cyntrisec 0.1.7__py3-none-any.whl

cyntrisec/cli/can.py

@@ -0,0 +1,307 @@
+"""
+can command - Test if a principal can access a resource.
+
+Usage:
+    cyntrisec can PRINCIPAL access RESOURCE [OPTIONS]
+
+Examples:
+    cyntrisec can ECforS access s3://secret-bucket
+    cyntrisec can arn:aws:iam::123:role/MyRole access s3://data-bucket
+    cyntrisec can MyRole access MyAdminRole --action sts:AssumeRole
+"""
+
+from __future__ import annotations
+
+import logging
+
+import typer
+from rich import box
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+
+from cyntrisec.cli.errors import EXIT_CODE_MAP, CyntriError, ErrorCode, handle_errors
+from cyntrisec.cli.output import emit_agent_or_json, resolve_format, suggested_actions
+from cyntrisec.cli.schemas import CanResponse
+from cyntrisec.storage import FileSystemStorage
+
+console = Console()
+status_console = Console(stderr=True)
+log = logging.getLogger(__name__)
+
+
+@handle_errors
+def can_cmd(
+    principal: str = typer.Argument(
+        ...,
+        help="IAM principal (role/user name or ARN)",
+    ),
+    access: str = typer.Argument(
+        ...,
+        help="Literal 'access' keyword",
+    ),
+    resource: str = typer.Argument(
+        ...,
+        help="Target resource (ARN, bucket name, or s3://path)",
+    ),
+    action: str | None = typer.Option(
+        None,
+        "--action",
+        "-a",
+        help="Specific action to test (auto-detected if not provided)",
+    ),
+    live: bool = typer.Option(
+        False,
+        "--live",
+        "-l",
+        help="Use AWS Policy Simulator API (requires IAM permissions)",
+    ),
+    role_arn: str | None = typer.Option(
+        None,
+        "--role-arn",
+        "-r",
+        help="AWS role to assume for live simulation",
+    ),
+    external_id: str | None = typer.Option(
+        None,
+        "--external-id",
+        "-e",
+        help="External ID for role assumption",
+    ),
+    format: str | None = typer.Option(
+        None,
+        "--format",
+        "-f",
+        help="Output format: text, json, agent (defaults to json when piped)",
+    ),
+    snapshot_id: str | None = typer.Option(
+        None,
+        "--snapshot",
+        "-s",
+        help="Snapshot UUID (default: latest; scan_id accepted)",
+    ),
+):
+    """
+    Test if a principal can access a resource.
+
+    Uses natural language syntax: "can PRINCIPAL access RESOURCE"
+
+    Without --live, uses scan data and graph relationships.
+    With --live, queries AWS IAM Policy Simulator for ground truth.
+
+    Examples:
+        cyntrisec can ECforS access s3://bucket
+        cyntrisec can MyRole access arn:aws:secretsmanager:...:secret
+        cyntrisec can AdminRole access ProdDB --action rds:CreateDBSnapshot
+    """
+    if access.lower() != "access":
+        raise CyntriError(
+            error_code=ErrorCode.INVALID_QUERY,
+            message="Expected 'access' keyword. Usage: cyntrisec can PRINCIPAL access RESOURCE",
+            exit_code=EXIT_CODE_MAP["usage"],
+        )
+
+    output_format = resolve_format(
+        format,
+        default_tty="text",
+        allowed=["text", "json", "agent"],
+    )
+
+    storage = FileSystemStorage()
+    assets = storage.get_assets(snapshot_id)
+    relationships = storage.get_relationships(snapshot_id)
+    snapshot = storage.get_snapshot(snapshot_id)
+
+    if not assets or not snapshot:
+        raise CyntriError(
+            error_code=ErrorCode.SNAPSHOT_NOT_FOUND,
+            message="No scan data found. Run 'cyntrisec scan' first.",
+            exit_code=EXIT_CODE_MAP["usage"],
+        )
+
+    # Resolve principal to ARN
+    principal_arn = _resolve_principal(principal, assets)
+
+    if live:
+        try:
+            live_console = console if output_format == "text" else status_console
+            result = _simulate_live(
+                principal_arn,
+                resource,
+                action,
+                role_arn,
+                external_id,
+                status_console=live_console,
+            )
+        except PermissionError as e:
+            raise CyntriError(
+                error_code=ErrorCode.AWS_ACCESS_DENIED,
+                message=str(e),
+                exit_code=EXIT_CODE_MAP["usage"],
+            )
+    else:
+        result = _simulate_offline(principal_arn, resource, action, assets, relationships)
+
+    # Get scan_id and snapshot_id for suggested actions
+    scan_id = storage.resolve_scan_id(snapshot_id)
+    snapshot_uuid = str(snapshot.id) if snapshot else None
+
+    if output_format in {"json", "agent"}:
+        payload = _build_payload(result, snapshot)
+        followups = suggested_actions(
+            [
+                (
+                    f"cyntrisec cuts --snapshot {snapshot_uuid}"
+                    if snapshot_uuid and result.can_access
+                    else "",
+                    "Identify changes that would block this access"
+                    if snapshot_uuid and result.can_access
+                    else "",
+                ),
+                (
+                    f"cyntrisec analyze paths --scan {scan_id}"
+                    if scan_id and not result.can_access
+                    else "",
+                    "Review other risky paths from the latest scan"
+                    if scan_id and not result.can_access
+                    else "",
+                ),
+                (
+                    f"cyntrisec can {principal_arn} access {resource} --live" if not live else "",
+                    "Validate against live IAM policy simulation" if not live else "",
+                ),
+            ]
+        )
+        emit_agent_or_json(output_format, payload, suggested=followups, schema=CanResponse)
+    else:
+        _output_text(result, snapshot)
+
+    # Exit with code based on result
+    raise typer.Exit(0 if result.can_access else 1)
+
+
+def _resolve_principal(principal: str, assets) -> str:
+    """Resolve principal name to ARN."""
+    if principal.startswith("arn:"):
+        return principal
+
+    # Find by name in assets
+    for asset in assets:
+        if asset.asset_type == "iam:role" and asset.name == principal:
+            return asset.arn or asset.aws_resource_id
+        if asset.asset_type == "iam:user" and asset.name == principal:
+            return asset.arn or asset.aws_resource_id
+
+    # Return as-is and let the simulator handle it
+    return principal
+
+
+def _simulate_live(principal_arn, resource, action, role_arn, external_id, *, status_console):
+    """Run live simulation using AWS API."""
+    from cyntrisec.aws import CredentialProvider
+    from cyntrisec.core.simulator import PolicySimulator
+
+    status_console.print("[cyan]Running live policy simulation...[/cyan]")
+
+    provider = CredentialProvider()
+    if role_arn:
+        session = provider.assume_role(role_arn, external_id=external_id)
+    else:
+        session = provider.default_session()
+
+    simulator = PolicySimulator(session)
+    return simulator.can_access(principal_arn, resource, action=action)
+
+
+def _simulate_offline(principal_arn, resource, action, assets, relationships):
+    """Run offline simulation using scan data."""
+    from cyntrisec.core.simulator import OfflineSimulator
+
+    simulator = OfflineSimulator(assets, relationships)
+    return simulator.can_access(principal_arn, resource, action=action)
+
+
+def _output_text(result, snapshot):
+    """Display result as formatted text."""
+    console.print()
+
+    if result.can_access:
+        icon = "ALLOW"
+        color = "green"
+        status = "YES"
+    else:
+        icon = "DENY"
+        color = "red"
+        status = "NO"
+
+    console.print(
+        Panel(
+            f"[bold {color}]{icon} {status}[/bold {color}]: "
+            f"[white]{result.principal_arn.split('/')[-1]}[/white] can "
+            f"{'access' if result.can_access else '[dim]NOT[/dim] access'} "
+            f"[cyan]{result.target_resource}[/cyan]",
+            title="cyntrisec can",
+            border_style=color,
+        )
+    )
+
+    # Show proof
+    if result.simulations:
+        console.print()
+        table = Table(box=box.ROUNDED, show_header=True, header_style="bold")
+        table.add_column("Action", style="cyan")
+        table.add_column("Decision", width=15)
+        table.add_column("Matched", justify="right")
+
+        for sim in result.simulations:
+            if sim.decision.value == "allowed":
+                decision = "[green]ALLOWED[/green]"
+            elif sim.decision.value == "explicitDeny":
+                decision = "[red]EXPLICIT DENY[/red]"
+            else:
+                decision = "[yellow]IMPLICIT DENY[/yellow]"
+
+            table.add_row(
+                sim.action,
+                decision,
+                str(len(sim.matched_statements)),
+            )
+
+        console.print(table)
+    elif result.proof:
+        console.print()
+        console.print(f"[dim]Via: {result.proof.get('relationship_type', 'graph analysis')}[/dim]")
+
+    console.print()
+
+
+def _build_payload(result, snapshot):
+    """Build structured output for JSON/agent formats."""
