feat: extend commands coverage & add request wait for approval (#2)

Author: MatteoManzoni

Formula/team-cli.rb

@@ -4,7 +4,7 @@ class TeamCli < Formula
   desc "CLI for AWS TEAM (Temporary Elevated Access Management)"
   homepage "https://github.com/DocPlanner/team-cli"
   url "https://github.com/DocPlanner/team-cli.git", branch: "main"
-  version "0.1.0"
+  version "0.2.0"
 
 
   depends_on "python@3.11"

README.md

@@ -106,21 +106,31 @@ team request --account my-account --role ReadOnly --duration 2 --justification "
 | `--justification`, `-j` | Business justification (required) |
 | `--ticket`, `-t` | Ticket number |
 | `--start`, `-s` | Start time in ISO format (default: now) |
+| `--wait`, `-w` | Wait for request to reach a terminal state (for scripting) |
+| `--wait-timeout` | Max seconds to wait (default: 600) |
 
 In interactive mode, you can select multiple accounts and reuse the same justification across them.
 
+The `--wait` flag blocks until the request is approved, rejected, or otherwise resolved. Exit code 0 for approved/in-progress, 1 for rejected/error, 2 for timeout. When piped, outputs final request state as JSON.
+
 ### Check request status
 
 ```bash
 team requests            # list all your requests
 team status <request-id> # detailed view of a single request
+team pending             # list requests awaiting your approval
 ```
 
-### Approve requests
+### Approve, reject, revoke, cancel
 
 ```bash
-team approve <request-id>
-team approve <request-id> --comment "Looks good"
+team approve <request-id>                    # approve pending request
+team approve <request-id> --comment "LGTM"   # with comment
+team reject <request-id>                     # reject pending request
+team reject <request-id> -c "Not justified"  # with reason
+team revoke <request-id>                     # revoke active session
+team revoke <request-id> -c "Security event" # with reason
+team cancel <request-id>                     # cancel own pending request
 ```
 
 ### Audit elevation requests

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "team-cli"
-version = "0.1.0"
+version = "0.2.0"
 description = "CLI for AWS TEAM (Temporary Elevated Access Management)"
 requires-python = ">=3.11"
 dependencies = [

team_cli/__init__.py

@@ -1,2 +1,2 @@
 """CLI for AWS TEAM (Temporary Elevated Access Management)."""
-__version__ = "0.1.0"
+__version__ = "0.2.0"

team_cli/api.py

@@ -140,6 +140,26 @@ def get_requests_by_email(email: str, tokens: dict, status: dict | None = None)
     return items
 
 
+def get_requests_by_approver(approver_id: str, tokens: dict, status: dict | None = None) -> list:
+    """Fetch requests assigned to an approver, with optional status filter. Paginates automatically."""
+    from team_cli.queries import REQUEST_BY_APPROVER_AND_STATUS
+    items = []
+    next_token = None
+    while True:
+        variables = {"approverId": approver_id, "limit": 50}
+        if status:
+            variables["status"] = status
+        if next_token:
+            variables["nextToken"] = next_token
+        data = execute(REQUEST_BY_APPROVER_AND_STATUS, variables, tokens)
+        result = data.get("requestByApproverAndStatus", {})
+        items.extend(result.get("items", []))
+        next_token = result.get("nextToken")
+        if not next_token:
+            break
+    return items
+
+
 def get_request(request_id: str, tokens: dict) -> dict:
     """Fetch a single request by ID."""
     from team_cli.queries import GET_REQUESTS

team_cli/cli.py

@@ -6,9 +6,9 @@
 
 from team_cli.auth import require_auth, get_user_info, login as auth_login, get_valid_tokens, clear_tokens
 from team_cli.api import (
-    get_user_policy, get_requests_by_email, get_request,
-    create_request, update_request, validate_request, get_settings,
-    AuthExpiredError,
+    get_user_policy, get_requests_by_email, get_requests_by_approver,
+    get_request, create_request, update_request, validate_request,
+    get_settings, AuthExpiredError,
 )
 from team_cli.config import CONFIG_FILE, load_config, save_config, get_config
 from team_cli.interactive import (
@@ -194,6 +194,40 @@ def _get_permissions_for_account(account_id: str, policy: list[dict]) -> list[di
     return list(perms.values())
 
