bizteamai-smcp-biz 1.13.1__py3-none-any.whl

smcp/cli/approve.py

@@ -0,0 +1,261 @@
+#!/usr/bin/env python3
+"""
+Action approval tool for SMCP.
+
+Allows administrators to approve or reject queued destructive actions.
+"""
+
+import argparse
+import json
+import sys
+import time
+from pathlib import Path
+from typing import Dict, List, Optional
+
+try:
+    import yaml
+    YAML_AVAILABLE = True
+except ImportError:
+    YAML_AVAILABLE = False
+
+from ..confirm import ActionQueue, format_action_summary
+
+
+def load_config(config_path: Optional[str] = None) -> Dict:
+    """Load configuration from file or environment."""
+    config = {}
+    
+    # Try to load from config file
+    if config_path:
+        config_file = Path(config_path)
+        if config_file.exists():
+            if config_file.suffix.lower() in ['.yaml', '.yml'] and YAML_AVAILABLE:
+                with open(config_file, 'r') as f:
+                    config = yaml.safe_load(f) or {}
+            elif config_file.suffix.lower() == '.json':
+                with open(config_file, 'r') as f:
+                    config = json.load(f)
+    
+    # Override with environment variables
+    import os
+    env_config = {
+        "QUEUE_FILE": os.getenv("SMCP_QUEUE_FILE"),
+        "LOG_PATH": os.getenv("SMCP_LOG_PATH"),
+    }
+    
+    # Add non-None environment variables
+    for key, value in env_config.items():
+        if value is not None:
+            config[key] = value
+    
+    return config
+
+
+def list_pending_actions(queue: ActionQueue) -> List[Dict]:
+    """List all pending actions."""
+    return queue.get_pending_actions()
+
+
+def display_action_details(action: Dict) -> None:
+    """Display detailed information about an action."""
+    print("=" * 60)
+    print(format_action_summary(action))
+    print("=" * 60)
+
+
+def approve_action(queue: ActionQueue, action_id: str) -> bool:
+    """Approve an action."""
+    action = queue.approve_action(action_id)
+    if action:
+        print(f"✓ Action {action_id} approved")
+        return True
+    else:
+        print(f"✗ Action {action_id} not found or already processed")
+        return False
+
+
+def reject_action(queue: ActionQueue, action_id: str) -> bool:
+    """Reject an action."""
+    if queue.reject_action(action_id):
+        print(f"✗ Action {action_id} rejected")
+        return True
+    else:
+        print(f"✗ Action {action_id} not found or already processed")
+        return False
+
+
+def interactive_approval(queue: ActionQueue) -> None:
+    """Interactive approval mode."""
+    print("Interactive approval mode. Type 'help' for commands.")
+    
+    while True:
+        try:
+            command = input("\nsmcp-approve> ").strip().lower()
+            
+            if command in ['quit', 'exit', 'q']:
+                break
+            elif command == 'help':
+                print("Commands:")
+                print("  list                    - List all pending actions")
+                print("  show <action-id>        - Show action details")
+                print("  approve <action-id>     - Approve an action")
+                print("  reject <action-id>      - Reject an action")
+                print("  cleanup [hours]         - Clean up old actions")
+                print("  quit/exit/q             - Exit interactive mode")
+            elif command == 'list':
+                actions = list_pending_actions(queue)
+                if not actions:
+                    print("No pending actions")
+                else:
+                    print(f"\n{len(actions)} pending action(s):")
+                    for action in actions:
+                        timestamp = time.strftime("%H:%M:%S", time.localtime(action["timestamp"]))
+                        print(f"  {action['id'][:8]}... - {action['function_name']} ({timestamp})")
+            elif command.startswith('show '):
+                action_id = command[5:].strip()
+                actions = list_pending_actions(queue)
+                action = next((a for a in actions if a['id'].startswith(action_id)), None)
+                if action:
+                    display_action_details(action)
+                else:
+                    print(f"Action not found: {action_id}")
+            elif command.startswith('approve '):
+                action_id = command[8:].strip()
+                # Find full action ID from partial
+                actions = list_pending_actions(queue)
+                action = next((a for a in actions if a['id'].startswith(action_id)), None)
+                if action:
+                    approve_action(queue, action['id'])
+                else:
+                    print(f"Action not found: {action_id}")
+            elif command.startswith('reject '):
+                action_id = command[7:].strip()
+                # Find full action ID from partial
+                actions = list_pending_actions(queue)
+                action = next((a for a in actions if a['id'].startswith(action_id)), None)
+                if action:
+                    reject_action(queue, action['id'])
+                else:
+                    print(f"Action not found: {action_id}")
+            elif command.startswith('cleanup'):
+                parts = command.split()
+                hours = int(parts[1]) if len(parts) > 1 else 24
+                removed = queue.cleanup_old_actions(hours)
+                print(f"Removed {removed} old action(s)")
+            else:
+                print(f"Unknown command: {command}. Type 'help' for available commands.")
+        
+        except (KeyboardInterrupt, EOFError):
+            print("\nExiting...")
+            break
+        except Exception as e:
+            print(f"Error: {e}")
+
+
+def main() -> None:
+    """Main entry point for the approve CLI tool."""
+    parser = argparse.ArgumentParser(
+        description="Approve or reject queued SMCP actions"
+    )
+    parser.add_argument(
+        "action_id",
+        nargs="?",
+        help="Action ID to approve (if not provided, enters interactive mode)"
+    )
+    parser.add_argument(
+        "--reject", "-r",
+        action="store_true",
+        help="Reject the action instead of approving it"
+    )
+    parser.add_argument(
+        "--list", "-l",
+        action="store_true",
+        help="List all pending actions and exit"
+    )
+    parser.add_argument(
+        "--config", "-c",
+        help="Path to configuration file"
+    )
+    parser.add_argument(
+        "--queue-file",
+        help="Path to the action queue file (overrides config)"
+    )
+    parser.add_argument(
+        "--cleanup",
+        type=int,
+        metavar="HOURS",
+        help="Clean up actions older than specified hours"
+    )
+    parser.add_argument(
+        "--interactive", "-i",
+        action="store_true",
+        help="Enter interactive approval mode"
+    )
+    
+    args = parser.parse_args()
+    
+    # Load configuration
+    config = load_config(args.config)
+    
+    # Override queue file if specified
+    if args.queue_file:
+        config["QUEUE_FILE"] = args.queue_file
+    
+    # Initialize action queue
+    queue_file = config.get("QUEUE_FILE", "/tmp/smcp_queue.json")
+    queue = ActionQueue(queue_file)
+    
+    try:
+        # Handle cleanup
+        if args.cleanup:
+            removed = queue.cleanup_old_actions(args.cleanup)
+            print(f"Removed {removed} old action(s)")
+            return
+        
+        # Handle list command
+        if args.list:
+            actions = list_pending_actions(queue)
+            if not actions:
+                print("No pending actions")
+            else:
+                print(f"{len(actions)} pending action(s):")
+                for action in actions:
+                    timestamp = time.strftime("%Y-%m-%d %H:%M:%S", 
+                                            time.localtime(action["timestamp"]))
+                    print(f"  {action['id']} - {action['function_name']} ({timestamp})")
+            return
+        
+        # Handle interactive mode
+        if args.interactive or not args.action_id:
+            interactive_approval(queue)
+            return
+        
+        # Handle specific action approval/rejection
+        if args.action_id:
+            # Find action (support partial IDs)
+            actions = list_pending_actions(queue)
+            action = next((a for a in actions if a['id'].startswith(args.action_id)), None)
+            
+            if not action:
+                print(f"Action not found: {args.action_id}")
+                sys.exit(1)
+            
+            action_id = action['id']
+            
+            # Show action details
+            display_action_details(action)
+            
+            if args.reject:
+                success = reject_action(queue, action_id)
+            else:
+                success = approve_action(queue, action_id)
+            
+            sys.exit(0 if success else 1)
+    
+    except Exception as e:
+        print(f"Error: {e}")
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

smcp/cli/gen_key.py

@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+"""
+License key generation utility for SMCP Business Edition.
+"""
+import sys
+import hmac
+import hashlib
+import secrets
+import argparse
+from datetime import datetime, timedelta, timezone
+
+def generate_license_key(customer_id: str, cores: int, days: int, secret: str) -> str:
+    """Generate a new license key."""
