Result<()> {
    // Validate passphrase
    if options.passphrase.is_empty() {
        return Err(ExportImportError::EmptyPassphrase);
    }

    // Read and check file permissions
    let input_path = Path::new(&options.input_path);
    check_file_permissions(input_path)?;

    let encoded_data = fs::read(input_path)?;

    // Decode from binary format
    let decoded = format::decode_export(&encoded_data)?;

    // Decrypt payload
    let key = crypto::derive_key(&options.passphrase, &decoded.kdf_params)?;
    let payload_json = crypto::decrypt(&decoded.encrypted_data, &key)?;
    let payload: ExportPayload = serde_json::from_slice(&payload_json)
        .map_err(|e| ExportImportError::Format(format::FormatError::Json(e)))?;

    // Load existing profiles
    let config_path =
        default_config_path().map_err(|e| ExportImportError::Storage(e.to_string()))?;
    let mut config =
        load_config(&config_path).map_err(|e| ExportImportError::Storage(e.to_string()))?;

    // Check for conflicts
    // Force requires --yes
    if options.force && !options.yes {
        return Err(ExportImportError::Storage(
            "--force requires --yes to confirm overwrite".to_string(),
        ));
    }

    if !options.force {
        for (name, export_profile) in &payload.profiles {
            // Check if profile name exists
            if let Some(existing) = config.get(name) {
                // If same team_id, it's OK (update scenario)
                if existing.team_id != export_profile.team_id {
                    return Err(ExportImportError::ProfileExists(name.clone()));
                }
            }

            // Check if team_id exists under different name (conflict detection based on team_id only)
            for (existing_name, existing_profile) in &config.profiles {
                if existing_name != name && existing_profile.team_id == export_profile.team_id {
                    return Err(ExportImportError::ProfileExists(existing_name.clone()));
                }
            }
        }
    }

    // Import profiles
    for (name, export_profile) in payload.profiles {
        let profile = Profile {
            team_id: export_profile.team_id.clone(),
            user_id: export_profile.user_id.clone(),
            team_name: export_profile.team_name,
            user_name: export_profile.user_name,
            client_id: export_profile.client_id.clone(),
            redirect_uri: None, // Not exported/imported for security
            scopes: None,       // Not exported/imported for security
            bot_scopes: None,   // Not exported/imported for security
            user_scopes: None,  // Not exported/imported for security
            default_token_type: None,
        };

        config.set(name.clone(), profile);

        // Store token
        let token_key = make_token_key(&export_profile.team_id, &export_profile.user_id);
        token_store.set(&token_key, &export_profile.token)?;

        // Store OAuth client secret if present
        if let Some(client_secret) = export_profile.client_secret {
            store_oauth_client_secret(token_store, &name, &client_secret)?;
        }
    }

    // Save config
    save_config(&config_path, &config).map_err(|e| ExportImportError::Storage(e.to_string()))?;

    Ok(())
}

/// Check file permissions (Unix only)
#[cfg(unix)]
fn check_file_permissions(path: &Path) -> Result<()> {
    use std::os::unix::fs::PermissionsExt;

    if !path.exists() {
        return Ok(());
    }

    let metadata = fs::metadata(path)?;
    let permissions = metadata.permissions();
    let mode = permissions.mode();

    // Check if file is 0600 (owner read/write only)
    if mode & 0o777 != 0o600 {
        return Err(ExportImportError::PermissionError(format!(
            "File must have 0600 permissions, found: {:o}",
            mode & 0o777
        )));
    }

    Ok(())
}

/// Check file permissions (non-Unix - always succeeds)
#[cfg(not(unix))]
fn check_file_permissions(_path: &Path) -> Result<()> {
    Ok(())
}

/// Write file with secure permissions (Unix: 0600)
#[cfg(unix)]
fn write_secure_file(path: &Path, data: &[u8]) -> Result<()> {
    use std::os::unix::fs::PermissionsExt;

    // Write file
    fs::write(path, data)?;

    // Set permissions to 0600
    let mut permissions = fs::metadata(path)?.permissions();
    permissions.set_mode(0o600);
    fs::set_permissions(path, permissions)?;

    Ok(())
}

/// Write file with secure permissions (non-Unix - no permission setting)
#[cfg(not(unix))]
fn write_secure_file(path: &Path, data: &[u8]) -> Result<()> {
    fs::write(path, data)?;
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::profile::{InMemoryTokenStore, ProfilesConfig};
    use tempfile::TempDir;

    #[test]
    fn test_export_requires_yes_flag() {
        let token_store = InMemoryTokenStore::new();
        let options = ExportOptions {
            profile_name: None,
            all: false,
            output_path: "/tmp/test.export".to_string(),
            passphrase: "password".to_string(),
            yes: false,
        };

        let result = export_profiles(&token_store, &options);
        assert!(result.is_err());
        assert!(matches!(
            result.unwrap_err(),
            ExportImportError::ConfirmationRequired
        ));
    }

    #[test]
    fn test_export_empty_passphrase() {
        let token_store = InMemoryTokenStore::new();
        let options = ExportOptions {
            profile_name: None,
            all: false,
            output_path: "/tmp/test.export".to_string(),
            passphrase: "".to_string(),
            yes: true,
        };

        let result = export_profiles(&token_store, &options);
        assert!(result.is_err());
        assert!(matches!(
            result.unwrap_err(),
            ExportImportError::EmptyPassphrase
        ));
    }

    #[test]
    fn test_import_empty_passphrase() {
        let token_store = InMemoryTokenStore::new();
        let options = ImportOptions {
            input_path: "/tmp/test.export".to_string(),
            passphrase: "".to_string(),
            yes: false,
            force: false,
        };

        let result = import_profiles(&token_store, &options);
        assert!(result.is_err());
        assert!(matches!(
            result.unwrap_err(),
            ExportImportError::EmptyPassphrase
        ));
    }

    #[test]
    fn test_export_import_round_trip() {
        let temp_dir = TempDir::new().unwrap();
        let config_path = temp_dir.path().join("profiles.json");
        let _export_path = temp_dir.path().join("export.dat");

        // Set up test profile
        let mut config = ProfilesConfig::new();
        config.set(
            "test".to_string(),
            Profile {
                team_id: "T123".to_string(),
                user_id: "U456".to_string(),
                team_name: Some("Test Team".to_string()),
                user_name: Some("Test User".to_string()),
                client_id: None,
                redirect_uri: None,
                scopes: None,
                bot_scopes: None,
                user_scopes: None,
                default_token_type: None,
            },
        );
        save_config(&config_path, &config).unwrap();

        // Set up token store
        let token_store = InMemoryTokenStore::new();
        let token_key = make_token_key("T123", "U456");
        token_store.set(&token_key, "xoxb-test-token").unwrap();

        // Export (this will use default_config_path, so we need to work around that)
        // For now, skip the full integration test as it requires mocking config path
        // This is covered by crypto and format tests
    }

    #[cfg(unix)]
    #[test]
    fn test_write_secure_file_permissions() {
        use std::os::unix::fs::PermissionsExt;

        let temp_dir = TempDir::new().unwrap();
        let file_path = temp_dir.path().join("secure.dat");

        write_secure_file(&file_path, b"test data").unwrap();

        let metadata = fs::metadata(&file_path).unwrap();
        let mode = metadata.permissions().mode();

        assert_eq!(mode & 0o777, 0o600, "File should have 0600 permissions");
    }
}