nexus/scripts/create-api-key.py at develop · nexi-lab/nexus · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#!/usr/bin/env python3
"""Create API keys for Nexus users.

Usage:
    python create-api-key.py alice "Alice's laptop" --admin
    python create-api-key.py bob "Bob's server" --days 90
"""

import argparse
import os
import sys
from datetime import UTC, datetime, timedelta

# Add parent directory to path for imports
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "src"))

from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker

from nexus.bricks.auth.providers.database_key import DatabaseAPIKeyAuth
from nexus.bricks.rebac.entity_registry import EntityRegistry


def main() -> None:
    parser = argparse.ArgumentParser(description="Create Nexus API key")
    parser.add_argument("user_id", help="User ID (e.g., alice, bob)")
    parser.add_argument("name", help="Key name (e.g., 'Alice laptop')")
    parser.add_argument("--admin", action="store_true", help="Grant admin privileges")
    parser.add_argument("--days", type=int, help="Expiry in days (optional)")
    parser.add_argument("--zone-id", default="default", help="Zone ID (default: default)")

    args = parser.parse_args()

    # Get database URL from environment
    database_url = os.getenv("NEXUS_DATABASE_URL")
    if not database_url:
        print("Error: NEXUS_DATABASE_URL environment variable not set")
        print("Example: export NEXUS_DATABASE_URL='postgresql://nexus:password@localhost/nexus'")
        sys.exit(1)

    # Create engine and session
    engine = create_engine(database_url)
    SessionFactory = sessionmaker(bind=engine)

    # Calculate expiry if specified
    expires_at = None
    if args.days:
        expires_at = datetime.now(UTC) + timedelta(days=args.days)

    # Register user in entity registry (for agent permission inheritance)
    class _SessionFactoryWrapper:
        def __init__(self, sf):
            self.session_factory = sf

    entity_registry = EntityRegistry(_SessionFactoryWrapper(SessionFactory))
    entity_registry.register_entity(
        entity_type="user",
        entity_id=args.user_id,
        parent_type="zone",
        parent_id=args.zone_id,
    )

    # Create API key
    with SessionFactory() as session:
        try:
            key_id, raw_key = DatabaseAPIKeyAuth.create_key(
                session,
                user_id=args.user_id,
                name=args.name,
                zone_id=args.zone_id,
                is_admin=args.admin,
                expires_at=expires_at,
            )
            session.commit()

            print(f"✓ Created API key for user '{args.user_id}'")
            print(f"  Name: {args.name}")
            print(f"  Admin: {args.admin}")
            if expires_at:
                print(f"  Expires: {expires_at.strftime('%Y-%m-%d')}")
            else:
                print("  Expires: Never")
            print()
            print("IMPORTANT: Save this key - it will not be shown again!")
            print()
            print(f"  API Key: {raw_key}")
            print()
            print("Use with:")
            print(f"  export NEXUS_API_KEY='{raw_key}'")
            print("  nexus ls /workspace --remote-url http://localhost:2026")

        except Exception as e:
            print(f"Error creating API key: {e}")
            sys.exit(1)


if __name__ == "__main__":
    main()