PyPI - kekkai-cli - Versions diffs - 1.1.0__py3-none-any.whl → 2.0.0__py3-none-any.whl - Mend

kekkai-cli 1.1.0py3-none-any.whl → 2.0.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

kekkai/cli.py +238 -36
kekkai/dojo_import.py +9 -1
kekkai/output.py +2 -3
kekkai/report/unified.py +226 -0
kekkai/triage/__init__.py +54 -1
kekkai/triage/fix_screen.py +232 -0
kekkai/triage/loader.py +196 -0
kekkai/triage/screens.py +1 -0
kekkai_cli-2.0.0.dist-info/METADATA +317 -0
{kekkai_cli-1.1.0.dist-info → kekkai_cli-2.0.0.dist-info}/RECORD +13 -28
{kekkai_cli-1.1.0.dist-info → kekkai_cli-2.0.0.dist-info}/entry_points.txt +0 -1
{kekkai_cli-1.1.0.dist-info → kekkai_cli-2.0.0.dist-info}/top_level.txt +0 -1
kekkai_cli-1.1.0.dist-info/METADATA +0 -359
portal/__init__.py +0 -19
portal/api.py +0 -155
portal/auth.py +0 -103
portal/enterprise/__init__.py +0 -45
portal/enterprise/audit.py +0 -435
portal/enterprise/licensing.py +0 -408
portal/enterprise/rbac.py +0 -276
portal/enterprise/saml.py +0 -595
portal/ops/__init__.py +0 -53
portal/ops/backup.py +0 -553
portal/ops/log_shipper.py +0 -469
portal/ops/monitoring.py +0 -517
portal/ops/restore.py +0 -469
portal/ops/secrets.py +0 -408
portal/ops/upgrade.py +0 -591
portal/tenants.py +0 -340
portal/uploads.py +0 -259
portal/web.py +0 -393
{kekkai_cli-1.1.0.dist-info → kekkai_cli-2.0.0.dist-info}/WHEEL +0 -0

portal/enterprise/licensing.py DELETED Viewed

@@ -1,408 +0,0 @@
-"""Enterprise license validation and feature gating.
-Security controls:
-- Server-side license enforcement
-- Asymmetric (ECDSA P-256) signed license tokens to prevent tampering
-- Grace period handling for expiration
-- Private key for signing (admin only), public key for validation (distributed)
-"""
-from __future__ import annotations
-import base64
-import hashlib
-import json
-import logging
-import time
-from dataclasses import dataclass, field
-from datetime import UTC, datetime, timedelta
-from enum import Enum
-from typing import TYPE_CHECKING, Any
-from cryptography.exceptions import InvalidSignature
-from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import ec
-if TYPE_CHECKING:
-    pass
-logger = logging.getLogger(__name__)
-GRACE_PERIOD_DAYS = 7
-LICENSE_CHECK_INTERVAL = 3600
-class LicenseStatus(Enum):
-    """License validation status."""
-    VALID = "valid"
-    EXPIRED = "expired"
-    GRACE_PERIOD = "grace_period"
-    INVALID = "invalid"
-    MISSING = "missing"
-class LicenseTier(Enum):
-    """License tier levels."""
-    COMMUNITY = "community"
-    PROFESSIONAL = "professional"
-    ENTERPRISE = "enterprise"
-class EnterpriseFeature(Enum):
-    """Features available in enterprise tier."""
-    SSO_SAML = "sso_saml"
-    RBAC = "rbac"
-    AUDIT_LOGGING = "audit_logging"
-    CUSTOM_BRANDING = "custom_branding"
-    API_RATE_LIMIT_INCREASE = "api_rate_limit_increase"
-    PRIORITY_SUPPORT = "priority_support"
-    SLA_GUARANTEE = "sla_guarantee"
-    MULTI_REGION = "multi_region"
-    ADVANCED_REPORTS = "advanced_reports"
-TIER_FEATURES: dict[LicenseTier, frozenset[EnterpriseFeature]] = {
-    LicenseTier.COMMUNITY: frozenset(),
-    LicenseTier.PROFESSIONAL: frozenset(
-        {
-            EnterpriseFeature.AUDIT_LOGGING,
-            EnterpriseFeature.API_RATE_LIMIT_INCREASE,
-        }
-    ),
-    LicenseTier.ENTERPRISE: frozenset(
-        {
-            EnterpriseFeature.SSO_SAML,
-            EnterpriseFeature.RBAC,
-            EnterpriseFeature.AUDIT_LOGGING,
-            EnterpriseFeature.CUSTOM_BRANDING,
-            EnterpriseFeature.API_RATE_LIMIT_INCREASE,
-            EnterpriseFeature.PRIORITY_SUPPORT,
-            EnterpriseFeature.SLA_GUARANTEE,
-            EnterpriseFeature.MULTI_REGION,
-            EnterpriseFeature.ADVANCED_REPORTS,
-        }
-    ),
-}
-@dataclass(frozen=True)
-class EnterpriseLicense:
-    """Represents an enterprise license."""
-    license_id: str
-    tenant_id: str
-    tier: LicenseTier
-    issued_at: datetime
-    expires_at: datetime
-    features: frozenset[EnterpriseFeature] = field(default_factory=frozenset)
-    max_users: int = 0
-    max_projects: int = 0
-    metadata: dict[str, Any] = field(default_factory=dict)
-    def is_expired(self) -> bool:
-        """Check if license is expired (without grace period)."""
-        return datetime.now(UTC) > self.expires_at
-    def is_in_grace_period(self) -> bool:
-        """Check if license is in grace period."""
-        now = datetime.now(UTC)
-        if now <= self.expires_at:
-            return False
-        grace_end = self.expires_at + timedelta(days=GRACE_PERIOD_DAYS)
-        return now <= grace_end
-    def has_feature(self, feature: EnterpriseFeature) -> bool:
-        """Check if license includes a specific feature."""
-        tier_features = TIER_FEATURES.get(self.tier, frozenset())
-        return feature in self.features or feature in tier_features
-    def to_dict(self) -> dict[str, Any]:
-        return {
-            "license_id": self.license_id,
-            "tenant_id": self.tenant_id,
-            "tier": self.tier.value,
-            "issued_at": self.issued_at.isoformat(),
-            "expires_at": self.expires_at.isoformat(),
-            "features": [f.value for f in self.features],
-            "max_users": self.max_users,
-            "max_projects": self.max_projects,
-            "metadata": self.metadata,
-        }
-    @classmethod
-    def from_dict(cls, data: dict[str, Any]) -> EnterpriseLicense:
-        features = frozenset(EnterpriseFeature(f) for f in data.get("features", []))
-        return cls(
-            license_id=str(data["license_id"]),
-            tenant_id=str(data["tenant_id"]),
-            tier=LicenseTier(data["tier"]),
-            issued_at=datetime.fromisoformat(str(data["issued_at"])),
-            expires_at=datetime.fromisoformat(str(data["expires_at"])),
-            features=features,
-            max_users=int(data.get("max_users", 0)),
-            max_projects=int(data.get("max_projects", 0)),
-            metadata=data.get("metadata", {}),
-        )
-@dataclass
-class LicenseCheckResult:
-    """Result of a license check."""
-    status: LicenseStatus
-    license: EnterpriseLicense | None = None
-    message: str | None = None
-    days_until_expiry: int | None = None
-    grace_days_remaining: int | None = None
-def generate_keypair() -> tuple[bytes, bytes]:
-    """Generate a new ECDSA P-256 keypair for license signing.
-    Returns:
-        Tuple of (private_key_pem, public_key_pem) as bytes.
-        Keep private_key_pem SECRET - only used for signing licenses.
-        Distribute public_key_pem with the application for verification.
-    """
-    private_key = ec.generate_private_key(ec.SECP256R1())
-    private_pem = private_key.private_bytes(
-        encoding=serialization.Encoding.PEM,
-        format=serialization.PrivateFormat.PKCS8,
-        encryption_algorithm=serialization.NoEncryption(),
-    )
-    public_pem = private_key.public_key().public_bytes(
-        encoding=serialization.Encoding.PEM,
-        format=serialization.PublicFormat.SubjectPublicKeyInfo,
-    )
-    return private_pem, public_pem
-class LicenseSigner:
-    """Signs enterprise licenses using ECDSA private key.
-    This class should only be used server-side by administrators
-    to generate license tokens. Never distribute the private key.
-    """
-    _private_key: ec.EllipticCurvePrivateKey
-    def __init__(self, private_key_pem: bytes) -> None:
-        loaded_key = serialization.load_pem_private_key(private_key_pem, password=None)
-        if not isinstance(loaded_key, ec.EllipticCurvePrivateKey):
-            raise ValueError("Expected ECDSA private key")
-        self._private_key = loaded_key
-    def create_license_token(self, license: EnterpriseLicense) -> str:
-        """Create a signed license token using ECDSA.
-        The token format is: base64(payload).base64(signature)
-        """
-        payload = license.to_dict()
-        payload_json = json.dumps(payload, separators=(",", ":"), sort_keys=True)
-        payload_b64 = base64.urlsafe_b64encode(payload_json.encode()).decode().rstrip("=")
-        signature = self._private_key.sign(
-            payload_b64.encode(),
-            ec.ECDSA(hashes.SHA256()),
-        )
-        signature_b64 = base64.urlsafe_b64encode(signature).decode().rstrip("=")
-        return f"{payload_b64}.{signature_b64}"
-class LicenseValidator:
-    """Validates enterprise licenses using ECDSA public key.
-    This class can be safely distributed with the application.
-    It only requires the public key for verification.
-    """
-    _public_key: ec.EllipticCurvePublicKey
-    def __init__(self, public_key_pem: bytes) -> None:
-        loaded_key = serialization.load_pem_public_key(public_key_pem)
-        if not isinstance(loaded_key, ec.EllipticCurvePublicKey):
-            raise ValueError("Expected ECDSA public key")
-        self._public_key = loaded_key
-        self._cache: dict[str, tuple[float, LicenseCheckResult]] = {}
-    @classmethod
-    def from_public_key_string(cls, public_key_str: str) -> LicenseValidator:
-        """Create validator from PEM string (convenience method)."""
-        return cls(public_key_str.encode())
-    def validate_token(self, token: str) -> LicenseCheckResult:
-        """Validate a license token and return the license if valid.
-        Args:
-            token: The signed license token
-        Returns:
-            LicenseCheckResult with status and license details
-        """
-        if not token:
-            return LicenseCheckResult(
-                status=LicenseStatus.MISSING,
-                message="No license token provided",
-            )
-        parts = token.split(".")
-        if len(parts) != 2:
-            logger.warning("license.invalid_format")
-            return LicenseCheckResult(
-                status=LicenseStatus.INVALID,
-                message="Invalid license token format",
-            )
-        payload_b64, signature_b64 = parts
-        try:
-            sig_padding = 4 - len(signature_b64) % 4
-            if sig_padding != 4:
-                signature_b64 += "=" * sig_padding
-            signature = base64.urlsafe_b64decode(signature_b64)
-            self._public_key.verify(
-                signature,
-                payload_b64.encode(),
-                ec.ECDSA(hashes.SHA256()),
-            )
-        except InvalidSignature:
-            logger.warning("license.invalid_signature")
-            return LicenseCheckResult(
-                status=LicenseStatus.INVALID,
-                message="Invalid license signature",
-            )
-        except Exception as e:
-            logger.warning("license.signature_error: %s", e)
-            return LicenseCheckResult(
-                status=LicenseStatus.INVALID,
-                message="Failed to verify license signature",
-            )
-        try:
-            padding = 4 - len(payload_b64) % 4
-            if padding != 4:
-                payload_b64 += "=" * padding
-            payload_json = base64.urlsafe_b64decode(payload_b64).decode()
-            payload = json.loads(payload_json)
-            license = EnterpriseLicense.from_dict(payload)
-        except (ValueError, json.JSONDecodeError, KeyError) as e:
-            logger.warning("license.decode_error: %s", e)
-            return LicenseCheckResult(
-                status=LicenseStatus.INVALID,
-                message="Failed to decode license",
-            )
-        now = datetime.now(UTC)
-        days_until_expiry = (license.expires_at - now).days
-        if license.is_expired():
-            if license.is_in_grace_period():
-                grace_end = license.expires_at + timedelta(days=GRACE_PERIOD_DAYS)
-                grace_days = (grace_end - now).days
-                logger.warning(
-                    "license.grace_period license_id=%s days_remaining=%d",
-                    license.license_id,
-                    grace_days,
-                )
-                return LicenseCheckResult(
-                    status=LicenseStatus.GRACE_PERIOD,
-                    license=license,
-                    message=f"License expired, {grace_days} days of grace period remaining",
-                    days_until_expiry=days_until_expiry,
-                    grace_days_remaining=grace_days,
-                )
-            else:
-                logger.warning("license.expired license_id=%s", license.license_id)
-                return LicenseCheckResult(
-                    status=LicenseStatus.EXPIRED,
-                    license=license,
-                    message="License has expired",
-                    days_until_expiry=days_until_expiry,
-                )
-        logger.debug(
-            "license.valid license_id=%s tier=%s expires_in=%d",
-            license.license_id,
-            license.tier.value,
-            days_until_expiry,
-        )
-        return LicenseCheckResult(
-            status=LicenseStatus.VALID,
-            license=license,
-            days_until_expiry=days_until_expiry,
-        )
-    def check_cached(self, tenant_id: str, token: str) -> LicenseCheckResult:
-        """Check license with caching to reduce validation overhead."""
-        cache_key = f"{tenant_id}:{hashlib.sha256(token.encode()).hexdigest()[:16]}"
-        now = time.time()
-        if cache_key in self._cache:
-            cached_time, cached_result = self._cache[cache_key]
-            if now - cached_time < LICENSE_CHECK_INTERVAL:
-                return cached_result
-        result = self.validate_token(token)
-        self._cache[cache_key] = (now, result)
-        return result
-    def clear_cache(self, tenant_id: str | None = None) -> None:
-        """Clear license validation cache."""
-        if tenant_id:
-            self._cache = {
-                k: v for k, v in self._cache.items() if not k.startswith(f"{tenant_id}:")
-            }
-        else:
-            self._cache.clear()
-def require_feature(
-    license_result: LicenseCheckResult,
-    feature: EnterpriseFeature,
-) -> tuple[bool, str | None]:
-    """Check if a license allows access to a feature.
-    Returns:
-        Tuple of (allowed, error_message)
-    """
-    if license_result.status == LicenseStatus.MISSING:
-        return False, "Enterprise license required"
-    if license_result.status == LicenseStatus.INVALID:
-        return False, "Invalid license"
-    if license_result.status == LicenseStatus.EXPIRED:
-        return False, "License has expired"
-    if not license_result.license:
-        return False, "No license data"
-    if not license_result.license.has_feature(feature):
-        return False, f"Feature {feature.value} not included in license"
-    return True, None
-def require_enterprise(
-    license_result: LicenseCheckResult,
-) -> tuple[bool, str | None]:
-    """Check if license is enterprise tier.
-    Returns:
-        Tuple of (allowed, error_message)
-    """
-    if license_result.status not in (LicenseStatus.VALID, LicenseStatus.GRACE_PERIOD):
-        return False, "Enterprise license required"
-    if not license_result.license:
-        return False, "No license data"
-    if license_result.license.tier != LicenseTier.ENTERPRISE:
-        return False, "Enterprise tier license required"
-    return True, None

portal/enterprise/rbac.py DELETED Viewed

@@ -1,276 +0,0 @@
-"""Role-Based Access Control (RBAC) for enterprise portal.
-Security controls:
-- ASVS V8.2.1: Function-level authorization
-- Deterministic role mapping from SAML attributes
-- No default admin accounts
-"""
-from __future__ import annotations
-import logging
-from dataclasses import dataclass, field
-from enum import Enum
-from typing import TYPE_CHECKING
-from kekkai_core import redact
-if TYPE_CHECKING:
-    pass
-logger = logging.getLogger(__name__)
-class Permission(Enum):
-    """Available permissions in the system."""
-    # Viewer permissions
-    VIEW_FINDINGS = "view_findings"
-    VIEW_DASHBOARD = "view_dashboard"
-    VIEW_REPORTS = "view_reports"
-    # Analyst permissions
-    CREATE_UPLOAD = "create_upload"
-    UPDATE_FINDING_STATUS = "update_finding_status"
-    EXPORT_FINDINGS = "export_findings"
-    # Admin permissions
-    MANAGE_USERS = "manage_users"
-    MANAGE_INTEGRATIONS = "manage_integrations"
-    VIEW_AUDIT_LOGS = "view_audit_logs"
-    # Tenant Admin permissions
-    MANAGE_TENANT = "manage_tenant"
-    MANAGE_SAML_CONFIG = "manage_saml_config"
-    ROTATE_API_KEY = "rotate_api_key"
-    DELETE_TENANT = "delete_tenant"
-class Role(Enum):
-    """Available roles in the system."""
-    VIEWER = "viewer"
-    ANALYST = "analyst"
-    ADMIN = "admin"
-    TENANT_ADMIN = "tenant_admin"
-# Permission matrix: defines which roles have which permissions
-ROLE_PERMISSIONS: dict[Role, frozenset[Permission]] = {
-    Role.VIEWER: frozenset(
-        {
-            Permission.VIEW_FINDINGS,
-            Permission.VIEW_DASHBOARD,
-            Permission.VIEW_REPORTS,
-        }
-    ),
-    Role.ANALYST: frozenset(
-        {
-            Permission.VIEW_FINDINGS,
-            Permission.VIEW_DASHBOARD,
-            Permission.VIEW_REPORTS,
-            Permission.CREATE_UPLOAD,
-            Permission.UPDATE_FINDING_STATUS,
-            Permission.EXPORT_FINDINGS,
-        }
-    ),
-    Role.ADMIN: frozenset(
-        {
-            Permission.VIEW_FINDINGS,
-            Permission.VIEW_DASHBOARD,
-            Permission.VIEW_REPORTS,
-            Permission.CREATE_UPLOAD,
-            Permission.UPDATE_FINDING_STATUS,
-            Permission.EXPORT_FINDINGS,
-            Permission.MANAGE_USERS,
-            Permission.MANAGE_INTEGRATIONS,
-            Permission.VIEW_AUDIT_LOGS,
-        }
-    ),
-    Role.TENANT_ADMIN: frozenset(
-        {
-            Permission.VIEW_FINDINGS,
-            Permission.VIEW_DASHBOARD,
-            Permission.VIEW_REPORTS,
-            Permission.CREATE_UPLOAD,
-            Permission.UPDATE_FINDING_STATUS,
-            Permission.EXPORT_FINDINGS,
-            Permission.MANAGE_USERS,
-            Permission.MANAGE_INTEGRATIONS,
-            Permission.VIEW_AUDIT_LOGS,
-            Permission.MANAGE_TENANT,
-            Permission.MANAGE_SAML_CONFIG,
-            Permission.ROTATE_API_KEY,
-            Permission.DELETE_TENANT,
-        }
-    ),
-}
-# SAML attribute to role mapping
-DEFAULT_ROLE_MAPPING: dict[str, Role] = {
-    "viewer": Role.VIEWER,
-    "analyst": Role.ANALYST,
-    "admin": Role.ADMIN,
-    "tenant_admin": Role.TENANT_ADMIN,
-    "tenant-admin": Role.TENANT_ADMIN,
-    "tenantadmin": Role.TENANT_ADMIN,
-}
-@dataclass(frozen=True)
-class AuthorizationResult:
-    """Result of an authorization check."""
-    allowed: bool
-    role: Role | None = None
-    permission: Permission | None = None
-    reason: str | None = None
-@dataclass
-class UserContext:
-    """Context for the current user session."""
-    user_id: str
-    tenant_id: str
-    role: Role
-    email: str | None = None
-    display_name: str | None = None
-    session_id: str | None = None
-    permissions: frozenset[Permission] = field(default_factory=frozenset)
-    def __post_init__(self) -> None:
-        if not self.permissions:
-            object.__setattr__(self, "permissions", ROLE_PERMISSIONS.get(self.role, frozenset()))
-class RBACManager:
-    """Manages role-based access control decisions."""
-    def __init__(
-        self,
-        role_mapping: dict[str, Role] | None = None,
-    ) -> None:
-        self._role_mapping = role_mapping or DEFAULT_ROLE_MAPPING.copy()
-    def map_role_from_attribute(self, role_attribute: str) -> Role | None:
-        """Map a SAML role attribute to a system role.
-        Uses deterministic mapping - no user-configurable escalation.
-        """
-        normalized = role_attribute.lower().strip()
-        return self._role_mapping.get(normalized)
-    def map_role_from_attributes(self, attributes: dict[str, list[str]]) -> Role:
-        """Map role from SAML attributes, defaulting to viewer."""
-        role_attrs = attributes.get("role", []) + attributes.get("roles", [])
-        role_attrs += attributes.get("group", []) + attributes.get("groups", [])
-        for attr in role_attrs:
-            mapped = self.map_role_from_attribute(attr)
-            if mapped:
-                return mapped
-        return Role.VIEWER
-    def get_permissions(self, role: Role) -> frozenset[Permission]:
-        """Get all permissions for a role."""
-        return ROLE_PERMISSIONS.get(role, frozenset())
-    def has_permission(self, role: Role, permission: Permission) -> bool:
-        """Check if a role has a specific permission."""
-        return permission in ROLE_PERMISSIONS.get(role, frozenset())
-    def authorize(
-        self,
-        user_context: UserContext,
-        required_permission: Permission,
-        resource_tenant_id: str | None = None,
-    ) -> AuthorizationResult:
-        """Authorize an action for a user.
-        Args:
-            user_context: Current user context with role
-            required_permission: Permission needed for the action
-            resource_tenant_id: Tenant owning the resource (for cross-tenant checks)
-        Returns:
-            AuthorizationResult indicating if access is allowed
-        """
-        if resource_tenant_id and resource_tenant_id != user_context.tenant_id:
-            logger.warning(
-                "authz.denied.cross_tenant user_id=%s tenant=%s target_tenant=%s permission=%s",
-                redact(user_context.user_id),
-                user_context.tenant_id,
-                resource_tenant_id,
-                required_permission.value,
-            )
-            return AuthorizationResult(
-                allowed=False,
-                role=user_context.role,
-                permission=required_permission,
-                reason="Cross-tenant access denied",
-            )
-        if not self.has_permission(user_context.role, required_permission):
-            logger.warning(
-                "authz.denied.permission user_id=%s tenant=%s role=%s permission=%s",
-                redact(user_context.user_id),
-                user_context.tenant_id,
-                user_context.role.value,
-                required_permission.value,
-            )
-            return AuthorizationResult(
-                allowed=False,
-                role=user_context.role,
-                permission=required_permission,
-                reason=f"Role {user_context.role.value} lacks {required_permission.value}",
-            )
-        logger.debug(
-            "authz.allowed user_id=%s tenant=%s role=%s permission=%s",
-            redact(user_context.user_id),
-            user_context.tenant_id,
-            user_context.role.value,
-            required_permission.value,
-        )
-        return AuthorizationResult(
-            allowed=True,
-            role=user_context.role,
-            permission=required_permission,
-        )
-    def create_user_context(
-        self,
-        user_id: str,
-        tenant_id: str,
-        role: Role,
-        email: str | None = None,
-        display_name: str | None = None,
-        session_id: str | None = None,
-    ) -> UserContext:
-        """Create a user context with permissions derived from role."""
-        return UserContext(
-            user_id=user_id,
-            tenant_id=tenant_id,
-            role=role,
-            email=email,
-            display_name=display_name,
-            session_id=session_id,
-            permissions=self.get_permissions(role),
-        )
-def require_permission(permission: Permission) -> AuthorizationResult:
-    """Decorator helper to check permission before function execution.
-    Usage in web handlers:
-        result = require_permission(Permission.CREATE_UPLOAD)
-        if not result.allowed:
-            return unauthorized_response(result.reason)
-    """
-    return AuthorizationResult(
-        allowed=False,
-        permission=permission,
-        reason=f"Permission {permission.value} required",
-    )

kekkai-cli 1.1.0__py3-none-any.whl → 2.0.0__py3-none-any.whl

kekkai-cli 1.1.0py3-none-any.whl → 2.0.0py3-none-any.whl