PyPI - urun-cli - Versions diffs - 0.2.0__tar.gz → 0.3.0__tar.gz - Mend

urun-cli 0.2.0tar.gz → 0.3.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

{urun_cli-0.2.0 → urun_cli-0.3.0}/CHANGELOG.md RENAMED Viewed

@@ -1,5 +1,15 @@
 # Changelog
+## 0.3.0
+- Implement the `urun org` / `urun org id` command: print the caller's org id
+  (resolved via the control-plane org-config endpoint).
+- Implement `urun auth jwks set`: register the org's trusted JWKS for federated
+  identity, via `--jwks-url` or `--jwks-json` (file or stdin), with optional
+  `--issuer`/`--audience`. This registers a trust relationship only; JWTs are
+  issued out of band and the CLI never mints, fetches, or stores one.
+- Add `ApiClient.register_trusted_jwks`, calling `POST /org-config/trusted-jwks`.
 ## 0.2.0
 - Bumped past 0.1.1/0.1.2 because both filenames were occupied by previously-deleted PyPI artifacts.

{urun_cli-0.2.0 → urun_cli-0.3.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: urun-cli
-Version: 0.2.0
+Version: 0.3.0
 Summary: End-user CLI for deploying apps to urun
 Project-URL: Homepage, https://urun.sh
 Project-URL: Repository, https://github.com/urun-sh/urun-cli

{urun_cli-0.2.0 → urun_cli-0.3.0}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "urun-cli"
-version = "0.2.0"
+version = "0.3.0"
 description = "End-user CLI for deploying apps to urun"
 readme = "README.md"
 requires-python = ">=3.11"

{urun_cli-0.2.0 → urun_cli-0.3.0}/src/urun/api.py RENAMED Viewed

@@ -35,6 +35,15 @@ class ApiClient:
     def org_config(self) -> dict[str, Any]:
         return self._json("GET", "/org-config", None)
+    def register_trusted_jwks(self, payload: dict[str, Any]) -> dict[str, Any]:
+        """Register this org's trusted JWKS with the control plane.
+        The org is derived server-side from the API key; the payload carries only
+        the trusted key source (jwks_url OR jwks_json) plus optional iss/aud. This
+        records a trust relationship — it does not mint or fetch a JWT.
+        """
+        return self._json("POST", "/org-config/trusted-jwks", payload)
     def _json(self, method: str, path: str, body: dict[str, Any] | None) -> dict[str, Any]:
         data = (
             None

