tryaudex_core/

broker.rs

use std::collections::HashMap;
use std::time::Duration;

use serde::{Deserialize, Serialize};

use crate::error::{AvError, Result};
use crate::server::{CredentialRequest, CredentialResponse};

/// Broker client configuration.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BrokerConfig {
    /// Audex server URL (e.g. "http://localhost:8080")
    pub url: String,
    /// API key for authentication
    pub api_key: Option<String>,
    /// Request timeout in seconds (default: 30)
    #[serde(default = "default_timeout")]
    pub timeout: u64,
    /// Default provider for requests
    pub default_provider: Option<String>,
    /// Default role ARN for requests
    pub default_role_arn: Option<String>,
}

fn default_timeout() -> u64 {
    30
}

impl Default for BrokerConfig {
    fn default() -> Self {
        Self {
            url: "http://localhost:8080".to_string(),
            api_key: None,
            timeout: default_timeout(),
            default_provider: None,
            default_role_arn: None,
        }
    }
}

/// Batch credential request — issue multiple scoped credentials in one call.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BatchCredentialRequest {
    pub requests: Vec<CredentialRequest>,
}

/// Batch credential response.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BatchCredentialResponse {
    pub results: Vec<BatchResultItem>,
    pub total: usize,
    pub succeeded: usize,
    pub failed: usize,
}

/// Individual result in a batch response.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BatchResultItem {
    pub index: usize,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub credentials: Option<CredentialResponse>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error: Option<String>,
}

/// Token exchange request — exchange a short-lived broker token for credentials.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TokenExchangeRequest {
    /// Broker-issued token
    pub token: String,
}

/// Broker token — a short-lived, single-use token that can be exchanged for credentials.
/// Useful for passing to subprocesses without exposing the API key.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BrokerToken {
    pub token: String,
    pub expires_at: String,
    /// The pre-configured credential request bound to this token.
    pub request: CredentialRequest,
}

/// Credential revocation request.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RevokeRequest {
    pub session_id: String,
    pub reason: Option<String>,
}

/// Broker API client for programmatic credential requests.
pub struct BrokerClient {
    config: BrokerConfig,
}

impl BrokerClient {
    pub fn new(config: BrokerConfig) -> Self {
        Self { config }
    }

    /// Create from environment variables.
    /// Reads AUDEX_BROKER_URL and AUDEX_BROKER_API_KEY.
    pub fn from_env() -> Result<Self> {
        let url = std::env::var("AUDEX_BROKER_URL").unwrap_or_else(|_| {
            "http://localhost:8080".to_string()
        });
        let api_key = std::env::var("AUDEX_BROKER_API_KEY").ok();
        Ok(Self::new(BrokerConfig {
            url,
            api_key,
            ..Default::default()
        }))
    }

    /// Request scoped credentials from the broker.
    pub async fn get_credentials(&self, request: &CredentialRequest) -> Result<CredentialResponse> {
        let url = format!("{}/v1/credentials", self.config.url);
        let body = serde_json::to_string(request)
            .map_err(|e| AvError::Sts(format!("Failed to serialize request: {}", e)))?;

        let response = self.http_post(&url, &body).await?;
        serde_json::from_str(&response)
            .map_err(|e| AvError::Sts(format!("Failed to parse credential response: {}", e)))
    }

    /// Request credentials with simple parameters (convenience method).
    pub async fn get_credentials_simple(
        &self,
        allow: &str,
        ttl: &str,
    ) -> Result<CredentialResponse> {
        let request = CredentialRequest {
            allow: Some(allow.to_string()),
            profile: None,
            resource: None,
            provider: self.config.default_provider.clone().unwrap_or_else(|| "aws".to_string()),
            ttl: ttl.to_string(),
            role_arn: self.config.default_role_arn.clone(),
            command: vec![],
            agent_id: std::env::var("AUDEX_AGENT_ID").ok(),
        };
        self.get_credentials(&request).await
    }

