cloudsmith-cli 1.12.1__tar.gz → 1.13.0__tar.gz

{cloudsmith_cli-1.12.1/cloudsmith_cli.egg-info → cloudsmith_cli-1.13.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cloudsmith-cli
-Version: 1.12.1
+Version: 1.13.0
 Summary: Cloudsmith Command-Line Interface (CLI)
 Home-page: https://github.com/cloudsmith-io/cloudsmith-cli
 Author: Cloudsmith Ltd
@@ -34,7 +34,7 @@ Requires-Dist: json5>=0.9.0
 Requires-Dist: cloudsmith-api<3.0,>=2.0.24
 Requires-Dist: keyring>=25.4.1
 Requires-Dist: mcp==1.9.1
-Requires-Dist: toon-python==0.1.2
+Requires-Dist: python-toon==0.1.2
 Requires-Dist: requests>=2.18.4
 Requires-Dist: requests_toolbelt>=1.0.0
 Requires-Dist: semver>=2.7.9
@@ -102,6 +102,7 @@ The CLI currently supports the following commands (and sub-commands):
   - `packages`:             List packages for a repository. (Aliases `repos list`)
   - `repos`:                List repositories for a namespace (owner).
 - `login`|`token`:        Retrieve your API authentication token/key via login.
+- `logout`:               Clear stored authentication credentials and SSO tokens (Keyring, API key from credential file and emit warning when `$CLOUDSMITH_API_KEY` is still set).
 - `metrics`:              Metrics and statistics for a repository.
   - `tokens`:               Retrieve bandwidth usage for entitlement tokens.
   - `packages`:             Retrieve package usage for repository.

{cloudsmith_cli-1.12.1 → cloudsmith_cli-1.13.0}/README.md

@@ -47,6 +47,7 @@ The CLI currently supports the following commands (and sub-commands):
   - `packages`:             List packages for a repository. (Aliases `repos list`)
   - `repos`:                List repositories for a namespace (owner).
 - `login`|`token`:        Retrieve your API authentication token/key via login.
+- `logout`:               Clear stored authentication credentials and SSO tokens (Keyring, API key from credential file and emit warning when `$CLOUDSMITH_API_KEY` is still set).
 - `metrics`:              Metrics and statistics for a repository.
   - `tokens`:               Retrieve bandwidth usage for entitlement tokens.
   - `packages`:             Retrieve package usage for repository.

{cloudsmith_cli-1.12.1 → cloudsmith_cli-1.13.0}/cloudsmith_cli/cli/commands/__init__.py

@@ -12,6 +12,7 @@ from . import (
     help_,
     list_,
     login,
+    logout,
     mcp,
     metrics,
     move,

{cloudsmith_cli-1.12.1 → cloudsmith_cli-1.13.0}/cloudsmith_cli/cli/commands/auth.py

@@ -9,14 +9,16 @@ from ..exceptions import handle_api_exceptions
 from ..saml import create_configured_session, get_idp_url
 from ..webserver import AuthenticationWebRequestHandler, AuthenticationWebServer
 from .main import main
-from .tokens import create
+from .tokens import create, request_api_key
 
 # Authentication server configuration
 AUTH_SERVER_HOST = "127.0.0.1"
 AUTH_SERVER_PORT = 12400
 
 
-def _perform_saml_authentication(opts, owner, enable_token_creation=False, json=False):
+def _perform_saml_authentication(
+    opts, owner, enable_token_creation=False, use_stderr=False
+):
     """Perform SAML authentication via web browser and local web server."""
     session = create_configured_session(opts)
     api_host = opts.api_config.host
@@ -25,12 +27,12 @@ def _perform_saml_authentication(opts, owner, enable_token_creation=False, json=
 
     click.echo(
         f"Opening your organization's SAML IDP URL in your browser: {click.style(idp_url, bold=True)}",
-        err=json,
+        err=use_stderr,
     )
-    click.echo(err=json)
+    click.echo(err=use_stderr)
     webbrowser.open(idp_url)
 
