tryaudex_core/

sso.rs

use serde::{Deserialize, Serialize};

use crate::error::{AvError, Result};

/// SSO provider type.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum SsoProvider {
    Okta,
    Auth0,
    Google,
    /// Generic OIDC provider
    Oidc,
}

/// SSO configuration in `[sso]` config section.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SsoConfig {
    /// SSO provider type
    pub provider: SsoProvider,
    /// OIDC issuer URL (e.g. "https://myorg.okta.com", "https://accounts.google.com")
    pub issuer: String,
    /// OIDC client ID
    pub client_id: String,
    /// OIDC client secret (optional, for confidential clients)
    pub client_secret: Option<String>,
    /// Redirect URI for the device/local auth flow
    #[serde(default = "default_redirect")]
    pub redirect_uri: String,
    /// OIDC scopes to request
    #[serde(default = "default_scopes")]
    pub scopes: Vec<String>,
    /// Claim to use as the identity (default: "email")
    #[serde(default = "default_identity_claim")]
    pub identity_claim: String,
    /// Claim to use for group/team membership (default: "groups")
    #[serde(default = "default_groups_claim")]
    pub groups_claim: String,
    /// Whether SSO is required (if false, falls back to local identity)
    #[serde(default)]
    pub required: bool,
}

fn default_redirect() -> String {
    "http://localhost:8400/callback".to_string()
}

fn default_scopes() -> Vec<String> {
    vec![
        "openid".to_string(),
        "email".to_string(),
        "profile".to_string(),
    ]
}

fn default_identity_claim() -> String {
    "email".to_string()
}

fn default_groups_claim() -> String {
    "groups".to_string()
}

/// Token response from the OIDC provider.
#[derive(Debug, Deserialize)]
struct TokenResponse {
    access_token: String,
    id_token: Option<String>,
    #[allow(dead_code)]
    token_type: Option<String>,
    #[allow(dead_code)]
    expires_in: Option<u64>,
}

/// Decoded identity from an SSO token.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SsoIdentity {
    /// The user's identity (email, subject, etc.)
    pub identity: String,
    /// Group/team memberships from the SSO provider
    pub groups: Vec<String>,
    /// Raw claims from the ID token
    pub claims: serde_json::Value,
}

/// Cached SSO session stored on disk.
#[derive(Debug, Serialize, Deserialize)]
struct CachedSsoSession {
    identity: SsoIdentity,
    expires_at: i64,
}

fn cache_path() -> std::path::PathBuf {
    dirs::cache_dir()
        .unwrap_or_else(|| std::path::PathBuf::from("."))
        .join("audex")
        .join("sso_session.json")
}

/// Load cached SSO session if still valid (encrypted at rest).
pub fn load_cached_identity() -> Option<SsoIdentity> {
    let path = cache_path();
    let cached: CachedSsoSession = crate::keystore::decrypt_from_file(&path).ok()??;
    let now = chrono::Utc::now().timestamp();
    if now < cached.expires_at {
        Some(cached.identity)
    } else {
        None
    }
}

fn save_cached_identity(identity: &SsoIdentity, ttl_secs: u64) {
    let cached = CachedSsoSession {
        identity: identity.clone(),
        expires_at: chrono::Utc::now().timestamp() + ttl_secs as i64,
    };
    let path = cache_path();
    if let Some(parent) = path.parent() {
        let _ = std::fs::create_dir_all(parent);
    }
    let _ = crate::keystore::encrypt_to_file(&path, &cached);
}

/// Authenticate via SSO using the device authorization flow.
/// Opens a browser for login and listens on a local callback URL.
pub async fn authenticate(config: &SsoConfig) -> Result<SsoIdentity> {
    // Check cache first
    if let Some(cached) = load_cached_identity() {
        return Ok(cached);
    }

    let discovery_url = format!(
        "{}/.well-known/openid-configuration",
        config.issuer.trim_end_matches('/')
    );

    let client = reqwest::Client::new();

