recce-cloud 1.32.0__py3-none-any.whl → 1.33.1__py3-none-any.whl

recce_cloud/VERSION

@@ -1 +1 @@
-1.32.0
+1.33.1

recce_cloud/api/client.py

@@ -1,13 +1,13 @@
 """
 Recce Cloud API clients for lightweight operations.
 
-Provides clients for session management and report generation.
+Provides clients for session management, organization/project listing, and report generation.
 """
 
 import json
 import logging
 import os
-from typing import Optional
+from typing import Any, Dict, List, Optional
 
 import requests
 
@@ -260,6 +260,249 @@ class RecceCloudClient:
             status_code=response.status_code,
         )
 
+    def list_organizations(self) -> List[Dict[str, Any]]:
+        """
+        List all organizations the user has access to.
+
+        Returns:
+            List of organization dictionaries with id, name, slug fields.
+
+        Raises:
+            RecceCloudException: If the API call fails.
+        """
+        api_url = f"{self.base_url_v2}/organizations"
+        response = self._request("GET", api_url)
+
+        if response.status_code != 200:
+            raise RecceCloudException(
+                reason=response.text,
+                status_code=response.status_code,
+            )
+
+        data = response.json()
+        return data.get("organizations", [])
+
+    def list_projects(self, org_id: str) -> List[Dict[str, Any]]:
+        """
+        List all projects in an organization.
+
+        Args:
+            org_id: Organization ID or slug.
+
+        Returns:
+            List of project dictionaries with id, name, slug fields.
+
+        Raises:
+            RecceCloudException: If the API call fails.
+        """
+        api_url = f"{self.base_url_v2}/organizations/{org_id}/projects"
+        response = self._request("GET", api_url)
+
+        if response.status_code != 200:
+            raise RecceCloudException(
+                reason=response.text,
+                status_code=response.status_code,
+            )
+
+        data = response.json()
+        return data.get("projects", [])
+
+    def get_organization(self, org_id: str) -> Optional[Dict[str, Any]]:
+        """
+        Get a specific organization by ID or slug.
+
+        Args:
+            org_id: Organization ID or slug.
+
+        Returns:
+            Organization dictionary, or None if not found.
+
+        Raises:
+            RecceCloudException: If the API call fails.
+        """
+        orgs = self.list_organizations()
+        for org in orgs:
+            # Compare as strings to handle both int and str IDs
+            if str(org.get("id")) == str(org_id) or org.get("slug") == org_id or org.get("name") == org_id:
+                return org
+        return None
+
+    def get_project(self, org_id: str, project_id: str) -> Optional[Dict[str, Any]]:
+        """
+        Get a specific project by ID or slug.
+
+        Args:
+            org_id: Organization ID or slug.
+            project_id: Project ID or slug.
+
+        Returns:
+            Project dictionary, or None if not found.
+
+        Raises:
+            RecceCloudException: If the API call fails.
+        """
+        projects = self.list_projects(org_id)
+        for project in projects:
+            # Compare as strings to handle both int and str IDs
+            if (
+                str(project.get("id")) == str(project_id)
+                or project.get("slug") == project_id
+                or project.get("name") == project_id
+            ):
+                return project
+        return None
+
+    def list_sessions(
+        self,
+        org_id: str,
+        project_id: str,
+        session_name: Optional[str] = None,
+        session_type: Optional[str] = None,
+        branch: Optional[str] = None,
+        limit: Optional[int] = None,
+        offset: Optional[int] = None,
+    ) -> List[Dict[str, Any]]:
+        """
+        List sessions in a project with optional filtering.
+
+        Args:
+            org_id: Organization ID or slug.
+            project_id: Project ID or slug.
+            session_name: Filter by session name (exact match).
+            session_type: Filter by session type (e.g., "pr", "prod", "manual").
+            branch: Filter by branch name (exact match).
+            limit: Maximum number of results to return (1-1000).
+            offset: Number of results to skip for pagination.
