remove --no-keyring flag, stick with env variable instead

Author: BartoszBlizniak

CHANGELOG.md

@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ### Added
 
-- Added `--no-keyring` flag to `cloudsmith auth` which can only be used when passing `--get-token` flag in order to skip keyring checks. This will allow users to extract their Cloudsmith API key programmatically without requiring user-input. This can also be configured on environment level by setting `CLOUDSMITH_NO_KEYRING=1`.
+- Added `CLOUDSMITH_NO_KEYRING` environment variable to disable keyring usage globally. Set `CLOUDSMITH_NO_KEYRING=1` to skip system keyring operations.
 
 ## [1.12.1] - 2026-02-03
 

cloudsmith_cli/cli/commands/auth.py

@@ -1,6 +1,5 @@
 """CLI/Commands - Authenticate the user."""
 
-import os
 import webbrowser
 
 import click
@@ -17,16 +16,7 @@
 AUTH_SERVER_PORT = 12400
 
 
-def _set_no_keyring_env(ctx, param, value):
-    """Callback to set CLOUDSMITH_NO_KEYRING env var when flag is used."""
-    if value:
-        os.environ["CLOUDSMITH_NO_KEYRING"] = "1"
-    return value
-
-
-def _perform_saml_authentication(
-    opts, owner, enable_token_creation=False, json=False, no_keyring=False
-):
+def _perform_saml_authentication(opts, owner, enable_token_creation=False, json=False):
     """Perform SAML authentication via web browser and local web server."""
     session = create_configured_session(opts)
     api_host = opts.api_config.host
@@ -50,7 +40,6 @@ def _perform_saml_authentication(
         debug=opts.debug,
         refresh_api_on_success=enable_token_creation,
         api_opts=opts.api_config,
-        no_keyring=no_keyring,
     )
 
     auth_server.handle_request()
@@ -92,21 +81,11 @@ def _perform_saml_authentication(
     is_flag=True,
     help="Output token details in json format.",
 )
-@click.option(
-    "--no-keyring",
-    default=False,
-    is_flag=True,
-    callback=_set_no_keyring_env,
-    is_eager=True,
-    help="Skip storing SSO tokens in system keyring. Use this in CI/CD "
-    "environments to avoid keyring permission prompts. Note: SSO tokens "
-    "will not persist for subsequent CLI calls.",
-)
 @decorators.common_cli_config_options
 @decorators.common_cli_output_options
 @decorators.initialise_api
 @click.pass_context
-def authenticate(ctx, opts, owner, token, force, save_config, json, no_keyring):
+def authenticate(ctx, opts, owner, token, force, save_config, json):
     """Authenticate to Cloudsmith using the org's SAML setup."""
     json = json or utils.should_use_stderr(opts)
     # If using json output, we redirect info messages to stderr
@@ -130,7 +109,7 @@ def authenticate(ctx, opts, owner, token, force, save_config, json, no_keyring):
     context_message = "Failed to authenticate via SSO!"
     with handle_api_exceptions(ctx, opts=opts, context_msg=context_message):
         _perform_saml_authentication(
-            opts, owner, enable_token_creation=token, json=json, no_keyring=no_keyring
+            opts, owner, enable_token_creation=token, json=json
         )
 
     if token:

cloudsmith_cli/cli/exceptions.py

@@ -7,7 +7,7 @@
 import click
 
 from ..core.api.exceptions import ApiException
-from ..core.keyring import get_access_token
+from ..core.keyring import get_access_token, should_use_keyring
 
 
 @contextlib.contextmanager
@@ -170,7 +170,10 @@ def get_401_error_hint(ctx, opts, exc):
             "you don't have the permission to perform this action."
         )
 
-    access_token = get_access_token(opts.api_host)
+    # Only check keyring if enabled to avoid keyring prompts
+    access_token = None
+    if should_use_keyring():
+        access_token = get_access_token(opts.api_host)
     if access_token:
         return "Since you have an SSO access token set, this probably means that it has expired. Try getting a new token with 'cloudsmith auth', then try again."
 

cloudsmith_cli/cli/tests/test_webserver.py

@@ -1,45 +1,15 @@
 """Tests for the webserver module."""
 
+import os
 from unittest.mock import MagicMock, PropertyMock, patch
 
 import pytest
 
-from ..webserver import AuthenticationWebRequestHandler, AuthenticationWebServer
+from ..webserver import AuthenticationWebRequestHandler
 
 
-class TestAuthenticationWebServer:
-    """Tests for AuthenticationWebServer."""
-
-    def test_no_keyring_attribute_set_from_kwargs(self):
-        """Verify no_keyring is set from kwargs."""
-        with patch("socket.socket"):
-            with patch.object(AuthenticationWebServer, "server_bind"):
-                with patch.object(AuthenticationWebServer, "server_activate"):
-                    server = AuthenticationWebServer(
-                        ("127.0.0.1", 12400),
-                        AuthenticationWebRequestHandler,
-                        bind_and_activate=False,
-                        owner="testorg",
-                        no_keyring=True,
-                    )
-                    assert server.no_keyring is True
-
-    def test_no_keyring_defaults_to_false(self):
-        """Verify no_keyring defaults to False when not provided."""
-        with patch("socket.socket"):
-            with patch.object(AuthenticationWebServer, "server_bind"):
-                with patch.object(AuthenticationWebServer, "server_activate"):
-                    server = AuthenticationWebServer(
-                        ("127.0.0.1", 12400),
-                        AuthenticationWebRequestHandler,
-                        bind_and_activate=False,
-                        owner="testorg",
-                    )
-                    assert server.no_keyring is False
-
-
-class TestAuthenticationWebRequestHandlerNoKeyring:
-    """Tests for AuthenticationWebRequestHandler with no_keyring flag."""
+class TestAuthenticationWebRequestHandlerKeyring:
+    """Tests for AuthenticationWebRequestHandler keyring behavior."""
 
     @pytest.fixture
     def mock_handler(self):
@@ -57,66 +27,75 @@ def mock_handler(self):
             handler.debug = False
             return handler
 
-    def test_store_sso_tokens_called_when_no_keyring_false(self, mock_handler):
-        """Verify store_sso_tokens is called when no_keyring is False."""
-        mock_handler.no_keyring = False
-
-        with patch("cloudsmith_cli.cli.webserver.store_sso_tokens") as mock_store:
-            with patch.object(mock_handler, "_return_success_response"):
-                with patch.object(
-                    AuthenticationWebRequestHandler,
-                    "query_data",
-                    new_callable=PropertyMock,
-                ) as mock_query:
-                    with patch.object(
-                        AuthenticationWebRequestHandler,
-                        "api_host",
-                        new_callable=PropertyMock,
-                    ) as mock_host:
-                        mock_query.return_value = {
-                            "access_token": "test_access_token",
-                            "refresh_token": "test_refresh_token",
-                        }
-                        mock_host.return_value = "https://api.cloudsmith.io"
-
-                        mock_handler.do_GET()
-
-                        mock_store.assert_called_once_with(
-                            "https://api.cloudsmith.io",
-                            "test_access_token",
-                            "test_refresh_token",
-                        )
-
-    def test_store_sso_tokens_not_called_when_no_keyring_true(self, mock_handler):
-        """Verify store_sso_tokens is NOT called when no_keyring is True."""
-        mock_handler.no_keyring = True
-
-        with patch("cloudsmith_cli.cli.webserver.store_sso_tokens") as mock_store:
-            with patch("click.echo") as mock_echo:
-                with patch.object(mock_handler, "_return_success_response"):
-                    with patch.object(
-                        AuthenticationWebRequestHandler,
-                        "query_data",
-                        new_callable=PropertyMock,
-                    ) as mock_query:
+    def test_store_sso_tokens_called_when_keyring_enabled(self, mock_handler):
+        """Verify store_sso_tokens is called when keyring is enabled."""
+        # Ensure env var is not set
+        env = os.environ.copy()
+        env.pop("CLOUDSMITH_NO_KEYRING", None)
+
+        with patch.dict(os.environ, env, clear=True):
+            with patch("cloudsmith_cli.cli.webserver.store_sso_tokens") as mock_store:
+                with patch(
+                    "cloudsmith_cli.cli.webserver.should_use_keyring", return_value=True
+                ):
+                    with patch.object(mock_handler, "_return_success_response"):
                         with patch.object(
                             AuthenticationWebRequestHandler,
-                            "api_host",
+                            "query_data",
                             new_callable=PropertyMock,
-                        ) as mock_host:
-                            mock_query.return_value = {
-                                "access_token": "test_access_token",
-                                "refresh_token": "test_refresh_token",
-                            }
-                            mock_host.return_value = "https://api.cloudsmith.io"
-
-                            mock_handler.do_GET()
-
-                            # store_sso_tokens should NOT be called
-                            mock_store.assert_not_called()
-
-                            # Message should be displayed to stderr
-                            mock_echo.assert_called_once_with(
-                                "SSO tokens not stored (--no-keyring enabled)",
-                                err=True,
-                            )
+                        ) as mock_query:
+                            with patch.object(
+                                AuthenticationWebRequestHandler,
+                                "api_host",
+                                new_callable=PropertyMock,
+                            ) as mock_host:
+                                mock_query.return_value = {
+                                    "access_token": "test_access_token",
+                                    "refresh_token": "test_refresh_token",
+                                }
+                                mock_host.return_value = "https://api.cloudsmith.io"
+
+                                mock_handler.do_GET()
+
+                                mock_store.assert_called_once_with(
+                                    "https://api.cloudsmith.io",
+                                    "test_access_token",
+                                    "test_refresh_token",
+                                )
+
+    def test_store_sso_tokens_not_called_when_keyring_disabled(self, mock_handler):
+        """Verify store_sso_tokens is NOT called when CLOUDSMITH_NO_KEYRING=1."""
+        with patch.dict(os.environ, {"CLOUDSMITH_NO_KEYRING": "1"}):
+            with patch("cloudsmith_cli.cli.webserver.store_sso_tokens") as mock_store:
+                with patch(
+                    "cloudsmith_cli.cli.webserver.should_use_keyring",
+                    return_value=False,
+                ):
+                    with patch("click.echo") as mock_echo:
+                        with patch.object(mock_handler, "_return_success_response"):
+                            with patch.object(
+                                AuthenticationWebRequestHandler,
+                                "query_data",
+                                new_callable=PropertyMock,
+                            ) as mock_query:
+                                with patch.object(
+                                    AuthenticationWebRequestHandler,
+                                    "api_host",
+                                    new_callable=PropertyMock,
+                                ) as mock_host:
+                                    mock_query.return_value = {
+                                        "access_token": "test_access_token",
+                                        "refresh_token": "test_refresh_token",
+                                    }
+                                    mock_host.return_value = "https://api.cloudsmith.io"
+
+                                    mock_handler.do_GET()
+
+                                    # store_sso_tokens should NOT be called
+                                    mock_store.assert_not_called()
+
+                                    # Message should be displayed to stderr
+                                    mock_echo.assert_called_once_with(
+                                        "SSO tokens not stored (CLOUDSMITH_NO_KEYRING is set)",
+                                        err=True,
+                                    )

