@p0security/cli 0.6.1 → 0.7.1

package/dist/commands/__tests__/ssh.test.js

@@ -36,7 +36,7 @@ jest.mock("../../drivers/auth");
 jest.mock("../../drivers/stdio");
 jest.mock("../../plugins/aws/ssm");
 const mockFetchCommand = api_1.fetchCommand;
-const mockSsm = ssm_1.ssm;
+const mockSshOrScp = ssm_1.sshOrScp;
 const mockPrint1 = stdio_1.print1;
 const mockPrint2 = stdio_1.print2;
 (0, firestore_1.mockGetDoc)({
@@ -46,7 +46,6 @@ const mockPrint2 = stdio_1.print2;
         },
     },
 });
-mockSsm.mockResolvedValue({});
 describe("ssh", () => {
     describe.each([
         ["persistent", true],
@@ -97,7 +96,22 @@ describe("ssh", () => {
             yield Promise.race([wait, promise]);
             yield expect(wait).resolves.toBeUndefined();
         }));
-        it("should call ssm", () => __awaiter(void 0, void 0, void 0, function* () {
+        it("should call sshOrScp with non-interactive command", () => __awaiter(void 0, void 0, void 0, function* () {
+            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance do something`);
+            yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
+            firestore_2.onSnapshot.trigger({
+                status: "APPROVED",
+            });
+            yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
+            firestore_2.onSnapshot.trigger({
+                status: "DONE",
+            });
+            yield expect(promise).resolves.toBeDefined();
+            expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
+            expect(mockPrint1).not.toHaveBeenCalled();
+            expect(mockSshOrScp).toHaveBeenCalled();
+        }));
+        it("should call sshOrScp with interactive session", () => __awaiter(void 0, void 0, void 0, function* () {
             const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
@@ -110,7 +124,7 @@ describe("ssh", () => {
             yield expect(promise).resolves.toBeDefined();
             expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
             expect(mockPrint1).not.toHaveBeenCalled();
-            expect(mockSsm).toHaveBeenCalled();
+            expect(mockSshOrScp).toHaveBeenCalled();
         }));
     });
 });

package/dist/commands/allow.d.ts

@@ -0,0 +1,10 @@
+import { AllowResponse } from "../types/allow";
+import { Authn } from "../types/identity";
+import yargs from "yargs";
+export declare const allowCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
+    arguments: string[];
+}>;
+export declare const allow: (args: yargs.ArgumentsCamelCase<{
+    arguments: string[];
+    wait?: boolean;
+}>, authn?: Authn) => Promise<AllowResponse | undefined>;

package/dist/commands/allow.js

@@ -0,0 +1,57 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.allow = exports.allowCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const api_1 = require("../drivers/api");
+const auth_1 = require("../drivers/auth");
+const firestore_1 = require("../drivers/firestore");
+const stdio_1 = require("../drivers/stdio");
+const allowArgs = (yargs) => yargs
+    .parserConfiguration({ "unknown-options-as-args": true })
+    .help(false) // Turn off help in order to forward the --help command to the backend so P0 can provide the available requestable resources
+    .option("wait", {
+    alias: "w",
+    boolean: true,
+    default: false,
+    describe: "Block until the command is completed",
+})
+    .option("arguments", {
+    array: true,
+    string: true,
+    default: [],
+});
+const allowCommand = (yargs) => yargs.command("allow [arguments..]", "Create standing access for a resource", allowArgs, (0, firestore_1.guard)(exports.allow));
+exports.allowCommand = allowCommand;
+const allow = (args, authn) => __awaiter(void 0, void 0, void 0, function* () {
+    const resolvedAuthn = authn !== null && authn !== void 0 ? authn : (yield (0, auth_1.authenticate)());
+    const data = yield (0, api_1.fetchCommand)(resolvedAuthn, args, [
+        "allow",
+        ...args.arguments,
+    ]);
+    if (data && "ok" in data && "message" in data && data.ok) {
+        (0, stdio_1.print2)(data.message);
+        return data;
+    }
+    else {
+        throw data;
+    }
+});
+exports.allow = allow;

package/dist/commands/index.js

@@ -16,6 +16,7 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const stdio_1 = require("../drivers/stdio");
 const version_1 = require("../middlewares/version");
+const allow_1 = require("./allow");
 const aws_1 = require("./aws");
 const login_1 = require("./login");
 const ls_1 = require("./ls");
@@ -30,6 +31,7 @@ const commands = [
     login_1.loginCommand,
     ls_1.lsCommand,
     request_1.requestCommand,
+    allow_1.allowCommand,
     ssh_1.sshCommand,
     scp_1.scpCommand,
 ];

package/dist/commands/scp.js

@@ -8,9 +8,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.scpCommand = void 0;
 /** Copyright © 2024-present P0 Security
@@ -28,7 +25,6 @@ const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
 const ssm_1 = require("../plugins/aws/ssm");
 const shared_1 = require("./shared");
-const node_forge_1 = __importDefault(require("node-forge"));
 const scpCommand = (yargs) => yargs.command("scp <source> <destination>", 
 // TODO (ENG-1930): support scp across multiple remote hosts.
 "SCP copies files between a local and remote host.", (yargs) => yargs
@@ -61,7 +57,7 @@ const scpCommand = (yargs) => yargs.command("scp <source> <destination>",
 })
     .option("debug", {
     type: "boolean",
-    describe: "Print debug information, dangerous for sensitive data",
+    describe: "Print debug information. The ssh-agent subprocess is not terminated automatically.",
 }), (0, firestore_1.guard)(scpAction));
 exports.scpCommand = scpCommand;
 /** Transfers files between a local and remote hosts using SSH.
@@ -78,7 +74,7 @@ const scpAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     if (!requestId) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
-    const { publicKey, privateKey } = createKeyPair();
+    const { publicKey, privateKey } = (0, shared_1.createKeyPair)();
     const result = yield (0, api_1.fetchExerciseGrant)(authn, {
         requestId,
         destination: host,
@@ -86,7 +82,7 @@ const scpAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     });
     // replace the host with the linuxUserName@instanceId
     const { source, destination } = replaceHostWithInstance(result, args);
-    yield (0, ssm_1.scp)(authn, result, Object.assign(Object.assign({}, args), { source,
+    yield (0, ssm_1.sshOrScp)(authn, result, Object.assign(Object.assign({}, args), { source,
         destination }), privateKey);
 });
 /** If a path is not explicitly local, use this pattern to determine if it's remote */
@@ -117,9 +113,3 @@ const replaceHostWithInstance = (result, args) => {
     }
     return { source, destination };
 };
-const createKeyPair = () => {
-    const rsaKeyPair = node_forge_1.default.pki.rsa.generateKeyPair({ bits: 2048 });
-    const privateKey = node_forge_1.default.pki.privateKeyToPem(rsaKeyPair.privateKey);
-    const publicKey = node_forge_1.default.ssh.publicKeyToOpenSSH(rsaKeyPair.publicKey);
-    return { publicKey, privateKey };
-};

package/dist/commands/shared.d.ts

@@ -29,7 +29,13 @@ export declare type SshCommandArgs = BaseSshCommandArgs & {
     destination: string;
     L?: string;
     N?: boolean;
+    A?: boolean;
     arguments: string[];
     command?: string;
+    debug?: boolean;
 };
 export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<string | undefined>;
+export declare const createKeyPair: () => {
+    publicKey: string;
+    privateKey: string;
+};

package/dist/commands/shared.js

@@ -8,8 +8,11 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.provisionRequest = void 0;
+exports.createKeyPair = exports.provisionRequest = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -26,6 +29,7 @@ const request_1 = require("../types/request");
 const request_2 = require("./request");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
+const node_forge_1 = __importDefault(require("node-forge"));
 /** Maximum amount of time to wait after access is approved to wait for access
  *  to be configured
  */
@@ -100,3 +104,10 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     return id;
 });
 exports.provisionRequest = provisionRequest;
+const createKeyPair = () => {
+    const rsaKeyPair = node_forge_1.default.pki.rsa.generateKeyPair({ bits: 2048 });
+    const privateKey = node_forge_1.default.pki.privateKeyToPem(rsaKeyPair.privateKey);
+    const publicKey = node_forge_1.default.ssh.publicKeyToOpenSSH(rsaKeyPair.publicKey);
+    return { publicKey, privateKey };
+};
+exports.createKeyPair = createKeyPair;

