bt-cli 0.4.28__tar.gz → 0.4.30__tar.gz

{bt_cli-0.4.28 → bt_cli-0.4.30}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, and EPM Windows. **Version: 0.4.28**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, and EPM Windows. **Version: 0.4.29**
 
 ## Setup
 

{bt_cli-0.4.28 → bt_cli-0.4.30}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.28
+Version: 0.4.30
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.28 → bt_cli-0.4.30}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.28"
+version = "0.4.30"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

{bt_cli-0.4.28 → bt_cli-0.4.30}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.28"
+__version__ = "0.4.30"

{bt_cli-0.4.28 → bt_cli-0.4.30}/src/bt_cli/commands/configure.py

@@ -298,11 +298,21 @@ def show_config(
     profile: Optional[str] = typer.Option(None, "--profile", help="Profile to show"),
     show_secrets: bool = typer.Option(False, "--show-secrets", help="Show secret values"),
 ) -> None:
-    """Show current configuration."""
+    """Show configuration from config file.
+
+    Note: This only shows profiles saved to ~/.bt-cli/config.yaml.
+    If you're using environment variables or .env file, use:
+
+        bt configure effective
+
+    to see the actual configuration in use.
+    """
     config = load_config_file()
 
     if not config.profiles:
-        print_warning("No configuration found. Run 'bt configure' to set up.")
+        print_warning("No profiles in config file. Run 'bt configure' to set up.")
+        console.print("\n[dim]Tip: If using .env or environment variables, run:[/dim]")
+        console.print("[cyan]  bt configure effective[/cyan]")
         raise typer.Exit(0)
 
