1 change: 1 addition & 0 deletions Cargo.lock


1 change: 1 addition & 0 deletions crates/openshell-cli/Cargo.toml
Expand Up @@ -33,6 +33,7 @@ tokio = { workspace = true }
tonic = { workspace = true, features = ["tls", "tls-native-roots"] }

# CLI
chrono = "0.4"
clap = { workspace = true }
clap_complete = { workspace = true }
crossterm = { workspace = true }
Expand Down
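Review bot: `chrono = "0.4"` is declared with a local version requirement while every neighbouring dependency in this manifest (`tokio`, `tonic`, `clap`, `clap_complete`, `crossterm`) uses `{ workspace = true }`, so this crate's chrono version is not governed from the same place as the rest of the workspace. If chrono is, or can be, declared under `[workspace.dependencies]`, the line should become `chrono = { workspace = true }` so there is a single version to review and pin across crates. If it is intentionally crate-local, a short comment on the line saying why would stop the next reader from "fixing" it.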
296 changes: 296 additions & 0 deletions crates/openshell-cli/src/main.rs
Expand Up @@ -653,6 +653,23 @@ enum OutputFormat {
Json,
}

#[derive(Clone, Debug, ValueEnum)]
enum CliProviderRefreshStrategy {
Oauth2RefreshToken,
Oauth2ClientCredentials,
GoogleServiceAccountJwt,
}

impl CliProviderRefreshStrategy {
fn as_str(&self) -> &'static str {
match self {
Self::Oauth2RefreshToken => "oauth2_refresh_token",
Self::Oauth2ClientCredentials => "oauth2_client_credentials",
Self::GoogleServiceAccountJwt => "google_service_account_jwt",
}
}
}

impl OutputFormat {
fn as_str(&self) -> &'static str {
match self {
Expand Down Expand Up @@ -708,6 +725,10 @@ enum ProviderCommands {
config: Vec<String>,
},

/// Manage provider credential refresh.
#[command(subcommand, help_template = SUBCOMMAND_HELP_TEMPLATE)]
Refresh(ProviderRefreshCommands),

/// Fetch a provider by name.
#[command(help_template = LEAF_HELP_TEMPLATE, next_help_heading = "FLAGS")]
Get {
Expand Down Expand Up @@ -766,6 +787,10 @@ enum ProviderCommands {
/// Provider config key/value pair.
#[arg(long = "config", value_name = "KEY=VALUE")]
config: Vec<String>,

/// Credential expiry (`KEY=TIMESTAMP`). Accepts epoch milliseconds or RFC3339. A zero timestamp clears expiry.
#[arg(long = "credential-expires-at", value_name = "KEY=TIMESTAMP")]
credential_expires_at: Vec<String>,
},

/// Delete providers by name.
Expand All @@ -777,6 +802,77 @@ enum ProviderCommands {
},
}

#[derive(Subcommand, Debug)]
enum ProviderRefreshCommands {
/// Show provider credential refresh status.
#[command(help_template = LEAF_HELP_TEMPLATE, next_help_heading = "FLAGS")]
Status {
/// Provider name.
#[arg(add = ArgValueCompleter::new(completers::complete_provider_names))]
name: String,

/// Optional credential key to filter by.
#[arg(long = "credential-key")]
credential_key: Option<String>,
},

/// Configure refresh metadata for a provider credential.
#[command(help_template = LEAF_HELP_TEMPLATE, next_help_heading = "FLAGS")]
Configure {
/// Provider name.
#[arg(add = ArgValueCompleter::new(completers::complete_provider_names))]
name: String,

/// Injectable credential key, for example `MS_GRAPH_ACCESS_TOKEN`.
#[arg(long = "credential-key")]
credential_key: String,

/// Refresh strategy.
#[arg(long, value_enum)]
strategy: CliProviderRefreshStrategy,

/// Non-injectable refresh material (`KEY=VALUE`).
#[arg(long = "material", value_name = "KEY=VALUE")]
material: Vec<String>,

/// Material keys that are secret and must not be exposed.
#[arg(long = "secret-material-key", value_name = "KEY")]
secret_material_keys: Vec<String>,

/// Expiry for the current credential. Accepts epoch milliseconds or RFC3339.
#[arg(
long = "credential-expires-at",
value_name = "TIMESTAMP",
value_parser = run::parse_credential_expiry_cli_value
)]
credential_expires_at: Option<i64>,
},

/// Record a gateway-owned credential rotation request.
#[command(help_template = LEAF_HELP_TEMPLATE, next_help_heading = "FLAGS")]
Rotate {
/// Provider name.
#[arg(add = ArgValueCompleter::new(completers::complete_provider_names))]
name: String,

/// Injectable credential key, for example `MS_GRAPH_ACCESS_TOKEN`.
#[arg(long = "credential-key")]
credential_key: String,
},

/// Delete refresh metadata for a provider credential.
#[command(help_template = LEAF_HELP_TEMPLATE, next_help_heading = "FLAGS")]
Delete {
/// Provider name.
#[arg(add = ArgValueCompleter::new(completers::complete_provider_names))]
name: String,

/// Injectable credential key, for example `MS_GRAPH_ACCESS_TOKEN`.
#[arg(long = "credential-key")]
credential_key: String,
},
}

#[derive(Subcommand, Debug)]
enum ProviderProfileCommands {
/// Export a provider profile.
Expand Down Expand Up @@ -2641,6 +2737,55 @@ async fn main() -> Result<()> {
)
.await?;
}
ProviderCommands::Refresh(command) => match command {
ProviderRefreshCommands::Status {
name,
credential_key,
} => {
run::provider_refresh_status(
endpoint,
&name,
credential_key.as_deref(),
&tls,
)
.await?;
}
ProviderRefreshCommands::Configure {
name,
credential_key,
strategy,
material,
secret_material_keys,
credential_expires_at,
} => {
run::provider_refresh_config(
endpoint,
run::ProviderRefreshConfigInput {
name: &name,
credential_key: &credential_key,
strategy: strategy.as_str(),
material: &material,
secret_material_keys: &secret_material_keys,
credential_expires_at_ms: credential_expires_at,
},
&tls,
)
.await?;
}
ProviderRefreshCommands::Rotate {
name,
credential_key,
} => {
run::provider_rotate(endpoint, &name, &credential_key, &tls).await?;
}
ProviderRefreshCommands::Delete {
name,
credential_key,
} => {
run::provider_refresh_delete(endpoint, &name, &credential_key, &tls)
.await?;
}
},
ProviderCommands::Get { name } => {
run::provider_get(endpoint, &name, &tls).await?;
}
Expand Down Expand Up @@ -2685,13 +2830,15 @@ async fn main() -> Result<()> {
from_existing,
credentials,
config,
credential_expires_at,
} => {
run::provider_update(
endpoint,
&name,
from_existing,
&credentials,
&config,
&credential_expires_at,
&tls,
)
.await?;
Expand Down Expand Up @@ -3572,6 +3719,155 @@ mod tests {
}
}

#[test]
fn provider_refresh_commands_parse() {
let status = Cli::try_parse_from([
"openshell",
"provider",
"refresh",
"status",
"my-graph",
"--credential-key",
"MS_GRAPH_ACCESS_TOKEN",
])
.expect("provider refresh status should parse");
assert!(matches!(
status.command,
Some(Commands::Provider {
command: Some(ProviderCommands::Refresh(ProviderRefreshCommands::Status {
name,
credential_key: Some(key)
}))
}) if name == "my-graph" && key == "MS_GRAPH_ACCESS_TOKEN"
));

let config = Cli::try_parse_from([
"openshell",
"provider",
"refresh",
"configure",
"my-graph",
"--credential-key",
"MS_GRAPH_ACCESS_TOKEN",
"--strategy",
"oauth2-client-credentials",
"--material",
"tenant_id=abc",
"--secret-material-key",
"client_secret",
"--credential-expires-at",
"1767225600000",
])
.expect("provider refresh configure should parse");
assert!(matches!(
config.command,
Some(Commands::Provider {
command: Some(ProviderCommands::Refresh(
ProviderRefreshCommands::Configure {
strategy: CliProviderRefreshStrategy::Oauth2ClientCredentials,
credential_expires_at: Some(1_767_225_600_000),
..
}
))
})
));

let rotate = Cli::try_parse_from([
"openshell",
"provider",
"refresh",
"rotate",
"my-graph",
"--credential-key",
"MS_GRAPH_ACCESS_TOKEN",
])
.expect("provider refresh rotate should parse");
assert!(matches!(
rotate.command,
Some(Commands::Provider {
command: Some(ProviderCommands::Refresh(ProviderRefreshCommands::Rotate {
name,
credential_key
}))
}) if name == "my-graph" && credential_key == "MS_GRAPH_ACCESS_TOKEN"
));

let delete = Cli::try_parse_from([
"openshell",
"provider",
"refresh",
"delete",
"my-graph",
"--credential-key",
"MS_GRAPH_ACCESS_TOKEN",
])
.expect("provider refresh delete should parse");
assert!(matches!(
delete.command,
Some(Commands::Provider {
command: Some(ProviderCommands::Refresh(ProviderRefreshCommands::Delete {
name,
credential_key
}))
}) if name == "my-graph" && credential_key == "MS_GRAPH_ACCESS_TOKEN"
));
}

#[test]
fn provider_update_accepts_credential_expiry() {
let cli = Cli::try_parse_from([
"openshell",
"provider",
"update",
"my-graph",
"--credential",
"MS_GRAPH_ACCESS_TOKEN=abc",
"--credential-expires-at",
"MS_GRAPH_ACCESS_TOKEN=1767225600000",
])
.expect("provider update should parse credential expiry");

assert!(matches!(
cli.command,
Some(Commands::Provider {
command: Some(ProviderCommands::Update {
credential_expires_at,
..
})
}) if credential_expires_at == vec!["MS_GRAPH_ACCESS_TOKEN=1767225600000"]
));
}

#[test]
fn provider_refresh_config_accepts_rfc3339_credential_expiry() {
let cli = Cli::try_parse_from([
"openshell",
"provider",
"refresh",
"configure",
"my-graph",
"--credential-key",
"MS_GRAPH_ACCESS_TOKEN",
"--strategy",
"oauth2-client-credentials",
"--credential-expires-at",
"2026-01-01T00:00:00Z",
])
.expect("provider refresh configure should parse RFC3339 credential expiry");

assert!(matches!(
cli.command,
Some(Commands::Provider {
command: Some(ProviderCommands::Refresh(
ProviderRefreshCommands::Configure {
credential_expires_at: Some(1_767_225_600_000),
..
}
))
})
));
}

#[test]
fn settings_set_global_parses_yes_flag() {
let cli = Cli::try_parse_from([
Expand Down
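Review bot: In the `Configure` subcommand the refresh material is taken from argv as `--material KEY=VALUE`, and the same invocation names some of those keys as secrets via `--secret-material-key`, so the secret values are visible in the host's process list and are typically recorded in shell history; the pre-existing `--credential KEY=VALUE` on `Update` has the same property, but this is the hunk that explicitly labels values as secret. At minimum the `material` doc comment should state that, e.g. `/// Non-injectable refresh material (KEY=VALUE). Values are visible in the process list and shell history; prefer an environment or file source for keys named with --secret-material-key.` — unless `run::provider_refresh_config` already accepts such a source, which is not visible here. Separately, `Update` forwards `credential_expires_at` to `run::provider_update` as a raw `Vec<String>` while `Configure` validates at parse time through `value_parser = run::parse_credential_expiry_cli_value`, so a malformed `KEY=TIMESTAMP` on `update` is presumably only rejected after the command has started talking to the gateway; a `value_parser` yielding `(String, i64)` would make both paths fail identically and before any network activity. The new parse tests cover only accepted inputs; one case such as `--credential-expires-at not-a-timestamp` asserting `Cli::try_parse_from(...).is_err()` would pin the parser's rejection path. The `main` match and `mod tests` both continue outside these hunks.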