@p0security/cli 0.27.1 → 0.27.4

package/build/dist/plugins/file-transfer/index.d.ts

@@ -13,23 +13,39 @@ import { Authn } from "../../types/identity";
 import { AwsResourcePermissionSpec } from "../aws/types";
 import { S3Client } from "@aws-sdk/client-s3";
 import yargs from "yargs";
+export declare const MAX_SECONDS_TO_EXPIRE_GET_URL: number;
+export declare const MAX_SECONDS_TO_EXPIRE_DELETE_URL: number;
 export declare const provisionTransferRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<FileTransferCommandArgs>) => Promise<{
     bucket: string;
     prefix: string;
     region: string;
     awsSpec: AwsResourcePermissionSpec;
 }>;
-export declare const generateTransferUrls: (authn: Authn, target: {
+/**
+ * Builds an S3 client whose credentials refresh automatically. A large upload
+ * can run longer than the temporary credentials live; passing a provider
+ * function (that returns `expiration`) lets the SDK re-fetch fresh credentials
+ * mid-upload instead of failing the in-flight parts with ExpiredToken.
+ */
+export declare const createTransferClient: (authn: Authn, target: {
+    region: string;
+    awsSpec: AwsResourcePermissionSpec;
+}, debug?: boolean) => S3Client;
+/**
+ * Signs the GET (download) or DELETE (cleanup) URL. Call this AFTER the upload
+ * completes: the GET window is finite, and signing before a large upload would
+ * burn that window while the file is still uploading.
+ *
+ * Each expiry is capped to the credentials' remaining lifetime so a URL can
+ * never outlive the credentials that signed it.
+ */
+type SignedUrlCommand = "delete" | "get";
+export declare const generateSignedUrl: (authn: Authn, s3: S3Client, target: {
     bucket: string;
     key: string;
-    region: string;
     awsSpec: AwsResourcePermissionSpec;
-}, debug?: boolean) => Promise<{
-    s3: S3Client;
-    getUrl: string;
-    deleteUrl: string;
-    expirySeconds: {
-        get: number;
-        delete: number;
-    };
+}, command: SignedUrlCommand, debug?: boolean) => Promise<{
+    signedUrl: string;
+    expirySeconds: number;
 }>;
+export {};

package/build/dist/plugins/file-transfer/index.js

@@ -9,14 +9,16 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateTransferUrls = exports.provisionTransferRequest = void 0;
+exports.generateSignedUrl = exports.createTransferClient = exports.provisionTransferRequest = exports.MAX_SECONDS_TO_EXPIRE_DELETE_URL = exports.MAX_SECONDS_TO_EXPIRE_GET_URL = void 0;
 const request_1 = require("../../commands/shared/request");
+const delegation_1 = require("../../types/delegation");
 const auth_1 = require("../aws/auth");
 const client_s3_1 = require("@aws-sdk/client-s3");
 const s3_request_presigner_1 = require("@aws-sdk/s3-request-presigner");
 const lodash_1 = require("lodash");
-const GET_EXPIRES_SECONDS = 5 * 60;
-const DELETE_EXPIRES_SECONDS = 60 * 60;
+exports.MAX_SECONDS_TO_EXPIRE_GET_URL = 5 * 60;
+exports.MAX_SECONDS_TO_EXPIRE_DELETE_URL = 60 * 60;
+const MIN_URL_EXPIRY_THRESHOLD_SECONDS = 60;
 const provisionTransferRequest = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
     const response = yield (0, request_1.request)("request")(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
             "file-transfer",
@@ -27,7 +29,7 @@ const provisionTransferRequest = (authn, args) => __awaiter(void 0, void 0, void
     if (!response) {
         throw "Did not receive a response from server";
     }
-    const awsSpec = response.request.delegation.aws;
+    const awsSpec = (0, delegation_1.getDelegate)(response.request.delegation, "aws");
     if (!awsSpec) {
         throw "Backend granted file-transfer access, but there was an error getting AWS access details";
     }
@@ -40,35 +42,57 @@ const provisionTransferRequest = (authn, args) => __awaiter(void 0, void 0, void
     };
 });
 exports.provisionTransferRequest = provisionTransferRequest;
-const generateTransferUrls = (authn, target, debug) => __awaiter(void 0, void 0, void 0, function* () {
-    const credentials = yield (0, auth_1.awsCloudAuth)(authn, target.awsSpec, debug);
-    const sdkCredentials = {
-        accessKeyId: credentials.AWS_ACCESS_KEY_ID,
-        secretAccessKey: credentials.AWS_SECRET_ACCESS_KEY,
-        sessionToken: credentials.AWS_SESSION_TOKEN,
+/**
+ * Builds an S3 client whose credentials refresh automatically. A large upload
+ * can run longer than the temporary credentials live; passing a provider
+ * function (that returns `expiration`) lets the SDK re-fetch fresh credentials
+ * mid-upload instead of failing the in-flight parts with ExpiredToken.
+ */
+const createTransferClient = (authn, target, debug) => new client_s3_1.S3Client({
+    region: target.region,
+    credentials: () => __awaiter(void 0, void 0, void 0, function* () {
+        const credentials = yield (0, auth_1.awsCloudAuth)(authn, target.awsSpec, debug);
+        return Object.assign({ accessKeyId: credentials.AWS_ACCESS_KEY_ID, secretAccessKey: credentials.AWS_SECRET_ACCESS_KEY, sessionToken: credentials.AWS_SESSION_TOKEN }, (credentials.expiresAt !== undefined
+            ? { expiration: new Date(credentials.expiresAt) }
+            : {}));
+    }),
+});
+exports.createTransferClient = createTransferClient;
+const generateSignedUrl = (authn, s3, target, command, debug) => __awaiter(void 0, void 0, void 0, function* () {
+    const { expiresAt } = yield (0, auth_1.awsCloudAuth)(authn, target.awsSpec, debug);
+    const remaining = expiresAt !== undefined
+        ? Math.floor((expiresAt - Date.now()) / 1000)
+        : Infinity;
+    if (remaining < MIN_URL_EXPIRY_THRESHOLD_SECONDS) {
+        throw new Error(`AWS credentials expire in ${remaining}s — too soon to sign usable URLs. ` +
+            `Check your system clock or re-run the request.`);
+    }
+    const URL_CONFIGS = {
+        get: {
+            maxExpiry: exports.MAX_SECONDS_TO_EXPIRE_GET_URL,
+            s3Command: new client_s3_1.GetObjectCommand({
+                Bucket: target.bucket,
+                Key: target.key,
+            }),
+        },
+        delete: {
+            maxExpiry: exports.MAX_SECONDS_TO_EXPIRE_DELETE_URL,
+            s3Command: new client_s3_1.DeleteObjectCommand({
+                Bucket: target.bucket,
+                Key: target.key,
+            }),
+        },
     };
-    const s3 = new client_s3_1.S3Client({
-        region: target.region,
-        credentials: sdkCredentials,
+    const urlConfig = URL_CONFIGS[command];
+    const secondsToExpireUrl = Math.min(urlConfig.maxExpiry, remaining);
+    const signedUrl = yield (0, s3_request_presigner_1.getSignedUrl)(s3, urlConfig.s3Command, {
+        expiresIn: secondsToExpireUrl,
     });
-    const objectArgs = { Bucket: target.bucket, Key: target.key };
-    const [getUrl, deleteUrl] = yield Promise.all([
-        (0, s3_request_presigner_1.getSignedUrl)(s3, new client_s3_1.GetObjectCommand(objectArgs), {
-            expiresIn: GET_EXPIRES_SECONDS,
-        }),
-        (0, s3_request_presigner_1.getSignedUrl)(s3, new client_s3_1.DeleteObjectCommand(objectArgs), {
-            expiresIn: DELETE_EXPIRES_SECONDS,
-        }),
-    ]);
     return {
-        s3,
-        getUrl,
-        deleteUrl,
-        expirySeconds: {
-            get: GET_EXPIRES_SECONDS,
-            delete: DELETE_EXPIRES_SECONDS,
-        },
+        signedUrl,
+        // Report the ACTUAL (capped) seconds so debug output is honest.
+        expirySeconds: secondsToExpireUrl,
     };
 });
-exports.generateTransferUrls = generateTransferUrls;
+exports.generateSignedUrl = generateSignedUrl;
 //# sourceMappingURL=index.js.map

package/build/dist/plugins/file-transfer/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/plugins/file-transfer/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,2DAAwD;AAGxD,sCAA2C;AAG3C,kDAI4B;AAC5B,wEAA6D;AAC7D,mCAA8B;AAG9B,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE,CAAC;AACnC,MAAM,sBAAsB,GAAG,EAAE,GAAG,EAAE,CAAC;AAEhC,MAAM,wBAAwB,GAAG,CACtC,KAAY,EACZ,IAAuD,EACvD,EAAE;IACF,MAAM,QAAQ,GAAG,MAAM,IAAA,iBAAO,EAAC,SAAS,CAAC,iCAIlC,IAAA,aAAI,EAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,KACxB,SAAS,EAAE;YACT,eAAe;YACf,SAAS;YACT,IAAI,CAAC,WAAW;YAChB,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;SAClD,EACD,IAAI,EAAE,IAAI,KAEZ,KAAK,EACL,EAAE,OAAO,EAAE,mBAAmB,EAAE,CACjC,CAAC;IAEF,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,wCAAwC,CAAC;KAChD;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;IAChD,IAAI,CAAC,OAAO,EAAE;QACZ,MAAM,yFAAyF,CAAC;KACjG;IAED,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,GAC9C,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;IAEvC,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,MAAM,EAAE,YAAY;QACpB,MAAM,EAAE,YAAY;QACpB,OAAO;KACR,CAAC;AACJ,CAAC,CAAA,CAAC;AAvCW,QAAA,wBAAwB,4BAuCnC;AAEK,MAAM,oBAAoB,GAAG,CAClC,KAAY,EACZ,MAKC,EACD,KAAe,EAMd,EAAE;IACH,MAAM,WAAW,GAAG,MAAM,IAAA,mBAAY,EAAC,KAAK,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAErE,MAAM,cAAc,GAAG;QACrB,WAAW,EAAE,WAAW,CAAC,iBAAiB;QAC1C,eAAe,EAAE,WAAW,CAAC,qBAAqB;QAClD,YAAY,EAAE,WAAW,CAAC,iBAAiB;KAC5C,CAAC;IAEF,MAAM,EAAE,GAAG,IAAI,oBAAQ,CAAC;QACtB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,WAAW,EAAE,cAAc;KAC5B,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;IAC9D,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC5C,IAAA,mCAAY,EAAC,EAAE,EAAE,IAAI,4BAAgB,CAAC,UAAU,CAAC,EAAE;YACjD,SAAS,EAAE,mBAAmB;SAC/B,CAAC;QACF,IAAA,mCAAY,EAAC,EAAE,EAAE,IAAI,+BAAmB,CAAC,UAAU,CAAC,EAAE;YACpD,SAAS,EAAE,sBAAsB;SAClC,CAAC;KACH,CAAC,CAAC;IAEH,OAAO;QACL,EAAE;QACF,MAAM;QACN,SAAS;QACT,aAAa,EAAE;YACb,GAAG,EAAE,mBAAmB;YACxB,MAAM,EAAE,sBAAsB;SAC/B;KACF,CAAC;AACJ,CAAC,CAAA,CAAC;AA/CW,QAAA,oBAAoB,wBA+C/B"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/plugins/file-transfer/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,2DAAwD;AACxD,uDAAqD;AAGrD,sCAA2C;AAG3C,kDAI4B;AAC5B,wEAA6D;AAC7D,mCAA8B;AAGjB,QAAA,6BAA6B,GAAG,CAAC,GAAG,EAAE,CAAC;AACvC,QAAA,gCAAgC,GAAG,EAAE,GAAG,EAAE,CAAC;AACxD,MAAM,gCAAgC,GAAG,EAAE,CAAC;AAErC,MAAM,wBAAwB,GAAG,CACtC,KAAY,EACZ,IAAuD,EACvD,EAAE;IACF,MAAM,QAAQ,GAAG,MAAM,IAAA,iBAAO,EAAC,SAAS,CAAC,iCAIlC,IAAA,aAAI,EAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,KACxB,SAAS,EAAE;YACT,eAAe;YACf,SAAS;YACT,IAAI,CAAC,WAAW;YAChB,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;SAClD,EACD,IAAI,EAAE,IAAI,KAEZ,KAAK,EACL,EAAE,OAAO,EAAE,mBAAmB,EAAE,CACjC,CAAC;IAEF,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,wCAAwC,CAAC;KAChD;IAED,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAChE,IAAI,CAAC,OAAO,EAAE;QACZ,MAAM,yFAAyF,CAAC;KACjG;IAED,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,GAC9C,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;IAEvC,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,MAAM,EAAE,YAAY;QACpB,MAAM,EAAE,YAAY;QACpB,OAAO;KACR,CAAC;AACJ,CAAC,CAAA,CAAC;AAvCW,QAAA,wBAAwB,4BAuCnC;AAEF;;;;;GAKG;AACI,MAAM,oBAAoB,GAAG,CAClC,KAAY,EACZ,MAA8D,EAC9D,KAAe,EACL,EAAE,CACZ,IAAI,oBAAQ,CAAC;IACX,MAAM,EAAE,MAAM,CAAC,MAAM;IACrB,WAAW,EAAE,GAAS,EAAE;QACtB,MAAM,WAAW,GAAG,MAAM,IAAA,mBAAY,EAAC,KAAK,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACrE,uBACE,WAAW,EAAE,WAAW,CAAC,iBAAiB,EAC1C,eAAe,EAAE,WAAW,CAAC,qBAAqB,EAClD,YAAY,EAAE,WAAW,CAAC,iBAAiB,IAIxC,CAAC,WAAW,CAAC,SAAS,KAAK,SAAS;YACrC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE;YACjD,CAAC,CAAC,EAAE,CAAC,EACP;IACJ,CAAC,CAAA;CACF,CAAC,CAAC;AArBQ,QAAA,oBAAoB,wBAqB5B;AAaE,MAAM,iBAAiB,GAAG,CAC/B,KAAY,EACZ,EAAY,EACZ,MAA2E,EAC3E,OAAyB,EACzB,KAAe,EAId,EAAE;IACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,IAAA,mBAAY,EAAC,KAAK,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACvE,MAAM,SAAS,GACb,SAAS,KAAK,SAAS;QACrB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;QAC7C,CAAC,CAAC,QAAQ,CAAC;IACf,IAAI,SAAS,GAAG,gCAAgC,EAAE;QAChD,MAAM,IAAI,KAAK,CACb,6BAA6B,SAAS,oCAAoC;YACxE,gDAAgD,CACnD,CAAC;KACH;IAED,MAAM,WAAW,GAGb;QACF,GAAG,EAAE;YACH,SAAS,EAAE,qCAA6B;YACxC,SAAS,EAAE,IAAI,4BAAgB,CAAC;gBAC9B,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,GAAG,EAAE,MAAM,CAAC,GAAG;aAChB,CAAC;SACH;QACD,MAAM,EAAE;YACN,SAAS,EAAE,wCAAgC;YAC3C,SAAS,EAAE,IAAI,+BAAmB,CAAC;gBACjC,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,GAAG,EAAE,MAAM,CAAC,GAAG;aAChB,CAAC;SACH;KACF,CAAC;IAEF,MAAM,SAAS,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAEvC,MAAM,kBAAkB,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IAEpE,MAAM,SAAS,GAAG,MAAM,IAAA,mCAAY,EAAC,EAAE,EAAE,SAAS,CAAC,SAAS,EAAE;QAC5D,SAAS,EAAE,kBAAkB;KAC9B,CAAC,CAAC;IAEH,OAAO;QACL,SAAS;QACT,gEAAgE;QAChE,aAAa,EAAE,kBAAkB;KAClC,CAAC;AACJ,CAAC,CAAA,CAAC;AAvDW,QAAA,iBAAiB,qBAuD5B"}

