login-auth-tui 0.3__py3-none-any.whl

login_auth_tui/__main__.py

@@ -0,0 +1,4 @@
+from login_auth_tui.cli import cli
+
+if __name__ == "__main__":
+    cli()

login_auth_tui/aws_mfa.py

@@ -0,0 +1,61 @@
+import configparser
+import datetime
+import logging
+import os
+
+from .util import log_command, log_command_output
+
+logger = logging.getLogger("aws")
+
+HOMEDIR = str(os.getenv("HOME"))
+
+
+def credential_is_valid(profile: str) -> bool:
+    now = datetime.datetime.now(datetime.UTC)
+
+    p = configparser.ConfigParser()
+    p.read(os.path.join(HOMEDIR, ".aws", "credentials"))
+
+    then_s = p.get(profile, "expiration")
+    then = datetime.datetime.strptime(f"{then_s} +0000", "%Y-%m-%d %H:%M:%S %z")
+
+    if now < then:
+        return True
+    return False
+
+
+def aws_mfa(profile: str, force: bool) -> None:
+    logger.info(f"Running mfa process for {profile}")
+
+    no_mfa_file = os.path.join(HOMEDIR, f".no-mfa-{profile}")
+    if os.path.exists(no_mfa_file) and not force:
+        logger.info("Not doing mfa due to temp file existing. (Removing the file.)")
+        os.unlink(no_mfa_file)
+        return
+
+    if credential_is_valid(profile) and not force:
+        logger.info("Not doing mfa due to credentials still valid.")
+        return
+
+    code = log_command_output(
+        logger, ["op", "read", "op://Private/AWS/one-time password?attribute=totp"]
+    )
+    logger.info(f"Using {code} for {profile}")
+    rval = log_command(
+        logger,
+        [f"{os.getenv('HOMEBREW_PREFIX')}/bin/aws", "mfa", profile],
+        input=code.encode("utf-8"),
+    ).returncode
+
+    if rval != 0:
+        # For some reason, recently, aws-mfa has been returning 1 even though
+        # it successfully updates the tokens. So if it does return non-zero,
+        # we need to check the credentials file itself to verify if it's a real
+        # failure or not.
+        logger.info("Warning: MFA seems to have failed by rval, checking expiration")
+        if not credential_is_valid(profile):
+            logger.error(f"Not rotating long-term keys due to MFA failure ({rval})")
+            raise Exception("AWS MFA failure")
+
+    logger.info("Rotating long-term keys")
+    log_command(logger, ["aws", "rotate-iam-keys", f"{profile}-long-term"], check=True)

