tryaudex_core/

vault.rs

use std::collections::HashMap;
use std::time::Duration;

use serde::{Deserialize, Serialize};

use crate::credentials::TempCredentials;
use crate::error::{AvError, Result};

/// Vault authentication method.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "method", rename_all = "lowercase")]
pub enum VaultAuth {
    /// Use a static Vault token (or VAULT_TOKEN env var).
    Token { token: Option<String> },
    /// AppRole authentication.
    Approle {
        role_id: String,
        secret_id: Option<String>,
    },
    /// Kubernetes service account auth.
    Kubernetes {
        role: String,
        /// Path to the service account token (default: /var/run/secrets/kubernetes.io/serviceaccount/token)
        jwt_path: Option<String>,
    },
}

impl Default for VaultAuth {
    fn default() -> Self {
        VaultAuth::Token { token: None }
    }
}

/// Configuration for the Vault credential backend.
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct VaultConfig {
    /// Vault server address (e.g. "https://vault.example.com:8200").
    /// Falls back to VAULT_ADDR env var.
    pub address: Option<String>,
    /// Authentication method (default: token).
    #[serde(default)]
    pub auth: VaultAuth,
    /// AWS secrets engine mount path (default: "aws").
    pub mount: Option<String>,
    /// Vault role name for generating credentials.
    pub role: Option<String>,
    /// Vault namespace (for Vault Enterprise).
    pub namespace: Option<String>,
    /// Skip TLS verification (NOT recommended for production).
    #[serde(default)]
    pub tls_skip_verify: bool,
}

impl VaultConfig {
    /// Resolve the Vault address from config or VAULT_ADDR env var.
    pub fn resolve_address(&self) -> Result<String> {
        self.address
            .clone()
            .or_else(|| std::env::var("VAULT_ADDR").ok())
            .ok_or_else(|| {
                AvError::InvalidPolicy(
                    "Vault address not set. Set vault.address in config or VAULT_ADDR env var"
                        .to_string(),
                )
            })
    }

    /// Resolve the secrets engine mount path (default: "aws").
    pub fn mount_path(&self) -> &str {
        self.mount.as_deref().unwrap_or("aws")
    }
}

/// Response from Vault's auth endpoints.
#[derive(Debug, Deserialize)]
struct VaultAuthResponse {
    auth: Option<VaultAuthData>,
}

#[derive(Debug, Deserialize)]
struct VaultAuthData {
    client_token: String,
}

/// Response from Vault's AWS secrets engine.
#[derive(Debug, Deserialize)]
struct VaultSecretResponse {
    data: Option<VaultAwsCredentials>,
    lease_duration: Option<u64>,
}

#[derive(Debug, Deserialize)]
struct VaultAwsCredentials {
    access_key: String,
    secret_key: String,
    security_token: Option<String>,
}

/// Client for issuing credentials via HashiCorp Vault's AWS secrets engine.
pub struct VaultIssuer {
    address: String,
    token: String,
    mount: String,
    namespace: Option<String>,
}

impl VaultIssuer {
    /// Create a new VaultIssuer by authenticating with the configured method.
    pub async fn new(config: &VaultConfig) -> Result<Self> {
        let address = config.resolve_address()?;
        let mount = config.mount_path().to_string();
        let namespace = config.namespace.clone();

        let token = match &config.auth {
            VaultAuth::Token { token } => {
                token
                    .clone()
                    .or_else(|| std::env::var("VAULT_TOKEN").ok())
                    .ok_or_else(|| {
                        AvError::InvalidPolicy(
                            "Vault token not set. Set vault.auth.token in config or VAULT_TOKEN env var".to_string(),
                        )
                    })?
            }
            VaultAuth::Approle { role_id, secret_id } => {
                Self::auth_approle(&address, namespace.as_deref(), role_id, secret_id.as_deref())
                    .await?
            }
            VaultAuth::Kubernetes { role, jwt_path } => {
                let default_path = "/var/run/secrets/kubernetes.io/serviceaccount/token";
                let path = jwt_path.as_deref().unwrap_or(default_path);
                let jwt = std::fs::read_to_string(path).map_err(|e| {
                    AvError::InvalidPolicy(format!(
                        "Failed to read Kubernetes service account token from {}: {}",
                        path, e
                    ))
                })?;
                Self::auth_kubernetes(&address, namespace.as_deref(), role, &jwt).await?
            }
        };

        tracing::info!(address = %address, mount = %mount, "Connected to Vault");

