granny-devops 0.9.1__tar.gz → 0.9.3__tar.gz

{granny_devops-0.9.1 → granny_devops-0.9.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: granny-devops
-Version: 0.9.1
+Version: 0.9.3
 Summary: Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation
 Author-email: Martin Wieser <martin.wieser@pseekoo.com>
 License: MIT License
@@ -221,6 +221,7 @@ Common keys:
 | ClouDNS | `CLOUDNS_AUTH_ID`/`_PASSWORD` (or `_SUB_AUTH_ID`/`_SUB_AUTH_USER`) |
 | INWX | `INWX_USERNAME`, `INWX_PASSWORD`, `INWX_SHARED_SECRET` (only with 2FA) |
 | Docker Hub | `DOCKER_HUB_USER`, `DOCKER_HUB_TOKEN` |
+| Elasticsearch / Kibana | `ELASTICSEARCH_URL`, `ELASTICSEARCH_API_KEY` or `ELASTICSEARCH_USERNAME` + `ELASTICSEARCH_PASSWORD` |
 
 Set only the ones you need. Use `granny credentials status` to verify
 what's configured at any time.
@@ -288,10 +289,22 @@ granny create scaleway-container --name my-app --port 3000
 granny create mailjet-dns example.com
 
 # Authentik admin (provider + application + group plumbing)
+granny authentik provision-oauth-app my-app \
+  --name "My App" \
+  --redirect-uri https://app.example.com/auth/callback \
+  --launch-url https://app.example.com \
+  --group my-app-admins
 granny authentik list providers
 granny authentik rotate-secret my-oauth-provider
 granny authentik add-user-to-group user@example.com     # defaults to dash_admins
 granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
+
+# Elasticsearch / Kibana users
+granny elk add-user user@example.com \
+  --email user@example.com \
+  --full-name "Example User" \
+  --role kibana_admin \
+  --generate-password
 ```
 
 ## Capability matrix
@@ -309,6 +322,7 @@ granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 | Cross-cloud inventory | GPU instances + reservations, credit balances, MTD spend + forecast (AWS, GCP, Azure) |
 | SSL automation | Bunny, Cloudflare, ACM |
 | SSO / IdP | Authentik (provider, application, group, and user operations) |
+| Observability admin | Elasticsearch / Kibana native-user management |
 
 ## As a library
 

{granny_devops-0.9.1 → granny_devops-0.9.3}/README.md

@@ -89,6 +89,7 @@ Common keys:
 | ClouDNS | `CLOUDNS_AUTH_ID`/`_PASSWORD` (or `_SUB_AUTH_ID`/`_SUB_AUTH_USER`) |
 | INWX | `INWX_USERNAME`, `INWX_PASSWORD`, `INWX_SHARED_SECRET` (only with 2FA) |
 | Docker Hub | `DOCKER_HUB_USER`, `DOCKER_HUB_TOKEN` |
+| Elasticsearch / Kibana | `ELASTICSEARCH_URL`, `ELASTICSEARCH_API_KEY` or `ELASTICSEARCH_USERNAME` + `ELASTICSEARCH_PASSWORD` |
 
 Set only the ones you need. Use `granny credentials status` to verify
 what's configured at any time.
@@ -156,10 +157,22 @@ granny create scaleway-container --name my-app --port 3000
 granny create mailjet-dns example.com
 
 # Authentik admin (provider + application + group plumbing)
+granny authentik provision-oauth-app my-app \
+  --name "My App" \
+  --redirect-uri https://app.example.com/auth/callback \
+  --launch-url https://app.example.com \
+  --group my-app-admins
 granny authentik list providers
 granny authentik rotate-secret my-oauth-provider
 granny authentik add-user-to-group user@example.com     # defaults to dash_admins
 granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
+
+# Elasticsearch / Kibana users
+granny elk add-user user@example.com \
+  --email user@example.com \
+  --full-name "Example User" \
+  --role kibana_admin \
+  --generate-password
 ```
 
 ## Capability matrix
@@ -177,6 +190,7 @@ granny authentik api GET /api/v3/core/users/me/        # generic escape hatch
 | Cross-cloud inventory | GPU instances + reservations, credit balances, MTD spend + forecast (AWS, GCP, Azure) |
 | SSL automation | Bunny, Cloudflare, ACM |
 | SSO / IdP | Authentik (provider, application, group, and user operations) |
+| Observability admin | Elasticsearch / Kibana native-user management |
 
 ## As a library
 

{granny_devops-0.9.1 → granny_devops-0.9.3}/granny/__init__.py

@@ -1,6 +1,6 @@
 """Granny -- Cloud tools collection for AWS infrastructure and DevOps automation."""
 
-__version__ = "0.9.1"
+__version__ = "0.9.3"
 __all__ = [
     "get_secret",
     "load_secrets_into_env",

{granny_devops-0.9.1 → granny_devops-0.9.3}/granny/authentik/__init__.py

@@ -1,8 +1,12 @@
 """Authentik management — REST API wrapper."""
 
 from granny.authentik.client import AuthentikClient, AuthentikError
+from granny.authentik.provision import OAuthAppSpec, ProvisionResult, provision_oauth_app
 
 __all__ = [
     "AuthentikClient",
     "AuthentikError",
+    "OAuthAppSpec",
+    "ProvisionResult",
+    "provision_oauth_app",
 ]

granny_devops-0.9.3/granny/authentik/provision.py

@@ -0,0 +1,197 @@
+"""Generic Authentik OAuth2 application provisioning."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+
+from granny.authentik.client import AuthentikClient
+
+DEFAULT_AUTHORIZATION_FLOW_SLUG = "default-provider-authorization-explicit-consent"
+DEFAULT_INVALIDATION_FLOW_SLUG = "default-provider-invalidation-flow"
+DEFAULT_OIDC_SCOPES: tuple[str, ...] = ("openid", "profile", "email")
+
+
+@dataclass(frozen=True)
+class OAuthAppSpec:
+    """Desired state for an Authentik OAuth2 provider + application."""
+
+    slug: str
+    name: str
+    redirect_uris: tuple[str, ...]
+    launch_url: str | None = None
+    group: str | None = None
+    provider_name: str | None = None
+    scopes: tuple[str, ...] = DEFAULT_OIDC_SCOPES
+    authorization_flow_slug: str = DEFAULT_AUTHORIZATION_FLOW_SLUG
+    invalidation_flow_slug: str = DEFAULT_INVALIDATION_FLOW_SLUG
+    access_token_validity: str = "minutes=10"
+    refresh_token_validity: str = "days=30"
+    sub_mode: str = "user_username"
+    include_claims_in_id_token: bool = True
+
+    def __post_init__(self) -> None:
+        if not self.slug:
+            raise ValueError("slug must not be empty")
+        if not self.name:
+            raise ValueError("name must not be empty")
+        if not self.redirect_uris:
+            raise ValueError("at least one redirect URI is required")
+
+
+@dataclass
+class ProvisionResult:
+    """Result of provisioning an Authentik OAuth2 application."""
+
+    base_url: str
+    issuer: str
+    client_id: str
+    client_secret: str
+    redirect_uris: tuple[str, ...]
+    scopes: str
+    provider_pk: str
+    application_slug: str
+    group: str | None
+    group_pk: str | None
+    created_provider: bool
+    created_application: bool
+    created_binding: bool
+    created_group: bool
+    extra: dict[str, str] = field(default_factory=dict)
+
+    @property
+    def authorization_endpoint(self) -> str:
+        return f"{self.base_url}/application/o/authorize/"
+
+    @property
+    def token_endpoint(self) -> str:
+        return f"{self.base_url}/application/o/token/"
+
+    @property
+    def userinfo_endpoint(self) -> str:
+        return f"{self.base_url}/application/o/userinfo/"
+
+    def oidc_block(self) -> dict[str, str | list[str] | None]:
+        """Return a copy-paste friendly OIDC configuration snippet."""
+        return {
+            "issuer": self.issuer,
+            "authorization_endpoint": self.authorization_endpoint,
+            "token_endpoint": self.token_endpoint,
+            "userinfo_endpoint": self.userinfo_endpoint,
+            "client_id": self.client_id,
+            "client_secret": self.client_secret or None,
+            "redirect_uris": list(self.redirect_uris),
+            "scopes": self.scopes,
+            "admin_group": self.group,
+        }
+
+
+def provision_oauth_app(
+    client: AuthentikClient,
+    spec: OAuthAppSpec,
+    *,
+    rotate_secret: bool = False,
+) -> ProvisionResult:
+    """Idempotently provision an OAuth2 provider and application in Authentik."""
+    provider_name = spec.provider_name or spec.slug
+    authorization_flow = client.find_flow_pk(spec.authorization_flow_slug)
+    invalidation_flow = client.find_flow_pk(spec.invalidation_flow_slug)
+    signing_key = client.find_signing_key_pk()
+    scope_mappings = client.find_scope_mappings(spec.scopes)
+
+    group = None
+    created_group = False
+    if spec.group:
+        existing_group = client.find_group_by_name(spec.group)
+        created_group = existing_group is None
+        group = existing_group or client.ensure_group(spec.group)
+
+    existing_app = client.find_application_by_slug(spec.slug)
+    adopt_pk: int | str | None = None
+    if existing_app is not None:
+        adopt_pk = existing_app.get("provider")
+    existing_provider = (
+        client.find_provider_by_pk(adopt_pk) if adopt_pk is not None else None
+    ) or client.find_provider_by_name(provider_name)
+
+    provider_body: dict[str, object] = {
+        "name": provider_name,
+        "authorization_flow": authorization_flow,
+        "invalidation_flow": invalidation_flow,
+        "client_type": "confidential",
+        "redirect_uris": [
+            {"matching_mode": "strict", "url": uri} for uri in spec.redirect_uris
+        ],
+        "signing_key": signing_key,
+        "property_mappings": scope_mappings,
+        "sub_mode": spec.sub_mode,
+        "include_claims_in_id_token": spec.include_claims_in_id_token,
+        "access_token_validity": spec.access_token_validity,
+        "refresh_token_validity": spec.refresh_token_validity,
+    }
+    if existing_provider:
+        if rotate_secret:
+            provider_body["client_secret"] = ""
+        provider = client.request(
+            "PATCH",
+            f"/api/v3/providers/oauth2/{existing_provider['pk']}/",
+            body=provider_body,
+        )
+        created_provider = False
+    else:
+        provider = client.request("POST", "/api/v3/providers/oauth2/", body=provider_body)
+        created_provider = True
+
+    app_body: dict[str, object] = {
+        "name": spec.name,
+        "slug": spec.slug,
+        "provider": provider["pk"],
+        "policy_engine_mode": "any",
+    }
+    if spec.launch_url is not None:
+        app_body["meta_launch_url"] = spec.launch_url
+    if existing_app:
+        client.request("PATCH", f"/api/v3/core/applications/{spec.slug}/", body=app_body)
+        created_application = False
+        target_pk = existing_app["pk"]
+    else:
+        new_app = client.request("POST", "/api/v3/core/applications/", body=app_body)
+        created_application = True
+        target_pk = new_app["pk"]
+
+    created_binding = False
+    if group is not None:
+        bindings = client.request(
+            "GET", "/api/v3/policies/bindings/", params={"target": target_pk}
+        ).get("results", [])
+        has_binding = any(binding.get("group") == group["pk"] for binding in bindings)
+        if not has_binding:
+            client.request(
+                "POST",
+                "/api/v3/policies/bindings/",
+                body={
+                    "target": target_pk,
+                    "group": group["pk"],
+                    "enabled": True,
+                    "order": 0,
+                    "negate": False,
+                    "timeout": 30,
+                },
+            )
+            created_binding = True
+
+    return ProvisionResult(
+        base_url=client.base_url,
+        issuer=f"{client.base_url}/application/o/{spec.slug}",
+        client_id=provider["client_id"],
+        client_secret=provider.get("client_secret") or "",
+        redirect_uris=spec.redirect_uris,
+        scopes=" ".join(spec.scopes),
+        provider_pk=str(provider["pk"]),
+        application_slug=spec.slug,
+        group=spec.group,
+        group_pk=str(group["pk"]) if group is not None else None,
+        created_provider=created_provider,
+        created_application=created_application,
+        created_binding=created_binding,
+        created_group=created_group,
+    )

{granny_devops-0.9.1 → granny_devops-0.9.3}/granny/cli/authentik.py

@@ -12,7 +12,7 @@ from typing import Any
 
 import click
 
-from granny.authentik import AuthentikClient, AuthentikError
+from granny.authentik import AuthentikClient, AuthentikError, OAuthAppSpec, provision_oauth_app
 
 ADMIN_GROUP_NAME = "dash_admins"
 
@@ -30,6 +30,110 @@ def _client() -> AuthentikClient:
         sys.exit(1)
 
 
+def _print_provision_report(result: Any) -> None:
+    click.echo("", err=True)
+    click.echo("─" * 72)
+    click.echo(f"Authentik URL      : {result.base_url}")
+    click.echo(f"Application slug   : {result.application_slug}")
+    click.echo(f"Issuer             : {result.issuer}")
+    click.echo(f"client_id          : {result.client_id}")
+    click.echo(
+        f"client_secret      : {result.client_secret or '(not echoed — rotate-secret to see)'}"
+    )
+    click.echo(f"redirect_uris      : {', '.join(result.redirect_uris)}")
+    click.echo(f"group              : {result.group or '(none)'}")
+    click.echo(f"scopes             : {result.scopes}")
+    flags = [
+        f"provider={'NEW' if result.created_provider else 'EXISTS'}",
+        f"application={'NEW' if result.created_application else 'EXISTS'}",
+        f"binding={'NEW' if result.created_binding else 'EXISTS'}",
+        f"group={'NEW' if result.created_group else 'EXISTS'}",
+    ]
+    click.echo(f"state              : {', '.join(flags)}")
+    click.echo("─" * 72)
+    click.echo("")
+    click.echo(json.dumps({"oidc": result.oidc_block()}, indent=2))
+    if not result.client_secret:
+        click.echo("", err=True)
+        click.echo(
+            "WARN: Authentik did not echo client_secret in the response. "
+            "Run `granny authentik rotate-secret " + result.application_slug
+            + "` to mint a fresh secret you can copy.",
+            err=True,
+        )
+
+
+@authentik.command("provision-oauth-app")
+@click.argument("slug")
+@click.option("--name", required=True, help="Application display name.")
+@click.option(
+    "--redirect-uri",
+    "redirect_uris",
+    multiple=True,
+    required=True,
+    help="Allowed redirect URI. Repeat for multiple callbacks.",
+)
+@click.option("--launch-url", default=None, help="Optional application launch URL.")
+@click.option("--group", default=None, help="Optional group allowed to access the app.")
+@click.option("--provider-name", default=None, help="OAuth2 provider name (defaults to slug).")
+@click.option(
+    "--scope",
+    "scopes",
+    multiple=True,
+    default=("openid", "profile", "email"),
+    show_default=True,
+    help="OIDC scope to include. Repeat to override/add scopes.",
+)
+@click.option(
+    "--authorization-flow",
+    default="default-provider-authorization-explicit-consent",
+    show_default=True,
+    help="Authorization flow slug.",
+)
+@click.option(
+    "--invalidation-flow",
+    default="default-provider-invalidation-flow",
+    show_default=True,
+    help="Invalidation flow slug.",
+)
+@click.option(
+    "--rotate",
+    is_flag=True,
+    help="Force a fresh client_secret if the provider already exists.",
+)
+def provision_oauth_app_cmd(
+    slug: str,
+    name: str,
+    redirect_uris: tuple[str, ...],
+    launch_url: str | None,
+    group: str | None,
+    provider_name: str | None,
+    scopes: tuple[str, ...],
+    authorization_flow: str,
+    invalidation_flow: str,
+    rotate: bool,
+) -> None:
+    """Provision an OAuth2 provider + application + optional group binding."""
+    spec = OAuthAppSpec(
+        slug=slug,
+        name=name,
+        redirect_uris=redirect_uris,
+        launch_url=launch_url,
+        group=group,
+        provider_name=provider_name,
+        scopes=scopes,
+        authorization_flow_slug=authorization_flow,
+        invalidation_flow_slug=invalidation_flow,
+    )
+    client = _client()
+    try:
+        result = provision_oauth_app(client, spec, rotate_secret=rotate)
+    except AuthentikError as exc:
+        click.echo(f"Authentik error: {exc}", err=True)
+        sys.exit(1)
+    _print_provision_report(result)
+
+
 _LIST_ENDPOINTS = {
     "providers": "/api/v3/providers/oauth2/",
     "applications": "/api/v3/core/applications/",

granny_devops-0.9.3/granny/cli/elk.py

@@ -0,0 +1,192 @@
+"""``granny elk`` — manage Elasticsearch / Kibana users."""
+
+from __future__ import annotations
+
+import getpass
+import json
+import sys
+from typing import Any
+
+import click
+
+from granny.elk.client import (
+    ElasticsearchSecurityClient,
+    ElasticsearchSecurityError,
+    generate_password as generate_elk_password,
+)
+
+
+@click.group()
+def elk() -> None:
+    """Manage Elasticsearch / Kibana security objects."""
+
+
+def _client(
+    url: str | None,
+    admin_username: str | None,
+    admin_password: str | None,
+    api_key: str | None,
+    verify_tls: bool,
+) -> ElasticsearchSecurityClient:
+    try:
+        return ElasticsearchSecurityClient.from_environment(
+            base_url=url,
+            username=admin_username,
+            password=admin_password,
+            api_key=api_key,
+            verify_tls=verify_tls,
+        )
+    except ElasticsearchSecurityError as exc:
+        raise click.ClickException(str(exc)) from exc
+
+
+_COMMON_OPTIONS = [
+    click.option("--url", default=None, help="Elasticsearch URL (env: ELASTICSEARCH_URL)."),
+    click.option(
+        "--admin-username",
+        default=None,
+        help="Admin username (env/vault: ELASTICSEARCH_USERNAME).",
+    ),
+    click.option(
+        "--admin-password",
+        default=None,
+        help="Admin password (env/vault: ELASTICSEARCH_PASSWORD).",
+    ),
+    click.option(
+        "--api-key",
+        default=None,
+        help="Elasticsearch API key (env/vault: ELASTICSEARCH_API_KEY).",
+    ),
+    click.option("--verify-tls/--no-verify-tls", default=True, show_default=True),
+]
+
+
+def common_options(func: Any) -> Any:
+    for option in reversed(_COMMON_OPTIONS):
+        func = option(func)
+    return func
+
+
+@elk.command("add-user")
+@click.argument("username")
+@click.option("--email", default=None, help="User email address.")
+@click.option("--full-name", default=None, help="User display name.")
+@click.option(
+    "--role",
+    "roles",
+    multiple=True,
+    required=True,
+    help="Elasticsearch role. Repeat for multiple roles, e.g. --role kibana_admin.",
+)
+@click.option("--password", default=None, help="Initial password. Prompts if omitted.")
+@click.option(
+    "--generate-password",
+    is_flag=True,
+    help="Generate and print a random initial password instead of prompting.",
+)
+@click.option("--disabled", is_flag=True, help="Create/update the user as disabled.")
+@click.option(
+    "--metadata",
+    default=None,
+    help="Optional JSON object for Elasticsearch user metadata.",
+)
+@click.option("--json", "as_json", is_flag=True, help="Emit JSON result.")
+@common_options
+def add_user_cmd(
+    username: str,
+    email: str | None,
+    full_name: str | None,
+    roles: tuple[str, ...],
+    password: str | None,
+    generate_password: bool,
+    disabled: bool,
+    metadata: str | None,
+    as_json: bool,
+    url: str | None,
+    admin_username: str | None,
+    admin_password: str | None,
+    api_key: str | None,
+    verify_tls: bool,
+) -> None:
+    """Create or update an Elasticsearch native user for Kibana/ELK access."""
+    if password and generate_password:
+        raise click.ClickException("Use either --password or --generate-password, not both")
+    generated_password: str | None = None
+    if generate_password:
+        generated_password = generate_elk_password()
+        password = generated_password
+    elif password is None:
+        password = getpass.getpass(f"Initial password for {username}: ")
+        confirm = getpass.getpass("Confirm password: ")
+        if password != confirm:
+            raise click.ClickException("Passwords do not match")
+
+    parsed_metadata: dict[str, Any] | None = None
+    if metadata:
+        try:
+            raw_metadata = json.loads(metadata)
+        except json.JSONDecodeError as exc:
+            raise click.ClickException(f"Invalid --metadata JSON: {exc}") from exc
+        if not isinstance(raw_metadata, dict):
+            raise click.ClickException("--metadata must be a JSON object")
+        parsed_metadata = raw_metadata
+
+    client = _client(url, admin_username, admin_password, api_key, verify_tls)
+    try:
+        existed_before = client.get_user(username) is not None
+        result = client.put_user(
+            username,
+            password=password,
+            roles=roles,
+            full_name=full_name,
+            email=email,
+            enabled=not disabled,
+            metadata=parsed_metadata,
+        )
+    except ElasticsearchSecurityError as exc:
+        raise click.ClickException(str(exc)) from exc
+
+    out = {
+        "username": username,
+        "created": not existed_before,
+        "updated": existed_before,
+        "roles": list(roles),
+        "enabled": not disabled,
+        "result": result,
+    }
+    if generated_password is not None:
+        out["password"] = generated_password
+    if as_json:
+        click.echo(json.dumps(out, indent=2, default=str))
+        return
+    click.echo(f"{'Created' if not existed_before else 'Updated'} ELK user {username}")
+    click.echo(f"Roles: {', '.join(roles)}")
+    if generated_password is not None:
+        click.echo(f"Password: {generated_password}")
+
+@elk.command("get-user")
+@click.argument("username")
+@click.option("--json", "as_json", is_flag=True, help="Emit raw JSON result.")
+@common_options
+def get_user_cmd(
+    username: str,
+    as_json: bool,
+    url: str | None,
+    admin_username: str | None,
+    admin_password: str | None,
+    api_key: str | None,
+    verify_tls: bool,
+) -> None:
+    """Show an Elasticsearch native user."""
+    client = _client(url, admin_username, admin_password, api_key, verify_tls)
+    try:
+        user = client.get_user(username)
+    except ElasticsearchSecurityError as exc:
+        raise click.ClickException(str(exc)) from exc
+    if user is None:
+        click.echo(f"User {username!r} not found", err=True)
+        sys.exit(1)
+    if as_json:
+        click.echo(json.dumps(user, indent=2, default=str))
+        return
+    click.echo(f"{username} | roles={','.join(user.get('roles', []))} | enabled={user.get('enabled')}")

{granny_devops-0.9.1 → granny_devops-0.9.3}/granny/cli/main.py

@@ -100,6 +100,11 @@ def _register_commands() -> None:
         cli.add_command(authentik)
     except ImportError:
         pass
+    try:
+        from granny.cli.elk import elk
+        cli.add_command(elk)
+    except ImportError:
+        pass
 
 
 _register_commands()

{granny_devops-0.9.1 → granny_devops-0.9.3}/granny/credentials/secrets.py

@@ -172,6 +172,10 @@ SECRET_MAP: dict[str, str] = {
     # superuser-issued token (Authentik UI → Directory → Tokens). Falls back
     # to AK_TOKEN env var in granny.authentik.AuthentikClient.from_environment.
     "AUTHENTIK_API_TOKEN": "authentik-api-token",
+    # Elasticsearch / Kibana security API credentials for `granny elk …`.
+    "ELASTICSEARCH_API_KEY": "elasticsearch-api-key",
+    "ELASTICSEARCH_USERNAME": "elasticsearch-username",
+    "ELASTICSEARCH_PASSWORD": "elasticsearch-password",
 }
 
 # Module-level cache so vault is only contacted once per process

granny_devops-0.9.3/granny/elk/__init__.py

@@ -0,0 +1,5 @@
+"""Elasticsearch / Kibana user management helpers."""
+
+from granny.elk.client import ElasticsearchSecurityClient, ElasticsearchSecurityError
+
+__all__ = ["ElasticsearchSecurityClient", "ElasticsearchSecurityError"]

granny_devops-0.9.3/granny/elk/client.py

@@ -0,0 +1,149 @@
+"""Thin wrapper around Elasticsearch's security user API."""
+
+from __future__ import annotations
+
+import os
+import secrets
+import string
+from typing import Any
+
+import requests
+
+from granny.credentials import get_secret
+
+
+class ElasticsearchSecurityError(RuntimeError):
+    """Raised on non-2xx responses from Elasticsearch security APIs."""
+
+    def __init__(self, status: int, body: str) -> None:
+        super().__init__(f"HTTP {status}: {body[:400]}")
+        self.status = status
+        self.body = body
+
+
+class ElasticsearchSecurityClient:
+    """Authenticated client for Elasticsearch native-user management."""
+
+    def __init__(
+        self,
+        base_url: str,
+        *,
+        username: str | None = None,
+        password: str | None = None,
+        api_key: str | None = None,
+        timeout: float = 30.0,
+        verify_tls: bool = True,
+    ) -> None:
+        self.base_url = base_url.rstrip("/")
+        self._timeout = timeout
+        self._session = requests.Session()
+        self._session.headers.update({"Accept": "application/json"})
+        self._session.verify = verify_tls
+        if api_key:
+            self._session.headers["Authorization"] = f"ApiKey {api_key}"
+        elif username and password:
+            self._session.auth = (username, password)
+        else:
+            raise ElasticsearchSecurityError(
+                0,
+                "Set ELASTICSEARCH_API_KEY or ELASTICSEARCH_USERNAME + "
+                "ELASTICSEARCH_PASSWORD.",
+            )
+
+    @classmethod
+    def from_environment(
+        cls,
+        *,
+        base_url: str | None = None,
+        username: str | None = None,
+        password: str | None = None,
+        api_key: str | None = None,
+        verify_tls: bool | None = None,
+    ) -> "ElasticsearchSecurityClient":
+        """Build a client from explicit arguments, env vars, and vault fallback."""
+        resolved_url = base_url or os.environ.get("ELASTICSEARCH_URL")
+        if not resolved_url:
+            raise ElasticsearchSecurityError(0, "ELASTICSEARCH_URL is not set")
+
+        resolved_api_key = api_key or get_secret("ELASTICSEARCH_API_KEY")
+        resolved_username = None
+        resolved_password = None
+        if not resolved_api_key:
+            resolved_username = username or get_secret("ELASTICSEARCH_USERNAME")
+            resolved_password = password or get_secret("ELASTICSEARCH_PASSWORD")
+        if verify_tls is None:
+            verify_tls = os.environ.get("ELASTICSEARCH_VERIFY_TLS", "true").lower() not in {
+                "0",
+                "false",
+                "no",
+            }
+        return cls(
+            resolved_url,
+            username=resolved_username,
+            password=resolved_password,
+            api_key=resolved_api_key,
+            verify_tls=verify_tls,
+        )
+
+    def request(self, method: str, path: str, *, body: Any = None) -> Any:
+        if not path.startswith("/"):
+            path = "/" + path
+        try:
+            resp = self._session.request(
+                method.upper(),
+                self.base_url + path,
+                json=body,
+                timeout=self._timeout,
+            )
+        except requests.RequestException as exc:
+            raise ElasticsearchSecurityError(0, str(exc)) from exc
+        if resp.status_code >= 400:
+            raise ElasticsearchSecurityError(resp.status_code, resp.text)
+        if not resp.content:
+            return None
+        try:
+            return resp.json()
+        except ValueError:
+            return resp.text
+
+    def get_user(self, username: str) -> dict[str, Any] | None:
+        try:
+            result = self.request("GET", f"/_security/user/{username}")
+        except ElasticsearchSecurityError as exc:
+            if exc.status == 404:
+                return None
+            raise
+        if isinstance(result, dict):
+            return result.get(username)
+        return None
+
+    def put_user(
+        self,
+        username: str,
+        *,
+        roles: list[str] | tuple[str, ...],
+        password: str | None = None,
+        full_name: str | None = None,
+        email: str | None = None,
+        enabled: bool = True,
+        metadata: dict[str, Any] | None = None,
+    ) -> dict[str, Any]:
+        """Create or update a native Elasticsearch user."""
+        body: dict[str, Any] = {
+            "roles": list(roles),
+            "enabled": enabled,
+            "metadata": metadata or {},
+        }
+        if password is not None:
+            body["password"] = password
+        if full_name is not None:
+            body["full_name"] = full_name
+        if email is not None:
+            body["email"] = email
+        return self.request("PUT", f"/_security/user/{username}", body=body)
+
+
+def generate_password(length: int = 24) -> str:
+    """Generate a Kibana-friendly random password."""
+    alphabet = string.ascii_letters + string.digits + "-_.!~"
+    return "".join(secrets.choice(alphabet) for _ in range(length))

{granny_devops-0.9.1 → granny_devops-0.9.3}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "granny-devops"
-version = "0.9.1"
+version = "0.9.3"
 description = "Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation"
 readme = "README.md"
 license = { file = "LICENSE" }