feat(CENG-683): Add logout command to the CLI (#263)

* Add logout command to the CLI

Author: BartoszBlizniak

CHANGELOG.md

@@ -11,6 +11,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 - Added `CLOUDSMITH_NO_KEYRING` environment variable to disable keyring usage globally. Set `CLOUDSMITH_NO_KEYRING=1` to skip system keyring operations.
 - Added `--request-api-key` flag to `cloudsmith auth` command for fully automated, non-interactive API token retrieval. Auto-creates a token if none exists, or auto-rotates (with warning) if one already exists. Compatible with `--save-config` and `CLOUDSMITH_NO_KEYRING`.
+- Added `cloudsmith logout` command to clear stored authentication credentials and SSO tokens.
+  - Clears credentials from `credentials.ini` and SSO tokens from the system keyring
+  - `--keyring-only` to only clear SSO tokens from the system keyring
+  - `--config-only` to only clear credentials from `credentials.ini`
+  - `--dry-run` to preview what would be removed without making changes
+  - Supports `--output-format json` for programmatic usage
 
 ### Deprecation Notices
 

README.md

@@ -47,6 +47,7 @@ The CLI currently supports the following commands (and sub-commands):
   - `packages`:             List packages for a repository. (Aliases `repos list`)
   - `repos`:                List repositories for a namespace (owner).
 - `login`|`token`:        Retrieve your API authentication token/key via login.
+- `logout`:               Clear stored authentication credentials and SSO tokens (Keyring, API key from credential file and emit warning when `$CLOUDSMITH_API_KEY` is still set).
 - `metrics`:              Metrics and statistics for a repository.
   - `tokens`:               Retrieve bandwidth usage for entitlement tokens.
   - `packages`:             Retrieve package usage for repository.

cloudsmith_cli/cli/commands/__init__.py

@@ -12,6 +12,7 @@
     help_,
     list_,
     login,
+    logout,
     mcp,
     metrics,
     move,

cloudsmith_cli/cli/commands/logout.py

@@ -0,0 +1,151 @@
+# Copyright 2026 Cloudsmith Ltd
+"""CLI/Commands - Log out and clear authentication state."""
+
+import os
+
+import click
+import cloudsmith_api
+
+from ...core import keyring
+from .. import decorators, utils
+from ..config import CredentialsReader
+from .main import main
+
+
+def _clear_credentials(dry_run, use_stderr):
+    """Clear credential files. Returns result dict."""
+    creds_files = CredentialsReader.find_existing_files()
+    if not creds_files:
+        click.echo("No credentials file found.", err=use_stderr)
+        return {"action": "not_found", "files": []}
+
+    if not dry_run:
+        for path in creds_files:
+            CredentialsReader.clear_api_key(path)
+
+    verb = "Would remove" if dry_run else "Removed"
+    for path in creds_files:
+        click.echo(
+            f"{verb} credentials from: " + click.style(path, bold=True),
+            err=use_stderr,
+        )
+    action = "would_remove" if dry_run else "removed"
+    return {"action": action, "files": list(creds_files)}
+
+
+def _clear_keyring(api_host, dry_run, use_stderr):
+    """Clear SSO tokens from keyring. Returns result dict."""
+    if not keyring.should_use_keyring():
+        click.secho(
+            "Keyring is disabled (CLOUDSMITH_NO_KEYRING is set).",
+            fg="yellow",
+            err=use_stderr,
+        )
+        return {"action": "disabled"}
+
+    if not keyring.has_sso_tokens(api_host):
+        click.echo("No SSO tokens found in system keyring.", err=use_stderr)
+        return {"action": "not_found"}
+
+    if dry_run:
+        click.echo("Would remove SSO tokens from system keyring.", err=use_stderr)
+        return {"action": "would_remove"}
+
+    deleted = keyring.delete_sso_tokens(api_host)
+    action = "removed" if deleted else "failed"
+    msg = f"{'Removed' if deleted else 'Failed to remove'} SSO tokens from system keyring."
+    click.secho(msg, fg=None if deleted else "red", err=use_stderr)
+    return {"action": action} if deleted else {"action": action, "message": msg}
+
+
+def _env_api_key_status():
+    """Return structured status for the CLOUDSMITH_API_KEY env var."""
+    is_set = bool(os.environ.get("CLOUDSMITH_API_KEY"))
+    return {
+        "is_set": is_set,
+        "action": "unset CLOUDSMITH_API_KEY" if is_set else "none",
+    }
+
+
+def _collect_warnings(keyring_only, config_only):
+    """Collect advisory warnings based on flags and environment."""
+    warnings = []
+    if config_only:
+        warnings.append("SSO tokens were not modified (--config-only).")
+    if keyring_only:
+        warnings.append("credentials.ini was not modified (--keyring-only).")
+    if os.environ.get("CLOUDSMITH_API_KEY"):
+        warnings.append(
+            "CLOUDSMITH_API_KEY is set in your environment. "
+            "Run: unset CLOUDSMITH_API_KEY"
+        )
+    return warnings
+
+
+@main.command()
+@click.option(
+    "--api-host",
+    envvar="CLOUDSMITH_API_HOST",
+    default=None,
+    help="The API host to clear keyring tokens for.",
+)
+@click.option(
+    "--keyring-only",
+    is_flag=True,
+    default=False,
+    help="Only clear SSO tokens from the system keyring.",
+)
+@click.option(
+    "--config-only",
+    is_flag=True,
+    default=False,
+    help="Only clear credentials from credentials.ini.",
+)
+@click.option(
+    "--dry-run",
+    is_flag=True,
+    default=False,
+    help="Show what would be removed without removing anything.",
+)
+@decorators.common_cli_config_options
+@decorators.common_cli_output_options
+@click.pass_context
+def logout(ctx, opts, api_host, keyring_only, config_only, dry_run):
+    """Clear stored authentication credentials and SSO tokens."""
+    if keyring_only and config_only:
+        raise click.UsageError(
+            "--keyring-only and --config-only are mutually exclusive."
+        )
+
+    if api_host is None:
+        api_host = opts.api_host or cloudsmith_api.Configuration().host
+
+    use_stderr = utils.should_use_stderr(opts)
+
+    credential_file = (
+        _clear_credentials(dry_run, use_stderr)
+        if not keyring_only
+        else {"action": "skipped", "files": []}
+    )
+    keyring_result = (
+        _clear_keyring(api_host, dry_run, use_stderr)
+        if not config_only
+        else {"action": "skipped"}
+    )
+    warnings = _collect_warnings(keyring_only, config_only)
+
+    for warning in warnings:
+        click.secho(f"Note: {warning}", fg="yellow", err=use_stderr)
+
+    utils.maybe_print_as_json(
+        opts,
+        {
+            "api_host": api_host,
+            "dry_run": dry_run,
+            "sources": {
+                "credential_file": credential_file,
+                "keyring": keyring_result,
+                "environment_api_key": _env_api_key_status(),
+            },
+        },
+    )