+    # Generate expiry date
+    expiry_date = datetime.now(timezone.utc) + timedelta(days=days)
+    expiry_str = expiry_date.strftime('%Y%m%d')
+    
+    # Generate random nonce
+    nonce = secrets.token_hex(8)
+    
+    # Create payload for signing
+    payload = f"BZT.{customer_id}.{cores}.{expiry_str}.{nonce}"
+    
+    # Generate HMAC signature
+    signature = hmac.new(
+        secret.encode('utf-8'),
+        payload.encode('utf-8'),
+        hashlib.sha256
+    ).hexdigest()
+    
+    return f"{payload}.{signature}"
+
+def main():
+    parser = argparse.ArgumentParser(description='Generate SMCP Business Edition license keys')
+    parser.add_argument('--customer', '-c', required=True, help='Customer ID')
+    parser.add_argument('--cores', '-n', type=int, required=True, help='Number of cores')
+    parser.add_argument('--days', '-d', type=int, required=True, help='Validity period in days')
+    parser.add_argument('--secret', '-s', help='Server secret (default: use BIZTEAM_SERVER_SECRET env var)')
+    parser.add_argument('--output', '-o', help='Output file (default: stdout)')
+    
+    args = parser.parse_args()
+    
+    # Get server secret
+    secret = args.secret
+    if not secret:
+        import os
+        secret = os.getenv('BIZTEAM_SERVER_SECRET')
+        if not secret:
+            print("Error: Server secret required. Use --secret or set BIZTEAM_SERVER_SECRET", file=sys.stderr)
+            sys.exit(1)
+    
+    # Generate key
+    try:
+        license_key = generate_license_key(args.customer, args.cores, args.days, secret)
+        
+        # Output
+        if args.output:
+            with open(args.output, 'w') as f:
+                f.write(license_key + '\n')
+            print(f"License key written to {args.output}")
+        else:
+            print(license_key)
+            
+        # Log for audit (in production, this would go to a database)
+        key_hash = hashlib.sha256(license_key.encode()).hexdigest()
+        print(f"# Audit: Customer={args.customer}, Cores={args.cores}, Days={args.days}, Hash={key_hash}", file=sys.stderr)
+        
+    except Exception as e:
+        print(f"Error generating license key: {e}", file=sys.stderr)
+        sys.exit(1)
+
+if __name__ == '__main__':
+    main()

smcp/cli/mkcert.py

@@ -0,0 +1,327 @@
+#!/usr/bin/env python3
+"""
+Certificate generation tool for SMCP.
+
+Creates a private CA and generates server/client certificates for mutual TLS.
+"""
+
+import argparse
+import os
+import sys
+from pathlib import Path
+from typing import Optional
+
+try:
+    from cryptography import x509
+    from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
+    from cryptography.hazmat.primitives import hashes, serialization
+    from cryptography.hazmat.primitives.asymmetric import rsa
+    from datetime import datetime, timedelta
+    CRYPTOGRAPHY_AVAILABLE = True
+except ImportError:
+    CRYPTOGRAPHY_AVAILABLE = False
+
+
+def generate_private_key() -> "rsa.RSAPrivateKey":
+    """Generate a new RSA private key."""
+    return rsa.generate_private_key(
+        public_exponent=65537,
+        key_size=2048,
+    )
+
+
+def create_ca_certificate(
+    private_key: "rsa.RSAPrivateKey", 
+    ca_name: str, 
+    days: int = 365
+) -> "x509.Certificate":
+    """Create a self-signed CA certificate."""
+    subject = issuer = x509.Name([
+        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
+        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "CA"),
+        x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"),
+        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "SMCP"),
+        x509.NameAttribute(NameOID.COMMON_NAME, ca_name),
+    ])
+    
+    cert = x509.CertificateBuilder().subject_name(
+        subject
+    ).issuer_name(
+        issuer
+    ).public_key(
+        private_key.public_key()
+    ).serial_number(
+        x509.random_serial_number()
+    ).not_valid_before(
+        datetime.utcnow()
+    ).not_valid_after(
+        datetime.utcnow() + timedelta(days=days)
+    ).add_extension(
+        x509.SubjectAlternativeName([
+            x509.DNSName(ca_name),
+        ]),
+        critical=False,
+    ).add_extension(
+        x509.BasicConstraints(ca=True, path_length=None),
+        critical=True,
+    ).add_extension(
+        x509.KeyUsage(
+            digital_signature=True,
+            content_commitment=False,
+            key_encipherment=False,
+            data_encipherment=False,
+            key_agreement=False,
+            key_cert_sign=True,
+            crl_sign=True,
+            encipher_only=False,
+            decipher_only=False,
+        ),
+        critical=True,
+    ).sign(private_key, hashes.SHA256())
+    
+    return cert
+
+
+def create_server_certificate(
+    private_key: "rsa.RSAPrivateKey",
+    ca_cert: "x509.Certificate",
+    ca_private_key: "rsa.RSAPrivateKey",
+    server_name: str,
+    days: int = 365
+) -> "x509.Certificate":
+    """Create a server certificate signed by the CA."""
+    subject = x509.Name([
+        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
+        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "CA"),
+        x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"),
+        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "SMCP"),
+        x509.NameAttribute(NameOID.COMMON_NAME, server_name),
+    ])
+    
+    cert = x509.CertificateBuilder().subject_name(
+        subject
+    ).issuer_name(
+        ca_cert.subject
+    ).public_key(
+        private_key.public_key()
+    ).serial_number(
+        x509.random_serial_number()
+    ).not_valid_before(
+        datetime.utcnow()
+    ).not_valid_after(
+        datetime.utcnow() + timedelta(days=days)
+    ).add_extension(
+        x509.SubjectAlternativeName([
+            x509.DNSName(server_name),
+            x509.DNSName("localhost"),
+            x509.IPAddress("127.0.0.1"),
+        ]),
+        critical=False,
+    ).add_extension(
+        x509.BasicConstraints(ca=False, path_length=None),
+        critical=True,
+    ).add_extension(
+        x509.KeyUsage(
+            digital_signature=True,
+            content_commitment=False,
+            key_encipherment=True,
+            data_encipherment=False,
+            key_agreement=False,
+            key_cert_sign=False,
+            crl_sign=False,
+            encipher_only=False,
+            decipher_only=False,
+        ),
+        critical=True,
+    ).add_extension(
+        x509.ExtendedKeyUsage([
+            ExtendedKeyUsageOID.SERVER_AUTH,
+        ]),
+        critical=True,
+    ).sign(ca_private_key, hashes.SHA256())
+    
+    return cert
+
+
+def create_client_certificate(
+    private_key: "rsa.RSAPrivateKey",
+    ca_cert: "x509.Certificate", 
+    ca_private_key: "rsa.RSAPrivateKey",
+    client_name: str,
+    days: int = 365
+) -> "x509.Certificate":
+    """Create a client certificate signed by the CA."""
+    subject = x509.Name([
+        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
+        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "CA"),
+        x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"),
+        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "SMCP"),
+        x509.NameAttribute(NameOID.COMMON_NAME, client_name),
+    ])
+    
+    cert = x509.CertificateBuilder().subject_name(
+        subject
+    ).issuer_name(
+        ca_cert.subject
+    ).public_key(
+        private_key.public_key()
+    ).serial_number(
+        x509.random_serial_number()
+    ).not_valid_before(
+        datetime.utcnow()
+    ).not_valid_after(
+        datetime.utcnow() + timedelta(days=days)
+    ).add_extension(
+        x509.BasicConstraints(ca=False, path_length=None),
+        critical=True,
+    ).add_extension(
+        x509.KeyUsage(
+            digital_signature=True,
+            content_commitment=False,
+            key_encipherment=True,
+            data_encipherment=False,
+            key_agreement=False,
+            key_cert_sign=False,
+            crl_sign=False,
+            encipher_only=False,
+            decipher_only=False,
+        ),
+        critical=True,
+    ).add_extension(
+        x509.ExtendedKeyUsage([
+            ExtendedKeyUsageOID.CLIENT_AUTH,
+        ]),
+        critical=True,
+    ).sign(ca_private_key, hashes.SHA256())
+    
+    return cert
+
+
+def save_private_key(private_key: "rsa.RSAPrivateKey", path: Path) -> None:
+    """Save a private key to a PEM file."""
+    with open(path, "wb") as f:
+        f.write(private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.PKCS8,
+            encryption_algorithm=serialization.NoEncryption()
+        ))
+    os.chmod(path, 0o600)  # Make private key readable only by owner
+
+
+def save_certificate(cert: "x509.Certificate", path: Path) -> None:
+    """Save a certificate to a PEM file."""
+    with open(path, "wb") as f:
+        f.write(cert.public_bytes(serialization.Encoding.PEM))
+
+
+def generate_certificates(
+    output_dir: Path,
+    ca_name: str,
+    server_name: str,
+    client_name: Optional[str] = None,
+    days: int = 365
+) -> None:
+    """Generate a complete certificate set."""
+    output_dir.mkdir(parents=True, exist_ok=True)
+    
+    print(f"Generating certificates in {output_dir}")
+    
+    # Generate CA
+    print("1. Generating CA private key...")
+    ca_private_key = generate_private_key()
+    save_private_key(ca_private_key, output_dir / "ca-key.pem")
+    
+    print("2. Creating CA certificate...")
+    ca_cert = create_ca_certificate(ca_private_key, ca_name, days)
+    save_certificate(ca_cert, output_dir / "ca.pem")
+    
+    # Generate server certificate
+    print("3. Generating server private key...")
+    server_private_key = generate_private_key()
+    save_private_key(server_private_key, output_dir / "server-key.pem")
+    
+    print("4. Creating server certificate...")
+    server_cert = create_server_certificate(
+        server_private_key, ca_cert, ca_private_key, server_name, days
+    )
+    save_certificate(server_cert, output_dir / "server.pem")
+    
+    # Generate client certificate if requested
+    if client_name:
+        print("5. Generating client private key...")
+        client_private_key = generate_private_key()
+        save_private_key(client_private_key, output_dir / "client-key.pem")
+        
+        print("6. Creating client certificate...")
+        client_cert = create_client_certificate(
+            client_private_key, ca_cert, ca_private_key, client_name, days
+        )
+        save_certificate(client_cert, output_dir / "client.pem")
+    
+    print("\nCertificate generation complete!")
+    print(f"Files created in {output_dir}:")
+    print("  ca.pem           - CA certificate")
+    print("  ca-key.pem       - CA private key")
+    print("  server.pem       - Server certificate")
+    print("  server-key.pem   - Server private key")
+    if client_name:
+        print("  client.pem       - Client certificate")
+        print("  client-key.pem   - Client private key")
+    
+    print(f"\nCertificates valid for {days} days")
+
+
+def main() -> None:
+    """Main entry point for the mkcert CLI tool."""
+    if not CRYPTOGRAPHY_AVAILABLE:
+        print("Error: cryptography package is required for certificate generation")
+        print("Install it with: pip install cryptography")
+        sys.exit(1)
+    
+    parser = argparse.ArgumentParser(
+        description="Generate certificates for SMCP mutual TLS"
+    )
+    parser.add_argument(
+        "--output-dir", "-o",
+        type=Path,
+        default=Path("./certs"),
+        help="Output directory for certificates (default: ./certs)"
+    )
+    parser.add_argument(
+        "--ca-name",
+        default="SMCP-CA",
+        help="Name for the Certificate Authority (default: SMCP-CA)"
+    )
+    parser.add_argument(
+        "--server-name",
+        default="smcp-server",
+        help="Server name for certificate (default: smcp-server)"
+    )
+    parser.add_argument(
+        "--client-name",
+        help="Client name for certificate (optional)"
+    )
+    parser.add_argument(
+        "--days",
+        type=int,
+        default=365,
+        help="Certificate validity period in days (default: 365)"
+    )
+    
+    args = parser.parse_args()
+    
+    try:
+        generate_certificates(
+            output_dir=args.output_dir,
+            ca_name=args.ca_name,
+            server_name=args.server_name,
+            client_name=args.client_name,
+            days=args.days
+        )
+    except Exception as e:
+        print(f"Error generating certificates: {e}")
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()