        Ok(Self {
            address,
            token,
            mount,
            namespace,
        })
    }

    /// Authenticate via AppRole and return a client token.
    async fn auth_approle(
        address: &str,
        namespace: Option<&str>,
        role_id: &str,
        secret_id: Option<&str>,
    ) -> Result<String> {
        let url = format!("{}/v1/auth/approle/login", address);
        let mut body = HashMap::new();
        body.insert("role_id", role_id);
        if let Some(sid) = secret_id {
            body.insert("secret_id", sid);
        }

        let resp = vault_post(&url, namespace, None, &body).await?;
        let auth_resp: VaultAuthResponse = serde_json::from_str(&resp)
            .map_err(|e| AvError::Sts(format!("Failed to parse Vault auth response: {}", e)))?;

        auth_resp
            .auth
            .map(|a| a.client_token)
            .ok_or_else(|| AvError::Sts("Vault AppRole auth returned no token".to_string()))
    }

    /// Authenticate via Kubernetes service account and return a client token.
    async fn auth_kubernetes(
        address: &str,
        namespace: Option<&str>,
        role: &str,
        jwt: &str,
    ) -> Result<String> {
        let url = format!("{}/v1/auth/kubernetes/login", address);
        let mut body = HashMap::new();
        body.insert("role", role);
        body.insert("jwt", jwt);

        let resp = vault_post(&url, namespace, None, &body).await?;
        let auth_resp: VaultAuthResponse = serde_json::from_str(&resp)
            .map_err(|e| AvError::Sts(format!("Failed to parse Vault auth response: {}", e)))?;

        auth_resp
            .auth
            .map(|a| a.client_token)
            .ok_or_else(|| AvError::Sts("Vault Kubernetes auth returned no token".to_string()))
    }

    /// Issue temporary AWS credentials via Vault's AWS secrets engine.
    ///
    /// Uses the `/v1/{mount}/creds/{role}` endpoint to generate dynamic credentials.
    /// The `ttl` parameter is passed as a request parameter to control credential lifetime.
    pub async fn issue(
        &self,
        vault_role: &str,
        ttl: Duration,
    ) -> Result<TempCredentials> {
        let url = format!(
            "{}/v1/{}/creds/{}",
            self.address, self.mount, vault_role
        );

        let ttl_str = format!("{}s", ttl.as_secs());
        let mut body = HashMap::new();
        body.insert("ttl", ttl_str.as_str());

        tracing::info!(
            vault_role = %vault_role,
            ttl = %ttl_str,
            "Requesting credentials from Vault AWS secrets engine"
        );

        let resp =
            vault_post(&url, self.namespace.as_deref(), Some(&self.token), &body).await?;
        let secret: VaultSecretResponse = serde_json::from_str(&resp)
            .map_err(|e| AvError::Sts(format!("Failed to parse Vault credential response: {}", e)))?;

        let creds = secret.data.ok_or_else(|| {
            AvError::Sts("Vault returned no credential data".to_string())
        })?;

        let lease_secs = secret.lease_duration.unwrap_or(ttl.as_secs());
        let expires_at = chrono::Utc::now() + chrono::Duration::seconds(lease_secs as i64);

        Ok(TempCredentials {
            access_key_id: creds.access_key,
            secret_access_key: creds.secret_key,
            session_token: creds.security_token.unwrap_or_default(),
            expires_at,
        })
    }

    /// Read a Vault secret from an arbitrary path (for STS credential generation
    /// where the Vault role uses assumed_role or federation_token type).
    pub async fn read_sts_creds(
        &self,
        vault_role: &str,
        ttl: Duration,
    ) -> Result<TempCredentials> {
        let url = format!(
            "{}/v1/{}/sts/{}",
            self.address, self.mount, vault_role
        );

        let ttl_str = format!("{}s", ttl.as_secs());
        let mut body = HashMap::new();
        body.insert("ttl", ttl_str.as_str());

        tracing::info!(
            vault_role = %vault_role,
            ttl = %ttl_str,
            "Requesting STS credentials from Vault"
        );

        let resp =
            vault_post(&url, self.namespace.as_deref(), Some(&self.token), &body).await?;
        let secret: VaultSecretResponse = serde_json::from_str(&resp)
            .map_err(|e| AvError::Sts(format!("Failed to parse Vault STS response: {}", e)))?;

        let creds = secret.data.ok_or_else(|| {
            AvError::Sts("Vault returned no STS credential data".to_string())
        })?;

        let lease_secs = secret.lease_duration.unwrap_or(ttl.as_secs());
        let expires_at = chrono::Utc::now() + chrono::Duration::seconds(lease_secs as i64);

