tryaudex_core/

account.rs

use std::collections::HashMap;

use serde::{Deserialize, Serialize};

use crate::error::{AvError, Result};

/// Configuration for multi-account support.
/// Maps account aliases to role ARNs and metadata.
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct AccountConfig {
    /// Default account alias to use when --account is not specified.
    pub default: Option<String>,
    /// Map of alias -> account definition.
    #[serde(default)]
    pub accounts: HashMap<String, AccountDef>,
}

/// Definition of a single account alias.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AccountDef {
    /// The IAM role ARN to assume in this account.
    pub role_arn: String,
    /// Optional human-readable description.
    pub description: Option<String>,
    /// AWS region override for this account.
    pub region: Option<String>,
    /// External ID required for cross-account assumption.
    pub external_id: Option<String>,
    /// GCP service account email (for GCP accounts).
    pub gcp_service_account: Option<String>,
    /// GCP project ID (for GCP accounts).
    pub gcp_project: Option<String>,
    /// Azure subscription ID (for Azure accounts).
    pub azure_subscription: Option<String>,
    /// Azure tenant ID (for Azure accounts).
    pub azure_tenant: Option<String>,
    /// Max TTL override for this account.
    pub max_ttl: Option<String>,
    /// Deny list override for this account.
    pub deny: Option<Vec<String>>,
}

/// Resolved account details ready for use in credential issuance.
#[derive(Debug, Clone)]
pub struct ResolvedAccount {
    pub alias: String,
    pub role_arn: String,
    pub region: Option<String>,
    pub external_id: Option<String>,
    pub gcp_service_account: Option<String>,
    pub gcp_project: Option<String>,
    pub azure_subscription: Option<String>,
    pub azure_tenant: Option<String>,
    pub max_ttl: Option<String>,
    pub deny: Option<Vec<String>>,
}

/// Resolve an account alias to its full definition.
/// Supports:
///   - Named aliases from config (e.g. "production", "staging")
///   - Direct ARN passthrough (if the value looks like an ARN)
///   - AWS account ID shorthand (12-digit number → uses a role name pattern)
pub fn resolve(config: &AccountConfig, alias: &str) -> Result<ResolvedAccount> {
    // Direct ARN passthrough (supports all partitions: aws, aws-cn, aws-us-gov)
    if alias.starts_with("arn:") {
        return Ok(ResolvedAccount {
            alias: alias.to_string(),
            role_arn: alias.to_string(),
            region: None,
            external_id: None,
            gcp_service_account: None,
            gcp_project: None,
            azure_subscription: None,
            azure_tenant: None,
            max_ttl: None,
            deny: None,
        });
    }

    // AWS account ID shorthand (12-digit number)
    if alias.len() == 12 && alias.chars().all(|c| c.is_ascii_digit()) {
        // R6-H4: derive ARN partition from the AWS region so GovCloud/China
        // users don't get a cryptic STS error from a hardcoded commercial ARN.
        let region = std::env::var("AWS_REGION")
            .or_else(|_| std::env::var("AWS_DEFAULT_REGION"))
            .unwrap_or_default();
        let partition = if region.starts_with("us-gov-") {
            "aws-us-gov"
        } else if region.starts_with("cn-") {
            "aws-cn"
        } else {
            "aws"
        };
        return Ok(ResolvedAccount {
            alias: alias.to_string(),
            role_arn: format!("arn:{}:iam::{}:role/AudexAgentRole", partition, alias),
            region: None,
            external_id: None,
            gcp_service_account: None,
            gcp_project: None,
            azure_subscription: None,
            azure_tenant: None,
            max_ttl: None,
            deny: None,
        });
    }

    // Azure subscription ID passthrough (UUID format or /subscriptions/ prefix)
    if alias.starts_with("/subscriptions/")
        || (alias.len() == 36
            && alias.chars().filter(|c| *c == '-').count() == 4
            && alias.chars().all(|c| c.is_ascii_hexdigit() || c == '-'))
    {
        return Ok(ResolvedAccount {
            alias: alias.to_string(),
            role_arn: String::new(),
            region: None,
            external_id: None,
            gcp_service_account: None,
            gcp_project: None,
            azure_subscription: Some(alias.trim_start_matches("/subscriptions/").to_string()),
            azure_tenant: None,
            max_ttl: None,
            deny: None,
        });
    }

    // Named alias lookup
    if let Some(acct) = config.accounts.get(alias) {
        return Ok(ResolvedAccount {
            alias: alias.to_string(),
            role_arn: acct.role_arn.clone(),
            region: acct.region.clone(),
            external_id: acct.external_id.clone(),
            gcp_service_account: acct.gcp_service_account.clone(),
            gcp_project: acct.gcp_project.clone(),
            azure_subscription: acct.azure_subscription.clone(),
            azure_tenant: acct.azure_tenant.clone(),
            max_ttl: acct.max_ttl.clone(),
            deny: acct.deny.clone(),
        });
    }

    let available: Vec<&str> = config.accounts.keys().map(|k| k.as_str()).collect();
    Err(AvError::InvalidPolicy(format!(
        "Unknown account '{}'. Available: {}. You can also pass a full ARN or 12-digit account ID.",
        alias,
        if available.is_empty() {
            "none configured (add [account.accounts.<name>] to config)".to_string()
        } else {
            available.join(", ")
        }
    )))
}

