securedeploy 0.1.0__py3-none-any.whl

securedeploy/__init__.py

@@ -0,0 +1,3 @@
+from securedeploy.client import SecureDeploy
+
+__all__ = ["SecureDeploy"]

securedeploy/cli.py

@@ -0,0 +1,274 @@
+from __future__ import annotations
+
+import functools
+import json
+from collections.abc import Callable
+from pathlib import Path
+from typing import Any, Optional
+
+import click
+
+from securedeploy import SecureDeploy
+
+_WORKSPACE_SLUG_OPTION_HELP = "Workspace slug (default: config)."
+_APPLICATION_SLUG_OPTION_HELP = "Application slug (default: config)."
+_URL_PATH_OPTION_HELP = (
+    "Path under the app host URL (after the domain). "
+    "With --file: full path including file name (extension must match the file). "
+    "With --path: prefix added before each file's path relative to that directory."
+)
+
+
+def handle_errors(f: Callable[..., Any]) -> Callable[..., Any]:
+    @functools.wraps(f)
+    def wrapper(*args: Any, **kwargs: Any) -> Any:
+        try:
+            return f(*args, **kwargs)
+        except click.UsageError:
+            raise
+        except Exception as e:
+            raise click.ClickException(str(e)) from e
+
+    return wrapper
+
+
+def _echo_json(data: object) -> None:
+    if data is None:
+        return
+    click.echo(json.dumps(data, indent=2))
+
+
+@click.group()
+@click.option(
+    "--dev",
+    is_flag=True,
+    help="Use local dev URLs.",
+)
+@click.pass_context
+def cli(ctx: click.Context, dev: bool) -> None:
+    ctx.obj = SecureDeploy(env="development" if dev else "production")
+
+
+@cli.group()
+def auth() -> None:
+    """Authenticate with SecureDeploy."""
+
+
+@auth.command("login")
+@click.pass_context
+@handle_errors
+def auth_login(ctx: click.Context) -> None:
+    ctx.obj.auth.login(
+        verification_callback=lambda uri: click.echo(
+            f"Please go to this URL to authorize: {uri}"
+        )
+    )
+    click.echo("Login successful")
+
+
+@auth.command("refresh-token")
+@click.pass_context
+@handle_errors
+def auth_refresh_token(ctx: click.Context) -> None:
+    """Exchange the stored refresh token for new tokens."""
+    ctx.obj.auth.refresh_token()
+    _echo_json(ctx.obj.whoami())
+
+
+@auth.command("inspect")
+@click.pass_context
+@handle_errors
+def auth_inspect(ctx: click.Context) -> None:
+    """Print stored access and refresh tokens from local config as JSON."""
+    _echo_json(ctx.obj.auth.inspect())
+
+
+@cli.command("whoami")
+@click.pass_context
+@handle_errors
+def whoami_cmd(ctx: click.Context) -> None:
+    _echo_json(ctx.obj.whoami())
+
+
+@cli.group()
+def workspaces() -> None:
+    """Manage workspaces."""
+
+
+@workspaces.command("list")
+@click.pass_context
+@handle_errors
+def workspaces_list(ctx: click.Context) -> None:
+    _echo_json(ctx.obj.workspaces.list())
+
+
+@workspaces.command("set-default")
+@click.argument("slug", required=False)
+@click.pass_context
+@handle_errors
+def workspaces_set_default(ctx: click.Context, slug: Optional[str]) -> None:
+    if not slug:
+        workspaces = ctx.obj.workspaces.list()
+        if not workspaces:
+            raise click.UsageError("No workspaces found; create one first.")
+        slug = str(workspaces[0].get("slug") or "")
+        if not slug:
+            raise click.ClickException(
+                "First workspace in list has no slug; pass slug explicitly."
+            )
+    ctx.obj.workspaces.set_default(slug)
+    click.echo(f"Default workspace set to {slug!r}")
+
+
+@workspaces.command("get")
+@click.argument("slug", required=False)
+@click.pass_context
+@handle_errors
+def workspaces_get(ctx: click.Context, slug: Optional[str]) -> None:
+    if slug:
+        ws = ctx.obj.workspaces.get(slug)
+    else:
+        ws = ctx.obj.workspaces.get_default()
+    _echo_json(ws.data)
+
+
+@workspaces.command("create")
+@click.option("--name", default=None, help="Workspace display name.")
+@click.option("--slug", required=True, help="Workspace slug.")
+@click.pass_context
+@handle_errors
+def workspaces_create(ctx: click.Context, name: Optional[str], slug: str) -> None:
+    ws = ctx.obj.workspaces.create(name=name, slug=slug)
+    _echo_json(ws.data)
+
+
+@cli.group()
+def applications() -> None:
+    """Manage applications."""
