ostruct-cli 0.2.0__py3-none-any.whl → 0.4.0__py3-none-any.whl

ostruct/cli/security.py

@@ -1,323 +0,0 @@
-"""Security management for file access.
-
-This module provides security checks for file access, including:
-- Base directory restrictions
-- Allowed directory validation
-- Path traversal prevention
-- Temporary directory handling
-"""
-
-import logging
-import os
-import tempfile
-from pathlib import Path
-from typing import List, Optional, Set
-
-from .errors import DirectoryNotFoundError, PathSecurityError
-from .security_types import SecurityManagerProtocol
-
-
-def is_temp_file(path: str) -> bool:
-    """Check if a file is in a temporary directory.
-
-    Args:
-        path: Path to check (will be converted to absolute path)
-
-    Returns:
-        True if the path is in a temporary directory, False otherwise
-
-    Note:
-        This function handles platform-specific path normalization, including symlinks
-        (e.g., on macOS where /var is symlinked to /private/var).
-    """
-    # Normalize the input path (resolve symlinks)
-    abs_path = os.path.realpath(path)
-
-    # Get all potential temp directories and normalize them
-    temp_dirs = set()
-    # System temp dir (platform independent)
-    temp_dirs.add(os.path.realpath(tempfile.gettempdir()))
-
-    # Common Unix/Linux/macOS temp locations
-    unix_temp_dirs = ["/tmp", "/var/tmp", "/var/folders"]
-    for temp_dir in unix_temp_dirs:
-        if os.path.exists(temp_dir):
-            temp_dirs.add(os.path.realpath(temp_dir))
-
-    # Windows temp locations (if on Windows)
-    if os.name == "nt":
-        if "TEMP" in os.environ:
-            temp_dirs.add(os.path.realpath(os.environ["TEMP"]))
-        if "TMP" in os.environ:
-            temp_dirs.add(os.path.realpath(os.environ["TMP"]))
-
-    # Check if file is in any temp directory using normalized paths
-    abs_path_parts = os.path.normpath(abs_path).split(os.sep)
-    for temp_dir in temp_dirs:
-        temp_dir_parts = os.path.normpath(temp_dir).split(os.sep)
-        # Check if the path starts with the temp directory components
-        if len(abs_path_parts) >= len(temp_dir_parts) and all(
-            a == b
-            for a, b in zip(
-                abs_path_parts[: len(temp_dir_parts)], temp_dir_parts
-            )
-        ):
-            return True
-
-    return False
-
-
-class SecurityManager(SecurityManagerProtocol):
-    """Manages security for file access.
-
-    Validates all file access against a base directory and optional
-    allowed directories. Prevents unauthorized access and directory
-    traversal attacks.
-
-    The security model is based on:
-    1. A base directory that serves as the root for all file operations
-    2. A set of explicitly allowed directories that can be accessed outside the base directory
-    3. Special handling for temporary directories that are always allowed
-
-    All paths are normalized using realpath() to handle symlinks consistently across platforms.
-    """
-
-    def __init__(
-        self,
-        base_dir: Optional[str] = None,
-        allowed_dirs: Optional[List[str]] = None,
-    ):
-        """Initialize security manager.
-
-        Args:
-            base_dir: Base directory for file access. Defaults to current working directory.
-            allowed_dirs: Optional list of additional allowed directories
-
-        All paths are normalized using realpath to handle symlinks
-        and relative paths consistently across platforms.
-        """
-        logger = logging.getLogger("ostruct")
-        logger.debug("Initializing SecurityManager")
-        self._base_dir = Path(os.path.realpath(base_dir or os.getcwd()))
-        logger.debug("Base directory set to: %s", self._base_dir)
-
-        self._allowed_dirs: Set[Path] = set()
-        if allowed_dirs:
-            for directory in allowed_dirs:
-                logger.debug("Adding allowed directory: %s", directory)
-                self.add_allowed_dir(directory)
-
-    @property
-    def base_dir(self) -> Path:
-        """Get the base directory."""