+    payload = {
+        "snapshot_id": str(snapshot.id) if snapshot else None,
+        "principal": result.principal_arn,
+        "resource": result.target_resource,
+        "action": result.action,
+        "can_access": result.can_access,
+        "simulations": [
+            {
+                "action": s.action,
+                "resource": s.resource,
+                "decision": s.decision.value,
+                "matched_statements": len(s.matched_statements),
+            }
+            for s in result.simulations
+        ]
+        if result.simulations
+        else [],
+        "proof": result.proof,
+    }
+
+    # Add mode and disclaimer for offline simulation
+    if not result.simulations:
+        payload["mode"] = "offline"
+        payload["disclaimer"] = "Offline results are based on graph relationships only. Use --live for authoritative policy simulation."
+    else:
+        payload["mode"] = "live"
+
+    return payload

cyntrisec/cli/comply.py

@@ -0,0 +1,226 @@
+"""
+comply command - Check compliance against security frameworks.
+"""
+
+from __future__ import annotations
+
+import logging
+
+import typer
+from rich import box
+from rich.console import Console
+from rich.panel import Panel
+from rich.progress import BarColumn, Progress, TextColumn
+from rich.table import Table
+
+from cyntrisec.cli.errors import EXIT_CODE_MAP, CyntriError, ErrorCode, handle_errors
+from cyntrisec.cli.output import (
+    build_artifact_paths,
+    emit_agent_or_json,
+    resolve_format,
+    suggested_actions,
+)
+from cyntrisec.cli.schemas import ComplyResponse
+from cyntrisec.core.compliance import ComplianceChecker, Framework
+from cyntrisec.storage import FileSystemStorage
+
+console = Console()
+log = logging.getLogger(__name__)
+
+
+@handle_errors
+def comply_cmd(
+    framework: str = typer.Option(
+        "cis-aws",
+        "--framework",
+        "-fw",
+        help="Compliance framework: cis-aws, soc2",
+    ),
+    format: str | None = typer.Option(
+        None,
+        "--format",
+        "-f",
+        help="Output format: table, json, agent (defaults to json when piped)",
+    ),
+    show_passing: bool = typer.Option(
+        False,
+        "--show-passing",
+        "-p",
+        help="Show passing controls (default: only failing)",
+    ),
+    snapshot_id: str | None = typer.Option(
+        None,
+        "--snapshot",
+        "-s",
+        help="Snapshot UUID (default: latest; scan_id accepted)",
+    ),
+):
+    """
+    Check compliance against security frameworks.
