tryaudex_core/

vault.rs

use std::collections::HashMap;
use std::time::Duration;

use serde::{Deserialize, Serialize};

use crate::credentials::TempCredentials;
use crate::error::{AvError, Result};

/// Vault authentication method.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "method", rename_all = "lowercase")]
pub enum VaultAuth {
    /// Use a static Vault token (or VAULT_TOKEN env var).
    Token { token: Option<String> },
    /// AppRole authentication.
    Approle {
        role_id: String,
        secret_id: Option<String>,
        /// Auth mount path (default: "approle"). Change if mounted elsewhere.
        mount_path: Option<String>,
    },
    /// Kubernetes service account auth.
    Kubernetes {
        role: String,
        /// Path to the service account token (default: /var/run/secrets/kubernetes.io/serviceaccount/token)
        jwt_path: Option<String>,
        /// Auth mount path (default: "kubernetes"). Change if mounted elsewhere.
        mount_path: Option<String>,
    },
}

impl Default for VaultAuth {
    fn default() -> Self {
        VaultAuth::Token { token: None }
    }
}

/// Configuration for the Vault credential backend.
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct VaultConfig {
    /// Vault server address (e.g. "https://vault.example.com:8200").
    /// Falls back to VAULT_ADDR env var.
    pub address: Option<String>,
    /// Authentication method (default: token).
    #[serde(default)]
    pub auth: VaultAuth,
    /// AWS secrets engine mount path (default: "aws").
    pub mount: Option<String>,
    /// Vault role name for generating credentials.
    pub role: Option<String>,
    /// Vault namespace (for Vault Enterprise).
    pub namespace: Option<String>,
    /// Skip TLS verification (NOT recommended for production).
    #[serde(default)]
    pub tls_skip_verify: bool,
}

impl VaultConfig {
    /// Resolve the Vault address from config or VAULT_ADDR env var.
    ///
    /// R6-M47: validate scheme. Accept `https://` unconditionally, and
    /// `http://` only when the host is a loopback literal or `localhost`.
    /// A plaintext HTTP endpoint to a non-loopback host would send the
    /// Vault auth token in the clear and is rejected outright.
    pub fn resolve_address(&self) -> Result<String> {
        let raw = self
            .address
            .clone()
            .or_else(|| std::env::var("VAULT_ADDR").ok())
            .ok_or_else(|| {
                AvError::InvalidPolicy(
                    "Vault address not set. Set vault.address in config or VAULT_ADDR env var"
                        .to_string(),
                )
            })?;
        validate_vault_address(&raw)?;
        Ok(raw)
    }

    /// Resolve the secrets engine mount path (default: "aws").
    pub fn mount_path(&self) -> &str {
        self.mount.as_deref().unwrap_or("aws")
    }
}

/// Validate a Vault address: scheme must be http/https, and http is only
/// permitted when the host is loopback.
fn validate_vault_address(raw: &str) -> Result<()> {
    use std::net::IpAddr;
    use std::str::FromStr;

    let (scheme_is_https, without_scheme) = if let Some(rest) = raw.strip_prefix("https://") {
        (true, rest)
    } else if let Some(rest) = raw.strip_prefix("http://") {
        (false, rest)
    } else {
        return Err(AvError::InvalidPolicy(format!(
            "Vault address must use http:// or https://: {}",
            raw
        )));
    };

    let host_port = match without_scheme.find('/') {
        Some(idx) => &without_scheme[..idx],
        None => without_scheme,
    };
    if host_port.is_empty() {
        return Err(AvError::InvalidPolicy(format!(
            "Vault address has empty host: {}",
            raw
        )));
    }

    // Strip optional port for the loopback check. IPv6 hosts must be bracketed.
    let host_only: String = if let Some(rest) = host_port.strip_prefix('[') {
        match rest.find(']') {
            Some(end) => rest[..end].to_string(),
            None => {
                return Err(AvError::InvalidPolicy(format!(
                    "Vault address has unterminated IPv6 bracket: {}",
                    raw
                )));
            }
        }
    } else {
        match host_port.rfind(':') {
            Some(idx) => host_port[..idx].to_string(),
            None => host_port.to_string(),
        }
    };

    if scheme_is_https {
        return Ok(());
    }

    let is_loopback = if let Ok(ip) = IpAddr::from_str(&host_only) {
        ip.is_loopback()
    } else {
        host_only.eq_ignore_ascii_case("localhost")
    };
    if !is_loopback {
        return Err(AvError::InvalidPolicy(format!(
            "Vault address '{}' uses plaintext HTTP to a non-loopback host. \
             The Vault auth token would be sent in cleartext. Use https:// \
             or a loopback address.",
            raw
        )));
    }
    Ok(())
}

/// R6-M49: cap lease durations received from Vault so a hostile or
/// misconfigured server cannot return `u64::MAX` seconds (which would
/// wrap when cast to i64 for chrono::Duration and produce a past expiry
/// that the auto-renewal logic would interpret as "token valid forever").
/// 90 days is more than any real Vault lease configuration and well
/// under i64::MAX seconds.
const MAX_LEASE_DURATION_SECS: u64 = 90 * 24 * 60 * 60;

fn validated_lease_duration(raw: u64, context: &str) -> Result<u64> {
    if raw > MAX_LEASE_DURATION_SECS {
        return Err(AvError::Sts(format!(
            "Vault {} lease_duration {} exceeds max allowed ({}s)",
            context, raw, MAX_LEASE_DURATION_SECS
        )));
    }
    Ok(raw)
}

/// R6-M50: reject CR/LF/NUL in a Vault token before putting it on the
/// X-Vault-Token header. A VAULT_TOKEN env var containing CRLF could
/// otherwise smuggle additional headers into every Vault request.
fn validate_vault_token(token: &str) -> Result<()> {
    if token.is_empty() {
        return Err(AvError::InvalidPolicy("Vault token is empty".to_string()));
    }
    if token.bytes().any(|b| b == b'\r' || b == b'\n' || b == 0) {
        return Err(AvError::InvalidPolicy(
            "Vault token contains forbidden characters (CR/LF/NUL)".to_string(),
        ));
    }
    Ok(())
}

/// R6-M48: bounded read of the Kubernetes service-account JWT. The file
/// lives at an attacker-controllable path if the pod is compromised, and
/// symlinks or FIFOs could point at /dev/urandom or a terabyte log.
/// Real service-account tokens are a few KB; 64 KiB is generous.
fn read_k8s_jwt_capped(path: &str) -> Result<String> {
    use std::io::Read;
    const MAX_JWT_BYTES: u64 = 64 * 1024;

    let mut f = std::fs::File::open(path).map_err(|e| {
        AvError::InvalidPolicy(format!(
            "Failed to open Kubernetes service account token {}: {}",
            path, e
        ))
    })?;
    let mut buf = String::new();
    f.by_ref()
        .take(MAX_JWT_BYTES + 1)
        .read_to_string(&mut buf)
        .map_err(|e| {
            AvError::InvalidPolicy(format!(
                "Failed to read Kubernetes service account token {}: {}",
                path, e
            ))
        })?;
    if buf.len() as u64 > MAX_JWT_BYTES {
        return Err(AvError::InvalidPolicy(format!(
            "Kubernetes service account token {} exceeds {} bytes",
            path, MAX_JWT_BYTES
        )));
    }
    Ok(buf)
}

/// Response from Vault's auth endpoints.
#[derive(Debug, Deserialize)]
struct VaultAuthResponse {
    auth: Option<VaultAuthData>,
}

#[derive(Debug, Deserialize)]
struct VaultAuthData {
    client_token: String,
    #[serde(default)]
    lease_duration: u64,
    #[serde(default)]
    renewable: bool,
}

/// Response from Vault's AWS secrets engine.
#[derive(Debug, Deserialize)]
struct VaultSecretResponse {
    data: Option<VaultAwsCredentials>,
    lease_duration: Option<u64>,
}

#[derive(Debug, Deserialize)]
struct VaultAwsCredentials {
    access_key: String,
    secret_key: String,
    security_token: Option<String>,
}

/// Client for issuing credentials via HashiCorp Vault's AWS secrets engine.
pub struct VaultIssuer {
    address: String,
    token: String,
    mount: String,
    namespace: Option<String>,
    /// When the auth token expires (None for static tokens).
    token_expires_at: Option<chrono::DateTime<chrono::Utc>>,
    /// Original token lease duration in seconds (for computing renewal threshold).
    token_lease_duration: Option<u64>,
    /// Whether the token is renewable.
    token_renewable: bool,
    /// Whether to skip TLS certificate verification.
    tls_skip_verify: bool,
    /// Original auth config for re-authentication if renewal fails.
    auth_config: Option<VaultAuth>,
}

impl VaultIssuer {
    /// Create a new VaultIssuer by authenticating with the configured method.
    pub async fn new(config: &VaultConfig) -> Result<Self> {
        let address = config.resolve_address()?;
        let mount = config.mount_path().to_string();
        let namespace = config.namespace.clone();

