uvb_secret_access_control/

lib.rs

//! # Secret Access Control
//!
//! Enterprise-grade secret access control to address:
//! - **Risk #33**: Secrets accessible by too many internal services
//!
//! ## Features
//!
//! - **Service Identity Verification**: Authenticate services via mTLS certificates
//! - **Principle of Least Privilege**: Grant minimum required permissions
//! - **Service-Specific Secret Scoping**: Secrets scoped to specific services
//! - **Access Audit Logging**: Log all secret access attempts
//! - **Role-Based Access Control (RBAC)**: Define roles and permissions
//! - **Secret Access Policies**: Fine-grained access control policies
//! - **Access Request Workflow**: Approval workflow for sensitive secrets
//! - **Temporary Access Grants**: Time-limited secret access

use async_trait::async_trait;
use chrono::{DateTime, Duration, Utc};
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256};
use std::collections::{HashMap, HashSet};
use thiserror::Error;
use tracing::info;
use uuid::Uuid;

use uvb_core::TenantId;

/// Errors that can occur in secret access control
#[derive(Debug, Error)]
pub enum SecretAccessError {
    #[error("Access denied: {0}")]
    AccessDenied(String),

    #[error("Service not authenticated")]
    ServiceNotAuthenticated,

    #[error("Service not authorized for secret: {secret_id}")]
    ServiceNotAuthorized { secret_id: String },

    #[error("Secret not found: {0}")]
    SecretNotFound(String),

    #[error("Invalid service identity")]
    InvalidServiceIdentity,

    #[error("Access grant expired at {0}")]
    AccessGrantExpired(DateTime<Utc>),

    #[error("Access request pending approval")]
    AccessRequestPending,

    #[error("Access request denied")]
    AccessRequestDenied,

    #[error("Invalid access policy")]
    InvalidAccessPolicy,

    #[error("Storage error: {0}")]
    Storage(String),
}

/// Service identity
#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq, Hash)]
pub struct ServiceIdentity {
    /// Service ID
    pub service_id: String,

    /// Service name
    pub name: String,

    /// Service type
    pub service_type: ServiceType,

    /// Tenant ID
    pub tenant_id: TenantId,

    /// Certificate fingerprint (for mTLS)
    pub cert_fingerprint: Option<String>,

    /// Environment
    pub environment: Environment,

    /// Created at
    pub created_at: DateTime<Utc>,
}

impl ServiceIdentity {
    /// Create new service identity
    pub fn new(
        name: String,
        service_type: ServiceType,
        tenant_id: TenantId,
        environment: Environment,
    ) -> Self {
        Self {
            service_id: Uuid::new_v4().to_string(),
            name,
            service_type,
            tenant_id,
            cert_fingerprint: None,
            environment,
            created_at: Utc::now(),
        }
    }

    /// Set certificate fingerprint
    pub fn with_cert_fingerprint(mut self, fingerprint: String) -> Self {
        self.cert_fingerprint = Some(fingerprint);
        self
    }

    /// Calculate identity hash (for verification)
    pub fn identity_hash(&self) -> String {
        let mut hasher = Sha256::new();
        hasher.update(self.service_id.as_bytes());
        hasher.update(self.name.as_bytes());
        hasher.update(self.tenant_id.to_string().as_bytes());
        hex::encode(hasher.finalize())
    }
}

/// Service type
#[derive(Clone, Copy, Debug, Serialize, Deserialize, PartialEq, Eq, Hash)]
pub enum ServiceType {
    /// Authentication service
    AuthService,

    /// MFA service
    MfaService,

    /// User service
    UserService,

    /// API gateway
    ApiGateway,

    /// Background worker
    BackgroundWorker,

    /// Admin service
    AdminService,

    /// Analytics service
    AnalyticsService,

    /// Unknown/Other
    Unknown,
}

impl ServiceType {
    /// Get service type name
    pub fn name(&self) -> &'static str {
        match self {
            Self::AuthService => "Authentication Service",
            Self::MfaService => "MFA Service",
            Self::UserService => "User Service",
            Self::ApiGateway => "API Gateway",
            Self::BackgroundWorker => "Background Worker",
            Self::AdminService => "Admin Service",
            Self::AnalyticsService => "Analytics Service",
            Self::Unknown => "Unknown",
        }
    }