+
+        Returns:
+            List of session dictionaries.
+
+        Raises:
+            RecceCloudException: If the API call fails.
+        """
+        api_url = f"{self.base_url_v2}/organizations/{org_id}/projects/{project_id}/sessions"
+        params = {}
+        if session_name:
+            params["name"] = session_name
+        if session_type:
+            params["type"] = session_type
+        if branch:
+            params["branch"] = branch
+        if limit is not None:
+            params["limit"] = limit
+        if offset is not None:
+            params["offset"] = offset
+
+        response = self._request("GET", api_url, params=params if params else None)
+
+        if response.status_code == 404:
+            raise RecceCloudException(
+                reason="Organization or project not found",
+                status_code=response.status_code,
+            )
+        if response.status_code != 200:
+            raise RecceCloudException(
+                reason=response.text,
+                status_code=response.status_code,
+            )
+
+        data = response.json()
+        return data.get("sessions", [])
+
+    def get_session_by_name(
+        self,
+        org_id: str,
+        project_id: str,
+        session_name: str,
+    ) -> Optional[Dict[str, Any]]:
+        """
+        Get a session by its name.
+
+        Uses the list sessions endpoint with filtering to find a session
+        by name, which is unique within a project.
+
+        Args:
+            org_id: Organization ID or slug.
+            project_id: Project ID or slug.
+            session_name: The session name to look up.
+
+        Returns:
+            Session dictionary if found, None otherwise.
+
+        Raises:
+            RecceCloudException: If the API call fails.
+        """
+        sessions = self.list_sessions(
+            org_id=org_id,
+            project_id=project_id,
+            session_name=session_name,
+            limit=1,
+        )
+        if sessions:
+            return sessions[0]
+        return None
+
+    def create_session(
+        self,
+        org_id: str,
+        project_id: str,
+        session_name: str,
+        adapter_type: Optional[str] = None,
+        session_type: str = "manual",
+    ) -> Dict[str, Any]:
+        """
+        Create a new session with the given name.
+
+        Args:
+            org_id: Organization ID or slug.
+            project_id: Project ID or slug.
+            session_name: The name for the new session.
+            adapter_type: dbt adapter type (e.g., "postgres", "snowflake").
+            session_type: Session type (default: "manual").
+
+        Returns:
+            Created session dictionary with id, name, and other fields.
+
+        Raises:
+            RecceCloudException: If the API call fails or session creation fails.
+        """
+        api_url = f"{self.base_url_v2}/organizations/{org_id}/projects/{project_id}/sessions"
+        data = {
+            "name": session_name,
+            "type": session_type,
+        }
+        if adapter_type:
+            data["adapter_type"] = adapter_type
+
+        response = self._request("POST", api_url, json=data)
+
+        if response.status_code == 404:
+            raise RecceCloudException(
+                reason="Organization or project not found",
+                status_code=response.status_code,
+            )
+        if response.status_code == 409:
+            raise RecceCloudException(
+                reason=f"Session with name '{session_name}' already exists",
+                status_code=response.status_code,
+            )
+        if response.status_code == 403:
+            raise RecceCloudException(
+                reason=response.json().get("detail", "Permission denied"),
+                status_code=response.status_code,
+            )
+        if response.status_code not in [200, 201]:
+            raise RecceCloudException(
+                reason=response.text,
+                status_code=response.status_code,
+            )
+
+        result = response.json()
+        # Handle both direct session response and wrapped response
+        if "session" in result:
+            return result["session"]
+        return result
+
 
 class ReportClient:
     """Client for fetching reports from Recce Cloud API."""