cloudsmith_cli/cli/config.py

@@ -208,6 +208,44 @@ class CredentialsReader(ConfigReader):
     config_searchpath = list(_CFG_SEARCH_PATHS)
     config_section_schemas = [CredentialsSchema.Default, CredentialsSchema.Profile]
 
+    @classmethod
+    def find_existing_files(cls):
+        """Return a list of existing credentials file paths."""
+        paths = []
+        seen = set()
+        for filename in cls.config_files:
+            for searchpath in cls.config_searchpath:
+                path = os.path.join(searchpath, filename)
+                if os.path.exists(path) and path not in seen:
+                    paths.append(path)
+                    seen.add(path)
+        return paths
+
+    @classmethod
+    def _set_api_key(cls, path, api_key=""):
+        """Write api_key value in a credentials file, preserving structure."""
+        with open(path) as f:
+            content = f.read()
+        replacement = rf"\1 = {api_key}" if api_key else r"\1 ="
+        content = re.sub(
+            r"^(api_key)\s*=\s*.*$",
+            replacement,
+            content,
+            flags=re.MULTILINE,
+        )
+        with open(path, "w") as f:
+            f.write(content)
+
+    @classmethod
+    def clear_api_key(cls, path):
+        """Clear api_key values in a credentials file, preserving structure."""
+        cls._set_api_key(path)
+
+    @classmethod
+    def update_api_key(cls, path, api_key):
+        """Update api_key value in an existing credentials file, preserving structure."""
+        cls._set_api_key(path, api_key)
+
 
 class Options:
     """Options object that holds config for the application."""

cloudsmith_cli/cli/tests/commands/test_logout.py

@@ -0,0 +1,147 @@
+import json
+import os
+from unittest.mock import patch
+
+import click.testing
+import pytest
+
+from ...commands.logout import logout
+
+HOST = "https://api.example.com"
+CREDS_PATH = "/home/user/.config/cloudsmith/credentials.ini"
+
+
+@pytest.fixture()
+def runner():
+    return click.testing.CliRunner()
+
+
+@pytest.fixture
+def mock_no_keyring_env():
+    """Ensure CLOUDSMITH_NO_KEYRING and CLOUDSMITH_API_KEY are not set."""
+    env = os.environ.copy()
+    env.pop("CLOUDSMITH_NO_KEYRING", None)
+    env.pop("CLOUDSMITH_API_KEY", None)
+    with patch.dict(os.environ, env, clear=True):
+        yield
+
+
+@pytest.fixture
+def mock_deps(mock_no_keyring_env):
+    """Patch keyring and CredentialsReader with sensible defaults."""
+    with (
+        patch("cloudsmith_cli.cli.commands.logout.keyring") as mk,
+        patch("cloudsmith_cli.cli.commands.logout.CredentialsReader") as mc,
+    ):
+        mc.find_existing_files.return_value = [CREDS_PATH]
+        mk.should_use_keyring.return_value = True
+        mk.has_sso_tokens.return_value = True
+        yield mc, mk
+
+
+class TestLogoutCommand:
+    """Tests for the cloudsmith logout command."""
+
+    def test_full_logout(self, runner, mock_deps):
+        mock_creds, mock_keyring = mock_deps
+
+        result = runner.invoke(logout, ["--api-host", HOST])
+
+        assert result.exit_code == 0
+        mock_creds.clear_api_key.assert_called_once_with(CREDS_PATH)
+        mock_keyring.delete_sso_tokens.assert_called_once_with(HOST)
+        assert "Removed credentials from:" in result.output
+        assert "Removed SSO tokens from system keyring" in result.output
+
+    def test_dry_run(self, runner, mock_deps):
+        mock_creds, mock_keyring = mock_deps
+
+        result = runner.invoke(logout, ["--dry-run", "--api-host", HOST])
+
+        assert result.exit_code == 0
+        mock_creds.clear_api_key.assert_not_called()
+        mock_keyring.delete_sso_tokens.assert_not_called()
+        assert "Would remove" in result.output
+
+    def test_keyring_only_and_config_only_are_mutually_exclusive(self, runner):
+        result = runner.invoke(
+            logout, ["--keyring-only", "--config-only", "--api-host", HOST]
+        )
+
+        assert result.exit_code != 0
+        assert "mutually exclusive" in result.output
+
+    @pytest.mark.parametrize(
+        "flag, skipped_attr, note_fragment",
+        [
+            (
+                "--keyring-only",
+                "find_existing_files",
+                "credentials.ini was not modified",
+            ),
+            ("--config-only", "has_sso_tokens", "SSO tokens were not modified"),
+        ],
+    )
+    def test_scoped_flags(self, runner, mock_deps, flag, skipped_attr, note_fragment):
+        mock_creds, mock_keyring = mock_deps
+
+        result = runner.invoke(logout, [flag, "--api-host", HOST])
+
+        assert result.exit_code == 0
+        # The skipped source should not have been touched
+        target = mock_creds if hasattr(mock_creds, skipped_attr) else mock_keyring
+        getattr(target, skipped_attr).assert_not_called()
+        assert note_fragment in result.output
+
+    @pytest.mark.parametrize(
+        "env, expect_warning",
+        [
+            ({"CLOUDSMITH_API_KEY": "secret"}, True),
+            ({}, False),
+        ],
+    )
+    def test_env_api_key_warning(self, runner, mock_deps, env, expect_warning):
+        with patch.dict(os.environ, env):
+            result = runner.invoke(logout, ["--api-host", HOST])
+
+        assert result.exit_code == 0
+        if expect_warning:
+            assert "unset CLOUDSMITH_API_KEY" in result.output
+        else:
+            assert "unset CLOUDSMITH_API_KEY" not in result.output
+
+    def test_json_output(self, runner, mock_deps):
+        """--output-format json emits structured JSON with expected keys."""
+        _, mock_keyring = mock_deps
+        mock_keyring.delete_sso_tokens.return_value = True
+
+        result = runner.invoke(
+            logout,
+            ["--output-format", "json", "--api-host", HOST],
+            catch_exceptions=False,
+        )
+
+        assert result.exit_code == 0
+        # Human messages go to stderr; extract the JSON line from stdout.
+        json_line = [
+            line for line in result.output.splitlines() if line.startswith("{")
+        ]
+        assert json_line, f"No JSON found in output: {result.output!r}"
+        payload = json.loads(json_line[0])
+        data = payload["data"]
+        assert data["api_host"] == HOST
+        assert "dry_run" in data
+        sources = data["sources"]
+        assert "credential_file" in sources
+        assert "keyring" in sources
+        assert "environment_api_key" in sources
+
+    def test_keyring_delete_failure(self, runner, mock_deps):
+        """When delete_sso_tokens returns False, report failure."""
+        _, mock_keyring = mock_deps
+        mock_keyring.delete_sso_tokens.return_value = False
+
+        result = runner.invoke(logout, ["--api-host", HOST])
+
+        assert result.exit_code == 0
+        assert "Failed to remove SSO tokens" in result.output