comply-cli 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: fcf980a7d9d589a6a1cfe1da71914a000bbe0449847e87ea3045eb0712322d8e
+  data.tar.gz: f2842dbe4f9e4e2d2396a3b8ac6c14a722c09d48d6ad7240b6ef8bcd73b1c5e6
+SHA512:
+  metadata.gz: f78cb51dd7da44ad62c11d12e7465e06f8f4c3510be00851ce6e860647f4c33fa8c769adf70c6e18f39416f45b207e86b7b359c1a60386ffdb172da2841edd30
+  data.tar.gz: 2adb450ccc5370b987d933721d3b2c82dd734e1dfe71cbef8a4349cc06a5b800c6eca041516e38c3612558f00da603c12aff69735453aaeac0443af0848ff164

data/.github/CODEOWNERS

@@ -0,0 +1 @@
+*   @wongal5

data/.gitignore

@@ -0,0 +1,20 @@
+*.gem
+*.rbc
+*.dump
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+/.idea
+

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

data/.travis.yml

@@ -0,0 +1,9 @@
+sudo: false
+
+rvm:
+  - "2.5"
+
+script:
+  - bundle exec rake
+  - bundle exec script/sync-readme-usage
+  - git diff --exit-code

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in aptible-cli.gemspec
+gemspec

data/LICENSE.md

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Aptible, Inc.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,54 @@
+# Comply CLI
+
+Command-line interface for Aptible Comply.
+
+## Installation
+
+_Note: while this gem is in development, it is (a) private, and (b) built against API endpoints that are still in development. As a result, the instructions here are both temporary (subject to change) and more complicated than they will eventually be._
+
+1. Clone this repo: `git clone git@github.com:aptible/comply-cli.git`
+2. From the repo directory, install the gem:
+
+        pushd comply-cli/
+        bundle install
+        bundle exec rake install
+        popd
+
+When using the gem, you will need to configure it to point at a version of the Comply CLI that supports the endpoints required by the CLI. At this moment, the "comply-api-cli" app in the "aptible-staging" environment on Deploy is the deployment kept mos up to date. To use this app with comply-cli, set `APTIBLE_AUTH_ROOT_URL` and `APTIBLE_COMPLY_ROOT_URL` each time you open a new shell (terminal) to use the CLI:
+
+```
+export APTIBLE_AUTH_ROOT_URL=https://auth-api-master.aptible-staging.com APTIBLE_COMPLY_ROOT_URL=https://comply-api-cli.aptible-staging.com
+```
+
+
+## Usage
+
+From `comply help`:
+
+<!-- BEGIN USAGE -->
+```
+Commands:
+  comply help [COMMAND]                      # Describe available commands or one specific command
+  comply integrations:enable INTEGRATION_ID  # Enable an integration
+  comply integrations:list                   # List integrations
+  comply integrations:sync INTEGRATION_ID    # Sync an integration
+  comply integrations:update INTEGRATION_ID  # Enable an integration
+  comply login                               # Log in to Aptible
+  comply programs:select                     # Select a program for CLI context
+  comply version                             # Print Aptible CLI version
+```
+<!-- END USAGE -->
+
+## Contributing
+
+1. Fork the project.
+1. Commit your changes, with specs.
+1. Ensure that your code passes specs (`rake spec`) and meets Aptible's Ruby style guide (`rake rubocop`).
+1. If you add a command, sync this README (`bundle exec script/sync-readme-usage`).
+1. Create a new pull request on GitHub.
+
+## Copyright and License
+
+MIT License, see [LICENSE](LICENSE.md) for details.
+
+Copyright (c) 2019 [Aptible](https://www.aptible.com) and contributors.

data/Rakefile

@@ -0,0 +1,4 @@
+require 'bundler/gem_tasks'
+
+require 'aptible/tasks'
+Aptible::Tasks.load_tasks

data/bin/comply

@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+
+begin
+  require 'comply/cli'
+rescue
+  require 'rubygems'
+  require 'comply/cli'
+end
+
+begin
+  Comply::CLI::Agent.start
+rescue HyperResource::ClientError => e
+  m = if e.body['error'] == 'invalid_token'
+        'API authentication error: please run comply login'
+      else
+        "An error occurred: #{e.body['message']}"
+      end
+  puts m
+  exit 1
+end

data/comply-cli.gemspec

@@ -0,0 +1,34 @@
+# encoding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+require 'English'
+require 'comply/cli/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'comply-cli'
+  spec.version       = Comply::CLI::VERSION
+  spec.authors       = ['Frank Macreery']
+  spec.email         = ['frank@macreery.com']
+  spec.description   = 'Comply CLI'
+  spec.summary       = 'Command-line interface for Aptible Comply'
+  spec.homepage      = 'https://github.com/aptible/comply-cli'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split($RS)
+  spec.executables   = spec.files.grep(%r{bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{spec/})
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'aptible-resource', '~> 1.1'
+  spec.add_dependency 'aptible-auth', '~> 1.0'
+  spec.add_dependency 'aptible-comply', '>= 0.1.0'
+  spec.add_dependency 'thor', '~> 0.20.0'
+  spec.add_dependency 'chronic_duration', '~> 0.10.6'
+  spec.add_dependency 'highline', '~> 1.7'
+  spec.add_development_dependency 'rspec', '~> 3.2'
+  spec.add_development_dependency 'fabrication', '~> 2.15.2'
+  spec.add_development_dependency 'climate_control', '= 0.0.3'
+  spec.add_development_dependency 'aptible-tasks', '~> 0.5.8'
+  spec.add_development_dependency 'pry'
+end

data/lib/comply/cli.rb

@@ -0,0 +1,9 @@
+require_relative 'ext/string'
+
+require 'comply/cli/version'
+require 'comply/cli/agent'
+
+module Comply
+  module CLI
+  end
+end

data/lib/comply/cli/agent.rb

@@ -0,0 +1,122 @@
+require 'aptible/auth'
+require 'thor'
+require 'chronic_duration'
+require 'highline/import'
+
+Dir[File.join(__dir__, 'helpers', '*.rb')].each { |file| require file }
+Dir[File.join(__dir__, 'subcommands', '*.rb')].each { |file| require file }
+
+module Comply
+  module CLI
+    class Agent < Thor
+      include Thor::Actions
+
+      include Helpers::Token
+      include Helpers::Program
+
+      include Subcommands::Integrations
+
+      # Forward return codes on failures.
+      def self.exit_on_failure?
+        true
+      end
+
+      def initialize(*)
+        Aptible::Resource.configure { |conf| conf.user_agent = version_string }
+        super
+      end
+
+      desc 'version', 'Print Aptible CLI version'
+      def version
+        puts version_string
+      end
+
+      desc 'login', 'Log in to Aptible'
+      option :email
+      option :password
+      option :lifetime, desc: 'The duration the token should be valid for ' \
+                              '(example usage: 24h, 1d, 600s, etc.)'
+      option :otp_token, desc: 'A token generated by your second-factor app'
+      def login
+        email = options[:email] || ask('Email: ')
+        password = options[:password] || ask('Password: ', echo: false)
+        puts ''
+
+        token_options = { email: email, password: password }
+
+        otp_token = options[:otp_token]
+        token_options[:otp_token] = otp_token if otp_token
+
+        begin
+          lifetime = '1w'
+          lifetime = '12h' if token_options[:otp_token]
+          lifetime = options[:lifetime] if options[:lifetime]
+
+          duration = ChronicDuration.parse(lifetime)
+          if duration.nil?
+            raise Thor::Error, "Invalid token lifetime requested: #{lifetime}"
+          end
+
+          token_options[:expires_in] = duration
+          token = Aptible::Auth::Token.create(token_options)
+        rescue OAuth2::Error => e
+          if e.code == 'otp_token_required'
+            token_options[:otp_token] = options[:otp_token] ||
+                                        ask('2FA Token: ')
+            retry
+          end
+
+          raise Thor::Error, 'Could not authenticate with given credentials: ' \
+                             "#{e.code}"
+        end
+
+        save_token(token.access_token)
+        puts "Token written to #{token_file}"
+
+        lifetime_format = { units: 2, joiner: ', ' }
+        token_lifetime = (token.expires_at - token.created_at).round
+        expires_in = ChronicDuration.output(token_lifetime, lifetime_format)
+        puts "This token will expire after #{expires_in} " \
+             '(use --lifetime to customize)'
+
+        # Select a default program
+        set_default_program
+      end
+
+      desc 'programs:select', 'Select a program for CLI context'
+      define_method 'programs:select' do
+        candidates = accessible_programs
+        current_program_id = begin
+                               fetch_program_id
+                             rescue Thor::Error
+                               nil
+                             end
+
+        choose do |menu|
+          menu.prompt = 'Choose a program (* is current default):'
+          candidates.each do |program|
+            pretty = pretty_print_program(program)
+            if program.id == current_program_id
+              pretty = "* #{pretty}"
+              menu.default = pretty
+            end
+
+            menu.choice pretty do
+              save_program_id program.id
+            end
+          end
+        end
+      end
+
+      private
+
+      def version_string
+        bits = [
+          'comply-cli',
+          "v#{Comply::CLI::VERSION}"
+        ]
+        bits.join ' '
+      end
+    end
+  end
+end