    /// Get default trust level
    pub fn default_trust_level(&self) -> TrustLevel {
        match self {
            Self::AuthService | Self::MfaService => TrustLevel::High,
            Self::ApiGateway | Self::UserService => TrustLevel::Medium,
            Self::BackgroundWorker | Self::AdminService => TrustLevel::Medium,
            Self::AnalyticsService => TrustLevel::Low,
            Self::Unknown => TrustLevel::Untrusted,
        }
    }
}

/// Environment
#[derive(Clone, Copy, Debug, Serialize, Deserialize, PartialEq, Eq, Hash)]
pub enum Environment {
    Production,
    Staging,
    Development,
    Testing,
}

/// Trust level
#[derive(Clone, Copy, Debug, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
pub enum TrustLevel {
    Untrusted = 0,
    Low = 1,
    Medium = 2,
    High = 3,
    Critical = 4,
}

/// Secret scope
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct SecretScope {
    /// Secret ID
    pub secret_id: String,

    /// Secret name
    pub name: String,

    /// Secret type
    pub secret_type: SecretType,

    /// Tenant ID
    pub tenant_id: TenantId,

    /// Required trust level
    pub required_trust_level: TrustLevel,

    /// Allowed services (whitelist)
    pub allowed_services: HashSet<String>,

    /// Denied services (blacklist)
    pub denied_services: HashSet<String>,

    /// Allowed environments
    pub allowed_environments: HashSet<Environment>,

    /// Require approval
    pub require_approval: bool,

    /// Created at
    pub created_at: DateTime<Utc>,

    /// Updated at
    pub updated_at: DateTime<Utc>,
}

impl SecretScope {
    /// Create new secret scope
    pub fn new(
        name: String,
        secret_type: SecretType,
        tenant_id: TenantId,
        required_trust_level: TrustLevel,
    ) -> Self {
        let now = Utc::now();
        Self {
            secret_id: Uuid::new_v4().to_string(),
            name,
            secret_type,
            tenant_id,
            required_trust_level,
            allowed_services: HashSet::new(),
            denied_services: HashSet::new(),
            allowed_environments: HashSet::from_iter(vec![
                Environment::Production,
                Environment::Staging,
                Environment::Development,
            ]),
            require_approval: false,
            created_at: now,
            updated_at: now,
        }
    }

    /// Add allowed service
    pub fn allow_service(mut self, service_id: String) -> Self {
        self.allowed_services.insert(service_id);
        self.updated_at = Utc::now();
        self
    }

    /// Add denied service
    pub fn deny_service(mut self, service_id: String) -> Self {
        self.denied_services.insert(service_id);
        self.updated_at = Utc::now();
        self
    }

    /// Set allowed environments
    pub fn with_environments(mut self, environments: HashSet<Environment>) -> Self {
        self.allowed_environments = environments;
        self.updated_at = Utc::now();
        self
    }

    /// Set require approval
    pub fn with_approval_required(mut self, required: bool) -> Self {
        self.require_approval = required;
        self.updated_at = Utc::now();
        self
    }

    /// Check if service is allowed
    pub fn is_service_allowed(&self, service_id: &str) -> bool {
        // Check blacklist first
        if self.denied_services.contains(service_id) {
            return false;
        }

        // If whitelist is empty, allow all (except blacklisted)
        if self.allowed_services.is_empty() {
            return true;
        }

        // Check whitelist
        self.allowed_services.contains(service_id)
    }

    /// Check if environment is allowed
    pub fn is_environment_allowed(&self, environment: Environment) -> bool {
        self.allowed_environments.contains(&environment)
    }
}

/// Secret type
#[derive(Clone, Copy, Debug, Serialize, Deserialize, PartialEq, Eq)]
pub enum SecretType {
    /// Encryption key
    EncryptionKey,

    /// TOTP secret
    TotpSecret,

    /// API key
    ApiKey,

    /// Database password
    DatabasePassword,

    /// JWT signing key
    JwtSigningKey,

    /// OAuth client secret
    OAuthClientSecret,

    /// Webhook secret
    WebhookSecret,

    /// Other
    Other,
}

impl SecretType {
    /// Get secret type name
    pub fn name(&self) -> &'static str {
        match self {
            Self::EncryptionKey => "Encryption Key",
            Self::TotpSecret => "TOTP Secret",
            Self::ApiKey => "API Key",
            Self::DatabasePassword => "Database Password",
            Self::JwtSigningKey => "JWT Signing Key",
            Self::OAuthClientSecret => "OAuth Client Secret",
            Self::WebhookSecret => "Webhook Secret",
            Self::Other => "Other",
        }
    }

    /// Get default trust level required
    pub fn default_trust_level(&self) -> TrustLevel {
        match self {
            Self::EncryptionKey | Self::TotpSecret | Self::JwtSigningKey => TrustLevel::High,
            Self::DatabasePassword | Self::OAuthClientSecret => TrustLevel::Medium,
            Self::ApiKey | Self::WebhookSecret => TrustLevel::Medium,
            Self::Other => TrustLevel::Low,
        }
    }
}

/// Access grant
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct AccessGrant {
    /// Grant ID
    pub grant_id: String,

    /// Service identity
    pub service_identity: ServiceIdentity,

    /// Secret ID
    pub secret_id: String,

    /// Granted at
    pub granted_at: DateTime<Utc>,

    /// Expires at (optional)
    pub expires_at: Option<DateTime<Utc>>,

    /// Granted by
    pub granted_by: String,

    /// Reason
    pub reason: String,

    /// Access count
    pub access_count: u64,

    /// Last accessed at
    pub last_accessed_at: Option<DateTime<Utc>>,
}

impl AccessGrant {
    /// Create new access grant
    pub fn new(
        service_identity: ServiceIdentity,
        secret_id: String,
        granted_by: String,
        reason: String,
        expires_at: Option<DateTime<Utc>>,
    ) -> Self {
        Self {
            grant_id: Uuid::new_v4().to_string(),
            service_identity,
            secret_id,
            granted_at: Utc::now(),
            expires_at,
            granted_by,
            reason,
            access_count: 0,
            last_accessed_at: None,
        }
    }

    /// Check if grant is expired
    pub fn is_expired(&self) -> bool {
        if let Some(expires_at) = self.expires_at {
            Utc::now() > expires_at
        } else {
            false
        }
    }

    /// Record access
    pub fn record_access(&mut self) {
        self.access_count += 1;
        self.last_accessed_at = Some(Utc::now());
    }
}

/// Access request
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct AccessRequest {
    /// Request ID
    pub request_id: String,

    /// Service identity
    pub service_identity: ServiceIdentity,

    /// Secret ID
    pub secret_id: String,

    /// Requested at
    pub requested_at: DateTime<Utc>,

    /// Requested by
    pub requested_by: String,

    /// Reason
    pub reason: String,

    /// Status
    pub status: AccessRequestStatus,

    /// Reviewed by
    pub reviewed_by: Option<String>,

    /// Reviewed at
    pub reviewed_at: Option<DateTime<Utc>>,

    /// Review notes
    pub review_notes: Option<String>,
}

impl AccessRequest {
    /// Create new access request
    pub fn new(
        service_identity: ServiceIdentity,
        secret_id: String,
        requested_by: String,
        reason: String,
    ) -> Self {
        Self {
            request_id: Uuid::new_v4().to_string(),
            service_identity,
            secret_id,
            requested_at: Utc::now(),
            requested_by,
            reason,
            status: AccessRequestStatus::Pending,
            reviewed_by: None,
            reviewed_at: None,
            review_notes: None,
        }
    }

