kailash 0.3.1__py3-none-any.whl → 0.4.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- kailash/__init__.py +33 -1
- kailash/access_control/__init__.py +129 -0
- kailash/access_control/managers.py +461 -0
- kailash/access_control/rule_evaluators.py +467 -0
- kailash/access_control_abac.py +825 -0
- kailash/config/__init__.py +27 -0
- kailash/config/database_config.py +359 -0
- kailash/database/__init__.py +28 -0
- kailash/database/execution_pipeline.py +499 -0
- kailash/middleware/__init__.py +306 -0
- kailash/middleware/auth/__init__.py +33 -0
- kailash/middleware/auth/access_control.py +436 -0
- kailash/middleware/auth/auth_manager.py +422 -0
- kailash/middleware/auth/jwt_auth.py +477 -0
- kailash/middleware/auth/kailash_jwt_auth.py +616 -0
- kailash/middleware/communication/__init__.py +37 -0
- kailash/middleware/communication/ai_chat.py +989 -0
- kailash/middleware/communication/api_gateway.py +802 -0
- kailash/middleware/communication/events.py +470 -0
- kailash/middleware/communication/realtime.py +710 -0
- kailash/middleware/core/__init__.py +21 -0
- kailash/middleware/core/agent_ui.py +890 -0
- kailash/middleware/core/schema.py +643 -0
- kailash/middleware/core/workflows.py +396 -0
- kailash/middleware/database/__init__.py +63 -0
- kailash/middleware/database/base.py +113 -0
- kailash/middleware/database/base_models.py +525 -0
- kailash/middleware/database/enums.py +106 -0
- kailash/middleware/database/migrations.py +12 -0
- kailash/{api/database.py → middleware/database/models.py} +183 -291
- kailash/middleware/database/repositories.py +685 -0
- kailash/middleware/database/session_manager.py +19 -0
- kailash/middleware/mcp/__init__.py +38 -0
- kailash/middleware/mcp/client_integration.py +585 -0
- kailash/middleware/mcp/enhanced_server.py +576 -0
- kailash/nodes/__init__.py +25 -3
- kailash/nodes/admin/__init__.py +35 -0
- kailash/nodes/admin/audit_log.py +794 -0
- kailash/nodes/admin/permission_check.py +864 -0
- kailash/nodes/admin/role_management.py +823 -0
- kailash/nodes/admin/security_event.py +1519 -0
- kailash/nodes/admin/user_management.py +944 -0
- kailash/nodes/ai/a2a.py +24 -7
- kailash/nodes/ai/ai_providers.py +1 -0
- kailash/nodes/ai/embedding_generator.py +11 -11
- kailash/nodes/ai/intelligent_agent_orchestrator.py +99 -11
- kailash/nodes/ai/llm_agent.py +407 -2
- kailash/nodes/ai/self_organizing.py +85 -10
- kailash/nodes/api/auth.py +287 -6
- kailash/nodes/api/rest.py +151 -0
- kailash/nodes/auth/__init__.py +17 -0
- kailash/nodes/auth/directory_integration.py +1228 -0
- kailash/nodes/auth/enterprise_auth_provider.py +1328 -0
- kailash/nodes/auth/mfa.py +2338 -0
- kailash/nodes/auth/risk_assessment.py +872 -0
- kailash/nodes/auth/session_management.py +1093 -0
- kailash/nodes/auth/sso.py +1040 -0
- kailash/nodes/base.py +344 -13
- kailash/nodes/base_cycle_aware.py +4 -2
- kailash/nodes/base_with_acl.py +1 -1
- kailash/nodes/code/python.py +293 -12
- kailash/nodes/compliance/__init__.py +9 -0
- kailash/nodes/compliance/data_retention.py +1888 -0
- kailash/nodes/compliance/gdpr.py +2004 -0
- kailash/nodes/data/__init__.py +22 -2
- kailash/nodes/data/async_connection.py +469 -0
- kailash/nodes/data/async_sql.py +757 -0
- kailash/nodes/data/async_vector.py +598 -0
- kailash/nodes/data/readers.py +767 -0
- kailash/nodes/data/retrieval.py +360 -1
- kailash/nodes/data/sharepoint_graph.py +397 -21
- kailash/nodes/data/sql.py +94 -5
- kailash/nodes/data/streaming.py +68 -8
- kailash/nodes/data/vector_db.py +54 -4
