@p0security/cli 0.3.0

package/dist/plugins/google/login.js

@@ -0,0 +1,76 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.googleLogin = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const oidc_1 = require("../../common/auth/oidc");
+const server_1 = require("../../common/auth/server");
+const fetch_1 = require("../../common/fetch");
+const env_1 = require("../../drivers/env");
+const stdio_1 = require("../../drivers/stdio");
+const open_1 = __importDefault(require("open"));
+const GOOGLE_OIDC_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+const GOOGLE_OIDC_EXCHANGE_URL = "https://oauth2.googleapis.com/token";
+const GOOGLE_OIDC_REDIRECT_PORT = 52700;
+const GOOGLE_OIDC_REDIRECT_URL = `http://127.0.0.1:${GOOGLE_OIDC_REDIRECT_PORT}`;
+const PKCE_LENGTH = 128;
+const requestAuth = () => __awaiter(void 0, void 0, void 0, function* () {
+    const pkceChallenge = (yield import("pkce-challenge")).default;
+    const pkce = yield pkceChallenge(PKCE_LENGTH);
+    const authBody = {
+        client_id: env_1.config.google.clientId,
+        code_challenge: pkce.code_challenge,
+        code_challenge_method: "S256",
+        redirect_uri: GOOGLE_OIDC_REDIRECT_URL,
+        response_type: "code",
+        scope: "openid",
+    };
+    const url = `${GOOGLE_OIDC_URL}?${(0, fetch_1.urlEncode)(authBody)}`;
+    (0, open_1.default)(url).catch(() => {
+        (0, stdio_1.print2)(`Please visit the following URL to continue login:
+
+${url}`);
+    });
+    return pkce;
+});
+const requestToken = (code, pkce) => __awaiter(void 0, void 0, void 0, function* () {
+    const body = {
+        client_id: env_1.config.google.clientId,
+        client_secret: env_1.config.google.clientSecret,
+        code,
+        code_verifier: pkce.code_verifier,
+        grant_type: "authorization_code",
+        redirect_uri: GOOGLE_OIDC_REDIRECT_URL,
+    };
+    const response = yield fetch(GOOGLE_OIDC_EXCHANGE_URL, {
+        method: "POST",
+        headers: oidc_1.OIDC_HEADERS,
+        body: (0, fetch_1.urlEncode)(body),
+    });
+    const valid = yield (0, fetch_1.validateResponse)(response);
+    return (yield valid.json());
+});
+const googleLogin = () => __awaiter(void 0, void 0, void 0, function* () {
+    return yield (0, server_1.withRedirectServer)(() => __awaiter(void 0, void 0, void 0, function* () { return yield requestAuth(); }), (pkce, token) => __awaiter(void 0, void 0, void 0, function* () { return yield requestToken(token.code, pkce); }), { port: GOOGLE_OIDC_REDIRECT_PORT });
+});
+exports.googleLogin = googleLogin;

package/dist/plugins/login.d.ts

@@ -0,0 +1,13 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { TokenResponse } from "../types/oidc";
+import { OrgData } from "../types/org";
+export declare const pluginLoginMap: Record<string, (org: OrgData) => Promise<TokenResponse>>;

package/dist/plugins/login.js

@@ -0,0 +1,19 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pluginLoginMap = void 0;
+const login_1 = require("./google/login");
+const login_2 = require("./okta/login");
+exports.pluginLoginMap = {
+    google: login_1.googleLogin,
+    okta: login_2.oktaLogin,
+    "oidc-pkce": (org) => __awaiter(void 0, void 0, void 0, function* () { return yield exports.pluginLoginMap[org.providerType](org); }),
+};

package/dist/plugins/okta/aws.d.ts

@@ -0,0 +1,5 @@
+import { Authn } from "../../types/identity";
+export declare const assumeRoleWithOktaSaml: (authn: Authn, args: {
+    account?: string;
+    role: string;
+}) => Promise<import("../aws/types").AwsCredentials>;

package/dist/plugins/okta/aws.js

@@ -0,0 +1,42 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assumeRoleWithOktaSaml = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const role_1 = require("../../commands/aws/role");
+const auth_1 = require("../../drivers/auth");
+const assumeRole_1 = require("../aws/assumeRole");
+const assumeRoleWithOktaSaml = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield (0, auth_1.cached)(`aws-okta-${args.account}-${args.role}`, () => __awaiter(void 0, void 0, void 0, function* () {
+        const { account, config, samlResponse } = yield (0, role_1.initOktaSaml)(authn, args.account);
+        const { roles } = (0, role_1.rolesFromSaml)(account, samlResponse);
+        if (!roles.includes(args.role))
+            throw `Role not available. Available roles:\n${roles.map((r) => `  ${r}`).join("\n")}`;
+        return yield (0, assumeRole_1.assumeRoleWithSaml)({
+            account,
+            role: args.role,
+            saml: {
+                providerName: config.uidLocation.samlProviderName,
+                response: samlResponse,
+            },
+        });
+    }), { duration: 3600e3 });
+});
+exports.assumeRoleWithOktaSaml = assumeRoleWithOktaSaml;

package/dist/plugins/okta/login.d.ts

@@ -0,0 +1,8 @@
+import { Identity } from "../../types/identity";
+import { TokenResponse } from "../../types/oidc";
+import { OrgData } from "../../types/org";
+import { AwsOktaSamlUidLocation } from "../aws/types";
+/** Logs in to Okta via OIDC */
+export declare const oktaLogin: (org: OrgData) => Promise<TokenResponse>;
+/** Retrieves a SAML response for an okta app */
+export declare const getSamlResponse: (identity: Identity, config: AwsOktaSamlUidLocation) => Promise<string>;

package/dist/plugins/okta/login.js

@@ -0,0 +1,165 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSamlResponse = exports.oktaLogin = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const oidc_1 = require("../../common/auth/oidc");
+const fetch_1 = require("../../common/fetch");
+const stdio_1 = require("../../drivers/stdio");
+const util_1 = require("../../util");
+const jsdom_1 = require("jsdom");
+const lodash_1 = require("lodash");
+const open_1 = __importDefault(require("open"));
+const DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+const ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
+const ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token";
+const TOKEN_EXCHANGE_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange";
+const WEB_SSO_TOKEN_TYPE = "urn:okta:oauth:token-type:web_sso_token";
+const validateProviderDomain = (org) => {
+    if (!org.providerDomain)
+        throw "Okta login requires a configured provider domain.";
+};
+/** Executes the first step of Okta's device-authorization grant flow */
+// cf. https://developer.okta.com/docs/guides/device-authorization-grant/main/
+const authorize = (org) => __awaiter(void 0, void 0, void 0, function* () {
+    const init = {
+        method: "POST",
+        headers: oidc_1.OIDC_HEADERS,
+        body: (0, fetch_1.urlEncode)({
+            client_id: org.clientId,
+            scope: "openid email profile okta.apps.sso",
+        }),
+    };
+    validateProviderDomain(org);
+    // This is the "org" authorization server; the okta.apps.* scopes are not
+    // available with custom authorization servers
+    const response = yield fetch(`https:${org.providerDomain}/oauth2/v1/device/authorize`, init);
+    yield (0, fetch_1.validateResponse)(response);
+    return (yield response.json());
+});
+/** Attempts to fetch this device's OIDC token
+ *
+ * The authorization may or may not be granted at this stage. If it is not, the
+ * authorization server will return "authorization_pending", in which case this
+ * function will return undefined.
+ */
+const fetchOidcToken = (org, authorize) => __awaiter(void 0, void 0, void 0, function* () {
+    const init = {
+        method: "POST",
+        headers: oidc_1.OIDC_HEADERS,
+        body: (0, fetch_1.urlEncode)({
+            client_id: org.clientId,
+            device_code: authorize.device_code,
+            grant_type: DEVICE_GRANT_TYPE,
+        }),
+    };
+    validateProviderDomain(org);
+    const response = yield fetch(`https:${org.providerDomain}/oauth2/v1/token`, init);
+    if (!response.ok) {
+        if (response.status === 400) {
+            const data = yield response.json();
+            if (data.error === "authorization_pending")
+                return undefined;
+        }
+        yield (0, fetch_1.validateResponse)(response);
+    }
+    return (yield response.json());
+});
+/** Waits until user device authorization is complete
+ *
+ * Returns the OIDC token after completion.
+ */
+const waitForActivation = (org, authorize) => __awaiter(void 0, void 0, void 0, function* () {
+    const start = Date.now();
+    while (Date.now() - start <= authorize.expires_in * 1e3) {
+        const response = yield fetchOidcToken(org, authorize);
+        if (!response)
+            yield (0, util_1.sleep)(authorize.interval * 1e3);
+        else
+            return response;
+    }
+    throw "Expired awaiting in-browser authorization.";
+});
+/** Exchanges an Okta OIDC SSO token for an Okta app SSO token */
+const fetchSsoWebToken = (appId, { org, credential }) => __awaiter(void 0, void 0, void 0, function* () {
+    const init = {
+        method: "POST",
+        headers: oidc_1.OIDC_HEADERS,
+        body: (0, fetch_1.urlEncode)({
+            audience: `urn:okta:apps:${appId}`,
+            client_id: org.clientId,
+            actor_token: credential.access_token,
+            actor_token_type: ACCESS_TOKEN_TYPE,
+            subject_token: credential.id_token,
+            subject_token_type: ID_TOKEN_TYPE,
+            grant_type: TOKEN_EXCHANGE_TYPE,
+            requested_token_type: WEB_SSO_TOKEN_TYPE,
+        }),
+    };
+    validateProviderDomain(org);
+    const response = yield fetch(`https:${org.providerDomain}/oauth2/v1/token`, init);
+    yield (0, fetch_1.validateResponse)(response);
+    return (yield response.json());
+});
+/** Retrieves an Okta app's SAML response */
+const fetchSamlResponse = (org, { access_token }) => __awaiter(void 0, void 0, void 0, function* () {
+    const init = {
+        method: "GET",
+        headers: (0, lodash_1.omit)(oidc_1.OIDC_HEADERS, "Content-Type"),
+    };
+    validateProviderDomain(org);
+    const url = `https://${org.providerDomain}/login/token/sso?token=${encodeURIComponent(access_token)}`;
+    const response = yield fetch(url, init);
+    yield (0, fetch_1.validateResponse)(response);
+    const html = yield response.text();
+    const dom = new jsdom_1.JSDOM(html);
+    const samlInput = dom.window.document.querySelector('input[name="SAMLResponse"]');
+    return samlInput === null || samlInput === void 0 ? void 0 : samlInput.value;
+});
+/** Logs in to Okta via OIDC */
+const oktaLogin = (org) => __awaiter(void 0, void 0, void 0, function* () {
+    const authorizeResponse = yield authorize(org);
+    (0, stdio_1.print2)(`Please use the opened browser window to continue your P0 login.
+  
+When prompted, confirm that Okta displays this code:
+
+  ${authorizeResponse.user_code}
+
+Waiting for authorization...
+`);
+    void (0, open_1.default)(authorizeResponse.verification_uri_complete);
+    const oidcResponse = yield waitForActivation(org, authorizeResponse);
+    return oidcResponse;
+});
+exports.oktaLogin = oktaLogin;
+/** Retrieves a SAML response for an okta app */
+// TODO: Inject Okta app
+const getSamlResponse = (identity, config) => __awaiter(void 0, void 0, void 0, function* () {
+    const webTokenResponse = yield fetchSsoWebToken(config.appId, identity);
+    const samlResponse = yield fetchSamlResponse(identity.org, webTokenResponse);
+    if (!samlResponse) {
+        throw "No SAML assertion obtained from Okta.";
+    }
+    return samlResponse;
+});
+exports.getSamlResponse = getSamlResponse;

package/dist/plugins/ssh/types.d.ts

@@ -0,0 +1,22 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+declare type SshItemConfig = {
+    alias?: string;
+    identifier: string;
+    state: string;
+    type: "aws" | "gcloud";
+};
+export declare type SshConfig = {
+    workflows?: {
+        items: SshItemConfig[];
+    };
+};
+export {};

package/dist/plugins/ssh/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/public/redirect-landing.html

@@ -0,0 +1,40 @@
+<html>
+  <head>
+    <style>
+      body {
+        font-family:
+          -apple-system,
+          BlinkMacSystemFont,
+          Segoe UI,
+          Roboto,
+          Oxygen,
+          Ubuntu,
+          Cantarell,
+          Fira Sans,
+          Droid Sans,
+          Helvetica Neue,
+          sans-serif;
+        background-color: #f0f2f5;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+      }
+
+      body .splash {
+        background-color: #fff;
+        height: fit-content;
+        width: fit-content;
+        padding: 0.3em 1em 0.3em 1em;
+      }
+    </style>
+    <title>P0 login success</title>
+    <link rel="icon" type="image/x-icon" href="/favicon.ico" />
+  </head>
+  <body>
+    <div class="splash">
+      <h2>Login success</h2>
+      <p>You are now logged in to the P0 CLI.</p>
+      <p>You can safely close this browser tab.</p>
+    </div>
+  </body>
+</html>

