mcp-souschef 3.0.0__py3-none-any.whl → 3.5.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -7,6 +7,7 @@ inventory scripts.
  """

  import json
+ import os
  import re
  import shutil
  import subprocess
@@ -31,20 +32,25 @@ from souschef.core.constants import (
      REGEX_WHITESPACE_QUOTE,
      VALUE_PREFIX,
  )
- from souschef.core.path_utils import _normalize_path, _safe_join
+ from souschef.core.path_utils import (
+     _normalize_path,
+     _safe_join,
+     safe_exists,
+     safe_glob,
+     safe_read_text,
+ )
+ from souschef.core.url_validation import validate_user_provided_url
  from souschef.parsers.attributes import parse_attributes
  from souschef.parsers.recipe import parse_recipe

  # Optional AI provider imports
  try:
-     import requests  # type: ignore[import-untyped]
+     import requests
  except ImportError:
-     requests = None
+     requests = None  # type: ignore[assignment]

  try:
-     from ibm_watsonx_ai import (  # type: ignore[import-not-found]
-         APIClient,
-     )
+     from ibm_watsonx_ai import APIClient  # type: ignore[import-not-found]
  except ImportError:
      APIClient = None

@@ -52,12 +58,13 @@ except ImportError:
  MAX_GUARD_LENGTH = 500


- def generate_playbook_from_recipe(recipe_path: str) -> str:
+ def generate_playbook_from_recipe(recipe_path: str, cookbook_path: str = "") -> str:
      """
      Generate a complete Ansible playbook from a Chef recipe.

      Args:
          recipe_path: Path to the Chef recipe (.rb) file.
+         cookbook_path: Optional path to the cookbook root for path validation.

      Returns:
          Complete Ansible playbook in YAML format with tasks, handlers, and
@@ -73,10 +80,18 @@ def generate_playbook_from_recipe(recipe_path: str) -> str:

      # Parse the raw recipe file for advanced features
      recipe_file = _normalize_path(recipe_path)
-     if not recipe_file.exists():
-         return f"{ERROR_PREFIX} Recipe file does not exist: {recipe_path}"

-     raw_content = recipe_file.read_text()
+     # Validate path if cookbook_path provided
+     base_path = (
+         Path(cookbook_path).resolve() if cookbook_path else recipe_file.parent
+     )
+
+     try:
+         if not safe_exists(recipe_file, base_path):
+             return f"{ERROR_PREFIX} Recipe file does not exist: {recipe_path}"
+         raw_content = safe_read_text(recipe_file, base_path)
+     except ValueError:
+         return f"{ERROR_PREFIX} Path traversal attempt detected: {recipe_path}"

      # Generate playbook structure
      playbook: str = _generate_playbook_structure(
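Note: safe_exists and safe_read_text come from souschef.core.path_utils and their bodies are not part of this diff. A minimal sketch of the containment check they presumably perform (the helper name below is illustrative only, not the package's implementation):

    from pathlib import Path

    def sketch_safe_read_text(candidate: Path, base: Path) -> str:
        # Resolve both paths, refuse anything that escapes the base directory
        # (e.g. "../../etc/passwd"), then read the file as text.
        resolved = candidate.resolve()
        base = base.resolve()
        if not resolved.is_relative_to(base):  # assumption: Python 3.9+ semantics
            raise ValueError(f"{resolved} escapes {base}")
        return resolved.read_text()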
@@ -99,6 +114,7 @@ def generate_playbook_from_recipe_with_ai(
      project_id: str = "",
      base_url: str = "",
      project_recommendations: dict | None = None,
+     cookbook_path: str = "",
  ) -> str:
      """
      Generate an AI-enhanced Ansible playbook from a Chef recipe.
@@ -119,6 +135,7 @@ def generate_playbook_from_recipe_with_ai(
          base_url: Custom base URL for the AI provider.
          project_recommendations: Dictionary containing project-level analysis
              and recommendations from cookbook assessment.
+         cookbook_path: Optional path to the cookbook root for path validation.

      Returns:
          AI-generated Ansible playbook in YAML format.
@@ -127,10 +144,18 @@ def generate_playbook_from_recipe_with_ai(
      try:
          # Parse the recipe file
          recipe_file = _normalize_path(recipe_path)
-         if not recipe_file.exists():
-             return f"{ERROR_PREFIX} Recipe file does not exist: {recipe_path}"

-         raw_content = recipe_file.read_text()
+         # Validate path if cookbook_path provided
+         base_path = (
+             Path(cookbook_path).resolve() if cookbook_path else recipe_file.parent
+         )
+
+         try:
+             if not safe_exists(recipe_file, base_path):
+                 return f"{ERROR_PREFIX} Recipe file does not exist: {recipe_path}"
+             raw_content = safe_read_text(recipe_file, base_path)
+         except ValueError:
+             return f"{ERROR_PREFIX} Path traversal attempt detected: {recipe_path}"

          # Get basic recipe parsing for context
          parsed_content = parse_recipe(recipe_path)
@@ -220,18 +245,36 @@ def _initialize_ai_client(
          if APIClient is None:
              return f"{ERROR_PREFIX} ibm_watsonx_ai library not available"

+         try:
+             validated_url = validate_user_provided_url(
+                 base_url,
+                 default_url="https://us-south.ml.cloud.ibm.com",
+             )
+         except ValueError as exc:
+             return f"{ERROR_PREFIX} Invalid Watsonx base URL: {exc}"
+
          return APIClient(
              api_key=api_key,
              project_id=project_id,
-             url=base_url or "https://us-south.ml.cloud.ibm.com",
+             url=validated_url,
          )
      elif ai_provider.lower() == "lightspeed":
          if requests is None:
              return f"{ERROR_PREFIX} requests library not available"

+         try:
+             validated_url = validate_user_provided_url(
+                 base_url,
+                 default_url="https://api.redhat.com",
+                 allowed_hosts={"api.redhat.com"},
+                 strip_path=True,
+             )
+         except ValueError as exc:
+             return f"{ERROR_PREFIX} Invalid Lightspeed base URL: {exc}"
+
          return {
              "api_key": api_key,
-             "base_url": base_url or "https://api.redhat.com",
+             "base_url": validated_url,
          }
      elif ai_provider.lower() == "github_copilot":
          return (
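validate_user_provided_url is imported from souschef.core.url_validation; only its call sites appear in this diff. A rough sketch of the checks implied by the arguments used above (default_url, allowed_hosts, strip_path), written as an assumption rather than the package's actual code:

    from urllib.parse import urlparse, urlunparse

    def sketch_validate_url(url, default_url, allowed_hosts=None, strip_path=False):
        # Fall back to the default, require https and a hostname,
        # optionally pin the host and drop any path/query component.
        parsed = urlparse(url or default_url)
        if parsed.scheme != "https" or not parsed.hostname:
            raise ValueError("expected an https:// URL with a hostname")
        if allowed_hosts and parsed.hostname not in allowed_hosts:
            raise ValueError(f"host {parsed.hostname!r} is not allowed")
        if strip_path:
            parsed = parsed._replace(path="", params="", query="", fragment="")
        return urlunparse(parsed)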
@@ -245,98 +288,227 @@ def _initialize_ai_client(
      return f"{ERROR_PREFIX} Unsupported AI provider: {ai_provider}"


- def _call_ai_api(
+ def _call_anthropic_api(
      client: Any,
-     ai_provider: str,
      prompt: str,
      model: str,
      temperature: float,
      max_tokens: int,
+     response_format: dict[str, Any] | None = None,
  ) -> str:
-     """Call the appropriate AI API based on provider."""
-     if ai_provider.lower() == "anthropic":
+     """Call Anthropic API with optional structured output via tool calling."""
+     if response_format and response_format.get("type") == "json_object":
+         # Use tool calling for structured JSON responses
          response = client.messages.create(
              model=model,
              max_tokens=max_tokens,
              temperature=temperature,
              messages=[{"role": "user", "content": prompt}],
+             tools=[
+                 {
+                     "name": "format_response",
+                     "description": "Format the response as structured JSON",
+                     "input_schema": {
+                         "type": "object",
+                         "properties": {
+                             "response": {
+                                 "type": "string",
+                                 "description": "The formatted response",
+                             }
+                         },
+                         "required": ["response"],
+                     },
+                 }
+             ],
          )
+         # Extract from tool use or fallback to text
+         for block in response.content:
+             if hasattr(block, "type") and block.type == "tool_use":
+                 return str(block.input.get("response", ""))
+         # Fallback to text content
          return str(response.content[0].text)
-     elif ai_provider.lower() == "watson":
-         response = client.generate_text(
-             model_id=model,
-             input=prompt,
-             parameters={
-                 "max_new_tokens": max_tokens,
-                 "temperature": temperature,
-                 "min_new_tokens": 1,
-             },
+     else:
+         # Standard text response
+         response = client.messages.create(
+             model=model,
+             max_tokens=max_tokens,
+             temperature=temperature,
+             messages=[{"role": "user", "content": prompt}],
          )
-         return str(response["results"][0]["generated_text"])
-     elif ai_provider.lower() == "lightspeed":
-         if requests is None:
-             return f"{ERROR_PREFIX} requests library not available"
+         return str(response.content[0].text)

-         headers = {
-             "Authorization": f"Bearer {client['api_key']}",
-             "Content-Type": "application/json",
-         }
-         payload = {
-             "model": model,
-             "prompt": prompt,
-             "max_tokens": max_tokens,
+
+ def _call_watson_api(
+     client: Any,
+     prompt: str,
+     model: str,
+     temperature: float,
+     max_tokens: int,
+ ) -> str:
+     """Call IBM Watsonx API."""
+     response = client.generate_text(
+         model_id=model,
+         input=prompt,
+         parameters={
+             "max_new_tokens": max_tokens,
              "temperature": temperature,
-         }
-         response = requests.post(
-             f"{client['base_url']}/v1/completions",
-             headers=headers,
-             json=payload,
-             timeout=60,
+             "min_new_tokens": 1,
+         },
+     )
+     return str(response["results"][0]["generated_text"])
+
+
+ def _call_lightspeed_api(
+     client: dict[str, str],
+     prompt: str,
+     model: str,
+     temperature: float,
+     max_tokens: int,
+     response_format: dict[str, Any] | None = None,
+ ) -> str:
+     """Call Red Hat Lightspeed API."""
+     if requests is None:
+         return f"{ERROR_PREFIX} requests library not available"
+
+     headers = {
+         "Authorization": f"Bearer {client['api_key']}",
+         "Content-Type": "application/json",
+     }
+     payload = {
+         "model": model,
+         "prompt": prompt,
+         "max_tokens": max_tokens,
+         "temperature": temperature,
+     }
+     if response_format:
+         payload["response_format"] = response_format
+
+     response = requests.post(
+         f"{client['base_url']}/v1/completions",
+         headers=headers,
+         json=payload,
+         timeout=60,
+     )
+     if response.status_code == 200:
+         return str(response.json()["choices"][0]["text"])
+     else:
+         return (
+             f"{ERROR_PREFIX} Red Hat Lightspeed API error: "
+             f"{response.status_code} - {response.text}"
          )
-         if response.status_code == 200:
-             return str(response.json()["choices"][0]["text"])
-         else:
-             return (
-                 f"{ERROR_PREFIX} Red Hat Lightspeed API error: "
-                 f"{response.status_code} - {response.text}"
-             )
-     elif ai_provider.lower() == "github_copilot":
-         if requests is None:
-             return f"{ERROR_PREFIX} requests library not available"

-         headers = {
-             "Authorization": f"Bearer {client['api_key']}",
-             "Content-Type": "application/json",
-             "User-Agent": "SousChef/1.0",
-         }
-         payload = {
-             "model": model,
-             "messages": [{"role": "user", "content": prompt}],
-             "max_tokens": max_tokens,
-             "temperature": temperature,
-         }
-         # GitHub Copilot uses OpenAI-compatible chat completions endpoint
-         response = requests.post(
-             f"{client['base_url']}/copilot/chat/completions",
-             headers=headers,
-             json=payload,
-             timeout=60,
+
+ def _call_github_copilot_api(
+     client: dict[str, str],
+     prompt: str,
+     model: str,
+     temperature: float,
+     max_tokens: int,
+     response_format: dict[str, Any] | None = None,
+ ) -> str:
+     """Call GitHub Copilot API."""
+     if requests is None:
+         return f"{ERROR_PREFIX} requests library not available"
+
+     headers = {
+         "Authorization": f"Bearer {client['api_key']}",
+         "Content-Type": "application/json",
+         "User-Agent": "SousChef/1.0",
+     }
+     payload = {
+         "model": model,
+         "messages": [{"role": "user", "content": prompt}],
+         "max_tokens": max_tokens,
+         "temperature": temperature,
+     }
+     if response_format:
+         payload["response_format"] = response_format
+
+     # GitHub Copilot uses OpenAI-compatible chat completions endpoint
+     response = requests.post(
+         f"{client['base_url']}/copilot/chat/completions",
+         headers=headers,
+         json=payload,
+         timeout=60,
+     )
+     if response.status_code == 200:
+         return str(response.json()["choices"][0]["message"]["content"])
+     else:
+         return (
+             f"{ERROR_PREFIX} GitHub Copilot API error: "
+             f"{response.status_code} - {response.text}"
+         )
+
+
+ def _call_openai_api(
+     client: Any,
+     prompt: str,
+     model: str,
+     temperature: float,
+     max_tokens: int,
+     response_format: dict[str, Any] | None = None,
+ ) -> str:
+     """Call OpenAI API."""
+     kwargs = {
+         "model": model,
+         "max_tokens": max_tokens,
+         "temperature": temperature,
+         "messages": [{"role": "user", "content": prompt}],
+     }
+     if response_format:
+         kwargs["response_format"] = response_format
+
+     response = client.chat.completions.create(**kwargs)
+     return str(response.choices[0].message.content)
+
+
+ def _call_ai_api(
+     client: Any,
+     ai_provider: str,
+     prompt: str,
+     model: str,
+     temperature: float,
+     max_tokens: int,
+     response_format: dict[str, Any] | None = None,
+ ) -> str:
+     """
+     Call the appropriate AI API based on provider.
+
+     Args:
+         client: Initialized AI client.
+         ai_provider: AI provider name.
+         prompt: Prompt text.
+         model: Model identifier.
+         temperature: Sampling temperature.
+         max_tokens: Maximum tokens in response.
+         response_format: Optional response format specification for structured
+             outputs. For OpenAI: {"type": "json_object"}. For Anthropic: Use
+             tool calling instead.
+
+     Returns:
+         AI-generated response text.
+
+     """
+     provider = ai_provider.lower()
+
+     if provider == "anthropic":
+         return _call_anthropic_api(
+             client, prompt, model, temperature, max_tokens, response_format
+         )
+     elif provider == "watson":
+         return _call_watson_api(client, prompt, model, temperature, max_tokens)
+     elif provider == "lightspeed":
+         return _call_lightspeed_api(
+             client, prompt, model, temperature, max_tokens, response_format
+         )
+     elif provider == "github_copilot":
+         return _call_github_copilot_api(
+             client, prompt, model, temperature, max_tokens, response_format
          )
-         if response.status_code == 200:
-             return str(response.json()["choices"][0]["message"]["content"])
-         else:
-             return (
-                 f"{ERROR_PREFIX} GitHub Copilot API error: "
-                 f"{response.status_code} - {response.text}"
-             )
      else:  # OpenAI
-         response = client.chat.completions.create(
-             model=model,
-             max_tokens=max_tokens,
-             temperature=temperature,
-             messages=[{"role": "user", "content": prompt}],
+         return _call_openai_api(
+             client, prompt, model, temperature, max_tokens, response_format
          )
-         return str(response.choices[0].message.content)


  def _create_ai_conversion_prompt(
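With the provider-specific helpers split out, _call_ai_api becomes a thin dispatcher. A hedged usage sketch of the new response_format parameter (the client object and model id below are placeholders):

    # Request structured JSON: OpenAI-compatible providers get response_format
    # in the payload, while the Anthropic helper switches to tool calling.
    playbook_json = _call_ai_api(
        client=client,                     # whatever _initialize_ai_client returned
        ai_provider="openai",
        prompt="Convert this Chef resource to an Ansible task; answer as JSON.",
        model="gpt-4o",                    # placeholder model id
        temperature=0.2,
        max_tokens=1024,
        response_format={"type": "json_object"},
    )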
@@ -499,6 +671,10 @@ def _build_conversion_requirements_parts() -> list[str]:
          "",
          "7. **Conditionals**: Convert Chef guards (only_if/not_if) to Ansible when",
          " conditions.",
+         " - For file or directory checks, add a stat task with register,",
+         " then use a boolean when expression like 'stat_result.stat.exists'.",
+         " - Do NOT put module names or task mappings under when.",
+         " - Keep when expressions as valid YAML scalars (strings or lists).",
          "",
          "8. **Notifications**: Convert Chef notifications to Ansible handlers",
          " where appropriate.",
@@ -594,7 +770,7 @@ def _build_output_format_parts() -> list[str]:


  def _clean_ai_playbook_response(ai_response: str) -> str:
-     """Clean and validate the AI-generated playbook response."""
+     """Clean the AI-generated playbook response."""
      if not ai_response or not ai_response.strip():
          return f"{ERROR_PREFIX} AI returned empty response"

@@ -606,15 +782,19 @@ def _clean_ai_playbook_response(ai_response: str) -> str:
      if not cleaned.startswith("---") and not cleaned.startswith("- name:"):
          return f"{ERROR_PREFIX} AI response does not appear to be valid YAML playbook"

-     # Try to parse as YAML to validate structure
+     return cleaned
+
+
+ def _validate_playbook_yaml(playbook_content: str) -> str | None:
+     """Validate YAML syntax and return an error message if invalid."""
      try:
          import yaml

-         yaml.safe_load(cleaned)
-     except Exception as e:
-         return f"{ERROR_PREFIX} AI generated invalid YAML: {e}"
+         yaml.safe_load(playbook_content)
+     except Exception as exc:
+         return str(exc)

-     return cleaned
+     return None


  def _validate_and_fix_playbook(
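_validate_playbook_yaml returns None on success and the parser message on failure, so callers decide how to wrap the error. A small usage sketch mirroring the call sites later in this diff:

    error = _validate_playbook_yaml(playbook_content)
    if error:
        # Surface the YAML problem before spending time on ansible-lint
        return f"{ERROR_PREFIX} AI generated invalid YAML: {error}"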
@@ -629,7 +809,13 @@ def _validate_and_fix_playbook(
      if playbook_content.startswith(ERROR_PREFIX):
          return playbook_content

-     validation_error = _run_ansible_lint(playbook_content)
+     yaml_error = _validate_playbook_yaml(playbook_content)
+     validation_error: str | None
+     if yaml_error:
+         validation_error = f"YAML parse error: {yaml_error}"
+     else:
+         validation_error = _run_ansible_lint(playbook_content)
+
      if not validation_error:
          return playbook_content

@@ -663,6 +849,10 @@ Just the YAML content.
              # rather than returning an error string
              return playbook_content

+         fixed_yaml_error = _validate_playbook_yaml(cleaned_response)
+         if fixed_yaml_error:
+             return f"{ERROR_PREFIX} AI generated invalid YAML: {fixed_yaml_error}"
+
          return cleaned_response
      except Exception:
          # If fix fails, return original with warning (or original error)
@@ -677,9 +867,16 @@ def _run_ansible_lint(playbook_content: str) -> str | None:

      tmp_path = None
      try:
-         with tempfile.NamedTemporaryFile(mode="w", suffix=".yml", delete=False) as tmp:
-             tmp.write(playbook_content)
-             tmp_path = tmp.name
+         # Create temp file with secure permissions (0o600 = rw-------)
+         # Use os.open with secure flags instead of NamedTemporaryFile for better control
+         tmp_fd, tmp_path = tempfile.mkstemp(suffix=".yml", text=True)
+         try:
+             # Write content to file descriptor (atomic operation)
+             with os.fdopen(tmp_fd, "w") as tmp:
+                 tmp.write(playbook_content)
+         except Exception:
+             os.close(tmp_fd)
+             raise

          # Run ansible-lint
          # We ignore return code because we want to capture output even on failure
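tempfile.mkstemp creates the file with mode 0o600 and returns an already-open descriptor, which is why the write goes through os.fdopen. A standalone sketch of the same pattern, including the cleanup the surrounding function is responsible for:

    import os
    import tempfile

    fd, path = tempfile.mkstemp(suffix=".yml", text=True)
    try:
        with os.fdopen(fd, "w") as handle:  # takes ownership of fd and closes it
            handle.write("---\n- hosts: all\n  tasks: []\n")
        # ... run ansible-lint against `path` here ...
    finally:
        os.unlink(path)  # always remove the temporary file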
@@ -768,8 +965,9 @@ def analyse_chef_search_patterns(recipe_or_cookbook_path: str) -> str:
      path_obj = _normalize_path(recipe_or_cookbook_path)

      if path_obj.is_file():
-         # Single recipe file
-         search_patterns = _extract_search_patterns_from_file(path_obj)
+         # Single recipe file - use parent directory as base path
+         base_path = path_obj.parent
+         search_patterns = _extract_search_patterns_from_file(path_obj, base_path)
      elif path_obj.is_dir():
          # Cookbook directory
          search_patterns = _extract_search_patterns_from_cookbook(path_obj)
@@ -1048,7 +1246,18 @@ def _generate_ansible_inventory_from_search(

  def _generate_inventory_script_content(queries_data: list[dict[str, str]]) -> str:
      """Generate Python dynamic inventory script content."""
-     script_template = '''#!/usr/bin/env python3
+     # Convert queries_data to JSON string for embedding
+     queries_json = json.dumps(  # nosonar
+         {
+             item.get("group_name", f"group_{i}"): (
+                 item.get("search_query") or item.get("query", "")
+             )
+             for i, item in enumerate(queries_data)
+         },
+         indent=4,
+     )
+
+     script_template = f'''#!/usr/bin/env python3
  """Dynamic Ansible Inventory Script.

  Generated from Chef search queries by SousChef
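Because the template is now an f-string, {queries_json} is interpolated once when the script is generated, while every brace that should survive into the generated script has to be doubled ({{ and }}). A tiny sketch of that escaping rule (sample data is made up):

    import json

    queries_json = json.dumps({"web_servers": "role:web"})
    header = f"SEARCH_QUERIES = {queries_json}"             # interpolated once
    body = f'inventory = {{"_meta": {{"hostvars": {{}}}}}}'  # doubled braces -> literal braces
    print(header)  # SEARCH_QUERIES = {"web_servers": "role:web"}
    print(body)    # inventory = {"_meta": {"hostvars": {}}}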
@@ -1057,96 +1266,118 @@ This script converts Chef search queries to Ansible inventory groups.
  Requires: python-requests (for Chef server API)
  """
  import json
+ import os
  import sys
  import argparse
+ import ipaddress
+ from urllib.parse import urlparse, urlunparse
  from typing import Dict, List, Any

- # Chef server configuration
- CHEF_SERVER_URL = "https://your-chef-server"
- CLIENT_NAME = "your-client-name"
- CLIENT_KEY_PATH = "/path/to/client.pem"
-
  # Search query to group mappings
- SEARCH_QUERIES = {search_queries_json}
+ SEARCH_QUERIES = {queries_json}

+ def validate_chef_server_url(server_url: str) -> str:
+     """Validate Chef Server URL to avoid unsafe requests."""
+     url_value = str(server_url).strip()
+     if not url_value:
+         raise ValueError("Chef Server URL is required")

- def get_chef_nodes(search_query: str) -> List[Dict[str, Any]]:
-     """Query Chef server for nodes matching search criteria.
+     if "://" not in url_value:
+         url_value = f"https://{{url_value}}"

-     Args:
-         search_query: Chef search query string
+     parsed = urlparse(url_value)
+     if parsed.scheme.lower() != "https":
+         raise ValueError("Chef Server URL must use HTTPS")

-     Returns:
-         List of node objects from Chef server
-     """
-     # TODO: Implement Chef server API client
-     # This is a placeholder - implement Chef server communication
-     # using python-chef library or direct API calls
+     if not parsed.hostname:
+         raise ValueError("Chef Server URL must include a hostname")

-     # Example structure of what this should return:
-     return [
-         {
-             "name": "web01.example.com",
-             "roles": ["web"],
-             "environment": "production",
-             "platform": "ubuntu",
-             "ipaddress": "10.0.1.10"
-         }
-     ]
+     hostname = parsed.hostname.lower()
+     local_suffixes = (".localhost", ".local", ".localdomain", ".internal")
+     if hostname == "localhost" or hostname.endswith(local_suffixes):
+         raise ValueError("Chef Server URL must use a public hostname")

+     try:
+         ip_address = ipaddress.ip_address(hostname)
+     except ValueError:
+         ip_address = None
+
+     if ip_address and (
+         ip_address.is_private
+         or ip_address.is_loopback
+         or ip_address.is_link_local
+         or ip_address.is_reserved
+         or ip_address.is_multicast
+         or ip_address.is_unspecified
+     ):
+         raise ValueError("Chef Server URL must use a public hostname")

- def build_inventory() -> Dict[str, Any]:
-     """Build Ansible inventory from Chef searches.
+     cleaned = parsed._replace(params="", query="", fragment="")
+     return urlunparse(cleaned).rstrip("/")

-     Returns:
-         Ansible inventory dictionary
-     """
-     inventory = {
-         "_meta": {
-             "hostvars": {}
-         }
-     }
+ def get_chef_nodes(search_query: str) -> List[Dict[str, Any]]:
+     """Query Chef server for nodes matching search criteria."""
+     import requests
+
+     chef_server_url = os.environ.get("CHEF_SERVER_URL", "").rstrip("/")
+     if not chef_server_url:
+         return []
+
+     try:
+         chef_server_url = validate_chef_server_url(chef_server_url)
+     except ValueError:
+         return []
+
+     try:
+         search_url = f"{{chef_server_url}}/search/node?q={{search_query}}"
+         response = requests.get(search_url, timeout=10)
+         response.raise_for_status()
+         search_result = response.json()
+         nodes_data = []
+
+         for row in search_result.get("rows", []):
+             node_obj = {{
+                 "name": row.get("name", "unknown"),
+                 "roles": row.get("run_list", []),
+                 "environment": row.get("chef_environment", "_default"),
+                 "platform": row.get("platform", "unknown"),
+                 "ipaddress": row.get("ipaddress", ""),
+                 "fqdn": row.get("fqdn", ""),
+             }}
+             nodes_data.append(node_obj)
+         return nodes_data
+     except Exception:
+         return []
+
+ def build_inventory() -> Dict[str, Any]:
+     """Build Ansible inventory from Chef searches."""
+     inventory = {{"_meta": {{"hostvars": {{}}}}}}

      for group_name, search_query in SEARCH_QUERIES.items():
-         inventory[group_name] = {
+         inventory[group_name] = {{
              "hosts": [],
-             "vars": {
-                 "chef_search_query": search_query
-             }
-         }
-
+             "vars": {{"chef_search_query": search_query}},
+         }}
          try:
              nodes = get_chef_nodes(search_query)
-
              for node in nodes:
                  hostname = node.get("name", node.get("fqdn", "unknown"))
                  inventory[group_name]["hosts"].append(hostname)
-
-                 # Add host variables
-                 inventory["_meta"]["hostvars"][hostname] = {
+                 inventory["_meta"]["hostvars"][hostname] = {{
                      "chef_roles": node.get("roles", []),
                      "chef_environment": node.get("environment", ""),
                      "chef_platform": node.get("platform", ""),
                      "ansible_host": node.get("ipaddress", hostname)
-                 }
-
-         except Exception as e:
-             print(
-                 f"Error querying Chef server for group {group_name}: {e}",
-                 file=sys.stderr,
-             )
+                 }}
+         except Exception:
+             pass

      return inventory

-
  def main():
      """Main entry point for dynamic inventory script."""
-     parser = argparse.ArgumentParser(
-         description="Dynamic Ansible Inventory from Chef"
-     )
-     parser.add_argument(
-         "--list", action="store_true", help="List all groups and hosts"
-     )
+     parser = argparse.ArgumentParser(description="Dynamic Ansible Inventory from Chef")
+     parser.add_argument("--list", action="store_true", help="List all groups")
      parser.add_argument("--host", help="Get variables for specific host")

      args = parser.parse_args()
@@ -1155,65 +1386,149 @@ def main():
          inventory = build_inventory()
          print(json.dumps(inventory, indent=2))
      elif args.host:
-         # Return empty dict for host-specific queries
-         # All host vars are included in _meta/hostvars
-         print(json.dumps({}))
+         print(json.dumps({{}}))
      else:
          parser.print_help()

-
  if __name__ == "__main__":
      main()
  '''
+     return script_template

-     # Convert queries_data to JSON string for embedding
-     queries_json = json.dumps(
-         {
-             item.get("group_name", f"group_{i}"): item.get("search_query", "")
-             for i, item in enumerate(queries_data)
-         },
-         indent=4,
-     )

-     return script_template.replace("{search_queries_json}", queries_json)
+ def get_chef_nodes(search_query: str) -> list[dict[str, Any]]:
+     """
+     Query Chef server for nodes matching search criteria.
+
+     Communicates with Chef server API to search for nodes.
+     Falls back to empty list if Chef server is unavailable.
+
+     Args:
+         search_query: Chef search query string
+
+     Returns:
+         List of node objects from Chef server
+
+     """
+     if not requests:
+         return []
+
+     chef_server_url = os.environ.get("CHEF_SERVER_URL", "").rstrip("/")
+
+     if not chef_server_url:
+         # Chef server not configured - return empty list
+         return []
+
+     try:
+         chef_server_url = validate_user_provided_url(chef_server_url)
+     except ValueError:
+         return []
+
+     try:
+         # Using Chef Server REST API search endpoint
+         # Search endpoint: GET /search/node?q=<query>
+         search_url = f"{chef_server_url}/search/node?q={search_query}"
+
+         # Note: Proper authentication requires Chef API signing
+         # For unauthenticated access, this may work on open Chef servers
+         # For production, use python-chef library for proper authentication
+         response = requests.get(search_url, timeout=10)
+         response.raise_for_status()
+
+         search_result = response.json()
+         nodes_data = []
+
+         for row in search_result.get("rows", []):
+             node_obj = {
+                 "name": row.get("name", "unknown"),
+                 "roles": row.get("run_list", []),
+                 "environment": row.get("chef_environment", "_default"),
+                 "platform": row.get("platform", "unknown"),
+                 "ipaddress": row.get("ipaddress", ""),
+                 "fqdn": row.get("fqdn", ""),
+                 "automatic": row.get("automatic", {}),
+             }
+             nodes_data.append(node_obj)
+
+         return nodes_data
+
+     except requests.exceptions.Timeout:
+         # Chef server not responding within timeout
+         return []
+     except requests.exceptions.ConnectionError:
+         # Cannot reach Chef server
+         return []
+     except requests.exceptions.HTTPError:
+         # HTTP error (404, 403, 500, etc.)
+         return []
+     except Exception:
+         # Fallback for any other errors
+         return []


  # Search pattern extraction


- def _extract_search_patterns_from_file(file_path: Path) -> list[dict[str, str]]:
-     """Extract Chef search patterns from a single recipe file."""
+ def _extract_search_patterns_from_file(
+     file_path: Path, base_path: Path
+ ) -> list[dict[str, str]]:
+     """
+     Extract Chef search patterns from a single recipe file.
+
+     Args:
+         file_path: Path to the file to parse.
+         base_path: Base directory for path validation.
+
+     Returns:
+         List of search patterns found in the file.
+
+     """
      try:
-         content = file_path.read_text()
+         content = safe_read_text(file_path, base_path)
          return _find_search_patterns_in_content(content, str(file_path))
      except Exception:
          return []


  def _extract_search_patterns_from_cookbook(cookbook_path: Path) -> list[dict[str, str]]:
-     """Extract Chef search patterns from all files in a cookbook."""
+     """
+     Extract Chef search patterns from all files in a cookbook.
+
+     Args:
+         cookbook_path: Path to the cookbook directory.
+
+     Returns:
+         List of all search patterns found in the cookbook.
+
+     """
      patterns = []

-     # Search in recipes directory
+     # Search in recipes directory using safe_glob
      recipes_dir = _safe_join(cookbook_path, "recipes")
-     if recipes_dir.exists():
-         for recipe_file in recipes_dir.glob("*.rb"):
-             file_patterns = _extract_search_patterns_from_file(recipe_file)
-             patterns.extend(file_patterns)
+     if safe_exists(recipes_dir, cookbook_path):
+         for recipe_file in safe_glob(recipes_dir, "*.rb", cookbook_path):
+             patterns_found = _extract_search_patterns_from_file(
+                 recipe_file, cookbook_path
+             )
+             patterns.extend(patterns_found)

-     # Search in libraries directory
+     # Search in libraries directory using safe_glob
      libraries_dir = _safe_join(cookbook_path, "libraries")
-     if libraries_dir.exists():
-         for library_file in libraries_dir.glob("*.rb"):
-             file_patterns = _extract_search_patterns_from_file(library_file)
-             patterns.extend(file_patterns)
+     if safe_exists(libraries_dir, cookbook_path):
+         for library_file in safe_glob(libraries_dir, "*.rb", cookbook_path):
+             patterns_found = _extract_search_patterns_from_file(
+                 library_file, cookbook_path
+             )
+             patterns.extend(patterns_found)

-     # Search in resources directory
+     # Search in resources directory using safe_glob
      resources_dir = _safe_join(cookbook_path, "resources")
-     if resources_dir.exists():
-         for resource_file in resources_dir.glob("*.rb"):
-             file_patterns = _extract_search_patterns_from_file(resource_file)
-             patterns.extend(file_patterns)
+     if safe_exists(resources_dir, cookbook_path):
+         for resource_file in safe_glob(resources_dir, "*.rb", cookbook_path):
+             patterns_found = _extract_search_patterns_from_file(
+                 resource_file, cookbook_path
+             )
+             patterns.extend(patterns_found)

      return patterns

@@ -1430,19 +1745,32 @@ def _build_playbook_header(recipe_name: str) -> list[str]:
  def _add_playbook_variables(
      playbook_lines: list[str], raw_content: str, recipe_file: Path
  ) -> None:
-     """Extract and add variables section to playbook."""
+     """
+     Extract and add variables section to playbook.
+
+     Args:
+         playbook_lines: List of playbook lines to add variables to.
+         raw_content: Raw recipe file content.
+         recipe_file: Path to the recipe file, normalized and contained within cookbook.
+
+     """
      variables = _extract_recipe_variables(raw_content)

-     # Try to parse attributes file
-     attributes_path = recipe_file.parent.parent / "attributes" / "default.rb"
-     if attributes_path.exists():
-         attributes_content = parse_attributes(str(attributes_path))
-         if not attributes_content.startswith(
-             "Error:"
-         ) and not attributes_content.startswith("Warning:"):
-             # Parse the resolved attributes
-             attr_vars = _extract_attribute_variables(attributes_content)
-             variables.update(attr_vars)
+     # Try to parse attributes file - validate it stays within cookbook
+     cookbook_path = recipe_file.parent.parent
+     attributes_path = _safe_join(cookbook_path, "attributes", "default.rb")
+     try:
+         if safe_exists(attributes_path, cookbook_path):
+             attributes_content = parse_attributes(str(attributes_path))
+             if not attributes_content.startswith(
+                 "Error:"
+             ) and not attributes_content.startswith("Warning:"):
+                 # Parse the resolved attributes
+                 attr_vars = _extract_attribute_variables(attributes_content)
+                 variables.update(attr_vars)
+     except ValueError:
+         # Path traversal attempt detected - skip safely
+         pass

      for var_name, var_value in variables.items():
          playbook_lines.append(f" {var_name}: {var_value}")