kailash 0.1.5__py3-none-any.whl → 0.2.0__py3-none-any.whl

kailash/nodes/base_with_acl.py

@@ -0,0 +1,338 @@
+"""
+Base Node with Optional Access Control Layer
+
+This module extends the base Node class with optional access control capabilities.
+The access control is completely transparent and disabled by default, ensuring
+no interference with existing SDK usage.
+
+Key Design Principles:
+- Access control is OFF by default
+- Zero performance impact when disabled
+- Fully backward compatible
+- Opt-in at workflow or node level
+- No changes required to existing code
+"""
+
+import logging
+from typing import Any, Dict, Optional
+
+from kailash.access_control import (
+    AccessDecision,
+    NodePermission,
+    UserContext,
+    get_access_control_manager,
+)
+from kailash.nodes.base import Node
+from kailash.nodes.base_async import AsyncNode
+
+logger = logging.getLogger(__name__)
+
+
+class NodeWithAccessControl(Node):
+    """
+    Base node class with optional access control capabilities.
+
+    Extends the standard Node class with transparent access control features
+    that can be enabled on demand without affecting existing functionality.
+    Access control is completely disabled by default for backward compatibility.
+
+    Design Purpose:
+        Provides a foundation for nodes that need access control while
+        maintaining complete backward compatibility. Enables fine-grained
+        permissions, data masking, and conditional execution.
+
+    Upstream Dependencies:
+        - AccessControlManager for permission evaluation
+        - UserContext from authentication systems
+        - PermissionRule definitions from configuration
+
+    Downstream Consumers:
+        - AccessControlledRuntime for secure execution
+        - Audit systems for logging access attempts
+        - Data masking systems for output filtering
+
+    Usage Patterns:
+        - Extended by nodes requiring access control
+        - Configured with permission requirements
+        - Used in conjunction with AccessControlledRuntime
+        - Transparent to existing node implementations
+
+    Implementation Details:
+        Access control is evaluated only when explicitly enabled.
+        Permissions checked before node execution.
+        Output masking applied based on user roles.
+        Fallback execution for denied access scenarios.
+
+    Error Handling:
+        - Access denied returns user-friendly error messages
+        - Missing permissions default to deny
+        - Configuration errors are logged and treated as disabled
+        - Execution errors maintain standard Node behavior
+
+    Side Effects:
+        - Logs access attempts for audit purposes
+        - May redirect execution to fallback nodes
+        - Applies data masking to sensitive outputs
+
+    Example:
+        >>> class SecureProcessorNode(NodeWithAccessControl):
+        ...     def _execute(self, **inputs):
+        ...         return {"result": "processed"}
+        >>>
+        >>> node = SecureProcessorNode(
+        ...     enable_access_control=True,
+        ...     required_permission=NodePermission.EXECUTE,
+        ...     mask_output_fields=["sensitive_data"]
+        ... )
+    """
+
+    def __init__(self, **config):
+        super().__init__(**config)
+        # Access control is disabled by default
+        self._access_control_enabled = config.get("enable_access_control", False)
+        self._required_permission = config.get(
+            "required_permission", NodePermission.EXECUTE
+        )
+        self._fallback_node = config.get("fallback_node", None)
+        self._mask_output_fields = config.get("mask_output_fields", [])
+
+    def run(self, **inputs) -> Any:
+        """
+        Execute node with optional access control checks.
+
+        If access control is disabled or no user context is present,
+        this behaves exactly like the standard Node.run() method.
+        """
+        # Extract runtime context if present
+        runtime_context = inputs.pop("_runtime_context", None)
+        user_context = inputs.pop("_user_context", None)
+
+        # If no access control needed, run normally
+        if not self._should_check_access(user_context):
+            return self._execute(**inputs)
+
+        # Perform access check
+        acm = get_access_control_manager()
+        decision = acm.check_node_access(
+            user_context,
+            self._get_node_id(),
+            self._required_permission,
+            runtime_context or {},
+        )
+
+        # Handle access decision
+        if decision.allowed:
+            # Execute node
+            result = self._execute(**inputs)
+
+            # Apply output masking if needed
+            if decision.masked_fields and isinstance(result, dict):
+                result = self._mask_fields(result, decision.masked_fields)
+
+            return result
+        else:
+            # Access denied
+            return self._handle_access_denied(decision, inputs)
+
+    def _execute(self, **inputs) -> Any:
+        """
+        The actual node execution logic.
+        Override this method in subclasses instead of run().
+        """
+        # Default implementation calls parent run()
+        # This maintains compatibility with existing nodes
+        if hasattr(super(), "run"):
+            return super().run(**inputs)
+        else:
+            raise NotImplementedError("Node must implement _execute() method")
+
+    def _should_check_access(self, user_context: Optional[UserContext]) -> bool:
+        """
+        Determine if access control should be checked.
+
+        Returns False (no check) if:
+        - Access control is disabled globally
+        - No user context is provided
+        - Node has explicitly disabled access control
+        """
+        # Global check
+        acm = get_access_control_manager()
+        if not acm or not getattr(acm, "enabled", False):
+            return False
+
+        # Node-level check
+        if not self._access_control_enabled:
+            return False
+
+        # User context check
+        if not user_context:
+            return False
+
+        return True
+
+    def _get_node_id(self) -> str:
+        """Get the node ID for access control checks"""
+        # Try to get from config first
+        if "node_id" in self.config:
+            return self.config["node_id"]
+
+        # Fall back to class name
+        return self.__class__.__name__
+
+    def _mask_fields(self, data: Dict[str, Any], fields: list[str]) -> Dict[str, Any]:
+        """Mask specified fields in output data"""
+        masked_data = data.copy()
+        for field in fields:
+            if field in masked_data:
+                masked_data[field] = "***MASKED***"
+        return masked_data
+
+    def _handle_access_denied(
+        self, decision: AccessDecision, inputs: Dict[str, Any]
+    ) -> Any:
+        """
+        Handle access denied scenarios.
+
+        Can be overridden by subclasses for custom behavior.
+        """
+        # Log access denial
+        logger.warning(
+            f"Access denied for node {self._get_node_id()}: {decision.reason}"
+        )
+
+        # If a fallback node is configured, return a marker for the runtime
+        if self._fallback_node:
+            return {
+                "_access_denied": True,
+                "_redirect_to": self._fallback_node,
+                "_original_inputs": inputs,
+            }
+
+        # Return empty result by default
+        return {}
+
+
+class AsyncNodeWithAccessControl(AsyncNode):
+    """Async version of NodeWithAccessControl"""
+
+    def __init__(self, **config):
+        super().__init__(**config)
+        self._access_control_enabled = config.get("enable_access_control", False)
+        self._required_permission = config.get(
+            "required_permission", NodePermission.EXECUTE
+        )
+        self._fallback_node = config.get("fallback_node", None)
+        self._mask_output_fields = config.get("mask_output_fields", [])
+
+    async def run(self, **inputs) -> Any:
+        """Async execution with optional access control"""
+        runtime_context = inputs.pop("_runtime_context", None)
+        user_context = inputs.pop("_user_context", None)
+
+        if not self._should_check_access(user_context):
+            return await self._execute(**inputs)
+
+        acm = get_access_control_manager()
+        decision = acm.check_node_access(
+            user_context,
+            self._get_node_id(),
+            self._required_permission,
+            runtime_context or {},
+        )
+
+        if decision.allowed:
+            result = await self._execute(**inputs)
+
+            if decision.masked_fields and isinstance(result, dict):
+                result = self._mask_fields(result, decision.masked_fields)
+
+            return result
+        else:
+            return self._handle_access_denied(decision, inputs)
+
+    async def _execute(self, **inputs) -> Any:
+        """Async execution logic"""
+        if hasattr(super(), "run"):
+            return await super().run(**inputs)
+        else:
+            raise NotImplementedError("Node must implement _execute() method")
+
+    # Reuse other methods from sync version
+    _should_check_access = NodeWithAccessControl._should_check_access
+    _get_node_id = NodeWithAccessControl._get_node_id
+    _mask_fields = NodeWithAccessControl._mask_fields
+    _handle_access_denied = NodeWithAccessControl._handle_access_denied
+
+
+def make_node_access_controlled(node_class, **acl_config):
+    """
+    Factory function to add access control to any existing node class.
+
+    This allows adding access control to nodes without modifying their code:
+
+    >>> from kailash.nodes.data.readers import CSVReaderNode
+    >>> SecureCSVReader = make_node_access_controlled(
+    ...     CSVReaderNode,
+    ...     enable_access_control=True,
+    ...     required_permission=NodePermission.READ_OUTPUT
+    ... )
+    """
+
+    class AccessControlledNode(NodeWithAccessControl, node_class):
+        def __init__(self, **config):
+            # Merge ACL config with node config
+            full_config = {**acl_config, **config}
+            super().__init__(**full_config)
+
+        def _execute(self, **inputs):
+            # Call the original node's run method
+            return node_class.run(self, **inputs)
+
+    # Preserve the original class name and module
+    AccessControlledNode.__name__ = f"Secure{node_class.__name__}"
+    AccessControlledNode.__module__ = node_class.__module__
+
+    return AccessControlledNode
+
+
+def add_access_control(node_instance, **acl_config):
+    """
+    Add access control to an existing node instance.
+
+    This function adds access control attributes to a node instance.
+    For simplicity in this example, we'll just add the attributes
+    and let the AccessControlledRuntime handle the actual access control.
+
+    Args:
+        node_instance: The node instance to wrap
+        **acl_config: Access control configuration
+            - enable_access_control: Whether to enable access control (default: True)
+            - required_permission: Permission required to execute the node
+            - node_id: Unique identifier for access control rules
+            - mask_output_fields: List of fields to mask in output for non-admin users
+            - fallback_node: Node ID to execute if access is denied
+
+    Returns:
+        Node instance with access control capabilities
+
+    Example:
+        >>> reader = CSVReaderNode(file_path="data.csv")
+        >>> secure_reader = add_access_control(
+        ...     reader,
+        ...     enable_access_control=True,
+        ...     required_permission=NodePermission.EXECUTE,
+        ...     node_id="secure_csv_reader"
+        ... )
+    """
+    # If access control is disabled, return the original node
+    if not acl_config.get("enable_access_control", True):
+        return node_instance
+
+    # Add access control attributes to the node instance
+    for key, value in acl_config.items():
+        setattr(node_instance, key, value)
+
+    # Mark this node as access-controlled
+    setattr(node_instance, "_access_controlled", True)
+
+    return node_instance

kailash/nodes/code/python.py

@@ -1,29 +1,56 @@
-"""Python code execution node implementation.
-
-This module provides nodes that can execute arbitrary Python code, allowing users
-to create custom processing logic without defining new node classes. It supports
-both function-based and class-based code execution with automatic type inference
-and error handling.
-
-Design Principles:
-1. Safety - Code execution is sandboxed with proper error handling
-2. Flexibility - Support functions, classes, and inline code
-3. Type Safety - Automatic type inference with validation
-4. Composability - Works seamlessly with other nodes in workflows
-5. Simplicity - Easy to use for non-technical users
-
-Components:
-- PythonCodeNode: Main node for code execution
-- CodeExecutor: Safe code execution environment
-- FunctionWrapper: Converts functions to nodes
-- ClassWrapper: Converts classes to nodes
-- SafeCodeChecker: AST-based security validation
+"""Advanced Python Code Execution Node with Cycle Support.
+
+This module provides sophisticated nodes for executing arbitrary Python code,
+allowing users to create custom processing logic without defining new node classes.
+It supports both function-based and class-based code execution with automatic type
+inference, comprehensive error handling, and advanced cycle-aware capabilities.
+
+Examples:
+    Basic code execution:
+
+    >>> node = PythonCodeNode(
+    ...     name="processor",
+    ...     code="result = {'value': input_value * 2, 'status': 'processed'}"
+    ... )
+
+    Cycle-aware execution:
+
+    >>> cycle_node = PythonCodeNode(
+    ...     name="accumulator",
+    ...     code='''
+    ...     # Safe cycle parameter access
+    ...     try:
+    ...         count = count
+    ...         total = total
+    ...     except NameError:
+    ...         count = 0
+    ...         total = 0
+    ...
+    ...     count += 1
+    ...     total += input_value
+    ...     average = total / count
+    ...
+    ...     result = {
+    ...         'count': count,
+    ...         'total': total,
+    ...         'average': average,
+    ...         'converged': average > 10.0
+    ...     }
+    ...     '''
+    ... )
+
+    Function integration:
+
+    >>> def custom_processor(data: dict) -> dict:
+    ...     return {'processed': data['value'] * 2}
+    >>> node = PythonCodeNode.from_function(custom_processor)
 """
 
 import ast
 import importlib.util
 import inspect
 import logging
+import resource
 import traceback
 from pathlib import Path
 from typing import Any, Callable, Dict, List, Optional, Type, Union, get_type_hints
@@ -34,6 +61,14 @@ from kailash.sdk_exceptions import (
     NodeExecutionError,
     SafetyViolationError,
 )
+from kailash.security import (
+    ExecutionTimeoutError,
+    MemoryLimitError,
+    SecurityConfig,
+    execution_timeout,
+    get_security_config,
+    validate_node_parameters,
+)
 
 logger = logging.getLogger(__name__)
 
@@ -48,7 +83,9 @@ ALLOWED_MODULES = {
     "collections",
     "functools",
     "string",
+    "time",
     "re",
+    "os",  # For file operations in cycles
     "pandas",
     "numpy",
     "scipy",
@@ -94,7 +131,7 @@ class SafeCodeChecker(ast.NodeVisitor):
         if isinstance(node.func, ast.Name):
             func_name = node.func.id
             # Check for dangerous built-in functions
-            if func_name in {"eval", "exec", "compile", "__import__"}:
+            if func_name in {"eval", "exec", "compile"}:
                 self.violations.append(f"Call to '{func_name}' is not allowed")
         elif isinstance(node.func, ast.Attribute):
             # Check for dangerous method calls
@@ -126,14 +163,20 @@ class CodeExecutor:
     - Memory limits (future enhancement)
     """
 
-    def __init__(self, allowed_modules: Optional[List[str]] = None):
+    def __init__(
+        self,
+        allowed_modules: Optional[List[str]] = None,
+        security_config: Optional[SecurityConfig] = None,
+    ):
         """Initialize the code executor.
 
         Args:
             allowed_modules: List of module names allowed for import.
                            Defaults to common data processing modules.
+            security_config: Security configuration for execution limits.
         """
         self.allowed_modules = set(allowed_modules or ALLOWED_MODULES)
+        self.security_config = security_config or get_security_config()
         self.allowed_builtins = {
             "abs",
             "all",
@@ -159,6 +202,43 @@ class CodeExecutor:
             "type",
             "zip",
             "print",  # Allow print for debugging
+            "hasattr",  # For attribute checking
+            # Exception classes for proper error handling
+            "Exception",
+            "ValueError",
+            "TypeError",
+            "KeyError",
+            "NameError",
+            "AttributeError",
+            "IndexError",
+            "RuntimeError",
+            "StopIteration",
+            "ImportError",
+            "OSError",
+            "IOError",
+            "FileNotFoundError",
+            "ZeroDivisionError",
+            "ArithmeticError",
+            "AssertionError",
+            # Useful built-ins for data science
+            "set",
+            "frozenset",
+            "bytes",
+            "bytearray",
+            "complex",
+            "divmod",
+            "pow",
+            "hex",
+            "oct",
+            "bin",
+            "format",
+            "ord",
+            "chr",
+            "repr",
+            "vars",  # For debugging
+            "getattr",  # For attribute access
+            "open",  # For file operations
+            "__import__",  # For imports (controlled by ALLOWED_MODULES)
         }
         self._execution_namespace = {}
 
@@ -195,10 +275,15 @@ class CodeExecutor:
 
         Raises:
             NodeExecutionError: If code execution fails
+            ExecutionTimeoutError: If execution exceeds timeout
+            MemoryLimitError: If memory usage exceeds limit
         """
         # Check code safety first
         self.check_code_safety(code)
 
+        # Sanitize inputs
+        sanitized_inputs = validate_node_parameters(inputs, self.security_config)
+
         # Create isolated namespace
         import builtins
 
@@ -218,19 +303,42 @@ class CodeExecutor:
             except ImportError:
                 logger.warning(f"Module {module_name} not available")
 
-        # Add inputs
-        namespace.update(inputs)
+        # Add sanitized inputs
+        namespace.update(sanitized_inputs)
 
         try:
-            exec(code, namespace)
+            # Set memory limit if supported (Unix systems)
+            if hasattr(resource, "RLIMIT_AS") and self.security_config.memory_limit:
+                try:
+                    resource.setrlimit(
+                        resource.RLIMIT_AS,
+                        (
+                            self.security_config.memory_limit,
+                            self.security_config.memory_limit,
+                        ),
+                    )
+                except (OSError, ValueError):
+                    logger.warning(
+                        "Could not set memory limit - continuing without limit"
+                    )
+
+            # Execute with timeout
+            with execution_timeout(
+                self.security_config.execution_timeout, self.security_config
+            ):
+                exec(code, namespace)
             # Return all non-private variables that weren't in inputs
             return {
                 k: v
                 for k, v in namespace.items()
                 if not k.startswith("_")
-                and k not in inputs
+                and k not in sanitized_inputs
                 and k not in self.allowed_modules
             }
+        except ExecutionTimeoutError:
+            raise
+        except MemoryLimitError:
+            raise
         except Exception as e:
             error_msg = f"Code execution failed: {str(e)}\n{traceback.format_exc()}"
             logger.error(error_msg)
@@ -328,7 +436,7 @@ class FunctionWrapper:
         """Extract output type from function signature.
 
         Returns:
-            Return type annotation or Any
+            Return type annotation or Any.
         """
         return self.type_hints.get("return", Any)
 

kailash/nodes/data/readers.py

@@ -33,6 +33,7 @@ import json
 from typing import Any, Dict
 
 from kailash.nodes.base import Node, NodeParameter, register_node
+from kailash.security import safe_open, validate_file_path
 
 
 @register_node()
@@ -245,7 +246,7 @@ class CSVReaderNode(Node):
             - Analyzers can process row-by-row
             - data_indexed is useful for lookups and joins
         """
-        file_path = kwargs["file_path"]
+        file_path = kwargs.get("file_path") or self.config.get("file_path")
         headers = kwargs.get("headers", True)
         delimiter = kwargs.get("delimiter", ",")
         index_column = kwargs.get("index_column")
@@ -253,7 +254,10 @@ class CSVReaderNode(Node):
         data = []
         data_indexed = {}
 
-        with open(file_path, "r", encoding="utf-8") as f:
+        # Validate file path for security
+        validated_path = validate_file_path(file_path, operation="CSV read")
+
+        with safe_open(validated_path, "r", encoding="utf-8") as f:
             reader = csv.reader(f, delimiter=delimiter)
 
             if headers:
@@ -402,9 +406,12 @@ class JSONReaderNode(Node):
             - Compatible with JSONWriter for round-trip
             - Transform nodes can process nested data
         """
-        file_path = kwargs["file_path"]
+        file_path = kwargs.get("file_path") or self.config.get("file_path")
+
+        # Validate file path for security
+        validated_path = validate_file_path(file_path, operation="JSON read")
 
-        with open(file_path, "r", encoding="utf-8") as f:
+        with safe_open(validated_path, "r", encoding="utf-8") as f:
             data = json.load(f)
 
         return {"data": data}
@@ -540,10 +547,13 @@ class TextReaderNode(Node):
             - Pattern nodes can search content
             - Writers can save processed text
         """
-        file_path = kwargs["file_path"]
+        file_path = kwargs.get("file_path") or self.config.get("file_path")
         encoding = kwargs.get("encoding", "utf-8")
 
-        with open(file_path, "r", encoding=encoding) as f:
+        # Validate file path for security
+        validated_path = validate_file_path(file_path, operation="text read")
+
+        with safe_open(validated_path, "r", encoding=encoding) as f:
             text = f.read()
 
         return {"text": text}