@p0security/cli 0.11.2 → 0.11.4

package/dist/drivers/config.js

@@ -0,0 +1,43 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadConfig = exports.saveConfig = exports.getTenantConfig = exports.CONFIG_FILE_PATH = void 0;
+const util_1 = require("../util");
+const stdio_1 = require("./stdio");
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+exports.CONFIG_FILE_PATH = path_1.default.join(util_1.P0_PATH, "config.json");
+let tenantConfig;
+function getTenantConfig() {
+    return tenantConfig;
+}
+exports.getTenantConfig = getTenantConfig;
+function saveConfig(config) {
+    return __awaiter(this, void 0, void 0, function* () {
+        (0, stdio_1.print2)(`Saving config to ${exports.CONFIG_FILE_PATH}.`);
+        const dir = path_1.default.dirname(exports.CONFIG_FILE_PATH);
+        yield promises_1.default.mkdir(dir, { recursive: true });
+        yield promises_1.default.writeFile(exports.CONFIG_FILE_PATH, JSON.stringify(config), { mode: "600" });
+        tenantConfig = config;
+    });
+}
+exports.saveConfig = saveConfig;
+function loadConfig() {
+    return __awaiter(this, void 0, void 0, function* () {
+        const buffer = yield promises_1.default.readFile(exports.CONFIG_FILE_PATH);
+        tenantConfig = JSON.parse(buffer.toString());
+    });
+}
+exports.loadConfig = loadConfig;
+//# sourceMappingURL=config.js.map

package/dist/drivers/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/drivers/config.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAWA,kCAAkC;AAClC,mCAAiC;AACjC,2DAA6B;AAC7B,gDAAwB;AAEX,QAAA,gBAAgB,GAAG,cAAI,CAAC,IAAI,CAAC,cAAO,EAAE,aAAa,CAAC,CAAC;AAElE,IAAI,YAAoB,CAAC;AAEzB,SAAgB,eAAe;IAC7B,OAAO,YAAY,CAAC;AACtB,CAAC;AAFD,0CAEC;AAED,SAAsB,UAAU,CAAC,MAAc;;QAC7C,IAAA,cAAM,EAAC,oBAAoB,wBAAgB,GAAG,CAAC,CAAC;QAChD,MAAM,GAAG,GAAG,cAAI,CAAC,OAAO,CAAC,wBAAgB,CAAC,CAAC;QAC3C,MAAM,kBAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,MAAM,kBAAE,CAAC,SAAS,CAAC,wBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC9E,YAAY,GAAG,MAAM,CAAC;IACxB,CAAC;CAAA;AAND,gCAMC;AAED,SAAsB,UAAU;;QAC9B,MAAM,MAAM,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,wBAAgB,CAAC,CAAC;QACnD,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC/C,CAAC;CAAA;AAHD,gCAGC"}

package/dist/drivers/env.d.ts

@@ -1,4 +1,4 @@
-export declare const config: {
+export declare const bootstrapConfig: {
     fs: {
         apiKey: string;
         authDomain: string;

package/dist/drivers/env.js

@@ -4,7 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k;
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.config = void 0;
+exports.bootstrapConfig = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -18,7 +18,7 @@ You should have received a copy of the GNU General Public License along with @p0
 const dotenv_1 = __importDefault(require("dotenv"));
 dotenv_1.default.config();
 const { env } = process;
-exports.config = {
+exports.bootstrapConfig = {
     fs: {
         // Falls back to public production Firestore credentials
         apiKey: (_a = env.P0_FS_API_KEY) !== null && _a !== void 0 ? _a : "AIzaSyCaL-Ik_l_5tdmgNUNZ4Nv6NuR4o5_PPfs",

package/dist/drivers/env.js.map

@@ -1 +1 @@
-{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/drivers/env.ts"],"names":[],"mappings":";;;;;;;AAAA;;;;;;;;;GASG;AACH,oDAA4B;AAE5B,gBAAM,CAAC,MAAM,EAAE,CAAC;AAEhB,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;AAEX,QAAA,MAAM,GAAG;IACpB,EAAE,EAAE;QACF,wDAAwD;QACxD,MAAM,EAAE,MAAA,GAAG,CAAC,aAAa,mCAAI,yCAAyC;QACtE,UAAU,EAAE,MAAA,GAAG,CAAC,iBAAiB,mCAAI,yBAAyB;QAC9D,SAAS,EAAE,MAAA,GAAG,CAAC,gBAAgB,mCAAI,SAAS;QAC5C,aAAa,EAAE,MAAA,GAAG,CAAC,oBAAoB,mCAAI,qBAAqB;QAChE,iBAAiB,EAAE,MAAA,GAAG,CAAC,yBAAyB,mCAAI,cAAc;QAClE,KAAK,EAAE,MAAA,GAAG,CAAC,YAAY,mCAAI,2CAA2C;KACvE;IACD,MAAM,EAAE;QACN,QAAQ,EACN,MAAA,GAAG,CAAC,wBAAwB,mCAC5B,0EAA0E;QAC5E,4EAA4E;QAC5E,qFAAqF;QACrF,YAAY,EACV,MAAA,GAAG,CAAC,4BAA4B,mCAAI,qCAAqC;KAC5E;IACD,MAAM,EAAE,MAAA,GAAG,CAAC,UAAU,mCAAI,oBAAoB;IAC9C,WAAW,EAAE,MAAA,GAAG,CAAC,MAAM,mCAAI,YAAY;CACxC,CAAC"}
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/drivers/env.ts"],"names":[],"mappings":";;;;;;;AAAA;;;;;;;;;GASG;AACH,oDAA4B;AAE5B,gBAAM,CAAC,MAAM,EAAE,CAAC;AAEhB,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;AAEX,QAAA,eAAe,GAAG;IAC7B,EAAE,EAAE;QACF,wDAAwD;QACxD,MAAM,EAAE,MAAA,GAAG,CAAC,aAAa,mCAAI,yCAAyC;QACtE,UAAU,EAAE,MAAA,GAAG,CAAC,iBAAiB,mCAAI,yBAAyB;QAC9D,SAAS,EAAE,MAAA,GAAG,CAAC,gBAAgB,mCAAI,SAAS;QAC5C,aAAa,EAAE,MAAA,GAAG,CAAC,oBAAoB,mCAAI,qBAAqB;QAChE,iBAAiB,EAAE,MAAA,GAAG,CAAC,yBAAyB,mCAAI,cAAc;QAClE,KAAK,EAAE,MAAA,GAAG,CAAC,YAAY,mCAAI,2CAA2C;KACvE;IACD,MAAM,EAAE;QACN,QAAQ,EACN,MAAA,GAAG,CAAC,wBAAwB,mCAC5B,0EAA0E;QAC5E,4EAA4E;QAC5E,qFAAqF;QACrF,YAAY,EACV,MAAA,GAAG,CAAC,4BAA4B,mCAAI,qCAAqC;KAC5E;IACD,MAAM,EAAE,MAAA,GAAG,CAAC,UAAU,mCAAI,oBAAoB;IAC9C,WAAW,EAAE,MAAA,GAAG,CAAC,MAAM,mCAAI,YAAY;CACxC,CAAC"}

package/dist/drivers/firestore.d.ts

@@ -1,10 +1,22 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { Identity } from "../types/identity";
 import { CollectionReference, DocumentReference } from "firebase/firestore";
-export declare const FIRESTORE: import("@firebase/firestore").Firestore;
-export declare const auth: import("@firebase/auth").Auth;
+export declare function initializeFirebase(): void;
+export declare function authenticateToFirebase(identity: Identity): Promise<import("@firebase/auth").UserCredential>;
 export declare const collection: <T>(path: string, ...pathSegments: string[]) => CollectionReference<T, import("@firebase/firestore").DocumentData>;
 export declare const doc: <T>(path: string) => DocumentReference<T, import("@firebase/firestore").DocumentData>;
+export declare const publicDoc: <T>(path: string) => DocumentReference<T, import("@firebase/firestore").DocumentData>;
 /** Ensures that Firestore is shutdown at command termination
  *
  * This prevents Firestore from holding the command on execution completion or failure.
  */
-export declare const guard: <P, T>(cb: (args: P) => Promise<T>) => (args: P) => Promise<void>;
+export declare const fsShutdownGuard: <P, T>(cb: (args: P) => Promise<T>) => (args: P) => Promise<void>;

package/dist/drivers/firestore.js

@@ -9,46 +9,71 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.guard = exports.doc = exports.collection = exports.auth = exports.FIRESTORE = void 0;
-/** Copyright © 2024-present P0 Security
-
-This file is part of @p0security/cli
-
-@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
-
-@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
-**/
+exports.fsShutdownGuard = exports.publicDoc = exports.doc = exports.collection = exports.authenticateToFirebase = exports.initializeFirebase = void 0;
+const config_1 = require("./config");
 const env_1 = require("./env");
 const app_1 = require("firebase/app");
 const auth_1 = require("firebase/auth");
 const firestore_1 = require("firebase/firestore");
-// Your web app's Firebase configuration
-const firebaseConfig = env_1.config.fs;
-// Initialize Firebase
-const app = (0, app_1.initializeApp)(firebaseConfig);
-exports.FIRESTORE = (0, firestore_1.getFirestore)(app);
-exports.auth = (0, auth_1.getAuth)();
+const bootstrapApp = (0, app_1.initializeApp)(env_1.bootstrapConfig.fs, "bootstrapApp");
+const bootstrapFirestore = (0, firestore_1.getFirestore)(bootstrapApp);
+let app;
+let firestore;
+function initializeFirebase() {
+    const tenantConfig = (0, config_1.getTenantConfig)();
+    app = (0, app_1.initializeApp)(tenantConfig.fs, "authFirebase");
+    firestore = (0, firestore_1.getFirestore)(app);
+}
+exports.initializeFirebase = initializeFirebase;
+function authenticateToFirebase(identity) {
+    var _a;
+    return __awaiter(this, void 0, void 0, function* () {
+        const { credential } = identity;
+        const tenantId = identity.org.tenantId;
+        // TODO: Move to map lookup
+        const provider = new auth_1.OAuthProvider(identity.org.ssoProvider === "google"
+            ? auth_1.SignInMethod.GOOGLE
+            : identity.org.providerId);
+        const firebaseCredential = provider.credential({
+            accessToken: credential.access_token,
+            idToken: credential.id_token,
+        });
+        const auth = (0, auth_1.getAuth)(app);
+        auth.tenantId = tenantId;
+        const userCredential = yield (0, auth_1.signInWithCredential)(auth, firebaseCredential);
+        if (!((_a = userCredential === null || userCredential === void 0 ? void 0 : userCredential.user) === null || _a === void 0 ? void 0 : _a.email)) {
+            throw "Can not sign in: this user has previously signed in with a different identity provider.\nPlease contact support@p0.dev to enable this user.";
+        }
+        return userCredential;
+    });
+}
+exports.authenticateToFirebase = authenticateToFirebase;
 const collection = (path, ...pathSegments) => {
-    return (0, firestore_1.collection)(exports.FIRESTORE, path, ...pathSegments);
+    return (0, firestore_1.collection)(firestore, path, ...pathSegments);
 };
 exports.collection = collection;
 const doc = (path) => {
-    return (0, firestore_1.doc)(exports.FIRESTORE, path);
+    return (0, firestore_1.doc)(firestore, path);
 };
 exports.doc = doc;
+const publicDoc = (path) => {
+    return (0, firestore_1.doc)(bootstrapFirestore, path);
+};
+exports.publicDoc = publicDoc;
 /** Ensures that Firestore is shutdown at command termination
  *
  * This prevents Firestore from holding the command on execution completion or failure.
  */
-const guard = (cb) => (args) => __awaiter(void 0, void 0, void 0, function* () {
+const fsShutdownGuard = (cb) => (args) => __awaiter(void 0, void 0, void 0, function* () {
     try {
         yield cb(args);
     }
     finally {
-        void (0, firestore_1.terminate)(exports.FIRESTORE);
+        if (bootstrapFirestore)
+            void (0, firestore_1.terminate)(bootstrapFirestore);
+        if (firestore)
+            void (0, firestore_1.terminate)(firestore);
     }
 });
-exports.guard = guard;
+exports.fsShutdownGuard = fsShutdownGuard;
 //# sourceMappingURL=firestore.js.map

package/dist/drivers/firestore.js.map

@@ -1 +1 @@
-{"version":3,"file":"firestore.js","sourceRoot":"","sources":["../../src/drivers/firestore.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,+BAA+B;AAC/B,sCAA6C;AAC7C,wCAAwC;AACxC,kDAO4B;AAE5B,wCAAwC;AACxC,MAAM,cAAc,GAAG,YAAM,CAAC,EAAE,CAAC;AAEjC,sBAAsB;AACtB,MAAM,GAAG,GAAG,IAAA,mBAAa,EAAC,cAAc,CAAC,CAAC;AAC7B,QAAA,SAAS,GAAG,IAAA,wBAAY,EAAC,GAAG,CAAC,CAAC;AAC9B,QAAA,IAAI,GAAG,IAAA,cAAO,GAAE,CAAC;AAEvB,MAAM,UAAU,GAAG,CAAI,IAAY,EAAE,GAAG,YAAsB,EAAE,EAAE;IACvE,OAAO,IAAA,sBAAY,EACjB,iBAAS,EACT,IAAI,EACJ,GAAG,YAAY,CACU,CAAC;AAC9B,CAAC,CAAC;AANW,QAAA,UAAU,cAMrB;AACK,MAAM,GAAG,GAAG,CAAI,IAAY,EAAE,EAAE;IACrC,OAAO,IAAA,eAAK,EAAC,iBAAS,EAAE,IAAI,CAAyB,CAAC;AACxD,CAAC,CAAC;AAFW,QAAA,GAAG,OAEd;AAEF;;;GAGG;AACI,MAAM,KAAK,GAChB,CAAO,EAA2B,EAAE,EAAE,CACtC,CAAO,IAAO,EAAE,EAAE;IAChB,IAAI;QACF,MAAM,EAAE,CAAC,IAAI,CAAC,CAAC;KAChB;YAAS;QACR,KAAK,IAAA,qBAAS,EAAC,iBAAS,CAAC,CAAC;KAC3B;AACH,CAAC,CAAA,CAAC;AARS,QAAA,KAAK,SAQd"}
+{"version":3,"file":"firestore.js","sourceRoot":"","sources":["../../src/drivers/firestore.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,qCAA2C;AAC3C,+BAAwC;AACxC,sCAA0D;AAC1D,wCAKuB;AACvB,kDAQ4B;AAE5B,MAAM,YAAY,GAAG,IAAA,mBAAa,EAAC,qBAAe,CAAC,EAAE,EAAE,cAAc,CAAC,CAAC;AACvE,MAAM,kBAAkB,GAAG,IAAA,wBAAY,EAAC,YAAY,CAAC,CAAC;AAEtD,IAAI,GAAgB,CAAC;AACrB,IAAI,SAAoB,CAAC;AAEzB,SAAgB,kBAAkB;IAChC,MAAM,YAAY,GAAG,IAAA,wBAAe,GAAE,CAAC;IACvC,GAAG,GAAG,IAAA,mBAAa,EAAC,YAAY,CAAC,EAAE,EAAE,cAAc,CAAC,CAAC;IACrD,SAAS,GAAG,IAAA,wBAAY,EAAC,GAAG,CAAC,CAAC;AAChC,CAAC;AAJD,gDAIC;AAED,SAAsB,sBAAsB,CAAC,QAAkB;;;QAC7D,MAAM,EAAE,UAAU,EAAE,GAAG,QAAQ,CAAC;QAChC,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC;QAEvC,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,IAAI,oBAAa,CAChC,QAAQ,CAAC,GAAG,CAAC,WAAW,KAAK,QAAQ;YACnC,CAAC,CAAC,mBAAY,CAAC,MAAM;YACrB,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAC5B,CAAC;QAEF,MAAM,kBAAkB,GAAG,QAAQ,CAAC,UAAU,CAAC;YAC7C,WAAW,EAAE,UAAU,CAAC,YAAY;YACpC,OAAO,EAAE,UAAU,CAAC,QAAQ;SAC7B,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,IAAA,cAAO,EAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAEzB,MAAM,cAAc,GAAG,MAAM,IAAA,2BAAoB,EAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;QAE5E,IAAI,CAAC,CAAA,MAAA,cAAc,aAAd,cAAc,uBAAd,cAAc,CAAE,IAAI,0CAAE,KAAK,CAAA,EAAE;YAChC,MAAM,6IAA6I,CAAC;SACrJ;QAED,OAAO,cAAc,CAAC;;CACvB;AA1BD,wDA0BC;AAEM,MAAM,UAAU,GAAG,CAAI,IAAY,EAAE,GAAG,YAAsB,EAAE,EAAE;IACvE,OAAO,IAAA,sBAAY,EACjB,SAAS,EACT,IAAI,EACJ,GAAG,YAAY,CACU,CAAC;AAC9B,CAAC,CAAC;AANW,QAAA,UAAU,cAMrB;AAEK,MAAM,GAAG,GAAG,CAAI,IAAY,EAAE,EAAE;IACrC,OAAO,IAAA,eAAK,EAAC,SAAS,EAAE,IAAI,CAAyB,CAAC;AACxD,CAAC,CAAC;AAFW,QAAA,GAAG,OAEd;AAEK,MAAM,SAAS,GAAG,CAAI,IAAY,EAAE,EAAE;IAC3C,OAAO,IAAA,eAAK,EAAC,kBAAkB,EAAE,IAAI,CAAyB,CAAC;AACjE,CAAC,CAAC;AAFW,QAAA,SAAS,aAEpB;AAEF;;;GAGG;AACI,MAAM,eAAe,GAC1B,CAAO,EAA2B,EAAE,EAAE,CACtC,CAAO,IAAO,EAAE,EAAE;IAChB,IAAI;QACF,MAAM,EAAE,CAAC,IAAI,CAAC,CAAC;KAChB;YAAS;QACR,IAAI,kBAAkB;YAAE,KAAK,IAAA,qBAAS,EAAC,kBAAkB,CAAC,CAAC;QAC3D,IAAI,SAAS;YAAE,KAAK,IAAA,qBAAS,EAAC,SAAS,CAAC,CAAC;KAC1C;AACH,CAAC,CAAA,CAAC;AATS,QAAA,eAAe,mBASxB"}

package/dist/plugins/aws/__tests__/utils.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/plugins/aws/__tests__/utils.test.js