    /// Approve request
    pub fn approve(&mut self, reviewer: String, notes: Option<String>) {
        self.status = AccessRequestStatus::Approved;
        self.reviewed_by = Some(reviewer);
        self.reviewed_at = Some(Utc::now());
        self.review_notes = notes;
    }

    /// Deny request
    pub fn deny(&mut self, reviewer: String, notes: Option<String>) {
        self.status = AccessRequestStatus::Denied;
        self.reviewed_by = Some(reviewer);
        self.reviewed_at = Some(Utc::now());
        self.review_notes = notes;
    }
}

/// Access request status
#[derive(Clone, Copy, Debug, Serialize, Deserialize, PartialEq, Eq)]
pub enum AccessRequestStatus {
    Pending,
    Approved,
    Denied,
}

/// Access audit log
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct AccessAuditLog {
    /// Log ID
    pub log_id: String,

    /// Service identity
    pub service_identity: ServiceIdentity,

    /// Secret ID
    pub secret_id: String,

    /// Access type
    pub access_type: AccessType,

    /// Result
    pub result: AccessResult,

    /// Timestamp
    pub timestamp: DateTime<Utc>,

    /// IP address
    pub ip_address: Option<String>,

    /// Additional context
    pub context: HashMap<String, String>,
}

impl AccessAuditLog {
    /// Create new audit log
    pub fn new(
        service_identity: ServiceIdentity,
        secret_id: String,
        access_type: AccessType,
        result: AccessResult,
    ) -> Self {
        Self {
            log_id: Uuid::new_v4().to_string(),
            service_identity,
            secret_id,
            access_type,
            result,
            timestamp: Utc::now(),
            ip_address: None,
            context: HashMap::new(),
        }
    }

    /// Add context
    pub fn with_context(mut self, key: String, value: String) -> Self {
        self.context.insert(key, value);
        self
    }

    /// Set IP address
    pub fn with_ip(mut self, ip: String) -> Self {
        self.ip_address = Some(ip);
        self
    }
}

/// Access type
#[derive(Clone, Copy, Debug, Serialize, Deserialize, PartialEq, Eq)]
pub enum AccessType {
    Read,
    Write,
    Delete,
    List,
}

/// Access result
#[derive(Clone, Copy, Debug, Serialize, Deserialize, PartialEq, Eq)]
pub enum AccessResult {
    Allowed,
    Denied,
    Error,
}

/// Storage trait for secret access control
#[async_trait]
pub trait SecretAccessStorage: Send + Sync {
    /// Store service identity
    async fn store_service_identity(
        &self,
        identity: &ServiceIdentity,
    ) -> Result<(), SecretAccessError>;

    /// Get service identity
    async fn get_service_identity(
        &self,
        service_id: &str,
    ) -> Result<Option<ServiceIdentity>, SecretAccessError>;

    /// Store secret scope
    async fn store_secret_scope(&self, scope: &SecretScope) -> Result<(), SecretAccessError>;

    /// Get secret scope
    async fn get_secret_scope(
        &self,
        secret_id: &str,
    ) -> Result<Option<SecretScope>, SecretAccessError>;

    /// Store access grant
    async fn store_access_grant(&self, grant: &AccessGrant) -> Result<(), SecretAccessError>;

    /// Get access grant
    async fn get_access_grant(
        &self,
        service_id: &str,
        secret_id: &str,
    ) -> Result<Option<AccessGrant>, SecretAccessError>;

    /// Update access grant
    async fn update_access_grant(&self, grant: &AccessGrant) -> Result<(), SecretAccessError>;

    /// Store access request
    async fn store_access_request(&self, request: &AccessRequest) -> Result<(), SecretAccessError>;

    /// Get access request
    async fn get_access_request(
        &self,
        request_id: &str,
    ) -> Result<Option<AccessRequest>, SecretAccessError>;