    // Fetch OIDC discovery document
    let discovery: serde_json::Value = client
        .get(&discovery_url)
        .send()
        .await
        .map_err(|e| AvError::InvalidPolicy(format!("SSO discovery failed: {}", e)))?
        .json()
        .await
        .map_err(|e| AvError::InvalidPolicy(format!("SSO discovery parse failed: {}", e)))?;

    let auth_endpoint = discovery["authorization_endpoint"]
        .as_str()
        .ok_or_else(|| {
            AvError::InvalidPolicy("Missing authorization_endpoint in OIDC discovery".to_string())
        })?;
    let token_endpoint = discovery["token_endpoint"].as_str().ok_or_else(|| {
        AvError::InvalidPolicy("Missing token_endpoint in OIDC discovery".to_string())
    })?;

    // Generate PKCE challenge
    let verifier = generate_pkce_verifier();
    let challenge = generate_pkce_challenge(&verifier);
    let state = generate_state();

    let scopes = config.scopes.join(" ");
    let auth_url = format!(
        "{}?client_id={}&redirect_uri={}&response_type=code&scope={}&state={}&code_challenge={}&code_challenge_method=S256",
        auth_endpoint,
        urlencoding::encode(&config.client_id),
        urlencoding::encode(&config.redirect_uri),
        urlencoding::encode(&scopes),
        urlencoding::encode(&state),
        urlencoding::encode(&challenge),
    );

    eprintln!("Opening browser for SSO login...");
    eprintln!("If the browser doesn't open, visit:\n  {}\n", auth_url);

    // Try to open browser
    let _ = open_browser(&auth_url);

    // Start local server to receive the callback
    let code = listen_for_callback(&config.redirect_uri, &state).await?;

    // Exchange code for tokens
    let mut token_params = vec![
        ("grant_type", "authorization_code".to_string()),
        ("code", code),
        ("redirect_uri", config.redirect_uri.clone()),
        ("client_id", config.client_id.clone()),
        ("code_verifier", verifier),
    ];
    if let Some(ref secret) = config.client_secret {
        token_params.push(("client_secret", secret.clone()));
    }

    let token_resp: TokenResponse = client
        .post(token_endpoint)
        .form(&token_params)
        .send()
        .await
        .map_err(|e| AvError::InvalidPolicy(format!("SSO token exchange failed: {}", e)))?
        .json()
        .await
        .map_err(|e| AvError::InvalidPolicy(format!("SSO token parse failed: {}", e)))?;

    // Decode the ID token (we only need the claims, not full validation)
    let claims = if let Some(ref id_token) = token_resp.id_token {
        decode_jwt_claims(id_token)?
    } else {
        // Use userinfo endpoint as fallback
        let userinfo_url = discovery["userinfo_endpoint"].as_str().ok_or_else(|| {
            AvError::InvalidPolicy("No id_token and no userinfo_endpoint".to_string())
        })?;

        client
            .get(userinfo_url)
            .bearer_auth(&token_resp.access_token)
            .send()
            .await
            .map_err(|e| AvError::InvalidPolicy(format!("SSO userinfo failed: {}", e)))?
            .json()
            .await
            .map_err(|e| AvError::InvalidPolicy(format!("SSO userinfo parse failed: {}", e)))?
    };

    let identity_str = claims[&config.identity_claim]
        .as_str()
        .unwrap_or("unknown")
        .to_string();

    let groups: Vec<String> = claims[&config.groups_claim]
        .as_array()
        .map(|arr| {
            arr.iter()
                .filter_map(|v| v.as_str().map(|s| s.to_string()))
                .collect()
        })
        .unwrap_or_default();

    let sso_identity = SsoIdentity {
        identity: identity_str,
        groups,
        claims,
    };

    // Cache for 1 hour
    save_cached_identity(&sso_identity, 3600);

