bt-cli 0.4.53__tar.gz → 0.4.54__tar.gz

{bt_cli-0.4.53 → bt_cli-0.4.54}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.53**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.54**
 
 ## Setup
 

{bt_cli-0.4.53 → bt_cli-0.4.54}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.53
+Version: 0.4.54
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.53 → bt_cli-0.4.54}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.53"
+version = "0.4.54"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

{bt_cli-0.4.53 → bt_cli-0.4.54}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.53"
+__version__ = "0.4.54"

{bt_cli-0.4.53 → bt_cli-0.4.54}/src/bt_cli/commands/configure.py

@@ -41,12 +41,26 @@ def configure_callback(
     ),
     api_url: Optional[str] = typer.Option(None, "--api-url", help="API URL"),
     client_id: Optional[str] = typer.Option(None, "--client-id", help="OAuth Client ID"),
-    client_secret: Optional[str] = typer.Option(None, "--client-secret", help="OAuth Client Secret"),
-    api_key: Optional[str] = typer.Option(None, "--api-key", help="API Key"),
+    client_secret: Optional[str] = typer.Option(
+        None,
+        "--client-secret",
+        help="OAuth Client Secret (visible in shell history/process list — prefer interactive `bt configure`)",
+    ),
+    api_key: Optional[str] = typer.Option(
+        None,
+        "--api-key",
+        help="API Key (visible in shell history/process list — prefer interactive `bt configure`)",
+    ),
     user_api_key: Optional[str] = typer.Option(
         None,
         "--user-api-key",
-        help="Entitle user-context API key (only required for `bt entitle requests create`)",
+        help="Entitle user-context API key, only required for `bt entitle requests create` "
+        "(visible in shell history/process list — prefer interactive `bt configure`)",
+    ),
+    show_input: bool = typer.Option(
+        False,
+        "--show-input",
+        help="Show secret values while typing/pasting in interactive mode (default: hidden)",
     ),
 ) -> None:
     """Configure bt-cli interactively or via flags.
@@ -79,10 +93,14 @@ def configure_callback(
         )
     else:
         # Interactive mode
-        _configure_interactive(product, profile)
+        _configure_interactive(product, profile, show_input=show_input)
 
 
-def _configure_interactive(product: Optional[str] = None, profile: Optional[str] = None) -> None:
+def _configure_interactive(
+    product: Optional[str] = None,
+    profile: Optional[str] = None,
+    show_input: bool = False,
+) -> None:
     """Run interactive configuration wizard."""
     console.print()
     console.print(Panel.fit(
@@ -164,17 +182,19 @@ def _configure_interactive(product: Optional[str] = None, profile: Optional[str]
                 choices=field_info["choices"],
                 default=str(default) if default else None
             )
-        # Handle secret fields - show the value (not hidden) for easier pasting verification
+        # Handle secret fields - input hidden by default (--show-input to reveal for
+        # paste verification); never echo more than the last 4 chars of an existing value
         elif field_info.get("secret"):
             if existing.get(field_name):
                 existing_val = str(existing[field_name])
                 if existing_val.startswith("keyring://"):
                     console.print(f"  [dim](current: stored in keyring)[/dim]")
                 else:
-                    console.print(f"  [dim](current: {existing_val[:20]}...)[/dim]" if len(existing_val) > 20 else f"  [dim](current: {existing_val})[/dim]")
-            # Don't use password=True so users can see what they paste
+                    hint = "****" + existing_val[-4:] if len(existing_val) > 4 else "****"
+                    console.print(f"  [dim](current: {hint}, press Enter to keep)[/dim]")
             value = Prompt.ask(
                 prompt_text,
+                password=not show_input,
                 default="" if not default else None
             )
             if not value and default:
@@ -198,6 +218,10 @@ def _configure_interactive(product: Optional[str] = None, profile: Optional[str]
                 console.print(f"  [dim]Stored in keyring[/dim]")
             else:
                 new_config[field_name] = value
+                print_warning(
+                    f"Keyring storage failed for '{field_name}' — "
+                    "value saved to config file instead (file mode 0600)"
+                )
         else:
             new_config[field_name] = value
 

{bt_cli-0.4.53 → bt_cli-0.4.54}/src/bt_cli/core/config_file.py

@@ -9,6 +9,8 @@ Supports:
 
 import logging
 import os
+import sys
+import tempfile
 from dataclasses import dataclass, field
 from pathlib import Path
 from typing import Any, Optional
@@ -242,7 +244,14 @@ def load_config_file(path: Optional[Path] = None) -> ConfigFile:
             profiles=data.get("profiles", {}),
         )
     except (yaml.YAMLError, OSError) as e:
-        # Return empty config on error, caller can handle
+        # Fall back to empty config, but tell the user — a corrupt/unreadable
+        # file silently ignored looks like "my profiles disappeared"
+        logger.warning(f"Failed to load config file {path}: {e}")
+        print(
+            f"\033[93mWarning: could not read config file {path} ({type(e).__name__}) - "
+            "ignoring it. Fix or delete the file to silence this warning.\033[0m",
+            file=sys.stderr,
+        )
         return ConfigFile()
 
 
@@ -267,9 +276,6 @@ def save_config_file(config: ConfigFile, path: Optional[Path] = None) -> None:
     # Security: Create file atomically with secure permissions (0o600)
     # This prevents TOCTOU race where file could be readable between
     # creation and chmod.
-    import os
-    import sys
-    import tempfile
 
     # Write to temp file in same directory, then atomic rename
     dir_path = path.parent
@@ -283,10 +289,9 @@ def save_config_file(config: ConfigFile, path: Optional[Path] = None) -> None:
                 os.fchmod(fd, 0o600)
             with os.fdopen(fd, "w") as f:
                 yaml.dump(data, f, default_flow_style=False, sort_keys=False)
-            # Atomic rename (on Windows, need to remove target first if exists)
-            if sys.platform == "win32" and path.exists():
-                os.unlink(path)
-            os.rename(tmp_path, path)
+            # os.replace overwrites atomically on POSIX and Windows alike —
+            # no delete-then-rename window where the config doesn't exist
+            os.replace(tmp_path, path)
             # On Windows, set permissions after the fact using chmod
             if sys.platform == "win32":
                 try:

{bt_cli-0.4.53 → bt_cli-0.4.54}/src/bt_cli/core/output.py

@@ -5,6 +5,7 @@ from enum import Enum
 from typing import Any, Optional
 
 from rich.console import Console
+from rich.markup import escape
 from rich.panel import Panel
 from rich.table import Table
 
@@ -141,7 +142,7 @@ def print_success(message: str) -> None:
     Args:
         message: Message to display
     """
-    console.print(f"[green]{message}[/green]")
+    console.print(f"[green]{escape(message)}[/green]")
 
 
 def print_error(message: str) -> None:
@@ -150,7 +151,7 @@ def print_error(message: str) -> None:
     Args:
         message: Error message to display
     """
-    console.print(f"[red]Error:[/red] {message}")
+    console.print(f"[red]Error:[/red] {escape(message)}")
 
 
 def print_warning(message: str) -> None:
@@ -159,7 +160,7 @@ def print_warning(message: str) -> None:
     Args:
         message: Warning message to display
     """
-    console.print(f"[yellow]Warning:[/yellow] {message}")
+    console.print(f"[yellow]Warning:[/yellow] {escape(message)}")
 
 
 def print_info(message: str) -> None:
@@ -168,7 +169,7 @@ def print_info(message: str) -> None:
     Args:
         message: Info message to display
     """
-    console.print(f"[blue]{message}[/blue]")
+    console.print(f"[blue]{escape(message)}[/blue]")
 
 
 def confirm_action(message: str, default: bool = False) -> bool:
@@ -202,4 +203,4 @@ def print_api_error(error: Exception, operation: str) -> None:
         operation: Description of the operation that failed (e.g., "list systems")
     """
     message = handle_api_error(error, operation)
-    console.print(f"[red]Error:[/red] {message}")
+    console.print(f"[red]Error:[/red] {escape(message)}")

{bt_cli-0.4.53 → bt_cli-0.4.54}/src/bt_cli/core/prompts.py

@@ -64,10 +64,11 @@ def prompt_from_list(
         The selected ID
     """
     console.print(f"\n[bold]{title}:[/bold]")
+    id_width = max((len(str(item.get(id_key, ""))) for item in items), default=1)
     for item in items:
         item_id = item.get(id_key, "")
         item_name = item.get(name_key, "Unknown")
-        console.print(f"  {item_id}: {item_name}")
+        console.print(f"  {str(item_id):>{id_width}}: {item_name}")
     raw = typer.prompt(prompt_text, type=value_type)
     if value_type is str:
         return _clean_str(raw)  # type: ignore[return-value]

{bt_cli-0.4.53 → bt_cli-0.4.54}/src/bt_cli/core/rest_debug.py

@@ -9,9 +9,12 @@ from typing import Any, Dict
 
 import httpx
 from rich.console import Console
+from rich.markup import escape as rich_escape
 from rich.panel import Panel
 from rich.syntax import Syntax
 
+from .errors import sanitize_error_message
+
 # Global flag for REST debugging
 _show_rest = False
 
@@ -120,9 +123,13 @@ def _truncate_body(body: Any, max_length: int = 500, sanitize: bool = True) -> s
 
     body_str = str(body)
 
-    # Detect PEM private key material in string responses
-    if sanitize and "-----BEGIN" in body_str and "PRIVATE KEY" in body_str:
-        return "[REDACTED - private key material]"
+    if sanitize:
+        # Detect PEM private key material in string responses
+        if "-----BEGIN" in body_str and "PRIVATE KEY" in body_str:
+            return "[REDACTED - private key material]"
+        # String bodies (form-encoded requests, bare-string JSON, plain text)
+        # never pass through _sanitize_body — regex-redact them here.
+        body_str = sanitize_error_message(body_str)
     if len(body_str) > max_length:
         return body_str[:max_length] + f"\n... ({len(body_str) - max_length} more chars)"
     return body_str
@@ -135,7 +142,8 @@ def log_request(request: httpx.Request) -> None:
 
     # Build request info
     method = request.method
-    url = str(request.url)
+    # Sanitize in case a credential ever lands in a query string or userinfo
+    url = sanitize_error_message(str(request.url))
     headers = _sanitize_headers(request.headers)
 
     # Get request body if present
@@ -146,21 +154,21 @@ def log_request(request: httpx.Request) -> None:
         except (json.JSONDecodeError, UnicodeDecodeError):
             body = request.content
 
-    # Build output
+    # Build output (escape dynamic values so they can't inject Rich markup)
     lines = [
-        f"[bold cyan]{method}[/bold cyan] [white]{url}[/white]",
+        f"[bold cyan]{method}[/bold cyan] [white]{rich_escape(url)}[/white]",
         "",
         "[dim]Headers:[/dim]",
     ]
 
     for key, value in headers.items():
-        lines.append(f"  [green]{key}:[/green] {value}")
+        lines.append(f"  [green]{rich_escape(key)}:[/green] {rich_escape(value)}")
 
     if body:
         lines.append("")
         lines.append("[dim]Body:[/dim]")
         body_str = _truncate_body(body, max_length=300)
-        lines.append(f"  {body_str}")
+        lines.append(f"  {rich_escape(body_str)}")
 
     _console.print(Panel(
         "\n".join(lines),
@@ -197,12 +205,12 @@ def log_response(response: httpx.Response) -> None:
     except Exception:
         body = "(could not read response)"
 
-    # Build output
+    # Build output (escape server-controlled values so they can't inject Rich markup)
     lines = [
-        f"[bold {status_color}]{status_code} {status_text}[/bold {status_color}]",
+        f"[bold {status_color}]{status_code} {rich_escape(status_text)}[/bold {status_color}]",
         "",
         "[dim]Response Body:[/dim]",
-        _truncate_body(body, max_length=500),
+        rich_escape(_truncate_body(body, max_length=500)),
     ]
 
     _console.print(Panel(

{bt_cli-0.4.53 → bt_cli-0.4.54}/tests/core/test_config.py

@@ -210,7 +210,8 @@ class TestLoadPWSConfig:
         """Load PWS config from environment variables (OAuth)."""
         with patch.dict(os.environ, pws_env_vars):
             with patch("bt_cli.core.config.get_layered_config", return_value={}):
-                config = load_pws_config()
+                with patch("bt_cli.core.config.load_dotenv"):  # Prevent loading .env
+                    config = load_pws_config()
 