- kailash/nodes/enterprise/__init__.py +13 -0
- kailash/nodes/enterprise/batch_processor.py +741 -0
- kailash/nodes/enterprise/data_lineage.py +497 -0
- kailash/nodes/logic/convergence.py +31 -9
- kailash/nodes/logic/operations.py +14 -3
- kailash/nodes/mixins/__init__.py +8 -0
- kailash/nodes/mixins/event_emitter.py +201 -0
- kailash/nodes/mixins/mcp.py +9 -4
- kailash/nodes/mixins/security.py +165 -0
- kailash/nodes/monitoring/__init__.py +7 -0
- kailash/nodes/monitoring/performance_benchmark.py +2497 -0
- kailash/nodes/rag/__init__.py +284 -0
- kailash/nodes/rag/advanced.py +1615 -0
- kailash/nodes/rag/agentic.py +773 -0
- kailash/nodes/rag/conversational.py +999 -0
- kailash/nodes/rag/evaluation.py +875 -0
- kailash/nodes/rag/federated.py +1188 -0
- kailash/nodes/rag/graph.py +721 -0
- kailash/nodes/rag/multimodal.py +671 -0
- kailash/nodes/rag/optimized.py +933 -0
- kailash/nodes/rag/privacy.py +1059 -0
- kailash/nodes/rag/query_processing.py +1335 -0
- kailash/nodes/rag/realtime.py +764 -0
- kailash/nodes/rag/registry.py +547 -0
- kailash/nodes/rag/router.py +837 -0
- kailash/nodes/rag/similarity.py +1854 -0
- kailash/nodes/rag/strategies.py +566 -0
- kailash/nodes/rag/workflows.py +575 -0
- kailash/nodes/security/__init__.py +19 -0
- kailash/nodes/security/abac_evaluator.py +1411 -0
- kailash/nodes/security/audit_log.py +91 -0
- kailash/nodes/security/behavior_analysis.py +1893 -0
- kailash/nodes/security/credential_manager.py +401 -0
- kailash/nodes/security/rotating_credentials.py +760 -0
- kailash/nodes/security/security_event.py +132 -0
- kailash/nodes/security/threat_detection.py +1103 -0
- kailash/nodes/testing/__init__.py +9 -0
- kailash/nodes/testing/credential_testing.py +499 -0
- kailash/nodes/transform/__init__.py +10 -2
- kailash/nodes/transform/chunkers.py +592 -1
- kailash/nodes/transform/processors.py +484 -14
- kailash/nodes/validation.py +321 -0
- kailash/runtime/access_controlled.py +1 -1
- kailash/runtime/async_local.py +41 -7
- kailash/runtime/docker.py +1 -1
- kailash/runtime/local.py +474 -55
- kailash/runtime/parallel.py +1 -1
- kailash/runtime/parallel_cyclic.py +1 -1
- kailash/runtime/testing.py +210 -2
- kailash/utils/migrations/__init__.py +25 -0
- kailash/utils/migrations/generator.py +433 -0
- kailash/utils/migrations/models.py +231 -0
- kailash/utils/migrations/runner.py +489 -0
- kailash/utils/secure_logging.py +342 -0
- kailash/workflow/__init__.py +16 -0
- kailash/workflow/cyclic_runner.py +3 -4
- kailash/workflow/graph.py +70 -2
- kailash/workflow/resilience.py +249 -0
- kailash/workflow/templates.py +726 -0
- {kailash-0.3.1.dist-info → kailash-0.4.0.dist-info}/METADATA +253 -20
- kailash-0.4.0.dist-info/RECORD +223 -0
- kailash/api/__init__.py +0 -17
- kailash/api/__main__.py +0 -6
- kailash/api/studio_secure.py +0 -893
- kailash/mcp/__main__.py +0 -13
- kailash/mcp/server_new.py +0 -336
- kailash/mcp/servers/__init__.py +0 -12
- kailash-0.3.1.dist-info/RECORD +0 -136
- {kailash-0.3.1.dist-info → kailash-0.4.0.dist-info}/WHEEL +0 -0
- {kailash-0.3.1.dist-info → kailash-0.4.0.dist-info}/entry_points.txt +0 -0
- {kailash-0.3.1.dist-info → kailash-0.4.0.dist-info}/licenses/LICENSE +0 -0
- {kailash-0.3.1.dist-info → kailash-0.4.0.dist-info}/top_level.txt +0 -0
|
@@ -0,0 +1,436 @@
|
|
|
1
|
+
"""
|
|
2
|
+
Enterprise Access Control for Kailash Middleware
|
|
3
|
+
|
|
4
|
+
Consolidates existing Kailash access control implementations (RBAC/ABAC)
|
|
5
|
+
into the middleware layer for unified authentication and authorization.
|
|
6
|
+
"""
|
|
7
|
+
|
|
8
|
+
from typing import Any, Dict, List, Optional
|
|
9
|
+
|
|
10
|
+
# Import existing Kailash access control components
|
|
11
|
+
from kailash.access_control import AccessControlManager as BaseAccessControlManager
|
|
12
|
+
from kailash.access_control import (
|
|
13
|
+
AccessDecision,
|
|
14
|
+
NodePermission,
|
|
15
|
+
PermissionEffect,
|
|
16
|
+
PermissionRule,
|
|
17
|
+
UserContext,
|
|
18
|
+
WorkflowPermission,
|
|
19
|
+
)
|
|
20
|
+
from kailash.access_control_abac import AttributeOperator, EnhancedAccessControlManager
|
|
21
|
+
from kailash.nodes.admin import (
|
|
22
|
+
AuditLogNode,
|
|
23
|
+
PermissionCheckNode,
|
|
24
|
+
RoleManagementNode,
|
|
25
|
+
SecurityEventNode,
|
|
26
|
+
UserManagementNode,
|
|
27
|
+
)
|
|
28
|
+
|
|
29
|
+
# Import Kailash security nodes
|
|
30
|
+
from kailash.nodes.security import CredentialManagerNode, RotatingCredentialNode
|
|
31
|
+
|
|
32
|
+
# Import middleware event system
|
|
33
|
+
from ..communication.events import EventStream, EventType
|
|
34
|
+
from ..core.agent_ui import AgentUIMiddleware
|
|
35
|
+
|
|
36
|
+
|
|
37
|
+
class MiddlewareAccessControlManager:
|
|
38
|
+
"""
|
|
39
|
+
Enterprise access control manager for Kailash middleware.
|
|
40
|
+
|
|
41
|
+
Consolidates existing Kailash RBAC/ABAC implementations with
|
|
42
|
+
middleware-specific features like session management, real-time
|
|
43
|
+
events, and multi-tenant isolation.
|
|
44
|
+
"""
|
|
45
|
+
|
|
46
|
+
def __init__(
|
|
47
|
+
self,
|
|
48
|
+
event_stream: EventStream = None,
|
|
49
|
+
enable_abac: bool = True,
|
|
50
|
+
enable_audit: bool = True,
|
|
51
|
+
):
|
|
52
|
+
# Use existing Kailash access control implementations
|
|
53
|
+
if enable_abac:
|
|
54
|
+
self.access_manager = EnhancedAccessControlManager()
|
|
55
|
+
else:
|
|
56
|
+
self.access_manager = BaseAccessControlManager()
|
|
57
|
+
|
|
58
|
+
# Middleware integration
|
|
59
|
+
self.event_stream = event_stream
|
|
60
|
+
self.enable_audit = enable_audit
|
|
61
|
+
|
|
62
|
+
# Kailash nodes for operations
|
|
63
|
+
self.user_mgmt_node = UserManagementNode("middleware_user_mgmt")
|
|
64
|
+
self.role_mgmt_node = RoleManagementNode("middleware_role_mgmt")
|
|
65
|
+
self.permission_check_node = PermissionCheckNode("middleware_perm_check")
|
|
66
|
+
self.audit_node = AuditLogNode("middleware_audit") if enable_audit else None
|
|
67
|
+
self.security_event_node = SecurityEventNode("middleware_security")
|
|
68
|
+
|
|
69
|
+
async def check_session_access(
|
|
70
|
+
self, user_context: UserContext, session_id: str, action: str = "access"
|
|
71
|
+
) -> AccessDecision:
|
|
72
|
+
"""Check if user can access a specific session."""
|
|
73
|
+
|
|
74
|
+
# Use Kailash permission check node
|
|
75
|
+
result = self.permission_check_node.process(
|
|
76
|
+
{
|
|
77
|
+
"user_context": user_context,
|
|
78
|
+
"resource_type": "session",
|
|
79
|
+
"resource_id": session_id,
|
|
80
|
+
"action": action,
|
|
81
|
+
}
|
|
82
|
+
)
|
|
83
|
+
|
|
84
|
+
decision = AccessDecision(
|
|
85
|
+
allowed=result.get("allowed", False),
|
|
86
|
+
reason=result.get("reason", "Session access denied"),
|
|
87
|
+
user_id=user_context.user_id,
|
|
88
|
+
resource_id=session_id,
|
|
89
|
+
permission=f"session.{action}",
|
|
90
|
+
)
|
|
91
|
+
|
|
92
|
+
# Emit middleware event
|
|
93
|
+
if self.event_stream:
|
|
94
|
+
await self._emit_access_event(decision, "session", user_context)
|
|
95
|
+
|
|
96
|
+
return decision
|
|
97
|
+
|
|
98
|
+
async def check_workflow_access(
|
|
99
|
+
self,
|
|
100
|
+
user_context: UserContext,
|
|
101
|
+
workflow_id: str,
|
|
102
|
+
permission: WorkflowPermission,
|
|
103
|
+
) -> AccessDecision:
|
|
104
|
+
"""Check workflow access using existing Kailash RBAC/ABAC."""
|
|
105
|
+
|
|
106
|
+
# Use existing Kailash access control
|
|
107
|
+
decision = self.access_manager.check_workflow_access(
|
|
108
|
+
user_context, workflow_id, permission
|
|
109
|
+
)
|
|
110
|
+
|
|
111
|
+
# Emit middleware event
|
|
112
|
+
if self.event_stream:
|
|
113
|
+
await self._emit_access_event(decision, "workflow", user_context)
|
|
114
|
+
|
|
115
|
+
# Audit logging using Kailash audit node
|
|
116
|
+
if self.enable_audit and self.audit_node:
|
|
117
|
+
self.audit_node.process(
|
|
118
|
+
{
|
|
119
|
+
"event_type": "workflow_access_check",
|
|
120
|
+
"user_id": user_context.user_id,
|
|
121
|
+
"resource_id": workflow_id,
|
|
122
|
+
"permission": permission.value,
|
|
123
|
+
"allowed": decision.allowed,
|
|
124
|
+
"reason": decision.reason,
|
|
125
|
+
}
|
|
126
|
+
)
|
|
127
|
+
|
|
128
|
+
return decision
|
|
129
|
+
|
|
130
|
+
async def check_node_access(
|
|
131
|
+
self, user_context: UserContext, node_id: str, permission: NodePermission
|
|
132
|
+
) -> AccessDecision:
|
|
133
|
+
"""Check node access using existing Kailash RBAC/ABAC."""
|
|
134
|
+
|
|
135
|
+
# Use existing Kailash access control
|
|
136
|
+
decision = self.access_manager.check_node_access(
|
|
137
|
+
user_context, node_id, permission
|
|
138
|
+
)
|
|
139
|
+
|
|
140
|
+
# Emit middleware event
|
|
141
|
+
if self.event_stream:
|
|
142
|
+
await self._emit_access_event(decision, "node", user_context)
|
|
143
|
+
|
|
144
|
+
return decision
|
|
145
|
+
|
|
146
|
+
async def check_api_access(
|
|
147
|
+
self, user_context: UserContext, endpoint: str, method: str = "GET"
|
|
148
|
+
) -> AccessDecision:
|
|
149
|
+
"""Check API endpoint access (middleware-specific)."""
|
|
150
|
+
|
|
151
|
+
# Create custom permission for API endpoints
|
|
152
|
+
api_permission = f"api.{method.lower()}.{endpoint.replace('/', '.')}"
|
|
153
|
+
|
|
154
|
+
# Use existing Kailash permission rules
|
|
155
|
+
rules = self.access_manager.get_user_permissions(user_context)
|
|
156
|
+
|
|
157
|
+
allowed = any(
|
|
158
|
+
rule.permission == api_permission and rule.effect == PermissionEffect.ALLOW
|
|
159
|
+
for rule in rules
|
|
160
|
+
)
|
|
161
|
+
|
|
162
|
+
decision = AccessDecision(
|
|
163
|
+
allowed=allowed,
|
|
164
|
+
reason=f"API access {'granted' if allowed else 'denied'} for {endpoint}",
|
|
165
|
+
user_id=user_context.user_id,
|
|
166
|
+
resource_id=endpoint,
|
|
167
|
+
permission=api_permission,
|
|
168
|
+
)
|
|
169
|
+
|
|
170
|
+
# Emit middleware event
|
|
171
|
+
if self.event_stream:
|
|
172
|
+
await self._emit_access_event(decision, "api", user_context)
|
|
173
|
+
|
|
174
|
+
return decision
|
|
175
|
+
|
|
176
|
+
async def create_user_context_from_token(
|
|
177
|
+
self, token_payload: Dict[str, Any]
|
|
178
|
+
) -> UserContext:
|
|
179
|
+
"""Create UserContext from JWT token payload."""
|
|
180
|
+
|
|
181
|
+
return UserContext(
|
|
182
|
+
user_id=token_payload.get("sub"),
|
|
183
|
+
tenant_id=token_payload.get("tenant_id"),
|
|
184
|
+
email=token_payload.get("email"),
|
|
185
|
+
roles=token_payload.get("roles", []),
|
|
186
|
+
attributes=token_payload.get("attributes", {}),
|
|
187
|
+
session_id=token_payload.get("session_id"),
|
|
188
|
+
)
|
|
189
|
+
|
|
190
|
+
async def assign_role_to_user(
|
|
191
|
+
self, user_id: str, role: str, assigned_by: str, tenant_id: str = None
|
|
192
|
+
) -> Dict[str, Any]:
|
|
193
|
+
"""Assign role to user using Kailash role management node."""
|
|
194
|
+
|
|
195
|
+
result = self.role_mgmt_node.process(
|
|
196
|
+
{
|
|
197
|
+
"action": "assign_role",
|
|
198
|
+
"user_id": user_id,
|
|
199
|
+
"role": role,
|
|
200
|
+
"assigned_by": assigned_by,
|
|
201
|
+
"tenant_id": tenant_id,
|
|
202
|
+
}
|
|
203
|
+
)
|
|
204
|
+
|
|
205
|
+
# Emit security event
|
|
206
|
+
if self.event_stream:
|
|
207
|
+
from ..events import WorkflowEvent
|
|
208
|
+
|
|
209
|
+
event = WorkflowEvent(
|
|
210
|
+
type=EventType.SYSTEM_STATUS,
|
|
211
|
+
workflow_id="access_control",
|
|
212
|
+
data={
|
|
213
|
+
"action": "role_assigned",
|
|
214
|
+
"user_id": user_id,
|
|
215
|
+
"role": role,
|
|
216
|
+
"assigned_by": assigned_by,
|
|
217
|
+
},
|
|
218
|
+
)
|
|
219
|
+
await self.event_stream.emit(event)
|
|
220
|
+
|
|
221
|
+
return result
|
|
222
|
+
|
|
223
|
+
async def create_permission_rule(
|
|
224
|
+
self, rule_data: Dict[str, Any], created_by: str
|
|
225
|
+
) -> Dict[str, Any]:
|
|
226
|
+
"""Create permission rule using existing Kailash patterns."""
|
|
227
|
+
|
|
228
|
+
# Use existing access control manager
|
|
229
|
+
rule = PermissionRule(
|
|
230
|
+
user_id=rule_data.get("user_id"),
|
|
231
|
+
role=rule_data.get("role"),
|
|
232
|
+
permission=rule_data.get("permission"),
|
|
233
|
+
resource_pattern=rule_data.get("resource_pattern"),
|
|
234
|
+
effect=PermissionEffect(rule_data.get("effect", "allow")),
|
|
235
|
+
conditions=rule_data.get("conditions", {}),
|
|
236
|
+
)
|
|
237
|
+
|
|
238
|
+
self.access_manager.add_permission_rule(rule)
|
|
239
|
+
|
|
240
|
+
# Audit the rule creation
|
|
241
|
+
if self.enable_audit and self.audit_node:
|
|
242
|
+
self.audit_node.process(
|
|
243
|
+
{
|
|
244
|
+
"event_type": "permission_rule_created",
|
|
245
|
+
"rule_data": rule_data,
|
|
246
|
+
"created_by": created_by,
|
|
247
|
+
}
|
|
248
|
+
)
|
|
249
|
+
|
|
250
|
+
return {"success": True, "rule_id": str(hash(str(rule)))}
|
|
251
|
+
|
|
252
|
+
async def get_user_effective_permissions(
|
|
253
|
+
self, user_context: UserContext
|
|
254
|
+
) -> List[Dict[str, Any]]:
|
|
255
|
+
"""Get effective permissions for user using Kailash access control."""