package/dist/testing/firestore.d.ts

@@ -0,0 +1,2 @@
+/// <reference types="jest" />
+export declare const mockGetDoc: (data: any) => jest.Mock<any, any, any>;

package/dist/testing/firestore.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mockGetDoc = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const firestore_1 = require("firebase/firestore");
+const mockGetDoc = (data) => firestore_1.getDoc.mockResolvedValue({ data: () => data });
+exports.mockGetDoc = mockGetDoc;

package/dist/testing/yargs.d.ts

@@ -0,0 +1,12 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import yargs from "yargs";
+export declare const failure: (spec: yargs.Argv, command: string) => Promise<any>;

package/dist/testing/yargs.js

@@ -0,0 +1,23 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.failure = void 0;
+const failure = (spec, command) => __awaiter(void 0, void 0, void 0, function* () {
+    let error;
+    try {
+        yield spec.fail((_, err) => (error = err)).parse(command);
+    }
+    catch (thrown) {
+        error = thrown;
+    }
+    return error;
+});
+exports.failure = failure;

package/dist/types/identity.d.ts

@@ -0,0 +1,23 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { TokenResponse } from "./oidc";
+import { OrgData } from "./org";
+import { UserCredential } from "firebase/auth";
+export declare type Identity = {
+    credential: TokenResponse & {
+        expires_at: number;
+    };
+    org: OrgData;
+};
+export declare type Authn = {
+    identity: Identity;
+    userCredential: UserCredential;
+};

package/dist/types/identity.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/index.d.ts

@@ -0,0 +1,11 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare const isa: <T>(values: readonly T[]) => (item: any) => item is T;

package/dist/types/index.js

@@ -0,0 +1,15 @@
+"use strict";
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isa = void 0;
+const isa = (values) => (item) => values.includes(item);
+exports.isa = isa;

package/dist/types/oidc.d.ts

@@ -0,0 +1,41 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare type AuthorizeRequest = {
+    client_id: string;
+    code_challenge: string;
+    code_challenge_method: "plain" | "S256";
+    redirect_uri: string;
+    response_type: "code";
+    scope: string;
+    state?: string;
+    login_hint?: string;
+};
+export declare type AuthorizeResponse = {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+};
+export declare type TokenResponse = {
+    access_token: string;
+    id_token: string;
+    token_type: string;
+    scope: string;
+    expires_in: number;
+    refresh_token: string;
+    device_secret: string;
+    expiry: string;
+};
+export declare type TokenErrorResponse = {
+    error: "access_denied" | "authorization_pending" | "bad grant type" | "expired_token" | "missing parameter" | "not found" | "slow_down";
+};

package/dist/types/oidc.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/org.d.ts

@@ -0,0 +1,20 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+/** Publicly readable organization data */
+export declare type OrgData = {
+    clientId: string;
+    providerId: string;
+    providerDomain?: string;
+    providerType?: "okta";
+    ssoProvider: "azure-oidc" | "google-oidc" | "google" | "microsoft" | "oidc-pkce" | "okta";
+    slug: string;
+    tenantId: string;
+};

package/dist/types/org.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/request.d.ts

@@ -0,0 +1,35 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare const DONE_STATUSES: readonly ["DONE", "DONE_NOTIFIED"];
+export declare const DENIED_STATUSES: readonly ["DENIED", "DENIED_NOTIFIED"];
+export declare const ERROR_STATUSES: readonly ["ERRORED", "ERRORED", "ERRORED_NOTIFIED"];
+export declare type PluginRequest = {
+    permission: object;
+    generated?: object;
+};
+export declare type Request<P extends PluginRequest = {
+    permission: object;
+}> = {
+    status: string;
+    generatedRoles: {
+        role: string;
+    }[];
+    generated: P["generated"];
+    permission: P["permission"];
+    principal: string;
+};
+export declare type RequestResponse = {
+    ok: true;
+    message: string;
+    id: string;
+    isPreexisting: boolean;
+    isPersistent: boolean;
+};

package/dist/types/request.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ERROR_STATUSES = exports.DENIED_STATUSES = exports.DONE_STATUSES = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+exports.DONE_STATUSES = ["DONE", "DONE_NOTIFIED"];
+exports.DENIED_STATUSES = ["DENIED", "DENIED_NOTIFIED"];
+exports.ERROR_STATUSES = [
+    "ERRORED",
+    "ERRORED",
+    "ERRORED_NOTIFIED",
+];