         assert config.api_url == pws_env_vars["BT_PWS_API_URL"]
         assert config.client_id == pws_env_vars["BT_PWS_CLIENT_ID"]
@@ -223,7 +224,8 @@ class TestLoadPWSConfig:
         """Load PWS config from environment variables (API key)."""
         with patch.dict(os.environ, pws_env_vars_apikey):
             with patch("bt_cli.core.config.get_layered_config", return_value={}):
-                config = load_pws_config()
+                with patch("bt_cli.core.config.load_dotenv"):  # Prevent loading .env
+                    config = load_pws_config()
 
         assert config.api_url == pws_env_vars_apikey["BT_PWS_API_URL"]
         assert config.api_key == pws_env_vars_apikey["BT_PWS_API_KEY"]

bt_cli-0.4.54/tests/core/test_config_file.py

@@ -0,0 +1,67 @@
+"""Tests for file-based configuration (config_file.py)."""
+
+from pathlib import Path
+
+from bt_cli.core.config_file import (
+    ConfigFile,
+    load_config_file,
+    save_config_file,
+)
+
+
+class TestSaveLoadRoundTrip:
+    """Saving and loading the config file preserves content and permissions."""
+
+    def test_round_trip(self, tmp_path):
+        path = tmp_path / "config.yaml"
+        config = ConfigFile(
+            default_profile="prod",
+            profiles={"prod": {"pws": {"api_url": "https://example.com/api"}}},
+        )
+        save_config_file(config, path)
+
+        loaded = load_config_file(path)
+        assert loaded.default_profile == "prod"
+        assert loaded.profiles["prod"]["pws"]["api_url"] == "https://example.com/api"
+
+    def test_save_sets_owner_only_permissions(self, tmp_path):
+        path = tmp_path / "config.yaml"
+        save_config_file(ConfigFile(), path)
+
+        mode = path.stat().st_mode & 0o777
+        assert mode == 0o600
+
+    def test_save_overwrites_existing_file(self, tmp_path):
+        path = tmp_path / "config.yaml"
+        save_config_file(ConfigFile(default_profile="one"), path)
+        save_config_file(ConfigFile(default_profile="two"), path)
+
+        assert load_config_file(path).default_profile == "two"
+
+    def test_no_temp_files_left_behind(self, tmp_path):
+        path = tmp_path / "config.yaml"
+        save_config_file(ConfigFile(), path)
+
+        leftovers = [p for p in tmp_path.iterdir() if p.name != "config.yaml"]
+        assert leftovers == []
+
+
+class TestLoadFailures:
+    """Unreadable/corrupt config files fall back to empty config with a warning."""
+
+    def test_missing_file_returns_empty_config_silently(self, tmp_path, capsys):
+        loaded = load_config_file(tmp_path / "does-not-exist.yaml")
+
+        assert loaded.profiles == {}
+        assert capsys.readouterr().err == ""
+
+    def test_corrupt_yaml_warns_on_stderr(self, tmp_path, capsys):
+        path = tmp_path / "config.yaml"
+        path.write_text("default_profile: [unclosed\n  bad: : yaml")
+
+        loaded = load_config_file(path)
+
+        assert loaded.profiles == {}
+        err = capsys.readouterr().err
+        assert "could not read config file" in err
+        assert str(path) in err

bt_cli-0.4.54/tests/core/test_output.py

@@ -0,0 +1,44 @@
+"""Tests for shared output helpers."""
+
+from io import StringIO
+
+from rich.console import Console
+
+from bt_cli.core import output as output_mod
+from bt_cli.core.output import print_error, print_info, print_success, print_warning
+
+
+def _capture(monkeypatch, func, message):
+    """Run a print_* helper against a real Console and return what it rendered."""
+    buf = StringIO()
+    console = Console(file=buf, force_terminal=False, width=200)
+    monkeypatch.setattr(output_mod, "console", console)
+    func(message)
+    return buf.getvalue()
+
+
+class TestMarkupEscaping:
+    """Server/user-controlled text in messages must not inject Rich markup."""
+
+    def test_print_error_escapes_markup(self, monkeypatch):
+        rendered = _capture(
+            monkeypatch, print_error, "[green]Connection successful[/green]"
+        )
+        # Literal brackets survive instead of being interpreted as markup
+        assert "[green]Connection successful[/green]" in rendered
+
+    def test_print_warning_escapes_markup(self, monkeypatch):
+        rendered = _capture(monkeypatch, print_warning, "[blink]look here[/blink]")
+        assert "[blink]look here[/blink]" in rendered
+
+    def test_print_success_escapes_markup(self, monkeypatch):
+        rendered = _capture(monkeypatch, print_success, "done [red]x[/red]")
+        assert "done [red]x[/red]" in rendered
+
+    def test_print_info_escapes_markup(self, monkeypatch):
+        rendered = _capture(monkeypatch, print_info, "info [bold]y[/bold]")
+        assert "info [bold]y[/bold]" in rendered
+
+    def test_plain_message_unchanged(self, monkeypatch):
+        rendered = _capture(monkeypatch, print_error, "plain failure text")
+        assert "plain failure text" in rendered

