kailash 0.3.2__py3-none-any.whl → 0.4.0__py3-none-any.whl

kailash/__init__.py

@@ -2,6 +2,10 @@
 
 The Kailash SDK provides a comprehensive framework for creating nodes and workflows
 that align with container-node architecture while allowing rapid prototyping.
+
+New in v0.4.0: Enterprise middleware architecture with real-time agent-frontend
+communication, dynamic workflows, AI chat integration, and production-ready
+session management. Complete refactor from monolithic to composable middleware.
 """
 
 from kailash.nodes.base import Node, NodeMetadata, NodeParameter
@@ -12,12 +16,28 @@ from kailash.workflow.builder import WorkflowBuilder
 from kailash.workflow.graph import Connection, NodeInstance, Workflow
 from kailash.workflow.visualization import WorkflowVisualizer
 
+# Import middleware components (enhanced in v0.4.0)
+try:
+    from kailash.middleware import (
+        AgentUIMiddleware,
+        AIChatMiddleware,
+        APIGateway,
+        RealtimeMiddleware,
+        create_gateway,
+    )
+
+    _MIDDLEWARE_AVAILABLE = True
+except ImportError:
+    _MIDDLEWARE_AVAILABLE = False
+    # Middleware dependencies not available
+
 # For backward compatibility
 WorkflowGraph = Workflow
 
-__version__ = "0.3.0"
+__version__ = "0.4.0"
 
 __all__ = [
+    # Core workflow components
     "Workflow",
     "WorkflowGraph",  # Backward compatibility
     "NodeInstance",
@@ -29,3 +49,15 @@ __all__ = [
     "NodeMetadata",
     "LocalRuntime",
 ]
+
+# Add middleware to exports if available
+if _MIDDLEWARE_AVAILABLE:
+    __all__.extend(
+        [
+            "AgentUIMiddleware",
+            "RealtimeMiddleware",
+            "APIGateway",
+            "AIChatMiddleware",
+            "create_gateway",
+        ]
+    )

