pal-explorer-cli 0.4.11 → 0.4.13

package/lib/commands/sso.js

@@ -1,200 +1,200 @@
-import chalk from 'chalk';
-
-export default function ssoCommand(program) {
-  const cmd = program
-    .command('sso')
-    .description('manage enterprise SSO (SAML/OIDC)')
-    .addHelpText('after', `
-Examples:
-  $ pe sso configure --provider oidc --issuer https://auth.example.com --client-id abc --client-secret xyz
-  $ pe sso configure --provider saml --issuer https://idp.example.com/metadata
-  $ pe sso login                             Initiate SSO login
-  $ pe sso status                            Show current SSO configuration
-  $ pe sso enforce --on                      Enforce mandatory SSO
-  $ pe sso enforce --off                     Disable mandatory SSO
-`)
-    .action(() => {
-      cmd.outputHelp();
-    });
-
-  cmd
-    .command('configure')
-    .description('configure SSO provider (SAML or OIDC)')
-    .requiredOption('--provider <type>', 'SSO provider type (saml or oidc)')
-    .option('--issuer <url>', 'IdP issuer URL')
-    .option('--client-id <id>', 'OIDC client ID')
-    .option('--client-secret <secret>', 'OIDC client secret')
-    .action(async (opts) => {
-      try {
-        const provider = opts.provider.toLowerCase();
-        if (provider !== 'saml' && provider !== 'oidc') {
-          console.log(chalk.red('Provider must be "saml" or "oidc".'));
-          process.exitCode = 1;
-          return;
-        }
-
-        if (provider === 'oidc' && (!opts.clientId || !opts.clientSecret)) {
-          console.log(chalk.red('OIDC requires --client-id and --client-secret.'));
-          process.exitCode = 1;
-          return;
-        }
-
-        if (!opts.issuer) {
-          console.log(chalk.red('--issuer is required.'));
-          process.exitCode = 1;
-          return;
-        }
-
-        const extConfig = (await import('../utils/config.js')).default;
-        const existing = extConfig.get('ext.sso-connector') || {};
-
-        const clientSecret = opts.clientSecret || existing.clientSecret || null;
-        const ssoConfig = {
-          ...existing,
-          provider,
-          issuer: opts.issuer,
-          clientId: opts.clientId || existing.clientId || null,
-          clientSecret: null,
-        };
-
-        if (clientSecret) {
-          try {
-            const keytar = (await import('keytar')).default;
-            await keytar.setPassword('palexplorer', 'sso.clientSecret', clientSecret);
-          } catch {
-            ssoConfig.clientSecret = clientSecret;
-          }
-        }
-
-        extConfig.set('ext.sso-connector', ssoConfig);
-
-        console.log(chalk.green(`✔ SSO configured`));
-        console.log(`  Provider: ${chalk.white(provider.toUpperCase())}`);
-        console.log(`  Issuer:   ${chalk.white(opts.issuer)}`);
-        if (provider === 'oidc') {
-          console.log(`  Client:   ${chalk.white(opts.clientId)}`);
-        }
-      } catch (err) {
-        console.log(chalk.red(`Failed to configure SSO: ${err.message}`));
-        process.exitCode = 1;
-      }
-    });
-
-  cmd
-    .command('login')
-    .description('initiate SSO login')
-    .action(async () => {
-      try {
-        const extConfig = (await import('../utils/config.js')).default;
-        const cfg = extConfig.get('ext.sso-connector');
-
-        if (!cfg || !cfg.provider) {
-          console.log(chalk.red('SSO not configured. Run: pe sso configure'));
-          process.exitCode = 1;
-          return;
-        }
-
-        let redirectUrl;
-        if (cfg.provider === 'oidc') {
-          let clientId = cfg.clientId;
-          let clientSecret = cfg.clientSecret;
-          if (!clientSecret) {
-            try {
-              const keytar = (await import('keytar')).default;
-              clientSecret = await keytar.getPassword('palexplorer', 'sso.clientSecret');
-            } catch {}
-          }
-          const state = Math.random().toString(36).slice(2);
-          const params = new URLSearchParams({
-            response_type: 'code',
-            client_id: clientId,
-            redirect_uri: 'http://localhost:9876/callback',
-            scope: 'openid profile email',
-            state,
-          });
-          redirectUrl = `${cfg.issuer}/authorize?${params}`;
-        } else {
-          redirectUrl = `${cfg.issuer}/sso/saml?RelayState=palexplorer`;
-        }
-
-        console.log('');
-        console.log(chalk.cyan('SSO Login'));
-        console.log(`  Provider: ${chalk.white(cfg.provider.toUpperCase())}`);
-        console.log(`  Redirect: ${chalk.white(redirectUrl)}`);
-        console.log('');
-        console.log(chalk.gray('Open the URL above in your browser to authenticate.'));
-      } catch (err) {
-        console.log(chalk.red(`SSO login failed: ${err.message}`));
-        process.exitCode = 1;
-      }
-    });
-
-  cmd
-    .command('status')
-    .description('show current SSO configuration')
-    .action(async () => {
-      try {
-        const extConfig = (await import('../utils/config.js')).default;
-        const cfg = extConfig.get('ext.sso-connector');
-
-        console.log('');
-        console.log(chalk.cyan.bold('SSO Configuration'));
-
-        if (!cfg || !cfg.provider) {
-          console.log(chalk.gray('  Not configured. Run: pe sso configure'));
-          console.log('');
-          return;
-        }
-
-        console.log(`  Provider:    ${chalk.white(cfg.provider.toUpperCase())}`);
-        console.log(`  Issuer:      ${chalk.white(cfg.issuer || 'not set')}`);
-        if (cfg.provider === 'oidc') {
-          console.log(`  Client ID:   ${chalk.white(cfg.clientId || 'not set')}`);
-          console.log(`  Client Secret: ${cfg.clientSecret ? chalk.gray('********') : chalk.yellow('not set')}`);
-        }
-        console.log(`  Enforce SSO: ${cfg.enforceSSO ? chalk.green('yes') : chalk.gray('no')}`);
-        console.log('');
-      } catch (err) {
-        console.log(chalk.red(`Failed to get SSO status: ${err.message}`));
-        process.exitCode = 1;
-      }
-    });
-
-  cmd
-    .command('enforce')
-    .description('enable or disable mandatory SSO')
-    .option('--on', 'Enable mandatory SSO')
-    .option('--off', 'Disable mandatory SSO')
-    .action(async (opts) => {
-      try {
-        if (!opts.on && !opts.off) {
-          console.log(chalk.red('Specify --on or --off.'));
-          process.exitCode = 1;
-          return;
-        }
-
-        const extConfig = (await import('../utils/config.js')).default;
-        const cfg = extConfig.get('ext.sso-connector');
-
-        if (!cfg || !cfg.provider) {
-          console.log(chalk.red('SSO not configured. Run: pe sso configure'));
-          process.exitCode = 1;
-          return;
-        }
-
-        const enforce = !!opts.on;
-        extConfig.set('ext.sso-connector', { ...cfg, enforceSSO: enforce });
-
-        if (enforce) {
-          console.log(chalk.green('✔ Mandatory SSO enabled'));
-          console.log(chalk.gray('  All users must authenticate via SSO.'));
-        } else {
-          console.log(chalk.green('✔ Mandatory SSO disabled'));
-          console.log(chalk.gray('  Users can authenticate with local credentials.'));
-        }
-      } catch (err) {
-        console.log(chalk.red(`Failed to update enforcement: ${err.message}`));
-        process.exitCode = 1;
-      }
-    });
-}
+import chalk from 'chalk';
+
+export default function ssoCommand(program) {
+  const cmd = program
+    .command('sso')
+    .description('manage enterprise SSO (SAML/OIDC)')
+    .addHelpText('after', `
+Examples:
+  $ pal sso configure --provider oidc --issuer https://auth.example.com --client-id abc --client-secret xyz
+  $ pal sso configure --provider saml --issuer https://idp.example.com/metadata
+  $ pal sso login                             Initiate SSO login
+  $ pal sso status                            Show current SSO configuration
+  $ pal sso enforce --on                      Enforce mandatory SSO
+  $ pal sso enforce --off                     Disable mandatory SSO
+`)
+    .action(() => {
+      cmd.outputHelp();
+    });
+
+  cmd
+    .command('configure')
+    .description('configure SSO provider (SAML or OIDC)')
+    .requiredOption('--provider <type>', 'SSO provider type (saml or oidc)')
+    .option('--issuer <url>', 'IdP issuer URL')
+    .option('--client-id <id>', 'OIDC client ID')
+    .option('--client-secret <secret>', 'OIDC client secret')
+    .action(async (opts) => {
+      try {
+        const provider = opts.provider.toLowerCase();
+        if (provider !== 'saml' && provider !== 'oidc') {
+          console.log(chalk.red('Provider must be "saml" or "oidc".'));
+          process.exitCode = 1;
+          return;
+        }
+
+        if (provider === 'oidc' && (!opts.clientId || !opts.clientSecret)) {
+          console.log(chalk.red('OIDC requires --client-id and --client-secret.'));
+          process.exitCode = 1;
+          return;
+        }
+
+        if (!opts.issuer) {
+          console.log(chalk.red('--issuer is required.'));
+          process.exitCode = 1;
+          return;
+        }
+
+        const extConfig = (await import('../utils/config.js')).default;
+        const existing = extConfig.get('ext.sso-connector') || {};
+
+        const clientSecret = opts.clientSecret || existing.clientSecret || null;
+        const ssoConfig = {
+          ...existing,
+          provider,
+          issuer: opts.issuer,
+          clientId: opts.clientId || existing.clientId || null,
+          clientSecret: null,
+        };
+
+        if (clientSecret) {
+          try {
+            const keytar = (await import('keytar')).default;
+            await keytar.setPassword('palexplorer', 'sso.clientSecret', clientSecret);
+          } catch {
+            ssoConfig.clientSecret = clientSecret;
+          }
+        }
+
+        extConfig.set('ext.sso-connector', ssoConfig);
+
+        console.log(chalk.green(`✔ SSO configured`));
+        console.log(`  Provider: ${chalk.white(provider.toUpperCase())}`);
+        console.log(`  Issuer:   ${chalk.white(opts.issuer)}`);
+        if (provider === 'oidc') {
+          console.log(`  Client:   ${chalk.white(opts.clientId)}`);
+        }
+      } catch (err) {
+        console.log(chalk.red(`Failed to configure SSO: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('login')
+    .description('initiate SSO login')
+    .action(async () => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const cfg = extConfig.get('ext.sso-connector');
+
+        if (!cfg || !cfg.provider) {
+          console.log(chalk.red('SSO not configured. Run: pal sso configure'));
+          process.exitCode = 1;
+          return;
+        }
+
+        let redirectUrl;
+        if (cfg.provider === 'oidc') {
+          let clientId = cfg.clientId;
+          let clientSecret = cfg.clientSecret;
+          if (!clientSecret) {
+            try {
+              const keytar = (await import('keytar')).default;
+              clientSecret = await keytar.getPassword('palexplorer', 'sso.clientSecret');
+            } catch {}
+          }
+          const state = Math.random().toString(36).slice(2);
+          const params = new URLSearchParams({
+            response_type: 'code',
+            client_id: clientId,
+            redirect_uri: 'http://localhost:9876/callback',
+            scope: 'openid profile email',
+            state,
+          });
+          redirectUrl = `${cfg.issuer}/authorize?${params}`;
+        } else {
+          redirectUrl = `${cfg.issuer}/sso/saml?RelayState=palexplorer`;
+        }
+
+        console.log('');
+        console.log(chalk.cyan('SSO Login'));
+        console.log(`  Provider: ${chalk.white(cfg.provider.toUpperCase())}`);
+        console.log(`  Redirect: ${chalk.white(redirectUrl)}`);
+        console.log('');
+        console.log(chalk.gray('Open the URL above in your browser to authenticate.'));
+      } catch (err) {
+        console.log(chalk.red(`SSO login failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('status')
+    .description('show current SSO configuration')
+    .action(async () => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const cfg = extConfig.get('ext.sso-connector');
+
+        console.log('');
+        console.log(chalk.cyan.bold('SSO Configuration'));
+
+        if (!cfg || !cfg.provider) {
+          console.log(chalk.gray('  Not configured. Run: pal sso configure'));
+          console.log('');
+          return;
+        }
+
+        console.log(`  Provider:    ${chalk.white(cfg.provider.toUpperCase())}`);
+        console.log(`  Issuer:      ${chalk.white(cfg.issuer || 'not set')}`);
+        if (cfg.provider === 'oidc') {
+          console.log(`  Client ID:   ${chalk.white(cfg.clientId || 'not set')}`);
+          console.log(`  Client Secret: ${cfg.clientSecret ? chalk.gray('********') : chalk.yellow('not set')}`);
+        }
+        console.log(`  Enforce SSO: ${cfg.enforceSSO ? chalk.green('yes') : chalk.gray('no')}`);
+        console.log('');
+      } catch (err) {
+        console.log(chalk.red(`Failed to get SSO status: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('enforce')
+    .description('enable or disable mandatory SSO')
+    .option('--on', 'Enable mandatory SSO')
+    .option('--off', 'Disable mandatory SSO')
+    .action(async (opts) => {
+      try {
+        if (!opts.on && !opts.off) {
+          console.log(chalk.red('Specify --on or --off.'));
+          process.exitCode = 1;
+          return;
+        }
+
+        const extConfig = (await import('../utils/config.js')).default;
+        const cfg = extConfig.get('ext.sso-connector');
+
+        if (!cfg || !cfg.provider) {
+          console.log(chalk.red('SSO not configured. Run: pal sso configure'));
+          process.exitCode = 1;
+          return;
+        }
+
+        const enforce = !!opts.on;
+        extConfig.set('ext.sso-connector', { ...cfg, enforceSSO: enforce });
+
+        if (enforce) {
+          console.log(chalk.green('✔ Mandatory SSO enabled'));
+          console.log(chalk.gray('  All users must authenticate via SSO.'));
+        } else {
+          console.log(chalk.green('✔ Mandatory SSO disabled'));
+          console.log(chalk.gray('  Users can authenticate with local credentials.'));
+        }
+      } catch (err) {
+        console.log(chalk.red(`Failed to update enforcement: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+}