Metadata-Version: 2.4
Name: cadmould-sdk-auth
Version: 0.1.0
Summary: Login CLI for the cadmould Python SDK — authenticates with your Simcon account and configures pip to install cadmould from the licensed private package index.
Project-URL: Homepage, https://github.com/Simcon-Software/cadmould-sdk-auth
Author: SIMCON kunststofftechnische Software GmbH
License-Expression: Apache-2.0
License-File: LICENSE
License-File: NOTICE
Keywords: authentication,cadmould,cli,codeartifact,pip
Classifier: Environment :: Console
Classifier: Programming Language :: Python :: 3
Requires-Python: >=3.9
Requires-Dist: boto3>=1.34
Provides-Extra: test
Requires-Dist: pytest>=7; extra == 'test'
Description-Content-Type: text/markdown

# cadmould-sdk-auth

Login CLI for the **cadmould** Python SDK. It signs you in with your Simcon account
and configures `pip` so you can install `cadmould` from Simcon's licensed private
package index — no AWS account or AWS CLI required.

## Who can sign in

Sign-in is currently limited to **Simcon staff** — a Simcon Auth0 account on the
`simcon.com` domain. External-customer access (role/entitlement-based) is **not enabled
yet**; it's a later phase. If your sign-in succeeds in the browser but the tool then
reports access denied, your account isn't authorized for the cadmould package index —
contact Simcon support.

## Install

```bash
pipx install cadmould-sdk-auth      # recommended (isolated)
# or: pip install cadmould-sdk-auth
```

## Use

```bash
# activate the virtualenv you want cadmould installed into, then:
cadmould-sdk-auth
pip install cadmould
```

`cadmould-sdk-auth` opens your browser to sign in. On success it writes an
authenticated index URL into the **active virtualenv's** pip config
(`$VIRTUAL_ENV/pip.conf`, or `%VIRTUAL_ENV%\pip.ini` on Windows), so the next
`pip install cadmould` pulls from the private index.

No virtualenv active? Use `--print-index-url` to get the URL and configure pip
yourself, or `--scope user` to write pip's per-user config instead.

**Sign out / manage:**

- `cadmould-sdk-auth --logout` — removes the cadmould index-url entry again (no network
  call), restoring a previous index-url if this tool had replaced one. Exits `3` if the
  current index-url wasn't set by this tool (it's left untouched). It removes the cadmould
  index-url regardless of which `--channel` configured it (pip keeps only one index-url
  per scope), so `--channel` has no effect on `--logout`.
- `--scope user` — applies to the per-user pip config instead of the active venv (works with both the default action and `--logout`).
- `--channel customer|staging` — which distribution channel to authenticate for. Defaults to
  `customer` (the public index). `staging` is an **internal** pre-release channel for Simcon
  staff (gated by Simcon SSO via Entra) and isn't available to external customers.
  **To switch channels, just re-run** with the one you want — it overwrites the active venv's
  single index-url (pip keeps one per scope). For example, switch to staging with
  `cadmould-sdk-auth --channel staging` then `pip install cadmould`, and switch back with
  `cadmould-sdk-auth` (the default `customer` channel).

> Note: writing pip config rewrites the file via `RawConfigParser`, which **drops any
> comments** the file previously contained (settings are preserved). The written file is
> restricted to your user (`0600`; on Windows file modes don't apply — the file gets
> your profile's default ACLs) since it embeds a short-lived token. If you already have
> a custom `index-url`, the tool replaces it and warns you, and `--logout` only removes an
> entry it set (a foreign one is left untouched).
> **Headless / remote machines:** sign-in uses a browser redirect to a loopback address on
> the machine running the CLI, so it won't complete over plain SSH (no local browser) or in
> CI. Run it on a workstation with a browser, or forward the loopback port. (A device-code
> flow is a possible future addition if this is a common need.)

## How it works

1. **PKCE login** to Simcon's identity provider (loopback redirect; opens your browser).
2. The resulting token is exchanged via **AWS STS** for short-lived, read-only
   credentials to the private package repository.
3. Those mint a **CodeArtifact authorization token**, embedded in the pip index URL.

The token is short-lived; re-run `cadmould-sdk-auth` when it expires. The tool only
ever obtains **read** access to the cadmould package index.

**If a long install fails with `401 Unauthorized`:** pip does **not** re-authenticate
mid-install, so if the token expires while a large download is in progress, the
install fails. Re-run `cadmould-sdk-auth` to get a fresh token, then restart the
`pip install` (already-downloaded wheels are cached, so the retry is fast).

## License

[Apache License 2.0](LICENSE). (The cadmould SDK itself is proprietary, licensed
software — this tool only handles sign-in and pip configuration.)
