genxai-framework 0.1.0__py3-none-any.whl

genxai/security/oauth.py

@@ -0,0 +1,226 @@
+"""OAuth 2.0 integration for GenXAI."""
+
+import requests
+from typing import Dict, Any, Optional
+from abc import ABC, abstractmethod
+from urllib.parse import urlencode
+
+
+class OAuthProvider(ABC):
+    """Base OAuth 2.0 provider."""
+    
+    def __init__(self, client_id: str, client_secret: str, redirect_uri: str):
+        """Initialize OAuth provider.
+        
+        Args:
+            client_id: OAuth client ID
+            client_secret: OAuth client secret
+            redirect_uri: Redirect URI after authentication
+        """
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.redirect_uri = redirect_uri
+    
+    @abstractmethod
+    def get_authorization_url(self, state: Optional[str] = None) -> str:
+        """Get OAuth authorization URL.
+        
+        Args:
+            state: Optional state parameter
+            
+        Returns:
+            Authorization URL
+        """
+        pass
+    
+    @abstractmethod
+    def exchange_code(self, code: str) -> Dict[str, Any]:
+        """Exchange authorization code for tokens.
+        
+        Args:
+            code: Authorization code
+            
+        Returns:
+            Token response with access_token, refresh_token, etc.
+        """
+        pass
+    
+    @abstractmethod
+    def get_user_info(self, access_token: str) -> Dict[str, Any]:
+        """Get user information.
+        
+        Args:
+            access_token: Access token
+            
+        Returns:
+            User information
+        """
+        pass
+
+
+class GoogleOAuthProvider(OAuthProvider):
+    """Google OAuth 2.0 provider."""
+    
+    AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
+    TOKEN_URL = "https://oauth2.googleapis.com/token"
+    USER_INFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo"
+    
+    def get_authorization_url(self, state: Optional[str] = None) -> str:
+        """Get Google OAuth authorization URL."""
+        params = {
+            "client_id": self.client_id,
+            "redirect_uri": self.redirect_uri,
+            "response_type": "code",
+            "scope": "openid email profile",
+            "access_type": "offline",
+        }
+        
+        if state:
+            params["state"] = state
+        
+        return f"{self.AUTH_URL}?{urlencode(params)}"
+    
+    def exchange_code(self, code: str) -> Dict[str, Any]:
+        """Exchange authorization code for tokens."""
+        data = {
+            "client_id": self.client_id,
+            "client_secret": self.client_secret,
+            "code": code,
+            "redirect_uri": self.redirect_uri,
+            "grant_type": "authorization_code",
+        }
+        
+        response = requests.post(self.TOKEN_URL, data=data)
+        response.raise_for_status()
+        
+        return response.json()
+    
+    def get_user_info(self, access_token: str) -> Dict[str, Any]:
+        """Get user information from Google."""
+        headers = {"Authorization": f"Bearer {access_token}"}
+        response = requests.get(self.USER_INFO_URL, headers=headers)
+        response.raise_for_status()
+        
+        return response.json()
+
+
+class GitHubOAuthProvider(OAuthProvider):
+    """GitHub OAuth 2.0 provider."""
+    
+    AUTH_URL = "https://github.com/login/oauth/authorize"
+    TOKEN_URL = "https://github.com/login/oauth/access_token"
+    USER_INFO_URL = "https://api.github.com/user"
+    
+    def get_authorization_url(self, state: Optional[str] = None) -> str:
+        """Get GitHub OAuth authorization URL."""
+        params = {
+            "client_id": self.client_id,
+            "redirect_uri": self.redirect_uri,
+            "scope": "read:user user:email",
+        }
+        
+        if state:
+            params["state"] = state
+        
+        return f"{self.AUTH_URL}?{urlencode(params)}"
+    
+    def exchange_code(self, code: str) -> Dict[str, Any]:
+        """Exchange authorization code for tokens."""
+        data = {
+            "client_id": self.client_id,
+            "client_secret": self.client_secret,
+            "code": code,
+            "redirect_uri": self.redirect_uri,
+        }
+        
+        headers = {"Accept": "application/json"}
+        response = requests.post(self.TOKEN_URL, data=data, headers=headers)
+        response.raise_for_status()
+        
+        return response.json()
+    
+    def get_user_info(self, access_token: str) -> Dict[str, Any]:
+        """Get user information from GitHub."""
+        headers = {
+            "Authorization": f"Bearer {access_token}",
+            "Accept": "application/json"
+        }
+        response = requests.get(self.USER_INFO_URL, headers=headers)
+        response.raise_for_status()
+        
+        return response.json()
+
+
+class MicrosoftOAuthProvider(OAuthProvider):
+    """Microsoft OAuth 2.0 provider."""