-        return self._base_dir
-
-    @property
-    def allowed_dirs(self) -> List[Path]:
-        """Get the list of allowed directories."""
-        return sorted(self._allowed_dirs)  # Sort for consistent ordering
-
-    def add_allowed_dir(self, directory: str) -> None:
-        """Add a directory to the set of allowed directories.
-
-        Args:
-            directory: Directory to allow access to
-
-        Raises:
-            DirectoryNotFoundError: If directory does not exist
-        """
-        logger = logging.getLogger("ostruct")
-        logger.debug("Adding allowed directory: %s", directory)
-        real_path = Path(os.path.realpath(directory))
-        logger.debug("Resolved real path: %s", real_path)
-
-        if not real_path.exists():
-            logger.debug("Directory not found: %s", directory)
-            raise DirectoryNotFoundError(f"Directory not found: {directory}")
-        if not real_path.is_dir():
-            logger.debug("Path is not a directory: %s", directory)
-            raise DirectoryNotFoundError(
-                f"Path is not a directory: {directory}"
-            )
-        self._allowed_dirs.add(real_path)
-        logger.debug("Successfully added allowed directory: %s", real_path)
-
-    def add_allowed_dirs_from_file(self, file_path: str) -> None:
-        """Add allowed directories from a file.
-
-        Args:
-            file_path: Path to file containing allowed directories (one per line)
-
-        Raises:
-            PathSecurityError: If file_path is outside allowed directories
-            FileNotFoundError: If file does not exist
-            ValueError: If file contains invalid directories
-        """
-        real_path = Path(os.path.realpath(file_path))
-
-        # First validate the file path itself
-        try:
-            self.validate_path(
-                str(real_path), purpose="read allowed directories"
-            )
-        except PathSecurityError:
-            raise PathSecurityError.from_expanded_paths(
-                original_path=file_path,
-                expanded_path=str(real_path),
-                error_logged=True,
-                base_dir=str(self._base_dir),
-                allowed_dirs=[str(d) for d in self._allowed_dirs],
-            )
-
-        if not real_path.exists():
-            raise FileNotFoundError(f"File not found: {file_path}")
-
-        with open(real_path) as f:
-            for line in f:
-                directory = line.strip()
-                if directory and not directory.startswith("#"):
-                    self.add_allowed_dir(directory)
-
-    def is_path_allowed(self, path: str) -> bool:
-        """Check if a path is allowed.
-
-        A path is allowed if it is:
-        1. Under the normalized base directory
-        2. Under any normalized allowed directory
-
-        The path must also exist.
-
-        Args:
-            path: Path to check
-
-        Returns:
-            bool: True if path exists and is allowed, False otherwise
-        """
-        logger = logging.getLogger("ostruct")
-        logger.debug("Checking if path is allowed: %s", path)
-        logger.debug("Base directory: %s", self._base_dir)
-        logger.debug("Allowed directories: %s", self._allowed_dirs)
-
-        try:
-            real_path = Path(os.path.realpath(path))
-            logger.debug("Resolved real path: %s", real_path)
-
-            # Check if the path exists
-            if not real_path.exists():
-                logger.debug("Path does not exist")
-                return False
-
-        except (ValueError, OSError) as e:
-            logger.debug("Failed to resolve real path: %s", e)
-            return False
-
-        try:
-            if real_path.is_relative_to(self._base_dir):
-                logger.debug("Path is relative to base directory")
-                return True
-        except ValueError:
-            logger.debug("Path is not relative to base directory")
-
-        for allowed_dir in self._allowed_dirs:
-            try:
-                if real_path.is_relative_to(allowed_dir):
-                    logger.debug(
-                        "Path is relative to allowed directory: %s",
-                        allowed_dir,
-                    )
-                    return True
-            except ValueError:
-                logger.debug(
-                    "Path is not relative to allowed directory: %s",
-                    allowed_dir,
-                )
-                continue
-
-        logger.debug("Path is not allowed")
-        return False
-
-    def validate_path(self, path: str, purpose: str = "access") -> Path:
-        """Validate and normalize a path.