    /// Batch request — issue multiple credentials in one API call.
    pub async fn batch_credentials(
        &self,
        requests: Vec<CredentialRequest>,
    ) -> Result<BatchCredentialResponse> {
        let url = format!("{}/v1/credentials/batch", self.config.url);
        let batch = BatchCredentialRequest { requests };
        let body = serde_json::to_string(&batch)
            .map_err(|e| AvError::Sts(format!("Failed to serialize batch request: {}", e)))?;

        let response = self.http_post(&url, &body).await?;
        serde_json::from_str(&response)
            .map_err(|e| AvError::Sts(format!("Failed to parse batch response: {}", e)))
    }

    /// Create a broker token — a single-use token that can be exchanged for credentials.
    /// Useful for passing to untrusted subprocesses.
    pub async fn create_token(&self, request: &CredentialRequest) -> Result<BrokerToken> {
        let url = format!("{}/v1/tokens", self.config.url);
        let body = serde_json::to_string(request)
            .map_err(|e| AvError::Sts(format!("Failed to serialize token request: {}", e)))?;

        let response = self.http_post(&url, &body).await?;
        serde_json::from_str(&response)
            .map_err(|e| AvError::Sts(format!("Failed to parse token response: {}", e)))
    }

    /// Exchange a broker token for credentials.
    pub async fn exchange_token(&self, token: &str) -> Result<CredentialResponse> {
        let url = format!("{}/v1/tokens/exchange", self.config.url);
        let req = TokenExchangeRequest {
            token: token.to_string(),
        };
        let body = serde_json::to_string(&req)
            .map_err(|e| AvError::Sts(format!("Failed to serialize exchange request: {}", e)))?;

        let response = self.http_post(&url, &body).await?;
        serde_json::from_str(&response)
            .map_err(|e| AvError::Sts(format!("Failed to parse exchange response: {}", e)))
    }

    /// Revoke a session's credentials.
    pub async fn revoke(&self, session_id: &str, reason: Option<&str>) -> Result<()> {
        let url = format!("{}/v1/sessions/{}/revoke", self.config.url, session_id);
        let req = RevokeRequest {
            session_id: session_id.to_string(),
            reason: reason.map(|r| r.to_string()),
        };
        let body = serde_json::to_string(&req)
            .map_err(|e| AvError::Sts(format!("Failed to serialize revoke request: {}", e)))?;

        self.http_post(&url, &body).await?;
        Ok(())
    }

    /// List active sessions from the broker.
    pub async fn list_sessions(&self) -> Result<String> {
        let url = format!("{}/v1/sessions", self.config.url);
        self.http_get(&url).await
    }

    /// Get server health status.
    pub async fn health(&self) -> Result<String> {
        let url = format!("{}/v1/health", self.config.url);
        self.http_get(&url).await
    }

    /// Make an HTTP POST request to the broker.
    async fn http_post(&self, url: &str, body: &str) -> Result<String> {
        use std::io::{Read, Write};
        use std::net::TcpStream;

        let parsed = parse_url(url)?;
        let stream = TcpStream::connect(format!("{}:{}", parsed.host, parsed.port))
            .map_err(|e| AvError::Sts(format!("Failed to connect to broker at {}: {}", url, e)))?;
        stream
            .set_read_timeout(Some(Duration::from_secs(self.config.timeout)))
            .ok();

        let mut headers = vec![
            ("Content-Type", "application/json"),
            ("Connection", "close"),
        ];
        let auth_header;
        if let Some(ref key) = self.config.api_key {
            auth_header = format!("Bearer {}", key);
            headers.push(("Authorization", &auth_header));
        }
        let agent_header;
        if let Ok(agent_id) = std::env::var("AUDEX_AGENT_ID") {
            agent_header = agent_id;
            headers.push(("X-Audex-Agent-Id", &agent_header));
        }

        let mut request = format!(
            "POST {} HTTP/1.1\r\nHost: {}\r\nContent-Length: {}\r\n",
            parsed.path, parsed.host, body.len()
        );
        for (key, value) in &headers {
            request.push_str(&format!("{}: {}\r\n", key, value));
        }
        request.push_str("\r\n");
        request.push_str(body);

        let mut stream = stream;
        stream
            .write_all(request.as_bytes())
            .map_err(|e| AvError::Sts(format!("Failed to send broker request: {}", e)))?;

        let mut response = String::new();
        stream
            .read_to_string(&mut response)
            .map_err(|e| AvError::Sts(format!("Failed to read broker response: {}", e)))?;

        extract_http_body(&response)
    }

    /// Make an HTTP GET request to the broker.
    async fn http_get(&self, url: &str) -> Result<String> {
        use std::io::{Read, Write};
        use std::net::TcpStream;

        let parsed = parse_url(url)?;
        let stream = TcpStream::connect(format!("{}:{}", parsed.host, parsed.port))
            .map_err(|e| AvError::Sts(format!("Failed to connect to broker at {}: {}", url, e)))?;
        stream
            .set_read_timeout(Some(Duration::from_secs(self.config.timeout)))
            .ok();

        let mut headers: Vec<(&str, &str)> = vec![("Connection", "close")];
        let auth_header;
        if let Some(ref key) = self.config.api_key {
            auth_header = format!("Bearer {}", key);
            headers.push(("Authorization", &auth_header));
        }

        let mut request = format!(
            "GET {} HTTP/1.1\r\nHost: {}\r\n",
            parsed.path, parsed.host
        );
        for (key, value) in &headers {
            request.push_str(&format!("{}: {}\r\n", key, value));
        }
        request.push_str("\r\n");

        let mut stream = stream;
        stream
            .write_all(request.as_bytes())
            .map_err(|e| AvError::Sts(format!("Failed to send broker request: {}", e)))?;

        let mut response = String::new();
        stream
            .read_to_string(&mut response)
            .map_err(|e| AvError::Sts(format!("Failed to read broker response: {}", e)))?;

        extract_http_body(&response)
    }
}

struct ParsedUrl {
    host: String,
    port: u16,
    path: String,
}

fn parse_url(url: &str) -> Result<ParsedUrl> {
    let without_scheme = url
        .strip_prefix("https://")
        .or_else(|| url.strip_prefix("http://"))
        .ok_or_else(|| AvError::InvalidPolicy(format!("Invalid broker URL: {}", url)))?;

    let default_port: u16 = if url.starts_with("https://") { 443 } else { 8080 };

    let (host_port, path) = match without_scheme.find('/') {
        Some(idx) => (&without_scheme[..idx], &without_scheme[idx..]),
        None => (without_scheme, "/"),
    };

    let (host, port) = match host_port.rfind(':') {
        Some(idx) => {
            let port = host_port[idx + 1..].parse::<u16>().unwrap_or(default_port);
            (host_port[..idx].to_string(), port)
        }
        None => (host_port.to_string(), default_port),
    };

    Ok(ParsedUrl {
        host,
        port,
        path: path.to_string(),
    })
}

fn extract_http_body(response: &str) -> Result<String> {
    if let Some(idx) = response.find("\r\n\r\n") {
        let status_line = response.lines().next().unwrap_or("");
        let status_code: u16 = status_line
            .split_whitespace()
            .nth(1)
            .and_then(|s| s.parse().ok())
            .unwrap_or(0);

        let body = &response[idx + 4..];

        if status_code >= 400 {
            return Err(AvError::Sts(format!(
                "Broker returned HTTP {}: {}",
                status_code, body
            )));
        }

        Ok(body.to_string())
    } else {
        Err(AvError::Sts("Invalid HTTP response from broker".to_string()))
    }
}

