PyPI - proxcli - Versions diffs - 0.13.0__tar.gz → 0.13.2__tar.gz - Mend

proxcli 0.13.0tar.gz → 0.13.2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

{proxcli-0.13.0 → proxcli-0.13.2}/.github/workflows/ci.yml RENAMED Viewed

@@ -5,6 +5,8 @@ on:
     branches: [main]
   pull_request:
     branches: [main]
+  release:
+    types: [published]
 jobs:
   lint:
@@ -55,7 +57,7 @@ jobs:
   publish:
     runs-on: ubuntu-24.04
-    if: github.ref == 'refs/heads/main'
+    if: github.event_name == 'release'
     needs: [build]
     environment: pypi
     steps:
@@ -70,4 +72,4 @@ jobs:
           name: dist
           path: dist/
-      - run: uv publish --token "${{ secrets.PYPI_TOKEN }}" --check-url https://pypi.org/simple
+      - run: uv publish --token "${{ secrets.PYPI_TOKEN }}"

{proxcli-0.13.0 → proxcli-0.13.2}/CHANGELOG.md RENAMED Viewed

@@ -7,6 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [0.13.1] - 2026-06-21
+### Fixed
+- **``proxmox auth setup``**: now uses the correct ``tokens`` (plural) form
+  parameter for token ACLs instead of ``tokenid``, which Proxmox's REST API
+  doesn't accept.  Token-scoped ACLs are now created fully automatically.
+- **Role permissions**: ``Pool.Allocate`` and ``Pool.Audit`` moved to
+  ``proxcli-sys`` (pool operations check against ``/``, not ``/vms``).
+  ``VM.GuestAgent.Audit`` added to ``proxcli-vm`` (guest agent checks
+  against ``/vms/{id}``, not ``/nodes/{node}``).
+### Added
+- **``proxmox auth check``**: now prints each check inline with colored
+  PASS (green) / FAIL (red) as it runs instead of only at the end.
+  Also scans the token for leftover Administrator/PVEAdmin roles and
+  warns to remove them after the proxcli roles are confirmed working.
 ## [0.13.0] - 2026-06-21
 ### Added

{proxcli-0.13.0 → proxcli-0.13.2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: proxcli
-Version: 0.13.0
+Version: 0.13.2
 Summary: A CLI tool to interact with Proxmox VE nodes and clusters via the REST API
 Author-email: Xabi Ezpeleta <xezpeleta@gmail.com>
 License: MIT

{proxcli-0.13.0 → proxcli-0.13.2}/docs/api-permissions.md RENAMED Viewed

@@ -99,18 +99,23 @@ Role name: proxcli-node
 ```
 ```bash
-# Assign each role to its path:
-pvesh set /access/acl --path /        --roles proxcli-sys    --users xezpeleta@pve
-pvesh set /access/acl --path /storage --roles proxcli-storage --users xezpeleta@pve
-pvesh set /access/acl --path /vms     --roles proxcli-vm     --users xezpeleta@pve
-pvesh set /access/acl --path /nodes   --roles proxcli-node   --users xezpeleta@pve
-```
+# Assign each role to the token — use 'proxmox auth setup' (does this automatically):
+proxmox auth setup
-That's it.  Four roles, four ACLs, zero privilege creep — each path
-only gets what proxcli actually uses there.
+# Or manually via pvesh:
+pvesh set /access/acl --path /        --roles proxcli-sys    --tokenid proxcli --users xezpeleta@pve
+pvesh set /access/acl --path /storage --roles proxcli-storage --tokenid proxcli --users xezpeleta@pve
+pvesh set /access/acl --path /vms     --roles proxcli-vm     --tokenid proxcli --users xezpeleta@pve
+pvesh set /access/acl --path /nodes   --roles proxcli-node   --tokenid proxcli --users xezpeleta@pve
+```
-> **One-liner**: `proxmox auth setup` does all of this automatically
-> if your current token has Administrator privileges.
+> **One-liner**: `proxmox auth setup` creates both roles and token ACLs
+> automatically if your token has Administrator privileges.
+>
+> **Safe by design**: ACLs target the **token** (`--tokenid proxcli`),
+> not the user.  Your user account keeps whatever roles it already has
+> (PVEAdmin, Administrator, etc.).  The token gets exactly the proxcli
+> privileges without touching anything else.
 | Path | Role | Why |
 |------|------|-----|

{proxcli-0.13.0 → proxcli-0.13.2}/proxmox/cli/auth.py RENAMED Viewed

@@ -11,15 +11,16 @@ from proxmox.config.config import ConfigLoader
 # Recommended roles for proxcli (see docs/api-permissions.md)
 PROXCLI_ROLES: dict[str, str] = {
-    "proxcli-sys": "Sys.Audit,Sys.Modify",
+    "proxcli-sys": "Sys.Audit,Sys.Modify,Pool.Allocate,Pool.Audit",
     "proxcli-storage": "Datastore.Allocate,Datastore.AllocateSpace,"
                        "Datastore.AllocateTemplate,Datastore.Audit",
     "proxcli-vm": "VM.Allocate,VM.Audit,VM.Backup,VM.Clone,"
                   "VM.Config.CDROM,VM.Config.Cloudinit,VM.Config.CPU,"
                   "VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,"
                   "VM.Config.Network,VM.Config.Options,VM.Console,"
+                  "VM.GuestAgent.Audit,VM.GuestAgent.FileRead,"
                   "VM.Migrate,VM.PowerMgmt,VM.Snapshot,"
-                  "VM.Snapshot.Rollback,Pool.Allocate,Pool.Audit",
+                  "VM.Snapshot.Rollback",
     "proxcli-node": "VM.GuestAgent.Audit,VM.GuestAgent.FileRead",
 }
@@ -191,46 +192,46 @@ def _auth_setup(args: argparse.Namespace, client: ProxmoxClient) -> dict:
         client.request("POST", "/access/roles", content=content)
         created_roles.append(role_name)
-    # 2. Create ACLs
-    # We need the username from config to assign ACLs
+    # 2. Create ACLs for the token using 'tokens' parameter (plural —
+    #    the API docs say 'tokenid' but the actual HTTP param is 'tokens')
     loader = ConfigLoader()
     creds = loader.load()
-    ug = creds.username
+    token_ug = f"{creds.username}!{creds.api_token_id}" if creds.api_token_id else creds.username
     for path, role in PROXCLI_ACLS:
         existing_acls = client.get("/access/acl")
-        # Check if this exact ACL already exists
         already = any(
             a.get("path") == path
             and a.get("roleid") == role
-            and a.get("ugid") == ug
+            and a.get("ugid") == token_ug
+            and a.get("type") == "token"
             for a in existing_acls
         )
         if already:
-            skipped_acls.append(f"{path} → {role} ({ug})")
+            skipped_acls.append(f"{path} → {role} ({token_ug})")
             continue
-        content = _safe_encode({"path": path, "roles": role, "users": ug})
+        content = _safe_encode({"path": path, "roles": role, "tokens": token_ug})
         client.request("PUT", "/access/acl", content=content)
-        created_acls.append(f"{path} → {role} ({ug})")
-    return {
-        "created_roles": created_roles,
-        "skipped_roles": skipped_roles,
-        "created_acls": created_acls,
-        "skipped_acls": skipped_acls,
-    }
+        created_acls.append(f"{path} → {role} ({token_ug})")
-def _auth_check(args: argparse.Namespace, client: ProxmoxClient) -> list[dict]:
+def _auth_check(args: argparse.Namespace, client: ProxmoxClient) -> None:
     """Test each proxcli endpoint and report permission status."""
-    results: list[dict] = []
+    # Rich for colored output
+    from rich.console import Console
+    from rich.text import Text
+    console = Console(highlight=False, force_terminal=True, width=120)
     # Resolve a real node name for paths that need it
     nodes = client.get("/nodes")
     node = nodes[0]["node"] if nodes else "pve"
-    for label, method, path, needed_priv in PERMISSION_CHECKS:
-        # Replace placeholders
+    total = len(PERMISSION_CHECKS)
+    passed = 0
+    failed = 0
+    for idx, (label, method, path, needed_priv) in enumerate(PERMISSION_CHECKS, 1):
         real_path = path.replace("{node}", node).replace("{vmid}", "99999") \
                          .replace("{storage}", "local").replace("{snapname}", "test")
@@ -238,22 +239,58 @@ def _auth_check(args: argparse.Namespace, client: ProxmoxClient) -> list[dict]:
             if method in ("GET", "DELETE"):
                 client.request(method, real_path)
             else:
-                # POST/PUT: send dummy body to check permission (not actual creation)
                 client.request(method, real_path, data={"dry": "1"})
             status = "PASS"
+            passed += 1
         except ProxmoxAPIError as exc:
             if exc.status_code == 403:
                 status = "FAIL"
+                failed += 1
             else:
-                # 404 (node not found), 500, etc. means we had permission
-                # to reach the endpoint but something else went wrong
                 status = "PASS"
+                passed += 1
+        # Print inline with colors
+        color = "green" if status == "PASS" else "red"
+        status_text = Text(status, style=f"bold {color}")
+        console.print(
+            f"[{idx}/{total}]",
+            status_text,
+            f"{needed_priv:<28s}",
+            label,
+        )
-        results.append({
-            "feature": label,
-            "method": method,
-            "privilege": needed_priv,
-            "status": status,
-        })
+    # Summary
+    console.print()
+    console.print(f"Passed: [bold green]{passed}[/], Failed: [bold red]{failed}[/], Total: {total}")
+    if failed == 0:
+        console.print("[bold green]✓ All permissions configured correctly!")
+    else:
+        console.print("[bold yellow]⚠ Some permissions are missing. Run 'proxmox auth setup' or check docs/api-permissions.md")
-    return results
+    # ── Check for stray/leftover roles on the token ──
+    loader = ConfigLoader()
+    creds = loader.load()
+    token_ug = f"{creds.username}!{creds.api_token_id}" if creds.api_token_id else creds.username
+    acls = client.get("/access/acl")
+    token_acls = [a for a in acls if a.get("ugid") == token_ug and a.get("type") == "token"]
+    expected_roles = set("proxcli-" + suffix for suffix in ["sys", "storage", "vm", "node"])
+    stray = [a for a in token_acls if a.get("roleid") not in expected_roles]
+    if stray:
+        console.print()
+        console.print(
+            f"[bold yellow]⚠ The token [bold]{token_ug}[/] has extra roles[/] "
+            f"[dim](not needed after initial setup)[/]:"
+        )
+        for a in stray:
+            console.print(f"     Path: [bold]{a['path']:<10s}[/]  Role: [bold red]{a['roleid']}[/]")
+        console.print()
+        console.print("   Remove them in Datacenter → Permissions → API Token Permissions.")
+        console.print("   Keep only: [bold green]proxcli-sys, proxcli-storage, proxcli-vm, proxcli-node[/]")
+        console.print()
+        # Add note to summary
+        console.print(
+            f"[bold yellow]⚠ {len(stray)} stray role(s) — remove after verifying proxcli roles work.[/]"
+        )

{proxcli-0.13.0 → proxcli-0.13.2}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "proxcli"
-version = "0.13.0"
+version = "0.13.2"
 description = "A CLI tool to interact with Proxmox VE nodes and clusters via the REST API"
 readme = "README.md"
 authors = [

{proxcli-0.13.0 → proxcli-0.13.2}/uv.lock RENAMED Viewed

@@ -1,5 +1,5 @@
 version = 1
-revision = 2
+revision = 3
 requires-python = ">=3.10"
 [[package]]
@@ -254,7 +254,7 @@ wheels = [
 [[package]]
 name = "proxcli"
-version = "0.13.0"
+version = "0.13.2"
 source = { editable = "." }
 dependencies = [
     { name = "httpx" },