data/lib/comply/cli/helpers/integration.rb

@@ -0,0 +1,55 @@
+require 'aptible/comply'
+require 'json'
+
+module Comply
+  module CLI
+    module Helpers
+      module Integration
+        def prettify_integration(integration)
+          integration.integration_type
+        end
+
+        def pretty_print_integration(integration)
+          "#{prettify_integration(integration)} (#{integration.id})"
+        end
+
+        def prompt_and_create_integration(type)
+          env = prompt_for_env(type)
+          default_program.create_integration(integration_type: type, env: env)
+        end
+
+        def prompt_and_update_integration(integration)
+          env = prompt_for_env(integration.integration_type)
+          integration.update(env: env)
+        end
+
+        def prompt_for_env(type)
+          env = {}
+          env_vars_by_prompt(type).each do |human, key|
+            env[key] = ask("#{human}:", echo: false)
+            puts
+          end
+
+          env
+        end
+
+        def env_vars_by_prompt(type)
+          case type
+          when 'gsuite'
+            {
+              'Client ID' => 'GOOGLE_CLIENT_ID',
+              'Client Secret' => 'GOOGLE_CLIENT_SECRET',
+              'Access Token' => 'GOOGLE_ACCESS_TOKEN',
+              'Refresh Token' => 'GOOGLE_REFRESH_TOKEN'
+            }
+          when 'okta'
+            {
+              'Org Name' => 'OKTA_ORG_NAME',
+              'API Key' => 'OKTA_API_KEY'
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/comply/cli/helpers/program.rb