{urun_cli-0.2.0 → urun_cli-0.3.0}/src/urun/cli.py RENAMED Viewed

@@ -2,6 +2,7 @@ from __future__ import annotations
 import argparse
 import getpass
+import json
 import os
 import re
 import sys
@@ -28,6 +29,10 @@ def main(argv: list[str] | None = None) -> int:
             return deploy(args)
         if args.command == "login":
             return login(args)
+        if args.command == "org":
+            return org(args)
+        if args.command == "auth":
+            return auth(args)
         parser.print_help()
         return 2
     except UrunError as exc:
@@ -65,9 +70,81 @@ def build_parser() -> argparse.ArgumentParser:
         ),
     )
     add_deploy_args(run)
+    add_org_parser(sub)
+    add_auth_parser(sub)
     return parser
+def add_org_parser(sub: argparse._SubParsersAction) -> None:
+    org_parser = sub.add_parser(
+        "org",
+        help="Show the caller's org id",
+        description=(
+            "Print the organization the authenticating API key belongs to "
+            "(resolved via the control plane's org-config endpoint)."
+        ),
+    )
+    org_sub = org_parser.add_subparsers(dest="org_command")
+    id_parser = org_sub.add_parser(
+        "id",
+        help="Print just the org id (machine-readable)",
+        description="Print only the org id on stdout, with no other output.",
+    )
+    add_api_args(id_parser)
+    # Allow `urun org` (bare) to behave like `urun org id`.
+    add_api_args(org_parser)
+def add_auth_parser(sub: argparse._SubParsersAction) -> None:
+    auth_parser = sub.add_parser(
+        "auth",
+        help="Register the org's trusted JWKS for federated identity",
+        description=(
+            "Register the trusted JWKS the control plane should verify session "
+            "JWTs against for this org. JWTs are issued OUT OF BAND by your IdP; "
+            "this command only REGISTERS A TRUST RELATIONSHIP — it never mints, "
+            "fetches, or stores a JWT, and no new secret is sent."
+        ),
+    )
+    auth_sub = auth_parser.add_subparsers(dest="auth_command")
+    jwks_parser = auth_sub.add_parser(
+        "jwks",
+        help="Manage the org's trusted JWKS",
+        description="Manage the trusted JWKS registered for this org.",
+    )
+    jwks_sub = jwks_parser.add_subparsers(dest="jwks_command")
+    set_parser = jwks_sub.add_parser(
+        "set",
+        help="Register/replace the org's trusted JWKS",
+        description=(
+            "Register (or replace) the trusted key source the control plane "
+            "verifies this org's session JWTs against. Provide EXACTLY ONE of "
+            "--jwks-url (a remote JWK Set endpoint) or --jwks-json (an inline JWK "
+            "Set from a file or '-' for stdin). Optionally pin the expected token "
+            "issuer/audience. This registers trust only; it does not mint a JWT."
+        ),
+    )
+    set_parser.add_argument(
+        "--jwks-url",
+        help="HTTPS URL of the org's JWK Set (e.g. https://idp.example.com/.well-known/jwks.json)",
+    )
+    set_parser.add_argument(
+        "--jwks-json",
+        metavar="FILE",
+        help="Path to an inline JWK Set ({\"keys\":[...]}), or '-' to read from stdin",
+    )
+    set_parser.add_argument(
+        "--issuer",
+        help="Optional expected JWT `iss` claim; tokens whose iss differs are rejected",
+    )
+    set_parser.add_argument(
+        "--audience",
+        help="Optional expected JWT `aud` claim; tokens lacking it are rejected",
+    )
+    add_api_args(set_parser)
 def add_login_args(parser: argparse.ArgumentParser) -> None:
     parser.add_argument(
         "--api-url",
@@ -132,6 +209,77 @@ def login(args: argparse.Namespace) -> int:
     return 0
+def org(args: argparse.Namespace) -> int:
+    # `urun org` and `urun org id` both print just the org id. There is no other
+    # `org` subcommand, so a bare `org` defaults to `id`.
+    api_url, api_key = resolve_api_credentials(args)
+    config = ApiClient(api_url, api_key).org_config()
+    print(config_value(config, "org_id"))
+    return 0
+def auth(args: argparse.Namespace) -> int:
+    if (
+        getattr(args, "auth_command", None) != "jwks"
+        or getattr(args, "jwks_command", None) != "set"
+    ):
+        raise UrunError("usage: urun auth jwks set --jwks-url <url> | --jwks-json <file|->")
+    return auth_jwks_set(args)
+def auth_jwks_set(args: argparse.Namespace) -> int:
+    jwks_url = string_value(args.jwks_url)
+    jwks_json_arg = string_value(args.jwks_json)
+    if bool(jwks_url) == bool(jwks_json_arg):
+        raise UrunError("provide exactly one of --jwks-url or --jwks-json")
+    payload: dict[str, Any] = {}
+    if jwks_url:
+        payload["jwks_url"] = jwks_url
+        issuer = string_value(args.issuer)
+        audience = string_value(args.audience)
+        if issuer:
+            payload["expected_issuer"] = issuer
+        if audience:
+            payload["expected_audience"] = audience
+    else:
+        payload["jwks_json"] = read_jwks_json(jwks_json_arg)
+        issuer = string_value(args.issuer)
+        audience = string_value(args.audience)
+        if issuer:
+            payload["expected_issuer"] = issuer
+        if audience:
+            payload["expected_audience"] = audience
+    api_url, api_key = resolve_api_credentials(args)
+    result = ApiClient(api_url, api_key).register_trusted_jwks(payload)
+    org_id = string_value(result.get("org_id")) or "(unknown)"
+    print(f"Registered trusted JWKS for org {org_id}.")
+    print("This registers a trust relationship only; no JWT was minted or fetched.")
+    return 0
+def read_jwks_json(source: str) -> dict[str, Any]:
+    """Read and validate a JWK Set from a file path, or '-' for stdin."""
+    if source == "-":
+        raw = sys.stdin.read()
+    else:
+        path = Path(source)
+        if not path.is_file():
+            raise UrunError(f"JWKS file not found: {source}")
+        raw = path.read_text(encoding="utf-8")
+    try:
+        parsed = json.loads(raw)
+    except json.JSONDecodeError as exc:
+        raise UrunError(f"invalid JWK Set JSON: {exc}") from exc
+    if not isinstance(parsed, dict):
+        raise UrunError("invalid JWK Set: expected a JSON object")
+    keys = parsed.get("keys")
+    if not isinstance(keys, list) or not keys:
+        raise UrunError('invalid JWK Set: must contain a non-empty "keys" array')
+    return parsed
 def deploy(args: argparse.Namespace) -> int:
     api_url, api_key = resolve_api_credentials(args)
     if args.poll_interval <= 0: