@p0security/cli 0.11.0 → 0.11.2

package/dist/drivers/stdio.js

@@ -9,15 +9,25 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Ansi = exports.print2 = exports.print1 = void 0;
+exports.spinUntil = exports.clear2 = exports.reset2 = exports.print2 = exports.print1 = void 0;
 /** Functions to handle stdio
  *
  * These are essentially wrappers around console.foo, but allow for
  * - Better testing
  * - Later redirection / duplication
  */
-const lodash_1 = require("lodash");
+const util_1 = require("../util");
+const ansi_1 = require("./ansi");
 /** Used to output machine-readable text to stdout
  *
  * In general this should not be used for text meant to be consumed
@@ -37,10 +47,43 @@ function print2(message) {
     console.error(message);
 }
 exports.print2 = print2;
-const AnsiCodes = {
-    Reset: "00",
-    Dim: "02",
-    Yellow: "33",
+/** Resets the terminal cursor to the beginning of the line */
+function reset2() {
+    process.stderr.write((0, ansi_1.Ansi)("0G"));
+}
+exports.reset2 = reset2;
+/** Clears the current terminal line */
+function clear2() {
+    // Replaces text with spaces
+    process.stderr.write((0, ansi_1.Ansi)("2K"));
+    reset2();
+}
+exports.clear2 = clear2;
+const Spin = {
+    items: ["⠇", "⠋", "⠙", "⠸", "⠴", "⠦"],
+    delayMs: 200,
 };
-exports.Ansi = (0, lodash_1.mapValues)(AnsiCodes, (v) => `\u001b[${v}m`);
+/** Prints a Unicode spinner until a promise resolves */
+const spinUntil = (message, promise) => __awaiter(void 0, void 0, void 0, function* () {
+    let isDone = false;
+    let ix = 0;
+    // 'catch' here just prevents UncaughtExceptionError; errors are sent to caller
+    // on function return
+    void promise.finally(() => (isDone = true)).catch(() => { });
+    while (!isDone) {
+        yield (0, util_1.sleep)(Spin.delayMs);
+        if (isDone)
+            break;
+        clear2();
+        process.stderr.write(ansi_1.AnsiSgr.Green +
+            Spin.items[ix % Spin.items.length] +
+            " " +
+            message +
+            ansi_1.AnsiSgr.Reset);
+        ix++;
+    }
+    clear2();
+    return yield promise;
+});
+exports.spinUntil = spinUntil;
 //# sourceMappingURL=stdio.js.map

package/dist/drivers/stdio.js.map

@@ -1 +1 @@
-{"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../src/drivers/stdio.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;AAEH;;;;;GAKG;AACH,mCAAmC;AAEnC;;;;GAIG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACvB,CAAC;AAHD,wBAGC;AAED;;;GAGG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAHD,wBAGC;AAED,MAAM,SAAS,GAAG;IAChB,KAAK,EAAE,IAAI;IACX,GAAG,EAAE,IAAI;IACT,MAAM,EAAE,IAAI;CACJ,CAAC;AAEE,QAAA,IAAI,GAAG,IAAA,kBAAS,EAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC"}
+{"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../src/drivers/stdio.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;;;;;;;;;;AAEH;;;;;GAKG;AACH,kCAAgC;AAChC,iCAAuC;AAEvC;;;;GAIG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACvB,CAAC;AAHD,wBAGC;AAED;;;GAGG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAHD,wBAGC;AAED,8DAA8D;AAC9D,SAAgB,MAAM;IACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,WAAI,EAAC,IAAI,CAAC,CAAC,CAAC;AACnC,CAAC;AAFD,wBAEC;AAED,uCAAuC;AACvC,SAAgB,MAAM;IACpB,4BAA4B;IAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,WAAI,EAAC,IAAI,CAAC,CAAC,CAAC;IACjC,MAAM,EAAE,CAAC;AACX,CAAC;AAJD,wBAIC;AAED,MAAM,IAAI,GAAG;IACX,KAAK,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IACrC,OAAO,EAAE,GAAG;CACb,CAAC;AAEF,wDAAwD;AACjD,MAAM,SAAS,GAAG,CAAU,OAAe,EAAE,OAAmB,EAAE,EAAE;IACzE,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,EAAE,GAAG,CAAC,CAAC;IACX,+EAA+E;IAC/E,qBAAqB;IACrB,KAAK,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAC5D,OAAO,CAAC,MAAM,EAAE;QACd,MAAM,IAAA,YAAK,EAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1B,IAAI,MAAM;YAAE,MAAM;QAClB,MAAM,EAAE,CAAC;QACT,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,cAAO,CAAC,KAAK;YACX,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;YAClC,GAAG;YACH,OAAO;YACP,cAAO,CAAC,KAAK,CAChB,CAAC;QACF,EAAE,EAAE,CAAC;KACN;IACD,MAAM,EAAE,CAAC;IACT,OAAO,MAAM,OAAO,CAAC;AACvB,CAAC,CAAA,CAAC;AArBW,QAAA,SAAS,aAqBpB"}

package/dist/plugins/aws/ssh.js

@@ -15,29 +15,34 @@ const aws_1 = require("../okta/aws");
 const config_1 = require("./config");
 const idc_1 = require("./idc");
 const install_1 = require("./ssm/install");
-/** Maximum number of attempts to start an SSH session
- *
- * Each attempt consumes ~ 1 s.
- */
-const MAX_SSH_RETRIES = 30;
+const PROPAGATION_TIMEOUT_LIMIT_MS = 30 * 1000;
 /** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
 const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
-exports.awsSshProvider = {
-    requestToSsh: (request) => {
-        const { permission, generated } = request;
-        const { instanceId, accountId, region } = permission.spec;
-        const { idc, ssh, name } = generated;
-        const { linuxUserName } = ssh;
-        const common = { linuxUserName, accountId, region, id: instanceId };
-        return !idc
-            ? Object.assign(Object.assign({}, common), { role: name, type: "aws", access: "role" }) : Object.assign(Object.assign({}, common), { idc, permissionSet: name, type: "aws", access: "idc" });
+/**There are 2 cases of unprovisioned access in AWS
+ * 1. SSM:StartSession action is missing either on the SSM document (AWS-StartSSHSession) or the EC2 instance
+ * 2. Temporary error when issuing an SCP command
+ *
+ * 1: results in UNAUTHORIZED_START_SESSION_MESSAGE
+ * 2: results in CONNECTION_CLOSED_MESSAGE
+ */
+const unprovisionedAccessPatterns = [
+    /** Matches the error message that AWS SSM prints when access is not propagated */
+    // Note that the resource will randomly be either the SSM document or the EC2 instance
+    {
+        pattern: /An error occurred \(AccessDeniedException\) when calling the StartSession operation: User: arn:aws:sts::.*:assumed-role\/P0GrantsRole.* is not authorized to perform: ssm:StartSession on resource: arn:aws:.*:.*:.* because no identity-based policy allows the ssm:StartSession action/,
     },
-    toCliRequest: (request) => __awaiter(void 0, void 0, void 0, function* () { return (Object.assign(Object.assign({}, request), { cliLocalData: undefined })); }),
-    ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
-        if (!(yield (0, install_1.ensureSsmInstall)())) {
-            throw "Please try again after installing the required AWS utilities";
-        }
-    }),
+    /**
+     * Matches the following error messages that AWS SSM pints when ssh authorized
+     * key access hasn't propagated to the instance yet.
+     * - Connection closed by UNKNOWN port 65535
+     * - scp: Connection closed
+     * - kex_exchange_identification: Connection closed by remote host
+     */
+    {
+        pattern: /\bConnection closed\b.*\b(?:by UNKNOWN port \d+|by remote host)?/,
+    },
+];
+exports.awsSshProvider = {
     cloudProviderLogin: (authn, request) => __awaiter(void 0, void 0, void 0, function* () {
         var _a, _b, _c, _d;
         const { config } = yield (0, config_1.getAwsConfig)(authn, request.accountId);
@@ -50,6 +55,14 @@ exports.awsSshProvider = {
                 ? yield (0, aws_1.assumeRoleWithOktaSaml)(authn, request)
                 : (0, util_1.throwAssertNever)(config.login);
     }),
+    ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
+        if (!(yield (0, install_1.ensureSsmInstall)())) {
+            throw "Please try again after installing the required AWS utilities";
+        }
+    }),
+    friendlyName: "AWS",
+    propagationTimeoutMs: PROPAGATION_TIMEOUT_LIMIT_MS,
+    preTestAccessPropagationArgs: () => undefined,
     proxyCommand: (request) => {
         return [
             "aws",
@@ -74,8 +87,17 @@ exports.awsSshProvider = {
         }
         return undefined;
     },
-    preTestAccessPropagationArgs: () => undefined,
-    maxRetries: MAX_SSH_RETRIES,
-    friendlyName: "AWS",
+    requestToSsh: (request) => {
+        const { permission, generated } = request;
+        const { awsResourcePermission, instanceId, accountId, region } = permission.spec;
+        const { idcId, idcRegion } = awsResourcePermission.permission;
+        const { ssh, name } = generated;
+        const { linuxUserName } = ssh;
+        const common = { linuxUserName, accountId, region, id: instanceId };
+        return !idcId || !idcRegion
+            ? Object.assign(Object.assign({}, common), { role: name, type: "aws", access: "role" }) : Object.assign(Object.assign({}, common), { idc: { id: idcId, region: idcRegion }, permissionSet: name, type: "aws", access: "idc" });
+    },
+    toCliRequest: (request) => __awaiter(void 0, void 0, void 0, function* () { return (Object.assign(Object.assign({}, request), { cliLocalData: undefined })); }),
+    unprovisionedAccessPatterns,
 };
 //# sourceMappingURL=ssh.js.map

package/dist/plugins/aws/ssh.js.map

@@ -1 +1 @@
-{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../src/plugins/aws/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,qCAA8C;AAC9C,qCAAqD;AACrD,qCAAwC;AACxC,+BAA0C;AAC1C,2CAAiD;AASjD;;;GAGG;AACH,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B,iGAAiG;AACjG,MAAM,+BAA+B,GAAG,qBAAqB,CAAC;AAEjD,QAAA,cAAc,GAKvB;IACF,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;QAC1C,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC,IAAI,CAAC;QAC1D,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC;QACrC,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC;QAC9B,MAAM,MAAM,GAAG,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC;QACpE,OAAO,CAAC,GAAG;YACT,CAAC,iCAAM,MAAM,KAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,IACtD,CAAC,iCACM,MAAM,KACT,GAAG,EACH,aAAa,EAAE,IAAI,EACnB,IAAI,EAAE,KAAK,EACX,MAAM,EAAE,KAAK,GACd,CAAC;IACR,CAAC;IACD,YAAY,EAAE,CAAO,OAAO,EAAE,EAAE,kDAAC,OAAA,iCAAM,OAAO,KAAE,YAAY,EAAE,SAAS,IAAG,CAAA,GAAA;IAC1E,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,0BAAgB,GAAE,CAAC,EAAE;YAC/B,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IACD,kBAAkB,EAAE,CAAO,KAAK,EAAE,OAAO,EAAE,EAAE;;QAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAChE,IAAI,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,CAAA,IAAI,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK,EAAE;YACvD,MAAM,8DAA8D,CAAC;SACtE;QAED,OAAO,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK;YACjC,CAAC,CAAC,MAAM,IAAA,uBAAiB,EAAC,OAA2B,CAAC;YACtD,CAAC,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,WAAW;gBAClC,CAAC,CAAC,MAAM,IAAA,4BAAsB,EAAC,KAAK,EAAE,OAA4B,CAAC;gBACnE,CAAC,CAAC,IAAA,uBAAgB,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC,CAAA;IACD,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,KAAK;YACL,KAAK;YACL,eAAe;YACf,UAAU;YACV,OAAO,CAAC,MAAM;YACd,UAAU;YACV,IAAI;YACJ,iBAAiB;YACjB,+BAA+B;YAC/B,cAAc;YACd,iBAAiB;SAClB,CAAC;IACJ,CAAC;IACD,aAAa,EAAE,CAAC,OAAO,EAAE,EAAE;QACzB,0CAA0C;QAC1C,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE;YAC5B,OAAO;gBACL,6BAA6B,OAAO,CAAC,IAAI,cAAc,OAAO,CAAC,SAAS,GAAG;aAC5E,CAAC;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,4BAA4B,EAAE,GAAG,EAAE,CAAC,SAAS;IAC7C,UAAU,EAAE,eAAe;IAC3B,YAAY,EAAE,KAAK;CACpB,CAAC"}
+{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../src/plugins/aws/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,qCAA8C;AAC9C,qCAAqD;AACrD,qCAAwC;AACxC,+BAA0C;AAC1C,2CAAiD;AASjD,MAAM,4BAA4B,GAAG,EAAE,GAAG,IAAI,CAAC;AAE/C,iGAAiG;AACjG,MAAM,+BAA+B,GAAG,qBAAqB,CAAC;AAE9D;;;;;;GAMG;AACH,MAAM,2BAA2B,GAAG;IAClC,kFAAkF;IAClF,sFAAsF;IACtF;QACE,OAAO,EACL,0RAA0R;KAC7R;IACD;;;;;;OAMG;IACH;QACE,OAAO,EAAE,kEAAkE;KAC5E;CACO,CAAC;AAEE,QAAA,cAAc,GAKvB;IACF,kBAAkB,EAAE,CAAO,KAAK,EAAE,OAAO,EAAE,EAAE;;QAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAChE,IAAI,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,CAAA,IAAI,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK,EAAE;YACvD,MAAM,8DAA8D,CAAC;SACtE;QAED,OAAO,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK;YACjC,CAAC,CAAC,MAAM,IAAA,uBAAiB,EAAC,OAA2B,CAAC;YACtD,CAAC,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,WAAW;gBAClC,CAAC,CAAC,MAAM,IAAA,4BAAsB,EAAC,KAAK,EAAE,OAA4B,CAAC;gBACnE,CAAC,CAAC,IAAA,uBAAgB,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC,CAAA;IAED,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,0BAAgB,GAAE,CAAC,EAAE;YAC/B,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,KAAK;IAEnB,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,GAAG,EAAE,CAAC,SAAS;IAE7C,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,KAAK;YACL,KAAK;YACL,eAAe;YACf,UAAU;YACV,OAAO,CAAC,MAAM;YACd,UAAU;YACV,IAAI;YACJ,iBAAiB;YACjB,+BAA+B;YAC/B,cAAc;YACd,iBAAiB;SAClB,CAAC;IACJ,CAAC;IAED,aAAa,EAAE,CAAC,OAAO,EAAE,EAAE;QACzB,0CAA0C;QAC1C,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE;YAC5B,OAAO;gBACL,6BAA6B,OAAO,CAAC,IAAI,cAAc,OAAO,CAAC,SAAS,GAAG;aAC5E,CAAC;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;QAC1C,MAAM,EAAE,qBAAqB,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,GAC5D,UAAU,CAAC,IAAI,CAAC;QAClB,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,qBAAqB,CAAC,UAAU,CAAC;QAC9D,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC;QAChC,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC;QAC9B,MAAM,MAAM,GAAG,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC;QACpE,OAAO,CAAC,KAAK,IAAI,CAAC,SAAS;YACzB,CAAC,iCAAM,MAAM,KAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,IACtD,CAAC,iCACM,MAAM,KACT,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,EACrC,aAAa,EAAE,IAAI,EACnB,IAAI,EAAE,KAAK,EACX,MAAM,EAAE,KAAK,GACd,CAAC;IACR,CAAC;IAED,YAAY,EAAE,CAAO,OAAO,EAAE,EAAE,kDAAC,OAAA,iCAAM,OAAO,KAAE,YAAY,EAAE,SAAS,IAAG,CAAA,GAAA;IAE1E,2BAA2B;CAC5B,CAAC"}

package/dist/plugins/aws/types.d.ts

@@ -59,6 +59,12 @@ export type AwsSshPermission = {
         accountId: string;
         region: string;
         type: "aws";
+        awsResourcePermission: {
+            permission: {
+                idcId?: string;
+                idcRegion?: string;
+            };
+        };
     };
     type: "session";
 };
@@ -67,10 +73,6 @@ export type AwsSshGenerated = {
     ssh: {
         linuxUserName: string;
     };
-    idc?: {
-        region: string;
-        id: string;
-    };
 };
 export type AwsSshPermissionSpec = PermissionSpec<"ssh", AwsSshPermission, AwsSshGenerated>;
 export type AwsSsh = CliPermissionSpec<AwsSshPermissionSpec, undefined>;

package/dist/plugins/google/ssh-key.js

@@ -61,7 +61,15 @@ const importSshKey = (publicKey, options) => __awaiter(void 0, void 0, void 0, f
         },
     });
     if (!response.ok) {
-        throw `Import of SSH public key failed. HTTP error ${response.status}: ${yield response.text()}`;
+        if (debug) {
+            (0, stdio_1.print2)(`HTTP error ${response.status}: ${yield response.text()}`);
+        }
+        if (response.status === 401) {
+            throw `Authentication failed. Please login to Google Cloud CLI with 'gcloud auth login'`;
+        }
+        else {
+            throw `Import of SSH public key failed.`;
+        }
     }
     const data = yield response.json();
     if (debug) {

package/dist/plugins/google/ssh-key.js.map

@@ -1 +1 @@
-{"version":3,"file":"ssh-key.js","sourceRoot":"","sources":["../../../src/plugins/google/ssh-key.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wDAAqD;AACrD,+CAA6C;AAG7C;;;;;;;;;;GAUG;AACI,MAAM,YAAY,GAAG,CAC1B,SAAiB,EACjB,OAA6B,EAC7B,EAAE;;IACF,MAAM,KAAK,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,mCAAI,KAAK,CAAC;IACtC,yDAAyD;IACzD,MAAM,WAAW,GAAG,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE;QAC/D,MAAM;QACN,oBAAoB;KACrB,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE;QACpD,QAAQ;QACR,WAAW;QACX,SAAS;KACV,CAAC,CAAC;IAEH,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,0BAA0B,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,OAAO,EAAE,CAC/E,CAAC;KACH;IAED,MAAM,GAAG,GAAG,2CAA2C,OAAO,qBAAqB,CAAC;IACpF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,GAAG,EAAE,SAAS;SACf,CAAC;QACF,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,MAAM,+CAA+C,QAAQ,CAAC,MAAM,KAAK,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC;KAClG;IAED,MAAM,IAAI,GAA+B,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/D,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,sDAAsD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAC7E,CAAC;KACH;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;IAE9B,yEAAyE;IACzE,MAAM,aAAa,GAAG,YAAY,CAAC,aAAa,CAAC,MAAM,CACrD,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,mBAAmB,KAAK,OAAO,CACrD,CAAC;IAEF,MAAM,YAAY,GAChB,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;QAChD,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAEhC,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EAAC,2BAA2B,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,QAAQ,EAAE,CAAC,CAAC;KAC7D;IAED,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,2HAA2H,CAAC;KACnI;IAED,OAAO,YAAY,CAAC,QAAQ,CAAC;AAC/B,CAAC,CAAA,CAAC;AAlEW,QAAA,YAAY,gBAkEvB"}
+{"version":3,"file":"ssh-key.js","sourceRoot":"","sources":["../../../src/plugins/google/ssh-key.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wDAAqD;AACrD,+CAA6C;AAG7C;;;;;;;;;;GAUG;AACI,MAAM,YAAY,GAAG,CAC1B,SAAiB,EACjB,OAA6B,EAC7B,EAAE;;IACF,MAAM,KAAK,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,mCAAI,KAAK,CAAC;IACtC,yDAAyD;IACzD,MAAM,WAAW,GAAG,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE;QAC/D,MAAM;QACN,oBAAoB;KACrB,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE;QACpD,QAAQ;QACR,WAAW;QACX,SAAS;KACV,CAAC,CAAC;IAEH,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,0BAA0B,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,OAAO,EAAE,CAC/E,CAAC;KACH;IAED,MAAM,GAAG,GAAG,2CAA2C,OAAO,qBAAqB,CAAC;IACpF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,GAAG,EAAE,SAAS;SACf,CAAC;QACF,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,KAAK,EAAE;YACT,IAAA,cAAM,EAAC,cAAc,QAAQ,CAAC,MAAM,KAAK,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;SACnE;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,kFAAkF,CAAC;SAC1F;aAAM;YACL,MAAM,kCAAkC,CAAC;SAC1C;KACF;IAED,MAAM,IAAI,GAA+B,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/D,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,sDAAsD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAC7E,CAAC;KACH;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;IAE9B,yEAAyE;IACzE,MAAM,aAAa,GAAG,YAAY,CAAC,aAAa,CAAC,MAAM,CACrD,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,mBAAmB,KAAK,OAAO,CACrD,CAAC;IAEF,MAAM,YAAY,GAChB,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;QAChD,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAEhC,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EAAC,2BAA2B,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,QAAQ,EAAE,CAAC,CAAC;KAC7D;IAED,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,2HAA2H,CAAC;KACnI;IAED,OAAO,YAAY,CAAC,QAAQ,CAAC;AAC/B,CAAC,CAAA,CAAC;AA1EW,QAAA,YAAY,gBA0EvB"}

