@p0security/cli 0.26.15 → 0.27.1
- package/build/dist/commands/aws/rds.js +7 -5
- package/build/dist/commands/aws/rds.js.map +1 -1
- package/build/dist/commands/claude/index.d.ts +2 -0
- package/build/dist/commands/claude/index.js +24 -0
- package/build/dist/commands/claude/index.js.map +1 -0
- package/build/dist/commands/claude/mcp.d.ts +7 -0
- package/build/dist/commands/claude/mcp.js +187 -0
- package/build/dist/commands/claude/mcp.js.map +1 -0
- package/build/dist/commands/file-transfer.d.ts +8 -0
- package/build/dist/commands/file-transfer.js +130 -0
- package/build/dist/commands/file-transfer.js.map +1 -0
- package/build/dist/commands/index.js +4 -0
- package/build/dist/commands/index.js.map +1 -1
- package/build/dist/commands/kubeconfig.js +2 -1
- package/build/dist/commands/kubeconfig.js.map +1 -1
- package/build/dist/commands/login.js +3 -2
- package/build/dist/commands/login.js.map +1 -1
- package/build/dist/commands/logout.js +3 -4
- package/build/dist/commands/logout.js.map +1 -1
- package/build/dist/drivers/api.d.ts +8 -0
- package/build/dist/drivers/api.js +20 -18
- package/build/dist/drivers/api.js.map +1 -1
- package/build/dist/drivers/auth/index.d.ts +3 -1
- package/build/dist/drivers/auth/index.js +44 -2
- package/build/dist/drivers/auth/index.js.map +1 -1
- package/build/dist/drivers/auth/lock.d.ts +11 -0
- package/build/dist/drivers/auth/lock.js +70 -0
- package/build/dist/drivers/auth/lock.js.map +1 -0
- package/build/dist/drivers/auth/path.d.ts +1 -0
- package/build/dist/drivers/auth/path.js +12 -10
- package/build/dist/drivers/auth/path.js.map +1 -1
- package/build/dist/drivers/auth/refresh.d.ts +31 -0
- package/build/dist/drivers/auth/refresh.js +130 -0
- package/build/dist/drivers/auth/refresh.js.map +1 -0
- package/build/dist/drivers/stdio.d.ts +8 -0
- package/build/dist/drivers/stdio.js +12 -1
- package/build/dist/drivers/stdio.js.map +1 -1
- package/build/dist/plugins/aws/ssh.js +8 -3
- package/build/dist/plugins/aws/ssh.js.map +1 -1
- package/build/dist/plugins/db/types.d.ts +13 -10
- package/build/dist/plugins/file-transfer/index.d.ts +35 -0
- package/build/dist/plugins/file-transfer/index.js +74 -0
- package/build/dist/plugins/file-transfer/index.js.map +1 -0
- package/build/dist/plugins/file-transfer/types.d.ts +31 -0
- package/build/dist/plugins/file-transfer/types.js +3 -0
- package/build/dist/plugins/file-transfer/types.js.map +1 -0
- package/build/dist/plugins/google/auth.d.ts +4 -0
- package/build/dist/plugins/google/auth.js +75 -0
- package/build/dist/plugins/google/auth.js.map +1 -0
- package/build/dist/plugins/google/ssh-key.js +7 -3
- package/build/dist/plugins/google/ssh-key.js.map +1 -1
- package/build/dist/plugins/google/ssh.js +5 -2
- package/build/dist/plugins/google/ssh.js.map +1 -1
- package/build/dist/plugins/kubeconfig/types.d.ts +3 -5
- package/build/dist/plugins/login.d.ts +3 -1
- package/build/dist/plugins/login.js +2 -2
- package/build/dist/plugins/login.js.map +1 -1
- package/build/dist/plugins/okta/login.d.ts +10 -2
- package/build/dist/plugins/okta/login.js +38 -12
- package/build/dist/plugins/okta/login.js.map +1 -1
- package/build/dist/plugins/ssh/index.js +1 -1
- package/build/dist/plugins/ssh/index.js.map +1 -1
- package/build/dist/types/delegation.d.ts +39 -0
- package/build/dist/types/delegation.js +36 -0
- package/build/dist/types/delegation.js.map +1 -0
- package/build/dist/types/request.d.ts +5 -3
- package/build/dist/types/request.js.map +1 -1
- package/build/tsconfig.build.tsbuildinfo +1 -1
- package/package.json +6 -1
|
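--- a/package/build/dist/drivers/api.d.ts
+++ b/package/build/dist/drivers/api.d.ts
@@ -1,5 +1,6 @@
 import { Authn } from "../types/identity";
 import yargs from "yargs";
+export declare const tenantUrl: (tenant: string) => string;
 export declare const requestStatusUrl: (tenant: string, requestId: string) => string;
 export declare const tracesUrl: (tenant: string) => string;
 export declare const fetchOrgData: <T>(orgId: string) => Promise<T>;
@@ -42,3 +43,10 @@ export declare const auditSshSessionActivity: (args: {
 action: `ssh.session.${"end" | "start"}`;
 debug: boolean | undefined;
 }) => Promise<void>;
+export declare const authFetch: <T>(authn: Authn, args: {
+url: string;
+method: string;
+body?: string;
+maxTimeoutMs?: number;
+debug?: boolean;
+}) => Promise<T>;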
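Review bot: `authFetch` becomes a public export in the second hunk, but its declaration says nothing about the fact that it sends the caller's credential to whatever `url` it is handed — the api.js tail (`return baseFetch(Object.assign(Object.assign({}, args), { headers }))`) merges a header object built from the authn token into the request and passes the URL through unchanged, so presumably the bearer token rides along to any host. A caller that builds `url` from anything other than `tenantUrl(...)`, or from user-controlled input, would hand the user's P0 token to a third party, and the `url: string` type gives no hint of that. I would add a TSDoc block above the declaration: `/** Authenticated request to the P0 API. The caller's bearer credential is attached to every request, so url MUST be derived from tenantUrl(...) and never from untrusted input. */`, plus one-line `@param` entries for `maxTimeoutMs` and `debug`.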
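--- a/package/build/dist/drivers/api.js
+++ b/package/build/dist/drivers/api.js
@@ -56,7 +56,7 @@ var __asyncGenerator = (this && this.__asyncGenerator) || function (thisArg, _ar
 function settle(f, v) { if (f(v), q.shift(), q.length) resume(q[0][0], q[0][1]); }
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.auditSshSessionActivity = exports.fetchWithStreaming = exports.certificateSigningRequest = exports.fetchSshHostKeys = exports.submitPublicKey = exports.fetchAdminLsCommand = exports.fetchCommand = exports.fetchStreamingStatus = exports.fetchIntegrationConfig = exports.fetchAccountInfo = exports.fetchOrgData = exports.tracesUrl = exports.requestStatusUrl = void 0;
+exports.authFetch = exports.auditSshSessionActivity = exports.fetchWithStreaming = exports.certificateSigningRequest = exports.fetchSshHostKeys = exports.submitPublicKey = exports.fetchAdminLsCommand = exports.fetchCommand = exports.fetchStreamingStatus = exports.fetchIntegrationConfig = exports.fetchAccountInfo = exports.fetchOrgData = exports.tracesUrl = exports.requestStatusUrl = exports.tenantUrl = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -76,29 +76,30 @@ const util_1 = require("./util");
 const path = __importStar(require("node:path"));
 const tenantOrgUrl = (tenant) => `${(0, config_1.getAppUrl)()}/orgs/${tenant}`;
 const tenantUrl = (tenant) => `${(0, config_1.getTenantConfig)().appUrl}/o/${tenant}`;
-
-const
-const
-const
-const
+exports.tenantUrl = tenantUrl;
+const publicKeysUrl = (tenant) => `${(0, exports.tenantUrl)(tenant)}/integrations/ssh/public-keys`;
+const sshHostKeysUrl = (tenant) => `${(0, exports.tenantUrl)(tenant)}/integrations/ssh/host-keys`;
+const certSignRequestUrl = (tenant) => `${(0, exports.tenantUrl)(tenant)}/integrations/ssh/certificates`;
+const sshAuditUrl = (tenant) => `${(0, exports.tenantUrl)(tenant)}/integrations/ssh/audit`;
+const commandUrl = (tenant) => `${(0, exports.tenantUrl)(tenant)}/command/`;
 const requestStatusUrl = (tenant, requestId) => `${commandUrl(tenant)}${requestId}/poll`;
 exports.requestStatusUrl = requestStatusUrl;
-const adminLsCommandUrl = (tenant) => `${tenantUrl(tenant)}/command/ls`;
-const tracesUrl = (tenant) => `${tenantUrl(tenant)}/traces`;
+const adminLsCommandUrl = (tenant) => `${(0, exports.tenantUrl)(tenant)}/command/ls`;
+const tracesUrl = (tenant) => `${(0, exports.tenantUrl)(tenant)}/traces`;
 exports.tracesUrl = tracesUrl;
 const fetchOrgData = (orgId) => __awaiter(void 0, void 0, void 0, function* () { return baseFetch({ url: tenantOrgUrl(orgId), method: "GET" }); });
 exports.fetchOrgData = fetchOrgData;
 const fetchAccountInfo = (authn, debug) => __awaiter(void 0, void 0, void 0, function* () {
-return authFetch(authn, {
-url: `${tenantUrl(authn.identity.org.slug)}/account`,
+return (0, exports.authFetch)(authn, {
+url: `${(0, exports.tenantUrl)(authn.identity.org.slug)}/account`,
 method: "GET",
 debug,
 });
 });
 exports.fetchAccountInfo = fetchAccountInfo;
 const fetchIntegrationConfig = (authn, integration, debug) => __awaiter(void 0, void 0, void 0, function* () {
-return authFetch(authn, {
-url: `${tenantUrl(authn.identity.org.slug)}/integrations/${integration}/config`,
+return (0, exports.authFetch)(authn, {
+url: `${(0, exports.tenantUrl)(authn.identity.org.slug)}/integrations/${integration}/config`,
 method: "GET",
 debug,
 });
@@ -114,7 +115,7 @@ const fetchStreamingStatus = function (authn, requestId, debug) {
 };
 exports.fetchStreamingStatus = fetchStreamingStatus;
 const fetchCommand = (authn, args, argv) => __awaiter(void 0, void 0, void 0, function* () {
-return authFetch(authn, {
+return (0, exports.authFetch)(authn, {
 url: commandUrl(authn.identity.org.slug),
 method: "POST",
 body: JSON.stringify({
@@ -127,7 +128,7 @@ const fetchCommand = (authn, args, argv) => __awaiter(void 0, void 0, void 0, fu
 exports.fetchCommand = fetchCommand;
 /** Special admin 'ls' command that can retrieve results for all users. Requires 'owner' permission. */
 const fetchAdminLsCommand = (authn, args, argv) => __awaiter(void 0, void 0, void 0, function* () {
-return authFetch(authn, {
+return (0, exports.authFetch)(authn, {
 url: adminLsCommandUrl(authn.identity.org.slug),
 method: "POST",
 body: JSON.stringify({
@@ -139,7 +140,7 @@ const fetchAdminLsCommand = (authn, args, argv) => __awaiter(void 0, void 0, voi
 });
 exports.fetchAdminLsCommand = fetchAdminLsCommand;
 const submitPublicKey = (authn, args, debug) => __awaiter(void 0, void 0, void 0, function* () {
-return authFetch(authn, {
+return (0, exports.authFetch)(authn, {
 url: publicKeysUrl(authn.identity.org.slug),
 method: "POST",
 body: JSON.stringify({
@@ -151,7 +152,7 @@ const submitPublicKey = (authn, args, debug) => __awaiter(void 0, void 0, void 0
 });
 exports.submitPublicKey = submitPublicKey;
 const fetchSshHostKeys = (authn, requestId, options) => __awaiter(void 0, void 0, void 0, function* () {
-return authFetch(authn, {
+return (0, exports.authFetch)(authn, {
 url: `${sshHostKeysUrl(authn.identity.org.slug)}?requestId=${encodeURIComponent(requestId)}${(options === null || options === void 0 ? void 0 : options.force) ? "&force=true" : ""}`,
 method: "GET",
 debug: options === null || options === void 0 ? void 0 : options.debug,
@@ -159,7 +160,7 @@ const fetchSshHostKeys = (authn, requestId, options) => __awaiter(void 0, void 0
 });
 exports.fetchSshHostKeys = fetchSshHostKeys;
 const certificateSigningRequest = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
-return authFetch(authn, {
+return (0, exports.authFetch)(authn, {
 url: certSignRequestUrl(authn.identity.org.slug),
 method: "POST",
 body: JSON.stringify({
@@ -297,7 +298,7 @@ const auditSshSessionActivity = (args) => __awaiter(void 0, void 0, void 0, func
 (0, stdio_1.print2)(`Submitting audit log for request: ${requestId}, action: ${action}, sshSessionId: ${sshSessionId}`);
 }
 try {
-yield authFetch(authn, {
+yield (0, exports.authFetch)(authn, {
 url: sshAuditUrl(authn.identity.org.slug),
 method: "POST",
 body: JSON.stringify({
@@ -345,6 +346,7 @@ const authFetch = (authn, args) => __awaiter(void 0, void 0, void 0, function* (
 };
 return baseFetch(Object.assign(Object.assign({}, args), { headers }));
 });
+exports.authFetch = authFetch;
 const handleResponse = (response, responseText, debug) => {
 let data;
 try {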
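Review bot: The new `exports.tenantUrl = tenantUrl;` in the second hunk makes public a URL builder that interpolates `tenant` raw into the path (`${...appUrl}/o/${tenant}`), while `fetchSshHostKeys` in the same file carefully encodes its own path input with `encodeURIComponent(requestId)`. Every caller visible here passes `authn.identity.org.slug` read from the local identity file, but once the helper is exported other modules (the new MCP and file-transfer commands in this release are plausible consumers) will hand it slugs from elsewhere, and a `/`, `?` or `..` in the value would steer an authenticated request to a different API path. Encoding at the source covers all the `*Url` helpers now derived from it: `const tenantUrl = (tenant) => `${(0, config_1.getTenantConfig)().appUrl}/o/${encodeURIComponent(tenant)}`;`. `tenantOrgUrl` on the preceding line has the same shape and would benefit from the same treatment.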
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"api.js","sourceRoot":"","sources":["../../../src/drivers/api.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,2CAAsE;AAEtE,wCAA0C;AAC1C,qCAAsD;AACtD,2CAA4C;AAC5C,mCAAiC;AACjC,iCAAwC;AACxC,gDAAkC;AAGlC,MAAM,YAAY,GAAG,CAAC,MAAc,EAAE,EAAE,CAAC,GAAG,IAAA,kBAAS,GAAE,SAAS,MAAM,EAAE,CAAC;
|
|
1
|
+
{"version":3,"file":"api.js","sourceRoot":"","sources":["../../../src/drivers/api.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,2CAAsE;AAEtE,wCAA0C;AAC1C,qCAAsD;AACtD,2CAA4C;AAC5C,mCAAiC;AACjC,iCAAwC;AACxC,gDAAkC;AAGlC,MAAM,YAAY,GAAG,CAAC,MAAc,EAAE,EAAE,CAAC,GAAG,IAAA,kBAAS,GAAE,SAAS,MAAM,EAAE,CAAC;AAClE,MAAM,SAAS,GAAG,CAAC,MAAc,EAAE,EAAE,CAC1C,GAAG,IAAA,wBAAe,GAAE,CAAC,MAAM,MAAM,MAAM,EAAE,CAAC;AAD/B,QAAA,SAAS,aACsB;AAC5C,MAAM,aAAa,GAAG,CAAC,MAAc,EAAE,EAAE,CACvC,GAAG,IAAA,iBAAS,EAAC,MAAM,CAAC,+BAA+B,CAAC;AACtD,MAAM,cAAc,GAAG,CAAC,MAAc,EAAE,EAAE,CACxC,GAAG,IAAA,iBAAS,EAAC,MAAM,CAAC,6BAA6B,CAAC;AACpD,MAAM,kBAAkB,GAAG,CAAC,MAAc,EAAE,EAAE,CAC5C,GAAG,IAAA,iBAAS,EAAC,MAAM,CAAC,gCAAgC,CAAC;AACvD,MAAM,WAAW,GAAG,CAAC,MAAc,EAAE,EAAE,CACrC,GAAG,IAAA,iBAAS,EAAC,MAAM,CAAC,yBAAyB,CAAC;AAEhD,MAAM,UAAU,GAAG,CAAC,MAAc,EAAE,EAAE,CAAC,GAAG,IAAA,iBAAS,EAAC,MAAM,CAAC,WAAW,CAAC;AAChE,MAAM,gBAAgB,GAAG,CAAC,MAAc,EAAE,SAAiB,EAAE,EAAE,CACpE,GAAG,UAAU,CAAC,MAAM,CAAC,GAAG,SAAS,OAAO,CAAC;AAD9B,QAAA,gBAAgB,oBACc;AAC3C,MAAM,iBAAiB,GAAG,CAAC,MAAc,EAAE,EAAE,CAAC,GAAG,IAAA,iBAAS,EAAC,MAAM,CAAC,aAAa,CAAC;AACzE,MAAM,SAAS,GAAG,CAAC,MAAc,EAAE,EAAE,CAAC,GAAG,IAAA,iBAAS,EAAC,MAAM,CAAC,SAAS,CAAC;AAA9D,QAAA,SAAS,aAAqD;AAEpE,MAAM,YAAY,GAAG,CAAU,KAAa,EAAE,EAAE,kDACrD,OAAA,SAAS,CAAI,EAAE,GAAG,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAA,GAAA,CAAC;AAD/C,QAAA,YAAY,gBACmC;AAErD,MAAM,gBAAgB,GAAG,CAAU,KAAY,EAAE,KAAe,EAAE,EAAE;IACzE,OAAA,IAAA,iBAAS,EAAI,KAAK,EAAE;QAClB,GAAG,EAAE,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU;QACpD,MAAM,EAAE,KAAK;QACb,KAAK;KACN,CAAC,CAAA;EAAA,CAAC;AALQ,QAAA,gBAAgB,oBAKxB;AAEE,MAAM,sBAAsB,GAAG,CACpC,KAAY,EACZ,WAAmB,EACnB,KAAe,EACf,EAAE;IACF,OAAA,IAAA,iBAAS,EAAI,KAAK,EAAE;QAClB,GAAG,EAAE,GAAG,IAAA,iBAAS,EAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,iBAAiB,WAAW,SAAS;QAC/E,MAAM,EAAE,KAAK;QACb,KAAK;KACN,CAAC,CAAA;EAAA,CAAC;AATQ,QAAA,sBAAsB,0BAS9B;AAEE,MAAM,oBAAoB,GAAG,UAClC,KAAY,EACZ,SAAiB,EAC
jB,KAAe;;QAEf,cAAA,KAAK,CAAC,CAAC,iBAAA,cAAA,IAAA,0BAAkB,EACvB,KAAK,EACL;YACE,GAAG,EAAE,IAAA,wBAAgB,EAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC;YACzD,MAAM,EAAE,KAAK;SACd,EACD,KAAK,CACN,CAAA,CAAA,CAAA,CAAC;IACJ,CAAC;CAAA,CAAC;AAbW,QAAA,oBAAoB,wBAa/B;AAEK,MAAM,YAAY,GAAG,CAC1B,KAAY,EACZ,IAAmD,EACnD,IAAc,EACd,EAAE;IACF,OAAA,IAAA,iBAAS,EAAI,KAAK,EAAE;QAClB,GAAG,EAAE,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC;QACxC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,IAAI;YACJ,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;SACnC,CAAC;QACF,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC,CAAA;EAAA,CAAC;AAbQ,QAAA,YAAY,gBAapB;AAEL,uGAAuG;AAChG,MAAM,mBAAmB,GAAG,CACjC,KAAY,EACZ,IAAmD,EACnD,IAAc,EACd,EAAE;IACF,OAAA,IAAA,iBAAS,EAAI,KAAK,EAAE;QAClB,GAAG,EAAE,iBAAiB,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC;QAC/C,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,IAAI;YACJ,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;SACnC,CAAC;QACF,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC,CAAA;EAAA,CAAC;AAbQ,QAAA,mBAAmB,uBAa3B;AAEE,MAAM,eAAe,GAAG,CAC7B,KAAY,EACZ,IAA8C,EAC9C,KAAe,EACf,EAAE;IACF,OAAA,IAAA,iBAAS,EAAI,KAAK,EAAE;QAClB,GAAG,EAAE,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC;QAC3C,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC;QACF,KAAK;KACN,CAAC,CAAA;EAAA,CAAC;AAbQ,QAAA,eAAe,mBAavB;AAEE,MAAM,gBAAgB,GAAG,CAC9B,KAAY,EACZ,SAAiB,EACjB,OAA8C,EAC9C,EAAE;IACF,OAAA,IAAA,iBAAS,EAAyB,KAAK,EAAE;QACvC,GAAG,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc,kBAAkB,CAAC,SAAS,CAAC,GAAG,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,EAAE;QAClI,MAAM,EAAE,KAAK;QACb,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK;KACtB,CAAC,CAAA;EAAA,CAAC;AATQ,QAAA,gBAAgB,oBASxB;AAEE,MAAM,yBAAyB,GAAG,CACvC,KAAY,EACZ,IAA8C,EAC9C,EAAE;IACF,OAAA,IAAA,iBAAS,EAAgC,KAAK,EAAE;QAC9C,GAAG,EAAE,kBAAkB,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC;QAChD,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CA
AC,SAAS,CAAC;YACnB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC;KACH,CAAC,CAAA;EAAA,CAAC;AAXQ,QAAA,yBAAyB,6BAWjC;AAEE,MAAM,kBAAkB,GAAG,UAChC,KAAY,EACZ,IAKC,EACD,KAAe;;QAEf,MAAM,KAAK,GAAG,cAAM,KAAK,CAAC,QAAQ,EAAE,CAAA,CAAC;QACrC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;QACjD,MAAM,YAAY,GAAG;YACnB,MAAM;YACN,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;gBAClC,YAAY,EAAE,IAAA,sBAAY,GAAE;aAC7B;YACD,IAAI;YACJ,SAAS,EAAE,IAAI;SAChB,CAAC;QAEF,MAAM,YAAY,GAAG;;;gBACnB,MAAM,QAAQ,GAAG,cAAM,KAAK,CAC1B,GAAG,EACH,YAAY;oBACV,CAAC,iCAAM,YAAY,KAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,YAAY,CAAC,IAC9D,CAAC,CAAC,YAAY,CACjB,CAAA,CAAC;gBAEF,IAAI,CAAC,QAAQ,CAAC,IAAI;oBAAE,MAAM,qBAAqB,CAAC;gBAChD,MAAM,MAAM,GAAG,CAAC,IAAY,EAAE,EAAE;oBAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACjC,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE;wBAC5B,MAAM,OAAO,CAAC,KAAK,CAAC;qBACrB;oBACD,IAAI,OAAO,CAAC,IAAI,KAAK,WAAW,EAAE;wBAChC,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,CAAC,MAAM,IAAI,OAAO,CAAC,EAAE;4BACnD,MAAM,kCAAkC,CAAC;yBAC1C;wBACD,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;wBACzB,IAAI,OAAO,IAAI,IAAI,EAAE;4BACnB,MAAM,IAAI,CAAC,KAAK,CAAC;yBAClB;wBACD,OAAO,IAAS,CAAC;qBAClB;oBACD,OAAO,SAAS,CAAC,CAAC,4BAA4B;gBAChD,CAAC,CAAC;gBACF,mGAAmG;gBACnG,2CAA2C;gBAC3C,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;gBACzC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,CAAC,mBAAmB;gBAEtD,oFAAoF;gBACpF,uFAAuF;gBACvF,+CAA+C;gBAC/C,iDAAiD;gBACjD,IAAI,MAAM,GAAG,EAAE,CAAC;gBAEhB,OAAO,IAAI,EAAE;oBACX,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,cAAM,MAAM,CAAC,IAAI,EAAE,CAAA,CAAC;oBAC5C,IAAI,IAAI;wBAAE,MAAM;oBAEhB,kEAAkE;oBAClE,4DAA4D;oBAC5D,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;oBAClD,IAAI,KAAK;wBAAE,IAAA,cAAM,EAAC,qCAAqC,MAAM,EAAE,CAAC,CAAC;oBACjE,6FAA6F;oBAC7F,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;oBACpC,MAAM,GAAG,MAAA,KAAK,CAAC,GAAG,EAAE,mCAAI,EAAE,CAAC;oBAE3B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE;wBACxB,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;wBAC9B,IAAI
,QAAQ,EAAE;4BACZ,oBAAM,QAAQ,CAAA,CAAC;yBAChB;qBACF;iBACF;gBACD,qIAAqI;gBACrI,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE;oBACrB,yDAAyD;oBACzD,IAAI,KAAK,EAAE;wBACT,IAAA,cAAM,EACJ,sGAAsG;4BACpG,MAAM,CACT,CAAC;qBACH;oBACD,qFAAqF;oBACrF,gHAAgH;oBAChH,4FAA4F;oBAC5F,IAAI;wBACF,IAAI,KAAK,EAAE;4BACT,IAAA,cAAM,EACJ,8DAA8D;gCAC5D,MAAM,CACT,CAAC;yBACH;wBACD,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;qBACzC;oBAAC,OAAO,GAAG,EAAE;wBACZ,yEAAyE;wBACzE,qEAAqE;wBACrE,yBAAyB;wBACzB,IAAI,GAAG,YAAY,WAAW,EAAE;4BAC9B,8BAA8B;4BAC9B,IAAI,KAAK,EAAE;gCACT,IAAA,cAAM,EACJ,0DAA0D;oCACxD,MAAM,CAAC,GAAG,CAAC,CACd,CAAC;6BACH;4BACD,MAAM,kCAAkC,CAAC;yBAC1C;6BAAM;4BACL,MAAM,GAAG,CAAC;yBACX;qBACF;4BAAS;wBACR,cAAM,MAAM,CAAC,MAAM,EAAE,CAAA,CAAC;qBACvB;iBACF;;SACF,CAAC;QAEF,IAAI;YACF,cAAA,KAAK,CAAC,CAAC,iBAAA,cAAA,IAAA,2BAAmB,EAAC,GAAG,EAAE,CAAC,YAAY,EAAE,kCAC1C,yBAAa,KAChB,KAAK,IACL,CAAA,CAAA,CAAA,CAAC;SACJ;QAAC,OAAO,KAAK,EAAE;YACd,IAAI,IAAA,qBAAc,EAAC,KAAK,CAAC,EAAE;gBACzB,IAAI,KAAK,EAAE;oBACT,IAAA,cAAM,EAAC,iBAAiB,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;iBAC3C;gBACD,MAAM,4CAA4C,CAAC;aACpD;iBAAM;gBACL,MAAM,KAAK,CAAC;aACb;SACF;IACH,CAAC;CAAA,CAAC;AAxIW,QAAA,kBAAkB,sBAwI7B;AAEK,MAAM,uBAAuB,GAAG,CAAO,IAM7C,EAAE,EAAE;IACH,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;IAE/D,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,qCAAqC,SAAS,aAAa,MAAM,mBAAmB,YAAY,EAAE,CACnG,CAAC;KACH;IAED,IAAI;QACF,MAAM,IAAA,iBAAS,EAAC,KAAK,EAAE;YACrB,GAAG,EAAE,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC;YACzC,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,SAAS;gBACT,MAAM;gBACN,YAAY;aACb,CAAC;SACH,CAAC,CAAC;QACH,IAAI,KAAK,EAAE;YACT,IAAA,cAAM,EAAC,oCAAoC,SAAS,EAAE,CAAC,CAAC;SACzD;KACF;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,KAAK,EAAE;YACT,IAAA,cAAM,EAAC,2CAA2C,SAAS,EAAE,CAAC,CAAC;YAC/D,IAAA,cAAM,EAAC,UAAU,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;SAC3C;KACF;AACH,CAAC,CAAA,CAAC;AAlCW,QAAA,uBAAuB,2BAkClC;AAEF,MAAM,SAAS,GAAG,CAAU,IAO3B,EAAE,EAAE;IACH,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;
IAC1D,MAAM,YAAY,mBAChB,MAAM,EACN,OAAO,kCACF,CAAC,OAAO,aAAP,OAAO,cAAP,OAAO,GAAI,EAAE,CAAC,KAClB,cAAc,EAAE,kBAAkB,EAClC,YAAY,EAAE,IAAA,sBAAY,GAAE,KAE9B,IAAI,EACJ,SAAS,EAAE,IAAI,IACZ,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CACvE,CAAC;IAEF,MAAM,YAAY,GAAG,GAAS,EAAE;QAC9B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QAChD,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,OAAO,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAM,CAAC;IACzD,CAAC,CAAA,CAAC;IAEF,IAAI;QACF,OAAO,MAAM,IAAA,sBAAc,EAAC,GAAG,EAAE,CAAC,YAAY,EAAE,kCAC3C,yBAAa,KAChB,KAAK,EAAE,IAAI,CAAC,KAAK,IACjB,CAAC;KACJ;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,IAAA,qBAAc,EAAC,KAAK,CAAC,EAAE;YACzB,MAAM,gDAAgD,GAAG,GAAG,CAAC;SAC9D;aAAM;YACL,MAAM,KAAK,CAAC;SACb;KACF;AACH,CAAC,CAAA,CAAC;AAEK,MAAM,SAAS,GAAG,CACvB,KAAY,EACZ,IAMC,EACD,EAAE;IACF,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC;IACrC,MAAM,OAAO,GAAG;QACd,aAAa,EAAE,UAAU,KAAK,EAAE;KACjC,CAAC;IACF,OAAO,SAAS,iCACX,IAAI,KACP,OAAO,IACP,CAAC;AACL,CAAC,CAAA,CAAC;AAlBW,QAAA,SAAS,aAkBpB;AAEF,MAAM,cAAc,GAAG,CACrB,QAAkB,EAClB,YAAoB,EACpB,KAAe,EACf,EAAE;IACF,IAAI,IAAI,CAAC;IACT,IAAI;QACF,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;KACjC;IAAC,OAAO,GAAG,EAAE;QACZ,IAAI,IAAI,IAAI,QAAQ,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;YACpC,MAAM,eAAe,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;SAC/D;aAAM;YACL,IAAI,KAAK,EAAE;gBACT,IAAA,cAAM,EAAC,gBAAgB,MAAM,CAAC,GAAG,CAAC,kBAAkB,YAAY,EAAE,CAAC,CAAC;aACrE;YACD,MAAM,kCAAkC,CAAC;SAC1C;KACF;IAED,IAAI,OAAO,IAAI,IAAI,EAAE;QACnB,MAAM,IAAI,CAAC,KAAK,CAAC;KAClB;IACD,OAAO,IAAI,CAAC;AACd,CAAC,CAAC"}
|
|
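--- a/package/build/dist/drivers/auth/index.d.ts
+++ b/package/build/dist/drivers/auth/index.d.ts
@@ -7,7 +7,9 @@ export declare const cached: <T>(name: string, loader: () => Promise<T>, options
 export declare const loadCredentials: () => Promise<Identity>;
 export declare const remainingTokenTime: (identity: Identity) => number;
 export declare const writeIdentity: (org: OrgData, credential: TokenResponse) => Promise<void>;
-export declare const deleteIdentity: (
+export declare const deleteIdentity: (options?: {
+debug?: boolean;
+}) => Promise<void>;
 export declare const authenticate: (options?: {
 noRefresh?: boolean;
 debug?: boolean;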
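Review bot: `deleteIdentity` gains an `options` bag here with no documentation, and the signature alone cannot tell a caller that the function now performs a network call — in the companion index.js hunk it loads identity.json and, for Okta orgs that hold a `refresh_token`, calls `revokeOktaRefreshToken` before clearing local state. That matters for `logout` callers that may run offline, after the IdP session is already gone, or against a damaged identity file. I would add a TSDoc block: `/** Remove the cached identity and identity.json. For Okta orgs with a stored refresh_token, first asks the IdP to revoke it (see index.js for the failure behaviour). @param options.debug - log the revocation outcome to stderr. */`. The `writeIdentity` declaration above could likewise state that the file is written via a sibling tmp file + rename with mode 0600, since callers now rely on that.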
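--- a/package/build/dist/drivers/auth/index.js
+++ b/package/build/dist/drivers/auth/index.js
@@ -45,12 +45,15 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const login_1 = require("../../commands/login");
 const instrumentation_1 = require("../../opentelemetry/instrumentation");
+const authUtils_1 = require("../../types/authUtils");
 const util_1 = require("../../util");
 const api_1 = require("../api");
 const firestore_1 = require("../firestore");
 const stdio_1 = require("../stdio");
 const util_2 = require("../util");
+const lock_1 = require("./lock");
 const path_1 = require("./path");
+const refresh_1 = require("./refresh");
 const fs = __importStar(require("fs/promises"));
 const path = __importStar(require("path"));
 const MIN_REMAINING_TOKEN_TIME_SECONDS = 60;
@@ -134,6 +137,7 @@ exports.loadCredentials = loadCredentials;
 const remainingTokenTime = (identity) => Math.floor(identity.credential.expires_at - Date.now() * 1e-3);
 exports.remainingTokenTime = remainingTokenTime;
 const loadCredentialsWithAutoLogin = (options) => __awaiter(void 0, void 0, void 0, function* () {
+var _e, _f, _g;
 let identity;
 try {
 identity = yield (0, exports.loadCredentials)();
@@ -149,6 +153,33 @@ const loadCredentialsWithAutoLogin = (options) => __awaiter(void 0, void 0, void
 if ((0, exports.remainingTokenTime)(identity) > MIN_REMAINING_TOKEN_TIME_SECONDS) {
 return identity;
 }
+// If token is expired, and provider is okta, try the silent refresh-token
+// grant first, and only fall through to the interactive device flow if that
+// path is unavailable or fails.
+if (identity.credential.refresh_token &&
+(0, authUtils_1.getProviderType)(identity.org) === "okta") {
+try {
+return yield (0, lock_1.withIdentityLock)(() => __awaiter(void 0, void 0, void 0, function* () {
+// Double-checked under the lock: a peer process may have refreshed
+// identity.json while we were waiting to acquire it.
+const current = yield (0, exports.loadCredentials)();
+if ((0, exports.remainingTokenTime)(current) > MIN_REMAINING_TOKEN_TIME_SECONDS) {
+return current;
+}
+const refreshed = yield (0, refresh_1.refreshOktaTokens)(current, {
+debug: options === null || options === void 0 ? void 0 : options.debug,
+});
+yield (0, exports.writeIdentity)(current.org, refreshed);
+return yield (0, exports.loadCredentials)();
+}));
+}
+catch (e) {
+if (options === null || options === void 0 ? void 0 : options.debug) {
+const detail = (_g = (_f = (_e = e === null || e === void 0 ? void 0 : e.reason) !== null && _e !== void 0 ? _e : e === null || e === void 0 ? void 0 : e.code) !== null && _f !== void 0 ? _f : e === null || e === void 0 ? void 0 : e.message) !== null && _g !== void 0 ? _g : String(e);
+(0, stdio_1.print2)(`Okta refresh-token grant failed (${detail}); falling back to device flow.`);
+}
+}
+}
 if (options === null || options === void 0 ? void 0 : options.noRefresh) {
 throw (0, util_2.getExpiredCredentialsMessage)();
 }
@@ -163,10 +194,21 @@ const writeIdentity = (org, credential) => __awaiter(void 0, void 0, void 0, fun
 (0, stdio_1.print2)(`Saving authorization to ${identityFilePath}.`);
 const dir = path.dirname(identityFilePath);
 yield fs.mkdir(dir, { recursive: true });
-
+// Write to a sibling tmp file then rename, so a crash mid-write can't leave
+// identity.json truncated. Same-directory rename keeps the operation atomic.
+const tmpPath = `${identityFilePath}.tmp`;
+yield fs.writeFile(tmpPath, JSON.stringify({ credential: Object.assign(Object.assign({}, credential), { expires_at }), org }, null, 2), { mode: "600" });
+yield fs.rename(tmpPath, identityFilePath);
 });
 exports.writeIdentity = writeIdentity;
-const deleteIdentity = () => __awaiter(void 0, void 0, void 0, function* () {
+const deleteIdentity = (options) => __awaiter(void 0, void 0, void 0, function* () {
+// Best-effort: revoke the refresh_token at the IDP before destroying our
+// local copy.
+const identity = yield (0, exports.loadCredentials)();
+if (identity.credential.refresh_token &&
+(0, authUtils_1.getProviderType)(identity.org) === "okta") {
+yield (0, refresh_1.revokeOktaRefreshToken)(identity, { debug: options === null || options === void 0 ? void 0 : options.debug });
+}
 yield clearIdentityCache();
 yield clearIdentityFile();
 });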
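Review bot: The new `deleteIdentity` body in the last hunk is commented as best-effort but is not: `loadCredentials()` is awaited unguarded, and that call can reject (the existing caller at the top of `loadCredentialsWithAutoLogin` wraps the same call in try/catch for exactly that reason — e.g. a missing or unparsable identity.json), so a `logout` against a corrupt identity file now throws before `clearIdentityCache()` and `clearIdentityFile()` run, which is the one situation where wiping local state matters most. If `revokeOktaRefreshToken` rejects on a network error (refresh.js is not in this view) the local wipe is skipped the same way; logout.js also changed in this release and may catch this, but the wipe should not depend on it. Wrap the load and the revocation in a try/catch that reports under `debug` and always falls through to the local deletion, as below. Separately, `writeIdentity` now uses a fixed temp name with `fs.writeFile(tmpPath, …, { mode: "600" })`, and that mode is only applied when the file is created; a per-process name with exclusive create, `const tmpPath = `${identityFilePath}.${process.pid}.tmp`;` and `{ mode: "600", flag: "wx" }`, keeps two concurrent writers from truncating each other's temp file and guarantees the 0600 mode on a pre-existing leftover.
```javascript
const deleteIdentity = (options) => __awaiter(void 0, void 0, void 0, function* () {
    // Best-effort: revoke the refresh_token at the IDP before destroying our
    // local copy. A missing/corrupt identity.json or a failed revocation must
    // never prevent the local wipe below.
    try {
        const identity = yield (0, exports.loadCredentials)();
        if (identity.credential.refresh_token &&
            (0, authUtils_1.getProviderType)(identity.org) === "okta") {
            yield (0, refresh_1.revokeOktaRefreshToken)(identity, { debug: options === null || options === void 0 ? void 0 : options.debug });
        }
    }
    catch (e) {
        if (options === null || options === void 0 ? void 0 : options.debug) {
            (0, stdio_1.print2)(`Skipping refresh-token revocation: ${(e && e.message) || String(e)}`);
        }
    }
    // … unchanged: clearIdentityCache / clearIdentityFile …
});
```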
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/drivers/auth/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,gDAA6C;AAC7C,yEAA4E;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/drivers/auth/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,gDAA6C;AAC7C,yEAA4E;AAC5E,qDAAwD;AAIxD,qCAAwC;AACxC,gCAAmC;AACnC,4CAAsD;AACtD,oCAAkC;AAClC,kCAAuD;AACvD,iCAA0C;AAC1C,iCAAmE;AACnE,uCAAsE;AACtE,gDAAkC;AAClC,2CAA6B;AAE7B,MAAM,gCAAgC,GAAG,EAAE,CAAC;AAErC,MAAM,MAAM,GAAG,CACpB,IAAY,EACZ,MAAwB,EACxB,OAA6B,EAC7B,UAAiC,EACrB,EAAE;;IACd,MAAM,iBAAiB,GAAG,IAAA,2BAAoB,GAAE,CAAC;IAEjD,iCAAiC;IACjC,mHAAmH;IACnH,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC;IACvE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE;QACtC,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;KAC3C;IAED,MAAM,SAAS,GAAG,GAAS,EAAE;QAC3B,MAAM,IAAI,GAAG,MAAM,MAAM,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI;YAAE,MAAM,mCAAmC,IAAI,GAAG,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACpE,MAAM,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC,CAAA,CAAC;IAEF,IAAI;QACF,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,QAAQ,EAAE;YACxD,MAAM,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;YACjB,OAAO,MAAM,SAAS,EAAE,CAAC;SAC1B;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAM,CAAC;QACzE,IAAI,UAAU,aAAV,UAAU,uBAAV,UAAU,CAAG,IAAI,CAAC,EAAE;YACtB,MAAM,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;YACjB,OAAO,MAAM,SAAS,EAAE,CAAC;SAC1B;QACD,OAAO,IAAI,CAAC;KACb;IAAC,OAAO,KAAU,EAAE;QACnB,IAAI,CAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,IAAI,MAAK,QAAQ;YAC1B,IAAA,cAAM,EACJ,+BAA+B,IAAI,iBAAiB,MAAA,KAAK,CAAC,OAAO,mCAAI,KAAK,EAAE,CAC7E,CAAC;QACJ,OAAO,MAAM,SAAS,EAAE,CAAC;KAC1B;AACH,CAAC,CAAA,CAAC;AA3CW,QAAA,MAAM,UA2CjB;AAEF,MAAM,iBAAiB,GAAG,GAAS,EAAE;IACnC,IAAI;QACF,MAAM,gBAAgB,GAAG,IAAA,0BAAmB,GAAE,CAAC;QAC/C,6DA
A6D;QAC7D,MAAM,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAClC,MAAM,EAAE,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC;KAC/B;IAAC,WAAM;QACN,OAAO;KACR;AACH,CAAC,CAAA,CAAC;AAEF,MAAM,kBAAkB,GAAG,GAAS,EAAE;IACpC,IAAI;QACF,MAAM,iBAAiB,GAAG,IAAA,2BAAoB,GAAE,CAAC;QACjD,kEAAkE;QAClE,MAAM,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;QACnC,MAAM,EAAE,CAAC,EAAE,CAAC,iBAAiB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;KACrD;IAAC,WAAM;QACN,OAAO;KACR;AACH,CAAC,CAAA,CAAC;AAEK,MAAM,eAAe,GAAG,GAA4B,EAAE;;IAC3D,IAAI;QACF,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAA,0BAAmB,GAAE,CAAC,CAAC;QACxD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAa,CAAC;QACvD,IAAI,CAAC,CAAA,MAAA,IAAI,CAAC,GAAG,0CAAE,IAAI,CAAA,EAAE;YACnB,MAAM,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;SACxD;QACD,OAAO,IAAI,CAAC;KACb;IAAC,OAAO,KAAU,EAAE;QACnB,IAAI,CAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,IAAI,MAAK,QAAQ,EAAE;YAC5B,MAAM,gBAAgB,IAAA,iBAAU,GAAE,0BAA0B,CAAC;SAC9D;QACD,MAAM,KAAK,CAAC;KACb;AACH,CAAC,CAAA,CAAC;AAdW,QAAA,eAAe,mBAc1B;AAEK,MAAM,kBAAkB,GAAG,CAAC,QAAkB,EAAE,EAAE,CACvD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AADpD,QAAA,kBAAkB,sBACkC;AAEjE,MAAM,4BAA4B,GAAG,CAAO,OAG3C,EAAqB,EAAE;;IACtB,IAAI,QAAkB,CAAC;IACvB,IAAI;QACF,QAAQ,GAAG,MAAM,IAAA,uBAAe,GAAE,CAAC;KACpC;IAAC,OAAO,CAAM,EAAE;QACf,IAAI,CAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,IAAI,MAAK,iBAAiB,EAAE;YACjC,MAAM,IAAA,aAAK,EACT,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,EAAE,EACf,EAAE,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAClD,CAAC;YACF,IAAA,cAAM,EAAC,IAAI,CAAC,CAAC;YACb,OAAO,4BAA4B,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;SAC1D;QACD,MAAM,CAAC,CAAC;KACT;IAED,IAAI,IAAA,0BAAkB,EAAC,QAAQ,CAAC,GAAG,gCAAgC,EAAE;QACnE,OAAO,QAAQ,CAAC;KACjB;IAED,0EAA0E;IAC1E,4EAA4E;IAC5E,gCAAgC;IAChC,IACE,QAAQ,CAAC,UAAU,CAAC,aAAa;QACjC,IAAA,2BAAe,EAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,MAAM,EACxC;QACA,IAAI;YACF,OAAO,MAAM,IAAA,uBAAgB,EAAC,GAAS,EAAE;gBACvC,mEAAmE;gBACnE,qDAAqD;gBACrD,MAAM,OAAO,GAAG,MAAM,IAAA,uBAAe,GAAE,CAAC;gBACxC,
IAAI,IAAA,0BAAkB,EAAC,OAAO,CAAC,GAAG,gCAAgC,EAAE;oBAClE,OAAO,OAAO,CAAC;iBAChB;gBACD,MAAM,SAAS,GAAG,MAAM,IAAA,2BAAiB,EAAC,OAAO,EAAE;oBACjD,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK;iBACtB,CAAC,CAAC;gBACH,MAAM,IAAA,qBAAa,EAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;gBAC5C,OAAO,MAAM,IAAA,uBAAe,GAAE,CAAC;YACjC,CAAC,CAAA,CAAC,CAAC;SACJ;QAAC,OAAO,CAAM,EAAE;YACf,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;gBAClB,MAAM,MAAM,GAAG,MAAA,MAAA,MAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,MAAM,mCAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,IAAI,mCAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,OAAO,mCAAI,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC/D,IAAA,cAAM,EACJ,oCAAoC,MAAM,iCAAiC,CAC5E,CAAC;aACH;SACF;KACF;IAED,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,SAAS,EAAE;QACtB,MAAM,IAAA,mCAA4B,GAAE,CAAC;KACtC;IAED,MAAM,IAAA,aAAK,EACT,EAAE,GAAG,EAAE,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,EAC1B,EAAE,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAClD,CAAC;IACF,IAAA,cAAM,EAAC,QAAQ,CAAC,CAAC,CAAC,mBAAmB;IACrC,OAAO,4BAA4B,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AAC3D,CAAC,CAAA,CAAC;AAEK,MAAM,aAAa,GAAG,CAC3B,GAAY,EACZ,UAAyB,EACzB,EAAE;IACF,MAAM,kBAAkB,EAAE,CAAC;IAE3B,MAAM,gBAAgB,GAAG,IAAA,0BAAmB,GAAE,CAAC;IAE/C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,UAAU,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,6BAA6B;IAC/F,IAAA,cAAM,EAAC,2BAA2B,gBAAgB,GAAG,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC3C,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,4EAA4E;IAC5E,6EAA6E;IAC7E,MAAM,OAAO,GAAG,GAAG,gBAAgB,MAAM,CAAC;IAC1C,MAAM,EAAE,CAAC,SAAS,CAChB,OAAO,EACP,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,kCAAO,UAAU,KAAE,UAAU,GAAE,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,EAC3E,EAAE,IAAI,EAAE,KAAK,EAAE,CAChB,CAAC;IACF,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;AAC7C,CAAC,CAAA,CAAC;AArBW,QAAA,aAAa,iBAqBxB;AAEK,MAAM,cAAc,GAAG,CAAO,OAA6B,EAAE,EAAE;IACpE,yEAAyE;IACzE,cAAc;IAEd,MAAM,QAAQ,GAAG,MAAM,IAAA,uBAAe,GAAE,CAAC;IACzC,IACE,QAAQ,CAAC,UAAU,CAAC,aAAa;QACjC,IAAA,2BAAe,EAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,MAAM,EACx
C;QACA,MAAM,IAAA,gCAAsB,EAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE,CAAC,CAAC;KACnE;IAED,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,iBAAiB,EAAE,CAAC;AAC5B,CAAC,CAAA,CAAC;AAdW,QAAA,cAAc,kBAczB;AAEF,gEAAgE;AAChE,MAAM,wBAAwB,GAAG,CAAO,KAAY,EAAiB,EAAE;IACrE,MAAM,GAAG,GAAG,IAAA,eAAS,EAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC/C,MAAM,IAAA,uCAAqB,EAAC,GAAG,EAAE,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;AAC3D,CAAC,CAAA,CAAC;AAEK,MAAM,YAAY,GAAG,CAAO,OAGlC,EAAkB,EAAE;IACnB,MAAM,QAAQ,GAAG,MAAM,4BAA4B,CAAC,OAAO,CAAC,CAAC;IAC7D,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;QAClB,IAAA,cAAM,EAAC,oCAAoC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QAChE,IAAA,cAAM,EAAC,oBAAoB,IAAA,0BAAkB,EAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;KACpE;IACD,IAAI,KAAY,CAAC;IAEjB,IAAI,QAAQ,CAAC,GAAG,CAAC,gBAAgB,EAAE;QACjC,KAAK,GAAG;YACN,QAAQ;YACR,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC;SAClE,CAAC;KACH;SAAM;QACL,kEAAkE;QAClE,yEAAyE;QACzE,oEAAoE;QACpE,MAAM,cAAc,GAAG,MAAM,IAAA,kCAAsB,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACvE,KAAK,GAAG;YACN,QAAQ;YACR,cAAc;YACd,QAAQ,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,UAAU,EAAE;SACjD,CAAC;KACH;IAED,MAAM,wBAAwB,CAAC,KAAK,CAAC,CAAC;IACtC,OAAO,KAAK,CAAC;AACf,CAAC,CAAA,CAAC;AA9BW,QAAA,YAAY,gBA8BvB"}
|
|
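--- /dev/null
+++ b/drivers/auth/lock.d.ts
@@ -0,0 +1,11 @@
+/**
+* Serialize critical sections that read-modify-write the identity file.
+*
+* Acquires an exclusive `proper-lockfile` on identity.json (creates an
+* adjacent `.lock` directory) and releases it after `fn` resolves or rejects.
+* The caller is expected to re-read the identity inside `fn` because a peer
+* may have updated it while we were waiting on the lock.
+*
+* Requires identity.json to exist — caller's responsibility.
+*/
+export declare const withIdentityLock: <T>(fn: () => Promise<T>) => Promise<T>;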
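--- /dev/null
+++ b/drivers/auth/lock.js
@@ -0,0 +1,70 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+return new (P || (P = Promise))(function (resolve, reject) {
+function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+step((generator = generator.apply(thisArg, _arguments || [])).next());
+});
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withIdentityLock = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const path_1 = require("./path");
+const proper_lockfile_1 = __importDefault(require("proper-lockfile"));
+// If a lock holder dies without releasing, the lock file's mtime stops
+// updating; after STALE_LOCK_MS another process is allowed to steal it.
+const STALE_LOCK_MS = 30000;
+// Bound the *total* wait so a hung peer process can't make this CLI invocation
+// appear to hang. The retry backoff below sums to ~20s in the worst case, then
+// proper-lockfile gives up and we let the caller fall through to device flow.
+const LOCK_RETRY_OPTIONS = {
+retries: 8,
+factor: 1.5,
+minTimeout: 100,
+maxTimeout: 4000,
+};
+/**
+* Serialize critical sections that read-modify-write the identity file.
+*
+* Acquires an exclusive `proper-lockfile` on identity.json (creates an
+* adjacent `.lock` directory) and releases it after `fn` resolves or rejects.
+* The caller is expected to re-read the identity inside `fn` because a peer
+* may have updated it while we were waiting on the lock.
+*
+* Requires identity.json to exist — caller's responsibility.
+*/
+const withIdentityLock = (fn) => __awaiter(void 0, void 0, void 0, function* () {
+const release = yield proper_lockfile_1.default.lock((0, path_1.getIdentityFilePath)(), {
+stale: STALE_LOCK_MS,
+retries: LOCK_RETRY_OPTIONS,
+});
+try {
+return yield fn();
+}
+finally {
+try {
+yield release();
+}
+catch (_a) {
+// release() may throw if the lock was stolen (we exceeded stale time)
+// or already released. The on-disk state is still consistent because
+// writeIdentity is atomic; nothing useful to do here.
+}
+}
+});
+exports.withIdentityLock = withIdentityLock;
+//# sourceMappingURL=lock.js.map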
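Review bot: If a peer steals the lock after STALE_LOCK_MS while `fn` is still running, the only place the loss of exclusivity is observed is the swallowed `release()` error at lines 59-66, so a read-modify-write that overlapped with the peer completes silently; proper-lockfile also reports this through its `onCompromised` option, whose default handler throws from an internal timer and takes the process down with an uncaught exception. Consider passing `onCompromised: (err) => { compromised = err; }` to the `lock()` call and checking that variable after `fn` resolves, so the caller can retry or report instead of crashing. The comment on lines 31-33 also looks off: with the retry package's default schedule (100·1.5^i capped at 4000 ms over 8 attempts) the total backoff is roughly 5 s, not ~20 s, assuming proper-lockfile passes these options through unchanged. Finally, a timed-out `lock()` rejects from withIdentityLock itself, before the try block, so the "fall through to device flow" only happens if the caller catches that rejection; the caller is outside this hunk.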
@@ -0,0 +1 @@
1
+
{"version":3,"file":"lock.js","sourceRoot":"","sources":["../../../../src/drivers/auth/lock.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iCAA6C;AAC7C,sEAAuC;AAEvC,uEAAuE;AACvE,wEAAwE;AACxE,MAAM,aAAa,GAAG,KAAM,CAAC;AAE7B,+EAA+E;AAC/E,+EAA+E;AAC/E,8EAA8E;AAC9E,MAAM,kBAAkB,GAAG;IACzB,OAAO,EAAE,CAAC;IACV,MAAM,EAAE,GAAG;IACX,UAAU,EAAE,GAAG;IACf,UAAU,EAAE,IAAI;CACjB,CAAC;AAEF;;;;;;;;;GASG;AACI,MAAM,gBAAgB,GAAG,CAAU,EAAoB,EAAc,EAAE;IAC5E,MAAM,OAAO,GAAG,MAAM,yBAAQ,CAAC,IAAI,CAAC,IAAA,0BAAmB,GAAE,EAAE;QACzD,KAAK,EAAE,aAAa;QACpB,OAAO,EAAE,kBAAkB;KAC5B,CAAC,CAAC;IACH,IAAI;QACF,OAAO,MAAM,EAAE,EAAE,CAAC;KACnB;YAAS;QACR,IAAI;YACF,MAAM,OAAO,EAAE,CAAC;SACjB;QAAC,WAAM;YACN,sEAAsE;YACtE,qEAAqE;YACrE,sDAAsD;SACvD;KACF;AACH,CAAC,CAAA,CAAC;AAhBW,QAAA,gBAAgB,oBAgB3B"}
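--- a/drivers/auth/path.js
+++ b/drivers/auth/path.js
@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
 return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getBootstrapOrgDataPath = exports.getConfigFilePath = exports.getIdentityCachePath = exports.getIdentityFilePath = void 0;
+exports.getBootstrapOrgDataPath = exports.getConfigFilePath = exports.getIdentityCachePath = exports.getIdentityFilePath = exports.postfixPath = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -35,18 +35,20 @@ This file is part of @p0security/cli
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
 const util_1 = require("../../util");
+const lodash_1 = require("lodash");
 const path = __importStar(require("path"));
-const
-
-
+const postfixPath = (fname) => {
+const parts = fname.split(".");
+return path.join(util_1.P0_PATH, process.env.P0_ORG
+? (0, lodash_1.compact)([`${parts[0]}-${process.env.P0_ORG}`, parts[1]]).join(".")
+: fname);
+};
+exports.postfixPath = postfixPath;
+const getIdentityFilePath = () => (0, exports.postfixPath)("identity.json");
 exports.getIdentityFilePath = getIdentityFilePath;
-const getIdentityCachePath = () =>
-? path.join(util_1.P0_PATH, `cache-${process.env.P0_ORG}`)
-: path.join(util_1.P0_PATH, "cache");
+const getIdentityCachePath = () => (0, exports.postfixPath)("cache");
 exports.getIdentityCachePath = getIdentityCachePath;
-const getConfigFilePath = () =>
-? path.join(util_1.P0_PATH, `config.json-${process.env.P0_ORG}`)
-: path.join(util_1.P0_PATH, "config.json");
+const getConfigFilePath = () => (0, exports.postfixPath)("config.json");
 exports.getConfigFilePath = getConfigFilePath;
 const getBootstrapOrgDataPath = (orgId) => {
 const safeOrgId = path.basename(orgId);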
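Review bot: `postfixPath` (new lines 40-45) interpolates `process.env.P0_ORG` into the file name unsanitized, so a value containing a path separator or `..` makes `path.join` resolve identity.json, cache and config.json outside `P0_PATH`; `getBootstrapOrgDataPath` on the context line right below already guards its org id with `path.basename`, and the helper should do the same, e.g. `const org = process.env.P0_ORG ? path.basename(process.env.P0_ORG) : undefined;` and then branch on `org`. The removed code had the same interpolation, but the new shared helper is now the single place to fix it. Note also that the naming scheme changes for per-org users: removed line 48 wrote `config.json-<org>` while the new helper writes `config-<org>.json` (and presumably the same for identity.json, whose removed lines are truncated on this page), so an upgraded client will not find its existing files unless a migration or fallback read is added elsewhere. `fname.split(".")` also keeps only the first two segments, which is fine for the three callers here but deserves a one-line comment.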
@@ -1 +1 @@
1
-
{"version":3,"file":"path.js","sourceRoot":"","sources":["../../../../src/drivers/auth/path.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,qCAAqC;AACrC,2CAA6B;AAEtB,MAAM,
1
+
{"version":3,"file":"path.js","sourceRoot":"","sources":["../../../../src/drivers/auth/path.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,qCAAqC;AACrC,mCAAiC;AACjC,2CAA6B;AAEtB,MAAM,WAAW,GAAG,CAAC,KAAa,EAAE,EAAE;IAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,IAAI,CAAC,IAAI,CACd,cAAO,EACP,OAAO,CAAC,GAAG,CAAC,MAAM;QAChB,CAAC,CAAC,IAAA,gBAAO,EAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;QACpE,CAAC,CAAC,KAAK,CACV,CAAC;AACJ,CAAC,CAAC;AARW,QAAA,WAAW,eAQtB;AAEK,MAAM,mBAAmB,GAAG,GAAG,EAAE,CAAC,IAAA,mBAAW,EAAC,eAAe,CAAC,CAAC;AAAzD,QAAA,mBAAmB,uBAAsC;AAE/D,MAAM,oBAAoB,GAAG,GAAG,EAAE,CAAC,IAAA,mBAAW,EAAC,OAAO,CAAC,CAAC;AAAlD,QAAA,oBAAoB,wBAA8B;AAExD,MAAM,iBAAiB,GAAG,GAAG,EAAE,CAAC,IAAA,mBAAW,EAAC,aAAa,CAAC,CAAC;AAArD,QAAA,iBAAiB,qBAAoC;AAE3D,MAAM,uBAAuB,GAAG,CAAC,KAAa,EAAU,EAAE;IAC/D,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,SAAS,KAAK,KAAK,EAAE;QACvB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;KACzC;IAED,MAAM,QAAQ,GAAG,aAAa,SAAS,OAAO,CAAC;IAC/C,mHAAmH;IACnH,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,CAAC,cAAO,EAAE,QAAQ,CAAC,CAAC;IAEzD,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,cAAO,CAAC,EAAE;QACzC,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;KACzC;IAED,OAAO,gBAAgB,CAAC;AAC1B,CAAC,CAAC;AAfW,QAAA,uBAAuB,2BAelC"}
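--- /dev/null
+++ b/drivers/auth/refresh.d.ts
@@ -0,0 +1,31 @@
+import { Identity } from "../../types/identity";
+import { TokenResponse } from "../../types/oidc";
+export declare const REFRESH_FAILED: "REFRESH_FAILED";
+export type RefreshError = {
+code: typeof REFRESH_FAILED;
+reason: "http_error" | "missing_id_token" | "missing_provider_config" | "network_error" | "no_refresh_token";
+cause?: unknown;
+detail?: string;
+};
+/**
+* Merge a newly-issued credential from the refresh-token grant with the
+* previously-stored credential. Note, not all fields are included in the
+* refreshed token, and thus must be carried forward from the previous/original token.
+**/
+export declare const mergeRefreshedCredential: (previous: TokenResponse, refreshed: TokenResponse) => TokenResponse;
+/**
+* Exchange the stored refresh_token for a new access/id token pair against
+* Okta's /oauth2/v1/token endpoint.
+*
+* On any failure, throws a RefreshError. Callers are expected to
+* catch this and fall through to the device-flow path.
+*/
+export declare const refreshOktaTokens: (identity: Identity, options?: {
+debug?: boolean;
+}) => Promise<TokenResponse>;
+/**
+* Best-effort revoke of the stored refresh_token at Okta's /oauth2/v1/revoke.
+*/
+export declare const revokeOktaRefreshToken: (identity: Identity, options?: {
+debug?: boolean;
+}) => Promise<void>;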
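--- /dev/null
+++ b/drivers/auth/refresh.js
@@ -0,0 +1,130 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+return new (P || (P = Promise))(function (resolve, reject) {
+function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+step((generator = generator.apply(thisArg, _arguments || [])).next());
+});
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.revokeOktaRefreshToken = exports.refreshOktaTokens = exports.mergeRefreshedCredential = exports.REFRESH_FAILED = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const oidc_1 = require("../../common/auth/oidc");
+const fetch_1 = require("../../common/fetch");
+const authUtils_1 = require("../../types/authUtils");
+const stdio_1 = require("../stdio");
+exports.REFRESH_FAILED = "REFRESH_FAILED";
+const refreshError = (reason, extra) => (Object.assign({ code: exports.REFRESH_FAILED, reason }, extra));
+/**
+* Merge a newly-issued credential from the refresh-token grant with the
+* previously-stored credential. Note, not all fields are included in the
+* refreshed token, and thus must be carried forward from the previous/original token.
+**/
+const mergeRefreshedCredential = (previous, refreshed) => {
+var _a, _b, _c;
+return (Object.assign(Object.assign(Object.assign({}, previous), refreshed), { refresh_token: (_a = refreshed.refresh_token) !== null && _a !== void 0 ? _a : previous.refresh_token, device_secret: previous.device_secret,
+// RFC 6749 §6: omitted scope on refresh means "identical to original grant"
+scope: (_b = refreshed.scope) !== null && _b !== void 0 ? _b : previous.scope, token_type: (_c = refreshed.token_type) !== null && _c !== void 0 ? _c : previous.token_type }));
+};
+exports.mergeRefreshedCredential = mergeRefreshedCredential;
+/**
+* Exchange the stored refresh_token for a new access/id token pair against
+* Okta's /oauth2/v1/token endpoint.
+*
+* On any failure, throws a RefreshError. Callers are expected to
+* catch this and fall through to the device-flow path.
+*/
+const refreshOktaTokens = (identity, options) => __awaiter(void 0, void 0, void 0, function* () {
+const refresh_token = identity.credential.refresh_token;
+if (!refresh_token)
+throw refreshError("no_refresh_token");
+const providerDomain = (0, authUtils_1.getProviderDomain)(identity.org);
+const clientId = (0, authUtils_1.getClientId)(identity.org);
+if (!providerDomain || !clientId) {
+throw refreshError("missing_provider_config");
+}
+const url = `https://${providerDomain}/oauth2/v1/token`;
+const init = {
+method: "POST",
+headers: oidc_1.OIDC_HEADERS,
+body: (0, fetch_1.urlEncode)({
+grant_type: "refresh_token",
+client_id: clientId,
+refresh_token,
+}),
+};
+let response;
+try {
+response = yield fetch(url, init);
+}
+catch (e) {
+throw refreshError("network_error", { cause: e });
+}
+if (!response.ok) {
+if (options === null || options === void 0 ? void 0 : options.debug) {
+const detail = yield response.text().catch(() => undefined);
+(0, stdio_1.print2)(`Okta refresh-token grant failed: ${response.status} ${response.statusText} ${detail !== null && detail !== void 0 ? detail : ""}`);
+}
+throw refreshError("http_error", {
+detail: `${response.status} ${response.statusText}`,
+});
+}
+const refreshed = (yield response.json());
+if (!refreshed.id_token) {
+if (options === null || options === void 0 ? void 0 : options.debug) {
+(0, stdio_1.print2)("Okta refresh response omitted id_token; falling back to device flow.");
+}
+throw refreshError("missing_id_token");
+}
+return (0, exports.mergeRefreshedCredential)(identity.credential, refreshed);
+});
+exports.refreshOktaTokens = refreshOktaTokens;
+/**
+* Best-effort revoke of the stored refresh_token at Okta's /oauth2/v1/revoke.
+*/
+const revokeOktaRefreshToken = (identity, options) => __awaiter(void 0, void 0, void 0, function* () {
+const refresh_token = identity.credential.refresh_token;
+if (!refresh_token)
+return;
+const providerDomain = (0, authUtils_1.getProviderDomain)(identity.org);
+const clientId = (0, authUtils_1.getClientId)(identity.org);
+if (!providerDomain || !clientId) {
+if (options === null || options === void 0 ? void 0 : options.debug) {
+(0, stdio_1.print2)("Skipping refresh-token revoke: missing provider domain or client id.");
+}
+return;
+}
+try {
+const response = yield fetch(`https://${providerDomain}/oauth2/v1/revoke`, {
+method: "POST",
+headers: oidc_1.OIDC_HEADERS,
+body: (0, fetch_1.urlEncode)({
+client_id: clientId,
+token: refresh_token,
+token_type_hint: "refresh_token",
+}),
+});
+if (!response.ok && (options === null || options === void 0 ? void 0 : options.debug)) {
+(0, stdio_1.print2)(`Refresh-token revoke returned ${response.status} ${response.statusText}; proceeding with logout.`);
+}
+}
+catch (e) {
+if (options === null || options === void 0 ? void 0 : options.debug) {
+const detail = e instanceof Error ? e.message : String(e);
+(0, stdio_1.print2)(`Refresh-token revoke failed (${detail}); proceeding with logout.`);
+}
+}
+});
+exports.revokeOktaRefreshToken = revokeOktaRefreshToken;
+//# sourceMappingURL=refresh.js.map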
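Review bot: `yield response.json()` at line 83 sits outside the try/catch, so a 2xx reply with a non-JSON body escapes refreshOktaTokens as a SyntaxError rather than the RefreshError the docblock on lines 45-46 promises, and a caller that only catches RefreshError will not fall through to device flow; wrap it, e.g. `let refreshed; try { refreshed = yield response.json(); } catch (e) { throw refreshError("http_error", { cause: e, detail: "malformed token response" }); }`. Neither `fetch` call (lines 69 and 109) carries a timeout, so a stalled token endpoint blocks login or logout indefinitely; adding `signal: AbortSignal.timeout(<ms>)` to `init` would surface through the existing network_error path. `mergeRefreshedCredential` (line 36) also spreads the entire server response over the stored credential, so any unexpected key the endpoint returns is persisted into identity.json; copying only the known TokenResponse fields would keep the file to its schema. Lastly, `refreshError` (line 28) builds a plain object rather than an Error subclass, so thrown values carry no stack and `e instanceof Error` checks like the one at line 124 will not match them.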
@@ -0,0 +1 @@
1
+
{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../../../src/drivers/auth/refresh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAsD;AACtD,8CAA+C;AAC/C,qDAAuE;AAGvE,oCAAkC;AAErB,QAAA,cAAc,GAAG,gBAAyB,CAAC;AAcxD,MAAM,YAAY,GAAG,CACnB,MAA8B,EAC9B,KAA4C,EAC9B,EAAE,CAAC,iBAAG,IAAI,EAAE,sBAAc,EAAE,MAAM,IAAK,KAAK,EAAG,CAAC;AAEhE;;;;IAII;AACG,MAAM,wBAAwB,GAAG,CACtC,QAAuB,EACvB,SAAwB,EACT,EAAE;;IAAC,OAAA,+CACf,QAAQ,GACR,SAAS,KACZ,aAAa,EAAE,MAAA,SAAS,CAAC,aAAa,mCAAI,QAAQ,CAAC,aAAa,EAChE,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,4EAA4E;QAC5E,KAAK,EAAE,MAAA,SAAS,CAAC,KAAK,mCAAI,QAAQ,CAAC,KAAK,EACxC,UAAU,EAAE,MAAA,SAAS,CAAC,UAAU,mCAAI,QAAQ,CAAC,UAAU,IACvD,CAAA;CAAA,CAAC;AAXU,QAAA,wBAAwB,4BAWlC;AAEH;;;;;;GAMG;AACI,MAAM,iBAAiB,GAAG,CAC/B,QAAkB,EAClB,OAA6B,EACL,EAAE;IAC1B,MAAM,aAAa,GAAG,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;IACxD,IAAI,CAAC,aAAa;QAAE,MAAM,YAAY,CAAC,kBAAkB,CAAC,CAAC;IAE3D,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAA,uBAAW,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE;QAChC,MAAM,YAAY,CAAC,yBAAyB,CAAC,CAAC;KAC/C;IAED,MAAM,GAAG,GAAG,WAAW,cAAc,kBAAkB,CAAC;IACxD,MAAM,IAAI,GAAgB;QACxB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,mBAAY;QACrB,IAAI,EAAE,IAAA,iBAAS,EAAC;YACd,UAAU,EAAE,eAAe;YAC3B,SAAS,EAAE,QAAQ;YACnB,aAAa;SACd,CAAC;KACH,CAAC;IAEF,IAAI,QAAkB,CAAC;IACvB,IAAI;QACF,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;KACnC;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,YAAY,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;KACnD;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;YAC5D,IAAA,cAAM,EACJ,oCAAoC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,IAAI,MAAM,aAAN,MAAM,cAAN,MAAM,GAAI,EAAE,EAAE,CAC7F,CAAC;SACH;QACD,MAAM,YAAY,CAAC,YAAY,EAAE;YAC/B,MAAM,EAAE,GAAG,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE;SACpD,CAAC,CAAC;KACJ;IAED,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;IAE3D,IAAI,CAAC,SAAS,CAAC,Q
AAQ,EAAE;QACvB,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,IAAA,cAAM,EACJ,sEAAsE,CACvE,CAAC;SACH;QACD,MAAM,YAAY,CAAC,kBAAkB,CAAC,CAAC;KACxC;IAED,OAAO,IAAA,gCAAwB,EAAC,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;AAClE,CAAC,CAAA,CAAC;AAvDW,QAAA,iBAAiB,qBAuD5B;AAEF;;GAEG;AACI,MAAM,sBAAsB,GAAG,CACpC,QAAkB,EAClB,OAA6B,EACd,EAAE;IACjB,MAAM,aAAa,GAAG,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;IACxD,IAAI,CAAC,aAAa;QAAE,OAAO;IAE3B,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAA,uBAAW,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE;QAChC,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,IAAA,cAAM,EACJ,sEAAsE,CACvE,CAAC;SACH;QACD,OAAO;KACR;IAED,IAAI;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,cAAc,mBAAmB,EAAE;YACzE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,mBAAY;YACrB,IAAI,EAAE,IAAA,iBAAS,EAAC;gBACd,SAAS,EAAE,QAAQ;gBACnB,KAAK,EAAE,aAAa;gBACpB,eAAe,EAAE,eAAe;aACjC,CAAC;SACH,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,KAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,CAAA,EAAE;YAClC,IAAA,cAAM,EACJ,iCAAiC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,2BAA2B,CACnG,CAAC;SACH;KACF;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,MAAM,MAAM,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC1D,IAAA,cAAM,EACJ,gCAAgC,MAAM,4BAA4B,CACnE,CAAC;SACH;KACF;AACH,CAAC,CAAA,CAAC;AAzCW,QAAA,sBAAsB,0BAyCjC"}