tryaudex_core/

dbaudit.rs

use serde::{Deserialize, Serialize};

use crate::audit::{AuditEntry, AuditEvent};
use crate::error::{AvError, Result};
use crate::session::Session;

/// Database audit backend type.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
#[serde(rename_all = "lowercase")]
pub enum DbBackend {
    Sqlite,
    Postgres,
}

impl std::fmt::Display for DbBackend {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::Sqlite => write!(f, "sqlite"),
            Self::Postgres => write!(f, "postgres"),
        }
    }
}

/// Configuration for the database audit backend.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct DbAuditConfig {
    /// Backend type: "sqlite" or "postgres"
    pub backend: DbBackend,
    /// Connection string.
    /// - SQLite: file path (e.g. "~/.local/share/audex/audit.db") or ":memory:"
    /// - Postgres: connection URI (e.g. "postgres://user:pass@localhost/audex")
    ///
    /// The env var `AUDEX_DB_CONNECTION` takes precedence if set, avoiding
    /// plaintext passwords in the config file.
    pub connection: String,
    /// Maximum number of connections in the pool (postgres only, default: 5)
    #[serde(default = "default_max_connections")]
    pub max_connections: u32,
    /// Enable WAL mode for SQLite (default: true)
    #[serde(default = "default_wal_mode")]
    pub wal_mode: bool,
    /// Retention period in days (0 = keep forever, default: 0)
    #[serde(default)]
    pub retention_days: u32,
}

fn default_max_connections() -> u32 {
    5
}

fn default_wal_mode() -> bool {
    true
}

impl Default for DbAuditConfig {
    fn default() -> Self {
        let path = dirs::data_local_dir()
            .unwrap_or_else(|| std::path::PathBuf::from("."))
            .join("audex")
            .join("audit.db");
        Self {
            backend: DbBackend::Sqlite,
            connection: path.to_string_lossy().to_string(),
            max_connections: default_max_connections(),
            wal_mode: default_wal_mode(),
            retention_days: 0,
        }
    }
}

impl DbAuditConfig {
    /// Return the effective connection string, preferring `AUDEX_DB_CONNECTION`
    /// env var over the config-file value so passwords need not be stored in
    /// plaintext on disk.
    pub fn resolve_connection(&self) -> String {
        std::env::var("AUDEX_DB_CONNECTION").unwrap_or_else(|_| self.connection.clone())
    }
}

/// SQL schema for audit tables.
pub const SQLITE_SCHEMA: &str = r#"
CREATE TABLE IF NOT EXISTS audit_entries (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    timestamp TEXT NOT NULL,
    session_id TEXT NOT NULL,
    provider TEXT NOT NULL DEFAULT 'aws',
    event_type TEXT NOT NULL,
    event_data TEXT NOT NULL,
    created_at TEXT NOT NULL DEFAULT (datetime('now'))
);

CREATE INDEX IF NOT EXISTS idx_audit_session_id ON audit_entries(session_id);
CREATE INDEX IF NOT EXISTS idx_audit_timestamp ON audit_entries(timestamp);
CREATE INDEX IF NOT EXISTS idx_audit_provider ON audit_entries(provider);
CREATE INDEX IF NOT EXISTS idx_audit_event_type ON audit_entries(event_type);
"#;

pub const POSTGRES_SCHEMA: &str = r#"
CREATE TABLE IF NOT EXISTS audit_entries (
    id BIGSERIAL PRIMARY KEY,
    timestamp TIMESTAMPTZ NOT NULL,
    session_id TEXT NOT NULL,
    provider TEXT NOT NULL DEFAULT 'aws',
    event_type TEXT NOT NULL,
    event_data JSONB NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

CREATE INDEX IF NOT EXISTS idx_audit_session_id ON audit_entries(session_id);
CREATE INDEX IF NOT EXISTS idx_audit_timestamp ON audit_entries(timestamp);
CREATE INDEX IF NOT EXISTS idx_audit_provider ON audit_entries(provider);
CREATE INDEX IF NOT EXISTS idx_audit_event_type ON audit_entries(event_type);
"#;

