remotivelabs-cli 0.0.42__py3-none-any.whl → 0.1.0a2__py3-none-any.whl

cli/cloud/auth/login.py

@@ -1,18 +1,46 @@
-import datetime
+from __future__ import annotations
+
+import base64
+import hashlib
+import json
+import os
+import secrets
+import sys
 import time
 import webbrowser
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from threading import Thread
-from typing import Any
+from typing import Any, Optional, Tuple
+from urllib.parse import parse_qs, urlparse
 
+import typer
+from rich.console import Console
 from typing_extensions import override
 
-from cli.cloud.rest_helper import RestHelper as Rest
-from cli.settings import settings
-from cli.settings import token_file as tf
+from cli.cloud.auth_tokens import do_activate, prompt_to_set_org
+from cli.errors import ErrorPrinter
+from cli.settings import TokenFile, TokenNotFoundError, settings
+from cli.utils.rest_helper import RestHelper as Rest
 
 httpd: HTTPServer
 
+console = Console()
+
+
+def generate_pkce_pair() -> Tuple[str, str]:
+    """
+    PKCE is used for all cli login flows, both headless and browser.
+    """
+    code_verifier_ = secrets.token_urlsafe(64)  # High-entropy string
+    code_challenge_ = base64.urlsafe_b64encode(hashlib.sha256(code_verifier_.encode("ascii")).digest()).rstrip(b"=").decode("ascii")
+    return code_verifier_, code_challenge_
+
+
+code_verifier, code_challenge = generate_pkce_pair()
+state = secrets.token_urlsafe(16)
+
+short_lived_token = None
+
 
 class S(BaseHTTPRequestHandler):
     def _set_response(self) -> None:
@@ -21,42 +49,269 @@ class S(BaseHTTPRequestHandler):
         self.end_headers()
 
     @override
-    def log_message(self, format: Any, *args: Any) -> None:  # pylint: disable=W0622,
+    def log_message(self, format: Any, *args: Any) -> None:
         return
 
     # Please do not change this into lowercase!
     @override
-    # type: ignore
-    def do_GET(self):  # pylint: disable=invalid-name,
+    def do_GET(self) -> None:  # type: ignore # noqa: PLR0912
         self._set_response()
-        self.wfile.write("Successfully setup CLI, return to your terminal to continue".encode("utf-8"))
+
+        parsed_url = urlparse(self.path)
+
+        # Get query parameters as a dict
+        query_params = parse_qs(parsed_url.query)
+
+        # Example: Get the value of the "error" parameter if it exists
+        error_value = query_params.get("error", [None])[0]
         path = self.path
+        auth_code = path[1:]  # Remotive /
         time.sleep(1)
         httpd.server_close()
 
         killerthread = Thread(target=httpd.shutdown)
         killerthread.start()
+        if error_value is None:
+            res = Rest.handle_get(
+                f"/api/open/token?code={auth_code}&code_verifier={code_verifier}",
+                return_response=True,
+                skip_access_token=True,
+                allow_status_codes=[401, 400],
+            )
+            if res.status_code != 200:
+                ErrorPrinter.print_generic_error(
+                    "Failed to fetch token. Please try again, if the problem persists please reach out to support@remotivelabs.com"
+                )
+                self.wfile.write(
+                    "Failed to fetch token. Please try again, if the problem persists please reach out to support@remotivelabs.com".encode(
+                        "utf-8"
+                    )
+                )
+                sys.exit(1)
 
-        token = tf.TokenFile(
-            name="CLI_login_token",
-            token=path[1:],
-            created=str(datetime.datetime.now().isoformat()),
-            expires="unknown",
-        )
-        settings.add_and_activate_short_lived_cli_token(tf.dumps(token))
-        print("Successfully logged on, you are ready to go with cli")
+            # TODO - This is written before we are done...
+            self.wfile.write(
+                """Successfully setup CLI, you may close this window now. Return to your terminal to continue""".encode("utf-8")
+            )
+            access_token = res.json()["access_token"]
+
+            global short_lived_token  # noqa: PLW0603
+            short_lived_token = access_token
 
