Merge pull request #64 from britive/develop

v1.1.0

Author: twratl

CHANGELOG.md

@@ -2,6 +2,23 @@
 
 All changes to the package starting with v0.3.1 will be logged here.
 
+## v1.1.0 [2023-02-16]
+#### What's New
+* Allowing 2 part `PROFILE` parameters (see documentation for details)
+* Build support for multiple environment name formats (name, id, alternate environment name) for the `PROFILE` parameter
+
+#### Enhancements
+* None
+
+#### Bug Fixes
+* add a default checkout mode for AWS - bug fix as the effort is to match parity with legacy CLI tool
+
+#### Dependencies
+* None
+
+#### Other
+* None
+
 ## v1.0.0 [2023-02-09]
 #### What's New
 * Moving out of beta and into general availability. No other changes except for documentation updates reflecting the move out of beta.
@@ -11,7 +28,7 @@ All changes to the package starting with v0.3.1 will be logged here.
 
 #### Bug Fixes
 * None
-* 
+
 #### Dependencies
 * None
 

docs/index.md

@@ -71,6 +71,44 @@ Britive tenant. The below list is the order of operations for determining the to
 3. Value retrieved from environment variable `BRITIVE_API_TOKEN`
 4. If none of the above are available an interactive login will be performed and temporary credentials will be stored locally for future use with the CLI
 
+## `PROFILE` Parameter Construction (`checkout` and `checkin`)
+
+The general construction of a `PROFILE` parameter for `checkout` and `checkin` (in addition to profile aliases)
+is in the format `Application Name/Environment Name/Profile Name`.
+
+Behind the scenes `pybritive` will always use this format. However, there are specific application types where
+`Application Name == Environment Name`. For these application types, it is acceptable to provide a 2 part `PROFILE`
+parameter in the format `Application Name/Profile Name`. `pybritive` will convert this to the required 3 part
+format before interacting with backend services.
+
+Additionally, `ls profiles -f list` and `cache profiles` will return the 2 part format where applicable. It is still acceptable
+to provide the 3 part format in all cases so any existing profile aliases or other configurations will not be impacted.
+
+Below is the list of application types in which a 2 part format is acceptable.
+
+* GCP
+* Azure
+* Oracle
+* Google Workspace
+
+The list can be generated (assuming the caller has the required permissions) on demand with the following command.
+
+~~~bash
+pybritive api applications.catalog \
+    --query '[*].{"application type": name,"2 part format allowed":requiresHierarchicalModel}' \
+    --format table
+~~~
+
+Additionally, the `Environment Name` can be any one of three values. AWS example values are provided.
+
+* `environmentId` - 123456789012
+* `environmentName` - 123456789012 (Sigma Labs)
+* `alternateEnvironmentName` - Sigma Labs
+
+Any of the above values in the `Environment Name` position will be accepted.
+
+When running `ls profiles -f list` and `cache profiles`, the `environmentName` field will be shown.
+
 
 ## Workload Federation Providers
 

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = pybritive
-version = 1.0.0
+version = 1.1.0
 author = Britive Inc.
 author_email = support@britive.com
 description = A pure Python CLI for Britive

src/pybritive/britive_cli.py

@@ -211,6 +211,8 @@ def list_profiles(self, checked_out: bool = False):
                     self.list_separator = '/'
                     row.pop('Description')
                     row.pop('Type')
+                    if profile['2_part_profile_format_allowed']:
+                        row.pop('Environment')
                 data.append(row)
 
         # set special list output if needed
@@ -223,7 +225,6 @@ def list_profiles(self, checked_out: bool = False):
         if self.output_format == 'list-profiles':
             self.output_format = 'list'
 
-
     def list_applications(self):
         self.login()
         self._set_available_profiles()
@@ -276,12 +277,14 @@ def _set_available_profiles(self):
                             'app_description': app['appDescription'],
                             'env_name': env['environmentName'],
                             'env_id': env['environmentId'],
+                            'env_short_name':  env['alternateEnvironmentName'],
                             'env_description': env['environmentDescription'],
                             'profile_name': profile['profileName'],
                             'profile_id': profile['profileId'],
                             'profile_allows_console': profile['consoleAccess'],
                             'profile_allows_programmatic': profile['programmaticAccess'],
-                            'profile_description': profile['profileDescription']
+                            'profile_description': profile['profileDescription'],
+                            '2_part_profile_format_allowed': app['requiresHierarchicalModel']
                         }
                         data.append(row)
             self.available_profiles = data
@@ -300,7 +303,7 @@ def __get_cloud_credential_printer(self, app_type, console, mode, profile, silen
         if app_type in ['AWS', 'AWS Standalone']:
             return printer.AwsCloudCredentialPrinter(
                 console=console,
-                mode=mode,
+                mode=mode or self.config.aws_default_checkout_mode(),  # handle the aws default_checkout_mode here
                 profile=profile,
                 credentials=credentials,
                 silent=silent,
@@ -350,10 +353,15 @@ def _checkout(self, profile_name, env_name, app_name, programmatic, blocktime, m
         try:
             self.login()
 
-            return self.b.my_access.checkout_by_name(
+            ids = self._convert_names_to_ids(
                 profile_name=profile_name,
                 environment_name=env_name,
-                application_name=app_name,
+                application_name=app_name
+            )
+
+            return self.b.my_access.checkout(
+                profile_id=ids['profile_id'],
+                environment_id=ids['environment_id'],
                 programmatic=programmatic,
                 include_credentials=True,
                 wait_time=blocktime,
@@ -381,8 +389,10 @@ def _should_check_force_renew(app, force_renew, console):
     def _split_profile_into_parts(self, profile):
         profile_real = self.config.profile_aliases.get(profile, profile)
         parts = profile_split(profile_real)
+        if len(parts) == 2:  # handle shortcut for profiles where the app and environment name are the same
+            parts = [parts[0], parts[0], parts[1]]
         if len(parts) != 3:
-            raise click.ClickException('Provided profile string does not have the required 3 parts.')
+            raise click.ClickException('Provided profile string does not have the required parts.')
         parts_dict = {
             'app': parts[0],
             'env': parts[1],
@@ -434,7 +444,7 @@ def checkout(self, alias, blocktime, console, justification, mode, maxpolltime,
             credentials = response['credentials']
 
         # this handles the --force-renew flag
-        # lets check to see if the we should checkin this profile first and check it out again
+        # lets check to see if we should checkin this profile first and check it out again
         if self._should_check_force_renew(app_type, force_renew, console):
             expiration = datetime.fromisoformat(credentials['expirationTime'].replace('Z', ''))
             now = datetime.utcnow()
@@ -446,7 +456,7 @@ def checkout(self, alias, blocktime, console, justification, mode, maxpolltime,
                 credential_process_creds_found = False  # need to write new creds to cache
                 credentials = response['credentials']
 
-        if alias:  # do this down here so we know that the profile is valid and a checkout was successful
+        if alias:  # do this down here, so we know that the profile is valid and a checkout was successful
             self.config.save_profile_alias(alias=alias, profile=profile)
 
         if mode == 'awscredentialprocess' and not credential_process_creds_found:
@@ -574,8 +584,11 @@ def cache_profiles(self, load=True):
         for p in self.available_profiles:
             profile = self.escape_profile_element(p['app_name'])
             profile += '/'
-            profile += self.escape_profile_element(p['env_name'])
-            profile += '/'
+
+            if not p['2_part_profile_format_allowed']:
+                profile += self.escape_profile_element(p['env_name'])
+                profile += '/'
+
             profile += self.escape_profile_element(p['profile_name'])
             profiles.append(profile)
         Cache().save_profiles(profiles)
@@ -669,9 +682,63 @@ def api(self, method, parameters={}, query=None):
         # output the response, optionally filtering based on provided jmespath query/search
         self.print(jmespath.search(query, response) if query else response)
 