/// Extract event type string from an AuditEvent.
pub fn event_type_str(event: &AuditEvent) -> &'static str {
    match event {
        AuditEvent::SessionCreated { .. } => "session_created",
        AuditEvent::CredentialsIssued { .. } => "credentials_issued",
        AuditEvent::SessionEnded { .. } => "session_ended",
        AuditEvent::BudgetWarning { .. } => "budget_warning",
        AuditEvent::BudgetExceeded { .. } => "budget_exceeded",
        AuditEvent::ResourceCreated { .. } => "resource_created",
        AuditEvent::PolicyAdvisoryOnly { .. } => "policy_advisory_only",
    }
}

/// SQL statements for common operations.
pub struct SqlStatements;

impl SqlStatements {
    /// Insert an audit entry.
    pub fn insert(backend: &DbBackend) -> &'static str {
        match backend {
            DbBackend::Sqlite => {
                "INSERT INTO audit_entries (timestamp, session_id, provider, event_type, event_data) VALUES (?, ?, ?, ?, ?)"
            }
            DbBackend::Postgres => {
                "INSERT INTO audit_entries (timestamp, session_id, provider, event_type, event_data) VALUES ($1, $2, $3, $4, $5::jsonb)"
            }
        }
    }

    /// Query entries by session ID.
    pub fn by_session(backend: &DbBackend) -> &'static str {
        match backend {
            DbBackend::Sqlite => {
                "SELECT timestamp, session_id, provider, event_type, event_data FROM audit_entries WHERE session_id = ? ORDER BY timestamp ASC"
            }
            DbBackend::Postgres => {
                "SELECT timestamp, session_id, provider, event_type, event_data FROM audit_entries WHERE session_id = $1 ORDER BY timestamp ASC"
            }
        }
    }

    /// Query recent entries with optional limit.
    pub fn recent(backend: &DbBackend) -> &'static str {
        match backend {
            DbBackend::Sqlite => {
                "SELECT timestamp, session_id, provider, event_type, event_data FROM audit_entries ORDER BY timestamp DESC LIMIT ?"
            }
            DbBackend::Postgres => {
                "SELECT timestamp, session_id, provider, event_type, event_data FROM audit_entries ORDER BY timestamp DESC LIMIT $1"
            }
        }
    }

    /// Query entries by provider.
    pub fn by_provider(backend: &DbBackend) -> &'static str {
        match backend {
            DbBackend::Sqlite => {
                "SELECT timestamp, session_id, provider, event_type, event_data FROM audit_entries WHERE provider = ? ORDER BY timestamp DESC LIMIT ?"
            }
            DbBackend::Postgres => {
                "SELECT timestamp, session_id, provider, event_type, event_data FROM audit_entries WHERE provider = $1 ORDER BY timestamp DESC LIMIT $2"
            }
        }
    }

    /// Count entries.
    pub fn count(backend: &DbBackend) -> &'static str {
        match backend {
            DbBackend::Sqlite => "SELECT COUNT(*) FROM audit_entries",
            DbBackend::Postgres => "SELECT COUNT(*) FROM audit_entries",
        }
    }

    /// Count entries by event type.
    pub fn count_by_type(backend: &DbBackend) -> &'static str {
        match backend {
            DbBackend::Sqlite => {
                "SELECT event_type, COUNT(*) as count FROM audit_entries GROUP BY event_type ORDER BY count DESC"
            }
            DbBackend::Postgres => {
                "SELECT event_type, COUNT(*) as count FROM audit_entries GROUP BY event_type ORDER BY count DESC"
            }
        }
    }

    /// Delete entries older than N days.
    pub fn prune(backend: &DbBackend) -> &'static str {
        match backend {
            DbBackend::Sqlite => {
                "DELETE FROM audit_entries WHERE timestamp < datetime('now', '-' || ? || ' days')"
            }
            DbBackend::Postgres => {
                "DELETE FROM audit_entries WHERE timestamp < NOW() - ($1 || ' days')::INTERVAL"
            }
        }
    }

    /// Search event data with text matching.
    pub fn search(backend: &DbBackend) -> &'static str {
        match backend {
            DbBackend::Sqlite => {
                "SELECT timestamp, session_id, provider, event_type, event_data FROM audit_entries WHERE event_data LIKE ? ORDER BY timestamp DESC LIMIT ?"
            }
            DbBackend::Postgres => {
                "SELECT timestamp, session_id, provider, event_type, event_data FROM audit_entries WHERE event_data::text ILIKE $1 ORDER BY timestamp DESC LIMIT $2"
            }
        }
    }
}