kailash/access_control/__init__.py

@@ -0,0 +1,129 @@
+"""Access control package with composition-based architecture.
+
+This package provides clean, testable access control components:
+- Rule evaluators for RBAC, ABAC, and hybrid strategies
+- Composable access control managers
+- Backward compatibility with existing code
+"""
+
+import os
+
+# Import core types first (avoiding circular imports)
+import sys
+from typing import Any, Dict, List
+
+# Add parent directory to path for imports
+sys.path.insert(0, os.path.dirname(os.path.dirname(__file__)))
+
+# Import core access control components directly
+import importlib.util
+import os
+
+# Load the original access_control module to avoid import conflicts
+_spec = importlib.util.spec_from_file_location(
+    "original_access_control",
+    os.path.join(os.path.dirname(os.path.dirname(__file__)), "access_control.py"),
+)
+_original_module = importlib.util.module_from_spec(_spec)
+_spec.loader.exec_module(_original_module)
+
+# Import core types from original module
+NodePermission = _original_module.NodePermission
+WorkflowPermission = _original_module.WorkflowPermission
+PermissionEffect = _original_module.PermissionEffect
+PermissionRule = _original_module.PermissionRule
+UserContext = _original_module.UserContext
+AccessDecision = _original_module.AccessDecision
+ConditionEvaluator = _original_module.ConditionEvaluator
+
+# Import utility functions from original module
+get_access_control_manager = _original_module.get_access_control_manager
+set_access_control_manager = _original_module.set_access_control_manager
+
+# Import new composition-based components
+from kailash.access_control.managers import AccessControlManager  # noqa: E402
+from kailash.access_control.rule_evaluators import (  # noqa: E402
+    ABACRuleEvaluator,
+    HybridRuleEvaluator,
+    RBACRuleEvaluator,
+    RuleEvaluator,
+    create_rule_evaluator,
+)
+
+# ABAC components are available directly from kailash.access_control_abac
+# Not imported here to avoid circular import issues
+
+# Export all components
+__all__ = [
+    # Core types
+    "NodePermission",
+    "WorkflowPermission",
+    "PermissionEffect",
+    "PermissionRule",
+    "UserContext",
+    "AccessDecision",
+    "ConditionEvaluator",
+    # Composition-based components
+    "AccessControlManager",
+    "RuleEvaluator",
+    "RBACRuleEvaluator",
+    "ABACRuleEvaluator",
+    "HybridRuleEvaluator",
+    "create_rule_evaluator",
+    # ABAC components available from kailash.access_control_abac
+    # Utility functions
+    "get_access_control_manager",
+    "set_access_control_manager",
+    # ABAC helper functions
+    "create_attribute_condition",
+    "create_complex_condition",
+]
+
+
+# Helper functions for creating ABAC conditions
+def create_attribute_condition(
+    path: str, operator: str, value: Any, case_sensitive: bool = True
+) -> Dict[str, Any]:
+    """Create an attribute condition configuration.
+
+    Helper function to create properly formatted attribute conditions
+    for use in permission rules.
+
+    Args:
+        path: Attribute path (e.g., "user.attributes.department")
+        operator: Comparison operator
+        value: Value to compare against
+        case_sensitive: Whether comparison is case sensitive
+
+    Returns:
+        Condition configuration dict
+    """
+    return {
+        "type": "attribute_expression",
+        "value": {
+            "attribute_path": path,
+            "operator": operator,
+            "value": value,
+            "case_sensitive": case_sensitive,
+        },
+    }
+
+
+def create_complex_condition(
+    operator: str, conditions: List[Dict[str, Any]]
+) -> Dict[str, Any]:
+    """Create a complex attribute condition with logical operators.
+
+    Helper function to create AND/OR/NOT conditions.
+
+    Args:
+        operator: Logical operator (and/or/not)
+        conditions: List of conditions to combine
+
+    Returns:
+        Complex condition configuration dict
+    """
+    return {
+        "type": "attribute_expression",
+        "value": {"operator": operator, "conditions": conditions},
+    }

