das-cli 1.2.32__tar.gz → 1.2.34__tar.gz

{das_cli-1.2.32/das_cli.egg-info → das_cli-1.2.34}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: das-cli
-Version: 1.2.32
+Version: 1.2.34
 Summary: DAS api client.
 Author: Royal Netherlands Institute for Sea Research
 License-Expression: MIT

das_cli-1.2.34/das/authentication/oauth.py

@@ -0,0 +1,324 @@
+"""
+OAuth 2.0 Authorization Code + PKCE flow for Azure Entra / Azure AD.
+
+Uses only stdlib + requests (already a dependency).
+"""
+import base64
+import hashlib
+import json
+import secrets
+import socket
+import threading
+import time
+import urllib.parse
+import webbrowser
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from typing import Optional, Tuple
+
+import requests
+
+
+def _decode_jwt_payload(token: str) -> dict:
+    """Decode a JWT payload (no signature verification — only for reading claims)."""
+    try:
+        parts = token.split(".")
+        if len(parts) != 3:
+            return {}
+        payload = parts[1]
+        payload += "=" * (4 - len(payload) % 4)  # fix padding
+        return json.loads(base64.urlsafe_b64decode(payload))
+    except Exception:
+        return {}
+
+
+def _find_free_port() -> int:
+    """Bind to port 0 and return the OS-assigned ephemeral port."""
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+        s.bind(("127.0.0.1", 0))
+        return s.getsockname()[1]
+
+
+def _generate_pkce() -> Tuple[str, str]:
+    """Return (code_verifier, code_challenge) using S256 method."""
+    code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
+    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
+    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
+    return code_verifier, code_challenge
+
+
+_SUCCESS_HTML = """<!DOCTYPE html><html><body style="font-family:sans-serif;text-align:center;margin-top:80px">
+<h2 style="color:#2e7d32">&#10003; Authentication successful!</h2>
+<p>You may close this browser tab and return to the terminal.</p>
+</body></html>"""
+
+_ERROR_HTML = """<!DOCTYPE html><html><body style="font-family:sans-serif;text-align:center;margin-top:80px">
+<h2 style="color:#c62828">&#10007; Authentication failed</h2>
+<p>{error}</p>
+<p>Please return to the terminal.</p>
+</body></html>"""
+
+
+class _CallbackHandler(BaseHTTPRequestHandler):
+    """Handles the single OAuth callback redirect from Azure."""
+
+    def do_GET(self):
+        parsed = urllib.parse.urlparse(self.path)
+        params = urllib.parse.parse_qs(parsed.query)
+
+        if "code" in params:
+            self.server.auth_code = params["code"][0]
+            self.server.auth_error = None
+            body = _SUCCESS_HTML.encode("utf-8")
+        elif "error" in params:
+            error_desc = params.get("error_description", [params.get("error", ["Unknown error"])[0]])[0]
+            self.server.auth_code = None
+            self.server.auth_error = error_desc
+            body = _ERROR_HTML.format(error=error_desc).encode("utf-8")
+        else:
+            # Ignore favicon or other unrelated requests
+            self.send_response(204)
+            self.end_headers()
+            return
+
+        self.send_response(200)
+        self.send_header("Content-Type", "text/html; charset=utf-8")
+        self.send_header("Content-Length", str(len(body)))
+        self.end_headers()
+        self.wfile.write(body)
+        # Signal the main thread
+        self.server.callback_event.set()
+
+    def log_message(self, format, *args):  # noqa: A002
+        pass  # Suppress default request logging
+
+
+class OAuthPKCE:
+    """
+    Authorization Code + PKCE flow for Azure Entra (or any OIDC provider).
+
+    Example usage::
+
+        oauth = OAuthPKCE(
+            client_id="<app-client-id>",
+            authority="https://login.microsoftonline.com/<tenant>/v2.0",
+            scope="openid profile email offline_access",
+        )
+        tokens = oauth.authenticate()
+        access_token = tokens["access_token"]
+    """
+
+    def __init__(self, client_id: str, authority: str, scope: str):
+        self.client_id = client_id