+
+
+@applications.command("list")
+@click.option("--workspace", default=None, help=_WORKSPACE_SLUG_OPTION_HELP)
+@click.pass_context
+@handle_errors
+def applications_list(ctx: click.Context, workspace: Optional[str]) -> None:
+    _echo_json(ctx.obj.applications.list(workspace=workspace))
+
+
+@applications.command("get")
+@click.argument("slug", required=False)
+@click.option("--workspace", default=None, help=_WORKSPACE_SLUG_OPTION_HELP)
+@click.pass_context
+@handle_errors
+def applications_get(
+    ctx: click.Context, slug: Optional[str], workspace: Optional[str]
+) -> None:
+    app = ctx.obj.applications.get(slug, workspace=workspace)
+    _echo_json(app.data)
+
+
+@applications.command("create")
+@click.option("--name", default=None, help="Application display name.")
+@click.option("--slug", required=True, help="Application slug.")
+@click.option("--workspace", default=None, help=_WORKSPACE_SLUG_OPTION_HELP)
+@click.pass_context
+@handle_errors
+def applications_create(
+    ctx: click.Context,
+    name: Optional[str],
+    slug: str,
+    workspace: Optional[str],
+) -> None:
+    _echo_json(ctx.obj.applications.create(name=name, slug=slug, workspace=workspace))
+
+
+@applications.command("set-default")
+@click.argument("slug")
+@click.option("--workspace", default=None, help=_WORKSPACE_SLUG_OPTION_HELP)
+@click.pass_context
+@handle_errors
+def applications_set_default(
+    ctx: click.Context, slug: str, workspace: Optional[str]
+) -> None:
+    ctx.obj.applications.set_default(slug, workspace=workspace)
+    click.echo(f"Default application set to {slug!r}")
+
+
+@cli.group()
+def defaults() -> None:
+    """Show configured defaults."""
+
+
+@defaults.command("list")
+@click.pass_context
+@handle_errors
+def defaults_list(ctx: click.Context) -> None:
+    _echo_json(ctx.obj.defaults.list())
+
+
+def _upload_cli_url_path_for_file(file: Path, url_path: str) -> str:
+    up = url_path.strip()
+    if not up:
+        raise click.UsageError("--url-path must not be empty.")
+    normalized = up.replace("\\", "/").lstrip("/")
+    if normalized.startswith(".."):
+        raise click.UsageError("--url-path must not start with '..'.")
+    if "/.." in normalized:
+        raise click.UsageError(
+            "--url-path must not contain '/..' (parent directory segments)."
+        )
+    if normalized.endswith("/"):
+        raise click.UsageError(
+            "--url-path must not be a directory path (remove trailing '/')."
+        )
+    base = Path(normalized).name
+    if not base or base in (".", ".."):
+        raise click.UsageError("--url-path must include a file name.")
+    ext_file = file.suffix.lower()
+    ext_url = Path(normalized).suffix.lower()
+    if ext_file != ext_url:
+        raise click.UsageError(
+            f"--url-path extension must match the file: expected {ext_file!r}, "
+            f"got {ext_url!r}."
+        )
+    return normalized
+
+
+@cli.command("upload")
+@click.option("--file", type=click.Path(path_type=Path), default=None)
+@click.option("--path", type=click.Path(path_type=Path), default=None)
+@click.option("--url-path", default=None, help=_URL_PATH_OPTION_HELP)
+@click.option("--application", default=None, help=_APPLICATION_SLUG_OPTION_HELP)
+@click.option("--workspace", default=None, help=_WORKSPACE_SLUG_OPTION_HELP)
+@click.pass_context
+@handle_errors
+def upload_cmd(
+    ctx: click.Context,
+    file: Optional[Path],
+    path: Optional[Path],
+    url_path: Optional[str],
+    application: Optional[str],
+    workspace: Optional[str],
+) -> None:
+    if (file is None) == (path is None):
+        raise click.UsageError("Specify exactly one of --file or --path.")
+    if file is not None:
+        url_p = _upload_cli_url_path_for_file(file, url_path) if url_path else None
+        _echo_json(
+            ctx.obj.upload.file(
+                file, application=application, workspace=workspace, url_path=url_p
+            )
+        )
+    else:
+        _echo_json(
+            ctx.obj.upload.path(
+                path,
+                application=application,
+                workspace=workspace,
+                url_path=url_path,
+            )
+        )
+
+
+if __name__ == "__main__":
+    cli()

