login-auth-tui 0.4__tar.gz

login_auth_tui-0.4/PKG-INFO

@@ -0,0 +1,64 @@
+Metadata-Version: 2.4
+Name: login-auth-tui
+Version: 0.4
+Summary: TUI for login-auth stuff
+Author: Nicholas Hurley
+License-Expression: CC0-1.0
+Requires-Dist: click
+Requires-Dist: textual>=6.4.0
+Requires-Dist: pyyaml
+Requires-Python: >=3.13, <3.14
+Project-URL: CI, https://builds.sr.ht/~nwgh/login-auth-tui
+Project-URL: Changelog, https://git.sr.ht/~nwgh/login-auth-tui/log
+Project-URL: Homepage, https://sr.ht/~nwgh/login-auth-tui
+Project-URL: Issues, https://todo.sr.ht/~nwgh/login-auth-tui
+Description-Content-Type: text/markdown
+
+# login-auth-tui
+
+[![Changelog](https://img.shields.io/pypi/v/login-auth-tui)](https://git.sr.ht/~nwgh/login-auth-tui/log)
+
+[![builds.sr.ht status](https://builds.sr.ht/~nwgh/login-auth-tui.svg)](https://builds.sr.ht/~nwgh/login-auth-tui?)
+
+[![License](https://img.shields.io/badge/license-CC0%201.0-blue.svg)](https://git.sr.ht/~nwgh/login-auth-tui/tree/main/item/LICENSE)
+
+TUI for login-auth stuff
+
+## Installation
+
+Install this tool using `uv`:
+
+```bash
+uv tool install auth-manage --from login-auth-tui
+```
+
+## Usage
+
+For help, run:
+
+```bash
+auth-manage --help
+```
+
+## Development
+
+To contribute to this tool, first install `uv`. See [the uv documentation](https://docs.astral.sh/uv/getting-started/installation/) for how.
+
+Next, checkout the code
+
+```bash
+git clone https://git.sr.ht/~nwgh/login-auth-tui
+```
+
+Then create a new virtual environment and sync the dependencies:
+
+```bash
+cd login-auth-tui
+uv sync
+```
+
+To run the tests:
+
+```bash
+uv run python -m pytest
+```

login_auth_tui-0.4/README.md

@@ -0,0 +1,48 @@
+# login-auth-tui
+
+[![Changelog](https://img.shields.io/pypi/v/login-auth-tui)](https://git.sr.ht/~nwgh/login-auth-tui/log)
+
+[![builds.sr.ht status](https://builds.sr.ht/~nwgh/login-auth-tui.svg)](https://builds.sr.ht/~nwgh/login-auth-tui?)
+
+[![License](https://img.shields.io/badge/license-CC0%201.0-blue.svg)](https://git.sr.ht/~nwgh/login-auth-tui/tree/main/item/LICENSE)
+
+TUI for login-auth stuff
+
+## Installation
+
+Install this tool using `uv`:
+
+```bash
+uv tool install auth-manage --from login-auth-tui
+```
+
+## Usage
+
+For help, run:
+
+```bash
+auth-manage --help
+```
+
+## Development
+
+To contribute to this tool, first install `uv`. See [the uv documentation](https://docs.astral.sh/uv/getting-started/installation/) for how.
+
+Next, checkout the code
+
+```bash
+git clone https://git.sr.ht/~nwgh/login-auth-tui
+```
+
+Then create a new virtual environment and sync the dependencies:
+
+```bash
+cd login-auth-tui
+uv sync
+```
+
+To run the tests:
+
+```bash
+uv run python -m pytest
+```

login_auth_tui-0.4/pyproject.toml

@@ -0,0 +1,71 @@
+[project]
+name = "login-auth-tui"
+version = "0.4"
+description = "TUI for login-auth stuff"
+readme = "README.md"
+authors = [{ name = "Nicholas Hurley" }]
+license = "CC0-1.0"
+requires-python = ">=3.13,<3.14"
+classifiers = []
+dependencies = ["click", "textual>=6.4.0", "pyyaml"]
+
+[build-system]
+requires = ["uv_build>=0.9.5,<0.10.0"]
+build-backend = "uv_build"
+
+[project.urls]
+Homepage = "https://sr.ht/~nwgh/login-auth-tui"
+Changelog = "https://git.sr.ht/~nwgh/login-auth-tui/log"
+Issues = "https://todo.sr.ht/~nwgh/login-auth-tui"
+CI = "https://builds.sr.ht/~nwgh/login-auth-tui"
+
+[project.scripts]
+auth-manage = "login_auth_tui.cli:cli"
+
+[dependency-groups]
+dev = [
+  { include-group = "autoflake" },
+  { include-group = "bandit" },
+  { include-group = "black" },
+  { include-group = "flake8" },
+  { include-group = "installer" },
+  { include-group = "isort" },
+  { include-group = "test" },
+  "pre-commit",
+  "textual-dev",
+]
+autoflake = ["autoflake"]
+bandit = ["bandit", "tomli"]
+black = ["black"]
+flake8 = ["flake8", "flake8-bugbear", "Flake8-pyproject", "pep8-naming"]
+isort = ["isort"]
+installer = ["pyinstaller"]
+test = ["pytest"]
+
+[tool.black]
+line-length = 99
+
+[tool.isort]
+line_length = 99
+profile = "black"
+
+[tool.pytest.ini_options]
+console_output_style = "progress"
+minversion = "7.2.2"
+python_files = "test_*.py"
+addopts = "-vvvv --ignore-glob .venv* --ignore-glob venv*"
+
+[tool.flake8]
+max-line-length = 99
+exclude = [".venv*", "venv*", "typings"]
+extend-ignore = ["E203", "E501"]
+extend-select = ["B950"]
+
+[tool.bandit]
+exclude_dirs = [".venv", "venv", "tests"]
+
+[[tool.uv.index]]
+name = "testpypi"
+url = "https://test.pypi.org/simple/"
+publish-url = "https://test.pypi.org/legacy/"
+explicit = true