cloudsmith_cli/cli/webserver.py

@@ -9,7 +9,7 @@
 
 from ..core.api.exceptions import ApiException
 from ..core.api.init import initialise_api
-from ..core.keyring import store_sso_tokens
+from ..core.keyring import should_use_keyring, store_sso_tokens
 from .saml import exchange_2fa_token
 
 
@@ -52,7 +52,6 @@ def __init__(
         self.debug = kwargs.get("debug", False)
         self.refresh_api_on_success = kwargs.get("refresh_api_on_success", False)
         self.api_opts = kwargs.get("api_opts")
-        self.no_keyring = kwargs.get("no_keyring", False)
         self.exception = None
 
         super().__init__(
@@ -91,7 +90,6 @@ def finish_request(self, request, client_address):
             session=self.session,
             refresh_api_on_success=self.refresh_api_on_success,
             server_instance=self,
-            no_keyring=self.no_keyring,
         )
 
     def _handle_request_noblock(self):
@@ -135,7 +133,6 @@ def __init__(self, request, client_address, server, **kwargs):
         self.session = kwargs.get("session")
         self.refresh_api_on_success = kwargs.get("refresh_api_on_success", False)
         self.server_instance = kwargs.get("server_instance")
-        self.no_keyring = kwargs.get("no_keyring", False)
 
         super().__init__(request, client_address, server)
 
@@ -203,17 +200,17 @@ def do_GET(self):
 
         try:
             if access_token:
-                if self.no_keyring:
-                    click.echo(
-                        "SSO tokens not stored (--no-keyring enabled)",
-                        err=True,
-                    )
-                else:
+                if should_use_keyring():
                     store_sso_tokens(
                         self.api_host,
                         access_token,
                         refresh_token,
                     )
+                else:
+                    click.echo(
+                        "SSO tokens not stored (CLOUDSMITH_NO_KEYRING is set)",
+                        err=True,
+                    )
 
                 if self.refresh_api_on_success and self.server_instance:
                     self.server_instance.refresh_api_config_after_auth()
@@ -229,17 +226,17 @@ def do_GET(self):
                 access_token, refresh_token = exchange_2fa_token(
                     self.api_host, two_factor_token, totp_token, session=self.session
                 )
-                if self.no_keyring:
-                    click.echo(
-                        "SSO tokens not stored (--no-keyring enabled)",
-                        err=True,
-                    )
-                else:
+                if should_use_keyring():
                     store_sso_tokens(
                         self.api_host,
                         access_token,
                         refresh_token,
                     )
+                else:
+                    click.echo(
+                        "SSO tokens not stored (CLOUDSMITH_NO_KEYRING is set)",
+                        err=True,
+                    )
 
                 if self.refresh_api_on_success and self.server_instance:
                     self.server_instance.refresh_api_config_after_auth()