Merge pull request #145 from britive/develop

v1.7.0rc3

Author: twratl

.gitignore

@@ -12,6 +12,9 @@ site/
 lock-test.py
 test.py
 
+# IDE
+.vscode/
+
 # C extensions
 *.so
 

CHANGELOG.md

@@ -2,12 +2,34 @@
 
 * As of v1.4.0 release candidates will be published in an effort to get new features out faster while still allowing time for full QA testing before moving the release candidate to a full release.
 
+## v1.7.0rc3 [2024-04-03]
+#### What's New
+* Support for OpenShift checkout modes `os-oclogin` and `os-ocloginexec`. These checkout modes will perform the OIDC authorization code grant flow and extraction of the `oc login` command in code vs. having to use the browser. It is a "best effort" approach as the OpenShift login pages and programmatic access pages could change over time.
+
+#### Enhancements
+* Adds 3 part profile name for command `ls profiles -f json` - [#141](https://github.com/britive/python-cli/issues/141)
+
+#### Bug Fixes
+* Fixes issue with `--force-renew` on `checkout` not providing the `--console` flag properly to `checkin`
+* Flag `-p` was being used by `--maxpolltime` and `--passphrase` for command `checkout`. Switched `--maxpolltime` to `-x`.
+
+#### Dependencies
+* `britive>=2.24.0rc5`
+* Removal of `pkg_resources` dependency
+
+#### Other
+* Documentation updates for `--federation-provider` and `spacelift`
+* Documentation update for Azure Managed Identities
+* Introduction of `__version__` in `__init.py__`
+* Re-enabling the system banner/announcement logic
+
 ## v1.7.0rc2 [2024-01-19]
 #### What's New
 * None
 
 #### Enhancements
 * None
+
 #### Bug Fixes
 * Remove the banner logic as the banner api is not yet available in production
 

TECH_README.md

@@ -6,7 +6,7 @@ pip install --editable .
 
 ## Build
 
-* Update version in `setup.cfg`
+* Update version in `setup.cfg` and `src/pybritive/__init__.py` (TODO: create some pre-build script that will update one of these automatically)
 * Push code to GitHub
 * Cut a new PR and merge when appropriate
 * Run below commands

docs/index.md

@@ -75,7 +75,6 @@ order of operations for determining the tenant.
 4. If none of the above are available then check for configured tenants in `~/.britive/pybritive.config` and if there is only 1 tenant configured use it
 5. If all the above fail then error
 
-
 ## Credential Selection Logic
 
 There are numerous ways to provide the CLI with the Britive credentials that should be used to authenticate to the
@@ -124,7 +123,6 @@ Any of the above values in the `Environment Name` position will be accepted.
 
 When running `ls profiles -f list` and `cache profiles`, the `environmentName` field will be shown.
 
-
 ## Workload Federation Providers
 
 *NOTE*: Before any of the below will work there is required setup and configuration within your Britive tenant 
@@ -146,10 +144,9 @@ At feature launch the following types of identity providers are supported for wo
 * Bitbucket
 * Azure System Assigned Managed Identities
 * Azure User Assigned Managed Identities
+* Spacelift.io
 
-For more information on Azure Managed Identities reference the below link.
-
-https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
+For more information on [Azure Managed Identities reference](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview 'Link to Microsoft Documentaion') 
 
 It is possible to source an identity token from a different OIDC provider and explicitly set it via the `--token\-T` flag.
 However, if you are using one of the above providers, a shortcut is provided to abstract away the complexity of sourcing these tokens.
@@ -176,6 +173,9 @@ pybritive checkout "profile" --federation-provider aws_expirationseconds  # use
 # bitbucket (note that no additional options are available for bitbucket)
 pybritive checkout "profile" --federation-provider bitbucket
 
+# spacelift.io (note that no additional options are available for spacelift.io)
+pybritive checkout "profile" --federation-provider spacelift
+
 # azure system assigned managed identities
 pybritive checkout "profile" --federation-provider azuresmi # use system assigned managed identities with the default OIDC audience
 pybritive checkout "profile" --federation-provider azuresmi-audience # use system assigned managed identities with a custom OIDC audience
@@ -207,15 +207,13 @@ The user will be prompted for a passphrase to use to encrypt the file. The user
 via flag `--passphrase/-p` or via environment variable `PYBRITIVE_ENCRYPTED_CREDENTIAL_PASSPHRASE`. If no passphrase is
 provided `pybritive` will use an internally generated passphrase unique to the machine on which the application is running.
 
-
 ## Home Directory
 By default, files that `pybritive` requires will be persisted to `~/.britive/`. 
 
 This can be overwritten by specifying environment variable `PYBRITIVE_HOME_DIR`. This can be either one of the following choices to where
 the end user wants to persist the `.britive` directory. Note that `.britive` will still be created so do not specify
 that as part of the path.
 
-
 ## Browser
 By default, `pybritive` will use the OS defined default for any actions that have browser interaction(s).
 

requirements.txt

@@ -1,5 +1,5 @@
 boto3
-britive>=2.24.0rc1
+britive>=2.24.0rc5
 certifi>=2022.12.7
 charset-normalizer==2.1.0
 click~=8.1.3
@@ -21,3 +21,4 @@ toml==0.10.2
 twine~=4.0.1
 urllib3>=1.26.17; urllib3 == 1
 urllib3>=2.0.6; urllib3 == 2
+beautifulsoup4~=4.12.0

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = pybritive
-version = 1.7.0rc2
+version = 1.7.0rc3
 author = Britive Inc.
 author_email = support@britive.com
 description = A pure Python CLI for Britive
@@ -27,7 +27,7 @@ install_requires =
     toml
     cryptography>=41.0.0
     python-dateutil
-    britive>=2.24.0rc1
+    britive>=2.24.0rc5
     jmespath
     pyjwt
 
@@ -38,4 +38,10 @@ where = src
 console_scripts =
     pybritive = pybritive.cli_interface:safe_cli
     pybritive-aws-cred-process = pybritive.helpers.aws_credential_process:main
-    pybritive-kube-exec = pybritive.helpers.k8s_exec:main
+    pybritive-kube-exec = pybritive.helpers.k8s_exec:main
+
+[options.extras_require]
+openshift =
+    beautifulsoup4
+aws =
+    boto3

src/pybritive/__init__.py

@@ -0,0 +1 @@
+__version__ = '1.7.0rc3'

src/pybritive/britive_cli.py

@@ -10,7 +10,6 @@
 from pathlib import Path
 import sys
 import uuid
-import pkg_resources
 import yaml
 import click
 import jmespath
@@ -169,8 +168,7 @@ def login(self, explicit: bool = False, browser: str = None):
         if explicit and should_get_profiles:
             self._set_available_profiles()  # will handle calling cache_profiles() and construct_kube_config()
 
-        # handle printing the banner - commenting out until the banner api is released into production
-        # self._display_banner()
+        self._display_banner()
 
     def _display_banner(self):
         if self.silent:
@@ -190,7 +188,8 @@ def _update_sdk_user_agent(self):
         user_agent = self.b.session.headers.get('User-Agent')
 
         try:
-            version = pkg_resources.get_distribution('pybritive').version
+            import pybritive
+            version = pybritive.__version__
         except Exception:
             version = 'unknown'
 
@@ -400,6 +399,9 @@ def list_profiles(self, checked_out: bool = False):
                     row.pop('Expiration', None)
                     if profile['2_part_profile_format_allowed']:
                         row.pop('Environment', None)
+                elif self.output_format == 'json':
+                    row['Name'] = f"{row['Application']}/{row['Environment']}/{row['Profile']}"
+
                 data.append(row)
 
         # set special list output if needed
@@ -564,6 +566,15 @@ def __get_cloud_credential_printer(self, app_type, console, mode, profile, silen
                 cli=self,
                 k8s_processor=k8s_processor
             )
+        elif app_type in ['OpenShift']:
+            return printer.OpenShiftCredentialPrinter(
+                console=console,
+                mode=mode,
+                profile=profile,
+                credentials=credentials,
+                silent=silent,
+                cli=self
+            )
         else:
             return printer.GenericCloudCredentialPrinter(
                 console=console,
@@ -696,9 +707,9 @@ def checkout(self, alias, blocktime, console, justification, mode, maxpolltime,
             from .helpers.k8s_exec_credential_builder import KubernetesExecCredentialProcessor
             k8s_processor = KubernetesExecCredentialProcessor()
 
-        # these 2 modes implicitly say that console access should be checked out without having to provide
+        # these 3 modes implicitly say that console access should be checked out without having to provide
         # the --console flag
-        if mode and (mode == 'console' or mode.startswith('browser')):
+        if mode and (mode == 'console' or mode.startswith('browser') or mode.startswith('os-')):
             console = True
             if mode.startswith('browser'):
                 self.browser = mode.replace('browser-', '')
@@ -751,7 +762,7 @@ def checkout(self, alias, blocktime, console, justification, mode, maxpolltime,
             diff = (expiration - now).total_seconds() / 60.0
             if diff < force_renew:  # time to checkin the profile so we can refresh creds
                 self.print('checking in the profile to get renewed credentials....standby')
-                self.checkin(profile=profile)
+                self.checkin(profile=profile, console=console)
                 response = self._checkout(**params)
                 cached_credentials_found = False  # need to write new creds to cache
                 credentials = response['credentials']
@@ -1224,13 +1235,16 @@ def _ssh_generate_key(self, username, hostname, key_source):
             'key_pair': key_pair
         }
 
+    @staticmethod
+    def build_import_exception_message(extras: str):
+        return f'required packages not found. run `pip3 install pybritive[{extras}]`'
+
     @staticmethod
     def _ssh_aws_push_key(aws_profile, aws_region, instance_id, username, key_pair):
         try:
             import boto3
         except ImportError as e:
-            message = 'boto3 package is required. Please ensure the package is installed.'
-            raise click.ClickException(message) from e
+            raise click.ClickException(BritiveCli.build_import_exception_message('aws')) from e
 
         # we know we will be pushing the key to the instance so establish the
         # boto3 clients which are required to perform those actions
@@ -1288,8 +1302,7 @@ def aws_console(profile, duration, browser):
         try:
             import boto3
         except ImportError as e:
-            message = 'boto3 package is required. Please ensure the package is installed.'
-            raise click.ClickException(message) from e
+            raise click.ClickException(BritiveCli.build_import_exception_message('aws')) from e
 
         creds = boto3.Session(profile_name=profile).get_credentials()
         session_id = creds.access_key

src/pybritive/choices/mode.py

@@ -26,6 +26,8 @@
         'browser-chromium',
         'kube-exec',                # bake into kubeconfig with oidc exec output and additional caching to make kubectl more performant
         'gcloudauthexec',           # will effectively execute results of gcloudauth in a sub-shell
+        'os-oclogin',               # will attempt an oidc authorization code grant flow for generating the `oc login ...` command for OpenShift
+        'os-ocloginexec',           # will attempt an oidc authorization code grant flow for generating the `oc login ...` command for OpenShift and exec the result in a subshell
     ],
     case_sensitive=False
 )