-    click.echo("Starting webserver to begin authentication ... ", err=json)
+    click.echo("Starting webserver to begin authentication ... ", err=use_stderr)
 
     auth_server = AuthenticationWebServer(
         (AUTH_SERVER_HOST, AUTH_SERVER_PORT),
@@ -60,14 +62,14 @@ def _perform_saml_authentication(opts, owner, enable_token_creation=False, json=
     "--token",
     default=False,
     is_flag=True,
-    help="Retrieve a user API token after successful authentication.",
+    help="[DEPRECATED: Use --request-api-key] Retrieve a user API token after successful authentication.",
 )
 @click.option(
     "-f",
     "--force",
     default=False,
     is_flag=True,
-    help="Force refresh of user API token without prompts.",
+    help="[DEPRECATED: Use --request-api-key] Force refresh of user API token without prompts.",
 )
 @click.option(
     "--save-config",
@@ -79,17 +81,49 @@ def _perform_saml_authentication(opts, owner, enable_token_creation=False, json=
     "--json",
     default=False,
     is_flag=True,
-    help="Output token details in json format.",
+    help="[DEPRECATED: Use --output-format json] Output token details in JSON format.",
+)
+@click.option(
+    "--request-api-key",
+    "request_api_key_flag",
+    default=False,
+    is_flag=True,
+    help="Retrieve API token (auto-creates or auto-rotates, no prompts). "
+    "Warning: If token exists, this will rotate it and invalidate the old key.",
 )
 @decorators.common_cli_config_options
 @decorators.common_cli_output_options
 @decorators.initialise_api
 @click.pass_context
-def authenticate(ctx, opts, owner, token, force, save_config, json):
+def authenticate(
+    ctx, opts, owner, token, force, save_config, json, request_api_key_flag
+):
     """Authenticate to Cloudsmith using the org's SAML setup."""
-    json = json or utils.should_use_stderr(opts)
-    # If using json output, we redirect info messages to stderr
-    use_stderr = json
+    # Validate mutual exclusivity
+    if request_api_key_flag and (token or force):
+        raise click.UsageError(
+            "--request-api-key cannot be used with --token or --force. "
+            "Use --request-api-key alone for fully automated token retrieval."
+        )
+
+    # Determine if we should redirect info messages to stderr
+    use_stderr = request_api_key_flag or json or utils.should_use_stderr(opts)
+
+    if token:
+        click.secho(
+            "DEPRECATION WARNING: The `--token` flag is deprecated and will be removed in a future release. "
+            "Please use `--request-api-key` instead.",
+            fg="yellow",
+            err=True,
+        )
+
+    if force:
+        click.secho(
+            "DEPRECATION WARNING: The `--force` flag is deprecated and will be removed in a future release. "
+            "Please use `--request-api-key` instead (force is implied).",
+            fg="yellow",
+            err=True,
+        )
 
     if json and not utils.should_use_stderr(opts):
         click.secho(
@@ -106,11 +140,34 @@ def authenticate(ctx, opts, owner, token, force, save_config, json):
         err=use_stderr,
     )
 
+    # Determine if we need to refresh API after SSO (required for token operations)
+    enable_token_creation = token or request_api_key_flag
+
     context_message = "Failed to authenticate via SSO!"
     with handle_api_exceptions(ctx, opts=opts, context_msg=context_message):
         _perform_saml_authentication(
-            opts, owner, enable_token_creation=token, json=json
+            opts,
+            owner,
+            enable_token_creation=enable_token_creation,
+            use_stderr=use_stderr,
         )
 
+    if request_api_key_flag:
+        # Non-interactive token retrieval
+        new_token = request_api_key(ctx, opts, save_config=save_config)
+
+        if not new_token:
+            raise click.ClickException(
+                "Failed to retrieve API token. No token was returned."
+            )
+
+        # Check if JSON output is requested
+        if utils.maybe_print_as_json(opts, new_token):
+            return
+
+        # Default: output only the raw token value to stdout
+        click.echo(new_token.key)
+        return
+
     if token:
         ctx.invoke(create, opts=opts, save_config=save_config, force=force, json=json)