@@ -0,0 +1,82 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const utils_1 = require("../utils");
+describe("parseArn() function", () => {
+    it.each([
+        "badarn:aws:ec2:us-east-1:123456789012:vpc/vpc-0e9801d129EXAMPLE",
+        ":aws:ec2:us-east-1:123456789012:vpc/vpc-0e9801d129EXAMPLE",
+        "arn:aws:ec2:us-east-1:123456789012", // Too few elements
+    ])('Raises an "Invalid ARN" error', (arn) => {
+        expect(() => (0, utils_1.parseArn)(arn)).toThrow("Invalid AWS ARN");
+    });
+    it("Parses a valid ARN with all fields correctly", () => {
+        const arn = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0e9801d129EXAMPLE";
+        const parsed = (0, utils_1.parseArn)(arn);
+        expect(parsed).toEqual({
+            partition: "aws",
+            service: "ec2",
+            region: "us-east-1",
+            accountId: "123456789012",
+            resource: "vpc/vpc-0e9801d129EXAMPLE",
+        });
+    });
+    it("Parses a valid ARN with colons in the resource correctly", () => {
+        // Note: This is not the format we would expect an EKS ARN to actually be in (it should
+        // use a / instead of a : in the resource); this is just for unit testing purposes.
+        const arn = "arn:aws:eks:us-west-2:123456789012:cluster:my-testing-cluster";
+        const parsed = (0, utils_1.parseArn)(arn);
+        expect(parsed).toEqual({
+            partition: "aws",
+            service: "eks",
+            region: "us-west-2",
+            accountId: "123456789012",
+            resource: "cluster:my-testing-cluster",
+        });
+    });
+    it("Parses a valid ARN with no region correctly", () => {
+        const arn = "arn:aws:iam::123456789012:user/johndoe";
+        const parsed = (0, utils_1.parseArn)(arn);
+        expect(parsed).toEqual({
+            partition: "aws",
+            service: "iam",
+            region: "",
+            accountId: "123456789012",
+            resource: "user/johndoe",
+        });
+    });
+    it("Parses a valid ARN with no account ID correctly", () => {
+        // Note: This is not a valid SNS ARN; they would ordinarily have an account ID. This is
+        // just for unit testing purposes.
+        const arn = "arn:aws-us-gov:sns:us-east-1::example-sns-topic-name";
+        const parsed = (0, utils_1.parseArn)(arn);
+        expect(parsed).toEqual({
+            partition: "aws-us-gov",
+            service: "sns",
+            region: "us-east-1",
+            accountId: "",
+            resource: "example-sns-topic-name",
+        });
+    });
+    it("Parses a valid ARN with no region or account ID correctly", () => {
+        const arn = "arn:aws-cn:s3:::my-corporate-bucket";
+        const parsed = (0, utils_1.parseArn)(arn);
+        expect(parsed).toEqual({
+            partition: "aws-cn",
+            service: "s3",
+            region: "",
+            accountId: "",
+            resource: "my-corporate-bucket",
+        });
+    });
+});
+//# sourceMappingURL=utils.test.js.map

package/dist/plugins/aws/__tests__/utils.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.test.js","sourceRoot":"","sources":["../../../../src/plugins/aws/__tests__/utils.test.ts"],"names":[],"mappings":";;AAAA;;;;;;;;;GASG;AACH,oCAAoC;AAEpC,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,EAAE,CAAC,IAAI,CAAC;QACN,iEAAiE;QACjE,2DAA2D;QAC3D,oCAAoC,EAAE,mBAAmB;KAC1D,CAAC,CAAC,+BAA+B,EAAE,CAAC,GAAG,EAAE,EAAE;QAC1C,MAAM,CAAC,GAAG,EAAE,CAAC,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,GAAG,GAAG,8DAA8D,CAAC;QAE3E,MAAM,MAAM,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,cAAc;YACzB,QAAQ,EAAE,2BAA2B;SACtC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;QAClE,uFAAuF;QACvF,mFAAmF;QACnF,MAAM,GAAG,GAAG,+DAA+D,CAAC;QAE5E,MAAM,MAAM,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,cAAc;YACzB,QAAQ,EAAE,4BAA4B;SACvC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,GAAG,GAAG,wCAAwC,CAAC;QAErD,MAAM,MAAM,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,EAAE;YACV,SAAS,EAAE,cAAc;YACzB,QAAQ,EAAE,cAAc;SACzB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,uFAAuF;QACvF,kCAAkC;QAClC,MAAM,GAAG,GAAG,sDAAsD,CAAC;QAEnE,MAAM,MAAM,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,YAAY;YACvB,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,EAAE;YACb,QAAQ,EAAE,wBAAwB;SACnC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,GAAG,GAAG,qCAAqC,CAAC;QAElD,MAAM,MAAM,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,QAAQ;YACnB,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,EAAE;YACV,SAAS,EAAE,EAAE;YACb,QAAQ,EAAE,qBAAqB;SAChC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/plugins/aws/utils.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Parses out Amazon Resource Names (ARNs) from AWS into their components. Note
+ * that not all components are present in all ARNs (depending on the service;
+ * for example, S3 ARNs don't have a region or account ID), and the final
+ * component of the ARN (`resource`) may contain its own internal structure that
+ * is also service-dependent and which may also include colons. In particular,
+ * quoting the Amazon docs: "Be aware that the ARNs for some resources omit the
+ * Region, the account ID, or both the Region and the account ID."
+ *
+ * @param arn The ARN to parse as a string.
+ * @return A structure representing the components of the ARN. All fields will
+ * be defined, but some may be empty strings if they are not present in the ARN.
+ */
+export declare const parseArn: (arn: string) => {
+    partition: string;
+    service: string;
+    region: string;
+    accountId: string;
+    resource: string;
+};

package/dist/plugins/aws/utils.js

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseArn = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const ARN_PATTERN = /^arn:(aws|aws-us-gov|aws-cn|aws-iso|aws-iso-b):([^:]*):([^:]*):([^:]*):(.*)$/;
+/**
+ * Parses out Amazon Resource Names (ARNs) from AWS into their components. Note
+ * that not all components are present in all ARNs (depending on the service;
+ * for example, S3 ARNs don't have a region or account ID), and the final
+ * component of the ARN (`resource`) may contain its own internal structure that
+ * is also service-dependent and which may also include colons. In particular,
+ * quoting the Amazon docs: "Be aware that the ARNs for some resources omit the
+ * Region, the account ID, or both the Region and the account ID."
+ *
+ * @param arn The ARN to parse as a string.
+ * @return A structure representing the components of the ARN. All fields will
+ * be defined, but some may be empty strings if they are not present in the ARN.
+ */
+const parseArn = (arn) => {
+    // Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html
+    const invalidArnMsg = `Invalid AWS ARN: ${arn}`;
+    const match = arn.match(ARN_PATTERN);
+    if (!match) {
+        throw invalidArnMsg;
+    }
+    const [_, partition, service, region, accountId, resource] = match;
+    // We know these are all defined based on the regex, but TypeScript doesn't.
+    // Empty string is okay, so explicitly check for undefined.
+    if (partition === undefined ||
+        service === undefined ||
+        accountId === undefined ||
+        region === undefined ||
+        resource === undefined) {
+        throw invalidArnMsg;
+    }
+    return {
+        partition,
+        service,
+        region,
+        accountId,
+        resource,
+    };
+};
+exports.parseArn = parseArn;
+//# sourceMappingURL=utils.js.map

package/dist/plugins/aws/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/plugins/aws/utils.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;GASG;AACH,MAAM,WAAW,GACf,8EAA8E,CAAC;AAEjF;;;;;;;;;;;;GAYG;AACI,MAAM,QAAQ,GAAG,CACtB,GAAW,EAOX,EAAE;IACF,kFAAkF;IAClF,MAAM,aAAa,GAAG,oBAAoB,GAAG,EAAE,CAAC;IAChD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAErC,IAAI,CAAC,KAAK,EAAE;QACV,MAAM,aAAa,CAAC;KACrB;IAED,MAAM,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC,GAAG,KAAK,CAAC;IAEnE,4EAA4E;IAC5E,2DAA2D;IAC3D,IACE,SAAS,KAAK,SAAS;QACvB,OAAO,KAAK,SAAS;QACrB,SAAS,KAAK,SAAS;QACvB,MAAM,KAAK,SAAS;QACpB,QAAQ,KAAK,SAAS,EACtB;QACA,MAAM,aAAa,CAAC;KACrB;IAED,OAAO;QACL,SAAS;QACT,OAAO;QACP,MAAM;QACN,SAAS;QACT,QAAQ;KACT,CAAC;AACJ,CAAC,CAAC;AAtCW,QAAA,QAAQ,YAsCnB"}

package/dist/plugins/google/login.js

@@ -26,7 +26,7 @@ You should have received a copy of the GNU General Public License along with @p0
 const oidc_1 = require("../../common/auth/oidc");
 const server_1 = require("../../common/auth/server");
 const fetch_1 = require("../../common/fetch");
-const env_1 = require("../../drivers/env");
+const config_1 = require("../../drivers/config");
 const stdio_1 = require("../../drivers/stdio");
 const open_1 = __importDefault(require("open"));
 const GOOGLE_OIDC_URL = "https://accounts.google.com/o/oauth2/v2/auth";
@@ -35,10 +35,11 @@ const GOOGLE_OIDC_REDIRECT_PORT = 52700;
 const GOOGLE_OIDC_REDIRECT_URL = `http://127.0.0.1:${GOOGLE_OIDC_REDIRECT_PORT}`;
 const PKCE_LENGTH = 128;
 const requestAuth = () => __awaiter(void 0, void 0, void 0, function* () {
+    const tenantConfig = (0, config_1.getTenantConfig)();
     const pkceChallenge = (yield import("pkce-challenge")).default;
     const pkce = yield pkceChallenge(PKCE_LENGTH);
     const authBody = {
-        client_id: env_1.config.google.clientId,
+        client_id: tenantConfig.google.clientId,
         code_challenge: pkce.code_challenge,
         code_challenge_method: "S256",
         redirect_uri: GOOGLE_OIDC_REDIRECT_URL,
@@ -54,9 +55,10 @@ ${url}`);
     return pkce;
 });
 const requestToken = (code, pkce) => __awaiter(void 0, void 0, void 0, function* () {
+    const tenantConfig = (0, config_1.getTenantConfig)();
     const body = {
-        client_id: env_1.config.google.clientId,
-        client_secret: env_1.config.google.clientSecret,
+        client_id: tenantConfig.google.clientId,
+        client_secret: tenantConfig.google.clientSecret,
         code,
         code_verifier: pkce.code_verifier,
         grant_type: "authorization_code",

package/dist/plugins/google/login.js.map

@@ -1 +1 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/plugins/google/login.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAsD;AACtD,qDAA8D;AAC9D,8CAAiE;AACjE,2CAA2C;AAC3C,+CAA6C;AAE7C,gDAAwB;AAOxB,MAAM,eAAe,GAAG,8CAA8C,CAAC;AACvE,MAAM,wBAAwB,GAAG,qCAAqC,CAAC;AACvE,MAAM,yBAAyB,GAAG,KAAK,CAAC;AACxC,MAAM,wBAAwB,GAAG,oBAAoB,yBAAyB,EAAE,CAAC;AACjF,MAAM,WAAW,GAAG,GAAG,CAAC;AAExB,MAAM,WAAW,GAAG,GAAS,EAAE;IAC7B,MAAM,aAAa,GAAG,CAAC,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAc,CAAC;IACtE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAqB;QACjC,SAAS,EAAE,YAAM,CAAC,MAAM,CAAC,QAAQ;QACjC,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,qBAAqB,EAAE,MAAM;QAC7B,YAAY,EAAE,wBAAwB;QACtC,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,QAAQ;KAChB,CAAC;IACF,MAAM,GAAG,GAAG,GAAG,eAAe,IAAI,IAAA,iBAAS,EAAC,QAAQ,CAAC,EAAE,CAAC;IACxD,IAAA,cAAI,EAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;QACnB,IAAA,cAAM,EAAC;;EAET,GAAG,EAAE,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IACH,OAAO,IAAI,CAAC;AACd,CAAC,CAAA,CAAC;AAEF,MAAM,YAAY,GAAG,CACnB,IAAY,EACZ,IAAuD,EACvD,EAAE;IACF,MAAM,IAAI,GAAG;QACX,SAAS,EAAE,YAAM,CAAC,MAAM,CAAC,QAAQ;QACjC,aAAa,EAAE,YAAM,CAAC,MAAM,CAAC,YAAY;QACzC,IAAI;QACJ,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,UAAU,EAAE,oBAAoB;QAChC,YAAY,EAAE,wBAAwB;KACvC,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,wBAAwB,EAAE;QACrD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,mBAAY;QACrB,IAAI,EAAE,IAAA,iBAAS,EAAC,IAAI,CAAC;KACtB,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;IAC/C,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,EAAE,CAAkB,CAAC;AAC/C,CAAC,CAAA,CAAC;AAEK,MAAM,WAAW,GAAG,GAAS,EAAE;IACpC,OAAO,MAAM,IAAA,2BAAkB,EAC7B,GAAS,EAAE,kDAAC,OAAA,MAAM,WAAW,EAAE,CAAA,GAAA,EAC/B,CAAO,IAAI,EAAE,KAAK,EAAE,EAAE,kDAAC,OAAA,MAAM,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA,GAAA,EAC3D,EAAE,IAAI,EAAE,yBAAyB,EAAE,CACpC,CAAC;AACJ,CAAC,CAAA,CAAC;AANW,QAAA,WAAW,eAMtB"}
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/plugins/google/login.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAsD;AACtD,qDAA8D;AAC9D,8CAAiE;AACjE,iDAAuD;AACvD,+CAA6C;AAE7C,gDAAwB;AAOxB,MAAM,eAAe,GAAG,8CAA8C,CAAC;AACvE,MAAM,wBAAwB,GAAG,qCAAqC,CAAC;AACvE,MAAM,yBAAyB,GAAG,KAAK,CAAC;AACxC,MAAM,wBAAwB,GAAG,oBAAoB,yBAAyB,EAAE,CAAC;AACjF,MAAM,WAAW,GAAG,GAAG,CAAC;AAExB,MAAM,WAAW,GAAG,GAAS,EAAE;IAC7B,MAAM,YAAY,GAAG,IAAA,wBAAe,GAAE,CAAC;IACvC,MAAM,aAAa,GAAG,CAAC,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAc,CAAC;IACtE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAqB;QACjC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,QAAQ;QACvC,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,qBAAqB,EAAE,MAAM;QAC7B,YAAY,EAAE,wBAAwB;QACtC,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,QAAQ;KAChB,CAAC;IACF,MAAM,GAAG,GAAG,GAAG,eAAe,IAAI,IAAA,iBAAS,EAAC,QAAQ,CAAC,EAAE,CAAC;IACxD,IAAA,cAAI,EAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;QACnB,IAAA,cAAM,EAAC;;EAET,GAAG,EAAE,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IACH,OAAO,IAAI,CAAC;AACd,CAAC,CAAA,CAAC;AAEF,MAAM,YAAY,GAAG,CACnB,IAAY,EACZ,IAAuD,EACvD,EAAE;IACF,MAAM,YAAY,GAAG,IAAA,wBAAe,GAAE,CAAC;IACvC,MAAM,IAAI,GAAG;QACX,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,QAAQ;QACvC,aAAa,EAAE,YAAY,CAAC,MAAM,CAAC,YAAY;QAC/C,IAAI;QACJ,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,UAAU,EAAE,oBAAoB;QAChC,YAAY,EAAE,wBAAwB;KACvC,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,wBAAwB,EAAE;QACrD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,mBAAY;QACrB,IAAI,EAAE,IAAA,iBAAS,EAAC,IAAI,CAAC;KACtB,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;IAC/C,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,EAAE,CAAkB,CAAC;AAC/C,CAAC,CAAA,CAAC;AAEK,MAAM,WAAW,GAAG,GAAS,EAAE;IACpC,OAAO,MAAM,IAAA,2BAAkB,EAC7B,GAAS,EAAE,kDAAC,OAAA,MAAM,WAAW,EAAE,CAAA,GAAA,EAC/B,CAAO,IAAI,EAAE,KAAK,EAAE,EAAE,kDAAC,OAAA,MAAM,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA,GAAA,EAC3D,EAAE,IAAI,EAAE,yBAAyB,EAAE,CACpC,CAAC;AACJ,CAAC,CAAA,CAAC;AANW,QAAA,WAAW,eAMtB"}

package/dist/plugins/kubeconfig/index.d.ts

@@ -12,7 +12,7 @@ import { KubeconfigCommandArgs } from "../../commands/kubeconfig";
 import { Authn } from "../../types/identity";
 import { Request } from "../../types/request";
 import { AwsCredentials } from "../aws/types";
-import { K8sGenerated, K8sPermissionSpec } from "./types";
+import { K8sPermissionSpec } from "./types";
 import yargs from "yargs";
 export declare const getAndValidateK8sIntegration: (authn: Authn, clusterId: string) => Promise<{
     clusterConfig: {
@@ -24,4 +24,4 @@ export declare const getAndValidateK8sIntegration: (authn: Authn, clusterId: str
 }>;
 export declare const requestAccessToCluster: (authn: Authn, args: yargs.ArgumentsCamelCase<KubeconfigCommandArgs>, clusterId: string, role: string) => Promise<Request<K8sPermissionSpec>>;
 export declare const profileName: (eksCluterName: string) => string;
-export declare const awsCloudAuth: (authn: Authn, awsAccountId: string, generated: K8sGenerated, loginType: "federated" | "idc") => Promise<AwsCredentials>;
+export declare const awsCloudAuth: (authn: Authn, awsAccountId: string, request: Request<K8sPermissionSpec>, loginType: "federated" | "idc") => Promise<AwsCredentials>;

package/dist/plugins/kubeconfig/index.js

@@ -17,6 +17,7 @@ const stdio_1 = require("../../drivers/stdio");
 const util_1 = require("../../util");
 const config_1 = require("../aws/config");
 const idc_1 = require("../aws/idc");
+const utils_1 = require("../aws/utils");
 const aws_1 = require("../okta/aws");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
@@ -28,15 +29,16 @@ const getAndValidateK8sIntegration = (authn, clusterId) => __awaiter(void 0, voi
     if (!config) {
         throw `Cluster with ID ${clusterId} not found`;
     }
-    if (config.state !== "installed" || config.provider.type !== "aws") {
+    if (config.state !== "installed") {
         throw `Cluster with ID ${clusterId} is not installed`;
     }
-    const { provider } = config;
-    const { accountId: awsAccountId, clusterArn: awsClusterArn } = provider;
-    if (!awsAccountId || !awsClusterArn) {
+    const { hosting } = config;
+    if (hosting.type !== "aws") {
         throw (`This command currently only supports AWS EKS clusters, and ${clusterId} is not configured as one.\n` +
             "You can request access to the cluster using the `p0 request k8s` command.");
     }
+    const { arn: awsClusterArn } = hosting;
+    const { accountId: awsAccountId } = (0, utils_1.parseArn)(awsClusterArn);
     const { config: awsConfig } = yield (0, config_1.getAwsConfig)(authn, awsAccountId);
     const { login: awsLogin } = awsConfig;
     // Verify that the AWS auth type is supported before issuing the requests
@@ -70,28 +72,29 @@ const requestAccessToCluster = (authn, args, clusterId, role) => __awaiter(void
     if (!response) {
         throw "Did not receive access ID from server";
     }
-    const { id, isPreexisting } = response;
-    if (!isPreexisting) {
-        (0, stdio_1.print2)("Waiting for access to be provisioned. This may take up to a minute.");
-    }
-    return yield (0, shared_1.waitForProvisioning)(authn, id);
+    const { id } = response;
+    return yield (0, stdio_1.spinUntil)("Waiting for access to be provisioned. This may take up to a minute.", (0, shared_1.waitForProvisioning)(authn, id));
 });
 exports.requestAccessToCluster = requestAccessToCluster;
 const profileName = (eksCluterName) => `p0cli-managed-eks-${eksCluterName}`;
 exports.profileName = profileName;
-const awsCloudAuth = (authn, awsAccountId, generated, loginType) => __awaiter(void 0, void 0, void 0, function* () {
+const awsCloudAuth = (authn, awsAccountId, request, loginType) => __awaiter(void 0, void 0, void 0, function* () {
+    var _c;
+    const { permission, generated } = request;
     const { eksGenerated } = generated;
-    const { name, idc } = eksGenerated;
+    const { name } = eksGenerated;
     switch (loginType) {
-        case "idc":
-            if (!idc) {
+        case "idc": {
+            const { idcId, idcRegion } = (_c = permission.awsResourcePermission) !== null && _c !== void 0 ? _c : {};
+            if (!idcId || !idcRegion) {
                 throw "AWS is configured to use Identity Center, but IDC information wasn't received in the request.";
             }
             return yield (0, idc_1.assumeRoleWithIdc)({
                 accountId: awsAccountId,
                 permissionSet: name,
-                idc,
+                idc: { id: idcId, region: idcRegion },
             });
+        }
         case "federated":
             return yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
                 accountId: awsAccountId,

package/dist/plugins/kubeconfig/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/plugins/kubeconfig/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,kDAA4D;AAC5D,2DAAwD;AACxD,uDAA8C;AAC9C,+CAA6C;AAG7C,qCAAyC;AACzC,0CAA6C;AAC7C,oCAA+C;AAE/C,qCAAqD;AAErD,kDAA4C;AAC5C,mCAA8B;AAGvB,MAAM,4BAA4B,GAAG,CAC1C,KAAY,EACZ,SAAiB,EAQhB,EAAE;;IACH,MAAM,SAAS,GAAG,MAAM,IAAA,kBAAM,EAC5B,IAAA,eAAG,EAAC,KAAK,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,mBAAmB,CAAC,CACzD,CAAC;IAEF,kHAAkH;IAClH,MAAM,MAAM,GAAG,MAAA,MAAA,SAAS,CAAC,IAAI,EAAE,0CAAG,WAAW,CAAC,0CAAG,SAAS,CAAC,CAAC;IAC5D,IAAI,CAAC,MAAM,EAAE;QACX,MAAM,mBAAmB,SAAS,YAAY,CAAC;KAChD;IAED,IAAI,MAAM,CAAC,KAAK,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,KAAK,EAAE;QAClE,MAAM,mBAAmB,SAAS,mBAAmB,CAAC;KACvD;IAED,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;IAC5B,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,GAAG,QAAQ,CAAC;IAExE,IAAI,CAAC,YAAY,IAAI,CAAC,aAAa,EAAE;QACnC,MAAM,CACJ,8DAA8D,SAAS,8BAA8B;YACrG,2EAA2E,CAC5E,CAAC;KACH;IAED,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IACtE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC;IAEtC,yEAAyE;IACzE,IAAI,CAAC,CAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,IAAI,CAAA,IAAI,CAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,IAAI,MAAK,KAAK,EAAE;QAC/C,MAAM,kJAAkJ,CAAC;KAC1J;IAED,OAAO;QACL,aAAa,EAAE;YACb,SAAS;YACT,YAAY;YACZ,aAAa;SACd;QACD,YAAY,EAAE,QAAQ,CAAC,IAAI;KAC5B,CAAC;AACJ,CAAC,CAAA,CAAC;AAnDW,QAAA,4BAA4B,gCAmDvC;AAEK,MAAM,sBAAsB,GAAG,CACpC,KAAY,EACZ,IAAqD,EACrD,SAAiB,EACjB,IAAY,EACyB,EAAE;IACvC,MAAM,QAAQ,GAAG,MAAM,IAAA,iBAAO,EAAC,SAAS,CAAC,iCAElC,IAAA,aAAI,EAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,KACxB,SAAS,EAAE;YACT,KAAK;YACL,UAAU;YACV,WAAW;YACX,SAAS;YACT,QAAQ;YACR,IAAI;YACJ,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACjD,GAAG,CAAC,IAAI,CAAC,iBAAiB;gBACxB,CAAC,CAAC,CAAC,sBAAsB,EAAE,IAAI,CAAC,iBAAiB,CAAC;gBAClD,CAAC,CAAC,EAAE,CAAC;SACR,EACD,IAAI,EAAE,IAAI,KAEZ,KAAK,EACL,EAAE,OAAO,EAAE,mBAAmB,EAAE,CACjC,CAAC;IAEF,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,uCAAuC,CAAC;KAC/C;IACD,MAAM,EAAE,EAAE,EAAE,aAAa,EAAE,GAAG,QAAQ,CAAC;IACvC,IAAI,CAAC,aAAa,EAAE;QAClB,IAAA,cAAM,EACJ,qEAAqE,CACtE,CAAC;KACH;IAED,OAAO,MAAM,IAAA,4BAAmB,EAAoB,KAAK,EAAE,EAAE,CAAC,CAAC;AACjE,CAAC,CAAA,CAAC;AAvCW,QAAA,sBAAsB,0BAuCjC;AAEK,MAAM,WAAW,GAAG,CAAC,aAAqB,EAAU,EAAE,CAC3D,qBAAqB,aAAa,EAAE,CAAC;AAD1B,QAAA,WAAW,eACe;AAEhC,MAAM,YAAY,GAAG,CAC1B,KAAY,EACZ,YAAoB,EACpB,SAAuB,EACvB,SAA8B,EACL,EAAE;IAC3B,MAAM,EAAE,YAAY,EAAE,GAAG,SAAS,CAAC;IACnC,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,YAAY,CAAC;IAEnC,QAAQ,SAAS,EAAE;QACjB,KAAK,KAAK;YACR,IAAI,CAAC,GAAG,EAAE;gBACR,MAAM,+FAA+F,CAAC;aACvG;YAED,OAAO,MAAM,IAAA,uBAAiB,EAAC;gBAC7B,SAAS,EAAE,YAAY;gBACvB,aAAa,EAAE,IAAI;gBACnB,GAAG;aACJ,CAAC,CAAC;QACL,KAAK,WAAW;YACd,OAAO,MAAM,IAAA,4BAAsB,EAAC,KAAK,EAAE;gBACzC,SAAS,EAAE,YAAY;gBACvB,IAAI,EAAE,IAAI;aACX,CAAC,CAAC;QACL;YACE,MAAM,IAAA,kBAAW,EAAC,SAAS,CAAC,CAAC;KAChC;AACH,CAAC,CAAA,CAAC;AA5BW,QAAA,YAAY,gBA4BvB"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/plugins/kubeconfig/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,kDAA4D;AAC5D,2DAAwD;AACxD,uDAA8C;AAC9C,+CAAgD;AAGhD,qCAAyC;AACzC,0CAA6C;AAC7C,oCAA+C;AAE/C,wCAAwC;AACxC,qCAAqD;AAErD,kDAA4C;AAC5C,mCAA8B;AAGvB,MAAM,4BAA4B,GAAG,CAC1C,KAAY,EACZ,SAAiB,EAQhB,EAAE;;IACH,MAAM,SAAS,GAAG,MAAM,IAAA,kBAAM,EAC5B,IAAA,eAAG,EAAC,KAAK,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,mBAAmB,CAAC,CACzD,CAAC;IAEF,kHAAkH;IAClH,MAAM,MAAM,GAAG,MAAA,MAAA,SAAS,CAAC,IAAI,EAAE,0CAAG,WAAW,CAAC,0CAAG,SAAS,CAAC,CAAC;IAC5D,IAAI,CAAC,MAAM,EAAE;QACX,MAAM,mBAAmB,SAAS,YAAY,CAAC;KAChD;IAED,IAAI,MAAM,CAAC,KAAK,KAAK,WAAW,EAAE;QAChC,MAAM,mBAAmB,SAAS,mBAAmB,CAAC;KACvD;IAED,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IAE3B,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE;QAC1B,MAAM,CACJ,8DAA8D,SAAS,8BAA8B;YACrG,2EAA2E,CAC5E,CAAC;KACH;IAED,MAAM,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;IACvC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,IAAA,gBAAQ,EAAC,aAAa,CAAC,CAAC;IAC5D,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IACtE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC;IAEtC,yEAAyE;IACzE,IAAI,CAAC,CAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,IAAI,CAAA,IAAI,CAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,IAAI,MAAK,KAAK,EAAE;QAC/C,MAAM,kJAAkJ,CAAC;KAC1J;IAED,OAAO;QACL,aAAa,EAAE;YACb,SAAS;YACT,YAAY;YACZ,aAAa;SACd;QACD,YAAY,EAAE,QAAQ,CAAC,IAAI;KAC5B,CAAC;AACJ,CAAC,CAAA,CAAC;AApDW,QAAA,4BAA4B,gCAoDvC;AAEK,MAAM,sBAAsB,GAAG,CACpC,KAAY,EACZ,IAAqD,EACrD,SAAiB,EACjB,IAAY,EACyB,EAAE;IACvC,MAAM,QAAQ,GAAG,MAAM,IAAA,iBAAO,EAAC,SAAS,CAAC,iCAElC,IAAA,aAAI,EAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,KACxB,SAAS,EAAE;YACT,KAAK;YACL,UAAU;YACV,WAAW;YACX,SAAS;YACT,QAAQ;YACR,IAAI;YACJ,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACjD,GAAG,CAAC,IAAI,CAAC,iBAAiB;gBACxB,CAAC,CAAC,CAAC,sBAAsB,EAAE,IAAI,CAAC,iBAAiB,CAAC;gBAClD,CAAC,CAAC,EAAE,CAAC;SACR,EACD,IAAI,EAAE,IAAI,KAEZ,KAAK,EACL,EAAE,OAAO,EAAE,mBAAmB,EAAE,CACjC,CAAC;IAEF,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,uCAAuC,CAAC;KAC/C;IACD,MAAM,EAAE,EAAE,EAAE,GAAG,QAAQ,CAAC;IAExB,OAAO,MAAM,IAAA,iBAAS,EACpB,qEAAqE,EACrE,IAAA,4BAAmB,EAAoB,KAAK,EAAE,EAAE,CAAC,CAClD,CAAC;AACJ,CAAC,CAAA,CAAC;AArCW,QAAA,sBAAsB,0BAqCjC;AAEK,MAAM,WAAW,GAAG,CAAC,aAAqB,EAAU,EAAE,CAC3D,qBAAqB,aAAa,EAAE,CAAC;AAD1B,QAAA,WAAW,eACe;AAEhC,MAAM,YAAY,GAAG,CAC1B,KAAY,EACZ,YAAoB,EACpB,OAAmC,EACnC,SAA8B,EACL,EAAE;;IAC3B,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;IAC1C,MAAM,EAAE,YAAY,EAAE,GAAG,SAAS,CAAC;IACnC,MAAM,EAAE,IAAI,EAAE,GAAG,YAAY,CAAC;IAE9B,QAAQ,SAAS,EAAE;QACjB,KAAK,KAAK,CAAC,CAAC;YACV,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,MAAA,UAAU,CAAC,qBAAqB,mCAAI,EAAE,CAAC;YAEpE,IAAI,CAAC,KAAK,IAAI,CAAC,SAAS,EAAE;gBACxB,MAAM,+FAA+F,CAAC;aACvG;YAED,OAAO,MAAM,IAAA,uBAAiB,EAAC;gBAC7B,SAAS,EAAE,YAAY;gBACvB,aAAa,EAAE,IAAI;gBACnB,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE;aACtC,CAAC,CAAC;SACJ;QACD,KAAK,WAAW;YACd,OAAO,MAAM,IAAA,4BAAsB,EAAC,KAAK,EAAE;gBACzC,SAAS,EAAE,YAAY;gBACvB,IAAI,EAAE,IAAI;aACX,CAAC,CAAC;QACL;YACE,MAAM,IAAA,kBAAW,EAAC,SAAS,CAAC,CAAC;KAChC;AACH,CAAC,CAAA,CAAC;AAhCW,QAAA,YAAY,gBAgCvB"}

package/dist/plugins/kubeconfig/types.d.ts

@@ -16,12 +16,13 @@ export type K8sClusterConfig = {
     isProxy: boolean;
     token: string;
     publicJwk?: string;
-    provider: {
+    hosting: {
         type: "aws";
-        clusterArn: string;
-        accountId: string;
+        arn: string;
     } | {
-        type: "email";
+        type: "azure";
+    } | {
+        type: "gcp";
     };
     state: string;
 };
@@ -38,14 +39,14 @@ export type K8sResourcePermission = {
     role: string;
     clusterId: string;
     type: "resource";
+    awsResourcePermission?: {
+        idcRegion?: string;
+        idcId?: string;
+    };
 };
 export type K8sGenerated = {
     eksGenerated: {
         name: string;
-        idc?: {
-            id: string;
-            region: string;
-        };
     };
     role: string;
 };

package/dist/plugins/ssh/index.js

@@ -136,12 +136,8 @@ function spawnSshNode(options) {
                     return;
                 }
                 (_b = options.abortController) === null || _b === void 0 ? void 0 : _b.abort(code);
-                if (code && code !== 0) {
-                    (0, stdio_1.print2)(`Failed to establish an SSH session.${!options.debug ? " Use the --debug option to see additional details." : ""}`);
-                }
-                else if (!options.isAccessPropagationPreTest) {
+                if (!options.isAccessPropagationPreTest)
                     (0, stdio_1.print2)(`SSH session terminated`);
-                }
                 resolve(code);
             });
         });
@@ -274,9 +270,8 @@ const sshOrScp = (args) => __awaiter(void 0, void 0, void 0, function* () {
     }
     const endTime = Date.now() + sshProvider.propagationTimeoutMs;
     const exitCode = yield preTestAccessPropagationIfNeeded(sshProvider, request, cmdArgs, proxyCommand, credential, endTime);
-    // Only exit if there was an error when pre-testing
     if (exitCode && exitCode !== 0) {
-        return exitCode;
+        return exitCode; // Only exit if there was an error when pre-testing
     }
     return spawnSshNode({
         credential,