        // R6-H25: validate all mount paths up front rather than letting
        // them surface inside auth/issue calls later.  Previously:
        //
        //   - `self.mount` (the secrets engine mount) was only validated
        //     inside `read_sts_creds`/`issue`, so a config with mount = ""
        //     or mount = "/" would authenticate successfully, hand out
        //     a live token, then fail every `issue()` call — leaving the
        //     caller with a half-authed issuer whose `token_expires_at`
        //     marched toward expiry without any credential ever flowing.
        //
        //   - The auth-method mount_path was validated inside
        //     `auth_approle`/`auth_kubernetes`, which meant a renewal
        //     triggered after the original auth ticket expired could
        //     suddenly start rejecting the same mount_path that the
        //     initial auth had accepted — any intermediate code path
        //     that constructed the mount differently (trimming, env
        //     expansion, future refactors) would produce a silent
        //     post-renewal outage instead of a clear startup error.
        //
        // Do the validation here so the issuer either works for its
        // whole lifetime or refuses to come up at all.
        crate::validate::path_component(&mount, "vault secrets engine mount")?;
        match &config.auth {
            VaultAuth::Approle { mount_path, .. } => {
                let m = mount_path.as_deref().unwrap_or("approle");
                crate::validate::path_component(m, "vault approle auth mount")?;
            }
            VaultAuth::Kubernetes { mount_path, .. } => {
                let m = mount_path.as_deref().unwrap_or("kubernetes");
                crate::validate::path_component(m, "vault kubernetes auth mount")?;
            }
            VaultAuth::Token { .. } => {}
        }

        // Validate tls_skip_verify *before* any auth request so that the
        // confirmation gate applies to the initial auth call as well.
        if config.tls_skip_verify {
            if std::env::var("AUDEX_DANGER_SKIP_TLS").as_deref() != Ok("1") {
                return Err(AvError::InvalidPolicy(
                    "tls_skip_verify requires AUDEX_DANGER_SKIP_TLS=1 environment variable as confirmation"
                        .to_string(),
                ));
            }
            // R3-L14: Emit a structured security warning so that TLS bypass is
            // visible in log aggregators and audit trails. The env-var gate
            // above requires explicit operator opt-in, but this warn ensures
            // the decision is recorded with context.
            tracing::warn!(
                security_event = "tls_verification_disabled",
                vault_address = %config.resolve_address().unwrap_or_default(),
                "Vault TLS verification disabled via AUDEX_DANGER_SKIP_TLS — \
                 connections are vulnerable to MITM attacks and this action is being logged"
            );
        }

        let (token, token_expires_at, token_lease_duration, token_renewable) = match &config.auth {
            VaultAuth::Token { token } => {
                let t = token
                    .clone()
                    .or_else(|| std::env::var("VAULT_TOKEN").ok())
                    .ok_or_else(|| {
                        AvError::InvalidPolicy(
                            "Vault token not set. Set vault.auth.token in config or VAULT_TOKEN env var".to_string(),
                        )
                    })?;
                // R6-M50: catch a bad token at construction time rather
                // than on the first request — avoids the confusing "half-
                // authed issuer" pattern.
                validate_vault_token(&t)?;
                (t, None, None, false)
            }
            VaultAuth::Approle {
                role_id,
                secret_id,
                mount_path,
            } => {
                let mount = mount_path.as_deref().unwrap_or("approle");
                Self::auth_approle(
                    &address,
                    namespace.as_deref(),
                    role_id,
                    secret_id.as_deref(),
                    mount,
                    config.tls_skip_verify,
                )
                .await?
            }
            VaultAuth::Kubernetes {
                role,
                jwt_path,
                mount_path,
            } => {
                let auth_mount = mount_path.as_deref().unwrap_or("kubernetes");
                let default_path = "/var/run/secrets/kubernetes.io/serviceaccount/token";
                let path = jwt_path.as_deref().unwrap_or(default_path);
                let jwt = read_k8s_jwt_capped(path)?;
                Self::auth_kubernetes(
                    &address,
                    namespace.as_deref(),
                    role,
                    &jwt,
                    auth_mount,
                    config.tls_skip_verify,
                )
                .await?
            }
        };

        tracing::info!(address = %address, mount = %mount, "Connected to Vault");

        Ok(Self {
            address,
            token,
            mount,
            namespace,
            token_expires_at,
            token_lease_duration,
            token_renewable,
            tls_skip_verify: config.tls_skip_verify,
            auth_config: Some(config.auth.clone()),
        })
    }

    /// Authenticate via AppRole and return a client token with TTL info.
    async fn auth_approle(
        address: &str,
        namespace: Option<&str>,
        role_id: &str,
        secret_id: Option<&str>,
        mount: &str,
        tls_skip_verify: bool,
    ) -> Result<(
        String,
        Option<chrono::DateTime<chrono::Utc>>,
        Option<u64>,
        bool,
    )> {
        crate::validate::path_component(mount, "vault auth mount")?;
        let url = format!("{}/v1/auth/{}/login", address, mount);
        let mut body = HashMap::new();
        body.insert("role_id", role_id);
        if let Some(sid) = secret_id {
            body.insert("secret_id", sid);
        }

        let resp = vault_post(&url, namespace, None, &body, tls_skip_verify).await?;
        let auth_resp: VaultAuthResponse = serde_json::from_str(&resp)
            .map_err(|e| AvError::Sts(format!("Failed to parse Vault auth response: {}", e)))?;

        let auth_data = auth_resp
            .auth
            .ok_or_else(|| AvError::Sts("Vault AppRole auth returned no token".to_string()))?;

        let (expires_at, lease_dur) = if auth_data.lease_duration > 0 {
            // R6-M49: cap before casting u64→i64.
            let lease = validated_lease_duration(auth_data.lease_duration, "auth")?;
            let expires = chrono::Utc::now() + chrono::Duration::seconds(lease as i64);
            (Some(expires), Some(lease))
        } else {
            (None, None)
        };

        Ok((
            auth_data.client_token,
            expires_at,
            lease_dur,
            auth_data.renewable,
        ))
    }

    /// Authenticate via Kubernetes service account and return a client token with TTL info.
    async fn auth_kubernetes(
        address: &str,
        namespace: Option<&str>,
        role: &str,
        jwt: &str,
        mount: &str,
        tls_skip_verify: bool,
    ) -> Result<(
        String,
        Option<chrono::DateTime<chrono::Utc>>,
        Option<u64>,
        bool,
    )> {
        crate::validate::path_component(mount, "vault auth mount")?;
        let url = format!("{}/v1/auth/{}/login", address, mount);
        let mut body = HashMap::new();
        body.insert("role", role);
        body.insert("jwt", jwt);

        let resp = vault_post(&url, namespace, None, &body, tls_skip_verify).await?;
        let auth_resp: VaultAuthResponse = serde_json::from_str(&resp)
            .map_err(|e| AvError::Sts(format!("Failed to parse Vault auth response: {}", e)))?;

        let auth_data = auth_resp
            .auth
            .ok_or_else(|| AvError::Sts("Vault Kubernetes auth returned no token".to_string()))?;

        let (expires_at, lease_dur) = if auth_data.lease_duration > 0 {
            // R6-M49: cap before casting u64→i64.
            let lease = validated_lease_duration(auth_data.lease_duration, "auth")?;
            let expires = chrono::Utc::now() + chrono::Duration::seconds(lease as i64);
            (Some(expires), Some(lease))
        } else {
            (None, None)
        };

        Ok((
            auth_data.client_token,
            expires_at,
            lease_dur,
            auth_data.renewable,
        ))
    }

    /// Ensure the Vault auth token is still valid, renewing or re-authenticating
    /// if it has reached 80% of its TTL.
    async fn ensure_token_valid(&mut self) -> Result<()> {
        let expires_at = match self.token_expires_at {
            Some(e) => e,
            None => return Ok(()), // static token, no expiry
        };

        let now = chrono::Utc::now();
        if now >= expires_at {
            // Token expired — try re-authentication
            tracing::warn!("Vault auth token expired — attempting re-authentication");
            return self.re_authenticate().await;
        }

        // Renew at 80% of original TTL
        let threshold_secs = self
            .token_lease_duration
            .map(|d| (d as f64 * 0.2) as i64)
            .unwrap_or(300);
        let remaining = (expires_at - now).num_seconds();

        if remaining < threshold_secs {
            if self.token_renewable {
                match self.renew_token().await {
                    Ok(()) => {
                        tracing::info!("Vault auth token renewed successfully");
                        return Ok(());
                    }
                    Err(e) => {
                        tracing::warn!(error = %e, "Token renewal failed — attempting re-authentication");
                        return self.re_authenticate().await;
                    }
                }
            } else {
                // Not renewable — try re-authentication
                tracing::warn!(
                    remaining_secs = remaining,
                    "Vault auth token expires soon and is not renewable — re-authenticating"
                );
                return self.re_authenticate().await;
            }
        }

        Ok(())
    }

    /// Renew the current token via `/v1/auth/token/renew-self`.
    async fn renew_token(&mut self) -> Result<()> {
        let url = format!("{}/v1/auth/token/renew-self", self.address);
        let body = HashMap::new();

        let resp = vault_post(
            &url,
            self.namespace.as_deref(),
            Some(&self.token),
            &body,
            self.tls_skip_verify,
        )
        .await?;

        let auth_resp: VaultAuthResponse = serde_json::from_str(&resp)
            .map_err(|e| AvError::Sts(format!("Failed to parse token renewal response: {}", e)))?;

        let auth_data = auth_resp
            .auth
            .ok_or_else(|| AvError::Sts("Token renewal returned no auth data".to_string()))?;

        self.token = auth_data.client_token;
        self.token_renewable = auth_data.renewable;
        if auth_data.lease_duration > 0 {
            // R6-M49: cap before casting u64→i64.
            let lease = validated_lease_duration(auth_data.lease_duration, "renew")?;
            self.token_lease_duration = Some(lease);
            self.token_expires_at =
                Some(chrono::Utc::now() + chrono::Duration::seconds(lease as i64));
        }

        Ok(())
    }

    /// Re-authenticate using the stored auth config.
    async fn re_authenticate(&mut self) -> Result<()> {
        let auth =
            match &self.auth_config {
                Some(a) => a.clone(),
                None => return Err(AvError::Sts(
                    "Vault auth token expired and no auth config available for re-authentication"
                        .to_string(),
                )),
            };

        let (token, expires_at, lease_dur, renewable) = match &auth {
            VaultAuth::Token { .. } => {
                return Err(AvError::Sts(
                    "Vault static token expired. Provide a new token or use AppRole/Kubernetes auth."
                        .to_string(),
                ));
            }
            VaultAuth::Approle {
                role_id,
                secret_id,
                mount_path,
            } => {
                let mount = mount_path.as_deref().unwrap_or("approle");
                Self::auth_approle(
                    &self.address,
                    self.namespace.as_deref(),
                    role_id,
                    secret_id.as_deref(),
                    mount,
                    self.tls_skip_verify,
                )
                .await?
            }
            VaultAuth::Kubernetes {
                role,
                jwt_path,
                mount_path,
            } => {
                let auth_mount = mount_path.as_deref().unwrap_or("kubernetes");
                let default_path = "/var/run/secrets/kubernetes.io/serviceaccount/token";
                let path = jwt_path.as_deref().unwrap_or(default_path);
                let jwt = read_k8s_jwt_capped(path)?;
                Self::auth_kubernetes(
                    &self.address,
                    self.namespace.as_deref(),
                    role,
                    &jwt,
                    auth_mount,
                    self.tls_skip_verify,
                )
                .await?
            }
        };

        self.token = token;
        self.token_expires_at = expires_at;
        self.token_lease_duration = lease_dur;
        self.token_renewable = renewable;
        tracing::info!("Vault re-authentication successful");

        Ok(())
    }

    /// Issue temporary AWS credentials via Vault's AWS secrets engine.
    ///
    /// Uses the `/v1/{mount}/creds/{role}` endpoint to generate dynamic credentials.
    /// The `ttl` parameter is passed as a request parameter to control credential lifetime.
    pub async fn issue(&mut self, vault_role: &str, ttl: Duration) -> Result<TempCredentials> {
        self.ensure_token_valid().await?;
        crate::validate::path_component(&self.mount, "vault mount")?;
        crate::validate::path_component(vault_role, "vault role")?;
        let url = format!("{}/v1/{}/creds/{}", self.address, self.mount, vault_role);

        let ttl_str = format!("{}s", ttl.as_secs());
        let mut body = HashMap::new();
        body.insert("ttl", ttl_str.as_str());

        tracing::info!(
            vault_role = %vault_role,
            ttl = %ttl_str,
            "Requesting credentials from Vault AWS secrets engine"
        );

        let resp = vault_post(
            &url,
            self.namespace.as_deref(),
            Some(&self.token),
            &body,
            self.tls_skip_verify,
        )
        .await?;
        let secret: VaultSecretResponse = serde_json::from_str(&resp).map_err(|e| {
            AvError::Sts(format!("Failed to parse Vault credential response: {}", e))
        })?;

        let creds = secret
            .data
            .ok_or_else(|| AvError::Sts("Vault returned no credential data".to_string()))?;

        let lease_secs =
            validated_lease_duration(secret.lease_duration.unwrap_or(ttl.as_secs()), "creds")?;
        let expires_at = chrono::Utc::now() + chrono::Duration::seconds(lease_secs as i64);

        Ok(TempCredentials {
            access_key_id: creds.access_key,
            secret_access_key: creds.secret_key,
            session_token: creds.security_token.unwrap_or_default(),
            expires_at,
        })
    }

