@p0security/cli 0.4.1 → 0.5.0

package/dist/commands/__tests__/ssh.test.js

@@ -43,9 +43,9 @@ const mockPrint2 = stdio_1.print2;
     workflows: {
         items: [
             {
-                identifier: "test-account",
                 state: "installed",
                 type: "aws",
+                identifier: "test-account",
             },
         ],
     },
@@ -64,6 +64,19 @@ describe("ssh", () => {
                 id: "abcefg",
                 isPreexisting: false,
                 isPersistent,
+                event: {
+                    permission: {
+                        type: "session",
+                        spec: {
+                            resource: {
+                                arn: "arn:aws:ec2:us-west-2:391052057035:instance/i-0b1b7b7b7b7b7b7b7",
+                            },
+                        },
+                    },
+                    generated: {
+                        documentName: "documentName",
+                    },
+                },
             });
         });
         it("should call p0 request with reason arg", () => __awaiter(void 0, void 0, void 0, function* () {

package/dist/commands/aws/__tests__/role.test.js

@@ -53,29 +53,33 @@ beforeEach(() => {
 describe("aws role", () => {
     describe("a single installed account", () => {
         const item = {
-            account: {
-                id: "1",
-                description: "1 (test)",
-            },
+            label: "test",
             state: "installed",
         };
         describe("without Okta SAML", () => {
-            (0, firestore_1.mockGetDoc)({ workflows: { items: [item] } });
+            (0, firestore_1.mockGetDoc)({ "iam-write": { "1": item } });
             describe.each([
                 ["ls", "aws role ls"],
                 ["assume", "aws role assume Role1"],
             ])("%s", (_, command) => {
                 it("should print a friendly error message", () => __awaiter(void 0, void 0, void 0, function* () {
                     const error = yield (0, yargs_1.failure)((0, __1.awsCommand)((0, yargs_2.default)()), command);
-                    expect(error).toMatchInlineSnapshot(`"Account 1 (test) is not configured for Okta SAML login."`);
+                    expect(error).toMatchInlineSnapshot(`"Account test is not configured for Okta SAML login."`);
                 }));
             });
         });
         describe("with Okta SAML", () => {
             beforeEach(() => {
                 (0, firestore_1.mockGetDoc)({
-                    workflows: {
-                        items: [Object.assign(Object.assign({}, item), { uidLocation: { id: "okta_saml_sso" } })],
+                    "iam-write": {
+                        "1": Object.assign(Object.assign({}, item), { login: {
+                                type: "federated",
+                                provider: {
+                                    type: "okta",
+                                    appId: "0oabcdefgh",
+                                    identityProvider: "okta",
+                                },
+                            } }),
                     },
                 });
             });

package/dist/commands/aws/role.d.ts

@@ -1,4 +1,4 @@
-import { AwsItemConfig, AwsOktaSamlUidLocation } from "../../plugins/aws/types";
+import { AwsFederatedLogin } from "../../plugins/aws/types";
 import { Authn } from "../../types/identity";
 import yargs from "yargs";
 export declare const role: (yargs: yargs.Argv<{
@@ -15,8 +15,10 @@ export declare const role: (yargs: yargs.Argv<{
  */
 export declare const initOktaSaml: (authn: Authn, account: string | undefined) => Promise<{
     samlResponse: string;
-    config: AwsItemConfig & {
-        uidLocation: AwsOktaSamlUidLocation;
+    config: {
+        id: string;
+    } & import("../../plugins/aws/types").AwsItemConfig & {
+        login: AwsFederatedLogin;
     };
     account: string;
 }>;

package/dist/commands/aws/role.js

@@ -42,21 +42,22 @@ const role = (yargs) => yargs.command("role", "Interact with AWS roles", (yargs)
 (0, firestore_1.guard)(oktaAwsAssumeRole))
     .demandCommand(1));
 exports.role = role;
-const isOktaSamlConfig = (config) => { var _a; return ((_a = config.uidLocation) === null || _a === void 0 ? void 0 : _a.id) === "okta_saml_sso"; };
+const isFederatedLogin = (config) => { var _a; return ((_a = config.login) === null || _a === void 0 ? void 0 : _a.type) === "federated"; };
 /** Retrieves the configured Okta SAML response for the specified account
  *
  * If no account is passed, and the organization only has one account configured,
  * assumes that account.
  */
 const initOktaSaml = (authn, account) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
     const { identity, config } = yield (0, config_1.getAwsConfig)(authn, account);
-    if (!isOktaSamlConfig(config))
-        throw `Account ${config.account.description} is not configured for Okta SAML login.`;
-    const samlResponse = yield (0, login_1.getSamlResponse)(identity, config.uidLocation);
+    if (!isFederatedLogin(config))
+        throw `Account ${(_a = config.label) !== null && _a !== void 0 ? _a : config.id} is not configured for Okta SAML login.`;
+    const samlResponse = yield (0, login_1.getSamlResponse)(identity, config.login);
     return {
         samlResponse,
         config,
-        account: config.account.id,
+        account: config.id,
     };
 });
 exports.initOktaSaml = initOktaSaml;
@@ -88,10 +89,10 @@ exports.rolesFromSaml = rolesFromSaml;
  * - The requested role is assigned to the user in Okta
  */
 const oktaAwsAssumeRole = (args) => __awaiter(void 0, void 0, void 0, function* () {
-    var _a;
+    var _b;
     const authn = yield (0, auth_1.authenticate)();
     const awsCredential = yield (0, aws_1.assumeRoleWithOktaSaml)(authn, args);
-    const isTty = (_a = typescript_1.sys.writeOutputIsTTY) === null || _a === void 0 ? void 0 : _a.call(typescript_1.sys);
+    const isTty = (_b = typescript_1.sys.writeOutputIsTTY) === null || _b === void 0 ? void 0 : _b.call(typescript_1.sys);
     if (isTty)
         (0, stdio_1.print2)("Execute the following commands:\n");
     const indent = isTty ? "  " : "";
@@ -107,11 +108,11 @@ Or, populate these environment variables using BASH command substitution:
 });
 /** Lists assigned AWS roles for this user on this account */
 const oktaAwsListRoles = (args) => __awaiter(void 0, void 0, void 0, function* () {
-    var _b;
+    var _c;
     const authn = yield (0, auth_1.authenticate)();
     const { account, samlResponse } = yield (0, exports.initOktaSaml)(authn, args.account);
     const { arns, roles } = (0, exports.rolesFromSaml)(account, samlResponse);
-    const isTty = (_b = typescript_1.sys.writeOutputIsTTY) === null || _b === void 0 ? void 0 : _b.call(typescript_1.sys);
+    const isTty = (_c = typescript_1.sys.writeOutputIsTTY) === null || _c === void 0 ? void 0 : _c.call(typescript_1.sys);
     if (isTty)
         (0, stdio_1.print2)(`Your available roles for account ${account}:`);
     if (!(roles === null || roles === void 0 ? void 0 : roles.length)) {

package/dist/commands/request.d.ts

@@ -4,9 +4,9 @@ import yargs from "yargs";
 export declare const requestCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
     arguments: string[];
 }>;
-export declare const request: (args: yargs.ArgumentsCamelCase<{
+export declare const request: <T>(args: yargs.ArgumentsCamelCase<{
     arguments: string[];
     wait?: boolean;
 }>, authn?: Authn, options?: {
     message?: "all" | "approval-required" | "none";
-}) => Promise<RequestResponse | undefined>;
+}) => Promise<RequestResponse<T> | undefined>;

package/dist/commands/ssh.js

@@ -146,10 +146,22 @@ const ssh = (args) => __awaiter(void 0, void 0, void 0, function* () {
         (0, stdio_1.print2)("Did not receive access ID from server");
         return;
     }
-    const { id, isPreexisting } = response;
+    const { id, isPreexisting, event } = response;
     if (!isPreexisting)
         (0, stdio_1.print2)("Waiting for access to be provisioned");
+    /**
+     * TODO TECH-DEBT ENG-1813:
+     * We use the id and waitForProvisioning to find the permission request document which has
+     * critical data, such as the document name and generated role, that we need to build up a
+     * viable SSM request.
+     *
+     * Replacing the permission with event.permission is necessary when trying to connect to an
+     * instance which has been granted approval through it's group. The event.permission object
+     * will contain details about the specific instance we are trying to connect to such as the
+     * instance id. Without an instance id, which an SSH group permission request document does
+     * not contain we cannot construct a valid SSM command.
+     */
     const requestData = yield waitForProvisioning(authn, id);
-    const requestWithId = Object.assign(Object.assign({}, requestData), { id });
+    const requestWithId = Object.assign(Object.assign({}, requestData), { id, permission: event.permission });
     yield (0, ssm_1.ssm)(authn, requestWithId, args);
 });

package/dist/plugins/aws/config.d.ts

@@ -1,5 +1,10 @@
 import { Authn } from "../../types/identity";
 export declare const getAwsConfig: (authn: Authn, account: string | undefined) => Promise<{
     identity: import("../../types/identity").Identity;
-    config: import("./types").AwsItemConfig;
+    config: {
+        label?: string | undefined;
+        state: string;
+        login?: (import("./types").AwsIamLogin | import("./types").AwsIdcLogin | import("./types").AwsFederatedLogin) | undefined;
+        id: string;
+    };
 }>;

package/dist/plugins/aws/config.js

@@ -22,17 +22,23 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const firestore_1 = require("../../drivers/firestore");
 const firestore_2 = require("firebase/firestore");
+const lodash_1 = require("lodash");
 const getAwsConfig = (authn, account) => __awaiter(void 0, void 0, void 0, function* () {
-    var _a, _b;
+    var _a;
     const { identity } = authn;
     const snapshot = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${identity.org.tenantId}/integrations/aws`));
     const config = snapshot.data();
     // TODO: Support alias lookup
+    const allItems = (0, lodash_1.sortBy)(Object.entries((_a = config === null || config === void 0 ? void 0 : config["iam-write"]) !== null && _a !== void 0 ? _a : {}).filter(([, { state }]) => state === "installed"), ([id]) => id);
     const item = account
-        ? (_a = config === null || config === void 0 ? void 0 : config.workflows) === null || _a === void 0 ? void 0 : _a.items.find((i) => i.state === "installed" && i.account.id === account)
-        : (_b = config === null || config === void 0 ? void 0 : config.workflows) === null || _b === void 0 ? void 0 : _b.items[0];
+        ? allItems.find(([id, { label }]) => id === account || label === account)
+        : allItems.length !== 1
+            ? (() => {
+                throw `Please select a unique AWS account with --account; valid accounts are:\n${allItems.map(([id, { label }]) => label !== null && label !== void 0 ? label : id).join("\n")}`;
+            })()
+            : allItems[0];
     if (!item)
         throw `P0 is not installed on AWS account ${account}`;
-    return { identity, config: item };
+    return { identity, config: Object.assign({ id: item[0] }, item[1]) };
 });
 exports.getAwsConfig = getAwsConfig;

package/dist/plugins/aws/ssm/index.js

@@ -236,7 +236,7 @@ const ssm = (authn, request, args) => __awaiter(void 0, void 0, void 0, function
     const isInstalled = yield (0, install_1.ensureSsmInstall)();
     if (!isInstalled)
         throw "Please try again after installing the required AWS utilities";
-    const match = request.permission.spec.arn.match(INSTANCE_ARN_PATTERN);
+    const match = request.permission.spec.awsResourcePermission.resource.arn.match(INSTANCE_ARN_PATTERN);
     if (!match)
         throw "Did not receive a properly formatted instance identifier";
     const [, region, account, instance] = match;

