tryaudex_core/

drift.rs

use std::collections::HashSet;

use crate::policy::{ActionPattern, ScopedPolicy};
use crate::session::CloudProvider;

/// Result of comparing granted permissions against detected usage.
#[derive(Debug, Clone)]
pub struct DriftReport {
    /// Actions that were granted by the policy.
    pub granted: Vec<String>,
    /// Actions that were detected as actually used.
    pub used: Vec<String>,
    /// Actions granted but never detected as used (over-provisioned).
    pub unused: Vec<String>,
    /// Whether the policy appears over-provisioned.
    pub over_provisioned: bool,
    /// Suggested tighter policy string (for `--allow`).
    pub suggestion: Option<String>,
}

/// Analyze drift between granted policy and detected usage.
/// Uses provider-appropriate action format for comparison.
pub fn analyze(
    policy: &ScopedPolicy,
    used_actions: &[String],
    provider: CloudProvider,
) -> DriftReport {
    let granted: Vec<String> = policy
        .actions
        .iter()
        .map(|a| match provider {
            CloudProvider::Gcp => a.to_gcp_permission(),
            CloudProvider::Azure => a.to_azure_permission(),
            CloudProvider::Aws => a.to_iam_action(),
        })
        .collect();

    // R6-M5: `ActionPattern::parse` is AWS-specific (`service:action` with
    // a single colon delimiter). Calling it on GCP permissions like
    // `storage.objects.get` or Azure actions like
    // `Microsoft.Storage/storageAccounts/read` fails, so the old code
    // flagged every GCP/Azure granted permission as "unused" and drift
    // detection was silently broken for non-AWS. Branch on provider and
    // do a format-appropriate wildcard/exact comparison for the other
    // two clouds.
    let unused: Vec<String> = granted
        .iter()
        .filter(|g| match provider {
            CloudProvider::Aws => {
                if let Ok(pattern) = ActionPattern::parse(g) {
                    !used_actions.iter().any(|u| {
                        if let Ok(used_pat) = ActionPattern::parse(u) {
                            pattern.matches(&used_pat)
                        } else {
                            false
                        }
                    })
                } else {
                    true
                }
            }
            CloudProvider::Gcp => !used_actions.iter().any(|u| gcp_matches(g, u)),
            CloudProvider::Azure => !used_actions.iter().any(|u| azure_matches(g, u)),
        })
        .cloned()
        .collect();

    let over_provisioned = !unused.is_empty() && !used_actions.is_empty();

    let suggestion = if over_provisioned && !used_actions.is_empty() {
        Some(used_actions.join(","))
    } else {
        None
    };

    DriftReport {
        granted,
        used: used_actions.to_vec(),
        unused,
        over_provisioned,
        suggestion,
    }
}

/// GCP permission wildcard/exact match. GCP permissions are `service.resource.verb`,
/// e.g. `storage.objects.get`. A trailing `*` (e.g. `storage.objects.*`) matches
/// any permission that starts with the prefix up to the last `.`.
fn gcp_matches(granted: &str, used: &str) -> bool {
    if granted == used {
        return true;
    }
    if let Some(prefix) = granted.strip_suffix(".*") {
        used.starts_with(prefix) && used[prefix.len()..].starts_with('.')
    } else if let Some(prefix) = granted.strip_suffix('*') {
        used.starts_with(prefix)
    } else {
        false
    }
}

/// Azure RBAC action wildcard/exact match. Azure actions use `/` separators
/// (e.g. `Microsoft.Storage/storageAccounts/read`) and support `*` as a
/// segment wildcard — a trailing `/*` matches any suffix segments.
fn azure_matches(granted: &str, used: &str) -> bool {
    if granted == used {
        return true;
    }
    if let Some(prefix) = granted.strip_suffix("/*") {
        used.starts_with(prefix) && used[prefix.len()..].starts_with('/')
    } else if let Some(prefix) = granted.strip_suffix('*') {
        used.starts_with(prefix)
    } else {
        false
    }
}

/// Detect which IAM actions were likely used by parsing the subprocess command
/// and its stderr output.
///
/// This uses heuristics — it can't catch every API call, but covers common
/// patterns from the AWS CLI, GCP gcloud, and verbose SDK output.
pub fn detect_used_actions(command: &[String], stderr: &str) -> Vec<String> {
    let mut actions = HashSet::new();

    // 1. Infer from the command itself
    if let Some(cmd_actions) = infer_from_command(command) {
        actions.extend(cmd_actions);
    }

    // 2. Parse stderr for AWS CLI/SDK debug output
    for line in stderr.lines() {
        // AWS CLI debug: "Making request for OperationModel(name=GetObject)"
        if let Some(pos) = line.find("OperationModel(name=") {
            let rest = &line[pos + 20..];
            if let Some(end) = rest.find(')') {
                let op = &rest[..end];
                if let Some(service) = guess_service_from_context(line) {
                    actions.insert(format!("{}:{}", service, op));
                }
            }
        }

        // AWS SDK: "Request: service/operation"
        if line.contains("Request:") || line.contains("request to") {
            if let Some(action) = parse_sdk_request_line(line) {
                actions.insert(action);
            }
        }

        // Pattern: "Calling service:Action" or "called service:Action"
        for prefix in &["Calling ", "called ", "invoking "] {
            if let Some(pos) = line.to_lowercase().find(prefix) {
                let rest = &line[pos + prefix.len()..];
                if let Some(action) = rest.split_whitespace().next() {
                    if action.contains(':') && action.len() > 3 {
                        let clean = action.trim_end_matches(|c: char| {
                            !c.is_alphanumeric() && c != ':' && c != '*'
                        });
                        actions.insert(clean.to_string());
                    }
                }
            }
        }
    }

    let mut result: Vec<String> = actions.into_iter().collect();
    result.sort();
    result
}

/// Infer IAM actions from the command line arguments.
fn infer_from_command(command: &[String]) -> Option<Vec<String>> {
    if command.is_empty() {
        return None;
    }

    let cmd = command[0].as_str();
    let args: Vec<&str> = command.iter().skip(1).map(|s| s.as_str()).collect();

    // AWS CLI commands
    if cmd == "aws" || cmd.ends_with("/aws") {
        return infer_aws_cli_actions(&args);
    }

    // gcloud CLI commands
    if cmd == "gcloud" || cmd.ends_with("/gcloud") {
        return infer_gcloud_cli_actions(&args);
    }

    // Terraform
    if (cmd == "terraform" || cmd.ends_with("/terraform")) && args.first() == Some(&"plan") {
        return Some(vec!["sts:GetCallerIdentity".into()]);
    }

    None
}

/// Map AWS CLI subcommands to IAM actions.
fn infer_aws_cli_actions(args: &[&str]) -> Option<Vec<String>> {
    if args.len() < 2 {
        return None;
    }

    let service = args[0];
    let operation = args[1];

    let strs: Vec<&str> = match (service, operation) {
        ("s3", "ls") => vec!["s3:ListBucket", "s3:ListAllMyBuckets"],
        ("s3", "cp") => {
            if args.iter().any(|a| a.starts_with("s3://")) {
                if args.len() > 3 && args[3].starts_with("s3://") {
                    vec!["s3:GetObject", "s3:PutObject"]
                } else if args.get(2).is_some_and(|a| a.starts_with("s3://")) {
                    vec!["s3:GetObject"]
                } else {
                    vec!["s3:PutObject"]
                }
            } else {
                vec!["s3:GetObject", "s3:PutObject"]
            }
        }
        ("s3", "rm") => vec!["s3:DeleteObject"],
        ("s3", "sync") => vec!["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        ("s3", "mb") => vec!["s3:CreateBucket"],
        ("s3api", op) => return Some(vec![format!("s3:{}", op)]),
        ("lambda", "invoke") => vec!["lambda:InvokeFunction"],
        ("lambda", "update-function-code") => vec!["lambda:UpdateFunctionCode"],
        ("lambda", "get-function") => vec!["lambda:GetFunction"],
        ("lambda", "list-functions") => vec!["lambda:ListFunctions"],
        ("dynamodb", "get-item") => vec!["dynamodb:GetItem"],
        ("dynamodb", "put-item") => vec!["dynamodb:PutItem"],
        ("dynamodb", "query") => vec!["dynamodb:Query"],
        ("dynamodb", "scan") => vec!["dynamodb:Scan"],
        ("ec2", "describe-instances") => vec!["ec2:DescribeInstances"],
        ("sts", "get-caller-identity") => vec!["sts:GetCallerIdentity"],
        _ => return None,
    };

    Some(strs.into_iter().map(|s| s.to_string()).collect())
}

/// Map gcloud CLI subcommands to GCP IAM permissions.
fn infer_gcloud_cli_actions(args: &[&str]) -> Option<Vec<String>> {
    if args.len() < 2 {
        return None;
    }

    let service = args[0];
    let operation = args[1];
    let sub_op = args.get(2).copied().unwrap_or("");

    let perms: Vec<&str> = match (service, operation, sub_op) {
        ("storage", "ls", _) => vec!["storage.objects.list", "storage.buckets.list"],
        ("storage", "cp", _) => vec!["storage.objects.get", "storage.objects.create"],
        ("storage", "rm", _) => vec!["storage.objects.delete"],
        ("storage", "cat", _) => vec!["storage.objects.get"],
        ("compute", "instances", "list") => vec!["compute.instances.list"],
        ("compute", "instances", "create") => vec!["compute.instances.create"],
        ("compute", "instances", "delete") => vec!["compute.instances.delete"],
        ("compute", "instances", "describe") => vec!["compute.instances.get"],
        ("functions", "deploy", _) => {
            vec![
                "cloudfunctions.functions.create",
                "cloudfunctions.functions.update",
            ]
        }
        ("functions", "list", _) => vec!["cloudfunctions.functions.list"],
        ("functions", "call", _) => vec!["cloudfunctions.functions.call"],
        ("run", "deploy", _) => vec!["run.services.create", "run.services.update"],
        ("run", "services", "list") => vec!["run.services.list"],
        ("pubsub", "topics", "publish") => vec!["pubsub.topics.publish"],
        ("pubsub", "topics", "list") => vec!["pubsub.topics.list"],
        _ => return None,
    };

    Some(perms.into_iter().map(|s| s.to_string()).collect())
}

/// Try to guess the AWS service from context in a log line.
fn guess_service_from_context(line: &str) -> Option<&'static str> {
    let lower = line.to_lowercase();
    if lower.contains("s3") {
        return Some("s3");
    }
    if lower.contains("lambda") {
        return Some("lambda");
    }
    if lower.contains("dynamodb") {
        return Some("dynamodb");
    }
    if lower.contains("ec2") {
        return Some("ec2");
    }
    if lower.contains("iam") {
        return Some("iam");
    }
    if lower.contains("sts") {
        return Some("sts");
    }
    if lower.contains("sqs") {
        return Some("sqs");
    }
    if lower.contains("sns") {
        return Some("sns");
    }
    if lower.contains("cloudwatch") || lower.contains("logs") {
        return Some("logs");
    }
    if lower.contains("cloudformation") {
        return Some("cloudformation");
    }
    None
}

/// Parse a line that looks like "Request: service/operation" or similar patterns.
fn parse_sdk_request_line(line: &str) -> Option<String> {
    // Pattern: "service/OperationName"
    for sep in &["Request: ", "request to "] {
        if let Some(pos) = line.find(sep) {
            let rest = &line[pos + sep.len()..];
            let token = rest.split_whitespace().next()?;
            if token.contains('/') {
                let parts: Vec<&str> = token.splitn(2, '/').collect();
                if parts.len() == 2 {
                    return Some(format!("{}:{}", parts[0], parts[1]));
                }
            }
        }
    }
    None
}

/// Format a drift report as human-readable text.
pub fn format_report(report: &DriftReport) -> String {
    let mut out = String::new();

    if !report.over_provisioned {
        out.push_str("No policy drift detected.\n");
        return out;
    }

    out.push_str(&format!(
        "Policy drift detected: {} of {} granted actions unused\n",
        report.unused.len(),
        report.granted.len()
    ));

    if !report.used.is_empty() {
        out.push_str("  Used:   ");
        out.push_str(&report.used.join(", "));
        out.push('\n');
    }

    if !report.unused.is_empty() {
        out.push_str("  Unused: ");
        out.push_str(&report.unused.join(", "));
        out.push('\n');
    }

    if let Some(ref suggestion) = report.suggestion {
        out.push_str(&format!("  Suggested --allow: \"{}\"\n", suggestion));
    }

    out
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_no_drift_when_all_used() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject,s3:ListBucket").unwrap();
        let used = vec!["s3:GetObject".to_string(), "s3:ListBucket".to_string()];
        let report = analyze(&policy, &used, CloudProvider::Aws);
        assert!(!report.over_provisioned);
        assert!(report.unused.is_empty());
        assert!(report.suggestion.is_none());
    }

    #[test]
    fn test_drift_with_unused_actions() {
        let policy =
            ScopedPolicy::from_allow_str("s3:GetObject,s3:PutObject,s3:DeleteObject").unwrap();
        let used = vec!["s3:GetObject".to_string()];
        let report = analyze(&policy, &used, CloudProvider::Aws);
        assert!(report.over_provisioned);
        assert_eq!(report.unused.len(), 2);
        assert!(report.unused.contains(&"s3:PutObject".to_string()));
        assert!(report.unused.contains(&"s3:DeleteObject".to_string()));
        assert_eq!(report.suggestion, Some("s3:GetObject".to_string()));
    }

    #[test]
    fn test_wildcard_covers_specific_action() {
        let policy = ScopedPolicy::from_allow_str("s3:*").unwrap();
        let used = vec!["s3:GetObject".to_string()];
        let report = analyze(&policy, &used, CloudProvider::Aws);
        // s3:* covers s3:GetObject, so it's not "unused"
        assert!(!report.over_provisioned);
    }

    #[test]
    fn test_no_drift_when_no_usage_detected() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject").unwrap();
        let used: Vec<String> = vec![];
        let report = analyze(&policy, &used, CloudProvider::Aws);
        // No usage detected — can't determine drift
        assert!(!report.over_provisioned);
    }

    #[test]
    fn test_infer_aws_s3_ls() {
        let cmd = vec!["aws".to_string(), "s3".to_string(), "ls".to_string()];
        let actions = detect_used_actions(&cmd, "");
        assert!(actions.contains(&"s3:ListBucket".to_string()));
        assert!(actions.contains(&"s3:ListAllMyBuckets".to_string()));
    }

    #[test]
    fn test_infer_aws_s3_cp() {
        let cmd = vec![
            "aws".to_string(),
            "s3".to_string(),
            "cp".to_string(),
            "s3://bucket/key".to_string(),
            "local.txt".to_string(),
        ];
        let actions = detect_used_actions(&cmd, "");
        assert!(actions.contains(&"s3:GetObject".to_string()));
    }

    #[test]
    fn test_infer_lambda_invoke() {
        let cmd = vec![
            "aws".to_string(),
            "lambda".to_string(),
            "invoke".to_string(),
            "--function-name".to_string(),
            "my-func".to_string(),
            "out.json".to_string(),
        ];
        let actions = detect_used_actions(&cmd, "");
        assert!(actions.contains(&"lambda:InvokeFunction".to_string()));
    }

    #[test]
    fn test_detect_from_stderr_debug() {
        let stderr =
            r#"2024-01-15 DEBUG Making request for OperationModel(name=GetObject) with S3 client"#;
        let actions = detect_used_actions(&[], stderr);
        assert!(actions.contains(&"s3:GetObject".to_string()));
    }

    #[test]
    fn test_format_report_no_drift() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject").unwrap();
        let used = vec!["s3:GetObject".to_string()];
        let report = analyze(&policy, &used, CloudProvider::Aws);
        let text = format_report(&report);
        assert!(text.contains("No policy drift"));
    }

    #[test]
    fn test_format_report_with_drift() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject,s3:PutObject").unwrap();
        let used = vec!["s3:GetObject".to_string()];
        let report = analyze(&policy, &used, CloudProvider::Aws);
        let text = format_report(&report);
        assert!(text.contains("drift detected"));
        assert!(text.contains("s3:PutObject"));
    }
}