pangea-sdk 4.4.0__py3-none-any.whl → 5.1.0__py3-none-any.whl

pangea/crypto/rsa.py

@@ -1,7 +1,19 @@
 from __future__ import annotations
 
+import base64
+from typing import TYPE_CHECKING
+
+from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import padding, rsa
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+
+from pangea.services.vault.models.common import ExportEncryptionAlgorithm
+from pangea.services.vault.models.symmetric import SymmetricKeyEncryptionAlgorithm
+
+if TYPE_CHECKING:
+    from pangea.services.vault.models.common import ExportResult
 
 
 def generate_key_pair() -> tuple[rsa.RSAPrivateKey, rsa.RSAPublicKey]:
@@ -45,3 +57,79 @@ def public_key_to_pem(public_key: rsa.RSAPublicKey) -> bytes:
     return public_key.public_bytes(
         encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo
     )
+
+
+_AES_GCM_IV_SIZE = 12
+"""Standard nonce size for GCM."""
+
+_KEY_LENGTH = 32
+"""AES-256 key length in bytes."""
+
+
+def kem_decrypt(
+    private_key: rsa.RSAPrivateKey,
+    iv: bytes,
+    ciphertext: bytes,
+    symmetric_algorithm: str,
+    asymmetric_algorithm: str,
+    encrypted_salt: bytes,
+    password: str,
+    iteration_count: int,
+    hash_algorithm: str,
+) -> str:
+    if symmetric_algorithm.casefold() != SymmetricKeyEncryptionAlgorithm.AES_GCM_256.value.casefold():
+        raise NotImplementedError(f"Unsupported symmetric algorithm: {symmetric_algorithm}")
+
+    if asymmetric_algorithm != ExportEncryptionAlgorithm.RSA_NO_PADDING_4096_KEM:
+        raise NotImplementedError(f"Unsupported asymmetric algorithm: {asymmetric_algorithm}")
+
+    if hash_algorithm.casefold() != "SHA512".casefold():
+        raise NotImplementedError(f"Unsupported hash algorithm: {hash_algorithm}")
+
+    # No-padding RSA decryption.
+    n = private_key.private_numbers().public_numbers.n
+    salt = pow(
+        int.from_bytes(encrypted_salt, byteorder="big"),
+        private_key.private_numbers().d,
+        n,
+    ).to_bytes(n.bit_length() // 8, byteorder="big")
+
+    kdf = PBKDF2HMAC(
+        algorithm=hashes.SHA512(), length=_KEY_LENGTH, salt=salt, iterations=iteration_count, backend=default_backend()
+    )
+    symmetric_key = kdf.derive(password.encode("utf-8"))
+
+    decrypted = AESGCM(symmetric_key).decrypt(nonce=iv, data=ciphertext, associated_data=None)
+
+    return decrypted.decode("ascii")
+
+
+def kem_decrypt_export_result(*, result: ExportResult, password: str, private_key: rsa.RSAPrivateKey) -> str:
+    """Decrypt the exported result of a KEM operation."""
+    cipher_encoded = result.private_key or result.key
+    if not cipher_encoded:
+        raise TypeError("`private_key` or `key` should be set.")
+
+    assert result.encrypted_salt
+    assert result.symmetric_algorithm
+    assert result.asymmetric_algorithm
+    assert result.iteration_count
+    assert result.hash_algorithm
+
+    cipher_with_iv = base64.b64decode(cipher_encoded)
+    encrypted_salt = base64.b64decode(result.encrypted_salt)
+
+    iv = cipher_with_iv[:_AES_GCM_IV_SIZE]
+    cipher = cipher_with_iv[_AES_GCM_IV_SIZE:]
+
+    return kem_decrypt(
+        private_key=private_key,
+        iv=iv,
+        ciphertext=cipher,
+        password=password,
+        encrypted_salt=encrypted_salt,
+        symmetric_algorithm=result.symmetric_algorithm,
+        asymmetric_algorithm=result.asymmetric_algorithm,
+        iteration_count=result.iteration_count,
+        hash_algorithm=result.hash_algorithm,
+    )

pangea/request.py

@@ -1,5 +1,6 @@
 # Copyright 2022 Pangea Cyber Corporation
 # Author: Pangea Cyber Corporation
+from __future__ import annotations
 
 import copy
 import json
@@ -8,6 +9,7 @@ import time
 from typing import TYPE_CHECKING, Any, Dict, List, Optional, Sequence, Tuple, Type, Union
 
 import requests
+from pydantic import BaseModel
 from requests.adapters import HTTPAdapter, Retry
 from requests_toolbelt import MultipartDecoder  # type: ignore
 from typing_extensions import TypeVar
@@ -22,7 +24,7 @@ if TYPE_CHECKING:
     import aiohttp
 
