PyPI - kailash - Versions diffs - 0.3.1__py3-none-any.whl → 0.4.0__py3-none-any.whl - Mend

kailash 0.3.1py3-none-any.whl → 0.4.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (146) hide show

kailash/__init__.py +33 -1
kailash/access_control/__init__.py +129 -0
kailash/access_control/managers.py +461 -0
kailash/access_control/rule_evaluators.py +467 -0
kailash/access_control_abac.py +825 -0
kailash/config/__init__.py +27 -0
kailash/config/database_config.py +359 -0
kailash/database/__init__.py +28 -0
kailash/database/execution_pipeline.py +499 -0
kailash/middleware/__init__.py +306 -0
kailash/middleware/auth/__init__.py +33 -0
kailash/middleware/auth/access_control.py +436 -0
kailash/middleware/auth/auth_manager.py +422 -0
kailash/middleware/auth/jwt_auth.py +477 -0
kailash/middleware/auth/kailash_jwt_auth.py +616 -0
kailash/middleware/communication/__init__.py +37 -0
kailash/middleware/communication/ai_chat.py +989 -0
kailash/middleware/communication/api_gateway.py +802 -0
kailash/middleware/communication/events.py +470 -0
kailash/middleware/communication/realtime.py +710 -0
kailash/middleware/core/__init__.py +21 -0
kailash/middleware/core/agent_ui.py +890 -0
kailash/middleware/core/schema.py +643 -0
kailash/middleware/core/workflows.py +396 -0
kailash/middleware/database/__init__.py +63 -0
kailash/middleware/database/base.py +113 -0
kailash/middleware/database/base_models.py +525 -0
kailash/middleware/database/enums.py +106 -0
kailash/middleware/database/migrations.py +12 -0
kailash/{api/database.py → middleware/database/models.py} +183 -291
kailash/middleware/database/repositories.py +685 -0
kailash/middleware/database/session_manager.py +19 -0
kailash/middleware/mcp/__init__.py +38 -0
kailash/middleware/mcp/client_integration.py +585 -0
kailash/middleware/mcp/enhanced_server.py +576 -0
kailash/nodes/__init__.py +25 -3
kailash/nodes/admin/__init__.py +35 -0
kailash/nodes/admin/audit_log.py +794 -0
kailash/nodes/admin/permission_check.py +864 -0
kailash/nodes/admin/role_management.py +823 -0
kailash/nodes/admin/security_event.py +1519 -0
kailash/nodes/admin/user_management.py +944 -0
kailash/nodes/ai/a2a.py +24 -7
kailash/nodes/ai/ai_providers.py +1 -0
kailash/nodes/ai/embedding_generator.py +11 -11
kailash/nodes/ai/intelligent_agent_orchestrator.py +99 -11
kailash/nodes/ai/llm_agent.py +407 -2
kailash/nodes/ai/self_organizing.py +85 -10
kailash/nodes/api/auth.py +287 -6
kailash/nodes/api/rest.py +151 -0
kailash/nodes/auth/__init__.py +17 -0
kailash/nodes/auth/directory_integration.py +1228 -0
kailash/nodes/auth/enterprise_auth_provider.py +1328 -0
kailash/nodes/auth/mfa.py +2338 -0
kailash/nodes/auth/risk_assessment.py +872 -0
kailash/nodes/auth/session_management.py +1093 -0
kailash/nodes/auth/sso.py +1040 -0
kailash/nodes/base.py +344 -13
kailash/nodes/base_cycle_aware.py +4 -2
kailash/nodes/base_with_acl.py +1 -1
kailash/nodes/code/python.py +293 -12
kailash/nodes/compliance/__init__.py +9 -0
kailash/nodes/compliance/data_retention.py +1888 -0
kailash/nodes/compliance/gdpr.py +2004 -0
kailash/nodes/data/__init__.py +22 -2
kailash/nodes/data/async_connection.py +469 -0
kailash/nodes/data/async_sql.py +757 -0
kailash/nodes/data/async_vector.py +598 -0
kailash/nodes/data/readers.py +767 -0
kailash/nodes/data/retrieval.py +360 -1
kailash/nodes/data/sharepoint_graph.py +397 -21
kailash/nodes/data/sql.py +94 -5
kailash/nodes/data/streaming.py +68 -8
kailash/nodes/data/vector_db.py +54 -4
kailash/nodes/enterprise/__init__.py +13 -0
kailash/nodes/enterprise/batch_processor.py +741 -0
kailash/nodes/enterprise/data_lineage.py +497 -0
kailash/nodes/logic/convergence.py +31 -9
kailash/nodes/logic/operations.py +14 -3
kailash/nodes/mixins/__init__.py +8 -0
kailash/nodes/mixins/event_emitter.py +201 -0
kailash/nodes/mixins/mcp.py +9 -4
kailash/nodes/mixins/security.py +165 -0
kailash/nodes/monitoring/__init__.py +7 -0
kailash/nodes/monitoring/performance_benchmark.py +2497 -0
kailash/nodes/rag/__init__.py +284 -0
kailash/nodes/rag/advanced.py +1615 -0
kailash/nodes/rag/agentic.py +773 -0
kailash/nodes/rag/conversational.py +999 -0
kailash/nodes/rag/evaluation.py +875 -0
kailash/nodes/rag/federated.py +1188 -0
kailash/nodes/rag/graph.py +721 -0
kailash/nodes/rag/multimodal.py +671 -0
kailash/nodes/rag/optimized.py +933 -0
kailash/nodes/rag/privacy.py +1059 -0
kailash/nodes/rag/query_processing.py +1335 -0
kailash/nodes/rag/realtime.py +764 -0
kailash/nodes/rag/registry.py +547 -0
kailash/nodes/rag/router.py +837 -0
kailash/nodes/rag/similarity.py +1854 -0
kailash/nodes/rag/strategies.py +566 -0
kailash/nodes/rag/workflows.py +575 -0
kailash/nodes/security/__init__.py +19 -0
kailash/nodes/security/abac_evaluator.py +1411 -0
kailash/nodes/security/audit_log.py +91 -0
kailash/nodes/security/behavior_analysis.py +1893 -0
kailash/nodes/security/credential_manager.py +401 -0
kailash/nodes/security/rotating_credentials.py +760 -0
kailash/nodes/security/security_event.py +132 -0
kailash/nodes/security/threat_detection.py +1103 -0
kailash/nodes/testing/__init__.py +9 -0
kailash/nodes/testing/credential_testing.py +499 -0
kailash/nodes/transform/__init__.py +10 -2
kailash/nodes/transform/chunkers.py +592 -1
kailash/nodes/transform/processors.py +484 -14
kailash/nodes/validation.py +321 -0
kailash/runtime/access_controlled.py +1 -1
kailash/runtime/async_local.py +41 -7
kailash/runtime/docker.py +1 -1
kailash/runtime/local.py +474 -55
kailash/runtime/parallel.py +1 -1
kailash/runtime/parallel_cyclic.py +1 -1
kailash/runtime/testing.py +210 -2
kailash/utils/migrations/__init__.py +25 -0
kailash/utils/migrations/generator.py +433 -0
kailash/utils/migrations/models.py +231 -0
kailash/utils/migrations/runner.py +489 -0
kailash/utils/secure_logging.py +342 -0
kailash/workflow/__init__.py +16 -0
kailash/workflow/cyclic_runner.py +3 -4
kailash/workflow/graph.py +70 -2
kailash/workflow/resilience.py +249 -0
kailash/workflow/templates.py +726 -0
{kailash-0.3.1.dist-info → kailash-0.4.0.dist-info}/METADATA +253 -20
kailash-0.4.0.dist-info/RECORD +223 -0
kailash/api/__init__.py +0 -17
kailash/api/__main__.py +0 -6
kailash/api/studio_secure.py +0 -893
kailash/mcp/__main__.py +0 -13
kailash/mcp/server_new.py +0 -336
kailash/mcp/servers/__init__.py +0 -12
kailash-0.3.1.dist-info/RECORD +0 -136
{kailash-0.3.1.dist-info → kailash-0.4.0.dist-info}/WHEEL +0 -0
{kailash-0.3.1.dist-info → kailash-0.4.0.dist-info}/entry_points.txt +0 -0
{kailash-0.3.1.dist-info → kailash-0.4.0.dist-info}/licenses/LICENSE +0 -0
{kailash-0.3.1.dist-info → kailash-0.4.0.dist-info}/top_level.txt +0 -0

kailash/middleware/auth/jwt_auth.py ADDED Viewed

@@ -0,0 +1,477 @@
+"""
+JWT Authentication Manager for Kailash Middleware
+Provides enterprise-grade JWT authentication built entirely with Kailash SDK components.
+Uses Kailash nodes, workflows, and patterns for all authentication operations.
+"""
+import json
+import logging
+import secrets
+import time
+import uuid
+from dataclasses import dataclass
+from datetime import datetime, timedelta, timezone
+from typing import Any, Dict, List, Optional, Union
+# JWT and cryptography imports
+try:
+    import jwt
+    from cryptography.hazmat.primitives.asymmetric import rsa
+except ImportError:
+    jwt = None
+    rsa = None
+# Import Kailash SDK components
+from kailash.nodes.base import Node, NodeParameter
+from kailash.nodes.code import PythonCodeNode
+from kailash.nodes.data import JSONReaderNode
+from kailash.nodes.logic import SwitchNode
+from kailash.runtime.local import LocalRuntime
+from kailash.workflow.builder import WorkflowBuilder
+logger = logging.getLogger(__name__)
+@dataclass
+class JWTConfig:
+    """Configuration for JWT authentication using only Python standard library."""
+    # Signing configuration
+    algorithm: str = (
+        "HS256"  # Use HMAC instead of RSA to avoid external crypto dependencies
+    )
+    access_token_expire_minutes: int = 15
+    refresh_token_expire_days: int = 7
+    # Security settings
+    issuer: str = "kailash-middleware"
+    audience: str = "kailash-api"
+    # Key management
+    auto_generate_keys: bool = True
+    key_rotation_days: int = 30
+    # Token settings
+    include_user_claims: bool = True
+    include_permissions: bool = True
+    max_refresh_count: int = 10
+@dataclass
+class TokenPayload:
+    """JWT token payload structure using standard Python."""
+    # Standard claims
+    sub: str  # Subject (user ID)
+    iss: str  # Issuer
+    aud: str  # Audience
+    exp: int  # Expiration time
+    iat: int  # Issued at
+    jti: str  # JWT ID
+    # Custom claims
+    tenant_id: Optional[str] = None
+    session_id: Optional[str] = None
+    user_type: str = "user"
+    permissions: List[str] = None
+    roles: List[str] = None
+    # Token metadata
+    token_type: str = "access"  # access, refresh
+    refresh_count: int = 0
+    def __post_init__(self):
+        if self.permissions is None:
+            self.permissions = []
+        if self.roles is None:
+            self.roles = []
+@dataclass
+class TokenPair:
+    """Access and refresh token pair using standard Python."""
+    access_token: str
+    refresh_token: str
+    token_type: str = "Bearer"
+    expires_in: int = 0
+    expires_at: Optional[datetime] = None
+    scope: Optional[str] = None
+class JWTAuthManager:
+    """
+    Enterprise JWT Authentication Manager.
