@p0security/cli 0.27.1 → 0.27.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.27.1",
+  "version": "0.27.4",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {
@@ -46,7 +46,6 @@
     "open": "^8.4.0",
     "pkce-challenge": "^5.0.0",
     "pluralize": "^8.0.0",
-    "proper-lockfile": "^4.1.2",
     "semver": "^7.6.0",
     "tmp-promise": "^3.0.3",
     "typescript": "^4.8.4",
@@ -62,7 +61,6 @@
     "@types/lodash": "^4.14.202",
     "@types/node": "^20.17.46",
     "@types/pluralize": "^0.0.33",
-    "@types/proper-lockfile": "^4.1.4",
     "@types/which": "^3.0.3",
     "@types/yargs": "^17.0.13",
     "@typescript-eslint/eslint-plugin": "^6.4.0",

package/build/dist/drivers/auth/lock.d.ts

@@ -1,11 +0,0 @@
-/**
- * Serialize critical sections that read-modify-write the identity file.
- *
- * Acquires an exclusive `proper-lockfile` on identity.json (creates an
- * adjacent `.lock` directory) and releases it after `fn` resolves or rejects.
- * The caller is expected to re-read the identity inside `fn` because a peer
- * may have updated it while we were waiting on the lock.
- *
- * Requires identity.json to exist — caller's responsibility.
- */
-export declare const withIdentityLock: <T>(fn: () => Promise<T>) => Promise<T>;

package/build/dist/drivers/auth/lock.js

@@ -1,70 +0,0 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.withIdentityLock = void 0;
-/** Copyright © 2024-present P0 Security
-
-This file is part of @p0security/cli
-
-@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
-
-@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
-**/
-const path_1 = require("./path");
-const proper_lockfile_1 = __importDefault(require("proper-lockfile"));
-// If a lock holder dies without releasing, the lock file's mtime stops
-// updating; after STALE_LOCK_MS another process is allowed to steal it.
-const STALE_LOCK_MS = 30000;
-// Bound the *total* wait so a hung peer process can't make this CLI invocation
-// appear to hang. The retry backoff below sums to ~20s in the worst case, then
-// proper-lockfile gives up and we let the caller fall through to device flow.
-const LOCK_RETRY_OPTIONS = {
-    retries: 8,
-    factor: 1.5,
-    minTimeout: 100,
-    maxTimeout: 4000,
-};
-/**
- * Serialize critical sections that read-modify-write the identity file.
- *
- * Acquires an exclusive `proper-lockfile` on identity.json (creates an
- * adjacent `.lock` directory) and releases it after `fn` resolves or rejects.
- * The caller is expected to re-read the identity inside `fn` because a peer
- * may have updated it while we were waiting on the lock.
- *
- * Requires identity.json to exist — caller's responsibility.
- */
-const withIdentityLock = (fn) => __awaiter(void 0, void 0, void 0, function* () {
-    const release = yield proper_lockfile_1.default.lock((0, path_1.getIdentityFilePath)(), {
-        stale: STALE_LOCK_MS,
-        retries: LOCK_RETRY_OPTIONS,
-    });
-    try {
-        return yield fn();
-    }
-    finally {
-        try {
-            yield release();
-        }
-        catch (_a) {
-            // release() may throw if the lock was stolen (we exceeded stale time)
-            // or already released. The on-disk state is still consistent because
-            // writeIdentity is atomic; nothing useful to do here.
-        }
-    }
-});
-exports.withIdentityLock = withIdentityLock;
-//# sourceMappingURL=lock.js.map

package/build/dist/drivers/auth/lock.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"lock.js","sourceRoot":"","sources":["../../../../src/drivers/auth/lock.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iCAA6C;AAC7C,sEAAuC;AAEvC,uEAAuE;AACvE,wEAAwE;AACxE,MAAM,aAAa,GAAG,KAAM,CAAC;AAE7B,+EAA+E;AAC/E,+EAA+E;AAC/E,8EAA8E;AAC9E,MAAM,kBAAkB,GAAG;IACzB,OAAO,EAAE,CAAC;IACV,MAAM,EAAE,GAAG;IACX,UAAU,EAAE,GAAG;IACf,UAAU,EAAE,IAAI;CACjB,CAAC;AAEF;;;;;;;;;GASG;AACI,MAAM,gBAAgB,GAAG,CAAU,EAAoB,EAAc,EAAE;IAC5E,MAAM,OAAO,GAAG,MAAM,yBAAQ,CAAC,IAAI,CAAC,IAAA,0BAAmB,GAAE,EAAE;QACzD,KAAK,EAAE,aAAa;QACpB,OAAO,EAAE,kBAAkB;KAC5B,CAAC,CAAC;IACH,IAAI;QACF,OAAO,MAAM,EAAE,EAAE,CAAC;KACnB;YAAS;QACR,IAAI;YACF,MAAM,OAAO,EAAE,CAAC;SACjB;QAAC,WAAM;YACN,sEAAsE;YACtE,qEAAqE;YACrE,sDAAsD;SACvD;KACF;AACH,CAAC,CAAA,CAAC;AAhBW,QAAA,gBAAgB,oBAgB3B"}

package/build/dist/drivers/auth/refresh.d.ts

@@ -1,31 +0,0 @@
-import { Identity } from "../../types/identity";
-import { TokenResponse } from "../../types/oidc";
-export declare const REFRESH_FAILED: "REFRESH_FAILED";
-export type RefreshError = {
-    code: typeof REFRESH_FAILED;
-    reason: "http_error" | "missing_id_token" | "missing_provider_config" | "network_error" | "no_refresh_token";
-    cause?: unknown;
-    detail?: string;
-};
-/**
- * Merge a newly-issued credential from the refresh-token grant with the
- * previously-stored credential. Note, not all fields are included in the
- * refreshed token, and thus must be carried forward from the previous/original token.
- **/
-export declare const mergeRefreshedCredential: (previous: TokenResponse, refreshed: TokenResponse) => TokenResponse;
-/**
- * Exchange the stored refresh_token for a new access/id token pair against
- * Okta's /oauth2/v1/token endpoint.
- *
- * On any failure, throws a RefreshError. Callers are expected to
- * catch this and fall through to the device-flow path.
- */
-export declare const refreshOktaTokens: (identity: Identity, options?: {
-    debug?: boolean;
-}) => Promise<TokenResponse>;
-/**
- * Best-effort revoke of the stored refresh_token at Okta's /oauth2/v1/revoke.
- */
-export declare const revokeOktaRefreshToken: (identity: Identity, options?: {
-    debug?: boolean;
-}) => Promise<void>;

package/build/dist/drivers/auth/refresh.js

@@ -1,130 +0,0 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.revokeOktaRefreshToken = exports.refreshOktaTokens = exports.mergeRefreshedCredential = exports.REFRESH_FAILED = void 0;
-/** Copyright © 2024-present P0 Security
-
-This file is part of @p0security/cli
-
-@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
-
-@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
-**/
-const oidc_1 = require("../../common/auth/oidc");
-const fetch_1 = require("../../common/fetch");
-const authUtils_1 = require("../../types/authUtils");
-const stdio_1 = require("../stdio");
-exports.REFRESH_FAILED = "REFRESH_FAILED";
-const refreshError = (reason, extra) => (Object.assign({ code: exports.REFRESH_FAILED, reason }, extra));
-/**
- * Merge a newly-issued credential from the refresh-token grant with the
- * previously-stored credential. Note, not all fields are included in the
- * refreshed token, and thus must be carried forward from the previous/original token.
- **/
-const mergeRefreshedCredential = (previous, refreshed) => {
-    var _a, _b, _c;
-    return (Object.assign(Object.assign(Object.assign({}, previous), refreshed), { refresh_token: (_a = refreshed.refresh_token) !== null && _a !== void 0 ? _a : previous.refresh_token, device_secret: previous.device_secret, 
-        // RFC 6749 §6: omitted scope on refresh means "identical to original grant"
-        scope: (_b = refreshed.scope) !== null && _b !== void 0 ? _b : previous.scope, token_type: (_c = refreshed.token_type) !== null && _c !== void 0 ? _c : previous.token_type }));
-};
-exports.mergeRefreshedCredential = mergeRefreshedCredential;
-/**
- * Exchange the stored refresh_token for a new access/id token pair against
- * Okta's /oauth2/v1/token endpoint.
- *
- * On any failure, throws a RefreshError. Callers are expected to
- * catch this and fall through to the device-flow path.
- */
-const refreshOktaTokens = (identity, options) => __awaiter(void 0, void 0, void 0, function* () {
-    const refresh_token = identity.credential.refresh_token;
-    if (!refresh_token)
-        throw refreshError("no_refresh_token");
-    const providerDomain = (0, authUtils_1.getProviderDomain)(identity.org);
-    const clientId = (0, authUtils_1.getClientId)(identity.org);
-    if (!providerDomain || !clientId) {
-        throw refreshError("missing_provider_config");
-    }
-    const url = `https://${providerDomain}/oauth2/v1/token`;
-    const init = {
-        method: "POST",
-        headers: oidc_1.OIDC_HEADERS,
-        body: (0, fetch_1.urlEncode)({
-            grant_type: "refresh_token",
-            client_id: clientId,
-            refresh_token,
-        }),
-    };
-    let response;
-    try {
-        response = yield fetch(url, init);
-    }
-    catch (e) {
-        throw refreshError("network_error", { cause: e });
-    }
-    if (!response.ok) {
-        if (options === null || options === void 0 ? void 0 : options.debug) {
-            const detail = yield response.text().catch(() => undefined);
-            (0, stdio_1.print2)(`Okta refresh-token grant failed: ${response.status} ${response.statusText} ${detail !== null && detail !== void 0 ? detail : ""}`);
-        }
-        throw refreshError("http_error", {
-            detail: `${response.status} ${response.statusText}`,
-        });
-    }
-    const refreshed = (yield response.json());
-    if (!refreshed.id_token) {
-        if (options === null || options === void 0 ? void 0 : options.debug) {
-            (0, stdio_1.print2)("Okta refresh response omitted id_token; falling back to device flow.");
-        }
-        throw refreshError("missing_id_token");
-    }
-    return (0, exports.mergeRefreshedCredential)(identity.credential, refreshed);
-});
-exports.refreshOktaTokens = refreshOktaTokens;
-/**
- * Best-effort revoke of the stored refresh_token at Okta's /oauth2/v1/revoke.
- */
-const revokeOktaRefreshToken = (identity, options) => __awaiter(void 0, void 0, void 0, function* () {
-    const refresh_token = identity.credential.refresh_token;
-    if (!refresh_token)
-        return;
-    const providerDomain = (0, authUtils_1.getProviderDomain)(identity.org);
-    const clientId = (0, authUtils_1.getClientId)(identity.org);
-    if (!providerDomain || !clientId) {
-        if (options === null || options === void 0 ? void 0 : options.debug) {
-            (0, stdio_1.print2)("Skipping refresh-token revoke: missing provider domain or client id.");
-        }
-        return;
-    }
-    try {
-        const response = yield fetch(`https://${providerDomain}/oauth2/v1/revoke`, {
-            method: "POST",
-            headers: oidc_1.OIDC_HEADERS,
-            body: (0, fetch_1.urlEncode)({
-                client_id: clientId,
-                token: refresh_token,
-                token_type_hint: "refresh_token",
-            }),
-        });
-        if (!response.ok && (options === null || options === void 0 ? void 0 : options.debug)) {
-            (0, stdio_1.print2)(`Refresh-token revoke returned ${response.status} ${response.statusText}; proceeding with logout.`);
-        }
-    }
-    catch (e) {
-        if (options === null || options === void 0 ? void 0 : options.debug) {
-            const detail = e instanceof Error ? e.message : String(e);
-            (0, stdio_1.print2)(`Refresh-token revoke failed (${detail}); proceeding with logout.`);
-        }
-    }
-});
-exports.revokeOktaRefreshToken = revokeOktaRefreshToken;
-//# sourceMappingURL=refresh.js.map

package/build/dist/drivers/auth/refresh.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../../../src/drivers/auth/refresh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAsD;AACtD,8CAA+C;AAC/C,qDAAuE;AAGvE,oCAAkC;AAErB,QAAA,cAAc,GAAG,gBAAyB,CAAC;AAcxD,MAAM,YAAY,GAAG,CACnB,MAA8B,EAC9B,KAA4C,EAC9B,EAAE,CAAC,iBAAG,IAAI,EAAE,sBAAc,EAAE,MAAM,IAAK,KAAK,EAAG,CAAC;AAEhE;;;;IAII;AACG,MAAM,wBAAwB,GAAG,CACtC,QAAuB,EACvB,SAAwB,EACT,EAAE;;IAAC,OAAA,+CACf,QAAQ,GACR,SAAS,KACZ,aAAa,EAAE,MAAA,SAAS,CAAC,aAAa,mCAAI,QAAQ,CAAC,aAAa,EAChE,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,4EAA4E;QAC5E,KAAK,EAAE,MAAA,SAAS,CAAC,KAAK,mCAAI,QAAQ,CAAC,KAAK,EACxC,UAAU,EAAE,MAAA,SAAS,CAAC,UAAU,mCAAI,QAAQ,CAAC,UAAU,IACvD,CAAA;CAAA,CAAC;AAXU,QAAA,wBAAwB,4BAWlC;AAEH;;;;;;GAMG;AACI,MAAM,iBAAiB,GAAG,CAC/B,QAAkB,EAClB,OAA6B,EACL,EAAE;IAC1B,MAAM,aAAa,GAAG,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;IACxD,IAAI,CAAC,aAAa;QAAE,MAAM,YAAY,CAAC,kBAAkB,CAAC,CAAC;IAE3D,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAA,uBAAW,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE;QAChC,MAAM,YAAY,CAAC,yBAAyB,CAAC,CAAC;KAC/C;IAED,MAAM,GAAG,GAAG,WAAW,cAAc,kBAAkB,CAAC;IACxD,MAAM,IAAI,GAAgB;QACxB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,mBAAY;QACrB,IAAI,EAAE,IAAA,iBAAS,EAAC;YACd,UAAU,EAAE,eAAe;YAC3B,SAAS,EAAE,QAAQ;YACnB,aAAa;SACd,CAAC;KACH,CAAC;IAEF,IAAI,QAAkB,CAAC;IACvB,IAAI;QACF,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;KACnC;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,YAAY,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;KACnD;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;YAC5D,IAAA,cAAM,EACJ,oCAAoC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,IAAI,MAAM,aAAN,MAAM,cAAN,MAAM,GAAI,EAAE,EAAE,CAC7F,CAAC;SACH;QACD,MAAM,YAAY,CAAC,YAAY,EAAE;YAC/B,MAAM,EAAE,GAAG,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE;SACpD,CAAC,CAAC;KACJ;IAED,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;IAE3D,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE;QACvB,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,IAAA,cAAM,EACJ,sEAAsE,CACvE,CAAC;SACH;QACD,MAAM,YAAY,CAAC,kBAAkB,CAAC,CAAC;KACxC;IAED,OAAO,IAAA,gCAAwB,EAAC,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;AAClE,CAAC,CAAA,CAAC;AAvDW,QAAA,iBAAiB,qBAuD5B;AAEF;;GAEG;AACI,MAAM,sBAAsB,GAAG,CACpC,QAAkB,EAClB,OAA6B,EACd,EAAE;IACjB,MAAM,aAAa,GAAG,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;IACxD,IAAI,CAAC,aAAa;QAAE,OAAO;IAE3B,MAAM,cAAc,GAAG,IAAA,6BAAiB,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAA,uBAAW,EAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE;QAChC,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,IAAA,cAAM,EACJ,sEAAsE,CACvE,CAAC;SACH;QACD,OAAO;KACR;IAED,IAAI;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,cAAc,mBAAmB,EAAE;YACzE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,mBAAY;YACrB,IAAI,EAAE,IAAA,iBAAS,EAAC;gBACd,SAAS,EAAE,QAAQ;gBACnB,KAAK,EAAE,aAAa;gBACpB,eAAe,EAAE,eAAe;aACjC,CAAC;SACH,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,KAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,CAAA,EAAE;YAClC,IAAA,cAAM,EACJ,iCAAiC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,2BAA2B,CACnG,CAAC;SACH;KACF;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,KAAK,EAAE;YAClB,MAAM,MAAM,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC1D,IAAA,cAAM,EACJ,gCAAgC,MAAM,4BAA4B,CACnE,CAAC;SACH;KACF;AACH,CAAC,CAAA,CAAC;AAzCW,QAAA,sBAAsB,0BAyCjC"}