@flowcore/cli-plugin-iam 1.6.1 → 1.8.0

package/dist/commands/get/user-roles.js

@@ -0,0 +1,90 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
+import { tryit } from "radash";
+import { OrganizationService } from "../../services/organization.service.js";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class GetUserRoles extends BaseCommand {
+    static args = {
+        USER_ID: Args.string({
+            description: "The user ID to get roles for (e.g. auth0|abc123)",
+            required: true,
+        }),
+    };
+    static description = "List all IAM roles assigned to a specific user, optionally scoped to a tenant";
+    static examples = [
+        `$ flowcore iam get user-roles "auth0|abc123" -t my-org`,
+        `$ flowcore iam get user-roles "auth0|abc123" -j`,
+        `$ flowcore iam get user-roles "auth0|abc123" -t my-org -w`,
+    ];
+    static flags = {
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        tenant: Flags.string({
+            char: "t",
+            description: "Scope results to a specific tenant (organization slug)",
+            required: false,
+        }),
+        wide: Flags.boolean({
+            char: "w",
+            description: "Show additional columns in table output",
+            required: false,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(GetUserRoles);
+        const graphqlClient = await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const organizationService = new OrganizationService(graphqlClient);
+        const organizations = await organizationService.getMyOrganizations();
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const authHeaders = {
+            headers: { Authorization: `Bearer ${auth?.accessToken}` },
+        };
+        let organizationId;
+        if (flags.tenant) {
+            const organization = organizations.me.organizations.find((org) => org.organization.org === flags.tenant);
+            if (!organization) {
+                this.logger.fatal(`Organization ${flags.tenant} not found, or you are not a member`);
+            }
+            organizationId = organization.organization.id;
+        }
+        const [err, response] = await tryit(iamClient.getApiV1RoleAssociationsUserByUserId)(args.USER_ID, organizationId ? { organizationId } : undefined, authHeaders);
+        if (err) {
+            this.logger.fatal(`Failed to get user roles: ${getErrorMessage(err)}`);
+        }
+        const roles = response.data;
+        if (flags.json) {
+            console.log(JSON.stringify(roles, null, 2));
+        }
+        else {
+            const headers = [
+                "Role ID",
+                "Name",
+                "Description",
+                ...(flags.wide ? ["Organization ID"] : []),
+            ];
+            let table = this.ui.table().head(headers);
+            for (const role of roles) {
+                const row = [
+                    role.id,
+                    role.name,
+                    role.description ?? "",
+                    ...(flags.wide ? [role.organizationId] : []),
+                ];
+                table = table.row(row);
+            }
+            table.render();
+        }
+    }
+}

package/dist/commands/unassign/policy.d.ts

@@ -0,0 +1,17 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class UnassignPolicy extends BaseCommand<typeof UnassignPolicy> {
+    static args: {
+        POLICY_NAME: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        key: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        role: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        tenant: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        user: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        yes: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/unassign/policy.js

@@ -0,0 +1,143 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags, ux } from "@oclif/core";
+import enquirer from "enquirer";
+import { tryit } from "radash";
+import { OrganizationService } from "../../services/organization.service.js";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class UnassignPolicy extends BaseCommand {
+    static args = {
+        POLICY_NAME: Args.string({
+            description: "The name of the policy to unassign",
+            required: true,
+        }),
+    };
+    static description = "Remove an IAM policy assignment from a user, API key, or role. Exactly one of --user, --key, or --role must be specified";
+    static examples = [
+        `$ flowcore iam unassign policy read-access --user "auth0|abc123" -t my-org -y`,
+        `$ flowcore iam unassign policy read-access --key "550e8400-e29b-41d4-a716-446655440000" -t my-org -y`,
+        "$ flowcore iam unassign policy read-access --role data-reader -t my-org -y",
+        `$ flowcore iam unassign policy read-access --user "auth0|abc123" -t my-org -j -y`,
+    ];
+    static flags = {
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        key: Flags.string({
+            description: "The API key ID to unassign the policy from",
+            exclusive: ["user", "role"],
+            required: false,
+        }),
+        role: Flags.string({
+            description: "The role name to unassign the policy from",
+            exclusive: ["user", "key"],
+            required: false,
+        }),
+        tenant: Flags.string({
+            char: "t",
+            description: "The tenant (organization slug) containing the policy",
+            required: true,
+        }),
+        user: Flags.string({
+            description: "The user ID to unassign the policy from",
+            exclusive: ["key", "role"],
+            required: false,
+        }),
+        yes: Flags.boolean({
+            char: "y",
+            description: "Skip confirmation prompt",
+            required: false,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(UnassignPolicy);
+        if (!flags.user && !flags.key && !flags.role) {
+            this.logger.fatal("Exactly one of --user, --key, or --role is required");
+        }
+        const graphqlClient = await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const organizationService = new OrganizationService(graphqlClient);
+        const organizations = await organizationService.getMyOrganizations();
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const organization = organizations.me.organizations.find((org) => org.organization.org === flags.tenant);
+        if (!organization) {
+            this.logger.fatal(`Organization ${flags.tenant} not found, or you are not a member`);
+        }
+        const authHeaders = {
+            headers: { Authorization: `Bearer ${auth?.accessToken}` },
+        };
+        // Resolve policy name to ID
+        const [policiesErr, policies] = await tryit(iamClient.getApiV1PolicyAssociationsOrganizationByOrganizationId)(organization.organization.id, authHeaders);
+        if (policiesErr) {
+            this.logger.fatal(`Failed to get policies: ${policiesErr.message}`);
+        }
+        const policy = policies.data.find((p) => p.name === args.POLICY_NAME);
+        if (!policy) {
+            this.logger.fatal(`Policy "${args.POLICY_NAME}" not found in tenant: ${flags.tenant}`);
+        }
+        const target = flags.user
+            ? `user ${flags.user}`
+            : flags.key
+                ? `key ${flags.key}`
+                : `role ${flags.role}`;
+        if (!flags.yes) {
+            const { confirm } = await enquirer.prompt([
+                {
+                    message: `Are you sure you want to unassign policy ${ux.colorize("cyan", args.POLICY_NAME)} from ${ux.colorize("cyan", target)}?`,
+                    name: "confirm",
+                    type: "confirm",
+                },
+            ]);
+            if (!confirm) {
+                this.logger.info("Aborted");
+                return;
+            }
+        }
+        let result;
+        if (flags.user) {
+            const [err, response] = await tryit(iamClient.deleteApiV1PolicyAssociationsUserByUserId)(flags.user, { policyId: policy.id }, authHeaders);
+            if (err) {
+                this.logger.fatal(`Failed to unassign policy from user: ${getErrorMessage(err)}`);
+            }
+            result = response.data;
+        }
+        else if (flags.key) {
+            const [err, response] = await tryit(iamClient.deleteApiV1PolicyAssociationsKeyByKeyId)(flags.key, { policyId: policy.id }, authHeaders);
+            if (err) {
+                this.logger.fatal(`Failed to unassign policy from key: ${getErrorMessage(err)}`);
+            }
+            result = response.data;
+        }
+        else if (flags.role) {
+            // Resolve role name to ID
+            const [rolesErr, roles] = await tryit(iamClient.getApiV1RoleAssociationsOrganizationByOrganizationId)(organization.organization.id, authHeaders);
+            if (rolesErr) {
+                this.logger.fatal(`Failed to get roles: ${rolesErr.message}`);
+            }
+            const role = roles.data.find((r) => r.name === flags.role);
+            if (!role) {
+                this.logger.fatal(`Role "${flags.role}" not found in tenant: ${flags.tenant}`);
+            }
+            const [err, response] = await tryit(iamClient.deleteApiV1PolicyAssociationsRoleByRoleId)(role.id, { policyId: policy.id }, authHeaders);
+            if (err) {
+                this.logger.fatal(`Failed to unassign policy from role: ${getErrorMessage(err)}`);
+            }
+            result = response.data;
+        }
+        if (flags.json) {
+            console.log(JSON.stringify(result, null, 2));
+        }
+        else {
+            this.logger.info(`Policy "${args.POLICY_NAME}" unassigned from ${target}`);
+        }
+    }
+}

package/dist/commands/unassign/role.d.ts

@@ -0,0 +1,16 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class UnassignRole extends BaseCommand<typeof UnassignRole> {
+    static args: {
+        ROLE_NAME: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        key: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        tenant: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        user: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        yes: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/unassign/role.js