 
-class MultipartResponse(object):
+class MultipartResponse:
     pangea_json: Dict[str, str]
     attached_files: List = []
 
@@ -31,7 +33,7 @@ class MultipartResponse(object):
         self.attached_files = attached_files
 
 
-class PangeaRequestBase(object):
+class PangeaRequestBase:
     def __init__(
         self, config: PangeaConfig, token: str, service: str, logger: logging.Logger, config_id: Optional[str] = None
     ):
@@ -129,8 +131,7 @@ class PangeaRequestBase(object):
         filename_parts = content_disposition.split("name=")
         if len(filename_parts) > 1:
             return filename_parts[1].split(";")[0].strip('"')
-        else:
-            return None
+        return None
 
     def _get_filename_from_url(self, url: str) -> Optional[str]:
         return url.split("/")[-1].split("?")[0]
@@ -157,35 +158,35 @@ class PangeaRequestBase(object):
 
         if status == ResponseStatus.VALIDATION_ERR.value:
             raise pe.ValidationException(summary, response)
-        elif status == ResponseStatus.TOO_MANY_REQUESTS.value:
+        if status == ResponseStatus.TOO_MANY_REQUESTS.value:
             raise pe.RateLimitException(summary, response)
-        elif status == ResponseStatus.NO_CREDIT.value:
+        if status == ResponseStatus.NO_CREDIT.value:
             raise pe.NoCreditException(summary, response)
-        elif status == ResponseStatus.UNAUTHORIZED.value:
+        if status == ResponseStatus.UNAUTHORIZED.value:
             raise pe.UnauthorizedException(self.service, response)
-        elif status == ResponseStatus.SERVICE_NOT_ENABLED.value:
+        if status == ResponseStatus.SERVICE_NOT_ENABLED.value:
             raise pe.ServiceNotEnabledException(self.service, response)
-        elif status == ResponseStatus.PROVIDER_ERR.value:
+        if status == ResponseStatus.PROVIDER_ERR.value:
             raise pe.ProviderErrorException(summary, response)
-        elif status in (ResponseStatus.MISSING_CONFIG_ID_SCOPE.value, ResponseStatus.MISSING_CONFIG_ID.value):
+        if status in (ResponseStatus.MISSING_CONFIG_ID_SCOPE.value, ResponseStatus.MISSING_CONFIG_ID.value):
             raise pe.MissingConfigID(self.service, response)
-        elif status == ResponseStatus.SERVICE_NOT_AVAILABLE.value:
+        if status == ResponseStatus.SERVICE_NOT_AVAILABLE.value:
             raise pe.ServiceNotAvailableException(summary, response)
-        elif status == ResponseStatus.TREE_NOT_FOUND.value:
+        if status == ResponseStatus.TREE_NOT_FOUND.value:
             raise pe.TreeNotFoundException(summary, response)
-        elif status == ResponseStatus.IP_NOT_FOUND.value:
+        if status == ResponseStatus.IP_NOT_FOUND.value:
             raise pe.IPNotFoundException(summary, response)
-        elif status == ResponseStatus.BAD_OFFSET.value:
+        if status == ResponseStatus.BAD_OFFSET.value:
             raise pe.BadOffsetException(summary, response)
-        elif status == ResponseStatus.FORBIDDEN_VAULT_OPERATION.value:
+        if status == ResponseStatus.FORBIDDEN_VAULT_OPERATION.value:
             raise pe.ForbiddenVaultOperation(summary, response)
-        elif status == ResponseStatus.VAULT_ITEM_NOT_FOUND.value:
+        if status == ResponseStatus.VAULT_ITEM_NOT_FOUND.value:
             raise pe.VaultItemNotFound(summary, response)
-        elif status == ResponseStatus.NOT_FOUND.value:
+        if status == ResponseStatus.NOT_FOUND.value:
             raise pe.NotFound(str(response.raw_response.url) if response.raw_response is not None else "", response)
-        elif status == ResponseStatus.INTERNAL_SERVER_ERROR.value:
+        if status == ResponseStatus.INTERNAL_SERVER_ERROR.value:
             raise pe.InternalServerError(response)
-        elif status == ResponseStatus.ACCEPTED.value:
+        if status == ResponseStatus.ACCEPTED.value:
             raise pe.AcceptedRequestException(response)
         raise pe.PangeaAPIException(f"{summary} ", response)
 
