opencode-cloud 25.1.3

CLI for managing opencode as a persistent cloud service
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231

//! User add subcommand
//!
//! Creates a new user in the container with a password.

use crate::passwords::{generate_random_password, print_generated_password};
use anyhow::{Result, bail};
use clap::Args;
use console::style;
use dialoguer::{Input, Password};
use opencode_cloud_core::docker::{
    CONTAINER_NAME, DockerClient, create_user, persist_user, set_user_password, user_exists,
};
use opencode_cloud_core::{load_config_or_default, save_config};

/// Arguments for the user add command
#[derive(Args)]
#[command(
    after_help = "Tip: Press Enter at the password prompt to auto-generate and display a secure password, or use --generate (-g) for non-interactive use."
)]
pub struct UserAddArgs {
    /// Username to create (default: admin if not provided)
    pub username: Option<String>,

    /// Generate a random secure password instead of prompting
    #[arg(long, short)]
    pub generate: bool,

    /// Print only the generated password for scripting
    #[arg(long)]
    pub print_password_only: bool,
}

/// Validate username according to rules
/// - Non-empty
/// - 3-32 characters
/// - Alphanumeric + underscore only
fn validate_username(username: &str) -> Result<(), String> {
    if username.is_empty() {
        return Err("Username cannot be empty".to_string());
    }
    if username.len() < 3 {
        return Err("Username must be at least 3 characters".to_string());
    }
    if username.len() > 32 {
        return Err("Username must be at most 32 characters".to_string());
    }
    if !username.chars().all(|c| c.is_alphanumeric() || c == '_') {
        return Err("Username must contain only letters, numbers, and underscores".to_string());
    }
    Ok(())
}

/// Add a new user to the container
pub async fn cmd_user_add(
    client: &DockerClient,
    args: &UserAddArgs,
    quiet: bool,
    _verbose: u8,
) -> Result<()> {
    if args.print_password_only && !args.generate {
        bail!("--print-password-only requires --generate");
    }

    // Get username - prompt if not provided
    let username = if let Some(ref name) = args.username {
        validate_username(name).map_err(|e| anyhow::anyhow!("{e}"))?;
        name.clone()
    } else {
        Input::new()
            .with_prompt("Username")
            .default("admin".to_string())
            .validate_with(|input: &String| validate_username(input))
            .interact_text()?
    };

    // Check if user already exists
    if user_exists(client, CONTAINER_NAME, &username).await? {
        bail!("User '{username}' already exists in the container");
    }

    // Get password
    let mut generated = args.generate;
    let password = if args.generate {
        generate_random_password()
    } else {
        // Explain what password is being requested to avoid confusion with sudo
        if !quiet {
            println!();
            println!(
                "{}",
                style("Set a password for the new container user.").dim()
            );
            println!(
                "{}",
                style("This will be used for opencode web login.").dim()
            );
            println!(
                "{}",
                style(
                    "Authentication is handled by the system via PAM - we don't store passwords."
                )
                .dim()
            );
            println!(
                "  {} Use {} to auto-generate a secure password.",
                style("Tip:").cyan(),
                style("--generate (-g)").bold()
            );
            println!(
                "  {} Press Enter to auto-generate and display a secure password.",
                style("Tip:").cyan()
            );
        }
        loop {
            let pwd = Password::new()
                .with_prompt("Password")
                .allow_empty_password(true)
                .interact()?;

            if pwd.is_empty() {
                generated = true;
                break generate_random_password();
            }

            let confirm = Password::new().with_prompt("Confirm password").interact()?;
            if pwd != confirm {
                eprintln!("{}", style("Passwords do not match").red());
                continue;
            }

            break pwd;
        }
    };

    // Create the user
    create_user(client, CONTAINER_NAME, &username).await?;

    // Set password
    set_user_password(client, CONTAINER_NAME, &username, &password).await?;

    // Persist user credentials for rebuild/update restores
    persist_user(client, CONTAINER_NAME, &username).await?;

    // Update config - add username to users array
    let mut config = load_config_or_default()?;
    if !config.users.contains(&username) {
        config.users.push(username.clone());
        save_config(&config)?;
    }

    if args.print_password_only {
        println!("{password}");
        return Ok(());
    }

    // Display success
    if !quiet {
        println!(
            "{} User '{}' created successfully",
            style("Success:").green().bold(),
            username
        );

        if generated {
            print_generated_password(
                &password,
                "Save this password securely - it won't be shown again.",
            );
        }
    }

    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_validate_username_valid() {
        assert!(validate_username("admin").is_ok());
        assert!(validate_username("user_123").is_ok());
        assert!(validate_username("ABC").is_ok());
        assert!(validate_username("opencode").is_ok());
    }

    #[test]
    fn test_validate_username_empty() {
        assert!(validate_username("").is_err());
    }

    #[test]
    fn test_validate_username_too_short() {
        assert!(validate_username("ab").is_err());
    }

    #[test]
    fn test_validate_username_too_long() {
        let long = "a".repeat(33);
        assert!(validate_username(&long).is_err());
    }

    #[test]
    fn test_validate_username_invalid_chars() {
        assert!(validate_username("user@name").is_err());
        assert!(validate_username("user-name").is_err());
        assert!(validate_username("user name").is_err());
    }

    #[test]
    fn test_generate_random_password_length() {
        let password = generate_random_password();
        assert_eq!(password.len(), crate::passwords::password_length());
    }

    #[test]
    fn test_generate_random_password_alphanumeric() {
        let password = generate_random_password();
        assert!(password.chars().all(|c| c.is_alphanumeric()));
    }

    #[test]
    fn test_generate_random_password_uniqueness() {
        let p1 = generate_random_password();
        let p2 = generate_random_password();
        let p3 = generate_random_password();
        assert_ne!(p1, p2);
        assert_ne!(p2, p3);
        assert_ne!(p1, p3);
    }
}