+    """
+    output_format = resolve_format(
+        format,
+        default_tty="table",
+        allowed=["table", "json", "agent"],
+    )
+
+    storage = FileSystemStorage()
+    findings = storage.get_findings(snapshot_id)
+    assets = storage.get_assets(snapshot_id)
+    snapshot = storage.get_snapshot(snapshot_id)
+
+    if not snapshot:
+        raise CyntriError(
+            error_code=ErrorCode.SNAPSHOT_NOT_FOUND,
+            message="No scan data found. Run 'cyntrisec scan' first.",
+            exit_code=EXIT_CODE_MAP["usage"],
+        )
+
+    # Map CLI string to Framework enum
+    framework_map = {
+        "cis-aws": Framework.CIS_AWS,
+        "cis_aws": Framework.CIS_AWS,
+        "CIS-AWS": Framework.CIS_AWS,
+        "soc2": Framework.SOC2,
+        "SOC2": Framework.SOC2,
+    }
+    fw = framework_map.get(framework)
+    if not fw:
+        raise CyntriError(
+            error_code=ErrorCode.INVALID_QUERY,
+            message=f"Invalid framework: {framework}. Use 'cis-aws' or 'soc2'.",
+            exit_code=EXIT_CODE_MAP["usage"],
+        )
+
+    checker = ComplianceChecker()
+    results = checker.check(findings, assets, framework=fw, collection_errors=snapshot.errors)
+
+    # Get scan_id for suggested actions
+    scan_id = storage.resolve_scan_id(snapshot_id)
+
+    if output_format in {"json", "agent"}:
+        payload = _build_payload(results, fw, snapshot, show_passing)
+        # Generate appropriate suggested actions based on compliance status
+        if results.failing > 0:
+            first_failing = next((r for r in results.results if r.status != "pass"), None)
+            actions = suggested_actions(
+                [
+                    (
+                        f"cyntrisec explain control {first_failing.control.id}"
+                        if first_failing
+                        else "",
+                        "Explain top failing control" if first_failing else "",
+                    ),
+                    (
+                        f"cyntrisec cuts --snapshot {snapshot.id}" if snapshot else "",
+                        "Map compliance fixes to attack path cuts" if snapshot else "",
+                    ),
+                ]
+            )
+        else:
+            # Clean scan - no failing controls
+            actions = suggested_actions(
+                [
+                    (
+                        f"cyntrisec diff --old {scan_id}" if scan_id else "",
+                        "Monitor for compliance drift" if scan_id else "",
+                    ),
+                    (
+                        "cyntrisec scan",
+                        "Run periodic scans to maintain compliance",
+                    ),
+                ]
+            )
+        emit_agent_or_json(
+            output_format,
+            payload,
+            suggested=actions,
+            artifact_paths=build_artifact_paths(storage, snapshot_id),
+            schema=ComplyResponse,
+        )
+    else:
+        _output_table(results, fw, show_passing)
+
+    if results.failing == 0:
+        raise typer.Exit(0)
+    raise typer.Exit(1)
+
+
+def _output_table(results, framework: Framework, show_passing: bool):
+    """Render compliance results."""
+    passing = results.passing
+    failing = results.failing
+    unknown = results.unknown
+    evaluated = passing + failing
+    total = evaluated + unknown
+    score = results.compliance_score * 100
+
+    console.print()
+    console.print(
+        Panel(
+            f"[bold]Compliance Report[/bold]\n"
+            f"Framework: {framework.value}\n"
+            f"Score: {score:.0f}% ({passing}/{evaluated})"
+            + (f"  Unknown: {unknown}" if unknown else ""),
+            title="cyntrisec comply",
+            border_style="green" if failing == 0 else "red",
+        )
+    )
+    console.print()
+    with Progress(
+        TextColumn("[progress.description]{task.description}"),
+        BarColumn(),
+        TextColumn("{task.completed}/{task.total}"),
+    ) as progress:
+        task = progress.add_task("Controls", total=total)
+        progress.update(task, completed=passing)
+
+    table = Table(
+        title="Controls",
+        box=box.ROUNDED,
+        show_header=True,
+        header_style="bold cyan",
+    )
+    table.add_column("Status", width=10)
+    table.add_column("Control")
+    table.add_column("Severity", width=12)
+    table.add_column("Description", min_width=40)
+
+    for r in results.results:
+        if r.status == "pass" and not show_passing:
+            continue
+        if r.status == "pass":
+            status = "[green]PASS[/green]"
+        elif r.status == "fail":
+            status = "[red]FAIL[/red]"
+        else:
+            status = "[yellow]UNKNOWN[/yellow]"
+        table.add_row(status, r.control.id, r.control.severity, r.control.title[:60])
+
+    console.print(table)
+
+
+def _build_payload(results, framework: Framework, snapshot, show_passing: bool):
+    """Build structured payload for JSON/agent outputs."""
+    return {
+        "framework": framework.value,
+        "compliance_score": results.compliance_score,
+        "passing": results.passing,
+        "failing": results.failing,
+        "controls": [
+            {
+                "id": r.control.id,
+                "title": r.control.title,
+                "status": r.status,
+                "severity": r.control.severity,
+                "description": r.control.title,
+            }
+            for r in results.results
+            if show_passing or r.status != "pass"
+        ],
+        "data_gaps": [
+            {"control_id": ctrl_id, **gap} for ctrl_id, gap in results.data_gaps.items()
+        ]
+        if results.data_gaps
+        else [],
+    }