@@ -0,0 +1,117 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags, ux } from "@oclif/core";
+import enquirer from "enquirer";
+import { tryit } from "radash";
+import { OrganizationService } from "../../services/organization.service.js";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class UnassignRole extends BaseCommand {
+    static args = {
+        ROLE_NAME: Args.string({
+            description: "The name of the role to unassign",
+            required: true,
+        }),
+    };
+    static description = "Remove an IAM role assignment from a user or API key. Exactly one of --user or --key must be specified";
+    static examples = [
+        `$ flowcore iam unassign role data-reader --user "auth0|abc123" -t my-org -y`,
+        `$ flowcore iam unassign role data-reader --key "550e8400-e29b-41d4-a716-446655440000" -t my-org -y`,
+        `$ flowcore iam unassign role data-reader --user "auth0|abc123" -t my-org -j -y`,
+    ];
+    static flags = {
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        key: Flags.string({
+            description: "The API key ID to unassign the role from",
+            exclusive: ["user"],
+            required: false,
+        }),
+        tenant: Flags.string({
+            char: "t",
+            description: "The tenant (organization slug) containing the role",
+            required: true,
+        }),
+        user: Flags.string({
+            description: "The user ID to unassign the role from",
+            exclusive: ["key"],
+            required: false,
+        }),
+        yes: Flags.boolean({
+            char: "y",
+            description: "Skip confirmation prompt",
+            required: false,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(UnassignRole);
+        if (!flags.user && !flags.key) {
+            this.logger.fatal("Exactly one of --user or --key is required");
+        }
+        const graphqlClient = await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const organizationService = new OrganizationService(graphqlClient);
+        const organizations = await organizationService.getMyOrganizations();
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const organization = organizations.me.organizations.find((org) => org.organization.org === flags.tenant);
+        if (!organization) {
+            this.logger.fatal(`Organization ${flags.tenant} not found, or you are not a member`);
+        }
+        const authHeaders = {
+            headers: { Authorization: `Bearer ${auth?.accessToken}` },
+        };
+        // Resolve role name to ID
+        const [rolesErr, roles] = await tryit(iamClient.getApiV1RoleAssociationsOrganizationByOrganizationId)(organization.organization.id, authHeaders);
+        if (rolesErr) {
+            this.logger.fatal(`Failed to get roles: ${rolesErr.message}`);
+        }
+        const role = roles.data.find((r) => r.name === args.ROLE_NAME);
+        if (!role) {
+            this.logger.fatal(`Role "${args.ROLE_NAME}" not found in tenant: ${flags.tenant}`);
+        }
+        const target = flags.user ? `user ${flags.user}` : `key ${flags.key}`;
+        if (!flags.yes) {
+            const { confirm } = await enquirer.prompt([
+                {
+                    message: `Are you sure you want to unassign role ${ux.colorize("cyan", args.ROLE_NAME)} from ${ux.colorize("cyan", target)}?`,
+                    name: "confirm",
+                    type: "confirm",
+                },
+            ]);
+            if (!confirm) {
+                this.logger.info("Aborted");
+                return;
+            }
+        }
+        let result;
+        if (flags.user) {
+            const [err, response] = await tryit(iamClient.deleteApiV1RoleAssociationsUserByUserId)(flags.user, { roleId: role.id }, authHeaders);
+            if (err) {
+                this.logger.fatal(`Failed to unassign role from user: ${getErrorMessage(err)}`);
+            }
+            result = response.data;
+        }
+        else if (flags.key) {
+            const [err, response] = await tryit(iamClient.deleteApiV1RoleAssociationsKeyByKeyId)(flags.key, { roleId: role.id }, authHeaders);
+            if (err) {
+                this.logger.fatal(`Failed to unassign role from key: ${getErrorMessage(err)}`);
+            }
+            result = response.data;
+        }
+        if (flags.json) {
+            console.log(JSON.stringify(result, null, 2));
+        }
+        else {
+            this.logger.info(`Role "${args.ROLE_NAME}" unassigned from ${target}`);
+        }
+    }
+}

package/dist/commands/validate/key.d.ts

@@ -0,0 +1,15 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class ValidateKey extends BaseCommand<typeof ValidateKey> {
+    static args: {
+        KEY_ID: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        action: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        resource: import("@oclif/core/interfaces").OptionFlag<string[], import("@oclif/core/interfaces").CustomOptions>;
+        tenant: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/validate/key.js

@@ -0,0 +1,106 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
+import { tryit } from "radash";
+import { OrganizationService } from "../../services/organization.service.js";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class ValidateKey extends BaseCommand {
+    static args = {
+        KEY_ID: Args.string({
+            description: "The API key ID to validate access for",
+            required: true,
+        }),
+    };
+    static description = "Validate whether an API key has permission to perform an action on one or more resources";
+    static examples = [
+        `$ flowcore iam validate key "550e8400-e29b-41d4-a716-446655440000" -t my-org --action ingest --resource "frn::my-org:event-type/*"`,
+        `$ flowcore iam validate key "550e8400-e29b-41d4-a716-446655440000" -t my-org --action read --resource "frn::my-org:data-core/my-core" -j`,
+        `$ flowcore iam validate key "550e8400-e29b-41d4-a716-446655440000" -t my-org --action read --resource "frn::my-org:data-core/core1" --resource "frn::my-org:data-core/core2"`,
+    ];
+    static flags = {
+        action: Flags.string({
+            description: "The action to validate (e.g. read, write, ingest, fetch)",
+            required: true,
+        }),
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        resource: Flags.string({
+            description: "The resource FRN to validate against (can be specified multiple times)",
+            multiple: true,
+            required: true,
+        }),
+        tenant: Flags.string({
+            char: "t",
+            description: "The tenant (organization slug) to validate within",
+            required: true,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(ValidateKey);
+        const graphqlClient = await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const organizationService = new OrganizationService(graphqlClient);
+        const organizations = await organizationService.getMyOrganizations();
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const organization = organizations.me.organizations.find((org) => org.organization.org === flags.tenant);
+        if (!organization) {
+            this.logger.fatal(`Organization ${flags.tenant} not found, or you are not a member`);
+        }
+        const [err, response] = await tryit(iamClient.postApiV1ValidateKeysById)(args.KEY_ID, {
+            mode: "tenant",
+            requestedAccess: [
+                {
+                    action: flags.action,
+                    resource: flags.resource,
+                },
+            ],
+        }, {
+            headers: {
+                Authorization: `Bearer ${auth?.accessToken}`,
+            },
+        });
+        if (err) {
+            // 403 responses contain validation failure details in the error body
+            const errorResponse = err;
+            if (errorResponse.error && errorResponse.error.valid === false) {
+                if (flags.json) {
+                    console.log(JSON.stringify(errorResponse.error, null, 2));
+                }
+                else {
+                    this.logger.info(`INVALID \u2717 — ${errorResponse.error.message}`);
+                    if (errorResponse.error.invalidRequest &&
+                        Array.isArray(errorResponse.error.invalidRequest)) {
+                        for (const req of errorResponse.error.invalidRequest) {
+                            const r = req;
+                            this.logger.info(`  Action: ${String(r.action)}, Resources: ${r.resource.join(", ")}`);
+                        }
+                    }
+                }
+                return;
+            }
+            this.logger.fatal(`Failed to validate key access: ${getErrorMessage(err)}`);
+        }
+        if (flags.json) {
+            console.log(JSON.stringify(response.data, null, 2));
+        }
+        else {
+            this.logger.info("VALID \u2713");
+            if (response.data.validPolicies.length > 0) {
+                this.logger.info("Matching policies:");
+                for (const p of response.data.validPolicies) {
+                    this.logger.info(`  Policy FRN: ${p.policyFrn}, Statement: ${p.statementId}`);
+                }
+            }
+        }
+    }
+}

package/dist/commands/validate/user.d.ts

@@ -0,0 +1,15 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class ValidateUser extends BaseCommand<typeof ValidateUser> {
+    static args: {
+        USER_ID: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        action: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        resource: import("@oclif/core/interfaces").OptionFlag<string[], import("@oclif/core/interfaces").CustomOptions>;
+        tenant: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/validate/user.js

