xenfra 0.2.4__py3-none-any.whl → 0.2.6__py3-none-any.whl

xenfra/utils/config.py

@@ -1,20 +1,38 @@
 """
 Configuration file generation utilities.
 """
+
 import os
 import shutil
 from datetime import datetime
 from pathlib import Path
 
+import click
 import yaml
+from rich.console import Console
 from rich.prompt import Confirm, IntPrompt, Prompt
 from xenfra_sdk import CodebaseAnalysisResponse
 
+console = Console()
+
 
 def read_xenfra_yaml(filename: str = "xenfra.yaml") -> dict:
     """
     Read and parse xenfra.yaml configuration file.
 
+    Args:
+        filename: Path to the config file (default: xenfra.yaml)
+
+    Returns:
+        Dictionary containing the configuration
+
+    Raises:
+        FileNotFoundError: If the config file doesn't exist
+        yaml.YAMLError: If the YAML is malformed
+    """
+    """
+    Read and parse xenfra.yaml configuration file.
+
     Args:
         filename: Path to the config file (default: xenfra.yaml)
 
@@ -25,10 +43,17 @@ def read_xenfra_yaml(filename: str = "xenfra.yaml") -> dict:
         FileNotFoundError: If the config file doesn't exist
     """
     if not Path(filename).exists():
-        raise FileNotFoundError(f"Configuration file '{filename}' not found. Run 'xenfra init' first.")
+        raise FileNotFoundError(
+            f"Configuration file '{filename}' not found. Run 'xenfra init' first."
+        )
 
-    with open(filename, 'r') as f:
-        return yaml.safe_load(f) or {}
+    try:
+        with open(filename, "r") as f:
+            return yaml.safe_load(f) or {}
+    except yaml.YAMLError as e:
+        raise ValueError(f"Invalid YAML in {filename}: {e}")
+    except Exception as e:
+        raise IOError(f"Failed to read {filename}: {e}")
 
 
 def generate_xenfra_yaml(analysis: CodebaseAnalysisResponse, filename: str = "xenfra.yaml") -> str:
@@ -44,44 +69,38 @@ def generate_xenfra_yaml(analysis: CodebaseAnalysisResponse, filename: str = "xe
     """
     # Build configuration dictionary
     config = {
-        'name': os.path.basename(os.getcwd()),
-        'framework': analysis.framework,
-        'port': analysis.port,
+        "name": os.path.basename(os.getcwd()),
+        "framework": analysis.framework,
+        "port": analysis.port,
     }
 
     # Add database configuration if detected
-    if analysis.database and analysis.database != 'none':
-        config['database'] = {
-            'type': analysis.database,
-            'env_var': 'DATABASE_URL'
-        }
+    if analysis.database and analysis.database != "none":
+        config["database"] = {"type": analysis.database, "env_var": "DATABASE_URL"}
 
     # Add cache configuration if detected
-    if analysis.cache and analysis.cache != 'none':
-        config['cache'] = {
-            'type': analysis.cache,
-            'env_var': f"{analysis.cache.upper()}_URL"
-        }
+    if analysis.cache and analysis.cache != "none":
+        config["cache"] = {"type": analysis.cache, "env_var": f"{analysis.cache.upper()}_URL"}
 
     # Add worker configuration if detected
     if analysis.workers and len(analysis.workers) > 0:
-        config['workers'] = analysis.workers
+        config["workers"] = analysis.workers
 
     # Add environment variables
     if analysis.env_vars and len(analysis.env_vars) > 0:
-        config['env_vars'] = analysis.env_vars
+        config["env_vars"] = analysis.env_vars
 
     # Add instance size
-    config['instance_size'] = analysis.instance_size
+    config["instance_size"] = analysis.instance_size
 
     # Add package manager info (for intelligent diagnosis)
     if analysis.package_manager:
-        config['package_manager'] = analysis.package_manager
+        config["package_manager"] = analysis.package_manager
     if analysis.dependency_file:
-        config['dependency_file'] = analysis.dependency_file
+        config["dependency_file"] = analysis.dependency_file
 
     # Write to file
-    with open(filename, 'w') as f:
+    with open(filename, "w") as f:
         yaml.dump(config, f, sort_keys=False, default_flow_style=False)
 
     return filename
@@ -116,6 +135,36 @@ def apply_patch(patch: dict, target_file: str = None, create_backup_file: bool =
     """
     Apply a JSON patch to a configuration file with automatic backup.
 