+        self.authority = self._normalize_authority(authority)
+        self.scope = scope
+
+    @staticmethod
+    def _normalize_authority(authority: str) -> str:
+        """Strip any OAuth path components so the authority is bare.
+
+        Accepts any of these forms and normalises to the bare tenant URL:
+          https://login.microsoftonline.com/{tenant}
+          https://login.microsoftonline.com/{tenant}/v2.0
+          https://login.microsoftonline.com/{tenant}/oauth2/v2.0
+          https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
+        """
+        a = authority.rstrip("/")
+        # Strip anything from /oauth2 onwards
+        idx = a.find("/oauth2")
+        if idx != -1:
+            a = a[:idx]
+        # Strip trailing /v2.0
+        if a.endswith("/v2.0"):
+            a = a[: -len("/v2.0")]
+        return a
+
+    # ------------------------------------------------------------------
+    # Internal helpers
+    # ------------------------------------------------------------------
+
+    def _authorize_url(self) -> str:
+        return f"{self.authority}/oauth2/v2.0/authorize"
+
+    def _token_url(self) -> str:
+        return f"{self.authority}/oauth2/v2.0/token"
+
+    # ------------------------------------------------------------------
+    # Public API
+    # ------------------------------------------------------------------
+
+    def authenticate(self, verify_ssl: bool = True, timeout: int = 300) -> dict:
+        """
+        Run the full PKCE flow.
+
+        Opens the system browser, waits for the redirect callback on a
+        localhost HTTP server, then exchanges the auth code for tokens.
+
+        Returns the token response dict (keys: access_token, id_token,
+        refresh_token, expires_in, …).
+
+        Raises RuntimeError on failure or timeout.
+        """
+        code_verifier, code_challenge = _generate_pkce()
+        state = secrets.token_urlsafe(16)
+        port = _find_free_port()
+        redirect_uri = f"http://localhost:{port}/callback"
+
+        # Build authorisation URL
+        params = {
+            "client_id": self.client_id,
+            "response_type": "code",
+            "redirect_uri": redirect_uri,
+            "scope": self.scope,
+            "code_challenge": code_challenge,
+            "code_challenge_method": "S256",
+            "state": state,
+            "response_mode": "query",
+        }
+        auth_url = self._authorize_url() + "?" + urllib.parse.urlencode(params)
+
+        # Start local callback server
+        server = HTTPServer(("127.0.0.1", port), _CallbackHandler)
+        server.auth_code = None
+        server.auth_error = None
+        server.callback_event = threading.Event()
+
+        server_thread = threading.Thread(target=server.serve_forever, daemon=True)
+        server_thread.start()
+
+        try:
+            print(f"Opening browser for authentication…\n{auth_url}\n")
+            webbrowser.open(auth_url)
+
+            # Wait for callback (up to `timeout` seconds)
+            if not server.callback_event.wait(timeout=timeout):
+                raise RuntimeError("Timed out waiting for authentication callback.")
+
+            if server.auth_error:
+                raise RuntimeError(f"Authentication error: {server.auth_error}")
+
+            auth_code = server.auth_code
+        finally:
+            server.shutdown()
+
+        # Exchange code for tokens
+        return self._exchange_code(auth_code, code_verifier, redirect_uri, verify_ssl)
+
+    def _exchange_code(
+        self,
+        code: str,
+        code_verifier: str,
+        redirect_uri: str,
+        verify_ssl: bool,
+    ) -> dict:
+        data = {
+            "client_id": self.client_id,
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirect_uri": redirect_uri,
+            "code_verifier": code_verifier,
+            "scope": self.scope,
+        }
+        response = requests.post(self._token_url(), data=data, verify=verify_ssl, timeout=30)
+        response.raise_for_status()
+        tokens = response.json()
+        if "access_token" not in tokens:
+            raise RuntimeError(f"Token response missing access_token: {tokens}")
+        return tokens
+
+    def refresh_tokens(self, refresh_token: str, verify_ssl: bool = True) -> dict:
+        """
+        Use a stored refresh token to obtain a new access token (and
+        possibly a new refresh token).
+
+        Returns the token response dict.
+        Raises RuntimeError on failure.
+        """
+        data = {
+            "client_id": self.client_id,
+            "grant_type": "refresh_token",
+            "refresh_token": refresh_token,
+            "scope": self.scope,
+        }
+        response = requests.post(self._token_url(), data=data, verify=verify_ssl, timeout=30)
+        response.raise_for_status()
+        tokens = response.json()
+        if "access_token" not in tokens:
+            raise RuntimeError(f"Token refresh response missing access_token: {tokens}")
+        return tokens
+
+    def _get_provider_name(self, api_url: str, verify_ssl: bool) -> str:
+        """Auto-detect the ExternalAuthenticate provider name by matching client_id."""
+        try:
+            resp = requests.get(
+                f"{api_url.rstrip('/')}/api/TokenAuth/GetExternalAuthenticationProviders",
+                verify=verify_ssl,
+                timeout=10,
+            )
+            resp.raise_for_status()
+            for provider in resp.json().get("result", []):
+                if provider.get("clientId") == self.client_id:
+                    return provider["name"]
+        except Exception:
+            pass
+        return "OpenIdConnect"  # sensible fallback
+
+    def exchange_for_das_token(
+        self,
+        azure_tokens: dict,
+        api_url: str,
+        verify_ssl: bool = True,
+        debug: bool = False,
+    ) -> str:
+        """Exchange an Azure access token for a DAS API token.
+
+        Calls POST /api/TokenAuth/ExternalAuthenticate on the DAS API.
+        Returns the DAS API access token string.
+        Raises RuntimeError on failure.
+        """
+        # The id_token is signed for the client (DAS API can validate it via OIDC keys).
+        # The access_token is signed for the resource/audience and will fail signature validation.
+        id_token = azure_tokens.get("id_token")
+        if not id_token:
+            raise RuntimeError(
+                "No id_token in Azure response. Ensure 'openid' is in the requested scopes."
+            )
+
+        claims = _decode_jwt_payload(id_token)
+
+        # ABP stores the 'sub' claim as the provider key (confirmed via AbpUserLogins).
+        # 'sub' in Azure AD v2.0 is pairwise per client_id, so the client_id used
+        # here must match the one the web app used when the user first logged in.
+        provider_key = claims.get("sub") or claims.get("oid")
+        if not provider_key:
+            raise RuntimeError(
+                "Could not extract user identity (sub/oid) from id_token. "
+                "Ensure 'openid' is in the requested scopes."
+            )
+
+        provider_name = self._get_provider_name(api_url, verify_ssl)
+
+        if debug:
+            print(f"  authProvider  : {provider_name}")
+            print(f"  providerKey   : {provider_key}")
+            print(f"  providerKey from claim: oid={claims.get('oid')}  sub={claims.get('sub')}")
+            print(f"  preferred_username: {claims.get('preferred_username')}")
+            print()
+
+        response = requests.post(
+            f"{api_url.rstrip('/')}/api/TokenAuth/ExternalAuthenticate",
+            json={
+                "authProvider": provider_name,
+                "providerKey": provider_key,
+                "providerAccessCode": id_token,  # id_token, not access_token
+            },
+            verify=verify_ssl,
+            timeout=30,
+        )
+        response.raise_for_status()
+        result = response.json()
+        das_token = (result.get("result") or {}).get("accessToken")
+        if not das_token:
+            raise RuntimeError(
+                f"DAS API did not return an access token. Response: {result}"
+            )
+        return das_token

