tryaudex_core/

config.rs

use std::collections::HashMap;
use std::path::PathBuf;

use serde::{Deserialize, Serialize};

use crate::error::{AvError, Result};

/// A named policy profile (e.g. `s3-readonly`, `lambda-deploy`).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Profile {
    /// Comma-separated IAM actions (same format as --allow)
    pub allow: String,
    /// Optional comma-separated resource ARNs
    pub resource: Option<String>,
    /// Optional description for display
    pub description: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct Config {
    /// Default cloud provider ("aws", "gcp", or "azure")
    pub provider: Option<String>,
    /// Default IAM role ARN to assume (AWS)
    pub role_arn: Option<String>,
    /// Default TTL for sessions (e.g. "15m")
    pub ttl: Option<String>,
    /// Default budget limit in USD
    pub budget: Option<f64>,
    /// Default AWS region
    pub region: Option<String>,
    /// Actions that are always denied regardless of --allow
    pub deny: Option<Vec<String>>,
    /// AWS permissions boundary policy ARN — applied to every AssumeRole call
    /// as an additional ceiling beyond the inline session policy.
    pub permissions_boundary: Option<String>,
    /// Network policy: restrict credentials to specific source IPs or VPCs.
    #[serde(default)]
    pub network: Option<crate::policy::NetworkPolicy>,
    /// Named policy profiles
    #[serde(default)]
    pub profiles: HashMap<String, Profile>,
    /// GCP service account email for impersonation
    pub gcp_service_account: Option<String>,
    /// GCP project ID
    pub gcp_project: Option<String>,
    /// Allow GCP access token TTLs beyond the default 1h (up to 12h).
    ///
    /// Requires the org policy
    /// `constraints/iam.allowServiceAccountCredentialLifetimeExtension` to be
    /// enabled for the target project. If that policy is not set, the IAM
    /// `generateAccessToken` API will reject requests for tokens with a
    /// lifetime exceeding 3600s with a `PERMISSION_DENIED` error. Verify the
    /// org policy is in place before enabling this flag — there is no
    /// pre-flight API check available for org policy constraints.
    ///
    /// To inspect the policy:
    /// ```text
    /// gcloud org-policies describe \
    ///   constraints/iam.allowServiceAccountCredentialLifetimeExtension \
    ///   --project=<PROJECT_ID>
    /// ```
    #[serde(default)]
    pub gcp_extended_lifetime: bool,
    /// Azure subscription ID
    pub azure_subscription: Option<String>,
    /// Azure tenant ID
    pub azure_tenant: Option<String>,
    /// Team policy configuration
    #[serde(default)]
    pub team: Option<crate::team::TeamConfig>,
    /// Approval workflow configuration
    #[serde(default)]
    pub approval: Option<crate::approval::ApprovalConfig>,
    /// Audit forwarding configuration
    #[serde(default)]
    pub audit: Option<crate::forward::ForwardConfig>,
    /// Role mapping configuration
    #[serde(default)]
    pub roles: Option<crate::roles::RoleMappingConfig>,
    /// Rate limiting configuration
    #[serde(default)]
    pub ratelimit: Option<crate::ratelimit::RateLimitConfig>,
    /// SSO configuration
    #[serde(default)]
    pub sso: Option<crate::sso::SsoConfig>,
    /// Vault credential backend configuration
    #[serde(default)]
    pub vault: Option<crate::vault::VaultConfig>,
    /// Multi-account configuration
    #[serde(default)]
    pub account: Option<crate::account::AccountConfig>,
    /// Credential broker configuration
    #[serde(default)]
    pub broker: Option<crate::broker::BrokerConfig>,
    /// MCP command allowlist — when set, only commands whose basename matches
    /// an entry in this list can be executed via the MCP `audex_run` tool.
    /// Example: `mcp_allowed_commands = ["aws", "terraform", "gcloud", "az"]`
    #[serde(default)]
    pub mcp_allowed_commands: Option<Vec<String>>,
    /// Database audit backend configuration (planned — parsed but not yet wired to a DB driver)
    #[serde(default)]
    pub dbaudit: Option<crate::dbaudit::DbAuditConfig>,
    /// High availability configuration (planned — parsed but not yet wired to Redis/etcd)
    #[serde(default)]
    pub ha: Option<crate::ha::HaConfig>,
}

impl Config {
    /// Load config from `~/.config/audex/config.toml`. Returns default if file doesn't exist.
    pub fn load() -> Result<Self> {
        let path = Self::path();
        if !path.exists() {
            return Ok(Self::default());
        }