/// Generate environment variable export commands for credentials.
/// Useful for shell integration and subprocess injection.
pub fn credentials_to_env_script(resp: &CredentialResponse, shell: &str) -> String {
    let mut lines = Vec::new();
    let export = match shell {
        "fish" => "set -gx",
        "powershell" | "pwsh" => "$env:",
        _ => "export",
    };

    let creds = &resp.credentials;
    if let Some(ref key) = creds.aws_access_key_id {
        lines.push(format_env(export, "AWS_ACCESS_KEY_ID", key, shell));
    }
    if let Some(ref key) = creds.aws_secret_access_key {
        lines.push(format_env(export, "AWS_SECRET_ACCESS_KEY", key, shell));
    }
    if let Some(ref token) = creds.aws_session_token {
        lines.push(format_env(export, "AWS_SESSION_TOKEN", token, shell));
    }
    if let Some(ref token) = creds.gcp_access_token {
        lines.push(format_env(export, "CLOUDSDK_AUTH_ACCESS_TOKEN", token, shell));
    }
    if let Some(ref token) = creds.azure_token {
        lines.push(format_env(export, "AZURE_ACCESS_TOKEN", token, shell));
    }

    lines.join("\n")
}

fn format_env(export: &str, key: &str, value: &str, shell: &str) -> String {
    match shell {
        "powershell" | "pwsh" => format!("{}{}=\"{}\"", export, key, value),
        "fish" => format!("{} {} \"{}\"", export, key, value),
        _ => format!("{} {}=\"{}\"", export, key, value),
    }
}

/// Generate a JSON credentials document suitable for file-based injection.
pub fn credentials_to_json(resp: &CredentialResponse) -> Result<String> {
    let mut map = HashMap::new();
    map.insert("session_id", resp.session_id.as_str());
    map.insert("provider", resp.provider.as_str());
    map.insert("expires_at", resp.expires_at.as_str());

    let creds = &resp.credentials;
    if let Some(ref v) = creds.aws_access_key_id {
        map.insert("aws_access_key_id", v);
    }
    if let Some(ref v) = creds.aws_secret_access_key {
        map.insert("aws_secret_access_key", v);
    }
    if let Some(ref v) = creds.aws_session_token {
        map.insert("aws_session_token", v);
    }
    if let Some(ref v) = creds.gcp_access_token {
        map.insert("gcp_access_token", v);
    }
    if let Some(ref v) = creds.azure_token {
        map.insert("azure_token", v);
    }

    serde_json::to_string_pretty(&map)
        .map_err(|e| AvError::Sts(format!("Failed to serialize credentials: {}", e)))
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::server::CredentialEnvVars;

    #[test]
    fn test_broker_config_default() {
        let config = BrokerConfig::default();
        assert_eq!(config.url, "http://localhost:8080");
        assert_eq!(config.timeout, 30);
        assert!(config.api_key.is_none());
    }

    #[test]
    fn test_broker_config_deserialize() {
        let toml_str = r#"
url = "https://audex.internal:8443"
api_key = "secret-key-123"
timeout = 60
default_provider = "gcp"
default_role_arn = "arn:aws:iam::123:role/MyRole"
"#;
        let config: BrokerConfig = toml::from_str(toml_str).unwrap();
        assert_eq!(config.url, "https://audex.internal:8443");
        assert_eq!(config.api_key.as_deref(), Some("secret-key-123"));
        assert_eq!(config.timeout, 60);
        assert_eq!(config.default_provider.as_deref(), Some("gcp"));
    }

    #[test]
    fn test_batch_request_serialization() {
        let batch = BatchCredentialRequest {
            requests: vec![
                CredentialRequest {
                    allow: Some("s3:GetObject".to_string()),
                    profile: None,
                    resource: None,
                    provider: "aws".to_string(),
                    ttl: "15m".to_string(),
                    role_arn: None,
                    command: vec![],
                    agent_id: None,
                },
            ],
        };
        let json = serde_json::to_string(&batch).unwrap();
        assert!(json.contains("s3:GetObject"));
    }