{das_cli-1.2.32 → das_cli-1.2.34}/das/cli.py

@@ -7,7 +7,9 @@ from das.common.config import (
     save_api_url, load_api_url, DEFAULT_BASE_URL,
     save_verify_ssl, load_verify_ssl, VERIFY_SSL,
     load_openai_api_key, save_openai_api_key, clear_openai_api_key,
-    clear_token, _config_dir
+    clear_token, _config_dir,
+    save_oauth_config, load_oauth_config, get_auth_type, set_auth_type,
+    save_token, save_token_expiry, save_refresh_token, clear_refresh_token
 )
 
 from das.app import Das
@@ -91,24 +93,134 @@ def cli(ctx):
 
 @cli.command()
 @click.option('--api-url', required=True, help='API base URL')
-@click.option('--username', required=True, prompt=True, help='Username')
-@click.option('--password', required=True, prompt=True, hide_input=True, help='Password')
+@click.option('--username', default=None, help='Username (basic auth)')
+@click.option('--password', default=None, hide_input=True, help='Password (basic auth)')
+@click.option('--oauth', 'use_oauth', is_flag=True, default=False, help='Use Azure Entra/OAuth authentication (opens browser)')
+@click.option('--debug', is_flag=True, default=False, help='Print decoded token claims for troubleshooting')
 @pass_das_context
-def login(das_ctx, api_url, username, password):
+def login(das_ctx, api_url, username, password, use_oauth, debug):
     """Login and store authentication token"""
     # Save API URL for future use
     save_api_url(api_url)
     das_ctx.api_url = api_url
-    
-    # Authenticate
+
+    if use_oauth:
+        # --- OAuth / Azure Entra PKCE flow ---
+        oauth_cfg = load_oauth_config()
+        if not oauth_cfg.get("client_id"):
+            click.secho(
+                "❌ OAuth is not configured. Run 'das oauth configure --client-id <id> --authority <url>' first.",
+                fg="red",
+            )
+            return
+        try:
+            from das.authentication.oauth import OAuthPKCE, _decode_jwt_payload
+            import time as _time
+            pkce = OAuthPKCE(
+                client_id=oauth_cfg["client_id"],
+                authority=oauth_cfg.get("authority", ""),
+                scope=oauth_cfg.get("scope", "openid profile email offline_access"),
+            )
+            tokens = pkce.authenticate(verify_ssl=True)  # Microsoft's servers always have valid certs
+
+            if debug:
+                id_token = tokens.get("id_token", "")
+                claims = _decode_jwt_payload(id_token)
+                click.secho("\nid_token claims:", fg="yellow", bold=True)
+                for k, v in claims.items():
+                    click.echo(f"  {k}: {v}")
+                click.echo()
+
+            # Exchange the Azure token for a DAS API token
+            verify_ssl = load_verify_ssl()
+            das_token = pkce.exchange_for_das_token(tokens, api_url, verify_ssl=verify_ssl, debug=debug)
+            save_token(das_token)
+            save_token_expiry(_time.time() + tokens.get("expires_in", 3600))
+            if "refresh_token" in tokens:
+                save_refresh_token(tokens["refresh_token"])
+            set_auth_type("oauth")
+            click.secho("✓ Authentication successful!", fg="green")
+        except Exception as e:
+            click.secho(f"❌ OAuth authentication failed: {e}", fg="red")
+        return
+
+    # --- Basic username/password flow ---
+    if not username:
+        username = click.prompt("Username")
+    if not password:
+        password = click.prompt("Password", hide_input=True)
+
     client = das_ctx.get_client()
     token = client.authenticate(username, password)
     if not token:
         click.secho("❌ Authentication failed. Please check your credentials.", fg="red")
         return
     else:
+        set_auth_type("basic")
         click.secho("✓ Authentication successful!", fg="green")
 