        // R6-M61: warn if the config file is world-readable. The file can
        // contain api_key, client_secret, and other credential material
        // that must not be exposed to other users on the machine.
        #[cfg(unix)]
        {
            use std::os::unix::fs::MetadataExt;
            if let Ok(meta) = std::fs::metadata(&path) {
                let mode = meta.mode();
                if mode & 0o077 != 0 {
                    tracing::warn!(
                        path = %path.display(),
                        mode = format!("{:o}", mode & 0o777),
                        "Config file is accessible by group/other — it may contain secrets. \
                         Run: chmod 600 {}",
                        path.display()
                    );
                }
            }
        }

        let contents = std::fs::read_to_string(&path)?;
        let config: Self = toml::from_str(&contents).map_err(|e| {
            AvError::InvalidPolicy(format!("Invalid config at {}: {}", path.display(), e))
        })?;
        config.validate()?;
        Ok(config)
    }

    /// R6-M62/M63/M64: eagerly validate config values at load time so
    /// misconfigurations surface immediately rather than at first use
    /// (which may be minutes into a session, after authentication).
    fn validate(&self) -> Result<()> {
        // R6-M62: validate TTL string format.
        if let Some(ref ttl) = self.ttl {
            validate_ttl(ttl)?;
        }

        // R6-M63: reject NaN / Infinity budgets.
        if let Some(budget) = self.budget {
            if budget.is_nan() || budget.is_infinite() {
                return Err(AvError::InvalidPolicy(
                    "Config budget must be a finite number".to_string(),
                ));
            }
            if budget < 0.0 {
                return Err(AvError::InvalidPolicy(
                    "Config budget must not be negative".to_string(),
                ));
            }
        }

        // R6-M64: validate sub-configs eagerly.
        if let Some(ref ha) = self.ha {
            ha.leader.validate()?;
        }

        Ok(())
    }

    /// Get a profile by name. Checks community:// prefix, then user config, then built-in profiles.
    pub fn resolve_profile(&self, name: &str) -> Result<Profile> {
        // Community policy library: `community://nextjs-vercel-deploy`
        if name.starts_with("community://") {
            return crate::community::resolve(name);
        }
        // Team policy library: `team://deploy-lambda`
        if name.starts_with("team://") {
            return crate::team::resolve_cached(name);
        }
        if let Some(p) = self.profiles.get(name) {
            return Ok(p.clone());
        }
        if let Some(p) = builtin_profiles().get(name) {
            return Ok(p.clone());
        }
        // Also check community policies without prefix
        if let Ok(p) = crate::community::resolve(name) {
            return Ok(p);
        }
        let mut available: Vec<String> = self.profiles.keys().cloned().collect();
        available.extend(builtin_profiles().keys().cloned());
        available.sort();
        Err(AvError::InvalidPolicy(format!(
            "Unknown profile '{}'. Available: {} (also try community:// policies)",
            name,
            available.join(", ")
        )))
    }

    /// List all available profiles (user + built-in).
    pub fn all_profiles(&self) -> Vec<(String, Profile)> {
        let mut all: HashMap<String, Profile> = builtin_profiles();
        // User profiles override built-ins
        all.extend(self.profiles.clone());
        let mut sorted: Vec<(String, Profile)> = all.into_iter().collect();
        sorted.sort_by(|a, b| a.0.cmp(&b.0));
        sorted
    }

    /// Config file path: `~/.config/audex/config.toml`
    pub fn path() -> PathBuf {
        dirs::config_dir()
            .unwrap_or_else(|| PathBuf::from("."))
            .join("audex")
            .join("config.toml")
    }
}

