ciris-agent 1.7.7__py3-none-any.whl

ciris_engine/logic/audit/hash_chain.py

@@ -0,0 +1,313 @@
+"""
+Hash chain manager for signed audit trail system.
+
+Provides cryptographic integrity through hash chaining and ensures
+tamper-evident audit logs for the CIRIS Agent system.
+"""
+
+import hashlib
+import json
+import logging
+import sqlite3
+import threading
+from typing import List, Optional
+
+from ciris_engine.logic.utils.jsondict_helpers import get_int, get_str
+from ciris_engine.schemas.audit.hash_chain import ChainSummary, HashChainVerificationResult
+from ciris_engine.schemas.types import JSONDict
+
+logger = logging.getLogger(__name__)
+
+
+class AuditHashChain:
+    """Manages the cryptographic hash chain for audit entries"""
+
+    def __init__(self, db_path: str) -> None:
+        self.db_path = db_path
+        self._last_hash: Optional[str] = None
+        self._sequence_number: int = 0
+        self._initialized = False
+        self._lock = threading.Lock()
+
+    def initialize(self, force: bool = False) -> None:
+        """Initialize the hash chain by loading the last entry"""
+        if self._initialized and not force:
+            return
+
+        last_entry = self.get_last_entry()
+        if last_entry:
+            entry_hash_val = get_str(last_entry, "entry_hash", "")
+            self._last_hash = entry_hash_val if entry_hash_val else None
+            self._sequence_number = get_int(last_entry, "sequence_number", 0)
+        else:
+            self._last_hash = None
+            self._sequence_number = 0
+
+        self._initialized = True
+        logger.info(f"Hash chain initialized at sequence {self._sequence_number}")
+
+    def compute_entry_hash(self, entry: JSONDict) -> str:
+        """Compute deterministic hash of entry content.
+
+        Args:
+            entry: Audit entry as JSON-compatible dict
+
+        Returns:
+            SHA-256 hash of the canonical entry representation
+        """
+        # Create canonical representation for hashing
+        canonical = {
+            "event_id": entry["event_id"],
+            "event_timestamp": entry["event_timestamp"],
+            "event_type": entry["event_type"],
+            "originator_id": entry["originator_id"],
+            "event_payload": entry.get("event_payload", ""),
+            "sequence_number": entry["sequence_number"],
+            "previous_hash": entry["previous_hash"],
+        }
+
+        # Convert to deterministic JSON
+        canonical_json = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
+
+        # Compute SHA-256 hash
+        return hashlib.sha256(canonical_json.encode("utf-8")).hexdigest()
+
+    def prepare_entry(self, entry: JSONDict) -> JSONDict:
+        """Prepare an entry for the hash chain by adding chain fields.
+
+        Args:
+            entry: Audit entry to prepare
+
+        Returns:
+            Entry with sequence_number, previous_hash, and entry_hash added
+        """
+        if not self._initialized:
+            self.initialize()
+
+        with self._lock:
+            # Re-read the last entry inside the lock to ensure we have the latest
+            last_entry = self.get_last_entry()
+            if last_entry:
+                entry_hash_val = get_str(last_entry, "entry_hash", "")
+                self._last_hash = entry_hash_val if entry_hash_val else None
+                self._sequence_number = get_int(last_entry, "sequence_number", 0)
+
+            self._sequence_number += 1
+            entry["sequence_number"] = self._sequence_number
+            entry["previous_hash"] = self._last_hash or "genesis"
+
+            entry_hash = self.compute_entry_hash(entry)
+            entry["entry_hash"] = entry_hash
+
+            self._last_hash = entry_hash
+
+        return entry
+
+    def get_last_entry(self) -> Optional[JSONDict]:
+        """Retrieve the last entry from the chain.