kailash/access_control/managers.py

@@ -0,0 +1,461 @@
+"""Composition-based access control managers.
+
+This module provides clean, testable access control managers using composition
+instead of inheritance, solving the architectural issues with the previous design.
+"""
+
+import logging
+import threading
+from typing import Any, Dict, List, Optional, Union
+
+# Import base access control components
+try:
+    from kailash.access_control import (
+        AccessDecision,
+        NodePermission,
+        PermissionRule,
+        UserContext,
+        WorkflowPermission,
+    )
+except ImportError:
+    # Local definitions to handle circular import during initial setup
+    from dataclasses import dataclass
+    from datetime import datetime
+    from enum import Enum
+
+    class NodePermission(Enum):
+        EXECUTE = "execute"
+        READ_OUTPUT = "read_output"
+        WRITE_INPUT = "write_input"
+
+    class WorkflowPermission(Enum):
+        VIEW = "view"
+        EXECUTE = "execute"
+        MODIFY = "modify"
+
+    class PermissionEffect(Enum):
+        ALLOW = "allow"
+        DENY = "deny"
+        CONDITIONAL = "conditional"
+
+    @dataclass
+    class UserContext:
+        user_id: str
+        tenant_id: str
+        email: str
+        roles: List[str]
+        attributes: Dict[str, Any]
+
+    @dataclass
+    class AccessDecision:
+        allowed: bool
+        reason: str
+        applied_rules: List[str]
+        conditions_met: Optional[Dict[str, bool]] = None
+        masked_fields: Optional[List[str]] = None
+
+    @dataclass
+    class PermissionRule:
+        id: str
+        resource_type: str
+        resource_id: str
+        permission: Union[NodePermission, WorkflowPermission]
+        effect: PermissionEffect
+        user_id: Optional[str] = None
+        role: Optional[str] = None
+        tenant_id: Optional[str] = None
+        conditions: Optional[Dict[str, Any]] = None
+        priority: int = 0
+        expires_at: Optional[datetime] = None
+
+
+from kailash.access_control.rule_evaluators import RuleEvaluator, create_rule_evaluator
+
+logger = logging.getLogger(__name__)
+
+
+class AccessControlManager:
+    """Access control manager using composition pattern.
+
+    This manager separates rule storage from rule evaluation, allowing:
+    - Easy testing with mock evaluators
+    - Flexible evaluation strategies (RBAC, ABAC, Hybrid)
+    - Clear separation of concerns
+    - No inheritance-related bugs
+
+    Example:
+        >>> # Create with hybrid evaluation (RBAC + ABAC)
+        >>> manager = AccessControlManager()
+
+        >>> # Or specify evaluation strategy
+        >>> rbac_manager = AccessControlManager(strategy="rbac")
+        >>> abac_manager = AccessControlManager(strategy="abac")
+
+        >>> # Add rules
+        >>> manager.add_rule(PermissionRule(...))
+
+        >>> # Check access
+        >>> decision = manager.check_node_access(user, "node_id", NodePermission.EXECUTE)
+    """
+
+    def __init__(
+        self,
+        rule_evaluator: Optional[RuleEvaluator] = None,
+        strategy: str = "hybrid",
+        enabled: bool = True,
+    ):
+        """Initialize access control manager.
+
+        Args:
+            rule_evaluator: Custom rule evaluator (overrides strategy)
+            strategy: Evaluation strategy ('rbac', 'abac', 'hybrid')
+            enabled: Whether access control is enabled
+        """
+        self.enabled = enabled
+        self.rules: List[PermissionRule] = []
+
+        # Use provided evaluator or create one based on strategy
+        if rule_evaluator:
+            self.rule_evaluator = rule_evaluator
+        else:
+            self.rule_evaluator = create_rule_evaluator(strategy)
+
+        # Cache for performance
+        self._cache: Dict[str, AccessDecision] = {}
+        self._cache_lock = threading.Lock()
+
+        # Audit logging
+        self.audit_logger = logging.getLogger("kailash.access_control.audit")
+
+        # Data masking for ABAC (only needed for abac/hybrid strategies)
+        self._masking_rules: Dict[str, List[Any]] = {}
+        if strategy in ["abac", "hybrid"]:
+            self._init_abac_components()
+
+        logger.info(
+            f"Initialized AccessControlManager with {type(self.rule_evaluator).__name__}"
+        )
+
+    def _init_abac_components(self) -> None:
+        """Initialize ABAC-specific components."""
+        try:
+            from kailash.access_control_abac import AttributeEvaluator, DataMasker
+
+            self.attribute_evaluator = AttributeEvaluator()
+            self.data_masker = DataMasker(self.attribute_evaluator)
+        except ImportError:
+            logger.warning("ABAC components not available, data masking disabled")
+            self.attribute_evaluator = None
+            self.data_masker = None
+
+    def add_rule(self, rule: PermissionRule) -> None:
+        """Add a permission rule.
+
+        Args:
+            rule: Permission rule to add
+        """
+        self.rules.append(rule)
+        self._clear_cache()
+        logger.debug(
+            f"Added rule {rule.id} for {rule.resource_type}:{rule.resource_id}"
+        )
+
+    def remove_rule(self, rule_id: str) -> bool:
+        """Remove a permission rule.
+
+        Args:
+            rule_id: ID of rule to remove
+
+        Returns:
+            True if rule was found and removed
+        """
+        initial_count = len(self.rules)
+        self.rules = [r for r in self.rules if r.id != rule_id]
+        removed = len(self.rules) < initial_count
+
+        if removed:
+            self._clear_cache()
+            logger.debug(f"Removed rule {rule_id}")
+
+        return removed
+
+    def check_workflow_access(
+        self,
+        user: UserContext,
+        workflow_id: str,
+        permission: WorkflowPermission,
+        runtime_context: Optional[Dict[str, Any]] = None,
+    ) -> AccessDecision:
+        """Check if user has permission on workflow.
+
+        Args:
+            user: User requesting access
+            workflow_id: Workflow to access
+            permission: Permission being requested
+            runtime_context: Additional runtime context
+
+        Returns:
+            AccessDecision with allow/deny and reasoning
+        """
+        if not self.enabled:
+            return AccessDecision(
+                allowed=True,
+                reason="Access control disabled",
+                applied_rules=[],
+            )
+
+        cache_key = f"workflow:{workflow_id}:{user.user_id}:{permission.value}"
+
+        # Check cache (if no runtime context)
+        if not runtime_context:
+            with self._cache_lock:
+                if cache_key in self._cache:
+                    cached_decision = self._cache[cache_key]
+                    logger.debug(f"Cache hit for {cache_key}")
+                    return cached_decision
+
+        # Get applicable rules
+        applicable_rules = self._get_applicable_rules(
+            "workflow", workflow_id, permission
+        )
+
+        # Evaluate using configured strategy
+        decision = self.rule_evaluator.evaluate_rules(
+            applicable_rules,
+            user,
+            "workflow",
+            workflow_id,
+            permission,
+            runtime_context or {},
+        )
+
+        # Cache decision (if no runtime context)
+        if not runtime_context:
+            with self._cache_lock:
+                self._cache[cache_key] = decision
+
+        # Audit log
+        self._audit_log(user, "workflow", workflow_id, permission, decision)
+
+        return decision
+
+    def check_node_access(
+        self,
+        user: UserContext,
+        node_id: str,
+        permission: NodePermission,
+        runtime_context: Optional[Dict[str, Any]] = None,
+    ) -> AccessDecision:
+        """Check if user has permission on node.
+
+        Args:
+            user: User requesting access
+            node_id: Node to access
+            permission: Permission being requested
+            runtime_context: Additional runtime context
+
+        Returns:
+            AccessDecision with allow/deny and reasoning
+        """
+        if not self.enabled:
+            return AccessDecision(
+                allowed=True,
+                reason="Access control disabled",
+                applied_rules=[],
+            )
+
+        cache_key = f"node:{node_id}:{user.user_id}:{permission.value}"
+
+        # Check cache (if no runtime context)
+        if not runtime_context:
+            with self._cache_lock:
+                if cache_key in self._cache:
+                    cached_decision = self._cache[cache_key]
+                    logger.debug(f"Cache hit for {cache_key}")
+                    return cached_decision
+
+        # Get applicable rules
+        applicable_rules = self._get_applicable_rules("node", node_id, permission)
+
+        # Evaluate using configured strategy
+        decision = self.rule_evaluator.evaluate_rules(
+            applicable_rules,
+            user,
+            "node",
+            node_id,
+            permission,
+            runtime_context or {},
+        )
+
+        # Cache decision (if no runtime context)
+        if not runtime_context:
+            with self._cache_lock:
+                self._cache[cache_key] = decision
+
+        # Audit log
+        self._audit_log(user, "node", node_id, permission, decision)
+
+        return decision
+
+    def get_accessible_nodes(
+        self, user: UserContext, workflow_id: str, permission: NodePermission
+    ) -> set[str]:
+        """Get all nodes user can access in a workflow.
+
+        Args:
+            user: User to check access for
+            workflow_id: Workflow containing nodes
+            permission: Permission type to check
+
+        Returns:
+            Set of accessible node IDs
+        """
+        # Get all node rules for this workflow