 
+def _poll_request(request_id: str, tokens: dict, timeout: int = 600, interval: int = 5) -> dict:
+    """Poll a request until it reaches a terminal state or timeout."""
+    import time as _time
+
+    terminal = {"approved", "rejected", "cancelled", "expired", "error",
+                "in progress", "ended", "revoked"}
+    status = "pending"
+    elapsed = 0
+
+    while elapsed < timeout:
+        req = get_request(request_id, tokens)
+        status = (req.get("status") or "").lower()
+        if status in terminal:
+            print(file=sys.stderr)  # clear the progress line
+            return req
+        remaining = timeout - elapsed
+        print(f"\r⏳ Waiting for approval... {remaining}s remaining  ",
+              end="", file=sys.stderr, flush=True)
+        _time.sleep(interval)
+        elapsed += interval
+        # Refresh tokens in case they expire during long waits
+        try:
+            refreshed = get_valid_tokens()
+            if refreshed:
+                tokens.update(refreshed)
+        except Exception:
+            pass
+
+    print(file=sys.stderr)
+    print(f"Timed out after {timeout}s. Request {request_id} still {status}.",
+          file=sys.stderr)
+    sys.exit(2)
+
+
 def _request_flag_mode(args, tokens, user, policy, all_accounts, max_duration):
     """Handle request creation via CLI flags."""
     account = _find_account(args.account, all_accounts)
@@ -234,7 +268,26 @@ def _request_flag_mode(args, tokens, user, policy, all_accounts, max_duration):
     ticket = args.ticket or ""
     start_time = args.start or datetime.now(timezone.utc).isoformat()
 
-    _submit_request(tokens, user, account, role, duration, start_time, justification, ticket)
+    result = _submit_request(tokens, user, account, role, duration, start_time, justification, ticket)
+
+    if args.wait and result and result.get("id"):
+        _wait_for_request(result["id"], tokens, args.wait_timeout)
+
+
+def _wait_for_request(request_id: str, tokens: dict, timeout: int):
+    """Wait for a request and output final state."""
+    final = _poll_request(request_id, tokens, timeout=timeout)
+    status = (final.get("status") or "").lower()
+
+    if not sys.stdout.isatty():
+        import json as json_mod
+        print(json_mod.dumps(final, indent=2))
+    else:
+        print(format_request_detail(final))
+
+    success = {"approved", "in progress"}
+    if status not in success:
+        sys.exit(1)
 
 
 def _request_interactive_mode(tokens, user, policy, all_accounts, max_duration, args):
@@ -274,6 +327,7 @@ def _request_interactive_mode(tokens, user, policy, all_accounts, max_duration,
 
     print(f"\nCreating {len(selected_accounts)} request(s)...")
 
+    results = []
     for i, acct in enumerate(selected_accounts):
         if prev_justification is None:
             # First account or user wants different justification
@@ -299,7 +353,16 @@ def _request_interactive_mode(tokens, user, policy, all_accounts, max_duration,
             prev_justification = justification
             prev_ticket = ticket
 
-        _submit_request(tokens, user, acct, role, duration, start_time, justification, ticket)
+        result = _submit_request(tokens, user, acct, role, duration, start_time, justification, ticket)
+        if result:
+            results.append(result)
+
+    if args.wait and results:
+        if len(results) == 1:
+            _wait_for_request(results[0]["id"], tokens, args.wait_timeout)
+        else:
+            print("\n--wait is only supported for single-account requests. "
+                  "Use `team status <id>` to check individual requests.", file=sys.stderr)
 
