@p0security/cli 0.3.0

package/dist/commands/aws/__tests__/__input__/sts-response.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stsResponse = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+exports.stsResponse = `<AssumeRoleWithSAMLResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+<AssumeRoleWithSAMLResult>
+  <Audience>https://signin.aws.amazon.com/saml</Audience>
+  <AssumedRoleUser>
+    <AssumedRoleId>ABCDEFGHIJLMNOPQRST:test-user@test.com</AssumedRoleId>
+    <Arn>arn:aws:sts::1:assumed-role/Role1/test-user@test.com</Arn>
+  </AssumedRoleUser>
+  <Credentials>
+    <AccessKeyId>test-access-key</AccessKeyId>
+    <SecretAccessKey>secret-access-key</SecretAccessKey>
+    <SessionToken>session-token</SessionToken>
+    <Expiration>2024-02-22T00:18:21Z</Expiration>
+  </Credentials>
+  <Subject>test-user@test.com</Subject>
+  <NameQualifier>abcdefghijklmnop</NameQualifier>
+  <SourceIdentity>test-user@test.com</SourceIdentity>
+  <PackedPolicySize>2</PackedPolicySize>
+  <SubjectType>unspecified</SubjectType>
+  <Issuer>http://www.okta.com/abc</Issuer>
+</AssumeRoleWithSAMLResult>
+<ResponseMetadata>
+  <RequestId>f5b94ad4-f322-4d7b-b568-84f2ec184cd7</RequestId>
+</ResponseMetadata>
+</AssumeRoleWithSAMLResponse>`;

package/dist/commands/aws/__tests__/role.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/commands/aws/__tests__/role.test.js

@@ -0,0 +1,98 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const __1 = require("..");
+const stdio_1 = require("../../../drivers/stdio");
+const firestore_1 = require("../../../testing/firestore");
+const yargs_1 = require("../../../testing/yargs");
+const saml_response_1 = require("./__input__/saml-response");
+const sts_response_1 = require("./__input__/sts-response");
+const yargs_2 = __importDefault(require("yargs"));
+jest.mock("fs/promises");
+jest.mock("../../../drivers/auth");
+jest.mock("../../../drivers/stdio");
+jest.mock("typescript", () => (Object.assign(Object.assign({}, jest.requireActual("typescript")), { sys: {
+        writeOutputIsTTY: () => true,
+    } })));
+const mockFetch = jest.spyOn(global, "fetch");
+const mockPrint1 = stdio_1.print1;
+const mockPrint2 = stdio_1.print2;
+beforeEach(() => {
+    jest.clearAllMocks();
+    mockFetch.mockImplementation((url) => __awaiter(void 0, void 0, void 0, function* () {
+        return ({
+            ok: true,
+            // This is the token response from fetchSsoWebToken
+            json: () => __awaiter(void 0, void 0, void 0, function* () { return ({}); }),
+            // This is the XML response from fetchSamlResponse or stsAssumeRole
+            text: () => __awaiter(void 0, void 0, void 0, function* () { return url.match(/okta.com/) ? saml_response_1.samlResponse : sts_response_1.stsResponse; }),
+        });
+    }));
+});
+describe("aws role", () => {
+    describe("a single installed account", () => {
+        const item = {
+            account: {
+                id: "1",
+                description: "1 (test)",
+            },
+            state: "installed",
+        };
+        describe("without Okta SAML", () => {
+            (0, firestore_1.mockGetDoc)({ workflows: { items: [item] } });
+            describe.each([
+                ["ls", "aws role ls"],
+                ["assume", "aws role assume Role1"],
+            ])("%s", (_, command) => {
+                it("should print a friendly error message", () => __awaiter(void 0, void 0, void 0, function* () {
+                    const error = yield (0, yargs_1.failure)((0, __1.awsCommand)((0, yargs_2.default)()), command);
+                    expect(error).toMatchInlineSnapshot(`"Account 1 (test) is not configured for Okta SAML login."`);
+                }));
+            });
+        });
+        describe("with Okta SAML", () => {
+            beforeEach(() => {
+                (0, firestore_1.mockGetDoc)({
+                    workflows: {
+                        items: [Object.assign(Object.assign({}, item), { uidLocation: { id: "okta_saml_sso" } })],
+                    },
+                });
+            });
+            describe("assume", () => {
+                it("should assume a role", () => __awaiter(void 0, void 0, void 0, function* () {
+                    yield (0, __1.awsCommand)((0, yargs_2.default)()).parse("aws role assume Role1");
+                    expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
+                    expect(mockPrint1.mock.calls).toMatchSnapshot("stdout");
+                }));
+            });
+            describe("ls", () => {
+                it("lists roles", () => __awaiter(void 0, void 0, void 0, function* () {
+                    yield (0, __1.awsCommand)((0, yargs_2.default)()).parse("aws role ls");
+                    expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
+                    expect(mockPrint1.mock.calls).toMatchSnapshot("stdout");
+                }));
+            });
+        });
+    });
+});

package/dist/commands/aws/index.d.ts

@@ -0,0 +1,4 @@
+import yargs from "yargs";
+export declare const awsCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
+    account: string | undefined;
+}>;

package/dist/commands/aws/index.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.awsCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const role_1 = require("./role");
+const awsCommands = [role_1.role];
+const awsArgs = (yargs) => {
+    const base = yargs
+        .option("account", {
+        type: "string",
+        describe: "AWS account ID or alias (or set P0_AWS_ACCOUNT)",
+    })
+        .env("P0_AWS");
+    return awsCommands.reduce((m, c) => c(m), base).demandCommand(1);
+};
+const awsCommand = (yargs) => yargs.command("aws", "Execute AWS commands", awsArgs);
+exports.awsCommand = awsCommand;

package/dist/commands/aws/role.d.ts

@@ -0,0 +1,27 @@
+import { AwsItemConfig, AwsOktaSamlUidLocation } from "../../plugins/aws/types";
+import { Authn } from "../../types/identity";
+import yargs from "yargs";
+export declare const role: (yargs: yargs.Argv<{
+    account: string | undefined;
+}>) => yargs.Argv<{
+    account: string | undefined;
+} & {
+    role: string;
+}>;
+/** Retrieves the configured Okta SAML response for the specified account
+ *
+ * If no account is passed, and the organization only has one account configured,
+ * assumes that account.
+ */
+export declare const initOktaSaml: (authn: Authn, account: string | undefined) => Promise<{
+    samlResponse: string;
+    config: AwsItemConfig & {
+        uidLocation: AwsOktaSamlUidLocation;
+    };
+    account: string;
+}>;
+/** Extracts all roles from a SAML assertion */
+export declare const rolesFromSaml: (account: string, saml: string) => {
+    arns: string[];
+    roles: string[];
+};

package/dist/commands/aws/role.js

@@ -0,0 +1,123 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rolesFromSaml = exports.initOktaSaml = exports.role = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const xml_1 = require("../../common/xml");
+const auth_1 = require("../../drivers/auth");
+const firestore_1 = require("../../drivers/firestore");
+const stdio_1 = require("../../drivers/stdio");
+const config_1 = require("../../plugins/aws/config");
+const aws_1 = require("../../plugins/okta/aws");
+const login_1 = require("../../plugins/okta/login");
+const lodash_1 = require("lodash");
+const typescript_1 = require("typescript");
+const role = (yargs) => yargs.command("role", "Interact with AWS roles", (yargs) => yargs
+    .command("ls", "List available AWS roles", lodash_1.identity, 
+// TODO: select based on uidLocation
+(0, firestore_1.guard)(oktaAwsListRoles))
+    .command("assume <role>", "Assume an AWS role", (y) => y.positional("role", {
+    type: "string",
+    demandOption: true,
+    describe: "An AWS role name",
+}), 
+// TODO: select based on uidLocation
+(0, firestore_1.guard)(oktaAwsAssumeRole))
+    .demandCommand(1));
+exports.role = role;
+const isOktaSamlConfig = (config) => { var _a; return ((_a = config.uidLocation) === null || _a === void 0 ? void 0 : _a.id) === "okta_saml_sso"; };
+/** Retrieves the configured Okta SAML response for the specified account
+ *
+ * If no account is passed, and the organization only has one account configured,
+ * assumes that account.
+ */
+const initOktaSaml = (authn, account) => __awaiter(void 0, void 0, void 0, function* () {
+    const { identity, config } = yield (0, config_1.getAwsConfig)(authn, account);
+    if (!isOktaSamlConfig(config))
+        throw `Account ${config.account.description} is not configured for Okta SAML login.`;
+    const samlResponse = yield (0, login_1.getSamlResponse)(identity, config.uidLocation);
+    return {
+        samlResponse,
+        config,
+        account: config.account.id,
+    };
+});
+exports.initOktaSaml = initOktaSaml;
+/** Extracts all roles from a SAML assertion */
+const rolesFromSaml = (account, saml) => {
+    var _a;
+    const samlText = Buffer.from(saml, "base64").toString("ascii");
+    const samlObject = (0, xml_1.parseXml)(samlText);
+    const samlAttributes = samlObject["saml2p:Response"]["saml2:Assertion"]["saml2:AttributeStatement"]["saml2:Attribute"];
+    const roleAttribute = samlAttributes.find((a) => a._attributes.Name === "https://aws.amazon.com/SAML/Attributes/Role");
+    // Format:
+    //   'arn:aws:iam::391052057035:saml-provider/p0dev-ext_okta_sso,arn:aws:iam::391052057035:role/path/to/role/SSOAmazonS3FullAccess'
+    const arns = (_a = (0, lodash_1.flatten)([roleAttribute === null || roleAttribute === void 0 ? void 0 : roleAttribute["saml2:AttributeValue"]])) === null || _a === void 0 ? void 0 : _a.map((r) => r.split(",")[1]);
+    const roles = arns
+        .filter((r) => r.startsWith(`arn:aws:iam::${account}:role/`))
+        .map((r) => r.split("/").slice(1).join("/"));
+    return { arns, roles };
+};
+exports.rolesFromSaml = rolesFromSaml;
+/** Assumes a role in AWS via Okta SAML federation.
+ *
+ * Prerequisites:
+ * - AWS is configured with a SAML identity provider
+ * - This identity provider is integrated with a
+ *   "AWS SAML Account Federation" app in Okta
+ * - The AWS SAML identity provider name, Okta domain,
+ *   and Okta SAML app identifier are all contained in
+ *   the user's identity blob
+ * - The requested role is assigned to the user in Okta
+ */
+const oktaAwsAssumeRole = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const authn = yield (0, auth_1.authenticate)();
+    const awsCredential = yield (0, aws_1.assumeRoleWithOktaSaml)(authn, args);
+    const isTty = (_a = typescript_1.sys.writeOutputIsTTY) === null || _a === void 0 ? void 0 : _a.call(typescript_1.sys);
+    if (isTty)
+        (0, stdio_1.print2)("Execute the following commands:\n");
+    const indent = isTty ? "  " : "";
+    (0, stdio_1.print1)(Object.entries(awsCredential)
+        .map(([key, value]) => `${indent}export ${key}=${value}`)
+        .join("\n"));
+    if (isTty)
+        (0, stdio_1.print2)(`
+Or, populate these environment variables using BASH command substitution:
+
+  $(p0 aws${args.account ? ` --account ${args.account}` : ""} role assume ${args.role})
+`);
+});
+/** Lists assigned AWS roles for this user on this account */
+const oktaAwsListRoles = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    var _b;
+    const authn = yield (0, auth_1.authenticate)();
+    const { account, samlResponse } = yield (0, exports.initOktaSaml)(authn, args.account);
+    const { arns, roles } = (0, exports.rolesFromSaml)(account, samlResponse);
+    const isTty = (_b = typescript_1.sys.writeOutputIsTTY) === null || _b === void 0 ? void 0 : _b.call(typescript_1.sys);
+    if (isTty)
+        (0, stdio_1.print2)(`Your available roles for account ${account}:`);
+    if (!(roles === null || roles === void 0 ? void 0 : roles.length)) {
+        const accounts = (0, lodash_1.uniq)(arns.map((a) => a.split(":")[4])).sort();
+        throw `No roles found. You have roles on these accounts:\n${accounts.join("\n")}`;
+    }
+    const indent = isTty ? "  " : "";
+    (0, stdio_1.print1)(roles.map((r) => `${indent}${r}`).join("\n"));
+});

package/dist/commands/index.d.ts

@@ -0,0 +1,2 @@
+import yargs from "yargs";
+export declare const cli: yargs.Argv<{}>;

package/dist/commands/index.js

@@ -0,0 +1,49 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cli = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const stdio_1 = require("../drivers/stdio");
+const version_1 = require("../middlewares/version");
+const aws_1 = require("./aws");
+const login_1 = require("./login");
+const ls_1 = require("./ls");
+const request_1 = require("./request");
+const ssh_1 = require("./ssh");
+const lodash_1 = require("lodash");
+const typescript_1 = require("typescript");
+const yargs_1 = __importDefault(require("yargs"));
+const helpers_1 = require("yargs/helpers");
+const commands = [
+    aws_1.awsCommand,
+    login_1.loginCommand,
+    ls_1.lsCommand,
+    request_1.requestCommand,
+    ssh_1.sshCommand,
+];
+exports.cli = commands
+    .reduce((m, c) => c(m), (0, yargs_1.default)((0, helpers_1.hideBin)(process.argv)))
+    .middleware(version_1.checkVersion)
+    .strict()
+    .version(lodash_1.VERSION)
+    .demandCommand(1)
+    .fail((message, error, yargs) => {
+    if (error)
+        (0, stdio_1.print2)(error);
+    else {
+        (0, stdio_1.print2)(yargs.help());
+        (0, stdio_1.print2)(`\n${message}`);
+    }
+    typescript_1.sys.exit(1);
+});

package/dist/commands/login.d.ts

@@ -0,0 +1,14 @@
+import yargs from "yargs";
+/** Logs in the user
+ *
+ * Currently only supports login to a single organization. Login credentials, together
+ * with organization details, are saved to {@link IDENTITY_FILE_PATH}.
+ */
+export declare const login: (args: {
+    org: string;
+}, options?: {
+    skipAuthenticate?: boolean;
+}) => Promise<void>;
+export declare const loginCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
+    org: string;
+}>;

package/dist/commands/login.js

@@ -0,0 +1,93 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loginCommand = exports.login = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const auth_1 = require("../drivers/auth");
+const firestore_1 = require("../drivers/firestore");
+const stdio_1 = require("../drivers/stdio");
+const login_1 = require("../plugins/login");
+const firestore_2 = require("firebase/firestore");
+const fs = __importStar(require("fs/promises"));
+const path = __importStar(require("path"));
+/** Logs in the user
+ *
+ * Currently only supports login to a single organization. Login credentials, together
+ * with organization details, are saved to {@link IDENTITY_FILE_PATH}.
+ */
+const login = (args, options) => __awaiter(void 0, void 0, void 0, function* () {
+    const orgDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`orgs/${args.org}`));
+    const orgData = orgDoc.data();
+    if (!orgData)
+        throw "Could not find organization";
+    const orgWithSlug = Object.assign(Object.assign({}, orgData), { slug: args.org });
+    const plugin = orgWithSlug === null || orgWithSlug === void 0 ? void 0 : orgWithSlug.ssoProvider;
+    const loginFn = login_1.pluginLoginMap[plugin];
+    if (!loginFn)
+        throw "Unsupported login for your organization";
+    const tokenResponse = yield loginFn(orgWithSlug);
+    yield writeIdentity(orgWithSlug, tokenResponse);
+    // validate auth
+    if (!(options === null || options === void 0 ? void 0 : options.skipAuthenticate))
+        yield (0, auth_1.authenticate)({ noRefresh: true });
+    (0, stdio_1.print2)(`You are now logged in, and can use the p0 CLI.`);
+});
+exports.login = login;
+const writeIdentity = (org, credential) => __awaiter(void 0, void 0, void 0, function* () {
+    const expires_at = Date.now() * 1e-3 + credential.expires_in - 1; // Add 1 second safety margin
+    (0, stdio_1.print2)(`Saving authorization to ${auth_1.IDENTITY_FILE_PATH}.`);
+    const dir = path.dirname(auth_1.IDENTITY_FILE_PATH);
+    yield fs.mkdir(dir, { recursive: true });
+    yield fs.writeFile(auth_1.IDENTITY_FILE_PATH, JSON.stringify({
+        credential: Object.assign(Object.assign({}, credential), { expires_at }),
+        org,
+    }, null, 2), {
+        mode: "600",
+    });
+});
+const loginCommand = (yargs) => yargs.command("login <org>", "Log in to p0 using a web browser", (yargs) => yargs.positional("org", {
+    demandOption: true,
+    type: "string",
+    describe: "Your P0 organization ID",
+}), (0, firestore_1.guard)(exports.login));
+exports.loginCommand = loginCommand;

package/dist/commands/ls.d.ts

@@ -0,0 +1,4 @@
+import yargs from "yargs";
+export declare const lsCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
+    arguments: string[];
+}>;

package/dist/commands/ls.js

@@ -0,0 +1,78 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.lsCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const api_1 = require("../drivers/api");
+const auth_1 = require("../drivers/auth");
+const firestore_1 = require("../drivers/firestore");
+const stdio_1 = require("../drivers/stdio");
+const lodash_1 = require("lodash");
+const pluralize_1 = __importDefault(require("pluralize"));
+const lsArgs = (yargs) => yargs
+    .parserConfiguration({ "unknown-options-as-args": true })
+    .option("arguments", {
+    array: true,
+    string: true,
+    default: [],
+});
+const lsCommand = (yargs) => yargs.command("ls [arguments..]", "List request-command arguments", lsArgs, (0, firestore_1.guard)(ls));
+exports.lsCommand = lsCommand;
+const ls = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    const authn = yield (0, auth_1.authenticate)();
+    const data = yield (0, api_1.fetchCommand)(authn, args, [
+        "ls",
+        ...args.arguments,
+    ]);
+    const allArguments = [...args._, ...args.arguments];
+    if (data && "ok" in data && data.ok) {
+        const label = (0, pluralize_1.default)(data.arg);
+        if (data.items.length === 0) {
+            (0, stdio_1.print2)(`No ${label}`);
+            return;
+        }
+        const truncationPart = data.isTruncated
+            ? ` the first ${data.items.length}`
+            : "";
+        const postfixPart = data.term
+            ? ` matching '${data.term}'`
+            : data.isTruncated
+                ? ` (use \`p0
+         ${allArguments.join(" ")} <like>\` to narrow results)`
+                : "";
+        (0, stdio_1.print2)(`Showing${truncationPart} ${label}${postfixPart}:`);
+        const isSameValue = data.items.every((i) => !i.group && i.key === i.value);
+        const maxLength = (0, lodash_1.max)(data.items.map((i) => i.key.length)) || 0;
+        for (const item of data.items) {
+            const tagPart = `${item.group ? `${item.group} / ` : ""}${item.value}`;
+            (0, stdio_1.print1)(isSameValue
+                ? item.key
+                : maxLength > 30
+                    ? `${item.key}\n  ${stdio_1.Ansi.Dim}${tagPart}${stdio_1.Ansi.Reset}`
+                    : `${item.key.padEnd(maxLength)}${stdio_1.Ansi.Dim} - ${tagPart}${stdio_1.Ansi.Reset}`);
+        }
+    }
+    else {
+        throw data;
+    }
+});

package/dist/commands/request.d.ts

@@ -0,0 +1,12 @@
+import { Authn } from "../types/identity";
+import { RequestResponse } from "../types/request";
+import yargs from "yargs";
+export declare const requestCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
+    arguments: string[];
+}>;
+export declare const request: (args: yargs.ArgumentsCamelCase<{
+    arguments: string[];
+    wait?: boolean;
+}>, authn?: Authn, options?: {
+    message?: "all" | "approval-required" | "none";
+}) => Promise<RequestResponse | undefined>;