Merge branch 'ceng-355-httpsgithubcomcloudsmith-iocloudsmith-clipull171' of github.com:cloudsmith-io/cloudsmith-cli into ceng-355-httpsgithubcomcloudsmith-iocloudsmith-clipull171

Author: BartoszBlizniak

CHANGELOG.md

@@ -9,6 +9,18 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [1.3.1] - 2024-10-08
+
+### Fixed
+
+ - Missing dependency from `setup.py` file ([#177](https://github.com/cloudsmith-io/cloudsmith-cli/pull/177))
+
+## [1.3.0] - 2024-10-08
+
+### Added
+
+- The `auth` command, enabling users to authenticate against the API with their organization's configured SAML provider ([#174](https://github.com/cloudsmith-io/cloudsmith-cli/pull/174))
+
 ## [1.2.5] - 2024-06-11
 
 ### Added

README.md

@@ -28,6 +28,7 @@ Please see the [changelog](https://github.com/cloudsmith-io/cloudsmith-cli/blob/
 
 The CLI currently supports the following commands (and sub-commands):
 
+- `auth`:                 Authenticate the CLI against an organization's SAML configuration.
 - `check`:                Check rate limits and service status.
 - `copy`|`cp`:            Copy a package to another repository.
 - `delete`|`rm`:          Delete a package from a repository.
@@ -169,11 +170,26 @@ You can specify the following configuration options:
 - `api_key`: The API key for authenticating with the API.
 
 
-### Getting Your API Key
+### Authenticating
 
 You'll need to provide authentication to Cloudsmith for any CLI actions that result in accessing private data or making changes to resources (such as pushing a new package to a repository)..
 
-With the CLI this is simple to do. You can retrieve your API key using the `cloudsmith login` command:
+#### SAML authentication
+
+You can authenticate using your organization's SAML provider, if configured, with the `cloudsmith auth` command:
+```
+cloudsmith auth --owner example
+Beginning authentication for the example org ...
+Opening your organization's SAML IDP URL in your browser: https://example.com/some-saml-idp
+
+Starting webserver to begin authentication ...
+
+Authentication complete
+```
+
+#### Getting Your API Key
+
+You can retrieve your API key using the `cloudsmith login` command:
 
 ```
 cloudsmith login

cloudsmith_cli/cli/commands/__init__.py

@@ -1,6 +1,7 @@
 """CLI/Commands - Import all commands."""
 
 from . import (
+    auth,
     check,
     copy,
     delete,

cloudsmith_cli/cli/commands/auth.py

@@ -0,0 +1,58 @@
+"""CLI/Commands - Authenticate the user."""
+import webbrowser
+
+import click
+
+from .. import decorators, validators
+from ..exceptions import handle_api_exceptions
+from ..saml import get_idp_url
+from ..webserver import AuthenticationWebRequestHandler, AuthenticationWebServer
+from .main import main
+
+
+@main.command(aliases=["auth"])
+@click.option(
+    "-o",
+    "--owner",
+    metavar="OWNER",
+    required=True,
+    callback=validators.validate_owner,
+    prompt=True,
+    help="The name of the Cloudsmith organization to authenticate with.",
+)
+@decorators.common_cli_config_options
+@decorators.common_cli_output_options
+@decorators.initialise_api
+@click.pass_context
+def authenticate(ctx, opts, owner):
+    """Authenticate to Cloudsmith using the org's SAML setup."""
+    owner = owner[0]
+    api_host = opts.api_config.host
+
+    click.echo(
+        "Beginning authentication for the {owner} org ... ".format(
+            owner=click.style(owner, bold=True)
+        )
+    )
+
+    context_message = "Failed to authenticate via SSO!"
+    with handle_api_exceptions(ctx, opts=opts, context_msg=context_message):
+        idp_url = get_idp_url(api_host, owner)
+        click.echo(
+            "Opening your organization's SAML IDP URL in your browser: %(idp_url)s"
+            % {"idp_url": click.style(idp_url, bold=True)}
+        )
+        click.echo()
+        webbrowser.open(idp_url)
+        click.echo("Starting webserver to begin authentication ... ")
+
+        auth_server = AuthenticationWebServer(
+            ("127.0.0.1", 12400),
+            AuthenticationWebRequestHandler,
+            api_host=api_host,
+            owner=owner,
+        )
+        auth_server.handle_request()
+
+        click.echo()
+        click.secho("Authentication complete", fg="green")

cloudsmith_cli/cli/commands/login.py

@@ -1,11 +1,9 @@
 """CLI/Commands - Get an API token."""
 
 import collections
-import getpass
 import stat
 
 import click
-import keyring
 
 from ...core.api.user import get_user_token
 from ...core.utils import get_help_website
@@ -103,30 +101,6 @@ def create_config_files(ctx, opts, api_key):
     return create, has_errors
 
 
-def get_username():
-    return getpass.getuser()
-
-
-def store_access_token(access_token):
-    username = get_username()
-    keyring.set_password("cloudsmith_cli-access_token", username, access_token)
-
-
-def get_access_token():
-    username = get_username()
-    return keyring.get_password("cloudsmith_cli-access_token", username)
-
-
-def store_refresh_token(refresh_token):
-    username = get_username()
-    keyring.set_password("cloudsmith_cli-refresh_token", username, refresh_token)
-
-
-def get_refresh_token():
-    username = get_username()
-    return keyring.get_password("cloudsmith_cli-refresh_token", username)
-
-
 @main.command(aliases=["token"])
 @click.option(
     "-l",

cloudsmith_cli/cli/exceptions.py

@@ -7,6 +7,7 @@
 import click
 
 from ..core.api.exceptions import ApiException
+from ..core.keyring import get_access_token
 
 
 @contextlib.contextmanager
@@ -132,6 +133,10 @@ def get_401_error_hint(ctx, opts, exc):
             "you don't have the permission to perform this action."
         )
 
+    access_token = get_access_token(opts.api_host)
+    if access_token:
+        return "Since you have an SSO access token set, this probably means that it has expired. Try getting a new token with 'cloudsmith auth', then try again."
+
     if ctx.info_name == "token":
         # This is already the token command
         return (
@@ -141,9 +146,9 @@ def get_401_error_hint(ctx, opts, exc):
         )
 
     return (
-        "You don't have an API key set, but it seems this action "
+        "You don't have an API key or access token set, but it seems this action "
         "requires authentication - Try getting your API key via "
-        "'cloudsmith token' first then try again."
+        "'cloudsmith token', or access token via 'cloudsmith auth', then try again."
     )
 
 

cloudsmith_cli/cli/saml.py

@@ -0,0 +1,86 @@
+from urllib.parse import urlencode
+
+import requests
+
+from ..core.api.exceptions import ApiException
+
+
+def get_idp_url(api_host, owner):
+    org_saml_url = "{api_host}/orgs/{owner}/saml/?{params}".format(
+        api_host=api_host,
+        owner=owner,
+        params=urlencode({"redirect_url": "http://localhost:12400"}),
+    )
+
+    org_saml_response = requests.get(org_saml_url, timeout=30)
+
+    try:
+        org_saml_response.raise_for_status()
+    except requests.RequestException as exc:
+        raise ApiException(
+            org_saml_response.status_code,
+            headers=exc.response.headers,
+            body=exc.response.content,
+        )
+
+    return org_saml_response.json().get("redirect_url")
+
+
+def exchange_2fa_token(api_host, two_factor_token, totp_token):
+    exchange_data = {"two_factor_token": two_factor_token, "totp_token": totp_token}
+    exchange_url = "{api_host}/user/two-factor/".format(api_host=api_host)
+
+    exchange_response = requests.post(
+        exchange_url,
+        data=exchange_data,
+        headers={
+            "Authorization": "Bearer {two_factor_token}".format(
+                two_factor_token=two_factor_token
+            )
+        },
+        timeout=30,
+    )
+
+    try:
+        exchange_response.raise_for_status()
+    except requests.RequestException as exc:
+        raise ApiException(
+            exchange_response.status_code,
+            headers=exc.response.headers,
+            body=exc.response.content,
+        )
+
+    exchange_data = exchange_response.json()
+    access_token = exchange_data.get("access_token")
+    refresh_token = exchange_data.get("refresh_token")
+
+    return (access_token, refresh_token)
+
+
+def refresh_access_token(api_host, access_token, refresh_token):
+    data = {"refresh_token": refresh_token}
+    url = "{api_host}/user/refresh-token/".format(api_host=api_host)
+
+    response = requests.post(
+        url,
+        data=data,
+        headers={
+            "Authorization": "Bearer {access_token}".format(access_token=access_token)
+        },
+        timeout=30,
+    )
+
+    try:
+        response.raise_for_status()
+    except requests.RequestException as exc:
+        raise ApiException(
+            response.status_code,
+            headers=exc.response.headers,
+            body=exc.response.content,
+        )
+
+    response_data = response.json()
+    access_token = response_data.get("access_token")
+    refresh_token = response_data.get("refresh_token")
+
+    return (access_token, refresh_token)