systemlink-cli 1.6.2__tar.gz → 1.6.3__tar.gz

{systemlink_cli-1.6.2 → systemlink_cli-1.6.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: systemlink-cli
-Version: 1.6.2
+Version: 1.6.3
 Summary: SystemLink Integrator CLI - cross-platform CLI for SystemLink workflows and templates.
 License-File: LICENSE
 Author: Fred Visser

{systemlink_cli-1.6.2 → systemlink_cli-1.6.3}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "systemlink-cli"
-version = "1.6.2"
+version = "1.6.3"
 description = "SystemLink Integrator CLI - cross-platform CLI for SystemLink workflows and templates."
 authors = ["Fred Visser <fred.visser@emerson.com>"]
 packages = [{ include = "slcli" }]

{systemlink_cli-1.6.2 → systemlink_cli-1.6.3}/slcli/_version.py

@@ -1,4 +1,4 @@
 """Version information for slcli."""
 
 # This file is auto-generated. Do not edit manually.
-__version__ = "1.6.2"
+__version__ = "1.6.3"

{systemlink_cli-1.6.2 → systemlink_cli-1.6.3}/slcli/user_click.py

@@ -29,6 +29,103 @@ from .workspace_utils import get_workspace_display_name, resolve_workspace_id
 
 USER_QUERY_PAGE_SIZE = 100
 USER_JSON_DEFAULT_TAKE = 1000
+AUTH_WILDCARD_VALUES = {"*", "*/*", "*:*"}
+AUTH_MUTATING_VERBS = {"*", "create", "write", "update", "manage", "admin", "delete"}
+AUTH_ADMIN_RESOURCE_KEYWORDS = {"policy", "policies", "role", "roles"}
+
+
+def _has_global_auth_scope(value: Any) -> bool:
+    """Return whether an auth scope value grants wildcard access."""
+    if isinstance(value, str):
+        return value.strip().lower() in AUTH_WILDCARD_VALUES
+    if isinstance(value, list):
+        return any(
+            isinstance(item, str) and item.strip().lower() in AUTH_WILDCARD_VALUES for item in value
+        )
+    return False
+
+
+def _action_grants_auth_management(action: str) -> bool:
+    """Return whether an action implies auth policy or role management access."""
+    normalized = action.strip().lower()
+    if normalized in AUTH_WILDCARD_VALUES:
+        return True
+
+    action_parts = [part.strip().lower() for part in normalized.split(":") if part.strip()]
+    if len(action_parts) < 2 or action_parts[0] not in {"niauth", "auth"}:
+        return False
+
+    remainder = action_parts[1:]
+    if remainder == ["*"]:
+        return True
+
+    if remainder[-1] not in AUTH_MUTATING_VERBS and "*" not in remainder:
+        return False
+
+    if len(remainder) == 1:
+        return True
+
+    return any(part in AUTH_ADMIN_RESOURCE_KEYWORDS for part in remainder[:-1])
+
+
+def _has_user_admin_access(auth_context: Dict[str, Any]) -> bool:
+    """Return whether the current caller appears to have server-admin style access."""
+    for policy in auth_context.get("policies", []):
+        statements = policy.get("statements", [])
+        if not isinstance(statements, list):
+            continue
+
+        for statement in statements:
+            if not isinstance(statement, dict):
+                continue
+
+            if not _has_global_auth_scope(statement.get("workspace")):
+                continue
+            if not _has_global_auth_scope(statement.get("resource")):
+                continue
+
+            actions = statement.get("actions", [])
+            if not isinstance(actions, list):
+                continue
+
+            for action in actions:
+                if isinstance(action, str) and _action_grants_auth_management(action):
+                    return True
+
+    return False
+
+
+def _try_get_current_auth_context() -> Optional[Dict[str, Any]]:
+    """Fetch effective auth data for the current caller when available."""
+    url = f"{get_base_url()}/niauth/v1/auth"
+
+    try:
+        auth_response = make_api_request("GET", url, payload=None, handle_errors=False)
+        auth_context = auth_response.json()
+        return auth_context if isinstance(auth_context, dict) else None
+    except Exception as exc:
+        error_response = getattr(exc, "response", None)
+        if error_response is not None and error_response.status_code in {401, 403}:
+            handle_api_error(exc)
+        return None
+
+
+def _ensure_user_admin_access(operation: str) -> None:
+    """Fail fast when the caller clearly lacks admin access for user mutations."""
+    auth_context = _try_get_current_auth_context()
+    if auth_context is None:
+        return
+
+    if _has_user_admin_access(auth_context):
+        return
+
+    click.echo(
+        f"✗ User and service account {operation} requires server admin permissions. "
+        "The active API key does not appear to have wildcard auth role or policy access "
+        "across all workspaces.",
+        err=True,
+    )
+    sys.exit(ExitCodes.PERMISSION_DENIED)
 
 
 def _get_policy_details(policy_id: str) -> Optional[dict]:
@@ -851,6 +948,7 @@ def register_user_commands(cli: click.Group) -> None:
         from .utils import check_readonly_mode
 
         check_readonly_mode("create a user")
+        _ensure_user_admin_access("creation")
 
         # If user_type wasn't specified via CLI, prompt for it first
         if user_type is None:
@@ -1060,6 +1158,7 @@ def register_user_commands(cli: click.Group) -> None:
         from .utils import check_readonly_mode
 
         check_readonly_mode("update a user")
+        _ensure_user_admin_access("updates")
 
         # First, fetch the user to check if it's a service account
         get_url = f"{get_base_url()}/niuser/v1/users/{user_id}"

{systemlink_cli-1.6.2 → systemlink_cli-1.6.3}/slcli/utils.py

@@ -75,7 +75,7 @@ def handle_api_error(exc: Exception) -> None:
     if "not found" in error_msg:
         click.echo(f"✗ Resource not found: {exc}", err=True)
         sys.exit(ExitCodes.NOT_FOUND)
-    elif "permission" in error_msg or "unauthorized" in error_msg:
+    elif "permission" in error_msg or "unauthorized" in error_msg or "forbidden" in error_msg:
         click.echo(f"✗ Permission denied: {exc}", err=True)
         sys.exit(ExitCodes.PERMISSION_DENIED)
     elif "network" in error_msg or "connection" in error_msg: