vpg/

pgpass.rs

use core::fmt::Display;
use std::fs::File;
use std::fs::OpenOptions;
use std::io::Write;
use std::os::unix::fs::PermissionsExt;
use std::path::Path;
use std::path::PathBuf;

use rootcause::prelude::ResultExt;
use rootcause::report;

use crate::vault::VaultCreds;

/// A parsed `.pgpass` file with line references and connection entries.
///
/// Stores both raw lines (preserving comments and formatting) and validated connection entries.
/// Follows `PostgreSQL`'s password file format: `host:port:db:user:pwd` with colon-separated fields.
#[derive(Debug)]
pub struct PgpassFile<'a> {
    /// Original file lines with their 0-based indices, preserving comments and metadata.
    pub idx_lines: Vec<(usize, &'a str)>,
    /// Validated connection entries parsed from non-comment lines.
    pub entries: Vec<PgpassEntry>,
}

impl<'a> PgpassFile<'a> {
    /// Parses the raw `.pgpass` content into a [`PgpassFile`].
    ///
    /// Expects alternating metadata comment lines (prefixed with `#`) and connection lines.
    /// Non‑comment / non‑metadata lines are ignored except when part of metadata + connection pair.
    ///
    /// # Errors
    /// - A metadata line is not followed by a valid connection line.
    /// - A connection line cannot be parsed into [`ConnectionParams`].
    pub fn parse(pgpass_content: &'a str) -> rootcause::Result<Self> {
        let mut idx_lines = vec![];
        let mut entries = vec![];

        let mut file_lines = pgpass_content.lines().enumerate();
        while let Some(idx_line @ (_, line)) = file_lines.next() {
            idx_lines.push(idx_line);

            if line.is_empty() {
                continue;
            }

            if let Some((alias, vault_path)) = line.strip_prefix('#').and_then(|s| s.split_once(' ')) {
                let metadata = Metadata {
                    alias: alias.to_string(),
                    vault_path: vault_path.to_string(),
                };

                if let Some(idx_line) = file_lines.next() {
                    idx_lines.push(idx_line);

                    let conn = ConnectionParams::try_from(idx_line)?;
                    entries.push(PgpassEntry {
                        metadata,
                        connection_params: conn,
                    });

                    continue;
                }
                Err(report!("missing pgpass connection line after metadata"))
                    .attach_with(|| format!("metadata={metadata:#?} idx_line={idx_line:#?}"))?;
            }
        }

        Ok(Self { idx_lines, entries })
    }
}

/// A validated `.pgpass` entry with associated metadata and connection parameters.
#[derive(Clone, Debug)]
pub struct PgpassEntry {
    /// Parsed connection parameters from a valid `.pgpass` line.
    pub connection_params: ConnectionParams,
    /// Metadata from preceding comment lines (alias/vault references).
    pub metadata: Metadata,
}

impl Display for PgpassEntry {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        write!(f, "{}", self.metadata.alias)
    }
}

/// Metadata extracted from comment lines preceding a `.pgpass` entry.
#[derive(Clone, Debug, Eq, PartialEq)]
pub struct Metadata {
    /// Human-readable identifier for the connection (from comments).
    pub alias: String,
    /// Vault path reference for secure password management (from comments).
    pub vault_path: String,
}

impl Display for Metadata {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        write!(f, "{}", self.alias)
    }
}

/// Connection parameters parsed from a `.pgpass` line.
#[derive(Clone, Debug, Eq, PartialEq)]
pub struct ConnectionParams {
    /// Database name.
    db: String,
    /// Hostname.
    host: String,
    /// 0-based index referencing the original line in `PgpassFile.idx_lines`.
    idx: usize,
    /// TCP port number.
    port: u16,
    /// Password.
    pwd: String,
    /// Username.
    user: String,
}

impl ConnectionParams {
    /// Generates a `PostgreSQL` connection [`String`] URL from the connection parameters.
    pub fn db_url(&self) -> String {
        format!("postgres://{}@{}:{}/{}", self.user, self.host, self.port, self.db)
    }

    /// Updates the user and password fields with the provided [`VaultCreds`].
    pub fn update(&mut self, creds: &VaultCreds) {
        self.user.clone_from(&creds.username);
        self.pwd.clone_from(&creds.password);
    }
}

impl TryFrom<(usize, &str)> for ConnectionParams {
    type Error = rootcause::Report;

    fn try_from(idx_line @ (idx, line): (usize, &str)) -> Result<Self, Self::Error> {
        // Use splitn to avoid Vec allocation; pgpass format is exactly 5 colon-separated fields
        let mut parts = line.splitn(5, ':');
        let (Some(host), Some(port_str), Some(db), Some(user), Some(pwd)) =
            (parts.next(), parts.next(), parts.next(), parts.next(), parts.next())
        else {
            return Err(report!("malformed pgpass connection line")).attach_with(|| format!("idx_line={idx_line:#?}"));
        };
        let port = port_str
            .parse()
            .context("unexpected port")
            .attach_with(|| format!("port={port_str}"))?;
        Ok(Self {
            idx,
            host: host.to_string(),
            port,
            db: db.to_string(),
            user: user.to_string(),
            pwd: pwd.to_string(),
        })
    }
}

impl Display for ConnectionParams {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        write!(f, "{}:{}:{}:{}:{}", self.host, self.port, self.db, self.user, self.pwd)
    }
}

/// Saves updated `PostgreSQL` `.pgpass` to a temporary file, replaces the original, and sets permissions.
///
/// # Errors
/// - A filesystem operation (open/read/write/remove) fails.
pub fn save_new_pgpass_file(
    pgpass_idx_lines: Vec<(usize, &str)>,
    updated_conn_params: &ConnectionParams,
    pgpass_path: &Path,
) -> rootcause::Result<()> {
    let mut tmp_path = PathBuf::from(pgpass_path);
    tmp_path.set_file_name(".pgpass.tmp");
    let mut tmp_file = File::create(&tmp_path)?;

    for (idx, pgpass_line) in pgpass_idx_lines {
        let file_line = if idx == updated_conn_params.idx {
            updated_conn_params.to_string()
        } else {
            pgpass_line.to_string()
        };
        writeln!(tmp_file, "{file_line}")?;
    }

    std::fs::rename(&tmp_path, pgpass_path)?;

    let file = OpenOptions::new().read(true).open(pgpass_path)?;
    let mut permissions = file.metadata()?.permissions();
    permissions.set_mode(0o600);
    file.set_permissions(permissions)?;

    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn creds_try_from_returns_the_expected_creds() {
        assert2::assert!(let Ok(actual) = ConnectionParams::try_from((42, "host:5432:db:user:pwd")));
        assert_eq!(
            actual,
            ConnectionParams {
                idx: 42,
                host: "host".into(),
                port: 5432,
                db: "db".into(),
                user: "user".into(),
                pwd: "pwd".into(),
            }
        );
    }

    #[test]
    fn creds_try_from_returns_an_error_if_port_is_not_a_number() {
        assert2::assert!(let Err(err) = ConnectionParams::try_from((42, "host:foo:db:user:pwd")));
        assert_eq!(err.format_current_context().to_string(), "unexpected port");
    }

    #[test]
    fn creds_try_from_returns_an_error_if_str_is_malformed() {
        assert2::assert!(let Err(err) = ConnectionParams::try_from((42, "host:5432:db:user")));
        assert_eq!(
            err.format_current_context().to_string(),
            "malformed pgpass connection line"
        );
    }

    #[test]
    fn creds_db_url_returns_the_expected_output() {
        assert_eq!(
            ConnectionParams {
                idx: 42,
                host: "host".into(),
                port: 5432,
                db: "db".into(),
                user: "user".into(),
                pwd: "whatever".into()
            }
            .db_url(),
            "postgres://user@host:5432/db".to_string()
        );
    }
}