        Ok(TempCredentials {
            access_key_id: creds.access_key,
            secret_access_key: creds.secret_key,
            session_token: creds.security_token.unwrap_or_default(),
            expires_at,
        })
    }

    /// Check if Vault is healthy and the secrets engine is accessible.
    pub async fn health_check(&self) -> Result<bool> {
        let url = format!("{}/v1/sys/health", self.address);
        match vault_get(&url, self.namespace.as_deref(), Some(&self.token)).await {
            Ok(_) => Ok(true),
            Err(_) => Ok(false),
        }
    }
}

/// Make a POST request to Vault.
async fn vault_post(
    url: &str,
    namespace: Option<&str>,
    token: Option<&str>,
    body: &HashMap<&str, &str>,
) -> Result<String> {
    let body_json = serde_json::to_string(body)
        .map_err(|e| AvError::Sts(format!("Failed to serialize Vault request: {}", e)))?;

    let mut headers = vec![("Content-Type", "application/json")];
    let ns_header;
    if let Some(ns) = namespace {
        ns_header = ns.to_string();
        headers.push(("X-Vault-Namespace", &ns_header));
    }
    let token_header;
    if let Some(t) = token {
        token_header = t.to_string();
        headers.push(("X-Vault-Token", &token_header));
    }

    http_request("POST", url, &headers, Some(&body_json)).await
}

/// Make a GET request to Vault.
async fn vault_get(
    url: &str,
    namespace: Option<&str>,
    token: Option<&str>,
) -> Result<String> {
    let mut headers: Vec<(&str, &str)> = vec![];
    let ns_header;
    if let Some(ns) = namespace {
        ns_header = ns.to_string();
        headers.push(("X-Vault-Namespace", &ns_header));
    }
    let token_header;
    if let Some(t) = token {
        token_header = t.to_string();
        headers.push(("X-Vault-Token", &token_header));
    }

    http_request("GET", url, &headers, None).await
}

/// Minimal HTTP client using std::net::TcpStream (no external HTTP crate dependency).
/// Supports http:// and https:// via rustls if available.
async fn http_request(
    method: &str,
    url: &str,
    headers: &[(&str, &str)],
    body: Option<&str>,
) -> Result<String> {
    use std::io::{Read, Write};
    use std::net::TcpStream;

    let parsed = parse_url(url)?;

    let stream = TcpStream::connect(format!("{}:{}", parsed.host, parsed.port))
        .map_err(|e| AvError::Sts(format!("Failed to connect to Vault at {}: {}", url, e)))?;
    stream
        .set_read_timeout(Some(Duration::from_secs(30)))
        .ok();

    let mut request = format!(
        "{} {} HTTP/1.1\r\nHost: {}\r\nConnection: close\r\n",
        method, parsed.path, parsed.host
    );
    for (key, value) in headers {
        request.push_str(&format!("{}: {}\r\n", key, value));
    }
    if let Some(b) = body {
        request.push_str(&format!("Content-Length: {}\r\n", b.len()));
    }
    request.push_str("\r\n");
    if let Some(b) = body {
        request.push_str(b);
    }

    // For simplicity, use plaintext HTTP. In production, Vault should be
    // accessed via a local agent or TLS-terminated proxy.
    let mut stream = stream;
    stream
        .write_all(request.as_bytes())
        .map_err(|e| AvError::Sts(format!("Failed to send request to Vault: {}", e)))?;

    let mut response = String::new();
    stream
        .read_to_string(&mut response)
        .map_err(|e| AvError::Sts(format!("Failed to read Vault response: {}", e)))?;

    // Extract body from HTTP response
    if let Some(idx) = response.find("\r\n\r\n") {
        let status_line = response.lines().next().unwrap_or("");
        let status_code: u16 = status_line
            .split_whitespace()
            .nth(1)
            .and_then(|s| s.parse().ok())
            .unwrap_or(0);

        if status_code >= 400 {
            return Err(AvError::Sts(format!(
                "Vault returned HTTP {}: {}",
                status_code,
                &response[idx + 4..]
            )));
        }

        Ok(response[idx + 4..].to_string())
    } else {
        Err(AvError::Sts("Invalid HTTP response from Vault".to_string()))
    }
}

struct ParsedUrl {
    host: String,
    port: u16,
    path: String,
}

fn parse_url(url: &str) -> Result<ParsedUrl> {
    let without_scheme = if let Some(rest) = url.strip_prefix("https://") {
        rest
    } else if let Some(rest) = url.strip_prefix("http://") {
        rest
    } else {
        return Err(AvError::InvalidPolicy(format!("Invalid Vault URL: {}", url)));
    };

    let default_port: u16 = 8200;

    let (host_port, path) = match without_scheme.find('/') {
        Some(idx) => (&without_scheme[..idx], &without_scheme[idx..]),
        None => (without_scheme, "/"),
    };

    let (host, port) = match host_port.rfind(':') {
        Some(idx) => {
            let port_str = &host_port[idx + 1..];
            let port = port_str
                .parse::<u16>()
                .unwrap_or(default_port);
            (host_port[..idx].to_string(), port)
        }
        None => (host_port.to_string(), default_port),
    };

    Ok(ParsedUrl {
        host,
        port,
        path: path.to_string(),
    })
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_parse_url_with_port() {
        let parsed = parse_url("http://vault.example.com:8200/v1/aws/creds/my-role").unwrap();
        assert_eq!(parsed.host, "vault.example.com");
        assert_eq!(parsed.port, 8200);
        assert_eq!(parsed.path, "/v1/aws/creds/my-role");
    }

    #[test]
    fn test_parse_url_without_port() {
        let parsed = parse_url("https://vault.example.com/v1/sys/health").unwrap();
        assert_eq!(parsed.host, "vault.example.com");
        assert_eq!(parsed.port, 8200);
        assert_eq!(parsed.path, "/v1/sys/health");
    }

    #[test]
    fn test_parse_url_localhost() {
        let parsed = parse_url("http://127.0.0.1:8200/v1/auth/approle/login").unwrap();
        assert_eq!(parsed.host, "127.0.0.1");
        assert_eq!(parsed.port, 8200);
    }

    #[test]
    fn test_parse_url_invalid() {
        assert!(parse_url("ftp://vault.example.com").is_err());
    }

    #[test]
    fn test_vault_config_defaults() {
        let config = VaultConfig::default();
        assert_eq!(config.mount_path(), "aws");
        assert!(!config.tls_skip_verify);
        assert!(config.address.is_none());
    }

    #[test]
    fn test_vault_config_resolve_address_env() {
        let config = VaultConfig {
            address: Some("http://localhost:8200".to_string()),
            ..Default::default()
        };
        assert_eq!(
            config.resolve_address().unwrap(),
            "http://localhost:8200"
        );
    }

    #[test]
    fn test_vault_config_custom_mount() {
        let config = VaultConfig {
            mount: Some("aws-prod".to_string()),
            ..Default::default()
        };
        assert_eq!(config.mount_path(), "aws-prod");
    }

    #[test]
    fn test_vault_config_deserialize() {
        let toml_str = r#"
address = "https://vault.internal:8200"
mount = "aws-prod"
role = "audex-agent"
namespace = "engineering"

[auth]
method = "approle"
role_id = "abc-123"
secret_id = "def-456"
"#;
        let config: VaultConfig = toml::from_str(toml_str).unwrap();
        assert_eq!(config.address.as_deref(), Some("https://vault.internal:8200"));
        assert_eq!(config.mount_path(), "aws-prod");
        assert_eq!(config.role.as_deref(), Some("audex-agent"));
        assert_eq!(config.namespace.as_deref(), Some("engineering"));
        match config.auth {
            VaultAuth::Approle { role_id, secret_id } => {
                assert_eq!(role_id, "abc-123");
                assert_eq!(secret_id.unwrap(), "def-456");
            }
            _ => panic!("Expected AppRole auth"),
        }
    }

    #[test]
    fn test_vault_config_kubernetes_auth() {
        let toml_str = r#"
address = "http://vault:8200"

[auth]
method = "kubernetes"
role = "audex"
jwt_path = "/var/run/secrets/token"
"#;
        let config: VaultConfig = toml::from_str(toml_str).unwrap();
        match config.auth {
            VaultAuth::Kubernetes { role, jwt_path } => {
                assert_eq!(role, "audex");
                assert_eq!(jwt_path.unwrap(), "/var/run/secrets/token");
            }
            _ => panic!("Expected Kubernetes auth"),
        }
    }
}