securedeploy/client.py

@@ -0,0 +1,509 @@
+from __future__ import annotations
+
+import logging
+import webbrowser
+from collections.abc import Iterator
+from contextlib import contextmanager
+from json import dumps
+from pathlib import Path
+from typing import Any, Callable, Literal, Optional, Union
+
+import httpx
+import tomli_w
+from httpx import ConnectError, TimeoutException
+
+from securedeploy.config import Config
+from securedeploy.oauth import OAuth
+
+logger = logging.getLogger(__name__)
+
+# Max size per file for uploads (directory walks skip oversize files; single-file upload raises).
+_MAX_UPLOAD_FILE_BYTES = 10 * 1024 * 1024
+
+# Basenames compared case-insensitively; common secret/credential artifacts in repos.
+_UPLOAD_IGNORE_FILENAMES: frozenset[str] = frozenset(
+    {
+        ".git-credentials",
+        ".htpasswd",
+        ".lesshst",
+        ".mysql_history",
+        ".netrc",
+        ".npmrc",
+        ".pgpass",
+        ".psql_history",
+        ".pypirc",
+        ".rediscli_history",
+        ".sqlite_history",
+        "credentials.json",
+        "google-services.json",
+        "googleservice-info.plist",
+        "id_dsa",
+        "id_ecdsa",
+        "id_ed25519",
+        "id_rsa",
+        "local.settings.json",  # Azure Functions secrets
+        "pscredentials.xml",
+        "secrets.json",
+        "webhook.secret",
+    }
+)
+
+# Suffixes (lowercase, leading dot) often used for keys, keystores, VPN, etc.
+_UPLOAD_IGNORE_EXTENSIONS: frozenset[str] = frozenset(
+    {
+        ".der",
+        ".jks",
+        ".kdbx",
+        ".key",
+        ".keystore",
+        ".ovpn",
+        ".p12",
+        ".p8",
+        ".pem",
+        ".pfx",
+    }
+)
+
+
+def _upload_ignore_reason(file_path: Path) -> Optional[str]:
+    """If file_path should not be uploaded from a directory walk, return why; else None."""
+    name_lower = file_path.name.lower()
+    if name_lower == ".env" or name_lower.startswith(".env."):
+        return "sensitive env file (.env*)"
+    if name_lower == "credentials" and file_path.parent.name.lower() == ".aws":
+        return "AWS credentials file"
+    if name_lower in _UPLOAD_IGNORE_FILENAMES:
+        return "sensitive filename"
+    if file_path.suffix.lower() in _UPLOAD_IGNORE_EXTENSIONS:
+        return f"sensitive extension {file_path.suffix!r}"
+    return None
+
+
+@contextmanager
+def _upstream_request_guard() -> Iterator[None]:
+    try:
+        yield
+    except ConnectError as e:
+        raise ConnectError(
+            "Upstream API is not reachable; \n"
+            "Please check your connection and try again. \n\n"
+            "If the problem persists, please contact support at support@securedeploy.org. \n"
+            "Please include the following information in your support request: \n"
+            f"Error details: {e}."
+        ) from e
+    except TimeoutException as e:
+        raise TimeoutException(
+            "Upstream API has timed out; \n"
+            "Please check your connection and try again. \n\n"
+            "If the problem persists, please contact support at support@securedeploy.org. \n"
+            "Please include the following information in your support request: \n"
+            f"Error details: {e}."
+        ) from e
+
+
+def _handle_api_error_response(
+    r: httpx.Response,
+    method: str,
+    path: str,
+    auth: _Auth,
+    retry: Optional[Callable[[], Any]],
+) -> Any:
+    ct = r.headers.get("content-type", "").lower()
+    if r.content and "json" in ct:
+        try:
+            detail = dumps(r.json(), indent=2)
+        except ValueError:
+            detail = r.text
+    else:
+        detail = r.text
+    msg = f"{method} {path} failed ({r.status_code}):\n{detail}"
+    if r.status_code == 404:
+        raise ResourceNotFoundError(msg)
+    if r.status_code == 401:
+        if retry is None:
+            raise RuntimeError(msg)
+        logger.info("Refreshing access token")
+        auth.refresh_token()
+        return retry()
+    raise RuntimeError(msg)
+
+
+class ResourceNotFoundError(RuntimeError):
+    """Raised when the API returns HTTP 404."""
+
+
+class SecureDeploy:
+    """Client for the securedeploy.org API; mirrors CLI command groups."""
+
+    def __init__(
+        self, env: Literal["development", "production"] = "production"
+    ) -> None:
+        if env == "development":
+            self._config = Config(
+                api_base_url="http://api.securedeploy.local",