recce_cloud/auth/__init__.py

@@ -0,0 +1,21 @@
+"""
+Authentication module for Recce Cloud CLI.
+
+This module provides browser-based OAuth authentication and credential management.
+It is designed to be standalone (duplicated from Recce OSS) to support future
+repository separation.
+"""
+
+from recce_cloud.auth.profile import (
+    get_api_token,
+    get_user_id,
+    load_profile,
+    update_api_token,
+)
+
+__all__ = [
+    "get_api_token",
+    "get_user_id",
+    "load_profile",
+    "update_api_token",
+]

recce_cloud/auth/callback_server.py

@@ -0,0 +1,128 @@
+"""
+One-time HTTP callback server for OAuth authentication.
+
+This server receives the encrypted token from Recce Cloud after
+browser-based authentication.
+"""
+
+import threading
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from pathlib import Path
+from typing import Optional
+from urllib.parse import parse_qs, urlparse
+
+
+class CallbackResult:
+    """Container for callback result."""
+
+    def __init__(self):
+        self.code: Optional[str] = None
+        self.error: Optional[str] = None
+
+
+def make_callback_handler(result: CallbackResult, on_success_html: str, on_error_html: str):
+    """
+    Create a one-time HTTP request handler.
+
+    Args:
+        result: CallbackResult object to store the received code.
+        on_success_html: HTML content to return on success.
+        on_error_html: HTML content to return on error.
+
+    Returns:
+        HTTP request handler class.
+    """
+
+    class OneTimeHTTPRequestHandler(BaseHTTPRequestHandler):
+        def do_GET(self):
+            try:
+                parsed_url = urlparse(self.path)
+                query_params = parse_qs(parsed_url.query)
+
+                code = query_params.get("code", [None])[0]
+                if not code:
+                    result.error = "Missing 'code' parameter in callback"
+                    self._send_response(400, on_error_html)
+                    return
+
+                result.code = code
+                self._send_response(200, on_success_html)
+
+            except Exception as e:
+                result.error = str(e)
+                self._send_response(500, on_error_html)
+            finally:
+                # Shutdown server after handling the request
+                self.server.server_close()
+                threading.Thread(target=self.server.shutdown, daemon=True).start()
+
+        def _send_response(self, status_code: int, html_content: str):
+            self.send_response(status_code)
+            self.send_header("Content-Type", "text/html")
+            self.send_header("Content-Length", str(len(html_content.encode())))
+            self.end_headers()
+            self.wfile.write(html_content.encode())
+
+        def log_message(self, format, *args):
+            # Suppress default logging
+            pass
+
+    return OneTimeHTTPRequestHandler
+
+
+def run_callback_server(
+    port: int,
+    result: CallbackResult,
+    on_success_html: str,
+    on_error_html: str,
+    timeout: int = 300,
+) -> bool:
+    """
+    Run a one-time HTTP server to receive the OAuth callback.
+
+    Args:
+        port: Port to listen on.
+        result: CallbackResult object to store the received code.
+        on_success_html: HTML content to return on success.
+        on_error_html: HTML content to return on error.
+        timeout: Server timeout in seconds (default 5 minutes).
+
+    Returns:
+        True if callback was received, False if timeout or error.
+    """
+    handler = make_callback_handler(result, on_success_html, on_error_html)
+    server = HTTPServer(("localhost", port), handler)
+    server.timeout = timeout
+
+    try:
+        # Handle a single request
+        server.handle_request()
+        return result.code is not None
+    except Exception:
+        return False
+    finally:
+        server.server_close()
+
+
+def _load_template(filename: str) -> str:
+    """
+    Load HTML template from the templates directory.
+
+    Args:
+        filename: Name of the template file (e.g., 'success.html').
+
+    Returns:
+        HTML content as string.
+
+    Raises:
+        FileNotFoundError: If template file is not found.
+    """
+    templates_dir = Path(__file__).parent / "templates"
+    template_path = templates_dir / filename
+    with open(template_path, "r", encoding="utf-8") as f:
+        return f.read()
+
+
+# Load HTML templates from separate files
+SUCCESS_HTML = _load_template("success.html")
+ERROR_HTML = _load_template("error.html")

recce_cloud/auth/login.py

@@ -0,0 +1,281 @@
+"""
+Browser-based OAuth login flow for Recce Cloud.
+
+This module implements the RSA-encrypted OAuth flow:
+1. Generate RSA-2048 key pair
+2. Open browser to Recce Cloud with public key
+3. Start local callback server
+4. Receive encrypted token via callback
+5. Decrypt and verify token
+6. Save to profile
+"""
+
+import base64
+import os
+import random
+import webbrowser
+from typing import Optional, Tuple
+
+import requests
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import padding, rsa
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey
+from rich.console import Console
+
+from recce_cloud.auth.callback_server import (
+    ERROR_HTML,
+    SUCCESS_HTML,
+    CallbackResult,
+    run_callback_server,
+)
+from recce_cloud.auth.profile import (
+    clear_api_token,
+    get_api_token,
+    get_profile_path,
+    update_api_token,
+)
+
+# Cloud API configuration
+RECCE_CLOUD_API_HOST = os.environ.get("RECCE_CLOUD_API_HOST", "https://cloud.datarecce.io")
+RECCE_CLOUD_BASE_URL = os.environ.get("RECCE_CLOUD_BASE_URL", RECCE_CLOUD_API_HOST)
+
+console = Console()
+
+
+def generate_key_pair() -> Tuple[RSAPrivateKey, RSAPublicKey]:
+    """
+    Generate RSA-2048 key pair for secure token exchange.
+
+    Returns:
+        Tuple of (private_key, public_key).
+    """
+    private_key = rsa.generate_private_key(
+        public_exponent=65537,
+        key_size=2048,
+        backend=default_backend(),
+    )
+    public_key = private_key.public_key()
+    return private_key, public_key
+
+
+def decrypt_code(private_key: RSAPrivateKey, encrypted_code: str) -> str:
+    """
+    Decrypt the RSA-encrypted token from Recce Cloud.
+
+    Uses RSA-OAEP-SHA1 padding to match Node.js defaults.
+
+    Args:
+        private_key: RSA private key.
+        encrypted_code: Base64-encoded encrypted token.
+
+    Returns:
+        Decrypted API token string.
+    """
+    ciphertext = base64.b64decode(encrypted_code)
+    plaintext = private_key.decrypt(
+        ciphertext,
+        padding.OAEP(
+            mgf=padding.MGF1(algorithm=hashes.SHA1()),  # Node.js uses SHA1 by default
+            algorithm=hashes.SHA1(),
+            label=None,
+        ),
+    )
+    return plaintext.decode("utf-8")
+
+
+def prepare_connection_url(public_key: RSAPublicKey) -> Tuple[str, int]:
+    """
+    Prepare the OAuth connection URL with public key.
+
+    Args:
+        public_key: RSA public key to include in URL.
+
+    Returns:
+        Tuple of (connection_url, callback_port).
+    """
+    public_key_pem_bytes = public_key.public_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PublicFormat.SubjectPublicKeyInfo,
+    )
+    public_key_pem_str = base64.b64encode(public_key_pem_bytes).decode("utf-8")
+    callback_port = random.randint(10000, 15000)
+    connect_url = f"{RECCE_CLOUD_BASE_URL}/connect?_key={public_key_pem_str}&_port={callback_port}"
+    return connect_url, callback_port
+
+
+def verify_token(token: str) -> bool:
+    """
+    Verify the API token with Recce Cloud.
+
+    Args:
+        token: API token to verify.
+
+    Returns:
+        True if token is valid, False otherwise.
+    """
+    api_url = f"{RECCE_CLOUD_API_HOST}/api/v1/verify-token"
+    try:
+        response = requests.get(
+            api_url,
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=30,
+        )
+        return response.status_code == 200
+    except Exception:
+        return False
+
+
+def get_user_info(token: str) -> Optional[dict]:
+    """
+    Get user information from Recce Cloud.
+
+    Args:
+        token: API token for authentication.
+
+    Returns:
+        User info dict with email, name, etc., or None if failed.
+    """
+    api_url = f"{RECCE_CLOUD_API_HOST}/api/v1/users"
+    try:
+        response = requests.get(
+            api_url,
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=30,
+        )
+        if response.status_code == 200:
+            return response.json().get("user")
+    except Exception:
+        pass
+    return None
+
+
+def login_with_browser() -> bool:
+    """
+    Perform browser-based OAuth login.
+
+    Opens browser to Recce Cloud, waits for callback with encrypted token,
+    decrypts and verifies token, then saves to profile.
+
+    Returns:
+        True if login successful, False otherwise.
+    """
+    console.print("Opening browser to authenticate...")
+    console.print()
+
+    # Generate key pair
+    private_key, public_key = generate_key_pair()
+    connect_url, callback_port = prepare_connection_url(public_key)
+
+    # Open browser
+    webbrowser.open(connect_url)
+
+    # Always show the URL for manual access
+    console.print("If the browser does not open, please visit:")
+    console.print(f"  [cyan]{connect_url}[/cyan]")
+    console.print()
+
+    # Wait for callback
+    console.print("Waiting for authentication...")
+    result = CallbackResult()
+
+    if not run_callback_server(callback_port, result, SUCCESS_HTML, ERROR_HTML):
+        if result.error:
+            console.print(f"[red]Error:[/red] {result.error}")
+        else:
+            console.print("[red]Error:[/red] Authentication timed out")
+        return False
+
+    if not result.code:
+        console.print("[red]Error:[/red] No authentication code received")
+        return False
+
+    # Decrypt token
+    try:
+        api_token = decrypt_code(private_key, result.code)
+    except Exception as e:
+        console.print(f"[red]Error:[/red] Failed to decrypt authentication code: {e}")
+        return False
+
+    # Verify token
+    if not verify_token(api_token):
+        console.print("[red]Error:[/red] Invalid token received from Recce Cloud")
+        return False
+
+    # Save token
+    update_api_token(api_token)
+
+    # Get user info for display
+    user_info = get_user_info(api_token)
+    if user_info:
+        email = user_info.get("email", "Unknown")
+        console.print(f"[green]✓[/green] Logged in as [cyan]{email}[/cyan]")
+    else:
+        console.print("[green]✓[/green] Logged in successfully")
+
+    console.print(f"  Credentials saved to {get_profile_path()}")
+    return True
+
+
+def login_with_token(token: str) -> bool:
+    """
+    Login with a manually provided token.
+
+    Args:
+        token: API token to use.
+
+    Returns:
+        True if login successful, False otherwise.
+    """
+    # Verify token
+    if not verify_token(token):
+        console.print("[red]Error:[/red] Invalid API token")
+        return False
+
+    # Save token
+    update_api_token(token)
+
+    # Get user info for display
+    user_info = get_user_info(token)
+    if user_info:
+        email = user_info.get("email", "Unknown")
+        console.print(f"[green]✓[/green] Logged in as [cyan]{email}[/cyan]")
+    else:
+        console.print("[green]✓[/green] Logged in successfully")
+
+    console.print(f"  Credentials saved to {get_profile_path()}")
+    return True
+
+
+def check_login_status() -> Tuple[bool, Optional[str]]:
+    """
+    Check current login status.
+
+    Checks for authentication token in this order:
+    1. RECCE_API_TOKEN environment variable
+    2. Stored token from profile (via get_api_token)
+
+    Returns:
+        Tuple of (is_logged_in, user_email_or_none).
+    """
+    token = os.getenv("RECCE_API_TOKEN") or get_api_token()
+    if not token:
+        return False, None
+
+    if not verify_token(token):
+        return False, None
+
+    user_info = get_user_info(token)
+    email = user_info.get("email") if user_info else None
+    return True, email
+
+
+def logout() -> bool:
+    """
+    Clear stored credentials.
+
+    Returns:
+        True if logout successful.
+    """
+    clear_api_token()
+    return True