package/dist/plugins/google/ssh.js

@@ -23,32 +23,61 @@ You should have received a copy of the GNU General Public License along with @p0
 const ssh_1 = require("../../commands/shared/ssh");
 const install_1 = require("./install");
 const ssh_key_1 = require("./ssh-key");
-/** Maximum number of attempts to start an SSH session
+// It typically takes < 1 minute for access to propagate on GCP, so set the time limit to 2 minutes.
+const PROPAGATION_TIMEOUT_LIMIT_MS = 2 * 60 * 1000;
+/**
+ * There are 7 cases of unprovisioned access in Google Cloud.
+ * These are all potentially subject to propagation delays.
+ * 1. The linux user name is not present in the user's Google Workspace profile `posixAccounts` attribute
+ * 2. The public key is not present in the user's Google Workspace profile `sshPublicKeys` attribute
+ * 3. The user cannot act as the service account of the compute instance
+ * 4. The user cannot tunnel through the IAP tunnel to the instance
+ * 5. The user doesn't have osLogin or osAdminLogin role to the instance
+ * 5.a. compute.instances.get permission is missing
+ * 5.b. compute.instances.osLogin permission is missing
+ * 6. compute.instances.osAdminLogin is not provisioned but compute.instances.osLogin is - happens when a user upgrades existing access to sudo
+ * 7: Rare occurrence, the exact conditions so far undetermined (together with CONNECTION_CLOSED_MESSAGE)
  *
- * The length of each attempt varies based on the type of error from a few seconds to < 1s
+ * 1, 2, 3 (yes!), 5b: result in PUBLIC_KEY_DENIED_MESSAGE
+ * 4: results in UNAUTHORIZED_TUNNEL_USER_MESSAGE and also CONNECTION_CLOSED_MESSAGE
+ * 5a: results in UNAUTHORIZED_INSTANCES_GET_MESSAGE
+ * 6: results in SUDO_MESSAGE
+ * 7: results in DESTINATION_READ_ERROR and also CONNECTION_CLOSED_MESSAGE
  */
-const MAX_SSH_RETRIES = 120;
-exports.gcpSshProvider = {
-    requestToSsh: (request) => {
-        return {
-            id: request.permission.spec.instanceName,
-            projectId: request.permission.spec.projectId,
-            zone: request.permission.spec.zone,
-            linuxUserName: request.cliLocalData.linuxUserName,
-            type: "gcloud",
-        };
+const unprovisionedAccessPatterns = [
+    { pattern: /Permission denied \(publickey\)/ },
+    {
+        // The output of `sudo -v` when the user is not allowed to run sudo
+        pattern: /Sorry, user .+ may not run sudo on .+/,
     },
-    toCliRequest: (request, options) => __awaiter(void 0, void 0, void 0, function* () {
-        return (Object.assign(Object.assign({}, request), { cliLocalData: {
-                linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
-            } }));
-    }),
+    { pattern: /Error while connecting \[4033: 'not authorized'\]/ },
+    {
+        pattern: /Required 'compute\.instances\.get' permission/,
+        validationWindowMs: 30e3,
+    },
+    { pattern: /Error while connecting \[4010: 'destination read failed'\]/ },
+];
+exports.gcpSshProvider = {
+    // TODO support login with Google Cloud
+    cloudProviderLogin: () => __awaiter(void 0, void 0, void 0, function* () { return undefined; }),
     ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
         if (!(yield (0, install_1.ensureGcpSshInstall)())) {
             throw "Please try again after installing the required GCP utilities";
         }
     }),
-    cloudProviderLogin: () => __awaiter(void 0, void 0, void 0, function* () { return undefined; }),
+    friendlyName: "Google Cloud",
+    loginRequiredMessage: "Please login to Google Cloud CLI with 'gcloud auth login'",
+    loginRequiredPattern: /You do not currently have an active account selected/,
+    propagationTimeoutMs: PROPAGATION_TIMEOUT_LIMIT_MS,
+    preTestAccessPropagationArgs: (cmdArgs) => {
+        if ((0, ssh_1.isSudoCommand)(cmdArgs)) {
+            return Object.assign(Object.assign({}, cmdArgs), { 
+                // `sudo -v` prints `Sorry, user <user> may not run sudo on <hostname>.` to stderr when user is not a sudoer.
+                // It prints nothing to stdout when user is a sudoer - which is important because we don't want any output from the pre-test.
+                command: "sudo", arguments: ["-v"] });
+        }
+        return undefined;
+    },
     proxyCommand: (request) => {
         return [
             "gcloud",
@@ -66,16 +95,20 @@ exports.gcpSshProvider = {
         ];
     },
     reproCommands: () => undefined,
-    preTestAccessPropagationArgs: (cmdArgs) => {
-        if ((0, ssh_1.isSudoCommand)(cmdArgs)) {
-            return Object.assign(Object.assign({}, cmdArgs), { 
-                // `sudo -v` prints `Sorry, user <user> may not run sudo on <hostname>.` to stderr when user is not a sudoer.
-                // It prints nothing to stdout when user is a sudoer - which is important because we don't want any output from the pre-test.
-                command: "sudo", arguments: ["-v"] });
-        }
-        return undefined;
+    requestToSsh: (request) => {
+        return {
+            id: request.permission.spec.instanceName,
+            projectId: request.permission.spec.projectId,
+            zone: request.permission.spec.zone,
+            linuxUserName: request.cliLocalData.linuxUserName,
+            type: "gcloud",
+        };
     },
-    maxRetries: MAX_SSH_RETRIES,
-    friendlyName: "Google Cloud",
+    unprovisionedAccessPatterns,
+    toCliRequest: (request, options) => __awaiter(void 0, void 0, void 0, function* () {
+        return (Object.assign(Object.assign({}, request), { cliLocalData: {
+                linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
+            } }));
+    }),
 };
 //# sourceMappingURL=ssh.js.map

package/dist/plugins/google/ssh.js.map

@@ -1 +1 @@
-{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAE1D,uCAAgD;AAChD,uCAAyC;AAGzC;;;GAGG;AACH,MAAM,eAAe,GAAG,GAAG,CAAC;AAEf,QAAA,cAAc,GAIvB;IACF,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY;YACxC,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;YAC5C,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI;YAClC,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,aAAa;YACjD,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IACD,YAAY,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAAC,OAAA,iCACrC,OAAO,KACV,YAAY,EAAE;gBACZ,aAAa,EAAE,MAAM,IAAA,sBAAY,EAC/B,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,EACjC,OAAO,CACR;aACF,IACD,CAAA;MAAA;IACF,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,6BAAmB,GAAE,CAAC,EAAE;YAClC,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IACD,kBAAkB,EAAE,GAAS,EAAE,kDAAC,OAAA,SAAS,CAAA,GAAA;IACzC,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,QAAQ;YACR,SAAS;YACT,kBAAkB;YAClB,OAAO,CAAC,EAAE;YACV,IAAI;YACJ,kEAAkE;YAClE,oGAAoG;YACpG,oEAAoE;YACpE,kDAAkD;YAClD,mBAAmB;YACnB,UAAU,OAAO,CAAC,IAAI,EAAE;YACxB,aAAa,OAAO,CAAC,SAAS,EAAE;SACjC,CAAC;IACJ,CAAC;IACD,aAAa,EAAE,GAAG,EAAE,CAAC,SAAS;IAC9B,4BAA4B,EAAE,CAAC,OAAO,EAAE,EAAE;QACxC,IAAI,IAAA,mBAAa,EAAC,OAAO,CAAC,EAAE;YAC1B,uCACK,OAAO;gBACV,6GAA6G;gBAC7G,6HAA6H;gBAC7H,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,IAAI,CAAC,IACjB;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,UAAU,EAAE,eAAe;IAC3B,YAAY,EAAE,cAAc;CAC7B,CAAC"}
+{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAE1D,uCAAgD;AAChD,uCAAyC;AAGzC,oGAAoG;AACpG,MAAM,4BAA4B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,2BAA2B,GAAG;IAClC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IAC9C;QACE,mEAAmE;QACnE,OAAO,EAAE,uCAAuC;KACjD;IACD,EAAE,OAAO,EAAE,mDAAmD,EAAE;IAChE;QACE,OAAO,EAAE,+CAA+C;QACxD,kBAAkB,EAAE,IAAI;KACzB;IACD,EAAE,OAAO,EAAE,4DAA4D,EAAE;CACjE,CAAC;AAEE,QAAA,cAAc,GAIvB;IACF,uCAAuC;IACvC,kBAAkB,EAAE,GAAS,EAAE,kDAAC,OAAA,SAAS,CAAA,GAAA;IAEzC,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,6BAAmB,GAAE,CAAC,EAAE;YAClC,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,cAAc;IAE5B,oBAAoB,EAClB,2DAA2D;IAE7D,oBAAoB,EAAE,sDAAsD;IAE5E,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,CAAC,OAAO,EAAE,EAAE;QACxC,IAAI,IAAA,mBAAa,EAAC,OAAO,CAAC,EAAE;YAC1B,uCACK,OAAO;gBACV,6GAA6G;gBAC7G,6HAA6H;gBAC7H,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,IAAI,CAAC,IACjB;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,QAAQ;YACR,SAAS;YACT,kBAAkB;YAClB,OAAO,CAAC,EAAE;YACV,IAAI;YACJ,kEAAkE;YAClE,oGAAoG;YACpG,oEAAoE;YACpE,kDAAkD;YAClD,mBAAmB;YACnB,UAAU,OAAO,CAAC,IAAI,EAAE;YACxB,aAAa,OAAO,CAAC,SAAS,EAAE;SACjC,CAAC;IACJ,CAAC;IAED,aAAa,EAAE,GAAG,EAAE,CAAC,SAAS;IAE9B,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY;YACxC,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;YAC5C,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI;YAClC,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,aAAa;YACjD,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IAED,2BAA2B;IAE3B,YAAY,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAAC,OAAA,iCACrC,OAAO,KACV,YAAY,EAAE;gBACZ,aAAa,EAAE,MAAM,IAAA,sBAAY,EAC/B,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,EACjC,OAAO,CACR;aACF,IACD,CAAA;MAAA;CACH,CAAC"}

package/dist/plugins/ssh/index.js

@@ -25,65 +25,11 @@ const keys_1 = require("../../common/keys");
 const stdio_1 = require("../../drivers/stdio");
 const util_1 = require("../../util");
 const node_child_process_1 = require("node:child_process");
-/** Matches the error message that AWS SSM print1 when access is not propagated */
-// Note that the resource will randomly be either the SSM document or the EC2 instance
-const UNAUTHORIZED_START_SESSION_MESSAGE = /An error occurred \(AccessDeniedException\) when calling the StartSession operation: User: arn:aws:sts::.*:assumed-role\/P0GrantsRole.* is not authorized to perform: ssm:StartSession on resource: arn:aws:.*:.*:.* because no identity-based policy allows the ssm:StartSession action/;
-/**
- * Matches the following error messages that AWS SSM print1 when ssh authorized
- * key access hasn't propagated to the instance yet.
- * - Connection closed by UNKNOWN port 65535
- * - scp: Connection closed
- * - kex_exchange_identification: Connection closed by remote host
- */
-const CONNECTION_CLOSED_MESSAGE = /\bConnection closed\b.*\b(?:by UNKNOWN port \d+|by remote host)?/;
-const PUBLIC_KEY_DENIED_MESSAGE = /Permission denied \(publickey\)/;
-const UNAUTHORIZED_TUNNEL_USER_MESSAGE = /Error while connecting \[4033: 'not authorized'\]/;
-const UNAUTHORIZED_INSTANCES_GET_MESSAGE = /Required 'compute\.instances\.get' permission/;
-const DESTINATION_READ_ERROR = /Error while connecting \[4010: 'destination read failed'\]/;
-const GOOGLE_LOGIN_MESSAGE = /You do not currently have an active account selected/;
-const SUDO_MESSAGE = /Sorry, user .+ may not run sudo on .+/; // The output of `sudo -v` when the user is not allowed to run sudo
 /** Maximum amount of time after SSH subprocess starts to check for {@link UNPROVISIONED_ACCESS_MESSAGES}
  *  in the process's stderr
  */
 const DEFAULT_VALIDATION_WINDOW_MS = 5e3;
-const RETRY_DELAY_MS = 1000;
-/**
- * AWS
- * There are 2 cases of unprovisioned access in AWS
- * 1. SSM:StartSession action is missing either on the SSM document (AWS-StartSSHSession) or the EC2 instance
- * 2. Temporary error when issuing an SCP command
- *
- * 1: results in UNAUTHORIZED_START_SESSION_MESSAGE
- * 2: results in CONNECTION_CLOSED_MESSAGE
- *
- * Google Cloud
- * There are 7 cases of unprovisioned access in Google Cloud.
- * These are all potentially subject to propagation delays.
- * 1. The linux user name is not present in the user's Google Workspace profile `posixAccounts` attribute
- * 2. The public key is not present in the user's Google Workspace profile `sshPublicKeys` attribute
- * 3. The user cannot act as the service account of the compute instance
- * 4. The user cannot tunnel through the IAP tunnel to the instance
- * 5. The user doesn't have osLogin or osAdminLogin role to the instance
- * 5.a. compute.instances.get permission is missing
- * 5.b. compute.instances.osLogin permission is missing
- * 6. compute.instances.osAdminLogin is not provisioned but compute.instances.osLogin is - happens when a user upgrades existing access to sudo
- * 7: Rare occurrence, the exact conditions so far undetermined (together with CONNECTION_CLOSED_MESSAGE)
- *
- * 1, 2, 3 (yes!), 5b: result in PUBLIC_KEY_DENIED_MESSAGE
- * 4: results in UNAUTHORIZED_TUNNEL_USER_MESSAGE and also CONNECTION_CLOSED_MESSAGE
- * 5a: results in UNAUTHORIZED_INSTANCES_GET_MESSAGE
- * 6: results in SUDO_MESSAGE
- * 7: results in DESTINATION_READ_ERROR and also CONNECTION_CLOSED_MESSAGE
- */
-const UNPROVISIONED_ACCESS_MESSAGES = [
-    { pattern: UNAUTHORIZED_START_SESSION_MESSAGE },
-    { pattern: CONNECTION_CLOSED_MESSAGE },
-    { pattern: PUBLIC_KEY_DENIED_MESSAGE },
-    { pattern: SUDO_MESSAGE },
-    { pattern: UNAUTHORIZED_TUNNEL_USER_MESSAGE },
-    { pattern: UNAUTHORIZED_INSTANCES_GET_MESSAGE, validationWindowMs: 30e3 },
-    { pattern: DESTINATION_READ_ERROR },
-];
+const RETRY_DELAY_MS = 5000;
 /** Checks if access has propagated through AWS to the SSM agent
  *
  * AWS takes about 8 minutes, GCP takes under 1 minute
@@ -100,77 +46,102 @@ const UNPROVISIONED_ACCESS_MESSAGES = [
  * This works because AWS SSM wraps the session in a single-stream pty, so we
  * do not capture stderr emitted from the wrapped shell session.
  */
-const accessPropagationGuard = (child, debug) => {
+const accessPropagationGuard = (provider, child, options) => {
     let isEphemeralAccessDeniedException = false;
-    let isGoogleLoginException = false;
-    const beforeStart = Date.now();
+    let isLoginException = false;
     child.stderr.on("data", (chunk) => {
         const chunkString = chunk.toString("utf-8");
-        if (debug)
-            (0, stdio_1.print2)(chunkString);
-        const match = UNPROVISIONED_ACCESS_MESSAGES.find((message) => chunkString.match(message.pattern));
-        if (match &&
-            Date.now() <=
-                beforeStart + (match.validationWindowMs || DEFAULT_VALIDATION_WINDOW_MS)) {
+        parseAndPrintSshOutputToStderr(chunkString, options);
+        const match = provider.unprovisionedAccessPatterns.find((message) => chunkString.match(message.pattern));
+        if (match) {
             isEphemeralAccessDeniedException = true;
         }
-        const googleLoginMatch = chunkString.match(GOOGLE_LOGIN_MESSAGE);
-        isGoogleLoginException = isGoogleLoginException || !!googleLoginMatch; // once true, always true
-        if (isGoogleLoginException) {
+        if (provider.loginRequiredPattern) {
+            const loginMatch = chunkString.match(provider.loginRequiredPattern);
+            isLoginException = isLoginException || !!loginMatch; // once true, always true
+        }
+        if (isLoginException) {
             isEphemeralAccessDeniedException = false; // always overwrite to false so we don't retry the access
         }
     });
     return {
         isAccessPropagated: () => !isEphemeralAccessDeniedException,
-        isGoogleLoginException: () => isGoogleLoginException,
+        isLoginException: () => isLoginException,
     };
 };
+/**
+ * Parses and prints a chunk of SSH output to stderr.
+ *
+ * If debug is enabled, all output is printed. Otherwise, only selected messages are printed.
+ *
+ * @param chunkString the chunk to print
+ * @param options SSH spawn options
+ */
+const parseAndPrintSshOutputToStderr = (chunkString, options) => {
+    const lines = chunkString.split("\n");
+    const isPreTest = options.isAccessPropagationPreTest;
+    for (const line of lines) {
+        if (options.debug) {
+            (0, stdio_1.print2)(line);
+        }
+        else {
+            if (!isPreTest && line.includes("Authenticated to")) {
+                // We want to let the user know that they successfully authenticated
+                (0, stdio_1.print2)(line);
+            }
+            else if (!isPreTest && line.includes("port forwarding failed")) {
+                // We also want to let the user know if port forwarding failed
+                (0, stdio_1.print2)(line);
+            }
+        }
+    }
+};
 const spawnChildProcess = (credential, command, args, stdio) => (0, node_child_process_1.spawn)(command, args, {
     env: Object.assign(Object.assign({}, process.env), credential),
     stdio,
     shell: false,
 });
-/** Starts an SSM session in the terminal by spawning `aws ssm` as a subprocess
- *
- * Requires `aws ssm` to be installed on the client machine.
- */
 function spawnSshNode(options) {
     return __awaiter(this, void 0, void 0, function* () {
         return new Promise((resolve, reject) => {
             const provider = ssh_1.SSH_PROVIDERS[options.provider];
-            const attemptsRemaining = options.attemptsRemaining;
             if (options.debug) {
                 const gerund = options.isAccessPropagationPreTest
                     ? "Pre-testing"
                     : "Trying";
-                (0, stdio_1.print2)(`Waiting for access to propagate. ${gerund} SSH session... (remaining attempts: ${attemptsRemaining})`);
+                const remainingSeconds = ((options.endTime - Date.now()) / 1e3).toFixed(1);
+                (0, stdio_1.print2)(`Waiting for access to propagate. ${gerund} SSH session... (will wait up to ${remainingSeconds} seconds)`);
             }
             const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio);
             // TODO ENG-2284 support login with Google Cloud: currently return a boolean to indicate if the exception was a Google login error.
-            const { isAccessPropagated, isGoogleLoginException } = accessPropagationGuard(child, options.debug);
+            const { isAccessPropagated, isLoginException } = accessPropagationGuard(provider, child, options);
             const exitListener = child.on("exit", (code) => {
-                var _a;
+                var _a, _b;
                 exitListener.unref();
                 // In the case of ephemeral AccessDenied exceptions due to unpropagated
                 // permissions, continually retry access until success
                 if (!isAccessPropagated()) {
-                    if (attemptsRemaining <= 0) {
-                        reject(`Access did not propagate through ${provider.friendlyName} before max retry attempts were exceeded. Please contact support@p0.dev for assistance.`);
+                    if (options.endTime < Date.now()) {
+                        reject(`Access did not propagate through ${provider.friendlyName} in time. Please contact support@p0.dev for assistance.`);
                         return;
                     }
                     (0, util_1.delay)(RETRY_DELAY_MS)
-                        .then(() => spawnSshNode(Object.assign(Object.assign({}, options), { attemptsRemaining: attemptsRemaining - 1 })))
+                        .then(() => spawnSshNode(options))
                         .then((code) => resolve(code))
                         .catch(reject);
                     return;
                 }
-                else if (isGoogleLoginException()) {
-                    reject(`Please login to Google Cloud CLI with 'gcloud auth login'`);
+                else if (isLoginException()) {
+                    reject((_a = provider.loginRequiredMessage) !== null && _a !== void 0 ? _a : `Please log in to the ${provider.friendlyName} CLI to SSH`);
                     return;
                 }
-                (_a = options.abortController) === null || _a === void 0 ? void 0 : _a.abort(code);
-                if (!options.isAccessPropagationPreTest)
+                (_b = options.abortController) === null || _b === void 0 ? void 0 : _b.abort(code);
+                if (code && code !== 0) {
+                    (0, stdio_1.print2)(`Failed to establish an SSH session.${!options.debug ? " Use the --debug option to see additional details." : ""}`);
+                }
+                else if (!options.isAccessPropagationPreTest) {
                     (0, stdio_1.print2)(`SSH session terminated`);
+                }
                 resolve(code);
             });
         });
@@ -227,6 +198,7 @@ const addCommonArgs = (args, proxyCommand) => {
     if (!proxyCommandExists) {
         sshOptions.push("-o", `ProxyCommand=${proxyCommand.join(" ")}`);
     }
+    // Force verbose output from SSH so we can parse the output
     const verboseOptionExists = sshOptions.some((opt) => opt === "-v");
     if (!verboseOptionExists) {
         sshOptions.push("-v");
@@ -261,7 +233,7 @@ const transformForShell = (args) => {
     });
 };
 /** Construct another command to use for testing access propagation prior to actually logging in the user to the ssh session */
-const preTestAccessPropagationIfNeeded = (sshProvider, request, cmdArgs, proxyCommand, credential) => __awaiter(void 0, void 0, void 0, function* () {
+const preTestAccessPropagationIfNeeded = (sshProvider, request, cmdArgs, proxyCommand, credential, endTime) => __awaiter(void 0, void 0, void 0, function* () {
     const testCmdArgs = sshProvider.preTestAccessPropagationArgs(cmdArgs);
     // Pre-testing comes at a performance cost because we have to execute another ssh subprocess after
     // a successful test. Only do when absolutely necessary.
@@ -276,7 +248,7 @@ const preTestAccessPropagationIfNeeded = (sshProvider, request, cmdArgs, proxyCo
             stdio: ["inherit", "inherit", "pipe"],
             debug: cmdArgs.debug,
             provider: request.type,
-            attemptsRemaining: sshProvider.maxRetries,
+            endTime: endTime,
             isAccessPropagationPreTest: true,
         });
     }
@@ -300,9 +272,11 @@ const sshOrScp = (args) => __awaiter(void 0, void 0, void 0, function* () {
             (0, stdio_1.print2)(`Execute the following commands to create a similar SSH/SCP session:\n*** COMMANDS BEGIN ***\n${repro}\n*** COMMANDS END ***"\n`);
         }
     }
-    const exitCode = yield preTestAccessPropagationIfNeeded(sshProvider, request, cmdArgs, proxyCommand, credential);
+    const endTime = Date.now() + sshProvider.propagationTimeoutMs;
+    const exitCode = yield preTestAccessPropagationIfNeeded(sshProvider, request, cmdArgs, proxyCommand, credential, endTime);
+    // Only exit if there was an error when pre-testing
     if (exitCode && exitCode !== 0) {
-        return exitCode; // Only exit if there was an error when pre-testing
+        return exitCode;
     }
     return spawnSshNode({
         credential,
@@ -312,7 +286,7 @@ const sshOrScp = (args) => __awaiter(void 0, void 0, void 0, function* () {
         stdio: ["inherit", "inherit", "pipe"],
         debug: cmdArgs.debug,
         provider: request.type,
-        attemptsRemaining: sshProvider.maxRetries,
+        endTime: endTime,
     });
 });
 exports.sshOrScp = sshOrScp;