/// Convert an AuditEntry to database row values.
pub fn entry_to_row(entry: &AuditEntry) -> Result<DbRow> {
    let event_data = serde_json::to_string(&entry.event)
        .map_err(|e| AvError::Sts(format!("Failed to serialize event: {}", e)))?;

    // Redact secrets before storing
    let event_data = crate::leakdetect::redact_secrets(&event_data);

    Ok(DbRow {
        timestamp: entry.timestamp.to_rfc3339(),
        session_id: entry.session_id.clone(),
        provider: entry.provider.clone(),
        event_type: event_type_str(&entry.event).to_string(),
        event_data,
    })
}

/// Convert a Session to an AuditEntry for session_created events.
pub fn session_created_entry(session: &Session) -> AuditEntry {
    use crate::session::CloudProvider;

    let allowed_actions: Vec<String> = match session.provider {
        CloudProvider::Gcp => session
            .policy
            .actions
            .iter()
            .map(|a| a.to_gcp_permission())
            .collect(),
        CloudProvider::Azure => session
            .policy
            .actions
            .iter()
            .map(|a| a.to_azure_permission())
            .collect(),
        CloudProvider::Aws => session
            .policy
            .actions
            .iter()
            .map(|a| a.to_iam_action())
            .collect(),
    };

    AuditEntry {
        timestamp: chrono::Utc::now(),
        session_id: session.id.clone(),
        provider: session.provider.to_string(),
        event: AuditEvent::SessionCreated {
            role_arn: session.role_arn.clone(),
            ttl_seconds: session.ttl_seconds,
            budget: session.budget,
            allowed_actions,
            command: session.command.clone(),
            agent_id: session.agent_id.clone(),
        },
    }
}

/// Database row representation.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct DbRow {
    pub timestamp: String,
    pub session_id: String,
    pub provider: String,
    pub event_type: String,
    pub event_data: String,
}

impl DbRow {
    /// Convert back to an AuditEntry.
    pub fn to_entry(&self) -> Result<AuditEntry> {
        let timestamp = chrono::DateTime::parse_from_rfc3339(&self.timestamp)
            .map(|dt| dt.with_timezone(&chrono::Utc))
            .map_err(|e| AvError::Sts(format!("Invalid timestamp: {}", e)))?;

        let event: AuditEvent = serde_json::from_str(&self.event_data)
            .map_err(|e| AvError::Sts(format!("Invalid event data: {}", e)))?;

        Ok(AuditEntry {
            timestamp,
            session_id: self.session_id.clone(),
            provider: self.provider.clone(),
            event,
        })
    }
}

/// Statistics about the audit database.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct DbAuditStats {
    pub total_entries: u64,
    pub entries_by_type: Vec<(String, u64)>,
    pub backend: String,
    pub connection: String,
}

/// Migration helper — import JSONL audit log into database.
pub fn parse_jsonl_for_import(content: &str) -> Vec<AuditEntry> {
    content
        .lines()
        .filter(|l| !l.trim().is_empty())
        .filter_map(|l| {
            let (json_content, _) = crate::integrity::parse_line(l);
            serde_json::from_str(json_content).ok()
        })
        .collect()
}

/// Escape a string for safe inclusion in a SQL literal.
///
/// Doubles single quotes (standard SQL) and escapes backslashes for
/// PostgreSQL configurations with `standard_conforming_strings = off`.
fn sql_escape(s: &str) -> String {
    s.replace('\\', "\\\\").replace('\'', "''")
}

/// Generate a migration script to import existing JSONL data.
pub fn generate_import_sql(entries: &[AuditEntry], backend: &DbBackend) -> Result<String> {
    let mut sql = String::new();

    match backend {
        DbBackend::Sqlite => {
            sql.push_str("BEGIN TRANSACTION;\n");
        }
        DbBackend::Postgres => {
            sql.push_str("BEGIN;\n");
        }
    }

    for entry in entries {
        let row = entry_to_row(entry)?;
        sql.push_str(&format!(
            "INSERT INTO audit_entries (timestamp, session_id, provider, event_type, event_data) VALUES ('{}', '{}', '{}', '{}', '{}');\n",
            sql_escape(&row.timestamp),
            sql_escape(&row.session_id),
            sql_escape(&row.provider),
            sql_escape(&row.event_type),
            sql_escape(&row.event_data),
        ));
    }

    sql.push_str("COMMIT;\n");
    Ok(sql)
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::audit::AuditEvent;