+                auth_base_url="http://localhost",
+            )
+        else:
+            self._config = Config()
+        self.auth = _Auth(self)
+        self.workspaces = _Workspaces(self)
+        self.applications = _Applications(self)
+        self.defaults = _Defaults(self)
+        self.upload = _Upload(self)
+
+    def whoami(self) -> dict[str, Any]:
+        users = self._request("GET", "/v1/users")
+        if not users or len(users) == 0:
+            raise RuntimeError("Failed to get user details")
+        return users[0]
+
+    def _request(
+        self,
+        method: str,
+        path: str,
+        *,
+        json: Optional[dict[str, Any]] = None,
+        params: Optional[dict[str, Any]] = None,
+        reauth: bool = True,
+    ) -> Any:
+        url = f"{self._config.api_base_url.rstrip('/')}{path}"
+        headers = {"Authorization": f"Bearer {self._config.get_access_token()}"}
+        with _upstream_request_guard(), httpx.Client(timeout=60.0) as client:
+            r = client.request(method, url, headers=headers, json=json, params=params)
+            if r.status_code >= 400:
+                retry: Optional[Callable[[], Any]] = (
+                    (
+                        lambda: self._request(
+                            method, path, json=json, params=params, reauth=False
+                        )
+                    )
+                    if reauth
+                    else None
+                )
+                return _handle_api_error_response(r, method, path, self.auth, retry)
+            if not r.content:
+                return None
+            return r.json()
+
+    def _save_config(self) -> None:
+        self._config.config_file.write_text(
+            tomli_w.dumps(self._config.config), encoding="utf-8"
+        )
+
+    def _default_workspace_slug(self) -> str:
+        slug = self._config.config.get("default_workspace")
+        if not slug:
+            raise RuntimeError("No default workspace; set one or pass workspace=")
+        return str(slug)
+
+    def _default_application_slug(self) -> str:
+        slug = self._config.config.get("default_application")
+        if not slug:
+            raise RuntimeError("No default application; set one or pass application=")
+        return str(slug)
+
+    def _default_application_workspace_slug(self) -> str:
+        slug = self._config.config.get("default_application_workspace")
+        if not slug:
+            raise RuntimeError(
+                "No default application workspace; set one or pass application_workspace="
+            )
+        return str(slug)
+
+
+class _Auth:
+    def __init__(self, client: SecureDeploy) -> None:
+        self._client = client
+
+    def login(self, verification_callback: Optional[Callable] = None) -> None:
+        oauth = OAuth(self._client._config)
+        response = oauth.create_device_code()
+        verification_uri = response.get("verification_uri")
+        if verification_uri:
+            logger.info(f"Please go to this URL to authorize:\n{verification_uri}")
+            if verification_callback:
+                verification_callback(verification_uri)
+            webbrowser.open(str(verification_uri))
+        tokens = oauth.poll_for_token()
+        self._client._config.set_tokens(
+            tokens.get("access_token"), tokens.get("refresh_token")
+        )
+
+    def refresh_token(self) -> None:
+        oauth = OAuth(self._client._config)
+        tokens = oauth.refresh_access_token()
+        self._client._config.set_tokens(
+            tokens.get("access_token"), tokens.get("refresh_token")
+        )
+
+    def inspect(self) -> dict[str, Any]:
+        c = self._client._config.config
+        return {
+            "access_token": c.get("access_token"),
+            "refresh_token": c.get("refresh_token"),
+        }
+
+
+class _Defaults:
+    def __init__(self, client: SecureDeploy) -> None:
+        self._client = client
+
+    def list(self) -> dict[str, Any]:
+        return {
+            "default_workspace": self._client._config.config.get("default_workspace"),
+            "default_application": self._client._config.config.get(
+                "default_application"
+            ),
+            "default_application_workspace": self._client._config.config.get(
+                "default_application_workspace"
+            ),
+        }
+
+
+class _Workspaces:
+    def __init__(self, client: SecureDeploy) -> None:
+        self._client = client
+
+    def list(self) -> list[dict[str, Any]]:
+        return self._client._request("GET", "/v1/workspaces")
+
+    def get(self, slug: str) -> Workspace:
+        data = self._client._request("GET", f"/v1/workspaces/{slug}")
+        return Workspace(self._client, slug, data if isinstance(data, dict) else {})
+
+    def get_default(self) -> Workspace:
+        slug = self._client._default_workspace_slug()
+        return self.get(slug)
+
+    def set_default(self, slug: str) -> None:
+        self.get(slug)
+        self._client._config.config["default_workspace"] = slug
+        self._client._save_config()
+
+    def create(
+        self,
+        *,
+        name: Optional[str] = None,
+        slug: Optional[str] = None,
+    ) -> Workspace:
+        body = {k: v for k, v in {"name": name, "slug": slug}.items() if v is not None}
+        if not body:
+            raise ValueError("workspaces.create requires at least name or slug")
+        data = self._client._request("POST", "/v1/workspaces", json=body)
+        if not isinstance(data, dict):
+            raise RuntimeError("Unexpected API response for workspace create")
+        ws_slug = str(data.get("slug") or slug or "")
+        if not ws_slug:
+            raise RuntimeError("API did not return a workspace slug")
+        return Workspace(self._client, ws_slug, data)
+
+
+class Workspace:
+    def __init__(self, client: SecureDeploy, slug: str, data: dict[str, Any]) -> None:
+        self._client = client
+        self.slug = slug
+        self.data = data
+
+    @property
+    def applications(self) -> _ScopedApplications:
+        return _ScopedApplications(self._client, self.slug)
+
+
+class Application:
+    def __init__(
+        self,
+        client: SecureDeploy,
+        workspace_slug: str,
+        slug: str,
+        data: dict[str, Any],
+    ) -> None:
+        self._client = client
+        self.workspace_slug = workspace_slug
+        self.slug = slug
+        self.data = data
+
+
+class _Applications:
+    def __init__(self, client: SecureDeploy) -> None:
+        self._client = client
+
+    def list(self, *, workspace: Optional[str] = None) -> list[dict[str, Any]]:
+        ws = workspace or self._client._default_workspace_slug()
+        return self._client._request("GET", f"/v1/workspaces/{ws}/applications")
+
+    def get(
+        self,
+        slug: Optional[str] = None,
+        *,
+        workspace: Optional[str] = None,
+    ) -> Application:
+        if slug is None:
+            slug = self._client._default_application_slug()
+            ws = (
+                self._client._default_application_workspace_slug()
+                or self._client._default_workspace_slug()
+            )
+        else:
+            ws = workspace or self._client._default_workspace_slug()
+        data = self._client._request("GET", f"/v1/workspaces/{ws}/applications/{slug}")
+        return Application(
+            self._client,
+            ws,
+            slug,
+            data if isinstance(data, dict) else {},
+        )
+
+    def create(
+        self,
+        *,
+        name: Optional[str] = None,
+        slug: Optional[str] = None,
+        workspace: Optional[str] = None,
+    ) -> dict[str, Any]:
+        ws = workspace or self._client._default_workspace_slug()
+        body = {k: v for k, v in {"name": name, "slug": slug}.items() if v is not None}
+        if not body:
+            body = {}
+        return self._client._request(
+            "POST", f"/v1/workspaces/{ws}/applications", json=body
+        )
+
+    def set_default(
+        self,
+        slug: str,
+        *,
+        workspace: Optional[str] = None,
+    ) -> None:
+        ws = workspace or self._client._default_workspace_slug()
+        try:
+            self.get(slug, workspace=ws)
+        except ResourceNotFoundError:
+            raise RuntimeError(f"Application {slug} not found in workspace {ws}")
+        self._client._config.config["default_application"] = slug
+        if not self._client._config.config.get("default_workspace"):
+            self._client._config.config["default_workspace"] = ws
+        elif self._client._config.config.get("default_workspace") != ws:
+            self._client._config.config["default_application_workspace"] = ws
+
+        self._client._save_config()
+
+
+class _ScopedApplications:
+    def __init__(self, client: SecureDeploy, workspace_slug: str) -> None:
+        self._client = client