    Ok(sso_identity)
}

/// Decode JWT claims without signature verification (we trust the HTTPS connection).
fn decode_jwt_claims(token: &str) -> Result<serde_json::Value> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 {
        return Err(AvError::InvalidPolicy("Invalid JWT format".to_string()));
    }

    use base64::Engine;
    let payload = base64::engine::general_purpose::URL_SAFE_NO_PAD
        .decode(parts[1])
        .map_err(|e| AvError::InvalidPolicy(format!("JWT base64 decode failed: {}", e)))?;

    serde_json::from_slice(&payload)
        .map_err(|e| AvError::InvalidPolicy(format!("JWT claims parse failed: {}", e)))
}

/// Generate a random PKCE code verifier.
fn generate_pkce_verifier() -> String {
    use rand::Rng;
    let mut rng = rand::rng();
    let bytes: Vec<u8> = (0..32).map(|_| rng.random::<u8>()).collect();
    use base64::Engine;
    base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(&bytes)
}

/// Generate PKCE code challenge from verifier (S256).
fn generate_pkce_challenge(verifier: &str) -> String {
    use sha2::Digest;
    let hash = sha2::Sha256::digest(verifier.as_bytes());
    use base64::Engine;
    base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(hash)
}

/// Generate a random state parameter.
fn generate_state() -> String {
    use rand::Rng;
    let mut rng = rand::rng();
    let bytes: Vec<u8> = (0..16).map(|_| rng.random::<u8>()).collect();
    hex::encode(bytes)
}

/// Try to open a URL in the default browser.
fn open_browser(url: &str) -> std::io::Result<()> {
    #[cfg(target_os = "macos")]
    {
        std::process::Command::new("open").arg(url).spawn()?;
    }
    #[cfg(target_os = "linux")]
    {
        std::process::Command::new("xdg-open").arg(url).spawn()?;
    }
    #[cfg(target_os = "windows")]
    {
        std::process::Command::new("cmd")
            .args(["/c", "start", url])
            .spawn()?;
    }
    Ok(())
}

/// Listen on the callback URL for the authorization code.
async fn listen_for_callback(redirect_uri: &str, expected_state: &str) -> Result<String> {
    use tokio::io::AsyncReadExt;
    use tokio::io::AsyncWriteExt;

    // Parse port from redirect URI
    let url: url::Url = redirect_uri
        .parse()
        .map_err(|e| AvError::InvalidPolicy(format!("Invalid redirect URI: {}", e)))?;
    let port = url.port().unwrap_or(8400);

    let listener = tokio::net::TcpListener::bind(format!("127.0.0.1:{}", port))
        .await
        .map_err(|e| {
            AvError::InvalidPolicy(format!(
                "Failed to start callback listener on port {}: {}",
                port, e
            ))
        })?;

    eprintln!("Waiting for SSO callback on port {}...", port);

    let (mut stream, _) = listener
        .accept()
        .await
        .map_err(|e| AvError::InvalidPolicy(format!("Failed to accept callback: {}", e)))?;

    let mut buf = vec![0u8; 4096];
    let n = stream
        .read(&mut buf)
        .await
        .map_err(|e| AvError::InvalidPolicy(format!("Failed to read callback: {}", e)))?;

    let request = String::from_utf8_lossy(&buf[..n]);

    // Parse the query string from GET request
    let first_line = request.lines().next().unwrap_or("");
    let path = first_line.split_whitespace().nth(1).unwrap_or("/");
    let query_url = format!("http://localhost{}", path);
    let parsed: url::Url = query_url
        .parse()
        .map_err(|_| AvError::InvalidPolicy("Failed to parse callback URL".to_string()))?;

    let params: std::collections::HashMap<String, String> = parsed
        .query_pairs()
        .map(|(k, v)| (k.to_string(), v.to_string()))
        .collect();

    // Verify state
    let state = params.get("state").cloned().unwrap_or_default();
    if state != expected_state {
        let response = "HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n<h1>SSO Error</h1><p>State mismatch. Please try again.</p>";
        let _ = stream.write_all(response.as_bytes()).await;
        return Err(AvError::InvalidPolicy(
            "SSO state mismatch — possible CSRF".to_string(),
        ));
    }

