zen-ai-pentest 2.0.0__py3-none-any.whl

core/secure_config.py

@@ -0,0 +1,328 @@
+"""
+Secure Configuration Management
+Handles API keys with keyring, .env support, and encryption
+"""
+
+import base64
+import json
+import logging
+import os
+from dataclasses import asdict, dataclass
+from functools import lru_cache
+from pathlib import Path
+from typing import Any, Dict, Literal, Optional
+
+try:
+    import keyring
+
+    KEYRING_AVAILABLE = True
+except ImportError:
+    KEYRING_AVAILABLE = False
+
+try:
+    from cryptography.fernet import Fernet
+    from cryptography.hazmat.primitives import hashes
+    from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+
+    CRYPTO_AVAILABLE = True
+except ImportError:
+    CRYPTO_AVAILABLE = False
+
+from dotenv import load_dotenv
+
+logger = logging.getLogger(__name__)
+
+# Service name for keyring
+KEYRING_SERVICE = "zen-ai-pentest"
+ENV_PREFIX = "ZEN_"
+
+
+@dataclass
+class APIKeyConfig:
+    """Configuration for API keys"""
+
+    openrouter_key: Optional[str] = None
+    openai_key: Optional[str] = None
+    anthropic_key: Optional[str] = None
+    github_token: Optional[str] = None
+    shodan_key: Optional[str] = None
+    censys_id: Optional[str] = None
+    censys_secret: Optional[str] = None
+
+    def get_key(self, provider: str) -> Optional[str]:
+        """Get API key for a specific provider"""
+        mapping = {
+            "openrouter": self.openrouter_key,
+            "openai": self.openai_key,
+            "anthropic": self.anthropic_key,
+            "claude": self.anthropic_key,
+            "chatgpt": self.openai_key,
+            "github": self.github_token,
+            "shodan": self.shodan_key,
+            "censys_id": self.censys_id,
+            "censys_secret": self.censys_secret,
+        }
+        return mapping.get(provider.lower())
+
+
+class SecureConfigManager:
+    """
+    Manages configuration securely using:
+    1. Environment variables (highest priority)
+    2. Keyring (system keychain)
+    3. Encrypted config file
+    4. Plain config file (fallback, not recommended)
+    """
+
+    def __init__(self, config_dir: Optional[Path] = None):
+        self.config_dir = config_dir or Path.home() / ".config" / "zen-ai-pentest"
+        self.config_dir.mkdir(parents=True, exist_ok=True)
+
+        self.config_file = self.config_dir / "config.json"
+        self.encrypted_config = self.config_dir / "config.enc"
+
+        # Load .env file if exists
+        env_file = self.config_dir / ".env"
+        if env_file.exists():
+            load_dotenv(env_file)
+        # Also check project root
+        load_dotenv(Path(".env"))
+
+        self._cache: Dict[str, Any] = {}
+
+    def _get_keyring_password(self, key_name: str) -> Optional[str]:
+        """Get password from system keyring"""
+        if not KEYRING_AVAILABLE:
+            return None
+        try:
+            return keyring.get_password(KEYRING_SERVICE, key_name)
+        except Exception as e:
+            logger.debug(f"Keyring error for {key_name}: {e}")
+            return None
+
+    def _set_keyring_password(self, key_name: str, password: str) -> bool:
+        """Store password in system keyring"""
+        if not KEYRING_AVAILABLE:
+            logger.warning("Keyring not available, install with: pip install keyring")
+            return False
+        try:
+            keyring.set_password(KEYRING_SERVICE, key_name, password)
+            return True
+        except Exception as e:
+            logger.error(f"Failed to store {key_name} in keyring: {e}")
+            return False
+
+    def get_api_key(self, provider: str, prefer_keyring: bool = True) -> Optional[str]:
+        """
+        Get API key with priority:
+        1. Environment variable (ZEN_{PROVIDER}_KEY)
+        2. Keyring (if prefer_keyring=True)
+        3. Encrypted config
+        """
+        env_var = f"{ENV_PREFIX}{provider.upper()}_KEY"
+
+        # 1. Check environment variable
+        env_value = os.getenv(env_var) or os.getenv(f"{provider.upper()}_KEY")
+        if env_value:
+            logger.debug(f"Using API key for {provider} from environment")
+            return env_value
+
+        # 2. Check keyring
+        if prefer_keyring and KEYRING_AVAILABLE:
+            keyring_value = self._get_keyring_password(f"{provider}_key")
+            if keyring_value:
+                logger.debug(f"Using API key for {provider} from keyring")
+                return keyring_value
+
+        # 3. Check encrypted config
+        if CRYPTO_AVAILABLE and self.encrypted_config.exists():
+            config = self._load_encrypted_config()
+            if config and provider in config:
+                return config[provider]
+
+        return None
+
+    def set_api_key(
+        self,
+        provider: str,
+        key: str,
+        storage: Literal["keyring", "encrypted", "env"] = "keyring",
+    ) -> bool:
+        """
+        Store API key securely
+
+        Args:
+            provider: Provider name (openai, anthropic, etc.)