@@ -209,7 +210,7 @@ class PangeaRequest(PangeaRequestBase):
         self,
         endpoint: str,
         result_class: Type[TResult],
-        data: Union[str, Dict] = {},
+        data: str | BaseModel | dict[str, Any] | None = None,
         files: Optional[List[Tuple]] = None,
         poll_result: bool = True,
         url: Optional[str] = None,
@@ -224,6 +225,13 @@ class PangeaRequest(PangeaRequestBase):
             PangeaResponse which contains the response in its entirety and
                various properties to retrieve individual fields
         """
+
+        if isinstance(data, BaseModel):
+            data = data.model_dump(exclude_none=True)
+
+        if data is None:
+            data = {}
+
         if url is None:
             url = self._url(endpoint)
 
@@ -336,19 +344,17 @@ class PangeaRequest(PangeaRequestBase):
                 multi.extend(files)
                 files = multi
                 return None, files
-            else:
-                # Post to presigned url as form
-                data_send: list = []  # type: ignore[no-redef]
-                for k, v in data.items():  # type: ignore[union-attr]
-                    data_send.append((k, v))  # type: ignore[attr-defined]
-                # When posting to presigned url, file key should be 'file'
-                files = {  # type: ignore[assignment]
-                    "file": files[0][1],
-                }
-                return data_send, files
-        else:
-            data_send = json.dumps(data, default=default_encoder) if isinstance(data, dict) else data
-            return data_send, None
+            # Post to presigned url as form
+            data_send: list = []  # type: ignore[no-redef]
+            for k, v in data.items():  # type: ignore[union-attr]
+                data_send.append((k, v))  # type: ignore[attr-defined]
+            # When posting to presigned url, file key should be 'file'
+            files = {  # type: ignore[assignment]
+                "file": files[0][1],
+            }
+            return data_send, files
+        data_send = json.dumps(data, default=default_encoder) if isinstance(data, dict) else data
+        return data_send, None
 
         return data, files
 
@@ -432,8 +438,7 @@ class PangeaRequest(PangeaRequestBase):
                 )
             )
             return AttachedFile(filename=filename, file=response.content, content_type=content_type)
-        else:
-            raise pe.DownloadFileError(f"Failed to download file. Status: {response.status_code}", response.text)
+        raise pe.DownloadFileError(f"Failed to download file. Status: {response.status_code}", response.text)
 
     def poll_result_by_id(
         self, request_id: str, result_class: Type[TResult], check_response: bool = True
@@ -462,10 +467,8 @@ class PangeaRequest(PangeaRequestBase):
     ) -> PangeaResponse:
         # Send request
         try:
-            # This should return 202 (AcceptedRequestException)
-            resp = self.post(endpoint=endpoint, result_class=result_class, data=data, poll_result=False)
-            raise pe.PresignedURLException("Should return 202", resp)
-
+            # This should return 202 (AcceptedRequestException) at least zero size file is sent
+            return self.post(endpoint=endpoint, result_class=result_class, data=data, poll_result=False)
         except pe.AcceptedRequestException as e:
             accepted_exception = e
         except Exception as e:
@@ -523,6 +526,9 @@ class PangeaRequest(PangeaRequestBase):
             raise AttributeError("files attribute should have at least 1 file")
 
         response = self.request_presigned_url(endpoint=endpoint, result_class=result_class, data=data)
+
+        if response.success:  # This should only happen when uploading a zero bytes file
+            return response.raw_response
         if response.accepted_result is None:
             raise pe.PangeaException("No accepted_result field when requesting presigned url")
         if response.accepted_result.post_url is None:
@@ -589,8 +595,7 @@ class PangeaRequest(PangeaRequestBase):
 