|
|
256
|
+
|
|
257
|
+
# Use existing Kailash implementation
|
|
258
|
+
rules = self.access_manager.get_user_permissions(user_context)
|
|
259
|
+
|
|
260
|
+
return [
|
|
261
|
+
{
|
|
262
|
+
"permission": rule.permission,
|
|
263
|
+
"resource_pattern": rule.resource_pattern,
|
|
264
|
+
"effect": rule.effect.value,
|
|
265
|
+
"conditions": rule.conditions,
|
|
266
|
+
}
|
|
267
|
+
for rule in rules
|
|
268
|
+
]
|
|
269
|
+
|
|
270
|
+
async def _emit_access_event(
|
|
271
|
+
self, decision: AccessDecision, resource_type: str, user_context: UserContext
|
|
272
|
+
):
|
|
273
|
+
"""Emit access control event to middleware event stream."""
|
|
274
|
+
|
|
275
|
+
from ..events import WorkflowEvent
|
|
276
|
+
|
|
277
|
+
event = WorkflowEvent(
|
|
278
|
+
type=(
|
|
279
|
+
EventType.SYSTEM_STATUS
|
|
280
|
+
if decision.allowed
|
|
281
|
+
else EventType.SYSTEM_WARNING
|
|
282
|
+
),
|
|
283
|
+
workflow_id="access_control",
|
|
284
|
+
data={
|
|
285
|
+
"access_decision": {
|
|
286
|
+
"allowed": decision.allowed,
|
|
287
|
+
"reason": decision.reason,
|
|
288
|
+
"user_id": decision.user_id,
|
|
289
|
+
"resource_id": decision.resource_id,
|
|
290
|
+
"permission": decision.permission,
|
|
291
|
+
"resource_type": resource_type,
|
|
292
|
+
},
|
|
293
|
+
"user_context": {
|
|
294
|
+
"user_id": user_context.user_id,
|
|
295
|
+
"tenant_id": user_context.tenant_id,
|
|
296
|
+
"roles": user_context.roles,
|
|
297
|
+
"session_id": getattr(user_context, "session_id", None),
|
|
298
|
+
},
|
|
299
|
+
},
|
|
300
|
+
)
|
|
301
|
+
|
|
302
|
+
await self.event_stream.emit(event)
|
|
303
|
+
|
|
304
|
+
def get_stats(self) -> Dict[str, Any]:
|
|
305
|
+
"""Get access control statistics."""
|
|
306
|
+
base_stats = (
|
|
307
|
+
self.access_manager.get_stats()
|
|
308
|
+
if hasattr(self.access_manager, "get_stats")
|
|
309
|
+
else {}
|
|
310
|
+
)
|
|
311
|
+
|
|
312
|
+
return {
|
|
313
|
+
**base_stats,
|
|
314
|
+
"middleware_features": {
|
|
315
|
+
"abac_enabled": isinstance(
|
|
316
|
+
self.access_manager, EnhancedAccessControlManager
|
|
317
|
+
),
|
|
318
|
+
"audit_enabled": self.enable_audit,
|
|
319
|
+
"event_stream_connected": self.event_stream is not None,
|
|
320
|
+
"kailash_nodes_used": [
|
|
321
|
+
"UserManagementNode",
|
|
322
|
+
"RoleManagementNode",
|
|
323
|
+
"PermissionCheckNode",
|
|
324
|
+
"AuditLogNode",
|
|
325
|
+
"SecurityEventNode",
|
|
326
|
+
],
|
|
327
|
+
},
|
|
328
|
+
}
|
|
329
|
+
|
|
330
|
+
|
|
331
|
+
class MiddlewareAuthenticationMiddleware:
|
|
332
|
+
"""
|
|
333
|
+
Authentication middleware that integrates with Kailash security components.
|
|
334
|
+
"""
|
|
335
|
+
|
|
336
|
+
def __init__(
|
|
337
|
+
self,
|
|
338
|
+
access_control_manager: MiddlewareAccessControlManager,
|
|
339
|
+
credential_manager: CredentialManagerNode = None,
|
|
340
|
+
):
|
|
341
|
+
self.access_manager = access_control_manager
|
|
342
|
+
self.credential_manager = credential_manager or CredentialManagerNode(
|
|
343
|
+
name="middleware_credentials",
|
|
344
|
+
credential_name="jwt_secret",
|
|
345
|
+
credential_type="api_key",
|
|
346
|
+
)
|
|
347
|
+
|
|
348
|
+
async def authenticate_request(
|
|
349
|
+
self, headers: Dict[str, str], session_id: str = None
|
|
350
|
+
) -> tuple[bool, UserContext]:
|
|
351
|
+
"""
|
|
352
|
+
Authenticate incoming request using Kailash security patterns.