    #[test]
    fn test_batch_response_deserialization() {
        let json = r#"{"results":[{"index":0,"credentials":{"session_id":"abc","provider":"aws","expires_at":"2026-01-01T00:00:00Z","ttl_seconds":900,"credentials":{"aws_access_key_id":"AKID"}},"error":null}],"total":1,"succeeded":1,"failed":0}"#;
        let resp: BatchCredentialResponse = serde_json::from_str(json).unwrap();
        assert_eq!(resp.total, 1);
        assert_eq!(resp.succeeded, 1);
    }

    #[test]
    fn test_credentials_to_env_script_bash() {
        let resp = mock_credential_response();
        let script = credentials_to_env_script(&resp, "bash");
        assert!(script.contains("export AWS_ACCESS_KEY_ID=\"AKID123\""));
        assert!(script.contains("export AWS_SECRET_ACCESS_KEY=\"secret\""));
        assert!(script.contains("export AWS_SESSION_TOKEN=\"token\""));
    }

    #[test]
    fn test_credentials_to_env_script_fish() {
        let resp = mock_credential_response();
        let script = credentials_to_env_script(&resp, "fish");
        assert!(script.contains("set -gx AWS_ACCESS_KEY_ID \"AKID123\""));
    }

    #[test]
    fn test_credentials_to_env_script_powershell() {
        let resp = mock_credential_response();
        let script = credentials_to_env_script(&resp, "powershell");
        assert!(script.contains("$env:AWS_ACCESS_KEY_ID=\"AKID123\""));
    }

    #[test]
    fn test_credentials_to_json() {
        let resp = mock_credential_response();
        let json = credentials_to_json(&resp).unwrap();
        assert!(json.contains("AKID123"));
        assert!(json.contains("session_id"));
    }

    #[test]
    fn test_parse_url_with_port() {
        let parsed = parse_url("http://localhost:9090/v1/credentials").unwrap();
        assert_eq!(parsed.host, "localhost");
        assert_eq!(parsed.port, 9090);
        assert_eq!(parsed.path, "/v1/credentials");
    }

    #[test]
    fn test_parse_url_default_port() {
        let parsed = parse_url("http://localhost/v1/health").unwrap();
        assert_eq!(parsed.port, 8080);
    }

    #[test]
    fn test_parse_url_https_default_port() {
        let parsed = parse_url("https://audex.internal/v1/health").unwrap();
        assert_eq!(parsed.port, 443);
    }

    #[test]
    fn test_extract_http_body_success() {
        let resp = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"ok\":true}";
        let body = extract_http_body(resp).unwrap();
        assert_eq!(body, "{\"ok\":true}");
    }

    #[test]
    fn test_extract_http_body_error() {
        let resp = "HTTP/1.1 401 Unauthorized\r\n\r\n{\"error\":\"invalid key\"}";
        assert!(extract_http_body(resp).is_err());
    }

    #[test]
    fn test_broker_token_serialization() {
        let token = BrokerToken {
            token: "tok_abc123".to_string(),
            expires_at: "2026-01-01T00:15:00Z".to_string(),
            request: CredentialRequest {
                allow: Some("s3:GetObject".to_string()),
                profile: None,
                resource: None,
                provider: "aws".to_string(),
                ttl: "15m".to_string(),
                role_arn: None,
                command: vec![],
                agent_id: None,
            },
        };
        let json = serde_json::to_string(&token).unwrap();
        assert!(json.contains("tok_abc123"));
        assert!(json.contains("s3:GetObject"));
    }

    fn mock_credential_response() -> CredentialResponse {
        CredentialResponse {
            session_id: "test-session-123".to_string(),
            provider: "aws".to_string(),
            expires_at: "2026-01-01T00:15:00Z".to_string(),
            ttl_seconds: 900,
            credentials: CredentialEnvVars {
                aws_access_key_id: Some("AKID123".to_string()),
                aws_secret_access_key: Some("secret".to_string()),
                aws_session_token: Some("token".to_string()),
                gcp_access_token: None,
                azure_token: None,
            },
        }
    }
}