tripwire-cli 0.2.0__tar.gz → 0.3.0__tar.gz

{tripwire_cli-0.2.0 → tripwire_cli-0.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: tripwire-cli
-Version: 0.2.0
+Version: 0.3.0
 Summary: Command-line client for Tripwire canaries
 Requires-Python: >=3.12
 Requires-Dist: click>=8.1
@@ -53,7 +53,11 @@ plain-text messages go to stderr, so stdout stays clean JSON. Run
 `tripwire --help` for the full reference.
 
 Supported create types are `dns_label`, `aws_access_key`, `anthropic_api_key`,
-and `github_pat`.
+`github_pat`, `web_login_credential`, `browser_session_cookie`,
+`postgres_login`, and `kubernetes_kubeconfig`. The request-path types
+(`web_login_credential`, `browser_session_cookie`, `postgres_login`,
+`kubernetes_kubeconfig`) inline their artifact fields directly in the create
+response.
 
 `canaries create` accepts `--timeout <seconds>` (env `TRIPWIRE_CREATE_TIMEOUT`,
 default 240) for the per-request read timeout; it must stay above the server's

{tripwire_cli-0.2.0 → tripwire_cli-0.3.0}/README.md

@@ -44,7 +44,11 @@ plain-text messages go to stderr, so stdout stays clean JSON. Run
 `tripwire --help` for the full reference.
 
 Supported create types are `dns_label`, `aws_access_key`, `anthropic_api_key`,
-and `github_pat`.
+`github_pat`, `web_login_credential`, `browser_session_cookie`,
+`postgres_login`, and `kubernetes_kubeconfig`. The request-path types
+(`web_login_credential`, `browser_session_cookie`, `postgres_login`,
+`kubernetes_kubeconfig`) inline their artifact fields directly in the create
+response.
 
 `canaries create` accepts `--timeout <seconds>` (env `TRIPWIRE_CREATE_TIMEOUT`,
 default 240) for the per-request read timeout; it must stay above the server's

{tripwire_cli-0.2.0 → tripwire_cli-0.3.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "tripwire-cli"
-version = "0.2.0"
+version = "0.3.0"
 description = "Command-line client for Tripwire canaries"
 readme = "README.md"
 requires-python = ">=3.12"

{tripwire_cli-0.2.0 → tripwire_cli-0.3.0}/tests/test_cli.py

@@ -14,6 +14,7 @@ from tripwire_cli.cli import (
     build_create_payload,
     cli,
     resolve_login_server,
+    _unauthorized_message,
 )
 from tripwire_cli.client import ApiError
 
@@ -170,15 +171,18 @@ def test_build_create_payload_matches_api_contract():
     assert build_create_payload(canary_type="dns_label") == {"type": "dns_label"}
 
 
-def test_canary_types_is_the_four_public_types():
-    # The four request-path types (web_login_credential, browser_session_cookie,
-    # postgres_login, kubernetes_kubeconfig) are held private; the CLI must not
-    # surface them.
+def test_canary_types_are_the_eight_api_types():
+    # All eight types POST /canary accepts: the four provider/dns types plus the
+    # four request-path types whose artifact fields are inlined in the response.
     assert CANARY_TYPES == [
         "dns_label",
         "aws_access_key",
         "anthropic_api_key",
         "github_pat",
+        "web_login_credential",
+        "browser_session_cookie",
+        "postgres_login",
+        "kubernetes_kubeconfig",
     ]
 
 
@@ -201,10 +205,81 @@ def test_readme_lists_every_supported_create_type(path: Path):
         "kubernetes_kubeconfig",
     ],
 )
-def test_create_rejects_held_private_request_path_types(canary_type: str):
-    # These are not part of the public --type surface yet.
-    result = CliRunner().invoke(cli, ["canaries", "create", "--type", canary_type])
-    assert result.exit_code != 0
+def test_create_accepts_request_path_types(tmp_path, canary_type: str):
+    # The four request-path types are now part of the public --type surface and
+    # send the same {"type": ...} body as the provider types.
+    canary = {"id": "can_1", "type": canary_type, "status": "active"}
+    client = _FakeClient(result=canary)
+    result = CliRunner().invoke(
+        cli,
+        ["canaries", "create", "--type", canary_type],
+        obj=_logged_in_context(tmp_path, client),
+    )
+    assert result.exit_code == 0, result.output
+    assert client.created_payloads == [{"type": canary_type}]
+
+
+@pytest.mark.parametrize(
+    "canary_type,inlined",
+    [
+        (
+            "web_login_credential",
+            {
+                "url": "https://app.example/login",
+                "username": "svc-backups",
+                "password": "s3kret",
+            },
+        ),
+        (
+            "browser_session_cookie",
+            {
+                "url": "https://app.example",
+                "cookie_name": "session",
+                "cookie_value": "abc.def",
+                "cookie_domain": "app.example",
+                "cookie_path": "/",
+            },
+        ),
+        (
+            "postgres_login",
+            {
+                "database_url": "postgres://u:p@h:5432/db?sslmode=require",
+                "host": "h",
+                "port": 5432,
+                "database": "db",
+                "username": "u",
+                "password": "p",
+                "sslmode": "require",
+                "url": "postgres://h:5432",
+            },
+        ),
+        (
+            "kubernetes_kubeconfig",
+            {
+                "kubeconfig": "apiVersion: v1\nkind: Config\n",
+                "server": "https://k8s.example:6443",
+                "cluster_name": "prod",
+                "user_name": "deployer",
+                "bearer_token": "eyJ.tok",
+                "token": "eyJ.tok",
+            },
+        ),
+    ],
+)
+def test_create_prints_request_path_inlined_fields_verbatim(
+    tmp_path, canary_type: str, inlined: dict
+):
+    # The create response inlines each type's artifact fields; the CLI prints
+    # the server JSON unchanged and must not filter any field out.
+    canary = {"id": "can_1", "type": canary_type, "status": "active", **inlined}
+    client = _FakeClient(result=canary)
+    result = CliRunner().invoke(
+        cli,
+        ["canaries", "create", "--type", canary_type],
+        obj=_logged_in_context(tmp_path, client),
+    )
+    assert result.exit_code == 0, result.output
+    assert json.loads(result.stdout) == canary
 
 
 # --- argument surface -------------------------------------------------------
@@ -590,3 +665,164 @@ def test_whoami_prints_email_when_present(tmp_path):
     result = CliRunner().invoke(cli, ["whoami"], obj=ctx)
     assert result.exit_code == 0
     assert "alice@example.com" in result.output
+
+
+# --- login resilience: non-interactive flags --------------------------------
+
+
+class _StartErrorClient(_FakeClient):
+    """Email-login fake whose /auth/login/start raises a canned ApiError, so a
+    test can drive the rate-limit (429) path."""
+
+    def __init__(self, *, start_error: ApiError):
+        super().__init__(result=None)
+        self._start_error = start_error
+
+    def login_start(self, email):
+        self.login_starts.append(email)
+        raise self._start_error
+
+
+class _CodeErrorClient(_FakeClient):
+    """Email-login fake whose /auth/login (code exchange) raises a canned
+    ApiError, so a test can drive the server-error (5xx) path. start() succeeds
+    so the test reaches the exchange."""
+
+    def __init__(self, *, code_error: ApiError):
+        super().__init__(result=None)
+        self._code_error = code_error
+
+    def login_with_code(self, email, code):
+        self.code_logins.append((email, code))
+        raise self._code_error
+
+
+_GOOD_LOGIN = {
+    "user_id": "usr_alice",
+    "access_token": "tok",
+    "expires_at": 1700000000,
+    "role": "user",
+}
+
+
+def test_login_email_and_code_flags_skip_prompts_and_start(tmp_path, monkeypatch):
+    # Both --email and --code given: a fully non-interactive code exchange that
+    # does NOT call the rate-limited start and never prompts.
+    monkeypatch.setenv("TRIPWIRE_SERVER", "https://api.example")
+    client = _FakeClient(result=_GOOD_LOGIN)
+    ctx = _context(tmp_path, client)
+    result = CliRunner().invoke(
+        cli,
+        ["login", "--email", "ci@example.com", "--code", "123456"],
+        input="",  # no TTY input available
+        obj=ctx,
+    )
+    assert result.exit_code == 0, result.output
+    assert client.login_starts == []  # start is rate-limited; must be skipped
+    assert client.code_logins == [("ci@example.com", "123456")]
+    loaded = ctx.store.load()
+    assert loaded.access_token == "tok"
+    assert loaded.email == "ci@example.com"
+
+
+def test_login_email_flag_skips_email_prompt_only(tmp_path, monkeypatch):
+    # --email without --code: start is sent (no code yet) and only the code is
+    # prompted for.
+    monkeypatch.setenv("TRIPWIRE_SERVER", "https://api.example")
+    client = _FakeClient(result=_GOOD_LOGIN)
+    ctx = _context(tmp_path, client)
+    result = CliRunner().invoke(
+        cli, ["login", "--email", "ci@example.com"], input="123456\n", obj=ctx
+    )
+    assert result.exit_code == 0, result.output
+    assert client.login_starts == ["ci@example.com"]
+    assert client.code_logins == [("ci@example.com", "123456")]
+
+
+# --- login resilience: start rate limit (429) -------------------------------
+
+
+def test_login_start_rate_limit_gives_friendly_message(tmp_path, monkeypatch):
+    monkeypatch.setenv("TRIPWIRE_SERVER", "https://api.example")
+    client = _StartErrorClient(start_error=ApiError(429, "rate_limited"))
+    ctx = _context(tmp_path, client)
+    result = CliRunner().invoke(cli, ["login"], input="alice@example.com\n", obj=ctx)
+    assert result.exit_code != 0
+    # Friendly, actionable text rather than a raw "429: rate_limited".
+    assert "too many login attempts from this network" in result.output
+    assert "~10 minutes" in result.output
+    assert "429: rate_limited" not in result.output
+    # No token cached on a failed login.
+    assert not (tmp_path / "credentials.json").exists()
+
+
+def test_login_start_non_429_error_is_not_masked(tmp_path, monkeypatch):
+    # A non-rate-limit start failure keeps the generic API-error surface.
+    monkeypatch.setenv("TRIPWIRE_SERVER", "https://api.example")
+    client = _StartErrorClient(start_error=ApiError(503, "upstream_down"))
+    ctx = _context(tmp_path, client)
+    result = CliRunner().invoke(cli, ["login"], input="alice@example.com\n", obj=ctx)
+    assert result.exit_code != 0
+    assert "503: upstream_down" in result.output
+
+
+# --- login resilience: 5xx on the code exchange -----------------------------
+
+
+@pytest.mark.parametrize("status", [500, 502, 503])
+def test_login_code_exchange_5xx_tells_user_code_may_be_spent(
+    tmp_path, monkeypatch, status
+):
+    # A 5xx during the code exchange may have consumed the code server-side;
+    # retrying the same code is futile, so the CLI exits cleanly and tells the
+    # user to re-run login for a fresh code.
+    monkeypatch.setenv("TRIPWIRE_SERVER", "https://api.example")
+    client = _CodeErrorClient(code_error=ApiError(status, "internal_error"))
+    ctx = _context(tmp_path, client)
+    result = CliRunner().invoke(
+        cli, ["login"], input="alice@example.com\n123456\n", obj=ctx
+    )
+    assert result.exit_code != 0
+    # start() was called exactly once; the code was attempted exactly once (no
+    # silent retry of a possibly-spent code).
+    assert client.login_starts == ["alice@example.com"]
+    assert client.code_logins == [("alice@example.com", "123456")]
+    assert "may already be spent" in result.output
+    assert "run `tripwire login` again" in result.output
+    assert not (tmp_path / "credentials.json").exists()
+
+
+# --- login resilience: 401 detail polish ------------------------------------
+
+
+@pytest.mark.parametrize(
+    "raw_detail",
+    [
+        "Invalid header padding",
+        "Invalid token",
+        "Not enough segments",
+        "Signature verification failed",
+        "token expired",
+        "Failed to decrypt token",
+    ],
+)
+def test_unauthorized_message_maps_token_errors_to_session_expired(raw_detail):
+    assert _unauthorized_message(raw_detail) == "session expired; run `tripwire login`"
+
+
+def test_unauthorized_message_keeps_meaningful_detail():
+    assert _unauthorized_message("forbidden_scope") == (
+        "401: forbidden_scope\nhint: run `tripwire login`"
+    )
+
+
+def test_list_maps_opaque_401_to_session_expired(tmp_path):
+    # A 401 whose detail is a raw token-decode error becomes a clean
+    # session-expired prompt instead of leaking "Invalid header padding".
+    client = _FakeClient(error=ApiError(401, "Invalid header padding"))
+    result = CliRunner().invoke(
+        cli, ["canaries", "list"], obj=_logged_in_context(tmp_path, client)
+    )
+    assert result.exit_code != 0
+    assert "session expired; run `tripwire login`" in result.output
+    assert "Invalid header padding" not in result.output

{tripwire_cli-0.2.0 → tripwire_cli-0.3.0}/tripwire_cli/cli.py

@@ -50,7 +50,22 @@ def _git_user_email() -> str | None:
 
 DEFAULT_SERVER = "https://tripwire.so/api/v1"
 
-CANARY_TYPES = ["dns_label", "aws_access_key", "anthropic_api_key", "github_pat"]
+# The canary types the API's POST /canary accepts. The provider-minted types
+# (aws/anthropic/github) take ~2 min to provision; the request-path types
+# (web_login_credential, browser_session_cookie, postgres_login,
+# kubernetes_kubeconfig) inline their artifact fields directly in the create
+# response. The CLI prints the server JSON verbatim, so new inlined fields flow
+# through unchanged.
+CANARY_TYPES = [
+    "dns_label",
+    "aws_access_key",
+    "anthropic_api_key",
+    "github_pat",
+    "web_login_credential",
+    "browser_session_cookie",
+    "postgres_login",
+    "kubernetes_kubeconfig",
+]
 
 # How long the create read timeout may run, in seconds. Must stay above the
 # server's synchronous create wait window (180s) so the client never abandons a
@@ -113,6 +128,29 @@ class Context:
             return None
 
 
+# Substrings the server (or its JWT/Fernet token layer) leaks on a 401 when the
+# cached token is malformed or undecodable. These are opaque to users, so we map
+# them to a plain "session expired" message instead of echoing the raw detail.
+_EXPIRED_SESSION_TOKEN_MARKERS = (
+    "invalid header padding",
+    "invalid token",
+    "not enough segments",
+    "signature",
+    "expired",
+    "decrypt",
+)
+
+
+def _unauthorized_message(detail: str) -> str:
+    """User-facing text for a 401. Raw token/header decode errors (e.g. "Invalid
+    header padding") are meaningless to users, so map them to a clear
+    session-expired prompt; otherwise keep the server detail and append a hint."""
+    lowered = detail.lower()
+    if any(marker in lowered for marker in _EXPIRED_SESSION_TOKEN_MARKERS):
+        return "session expired; run `tripwire login`"
+    return f"401: {detail}\nhint: run `tripwire login`"
+
+
 def _handle_errors(func):
     """Translate API/credential errors into a clean CLI error and exit code."""
 
@@ -121,10 +159,9 @@ def _handle_errors(func):
         try:
             return func(*args, **kwargs)
         except ApiError as exc:
-            message = f"{exc.status}: {exc.detail}"
             if exc.status == 401:
-                message += "\nhint: run `tripwire login`"
-            raise click.ClickException(message) from exc
+                raise click.ClickException(_unauthorized_message(exc.detail)) from exc
+            raise click.ClickException(f"{exc.status}: {exc.detail}") from exc
         except (credentials.NoCredentialsError, ValueError) as exc:
             raise click.ClickException(str(exc)) from exc
 
@@ -148,21 +185,42 @@ def cli(ctx: click.Context) -> None:
 @click.option(
     "--password", help="operator password (selects password login; prefer the prompt)"
 )
+@click.option(
+    "--email",
+    help="email for passwordless login (skips the prompt; for headless/CI use)",
+)
+@click.option(
+    "--code",
+    help=(
+        "6-digit code for passwordless login (skips the code prompt; pair with "
+        "--email for a non-interactive exchange of an already-sent code)"
+    ),
+)
 @click.pass_obj
 @_handle_errors
-def login(obj: Context, user_id: str | None, password: str | None) -> None:
+def login(
+    obj: Context,
+    user_id: str | None,
+    password: str | None,
+    email: str | None,
+    code: str | None,
+) -> None:
     """Log in and cache a token.
 
     Defaults to passwordless email-code login. Passing --user-id or --password
     selects the operator (user-id + password) login instead, so operator
     scripts keep working unchanged.
+
+    For headless/CI use, pass --email (and optionally --code) to skip the
+    interactive prompts. With both --email and --code, a code that was already
+    emailed is exchanged directly without re-sending one or prompting.
     """
     server = resolve_login_server(dict(os.environ), obj.cached_server())
     client = obj.client(server)
     if user_id is not None or password is not None:
         creds = _password_login(client, server, user_id, password)
     else:
-        creds = _email_login(client, server, obj.git_email())
+        creds = _email_login(client, server, obj.git_email(), email=email, code=code)
     path = obj.store.save(creds)
     click.echo(f"logged in as {creds.user_id} ({creds.role}); token cached at {path}")
 
