tryaudex_core/

audit.rs

use std::path::PathBuf;

use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};

use crate::error::Result;
use crate::session::{CloudProvider, Session};

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEntry {
    pub timestamp: DateTime<Utc>,
    pub session_id: String,
    /// Cloud provider for this entry (defaults to "aws" for backwards compat).
    #[serde(default = "default_provider")]
    pub provider: String,
    pub event: AuditEvent,
}

fn default_provider() -> String {
    "aws".to_string()
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "snake_case")]
pub enum AuditEvent {
    SessionCreated {
        /// "Role ARN" for AWS, "Service Account" for GCP, "Subscription" for Azure
        role_arn: String,
        ttl_seconds: u64,
        budget: Option<f64>,
        allowed_actions: Vec<String>,
        command: Vec<String>,
        /// AI agent/model identity (from AUDEX_AGENT_ID env var).
        #[serde(default, skip_serializing_if = "Option::is_none")]
        agent_id: Option<String>,
    },
    CredentialsIssued {
        /// Credential identifier: AWS access key ID, GCP token prefix, or Azure token prefix.
        /// Field name kept as `access_key_id` for backwards compatibility with existing logs.
        access_key_id: String,
        expires_at: DateTime<Utc>,
    },
    SessionEnded {
        status: String,
        duration_seconds: i64,
        exit_code: Option<i32>,
    },
    BudgetWarning {
        current_spend: f64,
        limit: f64,
    },
    BudgetExceeded {
        final_spend: f64,
        limit: f64,
    },
    /// A cloud resource created during this session (Phase 1 of the
    /// resource-lifecycle flow). Emitted once per resource after the wrapped
    /// subprocess exits successfully, parsed from the command args.
    ResourceCreated {
        service: String,
        resource_type: String,
        identifier: String,
    },
    /// The --allow policy is advisory-only (no enforcement) for this session.
    /// Logged when GCP CAB downscoping fails or Azure tokens cannot be scoped.
    PolicyAdvisoryOnly {
        reason: String,
    },
}

/// Append-only audit logger that writes to a local JSONL file.
pub struct AuditLog {
    path: PathBuf,
}

impl AuditLog {
    pub fn new() -> Result<Self> {
        let dir = dirs::data_local_dir()
            .unwrap_or_else(|| PathBuf::from("."))
            .join("audex")
            .join("audit");
        std::fs::create_dir_all(&dir)?;
        let path = dir.join("audit.jsonl");
        Ok(Self { path })
    }

    /// Construct an AuditLog at a caller-provided path. Used by tests so they
    /// don't pollute the real audit log at `~/.local/share/audex/audit/audit.jsonl`.
    pub fn with_path(path: PathBuf) -> Result<Self> {
        if let Some(parent) = path.parent() {
            std::fs::create_dir_all(parent)?;
        }
        Ok(Self { path })
    }

    pub fn log(&self, session_id: &str, event: AuditEvent) -> Result<()> {
        self.log_with_provider(session_id, "aws", event)
    }

    pub fn log_with_provider(
        &self,
        session_id: &str,
        provider: &str,
        event: AuditEvent,
    ) -> Result<()> {
        let entry = AuditEntry {
            timestamp: Utc::now(),
            session_id: session_id.to_string(),
            provider: provider.to_string(),
            event,
        };
        let json_line = serde_json::to_string(&entry)?;

        // Redact any credential material before persisting
        let json_line = crate::leakdetect::redact_secrets(&json_line);

        // Take an exclusive OS-level lock on the audit log for the entire
        // read-hash-then-append sequence. Without this, concurrent writers
        // (threads OR separate tryaudex processes) would each read the same
        // `previous_hash`, compute HMACs against it, and append — breaking
        // the chain for every line after the first one to hit disk.
        use fs4::fs_std::FileExt;
        use std::io::Write;
        let mut opts = std::fs::OpenOptions::new();
        opts.create(true).append(true).read(true);
        #[cfg(unix)]
        {
            use std::os::unix::fs::OpenOptionsExt;
            opts.mode(0o600);
        }
        let mut file = opts.open(&self.path)?;
        file.lock_exclusive()?;

        // Warn once if using the hardcoded default HMAC key.
        crate::integrity::warn_if_default_key();

        // Sign with chain HMAC for tamper detection — now inside the lock.
        let previous_hash = crate::integrity::last_chain_hash(&self.path);
        let signed_line = crate::integrity::sign_line(&json_line, &previous_hash);

        let mut output = signed_line;
        output.push('\n');

        let write_result = file.write_all(output.as_bytes());
        // Flush to disk before releasing lock so concurrent writers
        // cannot corrupt the HMAC chain.
        if write_result.is_ok() {
            let _ = file.sync_all();
        }
        // Always release the lock, even if the write failed.
        let _ = FileExt::unlock(&file);
        write_result?;

        Ok(())
    }

    pub fn log_session_created(&self, session: &Session) -> Result<()> {
        let allowed_actions: Vec<String> = match session.provider {
            CloudProvider::Gcp => session
                .policy
                .actions
                .iter()
                .map(|a| a.to_gcp_permission())
                .collect(),
            CloudProvider::Azure => session
                .policy
                .actions
                .iter()
                .map(|a| a.to_azure_permission())
                .collect(),
            CloudProvider::Aws => session
                .policy
                .actions
                .iter()
                .map(|a| a.to_iam_action())
                .collect(),
        };

        self.log_with_provider(
            &session.id,
            &session.provider.to_string(),
            AuditEvent::SessionCreated {
                role_arn: session.role_arn.clone(),
                ttl_seconds: session.ttl_seconds,
                budget: session.budget,
                allowed_actions,
                command: session.command.clone(),
                agent_id: session.agent_id.clone(),
            },
        )
    }

    pub fn log_session_ended(&self, session: &Session, exit_code: Option<i32>) -> Result<()> {
        let duration = (Utc::now() - session.created_at).num_seconds();
        self.log_with_provider(
            &session.id,
            &session.provider.to_string(),
            AuditEvent::SessionEnded {
                status: session.status.to_string(),
                duration_seconds: duration,
                exit_code,
            },
        )
    }

    /// Read all audit entries, optionally filtered by session ID.
    pub fn read(&self, session_id: Option<&str>) -> Result<Vec<AuditEntry>> {
        self.read_filtered(session_id, None)
    }

    /// Read audit entries with optional session ID and provider filters.
    pub fn read_filtered(
        &self,
        session_id: Option<&str>,
        provider: Option<&str>,
    ) -> Result<Vec<AuditEntry>> {
        if !self.path.exists() {
            return Ok(Vec::new());
        }
        let content = std::fs::read_to_string(&self.path)?;
        let entries: Vec<AuditEntry> = content
            .lines()
            .filter(|l| !l.trim().is_empty())
            .filter_map(|l| {
                // Strip HMAC signature if present before parsing JSON
                let (json_content, _) = crate::integrity::parse_line(l);
                serde_json::from_str(json_content).ok()
            })
            .filter(|e: &AuditEntry| session_id.is_none_or(|id| e.session_id == id))
            .filter(|e: &AuditEntry| provider.is_none_or(|p| e.provider == p))
            .collect();
        Ok(entries)
    }

    /// Read at most `max_entries` recent audit entries without loading the
    /// entire log into memory.  Reads the last `max_bytes` of the file
    /// (default 1 MB) and parses only those lines.
    ///
    /// Takes a shared file lock for the duration of the read so concurrent
    /// writers in `log_with_provider` cannot tear a line mid-flush
    /// (R6-H20), verifies the HMAC chain before returning any data and
    /// refuses to serve entries from a tampered log (R6-H21), and uses a
    /// byte-oriented tail reader so seeks landing inside a multi-byte
    /// UTF-8 character or a pathological log with no newlines no longer
    /// silently return zero entries (R6-H19).
    pub fn read_recent(&self, max_entries: usize) -> Result<Vec<AuditEntry>> {
        use fs4::fs_std::FileExt;
        use std::io::{Read, Seek, SeekFrom};

        if !self.path.exists() {
            return Ok(Vec::new());
        }

        const MAX_TAIL_BYTES: u64 = 1_048_576; // 1 MB
        let mut file = std::fs::File::open(&self.path)?;

        // R6-H20: shared OS lock prevents reading a half-flushed line that
        // a concurrent `log_with_provider` writer has not yet sync_all'd.
        // The writer holds an exclusive lock across write+flush, so our
        // shared lock will block until the writer finishes.
        file.lock_shared()?;

        // R6-H21: verify the tamper-evidence chain before returning any
        // entries.  Previously MCP and the server's /v1/audit endpoint
        // called this path and cheerfully served forged lines with no
        // warning — an attacker who could write to the audit file could
        // plant arbitrary entries visible via the admin view.  `parse_line`
        // strips the HMAC silently, so a bad actor only had to replace
        // the tail with unsigned JSON and wait for an admin to look.
        //
        // We run the full-chain verification inside the lock so a writer
        // cannot race our check.  Audit logs are bounded by rotation so
        // O(n) verification on an admin-facing endpoint is acceptable.
        let verification = crate::integrity::verify_audit_log(&self.path)?;
        if !verification.tampered_lines.is_empty() {
            let _ = FileExt::unlock(&file);
            return Err(crate::error::AvError::InvalidPolicy(format!(
                "Audit log integrity check failed — {} tampered line(s) detected at {:?}. \
                 Refusing to return recent entries. Run `audex audit verify` to investigate.",
                verification.tampered_lines.len(),
                verification.tampered_lines
            )));
        }

        let file_len = file.metadata()?.len();

        // R6-H19: read as bytes, locate the first full line after the
        // tail cut-point, then decode lossily.  The old code used
        // `read_to_string` directly after byte-wise skipping to a newline,
        // which errored out when the 1 MB seek point landed inside a
        // multi-byte UTF-8 character (JSON escapes/unicode in log bodies)
        // and returned zero entries when the tail contained a single
        // huge line with no newline at all.
        let tail_start = file_len.saturating_sub(MAX_TAIL_BYTES);
        file.seek(SeekFrom::Start(tail_start))?;
        let mut bytes = Vec::with_capacity((file_len - tail_start) as usize);
        file.read_to_end(&mut bytes)?;
        let _ = FileExt::unlock(&file);

        // When we cut the file mid-line, drop the leading partial line;
        // when there is no newline in the slice, keep the whole thing —
        // `from_utf8_lossy` + per-line JSON parsing will naturally drop
        // any garbled prefix rather than silently returning nothing.
        let slice: &[u8] = if tail_start > 0 {
            match bytes.iter().position(|b| *b == b'\n') {
                Some(pos) => &bytes[pos + 1..],
                None => &bytes[..],
            }
        } else {
            &bytes[..]
        };

        let tail = String::from_utf8_lossy(slice);
        let entries: Vec<AuditEntry> = tail
            .lines()
            .rev()
            .filter(|l| !l.trim().is_empty())
            .take(max_entries)
            .filter_map(|l| {
                let (json_content, _) = crate::integrity::parse_line(l);
                serde_json::from_str(json_content).ok()
            })
            .collect();

        Ok(entries)
    }

    /// Verify the integrity of the audit log using chain HMACs.
    pub fn verify(&self) -> Result<crate::integrity::VerificationResult> {
        crate::integrity::verify_audit_log(&self.path)
    }

    pub fn path(&self) -> &PathBuf {
        &self.path
    }
}