+        else:
+            if error_value == "no_consent":
+                self.wfile.write(
+                    """
+                Authorization was cancelled.<br/>
+                To use RemotiveCLI, you need to grant access to your RemotiveCloud account.
+                <br/><br/>
+                Run `remotive cloud auth login` to try again.
+                """.encode("utf-8")
+                )
+                ErrorPrinter.print_generic_error("You did not grant access to RemotiveCloud, login aborted")
+            elif error_value == "user_not_exists":
+                self.wfile.write(
+                    """
+                It seems like you do not have an account at RemotiveCloud with that user<br/>
+                To use RemotiveCLI you must first sign up at <a href="https://cloud.remotivelabs.com">cloud.remotivelabs.com</a>
+                and approve our agreements.<br/>
+                <br/><br/>
+                Once you are signed up, Run `remotive cloud auth login` again.
+                """.encode("utf-8")
+                )
+                ErrorPrinter.print_generic_error(
+                    "To use RemotiveCLI you must first sign up at https://cloud.remotivelabs.com and approve our agreements"
+                )
+            else:
+                self.wfile.write(f"Unknown error {error_value}, please contact support@remotivelabs.com".encode("utf-8"))
+                ErrorPrinter.print_generic_error(f"Unexpected error {error_value}, please contact support@remotivelabs.com")
+            sys.exit(1)
+
+
+def prepare_local_webserver(server_class: type = HTTPServer, handler_class: type = S, port: Optional[int] = None) -> None:
+    if port is None:
+        env_val = os.getenv("REMOTIVE_LOGIN_CALLBACK_PORT" or "")
+        if env_val and env_val.isdigit():
+            port = int(env_val)
+        else:
+            port = 0
 
-def start_local_webserver(server_class: type = HTTPServer, handler_class: type = S, port: int = 0) -> None:
     server_address = ("", port)
-    global httpd  # pylint: disable=W0603
+    global httpd  # noqa: PLW0603
     httpd = server_class(server_address, handler_class)
 