@@ -0,0 +1,106 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
+import { tryit } from "radash";
+import { OrganizationService } from "../../services/organization.service.js";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class ValidateUser extends BaseCommand {
+    static args = {
+        USER_ID: Args.string({
+            description: "The user ID to validate access for (e.g. auth0|abc123)",
+            required: true,
+        }),
+    };
+    static description = "Validate whether a user has permission to perform an action on one or more resources";
+    static examples = [
+        `$ flowcore iam validate user "auth0|abc123" -t my-org --action read --resource "frn::my-org:data-core/my-core"`,
+        `$ flowcore iam validate user "auth0|abc123" -t my-org --action write --resource "frn::my-org:data-core/*" -j`,
+        `$ flowcore iam validate user "auth0|abc123" -t my-org --action read --resource "frn::my-org:data-core/core1" --resource "frn::my-org:data-core/core2"`,
+    ];
+    static flags = {
+        action: Flags.string({
+            description: "The action to validate (e.g. read, write, ingest, fetch)",
+            required: true,
+        }),
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        resource: Flags.string({
+            description: "The resource FRN to validate against (can be specified multiple times)",
+            multiple: true,
+            required: true,
+        }),
+        tenant: Flags.string({
+            char: "t",
+            description: "The tenant (organization slug) to validate within",
+            required: true,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(ValidateUser);
+        const graphqlClient = await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const organizationService = new OrganizationService(graphqlClient);
+        const organizations = await organizationService.getMyOrganizations();
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const organization = organizations.me.organizations.find((org) => org.organization.org === flags.tenant);
+        if (!organization) {
+            this.logger.fatal(`Organization ${flags.tenant} not found, or you are not a member`);
+        }
+        const [err, response] = await tryit(iamClient.postApiV1ValidateUsersById)(args.USER_ID, {
+            mode: "tenant",
+            requestedAccess: [
+                {
+                    action: flags.action,
+                    resource: flags.resource,
+                },
+            ],
+        }, {
+            headers: {
+                Authorization: `Bearer ${auth?.accessToken}`,
+            },
+        });
+        if (err) {
+            // 403 responses contain validation failure details in the error body
+            const errorResponse = err;
+            if (errorResponse.error && errorResponse.error.valid === false) {
+                if (flags.json) {
+                    console.log(JSON.stringify(errorResponse.error, null, 2));
+                }
+                else {
+                    this.logger.info(`INVALID \u2717 — ${errorResponse.error.message}`);
+                    if (errorResponse.error.invalidRequest &&
+                        Array.isArray(errorResponse.error.invalidRequest)) {
+                        for (const req of errorResponse.error.invalidRequest) {
+                            const r = req;
+                            this.logger.info(`  Action: ${String(r.action)}, Resources: ${r.resource.join(", ")}`);
+                        }
+                    }
+                }
+                return;
+            }
+            this.logger.fatal(`Failed to validate user access: ${getErrorMessage(err)}`);
+        }
+        if (flags.json) {
+            console.log(JSON.stringify(response.data, null, 2));
+        }
+        else {
+            this.logger.info("VALID \u2713");
+            if (response.data.validPolicies.length > 0) {
+                this.logger.info("Matching policies:");
+                for (const p of response.data.validPolicies) {
+                    this.logger.info(`  Policy FRN: ${p.policyFrn}, Statement: ${p.statementId}`);
+                }
+            }
+        }
+    }
+}

package/dist/index.d.ts

@@ -1 +1 @@
-export { run } from '@oclif/core';
+export { run } from "@oclif/core";

package/dist/index.js

@@ -1 +1 @@
-export { run } from '@oclif/core';
+export { run } from "@oclif/core";

package/dist/resource-types/iam-api-version.js

@@ -1,9 +1,9 @@
 import { ValidateLogin, } from "@flowcore/cli-plugin-config";
 import { Api as IamApi } from "../utils/clients/iam/Api.js";
-import { PolicyService } from "./policy.resource.js";
 import { PolicyBindingService } from "./policy-binding.resource.js";
-import { RoleService } from "./role.resource.js";
+import { PolicyService } from "./policy.resource.js";
 import { RoleBindingService } from "./role-binding.resource.js";
+import { RoleService } from "./role.resource.js";
 const applyOrder = ["Policy", "PolicyBinding", "Role", "RoleBinding"];
 export class IAMApply {
     organizationService;