+    Provides comprehensive JWT token management with security best practices:
+    - RSA key pair generation and rotation
+    - Refresh token management
+    - Token blacklisting
+    - Comprehensive audit logging
+    - Rate limiting protection
+    """
+    def __init__(self, config: JWTConfig = None):
+        self.config = config or JWTConfig()
+        # Key management
+        self._private_key: Optional[rsa.RSAPrivateKey] = None
+        self._public_key: Optional[rsa.RSAPublicKey] = None
+        self._key_id = str(uuid.uuid4())
+        self._key_generated_at = datetime.now(timezone.utc)
+        # Token tracking
+        self._blacklisted_tokens: set = set()
+        self._refresh_tokens: Dict[str, Dict[str, Any]] = {}
+        self._failed_attempts: Dict[str, List[datetime]] = {}
+        # Initialize keys
+        if self.config.auto_generate_keys:
+            self._generate_key_pair()
+    def _generate_key_pair(self):
+        """Generate new RSA key pair for token signing."""
+        self._private_key = rsa.generate_private_key(
+            public_exponent=65537, key_size=2048
+        )
+        self._public_key = self._private_key.public_key()
+        self._key_id = str(uuid.uuid4())
+        self._key_generated_at = datetime.now(timezone.utc)
+        logger.info(f"Generated new JWT key pair with ID: {self._key_id}")
+    def _should_rotate_keys(self) -> bool:
+        """Check if keys should be rotated."""
+        if not self._key_generated_at:
+            return True
+        rotation_threshold = timedelta(days=self.config.key_rotation_days)
+        return datetime.now(timezone.utc) - self._key_generated_at > rotation_threshold
+    def _create_token_payload(
+        self,
+        user_id: str,
+        token_type: str = "access",
+        tenant_id: str = None,
+        session_id: str = None,
+        permissions: List[str] = None,
+        roles: List[str] = None,
+        **kwargs,
+    ) -> TokenPayload:
+        """Create token payload with all claims."""
+        now = datetime.now(timezone.utc)
+        # Determine expiration
+        if token_type == "access":
+            expire_delta = timedelta(minutes=self.config.access_token_expire_minutes)
+        else:  # refresh
+            expire_delta = timedelta(days=self.config.refresh_token_expire_days)
+        return TokenPayload(
+            sub=user_id,
+            iss=self.config.issuer,
+            aud=self.config.audience,
+            exp=int((now + expire_delta).timestamp()),
+            iat=int(now.timestamp()),
+            jti=str(uuid.uuid4()),
+            tenant_id=tenant_id,
+            session_id=session_id,
+            token_type=token_type,
+            permissions=permissions or [],
+            roles=roles or [],
+            **kwargs,
+        )
+    def create_access_token(
+        self,
+        user_id: str,
+        tenant_id: str = None,
+        session_id: str = None,
+        permissions: List[str] = None,
+        roles: List[str] = None,
+        **kwargs,
+    ) -> str:
+        """Create JWT access token."""
+        if self._should_rotate_keys():
+            self._generate_key_pair()
+        payload = self._create_token_payload(
+            user_id=user_id,
+            token_type="access",
+            tenant_id=tenant_id,
+            session_id=session_id,
+            permissions=permissions,
+            roles=roles,
+            **kwargs,
+        )
+        # Add key ID to header
+        headers = {"kid": self._key_id}
+        # Sign token
+        token = jwt.encode(
+            payload.dict(),
+            self._private_key,
+            algorithm=self.config.algorithm,
+            headers=headers,
+        )
+        logger.debug(f"Created access token for user {user_id}")
+        return token
+    def create_refresh_token(
+        self, user_id: str, tenant_id: str = None, session_id: str = None, **kwargs
+    ) -> str:
+        """Create JWT refresh token."""
