types

type AWSCredentials struct {
	AccessKeyID     string `json:"access_key_id,omitempty"`
	SecretAccessKey string `json:"secret_access_key,omitempty"`
	SessionToken    string `json:"session_token,omitempty"`
	Region          string `json:"region,omitempty"`
	Expiration      string `json:"expiration,omitempty"`
	MfaArn          string `json:"mfa_arn,omitempty"`
	SessionDuration string `json:"session_duration,omitempty"` // Duration string (e.g., "12h", "24h")
}

type AuthManager interface {
	// GetCachedCredentials retrieves valid cached credentials for the specified identity.
	// This is a passive check that does not trigger any authentication flows.
	// It checks:
	//   1. Keyring for cached credentials
	//   2. Identity-managed storage (AWS files, etc.)
	// Returns error if credentials are not found, expired, or invalid.
	// Use this when you want to use existing credentials without triggering authentication.
	GetCachedCredentials(ctx context.Context, identityName string) (*WhoamiInfo, error)

	// Authenticate performs full authentication for the specified identity.
	// This may trigger interactive authentication flows (SSO device prompts, etc.).
	// Use this when you want to force fresh authentication (e.g., `auth login` command).
	Authenticate(ctx context.Context, identityName string) (*WhoamiInfo, error)

	// AuthenticateProvider performs authentication directly with a provider.
	// This is used for provider-level operations like SSO auto-provisioning where
	// you want to authenticate to a provider without specifying a particular identity.
	// If the provider has auto_provision_identities enabled, this will trigger
	// automatic discovery and provisioning of all available identities.
	// Use this when you want to authenticate to a provider (e.g., `auth login --provider sso-prod`).
	AuthenticateProvider(ctx context.Context, providerName string) (*WhoamiInfo, error)

	// Whoami returns information about the specified identity's credentials.
	// First checks for cached credentials, then falls back to chain authentication
	// (using cached provider credentials to derive identity credentials).
	// This does NOT trigger interactive authentication flows (no SSO prompts).
	// Use this for user-facing "whoami" command and as a fallback check.
	Whoami(ctx context.Context, identityName string) (*WhoamiInfo, error)

	// Validate validates the entire auth configuration.
	Validate() error

	// GetDefaultIdentity returns the name of the default identity, if any.
	//
	// Parameters:
	//   - forceSelect: When true and terminal is interactive, always displays the identity
	//     selector even if a default identity is configured. This allows users to override
	//     the default choice interactively.
	//
	// Returns:
	//   - string: The name of the selected or default identity
	//   - error: An error if no identity is available or selection fails
	//
	// Behavior:
	//   - If forceSelect is true: Displays interactive selector (if terminal supports it)
	//   - If forceSelect is false: Returns configured default identity if available
	//   - If no default and not interactive: Returns error indicating no identity available
	GetDefaultIdentity(forceSelect bool) (string, error)

	// ListIdentities returns all available identity names.
	ListIdentities() []string

	// GetProviderForIdentity returns the root provider name for the given identity.
	// Recursively resolves through identity chains to find the root provider.
	GetProviderForIdentity(identityName string) string

	// GetFilesDisplayPath returns the display path for AWS files for a provider.
	// Returns the configured path if set, otherwise default ~/.aws/atmos.
	GetFilesDisplayPath(providerName string) string

	// GetProviderKindForIdentity returns the provider kind for the given identity.
	GetProviderKindForIdentity(identityName string) (string, error)

	// GetChain returns the most recently constructed authentication chain
	// in the format: [providerName, identity1, identity2, ..., targetIdentity].
	GetChain() []string

	// GetStackInfo returns the current stack info pointer associated with this manager.
	GetStackInfo() *schema.ConfigAndStacksInfo

	// GetRealm returns the computed realm information for this auth manager.
	// The realm provides credential isolation between different repositories.
	GetRealm() realm.RealmInfo

	// ListProviders returns all available provider names.
	ListProviders() []string

	// GetIdentities returns all available identity configurations.
	GetIdentities() map[string]schema.Identity

	// GetProviders returns all available provider configurations.
	GetProviders() map[string]schema.Provider

	// Logout removes credentials for the specified identity and its authentication chain.
	// If deleteKeychain is true, also removes credentials from system keychain.
	// Best-effort: continues cleanup even if individual steps fail.
	Logout(ctx context.Context, identityName string, deleteKeychain bool) error

	// LogoutProvider removes all credentials for the specified provider.
	// If deleteKeychain is true, also removes credentials from system keychain.
	// Best-effort: continues cleanup even if individual steps fail.
	LogoutProvider(ctx context.Context, providerName string, deleteKeychain bool) error

	// LogoutAll removes all cached credentials for all identities.
	// If deleteKeychain is true, also removes credentials from system keychain.
	// Best-effort: continues cleanup even if individual steps fail.
	LogoutAll(ctx context.Context, deleteKeychain bool) error

	// GetEnvironmentVariables returns the environment variables for an identity
	// without performing authentication or validation.
	// This is useful for commands like `atmos env` that just need to show what
	// environment variables would be set, without requiring valid credentials.
	GetEnvironmentVariables(identityName string) (map[string]string, error)

	// PrepareShellEnvironment prepares environment variables for subprocess execution.
	// Takes current environment list and returns it with auth credentials configured.
	// This calls identity.PrepareEnvironment() internally to configure file-based credentials,
	// credential paths, regions, and clear conflicting variables.
	// The input currentEnv should include any previous transformations (component env, workflow env, etc.).
	// Returns environment variables as a list of "KEY=VALUE" strings ready for subprocess.
	// Use this for all subprocess invocations: Terraform, Helmfile, Packer, workflows, custom commands, auth shell, etc.
	PrepareShellEnvironment(ctx context.Context, identityName string, currentEnv []string) ([]string, error)

	// ExecuteIntegration executes a named integration.
	// This authenticates the integration's linked identity first, then executes the integration.
	// Use this for explicit integration execution via `atmos auth ecr-login <integration>`.
	ExecuteIntegration(ctx context.Context, integrationName string) error

	// ExecuteIdentityIntegrations executes all linked integrations for an identity.
	// This authenticates the identity first, then executes all its linked integrations.
	// Use this for `atmos auth ecr-login --identity <identity>`.
	ExecuteIdentityIntegrations(ctx context.Context, identityName string) error

	// GetIntegration returns the integration config by name.
	GetIntegration(integrationName string) (*schema.Integration, error)

	// ResolvePrincipalSetting traverses the identity chain and returns the first
	// non-empty value for the given key in Principal configuration.
	// The chain is traversed from the target identity backwards through parent identities.
	// This is a provider-agnostic mechanism for inheriting settings through the chain.
	// Returns the value and true if found, nil and false otherwise.
	ResolvePrincipalSetting(identityName, key string) (interface{}, bool)

	// ResolveProviderConfig returns the provider configuration at the root of
	// the identity's authentication chain.
	// This allows identities to access provider-level settings without knowing
	// the specific provider name.
	// Returns the provider config and true if found, nil and false otherwise.
	ResolveProviderConfig(identityName string) (*schema.Provider, bool)
}

type AzureCredentials struct {
	AccessToken        string `json:"access_token,omitempty"`
	TokenType          string `json:"token_type,omitempty"`           // Usually "Bearer"
	Expiration         string `json:"expiration,omitempty"`           // RFC3339 timestamp
	TenantID           string `json:"tenant_id,omitempty"`            // Azure AD tenant ID
	SubscriptionID     string `json:"subscription_id,omitempty"`      // Azure subscription ID
	Location           string `json:"location,omitempty"`             // Azure region (e.g., "eastus")
	GraphAPIToken      string `json:"graph_api_token,omitempty"`      // Microsoft Graph API token
	GraphAPIExpiration string `json:"graph_api_expiration,omitempty"` // RFC3339 timestamp for Graph API token
	KeyVaultToken      string `json:"key_vault_token,omitempty"`      // Azure KeyVault API token
	KeyVaultExpiration string `json:"key_vault_expiration,omitempty"` // RFC3339 timestamp for KeyVault token
	// ClientID is set for service principal authentication (OIDC).
	// When set, MSAL cache uses client credentials format instead of user format.
	ClientID string `json:"client_id,omitempty"`
	// IsServicePrincipal indicates this is service principal auth (OIDC/client credentials).
	// Service principal tokens use a different MSAL cache format than user tokens.
	IsServicePrincipal bool `json:"is_service_principal,omitempty"`
	// TokenFilePath is the path to the OIDC token file (e.g., from GitHub Actions).
	// Used for Terraform ARM_USE_OIDC authentication.
	TokenFilePath string `json:"token_file_path,omitempty"`
	// FederatedToken is the actual OIDC/federated token value.
	// This is stored during authentication for use by Azure CLI.
	// In GitHub Actions, this is obtained dynamically, not from a file.
	FederatedToken string `json:"-"` // Don't persist - it's ephemeral.
}

type ConsoleAccessProvider interface {
	// GetConsoleURL generates a web console sign-in URL using the provided credentials.
	// Returns the sign-in URL, the duration for which the URL remains valid, and any error encountered.
	GetConsoleURL(ctx context.Context, creds ICredentials, options ConsoleURLOptions) (url string, duration time.Duration, err error)

	// SupportsConsoleAccess returns true if this provider supports web console access.
	SupportsConsoleAccess() bool
}

type ConsoleURLOptions struct {
	// Destination is the specific console page to navigate to (optional).
	// For AWS: "https://console.aws.amazon.com/s3" or similar.
	// For Azure: "https://portal.azure.com/#blade/...".
	// For GCP: "https://console.cloud.google.com/...".
	Destination string

	// SessionDuration is the requested duration for the console session (how long you stay logged in).
	// Providers may have maximum limits (e.g., AWS: 12 hours).
	// Note: AWS signin tokens themselves have a fixed 15-minute expiration (time to click the link).
	SessionDuration time.Duration

	// Issuer is an optional identifier shown in the console URL (used by AWS).
	Issuer string

	// OpenInBrowser if true, automatically opens the URL in the default browser.
	OpenInBrowser bool
}

type CredentialField struct {
	Name        string             // Field identifier (e.g., "access_key_id").
	Title       string             // Display title (e.g., "AWS Access Key ID").
	Description string             // Help text.
	Required    bool               // Must be non-empty.
	Secret      bool               // Mask input (password mode).
	Default     string             // Pre-populated value.
	Validator   func(string) error // Optional validation function.
}

type CredentialPromptFunc func(spec CredentialPromptSpec) (map[string]string, error)

type CredentialPromptResult struct {
	Values map[string]string // Field name -> value.
}

type CredentialPromptSpec struct {
	IdentityName string            // Name of the identity requiring credentials.
	CloudType    string            // Cloud provider: "aws", "azure", "gcp".
	Fields       []CredentialField // Fields to prompt for.
}

type CredentialStore interface {
	// Store stores credentials for the given alias within the specified realm.
	// The realm provides credential isolation - the same alias in different realms
	// refers to completely separate credentials.
	Store(alias string, creds ICredentials, realm string) error

	// Retrieve retrieves credentials for the given alias within the specified realm.
	// Returns error if no credentials exist for the alias in the given realm.
	Retrieve(alias string, realm string) (ICredentials, error)

	// Delete deletes credentials for the given alias within the specified realm.
	Delete(alias string, realm string) error

	// List returns all stored credential aliases within the specified realm.
	// Returns only aliases that belong to the given realm.
	List(realm string) ([]string, error)

	// IsExpired checks if credentials for the given alias are expired within the specified realm.
	IsExpired(alias string, realm string) (bool, error)

	// Type returns the type of credential store (e.g., "system-keyring", "noop").
	Type() string
}

type ICredentials interface {
	IsExpired() bool

	GetExpiration() (*time.Time, error)

	BuildWhoamiInfo(info *WhoamiInfo)

	// Validate validates credentials by making an API call to the provider.
	// Returns validation info including principal (ARN/ID) and expiration, or error if invalid.
	// Returns ErrNotImplemented if validation is not supported for this credential type.
	Validate(ctx context.Context) (*ValidationInfo, error)
}

type Identity interface {
	// Kind returns the identity kind (e.g., "aws/permission-set").
	Kind() string

	// GetProviderName returns the provider name for this identity.
	// AWS user identities return "aws-user", others return their via.provider.
	GetProviderName() (string, error)

	// Authenticate performs authentication using the provided base credentials.
	Authenticate(ctx context.Context, baseCreds ICredentials) (ICredentials, error)

	// Validate validates the identity configuration.
	Validate() error

	// Environment returns environment variables that should be set for this identity.
	Environment() (map[string]string, error)

	// Paths returns credential files/directories used by this identity.
	// Returns empty slice if identity doesn't use filesystem credentials.
	// Paths are in addition to provider paths (identities can add more files).
	Paths() ([]Path, error)

	// PrepareEnvironment prepares environment variables for external processes (Terraform, workflows, etc.).
	// Takes current environment (already modified by provider's PrepareEnvironment) and returns
	// modified environment with identity-specific overrides.
	// Implementations should:
	//   - Add identity-specific environment variables (e.g., role ARN, session name)
	//   - Override provider defaults if needed
	//   - Return a NEW map without mutating the input
	PrepareEnvironment(ctx context.Context, environ map[string]string) (map[string]string, error)

	// PostAuthenticate is called after successful authentication with the final credentials.
	// It receives both authContext (to populate runtime credentials) and stackInfo (to read
	// stack-level auth configuration overrides and write environment variables).
	PostAuthenticate(ctx context.Context, params *PostAuthenticateParams) error

	// Logout removes identity-specific credential storage.
	// Best-effort: continue cleanup even if individual steps fail.
	Logout(ctx context.Context) error

	// CredentialsExist checks if credentials exist for this identity.
	// Used by whoami when noop keyring is active to verify credentials are present.
	// Returns true if credentials exist (in files, keyring, or other storage).
	CredentialsExist() (bool, error)

	// LoadCredentials loads credentials from identity-managed storage (files, etc.).
	// Used with noop keyring to enable credential validation in whoami.
	// Returns nil, nil if identity doesn't support loading credentials from storage.
	LoadCredentials(ctx context.Context) (ICredentials, error)

	// SetRealm sets the credential isolation realm for this identity.
	// Called by the auth manager after identity construction to propagate the realm
	// to all identities in the authentication chain.
	// The realm is used for all credential storage and file operations.
	SetRealm(realm string)
}

type MockAuthManager struct {
	// contains filtered or unexported fields
}

type MockAuthManagerMockRecorder struct {
	// contains filtered or unexported fields
}

type MockConsoleAccessProvider struct {
	// contains filtered or unexported fields
}

type MockConsoleAccessProviderMockRecorder struct {
	// contains filtered or unexported fields
}

type MockCredentialStore struct {
	// contains filtered or unexported fields
}

type MockCredentialStoreMockRecorder struct {
	// contains filtered or unexported fields
}

type MockICredentials struct {
	// contains filtered or unexported fields
}

type MockICredentialsMockRecorder struct {
	// contains filtered or unexported fields
}

type MockIdentity struct {
	// contains filtered or unexported fields
}

type MockIdentityMockRecorder struct {
	// contains filtered or unexported fields
}

type MockProvider struct {
	// contains filtered or unexported fields
}

type MockProviderMockRecorder struct {
	// contains filtered or unexported fields
}

type MockProvisioner struct {
	// contains filtered or unexported fields
}

type MockProvisionerMockRecorder struct {
	// contains filtered or unexported fields
}

type MockValidator struct {
	// contains filtered or unexported fields
}

type MockValidatorMockRecorder struct {
	// contains filtered or unexported fields
}

type OIDCCredentials struct {
	Token    string `json:"token,omitempty"`
	Provider string `json:"provider,omitempty"`
	Audience string `json:"audience,omitempty"`
}

type Path struct {
	// Location is the filesystem path (may contain ~ for home directory).
	Location string `json:"location"`

	// Type indicates if this is a file or directory.
	Type PathType `json:"type"`

	// Required indicates if path must exist for provider to function.
	// If false, missing paths are optional (provider works without them).
	Required bool `json:"required"`

	// Purpose describes what this path is used for (helps with debugging/logging).
	// Examples: "AWS credentials file", "Azure config directory", "GCP service account key"
	Purpose string `json:"purpose"`

	// Metadata holds optional provider-specific information.
	// Consumers can use this for advanced features without breaking interface.
	// Examples:
	//   - "selinux_label": "system_u:object_r:container_file_t:s0" (future SELinux support)
	//   - "read_only": "true" (hint that path should be read-only)
	//   - "mount_target": "/workspace/.aws" (suggested container path)
	Metadata map[string]string `json:"metadata,omitempty"`
}

type PathType string

type PostAuthenticateParams struct {
	AuthContext  *schema.AuthContext
	StackInfo    *schema.ConfigAndStacksInfo
	ProviderName string
	IdentityName string
	Credentials  ICredentials
	Manager      AuthManager // Auth manager for resolving provider chains.
	Realm        string      // Credential isolation realm for file storage.
}

type Provider interface {
	// Kind returns the provider kind (e.g., "aws/iam-identity-center").
	Kind() string
	// Name returns the provider name as defined in configuration.
	Name() string
	// PreAuthenticate allows the provider to inspect the authentication chain prior to authentication
	// so that it can set up any provider-specific preferences based on downstream identities (e.g.,
	// preferred role ARN for SAML based on the next identity in the chain).
	// Implementations should be side-effect free beyond local provider state.
	// Providers can access the current chain via manager.GetChain().
	PreAuthenticate(manager AuthManager) error
	// Authenticate performs provider-specific authentication and returns credentials.
	Authenticate(ctx context.Context) (ICredentials, error)

	// Validate validates the provider configuration.
	Validate() error

	// Environment returns environment variables that should be set for this provider.
	Environment() (map[string]string, error)

	// Paths returns credential files/directories used by this provider.
	// Returns empty slice if provider doesn't use filesystem credentials (e.g., GitHub tokens).
	// Consumers decide how to use these paths (mount, copy, delete, etc.).
	Paths() ([]Path, error)

	// PrepareEnvironment prepares environment variables for external processes (Terraform, workflows, etc.).
	// Takes current environment and returns modified environment suitable for the provider's SDK/CLI.
	// Implementations should:
	//   - Clear conflicting credential environment variables
	//   - Set provider-specific configuration (credential files, profiles, regions)
	//   - Return a NEW map without mutating the input
	PrepareEnvironment(ctx context.Context, environ map[string]string) (map[string]string, error)

	// Logout removes provider-specific credential storage (files, cache, etc.).
	// Returns error only if cleanup fails for critical resources.
	// Best-effort: continue cleanup even if individual steps fail.
	Logout(ctx context.Context) error

	// GetFilesDisplayPath returns the display path for credential files.
	// Returns the configured path if set, otherwise a default path.
	// For display purposes only (may use ~ for home directory).
	GetFilesDisplayPath() string

	// SetRealm sets the credential isolation realm for this provider.
	// Called by the auth manager after provider construction to propagate the realm
	// to all providers. The realm is used for credential file paths.
	SetRealm(realm string)
}

type Provisioner interface {
	// ProvisionIdentities provisions identities from the external source.
	// Returns provisioned identities and metadata, or error if provisioning fails.
	// Implementations should be non-fatal - errors are logged but don't block authentication.
	ProvisionIdentities(ctx context.Context, creds ICredentials) (*ProvisioningResult, error)
}

type ProvisioningCounts = provisioning.Counts

type ProvisioningMetadata = provisioning.Metadata

type ProvisioningResult = provisioning.Result

type ProvisioningWriter = provisioning.Writer

type ValidationInfo struct {
	// Principal is the authenticated principal identifier.
	// For AWS: ARN (e.g., "arn:aws:iam::123456789012:user/username").
	// For Azure: Object ID or User Principal Name.
	// For GCP: Service account email or user email.
	Principal string

	// Account is the account/organization identifier.
	// For AWS: Account ID (e.g., "123456789012").
	// For Azure: Tenant ID.
	// For GCP: Project ID.
	Account string

	// Expiration is when the credentials expire (if temporary).
	Expiration *time.Time
}

type Validator interface {
	// ValidateAuthConfig validates the entire auth configuration.
	ValidateAuthConfig(config *schema.AuthConfig) error

	// ValidateProvider validates a provider configuration.
	ValidateProvider(name string, provider *schema.Provider) error

	// ValidateIdentity validates an identity configuration.
	ValidateIdentity(name string, identity *schema.Identity, providers map[string]*schema.Provider) error

	// ValidateChains validates identity chains for cycles and invalid references.
	ValidateChains(identities map[string]*schema.Identity, providers map[string]*schema.Provider) error
}

type WhoamiInfo struct {
	// Realm is the credential isolation boundary for this authentication context.
	// Credentials from different realms are completely isolated.
	Realm string `json:"realm,omitempty"`

	// RealmSource indicates how the realm was determined: "env", "config", or "auto".
	RealmSource string `json:"realm_source,omitempty"`

	Provider    string            `json:"provider"`
	Identity    string            `json:"identity"`
	Principal   string            `json:"principal"`
	Account     string            `json:"account,omitempty"`
	Region      string            `json:"region,omitempty"`
	Expiration  *time.Time        `json:"expiration,omitempty"`
	Environment map[string]string `json:"environment,omitempty"`

	// Paths contains combined paths from provider and identity chains.
	// Later paths override earlier ones if Location matches.
	Paths []Path `json:"paths,omitempty"`

	// Credentials holds raw credential material and must never be serialized.
	// Ensure secrets/tokens are not exposed via JSON or YAML outputs.
	Credentials ICredentials `json:"-" yaml:"-"`

	// CredentialsRef holds an opaque keystore handle for rehydrating credentials without exposing secrets.
	CredentialsRef string    `json:"credentials_ref,omitempty" yaml:"credentials_ref,omitempty"`
	LastUpdated    time.Time `json:"last_updated"`
}