clonebox 1.1.17__py3-none-any.whl → 1.1.19__py3-none-any.whl

clonebox/health/probes.py

@@ -8,6 +8,7 @@ from abc import ABC, abstractmethod
 from datetime import datetime
 from typing import Optional
 
+from clonebox.policies import PolicyEngine, PolicyViolationError
 from .models import HealthCheckResult, HealthStatus, ProbeConfig
 
 try:
@@ -57,6 +58,19 @@ class HTTPProbe(HealthProbe):
 
         start = time.time()
         try:
+            policy = PolicyEngine.load_effective()
+            if policy is not None:
+                try:
+                    policy.assert_url_allowed(config.url)
+                except PolicyViolationError as e:
+                    duration_ms = (time.time() - start) * 1000
+                    return self._create_result(
+                        config,
+                        HealthStatus.UNHEALTHY,
+                        duration_ms,
+                        error=str(e),
+                    )
+
             req = urllib.request.Request(
                 config.url,
                 method=config.method,

clonebox/policies/__init__.py

@@ -0,0 +1,13 @@
+from .engine import PolicyEngine, PolicyValidationError, PolicyViolationError
+from .models import PolicyFile, PolicySet, NetworkPolicy, OperationsPolicy, ResourcesPolicy
+
+__all__ = [
+    "PolicyEngine",
+    "PolicyValidationError",
+    "PolicyViolationError",
+    "PolicyFile",
+    "PolicySet",
+    "NetworkPolicy",
+    "OperationsPolicy",
+    "ResourcesPolicy",
+]

clonebox/policies/engine.py

@@ -0,0 +1,112 @@
+from __future__ import annotations
+
+import fnmatch
+from dataclasses import dataclass
+from pathlib import Path
+from typing import List, Optional
+
+import yaml
+
+from .models import PolicyFile
+from .validators import extract_hostname, is_host_allowed
+
+
+class PolicyValidationError(ValueError):
+    pass
+
+
+class PolicyViolationError(PermissionError):
+    pass
+
+
+DEFAULT_PROJECT_POLICY_FILES = (".clonebox-policy.yaml", ".clonebox-policy.yml")
+DEFAULT_GLOBAL_POLICY_FILE = Path.home() / ".clonebox.d" / "policy.yaml"
+
+
+@dataclass(frozen=True)
+class PolicyEngine:
+    policy: PolicyFile
+    source: Path
+
+    @classmethod
+    def load(cls, path: Path) -> "PolicyEngine":
+        try:
+            raw = yaml.safe_load(path.read_text())
+        except Exception as e:
+            raise PolicyValidationError(f"Failed to read policy file {path}: {e}")
+
+        if not isinstance(raw, dict):
+            raise PolicyValidationError("Policy file must be a YAML mapping")
+
+        try:
+            policy = PolicyFile.model_validate(raw)
+        except Exception as e:
+            raise PolicyValidationError(str(e))
+
+        return cls(policy=policy, source=path)
+
+    @classmethod
+    def find_policy_file(cls, start: Optional[Path] = None) -> Optional[Path]:
+        start_path = (start or Path.cwd()).expanduser().resolve()
+        if start_path.is_file():
+            start_path = start_path.parent
+
+        current = start_path
+        while True:
+            for name in DEFAULT_PROJECT_POLICY_FILES:
+                candidate = current / name
+                if candidate.exists() and candidate.is_file():
+                    return candidate
+
+            if current.parent == current:
+                break
+            current = current.parent
+
+        if DEFAULT_GLOBAL_POLICY_FILE.exists() and DEFAULT_GLOBAL_POLICY_FILE.is_file():
+            return DEFAULT_GLOBAL_POLICY_FILE
+
+        return None
+
+    @classmethod
+    def load_effective(cls, start: Optional[Path] = None) -> Optional["PolicyEngine"]:
+        policy_path = cls.find_policy_file(start=start)
+        if not policy_path:
+            return None
+        return cls.load(policy_path)
+
+    def assert_url_allowed(self, url: str) -> None:
+        network = self.policy.policies.network
+        if network is None:
+            return
+
+        hostname = extract_hostname(url)
+        if not hostname:
+            raise PolicyViolationError(f"URL has no hostname: {url}")
+
+        if not is_host_allowed(hostname, network.allowlist, network.blocklist):
+            raise PolicyViolationError(f"Network access denied by policy: {hostname}")
+
+    @staticmethod
+    def _operation_matches(operation: str, pattern: str) -> bool:
+        operation = (operation or "").strip().lower()
+        pattern = (pattern or "").strip().lower()
+        if not operation or not pattern:
+            return False
+        return fnmatch.fnmatch(operation, pattern)
+
+    def requires_approval(self, operation: str) -> bool:
+        ops = self.policy.policies.operations
+        if ops is None:
+            return False
+
+        if any(self._operation_matches(operation, p) for p in ops.auto_approve or []):
+            return False
+        return any(
+            self._operation_matches(operation, p) for p in ops.require_approval or []
+        )
+
+    def assert_operation_approved(self, operation: str, approved: bool) -> None:
+        if self.requires_approval(operation) and not approved:
+            raise PolicyViolationError(
+                f"Operation requires approval by policy: {operation} (pass --approve)"
+            )

