bt-cli 0.4.29__tar.gz → 0.4.31__tar.gz

{bt_cli-0.4.29 → bt_cli-0.4.31}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, and EPM Windows. **Version: 0.4.29**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, and EPM Windows. **Version: 0.4.31**
 
 ## Setup
 

{bt_cli-0.4.29 → bt_cli-0.4.31}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.29
+Version: 0.4.31
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.29 → bt_cli-0.4.31}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.29"
+version = "0.4.31"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

{bt_cli-0.4.29 → bt_cli-0.4.31}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.29"
+__version__ = "0.4.31"

{bt_cli-0.4.29 → bt_cli-0.4.31}/src/bt_cli/core/rest_debug.py

@@ -74,6 +74,7 @@ def _sanitize_body(body: Any) -> Any:
         "client_secret", "client-secret", "clientsecret",
         "authorization", "bearer", "credential", "credentials",
         "access_token", "refresh_token", "id_token",
+        "private_key", "privatekey", "ssh_key", "sshkey", "passphrase",
     }
 
     if isinstance(body, dict):
@@ -118,6 +119,10 @@ def _truncate_body(body: Any, max_length: int = 500, sanitize: bool = True) -> s
         body = json.dumps(body, indent=2)
 
     body_str = str(body)
+
+    # Detect PEM private key material in string responses
+    if sanitize and "-----BEGIN" in body_str and "PRIVATE KEY" in body_str:
+        return "[REDACTED - private key material]"
     if len(body_str) > max_length:
         return body_str[:max_length] + f"\n... ({len(body_str) - max_length} more chars)"
     return body_str

{bt_cli-0.4.29 → bt_cli-0.4.31}/src/bt_cli/pws/client/passwordsafe.py

@@ -2,6 +2,8 @@
 
 from typing import Any, Optional, TYPE_CHECKING
 
+from ..models.common import CredentialType, CREDENTIAL_TYPE_META
+
 if TYPE_CHECKING:
     from .base import PasswordSafeClient
 
@@ -378,19 +380,32 @@ class PasswordSafeMixin:
             access_type=access_type,
         )
 
-    def get_credential(self: "PasswordSafeClient", request_id: int) -> dict[str, Any]:
-        """Get the credential (password) for an approved request.
+    def get_credential(
+        self: "PasswordSafeClient",
+        request_id: int,
+        credential_type: Optional[str] = None,
+    ) -> dict[str, Any]:
+        """Get the credential for an approved request.
 
         Args:
             request_id: Request ID
+            credential_type: Type of credential to retrieve:
+                password (default), dsskey (SSH private key), passphrase
 
         Returns:
-            Credential object with Password field
+            Credential dict with key based on type (Password, PrivateKey, or Passphrase)
         """
-        result = self.get(f"/Credentials/{request_id}")
-        # API returns password as plain string, wrap in dict for consistency
+        # Only send type param for non-default types (preserves backward compat)
+        params = {"type": credential_type} if credential_type and credential_type != "password" else None
+        result = self.get(f"/Credentials/{request_id}", params=params)
+
+        # Determine the response dict key based on credential type
+        ctype = CredentialType(credential_type) if credential_type else CredentialType.PASSWORD
+        meta = CREDENTIAL_TYPE_META[ctype]
+
+        # API returns credential as plain string, wrap in dict for consistency
         if isinstance(result, str):
-            return {"Password": result}
+            return {meta["key"]: result}
         return result
 
     def checkin_request(
@@ -806,16 +821,29 @@ class PasswordSafeMixin:
     ) -> list[dict[str, Any]]:
         """List user groups.
 
-        Args:
-            search: Optional name filter
-
-        Returns:
-            List of user group objects
+        /UserGroups does not support pagination. The ``name`` server-side
+        param is an exact match, so filtering is handled client-side.
         """
-        params = {}
+        result = self.get("/UserGroups")
+        if isinstance(result, list):
+            groups = result
+        elif isinstance(result, dict):
+            if "GroupID" in result:
+                groups = [result]
+            else:
+                groups = result.get("Data", result.get("results", []))
+        else:
+            groups = []
+
         if search:
-            params["name"] = search
-        return self.paginate("/UserGroups", params=params)
+            search_lower = search.lower()
+            groups = [
+                g for g in groups
+                if search_lower in (g.get("Name", "") or "").lower()
+                or search_lower in (g.get("Description", "") or "").lower()
+            ]
+
+        return groups
 
     def get_user_group(self: "PasswordSafeClient", group_id: int) -> dict[str, Any]:
         """Get a user group by ID.
@@ -833,13 +861,16 @@ class PasswordSafeMixin:
     ) -> list[dict[str, Any]]:
         """Get users in a user group.
 
-        Args:
-            group_id: User group ID
-
-        Returns:
-            List of user objects (includes ClientID, AccessPolicyID for API users)
+        /UserGroups/{id}/Users does not support pagination.
         """
-        return self.paginate(f"/UserGroups/{group_id}/Users")
+        result = self.get(f"/UserGroups/{group_id}/Users")
+        if isinstance(result, list):
+            return result
+        if isinstance(result, dict):
+            if "UserID" in result:
+                return [result]
+            return result.get("Data", result.get("results", []))
+        return []
 
     # =========================================================================
     # Users
@@ -849,20 +880,29 @@ class PasswordSafeMixin:
         self: "PasswordSafeClient",
         search: Optional[str] = None,
         limit: Optional[int] = None,
+        include_inactive: bool = False,
     ) -> list[dict[str, Any]]:
         """List users.
 
-        Args:
-            search: Optional username search filter (client-side filtering)
-            limit: Maximum number of results (None for all)
-
-        Returns:
-            List of user objects
+        /Users does not support pagination. The ``username`` server-side
+        param is an exact match (returns a single user dict or 404), so
+        searching is handled client-side across username/first/last/email.
         """
-        # API doesn't support server-side search, so we fetch all and filter client-side
-        users = self.paginate("/Users")
+        params: dict[str, Any] = {}
+        if include_inactive:
+            params["includeInactive"] = "true"
+
+        result = self.get("/Users", params=params)
+        if isinstance(result, list):
+            users = result
+        elif isinstance(result, dict):
+            if "UserID" in result:
+                users = [result]
+            else:
+                users = result.get("Data", result.get("results", []))
+        else:
+            users = []
 
-        # Apply client-side search filter
         if search:
             search_lower = search.lower()
             users = [
@@ -873,7 +913,6 @@ class PasswordSafeMixin:
                 or search_lower in (u.get("EmailAddress", "") or "").lower()
             ]
 
-        # Apply limit
         if limit is not None:
             users = users[:limit]
 

{bt_cli-0.4.29 → bt_cli-0.4.31}/src/bt_cli/pws/commands/credentials.py

@@ -6,11 +6,13 @@ import json
 import httpx
 import typer
 from rich.console import Console
+from rich.markup import escape as rich_escape
 from rich.table import Table
 from rich.panel import Panel
 
 from ...core.output import print_error, print_api_error
 from ..client.base import get_client
+from ..models.common import CredentialType, CREDENTIAL_TYPE_META
 
 app = typer.Typer(no_args_is_help=True, help="Checkout and manage credentials in Password Safe")
 console = Console()
@@ -77,7 +79,8 @@ def checkout_credential(
                 f"System: {system}\n"
                 f"Account: {account}\n"
                 f"Duration: {duration} minutes\n\n"
-                f"[dim]Use 'pws credentials show {request_id}' to get the password[/dim]",
+                f"[dim]Use 'pws credentials show {request_id}' to get the password[/dim]\n"
+                f"[dim]For SSH keys: 'pws credentials show {request_id} --credential-type dsskey'[/dim]",
                 title="Checkout Request",
             ))
 
@@ -98,31 +101,42 @@ def checkout_credential(
 @app.command("show")
 def show_credential(
     request_id: int = typer.Argument(..., help="Request ID"),
+    credential_type: str = typer.Option(
+        "password", "--credential-type", help="Credential type: password, dsskey, passphrase"
+    ),
     output: str = typer.Option("table", "--output", "-o", help="Output format: table or json"),
-    raw: bool = typer.Option(False, "--raw", "-r", help="Output only the password (for scripts)"),
+    raw: bool = typer.Option(False, "--raw", "-r", help="Output only the credential value (for scripts)"),
 ) -> None:
-    """Get the password for an approved credential request.
+    """Get the credential for an approved request.
 
     Example:
         pws credentials show 12345
-        pws credentials show 12345 --raw   # Just the password for scripts
-        PASSWORD=$(bt pws credentials show 12345 --raw)
+        pws credentials show 12345 --raw
+        pws credentials show 12345 --credential-type dsskey --raw
+        KEY=$(bt pws credentials show 12345 --credential-type dsskey --raw)
     """
+    try:
+        ctype = CredentialType(credential_type)
+    except ValueError:
+        print_error(f"Invalid credential type: {credential_type}. Must be: password, dsskey, passphrase")
+        raise typer.Exit(1)
+
+    meta = CREDENTIAL_TYPE_META[ctype]
+
     try:
         with get_client() as client:
             client.authenticate()
-            credential = client.get_credential(request_id)
+            credential = client.get_credential(request_id, credential_type=credential_type)
 
         if raw:
-            # Output just the password with no formatting (for scripts)
-            print(credential.get("Password", ""), end="")
+            print(credential.get(meta["key"], ""), end="")
         elif output == "json":
             console.print_json(json.dumps(credential, default=str))
         else:
-            password = credential.get("Password", "N/A")
+            value = rich_escape(credential.get(meta["key"], "N/A"))
             console.print(Panel(
                 f"Request ID: [bold cyan]{request_id}[/bold cyan]\n"
-                f"Password: [bold green]{password}[/bold green]",
+                f"{meta['label']}: [bold green]{value}[/bold green]",
                 title="Credential",
             ))
 

{bt_cli-0.4.29 → bt_cli-0.4.31}/src/bt_cli/pws/commands/quick.py

@@ -6,12 +6,14 @@ import json
 import httpx
 import typer
 from rich.console import Console
+from rich.markup import escape as rich_escape
 from rich.panel import Panel
 from rich.table import Table
 
 from ...core.output import print_api_error, print_error, print_success, print_warning
 from ...core.prompts import prompt_if_missing, prompt_from_list, prompt_choice
 from ..client.base import get_client
+from ..models.common import CredentialType, CREDENTIAL_TYPE_META
 
 app = typer.Typer(no_args_is_help=True, help="Quick commands - common multi-step operations in one command")
 console = Console()
@@ -23,12 +25,13 @@ def quick_checkout(
     account: Optional[str] = typer.Option(None, "--account", "-a", help="Account name"),
     duration: int = typer.Option(60, "--duration", "-d", help="Duration in minutes"),
     reason: Optional[str] = typer.Option(None, "--reason", "-r", help="Reason for checkout"),
-    raw: bool = typer.Option(False, "--raw", help="Output only the password (for scripts)"),
+    credential_type: str = typer.Option("password", "--credential-type", help="Credential type: password, dsskey, passphrase"),
+    raw: bool = typer.Option(False, "--raw", help="Output only the credential value (for scripts)"),
     output: str = typer.Option("table", "--output", "-o", help="Output format: table or json"),
 ) -> None:
-    """Checkout credentials and show password in one step.
+    """Checkout credentials and show password/SSH key in one step.
 
-    Combines: find system -> find account -> checkout -> show password
+    Combines: find system -> find account -> checkout -> show credential
 
     If system or account not provided, prompts interactively.
 
@@ -37,6 +40,7 @@ def quick_checkout(
         bt pws quick checkout -s "axion-finapp-01" -a "root"
         bt pws quick checkout -s axion -a root --duration 30
         PASSWORD=$(bt pws quick checkout -s server -a admin --raw)
+        KEY=$(bt pws quick checkout -s server -a admin --credential-type dsskey --raw)
     """
     try:
         with get_client() as client:
@@ -115,12 +119,19 @@ def quick_checkout(
             request_id = request.get("RequestID")
 
             # Step 4: Get the credential
-            credential = client.get_credential(request_id)
-            password = credential.get("Password", "")
+            try:
+                ctype = CredentialType(credential_type)
+            except ValueError:
+                print_error(f"Invalid credential type: {credential_type}. Must be: password, dsskey, passphrase")
+                raise typer.Exit(1)
+            meta = CREDENTIAL_TYPE_META[ctype]
+
+            credential = client.get_credential(request_id, credential_type=credential_type)
+            value = credential.get(meta["key"], "")
 
         # Output
         if raw:
-            print(password, end="")
+            print(value, end="")
         elif output == "json":
             result = {
                 "request_id": request_id,
@@ -128,7 +139,8 @@ def quick_checkout(
                 "system_id": system_id,
                 "account": account_name,
                 "account_id": account_id,
-                "password": password,
+                "credential_type": credential_type,
+                meta["key"]: value,
                 "duration_minutes": duration,
             }
             console.print_json(json.dumps(result))
@@ -139,7 +151,7 @@ def quick_checkout(
                 f"Account: [cyan]{account_name}[/cyan] (ID: {account_id})\n"
                 f"Request ID: [bold yellow]{request_id}[/bold yellow]\n"
                 f"Duration: {duration} minutes\n\n"
-                f"Password: [bold green]{password}[/bold green]\n\n"
+                f"{meta['label']}: [bold green]{rich_escape(value)}[/bold green]\n\n"
                 f"[dim]Checkin: bt pws credentials checkin {request_id}[/dim]",
                 title="Quick Checkout",
             ))
@@ -288,16 +300,18 @@ def quick_password(
     system: Optional[str] = typer.Option(None, "--system", "-s", help="System name"),
     account: Optional[str] = typer.Option(None, "--account", "-a", help="Account name"),
     duration: int = typer.Option(5, "--duration", "-d", help="Duration in minutes (default: 5)"),
-    auto_checkin: bool = typer.Option(True, "--auto-checkin/--no-auto-checkin", help="Auto checkin after showing password"),
+    credential_type: str = typer.Option("password", "--credential-type", help="Credential type: password, dsskey, passphrase"),
+    auto_checkin: bool = typer.Option(True, "--auto-checkin/--no-auto-checkin", help="Auto checkin after showing credential"),
 ) -> None:
-    """Get a password quickly - checkout, show, and optionally auto-checkin.
+    """Get a credential quickly - checkout, show, and optionally auto-checkin.
 
-    Ideal for quick lookups where you just need to see/copy the password.
+    Ideal for quick lookups where you just need to see/copy the password or SSH key.
     If system or account not provided, prompts interactively.
 
     Examples:
         bt pws quick password                           # Interactive mode
         bt pws quick password -s server -a root
+        bt pws quick password -s server -a root --credential-type dsskey
         bt pws quick password -s db-server -a admin --no-auto-checkin
     """
     try:
@@ -361,12 +375,19 @@ def quick_password(
             )
             request_id = request.get("RequestID")
 
-            # Get password
-            credential = client.get_credential(request_id)
-            password = credential.get("Password", "")
+            # Get credential
+            try:
+                ctype = CredentialType(credential_type)
+            except ValueError:
+                print_error(f"Invalid credential type: {credential_type}. Must be: password, dsskey, passphrase")
+                raise typer.Exit(1)
+            meta = CREDENTIAL_TYPE_META[ctype]
+
+            credential = client.get_credential(request_id, credential_type=credential_type)
+            value = credential.get(meta["key"], "")
 
-            # Show password
-            console.print(f"\n[bold green]{password}[/bold green]\n")
+            # Show credential
+            console.print(f"\n[bold green]{rich_escape(value)}[/bold green]\n")
             console.print(f"[dim]{account_name}@{system_name} (Request: {request_id})[/dim]")
 
             # Auto checkin

{bt_cli-0.4.29 → bt_cli-0.4.31}/src/bt_cli/pws/commands/users.py

@@ -179,23 +179,29 @@ def print_roles_table(roles: list[dict], title: str = "Roles") -> None:
 
 @app.command("list")
 def list_users(
-    search: Optional[str] = typer.Option(None, "--search", "-s", help="Search by username"),
+    search: Optional[str] = typer.Option(None, "--search", "-s", help="Search by username (also matches first/last/email)"),
     limit: int = typer.Option(50, "--limit", "-l", help="Maximum results (default: 50)"),
-    fetch_all: bool = typer.Option(False, "--all", help="Fetch all results (may be slow)"),
+    fetch_all: bool = typer.Option(False, "--all", help="Fetch all results"),
+    include_inactive: bool = typer.Option(False, "--include-inactive", help="Include inactive users"),
     output: str = typer.Option("table", "--output", "-o", help="Output format: table or json"),
 ) -> None:
     """List all users.
 
     Examples:
-        bt pws users list                    # First 50 users
-        bt pws users list --all              # All users
+        bt pws users list                    # First 50 active users
+        bt pws users list --all              # All active users
+        bt pws users list --include-inactive # Include inactive users
         bt pws users list -s "admin"         # Search by username
         bt pws users list -o json            # JSON output
     """
     try:
         with get_client() as client:
             client.authenticate()
-            users = client.list_users(search=search, limit=None if fetch_all else limit)
+            users = client.list_users(
+                search=search,
+                limit=None if fetch_all else limit,
+                include_inactive=include_inactive,
+            )
 
         if output == "json":
             console.print_json(json.dumps(users, default=str))

{bt_cli-0.4.29 → bt_cli-0.4.31}/src/bt_cli/pws/models/common.py

@@ -1,10 +1,26 @@
 """Common models and types shared across the API."""
 
+from enum import Enum
 from typing import Any, Generic, Optional, TypeVar
 from datetime import datetime
 from pydantic import BaseModel, ConfigDict
 
 
+class CredentialType(str, Enum):
+    """Type of credential to retrieve from Password Safe."""
+
+    PASSWORD = "password"
+    DSSKEY = "dsskey"
+    PASSPHRASE = "passphrase"
+
+
+CREDENTIAL_TYPE_META = {
+    CredentialType.PASSWORD: {"key": "Password", "label": "Password"},
+    CredentialType.DSSKEY: {"key": "PrivateKey", "label": "Private Key"},
+    CredentialType.PASSPHRASE: {"key": "Passphrase", "label": "Passphrase"},
+}
+
+
 # Type variable for generic paginated responses
 T = TypeVar("T", bound=BaseModel)