         if loop_resp.accepted_result is not None and not loop_resp.accepted_result.has_upload_url:
             return loop_resp
-        else:
-            raise loop_exc
+        raise loop_exc
 
     def _init_session(self) -> requests.Session:
         retry_config = Retry(

pangea/response.py

@@ -28,6 +28,7 @@ class AttachedFile(object):
             filename = self.filename if self.filename else "default_save_filename"
 
         filepath = os.path.join(dest_folder, filename)
+        filepath = self._find_available_file(filepath)
         directory = os.path.dirname(filepath)
         if not os.path.exists(directory):
             os.makedirs(directory)
@@ -35,6 +36,17 @@ class AttachedFile(object):
         with open(filepath, "wb") as file:
             file.write(self.file)
 
+    def _find_available_file(self, file_path):
+        base_name, ext = os.path.splitext(file_path)
+        counter = 1
+        while os.path.exists(file_path):
+            if ext:
+                file_path = f"{base_name}_{counter}{ext}"
+            else:
+                file_path = f"{base_name}_{counter}"
+            counter += 1
+        return file_path
+
 
 class TransferMethod(str, enum.Enum):
     """Transfer methods for uploading file data."""

pangea/services/__init__.py

@@ -6,4 +6,5 @@ from .file_scan import FileScan
 from .intel import DomainIntel, FileIntel, IpIntel, UrlIntel, UserIntel
 from .redact import Redact
 from .sanitize import Sanitize
+from .share.share import Share
 from .vault.vault import Vault

pangea/services/audit/signing.py

@@ -1,5 +1,7 @@
 # Copyright 2022 Pangea Cyber Corporation
 # Author: Pangea Cyber Corporation
+from __future__ import annotations
+
 from abc import ABC, abstractmethod
 from typing import Optional
 
@@ -10,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes, Pub
 
 from pangea.exceptions import PangeaException
 from pangea.services.audit.util import b64decode, b64decode_ascii, b64encode_ascii
-from pangea.services.vault.models.common import AsymmetricAlgorithm
+from pangea.services.vault.models.asymmetric import AsymmetricKeySigningAlgorithm
 
 
 class AlgorithmSigner(ABC):
@@ -43,7 +45,7 @@ class ED25519Signer(AlgorithmSigner):
         )
 
     def get_algorithm(self) -> str:
-        return AsymmetricAlgorithm.Ed25519.value
+        return AsymmetricKeySigningAlgorithm.ED25519.value
 
 
 signers = {
@@ -144,8 +146,7 @@ class Verifier:
         for cls, verifier in verifiers.items():
             if isinstance(pubkey, cls):
                 return verifier(pubkey).verify(message_bytes, signature_bytes)
-        else:
-            raise PangeaException(f"Not supported public key type: {type(pubkey)}")
+        raise PangeaException(f"Not supported public key type: {type(pubkey)}")
 
     def _decode_public_key(self, public_key: bytes):
         """Parse a public key in PEM or ssh format"""

pangea/services/share/file_format.py

@@ -0,0 +1,170 @@
+import enum
+
+
+class FileFormat(str, enum.Enum):
+    F3G2 = "3G2"
+    F3GP = "3GP"
+    F3MF = "3MF"
+    F7Z = "7Z"
+    A = "A"
+    AAC = "AAC"
+    ACCDB = "ACCDB"
+    AIFF = "AIFF"
+    AMF = "AMF"
+    AMR = "AMR"
+    APE = "APE"
+    ASF = "ASF"
+    ATOM = "ATOM"
+    AU = "AU"
+    AVI = "AVI"
+    AVIF = "AVIF"
+    BIN = "BIN"
+    BMP = "BMP"
+    BPG = "BPG"
+    BZ2 = "BZ2"
+    CAB = "CAB"
+    CLASS = "CLASS"
+    CPIO = "CPIO"
+    CRX = "CRX"
+    CSV = "CSV"
+    DAE = "DAE"
+    DBF = "DBF"
+    DCM = "DCM"
+    DEB = "DEB"
+    DJVU = "DJVU"
+    DLL = "DLL"
+    DOC = "DOC"
+    DOCX = "DOCX"
+    DWG = "DWG"
+    EOT = "EOT"
+    EPUB = "EPUB"
+    EXE = "EXE"
+    FDF = "FDF"
+    FITS = "FITS"
+    FLAC = "FLAC"
+    FLV = "FLV"
+    GBR = "GBR"
+    GEOJSON = "GEOJSON"
+    GIF = "GIF"
+    GLB = "GLB"
+    GML = "GML"
+    GPX = "GPX"
+    GZ = "GZ"
+    HAR = "HAR"
+    HDR = "HDR"
+    HEIC = "HEIC"
+    HEIF = "HEIF"
+    HTML = "HTML"
+    ICNS = "ICNS"
+    ICO = "ICO"
+    ICS = "ICS"
+    ISO = "ISO"
+    JAR = "JAR"
+    JP2 = "JP2"
+    JPF = "JPF"
+    JPG = "JPG"
+    JPM = "JPM"
+    JS = "JS"
+    JSON = "JSON"
+    JXL = "JXL"
+    JXR = "JXR"
+    KML = "KML"
+    LIT = "LIT"
+    LNK = "LNK"
+    LUA = "LUA"
+    LZ = "LZ"
+    M3U = "M3U"
+    M4A = "M4A"
+    MACHO = "MACHO"
+    MDB = "MDB"
+    MIDI = "MIDI"
+    MKV = "MKV"
+    MOBI = "MOBI"
+    MOV = "MOV"
+    MP3 = "MP3"
+    MP4 = "MP4"
+    MPC = "MPC"
+    MPEG = "MPEG"
+    MQV = "MQV"
+    MRC = "MRC"
+    MSG = "MSG"
+    MSI = "MSI"
+    NDJSON = "NDJSON"
+    NES = "NES"
+    ODC = "ODC"
+    ODF = "ODF"
+    ODG = "ODG"
+    ODP = "ODP"
+    ODS = "ODS"
+    ODT = "ODT"
+    OGA = "OGA"
+    OGV = "OGV"
+    OTF = "OTF"
+    OTG = "OTG"
+    OTP = "OTP"
+    OTS = "OTS"
+    OTT = "OTT"
+    OWL = "OWL"
+    P7S = "P7S"
+    PAT = "PAT"
+    PDF = "PDF"
+    PHP = "PHP"
+    PL = "PL"
+    PNG = "PNG"
+    PPT = "PPT"
+    PPTX = "PPTX"
+    PS = "PS"
+    PSD = "PSD"
+    PUB = "PUB"
+    PY = "PY"
+    QCP = "QCP"
+    RAR = "RAR"
+    RMVB = "RMVB"
+    RPM = "RPM"
+    RSS = "RSS"
+    RTF = "RTF"
+    SHP = "SHP"
+    SHX = "SHX"
+    SO = "SO"
+    SQLITE = "SQLITE"
+    SRT = "SRT"
+    SVG = "SVG"
+    SWF = "SWF"
+    SXC = "SXC"
+    TAR = "TAR"
+    TCL = "TCL"
+    TCX = "TCX"
+    TIFF = "TIFF"
+    TORRENT = "TORRENT"
+    TSV = "TSV"
+    TTC = "TTC"
+    TTF = "TTF"
+    TXT = "TXT"
+    VCF = "VCF"
+    VOC = "VOC"
+    VTT = "VTT"
+    WARC = "WARC"
+    WASM = "WASM"
+    WAV = "WAV"
+    WEBM = "WEBM"
+    WEBP = "WEBP"
+    WOFF = "WOFF"
+    WOFF2 = "WOFF2"
+    X3D = "X3D"
+    XAR = "XAR"
+    XCF = "XCF"
+    XFDF = "XFDF"
+    XLF = "XLF"
+    XLS = "XLS"
+    XLSX = "XLSX"
+    XML = "XML"
+    XPM = "XPM"
+    XZ = "XZ"
+    ZIP = "ZIP"
+    ZST = "ZST"
+
+    def __str__(self):
+        return str(self.value)
+
+    def __repr__(self):
+        return str(self.value)