gac 3.10.3__py3-none-any.whl

gac/security.py

@@ -0,0 +1,293 @@
+#!/usr/bin/env python3
+"""Security utilities for detecting secrets and API keys in git diffs.
+
+This module provides functions to scan staged changes for potential secrets,
+API keys, and other sensitive information that should not be committed.
+"""
+
+import logging
+import re
+from dataclasses import dataclass
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class DetectedSecret:
+    """Represents a detected secret in a file."""
+
+    file_path: str
+    line_number: int | None
+    secret_type: str
+    matched_text: str
+    context: str | None = None
+
+
+class SecretPatterns:
+    """Regex patterns for detecting various types of secrets and API keys."""
+
+    # AWS Access Keys
+    AWS_ACCESS_KEY_ID = re.compile(r"(?:AWS_ACCESS_KEY_ID|aws_access_key_id)[\s:=\"']+([A-Z0-9]{20})", re.IGNORECASE)
+    AWS_SECRET_ACCESS_KEY = re.compile(
+        r"(?:AWS_SECRET_ACCESS_KEY|aws_secret_access_key)[\s:=\"']+([A-Za-z0-9/+=]{40})", re.IGNORECASE
+    )
+    AWS_SESSION_TOKEN = re.compile(r"(?:AWS_SESSION_TOKEN|aws_session_token)[\s:=\"']+([A-Za-z0-9/+=]+)", re.IGNORECASE)
+
+    # Generic API Keys
+    GENERIC_API_KEY = re.compile(
+        r"(?:api[-_]?key|api[-_]?secret|access[-_]?key|secret[-_]?key)[\s:=\"']+([A-Za-z0-9_\-]{20,})", re.IGNORECASE
+    )
+
+    # GitHub Tokens
+    GITHUB_TOKEN = re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}")
+
+    # OpenAI API Keys
+    OPENAI_API_KEY = re.compile(r"sk-[A-Za-z0-9]{20,}")
+
+    # Anthropic API Keys
+    ANTHROPIC_API_KEY = re.compile(r"sk-ant-[A-Za-z0-9\-_]{95,}")
+
+    # Stripe Keys
+    STRIPE_KEY = re.compile(r"(?:sk|pk|rk)_(?:live|test)_[A-Za-z0-9]{24,}")
+
+    # Private Keys (PEM format)
+    PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
+
+    # Bearer Tokens (require actual token with specific characteristics)
+    BEARER_TOKEN = re.compile(r"Bearer\s+[A-Za-z0-9]{20,}[/=]*(?:\s|$)", re.IGNORECASE)
+
+    # JWT Tokens
+    JWT_TOKEN = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
+
+    # Database URLs with credentials
+    DATABASE_URL = re.compile(
+        r"(?:postgresql|mysql|mongodb|redis)://[A-Za-z0-9_-]+:[A-Za-z0-9_@!#$%^&*()+-=]+@[A-Za-z0-9.-]+",
+        re.IGNORECASE,
+    )
+
+    # SSH Private Keys
+    SSH_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA|DSA|EC|OPENSSH) PRIVATE KEY-----")
+
+    # Slack Tokens
+    SLACK_TOKEN = re.compile(r"xox[baprs]-[A-Za-z0-9-]+")
+
+    # Google API Keys
+    GOOGLE_API_KEY = re.compile(r"AIza[0-9A-Za-z_-]{35}")
+
+    # Twilio API Keys
+    TWILIO_API_KEY = re.compile(r"SK[a-f0-9]{32}")
+
+    # Generic Password Fields
+    PASSWORD = re.compile(r"(?:password|passwd|pwd)[\s:=\"']+([^\s\"']{8,})", re.IGNORECASE)
+
+    # Excluded patterns (common false positives)
+    EXCLUDED_PATTERNS = [
+        re.compile(r"(?:example|sample|dummy|placeholder|your[-_]?api[-_]?key)", re.IGNORECASE),
+        re.compile(r"(?:xxx+|yyy+|zzz+)", re.IGNORECASE),
+        re.compile(r"\b(?:123456|password|changeme|secret|testpass|admin)\b", re.IGNORECASE),  # Word boundaries
+        re.compile(r"ghp_[a-f0-9]{16}", re.IGNORECASE),  # Short GitHub tokens (examples)
+        re.compile(r"sk-[a-f0-9]{16}", re.IGNORECASE),  # Short OpenAI keys (examples)
+        re.compile(r"Bearer Token", re.IGNORECASE),  # Documentation text
+        re.compile(r"Add Bearer Token", re.IGNORECASE),  # Documentation text
+        re.compile(r"Test Bearer Token", re.IGNORECASE),  # Documentation text
+    ]
+
+    @classmethod
+    def get_all_patterns(cls) -> dict[str, re.Pattern[str]]:
+        """Get all secret detection patterns.