+        node_rules = [
+            rule
+            for rule in self.rules
+            if rule.resource_type == "node" and rule.permission == permission
+        ]
+
+        accessible = set()
+
+        for rule in node_rules:
+            decision = self.check_node_access(user, rule.resource_id, permission)
+            if decision.allowed:
+                accessible.add(rule.resource_id)
+
+        return accessible
+
+    def add_masking_rule(self, node_id: str, rule: Any) -> None:
+        """Add attribute-based masking rule for a node."""
+        if not hasattr(self, "data_masker") or self.data_masker is None:
+            logger.warning("Data masking not available - use ABAC or hybrid strategy")
+            return
+
+        if node_id not in self._masking_rules:
+            self._masking_rules[node_id] = []
+
+        self._masking_rules[node_id].append(rule)
+        logger.info(f"Added masking rule for node {node_id}")
+
+    def apply_data_masking(
+        self, user: UserContext, node_id: str, data: Dict[str, Any]
+    ) -> Dict[str, Any]:
+        """Apply attribute-based data masking to node output."""
+        # Check if ABAC components are available
+        if not hasattr(self, "data_masker") or self.data_masker is None:
+            logger.warning("Data masking not available - returning original data")
+            return data
+
+        # Get masking rules for node
+        rules = self._masking_rules.get(node_id, [])
+        if not rules:
+            return data
+
+        # Build context for evaluation
+        context = {"user": user, "node_id": node_id, "data": data}
+
+        # Apply masking
+        return self.data_masker.apply_masking(data, rules, context)
+
+    def supports_conditions(self) -> bool:
+        """Check if current evaluator supports conditional rules.
+
+        Returns:
+            True if complex conditions are supported
+        """
+        return self.rule_evaluator.supports_conditions()
+
+    def get_strategy_info(self) -> Dict[str, Any]:
+        """Get information about the current evaluation strategy.
+
+        Returns:
+            Dictionary with strategy details
+        """
+        return {
+            "evaluator_type": type(self.rule_evaluator).__name__,
+            "supports_conditions": self.supports_conditions(),
+            "enabled": self.enabled,
+            "rule_count": len(self.rules),
+        }
+
+    def _get_applicable_rules(
+        self,
+        resource_type: str,
+        resource_id: str,
+        permission: Union[NodePermission, WorkflowPermission],
+    ) -> List[PermissionRule]:
+        """Get rules that apply to a specific resource and permission.
+
+        Args:
+            resource_type: Type of resource (node/workflow)
+            resource_id: Specific resource ID
+            permission: Permission being checked
+
+        Returns:
+            List of applicable rules
+        """
+        applicable_rules = []
+
+        for rule in self.rules:
+            # Check resource type, ID, and permission match
+            if (
+                rule.resource_type == resource_type
+                and rule.resource_id == resource_id
+                and rule.permission == permission
+            ):
+
+                # Check expiration
+                if rule.expires_at:
+                    from datetime import UTC, datetime
+
+                    if rule.expires_at < datetime.now(UTC):
+                        continue
+
+                applicable_rules.append(rule)
+
+        return applicable_rules
+
+    def _clear_cache(self) -> None:
+        """Clear the access decision cache."""
+        with self._cache_lock:
+            self._cache.clear()
+        logger.debug("Cleared access control cache")
+
+    def _audit_log(
+        self,
+        user: UserContext,
+        resource_type: str,
+        resource_id: str,
+        permission: Union[NodePermission, WorkflowPermission],
+        decision: AccessDecision,
+    ) -> None:
+        """Log access control decision for auditing.
+
+        Args:
+            user: User who made the request
+            resource_type: Type of resource accessed
+            resource_id: ID of resource accessed
+            permission: Permission that was checked
+            decision: Access control decision
+        """
+        self.audit_logger.info(
+            "Access decision",
+            extra={
+                "user_id": user.user_id,
+                "tenant_id": user.tenant_id,
+                "resource_type": resource_type,
+                "resource_id": resource_id,
+                "permission": permission.value,
+                "allowed": decision.allowed,
+                "reason": decision.reason,
+                "applied_rules": decision.applied_rules,
+                "evaluator": type(self.rule_evaluator).__name__,
+            },
+        )
+
+
+# Export components
+__all__ = [
+    "AccessControlManager",
+]