@@ -178,19 +236,40 @@ def _password_login(
 
 
 def _email_login(
-    client: ApiClient, server: str, default_email: str | None
+    client: ApiClient,
+    server: str,
+    default_email: str | None,
+    *,
+    email: str | None = None,
+    code: str | None = None,
 ) -> credentials.Credentials:
-    """Passwordless email-code login. Calls /auth/login/start once (it is
-    rate-limited), then re-prompts for the 6-digit code in-band on an
-    invalid/expired code without re-calling start."""
-    email = click.prompt("email", default=default_email)
-    client.login_start(email)
+    """Passwordless email-code login.
+
+    Interactive path (no ``code``): calls /auth/login/start once (it is
+    rate-limited), then prompts for the 6-digit code, re-prompting in-band on an
+    invalid/expired code without re-calling start.
+
+    Non-interactive path (``code`` supplied): exchanges that code directly and
+    does NOT call /auth/login/start, since the code was already emailed and
+    re-sending would burn the rate-limited start and invalidate the held code.
+
+    ``email`` (e.g. from ``--email``) skips the email prompt for headless/CI use.
+    """
+    email = email or click.prompt("email", default=default_email)
+
+    if code is not None:
+        # Headless: a code was supplied, so do not (re)send one. Exchange it
+        # directly; a single attempt, no prompt loop.
+        response = _exchange_code(client, email, code)
+        return _credentials_from_login(server, response, email=email)
+
+    _start_email_login(client, email)
     click.echo(f"sent a 6-digit sign-in code to {email}; check your inbox.")
     last_error: ApiError | None = None
     for attempt in range(EMAIL_CODE_ATTEMPTS):
-        code = click.prompt("code")
+        entered = click.prompt("code")
         try:
-            response = client.login_with_code(email, code)
+            response = _exchange_code(client, email, entered)
         except ApiError as exc:
             if exc.status == 400 and exc.detail == "invalid_or_expired_code":
                 last_error = exc
@@ -207,6 +286,37 @@ def _email_login(
     raise last_error if last_error is not None else ApiError(400, "invalid_or_expired_code")
 
 
+def _start_email_login(client: ApiClient, email: str) -> None:
+    """Send the sign-in code, turning the rate-limit 429 into a friendly,
+    actionable message instead of a raw ``429: rate_limited``."""
+    try:
+        client.login_start(email)
+    except ApiError as exc:
+        if exc.status == 429:
+            raise click.ClickException(
+                "too many login attempts from this network; wait ~10 minutes and "
+                "try `tripwire login` again."
+            ) from exc
+        raise
+
+
+def _exchange_code(client: ApiClient, email: str, code: str) -> dict[str, Any]:
+    """Exchange a code for a token. A server-side 5xx here is the dangerous case:
+    the code may already have been consumed, so retrying the same code is futile
+    and silently re-sending one would burn the rate-limited start. Surface a
+    clear message and have the user re-run `tripwire login` for a fresh code."""
+    try:
+        return client.login_with_code(email, code)
+    except ApiError as exc:
+        if exc.status >= 500:
+            raise click.ClickException(
+                "the server errored while verifying your code "
+                f"({exc.status}: {exc.detail}); your code may already be spent. "
+                "run `tripwire login` again to request a fresh code."
+            ) from exc
+        raise
+
+
 def _credentials_from_login(
     server: str, response: dict[str, Any], email: str | None = None
 ) -> credentials.Credentials:

{tripwire_cli-0.2.0 → tripwire_cli-0.3.0}/tripwire_cli/client.py

@@ -111,13 +111,17 @@ class ApiClient:
     def login_start(self, email: str) -> dict[str, Any]:
         """Begin an email-code login: the server emails a 6-digit code. The
         response is intentionally neutral (``{"status": "ok"}``) and never
-        reveals whether the address is known. This endpoint is rate-limited, so
-        call it once per login and re-prompt for the code in-band on failure."""
+        reveals whether the address is known. This endpoint is IP rate-limited
+        (~5 starts / 10 min, plus a new-user cap), returning
+        ``429 rate_limited`` when exceeded, so call it once per login and
+        re-prompt for the code in-band on failure."""
         return self._request("POST", "/auth/login/start", {"email": email})
 
     def login_with_code(self, email: str, code: str) -> dict[str, Any]:
         """Exchange an emailed 6-digit code for a token. A wrong/expired/used
-        code returns ``400 invalid_or_expired_code``."""
+        code returns ``400 invalid_or_expired_code``. A ``5xx`` here can leave
+        the code consumed server-side, so the caller treats it as spent and
+        sends the user back to request a fresh code rather than retrying."""
         return self._request("POST", "/auth/login", {"email": email, "code": code})
 
     def list_canaries(self) -> dict[str, Any]:

{tripwire_cli-0.2.0 → tripwire_cli-0.3.0}/uv.lock

@@ -145,7 +145,7 @@ wheels = [
 
 [[package]]
 name = "tripwire-cli"
-version = "0.2.0"
+version = "0.3.0"
 source = { editable = "." }
 dependencies = [
     { name = "click" },