login_auth_tui-0.4/src/login_auth_tui/__main__.py

@@ -0,0 +1,4 @@
+from login_auth_tui.cli import cli
+
+if __name__ == "__main__":
+    cli()

login_auth_tui-0.4/src/login_auth_tui/aws_kion.py

@@ -0,0 +1,126 @@
+# This program is used to get AWS CLI credentials from kion and
+# save them to your aws configuration. It assumes you are already
+# connected to zscaler, and will likely fail in strange and
+# unusual ways if you aren't. Ideally, you would run this from a
+# cron/otherwise scheduled job to keep things updated.
+import configparser
+import datetime
+import json
+import logging
+import os
+import shutil
+import subprocess  # nosec: B404 this is all trusted inputs
+
+DEFAULT_AWS_CREDENTIALS = os.path.join(os.getenv("HOME"), ".aws", "credentials")  # type: ignore
+DEFAULT_KION_SOURCE_CONFIG = os.path.join(os.getenv("HOME"), ".config", "kion.yml")  # type: ignore
+
+logger = logging.getLogger("aws-kion")
+
+
+def creds_need_update(creds_file_path: str, profile_name: str) -> bool:
+    """Inspect the credentials we currently have to see if they
+    really need updated.
+    """
+    logger.info(f"Checking {creds_file_path} to see if update is necessary")
+    config = configparser.ConfigParser()
+    config.read(creds_file_path)
+
+    if profile_name not in config.sections():
+        logger.debug(f"Profile [{profile_name}] does not exist, forcing update.")
+        return True
+
+    expiration = config[profile_name].get("expiration")
+    if not expiration:
+        logger.debug(f"No expiration date found for [{profile_name}], forcing update.")
+        return True
+
+    expiration_time = datetime.datetime.fromisoformat(expiration)
+    now = datetime.datetime.now(datetime.UTC)
+    logger.debug(f"Expiration={expiration_time.utctimetuple()}")
+    logger.debug(f"Now={now.utctimetuple()}")
+    if expiration_time <= (now + datetime.timedelta(minutes=10)):
+        # Assume we're running no less than every 10 minutes
+        logger.debug(f"Credentials for [{profile_name}] expire in under 10 minutes. Updating.")
+        return True
+
+    logger.debug(
+        f"Credentials for [{profile_name}] are still good for at least 10 minutes. Not updating."
+    )
+    return False
+
+
+def replace_kion_yaml(kion_yaml_path: str) -> None:
+    """Copy our template kion cli config to the blessed
+    kion location.
+    """
+    destination_yaml = os.path.join(
+        os.getenv("HOME"),  # type: ignore
+        ".kion.yml",
+    )  # kion cli is inflexible
+    if kion_yaml_path == destination_yaml:
+        logger.debug("Kion yaml is sourced from the expected location, not copying.")
+        return
+
+    logger.debug(f"Copying {kion_yaml_path} -> {destination_yaml}")
+    shutil.copyfile(kion_yaml_path, destination_yaml)
+
+
+def update_aws_credentials(
+    creds_file_path: str, profile_name: str, aws_creds: dict[str, str]
+) -> None:
+    """Given the new access key, secret key, and session token, save
+    them for the named profile in the file indicated.
+    """
+    logger.info(f"Updating credentials in {creds_file_path}")
+    # Initialize ConfigParser and read the credentials file
+    config = configparser.ConfigParser()
+    config.read(creds_file_path)
+
+    # Ensure the profile exists in the credentials file, create it if missing
+    if profile_name not in config.sections():
+        logger.debug(f"Adding section {profile_name}")
+        config.add_section(profile_name)
+
+    # Update the profile with new credentials
+    config[profile_name]["aws_access_key_id"] = aws_creds["AccessKeyId"]
+    config[profile_name]["aws_secret_access_key"] = aws_creds["SecretAccessKey"]
+    config[profile_name]["aws_session_token"] = aws_creds["SessionToken"]
+    config[profile_name]["expiration"] = aws_creds["Expiration"]
+
+    # Write the updated configuration back to the file
+    with open(creds_file_path, "w") as creds_file:
+        config.write(creds_file)
+
+    logger.info(f"Credentials for profile [{profile_name}] updated successfully.")
+
+
+def get_new_aws_credentials(
+    favourite: str,
+    kion: str = "/opt/homebrew/bin/kion",
+) -> dict[str, str]:
+    """Retrieve new AWS CLI credentials from kion using the CLI."""
+    logger.info("Retrieving AWS credentials from kion")
+    json_output = subprocess.check_output([kion, "favorite", "--credential-process", favourite])
+    logger.debug(f"New credentials: {json_output}")
+    return json.loads(json_output)
+
+
+def aws_kion(
+    profile: str, credentials: str, favourite: str, kion_yaml: str, kion_bin: str
+) -> None:
+    logger.debug(f"Profile: {profile}")
+    logger.debug(f"Credentials File: {credentials}")
+    logger.debug(f"Kion Favorite: {favourite}")
+    logger.debug(f"Kion YAML: {kion_yaml}")
+
+    try:
+        if not creds_need_update(credentials, profile):  # type: ignore
+            logger.info("Credentials have not yet expired. Not updating.")
+            return
+
+        replace_kion_yaml(kion_yaml)  # type: ignore
+        aws_creds = get_new_aws_credentials(favourite, kion=kion_bin)  # type: ignore
+        update_aws_credentials(credentials, profile, aws_creds)  # type: ignore
+    except Exception:
+        logger.exception("Exception occurred during update")
+        raise