    // Check for error
    if let Some(error) = params.get("error") {
        let desc = params.get("error_description").cloned().unwrap_or_default();
        let response = format!("HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n<h1>SSO Error</h1><p>{}: {}</p>", error, desc);
        let _ = stream.write_all(response.as_bytes()).await;
        return Err(AvError::InvalidPolicy(format!(
            "SSO error: {}: {}",
            error, desc
        )));
    }

    let code = params
        .get("code")
        .cloned()
        .ok_or_else(|| AvError::InvalidPolicy("No authorization code in callback".to_string()))?;

    // Send success response
    let response = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>Audex SSO Login Successful</h1><p>You can close this window and return to the terminal.</p>";
    let _ = stream.write_all(response.as_bytes()).await;

    Ok(code)
}

/// Clear the cached SSO session.
pub fn logout() {
    let path = cache_path();
    let _ = std::fs::remove_file(path);
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_sso_config_deserialize() {
        let toml_str = r#"
provider = "okta"
issuer = "https://myorg.okta.com"
client_id = "0oa1234567890"
scopes = ["openid", "email", "groups"]
identity_claim = "email"
groups_claim = "groups"
required = true
"#;
        let config: SsoConfig = toml::from_str(toml_str).unwrap();
        assert!(matches!(config.provider, SsoProvider::Okta));
        assert_eq!(config.issuer, "https://myorg.okta.com");
        assert_eq!(config.client_id, "0oa1234567890");
        assert!(config.required);
        assert_eq!(config.scopes.len(), 3);
    }

    #[test]
    fn test_sso_config_google() {
        let toml_str = r#"
provider = "google"
issuer = "https://accounts.google.com"
client_id = "12345.apps.googleusercontent.com"
client_secret = "GOCSPX-secret"
"#;
        let config: SsoConfig = toml::from_str(toml_str).unwrap();
        assert!(matches!(config.provider, SsoProvider::Google));
        assert!(config.client_secret.is_some());
        // Defaults
        assert_eq!(config.identity_claim, "email");
        assert_eq!(config.groups_claim, "groups");
        assert_eq!(config.redirect_uri, "http://localhost:8400/callback");
        assert!(!config.required);
    }

    #[test]
    fn test_sso_identity_serialize() {
        let identity = SsoIdentity {
            identity: "alice@example.com".to_string(),
            groups: vec!["backend-team".to_string(), "devops".to_string()],
            claims: serde_json::json!({"email": "alice@example.com", "sub": "user123"}),
        };
        let json = serde_json::to_string(&identity).unwrap();
        assert!(json.contains("alice@example.com"));
        assert!(json.contains("backend-team"));
        // Roundtrip
        let parsed: SsoIdentity = serde_json::from_str(&json).unwrap();
        assert_eq!(parsed.identity, "alice@example.com");
        assert_eq!(parsed.groups.len(), 2);
    }

    #[test]
    fn test_pkce_verifier_and_challenge() {
        let verifier = generate_pkce_verifier();
        assert!(!verifier.is_empty());
        let challenge = generate_pkce_challenge(&verifier);
        assert!(!challenge.is_empty());
        assert_ne!(verifier, challenge);
    }

    #[test]
    fn test_state_generation() {
        let state1 = generate_state();
        let state2 = generate_state();
        assert_ne!(state1, state2);
        assert_eq!(state1.len(), 32); // 16 bytes = 32 hex chars
    }

    #[test]
    fn test_decode_jwt_claims() {
        // Create a minimal JWT with base64url-encoded payload
        use base64::Engine;
        let claims = serde_json::json!({"email": "test@example.com", "groups": ["admin"]});
        let payload = base64::engine::general_purpose::URL_SAFE_NO_PAD
            .encode(serde_json::to_vec(&claims).unwrap());
        let fake_jwt = format!("header.{}.signature", payload);

        let decoded = decode_jwt_claims(&fake_jwt).unwrap();
        assert_eq!(decoded["email"], "test@example.com");
        assert_eq!(decoded["groups"][0], "admin");
    }

    #[test]
    fn test_decode_jwt_invalid() {
        assert!(decode_jwt_claims("not-a-jwt").is_err());
        assert!(decode_jwt_claims("a.b").is_err());
    }
}