rusty_ems/auth/

manager.rs

//! Unified authentication manager implementation

use super::traits::{AuthenticationContext, AuthenticationManager, AuthenticationResult};
use crate::error::Result;
use async_trait::async_trait;
use parking_lot::RwLock;
use quanta::Clock;
use reqwest::header::HeaderMap;
use rusty_common::{SmartString, collections::FxHashMap};
use sha2::{Digest, Sha256};
use std::sync::Arc;
use std::time::Duration;

/// Unified authentication manager that wraps exchange-specific implementations
pub struct UnifiedAuthManager {
    /// Exchange name
    exchange_name: SmartString,
    /// Underlying authentication adapter
    adapter: Arc<dyn AuthenticationManager>,
    /// Last authentication time
    last_auth_time: Arc<RwLock<Option<u64>>>,
    /// Clock for high-precision timing
    clock: Clock,
    /// Cached authentication results for REST (keyed by cache key)
    cached_rest_auth: Arc<RwLock<FxHashMap<SmartString, (AuthenticationResult, u64)>>>,
    /// Cached authentication result for WebSocket
    cached_ws_auth: Arc<RwLock<Option<(AuthenticationResult, u64)>>>,
    /// Cache validity duration (nanoseconds)
    cache_validity_ns: u64,
}

impl UnifiedAuthManager {
    /// Create a new unified authentication manager
    pub fn new(
        exchange_name: impl Into<SmartString>,
        adapter: Arc<dyn AuthenticationManager>,
    ) -> Self {
        Self {
            exchange_name: exchange_name.into(),
            adapter,
            last_auth_time: Arc::new(RwLock::new(None)),
            clock: Clock::new(),
            cached_rest_auth: Arc::new(RwLock::new(FxHashMap::default())),
            cached_ws_auth: Arc::new(RwLock::new(None)),
            cache_validity_ns: 60_000_000_000, // 60 seconds default cache
        }
    }

    /// Set cache validity duration
    #[must_use]
    pub const fn with_cache_validity(mut self, duration: Duration) -> Self {
        self.cache_validity_ns = duration.as_nanos() as u64;
        self
    }

    /// Determine if a request should use cache based on method and sensitivity
    fn should_cache_request(&self, context: &AuthenticationContext) -> bool {
        // Cache GET requests and other idempotent requests
        // Avoid caching requests with sensitive data or that modify state
        match context.method.as_str() {
            "GET" | "HEAD" | "OPTIONS" => {
                // Don't cache if the request has sensitive timestamp info
                context.timestamp.is_none()
            }
            _ => false, // Don't cache POST, PUT, DELETE, etc.
        }
    }

    /// Clear all caches
    pub fn clear_cache(&self) {
        self.cached_rest_auth.write().clear();
        *self.cached_ws_auth.write() = None;
        *self.last_auth_time.write() = None;
    }

    /// Check if cache entry is still valid
    fn is_cache_valid(&self, timestamp: u64) -> bool {
        let now = self.clock.raw();
        now.saturating_sub(timestamp) < self.cache_validity_ns
    }

    /// Generate a deterministic cache key for REST authentication
    fn generate_rest_cache_key(&self, context: &AuthenticationContext) -> SmartString {
        let mut key = SmartString::new();
        key.push_str(&context.method);
        key.push(':');
        key.push_str(&context.path);

        // Include query parameters in deterministic order
        if let Some(ref params) = context.query_params
            && !params.is_empty()
        {
            key.push('?');
            let mut sorted_params = params.clone();
            sorted_params.sort_by(|a, b| a.0.cmp(&b.0));
            for (i, (k, v)) in sorted_params.iter().enumerate() {
                if i > 0 {
                    key.push('&');
                }
                key.push_str(k);
                key.push('=');
                key.push_str(v);
            }
        }

        // Include body hash if present (to avoid storing large bodies in cache key)
        if let Some(ref body) = context.body {
            key.push('#');
            key.push_str(&format!("{:016x}", self.hash_body(body)));
        }

        key
    }

    /// Generate a deterministic hash of the body content using SHA-256
    /// This ensures stable cache keys across different program runs
    fn hash_body(&self, body: &str) -> u64 {
        let mut hasher = Sha256::new();
        hasher.update(body.as_bytes());
        let hash_result = hasher.finalize();

        // Take the first 8 bytes of the SHA-256 hash as u64
        let mut bytes = [0u8; 8];
        bytes.copy_from_slice(&hash_result[..8]);
        u64::from_be_bytes(bytes)
    }

    /// Get cached REST authentication if valid
    fn get_cached_rest_auth(
        &self,
        context: &AuthenticationContext,
    ) -> Option<AuthenticationResult> {
        let cache_key = self.generate_rest_cache_key(context);
        let cache = self.cached_rest_auth.read();
        if let Some((result, timestamp)) = cache.get(&cache_key)
            && self.is_cache_valid(*timestamp)
        {
            return Some(result.clone());
        }
        None
    }

    /// Set cached REST authentication
    fn set_cached_rest_auth(&self, context: &AuthenticationContext, result: AuthenticationResult) {
        let cache_key = self.generate_rest_cache_key(context);
        let timestamp = self.clock.raw();
        self.cached_rest_auth
            .write()
            .insert(cache_key, (result, timestamp));
    }

    /// Get cached WebSocket authentication if valid
    fn get_cached_ws_auth(&self) -> Option<AuthenticationResult> {
        let cache = self.cached_ws_auth.read();
        if let Some((result, timestamp)) = cache.as_ref()
            && self.is_cache_valid(*timestamp)
        {
            return Some(result.clone());
        }
        None
    }

    /// Set cached WebSocket authentication
    fn set_cached_ws_auth(&self, result: AuthenticationResult) {
        let timestamp = self.clock.raw();
        *self.cached_ws_auth.write() = Some((result, timestamp));
    }

    /// Create a standard REST context for simple cases
    #[must_use]
    pub fn create_rest_context(
        &self,
        method: &str,
        path: &str,
        body: Option<&str>,
    ) -> AuthenticationContext {
        let mut context = AuthenticationContext::new(method, path);
        if let Some(body) = body {
            context = context.with_body(body);
        }
        context
    }

    /// Authenticate a simple REST request (convenience method)
    pub async fn authenticate_simple_rest(
        &self,
        method: &str,
        path: &str,
        body: Option<&str>,
    ) -> Result<HeaderMap> {
        let context = self.create_rest_context(method, path, body);
        let result = self.authenticate_rest_request(&context).await?;
        Ok(result.headers)
    }

    /// Get authentication statistics
    #[must_use]
    pub fn get_auth_stats(&self) -> AuthenticationStats {
        let last_auth = *self.last_auth_time.read();
        let now = self.clock.raw();

        let time_since_last_auth =
            last_auth.map(|time| Duration::from_nanos(now.saturating_sub(time)));

        let rest_cache_valid = {
            let cache = self.cached_rest_auth.read();
            cache
                .values()
                .any(|(_, timestamp)| self.is_cache_valid(*timestamp))
        };

        let ws_cache_valid = self
            .cached_ws_auth
            .read()
            .as_ref()
            .is_some_and(|(_, timestamp)| self.is_cache_valid(*timestamp));

        AuthenticationStats {
            exchange_name: self.exchange_name.clone(),
            last_authentication: time_since_last_auth,
            rest_cache_valid,
            websocket_cache_valid: ws_cache_valid,
            cache_validity_duration: Duration::from_nanos(self.cache_validity_ns),
            supports_websocket_trading: self.adapter.supports_websocket_trading(),
            requires_refresh: self.adapter.requires_refresh(),
        }
    }
}

#[async_trait]
impl AuthenticationManager for UnifiedAuthManager {
    async fn authenticate_rest_request(
        &self,
        context: &AuthenticationContext,
    ) -> Result<AuthenticationResult> {
        // Determine if this request should use cache
        let use_cache = self.should_cache_request(context);

        if use_cache && let Some(cached) = self.get_cached_rest_auth(context) {
            return Ok(cached);
        }

        // Delegate to underlying adapter
        let result = self.adapter.authenticate_rest_request(context).await?;

        // Update last auth time
        *self.last_auth_time.write() = Some(self.clock.raw());

        // Cache the result if appropriate
        if use_cache {
            self.set_cached_rest_auth(context, result.clone());
        }

        Ok(result)
    }

    async fn authenticate_websocket(&self) -> Result<AuthenticationResult> {
        // Check cache first
        if let Some(cached) = self.get_cached_ws_auth() {
            return Ok(cached);
        }

        // Delegate to underlying adapter
        let result = self.adapter.authenticate_websocket().await?;

        // Update last auth time
        *self.last_auth_time.write() = Some(self.clock.raw());

        // Cache the result
        self.set_cached_ws_auth(result.clone());

        Ok(result)
    }

    async fn authenticate_websocket_trading(
        &self,
        timestamp: Option<u64>,
    ) -> Result<AuthenticationResult> {
        // WebSocket trading auth typically shouldn't be cached due to timestamps
        let result = self
            .adapter
            .authenticate_websocket_trading(timestamp)
            .await?;

        // Update last auth time
        *self.last_auth_time.write() = Some(self.clock.raw());

        Ok(result)
    }

    fn is_authentication_valid(&self) -> bool {
        self.adapter.is_authentication_valid()
    }

    fn time_until_expiration(&self) -> Option<Duration> {
        self.adapter.time_until_expiration()
    }

    async fn refresh_authentication(&self) -> Result<()> {
        // Clear caches before refresh
        self.clear_cache();

        // Delegate to underlying adapter
        self.adapter.refresh_authentication().await?;

        // Update last auth time
        *self.last_auth_time.write() = Some(self.clock.raw());

        Ok(())
    }

    fn exchange_name(&self) -> &str {
        &self.exchange_name
    }

    fn api_key(&self) -> &str {
        self.adapter.api_key()
    }

    fn supports_websocket_trading(&self) -> bool {
        self.adapter.supports_websocket_trading()
    }

    fn requires_refresh(&self) -> bool {
        self.adapter.requires_refresh()
    }

    fn refresh_interval(&self) -> Option<Duration> {
        self.adapter.refresh_interval()
    }
}

/// Authentication statistics for monitoring
#[derive(Debug, Clone)]
pub struct AuthenticationStats {
    /// Exchange name
    pub exchange_name: SmartString,
    /// Time since last authentication
    pub last_authentication: Option<Duration>,
    /// Whether REST cache is valid
    pub rest_cache_valid: bool,
    /// Whether WebSocket cache is valid
    pub websocket_cache_valid: bool,
    /// Cache validity duration
    pub cache_validity_duration: Duration,
    /// Whether the exchange supports WebSocket trading
    pub supports_websocket_trading: bool,
    /// Whether authentication requires periodic refresh
    pub requires_refresh: bool,
}

impl AuthenticationStats {
    /// Check if authentication health is good
    #[must_use]
    pub fn is_healthy(&self) -> bool {
        // Consider authentication healthy if we have recent auth activity
        // and caches are working as expected
        if let Some(last_auth) = self.last_authentication {
            // If last auth was within 5 minutes, consider healthy
            last_auth < Duration::from_secs(300)
        } else {
            // No authentication activity yet
            false
        }
    }

    /// Get health status message
    #[must_use]
    pub fn health_status(&self) -> SmartString {
        if self.is_healthy() {
            "Healthy".into()
        } else if self.last_authentication.is_none() {
            "Not authenticated".into()
        } else {
            "Stale authentication".into()
        }
    }
}