tryaudex_core/

resource_parser.rs

//! Parses wrapped subprocess commands to identify cloud resources being
//! created, so the audit trail can record what each session left behind.
//!
//! This is the foundation for the cleanup flow (Phase 1 of Resource Lifecycle):
//! audex knows the agent ran `aws s3api create-bucket --bucket foo`, so it
//! records that `foo` was created under this session. Later, `tryaudex cleanup
//! <session-id>` enumerates + deletes these resources.
//!
//! Coverage is intentionally **command-args only** — we don't parse stdout
//! yet, so creates where AWS assigns the name (ec2 run-instances, kms
//! create-key) are a known gap filled in Phase 2.

use serde::{Deserialize, Serialize};

/// A single cloud resource created during a wrapped session.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct CreatedResource {
    /// Provider: "aws" | "gcp" | "azure"
    pub provider: String,
    /// Service: "s3", "dynamodb", "sqs", etc.
    pub service: String,
    /// Resource kind within the service: "bucket", "table", "queue", etc.
    pub resource_type: String,
    /// User-visible identifier: name, ARN, URL, or key as parsed from args.
    pub identifier: String,
}

impl CreatedResource {
    fn aws(service: &str, resource_type: &str, identifier: &str) -> Self {
        Self {
            provider: "aws".to_string(),
            service: service.to_string(),
            resource_type: resource_type.to_string(),
            identifier: identifier.to_string(),
        }
    }
}

/// Parse a subprocess command and return every resource the command appears
/// to create. Empty vec if none recognized.
///
/// The command is the full argv the user passed to `tryaudex run`, e.g.
/// `["aws", "s3api", "create-bucket", "--bucket", "my-bucket"]`.
pub fn parse(command: &[String]) -> Vec<CreatedResource> {
    if command.is_empty() {
        return Vec::new();
    }
    match command[0].as_str() {
        "aws" => parse_aws(&command[1..]),
        _ => Vec::new(),
    }
}

/// Parse an `aws <service> <verb> [flags]` invocation.
fn parse_aws(args: &[String]) -> Vec<CreatedResource> {
    if args.len() < 2 {
        return Vec::new();
    }
    let service = args[0].as_str();
    let verb = args[1].as_str();
    let flags = &args[2..];

    match (service, verb) {
        // S3 high-level CLI
        ("s3", "mb") => parse_s3_mb(flags),
        ("s3", "cp") | ("s3", "sync") | ("s3", "mv") => parse_s3_cp(flags),
        // S3 API
        ("s3api", "create-bucket") => flag("--bucket", flags)
            .map(|v| vec![CreatedResource::aws("s3", "bucket", v)])
            .unwrap_or_default(),
        ("s3api", "put-object") => {
            let mut out = Vec::new();
            if let (Some(bucket), Some(key)) = (flag("--bucket", flags), flag("--key", flags)) {
                out.push(CreatedResource::aws(
                    "s3",
                    "object",
                    &format!("s3://{bucket}/{key}"),
                ));
            }
            out
        }
        // DynamoDB
        ("dynamodb", "create-table") => flag("--table-name", flags)
            .map(|v| vec![CreatedResource::aws("dynamodb", "table", v)])
            .unwrap_or_default(),
        // SQS
        ("sqs", "create-queue") => flag("--queue-name", flags)
            .map(|v| vec![CreatedResource::aws("sqs", "queue", v)])
            .unwrap_or_default(),
        // SNS
        ("sns", "create-topic") => flag("--name", flags)
            .map(|v| vec![CreatedResource::aws("sns", "topic", v)])
            .unwrap_or_default(),
        // SSM
        ("ssm", "put-parameter") => flag("--name", flags)
            .map(|v| vec![CreatedResource::aws("ssm", "parameter", v)])
            .unwrap_or_default(),
        // Secrets Manager
        ("secretsmanager", "create-secret") => flag("--name", flags)
            .map(|v| vec![CreatedResource::aws("secretsmanager", "secret", v)])
            .unwrap_or_default(),
        // Lambda
        ("lambda", "create-function") => flag("--function-name", flags)
            .map(|v| vec![CreatedResource::aws("lambda", "function", v)])
            .unwrap_or_default(),
        // RDS
        ("rds", "create-db-instance") => flag("--db-instance-identifier", flags)
            .map(|v| vec![CreatedResource::aws("rds", "db-instance", v)])
            .unwrap_or_default(),
        ("rds", "create-db-cluster") => flag("--db-cluster-identifier", flags)
            .map(|v| vec![CreatedResource::aws("rds", "db-cluster", v)])
            .unwrap_or_default(),
        // CloudFormation
        ("cloudformation", "create-stack") => flag("--stack-name", flags)
            .map(|v| vec![CreatedResource::aws("cloudformation", "stack", v)])
            .unwrap_or_default(),
        // ECR
        ("ecr", "create-repository") => flag("--repository-name", flags)
            .map(|v| vec![CreatedResource::aws("ecr", "repository", v)])
            .unwrap_or_default(),
        // ECS
        ("ecs", "create-cluster") => flag("--cluster-name", flags)
            .map(|v| vec![CreatedResource::aws("ecs", "cluster", v)])
            .unwrap_or_default(),
        // IAM (will typically be denied, but track if attempted+granted)
        ("iam", "create-role") => flag("--role-name", flags)
            .map(|v| vec![CreatedResource::aws("iam", "role", v)])
            .unwrap_or_default(),
        ("iam", "create-user") => flag("--user-name", flags)
            .map(|v| vec![CreatedResource::aws("iam", "user", v)])
            .unwrap_or_default(),
        ("iam", "create-policy") => flag("--policy-name", flags)
            .map(|v| vec![CreatedResource::aws("iam", "policy", v)])
            .unwrap_or_default(),
        // CloudWatch Logs
        ("logs", "create-log-group") => flag("--log-group-name", flags)
            .map(|v| vec![CreatedResource::aws("logs", "log-group", v)])
            .unwrap_or_default(),
        ("logs", "create-log-stream") => {
            let mut out = Vec::new();
            if let (Some(group), Some(stream)) = (
                flag("--log-group-name", flags),
                flag("--log-stream-name", flags),
            ) {
                out.push(CreatedResource::aws(
                    "logs",
                    "log-stream",
                    &format!("{group}/{stream}"),
                ));
            }
            out
        }
        // Route53
        ("route53", "create-hosted-zone") => flag("--name", flags)
            .map(|v| vec![CreatedResource::aws("route53", "hosted-zone", v)])
            .unwrap_or_default(),
        _ => Vec::new(),
    }
}

/// `aws s3 mb s3://bucket-name` → create a bucket.
fn parse_s3_mb(flags: &[String]) -> Vec<CreatedResource> {
    flags
        .iter()
        .find(|a| a.starts_with("s3://"))
        .and_then(|uri| uri.strip_prefix("s3://"))
        .map(|bucket| {
            // `s3 mb s3://foo` uses just the bucket name (no key)
            let name = bucket.trim_end_matches('/').split('/').next().unwrap_or("");
            if name.is_empty() {
                Vec::new()
            } else {
                vec![CreatedResource::aws("s3", "bucket", name)]
            }
        })
        .unwrap_or_default()
}

/// `aws s3 cp src s3://bucket/key` → create an object (destination is the s3://).
fn parse_s3_cp(flags: &[String]) -> Vec<CreatedResource> {
    // Find all s3:// URIs; the last one is conventionally the destination for
    // cp/sync/mv. `s3 sync src s3://bucket/prefix` → object(s) under prefix.
    let s3_uris: Vec<&String> = flags.iter().filter(|a| a.starts_with("s3://")).collect();
    if let Some(dest) = s3_uris.last() {
        // Don't count source-only ops (s3 cp s3://a s3://b — both are s3 URIs,
        // but the dest is still the last one, which is correct).
        if let Some(rest) = dest.strip_prefix("s3://") {
            if !rest.is_empty() && rest.contains('/') {
                return vec![CreatedResource::aws("s3", "object", dest)];
            }
        }
    }
    Vec::new()
}

/// Extract the value following a CLI flag (`--bucket my-name` → "my-name").
/// Returns None if the flag isn't present or has no value.
fn flag<'a>(name: &str, args: &'a [String]) -> Option<&'a str> {
    let mut iter = args.iter();
    while let Some(arg) = iter.next() {
        if arg == name {
            return iter.next().map(|s| s.as_str());
        }
        // Support --flag=value form
        if let Some(rest) = arg.strip_prefix(&format!("{name}=")) {
            return Some(rest);
        }
    }
    None
}

#[cfg(test)]
mod tests {
    use super::*;

    fn cmd(parts: &[&str]) -> Vec<String> {
        parts.iter().map(|s| s.to_string()).collect()
    }

    #[test]
    fn parses_s3api_create_bucket() {
        let c = cmd(&[
            "aws",
            "s3api",
            "create-bucket",
            "--bucket",
            "foo",
            "--region",
            "us-east-1",
        ]);
        let r = parse(&c);
        assert_eq!(r.len(), 1);
        assert_eq!(r[0].service, "s3");
        assert_eq!(r[0].resource_type, "bucket");
        assert_eq!(r[0].identifier, "foo");
    }

    #[test]
    fn parses_s3_mb() {
        let c = cmd(&["aws", "s3", "mb", "s3://my-bucket"]);
        let r = parse(&c);
        assert_eq!(r.len(), 1);
        assert_eq!(r[0].identifier, "my-bucket");
    }