     profiles_to_show = [profile] if profile else config.list_profiles()
@@ -413,3 +423,209 @@ def show_path() -> None:
         console.print("[green]Config file exists[/green]")
     else:
         console.print("[yellow]Config file does not exist yet[/yellow]")
+
+
+@app.command("import-env")
+def import_from_env(
+    profile: str = typer.Option("default", "--profile", "-p", help="Profile name to save as"),
+    force: bool = typer.Option(False, "--force", "-f", help="Overwrite existing profile"),
+) -> None:
+    """Import configuration from environment variables into a profile.
+
+    This saves the current BT_* environment variables (including .env file)
+    into a named profile in the config file. Useful for:
+
+    - Converting .env setup to profile-based config
+    - Creating profiles from existing environment
+    - Backing up current config to file
+
+    Example:
+        bt configure import-env --profile production
+    """
+    import os
+    from dotenv import load_dotenv, find_dotenv
+    from rich.prompt import Confirm
+
+    # Load .env if present
+    env_file = find_dotenv()
+    if env_file:
+        load_dotenv(env_file)
+        console.print(f"[dim]Loaded .env from: {env_file}[/dim]\n")
+
+    config = load_config_file()
+
+    # Check if profile exists
+    if profile in config.profiles and not force:
+        if not Confirm.ask(f"Profile '{profile}' exists. Overwrite?", default=False):
+            print_info("Cancelled")
+            raise typer.Exit(0)
+
+    # Product environment variable mappings
+    env_mappings = {
+        "pws": {
+            "api_url": "BT_PWS_API_URL",
+            "api_key": "BT_PWS_API_KEY",
+            "client_id": "BT_PWS_CLIENT_ID",
+            "client_secret": "BT_PWS_CLIENT_SECRET",
+            "run_as": "BT_PWS_RUN_AS",
+            "verify_ssl": "BT_PWS_VERIFY_SSL",
+            "timeout": "BT_PWS_TIMEOUT",
+        },
+        "pra": {
+            "api_url": "BT_PRA_API_URL",
+            "client_id": "BT_PRA_CLIENT_ID",
+            "client_secret": "BT_PRA_CLIENT_SECRET",
+            "verify_ssl": "BT_PRA_VERIFY_SSL",
+            "timeout": "BT_PRA_TIMEOUT",
+        },
+        "entitle": {
+            "api_url": "BT_ENTITLE_API_URL",
+            "api_key": "BT_ENTITLE_API_KEY",
+            "verify_ssl": "BT_ENTITLE_VERIFY_SSL",
+            "timeout": "BT_ENTITLE_TIMEOUT",
+        },
+        "epmw": {
+            "api_url": "BT_EPM_API_URL",
+            "client_id": "BT_EPM_CLIENT_ID",
+            "client_secret": "BT_EPM_CLIENT_SECRET",
+            "verify_ssl": "BT_EPM_VERIFY_SSL",
+            "timeout": "BT_EPM_TIMEOUT",
+        },
+    }
+
+    imported = []
+    for product, env_vars in env_mappings.items():
+        product_config = {}
+        for setting, env_var in env_vars.items():
+            value = os.getenv(env_var)
+            if value:
+                # Convert types
+                if setting == "verify_ssl":
+                    product_config[setting] = value.lower() not in ("false", "0", "no")
+                elif setting == "timeout":
+                    try:
+                        product_config[setting] = float(value)
+                    except ValueError:
+                        product_config[setting] = 30.0
+                else:
+                    product_config[setting] = value
+
+        if product_config.get("api_url"):
+            # Infer auth_method for PWS
+            if product == "pws":
+                if product_config.get("api_key"):
+                    product_config["auth_method"] = "apikey"
+                elif product_config.get("client_id"):
+                    product_config["auth_method"] = "oauth"
+
+            config.set_product_config(product, product_config, profile)
+            imported.append(product)
+
+    if imported:
+        if not config.default_profile or profile == "default":
+            config.default_profile = profile
+        save_config_file(config)
+        print_success(f"Imported {', '.join(imported)} into profile '{profile}'")
+        console.print(f"[dim]Config saved to: {CONFIG_FILE}[/dim]")
+    else:
+        print_warning("No configuration found in environment variables")
+
+
+@app.command("effective")
+def show_effective_config(
+    show_secrets: bool = typer.Option(False, "--show-secrets", help="Show secret values"),
+) -> None:
+    """Show effective configuration from all sources.
+
+    Shows what configuration is actually in use, combining:
+    - Environment variables (BT_PWS_*, BT_PRA_*, etc.)
+    - .env file (if present)
+    - Config file profiles (~/.bt-cli/config.yaml)
+
+    This is useful for debugging why the CLI connects successfully
+    but 'bt configure show' appears empty.
+    """
+    import os
+    from dotenv import load_dotenv, find_dotenv
+
+    # Load .env if present
+    env_file = find_dotenv()
+    if env_file:
+        load_dotenv(env_file)
+        console.print(f"[dim]Loaded .env from: {env_file}[/dim]\n")
+
+    def mask_secret(key: str, value: str) -> str:
+        if not value:
+            return "[dim]not set[/dim]"
+        if not show_secrets and any(s in key.lower() for s in ["secret", "key", "password"]):
+            return "****" + value[-4:] if len(value) > 4 else "****"
+        return value
+
+    # Product environment variable mappings
+    products = {
+        "Password Safe": {
+            "api_url": "BT_PWS_API_URL",
+            "api_key": "BT_PWS_API_KEY",
+            "client_id": "BT_PWS_CLIENT_ID",
+            "client_secret": "BT_PWS_CLIENT_SECRET",
+            "run_as": "BT_PWS_RUN_AS",
+            "verify_ssl": "BT_PWS_VERIFY_SSL",
+            "timeout": "BT_PWS_TIMEOUT",
+        },
+        "PRA": {
+            "api_url": "BT_PRA_API_URL",
+            "client_id": "BT_PRA_CLIENT_ID",
+            "client_secret": "BT_PRA_CLIENT_SECRET",
+            "verify_ssl": "BT_PRA_VERIFY_SSL",
+            "timeout": "BT_PRA_TIMEOUT",
+        },
+        "Entitle": {
+            "api_url": "BT_ENTITLE_API_URL",
+            "api_key": "BT_ENTITLE_API_KEY",
+            "verify_ssl": "BT_ENTITLE_VERIFY_SSL",
+            "timeout": "BT_ENTITLE_TIMEOUT",
+        },
+        "EPM Windows": {
+            "api_url": "BT_EPM_API_URL",
+            "client_id": "BT_EPM_CLIENT_ID",
+            "client_secret": "BT_EPM_CLIENT_SECRET",
+            "verify_ssl": "BT_EPM_VERIFY_SSL",
+            "timeout": "BT_EPM_TIMEOUT",
+        },
+    }
+
+    # Check active profile
+    active_profile = os.getenv("BT_PROFILE", "default")
+    console.print(f"[bold]Active Profile:[/bold] {active_profile}\n")
+
+    # Show effective config for each product
+    for product_name, env_vars in products.items():
+        table = Table(title=product_name, show_header=True, title_style="bold cyan")
+        table.add_column("Setting", style="green")
+        table.add_column("Env Var", style="dim")
+        table.add_column("Value")
+        table.add_column("Source", style="dim")
+
+        has_config = False
+        for setting, env_var in env_vars.items():
+            value = os.getenv(env_var, "")
+            if value:
+                has_config = True
+                source = ".env" if env_file else "environment"
+                table.add_row(setting, env_var, mask_secret(setting, value), source)
+
+        if has_config:
+            console.print(table)
+            console.print()
+        else:
+            console.print(f"[dim]{product_name}: not configured[/dim]\n")
+
+    # Also show config file info
+    config = load_config_file()
+    if config.profiles:
+        console.print("[bold]Config File Profiles:[/bold]")
+        for profile_name in config.list_profiles():
+            products_list = list(config.profiles[profile_name].keys())
+            is_default = " (default)" if profile_name == config.default_profile else ""
+            console.print(f"  {profile_name}{is_default}: {', '.join(products_list)}")
+        console.print(f"\n[dim]Note: Environment variables override config file settings[/dim]")