|
|
353
|
+
|
|
354
|
+
Returns:
|
|
355
|
+
Tuple of (authenticated, user_context)
|
|
356
|
+
"""
|
|
357
|
+
|
|
358
|
+
# Extract token from headers
|
|
359
|
+
auth_header = headers.get("Authorization", "")
|
|
360
|
+
if not auth_header.startswith("Bearer "):
|
|
361
|
+
return False, None
|
|
362
|
+
|
|
363
|
+
token = auth_header[7:] # Remove "Bearer " prefix
|
|
364
|
+
|
|
365
|
+
# Use Kailash credential manager for token validation
|
|
366
|
+
try:
|
|
367
|
+
# This would typically validate JWT token
|
|
368
|
+
# For now, simulating with credential manager
|
|
369
|
+
cred_result = self.credential_manager.process(
|
|
370
|
+
{"action": "validate_token", "token": token}
|
|
371
|
+
)
|
|
372
|
+
|
|
373
|
+
if not cred_result.get("valid", False):
|
|
374
|
+
return False, None
|
|
375
|
+
|
|
376
|
+
# Create user context from token data
|
|
377
|
+
token_data = cred_result.get("token_data", {})
|
|
378
|
+
user_context = UserContext(
|
|
379
|
+
user_id=token_data.get("user_id"),
|
|
380
|
+
tenant_id=token_data.get("tenant_id"),
|
|
381
|
+
email=token_data.get("email"),
|
|
382
|
+
roles=token_data.get("roles", []),
|
|
383
|
+
attributes=token_data.get("attributes", {}),
|
|
384
|
+
session_id=session_id,
|
|
385
|
+
)
|
|
386
|
+
|
|
387
|
+
return True, user_context
|
|
388
|
+
|
|
389
|
+
except Exception as e:
|
|
390
|
+
# Log security event using Kailash security event node
|
|
391
|
+
self.access_manager.security_event_node.process(
|
|
392
|
+
{
|
|
393
|
+
"event_type": "authentication_failure",
|
|
394
|
+
"error": str(e),
|
|
395
|
+
"token_preview": token[:10] + "..." if len(token) > 10 else token,
|
|
396
|
+
}
|
|
397
|
+
)
|
|
398
|
+
|
|
399
|
+
return False, None
|
|
400
|
+
|
|
401
|
+
async def authorize_request(
|
|
402
|
+
self,
|
|
403
|
+
user_context: UserContext,
|
|
404
|
+
resource_type: str,
|
|
405
|
+
resource_id: str,
|
|
406
|
+
action: str,
|
|
407
|
+
) -> AccessDecision:
|
|
408
|
+
"""Authorize request using Kailash access control."""
|
|
409
|
+
|
|
410
|
+
if resource_type == "session":
|
|
411
|
+
return await self.access_manager.check_session_access(
|
|
412
|
+
user_context, resource_id, action
|
|
413
|
+
)
|
|
414
|
+
elif resource_type == "workflow":
|
|
415
|
+
permission = WorkflowPermission(action)
|
|
416
|
+
return await self.access_manager.check_workflow_access(
|
|
417
|
+
user_context, resource_id, permission
|
|
418
|
+
)
|
|
419
|
+
elif resource_type == "node":
|
|
420
|
+
permission = NodePermission(action)
|
|
421
|
+
return await self.access_manager.check_node_access(
|
|
422
|
+
user_context, resource_id, permission
|
|
423
|
+
)
|
|
424
|
+
elif resource_type == "api":
|
|
425
|
+
return await self.access_manager.check_api_access(
|
|
426
|
+
user_context, resource_id, action
|
|
427
|
+
)
|
|
428
|
+
else:
|
|
429
|
+
# Default deny for unknown resource types
|
|
430
|
+
return AccessDecision(
|
|
431
|
+
allowed=False,
|
|
432
|
+
reason=f"Unknown resource type: {resource_type}",
|
|
433
|
+
user_id=user_context.user_id,
|
|
434
|
+
resource_id=resource_id,
|
|
435
|
+
permission=f"{resource_type}.{action}",
|
|
436
|
+
)
|