login_auth_tui-0.4/src/login_auth_tui/aws_kion_check.py

@@ -0,0 +1,10 @@
+import logging
+import subprocess
+
+logger = logging.getLogger("aws-kion-check")
+
+
+def aws_kion_check(profile: str) -> None:
+    output = subprocess.check_output(["aws", "--profile", profile, "s3", "ls"])
+    logger.debug("Output from aws s3 ls")
+    logger.debug(output)

login_auth_tui-0.4/src/login_auth_tui/aws_mfa.py

@@ -0,0 +1,61 @@
+import configparser
+import datetime
+import logging
+import os
+
+from .util import log_command, log_command_output
+
+logger = logging.getLogger("aws")
+
+HOMEDIR = str(os.getenv("HOME"))
+
+
+def credential_is_valid(profile: str) -> bool:
+    now = datetime.datetime.now(datetime.UTC)
+
+    p = configparser.ConfigParser()
+    p.read(os.path.join(HOMEDIR, ".aws", "credentials"))
+
+    then_s = p.get(profile, "expiration")
+    then = datetime.datetime.strptime(f"{then_s} +0000", "%Y-%m-%d %H:%M:%S %z")
+
+    if now < then:
+        return True
+    return False
+
+
+def aws_mfa(profile: str, force: bool) -> None:
+    logger.info(f"Running mfa process for {profile}")
+
+    no_mfa_file = os.path.join(HOMEDIR, f".no-mfa-{profile}")
+    if os.path.exists(no_mfa_file) and not force:
+        logger.info("Not doing mfa due to temp file existing. (Removing the file.)")
+        os.unlink(no_mfa_file)
+        return
+
+    if credential_is_valid(profile) and not force:
+        logger.info("Not doing mfa due to credentials still valid.")
+        return
+
+    code = log_command_output(
+        logger, ["op", "read", "op://Private/AWS/one-time password?attribute=totp"]
+    )
+    logger.info(f"Using {code} for {profile}")
+    rval = log_command(
+        logger,
+        [f"{os.getenv('HOMEBREW_PREFIX')}/bin/aws", "mfa", profile],
+        input=code.encode("utf-8"),
+    ).returncode
+
+    if rval != 0:
+        # For some reason, recently, aws-mfa has been returning 1 even though
+        # it successfully updates the tokens. So if it does return non-zero,
+        # we need to check the credentials file itself to verify if it's a real
+        # failure or not.
+        logger.info("Warning: MFA seems to have failed by rval, checking expiration")
+        if not credential_is_valid(profile):
+            logger.error(f"Not rotating long-term keys due to MFA failure ({rval})")
+            raise Exception("AWS MFA failure")
+
+    logger.info("Rotating long-term keys")
+    log_command(logger, ["aws", "rotate-iam-keys", f"{profile}-long-term"], check=True)

login_auth_tui-0.4/src/login_auth_tui/cli.py

@@ -0,0 +1,335 @@
+import configparser
+import copy
+import logging
+import os
+import sqlite3
+import sys
+import time
+
+import click
+from click.core import ParameterSource as Source
+
+from .aws_kion import DEFAULT_AWS_CREDENTIALS, DEFAULT_KION_SOURCE_CONFIG, aws_kion
+from .aws_mfa import aws_mfa
+from .dbx_token_rotate import manage_dbx_tokens
+from .kion_auth_password import update_kion_auth_password
+from .kion_cli_password import DEFAULT_CONFIG_FILE, update_kion_cli_password
+from .tui import run_tui
+from .tui_bootstrap import bootstrap_tui_config
+from .util import configure_logging, log_command
+
+TWELVE_HOURS = 12 * 60 * 60
+DEFAULT_LOG = os.path.join(str(os.getenv("HOME")), ".logs", "login-auth.log")
+
+
+class CliArgs:
+    __slots__ = ["force", "log", "level"]
+
+    def __init__(self):
+        self.force = False
+        self.log = DEFAULT_LOG
+        self.level = "INFO"
+
+
+@click.group()
+@click.version_option()
+@click.option(
+    "--force",
+    is_flag=True,
+    default=False,
+    help="Force update regardless of last update time (only aws, batch, and dbx).",
+)
+@click.option(
+    "--log",
+    type=click.Path(dir_okay=False, writable=True, resolve_path=True, allow_dash=True),
+    default=DEFAULT_LOG,
+    help="File to log to ('-' for stdout).",
+)
+@click.option(
+    "--level",
+    type=click.Choice([k for k in logging.getLevelNamesMapping().keys() if k != "NOTSET"]),
+    default="INFO",
+    help="Logging level to use.",
+)
+@click.pass_context
+def cli(ctx: click.Context, force: bool, log: str, level: str):
+    """Run authentication useful when developing on DataConnect."""
+    ctx.ensure_object(CliArgs)
+    ctx.obj.force = force
+    ctx.obj.log = log
+    ctx.obj.level = level
+
+
+def login_auth(force: bool, conn: sqlite3.Connection) -> None:
+    # Now that we hold an exclusive lock on the config, see if we actually need
+    # to do anything.
+    last_update = conn.execute("SELECT * FROM last_update").fetchone()[0]
+    now = time.time()
+    if last_update < (now - TWELVE_HOURS):
+        logging.info("More than twelve hours since last update.")
+    elif force:
+        logging.info("Running due to force")
+    else:
+        logging.info("Not running; auth does not need to be updated")
+        return
+
+    res = conn.execute("SELECT * FROM config")
+    config = dict(zip([r[0] for r in res.description], res.fetchone()))
+
+    if config["wait"]:
+        logging.info(f"Waiting {config['wait']} seconds for boot...")
+        time.sleep(config["wait"])
+
+    if config["ssh_add"]:
+        logging.info("Adding SSH keys...")
+        env = copy.deepcopy(os.environ)
+        args = ["/usr/bin/ssh-add"]
+        if sys.platform == "darwin":
+            env["APPLE_SSH_ADD_BEHAVIOR"] = "yes"
+            args.append("-A")
+        log_command(logging.getLogger(), args, env=env)
+
+    success = True
+    res = conn.execute("SELECT * FROM aws_profiles")
+    aws_profiles = [r[0] for r in res.fetchall()]
+    for aws_profile in aws_profiles:
+        logging.info(f"Authenticating AWS profile {aws_profile}")
+        try:
+            aws_mfa(aws_profile, force)
+        except Exception:
+            logging.exception(f"Exception running AWS MFA {aws_profile}")
+            success = False
+
+    res = conn.execute("SELECT * FROM dbx_profiles")
+    for row in res.fetchall():
+        profile, alias = row
+        logging.info(f"Rotating DBX token {profile} (alias={alias})")
+        try:
+            manage_dbx_tokens(profile, [alias], force)
+        except Exception:
+            logging.exception(f"Exception rotating DBX token {profile}")
+            success = False
+
+    kion_auth_config_file = config["kion_auth_config_file"]
+    if kion_auth_config_file:
+        logging.info("Update kion-auth config file with current password")
+        update_kion_auth_password(kion_auth_config_file)
+
+    kion_cli_config_file = config["kion_cli_config_file"]
+    if kion_cli_config_file:
+        logging.info("Update kion cli config file with current password")
+        update_kion_cli_password(kion_cli_config_file)
+
+    if success:
+        logging.info("Success!")
+        conn.execute(f"UPDATE last_update SET tstamp = {int(now)}")  # nosec
+    else:
+        logging.info("Failed")
+
+
+@cli.command("batch")
+@click.option("--background", is_flag=True, default=False, help="Run in the background.")
+@click.option(
+    "--config",
+    type=click.Path(dir_okay=False, exists=True, resolve_path=True),
+    default=os.path.join(str(os.getenv("HOME")), ".config", "login-auth.sqlite"),
+    help="Path to configuration database.",
+)
+@click.pass_context
+def login_auth_main(ctx: click.Context, background: bool, config: str) -> None:
+    """Run all the login management in one batch."""
+    if background:
+        # TODO - run in the background
+        pid = os.fork()
+        if pid != 0:
+            # This is the parent, we done
+            return
+
+        # This is the child, detach from the parent
+        os.setpgrp()
+
+    configure_logging(ctx.obj.log, ctx.obj.level)
+
+    conn = sqlite3.connect(config)
+    conn.execute("BEGIN EXCLUSIVE TRANSACTION")
+
+    try:
+        login_auth(ctx.obj.force, conn)
+    except Exception:
+        logging.exception("Exception doing login_auth")
+        conn.execute("ROLLBACK")
+        raise
+    else:
+        logging.info("Commit transaction")
+        conn.execute("COMMIT")
+
+
+@cli.command("aws")
+@click.argument("profile")
+@click.pass_context
+def aws_mfa_main(ctx: click.Context, profile: str) -> None:
+    """Run AWS MFA process.
+
+    PROFILE the AWS profile to run the MFA process for.
+    """
+    configure_logging(ctx.obj.log, ctx.obj.level)
+
+    aws_mfa(profile, ctx.obj.force)
+
+
+@cli.command("dbx")
+@click.option("--alias", multiple=True, help="Other profiles that are aliases.")
+@click.argument("profile")
+@click.pass_context
+def dbx_token_rotate_main(ctx: click.Context, alias: tuple[str], profile: str) -> None:
+    """Rotate Databricks API token.
+
+    PROFILE the Databricks configuration profile to rotate the API token for.
+    """
+    configure_logging(ctx.obj.log, ctx.obj.level)
+
+    manage_dbx_tokens(profile, alias, ctx.obj.force)
+
+
+@cli.command("kion-auth")
+@click.option(
+    "--file",
+    type=click.Path(exists=True, dir_okay=False, writable=True, resolve_path=True),
+    default=os.path.join(str(os.getenv("HOME")), ".config", "kion-auth.ini"),
+    help="Path of kion-auth configuration file.",
+)
+@click.pass_context
+def update_kion_auth_password_main(ctx: click.Context, file: str) -> None:
+    """Update the password used by kion-auth from 1Password."""
+    configure_logging(ctx.obj.log, ctx.obj.level)
+
+    update_kion_auth_password(file)
+
+
+@cli.command("kion-cli")
+@click.option(
+    "--file",
+    type=click.Path(exists=True, dir_okay=False, writable=True, resolve_path=True),
+    default=DEFAULT_CONFIG_FILE,
+    help="Path of kion cli configuration file.",
+)
+@click.pass_context
+def update_kion_cli_password_main(ctx: click.Context, file: str) -> None:
+    """Update the password used by the kion cli from 1Password."""
+    configure_logging(ctx.obj.log, ctx.obj.level)
+
+    update_kion_cli_password(file)
+
+
+@cli.command("tui")
+@click.option(
+    "--config",
+    type=click.Path(exists=True, dir_okay=False, writable=True, resolve_path=True),
+    default=os.path.join(str(os.getenv("HOME")), ".config", "login_auth.yml"),
+    help="Path of TUI configuration file.",
+)
+@click.pass_context
+def tui(ctx: click.Context, config: str) -> None:
+    """Run the TUI for authentication processes."""
+    configure_logging(ctx.obj.log, ctx.obj.level)
+    run_tui(config)
+
+
+@cli.command("tui-bootstrap")
+@click.option(
+    "--in-config",
+    type=click.Path(dir_okay=False, exists=True, resolve_path=True),
+    default=os.path.join(str(os.getenv("HOME")), ".config", "login-auth.sqlite"),
+    help="Path to configuration database.",
+)
+@click.option(
+    "--out-config",
+    type=click.Path(dir_okay=False, writable=True, resolve_path=True),
+    default=os.path.join(str(os.getenv("HOME")), ".config", "login_auth.yml"),
+    help="Path of TUI configuration file.",
+)
+@click.pass_context
+def tui_bootstrap(ctx: click.Context, in_config: str, out_config: str) -> None:
+    """Bootstrap the tui configuration from the batch configuration."""
+    configure_logging(ctx.obj.log, ctx.obj.level)
+    if os.path.exists(out_config) and not ctx.obj.force:
+        raise ValueError(f"Not overwriting existing TUI config {out_config}")
+    bootstrap_tui_config(in_config, out_config)
+
+
+@cli.command("aws-kion")
+@click.option(
+    "--credentials",
+    help="Location of AWS Credentials file",
+    default=DEFAULT_AWS_CREDENTIALS,
+    show_default=True,
+)
+@click.option(
+    "--config",
+    help="Path of configuration file",
+    default=os.path.join(os.getenv("HOME"), ".config", "aws-token-updater.ini"),  # type: ignore
+    show_default=True,
+)
+@click.option(
+    "--kion-yaml",
+    help="Path of kion configuration file",
+    default=DEFAULT_KION_SOURCE_CONFIG,
+    show_default=True,
+)
+@click.option(
+    "--kion-bin",
+    help="Path to kion executable",
+    default="/opt/homebrew/bin/kion",
+)
+@click.option("--profile", help="Name of AWS profile to update")
+@click.option("--favourite/--favorite", help="Name of kion favourite to use")
+@click.pass_context
+def aws_kion_main(
+    ctx,
+    credentials: str,
+    config: str,
+    kion_yaml: str,
+    kion_bin: str,
+    profile: str,
+    favourite: str,
+):
+    configure_logging(ctx.obj.log, ctx.obj.level)
+
+    # Read configuration from the file if it exists, otherwise start
+    # with an empty configuration and hope the user used the CLI args
+    # Configuration prefers the CLI arguments if given, otherwise it
+    # takes information from the config file.
+    if os.path.exists(config):
+        c = configparser.ConfigParser()
+        c.read(config)
+        cfg = c["aws_token_updater"]
+    else:
+        cfg = {}
+
+    if not profile:
+        profile = cfg.get("profile")  # type: ignore
+
+    if not favourite:
+        favourite = cfg.get("favourite")  # type: ignore
+
+    # Just like the log destination file, we only want to override
+    # what came in from the CLI args if what came in was the default
+    if ctx.get_parameter_source("credentials") == Source.DEFAULT and cfg.get("credentials"):
+        credentials = cfg.get("credentials")  # type: ignore
+
+    # Just like the log destination file, we only want to override
+    # what came in from the CLI args if what came in was the default
+    if ctx.get_parameter_source("kion_yaml") == Source.DEFAULT and cfg.get("kion_yaml"):
+        kion_yaml = cfg.get("kion_yaml")  # type: ignore
+
+    # Just like the log destination file, we only want to override
+    # what came in from the CLI args if what came in was the default
+    if ctx.get_parameter_source("kion_bin") == Source.DEFAULT and cfg.get("kion_bin"):
+        cfg.get("kion_bin")
+
+    if not all([profile, credentials, favourite]):
+        raise ValueError(
+            "Missing one configuration. Ensure configurtion file exists or all arguments are passed"
+        )
+
+    aws_kion(profile, credentials, favourite, kion_yaml, kion_bin)

login_auth_tui-0.4/src/login_auth_tui/dbx_token_rotate.py

@@ -0,0 +1,89 @@
+import configparser
+import datetime
+import json
+import logging
+import os
+import shutil
+import time
+import typing
+
+from .util import log_command_output
+
+logger = logging.getLogger("dbx")
+
+HOMEDIR = os.getenv("HOME")
+TEN_DAYS_MS = 10 * 24 * 60 * 60 * 1000
+NINETY_DAYS_S = int((TEN_DAYS_MS / 1000) * 9)
+
+
+def run_dbx(profile: str, *args) -> str:
+    subprocess_args = ["databricks", "--profile", profile, "-o", "json"] + list(args)
+    logger.info(f"Run {' '.join(subprocess_args)}")
+    return log_command_output(logger, subprocess_args)
+
+
+def create_new_token(profile: str) -> str:
+    logger.info(f"Creating new token for {profile}")
+    today = str(datetime.date.today())
+    new_token_json = run_dbx(
+        profile,
+        "tokens",
+        "create",
+        "--comment",
+        f"dbx cli {today}",
+        "--lifetime-seconds",
+        str(NINETY_DAYS_S),
+    )
+    new_token = json.loads(new_token_json)
+
+    return new_token["token_value"]
+
+
+def delete_old_token(profile: str, token_id: str) -> None:
+    logger.info(f"Deleting old token {token_id} for profile {profile}")
+    run_dbx(profile, "tokens", "delete", token_id)
+
+
+def overwrite_dbx_config(
+    dbxcfg: str,
+    cp: configparser.ConfigParser,
+    profile: str,
+    aliases: typing.Iterable[str],
+    new_token: str,
+) -> None:
+    logger.info(f"Updating config file for profile {profile} (alias={aliases})")
+    cp[profile]["token"] = new_token
+    cp[profile]["nwgh-last-update"] = str(datetime.date.today())
+    if aliases:
+        for alias in aliases:
+            cp[alias]["token"] = new_token
+    with open(f"{dbxcfg}.new", "w") as f:
+        cp.write(f)
+    shutil.copyfile(dbxcfg, f"{dbxcfg}.old")
+    shutil.move(f"{dbxcfg}.new", dbxcfg)
+
+
+def manage_dbx_tokens(profile: str, aliases: typing.Iterable[str], force: bool) -> None:
+    dbxcfg = os.path.join(str(os.getenv("HOME")), ".databrickscfg")
+    if not os.path.exists(dbxcfg):
+        raise Exception(f"Databricks config file {dbxcfg} does not exist")
+
+    cp = configparser.ConfigParser()
+    cp.read(dbxcfg)
+    if profile not in cp:
+        raise Exception(f"Databricks config does not have profile {dbxcfg}")
+
+    json_result = run_dbx(profile, "tokens", "list")
+    tokens = json.loads(json_result)
+    if len(tokens) != 1:
+        raise Exception(
+            f"This script does not work with {len(tokens)} tokens! There can be only one."
+        )
+
+    now_ms = int(time.time()) * 1000
+    if force or (tokens[0]["expiry_time"] - now_ms <= TEN_DAYS_MS):
+        new_token = create_new_token(profile)
+        overwrite_dbx_config(dbxcfg, cp, profile, aliases, new_token)
+        delete_old_token(profile, tokens[0]["token_id"])
+    else:
+        logger.info(f"Token for {profile} is still ok, not rotating")

login_auth_tui-0.4/src/login_auth_tui/kion_auth_password.py

@@ -0,0 +1,26 @@
+import configparser
+import logging
+import os
+
+from .util import log_command_output
+
+logger = logging.getLogger("kion-auth")
+
+
+def update_kion_auth_password(config_file: str) -> None:
+    if not os.path.exists(config_file):
+        logger.error(f"kion-auth config file {config_file} does not exist")
+        return
+
+    cp = configparser.ConfigParser()
+    cp.read(config_file)
+
+    if not cp.get("kion_auth", "password"):
+        logger.info("Kion password is not defined, not updating")
+        return
+
+    password = log_command_output(logger, ["op", "read", "op://Private/CMS EUA/password"])
+    cp["kion_auth"]["password"] = password
+
+    with open(config_file, "w") as f:
+        cp.write(f)

login_auth_tui-0.4/src/login_auth_tui/kion_cli_password.py

@@ -0,0 +1,27 @@
+import logging
+import os
+
+from .util import log_command_output
+
+logger = logging.getLogger("kion-cli")
+
+DEFAULT_CONFIG_FILE = os.path.join(str(os.getenv("HOME")), ".config", "kion.yml")
+
+
+def update_kion_cli_password(config_file: str) -> None:
+    if not os.path.exists(config_file):
+        logger.error(f"kion cli config file {config_file} does not exist")
+        return
+
+    password = log_command_output(logger, ["op", "read", "op://Private/CMS EUA/password"])
+
+    new_lines = []
+    with open(config_file) as f:
+        for line in f:
+            line = line.rstrip()
+            if line.startswith("  password:"):
+                line = f"  password: {password}"
+            new_lines.append(line)
+
+    with open(config_file, "w") as f:
+        f.write("\n".join(new_lines))

login_auth_tui-0.4/src/login_auth_tui/noop.py

@@ -0,0 +1,17 @@
+import datetime
+import logging
+import random
+
+logger = logging.getLogger("noop")
+
+
+def run_noop():
+    now = datetime.datetime.now()
+    nlines = random.randint(2, 5)
+    for i in range(1, nlines):
+        logger.info(f"Message {i} from run at {now}")
+
+    if random.choice([0, 1]):
+        msg = f"Faking error for run at {now}"
+        logger.error(msg)
+        raise Exception(msg)

