tryaudex_core/

azure.rs

use std::sync::Arc;
use std::time::Duration;

use azure_core::credentials::{AccessToken, TokenCredential};
use azure_identity::AzureCliCredential;
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};

use crate::error::{AvError, Result};

/// Temporary Azure credentials (short-lived OAuth2 access token).
/// Debug impl redacts the token to prevent accidental logging.
#[derive(Clone, Serialize, Deserialize)]
pub struct AzureTempCredentials {
    #[serde(skip_serializing)]
    pub access_token: String,
    pub expires_at: DateTime<Utc>,
}

impl std::fmt::Debug for AzureTempCredentials {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("AzureTempCredentials")
            .field("access_token", &"[REDACTED]")
            .field("expires_at", &self.expires_at)
            .finish()
    }
}

/// Issues short-lived Azure credentials via AzureCliCredential.
///
/// Works with Azure CLI credentials (`az login`).
/// For other auth methods (service principals, managed identity),
/// use the appropriate credential type from azure_identity.
pub struct AzureCredentialIssuer {
    credential: Arc<AzureCliCredential>,
}

impl AzureCredentialIssuer {
    /// Create a new issuer using AzureCliCredential.
    /// Requires `az login` to have been run.
    pub fn new() -> Result<Self> {
        let credential = AzureCliCredential::new(None).map_err(|e| {
            AvError::Azure(format!(
                "Failed to create Azure credential. Run `az login` first. Error: {}",
                e
            ))
        })?;

        Ok(Self { credential })
    }

    /// Get an access token for Azure Resource Manager.
    ///
    /// The token is scoped to the ARM management API. The endpoint is derived
    /// from the `AZURE_CLOUD` env var to support sovereign clouds:
    ///   - `AzureCloud` (default): management.azure.com
    ///   - `AzureUSGovernment`: management.usgovcloudapi.net
    ///   - `AzureChinaCloud`: management.chinacloudapi.cn
    ///
    /// Azure tokens are typically valid for 1 hour. The `ttl` parameter
    /// controls session metadata only — Azure does not support shorter-lived
    /// tokens on the client side. If `ttl` is shorter than the token's actual
    /// expiry, `expires_at` is set to `now + ttl` so audex treats the session
    /// as expired at the requested time.
    pub async fn issue(&self, ttl: Duration) -> Result<AzureTempCredentials> {
        let arm_scope = arm_scope_for_cloud()?;
        let scopes = &[arm_scope.as_str()];

        let token: AccessToken = self
            .credential
            .get_token(scopes, None)
            .await
            .map_err(|e| AvError::Azure(format!("Failed to get Azure access token: {}", e)))?;

        // Convert azure_core's OffsetDateTime to chrono::DateTime
        let token_expires_at = DateTime::from_timestamp(token.expires_on.unix_timestamp(), 0)
            .ok_or_else(|| {
                AvError::Azure(format!(
                    "Failed to convert Azure token expiry (unix timestamp {})",
                    token.expires_on.unix_timestamp()
                ))
            })?;

        // Azure issues tokens with a fixed lifetime (~3600s) that cannot be
        // shortened via the token request. If the caller requested a shorter
        // TTL, honour their intent by expiring the session early so audex
        // won't hand out a token the caller considers stale.
        let requested_expires_at =
            Utc::now() + chrono::Duration::from_std(ttl).unwrap_or(chrono::Duration::seconds(3600));
        let expires_at = token_expires_at.min(requested_expires_at);

        if requested_expires_at < token_expires_at {
            tracing::warn!(
                requested_ttl_secs = ttl.as_secs(),
                token_lifetime_secs = (token_expires_at - Utc::now()).num_seconds(),
                "Azure token TTL cannot be shortened at issuance; session expires_at \
                 set to requested TTL. The underlying token remains valid until its \
                 natural expiry — revoke it explicitly if needed."
            );
        }

        Ok(AzureTempCredentials {
            access_token: token.token.secret().to_string(),
            expires_at,
        })
    }

    /// Unified issuance that picks `issue_for_scope` when a scope is provided
    /// and `issue` otherwise. Used by the rotation closure so rotated tokens
    /// always target the same audience as the initially issued token (R6-H8).
    pub async fn issue_with_optional_scope(
        &self,
        scope: Option<&str>,
        ttl: Duration,
    ) -> Result<AzureTempCredentials> {
        match scope {
            Some(s) => self.issue_for_scope(s, ttl).await,
            None => self.issue(ttl).await,
        }
    }

    /// Get an access token for a specific Azure service scope.
    /// Scope must be an https:// URL whose domain is an allowed Azure authority
    /// (see `AZURE_ALLOWED_SCOPE_DOMAINS`).
    pub async fn issue_for_scope(
        &self,
        scope: &str,
        ttl: Duration,
    ) -> Result<AzureTempCredentials> {
        // R6-M15: use a real URL parser rather than `trim_start_matches`
        // + `split('/')`, which accepted inputs like
        // `https://management.azure.com/../../attacker.com/.default`
        // — the naive parser extracted `management.azure.com` as the
        // host and waved it through, but path-normalising clients (or
        // any downstream consumer that treats the scope as a URL and
        // resolves `..`) could redirect the request to `attacker.com`.
        // Reject any scope whose path contains `..` or percent-encoded
        // segments, and require a well-formed https URL.
        let parsed = url::Url::parse(scope).map_err(|e| {
            AvError::Azure(format!(
                "Invalid Azure scope '{}': {}. Expected an https:// URL \
                 (e.g. 'https://management.azure.com/.default')",
                scope, e
            ))
        })?;
        if parsed.scheme() != "https" {
            return Err(AvError::Azure(format!(
                "Invalid Azure scope '{}': scheme must be https, got '{}'",
                scope,
                parsed.scheme()
            )));
        }
        let host = parsed
            .host_str()
            .ok_or_else(|| AvError::Azure(format!("Azure scope '{}' has no host", scope)))?
            .to_ascii_lowercase();
        let path = parsed.path();
        if path.split('/').any(|seg| seg == "..") || path.contains('%') {
            return Err(AvError::Azure(format!(
                "Azure scope '{}' contains path traversal or percent-encoded \
                 segments; reject to avoid SSRF to unintended hosts",
                scope
            )));
        }
        if !AZURE_ALLOWED_SCOPE_DOMAINS
            .iter()
            .any(|allowed| host == *allowed || host.ends_with(&format!(".{}", allowed)))
        {
            return Err(AvError::Azure(format!(
                "Azure scope '{}' targets an unrecognised domain '{}'. \
                 Allowed domains: {}",
                scope,
                host,
                AZURE_ALLOWED_SCOPE_DOMAINS.join(", ")
            )));
        }

        let scopes = &[scope];

        let token: AccessToken = self.credential.get_token(scopes, None).await.map_err(|e| {
            AvError::Azure(format!(
                "Failed to get Azure access token for {}: {}",
                scope, e
            ))
        })?;

        let token_expires_at = DateTime::from_timestamp(token.expires_on.unix_timestamp(), 0)
            .ok_or_else(|| {
                AvError::Azure(format!(
                    "Failed to convert Azure token expiry (unix timestamp {})",
                    token.expires_on.unix_timestamp()
                ))
            })?;

        let requested_expires_at =
            Utc::now() + chrono::Duration::from_std(ttl).unwrap_or(chrono::Duration::seconds(3600));
        let expires_at = token_expires_at.min(requested_expires_at);

        Ok(AzureTempCredentials {
            access_token: token.token.secret().to_string(),
            expires_at,
        })
    }
}

/// Known Azure authority domains allowed as token scope targets.
///
/// Used to prevent SSRF via attacker-controlled scope URLs in
/// `issue_for_scope`. A scope domain must equal one of these entries or be a
/// subdomain of one.
const AZURE_ALLOWED_SCOPE_DOMAINS: &[&str] = &[
    "management.azure.com",
    "management.chinacloudapi.cn",
    "management.microsoftazure.de",
    "management.usgovcloudapi.net",
    "vault.azure.net",
    "database.windows.net",
    "graph.microsoft.com",
    "storage.azure.com",
    "dev.azure.com",
];

/// Return the ARM scope URL for the configured Azure cloud environment.
/// Reads `AZURE_CLOUD` (or `AZURE_ENVIRONMENT`) to support sovereign clouds.
///
/// R6-M20: returns `Err` for `AzureGermanCloud`. The Microsoft Cloud
/// Deutschland was retired on 29 October 2021 and its ARM endpoint no
/// longer issues tokens. Previously this path logged a warning and
/// returned the dead endpoint anyway, so a session would be created
/// and the subprocess would fail mid-run when the token request hit
/// the dead cloud. Erroring at issuance prevents the session from
/// being recorded at all.
fn arm_scope_for_cloud() -> Result<String> {
    let cloud = std::env::var("AZURE_CLOUD")
        .or_else(|_| std::env::var("AZURE_ENVIRONMENT"))
        .unwrap_or_else(|_| "AzureCloud".to_string());

    match cloud.as_str() {
        "AzureUSGovernment" => Ok("https://management.usgovcloudapi.net/.default".to_string()),
        "AzureChinaCloud" => Ok("https://management.chinacloudapi.cn/.default".to_string()),
        "AzureGermanCloud" => Err(AvError::Azure(
            "AzureGermanCloud (Microsoft Cloud Deutschland) was retired on \
             29 October 2021 and its ARM endpoint no longer issues tokens. \
             Set AZURE_CLOUD=AzureCloud (or unset the variable) to use the \
             standard Azure global cloud."
                .to_string(),
        )),
        _ => Ok("https://management.azure.com/.default".to_string()),
    }
}