tryaudex_core/

team.rs

use std::collections::HashMap;
use std::path::PathBuf;

use serde::{Deserialize, Serialize};

use crate::config::Profile;
use crate::error::{AvError, Result};

/// Team policy configuration in `[team]` config section.
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct TeamConfig {
    /// URL to fetch team policies from.
    /// Supports https:// URLs pointing to a TOML file.
    /// Example: "https://raw.githubusercontent.com/org/policies/main/audex-policies.toml"
    pub source: Option<String>,
    /// Cache TTL in seconds (default: 3600 = 1 hour)
    pub cache_ttl: Option<u64>,
}

/// Team policies TOML format — fetched from the remote source.
#[derive(Debug, Clone, Serialize, Deserialize)]
struct TeamPolicies {
    #[serde(default)]
    policies: HashMap<String, Profile>,
}

/// Cache entry stored on disk.
#[derive(Debug, Serialize, Deserialize)]
struct CacheEntry {
    fetched_at: i64,
    policies: HashMap<String, Profile>,
}

fn cache_path() -> PathBuf {
    dirs::cache_dir()
        .unwrap_or_else(|| PathBuf::from("."))
        .join("audex")
        .join("team_policies.json")
}

/// Load cached team policies if still valid and integrity check passes.
fn load_cache(ttl_secs: u64) -> Option<HashMap<String, Profile>> {
    let path = cache_path();
    let raw = std::fs::read_to_string(&path).ok()?;

    // Verify HMAC integrity — format is "hmac_hex\njson"
    let (stored_hmac, json) = raw.split_once('\n')?;
    let computed = cache_hmac(json);
    if stored_hmac != computed {
        eprintln!("  \x1b[33m⚠\x1b[0m Team policy cache integrity check failed — ignoring cache");
        let _ = std::fs::remove_file(&path);
        return None;
    }

    let entry: CacheEntry = serde_json::from_str(json).ok()?;
    let now = chrono::Utc::now().timestamp();
    if (now - entry.fetched_at) < ttl_secs as i64 {
        Some(entry.policies)
    } else {
        None
    }
}

/// Compute HMAC-SHA256 of cache content for integrity verification.
fn cache_hmac(data: &str) -> String {
    use hmac::{Hmac, Mac};
    use sha2::Sha256;
    let key = crate::integrity::get_hmac_key();
    let mut mac = Hmac::<Sha256>::new_from_slice(&key).expect("HMAC accepts any key length");
    mac.update(data.as_bytes());
    hex::encode(mac.finalize().into_bytes())
}

/// Save team policies to cache with HMAC integrity signature.
fn save_cache(policies: &HashMap<String, Profile>) {
    let entry = CacheEntry {
        fetched_at: chrono::Utc::now().timestamp(),
        policies: policies.clone(),
    };
    if let Ok(json) = serde_json::to_string(&entry) {
        let hmac = cache_hmac(&json);
        let signed = format!("{}\n{}", hmac, json);
        let path = cache_path();
        if let Some(parent) = path.parent() {
            let _ = std::fs::create_dir_all(parent);
        }
        #[cfg(unix)]
        {
            use std::io::Write;
            use std::os::unix::fs::OpenOptionsExt;
            let _ = std::fs::OpenOptions::new()
                .write(true)
                .create(true)
                .truncate(true)
                .mode(0o600)
                .open(&path)
                .and_then(|mut f| f.write_all(signed.as_bytes()));
        }
        #[cfg(not(unix))]
        {
            let _ = std::fs::write(&path, &signed);
        }
    }
}

/// Fetch team policies from the configured source URL.
pub async fn fetch(config: &TeamConfig) -> Result<HashMap<String, Profile>> {
    let source = config.source.as_deref().ok_or_else(|| {
        AvError::InvalidPolicy(
            "No team policy source configured. Set [team] source = \"https://...\" in config.toml"
                .to_string(),
        )
    })?;

    if !source.starts_with("https://") {
        return Err(AvError::InvalidPolicy(
            "Team policy source must use https://".to_string(),
        ));
    }

    let ttl = config.cache_ttl.unwrap_or(3600);

    // Check cache first
    if let Some(cached) = load_cache(ttl) {
        return Ok(cached);
    }

    // Fetch from URL
    let client = reqwest::Client::new();
    let resp = client
        .get(source)
        .timeout(std::time::Duration::from_secs(10))
        .send()
        .await
        .map_err(|e| {
            AvError::InvalidPolicy(format!(
                "Failed to fetch team policies from {}: {}",
                source, e
            ))
        })?;

    if !resp.status().is_success() {
        return Err(AvError::InvalidPolicy(format!(
            "Team policy source returned {}: {}",
            resp.status(),
            source
        )));
    }

    // R6-M30: cap team policy fetch body size. A malicious or compromised
    // team policy server could otherwise return a multi-GB body (or stream
    // indefinitely) and OOM the audex client. resp.text() would eagerly
    // read the whole body with no limit. Read chunks with a running byte
    // count instead and bail out at the cap.
    const MAX_TEAM_POLICY_BYTES: usize = 1024 * 1024; // 1 MiB
    let mut resp = resp;
    let mut body_bytes: Vec<u8> = Vec::new();
    loop {
        match resp.chunk().await {
            Ok(Some(chunk)) => {
                if body_bytes.len() + chunk.len() > MAX_TEAM_POLICY_BYTES {
                    return Err(AvError::InvalidPolicy(format!(
                        "Team policy response exceeds {} byte cap from {}",
                        MAX_TEAM_POLICY_BYTES, source
                    )));
                }
                body_bytes.extend_from_slice(&chunk);
            }
            Ok(None) => break,
            Err(e) => {
                return Err(AvError::InvalidPolicy(format!(
                    "Failed to read team policies: {}",
                    e
                )));
            }
        }
    }
    let body = String::from_utf8(body_bytes).map_err(|e| {
        AvError::InvalidPolicy(format!("Team policy response is not valid UTF-8: {}", e))
    })?;

    let team_policies: TeamPolicies = toml::from_str(&body)
        .map_err(|e| AvError::InvalidPolicy(format!("Invalid team policies TOML: {}", e)))?;

    // Cache for next time
    save_cache(&team_policies.policies);

    Ok(team_policies.policies)
}

/// Resolve a team policy by name. Requires async fetch.
pub async fn resolve(config: &TeamConfig, name: &str) -> Result<Profile> {
    let key = name.strip_prefix("team://").unwrap_or(name);
    let policies = fetch(config).await?;

    policies.get(key).cloned().ok_or_else(|| {
        let available: Vec<String> = policies.keys().cloned().collect();
        AvError::InvalidPolicy(format!(
            "Unknown team policy '{}'. Available: {}",
            key,
            if available.is_empty() {
                "(none)".to_string()
            } else {
                available.join(", ")
            }
        ))
    })
}

/// Resolve from cache only (sync, for use in non-async contexts).
pub fn resolve_cached(name: &str) -> Result<Profile> {
    let key = name.strip_prefix("team://").unwrap_or(name);
    let ttl = 3600; // default 1 hour

    let policies = load_cache(ttl).ok_or_else(|| {
        AvError::InvalidPolicy(
            "No cached team policies. Run `tryaudex run` once to fetch them.".to_string(),
        )
    })?;

    policies
        .get(key)
        .cloned()
        .ok_or_else(|| AvError::InvalidPolicy(format!("Unknown team policy '{}'", key)))
}

/// List cached team policies (sync).
pub fn list_cached() -> Vec<(String, Profile)> {
    load_cache(u64::MAX)
        .unwrap_or_default()
        .into_iter()
        .collect()
}