{bt_cli-0.4.28 → bt_cli-0.4.30}/src/bt_cli/core/rest_debug.py

@@ -74,6 +74,7 @@ def _sanitize_body(body: Any) -> Any:
         "client_secret", "client-secret", "clientsecret",
         "authorization", "bearer", "credential", "credentials",
         "access_token", "refresh_token", "id_token",
+        "private_key", "privatekey", "ssh_key", "sshkey", "passphrase",
     }
 
     if isinstance(body, dict):
@@ -118,6 +119,10 @@ def _truncate_body(body: Any, max_length: int = 500, sanitize: bool = True) -> s
         body = json.dumps(body, indent=2)
 
     body_str = str(body)
+
+    # Detect PEM private key material in string responses
+    if sanitize and "-----BEGIN" in body_str and "PRIVATE KEY" in body_str:
+        return "[REDACTED - private key material]"
     if len(body_str) > max_length:
         return body_str[:max_length] + f"\n... ({len(body_str) - max_length} more chars)"
     return body_str

{bt_cli-0.4.28 → bt_cli-0.4.30}/src/bt_cli/pws/client/passwordsafe.py

@@ -2,6 +2,8 @@
 
 from typing import Any, Optional, TYPE_CHECKING
 
+from ..models.common import CredentialType, CREDENTIAL_TYPE_META
+
 if TYPE_CHECKING:
     from .base import PasswordSafeClient
 
@@ -378,19 +380,32 @@ class PasswordSafeMixin:
             access_type=access_type,
         )
 
-    def get_credential(self: "PasswordSafeClient", request_id: int) -> dict[str, Any]:
-        """Get the credential (password) for an approved request.
+    def get_credential(
+        self: "PasswordSafeClient",
+        request_id: int,
+        credential_type: Optional[str] = None,
+    ) -> dict[str, Any]:
+        """Get the credential for an approved request.
 
         Args:
             request_id: Request ID
+            credential_type: Type of credential to retrieve:
+                password (default), dsskey (SSH private key), passphrase
 
         Returns:
-            Credential object with Password field
+            Credential dict with key based on type (Password, PrivateKey, or Passphrase)
         """
-        result = self.get(f"/Credentials/{request_id}")
-        # API returns password as plain string, wrap in dict for consistency
+        # Only send type param for non-default types (preserves backward compat)
+        params = {"type": credential_type} if credential_type and credential_type != "password" else None
+        result = self.get(f"/Credentials/{request_id}", params=params)
+
+        # Determine the response dict key based on credential type
+        ctype = CredentialType(credential_type) if credential_type else CredentialType.PASSWORD
+        meta = CREDENTIAL_TYPE_META[ctype]
+
+        # API returns credential as plain string, wrap in dict for consistency
         if isinstance(result, str):
-            return {"Password": result}
+            return {meta["key"]: result}
         return result
 
     def checkin_request(

{bt_cli-0.4.28 → bt_cli-0.4.30}/src/bt_cli/pws/commands/credentials.py

@@ -6,11 +6,13 @@ import json
 import httpx
 import typer
 from rich.console import Console
+from rich.markup import escape as rich_escape
 from rich.table import Table
 from rich.panel import Panel
 
 from ...core.output import print_error, print_api_error
 from ..client.base import get_client
+from ..models.common import CredentialType, CREDENTIAL_TYPE_META
 
 app = typer.Typer(no_args_is_help=True, help="Checkout and manage credentials in Password Safe")
 console = Console()
@@ -77,7 +79,8 @@ def checkout_credential(
                 f"System: {system}\n"
                 f"Account: {account}\n"
                 f"Duration: {duration} minutes\n\n"
-                f"[dim]Use 'pws credentials show {request_id}' to get the password[/dim]",
+                f"[dim]Use 'pws credentials show {request_id}' to get the password[/dim]\n"
+                f"[dim]For SSH keys: 'pws credentials show {request_id} --credential-type dsskey'[/dim]",
                 title="Checkout Request",
             ))
 
@@ -98,31 +101,42 @@ def checkout_credential(
 @app.command("show")
 def show_credential(
     request_id: int = typer.Argument(..., help="Request ID"),
+    credential_type: str = typer.Option(
+        "password", "--credential-type", help="Credential type: password, dsskey, passphrase"
+    ),
     output: str = typer.Option("table", "--output", "-o", help="Output format: table or json"),
-    raw: bool = typer.Option(False, "--raw", "-r", help="Output only the password (for scripts)"),
+    raw: bool = typer.Option(False, "--raw", "-r", help="Output only the credential value (for scripts)"),
 ) -> None:
-    """Get the password for an approved credential request.
+    """Get the credential for an approved request.
 
