tryaudex_core/

forward.rs

use serde::{Deserialize, Serialize};

use crate::audit::AuditEntry;
use crate::error::{AvError, Result};

/// Audit forwarding configuration in `[audit]` config section.
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct ForwardConfig {
    /// Forwarding destinations. Each entry is a URL:
    /// - `s3://bucket-name/prefix/` — S3 with daily partitioned keys
    /// - `cloudwatch://log-group-name` — CloudWatch Logs
    /// - `https://...` — Generic webhook (POST JSON array)
    #[serde(default)]
    pub destinations: Vec<String>,
    /// Batch size before flushing (default: 10)
    pub batch_size: Option<usize>,
    /// Whether to forward synchronously on each event (default: false, batched)
    pub sync: Option<bool>,
    /// Bearer token to include in the `Authorization` header for webhook requests.
    /// If set, all `https://` destinations will receive `Authorization: Bearer <token>`.
    /// The env var `AUDEX_WEBHOOK_BEARER_TOKEN` takes precedence if set, avoiding
    /// plaintext secrets in the config file.
    pub webhook_bearer_token: Option<String>,
}

impl ForwardConfig {
    /// Return the effective webhook bearer token, preferring
    /// `AUDEX_WEBHOOK_BEARER_TOKEN` env var over the config-file value.
    pub fn resolve_bearer_token(&self) -> Option<String> {
        std::env::var("AUDEX_WEBHOOK_BEARER_TOKEN")
            .ok()
            .or_else(|| self.webhook_bearer_token.clone())
    }
}

/// In-memory buffer for batched forwarding.
pub struct ForwardBuffer {
    config: ForwardConfig,
    buffer: Vec<AuditEntry>,
}

impl ForwardBuffer {
    pub fn new(config: ForwardConfig) -> Self {
        Self {
            config,
            buffer: Vec::new(),
        }
    }

    /// Add an entry to the buffer. Flushes if batch size is reached.
    /// Returns Ok(true) if a flush happened.
    pub async fn push(&mut self, entry: AuditEntry) -> Result<bool> {
        if self.config.destinations.is_empty() {
            return Ok(false);
        }

        let sync = self.config.sync.unwrap_or(false);
        if sync {
            // R6-H14: resolve env override (`AUDEX_WEBHOOK_BEARER_TOKEN`)
            // instead of always using the config-file value.
            let bearer = self.config.resolve_bearer_token();
            forward_entries(&self.config.destinations, bearer.as_deref(), &[entry]).await?;
            return Ok(true);
        }

        self.buffer.push(entry);
        let batch_size = self.config.batch_size.unwrap_or(10);
        if self.buffer.len() >= batch_size {
            self.flush().await?;
            return Ok(true);
        }
        Ok(false)
    }

    /// Flush all buffered entries to all destinations.
    pub async fn flush(&mut self) -> Result<()> {
        if self.buffer.is_empty() || self.config.destinations.is_empty() {
            return Ok(());
        }
        let entries = std::mem::take(&mut self.buffer);
        // R6-H14: resolve env override (`AUDEX_WEBHOOK_BEARER_TOKEN`)
        // instead of always using the config-file value.
        let bearer = self.config.resolve_bearer_token();
        forward_entries(&self.config.destinations, bearer.as_deref(), &entries).await
    }
}

/// Forward entries to all configured destinations.
async fn forward_entries(
    destinations: &[String],
    webhook_bearer_token: Option<&str>,
    entries: &[AuditEntry],
) -> Result<()> {
    let mut errors = Vec::new();

    for dest in destinations {
        let result = if dest.starts_with("s3://") {
            forward_to_s3(dest, entries).await
        } else if dest.starts_with("cloudwatch://") {
            forward_to_cloudwatch(dest, entries).await
        } else if dest.starts_with("https://") {
            forward_to_webhook(dest, entries, webhook_bearer_token).await
        } else if dest.starts_with("http://") {
            Err(AvError::InvalidPolicy(format!(
                "Refusing to forward audit data over plaintext HTTP: {}. Use https:// instead.",
                dest
            )))
        } else {
            Err(AvError::InvalidPolicy(format!(
                "Unknown audit forwarding destination: {}. Expected s3://, cloudwatch://, or https://",
                dest
            )))
        };

        if let Err(e) = result {
            errors.push(format!("{}: {}", dest, e));
        }
    }

    if errors.is_empty() {
        Ok(())
    } else {
        Err(AvError::InvalidPolicy(format!(
            "Audit forwarding errors:\n{}",
            errors.join("\n")
        )))
    }
}

/// Forward audit entries to S3 as a JSONL file with daily partitioned keys.
/// Format: s3://bucket/prefix/YYYY/MM/DD/audex-{timestamp}.jsonl
///
/// Uses the AWS CLI for proper SigV4-signed requests, inheriting ambient
/// credentials from the environment (same approach as cleanup.rs).
async fn forward_to_s3(dest: &str, entries: &[AuditEntry]) -> Result<()> {
    let path = dest.strip_prefix("s3://").unwrap();
    let (bucket, prefix) = path.split_once('/').unwrap_or((path, ""));

    let now = chrono::Utc::now();
    let key = format!(
        "{}{}/audex-{}.jsonl",
        if prefix.is_empty() { "" } else { prefix },
        now.format("%Y/%m/%d"),
        now.format("%Y%m%dT%H%M%SZ"),
    );

    let body = entries
        .iter()
        .filter_map(|e| serde_json::to_string(e).ok())
        .collect::<Vec<_>>()
        .join("\n");

    let s3_uri = format!("s3://{}/{}", bucket, key);

    // Write body to a temp file for `aws s3 cp` to read.
    // Use UUID to avoid predictable names (symlink attack risk).
    let tmp = std::env::temp_dir().join(format!("audex-fwd-{}.jsonl", uuid::Uuid::new_v4()));
    std::fs::write(&tmp, &body)?;

    let tmp_path = tmp.clone();
    let output = tokio::task::spawn_blocking(move || {
        std::process::Command::new("aws")
            .args([
                "s3",
                "cp",
                tmp_path.to_str().unwrap_or("-"),
                &s3_uri,
                "--content-type",
                "application/x-ndjson",
            ])
            .output()
    })
    .await
    .map_err(|e| AvError::InvalidPolicy(format!("S3 upload task panicked: {}", e)))?
    .map_err(|e| AvError::InvalidPolicy(format!("Failed to run aws s3 cp: {}", e)))?;

    // Clean up temp file regardless of outcome.
    let _ = std::fs::remove_file(&tmp);

    if !output.status.success() {
        let stderr = String::from_utf8_lossy(&output.stderr);
        return Err(AvError::InvalidPolicy(format!(
            "S3 upload failed: {}",
            &stderr[..stderr.len().min(200)]
        )));
    }

    Ok(())
}

/// Forward audit entries to CloudWatch Logs.
/// Format: cloudwatch://log-group-name
///
/// Uses the AWS CLI for proper SigV4-signed requests.
async fn forward_to_cloudwatch(dest: &str, entries: &[AuditEntry]) -> Result<()> {
    let log_group = dest.strip_prefix("cloudwatch://").unwrap();
    let log_stream = format!("audex/{}", chrono::Utc::now().format("%Y/%m/%d"));

    // Ensure the log stream exists (create is idempotent).
    let lg = log_group.to_string();
    let ls = log_stream.clone();
    let _ = tokio::task::spawn_blocking(move || {
        std::process::Command::new("aws")
            .args([
                "logs",
                "create-log-stream",
                "--log-group-name",
                &lg,
                "--log-stream-name",
                &ls,
            ])
            .output()
    })
    .await;

    let events: Vec<serde_json::Value> = entries
        .iter()
        .map(|e| {
            serde_json::json!({
                "timestamp": e.timestamp.timestamp_millis(),
                "message": serde_json::to_string(e).unwrap_or_default()
            })
        })
        .collect();

    let events_json = serde_json::to_string(&events)
        .map_err(|e| AvError::InvalidPolicy(format!("Failed to serialize events: {}", e)))?;

    let lg2 = log_group.to_string();
    let ls2 = log_stream;
    let output = tokio::task::spawn_blocking(move || {
        std::process::Command::new("aws")
            .args([
                "logs",
                "put-log-events",
                "--log-group-name",
                &lg2,
                "--log-stream-name",
                &ls2,
                "--log-events",
                &events_json,
            ])
            .output()
    })
    .await
    .map_err(|e| AvError::InvalidPolicy(format!("CloudWatch task panicked: {}", e)))?
    .map_err(|e| AvError::InvalidPolicy(format!("Failed to run aws logs: {}", e)))?;

    if !output.status.success() {
        let stderr = String::from_utf8_lossy(&output.stderr);
        return Err(AvError::InvalidPolicy(format!(
            "CloudWatch Logs forward failed: {}",
            &stderr[..stderr.len().min(200)]
        )));
    }

    Ok(())
}

/// Forward audit entries to a generic webhook endpoint (SIEM, Splunk, etc).
/// POSTs a JSON array of audit entries. If `bearer_token` is provided it is
/// sent as `Authorization: Bearer <token>`.
async fn forward_to_webhook(
    url: &str,
    entries: &[AuditEntry],
    bearer_token: Option<&str>,
) -> Result<()> {
    let client = reqwest::Client::new();
    let mut req = client
        .post(url)
        .header("Content-Type", "application/json")
        .header("User-Agent", "audex-audit-forwarder/0.1")
        .json(&entries);
    if let Some(token) = bearer_token {
        req = req.bearer_auth(token);
    }
    let resp = req
        .send()
        .await
        .map_err(|e| AvError::InvalidPolicy(format!("Webhook forward failed: {}", e)))?;

    if !resp.status().is_success() {
        let status = resp.status();
        let body = resp.text().await.unwrap_or_default();
        return Err(AvError::InvalidPolicy(format!(
            "Webhook returned {}: {}",
            status,
            &body[..body.len().min(200)]
        )));
    }

    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::audit::{AuditEntry, AuditEvent};
    use chrono::Utc;

    fn sample_entry() -> AuditEntry {
        AuditEntry {
            timestamp: Utc::now(),
            session_id: "test-session-123".to_string(),
            provider: "aws".to_string(),
            event: AuditEvent::SessionCreated {
                role_arn: "arn:aws:iam::123456789012:role/TestRole".to_string(),
                ttl_seconds: 900,
                budget: None,
                allowed_actions: vec!["s3:GetObject".to_string()],
                command: vec!["aws".to_string(), "s3".to_string(), "ls".to_string()],
                agent_id: None,
            },
        }
    }

    #[test]
    fn test_forward_config_default() {
        let config = ForwardConfig::default();
        assert!(config.destinations.is_empty());
        assert!(config.batch_size.is_none());
        assert!(config.sync.is_none());
    }

    #[test]
    fn test_forward_config_deserialize() {
        let toml_str = r#"
destinations = ["s3://my-audit-bucket/audex/", "https://siem.example.com/ingest"]
batch_size = 5
sync = false
"#;
        let config: ForwardConfig = toml::from_str(toml_str).unwrap();
        assert_eq!(config.destinations.len(), 2);
        assert_eq!(config.batch_size, Some(5));
        assert_eq!(config.sync, Some(false));
    }

    #[tokio::test]
    async fn test_buffer_no_destinations() {
        let config = ForwardConfig::default();
        let mut buffer = ForwardBuffer::new(config);
        let flushed = buffer.push(sample_entry()).await.unwrap();
        assert!(!flushed);
        assert!(buffer.buffer.is_empty());
    }

    #[tokio::test]
    async fn test_buffer_batching() {
        let config = ForwardConfig {
            // Use a webhook that won't actually be called since we test buffer logic
            destinations: vec![],
            batch_size: Some(3),
            sync: Some(false),
            ..Default::default()
        };
        let mut buffer = ForwardBuffer::new(config);

        // With no destinations, push returns false
        buffer.push(sample_entry()).await.unwrap();
        buffer.push(sample_entry()).await.unwrap();
        assert_eq!(buffer.buffer.len(), 0); // no destinations = no buffering
    }

    #[test]
    fn test_entry_serialization() {
        let entry = sample_entry();
        let json = serde_json::to_string(&entry).unwrap();
        assert!(json.contains("test-session-123"));
        assert!(json.contains("session_created"));
        // Roundtrip
        let parsed: AuditEntry = serde_json::from_str(&json).unwrap();
        assert_eq!(parsed.session_id, "test-session-123");
    }
}