cloudsmith_cli-1.13.0/cloudsmith_cli/cli/commands/logout.py

@@ -0,0 +1,151 @@
+# Copyright 2026 Cloudsmith Ltd
+"""CLI/Commands - Log out and clear authentication state."""
+
+import os
+
+import click
+import cloudsmith_api
+
+from ...core import keyring
+from .. import decorators, utils
+from ..config import CredentialsReader
+from .main import main
+
+
+def _clear_credentials(dry_run, use_stderr):
+    """Clear credential files. Returns result dict."""
+    creds_files = CredentialsReader.find_existing_files()
+    if not creds_files:
+        click.echo("No credentials file found.", err=use_stderr)
+        return {"action": "not_found", "files": []}
+
+    if not dry_run:
+        for path in creds_files:
+            CredentialsReader.clear_api_key(path)
+
+    verb = "Would remove" if dry_run else "Removed"
+    for path in creds_files:
+        click.echo(
+            f"{verb} credentials from: " + click.style(path, bold=True),
+            err=use_stderr,
+        )
+    action = "would_remove" if dry_run else "removed"
+    return {"action": action, "files": list(creds_files)}
+
+
+def _clear_keyring(api_host, dry_run, use_stderr):
+    """Clear SSO tokens from keyring. Returns result dict."""
+    if not keyring.should_use_keyring():
+        click.secho(
+            "Keyring is disabled (CLOUDSMITH_NO_KEYRING is set).",
+            fg="yellow",
+            err=use_stderr,
+        )
+        return {"action": "disabled"}
+
+    if not keyring.has_sso_tokens(api_host):
+        click.echo("No SSO tokens found in system keyring.", err=use_stderr)
+        return {"action": "not_found"}
+
+    if dry_run:
+        click.echo("Would remove SSO tokens from system keyring.", err=use_stderr)
+        return {"action": "would_remove"}
+
+    deleted = keyring.delete_sso_tokens(api_host)
+    action = "removed" if deleted else "failed"
+    msg = f"{'Removed' if deleted else 'Failed to remove'} SSO tokens from system keyring."
+    click.secho(msg, fg=None if deleted else "red", err=use_stderr)
+    return {"action": action} if deleted else {"action": action, "message": msg}
+
+
+def _env_api_key_status():
+    """Return structured status for the CLOUDSMITH_API_KEY env var."""
+    is_set = bool(os.environ.get("CLOUDSMITH_API_KEY"))
+    return {
+        "is_set": is_set,
+        "action": "unset CLOUDSMITH_API_KEY" if is_set else "none",
+    }
+
+
+def _collect_warnings(keyring_only, config_only):
+    """Collect advisory warnings based on flags and environment."""
+    warnings = []
+    if config_only:
+        warnings.append("SSO tokens were not modified (--config-only).")
+    if keyring_only:
+        warnings.append("credentials.ini was not modified (--keyring-only).")
+    if os.environ.get("CLOUDSMITH_API_KEY"):
+        warnings.append(
+            "CLOUDSMITH_API_KEY is set in your environment. "
+            "Run: unset CLOUDSMITH_API_KEY"
+        )
+    return warnings
+
+
+@main.command()
+@click.option(
+    "--api-host",
+    envvar="CLOUDSMITH_API_HOST",
+    default=None,
+    help="The API host to clear keyring tokens for.",
+)
+@click.option(
+    "--keyring-only",
+    is_flag=True,
+    default=False,
+    help="Only clear SSO tokens from the system keyring.",
+)
+@click.option(
+    "--config-only",
+    is_flag=True,
+    default=False,
+    help="Only clear credentials from credentials.ini.",
+)
+@click.option(
+    "--dry-run",
+    is_flag=True,
+    default=False,
+    help="Show what would be removed without removing anything.",
+)
+@decorators.common_cli_config_options
+@decorators.common_cli_output_options
+@click.pass_context
+def logout(ctx, opts, api_host, keyring_only, config_only, dry_run):
+    """Clear stored authentication credentials and SSO tokens."""
+    if keyring_only and config_only:
+        raise click.UsageError(
+            "--keyring-only and --config-only are mutually exclusive."
+        )
+
+    if api_host is None:
+        api_host = opts.api_host or cloudsmith_api.Configuration().host
+
+    use_stderr = utils.should_use_stderr(opts)
+
+    credential_file = (
+        _clear_credentials(dry_run, use_stderr)
+        if not keyring_only
+        else {"action": "skipped", "files": []}
+    )
+    keyring_result = (
+        _clear_keyring(api_host, dry_run, use_stderr)
+        if not config_only
+        else {"action": "skipped"}
+    )
+    warnings = _collect_warnings(keyring_only, config_only)
+
+    for warning in warnings:
+        click.secho(f"Note: {warning}", fg="yellow", err=use_stderr)
+
+    utils.maybe_print_as_json(
+        opts,
+        {
+            "api_host": api_host,
+            "dry_run": dry_run,
+            "sources": {
+                "credential_file": credential_file,
+                "keyring": keyring_result,
+                "environment_api_key": _env_api_key_status(),
+            },
+        },
+    )