-
-        Args:
-            path: Path to validate
-            purpose: Description of intended access (for error messages)
-
-        Returns:
-            Path: Normalized path if valid
-
-        Raises:
-            PathSecurityError: If path is not allowed
-        """
-        logger = logging.getLogger("ostruct")
-        logger.debug("Validating path for %s: %s", purpose, path)
-
-        try:
-            real_path = Path(os.path.realpath(path))
-            logger.debug("Resolved real path: %s", real_path)
-        except (ValueError, OSError) as e:
-            logger.error("Invalid path format: %s", e)
-            raise PathSecurityError(
-                f"Invalid path format: {e}", error_logged=True
-            )
-
-        if not self.is_path_allowed(str(real_path)):
-            logger.error(
-                "Access denied: %s is outside base directory and not in allowed directories",
-                path,
-            )
-            raise PathSecurityError.from_expanded_paths(
-                original_path=path,
-                expanded_path=str(real_path),
-                base_dir=str(self._base_dir),
-                allowed_dirs=[str(d) for d in self._allowed_dirs],
-                error_logged=True,
-            )
-
-        logger.debug("Path validation successful")
-        return real_path
-
-    def is_allowed_file(self, path: str) -> bool:
-        """Check if file access is allowed.
-
-        Args:
-            path: Path to check
-
-        Returns:
-            bool: True if file exists and is allowed
-        """
-        try:
-            real_path = Path(os.path.realpath(path))
-            return self.is_path_allowed(str(real_path)) and real_path.is_file()
-        except (ValueError, OSError):
-            return False
-
-    def is_allowed_path(self, path_str: str) -> bool:
-        """Check if string path is allowed.
-
-        Args:
-            path_str: Path string to check
-
-        Returns:
-            bool: True if path is allowed
-        """
-        try:
-            return self.is_path_allowed(path_str)
-        except (ValueError, OSError):
-            return False
-
-    def resolve_path(self, path: str) -> Path:
-        """Resolve and validate a path.
-
-        This is an alias for validate_path() for backward compatibility.
-
-        Args:
-            path: Path to resolve and validate
-
-        Returns:
-            Path: Normalized path if valid
-
-        Raises:
-            PathSecurityError: If path is not allowed
-        """
-        return self.validate_path(path)

ostruct/cli/security_types.py

@@ -1,49 +0,0 @@
-"""Security type definitions and protocols."""
-
-from pathlib import Path
-from typing import List, Protocol
-
-
-class SecurityManagerProtocol(Protocol):
-    """Protocol defining the interface for security managers."""
-
-    @property
-    def base_dir(self) -> Path:
-        """Get the base directory."""
-        ...
-
-    @property
-    def allowed_dirs(self) -> List[Path]:
-        """Get the list of allowed directories."""
-        ...
-
-    def add_allowed_dir(self, directory: str) -> None:
-        """Add a directory to the set of allowed directories."""
-        ...
-
-    def add_allowed_dirs_from_file(self, file_path: str) -> None:
-        """Add allowed directories from a file."""
-        ...
-
-    def is_path_allowed(self, path: str) -> bool:
-        """Check if a path is allowed."""
-        ...
-
-    def validate_path(self, path: str, purpose: str = "access") -> Path:
-        """Validate and normalize a path."""
-        ...
-
-    def is_allowed_file(self, path: str) -> bool:
-        """Check if file access is allowed."""
-        ...
-
-    def is_allowed_path(self, path_str: str) -> bool:
-        """Check if string path is allowed."""
-        ...
-
-    def resolve_path(self, path: str) -> Path:
-        """Resolve and validate a path.
-
-        This is an alias for validate_path() for backward compatibility.
-        """
-        ...

ostruct_cli-0.2.0.dist-info/RECORD

@@ -1,27 +0,0 @@
-ostruct/__init__.py,sha256=X6zo6V7ZNMv731Wi388aTVQngD1410ExGwGx4J6lpyo,187
-ostruct/cli/__init__.py,sha256=dbdUfKRT4ARSHgjsZOmQ-TJT1mHwL7L3xMuilPkhG4Q,411
-ostruct/cli/cache_manager.py,sha256=ej3KrRfkKKZ_lEp2JswjbJ5bW2ncsvna9NeJu81cqqs,5192
-ostruct/cli/cli.py,sha256=jJ60txGOA4ju-4Z057FA8eRnrpxTHDLBn6bZLNsJy9Q,70170
-ostruct/cli/errors.py,sha256=vxfjXpUbsarYJoTBaGFpjpa8wXqOMGQryTh-roUhRuU,9454
-ostruct/cli/file_info.py,sha256=SdU_V5g4R0o41tOTlobOF5cibZfb9qS12fK7G2XNfRs,10481
-ostruct/cli/file_list.py,sha256=srrouvhimoklNo69nWjrKyUN-5zTOmtVj_swdBZPBTk,7105
-ostruct/cli/file_utils.py,sha256=uqEvRoWskzKUd5akA-NtdKtLWByKMTXOiVJiiO7uXus,21153
-ostruct/cli/path_utils.py,sha256=jhJsvmxsq0_FU5cWwB-JoEymGbvB2JX9Q0a-dUf0s1w,4461
-ostruct/cli/progress.py,sha256=rj9nVEco5UeZORMbzd7mFJpFGJjbH9KbBFh5oTE5Anw,3415
-ostruct/cli/security.py,sha256=j7oRb7UM_Mndl_CvnQlql8eyudcAVgfCkeQuXIQyME4,10945
-ostruct/cli/security_types.py,sha256=oSNbaKjhZVHB6pQEG_WOUhUYKlw9cl4uGOBx2R9BxRk,1341
-ostruct/cli/template_env.py,sha256=S2ZvxuMQMicodSVqUhrw0kOzbNmlpQjSHtWlOwjXCms,1538
-ostruct/cli/template_extensions.py,sha256=tJN3HGAS2yzGI8Up6STPday8NVL0VV6UCClBrtDKYr0,1623
-ostruct/cli/template_filters.py,sha256=SNp7PR4ZbuC9BVUlEgwzd6VZYjI0lsobTabLiJe_sZM,19030
-ostruct/cli/template_io.py,sha256=6rDw2Wx6czK1VntKGUM6cvyMbMWojt41hUlYRpfQuoc,8749
-ostruct/cli/template_rendering.py,sha256=GrQAcKpGe6QEjSVQkOjpegMcor9LzVUikGmmEVgiWCE,12391
-ostruct/cli/template_schema.py,sha256=ckH4rUZnEgfm_BHS9LnMGr8LtDxRmZ0C6UBVrSp8KTc,19604
-ostruct/cli/template_utils.py,sha256=QGgewxU_Tgn81J5U-Y4xfi67CkN2dEqXI7PsaNiI9es,7812
-ostruct/cli/template_validation.py,sha256=q3ACw4TscdekJb3Z3CTYw0YPEYttqjKjm74ap4lWtU4,11737
-ostruct/cli/utils.py,sha256=1UCl4rHjBWKR5EKugvlVGHiHjO3XXmqvkgeAUSyIPDU,831
-ostruct/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-ostruct_cli-0.2.0.dist-info/LICENSE,sha256=QUOY6QCYVxAiH8vdrUTDqe3i9hQ5bcNczppDSVpLTjk,1068
-ostruct_cli-0.2.0.dist-info/METADATA,sha256=uduwQEF87qBeSBhzFg9AWdFqnDM1TdRyvdRwq-IKqZQ,5300
-ostruct_cli-0.2.0.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
-ostruct_cli-0.2.0.dist-info/entry_points.txt,sha256=NFq9IuqHVTem0j9zKjV8C1si_zGcP1RL6Wbvt9fUDXw,48
-ostruct_cli-0.2.0.dist-info/RECORD,,