+        self._workspace = workspace_slug
+
+    def list(self) -> list[dict[str, Any]]:
+        return self._client.applications.list(workspace=self._workspace)
+
+    def get(self, slug: Optional[str] = None) -> Application:
+        return self._client.applications.get(slug, workspace=self._workspace)
+
+    def create(
+        self,
+        *,
+        name: Optional[str] = None,
+        slug: Optional[str] = None,
+    ) -> dict[str, Any]:
+        return self._client.applications.create(
+            name=name, slug=slug, workspace=self._workspace
+        )
+
+    def set_default(self, slug: str) -> None:
+        self._client.applications.set_default(slug, workspace=self._workspace)
+
+
+class _Upload:
+    def __init__(self, client: SecureDeploy) -> None:
+        self._client = client
+
+    def file(
+        self,
+        path: Union[str, Path],
+        *,
+        application: Optional[str] = None,
+        workspace: Optional[str] = None,
+        url_path: Optional[str] = None,
+    ) -> Any:
+        p = Path(path)
+        if not p.is_file():
+            raise FileNotFoundError(p)
+        try:
+            file_size = p.stat().st_size
+        except OSError as e:
+            raise OSError(f"cannot stat {p}") from e
+        if file_size > _MAX_UPLOAD_FILE_BYTES:
+            raise ValueError(f"{p}: file size {file_size} bytes exceeds 10MiB limit")
+        ws = workspace or self._client._default_workspace_slug()
+        app = application or self._client._default_application_slug()
+        upload_path = f"/v1/workspaces/{ws}/applications/{app}/upload"
+        url = f"{self._client._config.api_base_url.rstrip('/')}{upload_path}"
+
+        def _post_upload(reauth: bool = True) -> Any:
+            headers = {
+                "Authorization": f"Bearer {self._client._config.get_access_token()}"
+            }
+            with _upstream_request_guard(), httpx.Client(timeout=120.0) as http:
+                with p.open("rb") as f:
+                    # Ordered multipart parts: url_path field first, then file (httpx preserves
+                    # sequence order; (None, value) is a non-file form field).
+                    parts: list[tuple[str, Any]] = []
+                    if url_path is not None:
+                        parts.append(("url_path", (None, url_path)))
+                    parts.append(("file", (p.name, f)))
+                    r = http.post(url, headers=headers, files=parts)
+            if r.status_code >= 400:
+                return _handle_api_error_response(
+                    r,
+                    "POST",
+                    upload_path,
+                    self._client.auth,
+                    _post_upload if reauth else None,
+                )
+            if not r.content:
+                return None
+            return r.json()
+
+        return _post_upload()
+
+    def path(
+        self,
+        dir_path: Union[str, Path],
+        *,
+        application: Optional[str] = None,
+        workspace: Optional[str] = None,
+        url_path: Optional[str] = None,
+    ) -> list[Any]:
+        root = Path(dir_path)
+        if not root.is_dir():
+            raise NotADirectoryError(root)
+        prefix = (url_path or "").strip().replace("\\", "/").strip("/")
+        results: list[Any] = []
+        for file_path in root.rglob("*"):
+            if not file_path.is_file():
+                continue
+            skip_reason = _upload_ignore_reason(file_path)
+            if skip_reason is not None:
+                logger.warning(f"Skipped {file_path}: {skip_reason}")
+                continue
+            try:
+                size = file_path.stat().st_size
+            except OSError as e:
+                logger.warning(f"Skipped {file_path}: cannot read file metadata ({e})")
+                continue
+            if size > _MAX_UPLOAD_FILE_BYTES:
+                logger.warning(
+                    f"Skipped {file_path}: exceeds 10MiB limit "
+                    f"({size} bytes > {_MAX_UPLOAD_FILE_BYTES} bytes)"
+                )
+                continue
+            rel = file_path.relative_to(root).as_posix()
+            results.append(
+                self.file(
+                    file_path,
+                    application=application,
+                    workspace=workspace,
+                    url_path=(f"{prefix}/{rel}" if prefix else None),
+                )
+            )
+        return results