@@ -0,0 +1,81 @@
+require 'aptible/comply'
+require 'json'
+
+require_relative 'token'
+
+module Comply
+  module CLI
+    module Helpers
+      module Program
+        include Helpers::Token
+
+        PROGRAM_ENV_VAR = 'APTIBLE_PROGRAM_ID'.freeze
+
+        def default_program
+          return nil unless (id = fetch_program_id)
+          @default_program ||= Aptible::Comply::Program.find(
+            id, token: fetch_token
+          )
+        end
+
+        def set_default_program
+          default_program = accessible_programs.first
+          save_program_id(default_program.id) if default_program
+        end
+
+        def pretty_print_program(program)
+          "#{program.organization.name} (#{program.id})"
+        end
+
+        def fetch_program_id
+          @program_id ||=
+            ENV[PROGRAM_ENV_VAR] ||
+            current_program_id_hash[Aptible::Comply.configuration.root_url]
+          return @program_id if @program_id
+          raise Thor::Error, 'Could not read program: please run comply ' \
+                             "programs:select or set #{PROGRAM_ENV_VAR}"
+        end
+
+        def save_program_id(program_id)
+          hash = current_program_id_hash.merge(
+            Aptible::Comply.configuration.root_url => program_id
+          )
+
+          FileUtils.mkdir_p(File.dirname(program_id_file))
+
+          File.open(program_id_file, 'w', 0o600) do |file|
+            file.puts hash.to_json
+          end
+        rescue StandardError => e
+          m = "Could not write program to #{program_id_file}: #{e}. " \
+              'Check filesystem permissions.'
+          raise Thor::Error, m
+        end
+
+        def current_program_id_hash
+          JSON.parse(File.read(program_id_file))
+        rescue
+          {}
+        end
+
+        def program_id_file
+          File.join ENV['HOME'], '.aptible', 'programs.json'
+        end
+
+        def accessible_programs
+          # If a user is a member of a role in ACCOUNT_MANAGEMENT_ROLE_IDS
+          # in Comply, they have read access to ALL programs. As a result,
+          # when offering programs for customers to access, we select just
+          # those which actually belong to their organization(s).
+
+          programs = Aptible::Comply::Program.all(token: fetch_token)
+          orgs = Aptible::Auth::Organization.all(token: fetch_token)
+
+          programs.select do |program|
+            orgs.map(&:href).include?(program.organization_url)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/comply/cli/helpers/token.rb

@@ -0,0 +1,54 @@
+require 'aptible/auth'
+require 'json'
+
+module Comply
+  module CLI
+    module Helpers
+      module Token
+        TOKEN_ENV_VAR = 'APTIBLE_ACCESS_TOKEN'.freeze
+
+        def current_user_email
+          @current_user_email ||=
+            Aptible::Auth::Agent.new(token: fetch_token).me.email
+        end
+
+        def fetch_token
+          @token ||= ENV[TOKEN_ENV_VAR] ||
+                     current_token_hash[Aptible::Auth.configuration.root_url]
+          return @token if @token
+          raise Thor::Error, 'Could not read token: please run comply login ' \
+                             "or set #{TOKEN_ENV_VAR}"
+        end
+
+        def save_token(token)
+          hash = current_token_hash.merge(
+            Aptible::Auth.configuration.root_url => token
+          )
+
+          FileUtils.mkdir_p(File.dirname(token_file))
+
+          File.open(token_file, 'w', 0o600) do |file|
+            file.puts hash.to_json
+          end
+        rescue StandardError => e
+          m = "Could not write token to #{token_file}: #{e}. " \
+              'Check filesystem permissions.'
+          raise Thor::Error, m
+        end
+
+        def current_token_hash
+          # NOTE: older versions of the CLI did not properly create the
+          # token_file with mode 600, which is why we update it when reading.
+          File.chmod(0o600, token_file)
+          JSON.parse(File.read(token_file))
+        rescue
+          {}
+        end
+
+        def token_file
+          File.join ENV['HOME'], '.aptible', 'tokens.json'
+        end
+      end
+    end
+  end
+end