login_auth_tui-0.4/src/login_auth_tui/tui.py

@@ -0,0 +1,282 @@
+import enum
+import io
+import logging
+
+import yaml
+from textual import on, work
+from textual.app import App, ComposeResult
+from textual.binding import Binding
+from textual.containers import HorizontalGroup
+from textual.logging import TextualHandler
+from textual.message import Message
+from textual.reactive import reactive
+from textual.screen import ModalScreen
+from textual.widget import Widget
+from textual.widgets import (
+    Footer,
+    Label,
+    ListItem,
+    ListView,
+    Log,
+    Rule,
+)
+
+from .aws_kion import DEFAULT_AWS_CREDENTIALS, DEFAULT_KION_SOURCE_CONFIG, aws_kion
+from .aws_kion_check import aws_kion_check
+from .aws_mfa import aws_mfa
+from .dbx_token_rotate import manage_dbx_tokens
+from .kion_cli_password import DEFAULT_CONFIG_FILE, update_kion_cli_password
+from .noop import run_noop
+
+logger = logging.getLogger("tui")
+
+
+class ProcessStatus(enum.Enum):
+    OK = 0
+    FAIL = 1
+    UNKNOWN = 2
+    RUNNING = 3
+
+
+# Each process will write to its own io.StringIO
+class AuthProcess:
+    def __init__(self, process_config: dict):
+        self.name = process_config["name"]
+        self.type = process_config["type"]
+
+        if self.type == "aws":
+            self.profile = process_config["profile"]
+        elif self.type == "dbx":
+            self.profile = process_config["profile"]
+            self.aliases = []
+            alias = process_config.get("alias")
+            if alias:
+                self.aliases.append(alias)
+        elif self.type == "kion-cli":
+            self.config = process_config.get("config", DEFAULT_CONFIG_FILE)
+        elif self.type == "aws-kion":
+            self.profile = process_config["profile"]
+            self.favourite = process_config.get("favourite", process_config["favorite"])
+            self.credentials_file = process_config.get("credentials_file", DEFAULT_AWS_CREDENTIALS)
+            self.kion_config_src = process_config.get("kion_config", DEFAULT_KION_SOURCE_CONFIG)
+            self.kion_bin = process_config.get("kion_bin", "/opt/homebrew/bin/kion")
+        elif self.type == "aws-kion-check":
+            self.profile = process_config["profile"]
+        elif self.type == "noop":
+            # This is used for testing things
+            pass
+        else:
+            raise ValueError(f"Unexpected auth process type: {self.type}")
+
+        self.log_stream = io.StringIO()
+        self.log_handler = logging.StreamHandler(self.log_stream)
+
+    def run(self):
+        logger.debug(f"Run {self.name} {self.type}")
+        process_logger = logging.getLogger(self.type)
+        process_logger.addHandler(self.log_handler)
+        try:
+            if self.type == "aws":
+                aws_mfa(self.profile, False)
+            elif self.type == "dbx":
+                manage_dbx_tokens(self.profile, self.aliases, False)
+            elif self.type == "kion-cli":
+                update_kion_cli_password(self.config)
+            elif self.type == "aws-kion":
+                aws_kion(
+                    self.profile,
+                    self.credentials_file,
+                    self.favourite,
+                    self.kion_config_src,
+                    self.kion_bin,
+                )
+            elif self.type == "aws-kion-check":
+                aws_kion_check(self.profile)
+            elif self.type == "noop":
+                run_noop()
+            else:
+                raise ValueError(f"Unexpected auth process type: {self.type}")
+        except Exception:
+            process_logger.exception(f"Exception running {self.name}")
+            raise
+        finally:
+            process_logger.removeHandler(self.log_handler)
+
+
+def load_config(config_file: str) -> list[AuthProcess]:
+    logger.debug(f"Loading config from {config_file}")
+    processes = []
+    with open(config_file) as f:
+        config = yaml.safe_load(f)
+    for auth_process in config:
+        processes.append(AuthProcess(auth_process))
+    return processes
+
+
+class AuthProcessStatus(Widget):
+    value = reactive(ProcessStatus.UNKNOWN)
+
+    def render(self) -> str:
+        if self.value == ProcessStatus.OK:
+            return "\u2714"
+        if self.value == ProcessStatus.FAIL:
+            return "\u2716"
+        if self.value == ProcessStatus.RUNNING:
+            return "-"
+        return "?"
+
+
+class AuthRunMessage(Message):
+    def __init__(self, status: ProcessStatus, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.status = status
+
+
+class AuthRunCompleteMessage(Message):
+    pass
+
+
+class AuthProcessItem(ListItem):
+    def __init__(self, proc: AuthProcess, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.process_config = proc
+        self.status = AuthProcessStatus()
+
+    def compose(self) -> ComposeResult:
+        # TODO - make use of more stuff here
+        yield HorizontalGroup(Label(self.process_config.name), Label(" "), self.status)
+
+    @on(AuthRunMessage)
+    def run_complete(self, msg: AuthRunMessage):
+        self.status.value = msg.status
+        self.post_message(AuthRunCompleteMessage())
+
+    @work(exclusive=True, thread=True)
+    def run_auth(self):
+        logger.debug(f"Run auth: {self}")
+        result = ProcessStatus.UNKNOWN
+        try:
+            self.process_config.run()
+            result = ProcessStatus.OK
+        except Exception:
+            logger.exception("Error updating auth")
+            result = ProcessStatus.FAIL
+        self.post_message(AuthRunMessage(result))
+
+
+class UpdateLogMessage(Message):
+    def __init__(self, name: str, value: str, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.proc_name = name
+        self.log_value = value
+
+
+class AuthProcessList(ListView):
+    BINDINGS = [
+        Binding("j, down", "cursor_down", "Cursor down"),
+        Binding("k, up", "cursor_up", "Cursor up"),
+        Binding("o, enter", "select_cursor", "Select"),
+        Binding("r", "run_auth", "Run highlighted"),
+    ]
+
+    def __init__(self, procs: list[AuthProcess], *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._auth_processes: list[AuthProcess] = procs
+        self._highlighted: AuthProcessItem
+        self.running = False
+        self.running_all = False
+        self.current_item = 0
+        self.set_interval(300, self.run_all)
+
+    def compose(self) -> ComposeResult:
+        for p in self._auth_processes:
+            yield AuthProcessItem(p)
+
+    def action_run_auth(self):
+        self.running = True
+        self._highlighted.status.value = ProcessStatus.RUNNING
+        self._highlighted.run_auth()
+
+    def on_list_view_selected(self, event: ListView.Selected):
+        logger.debug(f"Opening {event.item}")
+        proc: AuthProcessItem = event.item  # type: ignore
+        proc_name = proc.process_config.name
+        log_value = proc.process_config.log_stream.getvalue()
+        self.post_message(UpdateLogMessage(proc_name, log_value))
+
+    def on_list_view_highlighted(self, event: ListView.Highlighted):
+        logger.debug(f"Item is {event.item}")
+        self._highlighted = event.item  # type: ignore
+
+    def run_all(self):
+        self.running_all = True
+        self.running = True
+        self.current_item = 0
+        self.run_next()
+
+    def run_next(self):
+        if self.current_item >= len(self.children):
+            self.running_all = False
+        else:
+            self.running = True
+            item: AuthProcessItem = self.children[self.current_item]  # type: ignore
+            item.run_auth()
+
+    @on(AuthRunCompleteMessage)
+    def handle_auth_run_complete(self):
+        self.running = False
+        if self.running_all:
+            self.current_item += 1
+            self.run_next()
+
+
+class ProcessLogHeader(Widget):
+    process = reactive("none")
+
+    def render(self):
+        return f"Log for process: {self.process}"
+
+
+class LogScreen(ModalScreen):
+    BINDINGS = [Binding("x", "close_log", "Close")]
+
+    def __init__(self, auth_name: str, log_value: str, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.auth_name = auth_name
+        self.log_value = log_value
+
+    def compose(self) -> ComposeResult:
+        yield Label(f"Log for {self.auth_name}")
+        yield Rule()
+
+        log = Log()
+        yield log
+        log.write(self.log_value)
+        yield Footer()
+
+    def action_close_log(self):
+        self.app.pop_screen()
+
+
+class AuthTUI(App):
+    BINDINGS = [Binding("q", "quit", "Quit")]
+    CSS_PATH = "tui.tcss"
+
+    def __init__(self, processes: list[AuthProcess], **kwargs):
+        super().__init__(**kwargs)
+        self._processes = processes
+
+    def compose(self) -> ComposeResult:
+        yield AuthProcessList(self._processes, id="auth_list")
+        yield Footer()
+
+    @on(UpdateLogMessage)
+    def handle_update_log(self, msg: UpdateLogMessage):
+        self.push_screen(LogScreen(msg.proc_name, msg.log_value))
+
+
+def run_tui(config_file: str):
+    logger.addHandler(TextualHandler())
+    processes = load_config(config_file)
+    app = AuthTUI(processes)
+    app.run()

