@p0security/cli 0.3.0

package/dist/commands/request.js

@@ -0,0 +1,116 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.request = exports.requestCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const api_1 = require("../drivers/api");
+const auth_1 = require("../drivers/auth");
+const firestore_1 = require("../drivers/firestore");
+const stdio_1 = require("../drivers/stdio");
+const firestore_2 = require("firebase/firestore");
+const typescript_1 = require("typescript");
+const WAIT_TIMEOUT = 300e3;
+const APPROVED = { message: "Your request was approved", code: 0 };
+const DENIED = { message: "Your request was denied", code: 2 };
+const ERRORED = { message: "Your request encountered an error", code: 1 };
+const COMPLETED_REQUEST_STATUSES = {
+    APPROVED,
+    APPROVED_NOTIFIED: APPROVED,
+    DONE: APPROVED,
+    DONE_NOTIFIED: APPROVED,
+    DENIED,
+    ERRORED,
+};
+const isCompletedStatus = (status) => status in COMPLETED_REQUEST_STATUSES;
+const requestArgs = (yargs) => yargs
+    .parserConfiguration({ "unknown-options-as-args": true })
+    .help(false) // Turn off help in order to forward the --help command to the backend so P0 can provide the available requestable resources
+    .option("wait", {
+    alias: "w",
+    boolean: true,
+    default: false,
+    describe: "Block until the command is completed",
+})
+    .option("arguments", {
+    array: true,
+    string: true,
+    default: [],
+});
+const requestCommand = (yargs) => yargs.command("request [arguments..]", "Manually request permissions on a resource", requestArgs, (0, firestore_1.guard)(exports.request));
+exports.requestCommand = requestCommand;
+const waitForRequest = (tenantId, requestId, logMessage) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield new Promise((resolve) => {
+        if (logMessage)
+            (0, stdio_1.print2)("Will wait up to 5 minutes for this request to complete...");
+        let cancel = undefined;
+        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${tenantId}/permission-requests/${requestId}`), (snap) => {
+            const data = snap.data();
+            if (!data)
+                return;
+            const { status } = data;
+            if (isCompletedStatus(status)) {
+                if (cancel)
+                    clearTimeout(cancel);
+                unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
+                const { message, code } = COMPLETED_REQUEST_STATUSES[status];
+                if (code !== 0 || logMessage)
+                    (0, stdio_1.print2)(message);
+                resolve(code);
+            }
+        });
+        cancel = setTimeout(() => {
+            unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
+            (0, stdio_1.print2)("Your request did not complete within 5 minutes.");
+            resolve(4);
+        }, WAIT_TIMEOUT);
+    });
+});
+const request = (args, authn, options) => __awaiter(void 0, void 0, void 0, function* () {
+    const resolvedAuthn = authn !== null && authn !== void 0 ? authn : (yield (0, auth_1.authenticate)());
+    const { userCredential } = resolvedAuthn;
+    const data = yield (0, api_1.fetchCommand)(resolvedAuthn, args, [
+        "request",
+        ...args.arguments,
+    ]);
+    if (data && "ok" in data && "message" in data && data.ok) {
+        const logMessage = !(options === null || options === void 0 ? void 0 : options.message) ||
+            (options === null || options === void 0 ? void 0 : options.message) === "all" ||
+            ((options === null || options === void 0 ? void 0 : options.message) === "approval-required" &&
+                !data.isPreexisting &&
+                !data.isPersistent);
+        if (logMessage)
+            (0, stdio_1.print2)(data.message);
+        const { id } = data;
+        if (args.wait && id && userCredential.user.tenantId) {
+            const code = yield waitForRequest(userCredential.user.tenantId, id, logMessage);
+            if (code) {
+                typescript_1.sys.exit(code);
+                return undefined;
+            }
+            return data;
+        }
+        else
+            return undefined;
+    }
+    else {
+        throw data;
+    }
+});
+exports.request = request;

package/dist/commands/ssh.d.ts

@@ -0,0 +1,11 @@
+import yargs from "yargs";
+export declare type SshCommandArgs = {
+    destination: string;
+    command?: string;
+    L?: string;
+    N?: boolean;
+    arguments: string[];
+    sudo?: boolean;
+    reason?: string;
+};
+export declare const sshCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<SshCommandArgs>;

package/dist/commands/ssh.js

@@ -0,0 +1,154 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sshCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const auth_1 = require("../drivers/auth");
+const firestore_1 = require("../drivers/firestore");
+const stdio_1 = require("../drivers/stdio");
+const ssm_1 = require("../plugins/aws/ssm");
+const request_1 = require("../types/request");
+const request_2 = require("./request");
+const firestore_2 = require("firebase/firestore");
+const lodash_1 = require("lodash");
+// Matches strings with the pattern "digits:digits" (e.g. 1234:5678)
+const LOCAL_PORT_FORWARD_PATTERN = /^\d+:\d+$/;
+/** Maximum amount of time to wait after access is approved to wait for access
+ *  to be configured
+ */
+const GRANT_TIMEOUT_MILLIS = 60e3;
+const sshCommand = (yargs) => yargs.command("ssh <destination> [command [arguments..]]", "SSH into a virtual machine", (yargs) => yargs
+    .positional("destination", {
+    type: "string",
+    demandOption: true,
+})
+    .option("sudo", {
+    type: "boolean",
+    describe: "Add user to sudoers file",
+})
+    .positional("command", {
+    type: "string",
+    describe: "Pass command to the shell",
+})
+    .positional("arguments", {
+    describe: "Command arguments",
+    array: true,
+    string: true,
+    default: [],
+})
+    .check((argv) => {
+    if (argv.L == null)
+        return true;
+    return (argv.L.match(LOCAL_PORT_FORWARD_PATTERN) ||
+        "Local port forward should be in the format `local_port:remote_port`");
+})
+    .option("L", {
+    type: "string",
+    describe: 
+    // the order of the sockets in the address matches the ssh man page
+    "Forward a local port to the remote host; `local_socket:remote_socket`",
+})
+    .option("N", {
+    type: "boolean",
+    describe: "Do not execute a remote command. Useful for forwarding ports.",
+})
+    // Match `p0 request --reason`
+    .option("reason", {
+    describe: "Reason access is needed",
+    type: "string",
+}), (0, firestore_1.guard)(ssh));
+exports.sshCommand = sshCommand;
+const validateSshInstall = (authn) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a, _b;
+    const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/ssh`));
+    const items = (_b = (_a = configDoc
+        .data()) === null || _a === void 0 ? void 0 : _a.workflows) === null || _b === void 0 ? void 0 : _b.items.filter((i) => i.state === "installed" && i.type === "aws");
+    if (!(items === null || items === void 0 ? void 0 : items.length)) {
+        throw "This organization is not configured for SSH access via the P0 CLI";
+    }
+});
+// TODO: Move this to a shared utility
+/** Waits until P0 grants access for a request */
+const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void 0, function* () {
+    let cancel = undefined;
+    const result = yield new Promise((resolve, reject) => {
+        let isResolved = false;
+        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/permission-requests/${requestId}`), (snap) => {
+            const data = snap.data();
+            if (!data)
+                return;
+            if (request_1.DONE_STATUSES.includes(data.status)) {
+                resolve(data);
+            }
+            else if (request_1.DENIED_STATUSES.includes(data.status)) {
+                reject("Your access request was denied");
+            }
+            else if (request_1.ERROR_STATUSES.includes(data.status)) {
+                reject("Your access request encountered an error (see Slack for details)");
+            }
+            else {
+                return;
+            }
+            isResolved = true;
+            unsubscribe();
+        });
+        // Skip timeout in test; it holds a ref longer than the test lasts
+        if (process.env.NODE_ENV === "test")
+            return;
+        cancel = setTimeout(() => {
+            if (!isResolved) {
+                unsubscribe();
+                reject("Timeout awaiting SSH access grant");
+            }
+        }, GRANT_TIMEOUT_MILLIS);
+    });
+    clearTimeout(cancel);
+    return result;
+});
+/** Connect to an SSH backend
+ *
+ * Implicitly gains access to the SSH resource if required.
+ *
+ * Supported SSH mechanisms:
+ * - AWS EC2 via SSM with Okta SAML
+ */
+const ssh = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    // Prefix is required because the backend uses it to determine that this is an AWS request
+    const authn = yield (0, auth_1.authenticate)();
+    yield validateSshInstall(authn);
+    const response = yield (0, request_2.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
+            "ssh",
+            args.destination,
+            "--provider",
+            "aws",
+            ...(args.sudo || args.command === "sudo" ? ["--sudo"] : []),
+            ...(args.reason ? ["--reason", args.reason] : []),
+        ], wait: true }), authn, { message: "approval-required" });
+    if (!response) {
+        (0, stdio_1.print2)("Did not receive access ID from server");
+        return;
+    }
+    const { id, isPreexisting } = response;
+    if (!isPreexisting)
+        (0, stdio_1.print2)("Waiting for access to be provisioned");
+    const requestData = yield waitForProvisioning(authn, id);
+    const requestWithId = Object.assign(Object.assign({}, requestData), { id });
+    yield (0, ssm_1.ssm)(authn, requestWithId, args);
+});

package/dist/common/auth/oidc.d.ts

@@ -0,0 +1,4 @@
+export declare const OIDC_HEADERS: {
+    Accept: "application/json";
+    "Content-Type": "application/x-www-form-urlencoded";
+};

package/dist/common/auth/oidc.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OIDC_HEADERS = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const mime_1 = require("../mime");
+exports.OIDC_HEADERS = {
+    Accept: mime_1.application.JSON,
+    "Content-Type": mime_1.application.X_WWW_FORM_URLENCODED,
+};

package/dist/common/auth/server.d.ts

@@ -0,0 +1,15 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import http from "node:http";
+/** Waits for an OIDC authorization redirect using a locally mounted server */
+export declare const withRedirectServer: <S, T, U>(start: (server: http.Server) => Promise<S>, complete: (value: S, token: T) => Promise<U>, options?: {
+    port?: number;
+}) => Promise<U>;

package/dist/common/auth/server.js

@@ -0,0 +1,73 @@
+"use strict";
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withRedirectServer = void 0;
+/** Implements a local auth server, which can receive auth tokens from an OIDC app */
+const util_1 = require("../../util");
+const express_1 = __importDefault(require("express"));
+const node_path_1 = require("node:path");
+const ROOT_PATH = `${(0, node_path_1.dirname)(require.main.filename)}/dist`;
+/** A small amount of time is necessary prior to shutting down the redirect server to
+ * properly render the redirect-landing page
+ */
+const SERVER_SHUTDOWN_WAIT_MILLIS = 2e3;
+/** Waits for an OIDC authorization redirect using a locally mounted server */
+const withRedirectServer = (start, complete, options) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const app = (0, express_1.default)();
+    app.use(express_1.default.static(`${ROOT_PATH}/public`));
+    let redirectResolve;
+    let redirectReject;
+    let value;
+    const redirectPromise = new Promise((resolve, reject) => {
+        redirectResolve = resolve;
+        redirectReject = reject;
+    });
+    const redirectRouter = express_1.default.Router();
+    redirectRouter.get("/", (req, res) => {
+        const token = req.query;
+        complete(value, token)
+            .then((result) => {
+            res.status(200).sendFile(`${ROOT_PATH}/public/redirect-landing.html`);
+            redirectResolve(result);
+        })
+            .catch((error) => {
+            var _a;
+            res.status(500).send((_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : error);
+            redirectReject(error);
+        });
+    });
+    app.use(redirectRouter);
+    const server = app.listen((_a = options === null || options === void 0 ? void 0 : options.port) !== null && _a !== void 0 ? _a : 0);
+    try {
+        value = yield start(server);
+        return yield redirectPromise;
+    }
+    finally {
+        yield (0, util_1.sleep)(SERVER_SHUTDOWN_WAIT_MILLIS);
+        server.closeAllConnections();
+        server.unref();
+    }
+});
+exports.withRedirectServer = withRedirectServer;

package/dist/common/fetch.d.ts

@@ -0,0 +1,16 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+/** Converts object data to a URL encoded form */
+export declare const urlEncode: (data: Record<string, string>) => string;
+/** Validates an HTTP response, throwing a friendly
+ *  error message if invalid
+ */
+export declare const validateResponse: (response: Response) => Promise<Response>;

package/dist/common/fetch.js

@@ -0,0 +1,39 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateResponse = exports.urlEncode = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+/** Converts object data to a URL encoded form */
+const urlEncode = (data) => Object.entries(data)
+    .map((kv) => kv.map(encodeURIComponent).join("="))
+    .join("&");
+exports.urlEncode = urlEncode;
+/** Validates an HTTP response, throwing a friendly
+ *  error message if invalid
+ */
+const validateResponse = (response) => __awaiter(void 0, void 0, void 0, function* () {
+    if (response.ok)
+        return response;
+    throw new Error(`Error in fetch request to ${response.url.split("?")[0]}:
+${response.status} ${response.statusText}
+
+${yield response.text()}`);
+});
+exports.validateResponse = validateResponse;

package/dist/common/mime.d.ts

@@ -0,0 +1,14 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare const application: {
+    readonly JSON: "application/json";
+    readonly X_WWW_FORM_URLENCODED: "application/x-www-form-urlencoded";
+};

package/dist/common/mime.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.application = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+exports.application = {
+    JSON: "application/json",
+    X_WWW_FORM_URLENCODED: "application/x-www-form-urlencoded",
+};

package/dist/common/xml.d.ts

@@ -0,0 +1,21 @@
+/** A janky XML document -> POJS parser
+ *
+ * The document is treated as an XML element, then transformed
+ * recursively via the following rules:
+ *
+ * If the element has child elements, it is converted to an object
+ * with a property for each unique child element name, with
+ * the property value equal to:
+ * - The child element's transformed value, if there is only
+ *   one element with the property name
+ * - An array of transformed elements, if there are multiple
+ *   child elements with the property name
+ *
+ * In addition, when the element has children, it receives an
+ * additional `_attributes` property, which is an object of the
+ * element's attributes.
+ *
+ * Otherwise, the element is transformed into the element's XML
+ * text.
+ */
+export declare const parseXml: (xml: string) => any;

package/dist/common/xml.js

@@ -0,0 +1,52 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseXml = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+// Avoid XXE and friends with a (best-as-we-know) safe XML parser
+const parse_xml_1 = require("@rgrove/parse-xml");
+const lodash_1 = require("lodash");
+const isXmlElement = (node) => node instanceof parse_xml_1.XmlElement;
+const elementToObject = (el) => {
+    if (el.children.find((n) => n instanceof parse_xml_1.XmlElement)) {
+        const object = (0, lodash_1.mapValues)((0, lodash_1.groupBy)(el.children.filter(isXmlElement), (el) => el.name), (items) => items.length === 1
+            ? elementToObject(items[0])
+            : items.map(elementToObject));
+        Object.assign(object, { _attributes: Object.assign({}, el.attributes) });
+        return object;
+    }
+    return el.text.trim();
+};
+/** A janky XML document -> POJS parser
+ *
+ * The document is treated as an XML element, then transformed
+ * recursively via the following rules:
+ *
+ * If the element has child elements, it is converted to an object
+ * with a property for each unique child element name, with
+ * the property value equal to:
+ * - The child element's transformed value, if there is only
+ *   one element with the property name
+ * - An array of transformed elements, if there are multiple
+ *   child elements with the property name
+ *
+ * In addition, when the element has children, it receives an
+ * additional `_attributes` property, which is an object of the
+ * element's attributes.
+ *
+ * Otherwise, the element is transformed into the element's XML
+ * text.
+ */
+const parseXml = (xml) => {
+    const parsed = (0, parse_xml_1.parseXml)(xml);
+    return elementToObject(parsed);
+};
+exports.parseXml = parseXml;

package/dist/drivers/__mocks__/auth.d.ts

@@ -0,0 +1,30 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare const authenticate: () => Promise<{
+    identity: {
+        credential: {
+            access_token: string;
+        };
+        org: {
+            ssoProvider: string;
+            providerDomain: string;
+            providerType: string;
+            slug: string;
+            tenantId: string;
+        };
+    };
+    userCredential: {
+        user: {
+            tenantId: string;
+        };
+    };
+}>;
+export declare const cached: (_label: string, callback: () => Promise<any>) => Promise<any>;

package/dist/drivers/__mocks__/auth.js

@@ -0,0 +1,46 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cached = exports.authenticate = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const authenticate = () => __awaiter(void 0, void 0, void 0, function* () {
+    return ({
+        identity: {
+            credential: {
+                access_token: "test-access-token",
+            },
+            org: {
+                ssoProvider: "oidc-pkce",
+                providerDomain: "test.okta.com",
+                providerType: "okta",
+                slug: "test-org",
+                tenantId: "test-tenant",
+            },
+        },
+        userCredential: {
+            user: {
+                tenantId: "test-tenant",
+            },
+        },
+    });
+});
+exports.authenticate = authenticate;
+const cached = (_label, callback) => __awaiter(void 0, void 0, void 0, function* () { return yield callback(); });
+exports.cached = cached;

package/dist/drivers/api.d.ts

@@ -0,0 +1,3 @@
+import { Authn } from "../types/identity";
+import yargs from "yargs";
+export declare const fetchCommand: <T>(authn: Authn, args: yargs.ArgumentsCamelCase, argv: string[]) => Promise<T>;