package/dist/commands/ssh.js

@@ -25,8 +25,6 @@ const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
 const ssm_1 = require("../plugins/aws/ssm");
 const shared_1 = require("./shared");
-// Matches strings with the pattern "digits:digits" (e.g. 1234:5678)
-const LOCAL_PORT_FORWARD_PATTERN = /^\d+:\d+$/;
 const sshCommand = (yargs) => yargs.command("ssh <destination> [command [arguments..]]", "SSH into a virtual machine", (yargs) => yargs
     .positional("destination", {
     type: "string",
@@ -45,22 +43,19 @@ const sshCommand = (yargs) => yargs.command("ssh <destination> [command [argumen
     array: true,
     string: true,
     default: [],
-})
-    .check((argv) => {
-    if (argv.L == null)
-        return true;
-    return (argv.L.match(LOCAL_PORT_FORWARD_PATTERN) ||
-        "Local port forward should be in the format `local_port:remote_port`");
 })
     .option("L", {
     type: "string",
-    describe: 
-    // the order of the sockets in the address matches the ssh man page
-    "Forward a local port to the remote host; `local_socket:remote_socket`",
+    // Copied from `man ssh`
+    describe: "Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side.",
 })
     .option("N", {
     type: "boolean",
     describe: "Do not execute a remote command. Useful for forwarding ports.",
+})
+    .option("A", {
+    type: "boolean",
+    describe: "Enables forwarding of connections from an authentication agent such as ssh-agent",
 })
     // Match `p0 request --reason`
     .option("reason", {
@@ -70,7 +65,11 @@ const sshCommand = (yargs) => yargs.command("ssh <destination> [command [argumen
     .option("account", {
     type: "string",
     describe: "The account on which the instance is located",
-}), (0, firestore_1.guard)(ssh));
+})
+    .option("debug", {
+    type: "boolean",
+    describe: "Print debug information. The ssh-agent subprocess is not terminated automatically.",
+}), (0, firestore_1.guard)(sshAction));
 exports.sshCommand = sshCommand;
 /** Connect to an SSH backend
  *
@@ -79,7 +78,7 @@ exports.sshCommand = sshCommand;
  * Supported SSH mechanisms:
  * - AWS EC2 via SSM with Okta SAML
  */
-const ssh = (args) => __awaiter(void 0, void 0, void 0, function* () {
+const sshAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     // Prefix is required because the backend uses it to determine that this is an AWS request
     const authn = yield (0, auth_1.authenticate)();
     const destination = args.destination;
@@ -87,9 +86,11 @@ const ssh = (args) => __awaiter(void 0, void 0, void 0, function* () {
     if (!requestId) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
+    const { publicKey, privateKey } = (0, shared_1.createKeyPair)();
     const result = yield (0, api_1.fetchExerciseGrant)(authn, {
         requestId,
         destination,
+        publicKey,
     });
-    yield (0, ssm_1.ssm)(authn, result, args);
+    yield (0, ssm_1.sshOrScp)(authn, result, Object.assign(Object.assign({}, args), { destination }), privateKey);
 });

package/dist/index.d.ts

@@ -1 +1,2 @@
+export declare const TERMINATION_CONTROLLER: AbortController;
 export declare const main: () => void;

package/dist/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.main = void 0;
+exports.main = exports.TERMINATION_CONTROLLER = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -13,6 +13,17 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const commands_1 = require("./commands");
 const lodash_1 = require("lodash");
+const node_os_1 = require("node:os");
+// Subscribing to this global abort controller allows handling process termination signals anywhere in the application
+exports.TERMINATION_CONTROLLER = new AbortController();
+const terminationHandler = (code) => () => {
+    exports.TERMINATION_CONTROLLER.abort(code);
+    process.exit(128 + code); // by convention the exit code is the signal code + 128
+};
+process.on("SIGHUP", terminationHandler(node_os_1.constants.signals.SIGHUP));
+process.on("SIGINT", terminationHandler(node_os_1.constants.signals.SIGINT));
+process.on("SIGQUIT", terminationHandler(node_os_1.constants.signals.SIGQUIT));
+process.on("SIGTERM", terminationHandler(node_os_1.constants.signals.SIGTERM));
 const main = () => {
     // We can suppress output here, as .fail() already print1 errors
     void commands_1.cli.parse().catch(lodash_1.noop);

package/dist/plugins/aws/ssm/index.d.ts

@@ -10,6 +10,4 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 import { ExerciseGrantResponse, ScpCommandArgs, SshCommandArgs } from "../../../commands/shared";
 import { Authn } from "../../../types/identity";
-/** Connect to an SSH backend using AWS Systems Manager (SSM) */
-export declare const ssm: (authn: Authn, request: ExerciseGrantResponse, args: SshCommandArgs) => Promise<void>;
-export declare const scp: (authn: Authn, data: ExerciseGrantResponse, args: ScpCommandArgs, privateKey: string) => Promise<number | null>;
+export declare const sshOrScp: (authn: Authn, data: ExerciseGrantResponse, cmdArgs: ScpCommandArgs | SshCommandArgs, privateKey: string) => Promise<number | null>;