login_auth_tui-0.4/src/login_auth_tui/tui.tcss

@@ -0,0 +1,11 @@
+ProcessLogHeader {
+    height: 1;
+  }
+
+LogScreen {
+    align: center middle;
+    height: 80%;
+    width: 80%;
+    background: $surface;
+    padding: 0 1;
+  }

login_auth_tui-0.4/src/login_auth_tui/tui_bootstrap.py

@@ -0,0 +1,34 @@
+import sqlite3
+
+import yaml
+
+
+def bootstrap_tui_config(input_config: str, output_config: str):
+    tui_config = []
+    with sqlite3.connect(input_config) as conn:
+        res = conn.execute("SELECT * FROM aws_profiles").fetchall()
+        for r in res:
+            profile_name = r[0]
+            tui_config.append(
+                {"name": f"AWS ({profile_name})", "type": "aws", "profile": profile_name}
+            )
+
+        res = conn.execute("SELECT * FROM dbx_profiles").fetchall()
+        for r in res:
+            profile_name = r[0]
+            alias = r[1]
+            config_entry = {
+                "name": f"Databricks ({profile_name})",
+                "type": "dbx",
+                "profile": profile_name,
+            }
+            if alias:
+                config_entry["alias"] = alias
+            tui_config.append(config_entry)
+
+        res = conn.execute("SELECT kion_cli_config_file FROM config").fetchall()
+        if res[0][0]:
+            tui_config.append({"name": "Kion", "type": "kion-cli", "config": res[0][0]})
+
+    with open(output_config, "w") as f:
+        yaml.dump(tui_config, f)

login_auth_tui-0.4/src/login_auth_tui/util.py

@@ -0,0 +1,49 @@
+import logging
+import logging.handlers
+import os
+import subprocess  # nosec
+import sys
+
+HOME = str(os.getenv("HOME"))
+
+
+def configure_logging(log: str, level: str) -> None:
+    if log in ("stdout", "-"):
+        handler = logging.StreamHandler(sys.stdout)
+    else:
+        handler = logging.handlers.RotatingFileHandler(
+            log,
+            backupCount=1,
+            maxBytes=1024 * 1024,
+        )
+    try:
+        log_level = logging.getLevelNamesMapping()[level]
+    except Exception:
+        raise ValueError(f"Unhandled log level {level}")
+    logging.basicConfig(
+        format="%(asctime)s %(levelname)s [%(name)s] %(message)s",
+        level=log_level,
+        handlers=[handler],
+    )
+
+
+def log_command(
+    logger: logging.Logger, command: list[str], **kwargs
+) -> subprocess.CompletedProcess:
+    logger.info(f"Run {' '.join(command)}")
+    result = subprocess.run(command, capture_output=True, **kwargs)  # nosec
+    logger.info("--- BEGIN PROCESS STDOUT ---")
+    for line in result.stdout.decode("utf-8").strip().split("\n"):
+        logger.info(line)
+    logger.info("--- END PROCESS STDOUT ---")
+    logger.info("--- BEGIN PROCESS STDERR ---")
+    for line in result.stderr.decode("utf-8").strip().split("\n"):
+        logger.error(line)
+    logger.info("--- END PROCESS STDERR ---")
+    return result
+
+
+def log_command_output(logger: logging.Logger, command: list[str], **kwargs) -> str:
+    logger.info(f"Run: {' '.join(command)}")
+    output = subprocess.check_output(command, **kwargs)  # nosec
+    return output.decode("utf-8").strip()