+
+        Returns:
+            Dictionary mapping pattern names to compiled regex patterns
+        """
+        patterns = {}
+        for name, value in vars(cls).items():
+            if isinstance(value, re.Pattern) and not name.startswith("EXCLUDED"):
+                # Convert pattern name to human-readable format
+                readable_name = name.replace("_", " ").title()
+                patterns[readable_name] = value
+        return patterns
+
+
+def is_false_positive(matched_text: str, file_path: str = "") -> bool:
+    """Check if a matched secret is likely a false positive.
+
+    Args:
+        matched_text: The text that matched a secret pattern
+        file_path: The file path where the match was found (for context-based filtering)
+
+    Returns:
+        True if the match is likely a false positive
+    """
+    # Check against excluded patterns
+    for pattern in SecretPatterns.EXCLUDED_PATTERNS:
+        if pattern.search(matched_text):
+            return True
+
+    # Check for all-same characters (e.g., "xxxxxxxxxxxxxxxx")
+    if len(set(matched_text.lower())) <= 3 and len(matched_text) > 10:
+        return True
+
+    # Special handling for .env.example, .env.template, .env.sample files
+    if any(example_file in file_path for example_file in [".env.example", ".env.template", ".env.sample"]):
+        return True
+
+    return False
+
+
+def extract_file_path_from_diff_section(section: str) -> str | None:
+    """Extract the file path from a git diff section.
+
+    Args:
+        section: A git diff section
+
+    Returns:
+        The file path or None if not found
+    """
+    match = re.search(r"diff --git a/(.*?) b/", section)
+    if match:
+        return match.group(1)
+    return None
+
+
+def extract_line_number_from_hunk(line: str, hunk_header: str | None) -> int | None:
+    """Extract the line number from a diff hunk.
+
+    Args:
+        line: The diff line containing the secret
+        hunk_header: The most recent hunk header (e.g., "@@ -1,4 +1,5 @@")
+
+    Returns:
+        The line number or None if not determinable
+    """
+    if not hunk_header:
+        return None
+
+    # Parse hunk header to get starting line number: @@ -old_start,old_count +new_start,new_count @@
+    match = re.search(r"@@ -\d+(?:,\d+)? \+(\d+)", hunk_header)
+    if not match:
+        return None
+
+    return int(match.group(1))
+
+
+def scan_diff_section(section: str) -> list[DetectedSecret]:
+    """Scan a single git diff section for secrets.