+    # yes - this method exits in b.my_access as _get_profile_and_environment_ids_given_names
+    # but we are doing additional business logic here to enhance the cli experience so there is
+    # a need to duplicate some of this logic (although we are doing additional work here so the logic is
+    # not 100% duplicated)
+    def _convert_names_to_ids(self, profile_name: str, environment_name: str, application_name: str) -> dict:
+        # set the available profiles if this is not already done
+        self._set_available_profiles()
+
+        # do some sanitization just in case
+        profile_name = profile_name.lower().strip()
+        environment_name = environment_name.lower().strip()
+        application_name = application_name.lower().strip()
+
+        found_profiles = {}
 
+        # collect relevant profile/environment combinations to which the identity is entitled
+        for profile in self.available_profiles:
+            if profile['app_name'].lower() != application_name:  # kick out all the unmatched applications
+                continue
+            if profile['profile_name'].lower() != profile_name:  # kick out the unmatched profiles
+                continue
+
+            # if we get here we know we are on a record that is the right app and right profile
+
+            found_profile_id = profile['profile_id']
 
+            if found_profile_id not in found_profiles.keys():
+                found_profiles[found_profile_id] = []
 
+            # load up multiple options
+            env_options = [
+                profile['env_name'].lower(),
+                profile['env_id'].lower(),
+                profile['env_short_name'].lower()
+            ]
+
+            if environment_name in env_options:
+                found_profiles[found_profile_id].append(profile['env_id'])
+
+        # let's first check to ensure we have only 1 profile
+        if len(found_profiles.keys()) == 0:
+            raise click.ClickException('no profile found with the provided application, environment, and profile names')
+        if len(found_profiles.keys()) > 1:
+            raise click.ClickException('multiple matching profiles found - cannot determine which profile to use')
+
+        # and now we can check to ensure we have only 1 environment
+        found_profile_id = list(found_profiles.keys())[0]
+        possible_environments = found_profiles[found_profile_id]
+        if len(possible_environments) == 0:
+            raise click.ClickException('no profile found with the provided application, environment, and profile names')
+        if len(possible_environments) > 1:
+            raise click.ClickException('multiple matching profiles found - cannot determine which profile to use')
+
+        return {
+            'profile_id': found_profile_id,
+            'environment_id': possible_environments[0]
+        }
 
 
 

src/pybritive/commands/checkout.py

@@ -10,7 +10,7 @@
                        'gcloud_key_file,verbose,tenant,token,passphrase,federation_provider')
 @click.argument('profile', shell_complete=profile_completer)
 def checkout(ctx, alias, blocktime, console, justification, mode, maxpolltime, silent, force_renew,
-             aws_credentials_file, gcloud_key_file,verbose, tenant, token, passphrase, federation_provider, profile):
+             aws_credentials_file, gcloud_key_file, verbose, tenant, token, passphrase, federation_provider, profile):
     """Checkout a profile.
 
     This command takes 1 required argument `PROFILE`. This should be a string representation of the profile

src/pybritive/helpers/cloud_credential_printer.py

@@ -22,6 +22,7 @@ def __init__(self, app_type, console, mode, profile, silent, credentials, cli):
         self.app_type = app_type
         self.profile = profile
         self.console = console
+        mode = mode or 'json'  # set a default if nothing is provided via flag --mode/-m
         helper = mode.split('-')
         env_prefix = helper[1] if 1 < len(helper) else None
         self.mode = helper[0]

src/pybritive/helpers/config.py

@@ -7,6 +7,7 @@
 import toml
 from ..choices.output_format import output_format_choices
 from ..choices.backend import backend_choices
+from ..choices.mode import mode_choices
 from britive.britive import Britive
 from ..helpers.split import profile_split
 
@@ -37,7 +38,8 @@ def coalesce(*arg):
 
 non_tenant_sections = [
     'global',
-    'profile-aliases'
+    'profile-aliases',
+    'aws'
 ]
 
 global_fields = [
@@ -52,6 +54,10 @@ def coalesce(*arg):
     'output_format'
 ]
 
+aws_fields = [
+    'default_checkout_mode'
+]
+
 
 class ConfigManager:
     def __init__(self, cli: object, tenant_name: str = None):
@@ -183,6 +189,7 @@ def import_global_npm_config(self):
             npm_config = toml.load(f)
         tenant = npm_config.get('tenantURL', '').replace('https://', '').replace('.britive-app.com', '').lower()
         output_format = npm_config.get('output_format', '').lower()
+        aws_section = npm_config.get('AWS', None)
 
         # reset the config as we are building a new one
         self.config = {
@@ -198,6 +205,12 @@ def import_global_npm_config(self):
             self.cli.print(f'Found default output format {output_format}.')
             self.config['global']['output_format'] = output_format
 
+        if aws_section:
+            checkout_mode = aws_section.get('checkoutMode')
+            if checkout_mode:
+                self.cli.print(f'Found aws default checkout mode of {checkout_mode}.')
+                self.config['aws'] = {'default_checkout_mode': checkout_mode.lower()}
+
         self.save()
         self.load(force=True)
 
@@ -207,6 +220,10 @@ def backend(self):
         self.load()
         return self.config.get('global', {}).get('credential_backend', 'encrypted-file')
 
+    def aws_default_checkout_mode(self):
+        self.load()
+        return self.config.get('aws', {}).get('default_checkout_mode', None)
+
     def update(self, section, field, value):
         self.load()
         if section not in self.config.keys():
@@ -226,6 +243,8 @@ def validate(self):
                 self.validate_global(section, fields)
             if section == 'profile-aliases':
                 self.validate_profile_aliases(section, fields)
+            if section == 'aws':
+                self.validate_aws(section, fields)
             if section.startswith('tenant-'):
                 self.validate_tenant(section, fields)
 
@@ -262,6 +281,14 @@ def validate_profile_aliases(self, section, fields):
                         'separated by a /'
                 self.validation_error_messages.append(error)
 
+    def validate_aws(self, section, fields):
+        for field, value in fields.items():
+            if field not in aws_fields:
+                self.validation_error_messages.append(f'Invalid {section} field {field} provided.')
+            if field == 'default_checkout_mode' and value not in mode_choices.choices:
+                error = f'Invalid {section} field {field} value {value} provided. Invalid value choice.'
+                self.validation_error_messages.append(error)
+
     def validate_tenant(self, section, fields):
         for field, value in fields.items():
             if field not in tenant_fields:

src/pybritive/options/mode.py

@@ -2,17 +2,18 @@
 from ..choices.mode import mode_choices
 
 
+# as of v1.1.0 not setting a default value here on purpose as the config file now has an
+# aws section which provides a default value if the --mode option is omitted
+# the default to `json` will occur now in helpers/cloud_credential_printer::CloudCredentialPrinter.__init__
 option = click.option(
     '--mode', '-m',
-    default='json',
     type=mode_choices,
     show_choices=True,
-    show_default=True,
     help='The way in which the checked out credentials are presented. `integrate` will place the credentials into '
          'the cloud providers local credential file (AWS only). Value `env` can optionally include terminal specific '
          'options for setting environment variables '
          '(example: env-nix for Linux/Mac, env-wincmd for Windows Command Prompt, env-winps for Windows PowerShell).'
-         '`gcloudauth` will save the generated key file/credentials to the pybritive config directory  and generate a '
-         'gcloud auth command which can be directly evaluated.'
+         '`gcloudauth` will save the generated key file/credentials to the pybritive config directory and generate a '
+         'gcloud auth command which can be directly evaluated. Will default to `json` if not provided.'
 )
 

tests/test_0200_configure.py

@@ -170,3 +170,8 @@ def test_configure_update_tenant_correct_data(runner, cli):
     common_asserts(result, substring=['name=pybritivetest1.dev'])
     # set it back
     runner.invoke(cli, f'configure update tenant-{tenant} name {tenant}'.split(' '))
+
+
+def test_configure_update_aws_data(runner, cli):
+    result = runner.invoke(cli, f'configure update aws default_checkout_mode integrate'.split(' '))
+    common_asserts(result, substring=['aws', 'default_checkout_mode=integrate'])