PyPI - kekkai-cli - Versions diffs - 1.1.0__py3-none-any.whl → 1.1.1__py3-none-any.whl - Mend

kekkai-cli 1.1.0py3-none-any.whl → 1.1.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

kekkai/cli.py +124 -33
kekkai/dojo_import.py +9 -1
kekkai/output.py +1 -1
kekkai/report/unified.py +226 -0
kekkai/triage/__init__.py +54 -1
kekkai/triage/loader.py +196 -0
{kekkai_cli-1.1.0.dist-info → kekkai_cli-1.1.1.dist-info}/METADATA +33 -13
{kekkai_cli-1.1.0.dist-info → kekkai_cli-1.1.1.dist-info}/RECORD +11 -27
{kekkai_cli-1.1.0.dist-info → kekkai_cli-1.1.1.dist-info}/entry_points.txt +0 -1
{kekkai_cli-1.1.0.dist-info → kekkai_cli-1.1.1.dist-info}/top_level.txt +0 -1
portal/__init__.py +0 -19
portal/api.py +0 -155
portal/auth.py +0 -103
portal/enterprise/__init__.py +0 -45
portal/enterprise/audit.py +0 -435
portal/enterprise/licensing.py +0 -408
portal/enterprise/rbac.py +0 -276
portal/enterprise/saml.py +0 -595
portal/ops/__init__.py +0 -53
portal/ops/backup.py +0 -553
portal/ops/log_shipper.py +0 -469
portal/ops/monitoring.py +0 -517
portal/ops/restore.py +0 -469
portal/ops/secrets.py +0 -408
portal/ops/upgrade.py +0 -591
portal/tenants.py +0 -340
portal/uploads.py +0 -259
portal/web.py +0 -393
{kekkai_cli-1.1.0.dist-info → kekkai_cli-1.1.1.dist-info}/WHEEL +0 -0

portal/tenants.py DELETED Viewed

@@ -1,340 +0,0 @@
-"""Tenant management for multi-tenant portal.
-Security controls:
-- ASVS V8.4.1: Cross-tenant controls via tenant_id boundary
-- ASVS V8.2.2: Data-specific authorization via product/engagement mapping
-- ASVS V6.8.2: SAML configuration for enterprise tenants
-"""
-from __future__ import annotations
-import hashlib
-import hmac
-import json
-import logging
-import secrets
-import string
-from dataclasses import asdict, dataclass
-from enum import Enum
-from pathlib import Path
-from typing import TYPE_CHECKING, Any
-if TYPE_CHECKING:
-    pass
-logger = logging.getLogger(__name__)
-API_KEY_LENGTH = 32
-API_KEY_PREFIX = "kek_"
-class AuthMethod(Enum):
-    """Authentication methods for tenants."""
-    API_KEY = "api_key"
-    SAML = "saml"
-    BOTH = "both"
-@dataclass(frozen=True)
-class SAMLTenantConfig:
-    """SAML configuration for a tenant."""
-    entity_id: str
-    sso_url: str
-    certificate: str
-    slo_url: str | None = None
-    certificate_fingerprint: str | None = None
-    name_id_format: str = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-    session_lifetime: int = 28800
-    role_attribute: str = "role"
-    default_role: str = "viewer"
-    def to_dict(self) -> dict[str, Any]:
-        return {
-            "entity_id": self.entity_id,
-            "sso_url": self.sso_url,
-            "certificate": self.certificate,
-            "slo_url": self.slo_url,
-            "certificate_fingerprint": self.certificate_fingerprint,
-            "name_id_format": self.name_id_format,
-            "session_lifetime": self.session_lifetime,
-            "role_attribute": self.role_attribute,
-            "default_role": self.default_role,
-        }
-    @classmethod
-    def from_dict(cls, data: dict[str, Any]) -> SAMLTenantConfig:
-        return cls(
-            entity_id=str(data["entity_id"]),
-            sso_url=str(data["sso_url"]),
-            certificate=str(data["certificate"]),
-            slo_url=data.get("slo_url"),
-            certificate_fingerprint=data.get("certificate_fingerprint"),
-            name_id_format=data.get(
-                "name_id_format",
-                "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
-            ),
-            session_lifetime=int(data.get("session_lifetime", 28800)),
-            role_attribute=str(data.get("role_attribute", "role")),
-            default_role=str(data.get("default_role", "viewer")),
-        )
-@dataclass(frozen=True)
-class Tenant:
-    """Represents a portal tenant with DefectDojo product mapping."""
-    id: str
-    name: str
-    api_key_hash: str
-    dojo_product_id: int
-    dojo_engagement_id: int
-    enabled: bool = True
-    max_upload_size_mb: int = 10
-    auth_method: AuthMethod = AuthMethod.API_KEY
-    saml_config: SAMLTenantConfig | None = None
-    license_token: str | None = None
-    default_role: str = "viewer"
-    def to_dict(self) -> dict[str, object]:
-        result = asdict(self)
-        result["auth_method"] = self.auth_method.value
-        if self.saml_config:
-            result["saml_config"] = self.saml_config.to_dict()
-        return result
-    @classmethod
-    def from_dict(cls, data: dict[str, object]) -> Tenant:
-        dojo_product = data["dojo_product_id"]
-        dojo_engagement = data["dojo_engagement_id"]
-        max_size = data.get("max_upload_size_mb", 10)
-        auth_method_str = data.get("auth_method", "api_key")
-        auth_method = AuthMethod(str(auth_method_str))
-        saml_config = None
-        saml_data = data.get("saml_config")
-        if saml_data and isinstance(saml_data, dict):
-            saml_config = SAMLTenantConfig.from_dict(saml_data)
-        return cls(
-            id=str(data["id"]),
-            name=str(data["name"]),
-            api_key_hash=str(data["api_key_hash"]),
-            dojo_product_id=int(str(dojo_product)),
-            dojo_engagement_id=int(str(dojo_engagement)),
-            enabled=bool(data.get("enabled", True)),
-            max_upload_size_mb=int(str(max_size)),
-            auth_method=auth_method,
-            saml_config=saml_config,
-            license_token=data.get("license_token"),  # type: ignore[arg-type]
-            default_role=str(data.get("default_role", "viewer")),
-        )
-    def is_enterprise(self) -> bool:
-        """Check if tenant has enterprise features enabled."""
-        return self.auth_method in (AuthMethod.SAML, AuthMethod.BOTH)
-def generate_api_key() -> str:
-    """Generate a secure random API key with prefix."""
-    alphabet = string.ascii_letters + string.digits
-    key = "".join(secrets.choice(alphabet) for _ in range(API_KEY_LENGTH))
-    return f"{API_KEY_PREFIX}{key}"
-def hash_api_key(api_key: str) -> str:
-    """Hash an API key using SHA-256 for secure storage."""
-    return hashlib.sha256(api_key.encode()).hexdigest()
-def verify_api_key(api_key: str, api_key_hash: str) -> bool:
-    """Verify an API key against its hash using constant-time comparison."""
-    computed_hash = hash_api_key(api_key)
-    return hmac.compare_digest(computed_hash, api_key_hash)
-class TenantStore:
-    """File-based tenant storage for MVP.
-    Easily swappable for database storage in production.
-    """
-    def __init__(self, store_path: Path) -> None:
-        self._store_path = store_path
-        self._tenants: dict[str, Tenant] = {}
-        self._load()
-    def _load(self) -> None:
-        """Load tenants from storage file."""
-        if not self._store_path.exists():
-            self._tenants = {}
-            return
-        try:
-            data = json.loads(self._store_path.read_text())
-            self._tenants = {
-                tid: Tenant.from_dict(tdata) for tid, tdata in data.get("tenants", {}).items()
-            }
-        except (json.JSONDecodeError, KeyError, TypeError) as exc:
-            logger.warning("Failed to load tenant store: %s", exc)
-            self._tenants = {}
-    def _save(self) -> None:
-        """Persist tenants to storage file."""
-        self._store_path.parent.mkdir(parents=True, exist_ok=True)
-        data = {"tenants": {tid: t.to_dict() for tid, t in self._tenants.items()}}
-        self._store_path.write_text(json.dumps(data, indent=2))
-    def get_by_id(self, tenant_id: str) -> Tenant | None:
-        """Get tenant by ID."""
-        return self._tenants.get(tenant_id)
-    def get_by_api_key(self, api_key: str) -> Tenant | None:
-        """Find tenant by API key (constant-time for each tenant)."""
-        for tenant in self._tenants.values():
-            if verify_api_key(api_key, tenant.api_key_hash):
-                return tenant
-        return None
-    def create(
-        self,
-        tenant_id: str,
-        name: str,
-        dojo_product_id: int,
-        dojo_engagement_id: int,
-        max_upload_size_mb: int = 10,
-        auth_method: AuthMethod = AuthMethod.API_KEY,
-        saml_config: SAMLTenantConfig | None = None,
-        license_token: str | None = None,
-        default_role: str = "viewer",
-    ) -> tuple[Tenant, str]:
-        """Create a new tenant and return (tenant, api_key).
-        The plaintext API key is only returned once during creation.
-        """
-        if tenant_id in self._tenants:
-            raise ValueError(f"Tenant {tenant_id} already exists")
-        api_key = generate_api_key()
-        tenant = Tenant(
-            id=tenant_id,
-            name=name,
-            api_key_hash=hash_api_key(api_key),
-            dojo_product_id=dojo_product_id,
-            dojo_engagement_id=dojo_engagement_id,
-            enabled=True,
-            max_upload_size_mb=max_upload_size_mb,
-            auth_method=auth_method,
-            saml_config=saml_config,
-            license_token=license_token,
-            default_role=default_role,
-        )
-        self._tenants[tenant_id] = tenant
-        self._save()
-        logger.info("Created tenant: %s", tenant_id)
-        return tenant, api_key
-    def update(self, tenant: Tenant) -> None:
-        """Update an existing tenant."""
-        if tenant.id not in self._tenants:
-            raise ValueError(f"Tenant {tenant.id} does not exist")
-        self._tenants[tenant.id] = tenant
-        self._save()
-        logger.info("Updated tenant: %s", tenant.id)
-    def delete(self, tenant_id: str) -> bool:
-        """Delete a tenant by ID."""
-        if tenant_id not in self._tenants:
-            return False
-        del self._tenants[tenant_id]
-        self._save()
-        logger.info("Deleted tenant: %s", tenant_id)
-        return True
-    def list_all(self) -> list[Tenant]:
-        """List all tenants."""
-        return list(self._tenants.values())
-    def rotate_api_key(self, tenant_id: str) -> str | None:
-        """Generate a new API key for a tenant."""
-        tenant = self._tenants.get(tenant_id)
-        if not tenant:
-            return None
-        new_api_key = generate_api_key()
-        updated = Tenant(
-            id=tenant.id,
-            name=tenant.name,
-            api_key_hash=hash_api_key(new_api_key),
-            dojo_product_id=tenant.dojo_product_id,
-            dojo_engagement_id=tenant.dojo_engagement_id,
-            enabled=tenant.enabled,
-            max_upload_size_mb=tenant.max_upload_size_mb,
-            auth_method=tenant.auth_method,
-            saml_config=tenant.saml_config,
-            license_token=tenant.license_token,
-            default_role=tenant.default_role,
-        )
-        self._tenants[tenant_id] = updated
-        self._save()
-        logger.info("Rotated API key for tenant: %s", tenant_id)
-        return new_api_key
-    def update_saml_config(
-        self,
-        tenant_id: str,
-        saml_config: SAMLTenantConfig,
-        auth_method: AuthMethod = AuthMethod.SAML,
-    ) -> Tenant | None:
-        """Update SAML configuration for a tenant."""
-        tenant = self._tenants.get(tenant_id)
-        if not tenant:
-            return None
-        updated = Tenant(
-            id=tenant.id,
-            name=tenant.name,
-            api_key_hash=tenant.api_key_hash,
-            dojo_product_id=tenant.dojo_product_id,
-            dojo_engagement_id=tenant.dojo_engagement_id,
-            enabled=tenant.enabled,
-            max_upload_size_mb=tenant.max_upload_size_mb,
-            auth_method=auth_method,
-            saml_config=saml_config,
-            license_token=tenant.license_token,
-            default_role=tenant.default_role,
-        )
-        self._tenants[tenant_id] = updated
-        self._save()
-        logger.info("Updated SAML config for tenant: %s", tenant_id)
-        return updated
-    def update_license(self, tenant_id: str, license_token: str) -> Tenant | None:
-        """Update license token for a tenant."""
-        tenant = self._tenants.get(tenant_id)
-        if not tenant:
-            return None
-        updated = Tenant(
-            id=tenant.id,
-            name=tenant.name,
-            api_key_hash=tenant.api_key_hash,
-            dojo_product_id=tenant.dojo_product_id,
-            dojo_engagement_id=tenant.dojo_engagement_id,
-            enabled=tenant.enabled,
-            max_upload_size_mb=tenant.max_upload_size_mb,
-            auth_method=tenant.auth_method,
-            saml_config=tenant.saml_config,
-            license_token=license_token,
-            default_role=tenant.default_role,
-        )
-        self._tenants[tenant_id] = updated
-        self._save()
-        logger.info("Updated license for tenant: %s", tenant_id)
-        return updated

portal/uploads.py DELETED Viewed

@@ -1,259 +0,0 @@
-"""File upload handling with validation and security controls.
-Security controls:
-- ASVS V5.2.2: Validate file uploads (type, content)
-- ASVS V5.2.4: Enforce file size limits
-- Files stored outside web root in secure temp location
-"""
-from __future__ import annotations
-import hashlib
-import json
-import logging
-import os
-import re
-import secrets
-import tempfile
-from dataclasses import dataclass
-from pathlib import Path
-from typing import TYPE_CHECKING
-from kekkai_core import redact
-if TYPE_CHECKING:
-    from .tenants import Tenant
-logger = logging.getLogger(__name__)
-ALLOWED_EXTENSIONS = frozenset({".json", ".sarif"})
-ALLOWED_CONTENT_TYPES = frozenset(
-    {
-        "application/json",
-        "application/sarif+json",
-        "application/octet-stream",
-    }
-)
-DEFAULT_MAX_SIZE_BYTES = 10 * 1024 * 1024
-MIN_FILE_SIZE = 2
-FILENAME_PATTERN = re.compile(r"^[\w\-. ]{1,255}$")
-UPLOAD_ID_LENGTH = 24
-@dataclass(frozen=True)
-class UploadResult:
-    """Result of upload validation/processing."""
-    success: bool
-    upload_id: str | None = None
-    file_path: Path | None = None
-    file_hash: str | None = None
-    error: str | None = None
-@dataclass(frozen=True)
-class UploadValidation:
-    """Validated upload metadata."""
-    filename: str
-    extension: str
-    content_type: str
-    size: int
-    content: bytes
-def validate_upload(
-    filename: str | None,
-    content_type: str | None,
-    content: bytes,
-    tenant: Tenant,
-) -> UploadResult:
-    """Validate an uploaded file.
-    Args:
-        filename: Original filename
-        content_type: MIME type from request
-        content: File content bytes
-        tenant: Tenant performing upload (for size limits)
-    Returns:
-        UploadResult with error if validation fails
-    """
-    if not filename:
-        return UploadResult(success=False, error="Missing filename")
-    safe_filename = _sanitize_filename(filename)
-    if not safe_filename:
-        logger.warning("upload.invalid_filename original=%s", redact(filename))
-        return UploadResult(success=False, error="Invalid filename")
-    extension = _get_extension(safe_filename)
-    if extension not in ALLOWED_EXTENSIONS:
-        logger.warning(
-            "upload.invalid_extension filename=%s extension=%s",
-            redact(safe_filename),
-            extension,
-        )
-        return UploadResult(
-            success=False,
-            error=f"Invalid file type. Allowed: {', '.join(sorted(ALLOWED_EXTENSIONS))}",
-        )
-    max_size = tenant.max_upload_size_mb * 1024 * 1024
-    if len(content) > max_size:
-        logger.warning(
-            "upload.size_exceeded tenant=%s size=%d max=%d",
-            tenant.id,
-            len(content),
-            max_size,
-        )
-        return UploadResult(
-            success=False,
-            error=f"File too large. Maximum: {tenant.max_upload_size_mb}MB",
-        )
-    if len(content) < MIN_FILE_SIZE:
-        return UploadResult(success=False, error="File is empty or too small")
-    if not _validate_json_content(content):
-        logger.warning(
-            "upload.invalid_json tenant=%s filename=%s", tenant.id, redact(safe_filename)
-        )
-        return UploadResult(success=False, error="Invalid JSON content")
-    return UploadResult(success=True)
-def process_upload(
-    filename: str,
-    content: bytes,
-    tenant: Tenant,
-    upload_dir: Path | None = None,
-) -> UploadResult:
-    """Process and store a validated upload.
-    Files are stored outside web root in a secure temp directory.
-    Args:
-        filename: Sanitized filename
-        content: Validated file content
-        tenant: Tenant performing upload
-        upload_dir: Override upload directory (for testing)
-    Returns:
-        UploadResult with file path and hash if successful
-    """
-    validation = validate_upload(filename, None, content, tenant)
-    if not validation.success:
-        return validation
-    safe_filename = _sanitize_filename(filename)
-    if not safe_filename:
-        return UploadResult(success=False, error="Invalid filename")
-    upload_id = _generate_upload_id()
-    file_hash = hashlib.sha256(content).hexdigest()
-    base_dir = upload_dir or _get_upload_dir()
-    tenant_dir = base_dir / tenant.id
-    tenant_dir.mkdir(parents=True, exist_ok=True)
-    extension = _get_extension(safe_filename)
-    stored_filename = f"{upload_id}{extension}"
-    file_path = tenant_dir / stored_filename
-    file_path.write_bytes(content)
-    os.chmod(file_path, 0o600)
-    logger.info(
-        "upload.stored tenant=%s upload_id=%s hash=%s size=%d",
-        tenant.id,
-        upload_id,
-        file_hash[:16],
-        len(content),
-    )
-    return UploadResult(
-        success=True,
-        upload_id=upload_id,
-        file_path=file_path,
-        file_hash=file_hash,
-    )
-def get_upload_path(tenant: Tenant, upload_id: str, upload_dir: Path | None = None) -> Path | None:
-    """Get the path to an upload file for a specific tenant.
-    Enforces tenant boundary - only returns path if upload belongs to tenant.
-    """
-    if not _is_valid_upload_id(upload_id):
-        return None
-    base_dir = upload_dir or _get_upload_dir()
-    tenant_dir = base_dir / tenant.id
-    for ext in ALLOWED_EXTENSIONS:
-        file_path = tenant_dir / f"{upload_id}{ext}"
-        if file_path.exists() and file_path.is_file():
-            resolved = file_path.resolve()
-            if resolved.is_relative_to(tenant_dir.resolve()):
-                return resolved
-    return None
-def delete_upload(tenant: Tenant, upload_id: str, upload_dir: Path | None = None) -> bool:
-    """Delete an upload file."""
-    file_path = get_upload_path(tenant, upload_id, upload_dir)
-    if file_path and file_path.exists():
-        file_path.unlink()
-        logger.info("upload.deleted tenant=%s upload_id=%s", tenant.id, upload_id)
-        return True
-    return False
-def _sanitize_filename(filename: str) -> str | None:
-    """Sanitize filename to prevent path traversal."""
-    basename = Path(filename).name
-    if not basename or ".." in basename:
-        return None
-    basename = basename.replace("\x00", "")
-    if not FILENAME_PATTERN.match(basename):
-        cleaned = re.sub(r"[^\w\-. ]", "_", basename)
-        if not cleaned or len(cleaned) > 255:
-            return None
-        return cleaned
-    return basename
-def _get_extension(filename: str) -> str:
-    """Get lowercase file extension."""
-    return Path(filename).suffix.lower()
-def _validate_json_content(content: bytes) -> bool:
-    """Validate that content is valid JSON."""
-    try:
-        json.loads(content.decode("utf-8"))
-        return True
-    except (json.JSONDecodeError, UnicodeDecodeError):
-        return False
-def _generate_upload_id() -> str:
-    """Generate a secure random upload ID."""
-    return secrets.token_urlsafe(UPLOAD_ID_LENGTH)[:UPLOAD_ID_LENGTH]
-def _is_valid_upload_id(upload_id: str) -> bool:
-    """Validate upload ID format."""
-    if not upload_id or len(upload_id) != UPLOAD_ID_LENGTH:
-        return False
-    return all(c.isalnum() or c in "-_" for c in upload_id)
-def _get_upload_dir() -> Path:
-    """Get the secure upload directory outside web root."""
-    base = os.environ.get("PORTAL_UPLOAD_DIR")
-    if base:
-        return Path(base)
-    return Path(tempfile.gettempdir()) / "kekkai-portal-uploads"

kekkai-cli 1.1.0__py3-none-any.whl → 1.1.1__py3-none-any.whl

kekkai-cli 1.1.0py3-none-any.whl → 1.1.1py3-none-any.whl