+
+    Args:
+        section: A git diff section to scan
+
+    Returns:
+        List of detected secrets
+    """
+    secrets: list[DetectedSecret] = []
+    file_path = extract_file_path_from_diff_section(section)
+
+    if not file_path:
+        return secrets
+
+    patterns = SecretPatterns.get_all_patterns()
+    lines = section.split("\n")
+    line_counter = 0
+
+    for line in lines:
+        # Track hunk headers for line number extraction
+        if line.startswith("@@"):
+            # Reset line counter based on hunk header (this is the starting line number in the new file)
+            match = re.search(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
+            if match:
+                line_counter = int(match.group(1)) - 1  # Start one line before, will increment correctly
+            continue
+
+        # Skip metadata lines
+        if line.startswith("+++") or line.startswith("---"):
+            continue
+
+        # Increment line counter for both added and context lines
+        if line.startswith("+") or line.startswith(" "):
+            line_counter += 1
+
+        # Only scan added lines (starting with '+')
+        if line.startswith("+") and not line.startswith("+++"):
+            # Check each pattern
+            content = line[1:]  # Remove the '+' prefix for pattern matching
+            for pattern_name, pattern in patterns.items():
+                matches = pattern.finditer(content)
+                for match in matches:
+                    matched_text = match.group(0)
+
+                    # Skip false positives
+                    if is_false_positive(matched_text, file_path):
+                        logger.debug(f"Skipping false positive: {matched_text}")
+                        continue
+
+                    # Truncate matched text for display (avoid showing full secrets)
+                    from gac.constants import Utility
+
+                    display_text = (
+                        matched_text[: Utility.MAX_DISPLAYED_SECRET_LENGTH] + "..."
+                        if len(matched_text) > Utility.MAX_DISPLAYED_SECRET_LENGTH
+                        else matched_text
+                    )
+
+                    secrets.append(
+                        DetectedSecret(
+                            file_path=file_path,
+                            line_number=line_counter,
+                            secret_type=pattern_name,
+                            matched_text=display_text,
+                            context=content.strip(),
+                        )
+                    )
+
+    return secrets
+
+
+def scan_staged_diff(diff: str) -> list[DetectedSecret]:
+    """Scan staged git diff for secrets and API keys.
+
+    Args:
+        diff: The staged git diff to scan
+
+    Returns:
+        List of detected secrets
+    """
+    if not diff:
+        return []
+
+    # Split diff into sections (one per file)
+    sections = re.split(r"(?=^diff --git )", diff, flags=re.MULTILINE)
+    all_secrets = []
+
+    for section in sections:
+        if not section.strip():
+            continue
+
+        # Validate that this is a real git diff section
+        # Real diff sections must have diff --git header followed by --- and +++ lines
+        if not re.search(r"^diff --git ", section, flags=re.MULTILINE):
+            continue
+
+        if not re.search(r"^--- ", section, flags=re.MULTILINE):
+            continue
+
+        if not re.search(r"^\+\+\+ ", section, flags=re.MULTILINE):
+            continue
+
+        secrets = scan_diff_section(section)
+        all_secrets.extend(secrets)
+
+    logger.info(f"Secret scan complete: found {len(all_secrets)} potential secrets")
+    return all_secrets
+
+
+def get_affected_files(secrets: list[DetectedSecret]) -> list[str]:
+    """Get unique list of files containing detected secrets.
+
+    Args:
+        secrets: List of detected secrets
+
+    Returns:
+        Sorted list of unique file paths
+    """
+    files = {secret.file_path for secret in secrets}
+    return sorted(files)

gac/utils.py

@@ -0,0 +1,401 @@
+"""Utility functions for gac."""
+
+import locale
+import logging
+import os
+import subprocess
+import sys
+from functools import lru_cache
+from typing import Any
+
+from rich.console import Console
+from rich.theme import Theme
+
+from gac.constants import EnvDefaults, Logging
+from gac.errors import GacError
+
+
+@lru_cache(maxsize=1)
+def should_skip_ssl_verification() -> bool:
+    """Return True when SSL certificate verification should be skipped.
+
+    This is useful for corporate environments with proxy servers that
+    intercept SSL traffic and cause certificate verification failures.
+
+    Can be enabled via:
+    - GAC_NO_VERIFY_SSL=true environment variable
+    - --no-verify-ssl CLI flag (which sets the env var)
+
+    Returns:
+        True if SSL verification should be skipped, False otherwise.