securedeploy/config.py

@@ -0,0 +1,55 @@
+import sys
+from pathlib import Path
+from typing import Optional
+
+import click
+import tomli_w
+
+if sys.version_info >= (3, 11):
+    import tomllib
+else:
+    import tomli as tomllib
+
+
+class ConfigError(Exception):
+    pass
+
+
+class Config:
+    def __init__(
+        self,
+        *,
+        api_base_url: Optional[str] = None,
+        auth_base_url: Optional[str] = None,
+    ):
+        self.api_base_url = api_base_url or "https://api.securedeploy.org"
+        self.auth_base_url = auth_base_url or "https://auth.securedeploy.org"
+        self.oauth_client_id = "27r2dr2ei9vagomf4096gcsdf5"
+        self.config_dir = Path(click.get_app_dir("securedeploy"))
+        self.config_file = self.config_dir / "config.toml"
+        self.config_dir.mkdir(parents=True, exist_ok=True)
+        self.config_file.touch(exist_ok=True)
+        self.reload_config()
+
+    def get_access_token(self):
+
+        access_token = self.config.get("access_token")
+        if not access_token:
+            raise ConfigError("No access token found")
+        return access_token
+
+    def get_refresh_token(self):
+        refresh_token = self.config.get("refresh_token")
+        if not refresh_token:
+            raise ConfigError("No refresh token found")
+        return refresh_token
+
+    def set_tokens(self, access_token, refresh_token):
+        self.config["access_token"] = access_token
+        self.config["refresh_token"] = refresh_token
+        self.config_file.write_text(tomli_w.dumps(self.config), encoding="utf-8")
+        self.reload_config()
+
+    def reload_config(self):
+        content = self.config_file.read_text(encoding="utf-8").strip()
+        self.config = tomllib.loads(content) if content else {}

