holmesgpt 0.11.5__py3-none-any.whl

holmes/plugins/toolsets/bash/kubectl/__init__.py

@@ -0,0 +1,100 @@
+from typing import Any, Optional
+from holmes.plugins.toolsets.bash.common.config import BashExecutorConfig
+from holmes.plugins.toolsets.bash.kubectl.constants import (
+    SAFE_NAME_PATTERN,
+    SAFE_NAMESPACE_PATTERN,
+    SAFE_SELECTOR_PATTERN,
+    VALID_RESOURCE_TYPES,
+)
+from holmes.plugins.toolsets.bash.kubectl.kubectl_describe import (
+    create_kubectl_describe_parser,
+    stringify_describe_command,
+)
+from holmes.plugins.toolsets.bash.kubectl.kubectl_events import (
+    create_kubectl_events_parser,
+    stringify_events_command,
+)
+from holmes.plugins.toolsets.bash.kubectl.kubectl_logs import (
+    create_kubectl_logs_parser,
+    stringify_logs_command,
+)
+from holmes.plugins.toolsets.bash.kubectl.kubectl_top import (
+    create_kubectl_top_parser,
+    stringify_top_command,
+)
+from holmes.plugins.toolsets.bash.kubectl.kubectl_get import (
+    create_kubectl_get_parser,
+    stringify_get_command,
+)
+
+
+def create_kubectl_parser(parent_parser: Any):
+    kubectl_parser = parent_parser.add_parser(
+        "kubectl", help="Kubernetes command-line tool", exit_on_error=False
+    )
+    action_subparsers = kubectl_parser.add_subparsers(
+        dest="action",
+        required=True,
+        help="Action to perform (e.g., get, apply, delete)",
+    )
+    create_kubectl_get_parser(action_subparsers)
+    create_kubectl_describe_parser(action_subparsers)
+    create_kubectl_top_parser(action_subparsers)
+    create_kubectl_events_parser(action_subparsers)
+    create_kubectl_logs_parser(action_subparsers)
+
+
+def validate_kubectl_command(cmd: Any) -> None:
+    """
+    Validate common kubectl command fields to prevent injection attacks.
+    Raises ValueError if validation fails.
+    """
+
+    # Validate resource type
+    if (
+        hasattr(cmd, "resource_type")
+        and cmd.resource_type.lower() not in VALID_RESOURCE_TYPES
+    ):
+        raise ValueError(f"Invalid resource type: {cmd.resource_type}")
+
+    # Validate resource name if provided
+    if hasattr(cmd, "resource_name") and cmd.resource_name:
+        if not SAFE_NAME_PATTERN.match(cmd.resource_name):
+            raise ValueError(f"Invalid resource name: {cmd.resource_name}")
+        if len(cmd.resource_name) > 253:
+            raise ValueError("Resource name too long")
+
+    # Validate namespace if provided
+    if hasattr(cmd, "namespace") and cmd.namespace:
+        if not SAFE_NAMESPACE_PATTERN.match(cmd.namespace):
+            raise ValueError(f"Invalid namespace: {cmd.namespace}")
+        if len(cmd.namespace) > 63:
+            raise ValueError("Namespace name too long")
+
+    # Validate selectors if provided
+    if hasattr(cmd, "selector") and cmd.selector:
+        if not SAFE_SELECTOR_PATTERN.match(cmd.selector):
+            raise ValueError(f"Invalid label selector: {cmd.selector}")
+        if len(cmd.selector) > 1000:
+            raise ValueError("Label selector too long")
+
+
+def stringify_kubectl_command(command: Any, config: Optional[BashExecutorConfig]):
+    if command.cmd == "kubectl":
+        validate_kubectl_command(command)
+        if command.action == "get":
+            return stringify_get_command(command)
+        elif command.action == "describe":
+            return stringify_describe_command(command)
+        elif command.action == "top":
+            return stringify_top_command(command)
+        elif command.action == "events":
+            return stringify_events_command(command)
+        elif command.action == "logs":
+            return stringify_logs_command(command)
+        else:
+            raise ValueError(
+                f"Unsupported {command.tool_name} action {command.action}. Supported actions are: get, describe, events, top, run"
+            )
+    else:
+        raise ValueError(f"Unsupported command {command.tool_name}")

holmes/plugins/toolsets/bash/kubectl/constants.py

@@ -0,0 +1,96 @@
+import re
+
+
+SAFE_NAME_PATTERN = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9\-_.]*$")
+SAFE_NAMESPACE_PATTERN = re.compile(r"^[a-z0-9][a-z0-9\-]*$")
+SAFE_SELECTOR_PATTERN = re.compile(r"^[a-zA-Z0-9\-_.=,!()]+$")
+SAFE_JQ_PATTERN = re.compile(r"^[a-zA-Z0-9.][a-zA-Z0-9\-_.]*$")
+
+
+VALID_RESOURCE_TYPES = {
+    "pods",
+    "pod",
+    "po",
+    "services",
+    "service",
+    "svc",
+    "deployments",
+    "deployment",
+    "deploy",
+    "replicasets",
+    "replicaset",
+    "rs",
+    "statefulsets",
+    "statefulset",
+    "sts",
+    "daemonsets",
+    "daemonset",
+    "ds",
+    "jobs",
+    "job",
+    "cronjobs",
+    "cronjob",
+    "cj",
+    "configmaps",
+    "configmap",
+    "cm",
+    "persistentvolumes",
+    "persistentvolume",
+    "pv",
+    "persistentvolumeclaims",
+    "persistentvolumeclaim",
+    "pvc",
+    "nodes",
+    "node",
+    "no",
+    "namespaces",
+    "namespace",
+    "ns",
+    "ingresses",
+    "ingress",
+    "ing",
+    "networkpolicies",
+    "networkpolicy",
+    "netpol",
+    "serviceaccounts",
+    "serviceaccount",
+    "sa",
+    "roles",
+    "role",
+    "rolebindings",
+    "rolebinding",
+    "clusterroles",
+    "clusterrole",
+    "clusterrolebindings",
+    "clusterrolebinding",
+    "endpoints",
+    "endpoint",
+    "ep",
+    "events",
+    "event",
+    "ev",
+    "horizontalpodautoscalers",
+    "horizontalpodautoscaler",
+    "hpa",
+    "verticalpodautoscalers",
+    "verticalpodautoscaler",
+    "vpa",
+    "poddisruptionbudgets",
+    "poddisruptionbudget",
+    "pdb",
+    "all",
+}
+
+
+VALID_OUTPUT_FORMATS = {
+    "yaml",
+    "json",
+    "wide",
+    "name",
+    "custom-columns",
+    "custom-columns-file",
+    "go-template",
+    "go-template-file",
+    "jsonpath",
+    "jsonpath-file",
+}

holmes/plugins/toolsets/bash/kubectl/kubectl_describe.py

@@ -0,0 +1,66 @@
+from typing import Any
+
+from holmes.plugins.toolsets.bash.common.stringify import escape_shell_args
+from holmes.plugins.toolsets.bash.common.validators import (
+    regex_validator,
+    whitelist_validator,
+)
+from holmes.plugins.toolsets.bash.kubectl.constants import (
+    SAFE_NAME_PATTERN,
+    SAFE_NAMESPACE_PATTERN,
+    SAFE_SELECTOR_PATTERN,
+    VALID_RESOURCE_TYPES,
+)
+
+
+def create_kubectl_describe_parser(kubectl_parser: Any):
+    parser = kubectl_parser.add_parser(
+        "describe",
+        help="Show details of a specific resource or group of resources",
+        exit_on_error=False,  # Important for library use
+    )
+    parser.add_argument(
+        "resource_type", type=whitelist_validator("resource type", VALID_RESOURCE_TYPES)
+    )
+    parser.add_argument(
+        "resource_name",
+        nargs="?",
+        default=None,
+        type=regex_validator("resource name", SAFE_NAME_PATTERN),
+    )
+    parser.add_argument(
+        "-n", "--namespace", type=regex_validator("namespace", SAFE_NAMESPACE_PATTERN)
+    )
+    parser.add_argument("-A", "--all-namespaces", action="store_true")
+    parser.add_argument(
+        "-l", "--selector", type=regex_validator("selector", SAFE_SELECTOR_PATTERN)
+    )
+    parser.add_argument(
+        "--field-selector",
+        type=regex_validator("field selector", SAFE_SELECTOR_PATTERN),
+    )
+    parser.add_argument("--include-uninitialized", action="store_true")
+
+
+def stringify_describe_command(cmd: Any) -> str:
+    parts = ["kubectl", "describe", cmd.resource_type]
+
+    # Add resource name if specified
+    if cmd.resource_name:
+        parts.append(cmd.resource_name)
+
+    if cmd.all_namespaces:
+        parts.append("--all-namespaces")
+    elif cmd.namespace:
+        parts.extend(["--namespace", cmd.namespace])
+
+    if cmd.selector:
+        parts.extend(["--selector", cmd.selector])
+
+    if cmd.field_selector:
+        parts.extend(["--field-selector", cmd.field_selector])
+
+    if cmd.include_uninitialized:
+        parts.append("--include-uninitialized")
+
+    return " ".join(escape_shell_args(parts))

holmes/plugins/toolsets/bash/kubectl/kubectl_events.py

@@ -0,0 +1,88 @@
+import argparse
+import re
+from typing import Any
+
+from holmes.plugins.toolsets.bash.common.stringify import escape_shell_args
+from holmes.plugins.toolsets.bash.common.validators import regex_validator
+
+MAX_FOR_OBJ_SIZE = 253
+for_object_pattern = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9\-_./:]*$")
+VALID_EVENT_TYPES = {"Normal", "Warning"}
+
+
+def create_kubectl_events_parser(kubectl_parser: Any):
+    parser = kubectl_parser.add_parser(
+        "events",
+        help="List events",
+        exit_on_error=False,  # Important for library use
+    )
+    parser.add_argument(
+        "-n",
+        "--namespace",
+        type=regex_validator("namespace", re.compile(r"^[a-z0-9][a-z0-9\-]*$")),
+    )
+    parser.add_argument("-A", "--all-namespaces", action="store_true")
+    parser.add_argument(
+        "-l",
+        "--selector",
+        type=regex_validator("selector", re.compile(r"^[a-zA-Z0-9\-_.=,!()]+$")),
+    )
+    parser.add_argument(
+        "--field-selector",
+        type=regex_validator("field selector", re.compile(r"^[a-zA-Z0-9\-_.=,!()]+$")),
+    )
+    parser.add_argument("--for", dest="for_object", type=_validate_for_object)
+    parser.add_argument("--types", type=_validate_event_types)
+    parser.add_argument("-w", "--watch", action="store_true")
+    parser.add_argument("--no-headers", action="store_true")
+
+
+def _validate_for_object(value: str) -> str:
+    """Validate the --for object parameter."""
+
+    if not for_object_pattern.match(value):
+        raise argparse.ArgumentTypeError(f"Invalid for_object: {value}")
+    if len(value) > MAX_FOR_OBJ_SIZE:
+        raise argparse.ArgumentTypeError(
+            f"for_object too long. Max allowed size is {MAX_FOR_OBJ_SIZE} but received {len(value)}"
+        )
+    return value
+
+
+def _validate_event_types(value: str) -> str:
+    """Validate the --types parameter."""
+    type_list = [t.strip() for t in value.split(",")]
+
+    for event_type in type_list:
+        if event_type not in VALID_EVENT_TYPES:
+            raise argparse.ArgumentTypeError(f"Invalid event type: {event_type}")
+    return value
+
+
+def stringify_events_command(cmd: Any) -> str:
+    parts = ["kubectl", "events"]
+
+    if cmd.all_namespaces:
+        parts.append("--all-namespaces")
+    elif cmd.namespace:
+        parts.extend(["--namespace", cmd.namespace])
+
+    if cmd.selector:
+        parts.extend(["--selector", cmd.selector])
+
+    if cmd.field_selector:
+        parts.extend(["--field-selector", cmd.field_selector])
+
+    if cmd.for_object:
+        parts.extend(["--for", cmd.for_object])
+
+    if cmd.types:
+        parts.extend(["--types", cmd.types])
+
+    if cmd.watch:
+        parts.append("--watch")
+
+    if cmd.no_headers:
+        parts.append("--no-headers")
+
+    return " ".join(escape_shell_args(parts))

holmes/plugins/toolsets/bash/kubectl/kubectl_get.py

@@ -0,0 +1,108 @@
+from typing import Any
+
+from holmes.plugins.toolsets.bash.common.stringify import escape_shell_args
+from holmes.plugins.toolsets.bash.common.validators import (
+    regex_validator,
+    whitelist_validator,
+)
+from holmes.plugins.toolsets.bash.kubectl.constants import (
+    SAFE_JQ_PATTERN,
+    SAFE_NAME_PATTERN,
+    SAFE_NAMESPACE_PATTERN,
+    SAFE_SELECTOR_PATTERN,
+    VALID_OUTPUT_FORMATS,
+    VALID_RESOURCE_TYPES,
+)
+
+
+def create_kubectl_get_parser(kubectl_parser: Any):
+    parser = kubectl_parser.add_parser(
+        "get",
+        help="Display one or many resources",
+        exit_on_error=False,  # Important for library use
+    )
+    parser.add_argument(
+        "resource_type", type=whitelist_validator("resource type", VALID_RESOURCE_TYPES)
+    )
+    parser.add_argument(
+        "resource_name",
+        nargs="?",
+        default=None,
+        type=regex_validator("resource_name", SAFE_NAME_PATTERN),
+    )
+    parser.add_argument(
+        "-n", "--namespace", type=regex_validator("namespace", SAFE_NAMESPACE_PATTERN)
+    )
+    parser.add_argument("-A", "--all-namespaces", action="store_true")
+    parser.add_argument(
+        "-l", "--selector", type=regex_validator("selector", SAFE_SELECTOR_PATTERN)
+    )
+    parser.add_argument(
+        "--field-selector",
+        type=regex_validator("field-selector", SAFE_SELECTOR_PATTERN),
+    )
+    parser.add_argument(
+        "-o", "--output", type=whitelist_validator("output", VALID_OUTPUT_FORMATS)
+    )
+    parser.add_argument("--sort-by", type=regex_validator("sort-by", SAFE_JQ_PATTERN))
+    parser.add_argument(
+        "--show-labels",
+        action="store_true",
+    )
+    parser.add_argument(
+        "--show-managed-fields",
+        action="store_true",
+    )
+    parser.add_argument(
+        "--no-headers",
+        action="store_false",
+    )
+    parser.add_argument(
+        "--include-uninitialized",
+        action="store_true",
+    )
+    parser.add_argument(
+        "--ignore-not-found",
+        action="store_true",
+    )
+
+
+def stringify_get_command(cmd: Any) -> str:
+    parts = ["kubectl", "get", cmd.resource_type]
+
+    # Add resource name if specified
+    if cmd.resource_name:
+        parts.append(cmd.resource_name)
+
+    if cmd.all_namespaces:
+        parts.append("--all-namespaces")
+    if cmd.namespace:
+        parts.extend(["--namespace", cmd.namespace])
+
+    if cmd.selector:
+        parts.extend(["--selector", cmd.selector])
+
+    if cmd.field_selector:
+        parts.extend(["--field-selector", cmd.field_selector])
+
+    if cmd.output:
+        parts.extend(["--output", cmd.output])
+    if cmd.sort_by:
+        parts.extend(["--sort-by", cmd.sort_by])
+
+    if cmd.show_labels:
+        parts.append("--show-labels")
+
+    if cmd.show_managed_fields:
+        parts.append("--show-managed-fields")
+
+    if cmd.no_headers is not None and not cmd.no_headers:
+        parts.append("--no-headers")
+
+    if cmd.include_uninitialized:
+        parts.append("--include-uninitialized")
+
+    if cmd.ignore_not_found:
+        parts.append("--ignore-not-found")
+
+    return " ".join(escape_shell_args(parts))

holmes/plugins/toolsets/bash/kubectl/kubectl_logs.py

@@ -0,0 +1,20 @@
+import argparse
+from typing import Any
+
+
+def create_kubectl_logs_parser(kubectl_parser: Any):
+    parser = kubectl_parser.add_parser(
+        "logs",
+        exit_on_error=False,
+    )
+    parser.add_argument(
+        "options",
+        nargs=argparse.REMAINDER,  # Captures all remaining arguments
+        default=[],  # Default to an empty list
+    )
+
+
+def stringify_logs_command(cmd: Any) -> str:
+    raise ValueError(
+        "Use the tool `fetch_pod_logs` to fetch logs instead of running `kubectl logs` commands"
+    )

holmes/plugins/toolsets/bash/kubectl/kubectl_run.py

@@ -0,0 +1,46 @@
+import re
+from typing import Optional
+
+from holmes.plugins.toolsets.bash.common.config import (
+    BashExecutorConfig,
+    KubectlImageConfig,
+)
+
+
+def validate_image_and_commands(
+    image: str, container_command: str, config: Optional[BashExecutorConfig]
+) -> None:
+    """
+    Validate that the image is in the whitelist and commands are allowed.
+    Raises ArgumentTypeError if validation fails.
+    """
+    if not config or not config.kubectl or not config.kubectl.allowed_images:
+        raise ValueError(
+            "The command `kubectl run` is not allowed. The user must whitelist specific images and commands but none have been configured."
+        )
+
+    # Find matching image config
+    image_config: Optional[KubectlImageConfig] = None
+    for img_config in config.kubectl.allowed_images:
+        if img_config.image == image:
+            image_config = img_config
+            break
+
+    if not image_config:
+        allowed_images = [img.image for img in config.kubectl.allowed_images]
+        raise ValueError(
+            f"Image '{image}' not allowed. Allowed images: {', '.join(allowed_images)}"
+        )
+
+    # Validate commands against allowed patterns
+    command_allowed = False
+    for allowed_pattern in image_config.allowed_commands:
+        if re.match(allowed_pattern, container_command):
+            command_allowed = True
+            break
+
+    if not command_allowed:
+        raise ValueError(
+            f"Command '{container_command}' not allowed for image '{image}'. "
+            f"Allowed patterns: {', '.join(image_config.allowed_commands)}"
+        )

holmes/plugins/toolsets/bash/kubectl/kubectl_top.py

@@ -0,0 +1,81 @@
+from typing import Any
+
+from holmes.plugins.toolsets.bash.common.stringify import escape_shell_args
+from holmes.plugins.toolsets.bash.common.validators import regex_validator
+from holmes.plugins.toolsets.bash.kubectl.constants import (
+    SAFE_NAME_PATTERN,
+    SAFE_NAMESPACE_PATTERN,
+    SAFE_SELECTOR_PATTERN,
+)
+
+
+def create_kubectl_top_parser(kubectl_parser: Any):
+    parser = kubectl_parser.add_parser(
+        "top",
+        help="Display resource (CPU/memory) usage",
+        exit_on_error=False,
+    )
+    parser.add_argument(
+        "resource_type",
+        choices=["nodes", "node", "pods", "pod"],
+        help="Resource type to get usage for",
+    )
+    parser.add_argument(
+        "resource_name",
+        nargs="?",
+        default=None,
+        type=regex_validator("resource name", SAFE_NAME_PATTERN),
+    )
+    parser.add_argument(
+        "-n", "--namespace", type=regex_validator("namespace", SAFE_NAMESPACE_PATTERN)
+    )
+    parser.add_argument("-A", "--all-namespaces", action="store_true")
+    parser.add_argument(
+        "-l", "--selector", type=regex_validator("selector", SAFE_SELECTOR_PATTERN)
+    )
+    parser.add_argument(
+        "--containers",
+        action="store_true",
+        help="Display containers along with pods (for pods resource type)",
+    )
+    parser.add_argument(
+        "--use-protocol-buffers",
+        action="store_true",
+        help="Use protocol buffers for fetching metrics",
+    )
+    parser.add_argument(
+        "--sort-by",
+        type=regex_validator("sort field", SAFE_NAME_PATTERN),
+        help="Sort by cpu or memory",
+    )
+    parser.add_argument("--no-headers", action="store_true")
+
+
+def stringify_top_command(cmd: Any) -> str:
+    parts = ["kubectl", "top", cmd.resource_type]
+
+    # Add resource name if specified
+    if cmd.resource_name:
+        parts.append(cmd.resource_name)
+
+    if cmd.all_namespaces:
+        parts.append("--all-namespaces")
+    elif cmd.namespace:
+        parts.extend(["--namespace", cmd.namespace])
+
+    if cmd.selector:
+        parts.extend(["--selector", cmd.selector])
+
+    if cmd.containers:
+        parts.append("--containers")
+
+    if cmd.use_protocol_buffers:
+        parts.append("--use-protocol-buffers")
+
+    if cmd.sort_by:
+        parts.extend(["--sort-by", cmd.sort_by])
+
+    if cmd.no_headers:
+        parts.append("--no-headers")
+
+    return " ".join(escape_shell_args(parts))