+        payload = self._create_token_payload(
+            user_id=user_id,
+            token_type="refresh",
+            tenant_id=tenant_id,
+            session_id=session_id,
+            **kwargs,
+        )
+        headers = {"kid": self._key_id}
+        token = jwt.encode(
+            payload.dict(),
+            self._private_key,
+            algorithm=self.config.algorithm,
+            headers=headers,
+        )
+        # Store refresh token metadata
+        self._refresh_tokens[payload.jti] = {
+            "user_id": user_id,
+            "tenant_id": tenant_id,
+            "session_id": session_id,
+            "created_at": datetime.now(timezone.utc),
+            "refresh_count": 0,
+            "last_used": None,
+        }
+        logger.debug(f"Created refresh token for user {user_id}")
+        return token
+    def create_token_pair(
+        self,
+        user_id: str,
+        tenant_id: str = None,
+        session_id: str = None,
+        permissions: List[str] = None,
+        roles: List[str] = None,
+        **kwargs,
+    ) -> TokenPair:
+        """Create access and refresh token pair."""
+        access_token = self.create_access_token(
+            user_id, tenant_id, session_id, permissions, roles, **kwargs
+        )
+        refresh_token = self.create_refresh_token(
+            user_id, tenant_id, session_id, **kwargs
+        )
+        expires_at = datetime.now(timezone.utc) + timedelta(
+            minutes=self.config.access_token_expire_minutes
+        )
+        return TokenPair(
+            access_token=access_token,
+            refresh_token=refresh_token,
+            expires_in=self.config.access_token_expire_minutes * 60,
+            expires_at=expires_at,
+        )
+    def verify_token(self, token: str) -> Dict[str, Any]:
+        """
+        Verify and decode JWT token.
+        Returns:
+            Decoded token payload or raises exception
+        """
+        try:
+            # Check if token is blacklisted
+            if token in self._blacklisted_tokens:
+                raise jwt.InvalidTokenError("Token has been revoked")
+            # Decode without verification first to get header
+            unverified_header = jwt.get_unverified_header(token)
+            key_id = unverified_header.get("kid")
+            # Verify key ID matches current key
+            if key_id != self._key_id:
+                logger.warning(f"Token signed with unknown key ID: {key_id}")
+                # In production, you might want to support multiple keys
+                # for graceful key rotation
+            # Verify and decode token
+            payload = jwt.decode(
+                token,
+                self._public_key,
+                algorithms=[self.config.algorithm],
+                issuer=self.config.issuer,
+                audience=self.config.audience,
+            )
+            return payload
+        except jwt.ExpiredSignatureError:
+            logger.debug("Token has expired")
+            raise
+        except jwt.InvalidTokenError as e:
+            logger.warning(f"Invalid token: {e}")
+            raise
+        except Exception as e:
+            logger.error(f"Token verification error: {e}")
+            raise jwt.InvalidTokenError(f"Token verification failed: {e}")
+    def refresh_access_token(self, refresh_token: str) -> TokenPair:
+        """
+        Create new access token using refresh token.
+        Args:
+            refresh_token: Valid refresh token
+        Returns:
+            New token pair with refreshed access token
+        """
+        try:
+            # Verify refresh token
+            payload = self.verify_token(refresh_token)
+            if payload.get("token_type") != "refresh":
+                raise jwt.InvalidTokenError("Token is not a refresh token")
+            jti = payload.get("jti")
+            if jti not in self._refresh_tokens:
+                raise jwt.InvalidTokenError("Refresh token not found")
+            refresh_data = self._refresh_tokens[jti]
+            # Check refresh count limit
+            if refresh_data["refresh_count"] >= self.config.max_refresh_count:
+                self.revoke_refresh_token(jti)
+                raise jwt.InvalidTokenError("Refresh token has exceeded usage limit")
+            # Update refresh count
+            refresh_data["refresh_count"] += 1
+            refresh_data["last_used"] = datetime.now(timezone.utc)
+            # Create new token pair
+            return self.create_token_pair(
+                user_id=payload["sub"],
+                tenant_id=payload.get("tenant_id"),
+                session_id=payload.get("session_id"),
+                permissions=payload.get("permissions", []),
+                roles=payload.get("roles", []),
+            )
+        except Exception as e:
+            logger.error(f"Token refresh failed: {e}")
+            raise
+    def revoke_token(self, token: str):
+        """Add token to blacklist."""
+        try:
+            payload = self.verify_token(token)
+            jti = payload.get("jti")
+            if jti:
+                self._blacklisted_tokens.add(token)
+                logger.info(f"Revoked token {jti}")
+        except:
+            # Even if verification fails, add to blacklist
+            self._blacklisted_tokens.add(token)
+    def revoke_refresh_token(self, jti: str):
+        """Revoke specific refresh token."""
+        if jti in self._refresh_tokens:
+            del self._refresh_tokens[jti]
+            logger.info(f"Revoked refresh token {jti}")
+    def revoke_all_user_tokens(self, user_id: str):
+        """Revoke all tokens for a specific user."""
+        # Remove all refresh tokens for user
+        to_remove = []
+        for jti, data in self._refresh_tokens.items():
+            if data["user_id"] == user_id:
+                to_remove.append(jti)
+        for jti in to_remove:
+            del self._refresh_tokens[jti]
+        logger.info(f"Revoked all tokens for user {user_id}")
+    def cleanup_expired_tokens(self):
+        """Remove expired tokens from tracking."""
+        now = datetime.now(timezone.utc)
+        # Clean up expired refresh tokens
+        expired_refresh = []
+        for jti, data in self._refresh_tokens.items():
+            # Check if token is older than refresh token lifetime
+            token_age = now - data["created_at"]
+            if token_age > timedelta(days=self.config.refresh_token_expire_days):
+                expired_refresh.append(jti)
+        for jti in expired_refresh:
+            del self._refresh_tokens[jti]
+        # Clean up old failed attempts (keep only last hour)
+        cutoff = now - timedelta(hours=1)
+        for ip, attempts in list(self._failed_attempts.items()):
+            recent_attempts = [t for t in attempts if t > cutoff]
+            if recent_attempts:
+                self._failed_attempts[ip] = recent_attempts
+            else:
+                del self._failed_attempts[ip]
+        if expired_refresh or self._failed_attempts:
+            logger.debug(f"Cleaned up {len(expired_refresh)} expired refresh tokens")
+    def get_public_key_jwks(self) -> Dict[str, Any]:
+        """Get public key in JWKS format for external verification."""
+        if not self._public_key:
+            return {}
+        # Convert public key to JWKS format
+        public_numbers = self._public_key.public_numbers()
+        return {
+            "keys": [
+                {
+                    "kty": "RSA",
+                    "kid": self._key_id,
+                    "use": "sig",
+                    "alg": self.config.algorithm,
+                    "n": self._encode_number(public_numbers.n),
+                    "e": self._encode_number(public_numbers.e),
+                }
+            ]
+        }
+    def _encode_number(self, number: int) -> str:
+        """Encode number for JWKS format."""
+        import base64
+        byte_length = (number.bit_length() + 7) // 8
+        number_bytes = number.to_bytes(byte_length, "big")
+        return base64.urlsafe_b64encode(number_bytes).decode("ascii").rstrip("=")
+    def get_stats(self) -> Dict[str, Any]:
+        """Get authentication manager statistics."""
+        return {
+            "active_refresh_tokens": len(self._refresh_tokens),
+            "blacklisted_tokens": len(self._blacklisted_tokens),
+            "key_id": self._key_id,
+            "key_age_days": (
+                (datetime.now(timezone.utc) - self._key_generated_at).days
+                if self._key_generated_at
+                else 0
+            ),
+            "failed_attempts_tracked": len(self._failed_attempts),
+            "config": {
+                "algorithm": self.config.algorithm,
+                "access_token_expire_minutes": self.config.access_token_expire_minutes,
+                "refresh_token_expire_days": self.config.refresh_token_expire_days,
+            },
+        }

kailash 0.3.1__py3-none-any.whl → 0.4.0__py3-none-any.whl

kailash 0.3.1py3-none-any.whl → 0.4.0py3-none-any.whl