@p0security/cli 0.3.0

package/dist/plugins/aws/assumeRole.js

@@ -0,0 +1,55 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assumeRoleWithSaml = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const fetch_1 = require("../../common/fetch");
+const xml_1 = require("../../common/xml");
+const api_1 = require("./api");
+const api_2 = require("./api");
+const roleArn = (args) => `${(0, api_1.arnPrefix)(args.account)}:role/${args.role}`;
+const stsAssume = (params) => __awaiter(void 0, void 0, void 0, function* () {
+    const url = `https://sts.amazonaws.com?${(0, fetch_1.urlEncode)(params)}`;
+    const response = yield fetch(url, {
+        method: "GET",
+    });
+    yield (0, fetch_1.validateResponse)(response);
+    const stsXml = yield response.text();
+    const stsObject = (0, xml_1.parseXml)(stsXml);
+    const stsCredentials = stsObject.AssumeRoleWithSAMLResponse.AssumeRoleWithSAMLResult.Credentials;
+    return {
+        AWS_ACCESS_KEY_ID: stsCredentials.AccessKeyId,
+        AWS_SECRET_ACCESS_KEY: stsCredentials.SecretAccessKey,
+        AWS_SESSION_TOKEN: stsCredentials.SessionToken,
+    };
+});
+/** Assumes an AWS role via SAML login */
+const assumeRoleWithSaml = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    const params = {
+        Version: api_2.AWS_API_VERSION,
+        Action: "AssumeRoleWithSAML",
+        RoleArn: roleArn(args),
+        PrincipalArn: `${(0, api_1.arnPrefix)(args.account)}:saml-provider/${args.saml.providerName}`,
+        // Note that, despite the name, AWS actually expects a SAML Response
+        SAMLAssertion: args.saml.response,
+    };
+    return yield stsAssume(params);
+});
+exports.assumeRoleWithSaml = assumeRoleWithSaml;

package/dist/plugins/aws/config.d.ts

@@ -0,0 +1,5 @@
+import { Authn } from "../../types/identity";
+export declare const getAwsConfig: (authn: Authn, account: string | undefined) => Promise<{
+    identity: import("../../types/identity").Identity;
+    config: import("./types").AwsItemConfig;
+}>;

package/dist/plugins/aws/config.js

@@ -0,0 +1,38 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAwsConfig = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const firestore_1 = require("../../drivers/firestore");
+const firestore_2 = require("firebase/firestore");
+const getAwsConfig = (authn, account) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a, _b;
+    const { identity } = authn;
+    const snapshot = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${identity.org.tenantId}/integrations/aws`));
+    const config = snapshot.data();
+    // TODO: Support alias lookup
+    const item = account
+        ? (_a = config === null || config === void 0 ? void 0 : config.workflows) === null || _a === void 0 ? void 0 : _a.items.find((i) => i.state === "installed" && i.account.id === account)
+        : (_b = config === null || config === void 0 ? void 0 : config.workflows) === null || _b === void 0 ? void 0 : _b.items[0];
+    if (!item)
+        throw `P0 is not installed on AWS account ${account}`;
+    return { identity, config: item };
+});
+exports.getAwsConfig = getAwsConfig;

package/dist/plugins/aws/ssm/index.d.ts

@@ -0,0 +1,18 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { SshCommandArgs } from "../../../commands/ssh";
+import { Authn } from "../../../types/identity";
+import { Request } from "../../../types/request";
+import { AwsSsh } from "../types";
+/** Connect to an SSH backend using AWS Systems Manager (SSM) */
+export declare const ssm: (authn: Authn, request: Request<AwsSsh> & {
+    id: string;
+}, args: SshCommandArgs) => Promise<void>;

package/dist/plugins/aws/ssm/index.js

@@ -0,0 +1,274 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ssm = void 0;
+const stdio_1 = require("../../../drivers/stdio");
+const aws_1 = require("../../okta/aws");
+const install_1 = require("./install");
+const node_child_process_1 = require("node:child_process");
+const node_stream_1 = require("node:stream");
+const ps_tree_1 = __importDefault(require("ps-tree"));
+const STARTING_SESSION_MESSAGE = /Starting session with SessionId: (.*)/;
+/** Matches the error message that AWS SSM print1 when access is not propagated */
+// Note that the resource will randomly be either the SSM document or the EC2 instance
+const UNPROVISIONED_ACCESS_MESSAGE = /An error occurred \(AccessDeniedException\) when calling the StartSession operation: User: arn:aws:sts::.*:assumed-role\/P0GrantsRole.* is not authorized to perform: ssm:StartSession on resource: arn:aws:.*:.*:.* because no identity-based policy allows the ssm:StartSession action/;
+/** Maximum amount of time after AWS SSM process starts to check for {@link UNPROVISIONED_ACCESS_MESSAGE}
+ *  in the process's stderr
+ */
+const UNPROVISIONED_ACCESS_VALIDATION_WINDOW_MS = 5e3;
+/** Maximum number of attempts to start an SSM session
+ *
+ * Note that each attempt consumes ~ 1 s.
+ */
+const MAX_SSM_RETRIES = 30;
+const INSTANCE_ARN_PATTERN = /^arn:aws:ssm:([^:]+):([^:]+):managed-instance\/([^:]+)$/;
+/** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
+const LOCAL_PORT_FORWARDING_DOCUMENT_NAME = "AWS-StartPortForwardingSession";
+/** Checks if access has propagated through AWS to the SSM agent
+ *
+ * AWS takes about 8 minutes to fully resolve access after it is granted. During
+ * this time, calls to `aws ssm start-session` will fail randomly with an
+ * access denied exception.
+ *
+ * This function checks AWS to see if this exception is print1d to the SSM
+ * error output within the first 5 seconds of startup. If it is, the returned
+ * `isAccessPropagated()` function will return false. When this occurs, the
+ * consumer of this function should retry the AWS SSM session.
+ *
+ * Note that this function requires interception of the AWS SSM stderr stream.
+ * This works because AWS SSM wraps the session in a single-stream pty, so we
+ * do not capture stderr emitted from the wrapped shell session.
+ */
+const accessPropagationGuard = (child) => {
+    let isEphemeralAccessDeniedException = false;
+    const beforeStart = Date.now();
+    child.stderr.on("data", (chunk) => {
+        const chunkString = chunk.toString("utf-8");
+        const match = chunkString.match(UNPROVISIONED_ACCESS_MESSAGE);
+        if (match &&
+            Date.now() <= beforeStart + UNPROVISIONED_ACCESS_VALIDATION_WINDOW_MS) {
+            isEphemeralAccessDeniedException = true;
+            return;
+        }
+        (0, stdio_1.print2)(chunkString);
+    });
+    return {
+        isAccessPropagated: () => !isEphemeralAccessDeniedException,
+    };
+};
+const createBaseSsmCommand = (args) => {
+    return [
+        "aws",
+        "ssm",
+        "start-session",
+        "--region",
+        args.region,
+        "--target",
+        args.instance,
+    ];
+};
+const createInteractiveShellCommand = (args) => {
+    var _a;
+    const ssmCommand = [
+        ...createBaseSsmCommand(args),
+        "--document-name",
+        args.documentName,
+    ];
+    const command = (_a = args.command) === null || _a === void 0 ? void 0 : _a.trim();
+    if (command) {
+        ssmCommand.push("--parameters", `command='${command}'`);
+    }
+    return ssmCommand;
+};
+const createPortForwardingCommand = (args) => {
+    const [localPort, remotePort] = args.forwardPortAddress
+        .split(":")
+        .map(Number);
+    return [
+        ...createBaseSsmCommand(args),
+        "--document-name",
+        // Port forwarding is a special case that uses an AWS-managed document, not the user-generated document we use for an SSH session
+        LOCAL_PORT_FORWARDING_DOCUMENT_NAME,
+        "--parameters",
+        `localPortNumber=${localPort},portNumber=${remotePort}`,
+    ];
+};
+const createSsmCommands = (args) => {