securedeploy/oauth.py

@@ -0,0 +1,86 @@
+import time
+
+import httpx
+
+from securedeploy.config import Config
+
+
+class OAuthFailure(Exception):
+    pass
+
+
+class OAuthTokenExpired(Exception):
+    pass
+
+
+class OAuth:
+    def __init__(self, cfg: Config):
+        self._cfg = cfg
+        self.client_id = self._cfg.oauth_client_id
+        base = self._cfg.auth_base_url.rstrip("/")
+        self.device_code_endpoint = f"{base}/device/code"
+        self.token_endpoint = f"{base}/token"
+        self.interval = 5
+
+    def create_device_code(self):
+        response = httpx.post(
+            self.device_code_endpoint,
+            data={"client_id": self.client_id, "scope": "openid profile email"},
+            headers={
+                "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"
+            },
+        )
+        if response.status_code != 200:
+            raise OAuthFailure(f"Failed to create device code: {response.text}")
+        response = response.json()
+        self.interval = response.get("interval", 5)
+        self.device_code = response.get("device_code")
+        self.user_code = response.get("user_code")
+        self.expires_in = response.get("expires_in")
+        self.verification_uri = response.get("verification_uri")
+        return response
+
+    def poll_for_token(self):
+        while True:
+            response = httpx.post(
+                self.token_endpoint,
+                data={
+                    "client_id": self.client_id,
+                    "device_code": self.device_code,
+                    "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
+                },
+                headers={
+                    "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"
+                },
+            )
+            response_json = response.json()
+            if response.status_code == 200:
+                return response_json
+            elif response.status_code == 400:
+                if response_json.get("error") == "authorization_pending":
+                    time.sleep(self.interval)
+                elif response_json.get("error") == "slow_down":
+                    self.interval *= 2
+                    time.sleep(self.interval)
+                elif response_json.get("error") == "expired_token":
+                    raise OAuthTokenExpired("Token expired: Please login again.")
+                else:
+                    raise OAuthFailure(f"Failed to poll for token: {response.text}")
+            else:
+                raise OAuthFailure(f"Failed to poll for token: {response.text}")
+
+    def refresh_access_token(self):
+        response = httpx.post(
+            self.token_endpoint,
+            data={
+                "client_id": self.client_id,
+                "grant_type": "refresh_token",
+                "refresh_token": self._cfg.get_refresh_token(),
+            },
+            headers={
+                "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"
+            },
+        )
+        if response.status_code != 200:
+            raise OAuthFailure(f"Failed to refresh access token: {response.text}")
+        return response.json()

securedeploy-0.1.0.dist-info/METADATA

@@ -0,0 +1,11 @@
+Metadata-Version: 2.4
+Name: securedeploy
+Version: 0.1.0
+Summary: Add your description here
+Project-URL: Homepage, https://securedeploy.org
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: click>=8.1.0
+Requires-Dist: httpx>=0.28.1
+Requires-Dist: tomli-w>=1.2.0
+Requires-Dist: tomli>=1.2.0; python_version < "3.11"

securedeploy-0.1.0.dist-info/RECORD

@@ -0,0 +1,10 @@
+securedeploy/__init__.py,sha256=xVJAWTxppE4us2IuwIcYt2014Ho70cPMX5JXqCekGhA,73
+securedeploy/cli.py,sha256=FrSOBEB1sZAaYSv-bRhyDop6pBoViouqKYeicA-OYUw,8013
+securedeploy/client.py,sha256=f-qedSySZnFlBNjeiRIb4vS_JVqhWne2dpSK4tZScZ0,17395
+securedeploy/config.py,sha256=syVYjQ_PJ96hBMGf9nuLTL90sP4NSdKopF-mgP8nnb4,1690
+securedeploy/oauth.py,sha256=bG3RQwss-xARptAmg5sFrEGei1VVJXD0Jbnv0jt9LpM,3101
+securedeploy-0.1.0.dist-info/METADATA,sha256=VQk0E4vMfGkZNgBNRz5yFfJMJwJiak4Kj4nfrGJfnRs,342
+securedeploy-0.1.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+securedeploy-0.1.0.dist-info/entry_points.txt,sha256=xT-GOedjtxAIGdksaMHenRWzASPVBXTz1pfNW7tM7nE,54
+securedeploy-0.1.0.dist-info/top_level.txt,sha256=0_6AVwCEoBPfaw-I9UZ44TxN88W8PMjLD38th1LMCfc,13
+securedeploy-0.1.0.dist-info/RECORD,,

securedeploy-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

securedeploy-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+securedeploy = securedeploy.cli:cli

securedeploy-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+securedeploy