+    """
+    value = os.getenv("GAC_NO_VERIFY_SSL", str(EnvDefaults.NO_VERIFY_SSL))
+    return value.lower() in ("true", "1", "yes", "on")
+
+
+def get_ssl_verify() -> bool:
+    """Get the SSL verification setting for httpx requests.
+
+    Returns:
+        True to verify SSL certificates (default), False to skip verification.
+    """
+    return not should_skip_ssl_verification()
+
+
+def setup_logging(
+    log_level: int | str = Logging.DEFAULT_LEVEL,
+    quiet: bool = False,
+    force: bool = False,
+    suppress_noisy: bool = False,
+) -> None:
+    """Configure logging for the application.
+
+    Args:
+        log_level: Log level to use (DEBUG, INFO, WARNING, ERROR)
+        quiet: If True, suppress all output except errors
+        force: If True, force reconfiguration of logging
+        suppress_noisy: If True, suppress noisy third-party loggers
+    """
+    if isinstance(log_level, str):
+        log_level = getattr(logging, log_level.upper(), logging.WARNING)
+
+    if quiet:
+        log_level = logging.ERROR
+
+    kwargs: dict[str, Any] = {"force": force} if force else {}
+
+    logging.basicConfig(
+        level=log_level,
+        format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
+        datefmt="%Y-%m-%d %H:%M:%S",
+        **kwargs,
+    )
+
+    if suppress_noisy:
+        for noisy_logger in ["requests", "urllib3"]:
+            logging.getLogger(noisy_logger).setLevel(logging.WARNING)
+
+    logger.info(f"Logging initialized with level: {logging.getLevelName(log_level)}")
+
+
+theme = Theme(
+    {
+        "success": "green bold",
+        "info": "blue",
+        "warning": "yellow",
+        "error": "red bold",
+        "header": "magenta",
+        "notification": "bright_cyan bold",
+    }
+)
+console = Console(theme=theme)
+logger = logging.getLogger(__name__)
+
+
+def print_message(message: str, level: str = "info") -> None:
+    """Print a styled message with the specified level."""
+    console.print(message, style=level)
+
+
+def get_safe_encodings() -> list[str]:
+    """Get a list of safe encodings to try for subprocess calls, in order of preference.
+
+    Returns:
+        List of encoding strings to try, with UTF-8 first
+    """
+    encodings = ["utf-8"]
+
+    # Add locale encoding as fallback
+    locale_encoding = locale.getpreferredencoding(False)
+    if locale_encoding and locale_encoding not in encodings:
+        encodings.append(locale_encoding)
+
+    # Windows-specific fallbacks
+    if sys.platform == "win32":
+        windows_encodings = ["cp65001", "cp936", "cp1252"]  # UTF-8, GBK, Windows-1252
+        for enc in windows_encodings:
+            if enc not in encodings:
+                encodings.append(enc)
+
+    # Final fallback to system default
+    if "utf-8" not in encodings:
+        encodings.append("utf-8")
+
+    return encodings
+
+
+def run_subprocess_with_encoding(
+    command: list[str],
+    encoding: str,
+    silent: bool = False,
+    timeout: int = 60,
+    check: bool = True,
+    strip_output: bool = True,
+    raise_on_error: bool = True,
+) -> str:
+    """Run subprocess with a specific encoding, handling encoding errors gracefully.
