praetorian-cli 2.2.1__py3-none-any.whl → 2.2.2__py3-none-any.whl

praetorian_cli/handlers/aegis.py

@@ -0,0 +1,107 @@
+import click
+from praetorian_cli.handlers.chariot import chariot
+from praetorian_cli.handlers.cli_decorators import cli_handler
+
+
+@chariot.group(invoke_without_command=True)
+@cli_handler
+@click.pass_context
+def aegis(ctx, sdk):
+    """Aegis management commands"""
+    if ctx.invoked_subcommand is None:
+        # No subcommand was invoked, run the default interactive interface
+        from praetorian_cli.ui.aegis.menu import run_aegis_menu
+        run_aegis_menu(sdk)
+
+
+# Add the shared commands to the CLI group
+# Each shared command gets wrapped to inject the CLI context
+
+@aegis.command('list')
+@cli_handler
+@click.option('--details', is_flag=True, help='Show detailed agent information')
+@click.option('--filter', help='Filter agents by hostname or other properties')
+@click.pass_context
+def list_agents(ctx, sdk, details, filter):
+    """List Aegis agents with optional details"""
+    click.echo(sdk.aegis.format_agents_list(details=details, filter_text=filter))
+
+
+@aegis.command('ssh')
+@cli_handler
+@click.argument('client_id', required=True)
+@click.option('-u', '--user', help='SSH username (prepends user@ to hostname)')
+@click.argument('args', nargs=-1)
+@click.pass_context
+def ssh(ctx, sdk, client_id, user, args):
+    """Connect to an Aegis agent via SSH.
+
+    Pass native ssh flags after client_id; they are forwarded to ssh.
+
+    Common options (forwarded to ssh):
+      -L [bind_address:]port:host:hostport   Local port forward (repeatable)
+      -R [bind_address:]port:host:hostport   Remote port forward (repeatable)
+      -D [bind_address:]port                 Dynamic SOCKS proxy
+      -i IDENTITY_FILE                       Identity (private key) file
+      -l USER                                Remote username (alternative to -u/--user)
+      -o OPTION=VALUE                        Extra ssh config option
+      -p PORT                                SSH port
+      -v/-vv/-vvv                            Verbose output
+    """
+    agent = sdk.aegis.get_by_client_id(client_id)
+    if not agent:
+        click.echo(f"Agent not found: {client_id}", err=True)
+        return
+
+    options = list(args)
+    sdk.aegis.ssh_to_agent(agent=agent, options=options, user=user, display_info=True)
+
+
+@aegis.command('job')
+@cli_handler
+@click.option('-c', '--capability', 'capabilities', multiple=True, help='Capability to run (e.g., windows-smb-snaffler)')
+@click.option('--config', help='JSON configuration string for the job')
+@click.argument('client_id', required=True)
+@click.pass_context
+def job(ctx, sdk, capabilities, config, client_id):
+    """Run a job on an Aegis agent"""
+    agent = sdk.aegis.get_by_client_id(client_id)
+    if not agent:
+        click.echo(f"Agent not found: {client_id}", err=True)
+        return
+    
+    try:
+        result = sdk.aegis.run_job(
+            agent,
+            list(capabilities) if capabilities else None,
+            config
+        )
+
+        if 'capabilities' in result:
+            click.echo("Available capabilities:")
+            for cap in result['capabilities']:
+                name = cap.get('name', 'unknown')
+                desc = cap.get('description', '')[:50]
+                click.echo(f"  {name:<25} {desc}")
+        elif result.get('success'):
+            click.echo("✓ Job queued successfully")
+            click.echo(f"  Job ID: {result.get('job_id', 'unknown')}")
+            click.echo(f"  Status: {result.get('status', 'unknown')}")
+        else:
+            click.echo("Error: Unknown error", err=True)
+    except Exception as e:
+        click.echo(f"Error: {e}", err=True)
+
+
+@aegis.command('info')
+@cli_handler
+@click.argument('client_id', required=True)
+@click.pass_context
+def info(ctx, sdk, client_id):
+    """Show detailed information for an agent"""
+    agent = sdk.aegis.get_by_client_id(client_id)
+    if not agent:
+        click.echo(f"Agent not found: {client_id}", err=True)
+        return
+    
+    click.echo(agent.to_detailed_string())

praetorian_cli/handlers/get.py

@@ -278,3 +278,20 @@ def credential(chariot, credential_id, category, type, format, parameters):
     result = chariot.credentials.get(credential_id, category, type, [format], **params)
     output = chariot.credentials.format_output(result)
     click.echo(output)
+
+
+@get.command()
+@cli_handler
+@click.argument('key', required=True)
+def scanner(chariot, key):
+    """ Get scanner details
+
+    \b
+    Argument:
+        - KEY: the key of an existing scanner record
+
+    \b
+    Example usage:
+        - praetorian chariot get scanner "#scanner#127.0.0.1"
+    """
+    print_json(chariot.scanners.get(key))

praetorian_cli/handlers/list.py

@@ -64,6 +64,22 @@ def accounts(chariot, filter, details, offset, page):
     render_list_results(chariot.accounts.list(filter, offset, pagination_size(page)), details)
 
 
+@list.command()
+@list_params('Aegis ID', has_filter=False)
+def aegis(chariot, details, offset, page):
+    """ List Aegis
+
+    Retrieve and display a list of Aegis instances.
+
+    \b
+    Example usages:
+        - praetorian chariot list aegis
+        - praetorian chariot list aegis --details
+        - praetorian chariot list aegis --page all
+    """
+    render_list_results(chariot.aegis.list(offset, pagination_size(page)), details)
+
+
 @list.command()
 @list_params('integration name')
 def integrations(chariot, filter, details, offset, page):
@@ -336,3 +352,20 @@ def capabilities(chariot, name, target, executor):
         - praetorian chariot list capabilities --name nuclei --target attribute --executor chariot
     """
     print_json(chariot.capabilities.list(name, target, executor))
+
+
+@list.command()
+@list_params('IP address')
+def scanners(chariot, filter, details, offset, page):
+    """ List scanners
+
+    Retrieve and display a list of scanner records that track IP addresses used by chariot.
+
+    \b
+    Example usages:
+        - praetorian chariot list scanners
+        - praetorian chariot list scanners --filter 127.0.0.1
+        - praetorian chariot list scanners --details
+        - praetorian chariot list scanners --page all
+    """
+    render_list_results(chariot.scanners.list(filter, offset, pagination_size(page)), details)

praetorian_cli/handlers/ssh_utils.py

@@ -0,0 +1,154 @@
+"""
+Shared SSH utilities for Aegis CLI and TUI commands
+"""
+
+from typing import List, Dict, Optional
+from praetorian_cli.sdk.model.aegis import Agent
+
+
+class SSHArgumentParser:
+    """Shared SSH argument parser for both CLI and TUI interfaces"""
+    
+    def __init__(self, console=None):
+        self.console = console
+    
+    def parse_ssh_args(self, args: List[str]) -> Optional[Dict]:
+        """
+        Parse SSH command arguments and return options dict
+        Returns None if parsing fails with error messages displayed
+        """
+        options = {
+            'local_forward': [],
+            'remote_forward': [],
+            'dynamic_forward': None,
+            'key': None,
+            'ssh_opts': None,
+            'user': None,
+            'passthrough': []  # collect unknown flags to pass through
+        }
+        
+        i = 0
+        while i < len(args):
+            arg = args[i]
+            
+            if arg in ['-L', '-l', '--local-forward']:
+                if i + 1 >= len(args):
+                    self._print_error("Error: -L requires a port forwarding specification")
+                    self._print_error("Example: ssh -L 8080:localhost:80", dim=True)
+                    return None
+                options['local_forward'].append(args[i + 1])
+                i += 2
+                
+            elif arg in ['-R', '-r', '--remote-forward']:
+                if i + 1 >= len(args):
+                    self._print_error("Error: -R requires a port forwarding specification")
+                    self._print_error("Example: ssh -R 9090:localhost:3000", dim=True)
+                    return None
+                options['remote_forward'].append(args[i + 1])
+                i += 2
+                
+            elif arg in ['-D', '-d', '--dynamic-forward']:
+                if i + 1 >= len(args):
+                    self._print_error("Error: -D requires a port number")
+                    self._print_error("Example: ssh -D 1080", dim=True)
+                    return None
+                try:
+                    port = int(args[i + 1])
+                    if port < 1 or port > 65535:
+                        raise ValueError()
+                    options['dynamic_forward'] = str(port)
+                except ValueError:
+                    self._print_error(f"Error: Invalid port number '{args[i + 1]}'")
+                    self._print_error("Port must be a number between 1 and 65535", dim=True)
+                    return None
+                i += 2
+                
+            elif arg in ['-i', '-I', '--key']:
+                if i + 1 >= len(args):
+                    self._print_error("Error: -i requires a key file path")
+                    self._print_error("Example: ssh -i ~/.ssh/my_key", dim=True)
+                    return None
+                options['key'] = args[i + 1]
+                i += 2
+                
+            elif arg in ['-u', '-U', '--user']:
+                if i + 1 >= len(args):
+                    self._print_error("Error: -u requires a username")
+                    self._print_error("Example: ssh -u root", dim=True)
+                    return None
+                options['user'] = args[i + 1]
+                i += 2
+                
+            elif arg.startswith('-'):
+                # Collect unknown options and their arguments if any
+                options['passthrough'].append(arg)
+                # If next token is a value and current looks like expects arg (heuristic), include it
+                if i + 1 < len(args) and not args[i + 1].startswith('-'):
+                    options['passthrough'].append(args[i + 1])
+                    i += 2
+                else:
+                    i += 1
+            else:
+                self._print_error(f"Error: Unexpected argument '{arg}'")
+                return None
+            
+        return options
+    
+    def validate_agent_ssh_availability(self, agent) -> bool:
+        """
+        Check if SSH is available for the given agent
+        Returns True if available, False otherwise with error messages displayed
+        """
+        is_valid, error_msg = validate_agent_for_ssh(agent)
+        if not is_valid:
+            self._print_error(error_msg)
+            return False
+        return True
+    
+    def has_ssh_options(self, options: Dict) -> bool:
+        """Check if any actual SSH options were provided (not just passthrough)"""
+        return bool(
+            options['local_forward'] or 
+            options['remote_forward'] or 
+            options['dynamic_forward'] or
+            options['key'] or
+            options['user']
+        )
+    
+    def _print_error(self, message: str, dim: bool = False):
+        """Print error message using console if available, otherwise plain print"""
+        if self.console:
+            if dim:
+                self.console.print(f"[dim]{message}[/dim]")
+            else:
+                self.console.print(f"[red]{message}[/red]")
+        else:
+            # Fallback for CLI usage
+            print(f"Error: {message}" if not dim else message)
+
+
+def validate_agent_for_ssh(agent: Agent) -> tuple[bool, str]:
+    """
+    Validate if an agent is ready for SSH connections
+    Returns (is_valid, error_message)
+    """
+    if not agent:
+        return False, "No agent specified"
+    
+    client_id = agent.client_id
+    hostname = agent.hostname or 'Unknown'
+    has_tunnel = agent.has_tunnel
+    
+    if not client_id:
+        return False, "Agent missing client_id"
+    
+    # Check if Cloudflare tunnel is available
+    if not has_tunnel:
+        return False, f"SSH not available for {hostname} - no active tunnel"
+    
+    # Check if tunnel has a public hostname
+    public_hostname = agent.health_check.cloudflared_status.hostname if has_tunnel else None
+    if not public_hostname:
+        return False, f"No public hostname found in tunnel configuration for {hostname}"
+    
+    return True, ""

praetorian_cli/handlers/test.py

@@ -1,4 +1,6 @@
 import os
+import sys
+import subprocess
 
 import click
 import pytest
@@ -10,7 +12,7 @@ from praetorian_cli.handlers.cli_decorators import cli_handler
 
 @chariot.command()
 @cli_handler
-@click.option('-s', '--suite', type=click.Choice(['coherence', 'cli']), help='Run a specific test suite')
+@click.option('-s', '--suite', type=click.Choice(['coherence', 'cli', 'tui']), help='Run a specific test suite')
 @click.argument('key', required=False)
 def test(chariot, key, suite):
     """ Run integration test suite """
@@ -21,4 +23,7 @@ def test(chariot, key, suite):
         command.extend(['-k', key])
     if suite:
         command.extend(['-m', suite])
-    pytest.main(command)
+    # Run pytest in a subprocess to isolate from CLI pre-imports
+    args = [sys.executable, '-m', 'pytest'] + command
+    result = subprocess.run(args)
+    raise SystemExit(result.returncode)

praetorian_cli/main.py

@@ -1,6 +1,7 @@
 import click
 
 import praetorian_cli.handlers.add
+import praetorian_cli.handlers.aegis
 import praetorian_cli.handlers.agent
 import praetorian_cli.handlers.delete
 import praetorian_cli.handlers.enrich

praetorian_cli/sdk/chariot.py

@@ -1,6 +1,7 @@
 import json, requests, os
 
 from praetorian_cli.sdk.entities.accounts import Accounts
+from praetorian_cli.sdk.entities.aegis import Aegis
 from praetorian_cli.sdk.entities.agents import Agents
 from praetorian_cli.sdk.entities.assets import Assets
 from praetorian_cli.sdk.entities.attributes import Attributes
@@ -14,6 +15,7 @@ from praetorian_cli.sdk.entities.jobs import Jobs
 from praetorian_cli.sdk.entities.keys import Keys
 from praetorian_cli.sdk.entities.preseeds import Preseeds
 from praetorian_cli.sdk.entities.risks import Risks
+from praetorian_cli.sdk.entities.scanners import Scanners
 from praetorian_cli.sdk.entities.search import Search
 from praetorian_cli.sdk.entities.seeds import Seeds
 from praetorian_cli.sdk.entities.settings import Settings
@@ -39,8 +41,10 @@ class Chariot:
         self.definitions = Definitions(self)
         self.attributes = Attributes(self)
         self.search = Search(self)
+        self.scanners = Scanners(self)
         self.webhook = Webhook(self)
         self.statistics = Statistics(self)
+        self.aegis = Aegis(self)
         self.agents = Agents(self)
         self.settings = Settings(self)
         self.configurations = Configurations(self)
@@ -256,6 +260,69 @@ class Chariot:
         
         server = MCPServer(self, allowable_tools)
         return anyio.run(server.start)
+
+    def get_current_user(self) -> tuple:
+        """
+        Get current user information for Aegis functionality.
+        
+        Returns:
+            tuple: (user_email, username) where user_email is the login email
+                   and username is the SSH username derived from the email
+        """
+        # Try to get username from keychain first (for username/password auth)
+        user_email = self.keychain.username()
+        
+        # If no username in keychain (API key auth), try to get it from JWT token
+        if not user_email and self.keychain.has_api_key():
+            token = self.keychain.token()
+            payload = decode_jwt_payload(token)
+            if payload:
+                # Extract email from the 'email' field in the JWT payload
+                user_email = payload.get('email')
+            else:
+                # If JWT decoding fails, fall back to the account parameter
+                raise Exception("Failed to decode JWT token")
+        
+        # Extract username from email (part before @) for SSH access
+        username = user_email.split('@')[0] if user_email and '@' in user_email else user_email
+        return user_email, username
+
+
+def decode_jwt_payload(token: str) -> dict | None:
+    """
+    Decode the payload from a JWT token.
+    
+    Args:
+        token: JWT token string in format header.payload.signature
+        
+    Returns:
+        dict: Decoded payload contents, or None if decoding fails
+        
+    Example:
+        >>> token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20ifQ.signature"
+        >>> payload = decode_jwt_payload(token)
+        >>> print(payload.get('email'))
+        user@example.com
+    """
+    try:
+        import json
+        import base64
+        
+        # JWT tokens have 3 parts: header.payload.signature
+        parts = token.split('.')
+        if len(parts) != 3:
+            return None
+            
+        payload_part = parts[1]
+        # Add padding if needed for base64 decoding
+        payload_part += '=' * (4 - len(payload_part) % 4)
+        payload = json.loads(base64.b64decode(payload_part))
+        
+        return payload
+    except Exception:
+        return None
+
+
 def is_query_limit_failure(response: requests.Response) -> bool:
     return response.status_code == 413 and 'reduce page size' in response.text