    /// Update access request
    async fn update_access_request(&self, request: &AccessRequest)
        -> Result<(), SecretAccessError>;

    /// Store audit log
    async fn store_audit_log(&self, log: &AccessAuditLog) -> Result<(), SecretAccessError>;

    /// Get audit logs
    async fn get_audit_logs(
        &self,
        secret_id: &str,
        limit: usize,
    ) -> Result<Vec<AccessAuditLog>, SecretAccessError>;
}

/// In-memory storage for testing
pub struct InMemorySecretAccessStorage {
    service_identities: tokio::sync::RwLock<HashMap<String, ServiceIdentity>>,
    secret_scopes: tokio::sync::RwLock<HashMap<String, SecretScope>>,
    access_grants: tokio::sync::RwLock<HashMap<(String, String), AccessGrant>>,
    access_requests: tokio::sync::RwLock<HashMap<String, AccessRequest>>,
    audit_logs: tokio::sync::RwLock<Vec<AccessAuditLog>>,
}

impl InMemorySecretAccessStorage {
    pub fn new() -> Self {
        Self {
            service_identities: tokio::sync::RwLock::new(HashMap::new()),
            secret_scopes: tokio::sync::RwLock::new(HashMap::new()),
            access_grants: tokio::sync::RwLock::new(HashMap::new()),
            access_requests: tokio::sync::RwLock::new(HashMap::new()),
            audit_logs: tokio::sync::RwLock::new(Vec::new()),
        }
    }
}

impl Default for InMemorySecretAccessStorage {
    fn default() -> Self {
        Self::new()
    }
}

#[async_trait]
impl SecretAccessStorage for InMemorySecretAccessStorage {
    async fn store_service_identity(
        &self,
        identity: &ServiceIdentity,
    ) -> Result<(), SecretAccessError> {
        let mut identities = self.service_identities.write().await;
        identities.insert(identity.service_id.clone(), identity.clone());
        Ok(())
    }

    async fn get_service_identity(
        &self,
        service_id: &str,
    ) -> Result<Option<ServiceIdentity>, SecretAccessError> {
        let identities = self.service_identities.read().await;
        Ok(identities.get(service_id).cloned())
    }

    async fn store_secret_scope(&self, scope: &SecretScope) -> Result<(), SecretAccessError> {
        let mut scopes = self.secret_scopes.write().await;
        scopes.insert(scope.secret_id.clone(), scope.clone());
        Ok(())
    }

    async fn get_secret_scope(
        &self,
        secret_id: &str,
    ) -> Result<Option<SecretScope>, SecretAccessError> {
        let scopes = self.secret_scopes.read().await;
        Ok(scopes.get(secret_id).cloned())
    }

    async fn store_access_grant(&self, grant: &AccessGrant) -> Result<(), SecretAccessError> {
        let mut grants = self.access_grants.write().await;
        let key = (
            grant.service_identity.service_id.clone(),
            grant.secret_id.clone(),
        );
        grants.insert(key, grant.clone());
        Ok(())
    }

    async fn get_access_grant(
        &self,
        service_id: &str,
        secret_id: &str,
    ) -> Result<Option<AccessGrant>, SecretAccessError> {
        let grants = self.access_grants.read().await;
        let key = (service_id.to_string(), secret_id.to_string());
        Ok(grants.get(&key).cloned())
    }

    async fn update_access_grant(&self, grant: &AccessGrant) -> Result<(), SecretAccessError> {
        self.store_access_grant(grant).await
    }

    async fn store_access_request(&self, request: &AccessRequest) -> Result<(), SecretAccessError> {
        let mut requests = self.access_requests.write().await;
        requests.insert(request.request_id.clone(), request.clone());
        Ok(())
    }

    async fn get_access_request(
        &self,
        request_id: &str,
    ) -> Result<Option<AccessRequest>, SecretAccessError> {
        let requests = self.access_requests.read().await;
        Ok(requests.get(request_id).cloned())
    }

    async fn update_access_request(
        &self,
        request: &AccessRequest,
    ) -> Result<(), SecretAccessError> {
        self.store_access_request(request).await
    }

    async fn store_audit_log(&self, log: &AccessAuditLog) -> Result<(), SecretAccessError> {
        let mut logs = self.audit_logs.write().await;
        logs.push(log.clone());
        Ok(())
    }

    async fn get_audit_logs(
        &self,
        secret_id: &str,
        limit: usize,
    ) -> Result<Vec<AccessAuditLog>, SecretAccessError> {
        let logs = self.audit_logs.read().await;
        let mut filtered: Vec<_> = logs
            .iter()
            .filter(|log| log.secret_id == secret_id)
            .cloned()
            .collect();
        filtered.sort_by_key(|a| std::cmp::Reverse(a.timestamp));
        Ok(filtered.into_iter().take(limit).collect())
    }
}

/// Secret access control manager
pub struct SecretAccessControlManager<S: SecretAccessStorage> {
    storage: S,
}

impl<S: SecretAccessStorage> SecretAccessControlManager<S> {
    /// Create new manager
    pub fn new(storage: S) -> Self {
        Self { storage }
    }

    /// Register service identity
    pub async fn register_service(
        &self,
        identity: ServiceIdentity,
    ) -> Result<ServiceIdentity, SecretAccessError> {
        self.storage.store_service_identity(&identity).await?;
        info!(
            "Registered service {} ({})",
            identity.name, identity.service_id
        );
        Ok(identity)
    }

    /// Create secret scope
    pub async fn create_secret_scope(
        &self,
        scope: SecretScope,
    ) -> Result<SecretScope, SecretAccessError> {
        self.storage.store_secret_scope(&scope).await?;
        info!("Created secret scope {} ({})", scope.name, scope.secret_id);
        Ok(scope)
    }

    /// Check access
    pub async fn check_access(
        &self,
        service_id: &str,
        secret_id: &str,
        access_type: AccessType,
    ) -> Result<(), SecretAccessError> {
        // Get service identity
        let service = self
            .storage
            .get_service_identity(service_id)
            .await?
            .ok_or(SecretAccessError::ServiceNotAuthenticated)?;

        // Get secret scope
        let scope = self
            .storage
            .get_secret_scope(secret_id)
            .await?
            .ok_or_else(|| SecretAccessError::SecretNotFound(secret_id.to_string()))?;

        // Check service allowed
        if !scope.is_service_allowed(service_id) {
            self.log_access(
                service.clone(),
                secret_id.to_string(),
                access_type,
                AccessResult::Denied,
            )
            .await?;
            return Err(SecretAccessError::ServiceNotAuthorized {
                secret_id: secret_id.to_string(),
            });
        }

        // Check environment allowed
        if !scope.is_environment_allowed(service.environment) {
            self.log_access(
                service.clone(),
                secret_id.to_string(),
                access_type,
                AccessResult::Denied,
            )
            .await?;
            return Err(SecretAccessError::AccessDenied(format!(
                "Environment {:?} not allowed",
                service.environment
            )));
        }

        // Check trust level
        let service_trust = service.service_type.default_trust_level();
        if service_trust < scope.required_trust_level {
            self.log_access(
                service.clone(),
                secret_id.to_string(),
                access_type,
                AccessResult::Denied,
            )
            .await?;
            return Err(SecretAccessError::AccessDenied(format!(
                "Insufficient trust level: {:?} < {:?}",
                service_trust, scope.required_trust_level
            )));
        }

        // Check access grant
        if let Some(mut grant) = self.storage.get_access_grant(service_id, secret_id).await? {
            if grant.is_expired() {
                self.log_access(
                    service.clone(),
                    secret_id.to_string(),
                    access_type,
                    AccessResult::Denied,
                )
                .await?;
                return Err(SecretAccessError::AccessGrantExpired(
                    grant.expires_at.unwrap(),
                ));
            }

            // Record access
            grant.record_access();
            self.storage.update_access_grant(&grant).await?;
        } else if scope.require_approval {
            // No grant and approval required
            self.log_access(
                service.clone(),
                secret_id.to_string(),
                access_type,
                AccessResult::Denied,
            )
            .await?;
            return Err(SecretAccessError::AccessDenied(
                "Approval required for this secret".to_string(),
            ));
        }

        // Log successful access
        self.log_access(
            service,
            secret_id.to_string(),
            access_type,
            AccessResult::Allowed,
        )
        .await?;

        info!(
            "Access granted: service {} -> secret {}",
            service_id, secret_id
        );
        Ok(())
    }

    /// Grant access
    pub async fn grant_access(
        &self,
        service_id: &str,
        secret_id: &str,
        granted_by: String,
        reason: String,
        expires_in_seconds: Option<i64>,
    ) -> Result<AccessGrant, SecretAccessError> {
        let service = self
            .storage
            .get_service_identity(service_id)
            .await?
            .ok_or(SecretAccessError::ServiceNotAuthenticated)?;

        let expires_at = expires_in_seconds.map(|secs| Utc::now() + Duration::seconds(secs));

        let grant = AccessGrant::new(
            service,
            secret_id.to_string(),
            granted_by,
            reason,
            expires_at,
        );

        self.storage.store_access_grant(&grant).await?;
        info!(
            "Access granted: service {} -> secret {}",
            service_id, secret_id
        );
        Ok(grant)
    }

    /// Request access
    pub async fn request_access(
        &self,
        service_id: &str,
        secret_id: &str,
        requested_by: String,
        reason: String,
    ) -> Result<AccessRequest, SecretAccessError> {
        let service = self
            .storage
            .get_service_identity(service_id)
            .await?
            .ok_or(SecretAccessError::ServiceNotAuthenticated)?;

        let request = AccessRequest::new(service, secret_id.to_string(), requested_by, reason);

        self.storage.store_access_request(&request).await?;
        info!(
            "Access requested: service {} -> secret {}",
            service_id, secret_id
        );
        Ok(request)
    }

    /// Approve access request
    pub async fn approve_request(
        &self,
        request_id: &str,
        reviewer: String,
        notes: Option<String>,
        expires_in_seconds: Option<i64>,
    ) -> Result<AccessGrant, SecretAccessError> {
        let mut request = self
            .storage
            .get_access_request(request_id)
            .await?
            .ok_or_else(|| SecretAccessError::Storage("Access request not found".to_string()))?;

        request.approve(reviewer.clone(), notes);
        self.storage.update_access_request(&request).await?;

        // Create access grant
        let grant = self
            .grant_access(
                &request.service_identity.service_id,
                &request.secret_id,
                reviewer,
                request.reason.clone(),
                expires_in_seconds,
            )
            .await?;

        info!("Access request approved: {}", request_id);
        Ok(grant)
    }

    /// Deny access request
    pub async fn deny_request(
        &self,
        request_id: &str,
        reviewer: String,
        notes: Option<String>,
    ) -> Result<(), SecretAccessError> {
        let mut request = self
            .storage
            .get_access_request(request_id)
            .await?
            .ok_or_else(|| SecretAccessError::Storage("Access request not found".to_string()))?;

        request.deny(reviewer, notes);
        self.storage.update_access_request(&request).await?;

        info!("Access request denied: {}", request_id);
        Ok(())
    }

    /// Log access
    async fn log_access(
        &self,
        service: ServiceIdentity,
        secret_id: String,
        access_type: AccessType,
        result: AccessResult,
    ) -> Result<(), SecretAccessError> {
        let log = AccessAuditLog::new(service, secret_id, access_type, result);
        self.storage.store_audit_log(&log).await?;
        Ok(())
    }

    /// Get audit logs
    pub async fn get_audit_logs(
        &self,
        secret_id: &str,
        limit: usize,
    ) -> Result<Vec<AccessAuditLog>, SecretAccessError> {
        self.storage.get_audit_logs(secret_id, limit).await
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn test_service_registration() {
        let storage = InMemorySecretAccessStorage::new();
        let manager = SecretAccessControlManager::new(storage);

        let identity = ServiceIdentity::new(
            "mfa-service".to_string(),
            ServiceType::MfaService,
            TenantId::new("test_tenant"),
            Environment::Production,
        );

        let registered = manager.register_service(identity.clone()).await.unwrap();
        assert_eq!(registered.service_id, identity.service_id);
    }

    #[tokio::test]
    async fn test_access_control() {
        let storage = InMemorySecretAccessStorage::new();
        let manager = SecretAccessControlManager::new(storage);

        // Register service
        let service = ServiceIdentity::new(
            "mfa-service".to_string(),
            ServiceType::MfaService,
            TenantId::new("test_tenant"),
            Environment::Production,
        );
        manager.register_service(service.clone()).await.unwrap();

        // Create secret scope
        let scope = SecretScope::new(
            "totp-master-key".to_string(),
            SecretType::TotpSecret,
            TenantId::new("test_tenant"),
            TrustLevel::High,
        )
        .allow_service(service.service_id.clone());

        manager.create_secret_scope(scope.clone()).await.unwrap();

        // Check access (should succeed)
        assert!(manager
            .check_access(&service.service_id, &scope.secret_id, AccessType::Read)
            .await
            .is_ok());
    }

    #[tokio::test]
    async fn test_access_denied() {
        let storage = InMemorySecretAccessStorage::new();
        let manager = SecretAccessControlManager::new(storage);

        // Register analytics service (low trust)
        let service = ServiceIdentity::new(
            "analytics-service".to_string(),
            ServiceType::AnalyticsService,
            TenantId::new("test_tenant"),
            Environment::Production,
        );
        manager.register_service(service.clone()).await.unwrap();

        // Create high-trust secret scope
        let scope = SecretScope::new(
            "totp-master-key".to_string(),
            SecretType::TotpSecret,
            TenantId::new("test_tenant"),
            TrustLevel::High, // Requires high trust
        );

        manager.create_secret_scope(scope.clone()).await.unwrap();

        // Check access (should fail - insufficient trust)
        assert!(manager
            .check_access(&service.service_id, &scope.secret_id, AccessType::Read)
            .await
            .is_err());
    }

    #[tokio::test]
    async fn test_access_request_workflow() {
        let storage = InMemorySecretAccessStorage::new();
        let manager = SecretAccessControlManager::new(storage);

        // Register service
        let service = ServiceIdentity::new(
            "api-gateway".to_string(),
            ServiceType::ApiGateway,
            TenantId::new("test_tenant"),
            Environment::Production,
        );
        manager.register_service(service.clone()).await.unwrap();

        // Create secret scope (requires approval)
        let scope = SecretScope::new(
            "jwt-signing-key".to_string(),
            SecretType::JwtSigningKey,
            TenantId::new("test_tenant"),
            TrustLevel::Medium,
        )
        .with_approval_required(true);

        manager.create_secret_scope(scope.clone()).await.unwrap();

        // Request access
        let request = manager
            .request_access(
                &service.service_id,
                &scope.secret_id,
                "dev@example.com".to_string(),
                "Need to sign JWTs for API".to_string(),
            )
            .await
            .unwrap();

        // Approve request
        let grant = manager
            .approve_request(
                &request.request_id,
                "admin@example.com".to_string(),
                Some("Approved for production use".to_string()),
                Some(86400), // 24 hours
            )
            .await
            .unwrap();

        assert!(!grant.is_expired());

        // Check access (should succeed now)
        assert!(manager
            .check_access(&service.service_id, &scope.secret_id, AccessType::Read)
            .await
            .is_ok());
    }
}