+    
+    AUTH_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
+    TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
+    USER_INFO_URL = "https://graph.microsoft.com/v1.0/me"
+    
+    def get_authorization_url(self, state: Optional[str] = None) -> str:
+        """Get Microsoft OAuth authorization URL."""
+        params = {
+            "client_id": self.client_id,
+            "redirect_uri": self.redirect_uri,
+            "response_type": "code",
+            "scope": "openid email profile User.Read",
+        }
+        
+        if state:
+            params["state"] = state
+        
+        return f"{self.AUTH_URL}?{urlencode(params)}"
+    
+    def exchange_code(self, code: str) -> Dict[str, Any]:
+        """Exchange authorization code for tokens."""
+        data = {
+            "client_id": self.client_id,
+            "client_secret": self.client_secret,
+            "code": code,
+            "redirect_uri": self.redirect_uri,
+            "grant_type": "authorization_code",
+        }
+        
+        response = requests.post(self.TOKEN_URL, data=data)
+        response.raise_for_status()
+        
+        return response.json()
+    
+    def get_user_info(self, access_token: str) -> Dict[str, Any]:
+        """Get user information from Microsoft."""
+        headers = {"Authorization": f"Bearer {access_token}"}
+        response = requests.get(self.USER_INFO_URL, headers=headers)
+        response.raise_for_status()
+        
+        return response.json()
+
+
+def create_oauth_provider(
+    provider: str,
+    client_id: str,
+    client_secret: str,
+    redirect_uri: str
+) -> OAuthProvider:
+    """Create OAuth provider instance.
+    
+    Args:
+        provider: Provider name (google, github, microsoft)
+        client_id: OAuth client ID
+        client_secret: OAuth client secret
+        redirect_uri: Redirect URI
+        
+    Returns:
+        OAuthProvider instance
+    """
+    providers = {
+        "google": GoogleOAuthProvider,
+        "github": GitHubOAuthProvider,
+        "microsoft": MicrosoftOAuthProvider,
+    }
+    
+    provider_class = providers.get(provider.lower())
+    if not provider_class:
+        raise ValueError(f"Unknown OAuth provider: {provider}")
+    
+    return provider_class(client_id, client_secret, redirect_uri)

genxai/security/pii.py

@@ -0,0 +1,366 @@
+"""PII detection and redaction for GenXAI."""
+
+import re
+from typing import List, Dict, Any, Optional
+from dataclasses import dataclass
+from datetime import datetime
+
+
+# PII patterns
+PII_PATTERNS = {
+    "email": r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b',
+    "phone": r'\b(?:\+?1[-.]?)?\(?([0-9]{3})\)?[-.]?([0-9]{3})[-.]?([0-9]{4})\b',
+    "ssn": r'\b\d{3}-\d{2}-\d{4}\b',
+    "credit_card": r'\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b',
+    "ip_address": r'\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b',
+    "api_key": r'\b[A-Za-z0-9]{32,}\b',
+    "passport": r'\b[A-Z]{1,2}\d{6,9}\b',
+    "driver_license": r'\b[A-Z]{1,2}\d{5,8}\b',
+}
+
+
+@dataclass
+class PIIMatch:
+    """PII match result."""
+    pii_type: str
+    value: str
+    start: int
+    end: int
+
+
+class PIIDetector:
+    """Detect PII in text."""
+    
+    def __init__(self, patterns: Optional[Dict[str, str]] = None):
+        """Initialize PII detector.
+        
+        Args:
+            patterns: Custom PII patterns (default: use built-in patterns)
+        """
+        self.patterns = patterns or PII_PATTERNS
+    
+    def detect(self, text: str) -> List[PIIMatch]:
+        """Detect all PII in text.
+        
+        Args:
+            text: Text to scan
+            
+        Returns:
+            List of PII matches
+        """
+        matches = []
+        
+        for pii_type, pattern in self.patterns.items():
+            for match in re.finditer(pattern, text):
+                matches.append(PIIMatch(
+                    pii_type=pii_type,
+                    value=match.group(),
+                    start=match.start(),
+                    end=match.end()
+                ))
+        
+        # Sort by position
+        matches.sort(key=lambda x: x.start)
+        
+        return matches
+    
+    def detect_type(self, text: str, pii_type: str) -> List[PIIMatch]:
+        """Detect specific PII type.
+        
+        Args:
+            text: Text to scan
+            pii_type: PII type to detect
+            
+        Returns:
+            List of PII matches
+        """
+        if pii_type not in self.patterns:
+            return []
+        
+        pattern = self.patterns[pii_type]
+        matches = []
+        
+        for match in re.finditer(pattern, text):
+            matches.append(PIIMatch(
+                pii_type=pii_type,
+                value=match.group(),
+                start=match.start(),
+                end=match.end()
+            ))
+        
+        return matches
+    
+    def has_pii(self, text: str) -> bool:
+        """Check if text contains PII.
+        
+        Args:
+            text: Text to check
+            
+        Returns:
+            True if PII detected
+        """
+        for pattern in self.patterns.values():
+            if re.search(pattern, text):
+                return True
+        
+        return False
+
+
+class PIIRedactor:
+    """Redact PII from text."""
+    
+    def __init__(self, detector: Optional[PIIDetector] = None):
+        """Initialize PII redactor.
+        
+        Args:
+            detector: PII detector (default: create new detector)
+        """
+        self.detector = detector or PIIDetector()
+    
+    def redact(
+        self,
+        text: str,
+        replacement: str = "***REDACTED***",
+        pii_types: Optional[List[str]] = None
+    ) -> str:
+        """Redact all PII.
+        
+        Args:
+            text: Text to redact
+            replacement: Replacement string
+            pii_types: Specific PII types to redact (default: all)
+            
+        Returns:
+            Redacted text
+        """
+        matches = self.detector.detect(text)
+        
+        # Filter by PII types if specified
+        if pii_types:
+            matches = [m for m in matches if m.pii_type in pii_types]
+        
+        # Redact from end to start to preserve positions
+        for match in reversed(matches):
+            text = text[:match.start] + replacement + text[match.end:]
+        
+        return text
+    
+    def mask(self, text: str, pii_types: Optional[List[str]] = None) -> str:
+        """Mask PII (show last 4 characters).
+        
+        Args:
+            text: Text to mask
+            pii_types: Specific PII types to mask (default: all)
+            
+        Returns:
+            Masked text
+        """
+        matches = self.detector.detect(text)
+        
+        # Filter by PII types if specified
+        if pii_types:
+            matches = [m for m in matches if m.pii_type in pii_types]
+        
+        # Mask from end to start to preserve positions
+        for match in reversed(matches):
+            value = match.value
+            
+            if match.pii_type == "email":
+                # email@example.com -> e***@example.com
+                parts = value.split('@')
+                if len(parts) == 2:
+                    masked = parts[0][0] + '***@' + parts[1]
+                else:
+                    masked = '***'
+            
+            elif match.pii_type in ["phone", "ssn", "credit_card"]:
+                # Show last 4 digits
+                masked = '***-***-' + value[-4:]
+            
+            elif match.pii_type == "ip_address":
+                # Show first octet
+                parts = value.split('.')
+                masked = parts[0] + '.***.***.***'
+            
+            else:
+                # Default: show last 4 characters
+                if len(value) > 4:
+                    masked = '***' + value[-4:]
+                else:
+                    masked = '***'
+            
+            text = text[:match.start] + masked + text[match.end:]
+        
+        return text
+    
+    def redact_dict(
+        self,
+        data: Dict[str, Any],
+        replacement: str = "***REDACTED***"
+    ) -> Dict[str, Any]:
+        """Redact PII from dictionary recursively.
+        
+        Args:
+            data: Dictionary to redact
+            replacement: Replacement string
+            
+        Returns:
+            Redacted dictionary
+        """
+        result = {}
+        
+        for key, value in data.items():
+            if isinstance(value, str):
+                result[key] = self.redact(value, replacement)
+            elif isinstance(value, dict):
+                result[key] = self.redact_dict(value, replacement)
+            elif isinstance(value, list):
+                result[key] = [
+                    self.redact(item, replacement) if isinstance(item, str)
+                    else self.redact_dict(item, replacement) if isinstance(item, dict)
+                    else item
+                    for item in value
+                ]
+            else:
+                result[key] = value
+        
+        return result
+
+
+class PIIAuditLogger:
+    """Log PII access for compliance."""
+    
+    def __init__(self, log_file: str = "pii_audit.log"):
+        """Initialize PII audit logger.
+        
+        Args:
+            log_file: Path to audit log file
+        """
+        self.log_file = log_file
+    
+    def log_access(
+        self,
+        user_id: str,
+        pii_type: str,
+        action: str,
+        context: Dict[str, Any]
+    ):
+        """Log PII access.
+        
+        Args:
+            user_id: User ID
+            pii_type: PII type accessed
+            action: Action performed (read, write, delete)
+            context: Additional context
+        """
+        log_entry = {
+            "timestamp": datetime.utcnow().isoformat(),
+            "user_id": user_id,
+            "pii_type": pii_type,
+            "action": action,
+            "context": context
+        }
+        
+        with open(self.log_file, 'a') as f:
+            import json
+            f.write(json.dumps(log_entry) + '\n')
+    
+    def get_logs(
+        self,
+        user_id: Optional[str] = None,
+        pii_type: Optional[str] = None,
+        start_time: Optional[datetime] = None,
+        end_time: Optional[datetime] = None
+    ) -> List[Dict[str, Any]]:
+        """Get audit logs with filters.