    #[test]
    fn test_config_default() {
        let config = DbAuditConfig::default();
        assert_eq!(config.backend, DbBackend::Sqlite);
        assert!(config.connection.contains("audit.db"));
        assert_eq!(config.max_connections, 5);
        assert!(config.wal_mode);
    }

    #[test]
    fn test_config_deserialize_sqlite() {
        let toml_str = r#"
backend = "sqlite"
connection = "/data/audex/audit.db"
wal_mode = true
retention_days = 90
"#;
        let config: DbAuditConfig = toml::from_str(toml_str).unwrap();
        assert_eq!(config.backend, DbBackend::Sqlite);
        assert_eq!(config.connection, "/data/audex/audit.db");
        assert_eq!(config.retention_days, 90);
    }

    #[test]
    fn test_config_deserialize_postgres() {
        let toml_str = r#"
backend = "postgres"
connection = "postgres://audex:password@db.internal:5432/audex"
max_connections = 10
"#;
        let config: DbAuditConfig = toml::from_str(toml_str).unwrap();
        assert_eq!(config.backend, DbBackend::Postgres);
        assert_eq!(config.max_connections, 10);
    }

    #[test]
    fn test_event_type_str() {
        assert_eq!(
            event_type_str(&AuditEvent::SessionCreated {
                role_arn: "arn".into(),
                ttl_seconds: 900,
                budget: None,
                allowed_actions: vec![],
                command: vec![],
                agent_id: None,
            }),
            "session_created"
        );
        assert_eq!(
            event_type_str(&AuditEvent::SessionEnded {
                status: "ok".into(),
                duration_seconds: 60,
                exit_code: Some(0),
            }),
            "session_ended"
        );
        assert_eq!(
            event_type_str(&AuditEvent::BudgetWarning {
                current_spend: 1.0,
                limit: 5.0,
            }),
            "budget_warning"
        );
    }

    #[test]
    fn test_entry_to_row() {
        let entry = AuditEntry {
            timestamp: chrono::Utc::now(),
            session_id: "test-123".to_string(),
            provider: "aws".to_string(),
            event: AuditEvent::SessionCreated {
                role_arn: "arn:aws:iam::123:role/Test".to_string(),
                ttl_seconds: 900,
                budget: Some(5.0),
                allowed_actions: vec!["s3:GetObject".to_string()],
                command: vec!["aws".to_string(), "s3".to_string(), "ls".to_string()],
                agent_id: Some("claude".to_string()),
            },
        };
        let row = entry_to_row(&entry).unwrap();
        assert_eq!(row.session_id, "test-123");
        assert_eq!(row.provider, "aws");
        assert_eq!(row.event_type, "session_created");
        assert!(row.event_data.contains("s3:GetObject"));
    }

    #[test]
    fn test_row_roundtrip() {
        let entry = AuditEntry {
            timestamp: chrono::Utc::now(),
            session_id: "rt-456".to_string(),
            provider: "gcp".to_string(),
            event: AuditEvent::SessionEnded {
                status: "completed".to_string(),
                duration_seconds: 120,
                exit_code: Some(0),
            },
        };
        let row = entry_to_row(&entry).unwrap();
        let restored = row.to_entry().unwrap();
        assert_eq!(restored.session_id, "rt-456");
        assert_eq!(restored.provider, "gcp");
    }

    #[test]
    fn test_sql_statements_sqlite() {
        let b = DbBackend::Sqlite;
        assert!(SqlStatements::insert(&b).contains("?"));
        assert!(SqlStatements::by_session(&b).contains("session_id = ?"));
        assert!(SqlStatements::recent(&b).contains("LIMIT ?"));
        assert!(SqlStatements::prune(&b).contains("datetime"));
    }

    #[test]
    fn test_sql_statements_postgres() {
        let b = DbBackend::Postgres;
        assert!(SqlStatements::insert(&b).contains("$1"));
        assert!(SqlStatements::by_session(&b).contains("session_id = $1"));
        assert!(SqlStatements::recent(&b).contains("LIMIT $1"));
        assert!(SqlStatements::prune(&b).contains("INTERVAL"));
    }

    #[test]
    fn test_parse_jsonl_for_import() {
        let jsonl = r#"{"timestamp":"2026-01-01T00:00:00Z","session_id":"s1","provider":"aws","event":{"type":"session_ended","status":"ok","duration_seconds":60,"exit_code":0}}"#;
        let entries = parse_jsonl_for_import(jsonl);
        assert_eq!(entries.len(), 1);
        assert_eq!(entries[0].session_id, "s1");
    }

    #[test]
    fn test_generate_import_sql_sqlite() {
        let entries = vec![AuditEntry {
            timestamp: chrono::DateTime::parse_from_rfc3339("2026-01-01T00:00:00Z")
                .unwrap()
                .with_timezone(&chrono::Utc),
            session_id: "s1".to_string(),
            provider: "aws".to_string(),
            event: AuditEvent::SessionEnded {
                status: "ok".to_string(),
                duration_seconds: 60,
                exit_code: Some(0),
            },
        }];
        let sql = generate_import_sql(&entries, &DbBackend::Sqlite).unwrap();
        assert!(sql.contains("BEGIN TRANSACTION"));
        assert!(sql.contains("INSERT INTO audit_entries"));
        assert!(sql.contains("COMMIT"));
    }

    #[test]
    fn test_generate_import_sql_postgres() {
        let entries = vec![AuditEntry {
            timestamp: chrono::DateTime::parse_from_rfc3339("2026-01-01T00:00:00Z")
                .unwrap()
                .with_timezone(&chrono::Utc),
            session_id: "s2".to_string(),
            provider: "gcp".to_string(),
            event: AuditEvent::CredentialsIssued {
                access_key_id: "AKID".to_string(),
                expires_at: chrono::DateTime::parse_from_rfc3339("2026-01-01T00:15:00Z")
                    .unwrap()
                    .with_timezone(&chrono::Utc),
            },
        }];
        let sql = generate_import_sql(&entries, &DbBackend::Postgres).unwrap();
        assert!(sql.contains("BEGIN;"));
        assert!(sql.contains("COMMIT;"));
    }

    #[test]
    fn test_db_backend_display() {
        assert_eq!(DbBackend::Sqlite.to_string(), "sqlite");
        assert_eq!(DbBackend::Postgres.to_string(), "postgres");
    }

    #[test]
    fn test_db_audit_stats_serialization() {
        let stats = DbAuditStats {
            total_entries: 1000,
            entries_by_type: vec![
                ("session_created".to_string(), 400),
                ("credentials_issued".to_string(), 400),
                ("session_ended".to_string(), 200),
            ],
            backend: "sqlite".to_string(),
            connection: "/data/audit.db".to_string(),
        };
        let json = serde_json::to_string(&stats).unwrap();
        assert!(json.contains("1000"));
        assert!(json.contains("session_created"));
    }

    #[test]
    fn test_sql_escape_prevents_injection() {
        assert_eq!(sql_escape("normal"), "normal");
        assert_eq!(sql_escape("it's"), "it''s");
        assert_eq!(
            sql_escape("'); DROP TABLE audit_entries; --"),
            "''); DROP TABLE audit_entries; --"
        );
    }

    #[test]
    fn test_generate_import_sql_escapes_all_fields() {
        let entries = vec![AuditEntry {
            timestamp: chrono::DateTime::parse_from_rfc3339("2026-01-01T00:00:00Z")
                .unwrap()
                .with_timezone(&chrono::Utc),
            session_id: "it's-a-trap".to_string(),
            provider: "aw's".to_string(),
            event: AuditEvent::SessionEnded {
                status: "ok".to_string(),
                duration_seconds: 60,
                exit_code: Some(0),
            },
        }];
        let sql = generate_import_sql(&entries, &DbBackend::Sqlite).unwrap();
        // Single quotes in session_id and provider must be doubled
        assert!(sql.contains("it''s-a-trap"));
        assert!(sql.contains("aw''s"));
        // Must not contain unescaped injection
        assert!(!sql.contains("it's-a-trap',"));
    }
}