 
-def login() -> None:
+def create_personal_token() -> None:
+    response = Rest.handle_post(
+        url="/api/me/keys",
+        return_response=True,
+        body=json.dumps({"alias": "roine"}),
+        access_token=short_lived_token,
+    )
+    token = response.json()
+    email = token["account"]["email"]
+    existing_file = settings.get_token_file_by_email(email=email)
+    if existing_file is not None:
+        # ErrorPrinter.print_hint(f"Revoking and deleting existing credentials [remove_me]{existing_file.name}")
+        res = Rest.handle_patch(
+            f"/api/me/keys/{existing_file.name}/revoke",
+            quiet=True,
+            access_token=short_lived_token,
+            allow_status_codes=[400, 404],
+        )
+        if res is not None and res.status_code == 200:
+            Rest.handle_delete(
+                f"/api/me/keys/{existing_file.name}",
+                quiet=True,
+                access_token=short_lived_token,
+            )
+        settings.remove_token_file(existing_file.name)
+
+    settings.add_personal_token(response.text, activate=True)
+
+    print("Successfully logged on")
+
+
+def _do_prompt_to_use_existing_credentials() -> Optional[TokenFile]:
+    files = settings.list_personal_token_files()
+    if len(files) > 0:
+        should_select_token = typer.confirm(
+            "You have credentials available already, would you like to choose one of these instead?", default=True
+        )
+        if should_select_token:
+            token = do_activate(token_name=None)
+            # token = list_and_select_personal_token(skip_prompt=False, include_service_accounts=True)
+            if token is not None:
+                return token
+            # TODO - fix so this is not needed
+            sys.exit(0)
+    return None
+
+
+def login(headless: bool = False) -> bool:  # noqa: C901, PLR0912, PLR0915
     """
-    Initiate login using browser
+    Initiate login
     """
-    start_local_webserver()
-    webbrowser.open_new_tab(f"{Rest.get_base_url()}/login?redirectUrl=http://localhost:{httpd.server_address[1]}")
-    httpd.serve_forever()
+
+    #
+    # Check login.md flowchart for better understanding
+    #
+    # 1. Check for active token valid and working credentials
+    #
+    try:
+        activate_token = settings.get_active_token_file()
+
+        if not activate_token.is_expired():
+            if Rest.has_access("/api/whoami"):
+                token = _do_prompt_to_use_existing_credentials()
+                if token is not None:
+                    return True
+            else:
+                settings.clear_active_token()
+                raise TokenNotFoundError()
+        else:
+            # TODO - Cleanup token since expired
+            pass
+
+    except TokenNotFoundError:
+        #
+        # 2. If no token was found, let user choose an existing if exists
+        #
+        token = _do_prompt_to_use_existing_credentials()
+        if token is not None:
+            return True
+
+    prepare_local_webserver()
+
+    def force_use_webserver_callback() -> bool:
+        env_val = os.getenv("REMOTIVE_LOGIN_FORCE_CALLBACK" or "no")
+        if env_val and env_val == "yes":
+            return True
+        return False
+
+    def login_with_callback_but_copy_url() -> None:
+        """
+        This will print a url the will trigger a callback later so the webserver must be up and running.
+        """
+        print("Copy the following link in a browser to login to cloud, and complete the sign-in prompts:")
+        print("")
+
+        url = (
+            f"{Rest.get_base_frontend_url()}/login"
+            f"?state={state}"
+            f"&cli_version={Rest.get_cli_version()}"
+            f"&response_type=code"
+            f"&code_challenge={code_challenge}"
+            f"&redirect_uri=http://localhost:{httpd.server_address[1]}"
+        )
+        console.print(url, style="bold")
+        httpd.serve_forever()
+
+    def login_headless() -> None:
+        """
+        Full headless, opens a browser and expects a auth code to be entered and exchanged for the token
+        """
+        print("Copy the following link in a browser to login to cloud, and complete the sign-in prompts:")
+        print("")
+
+        url = (
+            f"{Rest.get_base_frontend_url()}/login"
+            f"?state={state}"
+            f"&cli_version={Rest.get_cli_version()}"
+            f"&response_type=code"
+            f"&code_challenge={code_challenge}"
+        )
+        console.print(url, style="bold")
+
+        code = typer.prompt(
+            "Once finished, enter the verification code provided in your browser",
+            hide_input=False,
+        )
+        res = Rest.handle_get(
+            f"/api/open/token?code={code}&code_verifier={code_verifier}",
+            return_response=True,
+            skip_access_token=True,
+            allow_status_codes=[401],
+        )
+        if res.status_code == 401:
+            ErrorPrinter.print_generic_error(
+                "Failed to fetch token. Please try again, if the problem persists please reach out to support@remotivelabs.com"
+            )
+            sys.exit(1)
+        access_token = res.json()["access_token"]
+        # res = Rest.handle_get("/api/whoami", return_response=True, access_token=access_token)
+        global short_lived_token  # noqa: PLW0603
+        short_lived_token = access_token
+        create_personal_token()
+        prompt_to_set_org()
+
+    if headless and not force_use_webserver_callback():
+        login_headless()
+    elif headless and force_use_webserver_callback():
+        login_with_callback_but_copy_url()
+    else:
+        could_open = webbrowser.open_new_tab(
+            f"{Rest.get_base_frontend_url()}/login"
+            f"?state={state}"
+            f"&cli_version={Rest.get_cli_version()}"
+            f"&response_type=code"
+            f"&code_challenge={code_challenge}"
+            f"&redirect_uri=http://localhost:{httpd.server_address[1]}"
+        )
+
+        if not could_open:
+            print(
+                "Could not open a browser on this machine, this is likely because you are in an environment where no browser is avaialble"
+            )
+            print("")
+            if force_use_webserver_callback():
+                login_with_callback_but_copy_url()
+            else:
+                login_headless()
+        else:
+            httpd.serve_forever()
+
+        # Once we received our callback or code we are logged in and ready to go
+        create_personal_token()
+
+    return True

cli/cloud/auth_tokens.py

@@ -1,33 +1,340 @@
+from __future__ import annotations
+
+from typing import List, Literal, Optional
+
 import typer
+from rich.console import Console
+from rich.table import Table
 
-from cli.settings import settings
+from cli.api.cloud import tokens
+from cli.cloud.organisations import do_select_default_org
+from cli.errors import ErrorPrinter
+from cli.settings import TokenFile, TokenNotFoundError, settings
 from cli.typer import typer_utils
+from cli.utils.rest_helper import RestHelper as Rest
 
-from .rest_helper import RestHelper as Rest
+console = Console(stderr=False)
+err_console = Console(stderr=True)
 
 app = typer_utils.create_typer()
 
+PromptType = Literal["activate", "login"]
+
+
+def _prompt_choice(  # noqa: C901, PLR0912
+    choices: List[TokenFile],
+    skip_prompt: bool = False,
+    info_message: Optional[str] = None,
+) -> Optional[TokenFile]:
+    accounts = settings.get_cli_config().accounts
+    try:
+        active_account = settings.get_cli_config().get_active()
+    except TokenNotFoundError:
+        active_account = None
+
+    table = Table("#", "Active", "Type", "Token", "Account", "Created", "Expires")
+
+    included_tokens: list[TokenFile] = []
+    excluded_tokens: list[TokenFile] = []
+
+    for token in choices:
+        account = accounts.get(token.account.email)
+        if account and account.credentials_name and account.credentials_name in (token.name or ""):
+            included_tokens.append(token)
+        else:
+            excluded_tokens.append(token)
+
+    if len(included_tokens) == 0:
+        return None
+
+    included_tokens.sort(key=lambda token: token.created, reverse=True)
+
+    active_token_index = None
+    for idx, choice in enumerate(included_tokens, start=1):
+        is_active = active_account is not None and active_account.credentials_name == choice.name
+        active_token_index = idx if is_active else active_token_index
+        table.add_row(
+            f"[yellow]{idx}",
+            ":white_check_mark:" if is_active else "",
+            "user" if choice.type == "authorized_user" else "sa",
+            choice.name,
+            f"[bold]{choice.account.email if choice.account else 'unknown'}[/bold]",
+            str(choice.created),
+            str(choice.expires),
+        )
+    # console.print("It seems like you have access tokens from previous login, you can select one of these instead of logging in")
+    console.print(table)
+
+    if skip_prompt:
+        return None
+
+    typer.echo("")
+    if info_message is not None:
+        console.print(info_message)
+
+    selection = typer.prompt(
+        f"Enter the number(# 1-{len(included_tokens)}) of the account to select (q to quit)",
+        default=f"{active_token_index}" if active_token_index is not None else None,
+    )
+
+    if selection == "q":
+        return None
+    try:
+        index = int(selection) - 1
+        if 0 <= index < len(included_tokens):
+            return included_tokens[index]
+        raise ValueError
+    except ValueError:
+        typer.echo("Invalid choice, please try again")
+        return _prompt_choice(included_tokens, skip_prompt, info_message)
 
-# TODO: add add interactive flag to set target directory # pylint: disable=fixme
-@app.command(name="create", help="Create and download a new personal access token")
-def create(activate: bool = typer.Option(False, help="Activate the token for use after download")) -> None:  # pylint: disable=W0621
-    response = Rest.handle_post(url="/api/me/keys", return_response=True)
-    pat = settings.add_personal_token(response.text)
+
+# @app.command(name="create")
+def create(
+    activate: bool = typer.Option(False, help="Activate the token for use after download"),
+) -> None:
+    """
+    Create a new personal access token in [bold]cloud[/bold] and download locally
+    """
+    response = tokens.create()
+    pat = settings.add_personal_token(response.text())
     print(f"Personal access token added: {pat.name}")
 
     if not activate:
         print(f"Use 'remotive cloud auth tokens activate {pat.name}' to use this access token from cli")
     else:
-        settings.activate_token(pat.name)
+        settings.activate_token(pat)
         print("Token file activated and ready for use")
     print("\033[93m This file contains secrets and must be kept safe")
 
 
-@app.command(name="list", help="List personal access tokens")
+# @app.command(name="list", help="List personal credentials in [bold]cloud[/bold]")
 def list_tokens() -> None:
     Rest.handle_get("/api/me/keys")
 