+            key: The API key
+            storage: Where to store - keyring, encrypted, or env
+        """
+        if storage == "keyring":
+            return self._set_keyring_password(f"{provider}_key", key)
+
+        elif storage == "encrypted":
+            if not CRYPTO_AVAILABLE:
+                logger.error("cryptography library required for encrypted storage")
+                return False
+            config = self._load_encrypted_config() or {}
+            config[provider] = key
+            return self._save_encrypted_config(config)
+
+        elif storage == "env":
+            env_file = self.config_dir / ".env"
+            env_var = f"{ENV_PREFIX}{provider.upper()}_KEY"
+
+            # Read existing
+            lines = []
+            if env_file.exists():
+                lines = env_file.read_text().splitlines()
+
+            # Update or append
+            updated = False
+            for i, line in enumerate(lines):
+                if line.startswith(f"{env_var}="):
+                    lines[i] = f"{env_var}={key}"
+                    updated = True
+                    break
+
+            if not updated:
+                lines.append(f"{env_var}={key}")
+
+            env_file.write_text("\n".join(lines) + "\n")
+            # Secure permissions
+            os.chmod(env_file, 0o600)
+            return True
+
+        return False
+
+    def _derive_key(self, password: str, salt: bytes) -> bytes:
+        """Derive encryption key from password"""
+        kdf = PBKDF2HMAC(
+            algorithm=hashes.SHA256(),
+            length=32,
+            salt=salt,
+            iterations=480000,
+        )
+        return base64.urlsafe_b64encode(kdf.derive(password.encode()))
+
+    def _load_encrypted_config(self) -> Optional[Dict[str, str]]:
+        """Load and decrypt config file"""
+        if not self.encrypted_config.exists():
+            return None
+
+        try:
+            # Get master password from keyring or prompt
+            master = self._get_keyring_password("master")
+            if not master:
+                return None
+
+            data = self.encrypted_config.read_bytes()
+            salt = data[:16]
+            encrypted = data[16:]
+
+            key = self._derive_key(master, salt)
+            f = Fernet(key)
+            decrypted = f.decrypt(encrypted)
+
+            return json.loads(decrypted)
+        except Exception as e:
+            logger.error(f"Failed to decrypt config: {e}")
+            return None
+
+    def _save_encrypted_config(self, config: Dict[str, str]) -> bool:
+        """Encrypt and save config file"""
+        try:
+            import secrets
+
+            # Get or create master password
+            master = self._get_keyring_password("master")
+            if not master:
+                master = secrets.token_urlsafe(32)
+                self._set_keyring_password("master", master)
+
+            salt = secrets.token_bytes(16)
+            key = self._derive_key(master, salt)
+
+            f = Fernet(key)
+            encrypted = f.encrypt(json.dumps(config).encode())
+
+            self.encrypted_config.write_bytes(salt + encrypted)
+            os.chmod(self.encrypted_config, 0o600)
+            return True
+        except Exception as e:
+            logger.error(f"Failed to encrypt config: {e}")
+            return False
+
+    def list_configured_keys(self) -> list:
+        """List all configured API keys (names only, no values)"""
+        keys = []
+        providers = ["openai", "anthropic", "openrouter", "github", "shodan"]
+
+        for provider in providers:
+            if self.get_api_key(provider):
+                keys.append(provider)
+
+        return keys
+
+    def remove_api_key(self, provider: str) -> bool:
+        """Remove API key from all storage locations"""
+        success = True
+
+        # Remove from keyring
+        if KEYRING_AVAILABLE:
+            try:
+                keyring.delete_password(KEYRING_SERVICE, f"{provider}_key")
+            except:
+                pass
+
+        # Remove from encrypted config
+        if self.encrypted_config.exists():
+            config = self._load_encrypted_config() or {}
+            if provider in config:
+                del config[provider]
+                success = self._save_encrypted_config(config) and success
+
+        return success
+
+
+@lru_cache()
+def get_secure_config() -> SecureConfigManager:
+    """Get singleton instance of SecureConfigManager"""
+    return SecureConfigManager()
+
+
+def migrate_plain_config(config_path: Path) -> bool:
+    """Migrate plain text config to secure storage"""
+    if not config_path.exists():
+        return False
+
+    try:
+        with open(config_path) as f:
+            old_config = json.load(f)
+
+        manager = get_secure_config()
+
+        # Migrate API keys
+        key_mapping = {
+            "openai_key": "openai",
+            "anthropic_key": "anthropic",
+            "openrouter_key": "openrouter",
+            "github_token": "github",
+            "shodan_key": "shodan",
+        }
+
+        for old_key, provider in key_mapping.items():
+            if old_key in old_config and old_config[old_key]:
+                manager.set_api_key(provider, old_config[old_key], storage="keyring")
+
+        # Backup old config
+        backup_path = config_path.with_suffix(".json.backup")
+        config_path.rename(backup_path)
+
+        logger.info(
+            f"Config migrated to secure storage. Old config backed up to {backup_path}"
+        )
+        return True
+
+    except Exception as e:
+        logger.error(f"Migration failed: {e}")
+        return False

core/shield_integration.py

@@ -0,0 +1,296 @@
+"""
+Integration of Zen Shield with ZenOrchestrator
+Adds security layer to LLM interactions
+"""
+
+import logging
+from typing import Any, Dict, Optional
+
+import aiohttp
+
+from zen_shield.sanitizer import ZenSanitizer
+from zen_shield.schemas import SanitizerRequest, SanitizerResponse
+
+logger = logging.getLogger(__name__)
+
+
+class ShieldedOrchestrator:
+    """
+    Wrapper for ZenOrchestrator that adds data sanitization.
+
+    Pipeline:
+    1. Raw tool output -> Zen Shield (local sanitization)
+    2. Clean data -> Big LLM (GPT-4/Claude) for analysis
+    3. Response -> Optional: Normalize through shield
+
+    This ensures:
+    - No secrets leak to cloud LLMs
+    - Reduced token costs (90% noise reduction)
+    - Compliance with data protection policies
+    - Fallback if sanitization fails
+    """
+
+    def __init__(
+        self,
+        bridge_url: str = "http://integration-bridge:8080",
+        shield_url: str = "http://zen-shield:9000",
+        big_llm_api_key: Optional[str] = None,
+        big_llm_provider: str = "openai",
+    ):
+        """
+        Initialize shielded orchestrator
+
+        Args:
+            bridge_url: URL of integration bridge for tools
+            shield_url: URL of Zen Shield sanitizer service
+            big_llm_api_key: API key for big LLM (GPT-4/Claude)
+            big_llm_provider: Provider name
+        """
+        self.bridge_url = bridge_url
+        self.shield_url = shield_url
+        self.big_llm_api_key = big_llm_api_key
+        self.big_llm_provider = big_llm_provider
+
+        self.session: Optional[aiohttp.ClientSession] = None
+
+        # Local sanitizer as fallback
+        self.local_sanitizer: Optional[ZenSanitizer] = None
+
+    async def __aenter__(self):
+        self.session = aiohttp.ClientSession()
+
+        # Try to initialize local sanitizer as backup
+        try:
+            self.local_sanitizer = ZenSanitizer()
+        except Exception as e:
+            logger.warning(f"Could not initialize local sanitizer: {e}")
+
+        return self
+
+    async def __aexit__(self, exc_type, exc_val, exc_tb):
+        if self.session:
+            await self.session.close()
+
+    async def analyze_tool_output(
+        self, raw_output: str, source_tool: str, intent: str = "analyze"
+    ) -> Dict[str, Any]:
+        """
+        Analyze tool output with security sanitization
+
+        Args:
+            raw_output: Raw output from pentesting tool
+            source_tool: Name of tool (nmap, nuclei, etc.)
