tryaudex_core/

drift.rs

use std::collections::HashSet;

use crate::policy::{ActionPattern, ScopedPolicy};

/// Result of comparing granted permissions against detected usage.
#[derive(Debug, Clone)]
pub struct DriftReport {
    /// Actions that were granted by the policy.
    pub granted: Vec<String>,
    /// Actions that were detected as actually used.
    pub used: Vec<String>,
    /// Actions granted but never detected as used (over-provisioned).
    pub unused: Vec<String>,
    /// Whether the policy appears over-provisioned.
    pub over_provisioned: bool,
    /// Suggested tighter policy string (for `--allow`).
    pub suggestion: Option<String>,
}

/// Analyze drift between granted policy and detected usage.
pub fn analyze(policy: &ScopedPolicy, used_actions: &[String]) -> DriftReport {
    let granted: Vec<String> = policy.actions.iter().map(|a| a.to_iam_action()).collect();

    let unused: Vec<String> = granted
        .iter()
        .filter(|g| {
            // A granted action is "unused" if no used action matches it
            // For wildcards like "s3:*", check if any used action is under that service
            if let Ok(pattern) = ActionPattern::parse(g) {
                !used_actions.iter().any(|u| {
                    if let Ok(used_pat) = ActionPattern::parse(u) {
                        // The granted pattern covers this used action
                        pattern.matches(&used_pat)
                    } else {
                        false
                    }
                })
            } else {
                true
            }
        })
        .cloned()
        .collect();

    let over_provisioned = !unused.is_empty() && !used_actions.is_empty();

    let suggestion = if over_provisioned && !used_actions.is_empty() {
        Some(used_actions.join(","))
    } else {
        None
    };

    DriftReport {
        granted,
        used: used_actions.to_vec(),
        unused,
        over_provisioned,
        suggestion,
    }
}

/// Detect which IAM actions were likely used by parsing the subprocess command
/// and its stderr output.
///
/// This uses heuristics — it can't catch every API call, but covers common
/// patterns from the AWS CLI, GCP gcloud, and verbose SDK output.
pub fn detect_used_actions(command: &[String], stderr: &str) -> Vec<String> {
    let mut actions = HashSet::new();

    // 1. Infer from the command itself
    if let Some(cmd_actions) = infer_from_command(command) {
        actions.extend(cmd_actions);
    }

    // 2. Parse stderr for AWS CLI/SDK debug output
    for line in stderr.lines() {
        // AWS CLI debug: "Making request for OperationModel(name=GetObject)"
        if let Some(pos) = line.find("OperationModel(name=") {
            let rest = &line[pos + 20..];
            if let Some(end) = rest.find(')') {
                let op = &rest[..end];
                if let Some(service) = guess_service_from_context(line) {
                    actions.insert(format!("{}:{}", service, op));
                }
            }
        }

        // AWS SDK: "Request: service/operation"
        if line.contains("Request:") || line.contains("request to") {
            if let Some(action) = parse_sdk_request_line(line) {
                actions.insert(action);
            }
        }

        // Pattern: "Calling service:Action" or "called service:Action"
        for prefix in &["Calling ", "called ", "invoking "] {
            if let Some(pos) = line.to_lowercase().find(prefix) {
                let rest = &line[pos + prefix.len()..];
                if let Some(action) = rest.split_whitespace().next() {
                    if action.contains(':') && action.len() > 3 {
                        let clean = action.trim_end_matches(|c: char| {
                            !c.is_alphanumeric() && c != ':' && c != '*'
                        });
                        actions.insert(clean.to_string());
                    }
                }
            }
        }
    }

    let mut result: Vec<String> = actions.into_iter().collect();
    result.sort();
    result
}

/// Infer IAM actions from the command line arguments.
fn infer_from_command(command: &[String]) -> Option<Vec<String>> {
    if command.is_empty() {
        return None;
    }

    let cmd = command[0].as_str();
    let args: Vec<&str> = command.iter().skip(1).map(|s| s.as_str()).collect();

    // AWS CLI commands
    if cmd == "aws" || cmd.ends_with("/aws") {
        return infer_aws_cli_actions(&args);
    }

    // Terraform
    if (cmd == "terraform" || cmd.ends_with("/terraform")) && args.first() == Some(&"plan") {
        return Some(vec!["sts:GetCallerIdentity".into()]);
    }

    None
}

/// Map AWS CLI subcommands to IAM actions.
fn infer_aws_cli_actions(args: &[&str]) -> Option<Vec<String>> {
    if args.len() < 2 {
        return None;
    }

    let service = args[0];
    let operation = args[1];

    let strs: Vec<&str> = match (service, operation) {
        ("s3", "ls") => vec!["s3:ListBucket", "s3:ListAllMyBuckets"],
        ("s3", "cp") => {
            if args.iter().any(|a| a.starts_with("s3://")) {
                if args.len() > 3 && args[3].starts_with("s3://") {
                    vec!["s3:GetObject", "s3:PutObject"]
                } else if args.get(2).is_some_and(|a| a.starts_with("s3://")) {
                    vec!["s3:GetObject"]
                } else {
                    vec!["s3:PutObject"]
                }
            } else {
                vec!["s3:GetObject", "s3:PutObject"]
            }
        }
        ("s3", "rm") => vec!["s3:DeleteObject"],
        ("s3", "sync") => vec!["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        ("s3", "mb") => vec!["s3:CreateBucket"],
        ("s3api", op) => return Some(vec![format!("s3:{}", op)]),
        ("lambda", "invoke") => vec!["lambda:InvokeFunction"],
        ("lambda", "update-function-code") => vec!["lambda:UpdateFunctionCode"],
        ("lambda", "get-function") => vec!["lambda:GetFunction"],
        ("lambda", "list-functions") => vec!["lambda:ListFunctions"],
        ("dynamodb", "get-item") => vec!["dynamodb:GetItem"],
        ("dynamodb", "put-item") => vec!["dynamodb:PutItem"],
        ("dynamodb", "query") => vec!["dynamodb:Query"],
        ("dynamodb", "scan") => vec!["dynamodb:Scan"],
        ("ec2", "describe-instances") => vec!["ec2:DescribeInstances"],
        ("sts", "get-caller-identity") => vec!["sts:GetCallerIdentity"],
        _ => return None,
    };

    Some(strs.into_iter().map(|s| s.to_string()).collect())
}

/// Try to guess the AWS service from context in a log line.
fn guess_service_from_context(line: &str) -> Option<&'static str> {
    let lower = line.to_lowercase();
    if lower.contains("s3") {
        return Some("s3");
    }
    if lower.contains("lambda") {
        return Some("lambda");
    }
    if lower.contains("dynamodb") {
        return Some("dynamodb");
    }
    if lower.contains("ec2") {
        return Some("ec2");
    }
    if lower.contains("iam") {
        return Some("iam");
    }
    if lower.contains("sts") {
        return Some("sts");
    }
    if lower.contains("sqs") {
        return Some("sqs");
    }
    if lower.contains("sns") {
        return Some("sns");
    }
    if lower.contains("cloudwatch") || lower.contains("logs") {
        return Some("logs");
    }
    if lower.contains("cloudformation") {
        return Some("cloudformation");
    }
    None
}

/// Parse a line that looks like "Request: service/operation" or similar patterns.
fn parse_sdk_request_line(line: &str) -> Option<String> {
    // Pattern: "service/OperationName"
    for sep in &["Request: ", "request to "] {
        if let Some(pos) = line.find(sep) {
            let rest = &line[pos + sep.len()..];
            let token = rest.split_whitespace().next()?;
            if token.contains('/') {
                let parts: Vec<&str> = token.splitn(2, '/').collect();
                if parts.len() == 2 {
                    return Some(format!("{}:{}", parts[0], parts[1]));
                }
            }
        }
    }
    None
}

/// Format a drift report as human-readable text.
pub fn format_report(report: &DriftReport) -> String {
    let mut out = String::new();

    if !report.over_provisioned {
        out.push_str("No policy drift detected.\n");
        return out;
    }

    out.push_str(&format!(
        "Policy drift detected: {} of {} granted actions unused\n",
        report.unused.len(),
        report.granted.len()
    ));

    if !report.used.is_empty() {
        out.push_str("  Used:   ");
        out.push_str(&report.used.join(", "));
        out.push('\n');
    }

    if !report.unused.is_empty() {
        out.push_str("  Unused: ");
        out.push_str(&report.unused.join(", "));
        out.push('\n');
    }

    if let Some(ref suggestion) = report.suggestion {
        out.push_str(&format!("  Suggested --allow: \"{}\"\n", suggestion));
    }

    out
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_no_drift_when_all_used() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject,s3:ListBucket").unwrap();
        let used = vec!["s3:GetObject".to_string(), "s3:ListBucket".to_string()];
        let report = analyze(&policy, &used);
        assert!(!report.over_provisioned);
        assert!(report.unused.is_empty());
        assert!(report.suggestion.is_none());
    }

    #[test]
    fn test_drift_with_unused_actions() {
        let policy =
            ScopedPolicy::from_allow_str("s3:GetObject,s3:PutObject,s3:DeleteObject").unwrap();
        let used = vec!["s3:GetObject".to_string()];
        let report = analyze(&policy, &used);
        assert!(report.over_provisioned);
        assert_eq!(report.unused.len(), 2);
        assert!(report.unused.contains(&"s3:PutObject".to_string()));
        assert!(report.unused.contains(&"s3:DeleteObject".to_string()));
        assert_eq!(report.suggestion, Some("s3:GetObject".to_string()));
    }

    #[test]
    fn test_wildcard_covers_specific_action() {
        let policy = ScopedPolicy::from_allow_str("s3:*").unwrap();
        let used = vec!["s3:GetObject".to_string()];
        let report = analyze(&policy, &used);
        // s3:* covers s3:GetObject, so it's not "unused"
        assert!(!report.over_provisioned);
    }

    #[test]
    fn test_no_drift_when_no_usage_detected() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject").unwrap();
        let used: Vec<String> = vec![];
        let report = analyze(&policy, &used);
        // No usage detected — can't determine drift
        assert!(!report.over_provisioned);
    }

    #[test]
    fn test_infer_aws_s3_ls() {
        let cmd = vec!["aws".to_string(), "s3".to_string(), "ls".to_string()];
        let actions = detect_used_actions(&cmd, "");
        assert!(actions.contains(&"s3:ListBucket".to_string()));
        assert!(actions.contains(&"s3:ListAllMyBuckets".to_string()));
    }

    #[test]
    fn test_infer_aws_s3_cp() {
        let cmd = vec![
            "aws".to_string(),
            "s3".to_string(),
            "cp".to_string(),
            "s3://bucket/key".to_string(),
            "local.txt".to_string(),
        ];
        let actions = detect_used_actions(&cmd, "");
        assert!(actions.contains(&"s3:GetObject".to_string()));
    }

    #[test]
    fn test_infer_lambda_invoke() {
        let cmd = vec![
            "aws".to_string(),
            "lambda".to_string(),
            "invoke".to_string(),
            "--function-name".to_string(),
            "my-func".to_string(),
            "out.json".to_string(),
        ];
        let actions = detect_used_actions(&cmd, "");
        assert!(actions.contains(&"lambda:InvokeFunction".to_string()));
    }

    #[test]
    fn test_detect_from_stderr_debug() {
        let stderr =
            r#"2024-01-15 DEBUG Making request for OperationModel(name=GetObject) with S3 client"#;
        let actions = detect_used_actions(&[], stderr);
        assert!(actions.contains(&"s3:GetObject".to_string()));
    }

    #[test]
    fn test_format_report_no_drift() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject").unwrap();
        let used = vec!["s3:GetObject".to_string()];
        let report = analyze(&policy, &used);
        let text = format_report(&report);
        assert!(text.contains("No policy drift"));
    }

    #[test]
    fn test_format_report_with_drift() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject,s3:PutObject").unwrap();
        let used = vec!["s3:GetObject".to_string()];
        let report = analyze(&policy, &used);
        let text = format_report(&report);
        assert!(text.contains("drift detected"));
        assert!(text.contains("s3:PutObject"));
    }
}