package/dist/plugins/aws/types.d.ts

@@ -13,37 +13,50 @@ export declare type AwsCredentials = {
     AWS_SECRET_ACCESS_KEY: string;
     AWS_SESSION_TOKEN: string;
 };
-export declare type AwsOktaSamlUidLocation = {
-    id: "okta_saml_sso";
-    samlProviderName: string;
-    appId: string;
+export declare type AwsIamLogin = {
+    type: "iam";
+    identity: {
+        type: "email";
+    } | {
+        type: "tag";
+        tagName: string;
+    };
 };
-declare type AwsUidLocation = AwsOktaSamlUidLocation | {
-    id: "idc";
-    parentId: string;
-} | {
-    id: "user_tag";
-    tagName: string;
-} | {
-    id: "username";
+export declare type AwsIdcLogin = {
+    type: "idc";
+    parent: string;
 };
-export declare type AwsItemConfig = {
-    account: {
-        id: string;
-        description?: string;
+export declare type AwsFederatedLogin = {
+    type: "federated";
+    provider: {
+        type: "okta";
+        appId: string;
+        identityProvider: string;
+        method: {
+            type: "saml";
+        };
     };
+};
+declare type AwsLogin = AwsFederatedLogin | AwsIamLogin | AwsIdcLogin;
+export declare type AwsItemConfig = {
+    label?: string;
     state: string;
-    uidLocation?: AwsUidLocation;
+    login?: AwsLogin;
 };
+export declare type AwsItem = {
+    id: string;
+} & AwsItemConfig;
 export declare type AwsConfig = {
-    workflows?: {
-        items: AwsItemConfig[];
-    };
+    "iam-write": Record<string, AwsItemConfig>;
 };
 export declare type AwsSsh = {
     permission: {
         spec: {
-            arn: string;
+            awsResourcePermission: {
+                resource: {
+                    arn: string;
+                };
+            };
         };
         type: "session";
     };

package/dist/plugins/okta/aws.js

@@ -33,7 +33,7 @@ const assumeRoleWithOktaSaml = (authn, args) => __awaiter(void 0, void 0, void 0
             account,
             role: args.role,
             saml: {
-                providerName: config.uidLocation.samlProviderName,
+                providerName: config.login.provider.identityProvider,
                 response: samlResponse,
             },
         });

package/dist/plugins/okta/login.d.ts

@@ -1,8 +1,8 @@
 import { Identity } from "../../types/identity";
 import { TokenResponse } from "../../types/oidc";
 import { OrgData } from "../../types/org";
-import { AwsOktaSamlUidLocation } from "../aws/types";
+import { AwsFederatedLogin } from "../aws/types";
 /** Logs in to Okta via OIDC */
 export declare const oktaLogin: (org: OrgData) => Promise<TokenResponse>;
 /** Retrieves a SAML response for an okta app */
-export declare const getSamlResponse: (identity: Identity, config: AwsOktaSamlUidLocation) => Promise<string>;
+export declare const getSamlResponse: (identity: Identity, config: AwsFederatedLogin) => Promise<string>;

package/dist/plugins/okta/login.js

@@ -155,7 +155,7 @@ exports.oktaLogin = oktaLogin;
 /** Retrieves a SAML response for an okta app */
 // TODO: Inject Okta app
 const getSamlResponse = (identity, config) => __awaiter(void 0, void 0, void 0, function* () {
-    const webTokenResponse = yield fetchSsoWebToken(config.appId, identity);
+    const webTokenResponse = yield fetchSsoWebToken(config.provider.appId, identity);
     const samlResponse = yield fetchSamlResponse(identity.org, webTokenResponse);
     if (!samlResponse) {
         throw "No SAML assertion obtained from Okta.";

package/dist/types/request.d.ts

@@ -26,10 +26,11 @@ export declare type Request<P extends PluginRequest = {
     permission: P["permission"];
     principal: string;
 };
-export declare type RequestResponse = {
+export declare type RequestResponse<T> = {
     ok: true;
     message: string;
     id: string;
+    event: T;
     isPreexisting: boolean;
     isPersistent: boolean;
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.4.1",
+  "version": "0.5.0",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {