asec 0.1.0__py3-none-any.whl

asec/__init__.py

@@ -0,0 +1 @@
+"""asec - AgenticSec DevSecOps CLI."""

asec/api_client.py

@@ -0,0 +1,186 @@
+"""HTTP client for API communication."""
+
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+import httpx
+
+from asec.config import Credentials, load_credentials
+
+
+class ApiClientError(Exception):
+    """API client error."""
+
+    def __init__(self, status_code: int, message: str):
+        self.status_code = status_code
+        self.message = message
+        super().__init__(f"HTTP {status_code}: {message}")
+
+
+class LicenseError(ApiClientError):
+    """Raised when the organization lacks a required license (AUTH_LICENSE_REQUIRED)."""
+
+    def __init__(self, detail: str):
+        self.detail = detail
+        message = f"{detail}\nPlease contact your organization administrator."
+        super().__init__(400, message)
+
+
+def resolve_credentials(
+    credentials: Credentials | None = None,
+    profile: str | None = None,
+) -> Credentials:
+    """Resolve credentials from profile, then apply environment variable overrides.
+
+    Resolution order:
+    1. Explicit credentials argument (if provided)
+    2. Load from profile (saved credentials file)
+    3. ASEC_API_KEY / ASEC_ORG_ID / ASEC_API_URL env vars override profile values
+
+    Args:
+        credentials: Explicit credentials (takes priority over profile)
+        profile: Profile name to load from
+
+    Returns:
+        Resolved Credentials
+
+    Raises:
+        ApiClientError: If resolved credentials are not valid
+    """
+    creds = credentials or load_credentials(profile)
+
+    # Environment variables override profile values. ASEC_API_KEY additionally switches to
+    # api-key auth, but ASEC_ORG_ID / ASEC_API_URL apply in ANY auth mode (incl. OIDC) so
+    # callers can pin the target Hub/org without mutating the shared credentials.toml
+    # profile (e.g. multi-worktree dev / E2E, where the global `dev` profile is racy).
+    env_api_key = os.environ.get("ASEC_API_KEY", "")
+    if env_api_key:
+        creds.api_key = env_api_key
+    env_org = os.environ.get("ASEC_ORG_ID", "")
+    if env_org:
+        creds.org_id = env_org
+    env_url = os.environ.get("ASEC_API_URL", "")
+    if env_url:
+        creds.api_url = env_url
+
+    if not creds.is_valid():
+        raise ApiClientError(0, "Not authenticated. Run 'asec auth login' or set ASEC_API_KEY.")
+
+    return creds
+
+
+class ApiClient:
+    """HTTP client for API."""
+
+    def __init__(self, credentials: Credentials | None = None, profile: str | None = None):
+        self._creds = resolve_credentials(credentials, profile)
+        self.base_url = self._creds.api_url.rstrip("/")
+
+    def _headers(self) -> dict[str, str]:
+        if self._creds.api_key:
+            headers: dict[str, str] = {"X-API-Key": self._creds.api_key}
+            if self._creds.org_id:
+                headers["X-Org-Id"] = self._creds.org_id
+            return headers
+        headers = {"Authorization": f"Bearer {self._creds.id_token}"}
+        if self._creds.org_id:
+            headers["X-Org-Id"] = self._creds.org_id
+        if self._creds.dev_oidc_sub:
+            headers["X-Oidc-Sub"] = self._creds.dev_oidc_sub
+        return headers
+
+    def _api_url(self, path: str) -> str:
+        if not path.startswith("/"):
+            path = "/" + path
+        prefix = "/api/cli-apikey/v1" if self._creds.api_key else "/api/cli-oidc/v1"
+        return f"{self.base_url}{prefix}{path}"
+
+    @staticmethod
+    def _parse_json(response: httpx.Response) -> dict:
+        """Return parsed JSON body, or {} for empty bodies (e.g. 204 No Content)."""
+        if response.status_code == 204 or not response.content:
+            return {}
+        return response.json()
+
+    @staticmethod
+    def _raise_for_status(response: httpx.Response) -> None:
+        """Raise an appropriate error for non-2xx responses."""
+        if response.status_code < 400:
+            return
+
+        detail = response.text
+        error_code = ""
+        try:
+            body = response.json()
+            if isinstance(body, dict):
+                if "error_code" in body:
+                    error_code = body["error_code"]
+                    detail = body.get("message", detail)
+                elif "detail" in body:
+                    detail = body["detail"]
+        except Exception:
+            pass
+
+        if error_code == "AUTH_LICENSE_REQUIRED":
+            raise LicenseError(detail)
+
+        raise ApiClientError(response.status_code, detail)
+
+    def get(self, path: str, params: dict | None = None) -> dict:
+        with httpx.Client(timeout=30) as client:
+            response = client.get(self._api_url(path), headers=self._headers(), params=params)
+            self._raise_for_status(response)
+            return self._parse_json(response)
+
+    def patch(self, path: str, json_data: dict | None = None) -> dict:
+        with httpx.Client(timeout=30) as client:
+            response = client.patch(self._api_url(path), headers=self._headers(), json=json_data)
+            self._raise_for_status(response)
+            return self._parse_json(response)
+
+    def put(self, path: str, json_data: dict | None = None) -> dict:
+        with httpx.Client(timeout=30) as client:
+            response = client.put(self._api_url(path), headers=self._headers(), json=json_data)
+            self._raise_for_status(response)
+            return self._parse_json(response)
+
+    def post(self, path: str, json_data: dict | None = None) -> dict:
+        with httpx.Client(timeout=30) as client:
+            response = client.post(self._api_url(path), headers=self._headers(), json=json_data)
+            self._raise_for_status(response)
+            return self._parse_json(response)
+
+    def upload_file(self, path: str, file_path: Path, form_data: dict) -> dict:
+        with httpx.Client(timeout=120) as client:
+            with open(file_path, "rb") as f:
+                files = {"file": (file_path.name, f, "application/json")}
+                response = client.post(self._api_url(path), headers=self._headers(), data=form_data, files=files)
+                self._raise_for_status(response)
+                return self._parse_json(response)
+
+    def download_from_url(self, url: str, output_path: Path) -> None:
+        """Stream a binary response from an arbitrary URL to a local file.
+
+        Used for two-step download flows (e.g. Run Report PDF): the API
+        first returns a short-lived signed URL via ``GET /reports/.../download``,
+        and the caller follows up with this method to fetch the bytes
+        directly from object storage.
+
+        No auth headers are sent — the URL itself is the authorization
+        token, which keeps API credentials out of the cross-origin hop.
+
+        Raises:
+            ApiClientError: For non-2xx responses from the storage backend.
+        """
+        output_path.parent.mkdir(parents=True, exist_ok=True)
+        with httpx.Client(timeout=300) as client:
+            with client.stream("GET", url) as response:
+                if response.status_code >= 400:
+                    # ``stream`` mode requires explicit read before .text/.json
+                    response.read()
+                    raise ApiClientError(response.status_code, response.text)
+                with output_path.open("wb") as f:
+                    for chunk in response.iter_bytes():
+                        f.write(chunk)

asec/cli.py

@@ -0,0 +1,38 @@
+"""asec CLI - AgenticSec command line interface."""
+
+import click
+
+from asec.cli_auth import auth
+from asec.cli_devsecops import devsecops
+from asec.cli_pentest import pentest
+from asec.cli_profile import profile
+
+
+@click.group()
+@click.version_option(package_name="asec", prog_name="asec")
+@click.option(
+    "--profile",
+    envvar="ASEC_PROFILE",
+    default=None,
+    help="Profile name (default: active profile)",
+)
+@click.pass_context
+def cli(ctx, profile):
+    """asec - AgenticSec CLI."""
+    ctx.ensure_object(dict)
+    ctx.obj["profile"] = profile
+
+
+cli.add_command(auth)
+cli.add_command(profile)
+cli.add_command(devsecops)
+cli.add_command(pentest)
+
+
+def main():
+    """Main entry point."""
+    cli()
+
+
+if __name__ == "__main__":
+    main()

asec/cli_api_key.py

@@ -0,0 +1,64 @@
+"""API Key configuration CLI commands."""
+
+import click
+
+from asec.config import (
+    Credentials,
+    save_credentials,
+    set_active_profile,
+)
+from asec.output import output_json
+
+
+@click.group("api-key")
+def api_key():
+    """Configure API key for non-interactive authentication."""
+    pass
+
+
+@api_key.command("configure")
+@click.argument("api_url")
+@click.argument("key_value", required=False)
+@click.option("--org", required=True, help="Organization ID")
+@click.pass_context
+def configure(ctx, api_url: str, key_value: str | None, org: str):
+    """Configure API key for non-interactive authentication.
+
+    API_URL: API base URL (e.g., https://api.agenticsec.tech)
+    KEY_VALUE: API Key value (obtain from organization admin).
+               If omitted, you will be prompted securely.
+
+    Examples:
+
+        # Interactive (key is hidden):
+        asec auth api-key configure https://api.agenticsec.tech --org org-acme
+
+        # Non-interactive (argument):
+        asec auth api-key configure https://api.agenticsec.tech KEY --org org-acme
+
+        # Non-interactive (pipe):
+        echo $ASEC_API_KEY | asec auth api-key configure https://api.agenticsec.tech --org org-acme
+    """
+    if not key_value:
+        # Prompt goes to stderr so stdout stays pure JSON.
+        key_value = click.prompt("API Key", hide_input=True, err=True)
+
+    api_url = api_url.rstrip("/")
+    profile_name = ctx.obj.get("profile") if ctx.obj else None
+    if not profile_name:
+        profile_name = "ci"
+
+    creds = Credentials(
+        api_url=api_url,
+        api_key=key_value,
+        org_id=org,
+    )
+    save_credentials(creds, profile_name)
+    set_active_profile(profile_name)
+    output_json(
+        {
+            "profile": profile_name,
+            "api_url": api_url,
+            "org_id": org,
+        }
+    )

asec/cli_auth.py

@@ -0,0 +1,220 @@
+"""Auth CLI commands."""
+
+import os
+import time
+
+import click
+import httpx
+
+from asec.cli_api_key import api_key
+from asec.config import (
+    Credentials,
+    clear_credentials,
+    get_active_profile,
+    load_credentials,
+    resolve_profile_for_login,
+    save_credentials,
+    set_active_profile,
+)
+from asec.oidc_auth import AuthorizationError, perform_oidc_login
+from asec.output import output_json
+
+
+def _fetch_orgs(api_url: str, id_token: str) -> list[dict]:
+    """Fetch organizations the user belongs to from API.
+
+    Returns a list of org dicts with keys: org_id, org_name, role, status, licenses.
+    Returns empty list on error.
+    """
+    url = f"{api_url}/api/cli-oidc/v1/user/organizations"
+    try:
+        with httpx.Client(timeout=10) as client:
+            res = client.get(url, headers={"Authorization": f"Bearer {id_token}"})
+            if res.status_code != 200:
+                click.echo(f"Warning: Could not fetch organizations (HTTP {res.status_code})", err=True)
+                return []
+            return res.json().get("organizations", [])
+    except httpx.RequestError as e:
+        click.echo(f"Warning: Could not fetch organizations: {e}", err=True)
+        return []
+
+
+def _resolve_org_id(orgs: list[dict], explicit_org: str | None) -> str | None:
+    """Resolve org_id from explicit flag or org list.
+
+    Returns:
+        org_id string, or None if no org could be resolved.
+
+    Raises:
+        SystemExit: If multiple orgs exist and --org is not specified.
+    """
+    if explicit_org:
+        return explicit_org
+
+    if not orgs:
+        return None
+
+    # Filter to active orgs
+    active_orgs = [o for o in orgs if o.get("status") == "active"]
+    if not active_orgs:
+        active_orgs = orgs
+
+    if len(active_orgs) == 1:
+        org = active_orgs[0]
+        click.echo(f"Organization: {org['org_name']} ({org['org_id']})", err=True)
+        return org["org_id"]
+
+    # Multiple orgs: show list and exit
+    click.echo("Multiple organizations found. Specify one with --org:", err=True)
+    for org in active_orgs:
+        licenses = org.get("licenses", {})
+        flags = []
+        if licenses.get("pentest"):
+            flags.append("pentest")
+        if licenses.get("devsecops"):
+            flags.append("devsecops")
+        license_info = f" [{', '.join(flags)}]" if flags else ""
+        click.echo(f"  {org['org_id']}  {org['org_name']}{license_info}", err=True)
+    raise SystemExit(1)
+
+
+@click.group()
+def auth():
+    """Manage authentication."""
+    pass
+
+
+auth.add_command(api_key)
+
+
+@auth.command()
+@click.argument("api_url", required=False)
+@click.option("--org", "explicit_org", default=None, help="Organization ID to use for this profile")
+@click.pass_context
+def login(ctx, api_url: str | None, explicit_org: str | None):
+    """Log in to AgenticSec.
+
+    API_URL: API base URL (e.g., https://api-stg.agenticsec.tech).
+    If omitted, uses the saved URL from the current profile.
+    """
+    explicit_profile = ctx.obj.get("profile") if ctx.obj else None
+
+    # Resolve api_url: argument > env > saved profile > default (prd)
+    if not api_url:
+        api_url = os.environ.get("ASEC_API_URL")
+    if not api_url:
+        existing_creds = load_credentials(explicit_profile)
+        if existing_creds.api_url:
+            api_url = existing_creds.api_url
+    if not api_url:
+        api_url = "https://api.agenticsec.tech"
+
+    api_url = api_url.rstrip("/")
+
+    # Resolve profile: explicit > existing match by URL > auto-derived from URL
+    profile_name = resolve_profile_for_login(explicit_profile, api_url)
+
+    # Dev environment shortcut
+    dev_oidc_sub = os.environ.get("ASEC_DEV_OIDC_SUB")
+    if dev_oidc_sub:
+        dev_org_id = os.environ.get("ASEC_DEV_ORG_ID", "")
+        creds = Credentials(
+            api_url=api_url,
+            id_token="dev-token",
+            refresh_token="",
+            expires_at=time.time() + 86400 * 365,
+            user_email="dev@agenticsec.local",
+            org_id=dev_org_id,
+            dev_oidc_sub=dev_oidc_sub,
+        )
+        save_credentials(creds, profile_name)
+        set_active_profile(profile_name)
+        output_json(
+            {
+                "profile": profile_name,
+                "api_url": api_url,
+                "user_email": creds.user_email,
+                "org_id": creds.org_id or None,
+            }
+        )
+        return
+
+    # Discover auth config from server
+    auth_config_url = f"{api_url}/api/cli-oidc/v1/auth-config"
+    click.echo(f"Fetching auth config from {auth_config_url}...", err=True)
+    try:
+        with httpx.Client(timeout=10) as client:
+            res = client.get(auth_config_url)
+            if res.status_code != 200:
+                click.echo(f"Error: Failed to fetch auth config (HTTP {res.status_code})", err=True)
+                click.echo("The server may not be configured for CLI authentication.", err=True)
+                raise SystemExit(1)
+            auth_config = res.json()
+    except httpx.RequestError as e:
+        click.echo(f"Error: Cannot connect to {auth_config_url}: {e}", err=True)
+        raise SystemExit(1) from None
+
+    cognito_domain = auth_config["cognito_domain"]
+    client_id = auth_config["client_id"]
+
+    try:
+        tokens = perform_oidc_login(cognito_domain=cognito_domain, client_id=client_id)
+        creds = Credentials(
+            api_url=api_url,
+            id_token=tokens["id_token"],
+            refresh_token=tokens.get("refresh_token", ""),
+            expires_at=time.time() + tokens.get("expires_in", 3600),
+            cognito_domain=cognito_domain,
+            client_id=client_id,
+        )
+
+        # Resolve organization
+        orgs = _fetch_orgs(api_url, creds.id_token)
+        org_id = _resolve_org_id(orgs, explicit_org)
+        if org_id:
+            creds.org_id = org_id
+
+        save_credentials(creds, profile_name)
+        set_active_profile(profile_name)
+        output_json(
+            {
+                "profile": profile_name,
+                "api_url": api_url,
+                "user_email": creds.user_email or None,
+                "org_id": creds.org_id or None,
+            }
+        )
+    except AuthorizationError as e:
+        click.echo(f"Login failed: {e}", err=True)
+        raise SystemExit(1) from None
+
+
+@auth.command()
+@click.pass_context
+def status(ctx):
+    """Show current authentication status."""
+    profile_name = ctx.obj.get("profile") if ctx.obj else None
+    resolved = get_active_profile(profile_name)
+    creds = load_credentials(profile_name)
+    authenticated = creds.is_valid()
+
+    output_json(
+        {
+            "profile": resolved,
+            "authenticated": authenticated,
+            "api_url": creds.api_url or None,
+            "user_email": creds.user_email or None,
+            "org_id": creds.org_id or None,
+            "expires_at": creds.expires_at if creds.expires_at > 0 else None,
+        }
+    )
+
+
+@auth.command()
+@click.pass_context
+def logout(ctx):
+    """Clear stored credentials."""
+    profile_name = ctx.obj.get("profile") if ctx.obj else None
+    resolved = get_active_profile(profile_name)
+    clear_credentials(profile_name)
+    output_json({"profile": resolved})

asec/cli_devsecops/__init__.py

@@ -0,0 +1,28 @@
+"""DevSecOps CLI command group."""
+
+import click
+
+from asec.cli_devsecops.asset import asset
+from asec.cli_devsecops.issue import issue
+from asec.cli_devsecops.product import product
+from asec.cli_devsecops.revision import revision
+from asec.cli_devsecops.upload import upload
+from asec.cli_scanners import scanners
+
+
+@click.group()
+@click.pass_context
+def devsecops(ctx):
+    """Manage DevSecOps products, assets, and security issues."""
+    ctx.ensure_object(dict)
+
+
+devsecops.add_command(product)
+devsecops.add_command(asset)
+devsecops.add_command(upload)
+devsecops.add_command(issue)
+devsecops.add_command(revision)
+devsecops.add_command(scanners)
+
+
+__all__ = ["devsecops"]

asec/cli_devsecops/asset.py

@@ -0,0 +1,103 @@
+"""Asset CLI commands."""
+
+import click
+
+from asec.api_client import ApiClient, ApiClientError
+from asec.output import output_json
+
+
+def _get_profile(ctx: click.Context) -> str | None:
+    return ctx.obj.get("profile") if ctx.obj else None
+
+
+@click.group()
+def asset():
+    """Manage assets."""
+    pass
+
+
+@asset.command()
+@click.option("--product", "product_id", required=True, help="Product ID")
+@click.option("--type", "asset_type", required=True, help="Asset type (repository, container_image, cloud_account)")
+@click.option("--name", required=True, help="Asset name")
+@click.option("--description", default=None, help="Description (also used as context for security analysis)")
+@click.option("--version", default=None, help="Asset version")
+@click.pass_context
+def create(ctx, product_id: str, asset_type: str, name: str, description: str | None, version: str | None):
+    """Create a new asset."""
+    try:
+        client = ApiClient(profile=_get_profile(ctx))
+        result = client.post(
+            "/assets",
+            {
+                "product_id": product_id,
+                "asset_type": asset_type,
+                "name": name,
+                "description": description,
+                "version": version,
+            },
+        )
+        output_json(result)
+    except ApiClientError as e:
+        click.echo(f"Error: {e.message}", err=True)
+        raise SystemExit(1) from None
+
+
+@asset.command("list")
+@click.option("--product", "product_id", required=True, help="Product ID")
+@click.option("--include-inactive", is_flag=True, default=False, help="Include inactive assets")
+@click.pass_context
+def list_assets(ctx, product_id: str, include_inactive: bool):
+    """List assets for a product."""
+    try:
+        client = ApiClient(profile=_get_profile(ctx))
+        params: dict = {"product_id": product_id}
+        if include_inactive:
+            params["include_inactive"] = "true"
+        result = client.get("/assets", params=params)
+        output_json(result.get("assets", []))
+    except ApiClientError as e:
+        click.echo(f"Error: {e.message}", err=True)
+        raise SystemExit(1) from None
+
+
+@asset.command()
+@click.argument("asset_id")
+@click.pass_context
+def show(ctx, asset_id: str):
+    """Show asset details."""
+    try:
+        client = ApiClient(profile=_get_profile(ctx))
+        result = client.get(f"/assets/{asset_id}")
+        output_json(result)
+    except ApiClientError as e:
+        click.echo(f"Error: {e.message}", err=True)
+        raise SystemExit(1) from None
+
+
+@asset.command()
+@click.argument("asset_id")
+@click.pass_context
+def deactivate(ctx, asset_id: str):
+    """Deactivate an asset."""
+    try:
+        client = ApiClient(profile=_get_profile(ctx))
+        client.patch(f"/assets/{asset_id}/deactivate")
+        output_json({"asset_id": asset_id})
+    except ApiClientError as e:
+        click.echo(f"Error: {e.message}", err=True)
+        raise SystemExit(1) from None
+
+
+@asset.command()
+@click.argument("asset_id")
+@click.pass_context
+def activate(ctx, asset_id: str):
+    """Activate an asset."""
+    try:
+        client = ApiClient(profile=_get_profile(ctx))
+        client.patch(f"/assets/{asset_id}/activate")
+        output_json({"asset_id": asset_id})
+    except ApiClientError as e:
+        click.echo(f"Error: {e.message}", err=True)
+        raise SystemExit(1) from None