login_auth_tui/cli.py

@@ -0,0 +1,254 @@
+import copy
+import logging
+import os
+import sqlite3
+import sys
+import time
+
+import click
+
+from .aws_mfa import aws_mfa
+from .dbx_token_rotate import manage_dbx_tokens
+from .kion_auth_password import update_kion_auth_password
+from .kion_cli_password import DEFAULT_CONFIG_FILE, update_kion_cli_password
+from .tui import run_tui
+from .tui_bootstrap import bootstrap_tui_config
+from .util import configure_logging, log_command
+
+TWELVE_HOURS = 12 * 60 * 60
+DEFAULT_LOG = os.path.join(str(os.getenv("HOME")), ".logs", "login-auth.log")
+
+
+class CliArgs:
+    __slots__ = ["force", "log", "level"]
+
+    def __init__(self):
+        self.force = False
+        self.log = DEFAULT_LOG
+        self.level = "INFO"
+
+
+@click.group()
+@click.version_option()
+@click.option(
+    "--force",
+    is_flag=True,
+    default=False,
+    help="Force update regardless of last update time (only aws, batch, and dbx).",
+)
+@click.option(
+    "--log",
+    type=click.Path(dir_okay=False, writable=True, resolve_path=True, allow_dash=True),
+    default=DEFAULT_LOG,
+    help="File to log to ('-' for stdout).",
+)
+@click.option(
+    "--level",
+    type=click.Choice([k for k in logging.getLevelNamesMapping().keys() if k != "NOTSET"]),
+    default="INFO",
+    help="Logging level to use.",
+)
+@click.pass_context
+def cli(ctx: click.Context, force: bool, log: str, level: str):
+    """Run authentication useful when developing on DataConnect."""
+    ctx.ensure_object(CliArgs)
+    ctx.obj.force = force
+    ctx.obj.log = log
+    ctx.obj.level = level
+
+
+def login_auth(force: bool, conn: sqlite3.Connection) -> None:
+    # Now that we hold an exclusive lock on the config, see if we actually need
+    # to do anything.
+    last_update = conn.execute("SELECT * FROM last_update").fetchone()[0]
+    now = time.time()
+    if last_update < (now - TWELVE_HOURS):
+        logging.info("More than twelve hours since last update.")
+    elif force:
+        logging.info("Running due to force")
+    else:
+        logging.info("Not running; auth does not need to be updated")
+        return
+
+    res = conn.execute("SELECT * FROM config")
+    config = dict(zip([r[0] for r in res.description], res.fetchone()))
+
+    if config["wait"]:
+        logging.info(f"Waiting {config['wait']} seconds for boot...")
+        time.sleep(config["wait"])
+
+    if config["ssh_add"]:
+        logging.info("Adding SSH keys...")
+        env = copy.deepcopy(os.environ)
+        args = ["/usr/bin/ssh-add"]
+        if sys.platform == "darwin":
+            env["APPLE_SSH_ADD_BEHAVIOR"] = "yes"
+            args.append("-A")
+        log_command(logging.getLogger(), args, env=env)
+
+    success = True
+    res = conn.execute("SELECT * FROM aws_profiles")
+    aws_profiles = [r[0] for r in res.fetchall()]
+    for aws_profile in aws_profiles:
+        logging.info(f"Authenticating AWS profile {aws_profile}")
+        try:
+            aws_mfa(aws_profile, force)
+        except Exception:
+            logging.exception(f"Exception running AWS MFA {aws_profile}")
+            success = False
+
+    res = conn.execute("SELECT * FROM dbx_profiles")
+    for row in res.fetchall():
+        profile, alias = row
+        logging.info(f"Rotating DBX token {profile} (alias={alias})")
+        try:
+            manage_dbx_tokens(profile, [alias], force)
+        except Exception:
+            logging.exception(f"Exception rotating DBX token {profile}")
+            success = False
+
+    kion_auth_config_file = config["kion_auth_config_file"]
+    if kion_auth_config_file:
+        logging.info("Update kion-auth config file with current password")
+        update_kion_auth_password(kion_auth_config_file)
+
+    kion_cli_config_file = config["kion_cli_config_file"]
+    if kion_cli_config_file:
+        logging.info("Update kion cli config file with current password")
+        update_kion_cli_password(kion_cli_config_file)
+
+    if success:
+        logging.info("Success!")
+        conn.execute(f"UPDATE last_update SET tstamp = {int(now)}")  # nosec
+    else:
+        logging.info("Failed")
+
+
+@cli.command("batch")
+@click.option("--background", is_flag=True, default=False, help="Run in the background.")
+@click.option(
+    "--config",
+    type=click.Path(dir_okay=False, exists=True, resolve_path=True),
+    default=os.path.join(str(os.getenv("HOME")), ".config", "login-auth.sqlite"),
+    help="Path to configuration database.",
+)
+@click.pass_context
+def login_auth_main(ctx: click.Context, background: bool, config: str) -> None:
+    """Run all the login management in one batch."""
+    if background:
+        # TODO - run in the background
+        pid = os.fork()
+        if pid != 0:
+            # This is the parent, we done
+            return
+
+        # This is the child, detach from the parent
+        os.setpgrp()
+
+    configure_logging(ctx.obj.log, ctx.obj.level)
+
+    conn = sqlite3.connect(config)
+    conn.execute("BEGIN EXCLUSIVE TRANSACTION")
+
+    try:
+        login_auth(ctx.obj.force, conn)
+    except Exception:
+        logging.exception("Exception doing login_auth")
+        conn.execute("ROLLBACK")
+        raise
+    else:
+        logging.info("Commit transaction")
+        conn.execute("COMMIT")
+
+
+@cli.command("aws")
+@click.argument("profile")
+@click.pass_context
+def aws_mfa_main(ctx: click.Context, profile: str) -> None:
+    """Run AWS MFA process.
+
+    PROFILE the AWS profile to run the MFA process for.
+    """
+    configure_logging(ctx.obj.log, ctx.obj.level)
+
+    aws_mfa(profile, ctx.obj.force)
+
+
+@cli.command("dbx")
+@click.option("--alias", multiple=True, help="Other profiles that are aliases.")
+@click.argument("profile")
+@click.pass_context
+def dbx_token_rotate_main(ctx: click.Context, alias: tuple[str], profile: str) -> None:
+    """Rotate Databricks API token.
+
+    PROFILE the Databricks configuration profile to rotate the API token for.
+    """
+    configure_logging(ctx.obj.log, ctx.obj.level)
+
+    manage_dbx_tokens(profile, alias, ctx.obj.force)
+
+
+@cli.command("kion-auth")
+@click.option(
+    "--file",
+    type=click.Path(exists=True, dir_okay=False, writable=True, resolve_path=True),
+    default=os.path.join(str(os.getenv("HOME")), ".config", "kion-auth.ini"),
+    help="Path of kion-auth configuration file.",
+)
+@click.pass_context
+def update_kion_auth_password_main(ctx: click.Context, file: str) -> None:
+    """Update the password used by kion-auth from 1Password."""
+    configure_logging(ctx.obj.log, ctx.obj.level)
+
+    update_kion_auth_password(file)
+
+
+@cli.command("kion-cli")
+@click.option(
+    "--file",
+    type=click.Path(exists=True, dir_okay=False, writable=True, resolve_path=True),
+    default=DEFAULT_CONFIG_FILE,
+    help="Path of kion cli configuration file.",
+)
+@click.pass_context
+def update_kion_cli_password_main(ctx: click.Context, file: str) -> None:
+    """Update the password used by the kion cli from 1Password."""
+    configure_logging(ctx.obj.log, ctx.obj.level)
+
+    update_kion_cli_password(file)
+
+
+@cli.command("tui")
+@click.option(
+    "--config",
+    type=click.Path(exists=True, dir_okay=False, writable=True, resolve_path=True),
+    default=os.path.join(str(os.getenv("HOME")), ".config", "login_auth.yml"),
+    help="Path of TUI configuration file.",
+)
+@click.pass_context
+def tui(ctx: click.Context, config: str) -> None:
+    """Run the TUI for authentication processes."""
+    configure_logging(ctx.obj.log, ctx.obj.level)
+    run_tui(config)
+
+
+@cli.command("tui-bootstrap")
+@click.option(
+    "--in-config",
+    type=click.Path(dir_okay=False, exists=True, resolve_path=True),
+    default=os.path.join(str(os.getenv("HOME")), ".config", "login-auth.sqlite"),
+    help="Path to configuration database.",
+)
+@click.option(
+    "--out-config",
+    type=click.Path(dir_okay=False, writable=True, resolve_path=True),
+    default=os.path.join(str(os.getenv("HOME")), ".config", "login_auth.yml"),
+    help="Path of TUI configuration file.",
+)
+@click.pass_context
+def tui_bootstrap(ctx: click.Context, in_config: str, out_config: str) -> None:
+    """Bootstrap the tui configuration from the batch configuration."""
+    configure_logging(ctx.obj.log, ctx.obj.level)
+    if os.path.exists(out_config) and not ctx.obj.force:
+        raise ValueError(f"Not overwriting existing TUI config {out_config}")
+    bootstrap_tui_config(in_config, out_config)

login_auth_tui/dbx_token_rotate.py

@@ -0,0 +1,89 @@
+import configparser
+import datetime
+import json
+import logging
+import os
+import shutil
+import time
+import typing
+
+from .util import log_command_output
+
+logger = logging.getLogger("dbx")
+
+HOMEDIR = os.getenv("HOME")
+TEN_DAYS_MS = 10 * 24 * 60 * 60 * 1000
+NINETY_DAYS_S = int((TEN_DAYS_MS / 1000) * 9)
+
+
+def run_dbx(profile: str, *args) -> str:
+    subprocess_args = ["databricks", "--profile", profile, "-o", "json"] + list(args)
+    logger.info(f"Run {' '.join(subprocess_args)}")
+    return log_command_output(logger, subprocess_args)
+
+
+def create_new_token(profile: str) -> str:
+    logger.info(f"Creating new token for {profile}")
+    today = str(datetime.date.today())
+    new_token_json = run_dbx(
+        profile,
+        "tokens",
+        "create",
+        "--comment",
+        f"dbx cli {today}",
+        "--lifetime-seconds",
+        str(NINETY_DAYS_S),
+    )
+    new_token = json.loads(new_token_json)
+
+    return new_token["token_value"]
+
+
+def delete_old_token(profile: str, token_id: str) -> None:
+    logger.info(f"Deleting old token {token_id} for profile {profile}")
+    run_dbx(profile, "tokens", "delete", token_id)
+
+
+def overwrite_dbx_config(
+    dbxcfg: str,
+    cp: configparser.ConfigParser,
+    profile: str,
+    aliases: typing.Iterable[str],
+    new_token: str,
+) -> None:
+    logger.info(f"Updating config file for profile {profile} (alias={aliases})")
+    cp[profile]["token"] = new_token
+    cp[profile]["nwgh-last-update"] = str(datetime.date.today())
+    if aliases:
+        for alias in aliases:
+            cp[alias]["token"] = new_token
+    with open(f"{dbxcfg}.new", "w") as f:
+        cp.write(f)
+    shutil.copyfile(dbxcfg, f"{dbxcfg}.old")
+    shutil.move(f"{dbxcfg}.new", dbxcfg)
+
+
+def manage_dbx_tokens(profile: str, aliases: typing.Iterable[str], force: bool) -> None:
+    dbxcfg = os.path.join(str(os.getenv("HOME")), ".databrickscfg")
+    if not os.path.exists(dbxcfg):
+        raise Exception(f"Databricks config file {dbxcfg} does not exist")
+
+    cp = configparser.ConfigParser()
+    cp.read(dbxcfg)
+    if profile not in cp:
+        raise Exception(f"Databricks config does not have profile {dbxcfg}")
+
+    json_result = run_dbx(profile, "tokens", "list")
+    tokens = json.loads(json_result)
+    if len(tokens) != 1:
+        raise Exception(
+            f"This script does not work with {len(tokens)} tokens! There can be only one."
+        )
+
+    now_ms = int(time.time()) * 1000
+    if force or (tokens[0]["expiry_time"] - now_ms <= TEN_DAYS_MS):
+        new_token = create_new_token(profile)
+        overwrite_dbx_config(dbxcfg, cp, profile, aliases, new_token)
+        delete_old_token(profile, tokens[0]["token_id"])
+    else:
+        logger.info(f"Token for {profile} is still ok, not rotating")

login_auth_tui/kion_auth_password.py

@@ -0,0 +1,26 @@
+import configparser
+import logging
+import os
+
+from .util import log_command_output
+
+logger = logging.getLogger("kion-auth")
+
+
+def update_kion_auth_password(config_file: str) -> None:
+    if not os.path.exists(config_file):
+        logger.error(f"kion-auth config file {config_file} does not exist")
+        return
+
+    cp = configparser.ConfigParser()
+    cp.read(config_file)
+
+    if not cp.get("kion_auth", "password"):
+        logger.info("Kion password is not defined, not updating")
+        return
+
+    password = log_command_output(logger, ["op", "read", "op://Private/CMS EUA/password"])
+    cp["kion_auth"]["password"] = password
+
+    with open(config_file, "w") as f:
+        cp.write(f)

login_auth_tui/kion_cli_password.py

@@ -0,0 +1,27 @@
+import logging
+import os
+
+from .util import log_command_output
+
+logger = logging.getLogger("kion-cli")
+
+DEFAULT_CONFIG_FILE = os.path.join(str(os.getenv("HOME")), ".config", "kion.yml")
+
+
+def update_kion_cli_password(config_file: str) -> None:
+    if not os.path.exists(config_file):
+        logger.error(f"kion cli config file {config_file} does not exist")
+        return
+
+    password = log_command_output(logger, ["op", "read", "op://Private/CMS EUA/password"])
+
+    new_lines = []
+    with open(config_file) as f:
+        for line in f:
+            line = line.rstrip()
+            if line.startswith("  password:"):
+                line = f"  password: {password}"
+            new_lines.append(line)
+
+    with open(config_file, "w") as f:
+        f.write("\n".join(new_lines))

login_auth_tui/noop.py

@@ -0,0 +1,17 @@
+import datetime
+import logging
+import random
+
+logger = logging.getLogger("noop")
+
+
+def run_noop():
+    now = datetime.datetime.now()
+    nlines = random.randint(2, 5)
+    for i in range(1, nlines):
+        logger.info(f"Message {i} from run at {now}")
+
+    if random.choice([0, 1]):
+        msg = f"Faking error for run at {now}"
+        logger.error(msg)
+        raise Exception(msg)

login_auth_tui/tui.py

@@ -0,0 +1,259 @@
+import enum
+import io
+import logging
+
+import yaml
+from textual import on, work
+from textual.app import App, ComposeResult
+from textual.binding import Binding
+from textual.containers import HorizontalGroup
+from textual.logging import TextualHandler
+from textual.message import Message
+from textual.reactive import reactive
+from textual.screen import ModalScreen
+from textual.widget import Widget
+from textual.widgets import (
+    Footer,
+    Label,
+    ListItem,
+    ListView,
+    Log,
+    Rule,
+)
+
+from .aws_mfa import aws_mfa
+from .dbx_token_rotate import manage_dbx_tokens
+from .kion_cli_password import DEFAULT_CONFIG_FILE, update_kion_cli_password
+from .noop import run_noop
+
+logger = logging.getLogger("tui")
+
+
+class ProcessStatus(enum.Enum):
+    OK = 0
+    FAIL = 1
+    UNKNOWN = 2
+    RUNNING = 3
+
+
+# Each process will write to its own io.StringIO
+class AuthProcess:
+    def __init__(self, process_config: dict):
+        self.name = process_config["name"]
+        self.type = process_config["type"]
+
+        if self.type == "aws":
+            self.profile = process_config["profile"]
+        elif self.type == "dbx":
+            self.profile = process_config["profile"]
+            self.aliases = []
+            alias = process_config.get("alias")
+            if alias:
+                self.aliases.append(alias)
+        elif self.type == "kion-cli":
+            self.config = process_config.get("config", DEFAULT_CONFIG_FILE)
+        elif self.type == "noop":
+            # This is used for testing things
+            pass
+        else:
+            raise ValueError(f"Unexpected auth process type: {self.type}")
+
+        self.log_stream = io.StringIO()
+        self.log_handler = logging.StreamHandler(self.log_stream)
+
+    def run(self):
+        logger.debug(f"Run {self.name} {self.type}")
+        process_logger = logging.getLogger(self.type)
+        process_logger.addHandler(self.log_handler)
+        try:
+            if self.type == "aws":
+                aws_mfa(self.profile, False)
+            elif self.type == "dbx":
+                manage_dbx_tokens(self.profile, self.aliases, False)
+            elif self.type == "kion-cli":
+                update_kion_cli_password(self.config)
+            elif self.type == "noop":
+                run_noop()
+            else:
+                raise ValueError(f"Unexpected auth process type: {self.type}")
+        finally:
+            process_logger.removeHandler(self.log_handler)
+
+
+def load_config(config_file: str) -> list[AuthProcess]:
+    logger.debug(f"Loading config from {config_file}")
+    processes = []
+    with open(config_file) as f:
+        config = yaml.safe_load(f)
+    for auth_process in config:
+        processes.append(AuthProcess(auth_process))
+    return processes
+
+
+class AuthProcessStatus(Widget):
+    value = reactive(ProcessStatus.UNKNOWN)
+
+    def render(self) -> str:
+        if self.value == ProcessStatus.OK:
+            return "\u2714"
+        if self.value == ProcessStatus.FAIL:
+            return "\u2716"
+        if self.value == ProcessStatus.RUNNING:
+            return "-"
+        return "?"
+
+
+class AuthRunMessage(Message):
+    def __init__(self, status: ProcessStatus, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.status = status
+
+
+class AuthRunCompleteMessage(Message):
+    pass
+
+
+class AuthProcessItem(ListItem):
+    def __init__(self, proc: AuthProcess, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.process_config = proc
+        self.status = AuthProcessStatus()
+
+    def compose(self) -> ComposeResult:
+        # TODO - make use of more stuff here
+        yield HorizontalGroup(Label(self.process_config.name), Label(" "), self.status)
+
+    @on(AuthRunMessage)
+    def run_complete(self, msg: AuthRunMessage):
+        self.status.value = msg.status
+        self.post_message(AuthRunCompleteMessage())
+
+    @work(exclusive=True, thread=True)
+    def run_auth(self):
+        logger.debug(f"Run auth: {self}")
+        result = ProcessStatus.UNKNOWN
+        try:
+            self.process_config.run()
+            result = ProcessStatus.OK
+        except Exception:
+            logger.exception("Error updating auth")
+            result = ProcessStatus.FAIL
+        self.post_message(AuthRunMessage(result))
+
+
+class UpdateLogMessage(Message):
+    def __init__(self, name: str, value: str, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.proc_name = name
+        self.log_value = value
+
+
+class AuthProcessList(ListView):
+    BINDINGS = [
+        Binding("j, down", "cursor_down", "Cursor down"),
+        Binding("k, up", "cursor_up", "Cursor up"),
+        Binding("o, enter", "select_cursor", "Select"),
+        Binding("r", "run_auth", "Run highlighted"),
+    ]
+
+    def __init__(self, procs: list[AuthProcess], *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._auth_processes: list[AuthProcess] = procs
+        self._highlighted: AuthProcessItem
+        self.running = False
+        self.running_all = False
+        self.current_item = 0
+        self.set_interval(300, self.run_all)
+
+    def compose(self) -> ComposeResult:
+        for p in self._auth_processes:
+            yield AuthProcessItem(p)
+
+    def action_run_auth(self):
+        self.running = True
+        self._highlighted.status.value = ProcessStatus.RUNNING
+        self._highlighted.run_auth()
+
+    def on_list_view_selected(self, event: ListView.Selected):
+        logger.debug(f"Opening {event.item}")
+        proc: AuthProcessItem = event.item  # type: ignore
+        proc_name = proc.process_config.name
+        log_value = proc.process_config.log_stream.getvalue()
+        self.post_message(UpdateLogMessage(proc_name, log_value))
+
+    def on_list_view_highlighted(self, event: ListView.Highlighted):
+        logger.debug(f"Item is {event.item}")
+        self._highlighted = event.item  # type: ignore
+
+    def run_all(self):
+        self.running_all = True
+        self.running = True
+        self.current_item = 0
+        self.run_next()
+
+    def run_next(self):
+        if self.current_item >= len(self.children):
+            self.running_all = False
+        else:
+            self.running = True
+            item: AuthProcessItem = self.children[self.current_item]  # type: ignore
+            item.run_auth()
+
+    @on(AuthRunCompleteMessage)
+    def handle_auth_run_complete(self):
+        self.running = False
+        if self.running_all:
+            self.current_item += 1
+            self.run_next()
+
+
+class ProcessLogHeader(Widget):
+    process = reactive("none")
+
+    def render(self):
+        return f"Log for process: {self.process}"
+
+
+class LogScreen(ModalScreen):
+    BINDINGS = [Binding("x", "close_log", "Close")]
+
+    def __init__(self, auth_name: str, log_value: str, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.auth_name = auth_name
+        self.log_value = log_value
+
+    def compose(self) -> ComposeResult:
+        yield Label(f"Log for {self.auth_name}")
+        yield Rule()
+
+        log = Log()
+        yield log
+        log.write(self.log_value)
+        yield Footer()
+
+    def action_close_log(self):
+        self.app.pop_screen()
+
+
+class AuthTUI(App):
+    BINDINGS = [Binding("q", "quit", "Quit")]
+    CSS_PATH = "tui.tcss"
+
+    def __init__(self, processes: list[AuthProcess], **kwargs):
+        super().__init__(**kwargs)
+        self._processes = processes
+
+    def compose(self) -> ComposeResult:
+        yield AuthProcessList(self._processes, id="auth_list")
+        yield Footer()
+
+    @on(UpdateLogMessage)
+    def handle_update_log(self, msg: UpdateLogMessage):
+        self.push_screen(LogScreen(msg.proc_name, msg.log_value))
+
+
+def run_tui(config_file: str):
+    logger.addHandler(TextualHandler())
+    processes = load_config(config_file)
+    app = AuthTUI(processes)
+    app.run()

