souleyez 2.43.29__py3-none-any.whl → 2.43.34__py3-none-any.whl

souleyez/auth/engagement_access.py

@@ -6,6 +6,7 @@ Permission levels:
 - editor: Can run scans, add findings, but can't delete engagement
 - viewer: Read-only access to engagement data
 """
+
 import sqlite3
 from enum import Enum
 from typing import Optional, List, Dict, Any
@@ -17,6 +18,7 @@ from souleyez.auth import get_current_user, Role
 
 class EngagementPermission(Enum):
     """Permission levels for engagement access."""
+
     OWNER = "owner"
     EDITOR = "editor"
     VIEWER = "viewer"
@@ -25,6 +27,7 @@ class EngagementPermission(Enum):
 @dataclass
 class EngagementAccess:
     """Represents a user's access to an engagement."""
+
     engagement_id: int
     user_id: str
     permission_level: EngagementPermission
@@ -48,9 +51,7 @@ class EngagementAccessManager:
     # =========================================================================
 
     def get_user_permission(
-        self,
-        engagement_id: int,
-        user_id: str
+        self, engagement_id: int, user_id: str
     ) -> Optional[EngagementPermission]:
         """
         Get user's permission level for an engagement.
@@ -61,23 +62,22 @@ class EngagementAccessManager:
 
         # First check if user is the owner
         row = conn.execute(
-            "SELECT owner_id FROM engagements WHERE id = ?",
-            (engagement_id,)
+            "SELECT owner_id FROM engagements WHERE id = ?", (engagement_id,)
         ).fetchone()
 
-        if row and row['owner_id'] == user_id:
+        if row and row["owner_id"] == user_id:
             conn.close()
             return EngagementPermission.OWNER
 
         # Check engagement_permissions table
         row = conn.execute(
             "SELECT permission_level FROM engagement_permissions WHERE engagement_id = ? AND user_id = ?",
-            (engagement_id, user_id)
+            (engagement_id, user_id),
         ).fetchone()
         conn.close()
 
         if row:
-            return EngagementPermission(row['permission_level'])
+            return EngagementPermission(row["permission_level"])
 
         return None
 
@@ -105,7 +105,9 @@ class EngagementAccessManager:
         perm = self.get_user_permission(engagement_id, user_id)
         return perm == EngagementPermission.OWNER
 
-    def can_manage_team(self, engagement_id: int, user_id: str, user_role: Role) -> bool:
+    def can_manage_team(
+        self, engagement_id: int, user_id: str, user_role: Role
+    ) -> bool:
         """Check if user can add/remove team members (owner only, or admin)."""
         if user_role == Role.ADMIN:
             return True
@@ -117,7 +119,9 @@ class EngagementAccessManager:
     # Engagement Queries (Filtered by Access)
     # =========================================================================
 
-    def get_accessible_engagements(self, user_id: str, user_role: Role) -> List[Dict[str, Any]]:
+    def get_accessible_engagements(
+        self, user_id: str, user_role: Role
+    ) -> List[Dict[str, Any]]:
         """
         Get all engagements the user can access.
 
@@ -127,14 +131,17 @@ class EngagementAccessManager:
 
         if user_role == Role.ADMIN:
             # Admins see everything
-            rows = conn.execute("""
+            rows = conn.execute(
+                """
                 SELECT e.*, 'admin' as permission_level
                 FROM engagements e
                 ORDER BY e.created_at DESC
-            """).fetchall()
+            """
+            ).fetchall()
         else:
             # Non-admins see owned + shared engagements
-            rows = conn.execute("""
+            rows = conn.execute(
+                """
                 SELECT e.*,
                     CASE
                         WHEN e.owner_id = ? THEN 'owner'
@@ -147,7 +154,9 @@ class EngagementAccessManager:
                    OR ep.user_id = ?
                    OR e.owner_id IS NULL
                 ORDER BY e.created_at DESC
-            """, (user_id, user_id, user_id, user_id)).fetchall()
+            """,
+                (user_id, user_id, user_id, user_id),
+            ).fetchall()
 
         conn.close()
         return [dict(row) for row in rows]
@@ -161,7 +170,7 @@ class EngagementAccessManager:
         engagement_id: int,
         user_id: str,
         permission_level: EngagementPermission,
-        granted_by: str
+        granted_by: str,
     ) -> tuple[bool, str]:
         """
         Add a user to an engagement's team.
@@ -174,45 +183,43 @@ class EngagementAccessManager:
 
         try:
             conn = self._get_conn()
-            conn.execute("""
+            conn.execute(
+                """
                 INSERT OR REPLACE INTO engagement_permissions
                 (engagement_id, user_id, permission_level, granted_by, granted_at)
                 VALUES (?, ?, ?, ?, ?)
-            """, (
-                engagement_id,
-                user_id,
-                permission_level.value,
-                granted_by,
-                datetime.now().isoformat()
-            ))
+            """,
+                (
+                    engagement_id,
+                    user_id,
+                    permission_level.value,
+                    granted_by,
+                    datetime.now().isoformat(),
+                ),
+            )
             conn.commit()
             conn.close()
             return True, ""
         except Exception as e:
             return False, str(e)
 
-    def remove_team_member(
-        self,
-        engagement_id: int,
-        user_id: str
-    ) -> tuple[bool, str]:
+    def remove_team_member(self, engagement_id: int, user_id: str) -> tuple[bool, str]:
         """Remove a user from an engagement's team."""
         try:
             conn = self._get_conn()
 
             # Can't remove the owner via this method
             row = conn.execute(
-                "SELECT owner_id FROM engagements WHERE id = ?",
-                (engagement_id,)
+                "SELECT owner_id FROM engagements WHERE id = ?", (engagement_id,)
             ).fetchone()
 
-            if row and row['owner_id'] == user_id:
+            if row and row["owner_id"] == user_id:
                 conn.close()
                 return False, "Cannot remove the owner. Transfer ownership first."
 
             result = conn.execute(
                 "DELETE FROM engagement_permissions WHERE engagement_id = ? AND user_id = ?",
-                (engagement_id, user_id)
+                (engagement_id, user_id),
             )
             conn.commit()
             conn.close()
@@ -229,23 +236,29 @@ class EngagementAccessManager:
         conn = self._get_conn()
 
         # Get owner
-        owner_row = conn.execute("""
+        owner_row = conn.execute(
+            """
             SELECT u.id, u.username, u.email, 'owner' as permission_level,
                    e.created_at as granted_at, NULL as granted_by
             FROM engagements e
             JOIN users u ON e.owner_id = u.id
             WHERE e.id = ?
-        """, (engagement_id,)).fetchone()
+        """,
+            (engagement_id,),
+        ).fetchone()
 
         # Get other team members
-        member_rows = conn.execute("""
+        member_rows = conn.execute(
+            """
             SELECT u.id, u.username, u.email, ep.permission_level,
                    ep.granted_at, ep.granted_by
             FROM engagement_permissions ep
             JOIN users u ON ep.user_id = u.id
             WHERE ep.engagement_id = ?
             ORDER BY ep.granted_at
-        """, (engagement_id,)).fetchall()
+        """,
+            (engagement_id,),
+        ).fetchall()
 
         conn.close()
 
@@ -257,10 +270,7 @@ class EngagementAccessManager:
         return members
 
     def transfer_ownership(
-        self,
-        engagement_id: int,
-        new_owner_id: str,
-        transferred_by: str
+        self, engagement_id: int, new_owner_id: str, transferred_by: str
     ) -> tuple[bool, str]:
         """Transfer engagement ownership to another user."""
         try:
@@ -268,35 +278,42 @@ class EngagementAccessManager:
 
             # Get current owner
             row = conn.execute(
-                "SELECT owner_id FROM engagements WHERE id = ?",
-                (engagement_id,)
+                "SELECT owner_id FROM engagements WHERE id = ?", (engagement_id,)
             ).fetchone()
 
             if not row:
                 conn.close()
                 return False, "Engagement not found"
 
-            old_owner_id = row['owner_id']
+            old_owner_id = row["owner_id"]
 
             # Update owner
             conn.execute(
                 "UPDATE engagements SET owner_id = ? WHERE id = ?",
-                (new_owner_id, engagement_id)
+                (new_owner_id, engagement_id),
             )
 
             # Remove new owner from permissions table (they're now owner)
             conn.execute(
                 "DELETE FROM engagement_permissions WHERE engagement_id = ? AND user_id = ?",
-                (engagement_id, new_owner_id)
+                (engagement_id, new_owner_id),
             )
 
             # Add old owner as editor (so they don't lose access)
             if old_owner_id:
-                conn.execute("""
+                conn.execute(
+                    """
                     INSERT OR REPLACE INTO engagement_permissions
                     (engagement_id, user_id, permission_level, granted_by, granted_at)
                     VALUES (?, ?, 'editor', ?, ?)
-                """, (engagement_id, old_owner_id, transferred_by, datetime.now().isoformat()))
+                """,
+                    (
+                        engagement_id,
+                        old_owner_id,
+                        transferred_by,
+                        datetime.now().isoformat(),
+                    ),
+                )
 
             conn.commit()
             conn.close()
@@ -318,7 +335,7 @@ class EngagementAccessManager:
         conn = self._get_conn()
         result = conn.execute(
             "UPDATE engagements SET owner_id = ? WHERE owner_id IS NULL",
-            (admin_user_id,)
+            (admin_user_id,),
         )
         conn.commit()
         count = result.rowcount

souleyez/auth/permissions.py

@@ -4,6 +4,7 @@ souleyez.auth.permissions - Role-based access control definitions
 Roles: Admin, Lead, Analyst, Viewer
 Tiers: FREE, PRO (for licensing)
 """
+
 from enum import Enum, auto
 from typing import Set, Optional
 from functools import wraps
@@ -11,6 +12,7 @@ from functools import wraps
 
 class Role(Enum):
     """User roles with hierarchical permissions."""
+
     ADMIN = "admin"
     LEAD = "lead"
     ANALYST = "analyst"
@@ -19,12 +21,14 @@ class Role(Enum):
 
 class Tier(Enum):
     """Licensing tiers."""
+
     FREE = "FREE"
     PRO = "PRO"
 
 
 class Permission(Enum):
     """Individual permissions that can be checked."""
+
     # User management
     USER_CREATE = auto()
     USER_UPDATE = auto()
@@ -86,7 +90,6 @@ class Permission(Enum):
 # Role -> Permissions mapping
 ROLE_PERMISSIONS: dict[Role, Set[Permission]] = {
     Role.ADMIN: set(Permission),  # All permissions
-
     Role.LEAD: {
         Permission.ENGAGEMENT_CREATE,
         Permission.ENGAGEMENT_UPDATE,
@@ -116,7 +119,6 @@ ROLE_PERMISSIONS: dict[Role, Set[Permission]] = {
         Permission.AUDIT_VIEW,
         Permission.USER_LIST,
     },
-
     Role.ANALYST: {
         Permission.ENGAGEMENT_VIEW,
         Permission.SCAN_RUN,
@@ -136,7 +138,6 @@ ROLE_PERMISSIONS: dict[Role, Set[Permission]] = {
         Permission.AUTOMATION_MANAGE,
         Permission.MSF_INTEGRATION,
     },
-
     Role.VIEWER: {
         Permission.ENGAGEMENT_VIEW,
         Permission.FINDING_VIEW,
@@ -195,11 +196,13 @@ class PermissionChecker:
 
 def requires_permission(permission: Permission):
     """Decorator to require a permission for a function."""
+
     def decorator(func):
         @wraps(func)
         def wrapper(*args, **kwargs):
             # Get current user from context (implementation depends on how session is managed)
             from souleyez.auth import get_current_user
+
             user = get_current_user()
 
             if user is None:
@@ -212,15 +215,19 @@ def requires_permission(permission: Permission):
                 raise PermissionError(f"Permission denied: {permission.name}")
 
             return func(*args, **kwargs)
+
         return wrapper
+
     return decorator
 
 
 def requires_pro(func):
     """Decorator to require Pro tier for a function."""
+
     @wraps(func)
     def wrapper(*args, **kwargs):
         from souleyez.auth import get_current_user
+
         user = get_current_user()
 
         if user is None:
@@ -230,6 +237,7 @@ def requires_pro(func):
             raise PermissionError("Pro license required")
 
         return func(*args, **kwargs)
+
     return wrapper
 
 
@@ -241,6 +249,7 @@ def requires_role(min_role: Role):
         @wraps(func)
         def wrapper(*args, **kwargs):
             from souleyez.auth import get_current_user
+
             user = get_current_user()
 
             if user is None:
@@ -253,5 +262,7 @@ def requires_role(min_role: Role):
                 raise PermissionError(f"Requires {min_role.value} role or higher")
 
             return func(*args, **kwargs)
+
         return wrapper
+
     return decorator

souleyez/auth/session_manager.py

@@ -6,6 +6,7 @@ Handles:
 - Session storage and cleanup
 - Current user context
 """
+
 import sqlite3
 import secrets
 import hashlib
@@ -28,6 +29,7 @@ SESSION_FILE_NAME = "session.json"
 @dataclass
 class Session:
     """Active user session."""
+
     id: str
     user_id: str
     token: str  # Only available at creation time
@@ -78,7 +80,7 @@ class SessionManager:
         ip_address: Optional[str] = None,
         user_agent: Optional[str] = None,
         duration_hours: int = DEFAULT_SESSION_HOURS,
-        vault_unlocked_at: Optional[datetime] = None
+        vault_unlocked_at: Optional[datetime] = None,
     ) -> Session:
         """
         Create a new session for a user.
@@ -101,18 +103,21 @@ class SessionManager:
         expires_at = now + timedelta(hours=duration_hours)
 
         conn = self._get_conn()
-        conn.execute("""
+        conn.execute(
+            """
             INSERT INTO sessions (id, user_id, token_hash, expires_at, created_at, ip_address, user_agent)
             VALUES (?, ?, ?, ?, ?, ?, ?)
-        """, (
-            session_id,
-            user.id,
-            token_hash,
-            expires_at.isoformat(),
-            now.isoformat(),
-            ip_address,
-            user_agent
-        ))
+        """,
+            (
+                session_id,
+                user.id,
+                token_hash,
+                expires_at.isoformat(),
+                now.isoformat(),
+                ip_address,
+                user_agent,
+            ),
+        )
         conn.commit()
         conn.close()
 
@@ -124,7 +129,7 @@ class SessionManager:
             created_at=now,
             ip_address=ip_address,
             user_agent=user_agent,
-            vault_unlocked_at=vault_unlocked_at or now
+            vault_unlocked_at=vault_unlocked_at or now,
         )
 
         # Save session to local file
@@ -142,12 +147,15 @@ class SessionManager:
         token_hash = self._hash_token(token)
 
         conn = self._get_conn()
-        row = conn.execute("""
+        row = conn.execute(
+            """
             SELECT s.*, u.*
             FROM sessions s
             JOIN users u ON s.user_id = u.id
             WHERE s.token_hash = ? AND s.expires_at > ?
-        """, (token_hash, datetime.now().isoformat())).fetchone()
+        """,
+            (token_hash, datetime.now().isoformat()),
+        ).fetchone()
         conn.close()
 
         if row is None:
@@ -155,7 +163,7 @@ class SessionManager:
 
         # Build user from row
         user_manager = UserManager(self.db_path)
-        return user_manager.get_user_by_id(row['user_id'])
+        return user_manager.get_user_by_id(row["user_id"])
 
     def invalidate_session(self, session_id: str) -> bool:
         """Invalidate (logout) a specific session."""
@@ -187,8 +195,7 @@ class SessionManager:
         """Remove all expired sessions from the database."""
         conn = self._get_conn()
         result = conn.execute(
-            "DELETE FROM sessions WHERE expires_at < ?",
-            (datetime.now().isoformat(),)
+            "DELETE FROM sessions WHERE expires_at < ?", (datetime.now().isoformat(),)
         )
         conn.commit()
         count = result.rowcount
@@ -202,63 +209,70 @@ class SessionManager:
     def is_vault_session_valid(self) -> bool:
         """
         Check if vault unlock is still valid (30 min inactivity).
-        
+
         Returns:
             True if vault session is still valid
         """
-        if self._current_session is None or self._current_session.vault_unlocked_at is None:
+        if (
+            self._current_session is None
+            or self._current_session.vault_unlocked_at is None
+        ):
             return False
-        
+
         elapsed = datetime.now() - self._current_session.vault_unlocked_at
         return elapsed < timedelta(minutes=self._vault_timeout_minutes)
 
     def require_full_reauth(self) -> bool:
         """
         Check if both layers need re-authentication.
-        
+
         Returns:
             True if full re-auth (vault + user) is required
         """
         if self._current_session is None:
             return True
-        
+
         # Check if vault session has timed out
         if not self.is_vault_session_valid():
             return True
-        
+
         # Check if user session has expired
         if datetime.now() >= self._current_session.expires_at:
             return True
-        
+
         return False
 
     def apply_cross_layer_delay(self, vault_failures: int):
         """
         Apply delay based on vault failures before allowing user login.
-        
+
         Args:
             vault_failures: Number of recent vault unlock failures
         """
         import time
         import click
-        
+
         if vault_failures >= 2:
             delay = 30 * (vault_failures - 1)  # 30s for 2, 60s for 3+
-            
+
             # Avoid re-applying same delay multiple times
             if self._cross_layer_delay_applied_at:
-                since_last = (datetime.now() - self._cross_layer_delay_applied_at).total_seconds()
+                since_last = (
+                    datetime.now() - self._cross_layer_delay_applied_at
+                ).total_seconds()
                 if since_last < delay:
                     return
-            
-            click.echo(f"\n⚠️  Security delay: {delay} seconds (vault failures detected)")
-            
+
+            click.echo(
+                f"\n⚠️  Security delay: {delay} seconds (vault failures detected)"
+            )
+
             # Show countdown
             for remaining in range(delay, 0, -1):
                 click.echo(f"\r   Continuing in {remaining}s...  ", nl=False)
                 time.sleep(1)
             click.echo("\r   Continuing...              ")
-            
+
             self._cross_layer_delay_applied_at = datetime.now()
 
     def _save_session_to_file(self, session: Session):
@@ -270,7 +284,11 @@ class SessionManager:
             "token": session.token,
             "expires_at": session.expires_at.isoformat(),
             "user_id": session.user_id,
-            "vault_unlocked_at": session.vault_unlocked_at.isoformat() if session.vault_unlocked_at else None
+            "vault_unlocked_at": (
+                session.vault_unlocked_at.isoformat()
+                if session.vault_unlocked_at
+                else None
+            ),
         }
 
         self.session_file.write_text(json.dumps(data, indent=2))
@@ -285,7 +303,7 @@ class SessionManager:
         try:
             data = json.loads(self.session_file.read_text())
             # Check expiration
-            expires_at = datetime.fromisoformat(data['expires_at'])
+            expires_at = datetime.fromisoformat(data["expires_at"])
             if expires_at < datetime.now():
                 self._clear_session_file()
                 return None
@@ -317,7 +335,7 @@ class SessionManager:
         if session_data is None:
             return None
 
-        user = self.validate_token(session_data['token'])
+        user = self.validate_token(session_data["token"])
         if user is None:
             self._clear_session_file()
             return None
@@ -337,9 +355,8 @@ class SessionManager:
         """Log out the current user."""
         session_data = self._load_session_from_file()
         if session_data:
-            self.invalidate_session(session_data['session_id'])
+            self.invalidate_session(session_data["session_id"])
 
         self._clear_session_file()
         self._current_user = None
         return True
-