+    const interactiveShellCommand = createInteractiveShellCommand(args);
+    const forwardPortAddress = args.forwardPortAddress;
+    if (!forwardPortAddress) {
+        return { shellCommand: interactiveShellCommand };
+    }
+    const portForwardingCommand = createPortForwardingCommand(Object.assign(Object.assign({}, args), { forwardPortAddress }));
+    if (args.noRemoteCommands) {
+        return { shellCommand: portForwardingCommand };
+    }
+    return {
+        shellCommand: interactiveShellCommand,
+        subCommand: portForwardingCommand,
+    };
+};
+function spawnChildProcess(credential, command, stdio) {
+    return (0, node_child_process_1.spawn)("/usr/bin/env", command, {
+        env: Object.assign(Object.assign({}, process.env), credential),
+        stdio,
+    });
+}
+/** Starts an SSM session in the terminal by spawning `aws ssm` as a subprocess
+ *
+ * Requires `aws ssm` to be installed on the client machine.
+ */
+const spawnSsmNode = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        const child = spawnChildProcess(options.credential, options.command, [
+            "inherit",
+            "inherit",
+            "pipe",
+        ]);
+        const { isAccessPropagated } = accessPropagationGuard(child);
+        const exitListener = child.on("exit", (code) => {
+            var _a;
+            exitListener.unref();
+            // In the case of ephemeral AccessDenied exceptions due to unpropagated
+            // permissions, continually retry access until success
+            if (!isAccessPropagated()) {
+                const attemptsRemaining = (_a = options === null || options === void 0 ? void 0 : options.attemptsRemaining) !== null && _a !== void 0 ? _a : MAX_SSM_RETRIES;
+                if (attemptsRemaining <= 0) {
+                    reject("Access did not propagate through AWS before max retry attempts were exceeded. Please contact support@p0.dev for assistance.");
+                    return;
+                }
+                spawnSsmNode(Object.assign(Object.assign({}, options), { attemptsRemaining: attemptsRemaining - 1 }))
+                    .then((code) => resolve(code))
+                    .catch(reject);
+                return;
+            }
+            options.abortController.abort(code);
+            (0, stdio_1.print2)(`SSH session terminated`);
+            resolve(code);
+        });
+    });
+});
+/**
+ * A subprocess SSM session redirects its output through a proxy that filters certain messages reducing the verbosity of the output.
+ * The subprocess also makes sure to terminate any grandchild processes that might spawn during the session.
+ *
+ * This process should be used when multiple SSM sessions need to be spawned in parallel.
+ */
+const spawnSubprocessSsmNode = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        const child = spawnChildProcess(options.credential, options.command, [
+            "ignore",
+            "pipe",
+            "pipe",
+        ]);
+        // Captures the starting session message and filters it from the output
+        const proxyStream = new node_stream_1.Transform({
+            transform(chunk, _, end) {
+                const message = chunk.toString("utf-8");
+                const match = message.match(STARTING_SESSION_MESSAGE);
+                if (!match) {
+                    this.push(chunk);
+                }
+                end();
+            },
+        });
+        // Ensures that content from the child process is printed to the terminal and the proxy stream
+        child.stdout.pipe(proxyStream).pipe(process.stdout);
+        const { isAccessPropagated } = accessPropagationGuard(child);
+        const abortListener = (code) => {
+            options.abortController.signal.removeEventListener("abort", abortListener);
+            // AWS CLI typically will spawn a grandchild process for the SSM session. Using `ps-tree` will allow us
+            // to identify and terminate the grandchild process as well.
+            (0, ps_tree_1.default)(child.pid, function (_, children) {
+                // kill the original child process first so that messages from grandchildren are not printed to stdout
+                child.kill();
+                // Send a SIGTERM because other signals (e.g. SIGKILL) will not propagate to the grandchildren
+                (0, node_child_process_1.exec)(`kill -15 ${children.map((p) => p.PID).join(" ")}`);
+            });
+            resolve(code);
+        };
+        child.on("spawn", () => {
+            options.abortController.signal.addEventListener("abort", abortListener);
+        });
+        const exitListener = child.on("exit", (code) => {
+            var _a;
+            exitListener.unref();
+            // In the case of ephemeral AccessDenied exceptions due to unpropagated
+            // permissions, continually retry access until success
+            if (!isAccessPropagated()) {
+                options.abortController.signal.removeEventListener("abort", abortListener);
+                const attemptsRemaining = (_a = options === null || options === void 0 ? void 0 : options.attemptsRemaining) !== null && _a !== void 0 ? _a : MAX_SSM_RETRIES;
+                if (attemptsRemaining <= 0) {
+                    reject("Access did not propagate through AWS before max retry attempts were exceeded. Please contact support@p0.dev for assistance.");
+                    return;
+                }
+                spawnSubprocessSsmNode(Object.assign(Object.assign({}, options), { attemptsRemaining: attemptsRemaining - 1 }))
+                    .then((code) => resolve(code))
+                    .catch(reject);
+                return;
+            }
+            options.abortController.abort(code);
+        });
+    });
+});
+/** Convert an SshCommandArgs into an SSM document "command" parameter */
+const commandParameter = (args) => args.command
+    ? `${args.command} ${args.arguments
+        .map((argument) => 
+    // escape all double quotes (") in commands such as `p0 ssh <instance>> echo 'hello; "world"'` because we
+    // need to encapsulate command arguments in double quotes as we pass them along to the remote shell
+    `"${String(argument).replace(/"/g, '\\"')}"`)
+        .join(" ")}`.trim()
+    : undefined;
+/** Connect to an SSH backend using AWS Systems Manager (SSM) */
+const ssm = (authn, request, args) => __awaiter(void 0, void 0, void 0, function* () {
+    const isInstalled = yield (0, install_1.ensureSsmInstall)();
+    if (!isInstalled)
+        throw "Please try again after installing the required AWS utilities";
+    const match = request.permission.spec.arn.match(INSTANCE_ARN_PATTERN);
+    if (!match)
+        throw "Did not receive a properly formatted instance identifier";
+    const [, region, account, instance] = match;
+    const credential = yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
+        account,
+        role: request.generatedRoles[0].role,
+    });
+    const ssmArgs = {
+        instance: instance,
+        region: region,
+        documentName: request.generated.documentName,
+        requestId: request.id,
+        forwardPortAddress: args.L,
+        noRemoteCommands: args.N,
+        command: commandParameter(args),
+    };
+    const ssmCommands = createSsmCommands(ssmArgs);
+    yield startSsmProcesses(credential, ssmCommands);
+});
+exports.ssm = ssm;
+/**
+ * Starts the SSM session and any additional processes that are requested for the session to function properly.
+ */
+const startSsmProcesses = (credential, commands) => __awaiter(void 0, void 0, void 0, function* () {
+    /** The AbortController is responsible for sending a shared signal to all spawned processes ({@link spawnSsmNode}) when the parent process is terminated unexpectedly. This is necessary because the spawned processes are detached and would otherwise continue running after the parent process is terminated. */
+    const abortController = new AbortController();
+    const args = { credential, abortController };
+    const processes = [
+        spawnSsmNode(Object.assign(Object.assign({}, args), { command: commands.shellCommand })),
+    ];
+    if (commands.subCommand) {
+        processes.push(spawnSubprocessSsmNode(Object.assign(Object.assign({}, args), { command: commands.subCommand })));
+    }
+    yield Promise.all(processes);
+});

package/dist/plugins/aws/ssm/install.d.ts

@@ -0,0 +1,7 @@
+/** Ensures that AWS CLI and SSM plugin are installed on the user environment
+ *
+ * If they are not, and the session is a TTY, prompt the user to auto-install. If
+ * the user declines, or if not a TTY, the installation commands are printed to
+ * stdout.
+ */
+export declare const ensureSsmInstall: () => Promise<boolean>;

package/dist/plugins/aws/ssm/install.js

@@ -0,0 +1,133 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureSsmInstall = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const stdio_1 = require("../../../drivers/stdio");
+const types_1 = require("../../../types");
+const lodash_1 = require("lodash");
+const node_child_process_1 = require("node:child_process");
+const node_os_1 = __importDefault(require("node:os"));
+const typescript_1 = require("typescript");
+const which_1 = __importDefault(require("which"));
+const SupportedPlatforms = ["darwin"];
+const AwsItems = ["aws", "session-manager-plugin"];
+const AwsInstall = {
+    aws: {
+        label: "AWS CLI v2",
+        commands: {
+            darwin: [
+                'curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"',
+                "sudo installer -pkg AWSCLIV2.pkg -target /",
+                'rm "AWSCLIV2.pkg"',
+            ],
+        },
+    },
+    "session-manager-plugin": {
+        label: "the AWS CLI Session Manager plugin",
+        commands: {
+            darwin: [
+                'curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/session-manager-plugin.pkg" -o "session-manager-plugin.pkg"',
+                "sudo installer -pkg session-manager-plugin.pkg -target /",
+                "sudo ln -s /usr/local/sessionmanagerplugin/bin/session-manager-plugin /usr/local/bin/session-manager-plugin",
+                'rm "session-manager-plugin.pkg"',
+            ],
+        },
+    },
+};
+const printToInstall = (toInstall) => {
+    (0, stdio_1.print2)("The following items must be installed on your system to continue:");
+    for (const item of toInstall) {
+        (0, stdio_1.print2)(`  - ${AwsInstall[item].label}`);
+    }
+    (0, stdio_1.print2)("");
+};
+const queryInteractive = () => __awaiter(void 0, void 0, void 0, function* () {
+    const inquirer = (yield import("inquirer")).default;
+    const { isGuided } = yield inquirer.prompt([
+        {
+            type: "confirm",
+            name: "isGuided",
+            message: "Do you want P0 to install these for you (sudo access required)?",
+        },
+    ]);
+    (0, stdio_1.print2)("");
+    return isGuided;
+});
+const requiredInstalls = () => __awaiter(void 0, void 0, void 0, function* () {
+    return (0, lodash_1.compact)(yield Promise.all(AwsItems.map((item) => __awaiter(void 0, void 0, void 0, function* () { return (yield (0, which_1.default)(item, { nothrow: true })) === null ? item : undefined; }))));
+});
+const printInstallCommands = (platform, item) => {
+    const { label, commands } = AwsInstall[item];
+    (0, stdio_1.print2)(`To install ${label}, run the following commands:\n`);
+    for (const command of commands[platform]) {
+        (0, stdio_1.print1)(`  ${command}`);
+    }
+    (0, stdio_1.print1)(""); // Newline is useful for reading command output in a script, so send to /fd/1
+};
+const guidedInstall = (platform, item) => __awaiter(void 0, void 0, void 0, function* () {
+    const commands = AwsInstall[item].commands[platform];
+    const combined = commands.join(" && \\\n");
+    (0, stdio_1.print2)(`Executing:\n${combined}`);
+    (0, stdio_1.print2)("");
+    yield new Promise((resolve, reject) => {
+        const child = (0, node_child_process_1.spawn)("bash", ["-c", combined], { stdio: "inherit" });
+        child.on("exit", (code) => {
+            if (code === 0)
+                resolve();
+            else
+                reject(`Shell exited with code ${code}`);
+        });
+    });
+    (0, stdio_1.print2)("");
+});
+/** Ensures that AWS CLI and SSM plugin are installed on the user environment
+ *
+ * If they are not, and the session is a TTY, prompt the user to auto-install. If
+ * the user declines, or if not a TTY, the installation commands are printed to
+ * stdout.
+ */
+const ensureSsmInstall = () => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const platform = node_os_1.default.platform();
+    if (!(0, types_1.isa)(SupportedPlatforms)(platform))
+        throw "SSH to AWS managed instances is only available on MacOS";
+    const toInstall = yield requiredInstalls();
+    if (toInstall.length === 0)
+        return true;
+    printToInstall(toInstall);
+    const interactive = !!((_a = typescript_1.sys.writeOutputIsTTY) === null || _a === void 0 ? void 0 : _a.call(typescript_1.sys)) && (yield queryInteractive());
+    for (const item of toInstall) {
+        if (interactive)
+            yield guidedInstall(platform, item);
+        else
+            printInstallCommands(platform, item);
+    }
+    const remaining = yield requiredInstalls();
+    if (remaining.length === 0) {
+        (0, stdio_1.print2)("All packages successfully installed");
+        return true;
+    }
+    return false;
+});
+exports.ensureSsmInstall = ensureSsmInstall;

package/dist/plugins/aws/types.d.ts

@@ -0,0 +1,54 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare type AwsCredentials = {
+    AWS_ACCESS_KEY_ID: string;
+    AWS_SECRET_ACCESS_KEY: string;
+    AWS_SESSION_TOKEN: string;
+};
+export declare type AwsOktaSamlUidLocation = {
+    id: "okta_saml_sso";
+    samlProviderName: string;
+    appId: string;
+};
+declare type AwsUidLocation = AwsOktaSamlUidLocation | {
+    id: "idc";
+    parentId: string;
+} | {
+    id: "user_tag";
+    tagName: string;
+} | {
+    id: "username";
+};
+export declare type AwsItemConfig = {
+    account: {
+        id: string;
+        description?: string;
+    };
+    state: string;
+    uidLocation?: AwsUidLocation;
+};
+export declare type AwsConfig = {
+    workflows?: {
+        items: AwsItemConfig[];
+    };
+};
+export declare type AwsSsh = {
+    permission: {
+        spec: {
+            arn: string;
+        };
+        type: "session";
+    };
+    generated: {
+        documentName: string;
+    };
+};
+export {};

package/dist/plugins/aws/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/plugins/google/login.d.ts

@@ -0,0 +1,2 @@
+import { TokenResponse } from "../../types/oidc";
+export declare const googleLogin: () => Promise<TokenResponse>;