From a42f2e1e64ca82ea30a4ce217c6e22f6bae3973c Mon Sep 17 00:00:00 2001
From: Claude Sonnet 4.6
Date: Wed, 3 Jun 2026 00:00:00 +0000
Subject: wsgi: add create-test-oauth2-client command

Add create-test-oauth2-client which reads the users-file produced by create-test-users to find the client owner, auto-generates the client name with the session timestamp, and delegates to __create_one_client__.
---
gn_auth/wsgi.py | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
(limited to 'gn_auth')
diff --git a/gn_auth/wsgi.py b/gn_auth/wsgi.py
index 0feb69a..7fa544c 100644
--- a/gn_auth/wsgi.py
+++ b/gn_auth/wsgi.py
@@ -387,6 +387,52 @@ def create_oauth2_client(client_name, owner_id, redirect_uris, scopes,
 __write_output__({"client": record}, output_path)
+
+@app.cli.command()
+@click.option("--session-timestamp", required=True,
+ help="Compact ISO 8601 UTC timestamp (e.g. 20260602T122700Z)")
+@click.option("--users-file", required=True, type=click.Path(exists=True),
+ help="Credentials file produced by create-test-users")
+@click.option("--owner-role", default="system-admin", show_default=True,
+ help="Role of the user in users-file to assign as client owner")
+@click.option("--output", "output_path", required=True, type=click.Path(),
+ help="Write credentials as JSON to this file (0600 permissions)")
+def create_test_oauth2_client(session_timestamp, users_file, owner_role,
+ output_path):
+ """Create an ephemeral OAuth2 client for a test session.
+
+ Reads the credentials file produced by create-test-users to find the
+ owner. Client name and secret are auto-generated using the session
+ timestamp. Output is written with 0600 permissions.
+ """
+ with open(users_file) as f:
+ users_data = json.load(f)
+
+ owner_record = next(
+ (u for u in users_data.get("users", []) if u["role"] == owner_role),
+ None)
+ if owner_record is None:
+ print(
+ f"No user with role {owner_role!r} found in {users_file}",
+ file=sys.stderr)
+ sys.exit(1)
+
+ client_name = f"gn-test-client-{session_timestamp}"
+
+ with db.connection(app.config["AUTH_DB"]) as conn:
+ try:
+ owner = user_by_id(conn, uuid.UUID(owner_record["user_id"]))
+ except NotFoundError:
+ print(
+ f"Owner user {owner_record['user_id']!r} not found in DB",
+ file=sys.stderr)
+ sys.exit(1)
+ record = __create_one_client__(conn, client_name, owner, tuple())
+
+ __write_output__(
+ {"session_timestamp": session_timestamp, "client": record},
+ output_path)
+
 ##### END: CLI Commands #####
 if __name__ == '__main__':
-- 
cgit 1.4.1
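Review bot: The owner lookup in `create_test_oauth2_client` trusts the shape of the users file: `u["role"]`, `owner_record["user_id"]` and `uuid.UUID(...)` can raise `KeyError` or `ValueError`, and only `NotFoundError` is caught. A truncated or hand-edited file therefore ends in a traceback rather than the exit-1 message the function prints for its other failures. Matching with `u.get("role")` and parsing the id before the connection is opened keeps malformed input on that same error path. Separately, `--owner-role` is compared only with the label stored in the file; `user_by_id` confirms the user exists, but nothing visible in this hunk checks that the user holds that role in the database, which is worth confirming given the `system-admin` default. The docstring's 0600 claim rests on `__write_output__`, which lies outside the hunk.

```python
    # … unchanged: users_file is opened and parsed with json.load …
    owner_record = next(
        (u for u in users_data.get("users", [])
         if u.get("role") == owner_role),
        None)
    # … unchanged: exit 1 when no user has owner_role …
    try:
        owner_id = uuid.UUID(owner_record["user_id"])
    except (KeyError, ValueError):
        print(
            f"Malformed user_id for role {owner_role!r} in {users_file}",
            file=sys.stderr)
        sys.exit(1)
    # … unchanged: client_name, db.connection(...) and the NotFoundError handler …
            owner = user_by_id(conn, owner_id)
```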