souleyez 2.43.28__py3-none-any.whl → 2.43.32__py3-none-any.whl

souleyez/security/scope_validator.py

@@ -20,12 +20,14 @@ logger = get_logger(__name__)
 
 class ScopeViolationError(Exception):
     """Raised when a target is out of scope and enforcement is 'block'."""
+
     pass
 
 
 @dataclass
 class ScopeValidationResult:
     """Result of scope validation check."""
+
     is_in_scope: bool
     matched_entry: Optional[Dict[str, Any]]
     reason: str
@@ -71,15 +73,15 @@ class ScopeValidator:
                    FROM engagement_scope
                    WHERE engagement_id = ?
                    ORDER BY is_excluded ASC, scope_type ASC""",
-                (self.engagement_id,)
+                (self.engagement_id,),
             )
             self._scope_cache = entries
             return entries
         except Exception as e:
-            logger.warning("Failed to get scope entries", extra={
-                "engagement_id": self.engagement_id,
-                "error": str(e)
-            })
+            logger.warning(
+                "Failed to get scope entries",
+                extra={"engagement_id": self.engagement_id, "error": str(e)},
+            )
             return []
 
     def has_scope_defined(self) -> bool:
@@ -91,7 +93,7 @@ class ScopeValidator:
         """
         entries = self.get_scope_entries()
         # Only count inclusion entries (not exclusions)
-        inclusions = [e for e in entries if not e.get('is_excluded')]
+        inclusions = [e for e in entries if not e.get("is_excluded")]
         return len(inclusions) > 0
 
     def get_enforcement_mode(self) -> str:
@@ -107,17 +109,17 @@ class ScopeValidator:
         try:
             result = self.db.execute_one(
                 "SELECT scope_enforcement FROM engagements WHERE id = ?",
-                (self.engagement_id,)
+                (self.engagement_id,),
             )
-            mode = result.get('scope_enforcement', 'off') if result else 'off'
-            self._enforcement_cache = mode or 'off'
+            mode = result.get("scope_enforcement", "off") if result else "off"
+            self._enforcement_cache = mode or "off"
             return self._enforcement_cache
         except Exception as e:
-            logger.warning("Failed to get enforcement mode", extra={
-                "engagement_id": self.engagement_id,
-                "error": str(e)
-            })
-            return 'off'
+            logger.warning(
+                "Failed to get enforcement mode",
+                extra={"engagement_id": self.engagement_id, "error": str(e)},
+            )
+            return "off"
 
     def validate_target(self, target: str) -> ScopeValidationResult:
         """
@@ -128,6 +130,7 @@ class ScopeValidator:
         - IP addresses
         - CIDR ranges
         - Hostnames/domains
+        - Space-separated multiple targets (validates each, all must be in scope)
 
         Args:
             target: The target to validate (IP, URL, hostname, etc.)
@@ -140,18 +143,48 @@ class ScopeValidator:
                 is_in_scope=False,
                 matched_entry=None,
                 reason="Empty target",
-                scope_type=None
+                scope_type=None,
             )
 
         target = target.strip()
 
+        # Handle space-separated multiple targets
+        # Check if this looks like multiple targets (space-separated, not a URL with spaces)
+        if " " in target and not target.startswith(("http://", "https://")):
+            targets = target.split()
+            # Validate each target - all must be in scope
+            for t in targets:
+                result = self._validate_single_target(t)
+                if not result.is_in_scope:
+                    return result  # Return first out-of-scope result
+            # All targets are in scope
+            return ScopeValidationResult(
+                is_in_scope=True,
+                matched_entry=None,
+                reason=f"All {len(targets)} targets are in scope",
+                scope_type=None,
+            )
+
+        return self._validate_single_target(target)
+
+    def _validate_single_target(self, target: str) -> ScopeValidationResult:
+        """
+        Validate a single target against the engagement scope.
+
+        Args:
+            target: Single target to validate (IP, URL, hostname, etc.)
+
+        Returns:
+            ScopeValidationResult with validation outcome
+        """
+
         # If no scope defined, everything is in scope (permissive default)
         if not self.has_scope_defined():
             return ScopeValidationResult(
                 is_in_scope=True,
                 matched_entry=None,
                 reason="No scope defined (permissive)",
-                scope_type=None
+                scope_type=None,
             )
 
         # Determine target type and extract relevant part
@@ -162,26 +195,26 @@ class ScopeValidator:
 
         # First check exclusions (deny rules take precedence)
         for entry in entries:
-            if not entry.get('is_excluded'):
+            if not entry.get("is_excluded"):
                 continue
             if self._matches_entry(normalized, target_type, entry):
                 return ScopeValidationResult(
                     is_in_scope=False,
                     matched_entry=entry,
                     reason=f"Explicitly excluded by scope entry: {entry['value']}",
-                    scope_type=entry['scope_type']
+                    scope_type=entry["scope_type"],
                 )
 
         # Then check inclusions
         for entry in entries:
-            if entry.get('is_excluded'):
+            if entry.get("is_excluded"):
                 continue
             if self._matches_entry(normalized, target_type, entry):
                 return ScopeValidationResult(
                     is_in_scope=True,
                     matched_entry=entry,
                     reason=f"Matched scope entry: {entry['value']}",
-                    scope_type=entry['scope_type']
+                    scope_type=entry["scope_type"],
                 )
 
         # No match found - out of scope
@@ -189,7 +222,7 @@ class ScopeValidator:
             is_in_scope=False,
             matched_entry=None,
             reason=f"Target '{target}' does not match any scope entry",
-            scope_type=None
+            scope_type=None,
         )
 
     def validate_ip(self, ip: str) -> ScopeValidationResult:
@@ -228,8 +261,13 @@ class ScopeValidator:
         """
         return self.validate_target(url)
 
-    def log_validation(self, target: str, result: ScopeValidationResult,
-                       action: str, job_id: int = None) -> None:
+    def log_validation(
+        self,
+        target: str,
+        result: ScopeValidationResult,
+        action: str,
+        job_id: int = None,
+    ) -> None:
         """
         Log a validation result to the audit trail.
 
@@ -241,31 +279,40 @@ class ScopeValidator:
         """
         try:
             from souleyez.auth import get_current_user
+
             user = get_current_user()
             user_id = user.id if user else None
         except Exception:
             user_id = None
 
-        validation_result = 'in_scope' if result.is_in_scope else 'out_of_scope'
+        validation_result = "in_scope" if result.is_in_scope else "out_of_scope"
         if not self.has_scope_defined():
-            validation_result = 'no_scope_defined'
+            validation_result = "no_scope_defined"
 
         try:
-            self.db.insert('scope_validation_log', {
-                'engagement_id': self.engagement_id,
-                'job_id': job_id,
-                'target': target,
-                'validation_result': validation_result,
-                'action_taken': action,
-                'matched_scope_id': result.matched_entry.get('id') if result.matched_entry else None,
-                'user_id': user_id
-            })
+            self.db.insert(
+                "scope_validation_log",
+                {
+                    "engagement_id": self.engagement_id,
+                    "job_id": job_id,
+                    "target": target,
+                    "validation_result": validation_result,
+                    "action_taken": action,
+                    "matched_scope_id": (
+                        result.matched_entry.get("id") if result.matched_entry else None
+                    ),
+                    "user_id": user_id,
+                },
+            )
         except Exception as e:
-            logger.warning("Failed to log scope validation", extra={
-                "engagement_id": self.engagement_id,
-                "target": target,
-                "error": str(e)
-            })
+            logger.warning(
+                "Failed to log scope validation",
+                extra={
+                    "engagement_id": self.engagement_id,
+                    "target": target,
+                    "error": str(e),
+                },
+            )
 
     def _parse_target(self, target: str) -> tuple:
         """
@@ -276,35 +323,37 @@ class ScopeValidator:
             target_type is one of: 'ip', 'cidr', 'domain', 'url'
         """
         # Check if URL
-        if target.startswith(('http://', 'https://')):
+        if target.startswith(("http://", "https://")):
             parsed = urlparse(target)
-            host = parsed.netloc.split(':')[0]  # Remove port
+            host = parsed.netloc.split(":")[0]  # Remove port
             # Check if host part is IP
             try:
                 ipaddress.ip_address(host)
-                return ('ip', host)
+                return ("ip", host)
             except ValueError:
-                return ('domain', host.lower())
+                return ("domain", host.lower())
 
         # Check if IP address
         try:
             ipaddress.ip_address(target)
-            return ('ip', target)
+            return ("ip", target)
         except ValueError:
             pass
 
         # Check if CIDR notation
-        if '/' in target:
+        if "/" in target:
             try:
                 ipaddress.ip_network(target, strict=False)
-                return ('cidr', target)
+                return ("cidr", target)
             except ValueError:
                 pass
 
         # Assume domain/hostname
-        return ('domain', target.lower())
+        return ("domain", target.lower())
 
-    def _matches_entry(self, target: str, target_type: str, entry: Dict[str, Any]) -> bool:
+    def _matches_entry(
+        self, target: str, target_type: str, entry: Dict[str, Any]
+    ) -> bool:
         """
         Check if a target matches a scope entry.
 
@@ -316,46 +365,48 @@ class ScopeValidator:
         Returns:
             True if matches, False otherwise
         """
-        entry_type = entry['scope_type']
-        entry_value = entry['value']
+        entry_type = entry["scope_type"]
+        entry_value = entry["value"]
 
         # IP target
-        if target_type == 'ip':
-            if entry_type == 'cidr':
+        if target_type == "ip":
+            if entry_type == "cidr":
                 return self._ip_in_cidr(target, entry_value)
-            elif entry_type == 'hostname':
+            elif entry_type == "hostname":
                 # Exact IP match
                 return target == entry_value
-            elif entry_type == 'domain':
+            elif entry_type == "domain":
                 # IP doesn't match domain patterns
                 return False
-            elif entry_type == 'url':
+            elif entry_type == "url":
                 # Extract host from URL entry
                 try:
                     parsed = urlparse(entry_value)
-                    return target == parsed.netloc.split(':')[0]
+                    return target == parsed.netloc.split(":")[0]
                 except Exception:
                     return False
 
         # CIDR target (less common - check containment)
-        elif target_type == 'cidr':
-            if entry_type == 'cidr':
+        elif target_type == "cidr":
+            if entry_type == "cidr":
                 return self._cidr_overlaps(target, entry_value)
             return False
 
         # Domain target
-        elif target_type == 'domain':
-            if entry_type == 'domain':
+        elif target_type == "domain":
+            if entry_type == "domain":
                 return self._domain_matches(target, entry_value)
-            elif entry_type == 'hostname':
+            elif entry_type == "hostname":
                 # Exact hostname match
                 return target.lower() == entry_value.lower()
-            elif entry_type == 'url':
+            elif entry_type == "url":
                 # Extract host from URL entry
                 try:
                     parsed = urlparse(entry_value)
-                    entry_host = parsed.netloc.split(':')[0].lower()
-                    return target == entry_host or self._domain_matches(target, entry_host)
+                    entry_host = parsed.netloc.split(":")[0].lower()
+                    return target == entry_host or self._domain_matches(
+                        target, entry_host
+                    )
                 except Exception:
                     return False
             return False
@@ -400,14 +451,14 @@ class ScopeValidator:
         target = target.lower()
 
         # Handle wildcard patterns
-        if pattern.startswith('*.'):
+        if pattern.startswith("*."):
             # Remove the *. prefix for suffix matching
             suffix = pattern[2:]
             # Match exact suffix or .suffix
-            return target == suffix or target.endswith('.' + suffix)
+            return target == suffix or target.endswith("." + suffix)
 
         # Handle wildcards in other positions using fnmatch
-        if '*' in pattern or '?' in pattern:
+        if "*" in pattern or "?" in pattern:
             return fnmatch.fnmatch(target, pattern)
 
         # Exact match
@@ -428,8 +479,14 @@ class ScopeManager:
     def __init__(self):
         self.db = get_db()
 
-    def add_scope(self, engagement_id: int, scope_type: str, value: str,
-                  is_excluded: bool = False, description: str = None) -> int:
+    def add_scope(
+        self,
+        engagement_id: int,
+        scope_type: str,
+        value: str,
+        is_excluded: bool = False,
+        description: str = None,
+    ) -> int:
         """
         Add a scope entry for an engagement.
 
@@ -446,28 +503,34 @@ class ScopeManager:
         Raises:
             ValueError: If scope_type or value is invalid
         """
-        valid_types = ['cidr', 'domain', 'url', 'hostname']
+        valid_types = ["cidr", "domain", "url", "hostname"]
         if scope_type not in valid_types:
-            raise ValueError(f"Invalid scope_type: {scope_type}. Must be one of: {valid_types}")
+            raise ValueError(
+                f"Invalid scope_type: {scope_type}. Must be one of: {valid_types}"
+            )
 
         # Validate the value based on type
         self._validate_scope_value(scope_type, value)
 
         try:
             from souleyez.auth import get_current_user
+
             user = get_current_user()
             added_by = user.id if user else None
         except Exception:
             added_by = None
 
-        return self.db.insert('engagement_scope', {
-            'engagement_id': engagement_id,
-            'scope_type': scope_type,
-            'value': value,
-            'is_excluded': is_excluded,
-            'description': description,
-            'added_by': added_by
-        })
+        return self.db.insert(
+            "engagement_scope",
+            {
+                "engagement_id": engagement_id,
+                "scope_type": scope_type,
+                "value": value,
+                "is_excluded": is_excluded,
+                "description": description,
+                "added_by": added_by,
+            },
+        )
 
     def remove_scope(self, scope_id: int) -> bool:
         """
@@ -480,16 +543,13 @@ class ScopeManager:
             True if removed, False if not found
         """
         try:
-            self.db.execute(
-                "DELETE FROM engagement_scope WHERE id = ?",
-                (scope_id,)
-            )
+            self.db.execute("DELETE FROM engagement_scope WHERE id = ?", (scope_id,))
             return True
         except Exception as e:
-            logger.warning("Failed to remove scope entry", extra={
-                "scope_id": scope_id,
-                "error": str(e)
-            })
+            logger.warning(
+                "Failed to remove scope entry",
+                extra={"scope_id": scope_id, "error": str(e)},
+            )
             return False
 
     def list_scope(self, engagement_id: int) -> List[Dict[str, Any]]:
@@ -507,7 +567,7 @@ class ScopeManager:
                FROM engagement_scope
                WHERE engagement_id = ?
                ORDER BY is_excluded ASC, scope_type ASC, value ASC""",
-            (engagement_id,)
+            (engagement_id,),
         )
 
     def set_enforcement(self, engagement_id: int, mode: str) -> bool:
@@ -524,25 +584,28 @@ class ScopeManager:
         Raises:
             ValueError: If mode is invalid
         """
-        valid_modes = ['off', 'warn', 'block']
+        valid_modes = ["off", "warn", "block"]
         if mode not in valid_modes:
-            raise ValueError(f"Invalid enforcement mode: {mode}. Must be one of: {valid_modes}")
+            raise ValueError(
+                f"Invalid enforcement mode: {mode}. Must be one of: {valid_modes}"
+            )
 
         try:
             self.db.execute(
                 "UPDATE engagements SET scope_enforcement = ? WHERE id = ?",
-                (mode, engagement_id)
+                (mode, engagement_id),
             )
             return True
         except Exception as e:
-            logger.warning("Failed to set enforcement mode", extra={
-                "engagement_id": engagement_id,
-                "mode": mode,
-                "error": str(e)
-            })
+            logger.warning(
+                "Failed to set enforcement mode",
+                extra={"engagement_id": engagement_id, "mode": mode, "error": str(e)},
+            )
             return False
 
-    def get_validation_log(self, engagement_id: int, limit: int = 100) -> List[Dict[str, Any]]:
+    def get_validation_log(
+        self, engagement_id: int, limit: int = 100
+    ) -> List[Dict[str, Any]]:
         """
         Get scope validation log for an engagement.
 
@@ -560,7 +623,7 @@ class ScopeManager:
                WHERE engagement_id = ?
                ORDER BY created_at DESC
                LIMIT ?""",
-            (engagement_id, limit)
+            (engagement_id, limit),
         )
 
     def _validate_scope_value(self, scope_type: str, value: str) -> None:
@@ -575,13 +638,13 @@ class ScopeManager:
 
         value = value.strip()
 
-        if scope_type == 'cidr':
+        if scope_type == "cidr":
             try:
                 ipaddress.ip_network(value, strict=False)
             except ValueError:
                 raise ValueError(f"Invalid CIDR notation: {value}")
 
-        elif scope_type == 'hostname':
+        elif scope_type == "hostname":
             # Basic hostname validation (can be IP or hostname)
             try:
                 ipaddress.ip_address(value)
@@ -589,23 +652,29 @@ class ScopeManager:
                 # Not an IP, validate as hostname
                 if len(value) > 253:
                     raise ValueError("Hostname too long (max 253 characters)")
-                if not re.match(r'^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$', value):
+                if not re.match(
+                    r"^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$",
+                    value,
+                ):
                     raise ValueError(f"Invalid hostname format: {value}")
 
-        elif scope_type == 'domain':
+        elif scope_type == "domain":
             # Allow wildcards like *.example.com
-            if value.startswith('*.'):
+            if value.startswith("*."):
                 domain_part = value[2:]
             else:
                 domain_part = value
 
             if len(domain_part) > 253:
                 raise ValueError("Domain too long (max 253 characters)")
-            if not re.match(r'^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$', domain_part):
+            if not re.match(
+                r"^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$",
+                domain_part,
+            ):
                 raise ValueError(f"Invalid domain format: {value}")
 
-        elif scope_type == 'url':
-            if not value.startswith(('http://', 'https://')):
+        elif scope_type == "url":
+            if not value.startswith(("http://", "https://")):
                 raise ValueError("URL must start with http:// or https://")
             try:
                 parsed = urlparse(value)