     Example:
         pws credentials show 12345
-        pws credentials show 12345 --raw   # Just the password for scripts
-        PASSWORD=$(bt pws credentials show 12345 --raw)
+        pws credentials show 12345 --raw
+        pws credentials show 12345 --credential-type dsskey --raw
+        KEY=$(bt pws credentials show 12345 --credential-type dsskey --raw)
     """
+    try:
+        ctype = CredentialType(credential_type)
+    except ValueError:
+        print_error(f"Invalid credential type: {credential_type}. Must be: password, dsskey, passphrase")
+        raise typer.Exit(1)
+
+    meta = CREDENTIAL_TYPE_META[ctype]
+
     try:
         with get_client() as client:
             client.authenticate()
-            credential = client.get_credential(request_id)
+            credential = client.get_credential(request_id, credential_type=credential_type)
 
         if raw:
-            # Output just the password with no formatting (for scripts)
-            print(credential.get("Password", ""), end="")
+            print(credential.get(meta["key"], ""), end="")
         elif output == "json":
             console.print_json(json.dumps(credential, default=str))
         else:
-            password = credential.get("Password", "N/A")
+            value = rich_escape(credential.get(meta["key"], "N/A"))
             console.print(Panel(
                 f"Request ID: [bold cyan]{request_id}[/bold cyan]\n"
-                f"Password: [bold green]{password}[/bold green]",
+                f"{meta['label']}: [bold green]{value}[/bold green]",
                 title="Credential",
             ))
 

{bt_cli-0.4.28 → bt_cli-0.4.30}/src/bt_cli/pws/commands/quick.py

@@ -6,12 +6,14 @@ import json
 import httpx
 import typer
 from rich.console import Console
+from rich.markup import escape as rich_escape
 from rich.panel import Panel
 from rich.table import Table
 
 from ...core.output import print_api_error, print_error, print_success, print_warning
 from ...core.prompts import prompt_if_missing, prompt_from_list, prompt_choice
 from ..client.base import get_client
+from ..models.common import CredentialType, CREDENTIAL_TYPE_META
 
 app = typer.Typer(no_args_is_help=True, help="Quick commands - common multi-step operations in one command")
 console = Console()
@@ -23,12 +25,13 @@ def quick_checkout(
     account: Optional[str] = typer.Option(None, "--account", "-a", help="Account name"),
     duration: int = typer.Option(60, "--duration", "-d", help="Duration in minutes"),
     reason: Optional[str] = typer.Option(None, "--reason", "-r", help="Reason for checkout"),
-    raw: bool = typer.Option(False, "--raw", help="Output only the password (for scripts)"),
+    credential_type: str = typer.Option("password", "--credential-type", help="Credential type: password, dsskey, passphrase"),
+    raw: bool = typer.Option(False, "--raw", help="Output only the credential value (for scripts)"),
     output: str = typer.Option("table", "--output", "-o", help="Output format: table or json"),
 ) -> None:
-    """Checkout credentials and show password in one step.
+    """Checkout credentials and show password/SSH key in one step.
 
-    Combines: find system -> find account -> checkout -> show password
+    Combines: find system -> find account -> checkout -> show credential
 
     If system or account not provided, prompts interactively.
 
@@ -37,6 +40,7 @@ def quick_checkout(
         bt pws quick checkout -s "axion-finapp-01" -a "root"
         bt pws quick checkout -s axion -a root --duration 30
         PASSWORD=$(bt pws quick checkout -s server -a admin --raw)
+        KEY=$(bt pws quick checkout -s server -a admin --credential-type dsskey --raw)
     """
     try:
         with get_client() as client:
@@ -115,12 +119,19 @@ def quick_checkout(
             request_id = request.get("RequestID")
 
             # Step 4: Get the credential
-            credential = client.get_credential(request_id)
-            password = credential.get("Password", "")
+            try:
+                ctype = CredentialType(credential_type)
+            except ValueError:
+                print_error(f"Invalid credential type: {credential_type}. Must be: password, dsskey, passphrase")
+                raise typer.Exit(1)
+            meta = CREDENTIAL_TYPE_META[ctype]
+
+            credential = client.get_credential(request_id, credential_type=credential_type)
+            value = credential.get(meta["key"], "")
 
         # Output
         if raw:
-            print(password, end="")
+            print(value, end="")
         elif output == "json":
             result = {
                 "request_id": request_id,
@@ -128,7 +139,8 @@ def quick_checkout(
                 "system_id": system_id,
                 "account": account_name,
                 "account_id": account_id,
-                "password": password,
+                "credential_type": credential_type,
+                meta["key"]: value,
                 "duration_minutes": duration,
             }
             console.print_json(json.dumps(result))
@@ -139,7 +151,7 @@ def quick_checkout(
                 f"Account: [cyan]{account_name}[/cyan] (ID: {account_id})\n"
                 f"Request ID: [bold yellow]{request_id}[/bold yellow]\n"
                 f"Duration: {duration} minutes\n\n"
-                f"Password: [bold green]{password}[/bold green]\n\n"
+                f"{meta['label']}: [bold green]{rich_escape(value)}[/bold green]\n\n"
                 f"[dim]Checkin: bt pws credentials checkin {request_id}[/dim]",
                 title="Quick Checkout",
             ))
@@ -288,16 +300,18 @@ def quick_password(
     system: Optional[str] = typer.Option(None, "--system", "-s", help="System name"),
     account: Optional[str] = typer.Option(None, "--account", "-a", help="Account name"),
     duration: int = typer.Option(5, "--duration", "-d", help="Duration in minutes (default: 5)"),
-    auto_checkin: bool = typer.Option(True, "--auto-checkin/--no-auto-checkin", help="Auto checkin after showing password"),
+    credential_type: str = typer.Option("password", "--credential-type", help="Credential type: password, dsskey, passphrase"),
+    auto_checkin: bool = typer.Option(True, "--auto-checkin/--no-auto-checkin", help="Auto checkin after showing credential"),
 ) -> None:
-    """Get a password quickly - checkout, show, and optionally auto-checkin.
+    """Get a credential quickly - checkout, show, and optionally auto-checkin.
 
-    Ideal for quick lookups where you just need to see/copy the password.
+    Ideal for quick lookups where you just need to see/copy the password or SSH key.
     If system or account not provided, prompts interactively.
 
     Examples:
         bt pws quick password                           # Interactive mode
         bt pws quick password -s server -a root
+        bt pws quick password -s server -a root --credential-type dsskey
         bt pws quick password -s db-server -a admin --no-auto-checkin
     """
     try:
@@ -361,12 +375,19 @@ def quick_password(
             )
             request_id = request.get("RequestID")
 
-            # Get password
-            credential = client.get_credential(request_id)
-            password = credential.get("Password", "")
+            # Get credential
+            try:
+                ctype = CredentialType(credential_type)
+            except ValueError:
+                print_error(f"Invalid credential type: {credential_type}. Must be: password, dsskey, passphrase")
+                raise typer.Exit(1)
+            meta = CREDENTIAL_TYPE_META[ctype]
+
+            credential = client.get_credential(request_id, credential_type=credential_type)
+            value = credential.get(meta["key"], "")
 
-            # Show password
-            console.print(f"\n[bold green]{password}[/bold green]\n")
+            # Show credential
+            console.print(f"\n[bold green]{rich_escape(value)}[/bold green]\n")
             console.print(f"[dim]{account_name}@{system_name} (Request: {request_id})[/dim]")
 
             # Auto checkin

{bt_cli-0.4.28 → bt_cli-0.4.30}/src/bt_cli/pws/models/common.py

@@ -1,10 +1,26 @@
 """Common models and types shared across the API."""
 
+from enum import Enum
 from typing import Any, Generic, Optional, TypeVar
 from datetime import datetime
 from pydantic import BaseModel, ConfigDict
 
 
+class CredentialType(str, Enum):
+    """Type of credential to retrieve from Password Safe."""
+
+    PASSWORD = "password"
+    DSSKEY = "dsskey"
+    PASSPHRASE = "passphrase"
+
+
+CREDENTIAL_TYPE_META = {
+    CredentialType.PASSWORD: {"key": "Password", "label": "Password"},
+    CredentialType.DSSKEY: {"key": "PrivateKey", "label": "Private Key"},
+    CredentialType.PASSPHRASE: {"key": "Passphrase", "label": "Passphrase"},
+}
+
+
 # Type variable for generic paginated responses
 T = TypeVar("T", bound=BaseModel)