tryaudex_core/

forward.rs

use serde::{Deserialize, Serialize};

use crate::audit::AuditEntry;
use crate::error::{AvError, Result};

/// Audit forwarding configuration in `[audit]` config section.
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct ForwardConfig {
    /// Forwarding destinations. Each entry is a URL:
    /// - `s3://bucket-name/prefix/` — S3 with daily partitioned keys
    /// - `cloudwatch://log-group-name` — CloudWatch Logs
    /// - `https://...` — Generic webhook (POST JSON array)
    #[serde(default)]
    pub destinations: Vec<String>,
    /// Batch size before flushing (default: 10)
    pub batch_size: Option<usize>,
    /// Whether to forward synchronously on each event (default: false, batched)
    pub sync: Option<bool>,
}

/// In-memory buffer for batched forwarding.
pub struct ForwardBuffer {
    config: ForwardConfig,
    buffer: Vec<AuditEntry>,
}

impl ForwardBuffer {
    pub fn new(config: ForwardConfig) -> Self {
        Self {
            config,
            buffer: Vec::new(),
        }
    }

    /// Add an entry to the buffer. Flushes if batch size is reached.
    /// Returns Ok(true) if a flush happened.
    pub async fn push(&mut self, entry: AuditEntry) -> Result<bool> {
        if self.config.destinations.is_empty() {
            return Ok(false);
        }

        let sync = self.config.sync.unwrap_or(false);
        if sync {
            forward_entries(&self.config.destinations, &[entry]).await?;
            return Ok(true);
        }

        self.buffer.push(entry);
        let batch_size = self.config.batch_size.unwrap_or(10);
        if self.buffer.len() >= batch_size {
            self.flush().await?;
            return Ok(true);
        }
        Ok(false)
    }

    /// Flush all buffered entries to all destinations.
    pub async fn flush(&mut self) -> Result<()> {
        if self.buffer.is_empty() || self.config.destinations.is_empty() {
            return Ok(());
        }
        let entries = std::mem::take(&mut self.buffer);
        forward_entries(&self.config.destinations, &entries).await
    }
}

/// Forward entries to all configured destinations.
async fn forward_entries(destinations: &[String], entries: &[AuditEntry]) -> Result<()> {
    let mut errors = Vec::new();

    for dest in destinations {
        let result = if dest.starts_with("s3://") {
            forward_to_s3(dest, entries).await
        } else if dest.starts_with("cloudwatch://") {
            forward_to_cloudwatch(dest, entries).await
        } else if dest.starts_with("https://") || dest.starts_with("http://") {
            forward_to_webhook(dest, entries).await
        } else {
            Err(AvError::InvalidPolicy(format!(
                "Unknown audit forwarding destination: {}. Expected s3://, cloudwatch://, or https://",
                dest
            )))
        };

        if let Err(e) = result {
            errors.push(format!("{}: {}", dest, e));
        }
    }

    if errors.is_empty() {
        Ok(())
    } else {
        Err(AvError::InvalidPolicy(format!(
            "Audit forwarding errors:\n{}",
            errors.join("\n")
        )))
    }
}

/// Forward audit entries to S3 as a JSONL file with daily partitioned keys.
/// Format: s3://bucket/prefix/YYYY/MM/DD/audex-{timestamp}.jsonl
async fn forward_to_s3(dest: &str, entries: &[AuditEntry]) -> Result<()> {
    let path = dest.strip_prefix("s3://").unwrap();
    let (bucket, prefix) = path.split_once('/').unwrap_or((path, ""));

    let now = chrono::Utc::now();
    let key = format!(
        "{}{}/audex-{}.jsonl",
        if prefix.is_empty() { "" } else { prefix },
        now.format("%Y/%m/%d"),
        now.format("%Y%m%dT%H%M%SZ"),
    );

    let body = entries
        .iter()
        .filter_map(|e| serde_json::to_string(e).ok())
        .collect::<Vec<_>>()
        .join("\n");

    // Use AWS SDK PutObject via presigned URL or direct SDK
    // For now, use the AWS CLI approach via the aws_sdk_s3 isn't a dep,
    // so we use reqwest with SigV4-style — but simplest is just shelling out.
    // Instead, we use the S3 PutObject REST API with credentials from env.
    let region = std::env::var("AWS_REGION")
        .or_else(|_| std::env::var("AWS_DEFAULT_REGION"))
        .unwrap_or_else(|_| "us-east-1".to_string());

    let endpoint = format!("https://{}.s3.{}.amazonaws.com/{}", bucket, region, key);

    let client = reqwest::Client::new();
    let resp = client
        .put(&endpoint)
        .header("Content-Type", "application/x-ndjson")
        .body(body)
        .send()
        .await
        .map_err(|e| AvError::InvalidPolicy(format!("S3 upload failed: {}", e)))?;

    if !resp.status().is_success() {
        let status = resp.status();
        let body = resp.text().await.unwrap_or_default();
        return Err(AvError::InvalidPolicy(format!(
            "S3 upload returned {}: {}",
            status,
            &body[..body.len().min(200)]
        )));
    }

    Ok(())
}

/// Forward audit entries to CloudWatch Logs.
/// Format: cloudwatch://log-group-name
async fn forward_to_cloudwatch(dest: &str, entries: &[AuditEntry]) -> Result<()> {
    let log_group = dest.strip_prefix("cloudwatch://").unwrap();
    let log_stream = format!("audex/{}", chrono::Utc::now().format("%Y/%m/%d"));

    // CloudWatch Logs PutLogEvents via REST API
    let region = std::env::var("AWS_REGION")
        .or_else(|_| std::env::var("AWS_DEFAULT_REGION"))
        .unwrap_or_else(|_| "us-east-1".to_string());

    let events: Vec<serde_json::Value> = entries
        .iter()
        .map(|e| {
            serde_json::json!({
                "timestamp": e.timestamp.timestamp_millis(),
                "message": serde_json::to_string(e).unwrap_or_default()
            })
        })
        .collect();

    let payload = serde_json::json!({
        "logGroupName": log_group,
        "logStreamName": log_stream,
        "logEvents": events
    });

    let endpoint = format!("https://logs.{}.amazonaws.com", region);

    let client = reqwest::Client::new();
    let resp = client
        .post(&endpoint)
        .header("Content-Type", "application/x-amz-json-1.1")
        .header("X-Amz-Target", "Logs_20140328.PutLogEvents")
        .json(&payload)
        .send()
        .await
        .map_err(|e| AvError::InvalidPolicy(format!("CloudWatch Logs forward failed: {}", e)))?;

    if !resp.status().is_success() {
        let status = resp.status();
        let body = resp.text().await.unwrap_or_default();
        return Err(AvError::InvalidPolicy(format!(
            "CloudWatch Logs returned {}: {}",
            status,
            &body[..body.len().min(200)]
        )));
    }

    Ok(())
}

/// Forward audit entries to a generic webhook endpoint (SIEM, Splunk, etc).
/// POSTs a JSON array of audit entries.
async fn forward_to_webhook(url: &str, entries: &[AuditEntry]) -> Result<()> {
    let client = reqwest::Client::new();
    let resp = client
        .post(url)
        .header("Content-Type", "application/json")
        .header("User-Agent", "audex-audit-forwarder/0.1")
        .json(&entries)
        .send()
        .await
        .map_err(|e| AvError::InvalidPolicy(format!("Webhook forward failed: {}", e)))?;

    if !resp.status().is_success() {
        let status = resp.status();
        let body = resp.text().await.unwrap_or_default();
        return Err(AvError::InvalidPolicy(format!(
            "Webhook returned {}: {}",
            status,
            &body[..body.len().min(200)]
        )));
    }

    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::audit::{AuditEntry, AuditEvent};
    use chrono::Utc;

    fn sample_entry() -> AuditEntry {
        AuditEntry {
            timestamp: Utc::now(),
            session_id: "test-session-123".to_string(),
            provider: "aws".to_string(),
            event: AuditEvent::SessionCreated {
                role_arn: "arn:aws:iam::123456789012:role/TestRole".to_string(),
                ttl_seconds: 900,
                budget: None,
                allowed_actions: vec!["s3:GetObject".to_string()],
                command: vec!["aws".to_string(), "s3".to_string(), "ls".to_string()],
                agent_id: None,
            },
        }
    }

    #[test]
    fn test_forward_config_default() {
        let config = ForwardConfig::default();
        assert!(config.destinations.is_empty());
        assert!(config.batch_size.is_none());
        assert!(config.sync.is_none());
    }

    #[test]
    fn test_forward_config_deserialize() {
        let toml_str = r#"
destinations = ["s3://my-audit-bucket/audex/", "https://siem.example.com/ingest"]
batch_size = 5
sync = false
"#;
        let config: ForwardConfig = toml::from_str(toml_str).unwrap();
        assert_eq!(config.destinations.len(), 2);
        assert_eq!(config.batch_size, Some(5));
        assert_eq!(config.sync, Some(false));
    }

    #[tokio::test]
    async fn test_buffer_no_destinations() {
        let config = ForwardConfig::default();
        let mut buffer = ForwardBuffer::new(config);
        let flushed = buffer.push(sample_entry()).await.unwrap();
        assert!(!flushed);
        assert!(buffer.buffer.is_empty());
    }

    #[tokio::test]
    async fn test_buffer_batching() {
        let config = ForwardConfig {
            // Use a webhook that won't actually be called since we test buffer logic
            destinations: vec![],
            batch_size: Some(3),
            sync: Some(false),
        };
        let mut buffer = ForwardBuffer::new(config);

        // With no destinations, push returns false
        buffer.push(sample_entry()).await.unwrap();
        buffer.push(sample_entry()).await.unwrap();
        assert_eq!(buffer.buffer.len(), 0); // no destinations = no buffering
    }

    #[test]
    fn test_entry_serialization() {
        let entry = sample_entry();
        let json = serde_json::to_string(&entry).unwrap();
        assert!(json.contains("test-session-123"));
        assert!(json.contains("session_created"));
        // Roundtrip
        let parsed: AuditEntry = serde_json::from_str(&json).unwrap();
        assert_eq!(parsed.session_id, "test-session-123");
    }
}