+    Args:
+        patch: Patch object with file, operation, path, value
+        target_file: Optional override for the file to patch
+        create_backup_file: Whether to create a backup before patching (default: True)
+
+    Returns:
+        Path to the backup file if created, None otherwise
+
+    Raises:
+        ValueError: If patch structure is invalid
+        FileNotFoundError: If target file doesn't exist
+        NotImplementedError: If file type is not supported
+    """
+    # Validate patch structure
+    if not isinstance(patch, dict):
+        raise ValueError("Patch must be a dictionary")
+
+    required_fields = ["file", "operation"]
+    for field in required_fields:
+        if field not in patch:
+            raise ValueError(f"Patch missing required field: {field}")
+
+    operation = patch.get("operation")
+    if operation not in ["add", "replace", "remove"]:
+        raise ValueError(
+            f"Invalid patch operation: {operation}. Must be 'add', 'replace', or 'remove'"
+        )
+    """
+    Apply a JSON patch to a configuration file with automatic backup.
+
     Args:
         patch: Patch object with file, operation, path, value
         target_file: Optional override for the file to patch
@@ -124,7 +173,7 @@ def apply_patch(patch: dict, target_file: str = None, create_backup_file: bool =
     Returns:
         Path to the backup file if created, None otherwise
     """
-    file_to_patch = target_file or patch.get('file')
+    file_to_patch = target_file or patch.get("file")
 
     if not file_to_patch:
         raise ValueError("No target file specified in patch")
@@ -138,19 +187,19 @@ def apply_patch(patch: dict, target_file: str = None, create_backup_file: bool =
         backup_path = create_backup(file_to_patch)
 
     # For YAML files
-    if file_to_patch.endswith(('.yaml', '.yml')):
-        with open(file_to_patch, 'r') as f:
+    if file_to_patch.endswith((".yaml", ".yml")):
+        with open(file_to_patch, "r") as f:
             config_data = yaml.safe_load(f) or {}
 
         # Apply patch based on operation
-        operation = patch.get('operation')
-        path = patch.get('path', '').strip('/')
-        value = patch.get('value')
+        operation = patch.get("operation")
+        path = patch.get("path", "").strip("/")
+        value = patch.get("value")
 
-        if operation == 'add':
+        if operation == "add":
             # For simple paths, add to root
             if path:
-                path_parts = path.split('/')
+                path_parts = path.split("/")
                 current = config_data
                 for part in path_parts[:-1]:
                     if part not in current:
@@ -164,9 +213,9 @@ def apply_patch(patch: dict, target_file: str = None, create_backup_file: bool =
                 else:
                     config_data = value
 
-        elif operation == 'replace':
+        elif operation == "replace":
             if path:
-                path_parts = path.split('/')
+                path_parts = path.split("/")
                 current = config_data
                 for part in path_parts[:-1]:
                     current = current[part]
@@ -175,23 +224,66 @@ def apply_patch(patch: dict, target_file: str = None, create_backup_file: bool =
                 config_data = value
 
         # Write back
-        with open(file_to_patch, 'w') as f:
+        with open(file_to_patch, "w") as f:
             yaml.dump(config_data, f, sort_keys=False, default_flow_style=False)
 
+    # For JSON files
+    elif file_to_patch.endswith(".json"):
+        import json
+
+        with open(file_to_patch, "r") as f:
+            config_data = json.load(f)
+
+        operation = patch.get("operation")
+        path = patch.get("path", "").strip("/")
+        value = patch.get("value")
+
+        if operation == "add":
+            if path:
+                path_parts = path.split("/")
+                current = config_data
+                for part in path_parts[:-1]:
+                    if part not in current:
+                        current[part] = {}
+                    current = current[part]
+                current[path_parts[-1]] = value
+            else:
+                if isinstance(value, dict):
+                    config_data.update(value)
+                else:
+                    config_data = value
+
+        elif operation == "replace":
+            if path:
+                path_parts = path.split("/")
+                current = config_data
+                for part in path_parts[:-1]:
+                    current = current[part]
+                current[path_parts[-1]] = value
+            else:
+                config_data = value
+
+        # Write back
+        with open(file_to_patch, "w") as f:
+            json.dump(config_data, f, indent=2)
+
     # For text files (like requirements.txt)
-    elif file_to_patch.endswith('.txt'):
-        operation = patch.get('operation')
-        value = patch.get('value')
+    elif file_to_patch.endswith(".txt"):
+        operation = patch.get("operation")
+        value = patch.get("value")
 
-        if operation == 'add':
+        if operation == "add":
             # Append to file
-            with open(file_to_patch, 'a') as f:
+            with open(file_to_patch, "a") as f:
                 f.write(f"\n{value}\n")
-        elif operation == 'replace':
+        elif operation == "replace":
             # Replace entire file
-            with open(file_to_patch, 'w') as f:
+            with open(file_to_patch, "w") as f:
                 f.write(str(value))
     else:
+        # Design decision: Only support auto-patching for common dependency files
+        # Other file types should be manually edited to avoid data loss
+        # See docs/future-enhancements.md #4 for potential extensions
         raise NotImplementedError(f"Patching not supported for file type: {file_to_patch}")
 
     return backup_path
@@ -211,19 +303,24 @@ def manual_prompt_for_config(filename: str = "xenfra.yaml") -> str:
 
