cumulusci-plus 5.0.35__py3-none-any.whl → 5.0.43__py3-none-any.whl

cumulusci/tasks/salesforce/update_external_credential.py

@@ -4,8 +4,10 @@ from typing import Any, Dict, List, Optional
 from pydantic.v1 import root_validator
 
 from cumulusci.core.exceptions import SalesforceDXException
+from cumulusci.core.utils import determine_managed_mode
 from cumulusci.salesforce_api.utils import get_simple_salesforce_connection
 from cumulusci.tasks.salesforce import BaseSalesforceApiTask
+from cumulusci.utils import inject_namespace
 from cumulusci.utils.options import CCIOptions, Field
 
 
@@ -109,6 +111,10 @@ class ExternalCredentialParameter(CCIOptions):
         False,
         description="Is the value a secret. [default to False]",
     )
+    external_auth_identity_provider: str = Field(
+        None,
+        description="External auth identity provider name. [default to None]",
+    )
 
     @root_validator
     def check_parameters(cls, values):
@@ -125,6 +131,7 @@ class ExternalCredentialParameter(CCIOptions):
             "named_principal",
             "per_user_principal",
             "signing_certificate",
+            "external_auth_identity_provider",
         ]
 
         provided_params = [
@@ -157,9 +164,15 @@ class ExternalCredentialParameter(CCIOptions):
 
         if self.auth_provider is not None:
             ext_cred_param["parameterType"] = "AuthProvider"
-            ext_cred_param["parameterValue"] = self.auth_provider
             ext_cred_param["parameterName"] = "AuthProvider"
-            ext_cred_param["authProvider"] = ext_cred_param["parameterValue"]
+            ext_cred_param["authProvider"] = self.auth_provider
+
+        if self.external_auth_identity_provider is not None:
+            ext_cred_param["parameterType"] = "ExternalAuthIdentityProvider"
+            ext_cred_param["parameterName"] = "ExternalAuthIdentityProvider"
+            ext_cred_param[
+                "externalAuthIdentityProvider"
+            ] = self.external_auth_identity_provider
 
         if self.auth_provider_url is not None:
             ext_cred_param["parameterType"] = "AuthProviderUrl"
@@ -451,6 +464,16 @@ class UpdateExternalCredential(BaseSalesforceApiTask):
     ):
         """Update the parameters"""
         for param_input in external_credential_parameters:
+
+            if param_input.external_auth_identity_provider is not None:
+                param_input.external_auth_identity_provider = self._inject_namespace(
+                    param_input.external_auth_identity_provider
+                )
+            if param_input.auth_provider is not None:
+                param_input.auth_provider = self._inject_namespace(
+                    param_input.auth_provider
+                )
+
             param_to_update = param_input.get_external_credential_parameter()
             secret = param_to_update.pop("secret", False)
 
@@ -459,6 +482,15 @@ class UpdateExternalCredential(BaseSalesforceApiTask):
                 k: v for k, v in param_to_update.items() if k != "parameterValue"
             }
 
+            if param_to_update.get("parameterType") == "ExternalAuthIdentityProvider":
+                self._remove_conflicting_parameters(
+                    external_credential, "ExternalAuthIdentityProvider", log=False
+                )
+            elif param_to_update.get("parameterType") == "AuthProvider":
+                self._remove_conflicting_parameters(
+                    external_credential, "AuthProvider", log=False
+                )
+
             # Find existing parameter
             cred_param = next(
                 (
@@ -481,7 +513,7 @@ class UpdateExternalCredential(BaseSalesforceApiTask):
                         if cred_param.get("parameterName")
                         else ""
                     )
-                    + f" with new value {param_to_update['parameterValue'] if not secret else '********'}"
+                    + f" with new value {param_to_update.get('parameterValue', '') if not secret else '********'}"
                 )
             else:
                 # Add new parameter
@@ -499,9 +531,50 @@ class UpdateExternalCredential(BaseSalesforceApiTask):
                         if copy_template_param.get("parameterName")
                         else ""
                     )
-                    + f" with new value {param_to_update['parameterValue'] if not secret else '********'}"
+                    + f" with new value {param_to_update.get('parameterValue', '') if not secret else '********'}"
                 )
 
+            # Enforce mutual exclusivity between AuthProvider and ExternalAuthIdentityProvider
+            # If auth_provider is provided, remove any ExternalAuthIdentityProvider parameters
+            # If external_auth_identity_provider is provided, remove any AuthProvider parameters
+
+            if param_to_update.get("parameterType") == "AuthProvider":
+                self._remove_conflicting_parameters(
+                    external_credential, "ExternalAuthIdentityProvider"
+                )
+            elif param_to_update.get("parameterType") == "ExternalAuthIdentityProvider":
+                self._remove_conflicting_parameters(external_credential, "AuthProvider")
+
+    def _remove_conflicting_parameters(
+        self, external_credential: Dict[str, Any], parameter_type: str, log: bool = True
+    ):
+        """Remove conflicting parameter types from external credential.
+
+        Args:
+            external_credential: The external credential object
+            parameter_type: The parameter type to remove (e.g., 'AuthProvider' or 'ExternalAuthIdentityProvider')
+        """
+        if "externalCredentialParameters" not in external_credential:
+            return
+
+        original_count = len(external_credential["externalCredentialParameters"])
+
+        # Filter out parameters with the conflicting type
+        external_credential["externalCredentialParameters"] = [
+            param
+            for param in external_credential["externalCredentialParameters"]
+            if param.get("parameterType") != parameter_type
+        ]
+
+        removed_count = original_count - len(
+            external_credential["externalCredentialParameters"]
+        )
+
+        if removed_count > 0 and log:
+            self.logger.info(
+                f"Removed {removed_count} conflicting parameter(s) of type '{parameter_type}'"
+            )
+
     def _get_external_credential_template_parameter(self) -> Dict[str, Any]:
         """Get the external credential template parameter"""
         return {
@@ -560,3 +633,15 @@ class UpdateExternalCredential(BaseSalesforceApiTask):
                 raise SalesforceDXException(msg)
 
             self.logger.info(f"Updated credential {param.named_principal.name}")
+
+    def _inject_namespace(self, value: str) -> str:
+        _, value = inject_namespace(
+            "",
+            value,
+            namespace=self.parsed_options.namespace,
+            managed=determine_managed_mode(
+                self.options, self.project_config, self.org_config
+            ),
+            namespaced_org=self.org_config.namespaced or False,
+        )
+        return value

cumulusci/tasks/salesforce/update_record.py

@@ -0,0 +1,217 @@
+import os
+from typing import Optional
+
+from pydantic.v1 import root_validator
+
+from cumulusci.core.exceptions import SalesforceException
+from cumulusci.tasks.salesforce import BaseSalesforceApiTask
+from cumulusci.utils.options import CCIOptions, Field, MappingOption
+
+
+class UpdateRecord(BaseSalesforceApiTask):
+    task_docs = """
+        Update one or more Salesforce records.
+        For example, update by record ID:
+        cci task run update_record --org dev --object Account --record_id 001xx000003DGbXXXX --values Name:UpdatedName,Status__c:Active
+        Or update by query criteria:
+        cci task run update_record --org dev --object Account --where Name:TestAccount,Status__c:Draft --values Name:UpdatedName,Status__c:Active
+        Or use environment variables with transform_values:
+        cci task run update_record --org dev --object Account --record_id 001xx000003DGbXXXX --transform_values Name:ACCOUNT_NAME_VAR,Status__c:ACCOUNT_STATUS_VAR
+    """
+
+    class Options(CCIOptions):
+        object: str = Field(..., description="An sObject type to update")
+        values: Optional[MappingOption] = Field(
+            None,
+            description="Field names and values to update in the format 'aa:bb,cc:dd', or a YAML dict in cumulusci.yml.",
+        )
+        transform_values: Optional[MappingOption] = Field(
+            None,
+            description="Field names and environment variable keys in the format 'field:ENV_KEY,field2:ENV_KEY2'. Values will be extracted from environment variables.",
+        )
+        record_id: Optional[str] = Field(
+            None,
+            description="The ID of a specific record to update. If specified, the 'where' option is ignored.",
+        )
+        where: Optional[str] = Field(
+            None,
+            description="Query criteria to identify records in the format 'field:value,field2:value2'. Multiple records may be updated.",
+        )
+        tooling: bool = Field(
+            False, description="If True, use the Tooling API instead of REST API."
+        )
+        fail_on_error: bool = Field(
+            True,
+            description="If True (default), fail the task if any record update fails. If False, log errors but continue.",
+        )
+
+        @root_validator
+        def validate_options(cls, values):
+            """Validate required option combinations"""
+            # Validate that either record_id or where is provided
+            if not values.get("record_id") and not values.get("where"):
+                raise SalesforceException(
+                    "Either 'record_id' or 'where' option must be specified"
+                )
+
+            # Validate that at least values or transform_values is provided
+            if not values.get("values") and not values.get("transform_values"):
+                raise SalesforceException(
+                    "Either 'values' or 'transform_values' option must be specified"
+                )
+
+            return values
+
+    parsed_options: Options
+
+    def _init_task(self):
+        super()._init_task()
+        self.api = self.sf if not self.parsed_options.tooling else self.tooling
+
+        # Build the final values dict by merging values and transform_values
+        self.final_values = {}
+
+        # Start with regular values if provided
+        if self.parsed_options.values:
+            self.final_values.update(self.parsed_options.values)
+
+        # Process transform_values and extract from environment
+        if self.parsed_options.transform_values:
+            for field, env_key in self.parsed_options.transform_values.items():
+                env_value = os.environ.get(env_key, env_key)
+                self.final_values[field] = env_value
+                self.logger.info(
+                    f"Transform value for field '{field}': {env_key} -> {env_value}"
+                )
+
+    def _run_task(self):
+        if self.parsed_options.record_id:
+            # Direct update by record ID
+            self._update_by_id(self.parsed_options.record_id)
+        else:
+            # Query and update multiple records
+            self._update_by_query()
+
+    def _update_by_id(self, record_id):
+        """Update a single record by ID"""
+        object_handler = getattr(self.api, self.parsed_options.object)
+
+        try:
+            rc = object_handler.update(record_id, self.final_values)
+            if rc == 204 or (isinstance(rc, dict) and rc.get("success")):
+                self.logger.info(
+                    f"{self.parsed_options.object} record updated successfully: {record_id}"
+                )
+            else:
+                error_msg = (
+                    f"Could not update {self.parsed_options.object} record {record_id}"
+                )
+                if isinstance(rc, dict) and "errors" in rc:
+                    error_msg += f": {rc['errors']}"
+                if self.parsed_options.fail_on_error:
+                    raise SalesforceException(error_msg)
+                else:
+                    self.logger.error(error_msg)
+        except Exception as e:
+            if self.parsed_options.fail_on_error:
+                raise SalesforceException(
+                    f"Error updating {self.parsed_options.object} record {record_id}: {str(e)}"
+                )
+            else:
+                self.logger.error(
+                    f"Error updating {self.parsed_options.object} record {record_id}: {str(e)}"
+                )
+
+    def _update_by_query(self):
+        """Query records and update all matching records"""
+        # Parse where clause into query criteria - MappingOption already parses it
+        from cumulusci.core.utils import parse_list_of_pairs_dict_arg
+
+        where_criteria = parse_list_of_pairs_dict_arg(self.parsed_options.where)
+
+        # Build WHERE clause
+        where_parts = [
+            f"{field} = '{value}'" for field, value in where_criteria.items()
+        ]
+        where_clause = " AND ".join(where_parts)
+
+        # Build and execute query
+        query = f"SELECT Id FROM {self.parsed_options.object} WHERE {where_clause}"
+        self.logger.info(f"Querying records: {query}")
+
+        try:
+            result = self.api.query(query)
+        except Exception as e:
+            raise SalesforceException(f"Error executing query: {str(e)}")
+
+        records = result.get("records", [])
+        total_count = len(records)
+
+        if total_count == 0:
+            self.logger.warning(
+                f"No {self.parsed_options.object} records found matching criteria: {self.parsed_options.where}"
+            )
+            return
+
+        self.logger.info(
+            f"Found {total_count} {self.parsed_options.object} record(s) to update"
+        )
+
+        # Use different update strategy based on record count
+        if total_count == 1:
+            # Single record: use direct update
+            self._update_by_id(records[0]["Id"])
+        else:
+            # Multiple records: use bulk update
+            self._update_records_bulk(records)
+
+    def _update_records_bulk(self, records):
+        """Update multiple records using Bulk API"""
+        # Prepare data for bulk update
+        update_data = []
+        for record in records:
+            record_data = {"Id": record["Id"]}
+            record_data.update(self.final_values)
+            update_data.append(record_data)
+
+        self.logger.info(
+            f"Performing bulk update of {len(update_data)} {self.parsed_options.object} records"
+        )
+
+        try:
+            # Use Bulk API for update
+            results = self.bulk.update(self.parsed_options.object, update_data)
+
+            # Process results
+            success_count = 0
+            failed_records = []
+
+            for idx, result in enumerate(results):
+                record_id = update_data[idx]["Id"]
+                if result.success:
+                    success_count += 1
+                    self.logger.info(f"Updated record: {record_id}")
+                else:
+                    error_msg = f"Failed to update record {record_id}: {result.error}"
+                    failed_records.append({"id": record_id, "error": result.error})
+                    self.logger.error(error_msg)
+
+            # Summary logging
+            self.logger.info(
+                f"Bulk update complete: {success_count}/{len(update_data)} records updated successfully"
+            )
+
+            # Handle failures
+            if failed_records and self.parsed_options.fail_on_error:
+                error_summary = "\n".join(
+                    [f"  - {rec['id']}: {rec['error']}" for rec in failed_records]
+                )
+                raise SalesforceException(
+                    f"Failed to update {len(failed_records)} record(s):\n{error_summary}"
+                )
+
+        except Exception as e:
+            if self.parsed_options.fail_on_error:
+                raise SalesforceException(f"Bulk update failed: {str(e)}")
+            else:
+                self.logger.error(f"Bulk update failed: {str(e)}")

cumulusci/tasks/sfdmu/sfdmu.py

@@ -47,7 +47,20 @@ class SfdmuTask(BaseSalesforceTask, Command):
         super()._init_options(kwargs)
 
         # Convert path to absolute path
-        self.options["path"] = os.path.abspath(self.options["path"])
+        if "path" in self.options and self.options["path"]:
+            if os.path.isabs(self.options["path"]):
+                # Path is already absolute, normalize it
+                self.options["path"] = os.path.abspath(self.options["path"])
+            else:
+                # Path is relative, join with repo_root
+                repo_root = self.project_config.repo_root
+                if not repo_root:
+                    raise TaskOptionsError(
+                        "Cannot resolve relative path: no repository root found"
+                    )
+                self.options["path"] = os.path.abspath(
+                    os.path.join(repo_root, self.options["path"])
+                )
 
         # Validate that the path exists and contains export.json
         if not os.path.exists(self.options["path"]):

cumulusci/tasks/utility/credentialManager.py

@@ -1,7 +1,7 @@
 import logging
 import os
 from abc import ABC, abstractmethod
-from typing import Any, Optional
+from typing import Any, Optional, Union
 
 
 # Abstract Base Class for Credential Providers
@@ -66,6 +66,9 @@ class DevEnvironmentVariableProvider(CredentialProvider):
         self, key: str, options: Optional[dict[str, Any]] = None
     ) -> Any:
         value = options.get("value", None)
+        if isinstance(value, dict):
+            value = next(iter(value.values()))
+
         self.logger.info(f"Credentials for {key} from local environment is {value}.")
         return value
 
@@ -89,7 +92,12 @@ class EnvironmentVariableProvider(CredentialProvider):
         self, key: str, options: Optional[dict[str, Any]] = None
     ) -> Any:
         value = options.get("value", None)
+        if isinstance(value, dict):
+            value = next(iter(value.values()))
+
         ret_value = os.getenv(self.get_key(key))
+        if ret_value is None and value is not None:
+            ret_value = os.getenv(self.get_key(value))
         if ret_value is None:
             self.logger.info(f"Credentials for {key} from environment is {value}.")
         return ret_value or value
@@ -148,13 +156,18 @@ class AwsSecretsManagerProvider(CredentialProvider):
             raise ValueError("Secret name is required for AWS Secrets Manager.")
 