/// List all configured account aliases.
pub fn list(config: &AccountConfig) -> Vec<(String, String, Option<String>)> {
    let mut accounts: Vec<(String, String, Option<String>)> = config
        .accounts
        .iter()
        .map(|(alias, def)| (alias.clone(), def.role_arn.clone(), def.description.clone()))
        .collect();
    accounts.sort_by(|a, b| a.0.cmp(&b.0));
    accounts
}

#[cfg(test)]
mod tests {
    use super::*;

    fn test_config() -> AccountConfig {
        let mut accounts = HashMap::new();
        accounts.insert(
            "production".to_string(),
            AccountDef {
                role_arn: "arn:aws:iam::111111111111:role/ProdAgentRole".to_string(),
                description: Some("Production AWS account".to_string()),
                region: Some("us-east-1".to_string()),
                external_id: Some("audex-prod-xyz".to_string()),
                gcp_service_account: None,
                gcp_project: None,
                azure_subscription: None,
                azure_tenant: None,
                max_ttl: Some("15m".to_string()),
                deny: Some(vec!["iam:*".to_string()]),
            },
        );
        accounts.insert(
            "staging".to_string(),
            AccountDef {
                role_arn: "arn:aws:iam::222222222222:role/StagingAgentRole".to_string(),
                description: Some("Staging AWS account".to_string()),
                region: None,
                external_id: None,
                gcp_service_account: None,
                gcp_project: None,
                azure_subscription: None,
                azure_tenant: None,
                max_ttl: None,
                deny: None,
            },
        );
        AccountConfig {
            default: Some("staging".to_string()),
            accounts,
        }
    }

    #[test]
    fn test_resolve_named_alias() {
        let config = test_config();
        let resolved = resolve(&config, "production").unwrap();
        assert_eq!(resolved.alias, "production");
        assert_eq!(
            resolved.role_arn,
            "arn:aws:iam::111111111111:role/ProdAgentRole"
        );
        assert_eq!(resolved.region.as_deref(), Some("us-east-1"));
        assert_eq!(resolved.external_id.as_deref(), Some("audex-prod-xyz"));
        assert_eq!(resolved.max_ttl.as_deref(), Some("15m"));
        assert!(resolved.deny.is_some());
    }

    #[test]
    fn test_resolve_arn_passthrough() {
        let config = test_config();
        let arn = "arn:aws:iam::999999999999:role/DirectRole";
        let resolved = resolve(&config, arn).unwrap();
        assert_eq!(resolved.role_arn, arn);
    }

    #[test]
    fn test_resolve_account_id_shorthand() {
        let config = test_config();
        let resolved = resolve(&config, "333333333333").unwrap();
        assert_eq!(
            resolved.role_arn,
            "arn:aws:iam::333333333333:role/AudexAgentRole"
        );
    }

    #[test]
    fn test_resolve_unknown_alias() {
        let config = test_config();
        assert!(resolve(&config, "nonexistent").is_err());
    }

    #[test]
    fn test_list_accounts() {
        let config = test_config();
        let accounts = list(&config);
        assert_eq!(accounts.len(), 2);
        // Sorted alphabetically
        assert_eq!(accounts[0].0, "production");
        assert_eq!(accounts[1].0, "staging");
    }

    #[test]
    fn test_config_deserialize() {
        let toml_str = r#"
default = "dev"

[accounts.dev]
role_arn = "arn:aws:iam::123456789012:role/DevRole"
description = "Development account"
region = "us-west-2"

[accounts.prod]
role_arn = "arn:aws:iam::987654321098:role/ProdRole"
external_id = "audex-12345"
max_ttl = "10m"
deny = ["iam:*", "organizations:*"]
"#;
        let config: AccountConfig = toml::from_str(toml_str).unwrap();
        assert_eq!(config.default.as_deref(), Some("dev"));
        assert_eq!(config.accounts.len(), 2);
        let dev = config.accounts.get("dev").unwrap();
        assert_eq!(dev.region.as_deref(), Some("us-west-2"));
        let prod = config.accounts.get("prod").unwrap();
        assert_eq!(prod.external_id.as_deref(), Some("audex-12345"));
        assert_eq!(prod.deny.as_ref().unwrap().len(), 2);
    }

    #[test]
    fn test_empty_config() {
        let config = AccountConfig::default();
        assert!(resolve(&config, "anything").is_err());
        assert!(list(&config).is_empty());
    }
}