Merge pull request #42 from britive/develop

v0.7.2

Author: twratl

CHANGELOG.md

@@ -2,6 +2,22 @@
 
 All changes to the package starting with v0.3.1 will be logged here.
 
+## v0.7.2 [2022-12-12]
+#### What's New
+* None
+
+#### Enhancements
+* None
+
+#### Bug Fixes
+* None
+
+#### Dependencies
+* `britive~=2.12.3` from `britive~=2.12.2` - AWS provider tenant port removal, disable SSL verification, json decode bug fix
+
+#### Other
+* None
+
 ## v0.7.1 [2022-11-28]
 #### What's New
 * None

docs/index.md

@@ -67,13 +67,58 @@ order of operations for determining the tenant.
 ## Credential Selection Logic
 
 There are numerous ways to provide the CLI with the Britive credentials that should be used to authenticate to the
-Britive tenant. The below list is the order of operations for determining the tenant.
+Britive tenant. The below list is the order of operations for determining the token to use.
 
-1. Value retrieved from CLI option/flag `--token/-T`
-2. Value retrieved from environment variable `BRITIVE_API_TOKEN`
-3. If none of the above are available an interactive login will be performed and temporary credentials will be stored locally for future use with the CLI
+1. Workload federation provider token via option/flag `--federation-provider/-P` (see below for more details on this option)
+2. Value retrieved from CLI option/flag `--token/-T`
+3. Value retrieved from environment variable `BRITIVE_API_TOKEN`
+4. If none of the above are available an interactive login will be performed and temporary credentials will be stored locally for future use with the CLI
 
 
+## Workload Federation Providers
+
+*NOTE*: Before any of the below will work there is required setup and configuration within your Britive tenant 
+so trust can be established between the identity provider and Britive.
+
+`pybritive` and the Python SDK offer the capability to source an ephemeral token from a federation provider. 
+This use case is targeted for machines/automated workloads and removes the need to store a long-lived API token 
+to interact with Britive. These tokens are mapped to service identities within your Britive tenant.
+
+At feature launch the following types of identity providers are supported for workload identity federation.
+
+* Open ID Connect (OIDC)
+* AWS STS
+
+`pybritive` offers some native integrations with the following services at the launch of this feature.
+
+* Github Actions
+* AWS
+
+It is possible to source an identity token from a different OIDC provider and explicitly set it via the `--token\-T` flag.
+However, if you are using one of the above providers, a shortcut is provided to abstract away the complexity of sourcing these tokens.
+Over time this list will grow. Reach out to your customer success manager if you have an identity provider you would like added to
+this list.
+
+A couple of examples are below which illustrate how to use the above identity providers. Note that these commands will only work
+if they are being run within the context of the identity provider. Otherwise, the necessary data and connections will not be 
+present in the execution environment.
+
+~~~bash
+# github actions
+pybritive checkout "profile" --federation-provider github  # use github actions with the default OIDC audience
+pybritive checkout "profile" --federation-provider github-audience  # use github actions with a custom OIDC audience
+pybritive checkout "profile" --federation-provider github-audience_expirationseconds   # use github actions with a custom OIDC audience and set the Britive expiration (in seconds) of the generated token
+pybritive checkout "profile" --federation-provider github_expirationseconds  # use github actions with the default OIDC audience and set the Britive expiration (in seconds) of the generated token
+
+# aws sts
+pybritive checkout "profile" --federation-provider aws  # use aws sts without an AWS CLI profile (source credentials via the standard credential discovery process)
+pybritive checkout "profile" --federation-provider aws-profile  # use aws sts with an AWS CLI profile
+pybritive checkout "profile" --federation-provider aws-profile_expirationseconds   # use aws sts with an AWS CLI profile and set the Britive expiration (in seconds) of the generated token
+pybritive checkout "profile" --federation-provider aws_expirationseconds  # use aws sts without an AWS CLI profile and set the Britive expiration (in seconds) of the generated token
+~~~
+
+In general the field format for `--federation-provider` is `provider-[something provider specific]_[duration in seconds]`.
+
 ## Credential Stores
 
 The CLI currently offers two ways in which temporary credentials obtained via interactive login can be stored.

requirements.txt

@@ -1,4 +1,4 @@
-britive~=2.12.2
+britive~=2.12.3
 certifi==2022.6.15
 charset-normalizer==2.1.0
 click==8.1.3

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = pybritive
-version = 0.7.1
+version = 0.7.2
 author = Britive Inc.
 author_email = support@britive.com
 description = A pure Python CLI for Britive
@@ -26,7 +26,7 @@ install_requires =
     toml
     cryptography
     python-dateutil
-    britive>=2.12.2
+    britive>=2.12.3
 
 [options.packages.find]
 where = src

src/pybritive/helpers/credentials.py

@@ -4,6 +4,7 @@
 import time
 import webbrowser
 import requests
+from requests.adapters import HTTPAdapter, Retry
 from pathlib import Path
 import click
 import configparser
@@ -50,6 +51,7 @@ def __init__(self, tenant_name: str, tenant_alias: str, cli: any, federation_pro
         self.alias = tenant_alias
         self.base_url = f'https://{Britive.parse_tenant(tenant_name)}'
         self.federation_provider = federation_provider
+        self.session = None
 
         # not sure if we really need 32 random bytes or if any random string would work
         # but the current britive-cli in node.js does it this way so it will be done the same
@@ -58,10 +60,29 @@ def __init__(self, tenant_name: str, tenant_alias: str, cli: any, federation_pro
         self.auth_token = b64_encode_url_safe(bytes(hashlib.sha512(self.verifier.encode('utf-8')).digest()))
         self.credentials = self.load() or {}
 
+    def _setup_requests_session(self):
+        self.session = requests.Session()
+        retries = Retry(total=5, backoff_factor=1, status_forcelist=[429, 500, 502, 503, 504])
+        self.session.mount('https://', HTTPAdapter(max_retries=retries))
+
+        # allow the disabling of TLS/SSL verification for testing in development (mostly local development)
+        if os.getenv('BRITIVE_NO_VERIFY_SSL') and '.dev.' in self.tenant:
+            # turn off ssl verification
+            self.session.verify = False
+            # wipe these due to this bug: https://github.com/psf/requests/issues/3829
+            os.environ['CURL_CA_BUNDLE'] = ""
+            os.environ['REQUESTS_CA_BUNDLE'] = ""
+            # disable the warning message
+            import urllib3
+            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
     def perform_interactive_login(self):
         self.cli.print(f'Performing interactive login against tenant {self.tenant}.')
         url = f'{self.base_url}/login?token={self.auth_token}'
 
+        # establish a requests session which will be used in retrieve_tokens()
+        self._setup_requests_session()
+
         try:
             webbrowser.get()
             webbrowser.open(url)