netbear 0.1.3__py3-none-any.whl

api/__init__.py

@@ -0,0 +1 @@
+"""FastAPI application package for NetBear."""

api/access.py

@@ -0,0 +1,82 @@
+import json
+import secrets
+from datetime import datetime, timezone
+from typing import Any
+
+import netbear.config as config
+from netbear.core.shared.utils import ensure_dir, sanitize_filename
+
+
+def _now() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def _default_registry() -> dict[str, Any]:
+    return {"clients": []}
+
+
+def load_registry() -> dict[str, Any]:
+    ensure_dir(config.APP_DATA_DIR)
+    try:
+        with open(config.API_KEYS_FILE, encoding="utf-8") as handle:
+            data = json.load(handle)
+            if isinstance(data, dict) and isinstance(data.get("clients"), list):
+                return data
+    except FileNotFoundError:
+        pass
+    except Exception:
+        pass
+    return _default_registry()
+
+
+def save_registry(registry: dict[str, Any]) -> None:
+    ensure_dir(config.APP_DATA_DIR)
+    with open(config.API_KEYS_FILE, "w", encoding="utf-8") as handle:
+        json.dump(registry, handle, indent=2)
+
+
+def get_allowed_api_keys() -> set[str]:
+    keys = set(config.API_KEYS)
+    registry = load_registry()
+    for client in registry.get("clients", []):
+        if client.get("enabled", True) and client.get("api_key"):
+            keys.add(client["api_key"])
+    return keys
+
+
+def build_client_bundle(
+    *,
+    client_name: str,
+    base_url: str,
+    description: str = "",
+    scopes: list[str] | None = None,
+    commands: list[dict[str, str]] | None = None,
+) -> dict[str, Any]:
+    client_slug = sanitize_filename(client_name.strip().lower()) or "client"
+    client_id = f"{client_slug}_{secrets.token_hex(4)}"
+    api_key = secrets.token_urlsafe(24)
+    created_at = _now()
+
+    return {
+        "client_id": client_id,
+        "client_name": client_name,
+        "description": description,
+        "enabled": True,
+        "created_at": created_at,
+        "base_url": base_url.rstrip("/"),
+        "api_key": api_key,
+        "scopes": scopes or [],
+        "commands": commands or [],
+    }
+
+
+def register_client_bundle(bundle: dict[str, Any]) -> str:
+    registry = load_registry()
+    registry.setdefault("clients", []).append(bundle)
+    save_registry(registry)
+
+    ensure_dir(config.CLIENT_BUNDLES_DIR)
+    bundle_path = f"{config.CLIENT_BUNDLES_DIR}/{bundle['client_id']}.json"
+    with open(bundle_path, "w", encoding="utf-8") as handle:
+        json.dump(bundle, handle, indent=2)
+    return bundle_path

api/app.py

@@ -0,0 +1,346 @@
+from pathlib import Path
+
+from fastapi import Depends, FastAPI, Header, HTTPException
+from fastapi.responses import FileResponse
+from fastapi.staticfiles import StaticFiles
+
+import netbear.config as config
+from api.access import get_allowed_api_keys
+from api.db import db
+from api.job_store import create_job_store
+from api.schemas import ArtifactManifest, CrawlJobRequest, CrawlJobResponse
+from api.schemas import Finding as FindingSchema
+from api.schemas import (
+    HarExtractRequest,
+    HarExtractResponse,
+    HealthResponse,
+    JobStatusResponse,
+    NucleiJobRequest,
+    NucleiJobResponse,
+    VersionResponse,
+)
+from services.crawl_service import run_crawl_service
+from services.har_service import extract_har_service
+from services.nuclei_service import run_nuclei_service
+
+app = FastAPI(title="NetBear API", version="0.1.0")
+jobs = create_job_store()
+STATIC_DIR = Path(__file__).resolve().parent / "static"
+BRANDING_IMAGE = (
+    Path(__file__).resolve().parent.parent
+    / "insert_operation_images"
+    / "IMG_20260401_074509.jpg"
+)
+app.mount("/static", StaticFiles(directory=STATIC_DIR), name="static")
+REPORTS_ROOT = Path(config.REPORTS_DIR).resolve()
+
+
+def _build_crawl_response(data: dict) -> CrawlJobResponse:
+    artifacts = ArtifactManifest(
+        run_dir=data.get("run_dir"),
+        summary_path=data.get("summary_path"),
+        har_path=data.get("har_path"),
+        curl_path=data.get("curl_path"),
+        filtered_curl_path=data.get("filtered_curl_path"),
+        filtered_summary_path=data.get("filtered_summary_path"),
+        fuzzing_report=data.get("fuzzing_report"),
+    )
+    return CrawlJobResponse(
+        run_id=data["run_id"],
+        run_dir=data["run_dir"],
+        stats=data["stats"],
+        targets=data["targets"],
+        scopes=data["scopes"],
+        domains=data["domains"],
+        nuclei_results=data["nuclei_results"],
+        artifacts=artifacts,
+    )
+
+
+def require_api_key(
+    x_api_key: str | None = Header(default=None, alias=config.API_AUTH_HEADER)
+):
+    allowed_keys = get_allowed_api_keys()
+    if not allowed_keys:
+        return
+    if x_api_key not in allowed_keys:
+        raise HTTPException(status_code=401, detail="Invalid or missing API key")
+
+
+def _safe_path(path: str, base_dir: Path) -> Path:
+    candidate = Path(path).resolve()
+    base_resolved = base_dir.resolve()
+    if candidate != base_resolved and base_resolved not in candidate.parents:
+        raise HTTPException(
+            status_code=403, detail="Artifact path is outside the allowed directory"
+        )
+    if not candidate.exists() or not candidate.is_file():
+        raise HTTPException(status_code=404, detail="Artifact not found")
+    return candidate
+
+
+def _artifact_manifest_for_job(job: dict) -> dict:
+    result = job.get("result") or {}
+    if job["job_type"] == "crawl":
+        artifacts = {
+            key: value
+            for key, value in {
+                "summary_path": result.get("summary_path"),
+                "har_path": result.get("har_path"),
+                "curl_path": result.get("curl_path"),
+                "filtered_curl_path": result.get("filtered_curl_path"),
+                "filtered_summary_path": result.get("filtered_summary_path"),
+                "fuzzing_report": result.get("fuzzing_report"),
+            }.items()
+            if value
+        }
+        run_dir = result.get("run_dir")
+        return {"base_dir": run_dir, "artifacts": artifacts}
+
+    if job["job_type"] == "nuclei":
+        output_dir = result.get("output_dir")
+        report_dir = result.get("report_dir")
+        artifacts = {}
+        if output_dir:
+            output_path = Path(output_dir)
+            for filename in [
+                "results.txt",
+                "results.json",
+                "report.html",
+                "targets.txt",
+            ]:
+                candidate = output_path / filename
+                if candidate.exists():
+                    artifacts[filename] = str(candidate)
+        return {"base_dir": output_dir or report_dir, "artifacts": artifacts}
+
+    return {"base_dir": None, "artifacts": {}}
+
+
+@app.get("/health", response_model=HealthResponse)
+def health() -> HealthResponse:
+    return HealthResponse(status="ok", service="netbear-api")
+
+
+@app.get("/version", response_model=VersionResponse)
+def version() -> VersionResponse:
+    return VersionResponse(service="netbear-api", version="0.1.0")
+
+
+@app.get("/")
+def dashboard_index():
+    return FileResponse(STATIC_DIR / "index.html")
+
+
+@app.get("/dashboard")
+def dashboard():
+    return FileResponse(STATIC_DIR / "index.html")
+
+
+@app.get("/monitor/jobs")
+def jobs_dashboard():
+    return FileResponse(STATIC_DIR / "jobs.html")
+
+
+@app.get("/monitor/admin")
+def admin_dashboard():
+    return FileResponse(STATIC_DIR / "admin.html")
+
+
+@app.get("/branding/logo")
+def branding_logo():
+    if not BRANDING_IMAGE.exists():
+        raise HTTPException(status_code=404, detail="Branding image not available")
+    return FileResponse(BRANDING_IMAGE)
+
+
+@app.get("/findings", response_model=list[FindingSchema])
+def list_findings(
+    severity: str | None = None, _: None = Depends(require_api_key)
+) -> list[FindingSchema]:
+    with db.connection() as conn:
+        with conn.cursor() as cur:
+            if severity:
+                cur.execute(
+                    "SELECT * FROM findings WHERE severity = %s ORDER BY created_at DESC",
+                    (severity,),
+                )
+            else:
+                cur.execute("SELECT * FROM findings ORDER BY created_at DESC")
+            rows = cur.fetchall()
+            return [
+                FindingSchema(
+                    **{
+                        **row,
+                        "id": str(row["id"]),
+                        "scan_id": str(row["scan_id"]),
+                        "created_at": row["created_at"].isoformat(),
+                    }
+                )
+                for row in rows
+            ]
+
+
+@app.get("/jobs/{job_id}/findings", response_model=list[FindingSchema])
+def list_job_findings(
+    job_id: str, _: None = Depends(require_api_key)
+) -> list[FindingSchema]:
+    with db.connection() as conn:
+        with conn.cursor() as cur:
+            cur.execute(
+                "SELECT * FROM findings WHERE scan_id = %s ORDER BY created_at DESC",
+                (job_id,),
+            )
+            rows = cur.fetchall()
+            return [
+                FindingSchema(
+                    **{
+                        **row,
+                        "id": str(row["id"]),
+                        "scan_id": str(row["scan_id"]),
+                        "created_at": row["created_at"].isoformat(),
+                    }
+                )
+                for row in rows
+            ]
+
+
+@app.post("/jobs/crawl", response_model=JobStatusResponse)
+def create_crawl_job(
+    request: CrawlJobRequest, _: None = Depends(require_api_key)
+) -> JobStatusResponse:
+    job = jobs.create_job("crawl")
+    jobs.run_background(
+        job["job_id"],
+        run_crawl_service,
+        request.targets,
+        request.scopes,
+        request.max_depth,
+        request.max_pages_per_domain,
+        request.delay_sec,
+        request.run_nuclei_after_crawl,
+        auth_config=request.auth_config,
+    )
+    return JobStatusResponse(**job)
+
+
+@app.post("/jobs/nuclei", response_model=JobStatusResponse)
+def create_nuclei_job(
+    request: NucleiJobRequest, _: None = Depends(require_api_key)
+) -> JobStatusResponse:
+    job = jobs.create_job("nuclei")
+    jobs.run_background(
+        job["job_id"],
+        run_nuclei_service,
+        request.site_dir,
+        request.domain,
+        request.report_path,
+        request.severity,
+        request.templates,
+        request.timeout,
+    )
+    return JobStatusResponse(**job)
+
+
+@app.get("/jobs/{job_id}", response_model=JobStatusResponse)
+def get_job(job_id: str, _: None = Depends(require_api_key)) -> JobStatusResponse:
+    job = jobs.get_job(job_id)
+    if not job:
+        raise HTTPException(status_code=404, detail="Job not found")
+    return JobStatusResponse(**job)
+
+
+@app.get("/jobs")
+def list_jobs(_: None = Depends(require_api_key)):
+    return {"jobs": jobs.list_jobs()}
+
+
+@app.delete("/jobs")
+def clear_jobs(
+    include_running: bool = False,
+    force: bool = False,
+    _: None = Depends(require_api_key),
+):
+    if include_running and not force:
+        raise HTTPException(
+            status_code=409, detail="Force confirmation required to clear running jobs"
+        )
+    deleted = jobs.clear_jobs(include_running=include_running)
+    return {"deleted": deleted}
+
+
+@app.get("/jobs/{job_id}/results")
+def get_job_results(job_id: str, _: None = Depends(require_api_key)):
+    job = jobs.get_job(job_id)
+    if not job:
+        raise HTTPException(status_code=404, detail="Job not found")
+    if job["status"] != "completed":
+        raise HTTPException(status_code=409, detail="Job has not completed")
+
+    if job["job_type"] == "crawl":
+        return _build_crawl_response(job["result"])
+    if job["job_type"] == "nuclei":
+        return NucleiJobResponse(**job["result"])
+    return job["result"]
+
+
+@app.delete("/jobs/{job_id}")
+def delete_job(job_id: str, force: bool = False, _: None = Depends(require_api_key)):
+    job = jobs.get_job(job_id)
+    if not job:
+        raise HTTPException(status_code=404, detail="Job not found")
+    if job["status"] == "running" and not force:
+        raise HTTPException(status_code=409, detail="Cannot delete a running job")
+    deleted = jobs.delete_job(job_id)
+    return {"deleted": deleted, "job_id": job_id}
+
+
+@app.get("/jobs/{job_id}/artifacts")
+def list_job_artifacts(job_id: str, _: None = Depends(require_api_key)):
+    job = jobs.get_job(job_id)
+    if not job:
+        raise HTTPException(status_code=404, detail="Job not found")
+    if job["status"] != "completed":
+        raise HTTPException(status_code=409, detail="Job has not completed")
+    return _artifact_manifest_for_job(job)
+
+
+@app.get("/artifacts/{job_id}/{artifact_name}")
+def download_artifact(
+    job_id: str, artifact_name: str, _: None = Depends(require_api_key)
+):
+    job = jobs.get_job(job_id)
+    if not job:
+        raise HTTPException(status_code=404, detail="Job not found")
+    if job["status"] != "completed":
+        raise HTTPException(status_code=409, detail="Job has not completed")
+
+    manifest = _artifact_manifest_for_job(job)
+    artifact_path = manifest["artifacts"].get(artifact_name)
+    if not artifact_path:
+        raise HTTPException(status_code=404, detail="Artifact not available")
+
+    base_dir = manifest["base_dir"]
+    if not base_dir:
+        raise HTTPException(
+            status_code=404, detail="Artifact base directory unavailable"
+        )
+
+    safe_artifact = _safe_path(artifact_path, Path(base_dir))
+    _safe_path(str(safe_artifact), REPORTS_ROOT)
+    return FileResponse(safe_artifact)
+
+
+@app.post("/extract/har", response_model=HarExtractResponse)
+def extract_har(
+    request: HarExtractRequest, _: None = Depends(require_api_key)
+) -> HarExtractResponse:
+    result = extract_har_service(
+        har_file=request.har_file,
+        api_prefix=request.api_prefix,
+        status_filter=request.status_filter,
+        output_txt=request.output_txt,
+        output_json=request.output_json,
+        output_report=request.output_report,
+    )
+    return HarExtractResponse(**result)

api/db.py

@@ -0,0 +1,79 @@
+import logging
+from collections.abc import Generator
+from contextlib import contextmanager
+
+import psycopg
+from psycopg.rows import dict_row
+
+import netbear.config as config
+
+logger = logging.getLogger(__name__)
+
+
+class Database:
+    def __init__(self, url: str = config.DATABASE_URL):
+        self.url = url
+        self._pool = None
+
+    def get_conn(self):
+        # In a real production app we'd use a connection pool (psycopg_pool)
+        # For V1 modular monolith, we'll start with direct connections or a simple wrapper
+        return psycopg.connect(self.url, row_factory=dict_row)
+
+    @contextmanager
+    def connection(self) -> Generator[psycopg.Connection, None, None]:
+        conn = self.get_conn()
+        try:
+            yield conn
+            conn.commit()
+        except Exception:
+            conn.rollback()
+            raise
+        finally:
+            conn.close()
+
+    def init_db(self):
+        """Initialize the database schema."""
+        logger.info("Initializing database schema...")
+        with self.connection() as conn:
+            with conn.cursor() as cur:
+                # Jobs table
+                cur.execute("""
+                    CREATE TABLE IF NOT EXISTS jobs (
+                        job_id UUID PRIMARY KEY,
+                        job_type TEXT NOT NULL,
+                        status TEXT NOT NULL,
+                        created_at TIMESTAMPTZ NOT NULL,
+                        updated_at TIMESTAMPTZ NOT NULL,
+                        error TEXT,
+                        result JSONB,
+                        task TEXT,
+                        args JSONB,
+                        kwargs JSONB
+                    );
+                """)
+
+                # Findings table (V1 Requirement)
+                cur.execute("""
+                    CREATE TABLE IF NOT EXISTS findings (
+                        id UUID PRIMARY KEY,
+                        scan_id UUID REFERENCES jobs(job_id) ON DELETE CASCADE,
+                        target_url TEXT NOT NULL,
+                        title TEXT NOT NULL,
+                        severity TEXT NOT NULL,
+                        evidence JSONB DEFAULT '[]',
+                        reproducibility JSONB DEFAULT '{}',
+                        created_at TIMESTAMPTZ DEFAULT NOW()
+                    );
+                """)
+
+                # Index for findings
+                cur.execute(
+                    "CREATE INDEX IF NOT EXISTS idx_findings_scan_id ON findings(scan_id);"
+                )
+                cur.execute(
+                    "CREATE INDEX IF NOT EXISTS idx_findings_severity ON findings(severity);"
+                )
+
+
+db = Database()