package/build/dist/plugins/file-transfer/types.d.ts

@@ -24,8 +24,6 @@ export type FileTransferPermission = {
     destination: string;
     type: "resource";
 };
-export type FileTransferPermissionSpec = PermissionSpec<"file-transfer", FileTransferPermission, Record<string, never>> & {
-    delegation: {
-        aws?: AwsResourcePermissionSpec;
-    };
-};
+export type FileTransferPermissionSpec = PermissionSpec<"file-transfer", FileTransferPermission, Record<string, never>, {
+    aws?: AwsResourcePermissionSpec;
+}>;

package/build/dist/plugins/google/connection-error.d.ts

@@ -0,0 +1,39 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { GcpSshRequest } from "./types";
+/**
+ * P0 grants the IAM roles needed for GCP SSH, but OS Login must be enabled in
+ * the customer's project — P0 cannot enable it on their behalf. When OS Login is
+ * off the IAM grant still succeeds, but the connection fails at SSH
+ * authentication: without OS Login the user's key is never provisioned onto the
+ * VM (P0's grant does not include permission to write keys to instance
+ * metadata), so auth is rejected with `Permission denied (publickey)`.
+ *
+ * Historically the user saw only that raw, generic rejection and concluded P0
+ * was broken. We surface a targeted hint instead. `Permission denied
+ * (publickey)` is not exclusively an OS Login problem — it can also be a brief
+ * key-propagation delay or a just-granted IAM role — so the message names OS
+ * Login as the most likely cause while listing the alternatives, and never
+ * claims certainty.
+ *
+ * We deliberately do NOT try to classify the other GCP prerequisite failure (IAP
+ * / firewall not configured, which fails earlier, at the gcloud tunnel rather
+ * than at SSH auth). Its `gcloud start-iap-tunnel` error strings vary by gcloud
+ * version and are easy to misattribute; since misattributing is worse than the
+ * status quo, those failures fall through to the raw error unchanged.
+ */
+export declare const GCP_SSH_PREREQUISITES_DOC = "https://docs.p0.dev/integrations/resource-integrations/ssh#gcp-project-requirements";
+/**
+ * Inspects the captured stderr of a failed GCP SSH connection and returns an
+ * actionable message when the failure is an SSH auth rejection (most likely OS
+ * Login not being enabled), or `undefined` to fall through to the raw error.
+ */
+export declare const classifyGcpConnectionError: (stderr: string, request: Pick<GcpSshRequest, "id">) => string | undefined;

package/build/dist/plugins/google/connection-error.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.classifyGcpConnectionError = exports.GCP_SSH_PREREQUISITES_DOC = void 0;
+/**
+ * P0 grants the IAM roles needed for GCP SSH, but OS Login must be enabled in
+ * the customer's project — P0 cannot enable it on their behalf. When OS Login is
+ * off the IAM grant still succeeds, but the connection fails at SSH
+ * authentication: without OS Login the user's key is never provisioned onto the
+ * VM (P0's grant does not include permission to write keys to instance
+ * metadata), so auth is rejected with `Permission denied (publickey)`.
+ *
+ * Historically the user saw only that raw, generic rejection and concluded P0
+ * was broken. We surface a targeted hint instead. `Permission denied
+ * (publickey)` is not exclusively an OS Login problem — it can also be a brief
+ * key-propagation delay or a just-granted IAM role — so the message names OS
+ * Login as the most likely cause while listing the alternatives, and never
+ * claims certainty.
+ *
+ * We deliberately do NOT try to classify the other GCP prerequisite failure (IAP
+ * / firewall not configured, which fails earlier, at the gcloud tunnel rather
+ * than at SSH auth). Its `gcloud start-iap-tunnel` error strings vary by gcloud
+ * version and are easy to misattribute; since misattributing is worse than the
+ * status quo, those failures fall through to the raw error unchanged.
+ */
+exports.GCP_SSH_PREREQUISITES_DOC = "https://docs.p0.dev/integrations/resource-integrations/ssh#gcp-project-requirements";
+/** SSH auth was reached and rejected — most likely because OS Login is off. */
+const AUTH_REJECTED_PATTERN = /Permission denied \(publickey\)/;
+// Leads with a newline so it prints with one blank line above the preceding SSH
+// output, for legibility.
+const osLoginMessage = (instance) => `\nConnected to ${instance} but authentication was rejected ` +
+    `(Permission denied (publickey)). The most common cause is OS Login not ` +
+    `being enabled. Enable it by setting enable-oslogin=TRUE on the project (or ` +
+    `instance) metadata, then retry. If OS Login is already enabled, this can ` +
+    `also be a brief key-propagation delay or a just-granted IAM role — wait ` +
+    `~30s and retry. See ${exports.GCP_SSH_PREREQUISITES_DOC}`;
+/**
+ * Inspects the captured stderr of a failed GCP SSH connection and returns an
+ * actionable message when the failure is an SSH auth rejection (most likely OS
+ * Login not being enabled), or `undefined` to fall through to the raw error.
+ */
+const classifyGcpConnectionError = (stderr, request) => AUTH_REJECTED_PATTERN.test(stderr) ? osLoginMessage(request.id) : undefined;
+exports.classifyGcpConnectionError = classifyGcpConnectionError;
+//# sourceMappingURL=connection-error.js.map

package/build/dist/plugins/google/connection-error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection-error.js","sourceRoot":"","sources":["../../../../src/plugins/google/connection-error.ts"],"names":[],"mappings":";;;AAYA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEU,QAAA,yBAAyB,GACpC,qFAAqF,CAAC;AAExF,+EAA+E;AAC/E,MAAM,qBAAqB,GAAG,iCAAiC,CAAC;AAEhE,gFAAgF;AAChF,0BAA0B;AAC1B,MAAM,cAAc,GAAG,CAAC,QAAgB,EAAE,EAAE,CAC1C,kBAAkB,QAAQ,mCAAmC;IAC7D,yEAAyE;IACzE,6EAA6E;IAC7E,2EAA2E;IAC3E,0EAA0E;IAC1E,uBAAuB,iCAAyB,EAAE,CAAC;AAErD;;;;GAIG;AACI,MAAM,0BAA0B,GAAG,CACxC,MAAc,EACd,OAAkC,EACd,EAAE,CACtB,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAJjE,QAAA,0BAA0B,8BAIuC"}

package/build/dist/plugins/google/install.d.ts

@@ -1,2 +1,17 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { InstallMetadata } from "../../common/install";
 export declare const SupportedPlatforms: readonly ["darwin"];
+declare const GcpSshItems: readonly ["gcloud"];
+type GcpSshItem = (typeof GcpSshItems)[number];
+export declare const GcpSshInstall: Readonly<Record<GcpSshItem, InstallMetadata>>;
 export declare const ensureGcpSshInstall: () => Promise<boolean>;
+export {};

package/build/dist/plugins/google/install.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ensureGcpSshInstall = exports.SupportedPlatforms = void 0;
+exports.ensureGcpSshInstall = exports.GcpSshInstall = exports.SupportedPlatforms = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -14,14 +14,14 @@ You should have received a copy of the GNU General Public License along with @p0
 const install_1 = require("../../common/install");
 exports.SupportedPlatforms = ["darwin"];
 const GcpSshItems = ["gcloud"];
-const GcpSshInstall = {
+exports.GcpSshInstall = {
     gcloud: {
         label: "GCloud CLI",
         commands: {
             darwin: [
                 // See https://cloud.google.com/sdk/docs/install-sdk
                 "architecture=$(arch)",
-                'package=$([ $architecture = "arm64" ] && echo "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-arm.tar.gz" || "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-x86_64.tar.gz" )',
+                'package=$([ "$architecture" = "arm64" ] && echo "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-arm.tar.gz" || echo "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-x86_64.tar.gz" )',
                 "wget -O ~/google-cloud-cli.tar.gz $package",
                 "tar -xzf ~/google-cloud-cli.tar.gz -C ~",
                 "~/google-cloud-sdk/install.sh",
@@ -34,6 +34,6 @@ const GcpSshInstall = {
         },
     },
 };
-const ensureGcpSshInstall = () => (0, install_1.ensureInstall)(GcpSshItems, GcpSshInstall);
+const ensureGcpSshInstall = () => (0, install_1.ensureInstall)(GcpSshItems, exports.GcpSshInstall);
 exports.ensureGcpSshInstall = ensureGcpSshInstall;
 //# sourceMappingURL=install.js.map

package/build/dist/plugins/google/install.js.map

@@ -1 +1 @@
-{"version":3,"file":"install.js","sourceRoot":"","sources":["../../../../src/plugins/google/install.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;GASG;AACH,kDAAsE;AAEzD,QAAA,kBAAkB,GAAG,CAAC,QAAQ,CAAU,CAAC;AAEtD,MAAM,WAAW,GAAG,CAAC,QAAQ,CAAU,CAAC;AAGxC,MAAM,aAAa,GAAkD;IACnE,MAAM,EAAE;QACN,KAAK,EAAE,YAAY;QACnB,QAAQ,EAAE;YACR,MAAM,EAAE;gBACN,oDAAoD;gBACpD,sBAAsB;gBACtB,uPAAuP;gBACvP,4CAA4C;gBAC5C,yCAAyC;gBACzC,+BAA+B;gBAC/B,kCAAkC;gBAClC,8HAA8H;gBAC9H,8BAA8B;gBAC9B,gEAAgE;gBAChE,wCAAwC;aACzC;SACF;KACF;CACF,CAAC;AAEK,MAAM,mBAAmB,GAAG,GAAG,EAAE,CACtC,IAAA,uBAAa,EAAC,WAAW,EAAE,aAAa,CAAC,CAAC;AAD/B,QAAA,mBAAmB,uBACY"}
+{"version":3,"file":"install.js","sourceRoot":"","sources":["../../../../src/plugins/google/install.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;GASG;AACH,kDAAsE;AAEzD,QAAA,kBAAkB,GAAG,CAAC,QAAQ,CAAU,CAAC;AAEtD,MAAM,WAAW,GAAG,CAAC,QAAQ,CAAU,CAAC;AAG3B,QAAA,aAAa,GAAkD;IAC1E,MAAM,EAAE;QACN,KAAK,EAAE,YAAY;QACnB,QAAQ,EAAE;YACR,MAAM,EAAE;gBACN,oDAAoD;gBACpD,sBAAsB;gBACtB,8PAA8P;gBAC9P,4CAA4C;gBAC5C,yCAAyC;gBACzC,+BAA+B;gBAC/B,kCAAkC;gBAClC,8HAA8H;gBAC9H,8BAA8B;gBAC9B,gEAAgE;gBAChE,wCAAwC;aACzC;SACF;KACF;CACF,CAAC;AAEK,MAAM,mBAAmB,GAAG,GAAG,EAAE,CACtC,IAAA,uBAAa,EAAC,WAAW,EAAE,qBAAa,CAAC,CAAC;AAD/B,QAAA,mBAAmB,uBACY"}

package/build/dist/plugins/google/ssh.js

@@ -23,6 +23,7 @@ You should have received a copy of the GNU General Public License along with @p0
 const ssh_1 = require("../../commands/shared/ssh");
 const keys_1 = require("../../common/keys");
 const auth_1 = require("./auth");
+const connection_error_1 = require("./connection-error");
 const install_1 = require("./install");
 const ssh_key_1 = require("./ssh-key");
 const util_1 = require("./util");
@@ -65,6 +66,7 @@ exports.gcpSshProvider = {
         yield (0, auth_1.ensureGcloudLogin)({ debug });
         return undefined;
     }),
+    connectionErrorMessage: (stderr, request) => (0, connection_error_1.classifyGcpConnectionError)(stderr, request),
     ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
         if (!(yield (0, install_1.ensureGcpSshInstall)())) {
             throw "Please try again after installing the required GCP utilities";

package/build/dist/plugins/google/ssh.js.map

@@ -1 +1 @@
-{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAC1D,4CAAqD;AAErD,iCAA2C;AAC3C,uCAAgD;AAChD,uCAAyC;AAEzC,iCAA2C;AAE3C,oGAAoG;AACpG,MAAM,4BAA4B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,2BAA2B,GAAG;IAClC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IAC9C;QACE,mEAAmE;QACnE,OAAO,EAAE,uCAAuC;KACjD;IACD,EAAE,OAAO,EAAE,mDAAmD,EAAE;IAChE;QACE,OAAO,EAAE,+CAA+C;QACxD,kBAAkB,EAAE,IAAI;KACzB;IACD,EAAE,OAAO,EAAE,4DAA4D,EAAE;CACjE,CAAC;AAEE,QAAA,cAAc,GAIvB;IACF,kBAAkB,EAAE,CAAO,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE;QACpD,MAAM,IAAA,wBAAiB,EAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACnC,OAAO,SAAS,CAAC;IACnB,CAAC,CAAA;IAED,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,6BAAmB,GAAE,CAAC,EAAE;YAClC,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,cAAc;IAE5B,oBAAoB,EAClB,2DAA2D;IAE7D,oBAAoB,EAAE,sDAAsD;IAE5E,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,CAAC,OAAO,EAAE,EAAE;QACxC,IAAI,IAAA,mBAAa,EAAC,OAAO,CAAC,EAAE;YAC1B,uCACK,OAAO;gBACV,6GAA6G;gBAC7G,6HAA6H;gBAC7H,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,IAAI,CAAC,IACjB;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,CAAO,MAAM,EAAE,OAAO,EAAE,EAAE;QACtC,OAAO;YACL,QAAQ,EAAE,OAAO,CAAC,aAAa;YAC/B,cAAc,EAAE,uBAAgB;SACjC,CAAC;IACJ,CAAC,CAAA;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE;QAC9B,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,IAAA,wBAAiB,EAAC;YAC1C,SAAS;YACT,kBAAkB;YAClB,OAAO,CAAC,EAAE;YACV,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;YAClB,kEAAkE;YAClE,oGAAoG;YACpG,oEAAoE;YACpE,kDAAkD;YAClD,mBAAmB;YACnB,UAAU,OAAO,CAAC,IAAI,EAAE;YACxB,aAAa,OAAO,CAAC,SAAS,EAAE;SACjC,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED,aAAa,EAAE,GAAG,EAAE,CAAC,SAAS;IAE9B,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY;YAC5C,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS;YAChD,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC7B,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,aAAa;YACjD,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IAED,2BAA2B;IAE3B,YAAY,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAAC,OAAA,iCACrC,OAAO,KACV,YAAY,EAAE;gBACZ,aAAa,EAAE,MAAM,IAAA,sBAAY,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC;aAC9D,IACD,CAAA;MAAA;CACH,CAAC"}
+{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAC1D,4CAAqD;AAErD,iCAA2C;AAC3C,yDAAgE;AAChE,uCAAgD;AAChD,uCAAyC;AAEzC,iCAA2C;AAE3C,oGAAoG;AACpG,MAAM,4BAA4B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,2BAA2B,GAAG;IAClC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IAC9C;QACE,mEAAmE;QACnE,OAAO,EAAE,uCAAuC;KACjD;IACD,EAAE,OAAO,EAAE,mDAAmD,EAAE;IAChE;QACE,OAAO,EAAE,+CAA+C;QACxD,kBAAkB,EAAE,IAAI;KACzB;IACD,EAAE,OAAO,EAAE,4DAA4D,EAAE;CACjE,CAAC;AAEE,QAAA,cAAc,GAIvB;IACF,kBAAkB,EAAE,CAAO,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE;QACpD,MAAM,IAAA,wBAAiB,EAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACnC,OAAO,SAAS,CAAC;IACnB,CAAC,CAAA;IAED,sBAAsB,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAC1C,IAAA,6CAA0B,EAAC,MAAM,EAAE,OAAO,CAAC;IAE7C,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,6BAAmB,GAAE,CAAC,EAAE;YAClC,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,cAAc;IAE5B,oBAAoB,EAClB,2DAA2D;IAE7D,oBAAoB,EAAE,sDAAsD;IAE5E,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,CAAC,OAAO,EAAE,EAAE;QACxC,IAAI,IAAA,mBAAa,EAAC,OAAO,CAAC,EAAE;YAC1B,uCACK,OAAO;gBACV,6GAA6G;gBAC7G,6HAA6H;gBAC7H,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,IAAI,CAAC,IACjB;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,CAAO,MAAM,EAAE,OAAO,EAAE,EAAE;QACtC,OAAO;YACL,QAAQ,EAAE,OAAO,CAAC,aAAa;YAC/B,cAAc,EAAE,uBAAgB;SACjC,CAAC;IACJ,CAAC,CAAA;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE;QAC9B,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,IAAA,wBAAiB,EAAC;YAC1C,SAAS;YACT,kBAAkB;YAClB,OAAO,CAAC,EAAE;YACV,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;YAClB,kEAAkE;YAClE,oGAAoG;YACpG,oEAAoE;YACpE,kDAAkD;YAClD,mBAAmB;YACnB,UAAU,OAAO,CAAC,IAAI,EAAE;YACxB,aAAa,OAAO,CAAC,SAAS,EAAE;SACjC,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED,aAAa,EAAE,GAAG,EAAE,CAAC,SAAS;IAE9B,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY;YAC5C,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS;YAChD,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC7B,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,aAAa;YACjD,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IAED,2BAA2B;IAE3B,YAAY,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAAC,OAAA,iCACrC,OAAO,KACV,YAAY,EAAE;gBACZ,aAAa,EAAE,MAAM,IAAA,sBAAY,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC;aAC9D,IACD,CAAA;MAAA;CACH,CAAC"}

package/build/dist/plugins/login.d.ts

@@ -2,7 +2,5 @@ import { TokenResponse } from "../types/oidc";
 import { OrgData } from "../types/org";
 declare const loginPlugins: readonly ["google", "okta", "ping", "oidc-pkce", "microsoft", "azure-oidc", "google-oidc", "aws-oidc"];
 export type LoginPluginType = (typeof loginPlugins)[number];
-export declare const pluginLoginMap: Record<string, (org: OrgData, options?: {
-    debug?: boolean;
-}) => Promise<TokenResponse>>;
+export declare const pluginLoginMap: Record<string, (org: OrgData) => Promise<TokenResponse>>;
 export {};

package/build/dist/plugins/login.js

@@ -41,12 +41,12 @@ exports.pluginLoginMap = {
     okta: login_4.oktaLogin,
     ping: login_5.pingLogin,
     "google-oidc": login_3.googleLogin,
-    "oidc-pkce": (org, options) => __awaiter(void 0, void 0, void 0, function* () {
+    "oidc-pkce": (org) => __awaiter(void 0, void 0, void 0, function* () {
         const providerType = (0, authUtils_1.getProviderType)(org);
         if (!providerType) {
             throw "Missing provider type for OIDC PKCE login";
         }
-        return yield exports.pluginLoginMap[providerType](org, options);
+        return yield exports.pluginLoginMap[providerType](org);
     }),
     password: login_2.emailPasswordLogin,
     "azure-oidc": login_1.azureLogin,

package/build/dist/plugins/login.js.map

@@ -1 +1 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/plugins/login.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,kDAAqD;AAGrD,yCAA2C;AAC3C,yCAAmD;AACnD,0CAA6C;AAC7C,wCAAyC;AACzC,wCAAyC;AAEzC,MAAM,YAAY,GAAG;IACnB,QAAQ;IACR,MAAM;IACN,MAAM;IACN,WAAW;IACX,WAAW;IACX,YAAY;IACZ,aAAa;IACb,UAAU;CACF,CAAC;AAIE,QAAA,cAAc,GAGvB;IACF,MAAM,EAAE,mBAAW;IACnB,IAAI,EAAE,iBAAS;IACf,IAAI,EAAE,iBAAS;IACf,aAAa,EAAE,mBAAW;IAC1B,WAAW,EAAE,CAAO,GAAG,EAAE,OAAO,EAAE,EAAE;QAClC,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,CAAC,YAAY,EAAE;YACjB,MAAM,2CAA2C,CAAC;SACnD;QACD,OAAO,MAAM,sBAAc,CAAC,YAAY,CAAE,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC3D,CAAC,CAAA;IACD,QAAQ,EAAE,0BAAkB;IAC5B,YAAY,EAAE,kBAAU;CACzB,CAAC"}
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../src/plugins/login.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,kDAAqD;AAGrD,yCAA2C;AAC3C,yCAAmD;AACnD,0CAA6C;AAC7C,wCAAyC;AACzC,wCAAyC;AAEzC,MAAM,YAAY,GAAG;IACnB,QAAQ;IACR,MAAM;IACN,MAAM;IACN,WAAW;IACX,WAAW;IACX,YAAY;IACZ,aAAa;IACb,UAAU;CACF,CAAC;AAIE,QAAA,cAAc,GAGvB;IACF,MAAM,EAAE,mBAAW;IACnB,IAAI,EAAE,iBAAS;IACf,IAAI,EAAE,iBAAS;IACf,aAAa,EAAE,mBAAW;IAC1B,WAAW,EAAE,CAAO,GAAG,EAAE,EAAE;QACzB,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,CAAC,YAAY,EAAE;YACjB,MAAM,2CAA2C,CAAC;SACnD;QACD,OAAO,MAAM,sBAAc,CAAC,YAAY,CAAE,CAAC,GAAG,CAAC,CAAC;IAClD,CAAC,CAAA;IACD,QAAQ,EAAE,0BAAkB;IAC5B,YAAY,EAAE,kBAAU;CACzB,CAAC"}

package/build/dist/plugins/okta/login.d.ts

@@ -2,16 +2,8 @@ import { Identity } from "../../types/identity";
 import { TokenResponse } from "../../types/oidc";
 import { OrgData } from "../../types/org";
 import { AwsFederatedLogin } from "../aws/types";
-/** Logs in to Okta via OIDC.
- *
- * Requests `offline_access` so we can silently refresh the access token at TTL.
- * Some Okta tenants disallow this scope at the app config — in that case
- * `/device/authorize` returns `invalid_scope`; we retry once without it and
- * proceed with the legacy device-only flow.
- */
-export declare const oktaLogin: (org: OrgData, options?: {
-    debug?: boolean;
-}) => Promise<TokenResponse>;
+/** Logs in to Okta via OIDC */
+export declare const oktaLogin: (org: OrgData) => Promise<TokenResponse>;
 /**
  * Converts OIDC tokens into a SAML assertion for AWS federated authentication.
  *

package/build/dist/plugins/okta/login.js

@@ -140,44 +140,18 @@ const fetchSamlResponse = (org, { access_token }) => __awaiter(void 0, void 0, v
     const samlInputValue = $('input[name="SAMLResponse"]').val();
     return typeof samlInputValue === "string" ? samlInputValue : undefined;
 });
-const oktaOidcUrls = (org) => () => {
-    const providerType = (0, authUtils_1.getProviderType)(org);
-    const providerDomain = (0, authUtils_1.getProviderDomain)(org);
-    (0, node_assert_1.default)(providerType === "okta", "Invalid provider configuration (expected okta OIDC provider)");
-    (0, node_assert_1.default)(providerDomain, "Invalid provider configuration (missing Okta domain)");
-    return {
-        deviceAuthorizationUrl: `https://${providerDomain}/oauth2/v1/device/authorize`,
-        tokenUrl: `https://${providerDomain}/oauth2/v1/token`,
-    };
-};
-const OKTA_BASE_SCOPE = "openid email profile";
-const OKTA_BROWSER_SCOPE = `${OKTA_BASE_SCOPE} okta.apps.sso`;
-const OKTA_OFFLINE_SCOPE = `${OKTA_BASE_SCOPE} offline_access`;
-/** Logs in to Okta via OIDC.
- *
- * Requests `offline_access` so we can silently refresh the access token at TTL.
- * Some Okta tenants disallow this scope at the app config — in that case
- * `/device/authorize` returns `invalid_scope`; we retry once without it and
- * proceed with the legacy device-only flow.
- */
-const oktaLogin = (org, options) => __awaiter(void 0, void 0, void 0, function* () {
-    const urls = oktaOidcUrls(org);
-    try {
-        const tokenResponse = yield (0, login_1.oidcLogin)((0, login_1.oidcLoginSteps)(org, OKTA_OFFLINE_SCOPE, urls));
-        if (!tokenResponse.refresh_token && (options === null || options === void 0 ? void 0 : options.debug)) {
-            (0, stdio_1.print2)("Okta token response omitted refresh_token; CLI will re-prompt for auth at session TTL.");
-        }
-        return tokenResponse;
-    }
-    catch (e) {
-        const message = e instanceof Error ? e.message : String(e);
-        if (!message.includes("invalid_scope"))
-            throw e;
-        if (options === null || options === void 0 ? void 0 : options.debug) {
-            (0, stdio_1.print2)("Okta tenant rejected offline_access; retrying without it.");
-        }
-        return yield (0, login_1.oidcLogin)((0, login_1.oidcLoginSteps)(org, OKTA_BROWSER_SCOPE, urls));
-    }
+/** Logs in to Okta via OIDC */
+const oktaLogin = (org) => __awaiter(void 0, void 0, void 0, function* () {
+    return (0, login_1.oidcLogin)((0, login_1.oidcLoginSteps)(org, "openid email profile okta.apps.sso", () => {
+        const providerType = (0, authUtils_1.getProviderType)(org);
+        const providerDomain = (0, authUtils_1.getProviderDomain)(org);
+        (0, node_assert_1.default)(providerType === "okta", "Invalid provider configuration (expected okta OIDC provider)");
+        (0, node_assert_1.default)(providerDomain, "Invalid provider configuration (missing Okta domain)");
+        return {
+            deviceAuthorizationUrl: `https://${providerDomain}/oauth2/v1/device/authorize`,
+            tokenUrl: `https://${providerDomain}/oauth2/v1/token`,
+        };
+    }));
 });
 exports.oktaLogin = oktaLogin;
 /**

package/build/dist/plugins/okta/login.js.map

@@ -1 +1 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../../src/plugins/okta/login.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAsD;AACtD,8CAI4B;AAC5B,6CAAoD;AACpD,+CAA6C;AAC7C,qDAI+B;AAK/B,yCAIuB;AACvB,iDAAmC;AACnC,mCAA8B;AAC9B,8DAAiC;AAEjC,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,aAAa,GAAG,2CAA2C,CAAC;AAClE,MAAM,mBAAmB,GAAG,iDAAiD,CAAC;AAC9E,MAAM,kBAAkB,GAAG,yCAAyC,CAAC;AAErE,MAAM,uBAAuB,GAAG;IAC9B,8EAA8E;IAC9E,8FAA8F;CAC/F,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,gBAAgB,GAAG,CACvB,KAAa,EACb,EAAE,GAAG,EAAE,UAAU,EAAY,EAC7B,KAAe,EACf,EAAE;IACF,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,IAAA,uBAAW,EAAC,GAAG,CAAC,CAAC;IAElC,IAAI,YAAY,KAAK,MAAM,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE;QAC3D,MAAM,wDAAwD,CAAC;KAChE;IAED,MAAM,IAAI,GAAG;QACX,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,mBAAY;QACrB,IAAI,EAAE,IAAA,iBAAS,EAAC;YACd,QAAQ,EAAE,iBAAiB,KAAK,EAAE;YAClC,SAAS,EAAE,QAAQ;YACnB,WAAW,EAAE,UAAU,CAAC,YAAY;YACpC,gBAAgB,EAAE,iBAAiB;YACnC,aAAa,EAAE,UAAU,CAAC,QAAQ;YAClC,kBAAkB,EAAE,aAAa;YACjC,UAAU,EAAE,mBAAmB;YAC/B,oBAAoB,EAAE,kBAAkB;SACzC,CAAC;KACH,CAAC;IACF,IAAA,8BAAsB,EAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,cAAc,kBAAkB,EAAE,IAAI,CAAC,CAAC;IAE9E,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,KAAK,KAAK,eAAe,EAAE;gBAClC,MAAM,IAAA,qBAAc,GAAE,CAAC;gBACvB,0GAA0G;gBAC1G,IAAI,uBAAuB,CAAC,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE;oBAC5D,IAAA,cAAM,EACJ;wGAC4F,CAC7F,CAAC;oBACF,IAAI,KAAK,EAAE;wBACT,IAAA,cAAM,EAAC,yCAAyC,GAAG,IAAI,CAAC,CAAC;qBAC1D;oBACD,MAAM,IAAI,CAAC,iBAAiB,CAAC;iBAC9B;qBAAM;oBACL,MAAM,0HAA0H,CAAC;iBAClI;aACF;YACD,wBAAwB;YACxB,MAAM,IAAI,KAAK,CACb,IAAA,2BAAmB,EACjB,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAC1B,QAAQ,CAAC,MAAM,EACf,QAAQ,CAAC,UAAU,EACnB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CACrB,CACF,CAAC;SACH;QAED,oCAAoC;QACpC,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;KAClC;IAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;AAClD,CAAC,CAAA,CAAC;AAEF,4CAA4C;AAC5C,MAAM,iBAAiB,GAAG,CACxB,GAAY,EACZ,EAAE,YAAY,EAAiB,EAC/B,EAAE;IACF,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;IAE9C,IAAI,YAAY,KAAK,MAAM,IAAI,CAAC,cAAc,EAAE;QAC9C,MAAM,uDAAuD,CAAC;KAC/D;IAED,MAAM,IAAI,GAAG;QACX,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,IAAA,aAAI,EAAC,mBAAY,EAAE,cAAc,CAAC;KAC5C,CAAC;IACF,IAAA,8BAAsB,EAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,WAAW,cAAc,0BAA0B,kBAAkB,CAAC,YAAY,CAAC,EAAE,CAAC;IAClG,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACxC,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,cAAc,GAAG,CAAC,CAAC,4BAA4B,CAAC,CAAC,GAAG,EAAE,CAAC;IAC7D,OAAO,OAAO,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC;AACzE,CAAC,CAAA,CAAC;AAEF,MAAM,YAAY,GAAG,CAAC,GAAY,EAAE,EAAE,CAAC,GAAG,EAAE;IAC1C,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;IAE9C,IAAA,qBAAM,EACJ,YAAY,KAAK,MAAM,EACvB,8DAA8D,CAC/D,CAAC;IACF,IAAA,qBAAM,EACJ,cAAc,EACd,sDAAsD,CACvD,CAAC;IACF,OAAO;QACL,sBAAsB,EAAE,WAAW,cAAc,6BAA6B;QAC9E,QAAQ,EAAE,WAAW,cAAc,kBAAkB;KACtD,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,sBAAsB,CAAC;AAE/C,MAAM,kBAAkB,GAAG,GAAG,eAAe,gBAAgB,CAAC;AAC9D,MAAM,kBAAkB,GAAG,GAAG,eAAe,iBAAiB,CAAC;AAE/D;;;;;;GAMG;AACI,MAAM,SAAS,GAAG,CACvB,GAAY,EACZ,OAA6B,EACL,EAAE;IAC1B,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI;QACF,MAAM,aAAa,GAAG,MAAM,IAAA,iBAAS,EACnC,IAAA,sBAAc,EAAC,GAAG,EAAE,kBAAkB,EAAE,IAAI,CAAC,CAC9C,CAAC;QACF,IAAI,CAAC,aAAa,CAAC,aAAa,KAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,CAAA,EAAE;YAClD,IAAA,cAAM,EACJ,wFAAwF,CACzF,CAAC;SACH;QACD,OAAO,aAAa,CAAC;KACtB;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;YAAE,MAAM,CAAC,CAAC;QAChD,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,IAAA,cAAM,EAAC,2DAA2D,CAAC,CAAC;SACrE;QACD,OAAO,MAAM,IAAA,iBAAS,EACpB,IAAA,sBAAc,EAAC,GAAG,EAAE,kBAAkB,EAAE,IAAI,CAAC,CAC9C,CAAC;KACH;AACH,CAAC,CAAA,CAAC;AAzBW,QAAA,SAAS,aAyBpB;AAEF;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAwB;AACjB,MAAM,wBAAwB,GAAG,CACtC,QAAkB,EAClB,MAAyB,EACzB,KAAe,EACE,EAAE;IACnB,MAAM,gBAAgB,GAAG,MAAM,gBAAgB,CAC7C,MAAM,CAAC,QAAQ,CAAC,KAAK,EACrB,QAAQ,EACR,KAAK,CACN,CAAC;IACF,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAC7E,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,uCAAuC,CAAC;KAC/C;IACD,OAAO,YAAY,CAAC;AACtB,CAAC,CAAA,CAAC;AAfW,QAAA,wBAAwB,4BAenC"}
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../../src/plugins/okta/login.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAsD;AACtD,8CAI4B;AAC5B,6CAAoD;AACpD,+CAA6C;AAC7C,qDAI+B;AAK/B,yCAIuB;AACvB,iDAAmC;AACnC,mCAA8B;AAC9B,8DAAiC;AAEjC,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,aAAa,GAAG,2CAA2C,CAAC;AAClE,MAAM,mBAAmB,GAAG,iDAAiD,CAAC;AAC9E,MAAM,kBAAkB,GAAG,yCAAyC,CAAC;AAErE,MAAM,uBAAuB,GAAG;IAC9B,8EAA8E;IAC9E,8FAA8F;CAC/F,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,gBAAgB,GAAG,CACvB,KAAa,EACb,EAAE,GAAG,EAAE,UAAU,EAAY,EAC7B,KAAe,EACf,EAAE;IACF,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,IAAA,uBAAW,EAAC,GAAG,CAAC,CAAC;IAElC,IAAI,YAAY,KAAK,MAAM,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE;QAC3D,MAAM,wDAAwD,CAAC;KAChE;IAED,MAAM,IAAI,GAAG;QACX,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,mBAAY;QACrB,IAAI,EAAE,IAAA,iBAAS,EAAC;YACd,QAAQ,EAAE,iBAAiB,KAAK,EAAE;YAClC,SAAS,EAAE,QAAQ;YACnB,WAAW,EAAE,UAAU,CAAC,YAAY;YACpC,gBAAgB,EAAE,iBAAiB;YACnC,aAAa,EAAE,UAAU,CAAC,QAAQ;YAClC,kBAAkB,EAAE,aAAa;YACjC,UAAU,EAAE,mBAAmB;YAC/B,oBAAoB,EAAE,kBAAkB;SACzC,CAAC;KACH,CAAC;IACF,IAAA,8BAAsB,EAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,cAAc,kBAAkB,EAAE,IAAI,CAAC,CAAC;IAE9E,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,KAAK,KAAK,eAAe,EAAE;gBAClC,MAAM,IAAA,qBAAc,GAAE,CAAC;gBACvB,0GAA0G;gBAC1G,IAAI,uBAAuB,CAAC,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE;oBAC5D,IAAA,cAAM,EACJ;wGAC4F,CAC7F,CAAC;oBACF,IAAI,KAAK,EAAE;wBACT,IAAA,cAAM,EAAC,yCAAyC,GAAG,IAAI,CAAC,CAAC;qBAC1D;oBACD,MAAM,IAAI,CAAC,iBAAiB,CAAC;iBAC9B;qBAAM;oBACL,MAAM,0HAA0H,CAAC;iBAClI;aACF;YACD,wBAAwB;YACxB,MAAM,IAAI,KAAK,CACb,IAAA,2BAAmB,EACjB,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAC1B,QAAQ,CAAC,MAAM,EACf,QAAQ,CAAC,UAAU,EACnB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CACrB,CACF,CAAC;SACH;QAED,oCAAoC;QACpC,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;KAClC;IAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;AAClD,CAAC,CAAA,CAAC;AAEF,4CAA4C;AAC5C,MAAM,iBAAiB,GAAG,CACxB,GAAY,EACZ,EAAE,YAAY,EAAiB,EAC/B,EAAE;IACF,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;IAE9C,IAAI,YAAY,KAAK,MAAM,IAAI,CAAC,cAAc,EAAE;QAC9C,MAAM,uDAAuD,CAAC;KAC/D;IAED,MAAM,IAAI,GAAG;QACX,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,IAAA,aAAI,EAAC,mBAAY,EAAE,cAAc,CAAC;KAC5C,CAAC;IACF,IAAA,8BAAsB,EAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,WAAW,cAAc,0BAA0B,kBAAkB,CAAC,YAAY,CAAC,EAAE,CAAC;IAClG,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACxC,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,cAAc,GAAG,CAAC,CAAC,4BAA4B,CAAC,CAAC,GAAG,EAAE,CAAC;IAC7D,OAAO,OAAO,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC;AACzE,CAAC,CAAA,CAAC;AAEF,+BAA+B;AACxB,MAAM,SAAS,GAAG,CAAO,GAAY,EAAE,EAAE;IAC9C,OAAA,IAAA,iBAAS,EACP,IAAA,sBAAc,EAAC,GAAG,EAAE,oCAAoC,EAAE,GAAG,EAAE;QAC7D,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC;QAC1C,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,GAAG,CAAC,CAAC;QAE9C,IAAA,qBAAM,EACJ,YAAY,KAAK,MAAM,EACvB,8DAA8D,CAC/D,CAAC;QACF,IAAA,qBAAM,EACJ,cAAc,EACd,sDAAsD,CACvD,CAAC;QACF,OAAO;YACL,sBAAsB,EAAE,WAAW,cAAc,6BAA6B;YAC9E,QAAQ,EAAE,WAAW,cAAc,kBAAkB;SACtD,CAAC;IACJ,CAAC,CAAC,CACH,CAAA;EAAA,CAAC;AAnBS,QAAA,SAAS,aAmBlB;AAEJ;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAwB;AACjB,MAAM,wBAAwB,GAAG,CACtC,QAAkB,EAClB,MAAyB,EACzB,KAAe,EACE,EAAE;IACnB,MAAM,gBAAgB,GAAG,MAAM,gBAAgB,CAC7C,MAAM,CAAC,QAAQ,CAAC,KAAK,EACrB,QAAQ,EACR,KAAK,CACN,CAAC;IACF,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAC7E,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,uCAAuC,CAAC;KAC/C;IACD,OAAO,YAAY,CAAC;AACtB,CAAC,CAAA,CAAC;AAfW,QAAA,wBAAwB,4BAenC"}