+# OAuth / Azure Entra command group
+@cli.group()
+def oauth():
+    """OAuth / Azure Entra configuration"""
+
+
+@oauth.command("configure")
+@click.option('--client-id', required=True, help='Azure app (client) ID')
+@click.option('--authority', default='https://login.microsoftonline.com/common/v2.0', show_default=True, help='Authority URL (e.g. https://login.microsoftonline.com/{tenant}/v2.0)')
+@click.option('--scope', default='openid profile email offline_access', show_default=True, help='Space-separated OAuth scopes')
+def oauth_configure(client_id, authority, scope):
+    """Save OAuth client settings (run once before 'das login --oauth')"""
+    save_oauth_config(client_id, authority, scope)
+    click.secho("✓ OAuth configuration saved.", fg="green")
+    click.echo(f"  Client ID : {client_id}")
+    click.echo(f"  Authority : {authority}")
+    click.echo(f"  Scope     : {scope}")
+
+
+@oauth.command("status")
+def oauth_status():
+    """Show current OAuth configuration"""
+    cfg = load_oauth_config()
+    auth_type = get_auth_type()
+    if not cfg.get("client_id"):
+        click.secho("OAuth is not configured.", fg="yellow")
+        click.echo("Run 'das oauth configure --client-id <id>' to set it up.")
+        return
+    click.secho("OAuth configuration:", fg="green")
+    click.echo(f"  Client ID  : {cfg.get('client_id')}")
+    click.echo(f"  Authority  : {cfg.get('authority')}")
+    click.echo(f"  Scope      : {cfg.get('scope')}")
+    click.echo(f"  Auth type  : {auth_type}")
+    expires_at = cfg.get("token_expires_at")
+    if expires_at:
+        import time as _time
+        remaining = int(expires_at - _time.time())
+        if remaining > 0:
+            click.echo(f"  Token exp  : in {remaining}s")
+        else:
+            click.echo(f"  Token exp  : expired {-remaining}s ago")
+
+
+@oauth.command("clear")
+def oauth_clear():
+    """Remove OAuth configuration and tokens"""
+    cfg = load_oauth_config()
+    if cfg:
+        # Remove oauth key from config.json
+        import json as _json
+        from das.common.config import CONFIG_FILE
+        try:
+            config = _json.loads(CONFIG_FILE.read_text(encoding="utf-8"))
+            config.pop("oauth", None)
+            config.pop("auth_type", None)
+            CONFIG_FILE.write_text(_json.dumps(config), encoding="utf-8")
+        except Exception:
+            pass
+    clear_refresh_token()
+    click.secho("✓ OAuth configuration and tokens cleared.", fg="green")
+
+
 # Search commands group
 @cli.group()
 def search():
@@ -907,6 +1019,65 @@ def get_ssl_status():
     status = "enabled" if VERIFY_SSL else "disabled"
     click.echo(f"SSL certificate verification is currently {status}")
 
+@config.command("show")
+def config_show():
+    """Show all current persistent settings"""
+    import time as _time
+    from das.common.config import load_token, load_token_expiry
+
+    # API URL
+    api_url = load_api_url() or "(not set)"
+
+    # Auth
+    auth_type = get_auth_type()
+    token = load_token(auto_refresh=False)
+    token_display = f"{token[:8]}…" if token else "(none)"
+
+    # SSL
+    ssl = load_verify_ssl()
+
+    # OAuth
+    oauth_cfg = load_oauth_config()
+
+    # OpenAI
+    openai_key = load_openai_api_key()
+    openai_display = f"{openai_key[:8]}…" if openai_key else "(not set)"
+
+    click.secho("Current settings", bold=True)
+    click.echo("─" * 40)
+
+    click.secho("  Connection", fg="blue", bold=True)
+    click.echo(f"    API URL      : {api_url}")
+    click.echo(f"    SSL verify   : {'enabled' if ssl else 'disabled'}")
+
+    click.echo("")
+    click.secho("  Authentication", fg="blue", bold=True)
+    click.echo(f"    Auth type    : {auth_type}")
+    click.echo(f"    Token        : {token_display}")
+
+    if auth_type == "oauth":
+        expires_at = load_token_expiry()
+        if expires_at:
+            remaining = int(expires_at - _time.time())
+            if remaining > 0:
+                click.echo(f"    Token expiry : in {remaining}s")
+            else:
+                click.echo(f"    Token expiry : expired {-remaining}s ago")
+
+    if oauth_cfg.get("client_id"):
+        click.echo("")
+        click.secho("  OAuth / Azure Entra", fg="blue", bold=True)
+        click.echo(f"    Client ID    : {oauth_cfg.get('client_id')}")
+        click.echo(f"    Authority    : {oauth_cfg.get('authority')}")
+        click.echo(f"    Scope        : {oauth_cfg.get('scope')}")
+
+    click.echo("")
+    click.secho("  AI", fg="blue", bold=True)
+    click.echo(f"    OpenAI key   : {openai_display}")
+
+    click.echo("─" * 40)
+
+
 @config.command("reset")
 @click.option('--force', is_flag=True, help='Skip confirmation prompt')
 def reset_config(force):
@@ -919,8 +1090,9 @@ def reset_config(force):
     from das.common.config import clear_token, _config_dir
     import shutil
 
-    # Clear token (handles both keyring and file-based storage)
+    # Clear token and OAuth refresh token (handles both keyring and file-based storage)
     clear_token()
+    clear_refresh_token()
     
     # Get the config directory path
     config_dir = _config_dir()