    #[test]
    fn parses_s3_cp_to_object() {
        let c = cmd(&["aws", "s3", "cp", "/tmp/file.txt", "s3://my-bucket/key.txt"]);
        let r = parse(&c);
        assert_eq!(r.len(), 1);
        assert_eq!(r[0].service, "s3");
        assert_eq!(r[0].resource_type, "object");
        assert_eq!(r[0].identifier, "s3://my-bucket/key.txt");
    }

    #[test]
    fn parses_dynamodb_create_table() {
        let c = cmd(&["aws", "dynamodb", "create-table", "--table-name", "users"]);
        let r = parse(&c);
        assert_eq!(r.len(), 1);
        assert_eq!(r[0].service, "dynamodb");
        assert_eq!(r[0].identifier, "users");
    }

    #[test]
    fn parses_sqs_sns_ssm() {
        assert_eq!(
            parse(&cmd(&["aws", "sqs", "create-queue", "--queue-name", "q"]))[0].identifier,
            "q"
        );
        assert_eq!(
            parse(&cmd(&["aws", "sns", "create-topic", "--name", "t"]))[0].identifier,
            "t"
        );
        assert_eq!(
            parse(&cmd(&[
                "aws",
                "ssm",
                "put-parameter",
                "--name",
                "/p",
                "--value",
                "x"
            ]))[0]
                .identifier,
            "/p"
        );
    }

    #[test]
    fn parses_secrets_and_lambda() {
        assert_eq!(
            parse(&cmd(&[
                "aws",
                "secretsmanager",
                "create-secret",
                "--name",
                "s"
            ]))[0]
                .identifier,
            "s"
        );
        assert_eq!(
            parse(&cmd(&[
                "aws",
                "lambda",
                "create-function",
                "--function-name",
                "f"
            ]))[0]
                .identifier,
            "f"
        );
    }

    #[test]
    fn unknown_verb_returns_empty() {
        assert!(parse(&cmd(&["aws", "s3", "ls"])).is_empty());
        assert!(parse(&cmd(&["aws", "s3api", "list-buckets"])).is_empty());
        assert!(parse(&cmd(&["aws", "dynamodb", "scan", "--table-name", "t"])).is_empty());
    }

    #[test]
    fn missing_name_flag_returns_empty() {
        assert!(parse(&cmd(&["aws", "s3api", "create-bucket"])).is_empty());
        assert!(parse(&cmd(&["aws", "dynamodb", "create-table"])).is_empty());
    }

    #[test]
    fn empty_command_returns_empty() {
        let empty: Vec<String> = Vec::new();
        assert!(parse(&empty).is_empty());
        assert!(parse(&cmd(&["aws"])).is_empty());
        assert!(parse(&cmd(&["aws", "s3"])).is_empty());
    }

    #[test]
    fn non_aws_command_returns_empty() {
        assert!(parse(&cmd(&["gcloud", "storage", "buckets", "create"])).is_empty());
        assert!(parse(&cmd(&["terraform", "apply"])).is_empty());
    }

    #[test]
    fn handles_flag_equals_value_form() {
        let c = cmd(&["aws", "s3api", "create-bucket", "--bucket=my-bucket"]);
        let r = parse(&c);
        assert_eq!(r.len(), 1);
        assert_eq!(r[0].identifier, "my-bucket");
    }

    #[test]
    fn s3_cp_bucket_only_dest_not_counted_as_object() {
        // "s3 cp file s3://bucket" (no key) — unclear semantics, ignore.
        let c = cmd(&["aws", "s3", "cp", "/tmp/file", "s3://bucket"]);
        let r = parse(&c);
        assert!(r.is_empty());
    }

    #[test]
    fn parses_iam_create_role() {
        let r = parse(&cmd(&[
            "aws",
            "iam",
            "create-role",
            "--role-name",
            "MyRole",
        ]));
        assert_eq!(r[0].service, "iam");
        assert_eq!(r[0].resource_type, "role");
        assert_eq!(r[0].identifier, "MyRole");
    }

    #[test]
    fn parses_cloudformation_stack() {
        let r = parse(&cmd(&[
            "aws",
            "cloudformation",
            "create-stack",
            "--stack-name",
            "prod-stack",
            "--template-body",
            "file://t.yaml",
        ]));
        assert_eq!(r[0].identifier, "prod-stack");
    }

    #[test]
    fn parses_logs_create_log_stream_composite() {
        let r = parse(&cmd(&[
            "aws",
            "logs",
            "create-log-stream",
            "--log-group-name",
            "g",
            "--log-stream-name",
            "s",
        ]));
        assert_eq!(r[0].identifier, "g/s");
    }
}