         try:
-            if secret_name in self.secrets_cache:
-                return self.secrets_cache[secret_name]
-
             import json
 
             import boto3
             from botocore.exceptions import ClientError
+        except ImportError:
+            raise RuntimeError(
+                "boto3 is not installed. Please install it using 'pip install boto3' or 'pipx inject cumulusci-plus-azure-devops boto3'."
+            )
+
+        try:
+            if secret_name in self.secrets_cache:
+                return self.secrets_cache[secret_name]
 
             # Boto3 automatically handles credential lookup. In an Azure Pipeline,
             # it will find the temporary credentials provided by the AWS Service Connection.
@@ -166,24 +179,49 @@ class AwsSecretsManagerProvider(CredentialProvider):
 
             get_secret_value_response = client.get_secret_value(SecretId=secret_name)
 
-            secret = get_secret_value_response["SecretString"]
+            if "SecretString" in get_secret_value_response:
+                secret = json.loads(get_secret_value_response["SecretString"])
+            elif "SecretBinary" in get_secret_value_response:
+                file_path = self.create_binary_file(
+                    secret_name, get_secret_value_response["SecretBinary"]
+                )
+                secret_key = key if key and key != "*" else os.path.basename(file_path)
+                secret = {secret_key: file_path}
+            else:
+                raise ValueError(f"Secret {secret_name} is not a valid secret.")
 
             # Assuming the secret is a JSON string with the credentials
             # We need to check the binary type of the secret at later development
-            self.secrets_cache[secret_name] = json.loads(secret)
+            self.secrets_cache[secret_name] = secret
 
             return self.secrets_cache[secret_name]
         except ClientError as e:
             # For a list of exceptions thrown, see
             # https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
             raise e
-        except ImportError:
-            raise RuntimeError(
-                "boto3 is not installed. Please install it using 'pip install boto3' or 'pipx inject cumulusci-plus-azure-devops boto3'."
-            )
+        except ValueError:
+            # Re-raise ValueError as-is (e.g., invalid secret format)
+            raise
         except Exception as e:
             raise RuntimeError(f"Failed to retrieve secret '{key}': {e}")
 
+    def create_binary_file(self, secret_name: str, content: Union[str, bytes]) -> str:
+        """
+        Write the binary content to a file.
+        secret_name is relative path to the root of the project.
+        create the directory if it doesn't exist.
+        return the absolute path to the file with windows or linux path separator.
+        """
+        absolute_path = os.path.abspath(os.path.join(".cci", secret_name))
+
+        try:
+            os.makedirs(os.path.dirname(absolute_path), exist_ok=True)
+            with open(absolute_path, "wb") as f:
+                f.write(content)
+            return absolute_path
+        except Exception as e:
+            raise RuntimeError(f"Failed to create binary file {absolute_path}: {e}")
+
 
 # Concrete Credential Provider for Azure Variable Groups
 class AzureVariableGroupProvider(CredentialProvider):
@@ -202,9 +240,17 @@ class AzureVariableGroupProvider(CredentialProvider):
         Looks for AWS credentials in environment variables exposed by
         an Azure variable group.
         """
+        value = options.get("value", None)
+        if isinstance(value, dict):
+            value = next(iter(value.values()))
+
         # Azure pipelines convert variable names to uppercase and replace dots with underscores.
-        key_env_var = self.get_key(key)
-        return os.getenv(key_env_var.upper().replace(".", "_"))
+        ret_value = os.getenv(self.get_key(key).upper().replace(".", "_"))
+
+        if ret_value is None and value is not None:
+            ret_value = os.getenv(self.get_key(value).upper().replace(".", "_"))
+
+        return ret_value
 
     def get_all_credentials(
         self, key: str, options: Optional[dict[str, Any]] = None

cumulusci/tasks/utility/secretsToEnv.py

@@ -27,8 +27,8 @@ class GenericOptions(CCIOptions):
 class SecretsToEnv(BaseTask):
     class Options(GenericOptions):
         secrets: Union[ListOfStringsOption, MappingOption] = Field(
-            [],
-            description="List of secret keys to retrieve be it with a list of keys or a mapping of secret name to key. Defaults to empty list.",
+            ...,
+            description="List of secret keys to retrieve be it with a list of keys or a mapping of key to secret name.",
         )
 
     parsed_options: Options