Switch to "Trusted Publishers" for deployment to PyPI

See https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers
and https://github.com/marketplace/actions/pypi-publish

.github/workflows/test_and_release.yml

@@ -30,6 +30,15 @@ jobs:
         flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
         # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
         flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+    - name: Build
+      run: |
+        python setup.py sdist
+        python setup.py bdist_wheel
+    - name: Store distribution packages
+      uses: actions/upload-artifact@v3
+      with:
+        name: dist
+        path: dist/
     - name: Tests and coverage
       run: |
         if [ -f requirements-test.txt ]; then pip install -r requirements-test.txt; fi
@@ -46,20 +55,17 @@ jobs:
     needs: build
     if: startsWith(github.ref, 'refs/tags/v')
 
+    environment:
+      name: pypi
+      url: https://pypi.org/p/python-vipacess
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python
-      uses: actions/setup-python@v2
+    - name: Download distribution packages
+      uses: actions/download-artifact@v3
       with:
-        python-version: '3.x'
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install setuptools wheel twine
+        name: dist
+        path: dist/
     - name: Deploy to PyPI
-      env:
-        TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-      run: |
-        python setup.py sdist bdist_wheel
-        twine upload dist/*
+      uses: pypa/gh-action-pypi-publish@release/v1

README.md

@@ -112,6 +112,7 @@ usage: vipaccess provision [-h] [-p | -o DOTFILE] [-t TOKEN_MODEL]
 optional arguments:
   -h, --help            show this help message and exit
   -p, --print           Print the new credential, but don't save it to a file
+  -Q, --qrcode          Show QR code in order to load token into mobile app
   -o DOTFILE, --dotfile DOTFILE
                         File in which to store the new credential (default
                         ~/.vipaccess)

setup.py

@@ -49,5 +49,8 @@
             'vipaccess=vipaccess.__main__:main',
         ],
     },
+    extras_require={
+        "qrcode": ["qrcode"],
+    },
     test_suite='nose2.collector.collector',
 )

vipaccess/__main__.py

@@ -10,6 +10,11 @@
 from vipaccess.version import __version__
 from vipaccess import provision as vp
 
+try:
+    import qrcode
+except ImportError:
+    qrcode = None
+
 EXCL_WRITE = 'x' if sys.version_info>=(3,3) else 'wx'
 TOKEN_MODEL_REFERENCE_PAGE = 'https://support.symantec.com/us/en/article.tech239895.html'
 
@@ -79,8 +84,10 @@ def provision(p, args):
                 "    The offset would be 'baked in' to the newly-created token.\n"
                 "    Fix system time and try again." % otp_token['timeskew'])
 
+    otp_uri = vp.generate_otp_uri(otp_token, otp_secret, args.issuer)
+
+    error = None
     if args.print:
-        otp_uri = vp.generate_otp_uri(otp_token, otp_secret, args.issuer)
         print('Credential created successfully:\n\t' + otp_uri)
         print("This credential expires on this date: " + otp_token['expiry'])
         print('\nYou will need the ID to register this credential: ' + otp_token['id'])
@@ -105,7 +112,16 @@ def provision(p, args):
         print('Credential created and saved successfully: ' + dotfile.name)
         print('You will need the ID to register this credential: ' + otp_token['id'])
     else:
-        p.error('Cannot currently save a token of this type (try -p to print)')
+        error = 'Cannot currently save a token of this type (try -p to print)'
+
+    if args.qrcode:
+        qr = qrcode.QRCode(error_correction=qrcode.constants.ERROR_CORRECT_L)
+        qr.add_data(otp_uri)
+        print('\nQR code to load this credential into a mobile authenticator app:', end='')
+        qr.print_ascii()
+
+    if error:
+        p.error()
 
 def check(p, args):
     if args.secret:
@@ -171,6 +187,12 @@ def uri(p, args):
         print('Token URI:\n    ', file=sys.stderr, end='')
     print(vp.generate_otp_uri(d, key, args.issuer))
 
+    if args.qrcode:
+        qr = qrcode.QRCode(error_correction=qrcode.constants.ERROR_CORRECT_L)
+        qr.add_data(otp_uri)
+        print('\nQR code to load this credential into a mobile authenticator app:', end='')
+        qr.print_ascii()
+
 def show(p, args):
     if args.secret:
         secret = args.secret
@@ -209,8 +231,12 @@ def __call__(self, parser, namespace, values, option_string=None):
     pprov = sp.add_parser('provision', help='Provision a new VIP Access credential')
     pprov.set_defaults(func=provision)
     m = pprov.add_mutually_exclusive_group()
+    g = m.add_argument_group()
     m.add_argument('-p', '--print', action=UnsetDotfileAndStore, nargs=0,
                    help="Print the new credential, but don't save it to a file")
+    if qrcode:
+        pprov.add_argument('-Q', '--qrcode', action='store_true',
+                           help="Show QR code in order to load token into mobile app")
     m.add_argument('-o', '--dotfile', type=PathType(type='file', exists=False), default=os.path.expanduser('~/.vipaccess'),
                    help="File in which to store the new credential (default ~/.vipaccess)")
     pprov.add_argument('-i', '--issuer', default="VIP Access", action='store',
@@ -250,6 +276,9 @@ def __call__(self, parser, namespace, values, option_string=None):
                        help="Specify the issuer name to use (default: Symantec)")
     puri.add_argument('-I', '--identity', action='store',
                        help="Specify the ID of the token to use (required with --secret))")
+    if qrcode:
+        puri.add_argument('-Q', '--qrcode', action='store_true',
+                          help="Show QR code in order to load token into mobile app")
     puri.add_argument('-v', '--verbose', action='store_true')
     puri.set_defaults(func=uri)