+
+        Returns:
+            Last audit entry as JSON-compatible dict, or None if chain is empty
+        """
+        try:
+            conn = sqlite3.connect(self.db_path)
+            conn.row_factory = sqlite3.Row
+            cursor = conn.cursor()
+
+            cursor.execute(
+                """
+                SELECT * FROM audit_log
+                ORDER BY sequence_number DESC
+                LIMIT 1
+            """
+            )
+
+            row = cursor.fetchone()
+            conn.close()
+
+            if row:
+                return dict(row)
+            return None
+
+        except sqlite3.Error as e:
+            logger.error(f"Failed to get last entry: {e}")
+            return None
+
+    def verify_chain_integrity(self, start_seq: int = 1, end_seq: Optional[int] = None) -> HashChainVerificationResult:
+        """Verify the integrity of the hash chain"""
+        conn = None
+        result = None
+        try:
+            conn = sqlite3.connect(self.db_path)
+            conn.row_factory = sqlite3.Row
+            cursor = conn.cursor()
+
+            # Build query
+            if end_seq:
+                cursor.execute(
+                    """
+                    SELECT * FROM audit_log
+                    WHERE sequence_number >= ? AND sequence_number <= ?
+                    ORDER BY sequence_number
+                """,
+                    (start_seq, end_seq),
+                )
+            else:
+                cursor.execute(
+                    """
+                    SELECT * FROM audit_log
+                    WHERE sequence_number >= ?
+                    ORDER BY sequence_number
+                """,
+                    (start_seq,),
+                )
+
+            entries = [dict(row) for row in cursor.fetchall()]
+
+            if not entries:
+                result = HashChainVerificationResult(
+                    valid=True, entries_checked=0, errors=[], last_sequence=0, tampering_location=None
+                )
+            else:
+                errors: List[str] = []
+                previous_hash: Optional[str] = None
+
+                # If not starting from sequence 1, get the previous entry's hash
+                if start_seq > 1:
+                    cursor.execute(
+                        """
+                        SELECT entry_hash FROM audit_log
+                        WHERE sequence_number = ?
+                    """,
+                        (start_seq - 1,),
+                    )
+                    prev_row = cursor.fetchone()
+                    if prev_row:
+                        previous_hash = prev_row[0]
+
+                for i, entry in enumerate(entries):
+                    expected_seq = start_seq + i
+                    if entry["sequence_number"] != expected_seq:
+                        errors.append(f"Sequence gap at {entry['sequence_number']}, expected {expected_seq}")
+
+                    if i == 0 and start_seq == 1:
+                        expected_prev = "genesis"
+                    else:
+                        expected_prev = previous_hash or ""
+
+                    if entry["previous_hash"] != expected_prev:
+                        errors.append(f"Hash chain break at sequence {entry['sequence_number']}")
+
+                    computed_hash = self.compute_entry_hash(entry)
+                    if computed_hash != entry["entry_hash"]:
+                        errors.append(f"Entry hash mismatch at sequence {entry['sequence_number']}")
+
+                    previous_hash = entry["entry_hash"]
+
+                result = HashChainVerificationResult(
+                    valid=len(errors) == 0,
+                    entries_checked=len(entries),
+                    errors=errors,
+                    last_sequence=entries[-1]["sequence_number"] if entries else 0,
+                    tampering_location=None,
+                )
+
+        except sqlite3.Error as e:
+            logger.error(f"Chain verification failed: {e}")
+            result = HashChainVerificationResult(
+                valid=False,
+                entries_checked=0,
+                errors=[f"Database error: {e}"],
+                last_sequence=0,
+                tampering_location=None,
+            )
+        finally:
+            if conn:
+                conn.close()
+
+        return result
+
+    def find_tampering(self) -> Optional[int]:
+        """Find the first tampered entry in the chain using linear search"""
+        if not self._initialized:
+            self.initialize()
+
+        if self._sequence_number == 0:
+            return None  # Empty chain
+
+        # Do a full chain verification to find errors
+        result = self.verify_chain_integrity(1, self._sequence_number)
+
+        if result.valid:
+            return None  # No tampering found
+
+        # Parse errors to find first tampered sequence
+        errors = result.errors
+        if not errors:
+            return 1  # Found tampering but no specific errors
+
+        # Sort to find the first error by sequence number
+        tampered_sequences: List[int] = []
+        for error in errors:
+            # Look for specific error patterns
+            import re
+
+            # Pattern for "Entry hash mismatch at sequence X"
