glaip-sdk 0.4.0__py3-none-any.whl → 0.5.1__py3-none-any.whl

glaip_sdk/cli/auth.py

@@ -1,23 +1,24 @@
-"""Authentication export helpers for MCP CLI commands.
+"""Authentication export helpers for MCP CLI commands and credential resolution.
 
 This module provides utilities for preparing authentication data for export,
 including interactive secret capture and placeholder generation.
 
-These helpers are distinct from the AIP CLI's own authentication, which always
-relies on the API URL and API key managed via ``aip configure`` / `AIP_API_*`
-environment variables.
+It also provides credential resolution for the AIP CLI, supporting multiple
+account profiles and environment variable overrides.
 
 Authors:
     Raymond Christopher (raymond.christopher@gdplabs.id)
 """
 
-from collections.abc import Iterable, Mapping
+import os
+from collections.abc import Callable, Iterable, Mapping
 from typing import Any
 
 import click
 from rich.console import Console
 
 from glaip_sdk.branding import HINT_PREFIX_STYLE, WARNING_STYLE
+from glaip_sdk.cli.account_store import AccountNotFoundError, AccountStoreError, get_account_store
 from glaip_sdk.cli.hints import format_command_hint
 from glaip_sdk.cli.utils import command_hint
 
@@ -108,6 +109,24 @@ def _get_token_value(prompt_for_secrets: bool, placeholder: str, console: Consol
     return placeholder
 
 
+def _normalize_header_keys(
+    header_keys: Iterable[str] | str | None,
+    *,
+    default: Iterable[str] | None = None,
+) -> list[str]:
+    """Normalize header_keys to a list, handling strings and None safely."""
+    if header_keys is None:
+        return list(default or [])
+    if isinstance(header_keys, str):
+        return [header_keys] if header_keys else list(default or [])
+    try:
+        return list(header_keys)
+    except TypeError:
+        raise click.ClickException(
+            f"Invalid header_keys type: expected string or iterable, got {type(header_keys).__name__}"
+        ) from None
+
+
 def _build_bearer_headers(auth: dict[str, Any], token_value: str) -> dict[str, str]:
     """Build headers for bearer token authentication.
 
@@ -119,7 +138,10 @@ def _build_bearer_headers(auth: dict[str, Any], token_value: str) -> dict[str, s
         A dictionary of HTTP headers including the Authorization header when
         applicable.
     """
-    header_keys = auth.get("header_keys", ["Authorization"])
+    default_header_keys = ["Authorization"]
+    has_header_keys = "header_keys" in auth
+    header_keys_raw = auth.get("header_keys") if has_header_keys else default_header_keys
+    header_keys = _normalize_header_keys(header_keys_raw, default=None if has_header_keys else default_header_keys)
     headers = {}
     for key in header_keys:
         # Prepend "Bearer " if this is Authorization header
@@ -178,8 +200,8 @@ def _extract_api_key_name(auth: dict[str, Any]) -> str | None:
     """
     key_name = auth.get("key")
     if not key_name and "header_keys" in auth:
-        header_keys = auth["header_keys"]
-        if isinstance(header_keys, list) and header_keys:
+        header_keys = _normalize_header_keys(auth["header_keys"])
+        if header_keys:
             key_name = header_keys[0]
     return key_name
 
@@ -227,8 +249,12 @@ def _build_api_key_headers(auth: dict[str, Any], key_name: str | None, key_value
     Returns:
         A dictionary of HTTP headers for API key authentication.
     """
-    header_keys = auth.get("header_keys", [key_name] if key_name else [])
-    return {key: key_value for key in header_keys}
+    default_header_keys = [key_name] if key_name else []
+    has_header_keys = "header_keys" in auth
+    header_keys_raw = auth.get("header_keys") if has_header_keys else default_header_keys
+    header_keys_list = _normalize_header_keys(header_keys_raw, default=None if has_header_keys else default_header_keys)
+    filtered_keys = [k for k in header_keys_list if k]
+    return dict.fromkeys(filtered_keys, key_value)
 
 
 def _prepare_api_key_auth(
@@ -314,9 +340,7 @@ def _extract_header_names(existing_headers: Mapping[str, Any] | None, header_key
     """
     if existing_headers:
         return list(existing_headers.keys())
-    if header_keys:
-        return list(header_keys)
-    return []
+    return _normalize_header_keys(header_keys)
 
 
 def _is_valid_secret(value: Any) -> bool:
@@ -459,3 +483,217 @@ def _prompt_secret_with_placeholder(
 
     # This line is unreachable as the loop always returns
     # return placeholder
+
+
+# ----------------------------- Credential Resolution ----------------------------- #
+
+
+def resolve_api_url_from_context(
+    ctx: Any,
+    *,
+    get_api_url: Callable[[Any], str | None] | None = None,
+    get_account_name: Callable[[Any], str | None] | None = None,
+) -> str | None:
+    """Resolve API URL from context using account store (CLI/palette ignores env creds).
+
+    Helper function to extract API URL from various context formats.
+    Used by transcript capture and slash session to avoid code duplication.
+
+    Args:
+        ctx: Context object (can be dict, click.Context, or any object with attributes).
+        get_api_url: Optional function to extract api_url from context.
+            If None, tries ctx.obj.get("api_url") or ctx.get("api_url").
+        get_account_name: Optional function to extract account_name from context.
+            If None, tries ctx.obj.get("account_name") or ctx.get("account_name").
+
+    Returns:
+        Resolved API URL or None.
+    """
+    api_url = None
+    account_name = None
+
+    if get_api_url:
+        api_url = get_api_url(ctx)
+    elif isinstance(ctx, dict):
+        api_url = ctx.get("api_url")
+    elif hasattr(ctx, "obj") and isinstance(ctx.obj, dict):
+        api_url = ctx.obj.get("api_url")
+
+    if get_account_name:
+        account_name = get_account_name(ctx)
+    elif isinstance(ctx, dict):
+        account_name = ctx.get("account_name")
+    elif hasattr(ctx, "obj") and isinstance(ctx.obj, dict):
+        account_name = ctx.obj.get("account_name")
+
+    resolved_url, _, _ = resolve_credentials(
+        account_name=account_name,
+        api_url=api_url,
+        api_key=None,
+        ignore_env_creds=True,
+    )
+    return resolved_url
+
+
+def _resolve_account_name(account_name: str | None) -> str | None:
+    """Resolve account name from parameter (env var removed for CLI/palette)."""
+    return account_name
+
+
+def _validate_account_exists(account_name: str | None, store: Any) -> None:
+    """Validate that the specified account exists.
+
+    Raises:
+        AccountNotFoundError: If account_name is specified but account doesn't exist.
+    """
+    if account_name:
+        account = store.get_account(account_name)
+        if not account:
+            raise AccountNotFoundError(
+                f"Account '{account_name}' not found. Run 'aip accounts list' to see available accounts."
+            )
+
+
+def _merge_credentials(
+    api_url: str | None,
+    api_key: str | None,
+    profile_url: str | None,
+    profile_key: str | None,
+    ignore_env_creds: bool,
+) -> tuple[str | None, str | None]:
+    """Merge credentials from multiple sources.
+
+    Args:
+        api_url: Explicit API URL override.
+        api_key: Explicit API key override.
+        profile_url: Profile API URL.
+        profile_key: Profile API key.
+        ignore_env_creds: If True, ignore env vars.
+
+    Returns:
+        Tuple of (final_url, final_key).
+    """
+    if not ignore_env_creds:
+        env_url = os.getenv("AIP_API_URL")
+        env_key = os.getenv("AIP_API_KEY")
+        final_url = api_url or env_url or profile_url
+        final_key = api_key or env_key or profile_key
+    else:
+        final_url = api_url or profile_url
+        final_key = api_key or profile_key
+    return final_url, final_key
+
+
+def _determine_source(
+    api_url: str | None,
+    api_key: str | None,
+    account_name: str | None,
+    store: Any,
+) -> str:
+    """Determine the source of credentials.
+
+    Returns:
+        Source string describing where credentials came from.
+    """
+    if api_url or api_key:
+        return "flag"
+    if account_name:
+        return f"account:{account_name}"
+    active = store.get_active_account()
+    return f"active_profile:{active}" if active else "none"
+
+
+_ENV_WARNING_EMITTED = False
+
+
+def _maybe_warn_env_creds_ignored(ignore_env_creds: bool) -> None:
+    """Emit a one-time warning when env credentials are present but ignored."""
+    global _ENV_WARNING_EMITTED
+
+    if _ENV_WARNING_EMITTED or not ignore_env_creds:
+        return
+
+    if os.getenv("AIP_API_URL") or os.getenv("AIP_API_KEY"):
+        click.echo(
+            "Warning: CLI ignores AIP_API_URL/AIP_API_KEY; use account profiles via 'aip accounts add/use'. "
+            "Python SDK callers can opt in with ignore_env_creds=False.",
+            err=True,
+        )
+        _ENV_WARNING_EMITTED = True
+
+
+def resolve_credentials(
+    account_name: str | None = None,
+    api_url: str | None = None,
+    api_key: str | None = None,
+    *,
+    ignore_env_creds: bool = True,
+) -> tuple[str | None, str | None, str]:
+    """Resolve credentials from multiple sources with precedence.
+
+    For CLI/palette: ignores raw credential env vars (AIP_API_URL/AIP_API_KEY),
+    and only uses explicit account selection (no AIP_ACCOUNT env). Python SDK can use
+    ignore_env_creds=False to honor env vars if needed.
+
+    Precedence order (CLI/palette):
+    1. Explicit parameters (api_url, api_key)
+    2. Account profile (from account_name or active_account)
+
+    Args:
+        account_name: Account name to use, or None for active account.
+        api_url: Explicit API URL override.
+        api_key: Explicit API key override.
+        ignore_env_creds: If True (default), ignore AIP_API_URL/AIP_API_KEY env vars.
+
+    Returns:
+        Tuple of (api_url, api_key, source) where source describes where
+        credentials came from (e.g., "flag", "active_profile", "account:name").
+
+    Raises:
+        click.ClickException: If a requested account does not exist.
+    """
+    _maybe_warn_env_creds_ignored(ignore_env_creds)
+
+    # 1. Explicit parameters take highest precedence
+    if api_url and api_key:
+        return api_url, api_key, "flag"
+
+    # 2. Account profile resolution
+    account_name = _resolve_account_name(account_name)
+    store = get_account_store()
+    try:
+        _validate_account_exists(account_name, store)
+    except AccountNotFoundError as exc:
+        raise click.ClickException(str(exc)) from exc
+
+    try:
+        profile_url, profile_key = store.get_credentials(account_name)
+    except AccountStoreError:
+        profile_url, profile_key = None, None
+
+    final_url, final_key = _merge_credentials(api_url, api_key, profile_url, profile_key, ignore_env_creds)
+    source = _determine_source(api_url, api_key, account_name, store)
+
+    return final_url, final_key, source
+
+
+def get_credentials(
+    account_name: str | None = None,
+    api_url: str | None = None,
+    api_key: str | None = None,
+) -> tuple[str | None, str | None]:
+    """Get credentials for CLI commands (backward compatible wrapper).
+
+    This function maintains backward compatibility with existing code that
+    expects (url, key) tuple. For source information, use resolve_credentials.
+
+    Args:
+        account_name: Account name to use, or None for active account.
+        api_url: Explicit API URL override.
+        api_key: Explicit API key override.
+
+    Returns:
+        Tuple of (api_url, api_key).
+    """
+    url, key, _ = resolve_credentials(account_name, api_url, api_key)
+    return url, key