Merge pull request #43 from britive/aws-optional-session-token

Aws optional session token

Author: twratl

CHANGELOG.md

@@ -2,6 +2,24 @@
 
 All changes to the package starting with v0.3.1 will be logged here.
 
+## v0.8.0 [2023-01-05]
+#### What's New
+* Ability to store a GCP `gcloud` key file locally so `eval $(pybritive checkout "profile" -m gcloudauth)` will automatically authenticate the user with the gcloud CLI.
+* Ability to override the default location of the GCP `gcloud` key file with `pybritive checkout "profile" -m gcloudauth --gcloud-key-file /path/to/key.json`
+* New command `clear` with subcommands `cache` and `gcloud-key-files`. `cache` has same functionality as `pybritive cache clear` and `gcloud-key-files` will remove all `pybritive` generated temporary key files stored in the default location.
+
+#### Enhancements
+* None
+
+#### Bug Fixes
+* None
+
+#### Dependencies
+* `britive~=2.12.4` from `britive~=2.12.3` - AWS provider optional session token
+
+#### Other
+* None
+
 ## v0.7.2 [2022-12-12]
 #### What's New
 * None

TECH_README.md

@@ -42,6 +42,9 @@ Environment variables that should be set for testing include the following.
 
 Create `./testing-variables.txt` and load what you need so you can easily re-create the needed variables. This file is in `.gitignore`. 
 
+Package the code locally with `pip install -e .` so pytest can run against the python package.
+Then `pytest tests/ -v` to perform the testing. 
+
 The identity used for testing will require access to at least one profile to test `checkout` and `checkin`. 
 Additionally, the identity will need access to 2 secrets
 * one standard secret with path `/pybritive-test-standard` to test `view` - the value of the secret should be generic note with note of `test`

requirements.txt

@@ -1,4 +1,4 @@
-britive~=2.12.3
+britive~=2.12.4
 certifi==2022.6.15
 charset-normalizer==2.1.0
 click==8.1.3

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = pybritive
-version = 0.7.2
+version = 0.8.0
 author = Britive Inc.
 author_email = support@britive.com
 description = A pure Python CLI for Britive
@@ -26,7 +26,7 @@ install_requires =
     toml
     cryptography
     python-dateutil
-    britive>=2.12.3
+    britive>=2.12.4
 
 [options.packages.find]
 where = src

src/pybritive/britive_cli.py

@@ -255,7 +255,7 @@ def _get_app_type(self, application_id):
         raise click.ClickException(f'Application {application_id} not found')
 
     def __get_cloud_credential_printer(self, app_type, console, mode, profile, silent, credentials,
-                                       aws_credentials_file):
+                                       aws_credentials_file, gcloud_key_file):
         if app_type in ['AWS', 'AWS Standalone']:
             return printer.AwsCloudCredentialPrinter(
                 console=console,
@@ -282,7 +282,8 @@ def __get_cloud_credential_printer(self, app_type, console, mode, profile, silen
                 profile=profile,
                 credentials=credentials,
                 silent=silent,
-                cli=self
+                cli=self,
+                gcloud_key_file=gcloud_key_file
             )
         else:
             return printer.GenericCloudCredentialPrinter(
@@ -348,7 +349,7 @@ def _split_profile_into_parts(self, profile):
         return parts_dict
 
     def checkout(self, alias, blocktime, console, justification, mode, maxpolltime, profile, passphrase,
-                 force_renew, aws_credentials_file):
+                 force_renew, aws_credentials_file, gcloud_key_file):
         credentials = None
         app_type = None
         credential_process_creds_found = False
@@ -418,7 +419,8 @@ def checkout(self, alias, blocktime, console, justification, mode, maxpolltime,
             alias or profile,
             self.silent,
             credentials,
-            aws_credentials_file
+            aws_credentials_file,
+            gcloud_key_file
         ).print()
 
     def import_existing_npm_config(self):
@@ -559,6 +561,9 @@ def request_withdraw(self, profile):
             application_name=parts['app']
         )
 
+    def clear_gcloud_auth_key_files(self):
+        self.config.clear_gcloud_auth_key_files()
+
 
 
 

src/pybritive/choices/mode.py

@@ -14,7 +14,8 @@
         'awscredentialprocess',     # aws credential process output with additional caching to make the credential process more performant
         'azlogin',                  # azure az login command with all fields populated (suitable for eval)
         'azps',                     # azure powershell script
-        'browser'                   # when console access is checked out open the browser to the URL provided
+        'browser',                  # when console access is checked out open the browser to the URL provided
+        'gcloudauth'                # gcloud auth activate-service-account with all fields populated (suitable for eval)
     ],
     case_sensitive=False
 )

src/pybritive/cli_interface.py

@@ -10,6 +10,7 @@
 from .commands.secret import secret as group_secret
 from .commands.cache import cache as group_cache
 from .commands.request import request as group_request
+from .commands.clear import clear as group_clear
 import sys
 import os
 
@@ -46,6 +47,7 @@ def cli(version):
 cli.add_command(group_secret)
 cli.add_command(group_cache)
 cli.add_command(group_request)
+cli.add_command(group_clear)
 
 
 if __name__ == "__main__":

src/pybritive/commands/checkout.py

@@ -7,10 +7,10 @@
 @click.command()
 @build_britive
 @britive_options(names='alias,blocktime,console,justification,mode,maxpolltime,silent,force_renew,aws_credentials_file,'
-                       'tenant,token,passphrase,federation_provider')
+                       'gcloud_key_file,tenant,token,passphrase,federation_provider')
 @click.argument('profile', shell_complete=profile_completer)
 def checkout(ctx, alias, blocktime, console, justification, mode, maxpolltime, silent, force_renew,
-             aws_credentials_file, tenant, token, passphrase, federation_provider, profile):
+             aws_credentials_file, gcloud_key_file, tenant, token, passphrase, federation_provider, profile):
     """Checkout a profile.
 
     This command takes 1 required argument `PROFILE`. This should be a string representation of the profile
@@ -28,5 +28,6 @@ def checkout(ctx, alias, blocktime, console, justification, mode, maxpolltime, s
         profile=profile,
         passphrase=passphrase,
         force_renew=force_renew,
-        aws_credentials_file=aws_credentials_file
+        aws_credentials_file=aws_credentials_file,
+        gcloud_key_file=gcloud_key_file
     )

src/pybritive/commands/clear.py

@@ -0,0 +1,24 @@
+import click
+from ..helpers.build_britive import build_britive
+
+
+@click.group()
+def clear():
+    """Clear various local settings and configurations."""
+    pass
+
+
+@clear.command()
+@build_britive
+def cache(ctx):
+    """Clears the local cache."""
+    ctx.obj.britive.cache_clear()
+
+
+@clear.command(name='gcloud-auth-key-files')
+@build_britive
+def gcloud_auth_key_files(ctx):
+    """Clears the local gcloud auth key files."""
+    ctx.obj.britive.clear_gcloud_auth_key_files()
+
+

src/pybritive/helpers/cloud_credential_printer.py

@@ -1,4 +1,5 @@
 import json
+import uuid
 import click
 import platform
 import configparser
@@ -50,6 +51,8 @@ def print(self):
             self.print_awscredentialprocess()
         if mode_prefix == 'azps':
             self.print_azps()
+        if mode_prefix == 'gcloudauth':
+            self.print_gcloudauth()
 
     def print_console(self):
         if self.mode == 'browser':
@@ -81,6 +84,9 @@ def print_azlogin(self):
     def print_azps(self):
         self._not_implemented()
 
+    def print_gcloudauth(self):
+        self._not_implemented()
+
     def _not_implemented(self):
         raise click.ClickException(f'Application type {self.app_type} does not support the specified mode.')
 
@@ -210,10 +216,11 @@ def print_azps(self):
 
 
 class GcpCloudCredentialPrinter(CloudCredentialPrinter):
-    def __init__(self, console, mode, profile, silent, credentials, cli):
+    def __init__(self, console, mode, profile, silent, credentials, cli, gcloud_key_file):
         key = list(credentials.keys())[0]
         credentials = json.loads(credentials[key])
         super().__init__('GCP', console, mode, profile, silent, credentials, cli)
+        self.gcloud_key_file = gcloud_key_file
 
     def print_json(self):
         self.cli.print(json.dumps(self.credentials, indent=2), ignore_silent=True)
@@ -223,3 +230,18 @@ def print_json(self):
             "--key-file <path-where-above-json-is-stored>", ignore_silent=True
         )
 
+    def print_gcloudauth(self):
+        # get path to gcloud key file
+        if not self.gcloud_key_file:  # if --gcloud-key-file not provided
+            path = Path(self.cli.config.path).parent / 'pybritive-gcloud-key-files' / f'{uuid.uuid4().hex}.json'
+        else:  # we need to parse out/sanitize what was provided
+            path = Path(self.gcloud_key_file).expanduser().absolute()
+
+        # key file does not yet exist so write to it
+        path.parent.mkdir(exist_ok=True, parents=True)
+        path.write_text(json.dumps(self.credentials, indent=2))
+
+        self.cli.print(
+            f"gcloud auth activate-service-account {self.credentials['client_email']} --key-file {str(path)}",
+            ignore_silent=True
+        )