vm-tool 1.0.32__py3-none-any.whl

vm_tool/policy.py

@@ -0,0 +1,197 @@
+"""Policy as Code framework for deployment policies."""
+
+import logging
+from typing import Dict, Any, Callable, List, Optional
+from dataclasses import dataclass
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class PolicyViolation:
+    """Policy violation details."""
+
+    policy_name: str
+    message: str
+    severity: str  # "error", "warning", "info"
+
+
+class Policy:
+    """Base policy class."""
+
+    def __init__(self, name: str, description: str):
+        self.name = name
+        self.description = description
+
+    def evaluate(self, context: Dict[str, Any]) -> List[PolicyViolation]:
+        """Evaluate policy against context."""
+        raise NotImplementedError
+
+
+class DeploymentPolicy(Policy):
+    """Policy for deployment validation."""
+
+    def __init__(self, name: str, description: str, rules: List[Callable]):
+        super().__init__(name, description)
+        self.rules = rules
+
+    def evaluate(self, context: Dict[str, Any]) -> List[PolicyViolation]:
+        """Evaluate all rules."""
+        violations = []
+
+        for rule in self.rules:
+            try:
+                violation = rule(context)
+                if violation:
+                    violations.append(violation)
+            except Exception as e:
+                logger.error(f"Policy rule failed: {e}")
+
+        return violations
+
+
+class PolicyEngine:
+    """Policy evaluation engine."""
+
+    def __init__(self):
+        self.policies: List[Policy] = []
+        self._register_default_policies()
+
+    def _register_default_policies(self):
+        """Register default policies."""
+        # Production deployment policy
+        self.add_policy(
+            DeploymentPolicy(
+                name="production_safety",
+                description="Safety checks for production deployments",
+                rules=[
+                    self._require_approval_for_production,
+                    self._require_backup_before_deploy,
+                    self._require_health_checks,
+                ],
+            )
+        )
+
+        # Security policy
+        self.add_policy(
+            DeploymentPolicy(
+                name="security",
+                description="Security requirements",
+                rules=[
+                    self._require_secrets_encryption,
+                    self._no_hardcoded_credentials,
+                ],
+            )
+        )
+
+    def add_policy(self, policy: Policy):
+        """Add a policy."""
+        self.policies.append(policy)
+        logger.info(f"Policy registered: {policy.name}")
+
+    def evaluate_all(self, context: Dict[str, Any]) -> List[PolicyViolation]:
+        """Evaluate all policies."""
+        all_violations = []
+
+        for policy in self.policies:
+            violations = policy.evaluate(context)
+            all_violations.extend(violations)
+
+        return all_violations
+
+    def enforce(self, context: Dict[str, Any]) -> bool:
+        """Enforce policies (fail on errors)."""
+        violations = self.evaluate_all(context)
+
+        errors = [v for v in violations if v.severity == "error"]
+        warnings = [v for v in violations if v.severity == "warning"]
+
+        if warnings:
+            for v in warnings:
+                logger.warning(f"Policy warning [{v.policy_name}]: {v.message}")
+
+        if errors:
+            for v in errors:
+                logger.error(f"Policy violation [{v.policy_name}]: {v.message}")
+            return False
+
+        return True
+
+    # Default policy rules
+    def _require_approval_for_production(
+        self, context: Dict[str, Any]
+    ) -> Optional[PolicyViolation]:
+        """Require manual approval for production."""
+        if context.get("environment") == "production" and not context.get("approved"):
+            return PolicyViolation(
+                policy_name="production_safety",
+                message="Production deployments require manual approval",
+                severity="error",
+            )
+        return None
+
+    def _require_backup_before_deploy(
+        self, context: Dict[str, Any]
+    ) -> Optional[PolicyViolation]:
+        """Require backup before deployment."""
+        if context.get("environment") == "production" and not context.get(
+            "backup_created"
+        ):
+            return PolicyViolation(
+                policy_name="production_safety",
+                message="Backup required before production deployment",
+                severity="warning",
+            )
+        return None
+
+    def _require_health_checks(
+        self, context: Dict[str, Any]
+    ) -> Optional[PolicyViolation]:
+        """Require health checks."""
+        if not context.get("health_checks_enabled"):
+            return PolicyViolation(
+                policy_name="production_safety",
+                message="Health checks must be enabled",
+                severity="warning",
+            )
+        return None
+
+    def _require_secrets_encryption(
+        self, context: Dict[str, Any]
+    ) -> Optional[PolicyViolation]:
+        """Require encrypted secrets."""
+        if context.get("secrets_plaintext"):
+            return PolicyViolation(
+                policy_name="security",
+                message="Secrets must be encrypted",
+                severity="error",
+            )
+        return None
+
+    def _no_hardcoded_credentials(
+        self, context: Dict[str, Any]
+    ) -> Optional[PolicyViolation]:
+        """Check for hardcoded credentials."""
+        compose_content = context.get("compose_file_content", "")
+        if (
+            "password:" in compose_content.lower()
+            or "secret:" in compose_content.lower()
+        ):
+            return PolicyViolation(
+                policy_name="security",
+                message="Possible hardcoded credentials detected",
+                severity="warning",
+            )
+        return None
+
+
+# Global policy engine
+_policy_engine = None
+
+
+def get_policy_engine() -> PolicyEngine:
+    """Get global policy engine instance."""
+    global _policy_engine
+    if _policy_engine is None:
+        _policy_engine = PolicyEngine()
+    return _policy_engine

vm_tool/rbac.py

@@ -0,0 +1,140 @@
+"""Role-Based Access Control (RBAC) system."""
+
+import logging
+from typing import Dict, Set, Optional, List
+from enum import Enum
+from dataclasses import dataclass
+
+logger = logging.getLogger(__name__)
+
+
+class Permission(Enum):
+    """System permissions."""
+
+    DEPLOY = "deploy"
+    ROLLBACK = "rollback"
+    VIEW_HISTORY = "view_history"
+    MANAGE_CONFIG = "manage_config"
+    MANAGE_SECRETS = "manage_secrets"
+    MANAGE_USERS = "manage_users"
+    VIEW_METRICS = "view_metrics"
+    MANAGE_BACKUPS = "manage_backups"
+
+
+class Role(Enum):
+    """Predefined roles."""
+
+    ADMIN = "admin"
+    DEPLOYER = "deployer"
+    VIEWER = "viewer"
+    OPERATOR = "operator"
+
+
+@dataclass
+class User:
+    """User with roles and permissions."""
+
+    username: str
+    roles: Set[Role]
+    custom_permissions: Set[Permission]
+
+
+class RBAC:
+    """Role-Based Access Control manager."""
+
+    # Default role permissions
+    ROLE_PERMISSIONS = {
+        Role.ADMIN: {
+            Permission.DEPLOY,
+            Permission.ROLLBACK,
+            Permission.VIEW_HISTORY,
+            Permission.MANAGE_CONFIG,
+            Permission.MANAGE_SECRETS,
+            Permission.MANAGE_USERS,
+            Permission.VIEW_METRICS,
+            Permission.MANAGE_BACKUPS,
+        },
+        Role.DEPLOYER: {
+            Permission.DEPLOY,
+            Permission.ROLLBACK,
+            Permission.VIEW_HISTORY,
+            Permission.VIEW_METRICS,
+        },
+        Role.OPERATOR: {
+            Permission.DEPLOY,
+            Permission.VIEW_HISTORY,
+            Permission.VIEW_METRICS,
+            Permission.MANAGE_BACKUPS,
+        },
+        Role.VIEWER: {Permission.VIEW_HISTORY, Permission.VIEW_METRICS},
+    }
+
+    def __init__(self):
+        self.users: Dict[str, User] = {}
+
+    def add_user(self, username: str, roles: List[Role]):
+        """Add a user with roles."""
+        self.users[username] = User(
+            username=username, roles=set(roles), custom_permissions=set()
+        )
+        logger.info(f"User added: {username} with roles {[r.value for r in roles]}")
+
+    def grant_permission(self, username: str, permission: Permission):
+        """Grant custom permission to user."""
+        if username in self.users:
+            self.users[username].custom_permissions.add(permission)
+            logger.info(f"Granted {permission.value} to {username}")
+
+    def revoke_permission(self, username: str, permission: Permission):
+        """Revoke custom permission from user."""
+        if username in self.users:
+            self.users[username].custom_permissions.discard(permission)
+            logger.info(f"Revoked {permission.value} from {username}")
+
+    def has_permission(self, username: str, permission: Permission) -> bool:
+        """Check if user has permission."""
+        if username not in self.users:
+            return False
+
+        user = self.users[username]
+
+        # Check custom permissions
+        if permission in user.custom_permissions:
+            return True
+
+        # Check role permissions
+        for role in user.roles:
+            if permission in self.ROLE_PERMISSIONS.get(role, set()):
+                return True
+
+        return False
+
+    def require_permission(self, username: str, permission: Permission):
+        """Require permission or raise exception."""
+        if not self.has_permission(username, permission):
+            from vm_tool.audit import get_audit_logger, AuditEventType
+
+            audit = get_audit_logger()
+            audit.log_event(
+                AuditEventType.PERMISSION_DENIED,
+                user=username,
+                action=permission.value,
+                resource="system",
+                success=False,
+            )
+
+            raise PermissionError(
+                f"User {username} does not have permission: {permission.value}"
+            )
+
+
+# Global RBAC instance
+_rbac = None
+
+
+def get_rbac() -> RBAC:
+    """Get global RBAC instance."""
+    global _rbac
+    if _rbac is None:
+        _rbac = RBAC()
+    return _rbac

vm_tool/recovery.py

@@ -0,0 +1,169 @@
+"""Error recovery mechanisms for failed deployments."""
+
+import logging
+from typing import Optional, Callable, Any
+from enum import Enum
+
+logger = logging.getLogger(__name__)
+
+
+class RecoveryStrategy(Enum):
+    """Error recovery strategies."""
+
+    RETRY = "retry"
+    ROLLBACK = "rollback"
+    SKIP = "skip"
+    FAIL = "fail"
+
+
+class ErrorRecovery:
+    """Automatic error recovery for deployments."""
+
+    def __init__(
+        self,
+        max_retries: int = 3,
+        retry_delay: int = 30,
+        auto_rollback: bool = True,
+    ):
+        self.max_retries = max_retries
+        self.retry_delay = retry_delay
+        self.auto_rollback = auto_rollback
+
+    def execute_with_recovery(
+        self,
+        func: Callable,
+        *args,
+        strategy: RecoveryStrategy = RecoveryStrategy.RETRY,
+        **kwargs,
+    ) -> Any:
+        """Execute function with error recovery.
+
+        Args:
+            func: Function to execute
+            strategy: Recovery strategy to use
+            *args, **kwargs: Arguments to pass to function
+
+        Returns:
+            Function result
+        """
+        if strategy == RecoveryStrategy.RETRY:
+            return self._retry_on_failure(func, *args, **kwargs)
+        elif strategy == RecoveryStrategy.ROLLBACK:
+            return self._rollback_on_failure(func, *args, **kwargs)
+        elif strategy == RecoveryStrategy.SKIP:
+            return self._skip_on_failure(func, *args, **kwargs)
+        else:  # FAIL
+            return func(*args, **kwargs)
+
+    def _retry_on_failure(self, func: Callable, *args, **kwargs) -> Any:
+        """Retry function on failure."""
+        import time
+
+        last_error = None
+
+        for attempt in range(1, self.max_retries + 1):
+            try:
+                logger.info(f"Attempt {attempt}/{self.max_retries}")
+                result = func(*args, **kwargs)
+                logger.info(f"✅ Success on attempt {attempt}")
+                return result
+            except Exception as e:
+                last_error = e
+                logger.warning(f"❌ Attempt {attempt} failed: {e}")
+
+                if attempt < self.max_retries:
+                    logger.info(f"⏳ Retrying in {self.retry_delay}s...")
+                    time.sleep(self.retry_delay)
+
+        logger.error(f"❌ All {self.max_retries} attempts failed")
+        raise last_error
+
+    def _rollback_on_failure(self, func: Callable, *args, **kwargs) -> Any:
+        """Rollback on failure."""
+        try:
+            return func(*args, **kwargs)
+        except Exception as e:
+            logger.error(f"❌ Execution failed: {e}")
+
+            if self.auto_rollback:
+                logger.info("🔄 Initiating automatic rollback...")
+                try:
+                    self._perform_rollback()
+                    logger.info("✅ Rollback successful")
+                except Exception as rollback_error:
+                    logger.error(f"❌ Rollback failed: {rollback_error}")
+
+            raise
+
+    def _skip_on_failure(self, func: Callable, *args, **kwargs) -> Optional[Any]:
+        """Skip on failure (don't raise exception)."""
+        try:
+            return func(*args, **kwargs)
+        except Exception as e:
+            logger.warning(f"⏭️  Skipping due to error: {e}")
+            return None
+
+    def _perform_rollback(self):
+        """Perform rollback to previous state."""
+        from vm_tool.history import DeploymentHistory
+
+        history = DeploymentHistory()
+        previous = history.get_previous_deployment()
+
+        if previous:
+            logger.info(f"   Rolling back to deployment: {previous['id']}")
+            # TODO: Implement actual rollback
+        else:
+            logger.warning("   No previous deployment found for rollback")
+
+
+class CircuitBreaker:
+    """Circuit breaker pattern for deployment failures."""
+
+    def __init__(
+        self,
+        failure_threshold: int = 5,
+        recovery_timeout: int = 300,
+    ):
+        self.failure_threshold = failure_threshold
+        self.recovery_timeout = recovery_timeout
+        self.failure_count = 0
+        self.last_failure_time = 0
+        self.state = "closed"  # closed, open, half-open
+
+    def call(self, func: Callable, *args, **kwargs) -> Any:
+        """Call function through circuit breaker."""
+        import time
+
+        # Check if circuit should recover
+        if self.state == "open":
+            if time.time() - self.last_failure_time > self.recovery_timeout:
+                logger.info("🔄 Circuit breaker entering half-open state")
+                self.state = "half-open"
+            else:
+                raise Exception("Circuit breaker is OPEN - too many recent failures")
+
+        try:
+            result = func(*args, **kwargs)
+
+            # Success - reset or close circuit
+            if self.state == "half-open":
+                logger.info("✅ Circuit breaker closing - recovery successful")
+                self.state = "closed"
+                self.failure_count = 0
+
+            return result
+
+        except Exception as e:
+            self.failure_count += 1
+            self.last_failure_time = time.time()
+
+            logger.warning(
+                f"Circuit breaker failure {self.failure_count}/{self.failure_threshold}"
+            )
+
+            if self.failure_count >= self.failure_threshold:
+                logger.error("❌ Circuit breaker OPEN - failure threshold reached")
+                self.state = "open"
+
+            raise