tryaudex_core/

server.rs

use serde::{Deserialize, Serialize};

/// Request to issue scoped credentials via the server API.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CredentialRequest {
    /// IAM actions to allow (e.g. "s3:GetObject,s3:ListBucket")
    pub allow: Option<String>,
    /// Named policy profile (e.g. "s3-readonly")
    pub profile: Option<String>,
    /// Resource ARN restriction
    pub resource: Option<String>,
    /// Cloud provider (aws, gcp, azure)
    #[serde(default = "default_provider")]
    pub provider: String,
    /// TTL for credentials (e.g. "15m", "1h")
    #[serde(default = "default_ttl")]
    pub ttl: String,
    /// IAM role ARN to assume
    pub role_arn: Option<String>,
    /// Command that will use these credentials (for audit)
    #[serde(default)]
    pub command: Vec<String>,
    /// Agent identity
    pub agent_id: Option<String>,
}

fn default_provider() -> String {
    "aws".to_string()
}

fn default_ttl() -> String {
    "15m".to_string()
}

/// Response from the credential issuance endpoint.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CredentialResponse {
    pub session_id: String,
    pub provider: String,
    pub expires_at: String,
    pub ttl_seconds: u64,
    pub credentials: CredentialEnvVars,
}

/// Credential environment variables returned by the server.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CredentialEnvVars {
    #[serde(skip_serializing_if = "Option::is_none")]
    pub aws_access_key_id: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub aws_secret_access_key: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub aws_session_token: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub gcp_access_token: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub azure_token: Option<String>,
}

/// Server configuration.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ServerConfig {
    /// Port to listen on
    #[serde(default = "default_port")]
    pub port: u16,
    /// Bind address
    #[serde(default = "default_bind")]
    pub bind: String,
    /// Optional API key for authentication
    pub api_key: Option<String>,
}

fn default_port() -> u16 {
    8080
}

fn default_bind() -> String {
    "0.0.0.0".to_string()
}

impl Default for ServerConfig {
    fn default() -> Self {
        Self {
            port: default_port(),
            bind: default_bind(),
            api_key: None,
        }
    }
}

/// API error response.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ApiError {
    pub error: String,
    pub code: u16,
}

/// Simple HTTP response builder.
pub fn http_response(status: u16, status_text: &str, content_type: &str, body: &str) -> String {
    format!(
        "HTTP/1.1 {} {}\r\nContent-Type: {}\r\nContent-Length: {}\r\nAccess-Control-Allow-Origin: *\r\n\r\n{}",
        status, status_text, content_type, body.len(), body
    )
}

pub fn json_ok(body: &str) -> String {
    http_response(200, "OK", "application/json", body)
}

pub fn json_error(code: u16, message: &str) -> String {
    let err = ApiError {
        error: message.to_string(),
        code,
    };
    let body = serde_json::to_string(&err)
        .unwrap_or_else(|_| format!("{{\"error\":\"{}\",\"code\":{}}}", message, code));
    let status_text = match code {
        400 => "Bad Request",
        401 => "Unauthorized",
        404 => "Not Found",
        405 => "Method Not Allowed",
        500 => "Internal Server Error",
        _ => "Error",
    };
    http_response(code, status_text, "application/json", &body)
}

/// Parse a minimal HTTP request: returns (method, path, body).
pub fn parse_http_request(raw: &str) -> Option<(&str, &str, &str)> {
    let mut lines = raw.split("\r\n");
    let first_line = lines.next()?;
    let mut parts = first_line.split_whitespace();
    let method = parts.next()?;
    let path = parts.next()?;

    // Find body after double CRLF
    let body = raw.split("\r\n\r\n").nth(1).unwrap_or("");

    Some((method, path, body))
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_parse_http_request_get() {
        let raw = "GET /v1/sessions HTTP/1.1\r\nHost: localhost\r\n\r\n";
        let (method, path, body) = parse_http_request(raw).unwrap();
        assert_eq!(method, "GET");
        assert_eq!(path, "/v1/sessions");
        assert_eq!(body, "");
    }

    #[test]
    fn test_parse_http_request_post() {
        let raw = "POST /v1/credentials HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{\"allow\":\"s3:GetObject\"}";
        let (method, path, body) = parse_http_request(raw).unwrap();
        assert_eq!(method, "POST");
        assert_eq!(path, "/v1/credentials");
        assert_eq!(body, "{\"allow\":\"s3:GetObject\"}");
    }

    #[test]
    fn test_json_ok() {
        let resp = json_ok("{\"status\":\"ok\"}");
        assert!(resp.contains("200 OK"));
        assert!(resp.contains("application/json"));
    }

    #[test]
    fn test_json_error() {
        let resp = json_error(400, "bad request");
        assert!(resp.contains("400 Bad Request"));
        assert!(resp.contains("bad request"));
    }

    #[test]
    fn test_credential_request_defaults() {
        let json = r#"{"allow":"s3:GetObject"}"#;
        let req: CredentialRequest = serde_json::from_str(json).unwrap();
        assert_eq!(req.provider, "aws");
        assert_eq!(req.ttl, "15m");
        assert!(req.role_arn.is_none());
    }

    #[test]
    fn test_server_config_default() {
        let config = ServerConfig::default();
        assert_eq!(config.port, 8080);
        assert_eq!(config.bind, "0.0.0.0");
        assert!(config.api_key.is_none());
    }
}