Skip to content

Interactive Credentials Feature

Overview

The Network Toolkit now supports interactive credential input through the --interactive-auth (or -i) flag, providing a secure way to enter credentials at runtime without storing them in environment variables, .env files, or configuration files.

Usage

Add the --interactive-auth or -i flag to any command that connects to devices:

# Device information with interactive auth
nw info sw-acc1 --interactive-auth

# Execute commands with interactive auth
nw run sw-acc1 '/system/identity/print' --interactive-auth

# Multiple devices with interactive auth (short flag)
nw run sw-acc1,sw-acc2 '/system/clock/print' -i

# Group operations with interactive auth
nw run access_switches system_info --interactive-auth
```bash
# Execute command with interactive auth
$ nw run sw-acc1 '/system/identity/print' -i
Interactive authentication mode enabled
Username [admin]: myuser
Password: ********
Will use username: myuser

Executing on sw-acc1: /system/identity/print
name="MikroTik"
Command completed successfully on sw-acc1

  1. src/network_toolkit/common/credentials.py - New module providing:

  2. InteractiveCredentials - Type-safe credential container (NamedTuple)

  3. prompt_for_credentials() - Secure credential input using getpass

  4. confirm_credentials() - Optional credential verification

  5. Enhanced Configuration System - src/network_toolkit/config.py:

  6. get_device_connection_params() now accepts credential overrides

  7. Maintains compatibility with existing credential sources

  8. Updated Device Session - src/network_toolkit/device.py:

  9. DeviceSession constructor accepts username/password overrides

  10. Credential override parameters passed to connection logic

  11. CLI Integration - Commands updated with --interactive-auth flag:

  12. info command - Shows device information with interactive auth
  13. run command - Executes commands with interactive auth support

Credential Resolution Priority

  1. Interactive credentials (highest priority) - When --interactive-auth is used
  2. Environment variables - NW_USER_DEFAULT, NW_PASSWORD_DEFAULT, device-specific overrides
  3. Configuration file - Defaults in modular config.yml (discouraged)

Error Handling

  • Empty username/password: Raises typer.BadParameter with descriptive message
  • KeyboardInterrupt: Properly propagated to allow clean cancellation
  • Connection failures: Existing error handling maintained

Testing

Test Coverage

  • Unit tests: tests/test_credentials.py - 14 tests covering all credential functionality
  • Integration tests: Existing CLI and config tests continue to pass
  • Validation: All tests pass, ensuring no regressions

Test Categories

  1. InteractiveCredentials class: Immutability, equality, creation
  2. Credential prompting: Basic prompting, defaults, error conditions
  3. Credential confirmation: Accept/reject flow, keyboard interrupts
  4. Integration scenarios: Full workflow, rejection handling
  5. Error handling: Exception propagation, validation

Examples

Basic Usage

# Info command with interactive auth
$ nw info sw-acc1 --interactive-auth
Interactive authentication mode enabled
Username [admin]: admin
Password: ********
Will use username: admin

Device: sw-acc1
├─ Connection: Not tested (use --check for live connection)
├─ Host: 192.168.1.10
├─ Port: 22
├─ Credentials: Interactive (admin)
└─ Groups: access_switches
```bash
# Run on multiple devices
$ nw run sw-acc1,sw-acc2 '/system/clock/print' --interactive-auth
Interactive authentication mode enabled
Username [admin]: admin
Password: ********
Will use username: admin

Executing on sw-acc1,sw-acc2: '/system/clock/print'
Command completed successfully on sw-acc1
Command completed successfully on sw-acc2

Executing on sw-acc1: /system/identity/print name="MikroTik" ✓ Command completed successfully on sw-acc1

### Multiple Devices

```bash
# Run on multiple devices
$ nw run sw-acc1,sw-acc2 '/system/clock/print' --interactive-auth
Interactive authentication mode enabled
Username [admin]: admin
Password: ********
Will use username: admin

Executing on sw-acc1,sw-acc2: /system/clock/print
✓ Command completed successfully on sw-acc1
✓ Command completed successfully on sw-acc2

Implementation Notes

Type Safety

All functions use proper type annotations with Python 3.11+ typing features:

def prompt_for_credentials(
    username_prompt: str = "Username",
    password_prompt: str = "Password",
    default_username: str | None = None,
) -> InteractiveCredentials:

Backward Compatibility

  • All existing functionality remains unchanged
  • Environment variables and config files still work as before
  • Interactive auth is purely additive - no breaking changes
  • Existing scripts and automation continue to work

Future Enhancements

Potential improvements for future versions:

  1. Credential caching: Optional session-based credential caching
  2. SSH key support: Interactive SSH key selection and passphrase entry
  3. Multi-factor auth: Support for 2FA/MFA prompts
  4. Credential managers: Integration with system credential stores
  5. Role-based auth: Different credentials for different device roles

Conclusion

The interactive credentials feature provides a secure, user-friendly way to handle authentication in the Network Toolkit while maintaining full backward compatibility and following security best practices. The implementation is well-tested, type-safe, and follows the project's architectural patterns.