@p0security/cli 0.5.2 → 0.6.1

package/dist/commands/index.js

@@ -20,6 +20,7 @@ const aws_1 = require("./aws");
 const login_1 = require("./login");
 const ls_1 = require("./ls");
 const request_1 = require("./request");
+const scp_1 = require("./scp");
 const ssh_1 = require("./ssh");
 const typescript_1 = require("typescript");
 const yargs_1 = __importDefault(require("yargs"));
@@ -30,6 +31,7 @@ const commands = [
     ls_1.lsCommand,
     request_1.requestCommand,
     ssh_1.sshCommand,
+    scp_1.scpCommand,
 ];
 exports.cli = commands
     .reduce((m, c) => c(m), (0, yargs_1.default)((0, helpers_1.hideBin)(process.argv)))

package/dist/commands/scp.d.ts

@@ -0,0 +1,3 @@
+import { ScpCommandArgs } from "./shared";
+import yargs from "yargs";
+export declare const scpCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<ScpCommandArgs>;

package/dist/commands/scp.js

@@ -0,0 +1,125 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scpCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const api_1 = require("../drivers/api");
+const auth_1 = require("../drivers/auth");
+const firestore_1 = require("../drivers/firestore");
+const ssm_1 = require("../plugins/aws/ssm");
+const shared_1 = require("./shared");
+const node_forge_1 = __importDefault(require("node-forge"));
+const scpCommand = (yargs) => yargs.command("scp <source> <destination>", 
+// TODO (ENG-1930): support scp across multiple remote hosts.
+"SCP copies files between a local and remote host.", (yargs) => yargs
+    .positional("source", {
+    type: "string",
+    demandOption: true,
+    description: "Format [hostname:]file",
+})
+    .positional("destination", {
+    type: "string",
+    demandOption: true,
+    description: "Format [hostname:]file",
+})
+    .option("r", {
+    alias: "recursive",
+    type: "boolean",
+    describe: "Recursively copy entire directories",
+})
+    .option("reason", {
+    describe: "Reason access is needed",
+    type: "string",
+})
+    .option("account", {
+    type: "string",
+    describe: "The account on which the instance is located",
+})
+    .option("sudo", {
+    type: "boolean",
+    describe: "Add user to sudoers file",
+})
+    .option("debug", {
+    type: "boolean",
+    describe: "Print debug information, dangerous for sensitive data",
+}), (0, firestore_1.guard)(scpAction));
+exports.scpCommand = scpCommand;
+/** Transfers files between a local and remote hosts using SSH.
+ *
+ * Implicitly gains access to the SSH resource if required.
+ */
+const scpAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    const authn = yield (0, auth_1.authenticate)();
+    const host = getHostIdentifier(args.source, args.destination);
+    if (!host) {
+        throw "Could not determine host identifier from source or destination";
+    }
+    const requestId = yield (0, shared_1.provisionRequest)(authn, args, host);
+    if (!requestId) {
+        throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
+    }
+    const { publicKey, privateKey } = createKeyPair();
+    const result = yield (0, api_1.fetchExerciseGrant)(authn, {
+        requestId,
+        destination: host,
+        publicKey,
+    });
+    // replace the host with the linuxUserName@instanceId
+    const { source, destination } = replaceHostWithInstance(result, args);
+    yield (0, ssm_1.scp)(authn, result, Object.assign(Object.assign({}, args), { source,
+        destination }), privateKey);
+});
+/** If a path is not explicitly local, use this pattern to determine if it's remote */
+const REMOTE_PATTERN_COLON = /^([^:]+:)(.*)$/; // Matches host:[path]
+// TODO (ENG-1931): Improve remote host and local host checking for SCP requests
+const isExplicitlyRemote = (path) => {
+    return REMOTE_PATTERN_COLON.test(path);
+};
+const getHostIdentifier = (source, destination) => {
+    // the instance is contained in the source or destination and is always delimited by a colon.
+    const isSourceRemote = isExplicitlyRemote(source);
+    const isDestinationRemote = isExplicitlyRemote(destination);
+    const remote = isSourceRemote ? source : destination;
+    if (isSourceRemote != isDestinationRemote) {
+        return remote.split(":")[0];
+    }
+    // TODO (ENG-1930): support scp across multiple remote hosts.
+    throw "Exactly one host (source or destination) must be remote.";
+};
+const replaceHostWithInstance = (result, args) => {
+    let source = args.source;
+    let destination = args.destination;
+    if (isExplicitlyRemote(source)) {
+        source = `${result.linuxUserName}@${result.instance.id}:${source.split(":")[1]}`;
+    }
+    if (isExplicitlyRemote(destination)) {
+        destination = `${result.linuxUserName}@${result.instance.id}:${destination.split(":")[1]}`;
+    }
+    return { source, destination };
+};
+const createKeyPair = () => {
+    const rsaKeyPair = node_forge_1.default.pki.rsa.generateKeyPair({ bits: 2048 });
+    const privateKey = node_forge_1.default.pki.privateKeyToPem(rsaKeyPair.privateKey);
+    const publicKey = node_forge_1.default.ssh.publicKeyToOpenSSH(rsaKeyPair.publicKey);
+    return { publicKey, privateKey };
+};

package/dist/commands/shared.d.ts

@@ -0,0 +1,35 @@
+import { Authn } from "../types/identity";
+import yargs from "yargs";
+export declare type ExerciseGrantResponse = {
+    documentName: string;
+    linuxUserName: string;
+    ok: true;
+    role: string;
+    instance: {
+        arn: string;
+        accountId: string;
+        region: string;
+        id: string;
+        name?: string;
+    };
+};
+export declare type BaseSshCommandArgs = {
+    sudo?: boolean;
+    reason?: string;
+    account?: string;
+};
+export declare type ScpCommandArgs = BaseSshCommandArgs & {
+    source: string;
+    destination: string;
+    recursive?: boolean;
+    debug?: boolean;
+};
+export declare type SshCommandArgs = BaseSshCommandArgs & {
+    sudo?: boolean;
+    destination: string;
+    L?: string;
+    N?: boolean;
+    arguments: string[];
+    command?: string;
+};
+export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<string | undefined>;

package/dist/commands/shared.js

@@ -0,0 +1,102 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.provisionRequest = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const firestore_1 = require("../drivers/firestore");
+const stdio_1 = require("../drivers/stdio");
+const request_1 = require("../types/request");
+const request_2 = require("./request");
+const firestore_2 = require("firebase/firestore");
+const lodash_1 = require("lodash");
+/** Maximum amount of time to wait after access is approved to wait for access
+ *  to be configured
+ */
+const GRANT_TIMEOUT_MILLIS = 60e3;
+const validateSshInstall = (authn) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/ssh`));
+    const configItems = (_a = configDoc.data()) === null || _a === void 0 ? void 0 : _a["iam-write"];
+    const items = Object.entries(configItems !== null && configItems !== void 0 ? configItems : {}).filter(([key, value]) => value.state == "installed" && key.startsWith("aws"));
+    if (items.length === 0) {
+        throw "This organization is not configured for SSH access via the P0 CLI";
+    }
+});
+/** Waits until P0 grants access for a request */
+const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void 0, function* () {
+    let cancel = undefined;
+    const result = yield new Promise((resolve, reject) => {
+        let isResolved = false;
+        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/permission-requests/${requestId}`), (snap) => {
+            const data = snap.data();
+            if (!data)
+                return;
+            if (request_1.DONE_STATUSES.includes(data.status)) {
+                resolve(data);
+            }
+            else if (request_1.DENIED_STATUSES.includes(data.status)) {
+                reject("Your access request was denied");
+            }
+            else if (request_1.ERROR_STATUSES.includes(data.status)) {
+                reject("Your access request encountered an error (see Slack for details)");
+            }
+            else {
+                return;
+            }
+            isResolved = true;
+            unsubscribe();
+        });
+        // Skip timeout in test; it holds a ref longer than the test lasts
+        if (process.env.NODE_ENV === "test")
+            return;
+        cancel = setTimeout(() => {
+            if (!isResolved) {
+                unsubscribe();
+                reject("Timeout awaiting SSH access grant");
+            }
+        }, GRANT_TIMEOUT_MILLIS);
+    });
+    clearTimeout(cancel);
+    return result;
+});
+const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0, void 0, function* () {
+    yield validateSshInstall(authn);
+    const response = yield (0, request_2.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
+            "ssh",
+            "session",
+            destination,
+            // Prefix is required because the backend uses it to determine that this is an AWS request
+            "--provider",
+            "aws",
+            ...(args.sudo || args.command === "sudo" ? ["--sudo"] : []),
+            ...(args.reason ? ["--reason", args.reason] : []),
+            ...(args.account ? ["--account", args.account] : []),
+        ], wait: true }), authn, { message: "approval-required" });
+    if (!response) {
+        (0, stdio_1.print2)("Did not receive access ID from server");
+        return;
+    }
+    const { id, isPreexisting } = response;
+    if (!isPreexisting)
+        (0, stdio_1.print2)("Waiting for access to be provisioned");
+    yield waitForProvisioning(authn, id);
+    return id;
+});
+exports.provisionRequest = provisionRequest;

package/dist/commands/ssh.d.ts

@@ -1,12 +1,3 @@
+import { SshCommandArgs } from "./shared";
 import yargs from "yargs";
-export declare type SshCommandArgs = {
-    destination: string;
-    command?: string;
-    L?: string;
-    N?: boolean;
-    arguments: string[];
-    sudo?: boolean;
-    reason?: string;
-    account?: string;
-};
 export declare const sshCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<SshCommandArgs>;

package/dist/commands/ssh.js

@@ -20,20 +20,13 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+const api_1 = require("../drivers/api");
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
-const stdio_1 = require("../drivers/stdio");
 const ssm_1 = require("../plugins/aws/ssm");
-const request_1 = require("../types/request");
-const request_2 = require("./request");
-const firestore_2 = require("firebase/firestore");
-const lodash_1 = require("lodash");
+const shared_1 = require("./shared");
 // Matches strings with the pattern "digits:digits" (e.g. 1234:5678)
 const LOCAL_PORT_FORWARD_PATTERN = /^\d+:\d+$/;
-/** Maximum amount of time to wait after access is approved to wait for access
- *  to be configured
- */
-const GRANT_TIMEOUT_MILLIS = 60e3;
 const sshCommand = (yargs) => yargs.command("ssh <destination> [command [arguments..]]", "SSH into a virtual machine", (yargs) => yargs
     .positional("destination", {
     type: "string",
@@ -79,53 +72,6 @@ const sshCommand = (yargs) => yargs.command("ssh <destination> [command [argumen
     describe: "The account on which the instance is located",
 }), (0, firestore_1.guard)(ssh));
 exports.sshCommand = sshCommand;
-const validateSshInstall = (authn) => __awaiter(void 0, void 0, void 0, function* () {
-    var _a;
-    const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/ssh`));
-    const configItems = (_a = configDoc.data()) === null || _a === void 0 ? void 0 : _a["iam-write"];
-    const items = Object.entries(configItems !== null && configItems !== void 0 ? configItems : {}).filter(([key, value]) => value.state == "installed" && key.startsWith("aws"));
-    if (items.length === 0) {
-        throw "This organization is not configured for SSH access via the P0 CLI";
-    }
-});
-// TODO: Move this to a shared utility
-/** Waits until P0 grants access for a request */
-const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void 0, function* () {
-    let cancel = undefined;
-    const result = yield new Promise((resolve, reject) => {
-        let isResolved = false;
-        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/permission-requests/${requestId}`), (snap) => {
-            const data = snap.data();
-            if (!data)
-                return;
-            if (request_1.DONE_STATUSES.includes(data.status)) {
-                resolve(data);
-            }
-            else if (request_1.DENIED_STATUSES.includes(data.status)) {
-                reject("Your access request was denied");
-            }
-            else if (request_1.ERROR_STATUSES.includes(data.status)) {
-                reject("Your access request encountered an error (see Slack for details)");
-            }
-            else {
-                return;
-            }
-            isResolved = true;
-            unsubscribe();
-        });
-        // Skip timeout in test; it holds a ref longer than the test lasts
-        if (process.env.NODE_ENV === "test")
-            return;
-        cancel = setTimeout(() => {
-            if (!isResolved) {
-                unsubscribe();
-                reject("Timeout awaiting SSH access grant");
-            }
-        }, GRANT_TIMEOUT_MILLIS);
-    });
-    clearTimeout(cancel);
-    return result;
-});
 /** Connect to an SSH backend
  *
  * Implicitly gains access to the SSH resource if required.
@@ -136,37 +82,14 @@ const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void
 const ssh = (args) => __awaiter(void 0, void 0, void 0, function* () {
     // Prefix is required because the backend uses it to determine that this is an AWS request
     const authn = yield (0, auth_1.authenticate)();
-    yield validateSshInstall(authn);
-    const response = yield (0, request_2.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
-            "ssh",
-            "session",
-            args.destination,
-            "--provider",
-            "aws",
-            ...(args.sudo || args.command === "sudo" ? ["--sudo"] : []),
-            ...(args.reason ? ["--reason", args.reason] : []),
-            ...(args.account ? ["--account", args.account] : []),
-        ], wait: true }), authn, { message: "approval-required" });
-    if (!response) {
-        (0, stdio_1.print2)("Did not receive access ID from server");
-        return;
+    const destination = args.destination;
+    const requestId = yield (0, shared_1.provisionRequest)(authn, args, destination);
+    if (!requestId) {
+        throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
-    const { id, isPreexisting, event } = response;
-    if (!isPreexisting)
-        (0, stdio_1.print2)("Waiting for access to be provisioned");
-    /**
-     * TODO TECH-DEBT ENG-1813:
-     * We use the id and waitForProvisioning to find the permission request document which has
-     * critical data, such as the document name and generated role, that we need to build up a
-     * viable SSM request.
-     *
-     * Replacing the permission with event.permission is necessary when trying to connect to an
-     * instance which has been granted approval through it's group. The event.permission object
-     * will contain details about the specific instance we are trying to connect to such as the
-     * instance id. Without an instance id, which an SSH group permission request document does
-     * not contain we cannot construct a valid SSM command.
-     */
-    const requestData = yield waitForProvisioning(authn, id);
-    const requestWithId = Object.assign(Object.assign({}, requestData), { id, permission: event.permission });
-    yield (0, ssm_1.ssm)(authn, requestWithId, args);
+    const result = yield (0, api_1.fetchExerciseGrant)(authn, {
+        requestId,
+        destination,
+    });
+    yield (0, ssm_1.ssm)(authn, result, args);
 });

package/dist/drivers/api.d.ts

@@ -1,3 +1,20 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { ExerciseGrantResponse } from "../commands/shared";
 import { Authn } from "../types/identity";
 import yargs from "yargs";
 export declare const fetchCommand: <T>(authn: Authn, args: yargs.ArgumentsCamelCase, argv: string[]) => Promise<T>;
+export declare const fetchExerciseGrant: (authn: Authn, args: {
+    requestId: string;
+    destination: string;
+    publicKey?: string;
+}) => Promise<ExerciseGrantResponse>;
+export declare const baseFetch: <T>(authn: Authn, url: string, method: string, body: string) => Promise<T>;

package/dist/drivers/api.js

@@ -32,32 +32,32 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.fetchCommand = void 0;
-/** Copyright © 2024-present P0 Security
-
-This file is part of @p0security/cli
-
-@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
-
-@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
-**/
+exports.baseFetch = exports.fetchExerciseGrant = exports.fetchCommand = void 0;
 const env_1 = require("../drivers/env");
 const path = __importStar(require("node:path"));
-const commandUrl = (tenant) => `${env_1.config.appUrl}/o/${tenant}/command/`;
+const tenantUrl = (tenant) => `${env_1.config.appUrl}/o/${tenant}`;
+const commandUrl = (tenant) => `${tenantUrl(tenant)}/command/`;
+const exerciseGrantUrl = (tenant) => `${tenantUrl(tenant)}/exercise-grant/`;
 const fetchCommand = (authn, args, argv) => __awaiter(void 0, void 0, void 0, function* () {
+    return (0, exports.baseFetch)(authn, commandUrl(authn.identity.org.slug), "POST", JSON.stringify({
+        argv,
+        scriptName: path.basename(args.$0),
+    }));
+});
+exports.fetchCommand = fetchCommand;
+const fetchExerciseGrant = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
+    return (0, exports.baseFetch)(authn, exerciseGrantUrl(authn.identity.org.slug), "POST", JSON.stringify(args));
+});
+exports.fetchExerciseGrant = fetchExerciseGrant;
+const baseFetch = (authn, url, method, body) => __awaiter(void 0, void 0, void 0, function* () {
     const token = yield authn.userCredential.user.getIdToken();
-    const response = yield fetch(commandUrl(authn.identity.org.slug), {
-        method: "POST",
+    const response = yield fetch(url, {
+        method,
         headers: {
             authorization: `Bearer ${token}`,
             "Content-Type": "application/json",
         },
-        body: JSON.stringify({
-            argv,
-            scriptName: path.basename(args.$0),
-        }),
+        body,
     });
     const text = yield response.text();
     const data = JSON.parse(text);
@@ -66,4 +66,4 @@ const fetchCommand = (authn, args, argv) => __awaiter(void 0, void 0, void 0, fu
     }
     return data;
 });
-exports.fetchCommand = fetchCommand;
+exports.baseFetch = baseFetch;

package/dist/plugins/aws/ssm/index.d.ts

@@ -8,11 +8,8 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { SshCommandArgs } from "../../../commands/ssh";
+import { ExerciseGrantResponse, ScpCommandArgs, SshCommandArgs } from "../../../commands/shared";
 import { Authn } from "../../../types/identity";
-import { Request } from "../../../types/request";
-import { AwsSsh } from "../types";
 /** Connect to an SSH backend using AWS Systems Manager (SSM) */
-export declare const ssm: (authn: Authn, request: Request<AwsSsh> & {
-    id: string;
-}, args: SshCommandArgs) => Promise<void>;
+export declare const ssm: (authn: Authn, request: ExerciseGrantResponse, args: SshCommandArgs) => Promise<void>;
+export declare const scp: (authn: Authn, data: ExerciseGrantResponse, args: ScpCommandArgs, privateKey: string) => Promise<number | null>;

package/dist/plugins/aws/ssm/index.js

@@ -12,10 +12,11 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ssm = void 0;
+exports.scp = exports.ssm = void 0;
 const stdio_1 = require("../../../drivers/stdio");
 const aws_1 = require("../../okta/aws");
 const install_1 = require("./install");
+const lodash_1 = require("lodash");
 const node_child_process_1 = require("node:child_process");
 const node_stream_1 = require("node:stream");
 const ps_tree_1 = __importDefault(require("ps-tree"));
@@ -23,6 +24,14 @@ const STARTING_SESSION_MESSAGE = /Starting session with SessionId: (.*)/;
 /** Matches the error message that AWS SSM print1 when access is not propagated */
 // Note that the resource will randomly be either the SSM document or the EC2 instance
 const UNPROVISIONED_ACCESS_MESSAGE = /An error occurred \(AccessDeniedException\) when calling the StartSession operation: User: arn:aws:sts::.*:assumed-role\/P0GrantsRole.* is not authorized to perform: ssm:StartSession on resource: arn:aws:.*:.*:.* because no identity-based policy allows the ssm:StartSession action/;
+/**
+ * Matches the following error messages that AWS SSM print1 when ssh authorized
+ * key access hasn't propagated to the instance yet.
+ * - Connection closed by UNKNOWN port 65535
+ * - scp: Connection closed
+ * - kex_exchange_identification: Connection closed by remote host
+ */
+const UNPROVISIONED_SCP_ACCESS_MESSAGE = /\bConnection closed\b.*\b(?:by UNKNOWN port \d+|by remote host)?/;
 /** Maximum amount of time after AWS SSM process starts to check for {@link UNPROVISIONED_ACCESS_MESSAGE}
  *  in the process's stderr
  */
@@ -32,9 +41,9 @@ const UNPROVISIONED_ACCESS_VALIDATION_WINDOW_MS = 5e3;
  * Note that each attempt consumes ~ 1 s.
  */
 const MAX_SSM_RETRIES = 30;
-const INSTANCE_ARN_PATTERN = /^arn:aws:ssm:([^:]+):([^:]+):managed-instance\/([^:]+)$/;
 /** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
 const LOCAL_PORT_FORWARDING_DOCUMENT_NAME = "AWS-StartPortForwardingSession";
+const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
 /** Checks if access has propagated through AWS to the SSM agent
  *
  * AWS takes about 8 minutes to fully resolve access after it is granted. During
@@ -55,7 +64,8 @@ const accessPropagationGuard = (child) => {
     const beforeStart = Date.now();
     child.stderr.on("data", (chunk) => {
         const chunkString = chunk.toString("utf-8");
-        const match = chunkString.match(UNPROVISIONED_ACCESS_MESSAGE);
+        const match = chunkString.match(UNPROVISIONED_ACCESS_MESSAGE) ||
+            chunkString.match(UNPROVISIONED_SCP_ACCESS_MESSAGE);
         if (match &&
             Date.now() <= beforeStart + UNPROVISIONED_ACCESS_VALIDATION_WINDOW_MS) {
             isEphemeralAccessDeniedException = true;
@@ -119,8 +129,8 @@ const createSsmCommands = (args) => {
         subCommand: portForwardingCommand,
     };
 };
-function spawnChildProcess(credential, command, stdio) {
-    return (0, node_child_process_1.spawn)("/usr/bin/env", command, {
+function spawnChildProcess(credential, command, args, stdio) {
+    return (0, node_child_process_1.spawn)(command, args, {
         env: Object.assign(Object.assign({}, process.env), credential),
         stdio,
     });
@@ -129,36 +139,39 @@ function spawnChildProcess(credential, command, stdio) {
  *
  * Requires `aws ssm` to be installed on the client machine.
  */
-const spawnSsmNode = (options) => __awaiter(void 0, void 0, void 0, function* () {
-    return new Promise((resolve, reject) => {
-        const child = spawnChildProcess(options.credential, options.command, [
-            "inherit",
-            "inherit",
-            "pipe",
-        ]);
-        const { isAccessPropagated } = accessPropagationGuard(child);
-        const exitListener = child.on("exit", (code) => {
-            var _a;
-            exitListener.unref();
-            // In the case of ephemeral AccessDenied exceptions due to unpropagated
-            // permissions, continually retry access until success
-            if (!isAccessPropagated()) {
-                const attemptsRemaining = (_a = options === null || options === void 0 ? void 0 : options.attemptsRemaining) !== null && _a !== void 0 ? _a : MAX_SSM_RETRIES;
-                if (attemptsRemaining <= 0) {
-                    reject("Access did not propagate through AWS before max retry attempts were exceeded. Please contact support@p0.dev for assistance.");
+function spawnSsmNode(options) {
+    return __awaiter(this, void 0, void 0, function* () {
+        return new Promise((resolve, reject) => {
+            var _a, _b;
+            const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio);
+            // optionally buffer content into stdin for the child process
+            for (const command of (_a = options.writeStdin) !== null && _a !== void 0 ? _a : []) {
+                (_b = child.stdin) === null || _b === void 0 ? void 0 : _b.write(`${command}\n`);
+            }
+            const { isAccessPropagated } = accessPropagationGuard(child);
+            const exitListener = child.on("exit", (code) => {
+                var _a, _b;
+                exitListener.unref();
+                // In the case of ephemeral AccessDenied exceptions due to unpropagated
+                // permissions, continually retry access until success
+                if (!isAccessPropagated()) {
+                    const attemptsRemaining = (_a = options === null || options === void 0 ? void 0 : options.attemptsRemaining) !== null && _a !== void 0 ? _a : MAX_SSM_RETRIES;
+                    if (attemptsRemaining <= 0) {
+                        reject("Access did not propagate through AWS before max retry attempts were exceeded. Please contact support@p0.dev for assistance.");
+                        return;
+                    }
+                    spawnSsmNode(Object.assign(Object.assign({}, options), { attemptsRemaining: attemptsRemaining - 1 }))
+                        .then((code) => resolve(code))
+                        .catch(reject);
                     return;
                 }
-                spawnSsmNode(Object.assign(Object.assign({}, options), { attemptsRemaining: attemptsRemaining - 1 }))
-                    .then((code) => resolve(code))
-                    .catch(reject);
-                return;
-            }
-            options.abortController.abort(code);
-            (0, stdio_1.print2)(`SSH session terminated`);
-            resolve(code);
+                (_b = options.abortController) === null || _b === void 0 ? void 0 : _b.abort(code);
+                (0, stdio_1.print2)(`SSH session terminated`);
+                resolve(code);
+            });
         });
     });
-});
+}
 /**
  * A subprocess SSM session redirects its output through a proxy that filters certain messages reducing the verbosity of the output.
  * The subprocess also makes sure to terminate any grandchild processes that might spawn during the session.
@@ -167,11 +180,7 @@ const spawnSsmNode = (options) => __awaiter(void 0, void 0, void 0, function* ()
  */
 const spawnSubprocessSsmNode = (options) => __awaiter(void 0, void 0, void 0, function* () {
     return new Promise((resolve, reject) => {
-        const child = spawnChildProcess(options.credential, options.command, [
-            "ignore",
-            "pipe",
-            "pipe",
-        ]);
+        const child = spawnChildProcess(options.credential, "/usr/bin/env", options.command, ["ignore", "pipe", "pipe"]);
         // Captures the starting session message and filters it from the output
         const proxyStream = new node_stream_1.Transform({
             transform(chunk, _, end) {
@@ -236,19 +245,14 @@ const ssm = (authn, request, args) => __awaiter(void 0, void 0, void 0, function
     const isInstalled = yield (0, install_1.ensureSsmInstall)();
     if (!isInstalled)
         throw "Please try again after installing the required AWS utilities";
-    const match = request.permission.spec.awsResourcePermission.resource.arn.match(INSTANCE_ARN_PATTERN);
-    if (!match)
-        throw "Did not receive a properly formatted instance identifier";
-    const [, region, account, instance] = match;
     const credential = yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
-        account,
-        role: request.generatedRoles[0].role,
+        account: request.instance.accountId,
+        role: request.role,
     });
     const ssmArgs = {
-        instance: instance,
-        region: region,
-        documentName: request.generated.documentName,
-        requestId: request.id,
+        instance: request.instance.id,
+        region: request.instance.region,
+        documentName: request.documentName,
         forwardPortAddress: args.L,
         noRemoteCommands: args.N,
         command: commandParameter(args),
@@ -265,10 +269,110 @@ const startSsmProcesses = (credential, commands) => __awaiter(void 0, void 0, vo
     const abortController = new AbortController();
     const args = { credential, abortController };
     const processes = [
-        spawnSsmNode(Object.assign(Object.assign({}, args), { command: commands.shellCommand })),
+        spawnSsmNode(Object.assign(Object.assign({}, args), { command: "/usr/bin/env", args: commands.shellCommand, stdio: ["inherit", "inherit", "pipe"] })),
     ];
     if (commands.subCommand) {
         processes.push(spawnSubprocessSsmNode(Object.assign(Object.assign({}, args), { command: commands.subCommand })));
     }
     yield Promise.all(processes);
 });
+const createProxyCommands = (data, args, debug) => {
+    const ssmCommand = [
+        ...createBaseSsmCommand({
+            region: data.instance.region,
+            instance: "%h",
+        }),
+        "--document-name",
+        START_SSH_SESSION_DOCUMENT_NAME,
+        "--parameters",
+        '"portNumber=%p"',
+    ];
+    return {
+        scp: [
+            "scp",
+            ...(debug ? ["-v"] : []),
+            "-o",
+            `ProxyCommand='${ssmCommand.join(" ")}'`,
+            // if a response is not received after three 5 minute attempts,
+            // the connection will be closed.
+            "-o",
+            "ServerAliveCountMax=3",
+            `-o`,
+            "ServerAliveInterval=300",
+            ...(args.recursive ? ["-r"] : []),
+            args.source,
+            args.destination,
+        ],
+        ssh: [
+            "ssh",
+            ...(debug ? ["-v"] : []),
+            "-o",
+            `ProxyCommand='${ssmCommand.join(" ")}'`,
+            `${data.linuxUserName}@${data.instance.id}`,
+        ],
+        ssm: ssmCommand,
+    };
+};
+const scp = (authn, data, args, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
+    if (!(yield (0, install_1.ensureSsmInstall)())) {
+        throw "Please try again after installing the required AWS utilities";
+    }
+    if (!privateKey) {
+        throw "Failed to load a private key for this request. Please contact support@p0.dev for assistance.";
+    }
+    const credential = yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
+        account: data.instance.accountId,
+        role: data.role,
+    });
+    const commands = createProxyCommands(data, args, args.debug);
+    const scpCommand = commands.scp.join(" ");
+    const sshCommand = commands.ssh.join(" ");
+    const debug = [
+        `echo "SSH_AUTH_SOCK: $SSH_AUTH_SOCK"`,
+        `echo "SSH_AGENT_PID: $SSH_AGENT_PID"`,
+        `echo '$(p0 aws role assume ${data.role})'`,
+        `echo "${sshCommand}"`,
+        `echo "${scpCommand}"`,
+        `echo "SSH Agent Keys:"`,
+        `ssh-add -l`,
+    ];
+    /**
+     * Spawns a child process to add a private key to the ssh-agent. The SSH agent is included in the OpenSSH suite
+     * of tools and is used to hold private keys during a session. The SSH agent typically does not persist keys
+     * across system reboots or logout/login cycles. Once you log out or restart your system, any keys added to
+     * the SSH agent during that session will need to be added again in subsequent sessions.
+     */
+    const writeStdin = [
+        // This might be overkill because we are already spawning a subprocess that will run the commands for us
+        // but just in case someone enters that subprocess we're also disabling the history of commands run.
+        `unset HISTFILE`,
+        // in debug mode, we want to see the pid of the ssh-agent and compare it to the environment variable
+        `eval $(ssh-agent)${args.debug ? "" : " >/dev/null 2>&1"}`,
+        `trap 'kill $SSH_AGENT_PID' EXIT`,
+        `ssh-add -q - <<< '${privateKey}'`,
+        // in debug mode, we'll see the keys that were added to the agent and more information about the agent
+        ...(args.debug ? debug : []),
+        scpCommand,
+        `SCP_EXIT_CODE=$?`,
+        `exit $SCP_EXIT_CODE`,
+    ];
+    if (args.debug) {
+        // Print commands that can be individually executed to reproduce behavior
+        // Remove the debug information - can be executed manually between steps
+        const reproCommands = (0, lodash_1.without)([
+            "bash",
+            ...Object.entries(process.env).map(([key, value]) => `export ${key}='${value}'`),
+            ...Object.entries(credential).map(([key, value]) => `export ${key}='${value}'`),
+            ...writeStdin,
+        ], ...debug);
+        (0, stdio_1.print2)(`Execute the following commands to create a similar SCP session:\n *** COMMANDS BEGIN ***\n${reproCommands.join("\n")}\n *** COMMANDS END ***`);
+    }
+    return spawnSsmNode({
+        credential,
+        writeStdin,
+        stdio: ["pipe", "inherit", "pipe"],
+        command: "bash",
+        args: [],
+    });
+});
+exports.scp = scp;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.5.2",
+  "version": "0.6.1",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {
@@ -27,6 +27,7 @@
     "inquirer": "^9.2.15",
     "jsdom": "^24.0.0",
     "lodash": "^4.17.21",
+    "node-forge": "^1.3.1",
     "open": "^8.4.0",
     "pkce-challenge": "^4.1.0",
     "pluralize": "^8.0.0",
@@ -44,6 +45,7 @@
     "@types/jsdom": "^21.1.6",
     "@types/lodash": "^4.14.202",
     "@types/node": "^18.11.7",
+    "@types/node-forge": "^1.3.11",
     "@types/pluralize": "^0.0.33",
     "@types/ps-tree": "^1.1.6",
     "@types/which": "^3.0.3",