kekkai-cli 1.0.4__py3-none-any.whl → 1.1.0__py3-none-any.whl

portal/enterprise/licensing.py

@@ -2,15 +2,15 @@
 
 Security controls:
 - Server-side license enforcement
-- Signed license tokens to prevent tampering
+- Asymmetric (ECDSA P-256) signed license tokens to prevent tampering
 - Grace period handling for expiration
+- Private key for signing (admin only), public key for validation (distributed)
 """
 
 from __future__ import annotations
 
 import base64
 import hashlib
-import hmac
 import json
 import logging
 import time
@@ -19,6 +19,10 @@ from datetime import UTC, datetime, timedelta
 from enum import Enum
 from typing import TYPE_CHECKING, Any
 
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import ec
+
 if TYPE_CHECKING:
     pass
 
@@ -155,29 +159,80 @@ class LicenseCheckResult:
     grace_days_remaining: int | None = None
 
 
-class LicenseValidator:
-    """Validates enterprise licenses."""
+def generate_keypair() -> tuple[bytes, bytes]:
+    """Generate a new ECDSA P-256 keypair for license signing.
 
-    def __init__(self, signing_key: str) -> None:
-        self._signing_key = signing_key
-        self._cache: dict[str, tuple[float, LicenseCheckResult]] = {}
+    Returns:
+        Tuple of (private_key_pem, public_key_pem) as bytes.
+        Keep private_key_pem SECRET - only used for signing licenses.
+        Distribute public_key_pem with the application for verification.
+    """
+    private_key = ec.generate_private_key(ec.SECP256R1())
+    private_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+    public_pem = private_key.public_key().public_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PublicFormat.SubjectPublicKeyInfo,
+    )
+    return private_pem, public_pem
+
+
+class LicenseSigner:
+    """Signs enterprise licenses using ECDSA private key.
+
+    This class should only be used server-side by administrators
+    to generate license tokens. Never distribute the private key.
+    """
+
+    _private_key: ec.EllipticCurvePrivateKey
+
+    def __init__(self, private_key_pem: bytes) -> None:
+        loaded_key = serialization.load_pem_private_key(private_key_pem, password=None)
+        if not isinstance(loaded_key, ec.EllipticCurvePrivateKey):
+            raise ValueError("Expected ECDSA private key")
+        self._private_key = loaded_key
 
     def create_license_token(self, license: EnterpriseLicense) -> str:
-        """Create a signed license token.
+        """Create a signed license token using ECDSA.
 
-        The token format is: base64(payload).signature
+        The token format is: base64(payload).base64(signature)
         """
         payload = license.to_dict()
         payload_json = json.dumps(payload, separators=(",", ":"), sort_keys=True)
         payload_b64 = base64.urlsafe_b64encode(payload_json.encode()).decode().rstrip("=")
 
-        signature = hmac.new(
-            self._signing_key.encode(),
+        signature = self._private_key.sign(
             payload_b64.encode(),
-            hashlib.sha256,
-        ).hexdigest()
+            ec.ECDSA(hashes.SHA256()),
+        )
+        signature_b64 = base64.urlsafe_b64encode(signature).decode().rstrip("=")
+
+        return f"{payload_b64}.{signature_b64}"
+
+
+class LicenseValidator:
+    """Validates enterprise licenses using ECDSA public key.
 
-        return f"{payload_b64}.{signature}"
+    This class can be safely distributed with the application.
+    It only requires the public key for verification.
+    """
+
+    _public_key: ec.EllipticCurvePublicKey
+
+    def __init__(self, public_key_pem: bytes) -> None:
+        loaded_key = serialization.load_pem_public_key(public_key_pem)
+        if not isinstance(loaded_key, ec.EllipticCurvePublicKey):
+            raise ValueError("Expected ECDSA public key")
+        self._public_key = loaded_key
+        self._cache: dict[str, tuple[float, LicenseCheckResult]] = {}
+
+    @classmethod
+    def from_public_key_string(cls, public_key_str: str) -> LicenseValidator:
+        """Create validator from PEM string (convenience method)."""
+        return cls(public_key_str.encode())
 
     def validate_token(self, token: str) -> LicenseCheckResult:
         """Validate a license token and return the license if valid.
@@ -202,20 +257,31 @@ class LicenseValidator:
                 message="Invalid license token format",
             )
 
-        payload_b64, signature = parts
+        payload_b64, signature_b64 = parts
 
-        expected_sig = hmac.new(
-            self._signing_key.encode(),
-            payload_b64.encode(),
-            hashlib.sha256,
-        ).hexdigest()
-
-        if not hmac.compare_digest(signature, expected_sig):
+        try:
+            sig_padding = 4 - len(signature_b64) % 4
+            if sig_padding != 4:
+                signature_b64 += "=" * sig_padding
+            signature = base64.urlsafe_b64decode(signature_b64)
+
+            self._public_key.verify(
+                signature,
+                payload_b64.encode(),
+                ec.ECDSA(hashes.SHA256()),
+            )
+        except InvalidSignature:
             logger.warning("license.invalid_signature")
             return LicenseCheckResult(
                 status=LicenseStatus.INVALID,
                 message="Invalid license signature",
             )
+        except Exception as e:
+            logger.warning("license.signature_error: %s", e)
+            return LicenseCheckResult(
+                status=LicenseStatus.INVALID,
+                message="Failed to verify license signature",
+            )
 
         try:
             padding = 4 - len(payload_b64) % 4

portal/web.py

@@ -23,6 +23,15 @@ from .auth import authenticate_request
 from .tenants import Tenant, TenantStore
 from .uploads import process_upload, validate_upload
 
+try:
+    from .enterprise import ENTERPRISE_AVAILABLE
+    from .enterprise import rbac as enterprise_rbac
+    from .enterprise import saml as enterprise_saml
+except ImportError:
+    ENTERPRISE_AVAILABLE = False
+    enterprise_saml = None  # type: ignore[assignment]
+    enterprise_rbac = None  # type: ignore[assignment]
+
 logger = logging.getLogger(__name__)
 
 Environ = dict[str, Any]

kekkai_cli-1.0.4.dist-info/METADATA

@@ -1,135 +0,0 @@
-Metadata-Version: 2.4
-Name: kekkai-cli
-Version: 1.0.4
-Summary: Kekkai monorepo (local-first AppSec orchestration + compliance checker)
-Requires-Python: >=3.12
-Description-Content-Type: text/markdown
-Requires-Dist: rich>=13.0.0
-Requires-Dist: jsonschema>=4.20.0
-Requires-Dist: textual>=0.50.0
-Requires-Dist: httpx>=0.24.0
-
-<p align="center">
-  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
-</p>
-<p align="center"><i>One command. Clean AppSec reports.</i></p>
-<p align="center">
-  <img src="https://img.shields.io/badge/license-MIT-blue.svg"/>
-  <img src="https://img.shields.io/badge/status-active-brightgreen"/>
-</p>
-
-# Kekkai 🛡️
-
-**Security that moves at developer speed.**
-*Local-first orchestration for Trivy, Semgrep, and DefectDojo.*
-
-![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-recording.gif)
-
----
-
-## ⚡ Quick Start
-
-Stop fighting with Docker Compose. Start scanning in 30 seconds.
-
-### Installation
-
-**Option 1: pipx (Recommended - Isolated Environment)**
-
-```bash
-pipx install kekkai-cli
-```
-
-**Option 2: Homebrew (macOS/Linux)**
-
-```bash
-brew tap kademoslabs/tap
-brew install kekkai
-```
-
-**Option 3: Docker (No Python Required)**
-
-```bash
-# Build image
-docker build -t kademoslabs/kekkai:latest -f apps/kekkai/Dockerfile .
-
-# Run via wrapper script
-./scripts/kekkai-docker --help
-
-# Or set up alias
-alias kekkai="$(pwd)/scripts/kekkai-docker"
-```
-
-**Option 4: Scoop (Windows)**
-
-```powershell
-scoop bucket add kademoslabs https://github.com/kademoslabs/scoop-bucket
-scoop install kekkai
-```
-
-**Option 5: pip (Traditional)**
-
-```bash
-pip install kekkai-cli
-```
-
-
-
-### 1. Scan your project (Local)
-
-Run industry-standard scanners (Trivy, Semgrep, Gitleaks) in unified Docker containers without installing them individually.
-
-```bash
-cd your-repo
-kekkai scan
-
-```
-
-### 2. Spin up DefectDojo
-
-Launch a full local vulnerability management platform (Nginx, Postgres, Redis, Celery) with one command.
-
-```bash
-kekkai dojo up --wait --open
-
-```
-
-### 3. Generate a Threat Model (AI)
-
-Generate a STRIDE threat model and Data Flow Diagram using your local LLM.
-
-```bash
-kekkai threatflow --repo . --model-mode local
-
-```
-
----
-
-## 🛑 The Problem vs. Kekkai
-
-| Feature | The Old Way | The Kekkai Way |
-| --- | --- | --- |
-| **Tooling** | Manually install/update 5+ tools (Trivy, Semgrep, etc.) | **One Binary.** `kekkai scan` auto-pulls and runs the latest scanner containers. |
-| **Reporting** | Parse 5 different JSON formats manually. | **Unified Output.** One deduplicated `kekkai-report.json` for all findings. |
-| **DefectDojo** | Write a 200-line `docker-compose.yml` and debug networking. | **One Command.** `kekkai dojo up` automates the entire stack setup. |
-| **Threat Modeling** | Expensive consultants or manual whiteboarding. | **AI Agent.** `kekkai threatflow` generates `THREATS.md` locally. |
-| **CI/CD** | Write complex bash scripts to break builds. | **Policy Engine.** `kekkai scan --ci --fail-on high`. |
-
----
-
-## 🔒 Enterprise Features (Portal)
-
-For teams that need centralized management, **Kekkai Portal** offers:
-
-* **SAML 2.0 SSO** with Replay Protection
-* **Role-Based Access Control (RBAC)**
-* **Cryptographically Signed Audit Logs**
-
-*Built by Kademos Labs.*
-
----
-
-## 📚 Documentation
-
-- **[Automated Distribution Updates](docs/ci/automated-distributions.md)** - CI/CD distribution triggers
-- **[CI Architecture](/.docs/development/ci-architecture.md)** - Developer guide for distribution automation
-- **[Homebrew Maintenance](docs/ci/homebrew-maintenance.md)** - Homebrew tap management