npm - @p0security/cli - Versions diffs - 0.11.1 → 0.11.3 - Mend

@p0security/cli 0.11.1 → 0.11.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/dist/commands/__tests__/login.test.js +17 -0
package/dist/commands/__tests__/login.test.js.map +1 -1
package/dist/commands/__tests__/ls.test.js +4 -3
package/dist/commands/__tests__/ls.test.js.map +1 -1
package/dist/commands/__tests__/ssh.test.js +10 -5
package/dist/commands/__tests__/ssh.test.js.map +1 -1
package/dist/commands/kubeconfig.js +11 -15
package/dist/commands/kubeconfig.js.map +1 -1
package/dist/commands/login.js +11 -0
package/dist/commands/login.js.map +1 -1
package/dist/commands/ls.js +4 -6
package/dist/commands/ls.js.map +1 -1
package/dist/commands/shared/request.js +2 -2
package/dist/commands/shared/request.js.map +1 -1
package/dist/drivers/__mocks__/stdio.d.ts +14 -0
package/dist/drivers/__mocks__/stdio.js +26 -0
package/dist/drivers/__mocks__/stdio.js.map +1 -0
package/dist/drivers/ansi.d.ts +8 -0
package/dist/drivers/ansi.js +25 -0
package/dist/drivers/ansi.js.map +1 -0
package/dist/drivers/auth.d.ts +1 -0
package/dist/drivers/auth.js +8 -4
package/dist/drivers/auth.js.map +1 -1
package/dist/drivers/stdio.d.ts +6 -5
package/dist/drivers/stdio.js +50 -7
package/dist/drivers/stdio.js.map +1 -1
package/dist/plugins/aws/__tests__/utils.test.d.ts +1 -0
package/dist/plugins/aws/__tests__/utils.test.js +82 -0
package/dist/plugins/aws/__tests__/utils.test.js.map +1 -0
package/dist/plugins/aws/ssh.js +45 -23
package/dist/plugins/aws/ssh.js.map +1 -1
package/dist/plugins/aws/types.d.ts +6 -4
package/dist/plugins/aws/utils.d.ts +20 -0
package/dist/plugins/aws/utils.js +54 -0
package/dist/plugins/aws/utils.js.map +1 -0
package/dist/plugins/google/ssh-key.js +9 -1
package/dist/plugins/google/ssh-key.js.map +1 -1
package/dist/plugins/google/ssh.js +61 -28
package/dist/plugins/google/ssh.js.map +1 -1
package/dist/plugins/kubeconfig/index.d.ts +2 -2
package/dist/plugins/kubeconfig/index.js +17 -14
package/dist/plugins/kubeconfig/index.js.map +1 -1
package/dist/plugins/kubeconfig/types.d.ts +9 -8
package/dist/plugins/ssh/index.js +55 -86
package/dist/plugins/ssh/index.js.map +1 -1
package/dist/types/ssh.d.ts +28 -13
package/package.json +3 -3

package/dist/drivers/stdio.js CHANGED Viewed

@@ -9,15 +9,25 @@ This file is part of @p0security/cli
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Ansi = exports.print2 = exports.print1 = void 0;
+exports.spinUntil = exports.clear2 = exports.reset2 = exports.print2 = exports.print1 = void 0;
 /** Functions to handle stdio
  *
  * These are essentially wrappers around console.foo, but allow for
  * - Better testing
  * - Later redirection / duplication
  */
-const lodash_1 = require("lodash");
+const util_1 = require("../util");
+const ansi_1 = require("./ansi");
 /** Used to output machine-readable text to stdout
  *
  * In general this should not be used for text meant to be consumed
@@ -37,10 +47,43 @@ function print2(message) {
     console.error(message);
 }
 exports.print2 = print2;
-const AnsiCodes = {
-    Reset: "00",
-    Dim: "02",
-    Yellow: "33",
+/** Resets the terminal cursor to the beginning of the line */
+function reset2() {
+    process.stderr.write((0, ansi_1.Ansi)("0G"));
+}
+exports.reset2 = reset2;
+/** Clears the current terminal line */
+function clear2() {
+    // Replaces text with spaces
+    process.stderr.write((0, ansi_1.Ansi)("2K"));
+    reset2();
+}
+exports.clear2 = clear2;
+const Spin = {
+    items: ["⠇", "⠋", "⠙", "⠸", "⠴", "⠦"],
+    delayMs: 200,
 };
-exports.Ansi = (0, lodash_1.mapValues)(AnsiCodes, (v) => `\u001b[${v}m`);
+/** Prints a Unicode spinner until a promise resolves */
+const spinUntil = (message, promise) => __awaiter(void 0, void 0, void 0, function* () {
+    let isDone = false;
+    let ix = 0;
+    // 'catch' here just prevents UncaughtExceptionError; errors are sent to caller
+    // on function return
+    void promise.finally(() => (isDone = true)).catch(() => { });
+    while (!isDone) {
+        yield (0, util_1.sleep)(Spin.delayMs);
+        if (isDone)
+            break;
+        clear2();
+        process.stderr.write(ansi_1.AnsiSgr.Green +
+            Spin.items[ix % Spin.items.length] +
+            " " +
+            message +
+            ansi_1.AnsiSgr.Reset);
+        ix++;
+    }
+    clear2();
+    return yield promise;
+});
+exports.spinUntil = spinUntil;
 //# sourceMappingURL=stdio.js.map

package/dist/drivers/stdio.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../src/drivers/stdio.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG~~;;;~~AAEH;;;;;GAKG;AACH,~~mCAAmC~~;~~AAEnC~~;;;;GAIG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACvB,CAAC;AAHD,wBAGC;AAED;;;GAGG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAHD,wBAGC;AAED,MAAM,~~SAAS~~,~~GAAG~~;~~IAChB~~,KAAK,EAAE,IAAI;IACX,GAAG,EAAE,~~IAAI~~;~~IACT~~,MAAM,EAAE,IAAI;~~CACJ~~,CAAC;~~AAEE~~,~~QAAA~~,IAAI,GAAG,IAAA,~~kBAAS~~,EAAC,~~SAAS~~,~~EAAE~~,CAAC,CAAC,EAAE,EAAE,CAAC,~~UAAU~~,CAAC,GAAG,CAAC,CAAC"}
1	+ {"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../src/drivers/stdio.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;;;;;;;;;;AAEH;;;;;GAKG;AACH,kCAAgC;AAChC,iCAAuC;AAEvC;;;;GAIG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACvB,CAAC;AAHD,wBAGC;AAED;;;GAGG;AACH,SAAgB,MAAM,CAAC,OAAY;IACjC,sCAAsC;IACtC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAHD,wBAGC;AAED,8DAA8D;AAC9D,SAAgB,MAAM;IACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,WAAI,EAAC,IAAI,CAAC,CAAC,CAAC;AACnC,CAAC;AAFD,wBAEC;AAED,uCAAuC;AACvC,SAAgB,MAAM;IACpB,4BAA4B;IAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,WAAI,EAAC,IAAI,CAAC,CAAC,CAAC;IACjC,MAAM,EAAE,CAAC;AACX,CAAC;AAJD,wBAIC;AAED,MAAM,IAAI,GAAG;IACX,KAAK,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IACrC,OAAO,EAAE,GAAG;CACb,CAAC;AAEF,wDAAwD;AACjD,MAAM,SAAS,GAAG,CAAU,OAAe,EAAE,OAAmB,EAAE,EAAE;IACzE,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,EAAE,GAAG,CAAC,CAAC;IACX,+EAA+E;IAC/E,qBAAqB;IACrB,KAAK,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAC5D,OAAO,CAAC,MAAM,EAAE;QACd,MAAM,IAAA,YAAK,EAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1B,IAAI,MAAM;YAAE,MAAM;QAClB,MAAM,EAAE,CAAC;QACT,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,cAAO,CAAC,KAAK;YACX,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;YAClC,GAAG;YACH,OAAO;YACP,cAAO,CAAC,KAAK,CAChB,CAAC;QACF,EAAE,EAAE,CAAC;KACN;IACD,MAAM,EAAE,CAAC;IACT,OAAO,MAAM,OAAO,CAAC;AACvB,CAAC,CAAA,CAAC;AArBW,QAAA,SAAS,aAqBpB"}

package/dist/plugins/aws/__tests__/utils.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/plugins/aws/__tests__/utils.test.js ADDED Viewed

@@ -0,0 +1,82 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+/** Copyright © 2024-present P0 Security
+This file is part of @p0security/cli
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const utils_1 = require("../utils");
+describe("parseArn() function", () => {
+    it.each([
+        "badarn:aws:ec2:us-east-1:123456789012:vpc/vpc-0e9801d129EXAMPLE",
+        ":aws:ec2:us-east-1:123456789012:vpc/vpc-0e9801d129EXAMPLE",
+        "arn:aws:ec2:us-east-1:123456789012", // Too few elements
+    ])('Raises an "Invalid ARN" error', (arn) => {
+        expect(() => (0, utils_1.parseArn)(arn)).toThrow("Invalid AWS ARN");
+    });
+    it("Parses a valid ARN with all fields correctly", () => {
+        const arn = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0e9801d129EXAMPLE";
+        const parsed = (0, utils_1.parseArn)(arn);
+        expect(parsed).toEqual({
+            partition: "aws",
+            service: "ec2",
+            region: "us-east-1",
+            accountId: "123456789012",
+            resource: "vpc/vpc-0e9801d129EXAMPLE",
+        });
+    });
+    it("Parses a valid ARN with colons in the resource correctly", () => {
+        // Note: This is not the format we would expect an EKS ARN to actually be in (it should
+        // use a / instead of a : in the resource); this is just for unit testing purposes.
+        const arn = "arn:aws:eks:us-west-2:123456789012:cluster:my-testing-cluster";
+        const parsed = (0, utils_1.parseArn)(arn);
+        expect(parsed).toEqual({
+            partition: "aws",
+            service: "eks",
+            region: "us-west-2",
+            accountId: "123456789012",
+            resource: "cluster:my-testing-cluster",
+        });
+    });
+    it("Parses a valid ARN with no region correctly", () => {
+        const arn = "arn:aws:iam::123456789012:user/johndoe";
+        const parsed = (0, utils_1.parseArn)(arn);
+        expect(parsed).toEqual({
+            partition: "aws",
+            service: "iam",
+            region: "",
+            accountId: "123456789012",
+            resource: "user/johndoe",
+        });
+    });
+    it("Parses a valid ARN with no account ID correctly", () => {
+        // Note: This is not a valid SNS ARN; they would ordinarily have an account ID. This is
+        // just for unit testing purposes.
+        const arn = "arn:aws-us-gov:sns:us-east-1::example-sns-topic-name";
+        const parsed = (0, utils_1.parseArn)(arn);
+        expect(parsed).toEqual({
+            partition: "aws-us-gov",
+            service: "sns",
+            region: "us-east-1",
+            accountId: "",
+            resource: "example-sns-topic-name",
+        });
+    });
+    it("Parses a valid ARN with no region or account ID correctly", () => {
+        const arn = "arn:aws-cn:s3:::my-corporate-bucket";
+        const parsed = (0, utils_1.parseArn)(arn);
+        expect(parsed).toEqual({
+            partition: "aws-cn",
+            service: "s3",
+            region: "",
+            accountId: "",
+            resource: "my-corporate-bucket",
+        });
+    });
+});
+//# sourceMappingURL=utils.test.js.map

package/dist/plugins/aws/__tests__/utils.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"utils.test.js","sourceRoot":"","sources":["../../../../src/plugins/aws/__tests__/utils.test.ts"],"names":[],"mappings":";;AAAA;;;;;;;;;GASG;AACH,oCAAoC;AAEpC,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,EAAE,CAAC,IAAI,CAAC;QACN,iEAAiE;QACjE,2DAA2D;QAC3D,oCAAoC,EAAE,mBAAmB;KAC1D,CAAC,CAAC,+BAA+B,EAAE,CAAC,GAAG,EAAE,EAAE;QAC1C,MAAM,CAAC,GAAG,EAAE,CAAC,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,GAAG,GAAG,8DAA8D,CAAC;QAE3E,MAAM,MAAM,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,cAAc;YACzB,QAAQ,EAAE,2BAA2B;SACtC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;QAClE,uFAAuF;QACvF,mFAAmF;QACnF,MAAM,GAAG,GAAG,+DAA+D,CAAC;QAE5E,MAAM,MAAM,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,cAAc;YACzB,QAAQ,EAAE,4BAA4B;SACvC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,GAAG,GAAG,wCAAwC,CAAC;QAErD,MAAM,MAAM,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,EAAE;YACV,SAAS,EAAE,cAAc;YACzB,QAAQ,EAAE,cAAc;SACzB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,uFAAuF;QACvF,kCAAkC;QAClC,MAAM,GAAG,GAAG,sDAAsD,CAAC;QAEnE,MAAM,MAAM,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,YAAY;YACvB,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,EAAE;YACb,QAAQ,EAAE,wBAAwB;SACnC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,GAAG,GAAG,qCAAqC,CAAC;QAElD,MAAM,MAAM,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,QAAQ;YACnB,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,EAAE;YACV,SAAS,EAAE,EAAE;YACb,QAAQ,EAAE,qBAAqB;SAChC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/plugins/aws/ssh.js CHANGED Viewed

@@ -15,29 +15,34 @@ const aws_1 = require("../okta/aws");
 const config_1 = require("./config");
 const idc_1 = require("./idc");
 const install_1 = require("./ssm/install");
-/** Maximum number of attempts to start an SSH session
- *
- * Each attempt consumes ~ 1 s.
- */
-const MAX_SSH_RETRIES = 30;
+const PROPAGATION_TIMEOUT_LIMIT_MS = 30 * 1000;
 /** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
 const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
-exports.awsSshProvider = {
-    requestToSsh: (request) => {
-        const { permission, generated } = request;
-        const { instanceId, accountId, region } = permission.spec;
-        const { idc, ssh, name } = generated;
-        const { linuxUserName } = ssh;
-        const common = { linuxUserName, accountId, region, id: instanceId };
-        return !idc
-            ? Object.assign(Object.assign({}, common), { role: name, type: "aws", access: "role" }) : Object.assign(Object.assign({}, common), { idc, permissionSet: name, type: "aws", access: "idc" });
+/**There are 2 cases of unprovisioned access in AWS
+ * 1. SSM:StartSession action is missing either on the SSM document (AWS-StartSSHSession) or the EC2 instance
+ * 2. Temporary error when issuing an SCP command
+ *
+ * 1: results in UNAUTHORIZED_START_SESSION_MESSAGE
+ * 2: results in CONNECTION_CLOSED_MESSAGE
+ */
+const unprovisionedAccessPatterns = [
+    /** Matches the error message that AWS SSM prints when access is not propagated */
+    // Note that the resource will randomly be either the SSM document or the EC2 instance
+    {
+        pattern: /An error occurred \(AccessDeniedException\) when calling the StartSession operation: User: arn:aws:sts::.*:assumed-role\/P0GrantsRole.* is not authorized to perform: ssm:StartSession on resource: arn:aws:.*:.*:.* because no identity-based policy allows the ssm:StartSession action/,
     },
-    toCliRequest: (request) => __awaiter(void 0, void 0, void 0, function* () { return (Object.assign(Object.assign({}, request), { cliLocalData: undefined })); }),
-    ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
-        if (!(yield (0, install_1.ensureSsmInstall)())) {
-            throw "Please try again after installing the required AWS utilities";
-        }
-    }),
+    /**
+     * Matches the following error messages that AWS SSM pints when ssh authorized
+     * key access hasn't propagated to the instance yet.
+     * - Connection closed by UNKNOWN port 65535
+     * - scp: Connection closed
+     * - kex_exchange_identification: Connection closed by remote host
+     */
+    {
+        pattern: /\bConnection closed\b.*\b(?:by UNKNOWN port \d+|by remote host)?/,
+    },
+];
+exports.awsSshProvider = {
     cloudProviderLogin: (authn, request) => __awaiter(void 0, void 0, void 0, function* () {
         var _a, _b, _c, _d;
         const { config } = yield (0, config_1.getAwsConfig)(authn, request.accountId);
@@ -50,6 +55,14 @@ exports.awsSshProvider = {
                 ? yield (0, aws_1.assumeRoleWithOktaSaml)(authn, request)
                 : (0, util_1.throwAssertNever)(config.login);
     }),
+    ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
+        if (!(yield (0, install_1.ensureSsmInstall)())) {
+            throw "Please try again after installing the required AWS utilities";
+        }
+    }),
+    friendlyName: "AWS",
+    propagationTimeoutMs: PROPAGATION_TIMEOUT_LIMIT_MS,
+    preTestAccessPropagationArgs: () => undefined,
     proxyCommand: (request) => {
         return [
             "aws",
@@ -74,8 +87,17 @@ exports.awsSshProvider = {
         }
         return undefined;
     },
-    preTestAccessPropagationArgs: () => undefined,
-    maxRetries: MAX_SSH_RETRIES,
-    friendlyName: "AWS",
+    requestToSsh: (request) => {
+        const { permission, generated } = request;
+        const { awsResourcePermission, instanceId, accountId, region } = permission.spec;
+        const { idcId, idcRegion } = awsResourcePermission.permission;
+        const { ssh, name } = generated;
+        const { linuxUserName } = ssh;
+        const common = { linuxUserName, accountId, region, id: instanceId };
+        return !idcId || !idcRegion
+            ? Object.assign(Object.assign({}, common), { role: name, type: "aws", access: "role" }) : Object.assign(Object.assign({}, common), { idc: { id: idcId, region: idcRegion }, permissionSet: name, type: "aws", access: "idc" });
+    },
+    toCliRequest: (request) => __awaiter(void 0, void 0, void 0, function* () { return (Object.assign(Object.assign({}, request), { cliLocalData: undefined })); }),
+    unprovisionedAccessPatterns,
 };
 //# sourceMappingURL=ssh.js.map

package/dist/plugins/aws/ssh.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../src/plugins/aws/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,qCAA8C;AAC9C,qCAAqD;AACrD,qCAAwC;AACxC,+BAA0C;AAC1C,2CAAiD;AASjD~~;;;GAGG;AACH~~,MAAM,~~eAAe~~,GAAG,EAAE,CAAC;~~AAE3B~~,iGAAiG;AACjG,MAAM,+BAA+B,GAAG,qBAAqB,CAAC;~~AAEjD,QAAA,cAAc,GAKvB~~;~~IACF~~,~~YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,~~MAAM,~~EAAE~~,~~UAAU,EAAE,SAAS,EAAE,~~GAAG~~,OAAO,CAAC~~;~~QAC1C~~,~~MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,UAAU,CAAC,IAAI,CAAC~~;~~QAC1D~~,~~MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC~~;~~QACrC,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC~~;~~QAC9B~~,~~MAAM,MAAM,GAAG,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC;QACpE,~~OAAO,~~CAAC~~,~~GAAG~~;~~YACT,CAAC,iCAAM,MAAM,KAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,IACtD,CAAC,iCACM,MAAM,KACT,GAAG,EACH,aAAa,EAAE,IAAI,EACnB,IAAI,EAAE,KAAK,EACX,MAAM,EAAE,KAAK,GACd,CAAC~~;~~IACR,CAAC~~;~~IACD~~,~~YAAY,EAAE,CAAO,~~OAAO,EAAE,~~EAAE,kDAAC,OAAA,iCAAM,OAAO,KAAE,YAAY,EAAE,SAAS,IAAG,CAAA,GAAA~~;~~IAC1E,aAAa,EAAE,GAAS,EAAE~~;~~QACxB~~,~~IAAI,~~CAAC~~,CAAC,MAAM,IAAA,0BAAgB,GAAE,CAAC,EAAE~~;~~YAC/B~~,~~MAAM~~,~~8DAA8D~~,~~CAAC~~;~~SACtE;IACH~~,~~CAAC,CAAA;IACD,~~kBAAkB,EAAE,CAAO,KAAK,EAAE,OAAO,EAAE,EAAE;;QAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAChE,IAAI,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,CAAA,IAAI,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK,EAAE;YACvD,MAAM,8DAA8D,CAAC;SACtE;QAED,OAAO,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK;YACjC,CAAC,CAAC,MAAM,IAAA,uBAAiB,EAAC,OAA2B,CAAC;YACtD,CAAC,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,WAAW;gBAClC,CAAC,CAAC,MAAM,IAAA,4BAAsB,EAAC,KAAK,EAAE,OAA4B,CAAC;gBACnE,CAAC,CAAC,IAAA,uBAAgB,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC,CAAA;~~IACD~~,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,KAAK;YACL,KAAK;YACL,eAAe;YACf,UAAU;YACV,OAAO,CAAC,MAAM;YACd,UAAU;YACV,IAAI;YACJ,iBAAiB;YACjB,+BAA+B;YAC/B,cAAc;YACd,iBAAiB;SAClB,CAAC;IACJ,CAAC;~~IACD~~,aAAa,EAAE,CAAC,OAAO,EAAE,EAAE;QACzB,0CAA0C;QAC1C,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE;YAC5B,OAAO;gBACL,6BAA6B,OAAO,CAAC,IAAI,cAAc,OAAO,CAAC,SAAS,GAAG;aAC5E,CAAC;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;~~IACD~~,~~4BAA4B~~,EAAE,GAAG,EAAE,CAAC,SAAS;~~IAC7C~~,UAAU,EAAE,~~eAAe~~;~~IAC3B~~,~~YAAY~~,EAAE,KAAK;~~CACpB~~,CAAC"}
1	+ {"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../src/plugins/aws/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,qCAA8C;AAC9C,qCAAqD;AACrD,qCAAwC;AACxC,+BAA0C;AAC1C,2CAAiD;AASjD,MAAM,4BAA4B,GAAG,EAAE,GAAG,IAAI,CAAC;AAE/C,iGAAiG;AACjG,MAAM,+BAA+B,GAAG,qBAAqB,CAAC;AAE9D;;;;;;GAMG;AACH,MAAM,2BAA2B,GAAG;IAClC,kFAAkF;IAClF,sFAAsF;IACtF;QACE,OAAO,EACL,0RAA0R;KAC7R;IACD;;;;;;OAMG;IACH;QACE,OAAO,EAAE,kEAAkE;KAC5E;CACO,CAAC;AAEE,QAAA,cAAc,GAKvB;IACF,kBAAkB,EAAE,CAAO,KAAK,EAAE,OAAO,EAAE,EAAE;;QAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAChE,IAAI,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,CAAA,IAAI,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK,EAAE;YACvD,MAAM,8DAA8D,CAAC;SACtE;QAED,OAAO,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,KAAK;YACjC,CAAC,CAAC,MAAM,IAAA,uBAAiB,EAAC,OAA2B,CAAC;YACtD,CAAC,CAAC,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,WAAW;gBAClC,CAAC,CAAC,MAAM,IAAA,4BAAsB,EAAC,KAAK,EAAE,OAA4B,CAAC;gBACnE,CAAC,CAAC,IAAA,uBAAgB,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC,CAAA;IAED,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,0BAAgB,GAAE,CAAC,EAAE;YAC/B,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,KAAK;IAEnB,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,GAAG,EAAE,CAAC,SAAS;IAE7C,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,KAAK;YACL,KAAK;YACL,eAAe;YACf,UAAU;YACV,OAAO,CAAC,MAAM;YACd,UAAU;YACV,IAAI;YACJ,iBAAiB;YACjB,+BAA+B;YAC/B,cAAc;YACd,iBAAiB;SAClB,CAAC;IACJ,CAAC;IAED,aAAa,EAAE,CAAC,OAAO,EAAE,EAAE;QACzB,0CAA0C;QAC1C,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE;YAC5B,OAAO;gBACL,6BAA6B,OAAO,CAAC,IAAI,cAAc,OAAO,CAAC,SAAS,GAAG;aAC5E,CAAC;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;QAC1C,MAAM,EAAE,qBAAqB,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,GAC5D,UAAU,CAAC,IAAI,CAAC;QAClB,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,qBAAqB,CAAC,UAAU,CAAC;QAC9D,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC;QAChC,MAAM,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC;QAC9B,MAAM,MAAM,GAAG,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC;QACpE,OAAO,CAAC,KAAK,IAAI,CAAC,SAAS;YACzB,CAAC,iCAAM,MAAM,KAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,IACtD,CAAC,iCACM,MAAM,KACT,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,EACrC,aAAa,EAAE,IAAI,EACnB,IAAI,EAAE,KAAK,EACX,MAAM,EAAE,KAAK,GACd,CAAC;IACR,CAAC;IAED,YAAY,EAAE,CAAO,OAAO,EAAE,EAAE,kDAAC,OAAA,iCAAM,OAAO,KAAE,YAAY,EAAE,SAAS,IAAG,CAAA,GAAA;IAE1E,2BAA2B;CAC5B,CAAC"}

package/dist/plugins/aws/types.d.ts CHANGED Viewed

@@ -59,6 +59,12 @@ export type AwsSshPermission = {
         accountId: string;
         region: string;
         type: "aws";
+        awsResourcePermission: {
+            permission: {
+                idcId?: string;
+                idcRegion?: string;
+            };
+        };
     };
     type: "session";
 };
@@ -67,10 +73,6 @@ export type AwsSshGenerated = {
     ssh: {
         linuxUserName: string;
     };
-    idc?: {
-        region: string;
-        id: string;
-    };
 };
 export type AwsSshPermissionSpec = PermissionSpec<"ssh", AwsSshPermission, AwsSshGenerated>;
 export type AwsSsh = CliPermissionSpec<AwsSshPermissionSpec, undefined>;

