tryaudex_core/

compliance.rs

use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};

use crate::audit::{AuditEntry, AuditEvent, AuditLog};
use crate::error::Result;

/// Compliance report format.
#[derive(Debug, Clone, Copy)]
pub enum ReportFormat {
    /// JSON report with full audit detail
    Json,
    /// CSV for spreadsheet import
    Csv,
}

/// A flattened audit record suitable for compliance reporting.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ComplianceRecord {
    pub timestamp: DateTime<Utc>,
    pub session_id: String,
    pub provider: String,
    pub event_type: String,
    pub identity: String,
    pub ttl_seconds: Option<u64>,
    pub allowed_actions: Option<String>,
    pub command: Option<String>,
    pub status: Option<String>,
    pub duration_seconds: Option<i64>,
    pub exit_code: Option<i32>,
}

/// Compliance report wrapper.
#[derive(Debug, Serialize, Deserialize)]
pub struct ComplianceReport {
    pub generated_at: DateTime<Utc>,
    pub period_start: DateTime<Utc>,
    pub period_end: DateTime<Utc>,
    pub total_records: usize,
    pub total_sessions: usize,
    pub failed_sessions: usize,
    pub providers_used: Vec<String>,
    pub records: Vec<ComplianceRecord>,
}

/// Flatten an audit entry into a compliance record.
fn flatten(entry: &AuditEntry) -> ComplianceRecord {
    match &entry.event {
        AuditEvent::SessionCreated {
            role_arn,
            ttl_seconds,
            allowed_actions,
            command,
            ..
        } => ComplianceRecord {
            timestamp: entry.timestamp,
            session_id: entry.session_id.clone(),
            provider: entry.provider.clone(),
            event_type: "session_created".to_string(),
            identity: role_arn.clone(),
            ttl_seconds: Some(*ttl_seconds),
            allowed_actions: Some(allowed_actions.join(", ")),
            command: Some(command.join(" ")),
            status: None,
            duration_seconds: None,
            exit_code: None,
        },
        AuditEvent::CredentialsIssued {
            access_key_id,
            expires_at,
        } => ComplianceRecord {
            timestamp: entry.timestamp,
            session_id: entry.session_id.clone(),
            provider: entry.provider.clone(),
            event_type: "credentials_issued".to_string(),
            identity: access_key_id.clone(),
            ttl_seconds: None,
            allowed_actions: None,
            command: None,
            status: Some(format!("expires: {}", expires_at.to_rfc3339())),
            duration_seconds: None,
            exit_code: None,
        },
        AuditEvent::SessionEnded {
            status,
            duration_seconds,
            exit_code,
        } => ComplianceRecord {
            timestamp: entry.timestamp,
            session_id: entry.session_id.clone(),
            provider: entry.provider.clone(),
            event_type: "session_ended".to_string(),
            identity: String::new(),
            ttl_seconds: None,
            allowed_actions: None,
            command: None,
            status: Some(status.clone()),
            duration_seconds: Some(*duration_seconds),
            exit_code: *exit_code,
        },
        AuditEvent::BudgetWarning {
            current_spend,
            limit,
        } => ComplianceRecord {
            timestamp: entry.timestamp,
            session_id: entry.session_id.clone(),
            provider: entry.provider.clone(),
            event_type: "budget_warning".to_string(),
            identity: String::new(),
            ttl_seconds: None,
            allowed_actions: None,
            command: None,
            status: Some(format!("${:.2}/${:.2}", current_spend, limit)),
            duration_seconds: None,
            exit_code: None,
        },
        AuditEvent::BudgetExceeded { final_spend, limit } => ComplianceRecord {
            timestamp: entry.timestamp,
            session_id: entry.session_id.clone(),
            provider: entry.provider.clone(),
            event_type: "budget_exceeded".to_string(),
            identity: String::new(),
            ttl_seconds: None,
            allowed_actions: None,
            command: None,
            status: Some(format!("${:.2}/${:.2}", final_spend, limit)),
            duration_seconds: None,
            exit_code: None,
        },
    }
}

/// Generate a compliance report from audit logs for a given time period.
pub fn generate(audit: &AuditLog, days: u32) -> Result<ComplianceReport> {
    let now = Utc::now();
    let cutoff = now - chrono::Duration::days(days as i64);

    let entries = audit.read(None)?;
    let filtered: Vec<&AuditEntry> = entries.iter().filter(|e| e.timestamp >= cutoff).collect();

    let records: Vec<ComplianceRecord> = filtered.iter().map(|e| flatten(e)).collect();

    let mut providers: Vec<String> = filtered
        .iter()
        .map(|e| e.provider.clone())
        .collect::<std::collections::HashSet<_>>()
        .into_iter()
        .collect();
    providers.sort();

    let total_sessions = records
        .iter()
        .filter(|r| r.event_type == "session_created")
        .count();
    let failed_sessions = records
        .iter()
        .filter(|r| r.event_type == "session_ended" && r.status.as_deref() == Some("failed"))
        .count();

    Ok(ComplianceReport {
        generated_at: now,
        period_start: cutoff,
        period_end: now,
        total_records: records.len(),
        total_sessions,
        failed_sessions,
        providers_used: providers,
        records,
    })
}

/// Export report as JSON.
pub fn export_json(report: &ComplianceReport) -> Result<String> {
    serde_json::to_string_pretty(report).map_err(|e| {
        crate::error::AvError::InvalidPolicy(format!("Failed to serialize report: {}", e))
    })
}

/// Export report as CSV.
pub fn export_csv(report: &ComplianceReport) -> String {
    let mut out = String::new();
    out.push_str("timestamp,session_id,provider,event_type,identity,ttl_seconds,allowed_actions,command,status,duration_seconds,exit_code\n");

    for r in &report.records {
        out.push_str(&format!(
            "{},{},{},{},{},{},{},{},{},{},{}\n",
            r.timestamp.to_rfc3339(),
            csv_escape(&r.session_id),
            csv_escape(&r.provider),
            csv_escape(&r.event_type),
            csv_escape(&r.identity),
            r.ttl_seconds.map_or(String::new(), |v| v.to_string()),
            r.allowed_actions
                .as_deref()
                .map_or(String::new(), csv_escape),
            r.command.as_deref().map_or(String::new(), csv_escape),
            r.status.as_deref().map_or(String::new(), csv_escape),
            r.duration_seconds.map_or(String::new(), |v| v.to_string()),
            r.exit_code.map_or(String::new(), |v| v.to_string()),
        ));
    }

    out
}

fn csv_escape(s: &str) -> String {
    if s.contains(',') || s.contains('"') || s.contains('\n') {
        format!("\"{}\"", s.replace('"', "\"\""))
    } else {
        s.to_string()
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::audit::{AuditEntry, AuditEvent};

    fn sample_entries() -> Vec<AuditEntry> {
        vec![
            AuditEntry {
                timestamp: Utc::now(),
                session_id: "sess-001".to_string(),
                provider: "aws".to_string(),
                event: AuditEvent::SessionCreated {
                    role_arn: "arn:aws:iam::123:role/TestRole".to_string(),
                    ttl_seconds: 900,
                    budget: None,
                    allowed_actions: vec!["s3:GetObject".to_string(), "s3:ListBucket".to_string()],
                    command: vec!["aws".to_string(), "s3".to_string(), "ls".to_string()],
                    agent_id: None,
                },
            },
            AuditEntry {
                timestamp: Utc::now(),
                session_id: "sess-001".to_string(),
                provider: "aws".to_string(),
                event: AuditEvent::SessionEnded {
                    status: "completed".to_string(),
                    duration_seconds: 45,
                    exit_code: Some(0),
                },
            },
        ]
    }

    #[test]
    fn test_flatten_session_created() {
        let entry = &sample_entries()[0];
        let record = flatten(entry);
        assert_eq!(record.event_type, "session_created");
        assert_eq!(record.identity, "arn:aws:iam::123:role/TestRole");
        assert_eq!(record.ttl_seconds, Some(900));
        assert!(record.allowed_actions.unwrap().contains("s3:GetObject"));
    }

    #[test]
    fn test_flatten_session_ended() {
        let entry = &sample_entries()[1];
        let record = flatten(entry);
        assert_eq!(record.event_type, "session_ended");
        assert_eq!(record.status, Some("completed".to_string()));
        assert_eq!(record.duration_seconds, Some(45));
        assert_eq!(record.exit_code, Some(0));
    }

    #[test]
    fn test_csv_escape() {
        assert_eq!(csv_escape("hello"), "hello");
        assert_eq!(csv_escape("hello,world"), "\"hello,world\"");
        assert_eq!(csv_escape("he said \"hi\""), "\"he said \"\"hi\"\"\"");
    }

    #[test]
    fn test_compliance_report_serialize() {
        let report = ComplianceReport {
            generated_at: Utc::now(),
            period_start: Utc::now() - chrono::Duration::days(90),
            period_end: Utc::now(),
            total_records: 2,
            total_sessions: 1,
            failed_sessions: 0,
            providers_used: vec!["aws".to_string()],
            records: sample_entries().iter().map(flatten).collect(),
        };

        let json = export_json(&report).unwrap();
        assert!(json.contains("total_sessions"));
        assert!(json.contains("sess-001"));

        let csv = export_csv(&report);
        assert!(csv.starts_with("timestamp,"));
        assert!(csv.contains("session_created"));
        assert!(csv.contains("session_ended"));
    }
}