+            intent: Purpose of analysis
+
+        Returns:
+            Analysis result with metadata
+        """
+        # Step 1: Sanitize through Zen Shield
+        sanitized = await self._sanitize_through_shield(raw_output, source_tool, intent)
+
+        if not sanitized:
+            # Fallback: analyze locally without LLM
+            logger.warning("Sanitization failed, using local analysis")
+            return self._local_analysis(raw_output)
+
+        if not sanitized.safe_to_send:
+            # High risk data - analyze locally
+            logger.warning(
+                f"High risk data detected ({len(sanitized.redactions)} redactions), "
+                "using local analysis"
+            )
+            return self._local_analysis(sanitized.cleaned_data)
+
+        # Step 2: Send to big LLM with sanitized data
+        analysis = await self._analyze_with_big_llm(
+            sanitized.cleaned_data,
+            metadata={
+                "source_tool": source_tool,
+                "redactions_count": len(sanitized.redactions),
+                "compression_ratio": sanitized.compression_ratio,
+                "tokens_saved": sanitized.tokens_saved,
+                "fallback_used": sanitized.fallback_used,
+            },
+        )
+
+        return {
+            "analysis": analysis,
+            "sanitization": {
+                "redactions_count": len(sanitized.redactions),
+                "risk_level": sanitized.risk_level.value,
+                "compression_ratio": sanitized.compression_ratio,
+                "tokens_saved": sanitized.tokens_saved,
+                "fallback_used": sanitized.fallback_used,
+            },
+        }
+
+    async def _sanitize_through_shield(
+        self, raw_data: str, source_tool: str, intent: str
+    ) -> Optional[SanitizerResponse]:
+        """
+        Send data to Zen Shield for sanitization
+        Falls back to local sanitizer if service unavailable
+        """
+        request = SanitizerRequest(
+            raw_data=raw_data, source_tool=source_tool, intent=intent
+        )
+
+        # Try remote shield service first
+        if self.session:
+            try:
+                async with self.session.post(
+                    f"{self.shield_url}/sanitize",
+                    json=request.model_dump(),
+                    timeout=aiohttp.ClientTimeout(total=30),
+                ) as resp:
+                    if resp.status == 200:
+                        result = await resp.json()
+                        return SanitizerResponse(**result)
+            except Exception as e:
+                logger.warning(f"Remote shield unavailable: {e}")
+
+        # Fallback to local sanitizer
+        if self.local_sanitizer:
+            try:
+                return await self.local_sanitizer.process(request)
+            except Exception as e:
+                logger.error(f"Local sanitization failed: {e}")
+
+        return None
+
+    async def _analyze_with_big_llm(
+        self, cleaned_data: str, metadata: Dict[str, Any]
+    ) -> Dict[str, Any]:
+        """
+        Send sanitized data to big LLM for analysis
+        """
+        # This integrates with your existing LLM bridge
+        # For now, returning placeholder
+
+        tool = metadata.get("source_tool", "unknown")
+
+        # Construct prompt for big LLM
+        prompt = f"""Analyze the following {tool} scan output for security issues:
+
+{cleaned_data}
+
+Focus on:
+1. Open ports and services
+2. Potential vulnerabilities
+3. Misconfigurations
+4. Exploitation paths
+
+Be concise and technical."""