    /// Read a Vault secret from an arbitrary path (for STS credential generation
    /// where the Vault role uses assumed_role or federation_token type).
    pub async fn read_sts_creds(
        &mut self,
        vault_role: &str,
        ttl: Duration,
    ) -> Result<TempCredentials> {
        crate::validate::path_component(&self.mount, "vault mount")?;
        crate::validate::path_component(vault_role, "vault role")?;
        self.ensure_token_valid().await?;
        let url = format!("{}/v1/{}/sts/{}", self.address, self.mount, vault_role);

        let ttl_str = format!("{}s", ttl.as_secs());
        let mut body = HashMap::new();
        body.insert("ttl", ttl_str.as_str());

        tracing::info!(
            vault_role = %vault_role,
            ttl = %ttl_str,
            "Requesting STS credentials from Vault"
        );

        let resp = vault_post(
            &url,
            self.namespace.as_deref(),
            Some(&self.token),
            &body,
            self.tls_skip_verify,
        )
        .await?;
        let secret: VaultSecretResponse = serde_json::from_str(&resp)
            .map_err(|e| AvError::Sts(format!("Failed to parse Vault STS response: {}", e)))?;

        let creds = secret
            .data
            .ok_or_else(|| AvError::Sts("Vault returned no STS credential data".to_string()))?;

        let lease_secs =
            validated_lease_duration(secret.lease_duration.unwrap_or(ttl.as_secs()), "creds")?;
        let expires_at = chrono::Utc::now() + chrono::Duration::seconds(lease_secs as i64);

        Ok(TempCredentials {
            access_key_id: creds.access_key,
            secret_access_key: creds.secret_key,
            session_token: creds.security_token.unwrap_or_default(),
            expires_at,
        })
    }

    /// Check if Vault is healthy and the secrets engine is accessible.
    pub async fn health_check(&self) -> Result<bool> {
        let url = format!("{}/v1/sys/health", self.address);
        match vault_get(
            &url,
            self.namespace.as_deref(),
            Some(&self.token),
            self.tls_skip_verify,
        )
        .await
        {
            Ok(_) => Ok(true),
            Err(_) => Ok(false),
        }
    }
}

/// Make a POST request to Vault.
async fn vault_post(
    url: &str,
    namespace: Option<&str>,
    token: Option<&str>,
    body: &HashMap<&str, &str>,
    tls_skip_verify: bool,
) -> Result<String> {
    let body_json = serde_json::to_string(body)
        .map_err(|e| AvError::Sts(format!("Failed to serialize Vault request: {}", e)))?;

    let mut headers = vec![("Content-Type", "application/json")];
    let ns_header;
    if let Some(ns) = namespace {
        if ns.contains('\r') || ns.contains('\n') || ns.contains('\0') {
            return Err(AvError::InvalidPolicy(
                "Vault namespace contains invalid characters (CR, LF, or NUL)".to_string(),
            ));
        }
        crate::validate::path_component(ns, "vault namespace")?;
        ns_header = ns.to_string();
        headers.push(("X-Vault-Namespace", &ns_header));
    }
    let token_header;
    if let Some(t) = token {
        // R6-M50: CRLF/NUL in an attacker-controlled VAULT_TOKEN would
        // allow header injection into every Vault request. Validate at
        // the boundary — reqwest rejects most bad values but we want a
        // clear error with the right blame attribution.
        validate_vault_token(t)?;
        token_header = t.to_string();
        headers.push(("X-Vault-Token", &token_header));
    }

    http_request("POST", url, &headers, Some(&body_json), tls_skip_verify).await
}

/// Make a GET request to Vault.
async fn vault_get(
    url: &str,
    namespace: Option<&str>,
    token: Option<&str>,
    tls_skip_verify: bool,
) -> Result<String> {
    let mut headers: Vec<(&str, &str)> = vec![];
    let ns_header;
    if let Some(ns) = namespace {
        if ns.contains('\r') || ns.contains('\n') || ns.contains('\0') {
            return Err(AvError::InvalidPolicy(
                "Vault namespace contains invalid characters (CR, LF, or NUL)".to_string(),
            ));
        }
        crate::validate::path_component(ns, "vault namespace")?;
        ns_header = ns.to_string();
        headers.push(("X-Vault-Namespace", &ns_header));
    }
    let token_header;
    if let Some(t) = token {
        // R6-M50: CRLF/NUL in an attacker-controlled VAULT_TOKEN would
        // allow header injection into every Vault request. Validate at
        // the boundary — reqwest rejects most bad values but we want a
        // clear error with the right blame attribution.
        validate_vault_token(t)?;
        token_header = t.to_string();
        headers.push(("X-Vault-Token", &token_header));
    }

    http_request("GET", url, &headers, None, tls_skip_verify).await
}

/// HTTP client using reqwest with proper TLS support for https:// URLs.
async fn http_request(
    method: &str,
    url: &str,
    headers: &[(&str, &str)],
    body: Option<&str>,
    danger_accept_invalid_certs: bool,
) -> Result<String> {
    let client = reqwest::Client::builder()
        .timeout(Duration::from_secs(30))
        .danger_accept_invalid_certs(danger_accept_invalid_certs)
        .build()
        .map_err(|e| AvError::Sts(format!("Failed to create HTTP client: {}", e)))?;

    let mut req = match method {
        "POST" => client.post(url),
        "PUT" => client.put(url),
        "DELETE" => client.delete(url),
        _ => client.get(url),
    };

    for (key, value) in headers {
        req = req.header(*key, *value);
    }

    if let Some(b) = body {
        req = req.body(b.to_string());
    }

    let response = req
        .send()
        .await
        .map_err(|e| AvError::Sts(format!("Failed to connect to Vault at {}: {}", url, e)))?;

    let status = response.status().as_u16();

    // Guard against unbounded response bodies from a compromised Vault.
    const MAX_VAULT_RESPONSE: u64 = 2 * 1024 * 1024; // 2 MB
    if let Some(len) = response.content_length() {
        if len > MAX_VAULT_RESPONSE {
            return Err(AvError::Sts(format!(
                "Vault response too large: {} bytes (max {})",
                len, MAX_VAULT_RESPONSE
            )));
        }
    }
    let body_bytes = response
        .bytes()
        .await
        .map_err(|e| AvError::Sts(format!("Failed to read Vault response: {}", e)))?;
    if body_bytes.len() as u64 > MAX_VAULT_RESPONSE {
        return Err(AvError::Sts(format!(
            "Vault response too large: {} bytes (max {})",
            body_bytes.len(),
            MAX_VAULT_RESPONSE
        )));
    }
    let body_text = String::from_utf8_lossy(&body_bytes).into_owned();

    if status >= 400 {
        return Err(AvError::Sts(format!(
            "Vault returned HTTP {}: {}",
            status, body_text
        )));
    }

    Ok(body_text)
}

#[cfg(test)]
struct ParsedUrl {
    host: String,
    port: u16,
    path: String,
}

#[cfg(test)]
fn parse_url(url: &str) -> Result<ParsedUrl> {
    let without_scheme = if let Some(rest) = url.strip_prefix("https://") {
        rest
    } else if let Some(rest) = url.strip_prefix("http://") {
        rest
    } else {
        return Err(AvError::InvalidPolicy(format!(
            "Invalid Vault URL: {}",
            url
        )));
    };

    let default_port: u16 = 8200;

    let (host_port, path) = match without_scheme.find('/') {
        Some(idx) => (&without_scheme[..idx], &without_scheme[idx..]),
        None => (without_scheme, "/"),
    };

    let (host, port) = match host_port.rfind(':') {
        Some(idx) => {
            let port_str = &host_port[idx + 1..];
            let port = port_str.parse::<u16>().unwrap_or(default_port);
            (host_port[..idx].to_string(), port)
        }
        None => (host_port.to_string(), default_port),
    };

    Ok(ParsedUrl {
        host,
        port,
        path: path.to_string(),
    })
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_parse_url_with_port() {
        let parsed = parse_url("http://vault.example.com:8200/v1/aws/creds/my-role").unwrap();
        assert_eq!(parsed.host, "vault.example.com");
        assert_eq!(parsed.port, 8200);
        assert_eq!(parsed.path, "/v1/aws/creds/my-role");
    }

    #[test]
    fn test_parse_url_without_port() {
        let parsed = parse_url("https://vault.example.com/v1/sys/health").unwrap();
        assert_eq!(parsed.host, "vault.example.com");
        assert_eq!(parsed.port, 8200);
        assert_eq!(parsed.path, "/v1/sys/health");
    }

    #[test]
    fn test_parse_url_localhost() {
        let parsed = parse_url("http://127.0.0.1:8200/v1/auth/approle/login").unwrap();
        assert_eq!(parsed.host, "127.0.0.1");
        assert_eq!(parsed.port, 8200);
    }

    #[test]
    fn test_parse_url_invalid() {
        assert!(parse_url("ftp://vault.example.com").is_err());
    }

    #[test]
    fn test_vault_config_defaults() {
        let config = VaultConfig::default();
        assert_eq!(config.mount_path(), "aws");
        assert!(!config.tls_skip_verify);
        assert!(config.address.is_none());
    }

    #[test]
    fn test_vault_config_resolve_address_env() {
        let config = VaultConfig {
            address: Some("http://localhost:8200".to_string()),
            ..Default::default()
        };
        assert_eq!(config.resolve_address().unwrap(), "http://localhost:8200");
    }

    #[test]
    fn test_vault_config_custom_mount() {
        let config = VaultConfig {
            mount: Some("aws-prod".to_string()),
            ..Default::default()
        };
        assert_eq!(config.mount_path(), "aws-prod");
    }

    #[test]
    fn test_vault_config_deserialize() {
        let toml_str = r#"
address = "https://vault.internal:8200"
mount = "aws-prod"
role = "audex-agent"
namespace = "engineering"

[auth]
method = "approle"
role_id = "abc-123"
secret_id = "def-456"
"#;
        let config: VaultConfig = toml::from_str(toml_str).unwrap();
        assert_eq!(
            config.address.as_deref(),
            Some("https://vault.internal:8200")
        );
        assert_eq!(config.mount_path(), "aws-prod");
        assert_eq!(config.role.as_deref(), Some("audex-agent"));
        assert_eq!(config.namespace.as_deref(), Some("engineering"));
        match config.auth {
            VaultAuth::Approle {
                role_id,
                secret_id,
                mount_path,
            } => {
                assert_eq!(role_id, "abc-123");
                assert_eq!(secret_id.unwrap(), "def-456");
                assert!(mount_path.is_none()); // defaults to "approle"
            }
            _ => panic!("Expected AppRole auth"),
        }
    }

    #[test]
    fn test_vault_config_kubernetes_auth() {
        let toml_str = r#"
address = "http://vault:8200"

[auth]
method = "kubernetes"
role = "audex"
jwt_path = "/var/run/secrets/token"
"#;
        let config: VaultConfig = toml::from_str(toml_str).unwrap();
        match config.auth {
            VaultAuth::Kubernetes {
                role,
                jwt_path,
                mount_path,
            } => {
                assert_eq!(role, "audex");
                assert_eq!(jwt_path.unwrap(), "/var/run/secrets/token");
                assert!(mount_path.is_none()); // defaults to "kubernetes"
            }
            _ => panic!("Expected Kubernetes auth"),
        }
    }

    #[test]
    fn test_validate_vault_address_https_ok() {
        assert!(validate_vault_address("https://vault.example.com:8200").is_ok());
        assert!(validate_vault_address("https://vault.example.com").is_ok());
    }

    #[test]
    fn test_validate_vault_address_http_loopback_ok() {
        assert!(validate_vault_address("http://localhost:8200").is_ok());
        assert!(validate_vault_address("http://127.0.0.1:8200").is_ok());
        assert!(validate_vault_address("http://127.0.0.2:8200").is_ok());
        assert!(validate_vault_address("http://[::1]:8200").is_ok());
    }

    #[test]
    fn test_validate_vault_address_http_non_loopback_rejected() {
        // R6-M47: plain http to a non-loopback host would send the Vault
        // token in cleartext.
        let err = validate_vault_address("http://vault.internal:8200").unwrap_err();
        assert!(err.to_string().contains("plaintext HTTP"));

        let err = validate_vault_address("http://10.0.0.5:8200").unwrap_err();
        assert!(err.to_string().contains("plaintext HTTP"));
    }

    #[test]
    fn test_validate_vault_address_bad_scheme_rejected() {
        assert!(validate_vault_address("ftp://vault").is_err());
        assert!(validate_vault_address("file:///etc/passwd").is_err());
        assert!(validate_vault_address("javascript:alert(1)").is_err());
    }

    #[test]
    fn test_validate_vault_token_rejects_crlf() {
        // R6-M50
        assert!(validate_vault_token("s.abcdef").is_ok());
        assert!(validate_vault_token("abc\r\nX-Evil: 1").is_err());
        assert!(validate_vault_token("abc\nevil").is_err());
        assert!(validate_vault_token("abc\0nul").is_err());
        assert!(validate_vault_token("").is_err());
    }

    #[test]
    fn test_validated_lease_duration_cap() {
        // R6-M49: attacker-controlled huge leases are rejected before
        // the u64→i64 cast that would wrap.
        assert_eq!(validated_lease_duration(3600, "test").unwrap(), 3600);
        assert_eq!(
            validated_lease_duration(MAX_LEASE_DURATION_SECS, "test").unwrap(),
            MAX_LEASE_DURATION_SECS
        );
        assert!(validated_lease_duration(MAX_LEASE_DURATION_SECS + 1, "test").is_err());
        assert!(validated_lease_duration(u64::MAX, "test").is_err());
    }

    #[test]
    fn test_read_k8s_jwt_capped_enforces_size() {
        // R6-M48
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("token");
        std::fs::write(&path, b"valid.jwt.token").unwrap();
        let jwt = read_k8s_jwt_capped(path.to_str().unwrap()).unwrap();
        assert_eq!(jwt, "valid.jwt.token");

        // Oversize rejected.
        let big_path = dir.path().join("big");
        let big = vec![b'a'; 65 * 1024];
        std::fs::write(&big_path, &big).unwrap();
        assert!(read_k8s_jwt_capped(big_path.to_str().unwrap()).is_err());
    }
}