bizteamai-smcp-biz 1.13.1__py3-none-any.whl

smcp/filters.py

@@ -0,0 +1,176 @@
+"""
+Input filtering and sanitization for prompts and parameters.
+"""
+
+import re
+from typing import Any, Dict, Union
+
+
+class InputValidationError(Exception):
+    """Raised when input fails validation."""
+    pass
+
+
+def sanitize_prompt(prompt: str, cfg: Dict[str, Union[str, int]]) -> None:
+    """
+    Sanitize and validate prompt input against configured rules.
+    
+    Args:
+        prompt: The prompt text to validate
+        cfg: Configuration dictionary containing validation rules
+        
+    Raises:
+        InputValidationError: If the prompt fails validation
+    """
+    # Length validation
+    max_len = cfg.get("MAX_LEN")
+    if max_len and len(prompt) > max_len:
+        raise InputValidationError(f"Prompt exceeds maximum length of {max_len}")
+    
+    # Pattern validation
+    safe_re = cfg.get("SAFE_RE")
+    if safe_re:
+        if not re.match(safe_re, prompt, re.DOTALL):
+            raise InputValidationError("Prompt contains invalid characters or patterns")
+    
+    # Blocked patterns check
+    blocked_patterns = cfg.get("BLOCKED_PATTERNS", [])
+    for pattern in blocked_patterns:
+        if re.search(pattern, prompt, re.IGNORECASE):
+            raise InputValidationError(f"Prompt contains blocked pattern")
+
+
+def sanitize_parameter(param_name: str, param_value: Any, cfg: Dict[str, Any]) -> Any:
+    """
+    Sanitize and validate a function parameter.
+    
+    Args:
+        param_name: Name of the parameter
+        param_value: Value of the parameter
+        cfg: Configuration dictionary containing validation rules
+        
+    Returns:
+        Sanitized parameter value
+        
+    Raises:
+        InputValidationError: If the parameter fails validation
+    """
+    # String parameter validation
+    if isinstance(param_value, str):
+        _validate_string_parameter(param_name, param_value, cfg)
+    
+    # Numeric parameter validation
+    elif isinstance(param_value, (int, float)):
+        _validate_numeric_parameter(param_name, param_value, cfg)
+    
+    # List parameter validation
+    elif isinstance(param_value, list):
+        _validate_list_parameter(param_name, param_value, cfg)
+    
+    return param_value
+
+
+def _validate_string_parameter(param_name: str, value: str, cfg: Dict[str, Any]) -> None:
+    """Validate string parameters."""
+    param_rules = cfg.get("PARAM_RULES", {}).get(param_name, {})
+    
+    # Length validation
+    max_len = param_rules.get("max_length", cfg.get("MAX_PARAM_LEN"))
+    if max_len and len(value) > max_len:
+        raise InputValidationError(f"Parameter '{param_name}' exceeds maximum length")
+    
+    # Pattern validation
+    pattern = param_rules.get("pattern", cfg.get("PARAM_SAFE_RE"))
+    if pattern and not re.match(pattern, value):
+        raise InputValidationError(f"Parameter '{param_name}' contains invalid characters")
+    
+    # Blocked content check
+    blocked = param_rules.get("blocked", cfg.get("BLOCKED_PARAM_PATTERNS", []))
+    for block_pattern in blocked:
+        if re.search(block_pattern, value, re.IGNORECASE):
+            raise InputValidationError(f"Parameter '{param_name}' contains blocked content")
+
+
+def _validate_numeric_parameter(param_name: str, value: Union[int, float], cfg: Dict[str, Any]) -> None:
+    """Validate numeric parameters."""
+    param_rules = cfg.get("PARAM_RULES", {}).get(param_name, {})
+    
+    # Range validation
+    min_val = param_rules.get("min_value")
+    max_val = param_rules.get("max_value")
+    
+    if min_val is not None and value < min_val:
+        raise InputValidationError(f"Parameter '{param_name}' below minimum value {min_val}")
+    
+    if max_val is not None and value > max_val:
+        raise InputValidationError(f"Parameter '{param_name}' exceeds maximum value {max_val}")
+
+
+def _validate_list_parameter(param_name: str, value: list, cfg: Dict[str, Any]) -> None:
+    """Validate list parameters."""
+    param_rules = cfg.get("PARAM_RULES", {}).get(param_name, {})
+    
+    # Length validation
+    max_items = param_rules.get("max_items", cfg.get("MAX_LIST_ITEMS"))
+    if max_items and len(value) > max_items:
+        raise InputValidationError(f"Parameter '{param_name}' has too many items")
+    
+    # Validate each item in the list
+    for i, item in enumerate(value):
+        try:
+            if isinstance(item, str):
+                _validate_string_parameter(f"{param_name}[{i}]", item, cfg)
+            elif isinstance(item, (int, float)):
+                _validate_numeric_parameter(f"{param_name}[{i}]", item, cfg)
+        except InputValidationError as e:
+            raise InputValidationError(f"List item validation failed: {e}")
+
+
+def create_safe_regex(allowed_chars: str = None) -> str:
+    """
+    Create a safe regex pattern for input validation.
+    
+    Args:
+        allowed_chars: Additional characters to allow beyond basic alphanumeric
+        
+    Returns:
+        Regex pattern string for safe input validation
+    """
+    base_chars = r"\w\s"  # alphanumeric and whitespace
+    
+    if allowed_chars:
+        # Escape special regex characters
+        escaped_chars = re.escape(allowed_chars)
+        base_chars += escaped_chars
+    
+    return f"^[{base_chars}]*$"
+
+
+def strip_dangerous_content(text: str, cfg: Dict[str, Any]) -> str:
+    """
+    Strip potentially dangerous content from text.
+    
+    Args:
+        text: Text to sanitize
+        cfg: Configuration dictionary
+        
+    Returns:
+        Sanitized text with dangerous content removed
+    """
+    # Remove common injection patterns
+    dangerous_patterns = [
+        r'<script[^>]*>.*?</script>',  # Script tags
+        r'javascript:',                # JavaScript URLs
+        r'data:',                     # Data URLs
+        r'vbscript:',                 # VBScript URLs
+    ]
+    
+    # Add custom dangerous patterns from config
+    custom_patterns = cfg.get("DANGEROUS_PATTERNS", [])
+    dangerous_patterns.extend(custom_patterns)
+    
+    sanitized = text
+    for pattern in dangerous_patterns:
+        sanitized = re.sub(pattern, '', sanitized, flags=re.IGNORECASE)
+    
+    return sanitized

smcp/license.py

@@ -0,0 +1,232 @@
+"""
+License parsing, verification, and management for SMCP Business Edition.
+"""
+import os
+import hmac
+import hashlib
+import logging
+import requests
+from datetime import datetime, timezone
+from typing import Optional, Dict, Any
+
+logger = logging.getLogger(__name__)
+
+# Global license state
+_license_info: Optional[Dict[str, Any]] = None
+_server_secret = "default-dev-secret-change-in-production"  # Should be from env in production
+
+class LicenseError(Exception):
+    """License validation error."""
+    pass
+
+def parse_license_key(key: str) -> Dict[str, Any]:
+    """
+    Parse a license key in format: BZT.<custID>.<cores>.<expiryUTC>.<nonce>.<sig>
+    
+    Args:
+        key: License key string
+        
+    Returns:
+        Dictionary with parsed components
+        
+    Raises:
+        LicenseError: If key format is invalid
+    """
+    parts = key.strip().split('.')
+    if len(parts) != 6 or parts[0] != 'BZT':
+        raise LicenseError("Invalid license key format")
+    
+    try:
+        return {
+            'prefix': parts[0],
+            'customer_id': parts[1],
+            'cores': int(parts[2]),
+            'expiry': parts[3],
+            'nonce': parts[4],
+            'signature': parts[5]
+        }
+    except ValueError as e:
+        raise LicenseError(f"Invalid license key data: {e}")
+
+def verify_signature(license_data: Dict[str, Any], secret: str) -> bool:
+    """
+    Verify the HMAC signature of a license key.
+    
+    Args:
+        license_data: Parsed license data
+        secret: Server secret for verification
+        
+    Returns:
+        True if signature is valid
+    """
+    payload = f"BZT.{license_data['customer_id']}.{license_data['cores']}.{license_data['expiry']}.{license_data['nonce']}"
+    
+    expected_sig = hmac.new(
+        secret.encode('utf-8'),
+        payload.encode('utf-8'),
+        hashlib.sha256
+    ).hexdigest()
+    
+    return hmac.compare_digest(expected_sig, license_data['signature'])
+
+def check_expiry(license_data: Dict[str, Any]) -> bool:
+    """
+    Check if license has expired (with 24h grace period).
+    
+    Args:
+        license_data: Parsed license data
+        
+    Returns:
+        True if license is still valid
+    """
+    try:
+        expiry_date = datetime.strptime(license_data['expiry'], '%Y%m%d')
+        expiry_date = expiry_date.replace(tzinfo=timezone.utc)
+        
+        # Add 24 hour grace period
+        from datetime import timedelta
+        grace_expiry = expiry_date + timedelta(hours=24)
+        
+        now = datetime.now(timezone.utc)
+        return now <= grace_expiry
+    except ValueError:
+        return False
+
+def check_revocation(license_key: str) -> bool:
+    """
+    Check if license key is revoked by querying remote revocation list.
+    
+    Args:
+        license_key: Full license key
+        
+    Returns:
+        True if license is NOT revoked
+    """
+    try:
+        # Calculate key hash
+        key_hash = hashlib.sha256(license_key.encode()).hexdigest()
+        
+        # Check if revocation checking is disabled
+        if os.getenv('BIZTEAM_SKIP_REVOCATION') == '1':
+            logger.debug("Revocation checking disabled")
+            return True
+        
+        # Fetch revocation list (with timeout)
+        revocation_url = os.getenv('BIZTEAM_REVOCATION_URL', 'https://revocation.bizteam.com/v1/list')
+        response = requests.get(revocation_url, timeout=5)
+        
+        if response.status_code == 200:
+            revoked_hashes = response.json().get('revoked', [])
+            if key_hash in revoked_hashes:
+                logger.warning(f"License key is revoked: {key_hash[:16]}...")
+                return False
+        else:
+            logger.warning(f"Could not check revocation list: HTTP {response.status_code}")
+        
+        return True
+        
+    except requests.RequestException as e:
+        logger.warning(f"Revocation check failed: {e}")
+        # Fail open - allow license if revocation check fails
+        return True
+    except Exception as e:
+        logger.error(f"Unexpected error during revocation check: {e}")
+        return True
+
+def load_license_key() -> Optional[str]:
+    """
+    Load license key from environment or file.
+    
+    Returns:
+        License key string or None if not found
+    """
+    # Try environment variable first
+    key = os.getenv('BIZTEAM_LICENSE_KEY')
+    if key:
+        return key.strip()
+    
+    # Try license file
+    license_file = os.getenv('BIZTEAM_LICENSE_FILE', '/etc/bizteam/license.txt')
+    try:
+        with open(license_file, 'r') as f:
+            return f.read().strip()
+    except FileNotFoundError:
+        logger.error(f"License file not found: {license_file}")
+        return None
+    except Exception as e:
+        logger.error(f"Error reading license file: {e}")
+        return None
+
+def verify_license() -> Optional[Dict[str, Any]]:
+    """
+    Load and verify the license key.
+    
+    Returns:
+        Verified license data or None if invalid
+    """
+    global _license_info
+    
+    # Load license key
+    key = load_license_key()
+    if not key:
+        logger.error("No license key found")
+        return None
+    
+    try:
+        # Parse license
+        license_data = parse_license_key(key)
+        
+        # Get server secret
+        secret = os.getenv('BIZTEAM_SERVER_SECRET', _server_secret)
+        
+        # Verify signature
+        if not verify_signature(license_data, secret):
+            logger.error("License signature verification failed")
+            return None
+        
+        # Check expiry
+        if not check_expiry(license_data):
+            logger.error("License has expired")
+            return None
+        
+        # Check revocation
+        if not check_revocation(key):
+            logger.error("License has been revoked")
+            return None
+        
+        # Cache license info
+        _license_info = license_data
+        logger.info(f"License verified for customer {license_data['customer_id']}")
+        return license_data
+        
+    except LicenseError as e:
+        logger.error(f"License validation failed: {e}")
+        return None
+
+def get_licensed_cores() -> int:
+    """
+    Get the number of cores licensed.
+    
+    Returns:
+        Number of licensed cores, or 0 if no valid license
+    """
+    if _license_info:
+        return _license_info['cores']
+    
+    # Try to verify license if not cached
+    license_data = verify_license()
+    return license_data['cores'] if license_data else 0
+
+def get_customer_id() -> Optional[str]:
+    """
+    Get the customer ID from the license.
+    
+    Returns:
+        Customer ID or None if no valid license
+    """
+    if _license_info:
+        return _license_info['customer_id']
+    
+    # Try to verify license if not cached
+    license_data = verify_license()
+    return license_data['customer_id'] if license_data else None

smcp/logchain.py

@@ -0,0 +1,270 @@
+"""
+Tamper-proof logging with SHA-256 chaining for audit trails.
+"""
+
+import hashlib
+import json
+import time
+from pathlib import Path
+from typing import Any, Dict, List, Optional, Tuple
+
+
+class LogChain:
+    """
+    Append-only logger with SHA-256 chaining for tamper detection.
+    
+    Each log entry contains a hash of the previous entry, creating
+    a chain that can detect tampering anywhere in the log.
+    """
+    
+    def __init__(self, log_path: str):
+        """
+        Initialize the log chain.
+        
+        Args:
+            log_path: Path to the log file
+        """
+        self.log_path = Path(log_path)
+        self.log_path.parent.mkdir(parents=True, exist_ok=True)
+        self._initialize_log()
+    
+    def _initialize_log(self) -> None:
+        """Initialize the log file if it doesn't exist."""
+        if not self.log_path.exists():
+            # Create genesis entry
+            genesis_entry = {
+                "sequence": 0,
+                "timestamp": time.time(),
+                "event_type": "genesis",
+                "data": "Log chain initialized",
+                "previous_hash": "0" * 64,  # Genesis has no previous hash
+            }
+            genesis_entry["hash"] = self._calculate_hash(genesis_entry)
+            
+            with open(self.log_path, 'w') as f:
+                json.dump([genesis_entry], f, indent=2)
+    
+    def _calculate_hash(self, entry: Dict[str, Any]) -> str:
+        """Calculate SHA-256 hash for a log entry."""
+        # Create a copy without the hash field for calculation
+        entry_copy = {k: v for k, v in entry.items() if k != "hash"}
+        entry_json = json.dumps(entry_copy, sort_keys=True, separators=(',', ':'))
+        return hashlib.sha256(entry_json.encode()).hexdigest()
+    
+    def _load_log(self) -> List[Dict[str, Any]]:
+        """Load the current log entries."""
+        try:
+            with open(self.log_path, 'r') as f:
+                return json.load(f)
+        except (FileNotFoundError, json.JSONDecodeError):
+            return []
+    
+    def _save_log(self, entries: List[Dict[str, Any]]) -> None:
+        """Save log entries to disk."""
+        with open(self.log_path, 'w') as f:
+            json.dump(entries, f, indent=2, default=str)
+    
+    def _get_last_hash(self) -> str:
+        """Get the hash of the last log entry."""
+        entries = self._load_log()
+        return entries[-1]["hash"] if entries else "0" * 64
+    
+    def append(self, event_type: str, data: Any) -> str:
+        """
+        Append a new entry to the log chain.
+        
+        Args:
+            event_type: Type of event being logged
+            data: Event data to log
+            
+        Returns:
+            Hash of the new entry
+        """
+        entries = self._load_log()
+        sequence = len(entries)
+        previous_hash = self._get_last_hash()
+        
+        entry = {
+            "sequence": sequence,
+            "timestamp": time.time(),
+            "event_type": event_type,
+            "data": data,
+            "previous_hash": previous_hash,
+        }
+        entry["hash"] = self._calculate_hash(entry)
+        
+        entries.append(entry)
+        self._save_log(entries)
+        
+        return entry["hash"]
+    
+    def verify_chain(self) -> Tuple[bool, Optional[int]]:
+        """
+        Verify the integrity of the log chain.
+        
+        Returns:
+            Tuple of (is_valid, first_invalid_sequence)
+            is_valid is False if tampering is detected
+            first_invalid_sequence is the sequence number of the first invalid entry
+        """
+        entries = self._load_log()
+        
+        if not entries:
+            return True, None
+        
+        # Verify genesis entry
+        if entries[0]["previous_hash"] != "0" * 64:
+            return False, 0
+        
+        # Verify each entry's hash and chain
+        for i, entry in enumerate(entries):
+            # Verify the entry's own hash
+            calculated_hash = self._calculate_hash(entry)
+            if calculated_hash != entry["hash"]:
+                return False, i
+            
+            # Verify the chain (except for genesis)
+            if i > 0:
+                if entry["previous_hash"] != entries[i-1]["hash"]:
+                    return False, i
+        
+        return True, None
+    
+    def get_entries(self, start_sequence: int = 0, end_sequence: Optional[int] = None) -> List[Dict[str, Any]]:
+        """
+        Get log entries in a range.
+        
+        Args:
+            start_sequence: Starting sequence number (inclusive)
+            end_sequence: Ending sequence number (inclusive, None for all)
+            
+        Returns:
+            List of log entries in the specified range
+        """
+        entries = self._load_log()
+        
+        if end_sequence is None:
+            end_sequence = len(entries) - 1
+        
+        return [entry for entry in entries 
+                if start_sequence <= entry["sequence"] <= end_sequence]
+    
+    def get_stats(self) -> Dict[str, Any]:
+        """Get statistics about the log chain."""
+        entries = self._load_log()
+        
+        if not entries:
+            return {"total_entries": 0, "chain_valid": True}
+        
+        is_valid, invalid_seq = self.verify_chain()
+        
+        event_types = {}
+        for entry in entries:
+            event_type = entry["event_type"]
+            event_types[event_type] = event_types.get(event_type, 0) + 1
+        
+        return {
+            "total_entries": len(entries),
+            "chain_valid": is_valid,
+            "first_invalid_sequence": invalid_seq,
+            "first_entry_time": entries[0]["timestamp"] if entries else None,
+            "last_entry_time": entries[-1]["timestamp"] if entries else None,
+            "event_type_counts": event_types,
+        }
+
+
+# Global logger instance
+_logger = None
+
+
+def get_logger(cfg: Dict[str, Any]) -> Optional[LogChain]:
+    """Get or create the global logger if logging is enabled."""
+    global _logger
+    
+    log_path = cfg.get("LOG_PATH")
+    if not log_path:
+        return None
+    
+    if _logger is None:
+        _logger = LogChain(log_path)
+    
+    return _logger
+
+
+def log_event(function_name: str, args: Tuple, kwargs: Dict[str, Any], result: Any, cfg: Dict[str, Any]) -> None:
+    """
+    Log a function execution event.
+    
+    Args:
+        function_name: Name of the executed function
+        args: Function arguments
+        kwargs: Function keyword arguments
+        result: Function result
+        cfg: Configuration dictionary
+    """
+    logger = get_logger(cfg)
+    if not logger:
+        return
+    
+    # Remove sensitive data from kwargs for logging
+    safe_kwargs = {k: v for k, v in kwargs.items() if not k.startswith("_")}
+    
+    event_data = {
+        "function": function_name,
+        "args": args,
+        "kwargs": safe_kwargs,
+        "result_type": type(result).__name__,
+        "result_size": len(str(result)) if result is not None else 0,
+        "success": True,
+    }
+    
+    logger.append("function_execution", event_data)
+
+
+def log_security_event(event_type: str, details: Dict[str, Any], cfg: Dict[str, Any]) -> None:
+    """
+    Log a security-related event.
+    
+    Args:
+        event_type: Type of security event
+        details: Event details
+        cfg: Configuration dictionary
+    """
+    logger = get_logger(cfg)
+    if not logger:
+        return
+    
+    event_data = {
+        "security_event_type": event_type,
+        "details": details,
+    }
+    
+    logger.append("security_event", event_data)
+
+
+def log_error(function_name: str, error: Exception, args: Tuple, kwargs: Dict[str, Any], cfg: Dict[str, Any]) -> None:
+    """
+    Log an error event.
+    
+    Args:
+        function_name: Name of the function that errored
+        error: The exception that occurred
+        args: Function arguments
+        kwargs: Function keyword arguments
+        cfg: Configuration dictionary
+    """
+    logger = get_logger(cfg)
+    if not logger:
+        return
+    
+    safe_kwargs = {k: v for k, v in kwargs.items() if not k.startswith("_")}
+    
+    event_data = {
+        "function": function_name,
+        "error_type": type(error).__name__,
+        "error_message": str(error),
+        "args": args,
+        "kwargs": safe_kwargs,
+    }
+    
+    logger.append("function_error", event_data)