granny-devops 0.9.0__tar.gz → 0.9.2__tar.gz

{granny_devops-0.9.0 → granny_devops-0.9.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: granny-devops
-Version: 0.9.0
+Version: 0.9.2
 Summary: Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation
 Author-email: Martin Wieser <martin.wieser@pseekoo.com>
 License: MIT License
@@ -288,10 +288,14 @@ granny create scaleway-container --name my-app --port 3000
 granny create mailjet-dns example.com
 
 # Authentik admin (provider + application + group plumbing)
-granny authentik provision-stoz3n-dash development     # idempotent per-stage setup
+granny authentik provision-oauth-app my-app \
+  --name "My App" \
+  --redirect-uri https://app.example.com/auth/callback \
+  --launch-url https://app.example.com \
+  --group my-app-admins
 granny authentik list providers
-granny authentik rotate-secret stoz3n-dash-staging
-granny authentik add-user-to-group martin              # defaults to dash_admins
+granny authentik rotate-secret my-oauth-provider
+granny authentik add-user-to-group user@example.com     # defaults to dash_admins
 granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 ```
 
@@ -309,7 +313,7 @@ granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 | AWS inventory | VPCs, Lambdas |
 | Cross-cloud inventory | GPU instances + reservations, credit balances, MTD spend + forecast (AWS, GCP, Azure) |
 | SSL automation | Bunny, Cloudflare, ACM |
-| SSO / IdP | Authentik (provider + application + group provisioning, per-stage stoz3n-dash workflow) |
+| SSO / IdP | Authentik (provider, application, group, and user operations) |
 
 ## As a library
 

{granny_devops-0.9.0 → granny_devops-0.9.2}/README.md

@@ -156,10 +156,14 @@ granny create scaleway-container --name my-app --port 3000
 granny create mailjet-dns example.com
 
 # Authentik admin (provider + application + group plumbing)
-granny authentik provision-stoz3n-dash development     # idempotent per-stage setup
+granny authentik provision-oauth-app my-app \
+  --name "My App" \
+  --redirect-uri https://app.example.com/auth/callback \
+  --launch-url https://app.example.com \
+  --group my-app-admins
 granny authentik list providers
-granny authentik rotate-secret stoz3n-dash-staging
-granny authentik add-user-to-group martin              # defaults to dash_admins
+granny authentik rotate-secret my-oauth-provider
+granny authentik add-user-to-group user@example.com     # defaults to dash_admins
 granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 ```
 
@@ -177,7 +181,7 @@ granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 | AWS inventory | VPCs, Lambdas |
 | Cross-cloud inventory | GPU instances + reservations, credit balances, MTD spend + forecast (AWS, GCP, Azure) |
 | SSL automation | Bunny, Cloudflare, ACM |
-| SSO / IdP | Authentik (provider + application + group provisioning, per-stage stoz3n-dash workflow) |
+| SSO / IdP | Authentik (provider, application, group, and user operations) |
 
 ## As a library
 

{granny_devops-0.9.0 → granny_devops-0.9.2}/granny/__init__.py

@@ -1,6 +1,6 @@
 """Granny -- Cloud tools collection for AWS infrastructure and DevOps automation."""
 
-__version__ = "0.8.0"
+__version__ = "0.9.2"
 __all__ = [
     "get_secret",
     "load_secrets_into_env",

granny_devops-0.9.2/granny/authentik/__init__.py

@@ -0,0 +1,12 @@
+"""Authentik management — REST API wrapper."""
+
+from granny.authentik.client import AuthentikClient, AuthentikError
+from granny.authentik.provision import OAuthAppSpec, ProvisionResult, provision_oauth_app
+
+__all__ = [
+    "AuthentikClient",
+    "AuthentikError",
+    "OAuthAppSpec",
+    "ProvisionResult",
+    "provision_oauth_app",
+]

{granny_devops-0.9.0 → granny_devops-0.9.2}/granny/authentik/client.py

@@ -256,3 +256,82 @@ class AuthentikClient:
             f"/api/v3/providers/oauth2/{provider['pk']}/",
             body={"client_secret": ""},
         )
+
+    def create_user(
+        self,
+        username: str,
+        *,
+        name: str | None = None,
+        email: str | None = None,
+        path: str = "users",
+        user_type: str = "internal",
+        is_active: bool = True,
+        attributes: dict[str, Any] | None = None,
+    ) -> dict[str, Any]:
+        """Create an internal Authentik user (idempotent on ``username``).
+
+        If a user with the same ``username`` already exists it is returned
+        unmodified — call ``request("PATCH", …)`` separately if you need to
+        update fields. The default ``path="users"`` puts the user in the
+        regular Authentik directory (not under any LDAP source path), so
+        the user can authenticate against an internal password rather than
+        being bound to Kanidm.
+        """
+        existing = self.find_user_by_username(username)
+        if existing:
+            return existing
+        body: dict[str, Any] = {
+            "username": username,
+            "name": name or username,
+            "is_active": is_active,
+            "type": user_type,
+            "path": path,
+            "groups": [],
+        }
+        if email is not None:
+            body["email"] = email
+        if attributes:
+            body["attributes"] = attributes
+        return self.request("POST", "/api/v3/core/users/", body=body)
+
+    def set_user_password(self, username: str, password: str) -> None:
+        """Set a user's password directly (admin reset, no email)."""
+        user = self.find_user_by_username(username)
+        if not user:
+            raise AuthentikError(404, f"User {username!r} not found")
+        self.request(
+            "POST",
+            f"/api/v3/core/users/{user['pk']}/set_password/",
+            body={"password": password},
+        )
+
+    def delete_user(self, username: str) -> None:
+        """Delete a user by username. No-op if absent."""
+        user = self.find_user_by_username(username)
+        if not user:
+            return
+        self.request("DELETE", f"/api/v3/core/users/{user['pk']}/")
+
+    def generate_recovery_link(self, username: str) -> str:
+        """Mint a one-shot recovery URL for the given user.
+
+        Returns the absolute URL the user opens to set their own password
+        (and enroll MFA if the recovery flow is configured to require it).
+        Authentik invalidates the token after a single use; default TTL is
+        short, set in the recovery flow's stage configuration.
+        """
+        user = self.find_user_by_username(username)
+        if not user:
+            raise AuthentikError(404, f"User {username!r} not found")
+        result = self.request(
+            "POST",
+            f"/api/v3/core/users/{user['pk']}/recovery/",
+        )
+        # Authentik returns {"link": "https://..."} on this endpoint.
+        if isinstance(result, dict) and "link" in result:
+            return result["link"]
+        raise AuthentikError(
+            500,
+            f"Unexpected recovery payload for {username!r}: {result!r}. "
+            "Make sure a recovery flow is configured on the tenant.",
+        )

granny_devops-0.9.2/granny/authentik/provision.py

@@ -0,0 +1,197 @@
+"""Generic Authentik OAuth2 application provisioning."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+
+from granny.authentik.client import AuthentikClient
+
+DEFAULT_AUTHORIZATION_FLOW_SLUG = "default-provider-authorization-explicit-consent"
+DEFAULT_INVALIDATION_FLOW_SLUG = "default-provider-invalidation-flow"
+DEFAULT_OIDC_SCOPES: tuple[str, ...] = ("openid", "profile", "email")
+
+
+@dataclass(frozen=True)
+class OAuthAppSpec:
+    """Desired state for an Authentik OAuth2 provider + application."""
+
+    slug: str
+    name: str
+    redirect_uris: tuple[str, ...]
+    launch_url: str | None = None
+    group: str | None = None
+    provider_name: str | None = None
+    scopes: tuple[str, ...] = DEFAULT_OIDC_SCOPES
+    authorization_flow_slug: str = DEFAULT_AUTHORIZATION_FLOW_SLUG
+    invalidation_flow_slug: str = DEFAULT_INVALIDATION_FLOW_SLUG
+    access_token_validity: str = "minutes=10"
+    refresh_token_validity: str = "days=30"
+    sub_mode: str = "user_username"
+    include_claims_in_id_token: bool = True
+
+    def __post_init__(self) -> None:
+        if not self.slug:
+            raise ValueError("slug must not be empty")
+        if not self.name:
+            raise ValueError("name must not be empty")
+        if not self.redirect_uris:
+            raise ValueError("at least one redirect URI is required")
+
+
+@dataclass
+class ProvisionResult:
+    """Result of provisioning an Authentik OAuth2 application."""
+
+    base_url: str
+    issuer: str
+    client_id: str
+    client_secret: str
+    redirect_uris: tuple[str, ...]
+    scopes: str
+    provider_pk: str
+    application_slug: str
+    group: str | None
+    group_pk: str | None
+    created_provider: bool
+    created_application: bool
+    created_binding: bool
+    created_group: bool
+    extra: dict[str, str] = field(default_factory=dict)
+
+    @property
+    def authorization_endpoint(self) -> str:
+        return f"{self.base_url}/application/o/authorize/"
+
+    @property
+    def token_endpoint(self) -> str:
+        return f"{self.base_url}/application/o/token/"
+
+    @property
+    def userinfo_endpoint(self) -> str:
+        return f"{self.base_url}/application/o/userinfo/"
+
+    def oidc_block(self) -> dict[str, str | list[str] | None]:
+        """Return a copy-paste friendly OIDC configuration snippet."""
+        return {
+            "issuer": self.issuer,
+            "authorization_endpoint": self.authorization_endpoint,
+            "token_endpoint": self.token_endpoint,
+            "userinfo_endpoint": self.userinfo_endpoint,
+            "client_id": self.client_id,
+            "client_secret": self.client_secret or None,
+            "redirect_uris": list(self.redirect_uris),
+            "scopes": self.scopes,
+            "admin_group": self.group,
+        }
+
+
+def provision_oauth_app(
+    client: AuthentikClient,
+    spec: OAuthAppSpec,
+    *,
+    rotate_secret: bool = False,
+) -> ProvisionResult:
+    """Idempotently provision an OAuth2 provider and application in Authentik."""
+    provider_name = spec.provider_name or spec.slug
+    authorization_flow = client.find_flow_pk(spec.authorization_flow_slug)
+    invalidation_flow = client.find_flow_pk(spec.invalidation_flow_slug)
+    signing_key = client.find_signing_key_pk()
+    scope_mappings = client.find_scope_mappings(spec.scopes)
+
+    group = None
+    created_group = False
+    if spec.group:
+        existing_group = client.find_group_by_name(spec.group)
+        created_group = existing_group is None
+        group = existing_group or client.ensure_group(spec.group)
+
+    existing_app = client.find_application_by_slug(spec.slug)
+    adopt_pk: int | str | None = None
+    if existing_app is not None:
+        adopt_pk = existing_app.get("provider")
+    existing_provider = (
+        client.find_provider_by_pk(adopt_pk) if adopt_pk is not None else None
+    ) or client.find_provider_by_name(provider_name)
+
+    provider_body: dict[str, object] = {
+        "name": provider_name,
+        "authorization_flow": authorization_flow,
+        "invalidation_flow": invalidation_flow,
+        "client_type": "confidential",
+        "redirect_uris": [
+            {"matching_mode": "strict", "url": uri} for uri in spec.redirect_uris
+        ],
+        "signing_key": signing_key,
+        "property_mappings": scope_mappings,
+        "sub_mode": spec.sub_mode,
+        "include_claims_in_id_token": spec.include_claims_in_id_token,
+        "access_token_validity": spec.access_token_validity,
+        "refresh_token_validity": spec.refresh_token_validity,
+    }
+    if existing_provider:
+        if rotate_secret:
+            provider_body["client_secret"] = ""
+        provider = client.request(
+            "PATCH",
+            f"/api/v3/providers/oauth2/{existing_provider['pk']}/",
+            body=provider_body,
+        )
+        created_provider = False
+    else:
+        provider = client.request("POST", "/api/v3/providers/oauth2/", body=provider_body)
+        created_provider = True
+
+    app_body: dict[str, object] = {
+        "name": spec.name,
+        "slug": spec.slug,
+        "provider": provider["pk"],
+        "policy_engine_mode": "any",
+    }
+    if spec.launch_url is not None:
+        app_body["meta_launch_url"] = spec.launch_url
+    if existing_app:
+        client.request("PATCH", f"/api/v3/core/applications/{spec.slug}/", body=app_body)
+        created_application = False
+        target_pk = existing_app["pk"]
+    else:
+        new_app = client.request("POST", "/api/v3/core/applications/", body=app_body)
+        created_application = True
+        target_pk = new_app["pk"]
+
+    created_binding = False
+    if group is not None:
+        bindings = client.request(
+            "GET", "/api/v3/policies/bindings/", params={"target": target_pk}
+        ).get("results", [])
+        has_binding = any(binding.get("group") == group["pk"] for binding in bindings)
+        if not has_binding:
+            client.request(
+                "POST",
+                "/api/v3/policies/bindings/",
+                body={
+                    "target": target_pk,
+                    "group": group["pk"],
+                    "enabled": True,
+                    "order": 0,
+                    "negate": False,
+                    "timeout": 30,
+                },
+            )
+            created_binding = True
+
+    return ProvisionResult(
+        base_url=client.base_url,
+        issuer=f"{client.base_url}/application/o/{spec.slug}",
+        client_id=provider["client_id"],
+        client_secret=provider.get("client_secret") or "",
+        redirect_uris=spec.redirect_uris,
+        scopes=" ".join(spec.scopes),
+        provider_pk=str(provider["pk"]),
+        application_slug=spec.slug,
+        group=spec.group,
+        group_pk=str(group["pk"]) if group is not None else None,
+        created_provider=created_provider,
+        created_application=created_application,
+        created_binding=created_binding,
+        created_group=created_group,
+    )

{granny_devops-0.9.0 → granny_devops-0.9.2}/granny/cli/authentik.py

@@ -1,8 +1,4 @@
-"""``granny authentik`` — manage the pseekoo Authentik instance via API.
-
-Wraps :mod:`granny.authentik` so the common Authentik ops (per-stage
-stoz3n-dash provisioning, group plumbing, secret rotation) work from the
-command line without dropping to the admin UI.
+"""``granny authentik`` — manage an Authentik instance via API.
 
 Auth resolution: ``AUTHENTIK_API_TOKEN`` (env / .env / vault) or
 ``AK_TOKEN`` (env / .env). See :meth:`AuthentikClient.from_environment`.
@@ -16,18 +12,14 @@ from typing import Any
 
 import click
 
-from granny.authentik import (
-    ADMIN_GROUP_NAME,
-    STOZ3N_DASH_STAGES,
-    AuthentikClient,
-    AuthentikError,
-    provision_stoz3n_dash,
-)
+from granny.authentik import AuthentikClient, AuthentikError, OAuthAppSpec, provision_oauth_app
+
+ADMIN_GROUP_NAME = "dash_admins"
 
 
 @click.group()
 def authentik() -> None:
-    """Manage Authentik (auth.pseekoo.io) via its REST API."""
+    """Manage Authentik via its REST API."""
 
 
 def _client() -> AuthentikClient:
@@ -39,18 +31,17 @@ def _client() -> AuthentikClient:
 
 
 def _print_provision_report(result: Any) -> None:
-    """Pretty-print a ProvisionResult and the paste-ready JSON snippets."""
     click.echo("", err=True)
     click.echo("─" * 72)
-    click.echo(f"Stage              : {result.stage}")
     click.echo(f"Authentik URL      : {result.base_url}")
+    click.echo(f"Application slug   : {result.application_slug}")
     click.echo(f"Issuer             : {result.issuer}")
     click.echo(f"client_id          : {result.client_id}")
     click.echo(
         f"client_secret      : {result.client_secret or '(not echoed — rotate-secret to see)'}"
     )
-    click.echo(f"redirect_uri       : {result.redirect_uri}")
-    click.echo(f"admin_group        : {result.admin_group}")
+    click.echo(f"redirect_uris      : {', '.join(result.redirect_uris)}")
+    click.echo(f"group              : {result.group or '(none)'}")
     click.echo(f"scopes             : {result.scopes}")
     flags = [
         f"provider={'NEW' if result.created_provider else 'EXISTS'}",
@@ -61,11 +52,7 @@ def _print_provision_report(result: Any) -> None:
     click.echo(f"state              : {', '.join(flags)}")
     click.echo("─" * 72)
     click.echo("")
-    click.echo(f"# Paste into dotfiles/stoz3n-chat-agent/config.{result.stage}.json")
-    click.echo(json.dumps(result.chat_agent_oidc_block(), indent=2))
-    click.echo("")
-    click.echo(f"# Paste into dotfiles/stoz3n-agent-dash/config.{result.stage}.json")
-    click.echo(json.dumps(result.dashboard_oidc_block(), indent=2))
+    click.echo(json.dumps({"oidc": result.oidc_block()}, indent=2))
     if not result.client_secret:
         click.echo("", err=True)
         click.echo(
@@ -76,18 +63,71 @@ def _print_provision_report(result: Any) -> None:
         )
 
 
-@authentik.command("provision-stoz3n-dash")
-@click.argument("stage", type=click.Choice(sorted(STOZ3N_DASH_STAGES.keys())))
+@authentik.command("provision-oauth-app")
+@click.argument("slug")
+@click.option("--name", required=True, help="Application display name.")
+@click.option(
+    "--redirect-uri",
+    "redirect_uris",
+    multiple=True,
+    required=True,
+    help="Allowed redirect URI. Repeat for multiple callbacks.",
+)
+@click.option("--launch-url", default=None, help="Optional application launch URL.")
+@click.option("--group", default=None, help="Optional group allowed to access the app.")
+@click.option("--provider-name", default=None, help="OAuth2 provider name (defaults to slug).")
+@click.option(
+    "--scope",
+    "scopes",
+    multiple=True,
+    default=("openid", "profile", "email"),
+    show_default=True,
+    help="OIDC scope to include. Repeat to override/add scopes.",
+)
+@click.option(
+    "--authorization-flow",
+    default="default-provider-authorization-explicit-consent",
+    show_default=True,
+    help="Authorization flow slug.",
+)
+@click.option(
+    "--invalidation-flow",
+    default="default-provider-invalidation-flow",
+    show_default=True,
+    help="Invalidation flow slug.",
+)
 @click.option(
     "--rotate",
     is_flag=True,
     help="Force a fresh client_secret if the provider already exists.",
 )
-def provision_stoz3n_dash_cmd(stage: str, rotate: bool) -> None:
-    """End-to-end per-stage stoz3n-dashboard provisioning (idempotent)."""
+def provision_oauth_app_cmd(
+    slug: str,
+    name: str,
+    redirect_uris: tuple[str, ...],
+    launch_url: str | None,
+    group: str | None,
+    provider_name: str | None,
+    scopes: tuple[str, ...],
+    authorization_flow: str,
+    invalidation_flow: str,
+    rotate: bool,
+) -> None:
+    """Provision an OAuth2 provider + application + optional group binding."""
+    spec = OAuthAppSpec(
+        slug=slug,
+        name=name,
+        redirect_uris=redirect_uris,
+        launch_url=launch_url,
+        group=group,
+        provider_name=provider_name,
+        scopes=scopes,
+        authorization_flow_slug=authorization_flow,
+        invalidation_flow_slug=invalidation_flow,
+    )
     client = _client()
     try:
-        result = provision_stoz3n_dash(client, stage=stage, rotate_secret=rotate)
+        result = provision_oauth_app(client, spec, rotate_secret=rotate)
     except AuthentikError as exc:
         click.echo(f"Authentik error: {exc}", err=True)
         sys.exit(1)
@@ -203,6 +243,104 @@ def remove_user_from_group_cmd(user: str, group: str) -> None:
     click.echo(f"Removed {user} from {group}")
 
 
+@authentik.command("create-user")
+@click.argument("username")
+@click.option("--name", default=None, help="Display name (defaults to username).")
+@click.option("--email", default=None, help="Email address.")
+@click.option(
+    "--group",
+    default=None,
+    help="Group to add the new user to after creation (e.g. dash_admins).",
+)
+@click.option(
+    "--password",
+    default=None,
+    help="Set this password directly. Suppresses --recovery-link.",
+)
+@click.option(
+    "--recovery-link/--no-recovery-link",
+    default=True,
+    help="Print a one-shot recovery URL the user opens to set their own password (default: yes).",
+)
+def create_user_cmd(
+    username: str,
+    name: str | None,
+    email: str | None,
+    group: str | None,
+    password: str | None,
+    recovery_link: bool,
+) -> None:
+    """Create an internal Authentik user (idempotent on username).
+
+    Defaults to printing a one-shot recovery URL so the user sets their
+    own password — pass ``--password`` to skip that and set one inline.
+    """
+    if password is not None:
+        recovery_link = False
+    client = _client()
+    try:
+        existed_before = client.find_user_by_username(username) is not None
+        user = client.create_user(username, name=name, email=email)
+        click.echo(
+            f"User {username} {'already exists' if existed_before else 'created'} (pk={user['pk']})"
+        )
+        if group:
+            client.add_user_to_group(username, group)
+            click.echo(f"Added {username} to {group}")
+        if password is not None:
+            client.set_user_password(username, password)
+            click.echo(f"Password set for {username}")
+        if recovery_link:
+            link = client.generate_recovery_link(username)
+            click.echo("")
+            click.echo("Recovery link (single-use, share over a secure channel):")
+            click.echo(f"  {link}")
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+
+
+@authentik.command("recovery-link")
+@click.argument("username")
+def recovery_link_cmd(username: str) -> None:
+    """Mint a one-shot recovery URL the user opens to set a password."""
+    client = _client()
+    try:
+        link = client.generate_recovery_link(username)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    click.echo(link)
+
+
+@authentik.command("set-password")
+@click.argument("username")
+@click.option("--password", required=True, help="New password to set.")
+def set_password_cmd(username: str, password: str) -> None:
+    """Set a user's password directly (admin reset)."""
+    client = _client()
+    try:
+        client.set_user_password(username, password)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    click.echo(f"Password updated for {username}")
+
+
+@authentik.command("delete-user")
+@click.argument("username")
+@click.confirmation_option(prompt="Really delete this Authentik user?")
+def delete_user_cmd(username: str) -> None:
+    """Delete an Authentik user. No-op if the user doesn't exist."""
+    client = _client()
+    try:
+        client.delete_user(username)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    click.echo(f"User {username} deleted (or already absent)")
+
+
 @authentik.command("api")
 @click.argument("method")
 @click.argument("path")

{granny_devops-0.9.0 → granny_devops-0.9.2}/granny/cli/serverless.py

@@ -213,11 +213,11 @@ def deploy(
     """Zip ``--source-dir``, upload, sync env vars, and deploy.
 
     Example:
-        granny serverless deploy bessa-wissa-api \\
+        granny serverless deploy my-api \\
             --source-dir backend/dist-bundle \\
-            --namespace bessa-wissa \\
+            --namespace my-app \\
             --env NODE_ENV=production \\
-            --secret STOZ3N_API_TOKEN=$STOZ3N_API_TOKEN
+            --secret API_TOKEN=$API_TOKEN
     """
     c = _client(region)
 

{granny_devops-0.9.0 → granny_devops-0.9.2}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "granny-devops"
-version = "0.9.0"
+version = "0.9.2"
 description = "Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation"
 readme = "README.md"
 license = { file = "LICENSE" }

granny_devops-0.9.0/granny/authentik/__init__.py

@@ -1,33 +0,0 @@
-"""Authentik management — REST API wrapper + per-stage stoz3n-dash provisioning.
-
-Powered by the ``AUTHENTIK_API_TOKEN`` secret (resolves via env var or
-Vaultwarden under ``granny/infra/authentik-api-token``) and the
-non-secret ``AUTHENTIK_URL`` (default ``https://auth.pseekoo.io``).
-
-Public API::
-
-    from granny.authentik import AuthentikClient, STOZ3N_DASH_STAGES, provision_stoz3n_dash
-
-    client = AuthentikClient.from_environment()
-    result = provision_stoz3n_dash(client, stage="development")
-    print(result.client_id, result.client_secret)
-"""
-
-from granny.authentik.client import AuthentikClient, AuthentikError
-from granny.authentik.provision import (
-    ADMIN_GROUP_NAME,
-    OIDC_SCOPES,
-    STOZ3N_DASH_STAGES,
-    ProvisionResult,
-    provision_stoz3n_dash,
-)
-
-__all__ = [
-    "ADMIN_GROUP_NAME",
-    "AuthentikClient",
-    "AuthentikError",
-    "OIDC_SCOPES",
-    "ProvisionResult",
-    "STOZ3N_DASH_STAGES",
-    "provision_stoz3n_dash",
-]

granny_devops-0.9.0/granny/authentik/provision.py

@@ -1,235 +0,0 @@
-"""Per-stage stoz3n-dash app provisioning in Authentik.
-
-The :data:`STOZ3N_DASH_STAGES` map defines the slug + redirect_uri + launch
-URL for each environment. Keep this synchronised with the canonical doc at
-``stoz3n-agent-dash/docs/authentik-sso.md``.
-"""
-
-from __future__ import annotations
-
-from dataclasses import dataclass
-
-from granny.authentik.client import AuthentikClient
-
-STOZ3N_DASH_STAGES: dict[str, dict[str, str]] = {
-    "development": {
-        "slug": "stoz3n-dash-dev",
-        "name": "Stoz3n Dashboard (dev)",
-        "redirect_uri": "http://localhost:8000/api/auth/oidc/callback",
-        "launch_url": "http://localhost:5173",
-    },
-    "staging": {
-        "slug": "stoz3n-dash-staging",
-        "name": "Stoz3n Dashboard (staging)",
-        "redirect_uri": "https://facts-dev.stozn.ai/api/auth/oidc/callback",
-        "launch_url": "https://dash-dev.stozn.ai",
-    },
-    "production": {
-        "slug": "stoz3n-dash",
-        "name": "Stoz3n Dashboard",
-        "redirect_uri": "https://facts.stozn.ai/api/auth/oidc/callback",
-        "launch_url": "https://dash.stozn.ai",
-    },
-}
-
-ADMIN_GROUP_NAME = "dash_admins"
-AUTHORIZATION_FLOW_SLUG = "default-provider-authorization-explicit-consent"
-INVALIDATION_FLOW_SLUG = "default-provider-invalidation-flow"
-OIDC_SCOPES: tuple[str, ...] = ("openid", "profile", "email")
-
-
-@dataclass
-class ProvisionResult:
-    """Outcome of :func:`provision_stoz3n_dash`."""
-
-    stage: str
-    base_url: str
-    issuer: str
-    client_id: str
-    client_secret: str  # empty string if Authentik didn't echo it back
-    redirect_uri: str
-    admin_group: str
-    scopes: str
-    provider_pk: str
-    application_slug: str
-    group_pk: str
-    created_provider: bool
-    created_application: bool
-    created_binding: bool
-    created_group: bool
-
-    @property
-    def authorization_endpoint(self) -> str:
-        return f"{self.base_url}/application/o/authorize/"
-
-    @property
-    def token_endpoint(self) -> str:
-        return f"{self.base_url}/application/o/token/"
-
-    @property
-    def userinfo_endpoint(self) -> str:
-        return f"{self.base_url}/application/o/userinfo/"
-
-    def chat_agent_oidc_block(self) -> dict[str, dict[str, str]]:
-        """JSON snippet to paste into the chat-agent's encrypted config."""
-        return {
-            "oidc": {
-                "issuer": self.issuer,
-                "authorization_endpoint": self.authorization_endpoint,
-                "token_endpoint": self.token_endpoint,
-                "userinfo_endpoint": self.userinfo_endpoint,
-                "client_id": self.client_id,
-                "client_secret": self.client_secret
-                or "<rerun with --rotate or run granny authentik rotate-secret>",
-                "redirect_uri": self.redirect_uri,
-                "admin_group": self.admin_group,
-                "scopes": self.scopes,
-            }
-        }
-
-    def dashboard_oidc_block(self) -> dict[str, dict[str, str]]:
-        """JSON snippet to paste into the dashboard repo's encrypted config."""
-        return {
-            "oidc": {
-                "client_secret": self.client_secret
-                or "<rerun with --rotate or run granny authentik rotate-secret>"
-            }
-        }
-
-
-def provision_stoz3n_dash(
-    client: AuthentikClient,
-    *,
-    stage: str,
-    rotate_secret: bool = False,
-) -> ProvisionResult:
-    """End-to-end idempotent provisioning of one stoz3n-dashboard stage.
-
-    Steps:
-
-    1. Resolve authorization flow + signing key + OIDC scope mappings.
-    2. Ensure the ``dash_admins`` group exists.
-    3. Create or PATCH the OAuth2 provider.
-    4. Create or PATCH the application.
-    5. Create the application→group policy binding if absent.
-
-    Re-running is safe; nothing is destroyed. ``rotate_secret=True`` forces
-    a new ``client_secret`` to be minted on an existing provider.
-    """
-    if stage not in STOZ3N_DASH_STAGES:
-        raise ValueError(
-            f"Unknown stage {stage!r}; choose one of {sorted(STOZ3N_DASH_STAGES)}"
-        )
-    cfg = STOZ3N_DASH_STAGES[stage]
-    provider_name = cfg["slug"]
-    app_slug = cfg["slug"]
-
-    # 1. Foreign keys
-    authorization_flow = client.find_flow_pk(AUTHORIZATION_FLOW_SLUG)
-    invalidation_flow = client.find_flow_pk(INVALIDATION_FLOW_SLUG)
-    signing_key = client.find_signing_key_pk()
-    scope_mappings = client.find_scope_mappings(OIDC_SCOPES)
-
-    # 2. Admin group
-    existing_group = client.find_group_by_name(ADMIN_GROUP_NAME)
-    created_group = existing_group is None
-    group = existing_group or client.ensure_group(ADMIN_GROUP_NAME)
-
-    # 3. Provider — three reconciliation paths:
-    #   a. App+provider already exist under our slug → adopt them. We honor
-    #      the existing provider's pk so its client_id stays stable; only
-    #      rename + reconfigure fields. This is the production path where
-    #      a pre-existing app may already be live with consumers.
-    #   b. Provider exists by name (our convention) but no app → PATCH it
-    #      in place.
-    #   c. Nothing exists → POST a fresh provider.
-    existing_app_for_adoption = client.find_application_by_slug(app_slug)
-    adopt_pk: int | str | None = None
-    if existing_app_for_adoption is not None:
-        adopt_pk = existing_app_for_adoption.get("provider")
-    existing_provider = (
-        client.find_provider_by_pk(adopt_pk) if adopt_pk is not None else None
-    ) or client.find_provider_by_name(provider_name)
-
-    provider_body: dict[str, object] = {
-        "name": provider_name,
-        "authorization_flow": authorization_flow,
-        "invalidation_flow": invalidation_flow,
-        "client_type": "confidential",
-        "redirect_uris": [{"matching_mode": "strict", "url": cfg["redirect_uri"]}],
-        "signing_key": signing_key,
-        "property_mappings": scope_mappings,
-        "sub_mode": "user_username",
-        "include_claims_in_id_token": True,
-        "access_token_validity": "minutes=10",
-        "refresh_token_validity": "days=30",
-    }
-    if existing_provider:
-        if rotate_secret:
-            provider_body["client_secret"] = ""  # empty → Authentik regenerates
-        provider = client.request(
-            "PATCH",
-            f"/api/v3/providers/oauth2/{existing_provider['pk']}/",
-            body=provider_body,
-        )
-        created_provider = False
-    else:
-        provider = client.request("POST", "/api/v3/providers/oauth2/", body=provider_body)
-        created_provider = True
-
-    # 4. Application
-    app_body = {
-        "name": cfg["name"],
-        "slug": app_slug,
-        "provider": provider["pk"],
-        "meta_launch_url": cfg["launch_url"],
-        "policy_engine_mode": "any",
-    }
-    if existing_app_for_adoption:
-        client.request("PATCH", f"/api/v3/core/applications/{app_slug}/", body=app_body)
-        created_application = False
-        target_pk = existing_app_for_adoption["pk"]
-    else:
-        new_app = client.request("POST", "/api/v3/core/applications/", body=app_body)
-        created_application = True
-        target_pk = new_app["pk"]
-
-    # 5. Group → application policy binding
-    bindings = client.request(
-        "GET", "/api/v3/policies/bindings/", params={"target": target_pk}
-    ).get("results", [])
-    has_binding = any(b.get("group") == group["pk"] for b in bindings)
-    if has_binding:
-        created_binding = False
-    else:
-        client.request(
-            "POST",
-            "/api/v3/policies/bindings/",
-            body={
-                "target": target_pk,
-                "group": group["pk"],
-                "enabled": True,
-                "order": 0,
-                "negate": False,
-                "timeout": 30,
-            },
-        )
-        created_binding = True
-
-    return ProvisionResult(
-        stage=stage,
-        base_url=client.base_url,
-        issuer=f"{client.base_url}/application/o/{app_slug}",
-        client_id=provider["client_id"],
-        client_secret=provider.get("client_secret") or "",
-        redirect_uri=cfg["redirect_uri"],
-        admin_group=ADMIN_GROUP_NAME,
-        scopes=" ".join(OIDC_SCOPES),
-        provider_pk=str(provider["pk"]),
-        application_slug=app_slug,
-        group_pk=str(group["pk"]),
-        created_provider=created_provider,
-        created_application=created_application,
-        created_binding=created_binding,
-        created_group=created_group,
-    )