tryaudex_core/

credentials.rs

use std::path::PathBuf;
use std::time::Duration;

use serde::{Deserialize, Serialize};

use crate::error::{AvError, Result};
use crate::policy::ScopedPolicy;
use crate::session::Session;

/// Temporary AWS credentials returned by STS.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TempCredentials {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: String,
    pub expires_at: chrono::DateTime<chrono::Utc>,
}

impl TempCredentials {
    /// Returns env vars to inject into the subprocess.
    pub fn as_env_vars(&self) -> Vec<(&str, &str)> {
        vec![
            ("AWS_ACCESS_KEY_ID", &self.access_key_id),
            ("AWS_SECRET_ACCESS_KEY", &self.secret_access_key),
            ("AWS_SESSION_TOKEN", &self.session_token),
        ]
    }
}

/// Issues scoped, short-lived AWS credentials via STS AssumeRole.
pub struct CredentialIssuer {
    sts_client: aws_sdk_sts::Client,
}

impl CredentialIssuer {
    pub async fn new() -> Result<Self> {
        Self::with_region(None).await
    }

    pub async fn with_region(region: Option<&str>) -> Result<Self> {
        let mut loader = aws_config::defaults(aws_config::BehaviorVersion::latest());
        if let Some(region) = region {
            loader = loader.region(aws_config::Region::new(region.to_string()));
        }
        let config = loader.load().await;
        Ok(Self {
            sts_client: aws_sdk_sts::Client::new(&config),
        })
    }

    /// Assume a role with an inline policy that restricts permissions to the scoped policy.
    /// Optionally attaches a permissions boundary ARN as an additional ceiling.
    pub async fn issue(
        &self,
        session: &Session,
        policy: &ScopedPolicy,
        ttl: Duration,
    ) -> Result<TempCredentials> {
        self.issue_with_boundary(session, policy, ttl, None).await
    }

    /// Assume a role with an inline policy and optional permissions boundary.
    pub async fn issue_with_boundary(
        &self,
        session: &Session,
        policy: &ScopedPolicy,
        ttl: Duration,
        permissions_boundary: Option<&str>,
    ) -> Result<TempCredentials> {
        self.issue_full(session, policy, ttl, permissions_boundary, None).await
    }

    /// Assume a role with inline policy, optional boundary, and optional network conditions.
    pub async fn issue_full(
        &self,
        session: &Session,
        policy: &ScopedPolicy,
        ttl: Duration,
        permissions_boundary: Option<&str>,
        network: Option<&crate::policy::NetworkPolicy>,
    ) -> Result<TempCredentials> {
        let policy_json = policy.to_iam_policy_json_with_network(network)?;
        let ttl_secs = ttl.as_secs().min(43200) as i32; // STS max is 12 hours

        tracing::info!(
            session_id = %session.id,
            role_arn = %session.role_arn,
            ttl_secs = ttl_secs,
            permissions_boundary = ?permissions_boundary,
            "Assuming role with scoped policy"
        );

        let mut request = self
            .sts_client
            .assume_role()
            .role_arn(&session.role_arn)
            .role_session_name(format!("av-{}", &session.id[..8]))
            .policy(&policy_json)
            .duration_seconds(ttl_secs);

        // Attach permissions boundary as a managed policy ARN ceiling
        if let Some(boundary_arn) = permissions_boundary {
            request = request.policy_arns(
                aws_sdk_sts::types::PolicyDescriptorType::builder()
                    .arn(boundary_arn)
                    .build(),
            );
        }

        let result = request
            .send()
            .await
            .map_err(|e| AvError::Sts(e.to_string()))?;

        let creds = result
            .credentials()
            .ok_or_else(|| AvError::Sts("No credentials returned by STS".to_string()))?;

        let exp = creds.expiration();
        let expires_at =
            chrono::DateTime::from_timestamp(exp.secs(), exp.subsec_nanos())
                .unwrap_or_else(chrono::Utc::now);

        Ok(TempCredentials {
            access_key_id: creds.access_key_id().to_string(),
            secret_access_key: creds.secret_access_key().to_string(),
            session_token: creds.session_token().to_string(),
            expires_at,
        })
    }
}

/// Caches credentials on disk, keyed by session ID.
pub struct CredentialCache {
    dir: PathBuf,
}

impl CredentialCache {
    pub fn new() -> Result<Self> {
        let dir = dirs::data_local_dir()
            .unwrap_or_else(|| PathBuf::from("."))
            .join("audex")
            .join("cred_cache");
        std::fs::create_dir_all(&dir)?;
        Ok(Self { dir })
    }

    /// Save credentials for a session (encrypted at rest).
    pub fn save(&self, session_id: &str, creds: &TempCredentials) -> Result<()> {
        let path = self.dir.join(format!("{}.json", session_id));
        crate::keystore::encrypt_to_file(&path, creds)
    }

    /// Load cached credentials for a session. Returns None if expired or missing.
    /// Handles both encrypted and legacy plaintext files for migration.
    pub fn load(&self, session_id: &str) -> Result<Option<TempCredentials>> {
        let path = self.dir.join(format!("{}.json", session_id));
        let creds: Option<TempCredentials> = crate::keystore::decrypt_from_file(&path)?;
        match creds {
            Some(c) if c.expires_at <= chrono::Utc::now() => {
                let _ = std::fs::remove_file(&path);
                Ok(None)
            }
            other => Ok(other),
        }
    }

    /// Remove cached credentials for a session.
    pub fn remove(&self, session_id: &str) {
        let path = self.dir.join(format!("{}.json", session_id));
        let _ = std::fs::remove_file(path);
    }
}