data/lib/comply/cli/subcommands/integrations.rb

@@ -0,0 +1,56 @@
+module Comply
+  module CLI
+    module Subcommands
+      module Integrations
+        include Helpers::Integration
+
+        def self.included(thor)
+          thor.class_eval do
+            desc 'integrations:list', 'List integrations'
+            define_method 'integrations:list' do
+              integrations = default_program.integrations
+              if integrations.empty?
+                say 'No integrations found.'
+              else
+                integrations.each do |integration|
+                  say pretty_print_integration(integration)
+                end
+              end
+            end
+
+            desc 'integrations:enable INTEGRATION_ID', 'Enable an integration'
+            define_method 'integrations:enable' do |integration_type|
+              integration = default_program.integrations.find do |i|
+                i.integration_type == integration_type
+              end
+              raise Thor::Error, 'Integration already enabled' if integration
+
+              prompt_and_create_integration(integration_type)
+            end
+
+            desc 'integrations:update INTEGRATION_ID', 'Enable an integration'
+            define_method 'integrations:update' do |integration_type|
+              integration = default_program.integrations.find do |i|
+                i.integration_type == integration_type
+              end
+              raise Thor::Error, 'Integration not found' unless integration
+
+              prompt_and_update_integration(integration)
+            end
+
+            desc 'integrations:sync INTEGRATION_ID', 'Sync an integration'
+            define_method 'integrations:sync' do |integration_type|
+              integration = default_program.integrations.find do |i|
+                i.integration_type == integration_type
+              end
+              raise Thor::Error, 'Integration not found' unless integration
+
+              integration.links['sync'].post
+              say 'Integration synced'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/comply/cli/version.rb

@@ -0,0 +1,5 @@
+module Comply
+  module CLI
+    VERSION = '0.0.1'.freeze
+  end
+end

data/lib/comply/ext/string.rb

@@ -0,0 +1,5 @@
+class String
+  def uuid?
+    !!(self =~ /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/)
+  end
+end

data/script/sync-readme-usage

@@ -0,0 +1,34 @@
+#!/usr/bin/env ruby
+require 'open3'
+
+USAGE = ARGV.fetch(0, 'README.md')
+
+puts "Sync CLI usage in #{USAGE}"
+
+txt, err, status = Open3.capture3(
+  { 'THOR_COLUMNS' => '1000' },
+  'bundle', 'exec', 'bin/comply', 'help'
+)
+
+raise "Failed to extract usage: #{err}" unless status.success?
+
+usage = "```\n#{txt.gsub(/^$\n/, '')}```\n"
+
+bits = []
+
+File.open(USAGE) do |f|
+  in_usage = false
+
+  f.each_line do |l|
+    in_usage = false if l.include?('END USAGE')
+
+    bits << l unless in_usage
+
+    if l.include?('BEGIN USAGE')
+      in_usage = true
+      bits << usage
+    end
+  end
+end
+
+File.write(USAGE, bits.join(''))