+            match = re.search(r"at sequence (\d+)", error)
+            if match:
+                tampered_sequences.append(int(match.group(1)))
+                continue
+            # Pattern for "Hash chain break at sequence X"
+            match = re.search(r"sequence (\d+)", error)
+            if match:
+                tampered_sequences.append(int(match.group(1)))
+
+        if tampered_sequences:
+            return min(tampered_sequences)  # Return the first tampered sequence
+
+        # If we can't parse specific sequence, return 1 as fallback
+        return 1
+
+    def get_chain_summary(self) -> ChainSummary:
+        """Get a summary of the current chain state"""
+        if not self._initialized:
+            self.initialize()
+
+        try:
+            conn = sqlite3.connect(self.db_path)
+            cursor = conn.cursor()
+
+            cursor.execute("SELECT COUNT(*), MIN(sequence_number), MAX(sequence_number) FROM audit_log")
+            count, min_seq, max_seq = cursor.fetchone()
+
+            cursor.execute("SELECT event_timestamp FROM audit_log ORDER BY sequence_number LIMIT 1")
+            oldest_row = cursor.fetchone()
+            oldest = oldest_row[0] if oldest_row else None
+
+            cursor.execute("SELECT event_timestamp FROM audit_log ORDER BY sequence_number DESC LIMIT 1")
+            newest_row = cursor.fetchone()
+            newest = newest_row[0] if newest_row else None
+
+            conn.close()
+
+            return ChainSummary(
+                total_entries=count or 0,
+                sequence_range=[min_seq, max_seq] if min_seq else [0, 0],
+                current_sequence=self._sequence_number,
+                current_hash=self._last_hash,
+                oldest_entry=oldest,
+                newest_entry=newest,
+                error=None,
+            )
+
+        except sqlite3.Error as e:
+            logger.error(f"Failed to get chain summary: {e}")
+            return ChainSummary(
+                total_entries=0,
+                sequence_range=[0, 0],
+                current_sequence=0,
+                current_hash=None,
+                oldest_entry=None,
+                newest_entry=None,
+                error=str(e),
+            )

ciris_engine/logic/audit/signature_manager.py

@@ -0,0 +1,352 @@
+"""
+Signature manager for signed audit trail system.
+
+Manages RSA keys and digital signatures for audit entry non-repudiation.
+Designed for resource-constrained deployments with minimal overhead.
+"""
+
+import base64
+import hashlib
+import logging
+import os
+import sqlite3
+from pathlib import Path
+from typing import Optional
+
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import padding, rsa
+from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes, PublicKeyTypes
+
+from ciris_engine.protocols.services.lifecycle.time import TimeServiceProtocol
+from ciris_engine.schemas.types import JSONDict
+
+logger = logging.getLogger(__name__)
+
+
+class AuditSignatureManager:
+    """Manages signing keys and signatures for audit entries"""
+
+    def __init__(self, key_path: str, db_path: str, time_service: TimeServiceProtocol) -> None:
+        self.key_path = Path(key_path)
+        self.db_path = db_path
+        self._time_service = time_service
+        self._private_key: Optional[PrivateKeyTypes] = None
+        self._public_key: Optional[PublicKeyTypes] = None
+        self._key_id: Optional[str] = None
+
+        # Ensure key directory exists
+        self.key_path.mkdir(parents=True, exist_ok=True)
+
+    def initialize(self) -> None:
+        """Initialize the signature manager by loading or generating keys"""
+        if self.key_path == Path("/") or not os.access(self.key_path, os.W_OK):
+            raise PermissionError(f"Key path {self.key_path} is not writable")
+        try:
+            self._load_or_generate_keys()
+            self._register_public_key()
+            logger.info(f"Signature manager initialized with key ID: {self._key_id}")
+        except Exception as e:
+            logger.error(f"Failed to initialize signature manager: {e}")
+            raise
+
+    def _load_or_generate_keys(self) -> None:
+        """Load existing keys or generate new ones"""
+        private_key_path = self.key_path / "audit_signing_private.pem"
+        public_key_path = self.key_path / "audit_signing_public.pem"
+
+        try:
+            # Try to load existing keys
+            if private_key_path.exists() and public_key_path.exists():
+                logger.info("Loading existing audit signing keys")
+
+                with open(private_key_path, "rb") as f:
+                    self._private_key = serialization.load_pem_private_key(f.read(), password=None)
+
+                with open(public_key_path, "rb") as f:
+                    self._public_key = serialization.load_pem_public_key(f.read())
+
+            else:
+                # Generate new key pair
+                logger.info("Generating new audit signing keys")
+                self._generate_new_keypair()
+
+        except Exception as e:
+            logger.warning(f"Failed to load keys, generating new ones: {e}")
+            self._generate_new_keypair()
+
+        # Compute key ID from public key
+        self._key_id = self._compute_key_id()
+
+    def _generate_new_keypair(self) -> None:
+        """Generate a new RSA key pair"""
+        self._private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+
+        self._public_key = self._private_key.public_key()
+
+        self._save_keys()
+
+    def _save_keys(self) -> None:
+        """Save the key pair to disk"""
+        if not self._private_key or not self._public_key:
+            raise RuntimeError("Keys not initialized")
+
+        private_key_path = self.key_path / "audit_signing_private.pem"
+        public_key_path = self.key_path / "audit_signing_public.pem"
+
+        # Save private key
+        private_pem = self._private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.PKCS8,
+            encryption_algorithm=serialization.NoEncryption(),
+        )
+
+        with open(private_key_path, "wb") as f:
+            f.write(private_pem)
+
+        # Set restrictive permissions on private key
+        os.chmod(private_key_path, 0o600)
+
+        # Save public key
+        public_pem = self._public_key.public_bytes(
+            encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo
+        )
+
+        with open(public_key_path, "wb") as f:
+            f.write(public_pem)
+
+        logger.info("Audit signing keys saved to disk")
+
+    def _compute_key_id(self) -> str:
+        """Compute a unique identifier for the public key"""
+        if not self._public_key:
+            raise RuntimeError("Public key not initialized")
+
+        public_pem = self._public_key.public_bytes(
+            encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo
+        )
+
+        hash_bytes = hashlib.sha256(public_pem).digest()
+        return base64.b64encode(hash_bytes[:16]).decode("ascii")
+
+    def _register_public_key(self) -> None:
+        """Register the public key in the database"""
+        if not self._public_key or not self._key_id:
+            raise RuntimeError("Keys not initialized for registration")
+
+        try:
+            conn = sqlite3.connect(self.db_path)
+            cursor = conn.cursor()
+
+            # Check if key already exists
+            cursor.execute("SELECT key_id FROM audit_signing_keys WHERE key_id = ?", (self._key_id,))
+
+            if cursor.fetchone():
+                logger.debug(f"Key {self._key_id} already registered")
+                conn.close()
+                return
+
+            # Insert new key
+            public_pem = self._public_key.public_bytes(
+                encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo
+            ).decode("ascii")
+
+            cursor.execute(
+                """
+                INSERT INTO audit_signing_keys
+                (key_id, public_key, algorithm, key_size, created_at)
+                VALUES (?, ?, ?, ?, ?)
+            """,
+                (self._key_id, public_pem, "rsa-pss", 2048, self._time_service.now_iso()),
+            )
+
+            conn.commit()
+            conn.close()
+
+            logger.info(f"Registered public key in database: {self._key_id}")
+
+        except sqlite3.Error as e:
+            logger.error(f"Failed to register public key: {e}")
+
+    def sign_entry(self, entry_hash: str) -> str:
+        """Sign an entry hash and return base64 encoded signature"""
+        if not self._private_key:
+            raise RuntimeError("Signature manager not initialized")
+
+        # Ensure we have an RSA key for signing
+        if not isinstance(self._private_key, rsa.RSAPrivateKey):
+            raise RuntimeError("Only RSA keys are supported for signing")
+
+        try:
+            # Sign the hash using RSA-PSS
+            signature = self._private_key.sign(
+                entry_hash.encode("utf-8"),
+                padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH),
+                hashes.SHA256(),
+            )
+
+            # Return base64 encoded signature
+            return base64.b64encode(signature).decode("ascii")
+
+        except Exception as e:
+            logger.error(f"Failed to sign entry: {e}")
+            raise
+
+    def verify_signature(self, entry_hash: str, signature: str, key_id: Optional[str] = None) -> bool:
+        """Verify a signature against an entry hash"""
+        try:
+            if key_id is None or key_id == self._key_id:
+                public_key = self._public_key
+            else:
+                public_key = self._load_public_key(key_id)
+                if not public_key:
+                    logger.error(f"Public key not found: {key_id}")
+                    return False
+
+            if not public_key:
+                logger.error("No public key available for verification")
+                return False
+
+            if not isinstance(public_key, rsa.RSAPublicKey):
+                logger.error("Only RSA keys are supported for verification")
+                return False
+
+            signature_bytes = base64.b64decode(signature.encode("ascii"))
+
+            public_key.verify(
+                signature_bytes,
+                entry_hash.encode("utf-8"),
+                padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH),
+                hashes.SHA256(),
+            )
+
+            return True
+
+        except InvalidSignature:
+            logger.warning(f"Invalid signature for entry hash: {entry_hash[:16]}...")
+            return False
+        except Exception as e:
+            logger.error(f"Signature verification error: {e}")
+            return False
+
+    def _load_public_key(self, key_id: str) -> Optional[PublicKeyTypes]:
+        """Load a public key from the database by key ID"""
+        try:
+            conn = sqlite3.connect(self.db_path)
+            cursor = conn.cursor()
+
+            cursor.execute("SELECT public_key FROM audit_signing_keys WHERE key_id = ?", (key_id,))
+
+            row = cursor.fetchone()
+            conn.close()
+
+            if not row:
+                return None
+
+            # Load public key from PEM
+            return serialization.load_pem_public_key(row[0].encode("ascii"))
+
+        except Exception as e:
+            logger.error(f"Failed to load public key {key_id}: {e}")
+            return None
+
+    def rotate_keys(self) -> str:
+        """Rotate to a new key pair and return the new key ID"""
+        logger.info("Rotating audit signing keys")
+
+        if self._key_id:
+            self._revoke_key(self._key_id)
+
+        self._generate_new_keypair()
+        self._key_id = self._compute_key_id()
+
+        self._register_public_key()
+
+        logger.info(f"Key rotation complete, new key ID: {self._key_id}")
+        return self._key_id
+
+    def _revoke_key(self, key_id: str) -> None:
+        """Mark a key as revoked in the database"""
+        try:
+            conn = sqlite3.connect(self.db_path)
+            cursor = conn.cursor()
+
+            cursor.execute(
+                """
+                UPDATE audit_signing_keys
+                SET revoked_at = ?
+                WHERE key_id = ?
+            """,
+                (self._time_service.now_iso(), key_id),
+            )
+
+            conn.commit()
+            conn.close()
+
+            logger.info(f"Revoked signing key: {key_id}")
+
+        except sqlite3.Error as e:
+            logger.error(f"Failed to revoke key {key_id}: {e}")
+
+    def get_key_info(self) -> JSONDict:
+        """Get information about the current signing key.
+
+        Returns:
+            Dict containing key metadata (key_id, algorithm, key_size, etc.)
+        """
+        if not self._key_id:
+            return {"error": "Not initialized"}
+
+        try:
+            conn = sqlite3.connect(self.db_path)
+            cursor = conn.cursor()
+
+            cursor.execute(
+                """
+                SELECT key_id, algorithm, key_size, created_at, revoked_at
+                FROM audit_signing_keys
+                WHERE key_id = ?
+            """,
+                (self._key_id,),
+            )
+
+            row = cursor.fetchone()
+            conn.close()
+
+            if row:
+                return {
+                    "key_id": row[0],
+                    "algorithm": row[1],
+                    "key_size": row[2],
+                    "created_at": row[3],
+                    "revoked_at": row[4],
+                    "active": row[4] is None,
+                }
+            else:
+                return {"error": "Key not found in database"}
+
+        except sqlite3.Error as e:
+            return {"error": f"Database error: {e}"}
+
+    @property
+    def key_id(self) -> Optional[str]:
+        """Get the current key ID"""
+        return self._key_id
+
+    def test_signing(self) -> bool:
+        """Test that signing and verification work correctly"""
+        try:
+            test_data = "test_entry_hash_12345"
+            signature = self.sign_entry(test_data)
+            verified = self.verify_signature(test_data, signature)
+
+            if verified:
+                logger.debug("Signature test passed")
+                return True
+            else:
+                logger.error("Signature test failed - verification failed")
+                return False
+
+        except Exception as e:
+            logger.error(f"Signature test failed with exception: {e}")
+            return False