/// R6-M62: validate that a TTL string is a positive duration in a
/// sensible range. Accepts `<number><unit>` where unit is s/m/h.
/// Rejects negative, zero, and excessively long durations (>12 h)
/// since AWS STS caps role sessions at 12 hours.
fn validate_ttl(ttl: &str) -> Result<()> {
    let ttl = ttl.trim();
    if ttl.is_empty() {
        return Err(AvError::InvalidPolicy("TTL must not be empty".to_string()));
    }
    let (num_str, unit) = if let Some(s) = ttl.strip_suffix('s') {
        (s, 's')
    } else if let Some(s) = ttl.strip_suffix('m') {
        (s, 'm')
    } else if let Some(s) = ttl.strip_suffix('h') {
        (s, 'h')
    } else {
        return Err(AvError::InvalidPolicy(format!(
            "TTL '{}' must end with s, m, or h",
            ttl
        )));
    };
    let num: u64 = num_str
        .parse()
        .map_err(|_| AvError::InvalidPolicy(format!("TTL '{}' has invalid numeric part", ttl)))?;
    if num == 0 {
        return Err(AvError::InvalidPolicy(
            "TTL must be greater than zero".to_string(),
        ));
    }
    let secs = match unit {
        's' => num,
        'm' => num.saturating_mul(60),
        'h' => num.saturating_mul(3600),
        _ => unreachable!(),
    };
    const MAX_TTL_SECS: u64 = 12 * 3600; // 12 hours — STS ceiling
    if secs > MAX_TTL_SECS {
        return Err(AvError::InvalidPolicy(format!(
            "TTL '{}' exceeds maximum of 12h ({}s > {}s)",
            ttl, secs, MAX_TTL_SECS
        )));
    }
    Ok(())
}

fn p(allow: &str, desc: &str) -> Profile {
    Profile {
        allow: allow.to_string(),
        resource: None,
        description: Some(desc.to_string()),
    }
}