package/dist/plugins/aws/utils.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+ * Parses out Amazon Resource Names (ARNs) from AWS into their components. Note
+ * that not all components are present in all ARNs (depending on the service;
+ * for example, S3 ARNs don't have a region or account ID), and the final
+ * component of the ARN (`resource`) may contain its own internal structure that
+ * is also service-dependent and which may also include colons. In particular,
+ * quoting the Amazon docs: "Be aware that the ARNs for some resources omit the
+ * Region, the account ID, or both the Region and the account ID."
+ *
+ * @param arn The ARN to parse as a string.
+ * @return A structure representing the components of the ARN. All fields will
+ * be defined, but some may be empty strings if they are not present in the ARN.
+ */
+export declare const parseArn: (arn: string) => {
+    partition: string;
+    service: string;
+    region: string;
+    accountId: string;
+    resource: string;
+};

package/dist/plugins/aws/utils.js ADDED Viewed

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseArn = void 0;
+/** Copyright © 2024-present P0 Security
+This file is part of @p0security/cli
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const ARN_PATTERN = /^arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):([^:]*):([^:]*):([^:]*):(.*)$/;
+/**
+ * Parses out Amazon Resource Names (ARNs) from AWS into their components. Note
+ * that not all components are present in all ARNs (depending on the service;
+ * for example, S3 ARNs don't have a region or account ID), and the final
+ * component of the ARN (`resource`) may contain its own internal structure that
+ * is also service-dependent and which may also include colons. In particular,
+ * quoting the Amazon docs: "Be aware that the ARNs for some resources omit the
+ * Region, the account ID, or both the Region and the account ID."
+ *
+ * @param arn The ARN to parse as a string.
+ * @return A structure representing the components of the ARN. All fields will
+ * be defined, but some may be empty strings if they are not present in the ARN.
+ */
+const parseArn = (arn) => {
+    // Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html
+    const invalidArnMsg = `Invalid AWS ARN: ${arn}`;
+    const match = arn.match(ARN_PATTERN);
+    if (!match) {
+        throw invalidArnMsg;
+    }
+    const [_, partition, service, region, accountId, resource] = match;
+    // We know these are all defined based on the regex, but TypeScript doesn't.
+    // Empty string is okay, so explicitly check for undefined.
+    if (partition === undefined ||
+        service === undefined ||
+        accountId === undefined ||
+        region === undefined ||
+        resource === undefined) {
+        throw invalidArnMsg;
+    }
+    return {
+        partition,
+        service,
+        region,
+        accountId,
+        resource,
+    };
+};
+exports.parseArn = parseArn;
+//# sourceMappingURL=utils.js.map

package/dist/plugins/aws/utils.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/plugins/aws/utils.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;GASG;AACH,MAAM,WAAW,GACf,8EAA8E,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACI,MAAM,QAAQ,GAAG,CACtB,GAAW,EAOX,EAAE;IACF,kFAAkF;IAClF,MAAM,aAAa,GAAG,oBAAoB,GAAG,EAAE,CAAC;IAChD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAErC,IAAI,CAAC,KAAK,EAAE;QACV,MAAM,aAAa,CAAC;KACrB;IAED,MAAM,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC,GAAG,KAAK,CAAC;IAEnE,4EAA4E;IAC5E,2DAA2D;IAC3D,IACE,SAAS,KAAK,SAAS;QACvB,OAAO,KAAK,SAAS;QACrB,SAAS,KAAK,SAAS;QACvB,MAAM,KAAK,SAAS;QACpB,QAAQ,KAAK,SAAS,EACtB;QACA,MAAM,aAAa,CAAC;KACrB;IAED,OAAO;QACL,SAAS;QACT,OAAO;QACP,MAAM;QACN,SAAS;QACT,QAAQ;KACT,CAAC;AACJ,CAAC,CAAC;AAtCW,QAAA,QAAQ,YAsCnB"}

package/dist/plugins/google/ssh-key.js CHANGED Viewed

@@ -61,7 +61,15 @@ const importSshKey = (publicKey, options) => __awaiter(void 0, void 0, void 0, f
         },
     });
     if (!response.ok) {
-        throw `Import of SSH public key failed. HTTP error ${response.status}: ${yield response.text()}`;
+        if (debug) {
+            (0, stdio_1.print2)(`HTTP error ${response.status}: ${yield response.text()}`);
+        }
+        if (response.status === 401) {
+            throw `Authentication failed. Please login to Google Cloud CLI with 'gcloud auth login'`;
+        }
+        else {
+            throw `Import of SSH public key failed.`;
+        }
     }
     const data = yield response.json();
     if (debug) {

package/dist/plugins/google/ssh-key.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ssh-key.js","sourceRoot":"","sources":["../../../src/plugins/google/ssh-key.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wDAAqD;AACrD,+CAA6C;AAG7C;;;;;;;;;;GAUG;AACI,MAAM,YAAY,GAAG,CAC1B,SAAiB,EACjB,OAA6B,EAC7B,EAAE;;IACF,MAAM,KAAK,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,mCAAI,KAAK,CAAC;IACtC,yDAAyD;IACzD,MAAM,WAAW,GAAG,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE;QAC/D,MAAM;QACN,oBAAoB;KACrB,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE;QACpD,QAAQ;QACR,WAAW;QACX,SAAS;KACV,CAAC,CAAC;IAEH,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,0BAA0B,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,OAAO,EAAE,CAC/E,CAAC;KACH;IAED,MAAM,GAAG,GAAG,2CAA2C,OAAO,qBAAqB,CAAC;IACpF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,GAAG,EAAE,SAAS;SACf,CAAC;QACF,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,~~MAAM,+CAA+C~~,QAAQ,CAAC,MAAM,KAAK,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC;~~KAClG~~;IAED,MAAM,IAAI,GAA+B,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/D,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,sDAAsD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAC7E,CAAC;KACH;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;IAE9B,yEAAyE;IACzE,MAAM,aAAa,GAAG,YAAY,CAAC,aAAa,CAAC,MAAM,CACrD,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,mBAAmB,KAAK,OAAO,CACrD,CAAC;IAEF,MAAM,YAAY,GAChB,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;QAChD,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAEhC,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EAAC,2BAA2B,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,QAAQ,EAAE,CAAC,CAAC;KAC7D;IAED,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,2HAA2H,CAAC;KACnI;IAED,OAAO,YAAY,CAAC,QAAQ,CAAC;AAC/B,CAAC,CAAA,CAAC;~~AAlEW~~,QAAA,YAAY,~~gBAkEvB~~"}
1	+ {"version":3,"file":"ssh-key.js","sourceRoot":"","sources":["../../../src/plugins/google/ssh-key.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wDAAqD;AACrD,+CAA6C;AAG7C;;;;;;;;;;GAUG;AACI,MAAM,YAAY,GAAG,CAC1B,SAAiB,EACjB,OAA6B,EAC7B,EAAE;;IACF,MAAM,KAAK,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,mCAAI,KAAK,CAAC;IACtC,yDAAyD;IACzD,MAAM,WAAW,GAAG,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE;QAC/D,MAAM;QACN,oBAAoB;KACrB,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE;QACpD,QAAQ;QACR,WAAW;QACX,SAAS;KACV,CAAC,CAAC;IAEH,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,0BAA0B,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,OAAO,EAAE,CAC/E,CAAC;KACH;IAED,MAAM,GAAG,GAAG,2CAA2C,OAAO,qBAAqB,CAAC;IACpF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,GAAG,EAAE,SAAS;SACf,CAAC;QACF,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,KAAK,EAAE;YACT,IAAA,cAAM,EAAC,cAAc,QAAQ,CAAC,MAAM,KAAK,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;SACnE;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,kFAAkF,CAAC;SAC1F;aAAM;YACL,MAAM,kCAAkC,CAAC;SAC1C;KACF;IAED,MAAM,IAAI,GAA+B,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/D,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,sDAAsD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAC7E,CAAC;KACH;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;IAE9B,yEAAyE;IACzE,MAAM,aAAa,GAAG,YAAY,CAAC,aAAa,CAAC,MAAM,CACrD,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,mBAAmB,KAAK,OAAO,CACrD,CAAC;IAEF,MAAM,YAAY,GAChB,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;QAChD,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAEhC,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EAAC,2BAA2B,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,QAAQ,EAAE,CAAC,CAAC;KAC7D;IAED,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,2HAA2H,CAAC;KACnI;IAED,OAAO,YAAY,CAAC,QAAQ,CAAC;AAC/B,CAAC,CAAA,CAAC;AA1EW,QAAA,YAAY,gBA0EvB"}

package/dist/plugins/google/ssh.js CHANGED Viewed

@@ -23,32 +23,61 @@ You should have received a copy of the GNU General Public License along with @p0
 const ssh_1 = require("../../commands/shared/ssh");
 const install_1 = require("./install");
 const ssh_key_1 = require("./ssh-key");
-/** Maximum number of attempts to start an SSH session
+// It typically takes < 1 minute for access to propagate on GCP, so set the time limit to 2 minutes.
+const PROPAGATION_TIMEOUT_LIMIT_MS = 2 * 60 * 1000;
+/**
+ * There are 7 cases of unprovisioned access in Google Cloud.
+ * These are all potentially subject to propagation delays.
+ * 1. The linux user name is not present in the user's Google Workspace profile `posixAccounts` attribute
+ * 2. The public key is not present in the user's Google Workspace profile `sshPublicKeys` attribute
+ * 3. The user cannot act as the service account of the compute instance
+ * 4. The user cannot tunnel through the IAP tunnel to the instance
+ * 5. The user doesn't have osLogin or osAdminLogin role to the instance
+ * 5.a. compute.instances.get permission is missing
+ * 5.b. compute.instances.osLogin permission is missing
+ * 6. compute.instances.osAdminLogin is not provisioned but compute.instances.osLogin is - happens when a user upgrades existing access to sudo
+ * 7: Rare occurrence, the exact conditions so far undetermined (together with CONNECTION_CLOSED_MESSAGE)
  *
- * The length of each attempt varies based on the type of error from a few seconds to < 1s
+ * 1, 2, 3 (yes!), 5b: result in PUBLIC_KEY_DENIED_MESSAGE
+ * 4: results in UNAUTHORIZED_TUNNEL_USER_MESSAGE and also CONNECTION_CLOSED_MESSAGE
+ * 5a: results in UNAUTHORIZED_INSTANCES_GET_MESSAGE
+ * 6: results in SUDO_MESSAGE
+ * 7: results in DESTINATION_READ_ERROR and also CONNECTION_CLOSED_MESSAGE
  */
-const MAX_SSH_RETRIES = 120;
-exports.gcpSshProvider = {
-    requestToSsh: (request) => {
-        return {
-            id: request.permission.spec.instanceName,
-            projectId: request.permission.spec.projectId,
-            zone: request.permission.spec.zone,
-            linuxUserName: request.cliLocalData.linuxUserName,
-            type: "gcloud",
-        };
+const unprovisionedAccessPatterns = [
+    { pattern: /Permission denied \(publickey\)/ },
+    {
+        // The output of `sudo -v` when the user is not allowed to run sudo
+        pattern: /Sorry, user .+ may not run sudo on .+/,
     },
-    toCliRequest: (request, options) => __awaiter(void 0, void 0, void 0, function* () {
-        return (Object.assign(Object.assign({}, request), { cliLocalData: {
-                linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
-            } }));
-    }),
+    { pattern: /Error while connecting \[4033: 'not authorized'\]/ },
+    {
+        pattern: /Required 'compute\.instances\.get' permission/,
+        validationWindowMs: 30e3,
+    },
+    { pattern: /Error while connecting \[4010: 'destination read failed'\]/ },
+];
+exports.gcpSshProvider = {
+    // TODO support login with Google Cloud
+    cloudProviderLogin: () => __awaiter(void 0, void 0, void 0, function* () { return undefined; }),
     ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
         if (!(yield (0, install_1.ensureGcpSshInstall)())) {
             throw "Please try again after installing the required GCP utilities";
         }
     }),
-    cloudProviderLogin: () => __awaiter(void 0, void 0, void 0, function* () { return undefined; }),
+    friendlyName: "Google Cloud",
+    loginRequiredMessage: "Please login to Google Cloud CLI with 'gcloud auth login'",
+    loginRequiredPattern: /You do not currently have an active account selected/,
+    propagationTimeoutMs: PROPAGATION_TIMEOUT_LIMIT_MS,
+    preTestAccessPropagationArgs: (cmdArgs) => {
+        if ((0, ssh_1.isSudoCommand)(cmdArgs)) {
+            return Object.assign(Object.assign({}, cmdArgs), {
+                // `sudo -v` prints `Sorry, user <user> may not run sudo on <hostname>.` to stderr when user is not a sudoer.
+                // It prints nothing to stdout when user is a sudoer - which is important because we don't want any output from the pre-test.
+                command: "sudo", arguments: ["-v"] });
+        }
+        return undefined;
+    },
     proxyCommand: (request) => {
         return [
             "gcloud",
@@ -66,16 +95,20 @@ exports.gcpSshProvider = {
         ];
     },
     reproCommands: () => undefined,
-    preTestAccessPropagationArgs: (cmdArgs) => {
-        if ((0, ssh_1.isSudoCommand)(cmdArgs)) {
-            return Object.assign(Object.assign({}, cmdArgs), {
-                // `sudo -v` prints `Sorry, user <user> may not run sudo on <hostname>.` to stderr when user is not a sudoer.
-                // It prints nothing to stdout when user is a sudoer - which is important because we don't want any output from the pre-test.
-                command: "sudo", arguments: ["-v"] });
-        }
-        return undefined;
+    requestToSsh: (request) => {
+        return {
+            id: request.permission.spec.instanceName,
+            projectId: request.permission.spec.projectId,
+            zone: request.permission.spec.zone,
+            linuxUserName: request.cliLocalData.linuxUserName,
+            type: "gcloud",
+        };
     },
-    maxRetries: MAX_SSH_RETRIES,
-    friendlyName: "Google Cloud",
+    unprovisionedAccessPatterns,
+    toCliRequest: (request, options) => __awaiter(void 0, void 0, void 0, function* () {
+        return (Object.assign(Object.assign({}, request), { cliLocalData: {
+                linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
+            } }));
+    }),
 };
 //# sourceMappingURL=ssh.js.map