+
+        # Here you would call your existing LLM bridge
+        # For now, return structure
+        return {
+            "prompt": prompt,
+            "metadata": metadata,
+            "provider": self.big_llm_provider,
+            "note": "Integrate with your existing LLM bridge here",
+        }
+
+    def _local_analysis(self, data: str) -> Dict[str, Any]:
+        """
+        Local analysis without LLM
+        Used when sanitization fails or risk is too high
+        """
+        # Simple keyword-based analysis
+        findings = []
+
+        # Check for common patterns
+        if "open" in data.lower():
+            findings.append("Open ports detected")
+        if "vuln" in data.lower() or "vulnerable" in data.lower():
+            findings.append("Potential vulnerabilities found")
+        if "error" in data.lower():
+            findings.append("Errors in scan output")
+        if "unauthorized" in data.lower() or "401" in data:
+            findings.append("Authentication may be required")
+
+        return {
+            "analysis": {
+                "findings": findings,
+                "note": "Local analysis (LLM bypassed due to security concerns)",
+            },
+            "sanitization": {"local_only": True, "reason": "security_fallback"},
+        }
+
+    async def comprehensive_scan_with_shield(
+        self, target: str, tools: list[str], use_shield: bool = True
+    ) -> Dict[str, Any]:
+        """
+        Run comprehensive scan with shield protection
+
+        Args:
+            target: Target to scan
+            tools: List of tools to use
+            use_shield: Whether to use sanitization
+        """
+        from modules.tool_orchestrator import ToolOrchestrator
+
+        results = {
+            "target": target,
+            "tools_used": tools,
+            "findings": [],
+            "sanitization_applied": use_shield,
+        }
+
+        async with ToolOrchestrator(self.bridge_url) as orch:
+            for tool in tools:
+                try:
+                    # Run tool scan
+                    scan_result = await self._run_tool(orch, tool, target)
+                    raw_output = scan_result.get("raw_output", "")
+
+                    if use_shield and raw_output:
+                        # Sanitize and analyze
+                        analysis = await self.analyze_tool_output(
+                            raw_output, tool, intent="analyze"
+                        )
+                        results["findings"].append({"tool": tool, "analysis": analysis})
+                    else:
+                        # Raw output without sanitization (not recommended)
+                        results["findings"].append(
+                            {"tool": tool, "raw": raw_output[:1000]}  # Truncate
+                        )
+
+                except Exception as e:
+                    logger.error(f"Tool {tool} failed: {e}")
+                    results["findings"].append({"tool": tool, "error": str(e)})
+
+        return results
+
+    async def _run_tool(self, orchestrator, tool: str, target: str) -> Dict[str, Any]:
+        """Run specific tool through orchestrator"""
+        method_map = {
+            "nmap": orchestrator.scan_with_nmap,
+            "nuclei": orchestrator.scan_with_nuclei,
+            "gobuster": orchestrator.scan_with_gobuster,
+            "amass": orchestrator.enumerate_subdomains,
+        }
+
+        method = method_map.get(tool)
+        if not method:
+            raise ValueError(f"Unknown tool: {tool}")
+
+        # Trigger scan
+        if tool == "amass":
+            result = await method(target, active=False)
+        else:
+            result = await method(target)
+
+        scan_id = result.get("scan_id")
+
+        # Wait for completion
+        status = await orchestrator.wait_for_scan(scan_id)
+
+        # Get results
+        scan_results = await orchestrator.get_scan_results(scan_id)
+
+        return {
+            "scan_id": scan_id,
+            "status": status.get("status"),
+            "raw_output": str(scan_results.get("results", "")),
+        }

modules/__init__.py

@@ -0,0 +1,46 @@
+"""
+Penetration Testing Modules for Zen AI
+"""
+
+from .cve_database import CVEDatabase, CVEEntry, RansomwareEntry
+from .exploit_assist import ExploitAssistModule
+from .nuclei_integration import NucleiIntegration, NucleiTemplateManager
+from .osint import (DomainInfo, EmailProfile, OSINTModule, OSINTResult,
+                    check_email_breach, enumerate_subdomains, harvest_emails)
+from .protonvpn import (ProtonVPNManager, VPNProtocol, VPNSecurityLevel,
+                        VPNServer, VPNStatus, quick_connect, secure_connect)
+from .recon import ReconModule
+from .report_gen import ReportGenerator
+from .sql_injection_db import (DBType, SQLInjectionDatabase, SQLITechnique,
+                               SQLPayload)
+from .vuln_scanner import VulnScannerModule
+
+__all__ = [
+    "ReconModule",
+    "VulnScannerModule",
+    "ExploitAssistModule",
+    "ReportGenerator",
+    "NucleiIntegration",
+    "NucleiTemplateManager",
+    "SQLInjectionDatabase",
+    "SQLPayload",
+    "SQLITechnique",
+    "DBType",
+    "CVEDatabase",
+    "CVEEntry",
+    "RansomwareEntry",
+    "ProtonVPNManager",
+    "VPNProtocol",
+    "VPNSecurityLevel",
+    "VPNStatus",
+    "VPNServer",
+    "quick_connect",
+    "secure_connect",
+    "OSINTModule",
+    "DomainInfo",
+    "EmailProfile",
+    "OSINTResult",
+    "harvest_emails",
+    "enumerate_subdomains",
+    "check_email_breach",
+]