clonebox/policies/models.py

@@ -0,0 +1,55 @@
+from __future__ import annotations
+
+from typing import List, Optional
+
+from pydantic import BaseModel, Field, field_validator
+
+
+class NetworkPolicy(BaseModel):
+    allowlist: List[str] = Field(default_factory=list)
+    blocklist: List[str] = Field(default_factory=list)
+
+    @field_validator("allowlist", "blocklist")
+    @classmethod
+    def _validate_patterns(cls, v: List[str]) -> List[str]:
+        if v is None:
+            return []
+        if not isinstance(v, list):
+            raise TypeError("must be a list")
+        for item in v:
+            if not isinstance(item, str) or not item.strip():
+                raise ValueError("patterns must be non-empty strings")
+        return v
+
+
+class OperationsPolicy(BaseModel):
+    require_approval: List[str] = Field(default_factory=list)
+    auto_approve: List[str] = Field(default_factory=list)
+
+    @field_validator("require_approval", "auto_approve")
+    @classmethod
+    def _validate_ops(cls, v: List[str]) -> List[str]:
+        if v is None:
+            return []
+        if not isinstance(v, list):
+            raise TypeError("must be a list")
+        for item in v:
+            if not isinstance(item, str) or not item.strip():
+                raise ValueError("operation names must be non-empty strings")
+        return v
+
+
+class ResourcesPolicy(BaseModel):
+    max_vms_per_user: Optional[int] = None
+    max_disk_gb: Optional[int] = None
+
+
+class PolicySet(BaseModel):
+    network: Optional[NetworkPolicy] = None
+    operations: Optional[OperationsPolicy] = None
+    resources: Optional[ResourcesPolicy] = None
+
+
+class PolicyFile(BaseModel):
+    version: str
+    policies: PolicySet

clonebox/policies/validators.py

@@ -0,0 +1,26 @@
+from __future__ import annotations
+
+import fnmatch
+from typing import List
+from urllib.parse import urlparse
+
+
+def extract_hostname(url: str) -> str:
+    parsed = urlparse(url)
+    return (parsed.hostname or "").strip().lower()
+
+
+def host_matches(hostname: str, pattern: str) -> bool:
+    hostname = (hostname or "").strip().lower()
+    pattern = (pattern or "").strip().lower()
+    if not hostname or not pattern:
+        return False
+    return fnmatch.fnmatch(hostname, pattern)
+
+
+def is_host_allowed(hostname: str, allowlist: List[str], blocklist: List[str]) -> bool:
+    if any(host_matches(hostname, p) for p in blocklist or []):
+        return False
+    if allowlist:
+        return any(host_matches(hostname, p) for p in allowlist)
+    return True