 
-@app.command(name="revoke", help="Revoke personal access token")
-def revoke(name: str = typer.Argument(help="Access token name")) -> None:
-    Rest.handle_delete(f"/api/me/keys/{name}")
+# @app.command(name="revoke")
+def revoke(
+    name: str = typer.Argument(help="Access token name"),
+    delete: bool = typer.Option(True, help="Also delete token"),
+) -> None:
+    """
+    Revoke personal credentials in cloud and removes the file from filesystem
+
+    If cloud token is not found but token is found on file system it will delete it and
+    vice versa.
+    """
+    _revoke_and_delete_personal_token(name, delete)
+
+
+# @app.command(name="activate")
+def activate(
+    token_name: str = typer.Argument(..., help="Token path, filename or name to activate"),
+) -> None:
+    """
+    Activate a credential file to be used for authentication using filename, path or name.
+
+    This will be used as the current access token in all requests.
+    """
+    try:
+        token_file = settings.get_token_file(token_name)
+        settings.activate_token(token_file)
+    except TokenNotFoundError:
+        err_console.print(f":boom: [bold red] Error: [/bold red] Token with filename or name {token_name} could not be found")
+
+
+def prompt_to_set_org() -> None:
+    if settings.get_cli_config().get_active_default_organisation() is None:
+        set_default_organisation = typer.confirm(
+            "You have not set a default organization\nWould you like to choose one now?",
+            abort=False,
+            default=True,
+        )
+        if set_default_organisation:
+            do_select_default_org(get=False)
+
+
+@app.command("activate")
+def select_personal_token(
+    token_name: str = typer.Argument(None, help="Name, filename or path to a credentials file"),
+) -> None:
+    """
+    Activates is setting the current active credentials to use by the CLI, this can be done by specifying a name
+    of the token or getting prompted and choosing from existing.
+    """
+    do_activate(token_name)
+
+
+def do_activate(
+    token_name: Optional[str],
+) -> Optional[TokenFile]:
+    if token_name is not None:
+        try:
+            token_file = settings.get_token_file(token_name)
+            settings.activate_token(token_file)
+            return token_file
+        except TokenNotFoundError:
+            err_console.print(f":boom: [bold red] Error: [/bold red] Token with filename or name {token_name} could not be found")
+            return None
+    else:
+        token_files = settings.list_personal_tokens()
+        token_files.extend(settings.list_service_account_tokens())
+        if len(token_files) > 0:
+            token_selected = list_and_select_personal_token(include_service_accounts=True)
+            if token_selected is not None:
+                is_logged_in = Rest.has_access("/api/whoami")
+                if not is_logged_in:
+                    ErrorPrinter.print_generic_error("Could not access RemotiveCloud with selected token")
+                else:
+                    console.print("[green]Success![/green] Access to RemotiveCloud granted")
+                    # Only select default if activate was done with selection and successful
+                    # and not SA since SA cannot list available organizations
+                    if token_selected.type == "authorized_user":
+                        prompt_to_set_org()
+            return token_selected
+
+        ErrorPrinter.print_hint("No credentials available, login to activate credentials")
+        return None
+
+
+def list_and_select_personal_token(
+    skip_prompt: bool = False,
+    include_service_accounts: bool = False,
+    info_message: Optional[str] = None,
+) -> Optional[TokenFile]:
+    personal_tokens = settings.list_personal_tokens()
+
+    if include_service_accounts:
+        sa_tokens = settings.list_service_account_tokens()
+        personal_tokens.extend(sa_tokens)
+
+    # merged = _merge_local_tokens_with_cloud(personal_tokens)
+
+    selected_token = _prompt_choice(personal_tokens, skip_prompt=skip_prompt, info_message=info_message)
+    if selected_token is not None:
+        settings.activate_token(selected_token)
+
+    return selected_token
+
+
+# @app.command("select-revoke")
+def select_revoke_personal_token() -> None:
+    """
+    Prompts a user to select one of the credential files to revoke and delete
+    """
+    personal_tokens = settings.list_personal_tokens()
+    sa_tokens = settings.list_service_account_tokens()
+    personal_tokens.extend(sa_tokens)
+
+    is_logged_in = Rest.has_access("/api/whoami")
+    if not is_logged_in:
+        ErrorPrinter.print_hint("You must be logged in")
+        raise typer.Exit(0)
+
+    # merged = _merge_local_tokens_with_cloud(personal_tokens)
+
+    selected_token = _prompt_choice(personal_tokens)
+
+    if selected_token is not None:
+        _revoke_and_delete_personal_token(selected_token.name, True)
+        # Rest.handle_patch(f"/api/me/keys/{selected_token.name}/revoke", quiet=True, access_token=selected_token.token)
+        # Rest.handle_delete(f"/api/me/keys/{selected_token.name}", quiet=True, access_token=selected_token.token)
+        # settings.remove_token_file(selected_token.name)
+        # active_token = settings.get_active_token_file()
+        # if active_token.name == selected_token.name:
+        #    settings.clear_active_token()
+        # select_revoke_personal_token()
+
+
+# @app.command("test-all")
+def test_all_personal_tokens() -> None:
+    """
+    Tests each credential file to see if it is valid
+    """
+    personal_tokens = settings.list_personal_tokens()
+    personal_tokens.extend(settings.list_service_account_tokens())
+    if len(personal_tokens) == 0:
+        console.print("No personal tokens found on disk")
+        return
+
+    for token in personal_tokens:
+        r = Rest.handle_get(
+            "/api/whoami",
+            allow_status_codes=[401],
+            access_token=token.token,
+            use_progress_indicator=True,
+            return_response=True,
+        )
+        if r.status_code == 200:
+            if token.account is not None:
+                console.print(f"{token.account.email} ({token.name}) :white_check_mark:")
+            else:
+                console.print(f"{token.name} :white_check_mark:")
+        elif token.account is not None:
+            console.print(f"{token.account.email} ({token.name}) :x: Failed")
+        else:
+            console.print(f"{token.name} :x: Failed")
+
+
+# @app.command(name="list-service-account-tokens-files")
+def list_sats_files() -> None:
+    """
+    List service account access token files in remotivelabs config directory
+    """
+    service_account_files = settings.list_service_account_token_files()
+    for file in service_account_files:
+        print(file)
+
+
+@app.command(name="list")
+def list_pats_files(
+    accounts: bool = typer.Option(True, help="Lists all available accounts"),
+    files: bool = typer.Option(False, help="Shows all token files in config directory"),
+) -> None:
+    """
+    Lists available credential files on filesystem
+    """
+
+    if accounts:
+        list_and_select_personal_token(skip_prompt=True, include_service_accounts=True, info_message="hello")
+
+    if files:
+        personal_files = settings.list_personal_token_files()
+        service_account_files = settings.list_service_account_token_files()
+        personal_files.extend(service_account_files)
+        for file in personal_files:
+            print(file)
+
+
+def _revoke_and_delete_personal_token(name: str, delete: bool) -> None:
+    token_file = None
+
+    # First we try to find the file and make sure its not the currently active
+    try:
+        token_file = settings.get_token_file(name)
+        active_token = settings.get_active_token_file()
+        if token_file.name == active_token.name:
+            ErrorPrinter.print_hint("You cannot revoke the current active token")
+            return
+    except TokenNotFoundError:
+        pass
+
+    # The lets try to revoke from cloud
+    res_revoke = tokens.revoke(name)
+    if delete:
+        res_delete = tokens.delete(name)
+        if res_delete.is_success:
+            ErrorPrinter.print_generic_message("Token successfully revoked and deleted")
+        else:
+            ErrorPrinter.print_hint(f"Failed to revoke and delete token in cloud: {res_delete.status_code}")
+    elif res_revoke.is_success:
+        ErrorPrinter.print_generic_message("Token successfully revoked")
+    else:
+        ErrorPrinter.print_hint("Failed to revoke and delete token in cloud")
+
+    # Finally try to remove the file if exists
+    if token_file is not None:
+        settings.remove_token_file(token_file.name)
+        console.print("Successfully deleted token on filesystem")
+    else:
+        ErrorPrinter.print_hint("Token not found on filesystem")