{cloudsmith_cli-1.12.1 → cloudsmith_cli-1.13.0}/cloudsmith_cli/cli/commands/tokens.py

@@ -31,6 +31,77 @@ def handle_duplicate_token_error(exc, ctx, opts, save_config, force, json):
     raise exc
 
 
+def request_api_key(ctx, opts, save_config=False):
+    """
+    Request an API key non-interactively.
+
+    This function creates a new token or rotates an existing one without any prompts.
+    Used by the --request-api-key flag in the auth command.
+
+    Returns the token object on success.
+    Raises ApiException on failure.
+    """
+    context_msg = "Failed to retrieve API token!"
+
+    try:
+        # Don't use handle_api_exceptions here so we can catch and handle
+        # the "already has token" error ourselves
+        with utils.maybe_spinner(opts):
+            new_token = api.create_user_token_saml()
+
+        if save_config:
+            create, has_errors = create_config_files(
+                ctx, opts, api_key=new_token.key, force=True
+            )
+            new_config_messaging(has_errors, opts, create, api_key=new_token.key)
+
+        return new_token
+
+    except exceptions.ApiException as exc:
+        if exc.status == 401:
+            # Unauthorized - re-raise with handler
+            with handle_api_exceptions(ctx, opts=opts, context_msg=context_msg):
+                raise
+
+        if (
+            exc.status == 400
+            and exc.detail
+            and "User has already created an API key" in exc.detail
+        ):
+            # Token exists - rotate it automatically
+            click.echo(
+                "Warning: Rotating existing API token. Your old key will be invalidated.",
+                err=True,
+            )
+
+            # List tokens and select the first one
+            with handle_api_exceptions(ctx, opts=opts, context_msg=context_msg):
+                with utils.maybe_spinner(opts):
+                    api_tokens = api.list_user_tokens()
+
+            if not api_tokens:
+                raise click.ClickException("No existing tokens found to rotate.")
+
+            token_slug = api_tokens[0].slug_perm
+
+            # Refresh the token
+            with handle_api_exceptions(ctx, opts=opts, context_msg=context_msg):
+                with utils.maybe_spinner(opts):
+                    new_token = api.refresh_user_token(token_slug)
+
+            if save_config:
+                create, has_errors = create_config_files(
+                    ctx, opts, api_key=new_token.key, force=True
+                )
+                new_config_messaging(has_errors, opts, create, api_key=new_token.key)
+
+            return new_token
+
+        # Other errors - use the handler
+        with handle_api_exceptions(ctx, opts=opts, context_msg=context_msg):
+            raise exc
+
+
 @main.group(cls=command.AliasGroup, name="tokens")
 @decorators.common_cli_config_options
 @decorators.common_cli_output_options

cloudsmith_cli-1.13.0/cloudsmith_cli/cli/commands/whoami.py

@@ -0,0 +1,193 @@
+"""CLI/Commands - Retrieve authentication status."""
+
+import os
+
+import click
+
+from ...core import keyring
+from ...core.api.exceptions import ApiException
+from ...core.api.user import get_token_metadata, get_user_brief
+from .. import decorators, utils
+from ..config import CredentialsReader
+from ..exceptions import handle_api_exceptions
+from .main import main
+
+
+def _get_active_method(api_config):
+    """Inspect API config to determine SSO, API key, or no auth."""
+    headers = getattr(api_config, "headers", {}) or {}
+    if headers.get("Authorization", "").startswith("Bearer "):
+        return "sso_token"
+    if (getattr(api_config, "api_key", {}) or {}).get("X-Api-Key"):
+        return "api_key"
+    return "none"
+
+
+def _get_api_key_source(opts):
+    """Determine where the API key was loaded from.
+
+    Checks in priority order matching actual resolution:
+    CLI --api-key flag > CLOUDSMITH_API_KEY env var > credentials.ini.
+    """
+    if not opts.api_key:
+        return {"configured": False, "source": None, "source_key": None}
+
+    env_key = os.environ.get("CLOUDSMITH_API_KEY")
+
+    # If env var is set but differs from the resolved key, CLI flag won
+    if env_key and opts.api_key != env_key:
+        source, key = "CLI --api-key flag", "cli_flag"
+    elif env_key:
+        suffix = env_key[-4:]
+        source, key = f"CLOUDSMITH_API_KEY env var (ends with ...{suffix})", "env_var"
+    elif creds := CredentialsReader.find_existing_files():
+        source, key = f"credentials.ini ({creds[0]})", "credentials_file"
+    else:
+        source, key = "CLI --api-key flag", "cli_flag"
+
+    return {"configured": True, "source": source, "source_key": key}
+
+
+def _get_sso_status(api_host):
+    """Return SSO token status from the system keyring."""
+    enabled = keyring.should_use_keyring()
+    has_tokens = enabled and keyring.has_sso_tokens(api_host)
+    refreshed = keyring.get_refresh_attempted_at(api_host) if has_tokens else None
+
+    return {
+        "configured": has_tokens,
+        "keyring_enabled": enabled,
+        "source": "System Keyring" if has_tokens else None,
+        "last_refreshed": utils.fmt_datetime(refreshed) if refreshed else None,
+    }
+
+
+def _get_verbose_auth_data(opts, api_host):
+    """Gather all auth details for verbose output."""
+    api_key_info = _get_api_key_source(opts)
+    sso_info = _get_sso_status(api_host)
+
+    # Fetch token metadata (extra API call, graceful fallback)
+    token_meta = None
+    if api_key_info["configured"]:
+        try:
+            token_meta = get_token_metadata()
+        except ApiException:
+            token_meta = None
+
+    created = token_meta.get("created") if token_meta else None
+    api_key_info["slug"] = token_meta["slug"] if token_meta else None
+    api_key_info["created"] = utils.fmt_datetime(created) if created else None
+
+    return {
+        "active_method": _get_active_method(opts.api_config),
+        "api_key": api_key_info,
+        "sso": sso_info,
+    }
+
+
+def _print_user_line(name, username, email):
+    """Print a styled user identity line."""
+    styled_name = click.style(name or "Unknown", fg="cyan")
+    styled_slug = click.style(username or "Unknown", fg="magenta")
+    email_part = f", email: {click.style(email, fg='green')}" if email else ""
+    click.echo(f"User: {styled_name} (slug: {styled_slug}{email_part})")
+
+
+def _print_verbose_text(data):
+    """Print verbose authentication details as styled text."""
+    click.echo()
+    _print_user_line(data["name"], data["username"], data.get("email"))
+
+    auth = data["auth"]
+    active = auth["active_method"]
+    ak = auth["api_key"]
+    sso = auth["sso"]
+
+    click.echo()
+    if active == "sso_token":
+        click.secho("Authentication Method: SSO Token (primary)", fg="cyan", bold=True)
+        if sso.get("source"):
+            click.echo(f"  Source: {sso['source']}")
+        if sso.get("last_refreshed"):
+            click.echo(
+                f"  Last Refreshed: {sso['last_refreshed']} (refreshes every 30 min)"
+            )
+        if ak["configured"]:
+            click.echo()
+            click.secho("API Key: Also configured", fg="yellow")
+            if ak.get("source"):
+                click.echo(f"  Source: {ak['source']}")
+            click.echo("  Note: SSO token is being used instead")
+    elif active == "api_key":
+        click.secho("Authentication Method: API Key", fg="cyan", bold=True)
+        for label, field in [
+            ("Source", "source"),
+            ("Token Slug", "slug"),
+            ("Created", "created"),
+        ]:
+            if ak.get(field):
+                click.echo(f"  {label}: {ak[field]}")
+    else:
+        click.secho("Authentication Method: None (anonymous)", fg="yellow", bold=True)
+
+    if active != "sso_token":
+        click.echo()
+        if not sso["keyring_enabled"]:
+            click.secho(
+                "SSO Status: Keyring disabled (CLOUDSMITH_NO_KEYRING)", fg="yellow"
+            )
+        elif sso["configured"]:
+            click.secho("SSO Status: Configured (not active)", fg="yellow")
+            click.echo(f"  Source: {sso['source']}")
+        else:
+            click.echo("SSO Status: Not configured")
+            click.echo("  Keyring: Enabled (no tokens stored)")
+
+
+@main.command()
+@decorators.common_cli_config_options
+@decorators.common_cli_output_options
+@decorators.common_api_auth_options
+@decorators.initialise_api
+@click.pass_context
+def whoami(ctx, opts):
+    """Retrieve your current authentication status."""
+    use_stderr = utils.should_use_stderr(opts)
+
+    click.echo(
+        "Retrieving your authentication status from the API ... ",
+        nl=False,
+        err=use_stderr,
+    )
+
+    context_msg = "Failed to retrieve your authentication status!"
+    with handle_api_exceptions(ctx, opts=opts, context_msg=context_msg):
+        with utils.maybe_spinner(opts):
+            is_auth, username, email, name = get_user_brief()
+    click.secho("OK", fg="green", err=use_stderr)
+
+    data = {
+        "is_authenticated": is_auth,
+        "username": username,
+        "email": email,
+        "name": name,
+    }
+
+    if opts.verbose:
+        api_host = getattr(opts.api_config, "host", None) or opts.api_host
+        data["auth"] = _get_verbose_auth_data(opts, api_host)
+
+    if utils.maybe_print_as_json(opts, data):
+        return
+
+    if not is_auth:
+        click.echo("You are authenticated as:")
+        click.secho("Nobody (i.e. anonymous user)", fg="yellow")
+        return
+
+    if opts.verbose:
+        _print_verbose_text(data)
+    else:
+        click.echo("You are authenticated as:")
+        _print_user_line(name, username, email)

{cloudsmith_cli-1.12.1 → cloudsmith_cli-1.13.0}/cloudsmith_cli/cli/config.py

@@ -208,6 +208,44 @@ class CredentialsReader(ConfigReader):
     config_searchpath = list(_CFG_SEARCH_PATHS)
     config_section_schemas = [CredentialsSchema.Default, CredentialsSchema.Profile]
 
+    @classmethod
+    def find_existing_files(cls):
+        """Return a list of existing credentials file paths."""
+        paths = []
+        seen = set()
+        for filename in cls.config_files:
+            for searchpath in cls.config_searchpath:
+                path = os.path.join(searchpath, filename)
+                if os.path.exists(path) and path not in seen:
+                    paths.append(path)
+                    seen.add(path)
+        return paths
+
+    @classmethod
+    def _set_api_key(cls, path, api_key=""):
+        """Write api_key value in a credentials file, preserving structure."""
+        with open(path) as f:
+            content = f.read()
+        replacement = rf"\1 = {api_key}" if api_key else r"\1 ="
+        content = re.sub(
+            r"^(api_key)\s*=\s*.*$",
+            replacement,
+            content,
+            flags=re.MULTILINE,
+        )
+        with open(path, "w") as f:
+            f.write(content)
+
+    @classmethod
+    def clear_api_key(cls, path):
+        """Clear api_key values in a credentials file, preserving structure."""
+        cls._set_api_key(path)
+
+    @classmethod
+    def update_api_key(cls, path, api_key):
+        """Update api_key value in an existing credentials file, preserving structure."""
+        cls._set_api_key(path, api_key)
+
 
 class Options:
     """Options object that holds config for the application."""

cloudsmith_cli-1.13.0/cloudsmith_cli/cli/tests/commands/conftest.py

@@ -0,0 +1,27 @@
+import pytest
+
+
+class MockToken:
+    """Mock Token object with the properties needed for testing."""
+
+    def __init__(self, key, created, slug_perm):
+        self.key = key
+        self.created = created
+        self.slug_perm = slug_perm
+
+    def to_dict(self):
+        return {
+            "key": self.key,
+            "created": self.created,
+            "slug_perm": self.slug_perm,
+        }
+
+
+@pytest.fixture
+def mock_token():
+    """Return a default MockToken for use in tests."""
+    return MockToken(
+        key="ck_test123456",
+        created="2026-02-06T00:00:00Z",
+        slug_perm="test-token",
+    )