package/dist/plugins/google/ssh.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAE1D,uCAAgD;AAChD,uCAAyC;AAGzC~~;;;GAGG~~;~~AACH~~,MAAM,~~eAAe~~,GAAG,GAAG,CAAC;~~AAEf~~,~~QAAA~~,~~cAAc~~,~~GAIvB~~;~~IACF~~,~~YAAY,~~EAAE,~~CAAC,~~OAAO,EAAE,EAAE;~~QACxB~~,~~OAAO~~;~~YACL~~,EAAE,EAAE,OAAO,~~CAAC~~,~~UAAU~~,~~CAAC~~,~~IAAI~~,~~CAAC,YAAY~~;~~YACxC~~,~~SAAS~~,EAAE,OAAO,~~CAAC~~,~~UAAU~~,CAAC,~~IAAI~~,~~CAAC~~,~~SAAS~~;~~YAC5C~~,~~IAAI~~,EAAE,~~OAAO~~,~~CAAC~~,~~UAAU~~,~~CAAC~~,~~IAAI~~,~~CAAC~~,~~IAAI~~;~~YAClC~~,aAAa,EAAE,~~OAAO~~,~~CAAC~~,~~YAAY~~,CAAC,~~aAAa;YACjD~~,~~IAAI~~,~~EAAE~~,~~QAAQ;SACf~~,CAAC~~;IACJ~~,~~CAAC~~;~~IACD~~,~~YAAY~~,~~EAAE~~,~~CAAO~~,~~OAAO~~,~~EAAE~~,~~OAAO~~,EAAE,~~EAAE~~;~~QAAC~~,~~OAAA~~,~~iCACrC~~,~~OAAO~~,~~KACV~~,~~YAAY~~,~~EAAE~~;~~gBACZ~~,~~aAAa~~,EAAE,~~MAAM~~,~~IAAA~~,~~sBAAY~~,~~EAC/B~~,OAAO,~~CAAC~~,~~UAAU~~,~~CAAC,~~IAAI,~~CAAC~~,~~SAAS~~,~~EACjC~~,OAAO,~~CACR~~;~~aACF~~,~~IACD~~,~~CAAA~~;~~MAAA~~;~~IACF~~,~~aAAa~~,EAAE,~~GAAS~~,~~EAAE;QACxB~~,~~IAAI~~,~~CAAC~~,CAAC,~~MAAM~~,~~IAAA,6BAAmB,GAAE,~~CAAC,~~EAAE~~;~~YAClC~~,~~MAAM~~,~~8DAA8D~~,CAAC;~~SACtE;IACH~~,CAAC~~,CAAA~~;~~IACD~~,~~kBAAkB,EAAE,GAAS,EAAE,kDAAC,OAAA,SAAS,CAAA,GAAA;IACzC,~~YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,QAAQ;YACR,SAAS;YACT,kBAAkB;YAClB,OAAO,CAAC,EAAE;YACV,IAAI;YACJ,kEAAkE;YAClE,oGAAoG;YACpG,oEAAoE;YACpE,kDAAkD;YAClD,mBAAmB;YACnB,UAAU,OAAO,CAAC,IAAI,EAAE;YACxB,aAAa,OAAO,CAAC,SAAS,EAAE;SACjC,CAAC;IACJ,CAAC;~~IACD~~,aAAa,EAAE,GAAG,EAAE,CAAC,SAAS;~~IAC9B~~,~~4BAA4B~~,EAAE,CAAC,OAAO,EAAE,EAAE;~~QACxC~~,~~IAAI~~,~~IAAA~~,~~mBAAa~~,~~EAAC,~~OAAO,CAAC,~~EAAE;YAC1B~~,~~uCACK~~,~~OAAO;gBACV~~,~~6GAA6G;gBAC7G~~,~~6HAA6H~~;~~gBAC7H~~,~~OAAO~~,EAAE,~~MAAM~~,~~EACf~~,SAAS,EAAE,CAAC,IAAI,CAAC,~~IACjB~~;~~SACH;QACD~~,OAAO,~~SAAS~~,CAAC;~~IACnB~~,CAAC;~~IACD~~,~~UAAU~~,EAAE,~~eAAe~~;~~IAC3B~~,YAAY,EAAE,~~cAAc~~;~~CAC7B~~,CAAC"}
1	+ {"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAE1D,uCAAgD;AAChD,uCAAyC;AAGzC,oGAAoG;AACpG,MAAM,4BAA4B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,2BAA2B,GAAG;IAClC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IAC9C;QACE,mEAAmE;QACnE,OAAO,EAAE,uCAAuC;KACjD;IACD,EAAE,OAAO,EAAE,mDAAmD,EAAE;IAChE;QACE,OAAO,EAAE,+CAA+C;QACxD,kBAAkB,EAAE,IAAI;KACzB;IACD,EAAE,OAAO,EAAE,4DAA4D,EAAE;CACjE,CAAC;AAEE,QAAA,cAAc,GAIvB;IACF,uCAAuC;IACvC,kBAAkB,EAAE,GAAS,EAAE,kDAAC,OAAA,SAAS,CAAA,GAAA;IAEzC,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,6BAAmB,GAAE,CAAC,EAAE;YAClC,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,cAAc;IAE5B,oBAAoB,EAClB,2DAA2D;IAE7D,oBAAoB,EAAE,sDAAsD;IAE5E,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,CAAC,OAAO,EAAE,EAAE;QACxC,IAAI,IAAA,mBAAa,EAAC,OAAO,CAAC,EAAE;YAC1B,uCACK,OAAO;gBACV,6GAA6G;gBAC7G,6HAA6H;gBAC7H,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,IAAI,CAAC,IACjB;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,QAAQ;YACR,SAAS;YACT,kBAAkB;YAClB,OAAO,CAAC,EAAE;YACV,IAAI;YACJ,kEAAkE;YAClE,oGAAoG;YACpG,oEAAoE;YACpE,kDAAkD;YAClD,mBAAmB;YACnB,UAAU,OAAO,CAAC,IAAI,EAAE;YACxB,aAAa,OAAO,CAAC,SAAS,EAAE;SACjC,CAAC;IACJ,CAAC;IAED,aAAa,EAAE,GAAG,EAAE,CAAC,SAAS;IAE9B,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY;YACxC,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;YAC5C,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI;YAClC,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,aAAa;YACjD,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IAED,2BAA2B;IAE3B,YAAY,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAAC,OAAA,iCACrC,OAAO,KACV,YAAY,EAAE;gBACZ,aAAa,EAAE,MAAM,IAAA,sBAAY,EAC/B,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,EACjC,OAAO,CACR;aACF,IACD,CAAA;MAAA;CACH,CAAC"}