     # Project name (default to directory name)
     default_name = os.path.basename(os.getcwd())
-    config['name'] = Prompt.ask("Project name", default=default_name)
+    config["name"] = Prompt.ask("Project name", default=default_name)
 
     # Framework
     framework = Prompt.ask(
-        "Framework",
-        choices=["fastapi", "flask", "django", "other"],
-        default="fastapi"
+        "Framework", choices=["fastapi", "flask", "django", "other"], default="fastapi"
     )
-    config['framework'] = framework
+    config["framework"] = framework
 
     # Port
     port = IntPrompt.ask("Application port", default=8000)
-    config['port'] = port
+    # Validate port
+    from .validation import validate_port
+
+    is_valid, error_msg = validate_port(port)
+    if not is_valid:
+        console.print(f"[bold red]Invalid port: {error_msg}[/bold red]")
+        raise click.Abort()
+    config["port"] = port
 
     # Database
     use_database = Confirm.ask("Does your app use a database?", default=False)
@@ -231,33 +328,21 @@ def manual_prompt_for_config(filename: str = "xenfra.yaml") -> str:
         db_type = Prompt.ask(
             "Database type",
             choices=["postgresql", "mysql", "sqlite", "mongodb"],
-            default="postgresql"
+            default="postgresql",
         )
-        config['database'] = {
-            'type': db_type,
-            'env_var': 'DATABASE_URL'
-        }
+        config["database"] = {"type": db_type, "env_var": "DATABASE_URL"}
 
     # Cache
     use_cache = Confirm.ask("Does your app use caching?", default=False)
     if use_cache:
-        cache_type = Prompt.ask(
-            "Cache type",
-            choices=["redis", "memcached"],
-            default="redis"
-        )
-        config['cache'] = {
-            'type': cache_type,
-            'env_var': f"{cache_type.upper()}_URL"
-        }
+        cache_type = Prompt.ask("Cache type", choices=["redis", "memcached"], default="redis")
+        config["cache"] = {"type": cache_type, "env_var": f"{cache_type.upper()}_URL"}
 
     # Instance size
     instance_size = Prompt.ask(
-        "Instance size",
-        choices=["basic", "standard", "premium"],
-        default="basic"
+        "Instance size", choices=["basic", "standard", "premium"], default="basic"
     )
-    config['instance_size'] = instance_size
+    config["instance_size"] = instance_size
 
     # Environment variables
     add_env = Confirm.ask("Add environment variables?", default=False)
@@ -269,10 +354,10 @@ def manual_prompt_for_config(filename: str = "xenfra.yaml") -> str:
                 break
             env_vars.append(env_var)
         if env_vars:
-            config['env_vars'] = env_vars
+            config["env_vars"] = env_vars
 
     # Write to file
-    with open(filename, 'w') as f:
+    with open(filename, "w") as f:
         yaml.dump(config, f, sort_keys=False, default_flow_style=False)
 
     return filename

xenfra/utils/security.py

@@ -2,6 +2,7 @@
 Security utilities for Xenfra CLI.
 Implements comprehensive URL validation, domain whitelisting, HTTPS enforcement, and certificate pinning.
 """
+
 import os
 import ssl
 from urllib.parse import urlparse
@@ -14,23 +15,25 @@ from rich.console import Console
 console = Console()
 
 # Production API URL
-PRODUCTION_API_URL = "https://api.xenfra.com"  # TODO: Update with real production URL
+PRODUCTION_API_URL = "https://api.xenfra.tech"
 
 # Allowed domains (whitelist) - Solution 2
 ALLOWED_DOMAINS = [
-    "api.xenfra.com",           # Production
-    "api-staging.xenfra.com",   # Staging
-    "localhost",                 # Local development
-    "127.0.0.1",                # Local development (IP)
+    "api.xenfra.tech",  # Production
+    "api-staging.xenfra.tech",  # Staging
+    "localhost",  # Local development
+    "127.0.0.1",  # Local development (IP)
 ]
 
 # Certificate fingerprints for pinning - Solution 4
 # These should be updated when certificates are rotated
 PINNED_CERTIFICATES = {
-    "api.xenfra.com": {
+    "api.xenfra.tech": {
         # SHA256 fingerprint of the expected certificate
         # Example: "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
-        # To get: openssl s_client -connect api.xenfra.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
+        # To get fingerprint, run:
+        # openssl s_client -connect api.xenfra.tech:443 | openssl x509 -pubkey -noout \
+        # | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
         "fingerprints": [],  # Add actual fingerprints when you have production cert
     }
 }
@@ -47,7 +50,9 @@ class SecurityConfig:
         # Security settings (can be overridden by environment variables)
         self.enforce_https = os.getenv("XENFRA_ENFORCE_HTTPS", "false").lower() == "true"
         self.enforce_whitelist = os.getenv("XENFRA_ENFORCE_WHITELIST", "false").lower() == "true"
-        self.enable_cert_pinning = os.getenv("XENFRA_ENABLE_CERT_PINNING", "false").lower() == "true"
+        self.enable_cert_pinning = (
+            os.getenv("XENFRA_ENABLE_CERT_PINNING", "false").lower() == "true"
+        )
         self.warn_on_http = os.getenv("XENFRA_WARN_ON_HTTP", "true").lower() == "true"
 
         # Auto-enable strict security in production
@@ -88,8 +93,7 @@ def validate_url_format(url: str) -> dict:
         # Check scheme
         if parsed.scheme not in ["http", "https"]:
             raise ValueError(
-                f"Invalid URL scheme '{parsed.scheme}'. "
-                f"Only 'http' and 'https' are allowed."
+                f"Invalid URL scheme '{parsed.scheme}'. " f"Only 'http' and 'https' are allowed."
             )
 
         # Check hostname exists
@@ -108,7 +112,7 @@ def validate_url_format(url: str) -> dict:
             "scheme": parsed.scheme,
             "hostname": parsed.hostname,
             "port": parsed.port,
-            "url": url
+            "url": url,
         }
 
     except Exception as e:
@@ -145,12 +149,8 @@ def check_domain_whitelist(hostname: str) -> bool:
             console.print(
                 f"[yellow]⚠️  Warning: Domain '{hostname}' is not in the official whitelist.[/yellow]"
             )
-            console.print(
-                f"[dim]Whitelisted domains: {', '.join(ALLOWED_DOMAINS)}[/dim]"
-            )
-            console.print(
-                f"[yellow]Are you sure you want to connect to this API?[/yellow]"
-            )
+            console.print(f"[dim]Whitelisted domains: {', '.join(ALLOWED_DOMAINS)}[/dim]")
+            console.print("[yellow]Are you sure you want to connect to this API?[/yellow]")
 
             if not click.confirm("Continue?", default=False):
                 raise click.Abort()
@@ -220,8 +220,8 @@ def create_secure_client(url: str, token: str = None) -> httpx.Client:
         ssl_context.verify_mode = ssl.CERT_REQUIRED
 
         # Note: Full certificate pinning implementation would require custom verification
-        # For now, we use strict certificate validation
-        # TODO: Implement actual fingerprint verification if needed
+        # For now, we use strict certificate validation with system CA bundle
+        # Future enhancement: Certificate fingerprint pinning (see docs/future-enhancements.md #3)
 
         return httpx.Client(
             base_url=url,
@@ -285,7 +285,7 @@ def validate_and_get_api_url(url: str = None) -> str:
         return url
 
     except ValueError as e:
-        console.print(f"[bold red]🔒 Security Validation Failed:[/bold red]")
+        console.print("[bold red]🔒 Security Validation Failed:[/bold red]")
         console.print(f"[red]{e}[/red]")
         raise click.Abort()
 
@@ -297,9 +297,15 @@ def display_security_info():
     table_data = [
         ("Environment", security_config.environment),
         ("HTTPS Enforcement", "✅ Enabled" if security_config.enforce_https else "⚠️  Disabled"),
-        ("Domain Whitelist", "✅ Enforced" if security_config.enforce_whitelist else "⚠️  Warning Only"),
+        (
+            "Domain Whitelist",
+            "✅ Enforced" if security_config.enforce_whitelist else "⚠️  Warning Only",
+        ),
         ("HTTP Warning", "✅ Enabled" if security_config.warn_on_http else "❌ Disabled"),
-        ("Certificate Pinning", "✅ Enabled" if security_config.enable_cert_pinning else "❌ Disabled"),
+        (
+            "Certificate Pinning",
+            "✅ Enabled" if security_config.enable_cert_pinning else "❌ Disabled",
+        ),
     ]
 
     for key, value in table_data:
@@ -346,5 +352,5 @@ XENFRA_API_URL=http://localhost:8000 xenfra login
 XENFRA_API_URL=https://xenfra.mycompany.com XENFRA_ENFORCE_WHITELIST=false xenfra login
 
 # Production (strict):
-XENFRA_ENV=production XENFRA_API_URL=https://api.xenfra.com xenfra login
+XENFRA_ENV=production XENFRA_API_URL=https://api.xenfra.tech xenfra login
 """