{bt_cli-0.4.53 → bt_cli-0.4.54}/tests/core/test_rest_debug.py

@@ -164,6 +164,27 @@ class TestTruncateBody:
         assert "binary data" in result
         assert "5 bytes" in result
 
+    def test_form_encoded_client_secret_redacted(self):
+        """Form-encoded string bodies (OAuth token exchange) are redacted."""
+        body = b"grant_type=client_credentials&client_id=my-id&client_secret=super-secret-value"
+        result = _truncate_body(body)
+
+        assert "super-secret-value" not in result
+        assert "[REDACTED]" in result
+        assert "client_id=my-id" in result  # non-secret fields untouched
+
+    def test_plain_text_password_redacted(self):
+        """password=... in plain-text string bodies is redacted."""
+        result = _truncate_body("error: login failed for password=hunter2 retry")
+
+        assert "hunter2" not in result
+        assert "[REDACTED]" in result
+
+    def test_string_body_not_redacted_when_sanitize_off(self):
+        """sanitize=False leaves string bodies untouched."""
+        body = "client_secret=super-secret-value"
+        assert _truncate_body(body, sanitize=False) == body
+
 
 # =============================================================================
 # Request Logging Tests
@@ -196,6 +217,43 @@ class TestLogRequest:
             log_request(request)
             mock_console.print.assert_called()
 
+    def test_oauth_token_exchange_secret_not_logged(self):
+        """The form-encoded client_secret from the OAuth token exchange never
+        appears in --show-rest output (mirrors OAuthClientCredentials.authenticate)."""
+        set_show_rest(True)
+
+        request = httpx.Request(
+            "POST",
+            "https://test.com/Auth/connect/token",
+            data={
+                "grant_type": "client_credentials",
+                "client_id": "my-client-id",
+                "client_secret": "super-secret-value",
+            },
+        )
+
+        with patch("bt_cli.core.rest_debug._console") as mock_console:
+            log_request(request)
+
+        panel = mock_console.print.call_args[0][0]
+        assert "super-secret-value" not in panel.renderable
+        assert "[REDACTED]" in panel.renderable
+
+    def test_query_string_credential_not_logged(self):
+        """Credentials in query strings are redacted from the logged URL."""
+        set_show_rest(True)
+
+        request = httpx.Request(
+            "GET", "https://test.com/api/endpoint?api_key=super-secret-value"
+        )
+
+        with patch("bt_cli.core.rest_debug._console") as mock_console:
+            log_request(request)
+
+        panel = mock_console.print.call_args[0][0]
+        assert "super-secret-value" not in panel.renderable
+        assert "[REDACTED]" in panel.renderable
+
 
 # =============================================================================
 # Response Logging Tests
@@ -230,6 +288,22 @@ class TestLogResponse:
             log_response(response)
             mock_console.print.assert_called()
 
+    def test_server_markup_in_body_escaped(self):
+        """Rich markup in a server-controlled response body cannot inject styling."""
+        set_show_rest(True)
+
+        request = httpx.Request("GET", "https://test.com")
+        response = httpx.Response(
+            200, json={"message": "[bold red]fake error[/bold red]"}, request=request
+        )
+
+        with patch("bt_cli.core.rest_debug._console") as mock_console:
+            log_response(response)
+
+        panel = mock_console.print.call_args_list[0][0][0]
+        # The markup must arrive escaped (backslash-prefixed), not live
+        assert "\\[bold red]" in panel.renderable
+
 
 # =============================================================================
 # Event Hooks Tests