/// Built-in policy profiles that ship with Audex.
pub fn builtin_profiles() -> HashMap<String, Profile> {
    HashMap::from([
        ("s3-readonly".into(), p(
            "s3:GetObject,s3:ListBucket,s3:GetBucketLocation,s3:ListAllMyBuckets",
            "Read-only S3 access",
        )),
        ("s3-readwrite".into(), p(
            "s3:GetObject,s3:PutObject,s3:DeleteObject,s3:ListBucket,s3:GetBucketLocation,s3:ListAllMyBuckets",
            "Read/write S3 access",
        )),
        ("lambda-deploy".into(), p(
            "lambda:UpdateFunctionCode,lambda:UpdateFunctionConfiguration,lambda:GetFunction,lambda:ListFunctions",
            "Deploy and manage Lambda functions",
        )),
        ("dynamodb-query".into(), p(
            "dynamodb:GetItem,dynamodb:Query,dynamodb:Scan,dynamodb:BatchGetItem,dynamodb:DescribeTable,dynamodb:ListTables",
            "Read-only DynamoDB access",
        )),
        ("dynamodb-readwrite".into(), p(
            "dynamodb:GetItem,dynamodb:PutItem,dynamodb:UpdateItem,dynamodb:DeleteItem,dynamodb:Query,dynamodb:Scan,dynamodb:BatchGetItem,dynamodb:BatchWriteItem,dynamodb:DescribeTable,dynamodb:ListTables",
            "Read/write DynamoDB access",
        )),
        ("ec2-readonly".into(), p(
            "ec2:DescribeInstances,ec2:DescribeSecurityGroups,ec2:DescribeSubnets,ec2:DescribeVpcs,ec2:DescribeImages",
            "Read-only EC2 access",
        )),
        ("cloudwatch-logs".into(), p(
            "logs:GetLogEvents,logs:DescribeLogGroups,logs:DescribeLogStreams,logs:FilterLogEvents",
            "Read CloudWatch Logs",
        )),
        ("ssm-readonly".into(), p(
            "ssm:GetParameter,ssm:GetParameters,ssm:GetParametersByPath,ssm:DescribeParameters",
            "Read SSM Parameter Store",
        )),
        ("sqs-readwrite".into(), p(
            "sqs:SendMessage,sqs:ReceiveMessage,sqs:DeleteMessage,sqs:GetQueueAttributes,sqs:ListQueues",
            "Read/write SQS access",
        )),
        ("sns-publish".into(), p(
            "sns:Publish,sns:ListTopics,sns:GetTopicAttributes",
            "Publish to SNS topics",
        )),
        ("ecr-push".into(), p(
            "ecr:GetAuthorizationToken,ecr:BatchCheckLayerAvailability,ecr:GetDownloadUrlForLayer,ecr:BatchGetImage,ecr:PutImage,ecr:InitiateLayerUpload,ecr:UploadLayerPart,ecr:CompleteLayerUpload,ecr:DescribeRepositories,ecr:CreateRepository",
            "Push Docker images to ECR",
        )),
        ("ecr-pull".into(), p(
            "ecr:GetAuthorizationToken,ecr:BatchCheckLayerAvailability,ecr:GetDownloadUrlForLayer,ecr:BatchGetImage,ecr:DescribeRepositories",
            "Pull Docker images from ECR",
        )),
        ("terraform-plan".into(), p(
            "sts:GetCallerIdentity,s3:GetObject,s3:ListBucket,s3:GetBucketLocation,dynamodb:GetItem,dynamodb:PutItem,ec2:Describe*,iam:GetRole,iam:GetPolicy,iam:GetPolicyVersion,iam:ListRolePolicies,iam:ListAttachedRolePolicies,lambda:GetFunction,lambda:ListFunctions,logs:DescribeLogGroups,cloudformation:DescribeStacks,cloudformation:ListStacks",
            "Terraform plan (read-only state + describe resources)",
        )),
        ("terraform-apply".into(), p(
            "sts:GetCallerIdentity,s3:GetObject,s3:PutObject,s3:ListBucket,s3:GetBucketLocation,dynamodb:GetItem,dynamodb:PutItem,ec2:*,iam:GetRole,iam:GetPolicy,iam:GetPolicyVersion,iam:CreateRole,iam:DeleteRole,iam:AttachRolePolicy,iam:DetachRolePolicy,iam:PassRole,iam:ListRolePolicies,iam:ListAttachedRolePolicies,iam:PutRolePolicy,iam:DeleteRolePolicy,lambda:*,logs:*,cloudformation:*,apigateway:*",
            "Terraform apply (full infrastructure management)",
        )),
        // GCP profiles
        ("gcs-readonly".into(), p(
            "storage.objects.get,storage.objects.list,storage.buckets.get,storage.buckets.list",
            "Read-only Google Cloud Storage access",
        )),
        ("gcs-readwrite".into(), p(
            "storage.objects.get,storage.objects.list,storage.objects.create,storage.objects.delete,storage.buckets.get,storage.buckets.list",
            "Read/write Google Cloud Storage access",
        )),
        ("gce-readonly".into(), p(
            "compute.instances.get,compute.instances.list,compute.zones.list,compute.regions.list",
            "Read-only Compute Engine access",
        )),
        ("gcf-deploy".into(), p(
            "cloudfunctions.functions.get,cloudfunctions.functions.list,cloudfunctions.functions.update,cloudfunctions.functions.create",
            "Deploy Google Cloud Functions",
        )),
        ("bigquery-readonly".into(), p(
            "bigquery.jobs.create,bigquery.tables.getData,bigquery.tables.list,bigquery.datasets.get",
            "Read-only BigQuery access",
        )),
        // Azure profiles
        ("azure-storage-readonly".into(), p(
            "Microsoft.Storage/storageAccounts/read,Microsoft.Storage/storageAccounts/listKeys/action,Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Read-only Azure Storage access",
        )),
        ("azure-storage-readwrite".into(), p(
            "Microsoft.Storage/storageAccounts/read,Microsoft.Storage/storageAccounts/write,Microsoft.Storage/storageAccounts/listKeys/action,Microsoft.Storage/storageAccounts/blobServices/containers/read,Microsoft.Storage/storageAccounts/blobServices/containers/write",
            "Read/write Azure Storage access",
        )),
        ("azure-compute-readonly".into(), p(
            "Microsoft.Compute/virtualMachines/read,Microsoft.Compute/virtualMachines/instanceView/read,Microsoft.Network/networkInterfaces/read,Microsoft.Network/publicIPAddresses/read",
            "Read-only Azure Compute access",
        )),
        ("azure-keyvault-readonly".into(), p(
            "Microsoft.KeyVault/vaults/read,Microsoft.KeyVault/vaults/secrets/read",
            "Read-only Azure Key Vault access",
        )),
        ("azure-functions-deploy".into(), p(
            "Microsoft.Web/sites/read,Microsoft.Web/sites/write,Microsoft.Web/sites/functions/read,Microsoft.Web/sites/functions/write,Microsoft.Web/sites/restart/action",
            "Deploy Azure Functions",
        )),
        ("azure-aks-readonly".into(), p(
            "Microsoft.ContainerService/managedClusters/read,Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
            "Read-only Azure Kubernetes Service access",
        )),
    ])
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_builtin_profile_resolve() {
        let config = Config::default();
        let profile = config.resolve_profile("s3-readonly").unwrap();
        assert!(profile.allow.contains("s3:GetObject"));
        assert!(profile.allow.contains("s3:ListBucket"));
    }

    #[test]
    fn test_unknown_profile_error() {
        let config = Config::default();
        assert!(config.resolve_profile("nonexistent").is_err());
    }

    #[test]
    fn test_user_profile_overrides_builtin() {
        let mut config = Config::default();
        config.profiles.insert(
            "s3-readonly".into(),
            Profile {
                allow: "s3:GetObject".to_string(),
                resource: Some("arn:aws:s3:::my-bucket/*".to_string()),
                description: Some("Custom s3 readonly".to_string()),
            },
        );
        let profile = config.resolve_profile("s3-readonly").unwrap();
        // Should get user's version, not built-in
        assert_eq!(profile.allow, "s3:GetObject");
        assert!(profile.resource.is_some());
    }

    #[test]
    fn test_all_profiles_includes_builtins() {
        let config = Config::default();
        let all = config.all_profiles();
        assert!(all.len() >= 10);
        assert!(all.iter().any(|(name, _)| name == "s3-readonly"));
        assert!(all.iter().any(|(name, _)| name == "lambda-deploy"));
    }

    #[test]
    fn test_config_toml_with_profiles() {
        let toml_str = r#"
role_arn = "arn:aws:iam::123456789012:role/MyRole"
ttl = "30m"

[profiles.my-custom]
allow = "s3:GetObject,s3:PutObject"
resource = "arn:aws:s3:::my-bucket/*"
description = "Custom profile"
"#;
        let config: Config = toml::from_str(toml_str).unwrap();
        assert_eq!(
            config.role_arn.unwrap(),
            "arn:aws:iam::123456789012:role/MyRole"
        );
        assert_eq!(config.ttl.unwrap(), "30m");
        let profile = config.profiles.get("my-custom").unwrap();
        assert!(profile.allow.contains("s3:GetObject"));
        assert!(profile.resource.is_some());
    }

    #[test]
    fn test_validate_ttl_valid() {
        assert!(validate_ttl("15m").is_ok());
        assert!(validate_ttl("900s").is_ok());
        assert!(validate_ttl("1h").is_ok());
        assert!(validate_ttl("12h").is_ok());
    }

    #[test]
    fn test_validate_ttl_rejects_bad_values() {
        // R6-M62
        assert!(validate_ttl("").is_err());
        assert!(validate_ttl("0m").is_err());
        assert!(validate_ttl("13h").is_err());
        assert!(validate_ttl("99999h").is_err());
        assert!(validate_ttl("abc").is_err());
        assert!(validate_ttl("-5m").is_err());
        assert!(validate_ttl("15").is_err());
    }

    #[test]
    fn test_validate_budget_rejects_nan() {
        // R6-M63
        let mut config = Config::default();
        config.budget = Some(f64::NAN);
        assert!(config.validate().is_err());

        config.budget = Some(f64::INFINITY);
        assert!(config.validate().is_err());

        config.budget = Some(-1.0);
        assert!(config.validate().is_err());

        config.budget = Some(10.0);
        assert!(config.validate().is_ok());

        config.budget = None;
        assert!(config.validate().is_ok());
    }
}