 
 def _submit_request(tokens, user, account, role, duration, start_time, justification, ticket):
@@ -311,7 +374,7 @@ def _submit_request(tokens, user, account, role, duration, start_time, justifica
         )
         if not validation.get("valid"):
             print(f"  ✗ {account['name']} → denied: {validation.get('reason', 'unknown')}")
-            return
+            return None
     except Exception as e:
         print(f"  ⚠ {account['name']} → validation failed: {e}")
         # Continue anyway — server-side validation will catch issues
@@ -331,8 +394,10 @@ def _submit_request(tokens, user, account, role, duration, start_time, justifica
         req_id = result.get("id", "unknown")
         status = result.get("status", "pending")
         print(f"  ✓ {account['name']} → {status} (id: {req_id})")
+        return result
     except Exception as e:
         print(f"  ✗ {account['name']} → failed: {e}")
+        return None
 
 
 def cmd_requests(args):
@@ -390,6 +455,105 @@ def cmd_approve(args):
     print(f"✓ Request {args.request_id} approved")
 
 
+def cmd_reject(args):
+    """team reject — reject a pending request."""
+    tokens = _ensure_tokens()
+    user = get_user_info(tokens)
+
+    with with_spinner("Fetching request..."):
+        req = get_request(args.request_id, tokens)
+
+    if not req:
+        print(f"Request not found: {args.request_id}", file=sys.stderr)
+        sys.exit(1)
+
+    if req.get("status", "").lower() != "pending":
+        print(f"Request is not pending (status: {req.get('status')})", file=sys.stderr)
+        sys.exit(1)
+
+    print(f"Rejecting request from {req.get('email', '')} for {req.get('accountName', '')} / {req.get('role', '')}")
+
+    update_request({
+        "id": args.request_id,
+        "status": "rejected",
+        "approver": user["email"],
+        "approverId": user["user_id"],
+        "comment": args.comment or "",
+    }, tokens)
+
+    print(f"✓ Request {args.request_id} rejected")
+
+
+def cmd_revoke(args):
+    """team revoke — revoke an active/approved request."""
+    tokens = _ensure_tokens()
+
+    with with_spinner("Fetching request..."):
+        req = get_request(args.request_id, tokens)
+
+    if not req:
+        print(f"Request not found: {args.request_id}", file=sys.stderr)
+        sys.exit(1)
+
+    revocable = {"approved", "scheduled", "in progress"}
+    current = req.get("status", "").lower()
+    if current not in revocable:
+        print(f"Request cannot be revoked (status: {req.get('status')}). "
+              f"Revocable statuses: {', '.join(sorted(revocable))}", file=sys.stderr)
+        sys.exit(1)
+
+    print(f"Revoking request from {req.get('email', '')} for {req.get('accountName', '')} / {req.get('role', '')}")
+
+    update_request({
+        "id": args.request_id,
+        "status": "revoked",
+        "revokeComment": args.comment or "",
+    }, tokens)
+
+    print(f"✓ Request {args.request_id} revoked")
+
+
+def cmd_cancel(args):
+    """team cancel — cancel own pending request."""
+    tokens = _ensure_tokens()
+    user = get_user_info(tokens)
+
+    with with_spinner("Fetching request..."):
+        req = get_request(args.request_id, tokens)
+
+    if not req:
+        print(f"Request not found: {args.request_id}", file=sys.stderr)
+        sys.exit(1)
+
+    if req.get("status", "").lower() != "pending":
+        print(f"Request is not pending (status: {req.get('status')})", file=sys.stderr)
+        sys.exit(1)
+
+    if req.get("email", "").lower() != user["email"].lower():
+        print(f"Cannot cancel another user's request (owner: {req.get('email')})", file=sys.stderr)
+        sys.exit(1)
+
+    print(f"Cancelling request for {req.get('accountName', '')} / {req.get('role', '')}")
+
+    update_request({
+        "id": args.request_id,
+        "status": "cancelled",
+    }, tokens)
+
+    print(f"✓ Request {args.request_id} cancelled")
+
+
+def cmd_pending(args):
+    """team pending — list requests awaiting my approval."""
+    tokens = _ensure_tokens()
+    user = get_user_info(tokens)
+
+    with with_spinner("Fetching pending requests..."):
+        reqs = get_requests_by_approver(user["user_id"], tokens, status={"eq": "pending"})
+
+    print(format_request_table(reqs))
+
+
 def cmd_sync(args):
     """team sync — add missing accounts to ~/.aws/config."""
     config = get_config()
@@ -612,6 +776,10 @@ def build_parser() -> argparse.ArgumentParser:
     req_parser.add_argument("--justification", "-j", help="Business justification")
     req_parser.add_argument("--ticket", "-t", help="Ticket number")
     req_parser.add_argument("--start", "-s", help="Start time (ISO format, default: now)")
+    req_parser.add_argument("--wait", "-w", action="store_true",
+                            help="Wait for request to reach a terminal state")
+    req_parser.add_argument("--wait-timeout", type=int, default=600,
+                            help="Max seconds to wait (default: 600)")
 
     # requests
     sub.add_parser("requests", help="List my requests")
@@ -625,6 +793,23 @@ def build_parser() -> argparse.ArgumentParser:
     approve_parser.add_argument("request_id", help="Request ID")
     approve_parser.add_argument("--comment", "-c", help="Approval comment")
 
+    # reject
+    reject_parser = sub.add_parser("reject", help="Reject a pending request")
+    reject_parser.add_argument("request_id", help="Request ID")
+    reject_parser.add_argument("--comment", "-c", help="Rejection reason")
+
+    # revoke
+    revoke_parser = sub.add_parser("revoke", help="Revoke an active/approved request")
+    revoke_parser.add_argument("request_id", help="Request ID")
+    revoke_parser.add_argument("--comment", "-c", help="Revoke reason")
+
+    # cancel
+    cancel_parser = sub.add_parser("cancel", help="Cancel own pending request")
+    cancel_parser.add_argument("request_id", help="Request ID")
+
+    # pending
+    sub.add_parser("pending", help="List requests awaiting my approval")
+
     # audit
     audit_parser = sub.add_parser("audit", help="Audit elevation requests with CloudTrail events")
     audit_parser.add_argument("--actor", help="Filter by requester email")
@@ -657,6 +842,10 @@ def build_parser() -> argparse.ArgumentParser:
     "requests": cmd_requests,
     "status": cmd_status,
     "approve": cmd_approve,
+    "reject": cmd_reject,
+    "revoke": cmd_revoke,
+    "cancel": cmd_cancel,
+    "pending": cmd_pending,
     "audit": cmd_audit,
     "sync": cmd_sync,
     "configure": cmd_configure,

team_cli/interactive.py

@@ -158,6 +158,9 @@ def format_request_table(requests_list: list[dict]) -> str:
         "approved": "✅",
         "rejected": "❌",
         "revoked": "🔄",
+        "cancelled": "🚫",
+        "in progress": "⏩",
+        "scheduled": "📅",
         "ended": "⏹",
         "expired": "💤",
     }
@@ -184,7 +187,8 @@ def format_request_detail(r: dict) -> str:
     """Format a single request as detailed view."""
     status_icon = {
         "pending": "⏳", "approved": "✅", "rejected": "❌",
-        "revoked": "🔄", "ended": "⏹", "expired": "💤",
+        "revoked": "🔄", "cancelled": "🚫", "in progress": "⏩",
+        "scheduled": "📅", "ended": "⏹", "expired": "💤",
     }
     status = r.get("status", "unknown")
     icon = status_icon.get(status.lower(), "?")
@@ -206,6 +210,10 @@ def format_request_detail(r: dict) -> str:
         lines.append(f"Approver: {r.get('approver', '')}")
     if r.get("comment"):
         lines.append(f"Comment: {r.get('comment', '')}")
+    if r.get("revoker"):
+        lines.append(f"Revoker: {r.get('revoker', '')}")
+    if r.get("revokeComment"):
+        lines.append(f"Revoke reason: {r.get('revokeComment', '')}")
 
     lines.append(f"Created: {r.get('createdAt', '')}")
     lines.append(f"Updated: {r.get('updatedAt', '')}")