@p0security/cli 0.27.0 → 0.27.1
- package/build/dist/commands/login.js +3 -2
- package/build/dist/commands/login.js.map +1 -1
- package/build/dist/commands/logout.js +3 -4
- package/build/dist/commands/logout.js.map +1 -1
- package/build/dist/drivers/auth/index.d.ts +3 -1
- package/build/dist/drivers/auth/index.js +44 -2
- package/build/dist/drivers/auth/index.js.map +1 -1
- package/build/dist/drivers/auth/lock.d.ts +11 -0
- package/build/dist/drivers/auth/lock.js +70 -0
- package/build/dist/drivers/auth/lock.js.map +1 -0
- package/build/dist/drivers/auth/refresh.d.ts +31 -0
- package/build/dist/drivers/auth/refresh.js +130 -0
- package/build/dist/drivers/auth/refresh.js.map +1 -0
- package/build/dist/plugins/google/auth.d.ts +4 -0
- package/build/dist/plugins/google/auth.js +75 -0
- package/build/dist/plugins/google/auth.js.map +1 -0
- package/build/dist/plugins/google/ssh-key.js +7 -3
- package/build/dist/plugins/google/ssh-key.js.map +1 -1
- package/build/dist/plugins/google/ssh.js +5 -2
- package/build/dist/plugins/google/ssh.js.map +1 -1
- package/build/dist/plugins/login.d.ts +3 -1
- package/build/dist/plugins/login.js +2 -2
- package/build/dist/plugins/login.js.map +1 -1
- package/build/dist/plugins/okta/login.d.ts +10 -2
- package/build/dist/plugins/okta/login.js +38 -12
- package/build/dist/plugins/okta/login.js.map +1 -1
- package/build/dist/plugins/ssh/index.js +1 -1
- package/build/dist/plugins/ssh/index.js.map +1 -1
- package/build/tsconfig.build.tsbuildinfo +1 -1
- package/package.json +3 -1
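--- a/package/build/dist/commands/login.js
+++ b/package/build/dist/commands/login.js
@@ -39,7 +39,7 @@ const doActualLogin = (orgWithSlug, debug) => __awaiter(void 0, void 0, void 0,
 const loginFn = plugin && login_1.pluginLoginMap[plugin];
 if (!loginFn)
 throw "Unsupported login for your organization";
-const tokenResponse = yield loginFn(orgWithSlug);
+const tokenResponse = yield loginFn(orgWithSlug, { debug });
 yield (0, auth_1.writeIdentity)(orgWithSlug, tokenResponse);
 });
 const formatTimeLeft = (seconds) => {
@@ -105,7 +105,8 @@ const login = (args, options) => __awaiter(void 0, void 0, void 0, function* ()
 else {
 (0, stdio_1.print2)(`You are currently logged in to the ${orgSlug} organization.`);
 }
-
+// Only show the "expires in" line for identities that lack a refresh_token.
+if (tokenTimeRemaining > 0 && !(identity === null || identity === void 0 ? void 0 : identity.credential.refresh_token)) {
 (0, stdio_1.print2)(`The current session expires in ${formatTimeLeft(tokenTimeRemaining)}.`);
 }
 });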
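Review bot: The new condition in the second hunk hides the "expires in" line for any identity that carries a refresh_token, but the silent refresh added in drivers/auth/index.js only runs when `getProviderType(identity.org) === "okta"`, so an identity from another provider that also stores a refresh_token would lose the expiry hint without gaining auto-refresh. If that combination can occur, mirror the provider check here, e.g. `if (tokenTimeRemaining > 0 && !(identity?.credential.refresh_token && getProviderType(identity.org) === "okta")) {` (this file would need to require `../types/authUtils` as index.js now does). Both `doActualLogin` and `login` start before their respective hunks.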
@@ -1 +1 @@
1
-
{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/commands/login.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wCAAkD;AAClD,0CAMyB;AACzB,8CAA+C;AAC/C,oDAA0D;AAC1D,wCAA4C;AAC5C,4CAA0C;AAC1C,4CAAkD;AAClD,kDAAqE;AAKrE,MAAM,gCAAgC,GAAG,CAAC,GAAG,EAAE,CAAC;AAEhD,MAAM,aAAa,GAAG,CAAO,WAAoB,EAAE,KAAe,EAAE,EAAE;IACpE,MAAM,WAAW,GAAG,IAAA,0BAAc,EAAC,WAAW,CAAC,CAAC;IAChD,MAAM,cAAc,GAAG,IAAA,2BAAe,EAAC,WAAW,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAExE,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EAAC,uBAAuB,MAAM,aAAN,MAAM,cAAN,MAAM,GAAI,SAAS,EAAE,CAAC,CAAC;KACtD;IAED,MAAM,OAAO,GAAG,MAAM,IAAI,sBAAc,CAAC,MAAM,CAAC,CAAC;IAEjD,IAAI,CAAC,OAAO;QAAE,MAAM,yCAAyC,CAAC;IAE9D,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;
1
+
{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/commands/login.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wCAAkD;AAClD,0CAMyB;AACzB,8CAA+C;AAC/C,oDAA0D;AAC1D,wCAA4C;AAC5C,4CAA0C;AAC1C,4CAAkD;AAClD,kDAAqE;AAKrE,MAAM,gCAAgC,GAAG,CAAC,GAAG,EAAE,CAAC;AAEhD,MAAM,aAAa,GAAG,CAAO,WAAoB,EAAE,KAAe,EAAE,EAAE;IACpE,MAAM,WAAW,GAAG,IAAA,0BAAc,EAAC,WAAW,CAAC,CAAC;IAChD,MAAM,cAAc,GAAG,IAAA,2BAAe,EAAC,WAAW,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAExE,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EAAC,uBAAuB,MAAM,aAAN,MAAM,cAAN,MAAM,GAAI,SAAS,EAAE,CAAC,CAAC;KACtD;IAED,MAAM,OAAO,GAAG,MAAM,IAAI,sBAAc,CAAC,MAAM,CAAC,CAAC;IAEjD,IAAI,CAAC,OAAO;QAAE,MAAM,yCAAyC,CAAC;IAE9D,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;IAE5D,MAAM,IAAA,oBAAa,EAAC,WAAW,EAAE,aAAa,CAAC,CAAC;AAClD,CAAC,CAAA,CAAC;AAEF,MAAM,cAAc,GAAG,CAAC,OAAe,EAAE,EAAE;IACzC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,kCAAkC;IACzF,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACjD,MAAM,CAAC,GAAG,YAAY,GAAG,EAAE,CAAC;IAC5B,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;AAC3B,CAAC,CAAC;AAEF;;;;;;GAMG;AACI,MAAM,KAAK,GAAG,CACnB,IAAyC,EACzC,OAAyD,EACzD,EAAE;IACF,qDAAqD;IACrD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAe,GAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAEhE,MAAM,kBAAkB,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAA,yBAAkB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEvE,IAAI,QAAQ,GAAG,kBAAkB,GAAG,gCAAgC,CAAC;IACrE,IAAI,OAAO,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC;IAE7C,IAAI,CAAC,OAAO,EAAE;QACZ,IAAI,QAAQ,IAAI,QAAQ,EAAE;YACxB,kFAAkF;YAClF,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC;SAC7B;aAAM;YACL,MAAM,2GAA2G,CAAC;SACnH;KACF;SAAM;QACL,IAAI,QAAQ,IAAI,QAAQ,EAAE;YACxB,IAAI,OAAO,KAAK,QAAQ,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE;gBACjD,sFAAsF;gBACtF,QAAQ,GAAG,KAAK,CAAC;aAClB;
SACF;KACF;IAED,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;QAClB,IAAA,cAAM,EACJ,yBAAyB,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,eAAe,UAAU,OAAO,EAAE,CACrF,CAAC;KACH;IAED,MAAM,IAAA,mBAAU,EAAC,OAAO,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,CAAC,CAAC;IAE1C,MAAM,IAAA,8BAAkB,GAAE,CAAC;IAE3B,MAAM,OAAO,GAAG,MAAM,IAAA,gBAAU,EAAC,OAAO,CAAC,CAAC;IAE1C,MAAM,WAAW,mCAAiB,OAAO,KAAE,IAAI,EAAE,OAAO,GAAE,CAAC;IAE3D,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;QAClB,IAAA,cAAM,EAAC,aAAa,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;KACpD;IAED,IAAI,CAAC,QAAQ,EAAE;QACb,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,IAAA,cAAM,EAAC,wCAAwC,OAAO,EAAE,CAAC,CAAC;SAC3D;QACD,MAAM,aAAa,CAAC,WAAW,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,CAAC,CAAC;KAClD;IAED,IAAI,CAAC,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,gBAAgB,CAAA,EAAE;QAC9B,MAAM,KAAK,GAAG,MAAM,IAAA,mBAAY,EAAC,EAAE,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE,CAAC,CAAC;QAC5D,MAAM,oBAAoB,CAAC,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,CAAC,CAAC;KACnD;IAED,IAAI,CAAC,QAAQ,EAAE;QACb,IAAA,cAAM,EACJ,gCAAgC,OAAO,wCAAwC,CAChF,CAAC;KACH;SAAM;QACL,IAAA,cAAM,EAAC,sCAAsC,OAAO,gBAAgB,CAAC,CAAC;KACvE;IAED,4EAA4E;IAC5E,IAAI,kBAAkB,GAAG,CAAC,IAAI,CAAC,CAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,UAAU,CAAC,aAAa,CAAA,EAAE;QACjE,IAAA,cAAM,EACJ,kCAAkC,cAAc,CAAC,kBAAkB,CAAC,GAAG,CACxE,CAAC;KACH;AACH,CAAC,CAAA,CAAC;AAxEW,QAAA,KAAK,SAwEhB;AAEK,MAAM,YAAY,GAAG,CAAC,KAAiB,EAAE,EAAE,CAChD,KAAK,CAAC,OAAO,CACX,aAAa,EACb,4BAA4B,EAC5B,CAAC,KAAK,EAAE,EAAE,CACR,KAAK;KACF,UAAU,CAAC,KAAK,EAAE;IACjB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,sBAAsB;CACjC,CAAC;KACD,MAAM,CAAC,SAAS,EAAE;IACjB,IAAI,EAAE,SAAS;IACf,QAAQ,EAAE,yBAAyB;IACnC,OAAO,EAAE,KAAK;CACf,CAAC;KACD,MAAM,CAAC,OAAO,EAAE;IACf,IAAI,EAAE,SAAS;IACf,QAAQ,EAAE,0BAA0B;CACrC,CAAC,EAEN,CACE,IAIE,EACF,EAAE,CAAC,IAAA,aAAK,EAAC,IAAI,EAAE,IAAI,CAAC,CACvB,CAAC;AA3BS,QAAA,YAAY,gBA2BrB;AAEJ,MAAM,oBAAoB,GAAG,CAAO,KAAY,EAAE,KAAe,EAAE,EAAE;IACnE,IAAI;QACF,MAAM,IAAA,sBAAgB,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;KACb;IAAC,OAAO,CAAC,EAAE;Q
ACV,MAAM,IAAA,qBAAc,GAAE,CAAC;QACvB,MAAM,2CAA2C,CAAC;KACnD;AACH,CAAC,CAAA,CAAC"}
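--- a/package/build/dist/commands/logout.js
+++ b/package/build/dist/commands/logout.js
@@ -23,6 +23,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+const auth_1 = require("../drivers/auth");
 const path_1 = require("../drivers/auth/path");
 const stdio_1 = require("../drivers/stdio");
 const promises_1 = __importDefault(require("fs/promises"));
@@ -41,12 +42,10 @@ const safeDelete = (filePath, description, debug) => __awaiter(void 0, void 0, v
 });
 const logout = (debug) => __awaiter(void 0, void 0, void 0, function* () {
 (0, stdio_1.print2)("Logging out...");
-
-yield
+// Revoke identity token and delete related files
+yield (0, auth_1.deleteIdentity)({ debug });
 const configPath = (0, path_1.getConfigFilePath)();
 yield safeDelete(configPath, "config file", debug);
-const cachePath = (0, path_1.getIdentityCachePath)();
-yield safeDelete(cachePath, "cache", debug);
 (0, stdio_1.print2)("Successfully logged out. All authentication data has been cleared.");
 });
 const logoutCommand = (yargs) => yargs.command("logout", "Log out and clear all authentication data", (yargs) => yargs.option("debug", {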
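Review bot: `yield (0, auth_1.deleteIdentity)({ debug });` in the second hunk is not error-tolerant the way `safeDelete` on the following lines is: the new deleteIdentity body (index.js hunk `@@ -163,10 +194,21`) starts with an unguarded `loadCredentials()`, and the try/catch around that same call at the top of loadCredentialsWithAutoLogin suggests it rejects when identity.json is missing, so running `logout` while not logged in (or after a partial logout) would abort before `safeDelete(configPath, …)` and deleteIdentity's own clearIdentityCache/clearIdentityFile run. The cleanest fix is in deleteIdentity: `let identity; try { identity = yield (0, exports.loadCredentials)(); } catch (_) { identity = undefined; }` and guard the revoke with `identity?.credential.refresh_token`, so local cleanup always proceeds. The same point applies to the index.js hunk and is not repeated there.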
@@ -1 +1 @@
1
-
{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../../src/commands/logout.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,+
1
+
{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../../src/commands/logout.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,0CAAiD;AACjD,+CAAyD;AACzD,4CAA0C;AAC1C,2DAA6B;AAG7B,MAAM,UAAU,GAAG,CACjB,QAAgB,EAChB,WAAmB,EACnB,KAAc,EACd,EAAE;IACF,IAAI;QACF,MAAM,kBAAE,CAAC,EAAE,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACxD,IAAI,KAAK,EAAE;YACT,IAAA,cAAM,EAAC,WAAW,WAAW,KAAK,QAAQ,EAAE,CAAC,CAAC;SAC/C;KACF;IAAC,OAAO,KAAU,EAAE;QACnB,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE;YAC3B,IAAA,cAAM,EACJ,6BAA6B,WAAW,OAAO,QAAQ,KAAK,KAAK,CAAC,OAAO,EAAE,CAC5E,CAAC;SACH;KACF;AACH,CAAC,CAAA,CAAC;AAEF,MAAM,MAAM,GAAG,CAAO,KAAc,EAAiB,EAAE;IACrD,IAAA,cAAM,EAAC,gBAAgB,CAAC,CAAC;IAEzB,iDAAiD;IACjD,MAAM,IAAA,qBAAc,EAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAEhC,MAAM,UAAU,GAAG,IAAA,wBAAiB,GAAE,CAAC;IACvC,MAAM,UAAU,CAAC,UAAU,EAAE,aAAa,EAAE,KAAK,CAAC,CAAC;IAEnD,IAAA,cAAM,EAAC,oEAAoE,CAAC,CAAC;AAC/E,CAAC,CAAA,CAAC;AAEK,MAAM,aAAa,GAAG,CAAC,KAAiB,EAAE,EAAE,CACjD,KAAK,CAAC,OAAO,CACX,QAAQ,EACR,2CAA2C,EAC3C,CAAC,KAAK,EAAE,EAAE,CACR,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE;IACpB,IAAI,EAAE,SAAS;IACf,QAAQ,EAAE,6CAA6C;IACvD,OAAO,EAAE,KAAK;CACf,CAAC,EACJ,CAAO,IAAI,EAAE,EAAE;;IACb,MAAM,MAAM,CAAC,MAAA,IAAI,CAAC,KAAK,mCAAI,KAAK,CAAC,CAAC;AACpC,CAAC,CAAA,CACF,CAAC;AAbS,QAAA,aAAa,iBAatB"}
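--- a/package/build/dist/drivers/auth/index.d.ts
+++ b/package/build/dist/drivers/auth/index.d.ts
@@ -7,7 +7,9 @@ export declare const cached: <T>(name: string, loader: () => Promise<T>, options
 export declare const loadCredentials: () => Promise<Identity>;
 export declare const remainingTokenTime: (identity: Identity) => number;
 export declare const writeIdentity: (org: OrgData, credential: TokenResponse) => Promise<void>;
-export declare const deleteIdentity: (
+export declare const deleteIdentity: (options?: {
+debug?: boolean;
+}) => Promise<void>;
 export declare const authenticate: (options?: {
 noRefresh?: boolean;
 debug?: boolean;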
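Review bot: `deleteIdentity` now takes an options bag and, per the index.js hunk, reaches the IDP to revoke the refresh token before clearing local state, but its declaration carries no doc comment, unlike `withIdentityLock` in lock.d.ts and every export in refresh.d.ts. Suggest adding above it: `/** Best-effort revoke of the stored Okta refresh_token at the IDP, then clear the local identity cache and identity file. Currently requires a readable identity.json. */` so callers outside this driver know it can perform a network call and what it expects on disk.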
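--- a/package/build/dist/drivers/auth/index.js
+++ b/package/build/dist/drivers/auth/index.js
@@ -45,12 +45,15 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const login_1 = require("../../commands/login");
 const instrumentation_1 = require("../../opentelemetry/instrumentation");
+const authUtils_1 = require("../../types/authUtils");
 const util_1 = require("../../util");
 const api_1 = require("../api");
 const firestore_1 = require("../firestore");
 const stdio_1 = require("../stdio");
 const util_2 = require("../util");
+const lock_1 = require("./lock");
 const path_1 = require("./path");
+const refresh_1 = require("./refresh");
 const fs = __importStar(require("fs/promises"));
 const path = __importStar(require("path"));
 const MIN_REMAINING_TOKEN_TIME_SECONDS = 60;
@@ -134,6 +137,7 @@ exports.loadCredentials = loadCredentials;
 const remainingTokenTime = (identity) => Math.floor(identity.credential.expires_at - Date.now() * 1e-3);
 exports.remainingTokenTime = remainingTokenTime;
 const loadCredentialsWithAutoLogin = (options) => __awaiter(void 0, void 0, void 0, function* () {
+var _e, _f, _g;
 let identity;
 try {
 identity = yield (0, exports.loadCredentials)();
@@ -149,6 +153,33 @@ const loadCredentialsWithAutoLogin = (options) => __awaiter(void 0, void 0, void
 if ((0, exports.remainingTokenTime)(identity) > MIN_REMAINING_TOKEN_TIME_SECONDS) {
 return identity;
 }
+// If token is expired, and provider is okta, try the silent refresh-token
+// grant first, and only fall through to the interactive device flow if that
+// path is unavailable or fails.
+if (identity.credential.refresh_token &&
+(0, authUtils_1.getProviderType)(identity.org) === "okta") {
+try {
+return yield (0, lock_1.withIdentityLock)(() => __awaiter(void 0, void 0, void 0, function* () {
+// Double-checked under the lock: a peer process may have refreshed
+// identity.json while we were waiting to acquire it.
+const current = yield (0, exports.loadCredentials)();
+if ((0, exports.remainingTokenTime)(current) > MIN_REMAINING_TOKEN_TIME_SECONDS) {
+return current;
+}
+const refreshed = yield (0, refresh_1.refreshOktaTokens)(current, {
+debug: options === null || options === void 0 ? void 0 : options.debug,
+});
+yield (0, exports.writeIdentity)(current.org, refreshed);
+return yield (0, exports.loadCredentials)();
+}));
+}
+catch (e) {
+if (options === null || options === void 0 ? void 0 : options.debug) {
+const detail = (_g = (_f = (_e = e === null || e === void 0 ? void 0 : e.reason) !== null && _e !== void 0 ? _e : e === null || e === void 0 ? void 0 : e.code) !== null && _f !== void 0 ? _f : e === null || e === void 0 ? void 0 : e.message) !== null && _g !== void 0 ? _g : String(e);
+(0, stdio_1.print2)(`Okta refresh-token grant failed (${detail}); falling back to device flow.`);
+}
+}
+}
 if (options === null || options === void 0 ? void 0 : options.noRefresh) {
 throw (0, util_2.getExpiredCredentialsMessage)();
 }
@@ -163,10 +194,21 @@ const writeIdentity = (org, credential) => __awaiter(void 0, void 0, void 0, fun
 (0, stdio_1.print2)(`Saving authorization to ${identityFilePath}.`);
 const dir = path.dirname(identityFilePath);
 yield fs.mkdir(dir, { recursive: true });
-
+// Write to a sibling tmp file then rename, so a crash mid-write can't leave
+// identity.json truncated. Same-directory rename keeps the operation atomic.
+const tmpPath = `${identityFilePath}.tmp`;
+yield fs.writeFile(tmpPath, JSON.stringify({ credential: Object.assign(Object.assign({}, credential), { expires_at }), org }, null, 2), { mode: "600" });
+yield fs.rename(tmpPath, identityFilePath);
 });
 exports.writeIdentity = writeIdentity;
-const deleteIdentity = () => __awaiter(void 0, void 0, void 0, function* () {
+const deleteIdentity = (options) => __awaiter(void 0, void 0, void 0, function* () {
+// Best-effort: revoke the refresh_token at the IDP before destroying our
+// local copy.
+const identity = yield (0, exports.loadCredentials)();
+if (identity.credential.refresh_token &&
+(0, authUtils_1.getProviderType)(identity.org) === "okta") {
+yield (0, refresh_1.revokeOktaRefreshToken)(identity, { debug: options === null || options === void 0 ? void 0 : options.debug });
+}
 yield clearIdentityCache();
 yield clearIdentityFile();
 });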
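Review bot: In the writeIdentity hunk the temp file name `${identityFilePath}.tmp` is fixed, so two writers that are not serialized by withIdentityLock — doActualLogin's writeIdentity call in commands/login.js runs outside the lock — can truncate each other's tmp file or rename a half-written one into place, which is exactly what the new comment says the tmp+rename is meant to prevent. A per-process name, `const tmpPath = identityFilePath + "." + process.pid + ".tmp";`, closes that gap; wrapping the writeFile/rename in try/catch that unlinks tmpPath on failure would also avoid leaving a stray credential copy in the directory. Note too that `mode: "600"` only applies when writeFile creates the file, so a leftover tmp from an earlier crash keeps whatever mode it already had. writeIdentity starts before the hunk.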
@@ -1 +1 @@
1
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/drivers/auth/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,gDAA6C;AAC7C,yEAA4E;
1
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/drivers/auth/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,gDAA6C;AAC7C,yEAA4E;AAC5E,qDAAwD;AAIxD,qCAAwC;AACxC,gCAAmC;AACnC,4CAAsD;AACtD,oCAAkC;AAClC,kCAAuD;AACvD,iCAA0C;AAC1C,iCAAmE;AACnE,uCAAsE;AACtE,gDAAkC;AAClC,2CAA6B;AAE7B,MAAM,gCAAgC,GAAG,EAAE,CAAC;AAErC,MAAM,MAAM,GAAG,CACpB,IAAY,EACZ,MAAwB,EACxB,OAA6B,EAC7B,UAAiC,EACrB,EAAE;;IACd,MAAM,iBAAiB,GAAG,IAAA,2BAAoB,GAAE,CAAC;IAEjD,iCAAiC;IACjC,mHAAmH;IACnH,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC;IACvE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE;QACtC,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;KAC3C;IAED,MAAM,SAAS,GAAG,GAAS,EAAE;QAC3B,MAAM,IAAI,GAAG,MAAM,MAAM,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI;YAAE,MAAM,mCAAmC,IAAI,GAAG,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACpE,MAAM,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC,CAAA,CAAC;IAEF,IAAI;QACF,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,QAAQ,EAAE;YACxD,MAAM,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;YACjB,OAAO,MAAM,SAAS,EAAE,CAAC;SAC1B;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAM,CAAC;QACzE,IAAI,UAAU,aAAV,UAAU,uBAAV,UAAU,CAAG,IAAI,CAAC,EAAE;YACtB,MAAM,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;YACjB,OAAO,MAAM,SAAS,EAAE,CAAC;SAC1B;QACD,OAAO,IAAI,CAAC;KACb;IAAC,OAAO,KAAU,EAAE;QACnB,IAAI,CAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,IAAI,MAAK,QAAQ;YAC1B,IAAA,cAAM,EACJ,+BAA+B,IAAI,iBAAiB,MAAA,KAAK,CAAC,OAAO,mCAAI,KAAK,EAAE,CAC7E,CAAC;QACJ,OAAO,MAAM,SAAS,EAAE,CAAC;KAC1B;AACH,CAAC,CAAA,CAAC;AA3CW,QAAA,MAAM,UA2CjB;AAEF,MAAM,iBAAiB,GAAG,GAAS,EAAE;IACnC,IAAI;QACF,MAAM,gBAAgB,GAAG,IAAA,0BAAmB,GAAE,CAAC;QAC/C,6DA
A6D;QAC7D,MAAM,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAClC,MAAM,EAAE,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC;KAC/B;IAAC,WAAM;QACN,OAAO;KACR;AACH,CAAC,CAAA,CAAC;AAEF,MAAM,kBAAkB,GAAG,GAAS,EAAE;IACpC,IAAI;QACF,MAAM,iBAAiB,GAAG,IAAA,2BAAoB,GAAE,CAAC;QACjD,kEAAkE;QAClE,MAAM,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;QACnC,MAAM,EAAE,CAAC,EAAE,CAAC,iBAAiB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;KACrD;IAAC,WAAM;QACN,OAAO;KACR;AACH,CAAC,CAAA,CAAC;AAEK,MAAM,eAAe,GAAG,GAA4B,EAAE;;IAC3D,IAAI;QACF,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAA,0BAAmB,GAAE,CAAC,CAAC;QACxD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAa,CAAC;QACvD,IAAI,CAAC,CAAA,MAAA,IAAI,CAAC,GAAG,0CAAE,IAAI,CAAA,EAAE;YACnB,MAAM,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;SACxD;QACD,OAAO,IAAI,CAAC;KACb;IAAC,OAAO,KAAU,EAAE;QACnB,IAAI,CAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,IAAI,MAAK,QAAQ,EAAE;YAC5B,MAAM,gBAAgB,IAAA,iBAAU,GAAE,0BAA0B,CAAC;SAC9D;QACD,MAAM,KAAK,CAAC;KACb;AACH,CAAC,CAAA,CAAC;AAdW,QAAA,eAAe,mBAc1B;AAEK,MAAM,kBAAkB,GAAG,CAAC,QAAkB,EAAE,EAAE,CACvD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AADpD,QAAA,kBAAkB,sBACkC;AAEjE,MAAM,4BAA4B,GAAG,CAAO,OAG3C,EAAqB,EAAE;;IACtB,IAAI,QAAkB,CAAC;IACvB,IAAI;QACF,QAAQ,GAAG,MAAM,IAAA,uBAAe,GAAE,CAAC;KACpC;IAAC,OAAO,CAAM,EAAE;QACf,IAAI,CAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,IAAI,MAAK,iBAAiB,EAAE;YACjC,MAAM,IAAA,aAAK,EACT,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,EAAE,EACf,EAAE,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAClD,CAAC;YACF,IAAA,cAAM,EAAC,IAAI,CAAC,CAAC;YACb,OAAO,4BAA4B,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;SAC1D;QACD,MAAM,CAAC,CAAC;KACT;IAED,IAAI,IAAA,0BAAkB,EAAC,QAAQ,CAAC,GAAG,gCAAgC,EAAE;QACnE,OAAO,QAAQ,CAAC;KACjB;IAED,0EAA0E;IAC1E,4EAA4E;IAC5E,gCAAgC;IAChC,IACE,QAAQ,CAAC,UAAU,CAAC,aAAa;QACjC,IAAA,2BAAe,EAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,MAAM,EACxC;QACA,IAAI;YACF,OAAO,MAAM,IAAA,uBAAgB,EAAC,GAAS,EAAE;gBACvC,mEAAmE;gBACnE,qDAAqD;gBACrD,MAAM,OAAO,GAAG,MAAM,IAAA,uBAAe,GAAE,CAAC;gBACxC,
IAAI,IAAA,0BAAkB,EAAC,OAAO,CAAC,GAAG,gCAAgC,EAAE;oBAClE,OAAO,OAAO,CAAC;iBAChB;gBACD,MAAM,SAAS,GAAG,MAAM,IAAA,2BAAiB,EAAC,OAAO,EAAE;oBACjD,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK;iBACtB,CAAC,CAAC;gBACH,MAAM,IAAA,qBAAa,EAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;gBAC5C,OAAO,MAAM,IAAA,uBAAe,GAAE,CAAC;YACjC,CAAC,CAAA,CAAC,CAAC;SACJ;QAAC,OAAO,CAAM,EAAE;YACf,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;gBAClB,MAAM,MAAM,GAAG,MAAA,MAAA,MAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,MAAM,mCAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,IAAI,mCAAI,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,OAAO,mCAAI,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC/D,IAAA,cAAM,EACJ,oCAAoC,MAAM,iCAAiC,CAC5E,CAAC;aACH;SACF;KACF;IAED,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,SAAS,EAAE;QACtB,MAAM,IAAA,mCAA4B,GAAE,CAAC;KACtC;IAED,MAAM,IAAA,aAAK,EACT,EAAE,GAAG,EAAE,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,EAC1B,EAAE,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAClD,CAAC;IACF,IAAA,cAAM,EAAC,QAAQ,CAAC,CAAC,CAAC,mBAAmB;IACrC,OAAO,4BAA4B,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AAC3D,CAAC,CAAA,CAAC;AAEK,MAAM,aAAa,GAAG,CAC3B,GAAY,EACZ,UAAyB,EACzB,EAAE;IACF,MAAM,kBAAkB,EAAE,CAAC;IAE3B,MAAM,gBAAgB,GAAG,IAAA,0BAAmB,GAAE,CAAC;IAE/C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,UAAU,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,6BAA6B;IAC/F,IAAA,cAAM,EAAC,2BAA2B,gBAAgB,GAAG,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC3C,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,4EAA4E;IAC5E,6EAA6E;IAC7E,MAAM,OAAO,GAAG,GAAG,gBAAgB,MAAM,CAAC;IAC1C,MAAM,EAAE,CAAC,SAAS,CAChB,OAAO,EACP,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,kCAAO,UAAU,KAAE,UAAU,GAAE,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,EAC3E,EAAE,IAAI,EAAE,KAAK,EAAE,CAChB,CAAC;IACF,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;AAC7C,CAAC,CAAA,CAAC;AArBW,QAAA,aAAa,iBAqBxB;AAEK,MAAM,cAAc,GAAG,CAAO,OAA6B,EAAE,EAAE;IACpE,yEAAyE;IACzE,cAAc;IAEd,MAAM,QAAQ,GAAG,MAAM,IAAA,uBAAe,GAAE,CAAC;IACzC,IACE,QAAQ,CAAC,UAAU,CAAC,aAAa;QACjC,IAAA,2BAAe,EAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,MAAM,EACx
C;QACA,MAAM,IAAA,gCAAsB,EAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE,CAAC,CAAC;KACnE;IAED,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,iBAAiB,EAAE,CAAC;AAC5B,CAAC,CAAA,CAAC;AAdW,QAAA,cAAc,kBAczB;AAEF,gEAAgE;AAChE,MAAM,wBAAwB,GAAG,CAAO,KAAY,EAAiB,EAAE;IACrE,MAAM,GAAG,GAAG,IAAA,eAAS,EAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC/C,MAAM,IAAA,uCAAqB,EAAC,GAAG,EAAE,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;AAC3D,CAAC,CAAA,CAAC;AAEK,MAAM,YAAY,GAAG,CAAO,OAGlC,EAAkB,EAAE;IACnB,MAAM,QAAQ,GAAG,MAAM,4BAA4B,CAAC,OAAO,CAAC,CAAC;IAC7D,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;QAClB,IAAA,cAAM,EAAC,oCAAoC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QAChE,IAAA,cAAM,EAAC,oBAAoB,IAAA,0BAAkB,EAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;KACpE;IACD,IAAI,KAAY,CAAC;IAEjB,IAAI,QAAQ,CAAC,GAAG,CAAC,gBAAgB,EAAE;QACjC,KAAK,GAAG;YACN,QAAQ;YACR,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC;SAClE,CAAC;KACH;SAAM;QACL,kEAAkE;QAClE,yEAAyE;QACzE,oEAAoE;QACpE,MAAM,cAAc,GAAG,MAAM,IAAA,kCAAsB,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACvE,KAAK,GAAG;YACN,QAAQ;YACR,cAAc;YACd,QAAQ,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,UAAU,EAAE;SACjD,CAAC;KACH;IAED,MAAM,wBAAwB,CAAC,KAAK,CAAC,CAAC;IACtC,OAAO,KAAK,CAAC;AACf,CAAC,CAAA,CAAC;AA9BW,QAAA,YAAY,gBA8BvB"}
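--- a/package/build/dist/drivers/auth/lock.d.ts
+++ b/package/build/dist/drivers/auth/lock.d.ts
@@ -0,0 +1,11 @@
+/**
+* Serialize critical sections that read-modify-write the identity file.
+*
+* Acquires an exclusive `proper-lockfile` on identity.json (creates an
+* adjacent `.lock` directory) and releases it after `fn` resolves or rejects.
+* The caller is expected to re-read the identity inside `fn` because a peer
+* may have updated it while we were waiting on the lock.
+*
+* Requires identity.json to exist — caller's responsibility.
+*/
+export declare const withIdentityLock: <T>(fn: () => Promise<T>) => Promise<T>;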
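--- a/package/build/dist/drivers/auth/lock.js
+++ b/package/build/dist/drivers/auth/lock.js
@@ -0,0 +1,70 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+return new (P || (P = Promise))(function (resolve, reject) {
+function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+step((generator = generator.apply(thisArg, _arguments || [])).next());
+});
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withIdentityLock = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const path_1 = require("./path");
+const proper_lockfile_1 = __importDefault(require("proper-lockfile"));
+// If a lock holder dies without releasing, the lock file's mtime stops
+// updating; after STALE_LOCK_MS another process is allowed to steal it.
+const STALE_LOCK_MS = 30000;
+// Bound the *total* wait so a hung peer process can't make this CLI invocation
+// appear to hang. The retry backoff below sums to ~20s in the worst case, then
+// proper-lockfile gives up and we let the caller fall through to device flow.
+const LOCK_RETRY_OPTIONS = {
+retries: 8,
+factor: 1.5,
+minTimeout: 100,
+maxTimeout: 4000,
+};
+/**
+* Serialize critical sections that read-modify-write the identity file.
+*
+* Acquires an exclusive `proper-lockfile` on identity.json (creates an
+* adjacent `.lock` directory) and releases it after `fn` resolves or rejects.
+* The caller is expected to re-read the identity inside `fn` because a peer
+* may have updated it while we were waiting on the lock.
+*
+* Requires identity.json to exist — caller's responsibility.
+*/
+const withIdentityLock = (fn) => __awaiter(void 0, void 0, void 0, function* () {
+const release = yield proper_lockfile_1.default.lock((0, path_1.getIdentityFilePath)(), {
+stale: STALE_LOCK_MS,
+retries: LOCK_RETRY_OPTIONS,
+});
+try {
+return yield fn();
+}
+finally {
+try {
+yield release();
+}
+catch (_a) {
+// release() may throw if the lock was stolen (we exceeded stale time)
+// or already released. The on-disk state is still consistent because
+// writeIdentity is atomic; nothing useful to do here.
+}
+}
+});
+exports.withIdentityLock = withIdentityLock;
+//# sourceMappingURL=lock.js.map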
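Review bot: The comment above LOCK_RETRY_OPTIONS says the backoff "sums to ~20s in the worst case", but with retries 8, factor 1.5, minTimeout 100 and maxTimeout 4000 the per-attempt waits are min(100 · 1.5^i, 4000) ms for i = 0..7 — about 100, 150, 225, 338, 506, 759, 1139 and 1709 ms — which total roughly 4.9 s (assuming proper-lockfile passes these straight to the `retry` package and `randomize` is off). Either correct the comment to `// appear to hang. The retry backoff below sums to ~5s in the worst case, then` or raise `retries` until the bound matches the intent. Separately, the caller holds this lock across a network round-trip, so if the token endpoint takes longer than STALE_LOCK_MS (30 s) a peer can steal the lock and run a second refresh-token grant with the same refresh_token; if the Okta app has refresh-token rotation enabled that second use may invalidate the grant, so STALE_LOCK_MS should probably exceed whatever request timeout refreshOktaTokens uses.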
@@ -0,0 +1 @@
1
+
{"version":3,"file":"lock.js","sourceRoot":"","sources":["../../../../src/drivers/auth/lock.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iCAA6C;AAC7C,sEAAuC;AAEvC,uEAAuE;AACvE,wEAAwE;AACxE,MAAM,aAAa,GAAG,KAAM,CAAC;AAE7B,+EAA+E;AAC/E,+EAA+E;AAC/E,8EAA8E;AAC9E,MAAM,kBAAkB,GAAG;IACzB,OAAO,EAAE,CAAC;IACV,MAAM,EAAE,GAAG;IACX,UAAU,EAAE,GAAG;IACf,UAAU,EAAE,IAAI;CACjB,CAAC;AAEF;;;;;;;;;GASG;AACI,MAAM,gBAAgB,GAAG,CAAU,EAAoB,EAAc,EAAE;IAC5E,MAAM,OAAO,GAAG,MAAM,yBAAQ,CAAC,IAAI,CAAC,IAAA,0BAAmB,GAAE,EAAE;QACzD,KAAK,EAAE,aAAa;QACpB,OAAO,EAAE,kBAAkB;KAC5B,CAAC,CAAC;IACH,IAAI;QACF,OAAO,MAAM,EAAE,EAAE,CAAC;KACnB;YAAS;QACR,IAAI;YACF,MAAM,OAAO,EAAE,CAAC;SACjB;QAAC,WAAM;YACN,sEAAsE;YACtE,qEAAqE;YACrE,sDAAsD;SACvD;KACF;AACH,CAAC,CAAA,CAAC;AAhBW,QAAA,gBAAgB,oBAgB3B"}
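--- a/package/build/dist/drivers/auth/refresh.d.ts
+++ b/package/build/dist/drivers/auth/refresh.d.ts
@@ -0,0 +1,31 @@
+import { Identity } from "../../types/identity";
+import { TokenResponse } from "../../types/oidc";
+export declare const REFRESH_FAILED: "REFRESH_FAILED";
+export type RefreshError = {
+code: typeof REFRESH_FAILED;
+reason: "http_error" | "missing_id_token" | "missing_provider_config" | "network_error" | "no_refresh_token";
+cause?: unknown;
+detail?: string;
+};
+/**
+* Merge a newly-issued credential from the refresh-token grant with the
+* previously-stored credential. Note, not all fields are included in the
+* refreshed token, and thus must be carried forward from the previous/original token.
+**/
+export declare const mergeRefreshedCredential: (previous: TokenResponse, refreshed: TokenResponse) => TokenResponse;
+/**
+* Exchange the stored refresh_token for a new access/id token pair against
+* Okta's /oauth2/v1/token endpoint.
+*
+* On any failure, throws a RefreshError. Callers are expected to
+* catch this and fall through to the device-flow path.
+*/
+export declare const refreshOktaTokens: (identity: Identity, options?: {
+debug?: boolean;
+}) => Promise<TokenResponse>;
+/**
+* Best-effort revoke of the stored refresh_token at Okta's /oauth2/v1/revoke.
+*/
+export declare const revokeOktaRefreshToken: (identity: Identity, options?: {
+debug?: boolean;
+}) => Promise<void>;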
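Review bot: `RefreshError` is declared as a plain object type rather than an `Error` subclass, so the values refreshOktaTokens throws carry no stack trace and callers cannot narrow with `instanceof`; loadCredentialsWithAutoLogin in index.js already has to duck-type with `e?.reason ?? e?.code ?? e?.message ?? String(e)`. Declaring it as `export declare class RefreshError extends Error { code: typeof REFRESH_FAILED; reason: RefreshReason; detail?: string; }` (with `cause` supplied through the Error options bag) keeps the `code`/`reason` contract while giving a stack and a clean `instanceof` check. The refresh.js implementation is cut off at the end of this diff, so the matching change there is not visible.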
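--- a/package/build/dist/drivers/auth/refresh.js
+++ b/package/build/dist/drivers/auth/refresh.js
@@ -0,0 +1,130 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+return new (P || (P = Promise))(function (resolve, reject) {
+function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+step((generator = generator.apply(thisArg, _arguments || [])).next());
+});
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.revokeOktaRefreshToken = exports.refreshOktaTokens = exports.mergeRefreshedCredential = exports.REFRESH_FAILED = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const oidc_1 = require("../../common/auth/oidc");
+const fetch_1 = require("../../common/fetch");
+const authUtils_1 = require("../../types/authUtils");
+const stdio_1 = require("../stdio");
+exports.REFRESH_FAILED = "REFRESH_FAILED";
+const refreshError = (reason, extra) => (Object.assign({ code: exports.REFRESH_FAILED, reason }, extra));
+/**
+* Merge a newly-issued credential from the refresh-token grant with the
+* previously-stored credential. Note, not all fields are included in the
+* refreshed token, and thus must be carried forward from the previous/original token.
+**/
+const mergeRefreshedCredential = (previous, refreshed) => {
+var _a, _b, _c;
+return (Object.assign(Object.assign(Object.assign({}, previous), refreshed), { refresh_token: (_a = refreshed.refresh_token) !== null && _a !== void 0 ? _a : previous.refresh_token, device_secret: previous.device_secret,
+// RFC 6749 §6: omitted scope on refresh means "identical to original grant"
+scope: (_b = refreshed.scope) !== null && _b !== void 0 ? _b : previous.scope, token_type: (_c = refreshed.token_type) !== null && _c !== void 0 ? _c : previous.token_type }));
+};
+exports.mergeRefreshedCredential = mergeRefreshedCredential;
+/**
+* Exchange the stored refresh_token for a new access/id token pair against
+* Okta's /oauth2/v1/token endpoint.
+*
+* On any failure, throws a RefreshError. Callers are expected to
+* catch this and fall through to the device-flow path.
+*/
+const refreshOktaTokens = (identity, options) => __awaiter(void 0, void 0, void 0, function* () {
+const refresh_token = identity.credential.refresh_token;
+if (!refresh_token)
+throw refreshError("no_refresh_token");
+const providerDomain = (0, authUtils_1.getProviderDomain)(identity.org);
+const clientId = (0, authUtils_1.getClientId)(identity.org);
+if (!providerDomain || !clientId) {
+throw refreshError("missing_provider_config");
+}
+const url = `https://${providerDomain}/oauth2/v1/token`;
+const init = {
+method: "POST",
+headers: oidc_1.OIDC_HEADERS,
+body: (0, fetch_1.urlEncode)({
+grant_type: "refresh_token",
+client_id: clientId,
+refresh_token,
+}),
+};
+let response;
+try {
+response = yield fetch(url, init);
+}
+catch (e) {
+throw refreshError("network_error", { cause: e });
+}
+if (!response.ok) {
+if (options === null || options === void 0 ? void 0 : options.debug) {
+const detail = yield response.text().catch(() => undefined);
+(0, stdio_1.print2)(`Okta refresh-token grant failed: ${response.status} ${response.statusText} ${detail !== null && detail !== void 0 ? detail : ""}`);
+}
+throw refreshError("http_error", {
+detail: `${response.status} ${response.statusText}`,
+});
+}
+const refreshed = (yield response.json());
+if (!refreshed.id_token) {
+if (options === null || options === void 0 ? void 0 : options.debug) {
+(0, stdio_1.print2)("Okta refresh response omitted id_token; falling back to device flow.");
+}
+throw refreshError("missing_id_token");
+}
+return (0, exports.mergeRefreshedCredential)(identity.credential, refreshed);
+});
+exports.refreshOktaTokens = refreshOktaTokens;
+/**
+* Best-effort revoke of the stored refresh_token at Okta's /oauth2/v1/revoke.
+*/
+const revokeOktaRefreshToken = (identity, options) => __awaiter(void 0, void 0, void 0, function* () {
+const refresh_token = identity.credential.refresh_token;
+if (!refresh_token)
+return;
+const providerDomain = (0, authUtils_1.getProviderDomain)(identity.org);
+const clientId = (0, authUtils_1.getClientId)(identity.org);
+if (!providerDomain || !clientId) {
+if (options === null || options === void 0 ? void 0 : options.debug) {
+(0, stdio_1.print2)("Skipping refresh-token revoke: missing provider domain or client id.");
+}
+return;
+}
+try {
+const response = yield fetch(`https://${providerDomain}/oauth2/v1/revoke`, {
+method: "POST",
+headers: oidc_1.OIDC_HEADERS,
+body: (0, fetch_1.urlEncode)({
+client_id: clientId,
+token: refresh_token,
+token_type_hint: "refresh_token",
+}),
+});
+if (!response.ok && (options === null || options === void 0 ? void 0 : options.debug)) {
+(0, stdio_1.print2)(`Refresh-token revoke returned ${response.status} ${response.statusText}; proceeding with logout.`);
+}
+}
+catch (e) {
+if (options === null || options === void 0 ? void 0 : options.debug) {
+const detail = e instanceof Error ? e.message : String(e);
+(0, stdio_1.print2)(`Refresh-token revoke failed (${detail}); proceeding with logout.`);
+}
+}
+});
+exports.revokeOktaRefreshToken = revokeOktaRefreshToken;
+//# sourceMappingURL=refresh.js.map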
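Review bot: `response.json()` at new line 83 of refreshOktaTokens is the one await in the function that is outside the RefreshError contract: a 2xx reply whose body is not JSON rejects with a raw SyntaxError, so a caller that checks `code === REFRESH_FAILED` before falling back to the device flow would surface the parse error instead. Wrapping it the same way as the fetch on line 69 is three lines: `let refreshed; try { refreshed = yield response.json(); } catch (e) { throw refreshError("invalid_response", { cause: e }); }`. The guard on line 84 only checks `id_token`; if the response also lacked `access_token`, the spread in mergeRefreshedCredential on line 36 would silently carry the previous, possibly expired, access token forward, so checking both fields there keeps the fallback explicit. Note too that refreshError on line 28 builds a plain object rather than an Error, so there is no stack or `name` when one escapes uncaught, which the docblock's "throws a RefreshError" wording does not make obvious.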
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../../../src/drivers/auth/refresh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAsD;AACtD,8CAA+C;AAC/C,qDAAuE;AAGvE,oCAAkC;AAErB,QAAA,cAAc,GAAG,gBAAyB,CAAC;AAcxD,MAAM,YAAY,GAAG,CACnB,MAA8B,EAC9B,KAA4C,EAC9B,EAAE,CAAC,iBAAG,IAAI,EAAE,sBAAc,EAAE,MAAM,IAAK,KAAK,EAAG,CAAC;AAEhE;;;;IAII;AACG,MAAM,wBAAwB,GAAG,CACtC,QAAuB,EACvB,SAAwB,EACT,EAAE;;IAAC,OAAA,+CACf,QAAQ,GACR,SAAS,KACZ,aAAa,EAAE,MAAA,SAAS,CAAC,aAAa,mCAAI,QAAQ,CAAC,aAAa,EAChE,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,4EAA4E;QAC5E,KAAK,EAAE,MAAA,SAAS,CAAC,KAAK,mCAAI,QAAQ,CAAC,KAAK,EACxC,UAAU,EAAE,MAAA,SAAS,CAAC,UAAU,mCAAI,QAAQ,CAAC,UAAU,IACvD,CAAA;CAAA,CAAC;AAXU,QAAA,wBAAwB,4BAWlC;AAEH;;;;;;GAMG;AACI,MAAM,iBAAiB,GAAG,CAC/B,QAAkB,EAClB,OAA6B,EACL,EAAE;IAC1B,MAAM,aAAa,GAAG,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;IACxD,IAAI,CAAC,aAAa;QAAE,MAAM,YAAY,CAAC,kBAAkB,CAAC,CAAC;IAE3D,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAA,uBAAW,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE;QAChC,MAAM,YAAY,CAAC,yBAAyB,CAAC,CAAC;KAC/C;IAED,MAAM,GAAG,GAAG,WAAW,cAAc,kBAAkB,CAAC;IACxD,MAAM,IAAI,GAAgB;QACxB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,mBAAY;QACrB,IAAI,EAAE,IAAA,iBAAS,EAAC;YACd,UAAU,EAAE,eAAe;YAC3B,SAAS,EAAE,QAAQ;YACnB,aAAa;SACd,CAAC;KACH,CAAC;IAEF,IAAI,QAAkB,CAAC;IACvB,IAAI;QACF,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;KACnC;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,YAAY,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;KACnD;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;YAC5D,IAAA,cAAM,EACJ,oCAAoC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,IAAI,MAAM,aAAN,MAAM,cAAN,MAAM,GAAI,EAAE,EAAE,CAC7F,CAAC;SACH;QACD,MAAM,YAAY,CAAC,YAAY,EAAE;YAC/B,MAAM,EAAE,GAAG,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE;SACpD,CAAC,CAAC;KACJ;IAED,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;IAE3D,IAAI,CAAC,SAAS,CAAC,Q
AAQ,EAAE;QACvB,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,IAAA,cAAM,EACJ,sEAAsE,CACvE,CAAC;SACH;QACD,MAAM,YAAY,CAAC,kBAAkB,CAAC,CAAC;KACxC;IAED,OAAO,IAAA,gCAAwB,EAAC,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;AAClE,CAAC,CAAA,CAAC;AAvDW,QAAA,iBAAiB,qBAuD5B;AAEF;;GAEG;AACI,MAAM,sBAAsB,GAAG,CACpC,QAAkB,EAClB,OAA6B,EACd,EAAE;IACjB,MAAM,aAAa,GAAG,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;IACxD,IAAI,CAAC,aAAa;QAAE,OAAO;IAE3B,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAA,uBAAW,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE;QAChC,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,IAAA,cAAM,EACJ,sEAAsE,CACvE,CAAC;SACH;QACD,OAAO;KACR;IAED,IAAI;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,cAAc,mBAAmB,EAAE;YACzE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,mBAAY;YACrB,IAAI,EAAE,IAAA,iBAAS,EAAC;gBACd,SAAS,EAAE,QAAQ;gBACnB,KAAK,EAAE,aAAa;gBACpB,eAAe,EAAE,eAAe;aACjC,CAAC;SACH,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,KAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,CAAA,EAAE;YAClC,IAAA,cAAM,EACJ,iCAAiC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,2BAA2B,CACnG,CAAC;SACH;KACF;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,MAAM,MAAM,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC1D,IAAA,cAAM,EACJ,gCAAgC,MAAM,4BAA4B,CACnE,CAAC;SACH;KACF;AACH,CAAC,CAAA,CAAC;AAzCW,QAAA,sBAAsB,0BAyCjC"}
|
|
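--- a/package/build/dist/plugins/google/auth.js
+++ b/package/build/dist/plugins/google/auth.js
@@ -0,0 +1,75 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+return new (P || (P = Promise))(function (resolve, reject) {
+function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+step((generator = generator.apply(thisArg, _arguments || [])).next());
+});
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureGcloudLogin = exports.getGcloudAccessToken = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const subprocess_1 = require("../../common/subprocess");
+const stdio_1 = require("../../drivers/stdio");
+const util_1 = require("../../util");
+const util_2 = require("./util");
+const getGcloudAccessToken = () => __awaiter(void 0, void 0, void 0, function* () {
+const { command, args } = (0, util_2.gcloudCommandArgs)(["auth", "print-access-token"]);
+// Force debug=false otherwise it prints the access token
+return yield (0, subprocess_1.asyncSpawn)({ debug: false }, command, args);
+});
+exports.getGcloudAccessToken = getGcloudAccessToken;
+const runGcloudLogin = ({ debug }) => __awaiter(void 0, void 0, void 0, function* () {
+return new Promise((resolve, reject) => {
+(0, stdio_1.print2)("Logging in to Google Cloud CLI...");
+const { command, args } = (0, util_2.gcloudCommandArgs)(["auth", "login"]);
+const child = (0, util_1.spawnWithCleanEnv)(command, args, {
+// stdio is [stdin, stdout, stderr]. We send the child's stdout to OUR
+// stderr instead of inheriting fd 1: `gcloud auth login` writes its
+// human-readable progress to stdout, but this CLI reserves fd 1 for
+// machine-readable output (e.g. access tokens, JSON) that callers parse.
+// Inheriting the child's stdout would interleave gcloud's chatter into
+// that stream and corrupt it, so we redirect it to stderr — where
+// human-facing text belongs.
+stdio: ["inherit", process.stderr, "inherit"],
+});
+child.on("error", (error) => reject(`Failed to run 'gcloud auth login': ${error.message}`));
+child.on("exit", (code) => {
+if (debug) {
+(0, stdio_1.print2)(`'gcloud auth login' exited with code ${code}`);
+}
+if (code === 0) {
+resolve();
+}
+else {
+reject("Google Cloud CLI login failed. Please run 'gcloud auth login' and try again.");
+}
+});
+});
+});
+const ensureGcloudLogin = ({ debug, } = {}) => __awaiter(void 0, void 0, void 0, function* () {
+try {
+const accessToken = yield (0, exports.getGcloudAccessToken)();
+if (debug) {
+(0, stdio_1.print2)("Google Cloud CLI credentials are valid; skipping login.");
+}
+return accessToken;
+}
+catch (_a) {
+yield runGcloudLogin({ debug });
+return yield (0, exports.getGcloudAccessToken)();
+}
+});
+exports.ensureGcloudLogin = ensureGcloudLogin;
+//# sourceMappingURL=auth.js.map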
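Review bot: The `catch (_a)` at new line 69 of ensureGcloudLogin discards why `gcloud auth print-access-token` failed and unconditionally starts an interactive `gcloud auth login`, so a missing or non-executable gcloud binary, or any non-auth error from asyncSpawn, is indistinguishable from expired credentials and the user is sent into a browser login that cannot fix it. At minimum in debug mode the reason should be surfaced: name the caught value and, when `debug` is set, print a one-line message built from `e instanceof Error ? e.message : String(e)` before `yield runGcloudLogin({ debug })`, the same formatting revokeOktaRefreshToken uses elsewhere in this release. Print only the message, not any captured child output, so the intent of the "Force debug=false otherwise it prints the access token" comment on line 29 is preserved on the failure path too. The string rejections on lines 47 and 56 follow the `throw "..."` convention visible in ssh.js, so I am not raising them.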
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../../src/plugins/google/auth.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wDAAqD;AACrD,+CAA6C;AAC7C,qCAA+C;AAC/C,iCAA2C;AAEpC,MAAM,oBAAoB,GAAG,GAA0B,EAAE;IAC9D,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,IAAA,wBAAiB,EAAC,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC,CAAC;IAC5E,yDAAyD;IACzD,OAAO,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;AAC3D,CAAC,CAAA,CAAC;AAJW,QAAA,oBAAoB,wBAI/B;AAEF,MAAM,cAAc,GAAG,CAAO,EAAE,KAAK,EAAuB,EAAE,EAAE;IAC9D,OAAA,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACpC,IAAA,cAAM,EAAC,mCAAmC,CAAC,CAAC;QAC5C,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,IAAA,wBAAiB,EAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAC/D,MAAM,KAAK,GAAG,IAAA,wBAAiB,EAAC,OAAO,EAAE,IAAI,EAAE;YAC7C,sEAAsE;YACtE,oEAAoE;YACpE,oEAAoE;YACpE,yEAAyE;YACzE,uEAAuE;YACvE,kEAAkE;YAClE,6BAA6B;YAC7B,KAAK,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC;SAC9C,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CAC1B,MAAM,CAAC,sCAAsC,KAAK,CAAC,OAAO,EAAE,CAAC,CAC9D,CAAC;QACF,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,IAAI,KAAK,EAAE;gBACT,IAAA,cAAM,EAAC,wCAAwC,IAAI,EAAE,CAAC,CAAC;aACxD;YACD,IAAI,IAAI,KAAK,CAAC,EAAE;gBACd,OAAO,EAAE,CAAC;aACX;iBAAM;gBACL,MAAM,CACJ,8EAA8E,CAC/E,CAAC;aACH;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAA;EAAA,CAAC;AAEE,MAAM,iBAAiB,GAAG,CAAO,EACtC,KAAK,MACkB,EAAE,EAAmB,EAAE;IAC9C,IAAI;QACF,MAAM,WAAW,GAAG,MAAM,IAAA,4BAAoB,GAAE,CAAC;QACjD,IAAI,KAAK,EAAE;YACT,IAAA,cAAM,EAAC,yDAAyD,CAAC,CAAC;SACnE;QACD,OAAO,WAAW,CAAC;KACpB;IAAC,WAAM;QACN,MAAM,cAAc,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QAChC,OAAO,MAAM,IAAA,4BAAoB,GAAE,CAAC;KACrC;AACH,CAAC,CAAA,CAAC;AAbW,QAAA,iBAAiB,qBAa5B"}
|
|
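--- a/package/build/dist/plugins/google/ssh-key.js
+++ b/package/build/dist/plugins/google/ssh-key.js
@@ -22,6 +22,7 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const subprocess_1 = require("../../common/subprocess");
 const stdio_1 = require("../../drivers/stdio");
+const auth_1 = require("./auth");
 const util_1 = require("./util");
 /**
 * Adds an ssh public key to the user object's sshPublicKeys array in Google Workspace.
@@ -37,9 +38,12 @@ const util_1 = require("./util");
 const importSshKey = (publicKey, options) => __awaiter(void 0, void 0, void 0, function* () {
 var _a;
 const debug = (_a = options === null || options === void 0 ? void 0 : options.debug) !== null && _a !== void 0 ? _a : false;
-//
-
-
+// Ensure the user is logged in to the Google Cloud CLI and return a valid
+// access token. This is the earliest point a gcloud token is required in the
+// direct `p0 ssh` and `ssh-resolve` flows (before the cloudProviderLogin hook
+// runs), so the login must happen here. `gcloud auth login` runs only when
+// the existing token is invalid.
+const accessToken = yield (0, auth_1.ensureGcloudLogin)({ debug });
 const { command: accountCommand, args: accountArgs } = (0, util_1.gcloudCommandArgs)([
 "config",
 "get-value",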
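Review bot: The comment added at new lines 44–45 states that `gcloud auth login` runs only when the existing token is invalid, but ensureGcloudLogin in plugins/google/auth.js (added in this same release) treats every rejection of `gcloud auth print-access-token` identically, so a missing or broken gcloud install also triggers the interactive login. Suggest rewording the last two comment lines to `// runs), so the login must happen here. gcloud auth login runs whenever` and `// gcloud auth print-access-token fails, not only when the token is expired.` so the next reader is not surprised by a login prompt on an unrelated error. The enclosing importSshKey body continues past the end of the hunk.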
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ssh-key.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh-key.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wDAAqD;AACrD,+CAA6C;
|
|
1
|
+
{"version":3,"file":"ssh-key.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh-key.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,wDAAqD;AACrD,+CAA6C;AAC7C,iCAA2C;AAE3C,iCAA2C;AAE3C;;;;;;;;;;GAUG;AACI,MAAM,YAAY,GAAG,CAC1B,SAAiB,EACjB,OAA6B,EAC7B,EAAE;;IACF,MAAM,KAAK,GAAG,MAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,mCAAI,KAAK,CAAC;IAEtC,0EAA0E;IAC1E,6EAA6E;IAC7E,8EAA8E;IAC9E,2EAA2E;IAC3E,iCAAiC;IACjC,MAAM,WAAW,GAAG,MAAM,IAAA,wBAAiB,EAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAEvD,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,IAAA,wBAAiB,EAAC;QACvE,QAAQ;QACR,WAAW;QACX,SAAS;KACV,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,MAAM,IAAA,uBAAU,EAAC,EAAE,KAAK,EAAE,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC;IAEzE,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,0BAA0B,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,OAAO,EAAE,CAC/E,CAAC;QACF,IAAA,cAAM,EACJ,yBAAyB,SAAS,IAAI,WAAW,gBAAgB,OAAO,EAAE,CAC3E,CAAC;KACH;IAED,IAAI,CAAC,SAAS,EAAE;QACd,MAAM,wCAAwC,CAAC;KAChD;IAED,MAAM,GAAG,GAAG,2CAA2C,OAAO,qBAAqB,CAAC;IACpF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,GAAG,EAAE,SAAS;SACf,CAAC;QACF,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,KAAK,EAAE;YACT,IAAA,cAAM,EAAC,cAAc,QAAQ,CAAC,MAAM,KAAK,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;SACnE;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,kFAAkF,CAAC;SAC1F;aAAM;YACL,MAAM,kCAAkC,CAAC;SAC1C;KACF;IAED,MAAM,IAAI,GAA+B,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/D,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EACJ,sDAAsD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAC7E,CAAC;KACH;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;IAE9B,yEAAyE;IACzE,MAAM,aAAa,GAAG,YAAY,CAAC,aAAa,CAAC,MAAM,CACrD,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,mBAAmB,KAAK,OAAO,CACrD,CAAC;IAEF,MAAM,YAAY,GAChB,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;QAChD,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAEhC,IAAI,KAAK,EAAE;QACT,IAAA,cAAM,EAAC,2BAA2B,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,QAAQ,EA
AE,CAAC,CAAC;KAC7D;IAED,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,2HAA2H,CAAC;KACnI;IAED,OAAO,YAAY,CAAC,QAAQ,CAAC;AAC/B,CAAC,CAAA,CAAC;AApFW,QAAA,YAAY,gBAoFvB"}
|
|
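--- a/package/build/dist/plugins/google/ssh.js
+++ b/package/build/dist/plugins/google/ssh.js
@@ -22,6 +22,7 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const ssh_1 = require("../../commands/shared/ssh");
 const keys_1 = require("../../common/keys");
+const auth_1 = require("./auth");
 const install_1 = require("./install");
 const ssh_key_1 = require("./ssh-key");
 const util_1 = require("./util");
@@ -60,8 +61,10 @@ const unprovisionedAccessPatterns = [
 { pattern: /Error while connecting \[4010: 'destination read failed'\]/ },
 ];
 exports.gcpSshProvider = {
-
-
+cloudProviderLogin: (_authn, _request, debug) => __awaiter(void 0, void 0, void 0, function* () {
+yield (0, auth_1.ensureGcloudLogin)({ debug });
+return undefined;
+}),
 ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
 if (!(yield (0, install_1.ensureGcpSshInstall)())) {
 throw "Please try again after installing the required GCP utilities";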
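Review bot: The new cloudProviderLogin hook at lines 64–67 obtains an access token through ensureGcloudLogin and then drops it with `return undefined`, while importSshKey in ssh-key.js calls ensureGcloudLogin again for the same token, so one `p0 ssh` run spawns `gcloud auth print-access-token` at least twice. The duplication is harmless but reads as accidental here; the comment in ssh-key.js explains that importSshKey can run before this hook, and a one-line pointer above line 64 such as `// importSshKey fetches its own token because it may run before this hook; see ssh-key.js.` would make the double call intentional for the next maintainer. The unused `_authn` and `_request` parameters presumably match a provider interface declared outside this hunk, so they are fine as written.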
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAC1D,4CAAqD;AAErD,uCAAgD;AAChD,uCAAyC;AAEzC,iCAA2C;AAE3C,oGAAoG;AACpG,MAAM,4BAA4B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,2BAA2B,GAAG;IAClC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IAC9C;QACE,mEAAmE;QACnE,OAAO,EAAE,uCAAuC;KACjD;IACD,EAAE,OAAO,EAAE,mDAAmD,EAAE;IAChE;QACE,OAAO,EAAE,+CAA+C;QACxD,kBAAkB,EAAE,IAAI;KACzB;IACD,EAAE,OAAO,EAAE,4DAA4D,EAAE;CACjE,CAAC;AAEE,QAAA,cAAc,GAIvB;IACF,
|
|
1
|
+
{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAC1D,4CAAqD;AAErD,iCAA2C;AAC3C,uCAAgD;AAChD,uCAAyC;AAEzC,iCAA2C;AAE3C,oGAAoG;AACpG,MAAM,4BAA4B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,2BAA2B,GAAG;IAClC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IAC9C;QACE,mEAAmE;QACnE,OAAO,EAAE,uCAAuC;KACjD;IACD,EAAE,OAAO,EAAE,mDAAmD,EAAE;IAChE;QACE,OAAO,EAAE,+CAA+C;QACxD,kBAAkB,EAAE,IAAI;KACzB;IACD,EAAE,OAAO,EAAE,4DAA4D,EAAE;CACjE,CAAC;AAEE,QAAA,cAAc,GAIvB;IACF,kBAAkB,EAAE,CAAO,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE;QACpD,MAAM,IAAA,wBAAiB,EAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACnC,OAAO,SAAS,CAAC;IACnB,CAAC,CAAA;IAED,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,6BAAmB,GAAE,CAAC,EAAE;YAClC,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,cAAc;IAE5B,oBAAoB,EAClB,2DAA2D;IAE7D,oBAAoB,EAAE,sDAAsD;IAE5E,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,CAAC,OAAO,EAAE,EAAE;QACxC,IAAI,IAAA,mBAAa,EAAC,OAAO,CAAC,EAAE;YAC1B,uCACK,OAAO;gBACV,6GAA6G;gBAC7G,6HAA6H;gBAC7H,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,IAAI,CAAC,IACjB;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,CAAO,MAAM,EAAE,OAAO,EAAE,EAAE;QACtC,OAAO;YACL,QAAQ,EAAE,OAAO,CAAC,aAAa;YAC/B,cAAc,EAAE,uBAAgB;SACjC,CAAC;IACJ,CAAC,CAAA;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE;QAC9B,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,IAAA,wBAAiB,EAAC;YAC1C,SAAS;YACT,kBAAkB;YAClB,OAAO,CAAC,EAAE;YACV,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;YAClB,kEAAkE;YAClE,oGAAoG;YACpG,oEAAoE;YACpE,kDAAkD;YAClD,mBAAmB;YACnB,UAAU,OAAO,CAAC,IAAI,EAAE;YACxB,aAAa,OAAO,CAAC,SAAS,EAAE;SACjC,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED,aAAa,EAAE,GAAG,EAAE,CAAC,SAAS;IAE9B,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY;YAC5C,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS;YAChD,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC7B,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,aAAa;YACjD,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IAE
D,2BAA2B;IAE3B,YAAY,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAAC,OAAA,iCACrC,OAAO,KACV,YAAY,EAAE;gBACZ,aAAa,EAAE,MAAM,IAAA,sBAAY,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC;aAC9D,IACD,CAAA;MAAA;CACH,CAAC"}
|