Allow to disable autologin in core (for login, logout CLI actions) an…

…d keyring for CLI login action
CERT-Polska · Oct 6, 2022 · 45c19e9 · 45c19e9
1 parent 8536ca1
commit 45c19e9
Show file tree

Hide file tree

Showing 6 changed files with 94 additions and 46 deletions.
diff --git a/mwdblib/__version__.py b/mwdblib/__version__.py
@@ -1 +1 @@
-__version__ = "4.3.1"
+__version__ = "4.4.0"
diff --git a/mwdblib/api/api.py b/mwdblib/api/api.py
@@ -77,9 +77,21 @@ class APIClient:
         mwdb.api.delete(f'object/{sha256}')
     """
 
-    def __init__(self, _auth_token: Optional[str] = None, **api_options: Any) -> None:
+    def __init__(
+        self,
+        _auth_token: Optional[str] = None,
+        autologin: bool = True,
+        **api_options: Any,
+    ) -> None:
         self.options: APIClientOptions = APIClientOptions(**api_options)
         self.auth_token: Optional[JWTAuthToken] = None
+
+        # These state variables will be filled after
+        # successful authentication
+        self.username: Optional[str] = None
+        self.password: Optional[str] = None
+        self.api_key: Optional[str] = None
+
         self._server_metadata: Optional[dict] = None
 
         self.session: requests.Session = requests.Session()
@@ -92,10 +104,12 @@ def __init__(self, _auth_token: Optional[str] = None, **api_options: Any) -> Non
 
         if _auth_token:
             self.set_auth_token(_auth_token)
-        if self.options.api_key:
-            self.set_api_key(self.options.api_key)
-        elif self.options.username and self.options.password:
-            self.login(self.options.username, self.options.password)
+
+        if autologin:
+            if self.options.api_key:
+                self.set_api_key(self.options.api_key)
+            elif self.options.username and self.options.password:
+                self.login(self.options.username, self.options.password)
 
     @property
     def server_metadata(self) -> dict:
@@ -151,8 +165,8 @@ def login(self, username: str, password: str) -> None:
         )["token"]
         self.set_auth_token(token)
         # Store credentials in API options
-        self.options.username = username
-        self.options.password = password
+        self.username = username
+        self.password = password
 
     def set_api_key(self, api_key: str) -> None:
         """
@@ -165,8 +179,8 @@ def set_api_key(self, api_key: str) -> None:
         :param api_key: API key to set
         """
         self.set_auth_token(api_key)
-        # Store credentials in API options
-        self.options.api_key = api_key
+        # Store credentials in API state
+        self.api_key = api_key
 
     def logout(self) -> None:
         """
@@ -251,10 +265,10 @@ def request(
                 # Forget current auth_key
                 self.logout()
                 # If no password set: re-raise
-                if self.options.password is None:
+                if self.username is None or self.password is None:
                     raise
                 # Try to log in
-                self.login(self.options.username, self.options.password)
+                self.login(self.username, self.password)
                 # Retry failed request...
             except LimitExceededError as e:
                 if not self.options.obey_ratelimiter:

diff --git a/mwdblib/api/options.py b/mwdblib/api/options.py
@@ -219,11 +219,13 @@ def store_credentials(self) -> None:
                 keyring.set_password(
                     f"mwdb:{self.api_url}", self.username, self.password
                 )
+            self.config_parser.set(instance_section, "use_keyring", "1")
         else:
             if self.api_key:
                 self.config_parser.set(instance_section, "api_key", self.api_key)
             else:
                 self.config_parser.set(instance_section, "password", self.password)
+            self.config_parser.set(instance_section, "use_keyring", "0")
         # Perform configuration writeback
         if self.config_path:
             with self.config_path.open("w") as f:

diff --git a/mwdblib/cli/login.py b/mwdblib/cli/login.py
@@ -11,6 +11,11 @@
 @click.option(
     "--password", "-p", type=str, default=None, help="MWDB password (default: ask)"
 )
+@click.option(
+    "--use-keyring/--no-keyring",
+    default=None,
+    help="Don't use keyring, store credentials in plaintext",
+)
 @click.option("--via-api-key", "-A", is_flag=True, help="Use API key provided by stdin")
 @click.option(
     "--api-key",
@@ -19,18 +24,22 @@
     default=None,
     help="API key token (default: password-based authentication)",
 )
-@pass_mwdb
+@pass_mwdb(autologin=False)
 @click.pass_context
-def login_command(ctx, mwdb, username, password, via_api_key, api_key):
+def login_command(ctx, mwdb, username, password, use_keyring, via_api_key, api_key):
     """Store credentials for MWDB authentication"""
     if via_api_key:
         api_key = click.prompt("Provide your API key token", hide_input=True)
+
     if api_key is None:
         if username is None:
             username = click.prompt("Username")
         if password is None:
             password = click.prompt("Password", hide_input=True)
 