login_auth_tui/tui.tcss

@@ -0,0 +1,11 @@
+ProcessLogHeader {
+    height: 1;
+  }
+
+LogScreen {
+    align: center middle;
+    height: 80%;
+    width: 80%;
+    background: $surface;
+    padding: 0 1;
+  }

login_auth_tui/tui_bootstrap.py

@@ -0,0 +1,34 @@
+import sqlite3
+
+import yaml
+
+
+def bootstrap_tui_config(input_config: str, output_config: str):
+    tui_config = []
+    with sqlite3.connect(input_config) as conn:
+        res = conn.execute("SELECT * FROM aws_profiles").fetchall()
+        for r in res:
+            profile_name = r[0]
+            tui_config.append(
+                {"name": f"AWS ({profile_name})", "type": "aws", "profile": profile_name}
+            )
+
+        res = conn.execute("SELECT * FROM dbx_profiles").fetchall()
+        for r in res:
+            profile_name = r[0]
+            alias = r[1]
+            config_entry = {
+                "name": f"Databricks ({profile_name})",
+                "type": "dbx",
+                "profile": profile_name,
+            }
+            if alias:
+                config_entry["alias"] = alias
+            tui_config.append(config_entry)
+
+        res = conn.execute("SELECT kion_cli_config_file FROM config").fetchall()
+        if res[0][0]:
+            tui_config.append({"name": "Kion", "type": "kion-cli", "config": res[0][0]})
+
+    with open(output_config, "w") as f:
+        yaml.dump(tui_config, f)

login_auth_tui/util.py

@@ -0,0 +1,49 @@
+import logging
+import logging.handlers
+import os
+import subprocess  # nosec
+import sys
+
+HOME = str(os.getenv("HOME"))
+
+
+def configure_logging(log: str, level: str) -> None:
+    if log in ("stdout", "-"):
+        handler = logging.StreamHandler(sys.stdout)
+    else:
+        handler = logging.handlers.RotatingFileHandler(
+            log,
+            backupCount=1,
+            maxBytes=1024 * 1024,
+        )
+    try:
+        log_level = logging.getLevelNamesMapping()[level]
+    except Exception:
+        raise ValueError(f"Unhandled log level {level}")
+    logging.basicConfig(
+        format="%(asctime)s %(levelname)s [%(name)s] %(message)s",
+        level=log_level,
+        handlers=[handler],
+    )
+
+
+def log_command(
+    logger: logging.Logger, command: list[str], **kwargs
+) -> subprocess.CompletedProcess:
+    logger.info(f"Run {' '.join(command)}")
+    result = subprocess.run(command, capture_output=True, **kwargs)  # nosec
+    logger.info("--- BEGIN PROCESS STDOUT ---")
+    for line in result.stdout.decode("utf-8").strip().split("\n"):
+        logger.info(line)
+    logger.info("--- END PROCESS STDOUT ---")
+    logger.info("--- BEGIN PROCESS STDERR ---")
+    for line in result.stderr.decode("utf-8").strip().split("\n"):
+        logger.error(line)
+    logger.info("--- END PROCESS STDERR ---")
+    return result
+
+
+def log_command_output(logger: logging.Logger, command: list[str], **kwargs) -> str:
+    logger.info(f"Run: {' '.join(command)}")
+    output = subprocess.check_output(command, **kwargs)  # nosec
+    return output.decode("utf-8").strip()

login_auth_tui-0.3.dist-info/METADATA

@@ -0,0 +1,64 @@
+Metadata-Version: 2.4
+Name: login-auth-tui
+Version: 0.3
+Summary: TUI for login-auth stuff
+Author: Nicholas Hurley
+License-Expression: CC0-1.0
+Requires-Dist: click
+Requires-Dist: textual>=6.4.0
+Requires-Dist: pyyaml
+Requires-Python: >=3.13, <3.14
+Project-URL: CI, https://builds.sr.ht/~nwgh/login-auth-tui
+Project-URL: Changelog, https://git.sr.ht/~nwgh/login-auth-tui/log
+Project-URL: Homepage, https://sr.ht/~nwgh/login-auth-tui
+Project-URL: Issues, https://todo.sr.ht/~nwgh/login-auth-tui
+Description-Content-Type: text/markdown
+
+# login-auth-tui
+
+[![Changelog](https://img.shields.io/pypi/v/login-auth-tui)](https://git.sr.ht/~nwgh/login-auth-tui/log)
+
+[![builds.sr.ht status](https://builds.sr.ht/~nwgh/login-auth-tui.svg)](https://builds.sr.ht/~nwgh/login-auth-tui?)
+
+[![License](https://img.shields.io/badge/license-CC0%201.0-blue.svg)](https://git.sr.ht/~nwgh/login-auth-tui/tree/main/item/LICENSE)
+
+TUI for login-auth stuff
+
+## Installation
+
+Install this tool using `uv`:
+
+```bash
+uv tool install auth-manage --from login-auth-tui
+```
+
+## Usage
+
+For help, run:
+
+```bash
+auth-manage --help
+```
+
+## Development
+
+To contribute to this tool, first install `uv`. See [the uv documentation](https://docs.astral.sh/uv/getting-started/installation/) for how.
+
+Next, checkout the code
+
+```bash
+git clone https://git.sr.ht/~nwgh/login-auth-tui
+```
+
+Then create a new virtual environment and sync the dependencies:
+
+```bash
+cd login-auth-tui
+uv sync
+```
+
+To run the tests:
+
+```bash
+uv run python -m pytest
+```

login_auth_tui-0.3.dist-info/RECORD

@@ -0,0 +1,16 @@
+login_auth_tui/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+login_auth_tui/__main__.py,sha256=NdADfCPzs5EAB6hEUNtEpxZNgLdWpqA5iuLGiQmNwlE,73
+login_auth_tui/aws_mfa.py,sha256=rXOcl8DmwSBtRszhubUiT6DmNpGHT_t1oS9kXTPRh8s,2041
+login_auth_tui/cli.py,sha256=3WXcB7uf3ZDBfrekZKk8Iwf1sznGBlgOtMpQ9MhmxiA,8250
+login_auth_tui/dbx_token_rotate.py,sha256=vOp4WtyU6eSH9d0ZpjN5I7Y3J7jDwt0Uz2A2wKdSLuU,2748
+login_auth_tui/kion_auth_password.py,sha256=TA90E0VbKJf2_L8i-Sk51MF0GSLlYyydhN92925KJ6M,697
+login_auth_tui/kion_cli_password.py,sha256=vQM3xyOtSRl1K2KmUYGY5AoDCHCyH_mkoIeS8ZiviuY,783
+login_auth_tui/noop.py,sha256=oqgboJVQte12AO55EPCpJEZ-Q-kRtdNX4bKiTaaOo5M,385
+login_auth_tui/tui.py,sha256=AKSLt0Hq5ZVvDbFZt9tGimPSdPM1y43095DF2_EcuB0,7821
+login_auth_tui/tui.tcss,sha256=T4bylO35mSyN4rkzhYiv80mNILXMaThV8PKVfksCvb0,158
+login_auth_tui/tui_bootstrap.py,sha256=-WVRZwktQWkLtIoiTay5HupQxPufNMncKtDkSVNSnh0,1118
+login_auth_tui/util.py,sha256=JWoyP1K5kvjsX2il5RNlR02HhvK0bqnyx1-yVaguAXg,1570
+login_auth_tui-0.3.dist-info/WHEEL,sha256=5w2T7AS2mz1-rW9CNagNYWRCaB0iQqBMYLwKdlgiR4Q,78
+login_auth_tui-0.3.dist-info/entry_points.txt,sha256=gudzjnTw1su5H2XCHjbHX2MfqDjEiozvUAEXqar9Fgk,56
+login_auth_tui-0.3.dist-info/METADATA,sha256=rLVBYB2mlo0c8coKL9vbMOLKzzZ00Ia8HWEwND15nNE,1507
+login_auth_tui-0.3.dist-info/RECORD,,

login_auth_tui-0.3.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: uv 0.9.7
+Root-Is-Purelib: true
+Tag: py3-none-any

login_auth_tui-0.3.dist-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+auth-manage = login_auth_tui.cli:cli
+