+        
+        Args:
+            user_id: Filter by user ID
+            pii_type: Filter by PII type
+            start_time: Filter by start time
+            end_time: Filter by end time
+            
+        Returns:
+            List of log entries
+        """
+        import json
+        logs = []
+        
+        try:
+            with open(self.log_file, 'r') as f:
+                for line in f:
+                    try:
+                        entry = json.loads(line.strip())
+                        
+                        # Apply filters
+                        if user_id and entry.get("user_id") != user_id:
+                            continue
+                        
+                        if pii_type and entry.get("pii_type") != pii_type:
+                            continue
+                        
+                        timestamp = datetime.fromisoformat(entry["timestamp"])
+                        
+                        if start_time and timestamp < start_time:
+                            continue
+                        
+                        if end_time and timestamp > end_time:
+                            continue
+                        
+                        logs.append(entry)
+                    
+                    except json.JSONDecodeError:
+                        continue
+        
+        except FileNotFoundError:
+            pass
+        
+        return logs
+
+
+# Global instances
+_pii_detector = None
+_pii_redactor = None
+_pii_audit_logger = None
+
+
+def get_pii_detector() -> PIIDetector:
+    """Get global PII detector.
+    
+    Returns:
+        PIIDetector instance
+    """
+    global _pii_detector
+    
+    if _pii_detector is None:
+        _pii_detector = PIIDetector()
+    
+    return _pii_detector
+
+
+def get_pii_redactor() -> PIIRedactor:
+    """Get global PII redactor.
+    
+    Returns:
+        PIIRedactor instance
+    """
+    global _pii_redactor
+    
+    if _pii_redactor is None:
+        _pii_redactor = PIIRedactor()
+    
+    return _pii_redactor
+
+
+def get_pii_audit_logger() -> PIIAuditLogger:
+    """Get global PII audit logger.
+    
+    Returns:
+        PIIAuditLogger instance
+    """
+    global _pii_audit_logger
+    
+    if _pii_audit_logger is None:
+        _pii_audit_logger = PIIAuditLogger()
+    
+    return _pii_audit_logger

genxai/security/policy_engine.py

@@ -0,0 +1,82 @@
+"""Resource-level policy engine for GenXAI."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from enum import Enum
+from typing import Dict, Optional, Set
+
+from genxai.security.rbac import Permission, User, PermissionDenied
+from genxai.security.audit import get_approval_service
+
+
+class ResourceType(str, Enum):
+    """Resource types covered by policy engine."""
+
+    AGENT = "agent"
+    TOOL = "tool"
+    WORKFLOW = "workflow"
+    MEMORY = "memory"
+
+
+@dataclass
+class AccessRule:
+    """ACL rule for a resource."""
+
+    permissions: Set[Permission]
+    allowed_users: Optional[Set[str]] = None
+    requires_approval: bool = False
+    approval_request_id: Optional[str] = None
+
+
+class PolicyEngine:
+    """Simple ACL-based policy engine."""
+
+    def __init__(self) -> None:
+        self._rules: Dict[str, AccessRule] = {}
+
+    def add_rule(self, resource_id: str, rule: AccessRule) -> None:
+        self._rules[resource_id] = rule
+
+    def check(self, user: User, resource_id: str, permission: Permission) -> None:
+        rule = self._rules.get(resource_id)
+        if rule is None:
+            if not user.has_permission(permission):
+                raise PermissionDenied(
+                    f"User {user.user_id} missing permission: {permission.value}"
+                )
+            return
+
+        if rule.requires_approval:
+            if not rule.approval_request_id:
+                approval = get_approval_service().submit(
+                    f"{permission.value}",
+                    resource_id,
+                    user.user_id,
+                )
+                rule.approval_request_id = approval.request_id
+            approval = get_approval_service().get(rule.approval_request_id)
+            if not approval or approval.status != "approved":
+                raise PermissionDenied(
+                    f"Approval required for resource {resource_id}"
+                )
+
+        if rule.allowed_users and user.user_id not in rule.allowed_users:
+            raise PermissionDenied(
+                f"User {user.user_id} not allowed for resource {resource_id}"
+            )
+
+        if permission not in rule.permissions:
+            raise PermissionDenied(
+                f"Permission {permission.value} denied for resource {resource_id}"
+            )
+
+
+_policy_engine: Optional[PolicyEngine] = None
+
+
+def get_policy_engine() -> PolicyEngine:
+    global _policy_engine
+    if _policy_engine is None:
+        _policy_engine = PolicyEngine()
+    return _policy_engine