data/spec/comply/cli/agent_spec.rb

@@ -0,0 +1,196 @@
+require 'spec_helper'
+
+describe Comply::CLI::Agent do
+  before do
+    allow(subject).to receive(:ask)
+    allow(subject).to receive(:save_token)
+    allow(subject).to receive(:token_file).and_return 'some.json'
+  end
+
+  describe 'version' do
+    it 'should print the version' do
+      version = Comply::CLI::VERSION
+
+      expect do
+        subject.version
+      end.to output("comply-cli v#{version}\n").to_stdout
+    end
+  end
+
+  describe 'login' do
+    let(:token) { double('Aptible::Auth::Token') }
+    let(:created_at) { Time.now }
+    let(:expires_at) { created_at + 1.week }
+
+    before do
+      m = -> (code) { @code = code }
+      OAuth2::Error.send :define_method, :initialize, m
+
+      allow(token).to receive(:access_token).and_return 'access_token'
+      allow(token).to receive(:created_at).and_return created_at
+      allow(token).to receive(:expires_at).and_return expires_at
+      allow(subject).to receive(:puts) {}
+
+      allow(subject).to receive(:set_default_program) {}
+    end
+
+    it 'should save a token to ~/.aptible/tokens' do
+      allow(Aptible::Auth::Token).to receive(:create).and_return token
+      expect(subject).to receive(:save_token).with('access_token')
+      subject.login
+    end
+
+    it 'should output the token location and token lifetime' do
+      allow(Aptible::Auth::Token).to receive(:create).and_return token
+      allow(subject).to receive(:puts).and_call_original
+
+      expect { subject.login }.to output(/token written to.*json/i).to_stdout
+      expect { subject.login }.to output(/expire after 7 days/i).to_stdout
+    end
+
+    it 'should raise an error if authentication fails' do
+      allow(Aptible::Auth::Token).to receive(:create)
+        .and_raise(OAuth2::Error, 'foo')
+      expect do
+        subject.login
+      end.to raise_error 'Could not authenticate with given credentials: foo'
+    end
+
+    it 'should use command line arguments if passed' do
+      options = { email: 'test@example.com', password: 'password',
+                  lifetime: '30 minutes' }
+      allow(subject).to receive(:options).and_return options
+      args = { email: options[:email], password: options[:password],
+               expires_in: 30.minutes.seconds }
+      expect(Aptible::Auth::Token).to receive(:create).with(args) { token }
+      subject.login
+    end
+
+    it 'should default to 1 week expiry when OTP is disabled' do
+      options = { email: 'test@example.com', password: 'password' }
+      allow(subject).to receive(:options).and_return options
+      args = options.dup.merge(expires_in: 1.week.seconds)
+      expect(Aptible::Auth::Token).to receive(:create).with(args) { token }
+      subject.login
+    end
+
+    it 'should fail if the lifetime is invalid' do
+      options = { email: 'test@example.com', password: 'password',
+                  lifetime: 'this is sparta' }
+      allow(subject).to receive(:options).and_return options
+
+      expect { subject.login }.to raise_error(/Invalid token lifetime/)
+    end
+
+    it 'should set a default program' do
+      allow(Aptible::Auth::Token).to receive(:create).and_return token
+      expect(subject).to receive(:set_default_program)
+      subject.login
+    end
+
+    context 'with OTP' do
+      let(:email) { 'foo@example.org' }
+      let(:password) { 'bar' }
+      let(:token) { '123456' }
+
+      context 'with options' do
+        before do
+          allow(subject).to receive(:options)
+            .and_return(email: email, password: password, otp_token: token)
+        end
+
+        it 'should authenticate without otp_token_required feedback' do
+          expect(Aptible::Auth::Token).to receive(:create)
+            .with(email: email, password: password, otp_token: token,
+                  expires_in: 12.hours.seconds)
+            .once
+            .and_return(token)
+
+          subject.login
+        end
+      end
+
+      context 'with prompts' do
+        before do
+          [
+            [['Email: '], email],
+            [['Password: ', echo: false], password],
+            [['2FA Token: '], token]
+          ].each do |prompt, val|
+            expect(subject).to receive(:ask).with(*prompt).once.and_return(val)
+          end
+        end
+
+        it 'should prompt for an OTP token and use it' do
+          expect(Aptible::Auth::Token).to receive(:create)
+            .with(email: email, password: password, expires_in: 1.week.seconds)
+            .once
+            .and_raise(OAuth2::Error, 'otp_token_required')
+
+          expect(Aptible::Auth::Token).to receive(:create)
+            .with(email: email, password: password, otp_token: token,
+                  expires_in: 12.hours.seconds)
+            .once
+            .and_return(token)
+
+          subject.login
+        end
+
+        it 'should let the user override the default lifetime' do
+          expect(Aptible::Auth::Token).to receive(:create)
+            .with(email: email, password: password, expires_in: 1.day.seconds)
+            .once
+            .and_raise(OAuth2::Error, 'otp_token_required')
+
+          expect(Aptible::Auth::Token).to receive(:create)
+            .with(email: email, password: password, otp_token: token,
+                  expires_in: 1.day.seconds)
+            .once
+            .and_return(token)
+
+          allow(subject).to receive(:options).and_return(lifetime: '1d')
+          subject.login
+        end
+
+        it 'should not retry non-OTP errors.' do
+          expect(Aptible::Auth::Token).to receive(:create)
+            .with(email: email, password: password, expires_in: 1.week.seconds)
+            .once
+            .and_raise(OAuth2::Error, 'otp_token_required')
+
+          expect(Aptible::Auth::Token).to receive(:create)
+            .with(email: email, password: password, otp_token: token,
+                  expires_in: 12.hours.seconds)
+            .once
+            .and_raise(OAuth2::Error, 'foo')
+
+          expect { subject.login }.to raise_error(/Could not authenticate/)
+        end
+      end
+    end
+  end
+
+  describe 'programs:select' do
+    # TODO: Try to get this working
+    # https://github.com/JEG2/highline/issues/176 might be helpful
+
+    let(:p1) { Fabricate(:program) }
+    let(:p2) { Fabricate(:program) }
+
+    before do
+      allow(subject).to receive(:accessible_programs) { [p1, p2] }
+      allow(subject).to receive(:fetch_program_id) { p1.id }
+      allow_any_instance_of(HighLine).to receive(:get_line) { '1' }
+    end
+
+    skip 'displays a selection of available programs' do
+      lines = ["* #{subject.pretty_print_program(p1)}",
+               subject.pretty_print_program(p2),
+               'Choose a program']
+
+      lines.each do |line|
+        expect { subject.send('programs:select') }.to output(line).to_stdout
+      end
+    end
+  end
+end