+
+    Args:
+        command: List of command arguments
+        encoding: Specific encoding to use
+        silent: If True, suppress debug logging
+        timeout: Command timeout in seconds
+        check: Whether to check return code (for compatibility)
+        strip_output: Whether to strip whitespace from output
+        raise_on_error: Whether to raise an exception on error
+
+    Returns:
+        Command output as string
+
+    Raises:
+        GacError: If the command times out
+        subprocess.CalledProcessError: If the command fails and raise_on_error is True
+    """
+    if not silent:
+        logger.debug(f"Running command: {' '.join(command)} (encoding: {encoding})")
+
+    try:
+        result = subprocess.run(
+            command,
+            capture_output=True,
+            text=True,
+            check=False,
+            timeout=timeout,
+            encoding=encoding,
+            errors="replace",  # Replace problematic characters instead of crashing
+        )
+
+        should_raise = result.returncode != 0 and (check or raise_on_error)
+
+        if should_raise:
+            if not silent:
+                logger.debug(f"Command stderr: {result.stderr}")
+            raise subprocess.CalledProcessError(result.returncode, command, result.stdout, result.stderr)
+
+        output = result.stdout
+        if strip_output:
+            output = output.strip()
+
+        return output
+    except subprocess.TimeoutExpired as e:
+        logger.error(f"Command timed out after {timeout} seconds: {' '.join(command)}")
+        raise GacError(f"Command timed out: {' '.join(command)}") from e
+    except subprocess.CalledProcessError as e:
+        if not silent:
+            logger.error(f"Command failed: {e.stderr.strip() if e.stderr else str(e)}")
+        if raise_on_error:
+            raise
+        return ""
+    except UnicodeError as e:
+        # This should be rare with errors="replace", but handle it just in case
+        if not silent:
+            logger.debug(f"Encoding error with {encoding}: {e}")
+        raise
+    except Exception as e:
+        if not silent:
+            logger.debug(f"Command error: {e}")
+        if raise_on_error:
+            # Convert generic exceptions to CalledProcessError for consistency
+            raise subprocess.CalledProcessError(1, command, "", str(e)) from e
+        return ""
+
+
+def run_subprocess(
+    command: list[str],
+    silent: bool = False,
+    timeout: int = 60,
+    check: bool = True,
+    strip_output: bool = True,
+    raise_on_error: bool = True,
+) -> str:
+    """Run a subprocess command safely and return the output, trying multiple encodings.
+
+    Args:
+        command: List of command arguments
+        silent: If True, suppress debug logging
+        timeout: Command timeout in seconds
+        check: Whether to check return code (for compatibility)
+        strip_output: Whether to strip whitespace from output
+        raise_on_error: Whether to raise an exception on error
+
+    Returns:
+        Command output as string
+
+    Raises:
+        GacError: If the command times out
+        subprocess.CalledProcessError: If the command fails and raise_on_error is True
+
+    Note:
+        Tries multiple encodings in order: utf-8, locale encoding, platform-specific fallbacks
+        This prevents UnicodeDecodeError on systems with non-UTF-8 locales (e.g., Chinese Windows)
+    """
+    encodings = get_safe_encodings()
+    last_exception = None
+
+    for encoding in encodings:
+        try:
+            return run_subprocess_with_encoding(
+                command=command,
+                encoding=encoding,
+                silent=silent,
+                timeout=timeout,
+                check=check,
+                strip_output=strip_output,
+                raise_on_error=raise_on_error,
+            )
+        except UnicodeError as e:
+            last_exception = e
+            if not silent:
+                logger.debug(f"Failed to decode with {encoding}: {e}")
+            continue
+        except (subprocess.CalledProcessError, GacError, subprocess.TimeoutExpired):
+            # These are not encoding-related errors, so don't retry with other encodings
+            raise
+
+    # If we get here, all encodings failed with UnicodeError
+    if not silent:
+        logger.error(f"Failed to decode command output with any encoding: {encodings}")
+
+    # Raise the last UnicodeError we encountered
+    if last_exception:
+        raise subprocess.CalledProcessError(1, command, "", f"Encoding error: {last_exception}") from last_exception
+    else:
+        raise subprocess.CalledProcessError(1, command, "", "All encoding attempts failed")
+
+
+def edit_commit_message_inplace(message: str) -> str | None:
+    """Edit commit message in-place using rich terminal editing.
+
+    Uses prompt_toolkit to provide a rich editing experience with:
+    - Multi-line editing
+    - Vi/Emacs key bindings
+    - Line editing capabilities
+    - Esc+Enter or Ctrl+S to submit
+    - Ctrl+C to cancel
+
+    Args:
+        message: The initial commit message
+
+    Returns:
+        The edited commit message, or None if editing was cancelled
+
+    Example:
+        >>> edited = edit_commit_message_inplace("feat: add feature")
+        >>> # User can edit the message using vi/emacs key bindings
+        >>> # Press Esc+Enter or Ctrl+S to submit
+    """
+    from prompt_toolkit import Application
+    from prompt_toolkit.buffer import Buffer
+    from prompt_toolkit.document import Document
+    from prompt_toolkit.enums import EditingMode
+    from prompt_toolkit.key_binding import KeyBindings
+    from prompt_toolkit.layout import HSplit, Layout, Window
+    from prompt_toolkit.layout.controls import BufferControl, FormattedTextControl
+    from prompt_toolkit.layout.margins import ScrollbarMargin
+    from prompt_toolkit.styles import Style
+
+    try:
+        console.print("\n[info]Edit commit message:[/info]")
+        console.print()
+
+        # Create buffer for text editing
+        text_buffer = Buffer(
+            document=Document(text=message, cursor_position=0),
+            multiline=True,
+            enable_history_search=False,
+        )
+
+        # Track submission state
+        cancelled = {"value": False}
+        submitted = {"value": False}
+
+        # Create text editor window
+        text_window = Window(
+            content=BufferControl(
+                buffer=text_buffer,
+                focus_on_click=True,
+            ),
+            height=lambda: max(5, message.count("\n") + 3),
+            wrap_lines=True,
+            right_margins=[ScrollbarMargin()],
+        )
+
+        # Create hint window
+        hint_window = Window(
+            content=FormattedTextControl(
+                text=[("class:hint", " Esc+Enter or Ctrl+S to submit | Ctrl+C to cancel ")],
+            ),
+            height=1,
+            dont_extend_height=True,
+        )
+
+        # Create layout
+        root_container = HSplit(
+            [
+                text_window,
+                hint_window,
+            ]
+        )
+
+        layout = Layout(root_container, focused_element=text_window)
+
+        # Create key bindings
+        kb = KeyBindings()
+
+        @kb.add("c-s")
+        def _(event: Any) -> None:
+            """Submit with Ctrl+S."""
+            submitted["value"] = True
+            event.app.exit()
+
+        @kb.add("c-c")
+        def _(event: Any) -> None:
+            """Cancel editing."""
+            cancelled["value"] = True
+            event.app.exit()
+
+        @kb.add("escape", "enter")
+        def _(event: Any) -> None:
+            """Submit with Esc+Enter."""
+            submitted["value"] = True
+            event.app.exit()
+
+        # Create and run application
+        custom_style = Style.from_dict(
+            {
+                "hint": "#888888",
+            }
+        )
+
+        app: Application[None] = Application(
+            layout=layout,
+            key_bindings=kb,
+            full_screen=False,
+            mouse_support=False,
+            editing_mode=EditingMode.VI,  # Enable vi key bindings
+            style=custom_style,
+        )
+
+        app.run()
+
+        # Handle result
+        if cancelled["value"]:
+            console.print("\n[yellow]Edit cancelled.[/yellow]")
+            return None
+
+        if submitted["value"]:
+            edited_message = text_buffer.text.strip()
+            if not edited_message:
+                console.print("[yellow]Commit message cannot be empty. Edit cancelled.[/yellow]")
+                return None
+            return edited_message
+
+        return None
+
+    except (EOFError, KeyboardInterrupt):
+        console.print("\n[yellow]Edit cancelled.[/yellow]")
+        return None
+    except Exception as e:
+        logger.error(f"Error during in-place editing: {e}")
+        console.print(f"[error]Failed to edit commit message: {e}[/error]")
+        return None