+    if use_keyring is not None:
+        mwdb.api.options.use_keyring = use_keyring
+
     try:
         # Try to use credentials
         if api_key is None:
@@ -43,10 +52,16 @@ def login_command(ctx, mwdb, username, password, via_api_key, api_key):
         click.echo("Error: Login failed - {}".format(str(e)), err=True)
         ctx.abort()
     mwdb.api.options.store_credentials()
+    click.echo(
+        f"Logged in successfully to {mwdb.api.options.api_url} "
+        f"as {mwdb.api.logged_user}",
+        err=True,
+    )
 
 
 @main.command("logout")
-@pass_mwdb
+@pass_mwdb(autologin=False)
 def logout_command(mwdb):
     """Reset stored credentials"""
     mwdb.api.options.clear_stored_credentials()
+    click.echo(f"Logged out successfully from {mwdb.api.options.api_url}", err=True)
diff --git a/mwdblib/cli/main.py b/mwdblib/cli/main.py
@@ -8,37 +8,49 @@
 from ..exc import MWDBError, NotAuthenticatedError
 
 
-def pass_mwdb(fn):
-    @click.option("--api-url", type=str, default=None, help="URL to MWDB instance API")
-    @click.option(
-        "--config-path", type=str, default=None, help="Alternative configuration path"
-    )
-    @functools.wraps(fn)
-    def wrapper(*args, **kwargs):
-        ctx = get_current_context()
-        mwdb_options = {}
-        api_url = kwargs.pop("api_url")
-        if api_url:
-            mwdb_options["api_url"] = api_url
-        config_path = kwargs.pop("config_path")
-        if config_path:
-            mwdb_options["config_path"] = config_path
-        mwdb = MWDB(**mwdb_options)
-        try:
-            return fn(mwdb=mwdb, *args, **kwargs)
-        except NotAuthenticatedError:
-            click.echo(
-                "Error: Not authenticated. Use `mwdb login` first to set credentials.",
-                err=True,
-            )
-            ctx.abort()
-        except MWDBError as error:
-            click.echo(
-                "{}: {}".format(error.__class__.__name__, error.args[0]), err=True
-            )
-            ctx.abort()
-
-    return wrapper
+def pass_mwdb(*fn, autologin=True):
+    def uses_mwdb(fn):
+        @click.option(
+            "--api-url", type=str, default=None, help="URL to MWDB instance API"
+        )
+        @click.option(
+            "--config-path",
+            type=str,
+            default=None,
+            help="Alternative configuration path",
+        )
+        @functools.wraps(fn)
+        def wrapper(*args, **kwargs):
+            ctx = get_current_context()
+            mwdb_options = {}
+            api_url = kwargs.pop("api_url")
+            if api_url:
+                mwdb_options["api_url"] = api_url
+            config_path = kwargs.pop("config_path")
+            if config_path:
+                mwdb_options["config_path"] = config_path
+            mwdb = MWDB(autologin=autologin, **mwdb_options)
+            try:
+                return fn(mwdb=mwdb, *args, **kwargs)
+            except NotAuthenticatedError:
+                click.echo(
+                    "Error: Not authenticated. Use `mwdb login` first "
+                    "to set credentials.",
+                    err=True,
+                )
+                ctx.abort()
+            except MWDBError as error:
+                click.echo(
+                    "{}: {}".format(error.__class__.__name__, error.args[0]), err=True
+                )
+                ctx.abort()
+
+        return wrapper
+
+    if fn:
+        return uses_mwdb(fn[0])
+    else:
+        return uses_mwdb
 
 
 @click.group()

diff --git a/mwdblib/core.py b/mwdblib/core.py
@@ -36,6 +36,8 @@ class MWDB:
     :param api_key: MWDB API key
     :param username: MWDB account username
     :param password: MWDB account password
+    :param autologin: Login automatically using credentials stored in configuration
+        or provided in arguments (default: True)
     :param verify_ssl: Verify SSL certificate correctness (default: True)
     :param obey_ratelimiter: If ``False``, HTTP 429 errors will cause an exception
         like all other error codes.
@@ -78,6 +80,9 @@ class MWDB:
        Added ``use_keyring``, ``emit_warnings`` and ``config_path`` options.
        ``username`` and ``password`` can be passed directly to the constructor.
 
+    .. versionadded:: 4.4.0
+       Added ``autologin`` option.
+
     Usage example:
 
     .. code-block:: python