data/spec/comply/cli/helpers/program_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'securerandom'
+
+describe Comply::CLI::Helpers::Program do
+  around do |example|
+    Dir.mktmpdir { |home| ClimateControl.modify(HOME: home) { example.run } }
+  end
+
+  subject { Class.new.send(:include, described_class).new }
+
+  let(:program_id) { SecureRandom.uuid }
+  let(:token) { double('token') }
+
+  before do
+    allow(subject).to receive(:fetch_token) { token }
+  end
+
+  describe '#save_program / #fetch_program' do
+    it 'reads back a program ID it saved' do
+      subject.save_program_id(program_id)
+      expect(subject.fetch_program_id).to eq(program_id)
+    end
+  end
+
+  describe 'accessible_programs' do
+    it 'filters programs' do
+      o1 = Fabricate(:organization)
+      o2 = Fabricate(:organization)
+
+      p1 = Fabricate(:program, organization: o1)
+      p2 = Fabricate(:program, organization: o2)
+      p3 = Fabricate(:program)
+
+      allow(Aptible::Comply::Program).to receive(:all) { [p1, p2, p3] }
+      allow(Aptible::Auth::Organization).to receive(:all) { [o1, o2] }
+
+      programs = subject.accessible_programs
+      expect(programs.map(&:id).sort).to eq [p1.id, p2.id].sort
+    end
+  end
+end

data/spec/comply/cli/helpers/token_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe Comply::CLI::Helpers::Token do
+  around do |example|
+    Dir.mktmpdir { |home| ClimateControl.modify(HOME: home) { example.run } }
+  end
+
+  subject { Class.new.send(:include, described_class).new }
+
+  describe '#save_token / #fetch_token' do
+    it 'reads back a token it saved' do
+      subject.save_token('foo')
+      expect(subject.fetch_token).to eq('foo')
+    end
+  end
+
+  context 'permissions' do
+    before { skip 'Windows' if Gem.win_platform? }
+
+    describe '#save_token' do
+      it 'creates the token_file with mode 600' do
+        subject.save_token('foo')
+        expect(format('%o', File.stat(subject.token_file).mode))
+          .to eq('100600')
+      end
+    end
+
+    describe '#current_token_hash' do
+      it 'updates the token_file to mode 600' do
+        subject.save_token('foo')
+        File.chmod(0o644, subject.token_file)
+        expect(format('%o', File.stat(subject.token_file).mode))
+          .to eq('100644')
+
+        subject.current_token_hash
+        expect(format('%o', File.stat(subject.token_file).mode))
+          .to eq('100600')
+      end
+    end
+  end
+end

data/spec/comply/cli/subcommands/groups_spec.rb

@@ -0,0 +1,4 @@
+require 'spec_helper'
+
+describe Comply::CLI::Agent do
+end

data/spec/comply/cli/subcommands/integrations_spec.rb

@@ -0,0 +1,4 @@
+require 'spec_helper'
+
+describe Comply::CLI::Agent do
+end

data/spec/comply/cli_spec.rb

@@ -0,0 +1,4 @@
+require 'spec_helper'
+
+describe Comply::CLI do
+end

data/spec/fabricators/organization_fabricator.rb

@@ -0,0 +1,8 @@
+class StubOrganization < OpenStruct
+end
+
+Fabricator(:organization, from: :stub_organization) do
+  id { Fabricate.sequence(:organization_id) { |i| i } }
+
+  href { |attrs| "https://auth.aptible.com/organizations/#{attrs[:id]}" }
+end

data/spec/fabricators/program_fabricator.rb

@@ -0,0 +1,11 @@
+class StubProgram < OpenStruct
+end
+
+Fabricator(:program, from: :stub_program) do
+  id { Fabricate.sequence(:program_id) { |i| i } }
+
+  organization
+  organization_url { |attrs| attrs[:organization].href }
+
+  errors { Aptible::Resource::Errors.new }
+end

data/spec/spec_helper.rb

@@ -0,0 +1,12 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+Bundler.require :development
+
+# Load shared spec files
+Dir["#{File.dirname(__FILE__)}/shared/**/*.rb"].each do |file|
+  require file
+end
+
+# Require library up front
+require 'comply/cli'

metadata

@@ -0,0 +1,235 @@
+--- !ruby/object:Gem::Specification
+name: comply-cli
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Frank Macreery
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-12-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aptible-resource
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: aptible-auth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: aptible-comply
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.20.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.20.0
+- !ruby/object:Gem::Dependency
+  name: chronic_duration
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.10.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.10.6
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: fabrication
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.15.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.15.2
+- !ruby/object:Gem::Dependency
+  name: climate_control
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.3
+- !ruby/object:Gem::Dependency
+  name: aptible-tasks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.8
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.8
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Comply CLI
+email:
+- frank@macreery.com
+executables:
+- comply
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/CODEOWNERS"
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE.md
+- README.md
+- Rakefile
+- bin/comply
+- comply-cli.gemspec
+- lib/comply/cli.rb
+- lib/comply/cli/agent.rb
+- lib/comply/cli/helpers/integration.rb
+- lib/comply/cli/helpers/program.rb
+- lib/comply/cli/helpers/token.rb
+- lib/comply/cli/subcommands/integrations.rb
+- lib/comply/cli/version.rb
+- lib/comply/ext/string.rb
+- script/sync-readme-usage
+- spec/comply/cli/agent_spec.rb
+- spec/comply/cli/helpers/program_spec.rb
+- spec/comply/cli/helpers/token_spec.rb
+- spec/comply/cli/subcommands/groups_spec.rb
+- spec/comply/cli/subcommands/integrations_spec.rb
+- spec/comply/cli_spec.rb
+- spec/fabricators/organization_fabricator.rb
+- spec/fabricators/program_fabricator.rb
+- spec/spec_helper.rb
+homepage: https://github.com/aptible/comply-cli
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Command-line interface for Aptible Comply
+test_files:
+- spec/comply/cli/agent_spec.rb
+- spec/comply/cli/helpers/program_spec.rb
+- spec/comply/cli/helpers/token_spec.rb
+- spec/comply/cli/subcommands/groups_spec.rb
+- spec/comply/cli/subcommands/integrations_spec.rb
+- spec/comply/cli_spec.rb
+- spec/fabricators/organization_fabricator.rb
+- spec/fabricators/program_fabricator.rb
+- spec/spec_helper.rb