package/dist/plugins/kubeconfig/index.d.ts CHANGED Viewed

@@ -12,7 +12,7 @@ import { KubeconfigCommandArgs } from "../../commands/kubeconfig";
 import { Authn } from "../../types/identity";
 import { Request } from "../../types/request";
 import { AwsCredentials } from "../aws/types";
-import { K8sGenerated, K8sPermissionSpec } from "./types";
+import { K8sPermissionSpec } from "./types";
 import yargs from "yargs";
 export declare const getAndValidateK8sIntegration: (authn: Authn, clusterId: string) => Promise<{
     clusterConfig: {
@@ -24,4 +24,4 @@ export declare const getAndValidateK8sIntegration: (authn: Authn, clusterId: str
 }>;
 export declare const requestAccessToCluster: (authn: Authn, args: yargs.ArgumentsCamelCase<KubeconfigCommandArgs>, clusterId: string, role: string) => Promise<Request<K8sPermissionSpec>>;
 export declare const profileName: (eksCluterName: string) => string;
-export declare const awsCloudAuth: (authn: Authn, awsAccountId: string, generated: K8sGenerated, loginType: "federated" | "idc") => Promise<AwsCredentials>;
+export declare const awsCloudAuth: (authn: Authn, awsAccountId: string, request: Request<K8sPermissionSpec>, loginType: "federated" | "idc") => Promise<AwsCredentials>;

package/dist/plugins/kubeconfig/index.js CHANGED Viewed

@@ -17,6 +17,7 @@ const stdio_1 = require("../../drivers/stdio");
 const util_1 = require("../../util");
 const config_1 = require("../aws/config");
 const idc_1 = require("../aws/idc");
+const utils_1 = require("../aws/utils");
 const aws_1 = require("../okta/aws");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
@@ -28,15 +29,16 @@ const getAndValidateK8sIntegration = (authn, clusterId) => __awaiter(void 0, voi
     if (!config) {
         throw `Cluster with ID ${clusterId} not found`;
     }
-    if (config.state !== "installed" || config.provider.type !== "aws") {
+    if (config.state !== "installed") {
         throw `Cluster with ID ${clusterId} is not installed`;
     }
-    const { provider } = config;
-    const { accountId: awsAccountId, clusterArn: awsClusterArn } = provider;
-    if (!awsAccountId || !awsClusterArn) {
+    const { hosting } = config;
+    if (hosting.type !== "aws") {
         throw (`This command currently only supports AWS EKS clusters, and ${clusterId} is not configured as one.\n` +
             "You can request access to the cluster using the `p0 request k8s` command.");
     }
+    const { arn: awsClusterArn } = hosting;
+    const { accountId: awsAccountId } = (0, utils_1.parseArn)(awsClusterArn);
     const { config: awsConfig } = yield (0, config_1.getAwsConfig)(authn, awsAccountId);
     const { login: awsLogin } = awsConfig;
     // Verify that the AWS auth type is supported before issuing the requests
@@ -70,28 +72,29 @@ const requestAccessToCluster = (authn, args, clusterId, role) => __awaiter(void
     if (!response) {
         throw "Did not receive access ID from server";
     }
-    const { id, isPreexisting } = response;
-    if (!isPreexisting) {
-        (0, stdio_1.print2)("Waiting for access to be provisioned. This may take up to a minute.");
-    }
-    return yield (0, shared_1.waitForProvisioning)(authn, id);
+    const { id } = response;
+    return yield (0, stdio_1.spinUntil)("Waiting for access to be provisioned. This may take up to a minute.", (0, shared_1.waitForProvisioning)(authn, id));
 });
 exports.requestAccessToCluster = requestAccessToCluster;
 const profileName = (eksCluterName) => `p0cli-managed-eks-${eksCluterName}`;
 exports.profileName = profileName;
-const awsCloudAuth = (authn, awsAccountId, generated, loginType) => __awaiter(void 0, void 0, void 0, function* () {
+const awsCloudAuth = (authn, awsAccountId, request, loginType) => __awaiter(void 0, void 0, void 0, function* () {
+    var _c;
+    const { permission, generated } = request;
     const { eksGenerated } = generated;
-    const { name, idc } = eksGenerated;
+    const { name } = eksGenerated;
     switch (loginType) {
-        case "idc":
-            if (!idc) {
+        case "idc": {
+            const { idcId, idcRegion } = (_c = permission.awsResourcePermission) !== null && _c !== void 0 ? _c : {};
+            if (!idcId || !idcRegion) {
                 throw "AWS is configured to use Identity Center, but IDC information wasn't received in the request.";
             }
             return yield (0, idc_1.assumeRoleWithIdc)({
                 accountId: awsAccountId,
                 permissionSet: name,
-                idc,
+                idc: { id: idcId, region: idcRegion },
             });
+        }
         case "federated":
             return yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
                 accountId: awsAccountId,