@p0security/cli 0.6.1 → 0.7.1

package/dist/plugins/ping/login.d.ts

@@ -0,0 +1,13 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { OrgData } from "../../types/org";
+/** Logs in to PingOne via OIDC */
+export declare const pingLogin: (org: OrgData) => Promise<import("../../types/oidc").TokenResponse>;

package/dist/plugins/ping/login.js

@@ -0,0 +1,16 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pingLogin = void 0;
+const login_1 = require("../oidc/login");
+/** Logs in to PingOne via OIDC */
+const pingLogin = (org) => __awaiter(void 0, void 0, void 0, function* () { return (0, login_1.oidcLogin)(org, "openid email profile"); });
+exports.pingLogin = pingLogin;

package/dist/plugins/ssh-agent/index.d.ts

@@ -0,0 +1,10 @@
+import { AgentArgs, SshAgentEnv } from "./types";
+/** Spawns a subprocess with the ssh-agent command.
+ * Detects the auth socket and agent PID from stdout.
+ * Stdout and stderr of the subprocess is printed to stderr in debug mode.
+ * The returned promise resolves with an object that contains the auth socket and agent PID,
+ * or rejects with the contents of stderr. */
+export declare const sshAgent: (cmdArgs: AgentArgs) => Promise<SshAgentEnv>;
+export declare const sshAdd: (args: AgentArgs, sshAgentEnv: SshAgentEnv, privateKey: string) => Promise<number>;
+export declare const sshAddList: (args: AgentArgs, sshAgentEnv: SshAgentEnv) => Promise<number>;
+export declare const withSshAgent: <T>(args: AgentArgs, fn: (sshAgentEnv: SshAgentEnv) => Promise<T>) => Promise<T>;

package/dist/plugins/ssh-agent/index.js

@@ -0,0 +1,142 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withSshAgent = exports.sshAddList = exports.sshAdd = exports.sshAgent = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const __1 = require("../..");
+const stdio_1 = require("../../drivers/stdio");
+const node_child_process_1 = require("node:child_process");
+const AUTH_SOCK_MESSAGE = /SSH_AUTH_SOCK=(.+?);/;
+const AGENT_PID_MESSAGE = /SSH_AGENT_PID=(\d+?);/;
+/** Spawns a subprocess with given command, args, and options.
+ * May write content to its standard input.
+ * Stdout and stderr of the subprocess is printed to stderr in debug mode.
+ * The returned promise resolves or rejects with the exit code. */
+const asyncSpawn = ({ debug }, command, args, options, writeStdin) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        var _a;
+        const child = (0, node_child_process_1.spawn)(command, args, options);
+        if (writeStdin) {
+            if (!child.stdin)
+                return reject("Child process has no stdin");
+            child.stdin.write(writeStdin);
+        }
+        child.stdout.on("data", (data) => {
+            if (debug) {
+                (0, stdio_1.print2)(data.toString("utf-8"));
+            }
+        });
+        child.stderr.on("data", (data) => {
+            if (debug) {
+                (0, stdio_1.print2)(data.toString("utf-8"));
+            }
+        });
+        child.on("exit", (code) => {
+            if (code !== 0) {
+                return reject(code);
+            }
+            resolve(code);
+        });
+        if (writeStdin) {
+            (_a = child.stdin) === null || _a === void 0 ? void 0 : _a.end();
+        }
+    });
+});
+/** Spawns a subprocess with the ssh-agent command.
+ * Detects the auth socket and agent PID from stdout.
+ * Stdout and stderr of the subprocess is printed to stderr in debug mode.
+ * The returned promise resolves with an object that contains the auth socket and agent PID,
+ * or rejects with the contents of stderr. */
+const sshAgent = (cmdArgs) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        let stderr = "";
+        let stdout = "";
+        // There is a debug flag in ssh-agent but it causes the ssh-agent process to NOT fork
+        const child = (0, node_child_process_1.spawn)("ssh-agent");
+        child.stdout.on("data", (data) => {
+            const str = data.toString("utf-8");
+            if (cmdArgs.debug) {
+                (0, stdio_1.print2)(str);
+            }
+            stdout += str;
+        });
+        child.stderr.on("data", (data) => {
+            const str = data.toString("utf-8");
+            if (cmdArgs.debug) {
+                (0, stdio_1.print2)(str);
+            }
+            stderr += str;
+        });
+        const exitListener = child.on("exit", (code) => {
+            exitListener.unref();
+            if (code !== 0) {
+                return reject(stderr);
+            }
+            const authSockMatch = stdout.match(AUTH_SOCK_MESSAGE);
+            const agentPidMatch = stdout.match(AGENT_PID_MESSAGE);
+            if (!(authSockMatch === null || authSockMatch === void 0 ? void 0 : authSockMatch[1]) || !(agentPidMatch === null || agentPidMatch === void 0 ? void 0 : agentPidMatch[1])) {
+                return reject("Failed to parse ssh-agent stdout:\n" + stdout);
+            }
+            resolve({
+                SSH_AUTH_SOCK: authSockMatch[1],
+                SSH_AGENT_PID: agentPidMatch[1],
+            });
+        });
+    });
+});
+exports.sshAgent = sshAgent;
+const sshAgentKill = (args, sshAgentEnv) => __awaiter(void 0, void 0, void 0, function* () {
+    return asyncSpawn(args, "ssh-agent", ["-k"], {
+        env: Object.assign(Object.assign({}, process.env), sshAgentEnv),
+    });
+});
+const sshAdd = (args, sshAgentEnv, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
+    return asyncSpawn(args, "ssh-add", 
+    // In debug mode do not use the quiet flag. There is no debug flag in ssh-add.
+    // Instead increase to maximum verbosity of 3 with -v flag.
+    args.debug ? ["-v", "-v", "-v", "-"] : ["-q", "-"], { env: Object.assign(Object.assign({}, process.env), sshAgentEnv) }, privateKey);
+});
+exports.sshAdd = sshAdd;
+const sshAddList = (args, sshAgentEnv) => __awaiter(void 0, void 0, void 0, function* () {
+    return asyncSpawn(args, "ssh-add", ["-l"], {
+        env: Object.assign(Object.assign({}, process.env), sshAgentEnv),
+    });
+});
+exports.sshAddList = sshAddList;
+const withSshAgent = (args, fn) => __awaiter(void 0, void 0, void 0, function* () {
+    const sshAgentEnv = yield (0, exports.sshAgent)(args);
+    // The ssh-agent runs in a process that is not automatically terminated.
+    // 1. Kill it when catching the main process termination signal.
+    // 2. Also kill it if the encapsulated function throws an error.
+    const abortListener = (_code) => {
+        __1.TERMINATION_CONTROLLER.signal.removeEventListener("abort", abortListener);
+        void sshAgentKill(args, sshAgentEnv);
+    };
+    __1.TERMINATION_CONTROLLER.signal.addEventListener("abort", abortListener);
+    try {
+        return yield fn(sshAgentEnv);
+    }
+    finally {
+        // keep the ssh-agent alive in debug mode
+        if (!args.debug)
+            yield sshAgentKill(args, sshAgentEnv);
+    }
+});
+exports.withSshAgent = withSshAgent;

package/dist/plugins/ssh-agent/types.d.ts

@@ -0,0 +1,17 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare type AgentArgs = {
+    debug?: boolean;
+};
+export declare type SshAgentEnv = {
+    SSH_AUTH_SOCK: string;
+    SSH_AGENT_PID: string;
+};

package/dist/plugins/ssh-agent/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/allow.d.ts

@@ -0,0 +1,14 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare type AllowResponse = {
+    ok: true;
+    message: string;
+};

package/dist/types/allow.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/org.d.ts

@@ -8,13 +8,21 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-/** Publicly readable organization data */
-export declare type OrgData = {
+declare type BaseOrgData = {
     clientId: string;
     providerId: string;
     providerDomain?: string;
-    providerType?: "okta";
     ssoProvider: "azure-oidc" | "google-oidc" | "google" | "microsoft" | "oidc-pkce" | "okta";
-    slug: string;
     tenantId: string;
 };
+/** Publicly readable organization data */
+export declare type RawOrgData = BaseOrgData & ({
+    providerType?: "okta";
+} | {
+    providerType?: "ping";
+    environmentId: string;
+});
+export declare type OrgData = RawOrgData & {
+    slug: string;
+};
+export {};

package/dist/types/org.js

@@ -1,2 +1,12 @@
 "use strict";
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
 Object.defineProperty(exports, "__esModule", { value: true });

package/dist/util.d.ts

@@ -40,3 +40,6 @@ export declare const exec: (command: string, args: string[], options?: child_pro
     stdout: string;
     stderr: string;
 }>;
+export declare const throwAssertNever: (value: never) => never;
+export declare const assertNever: (value: never) => Error;
+export declare const unexpectedValueError: (value: any) => Error;

package/dist/util.js

@@ -12,7 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.exec = exports.timeout = exports.sleep = exports.P0_PATH = void 0;
+exports.unexpectedValueError = exports.assertNever = exports.throwAssertNever = exports.exec = exports.timeout = exports.sleep = exports.P0_PATH = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -85,3 +85,13 @@ const exec = (command, args, options) => __awaiter(void 0, void 0, void 0, funct
     });
 });
 exports.exec = exec;
+const throwAssertNever = (value) => {
+    throw (0, exports.assertNever)(value);
+};
+exports.throwAssertNever = throwAssertNever;
+const assertNever = (value) => {
+    return (0, exports.unexpectedValueError)(value);
+};
+exports.assertNever = assertNever;
+const unexpectedValueError = (value) => new Error(`Unexpected code state: value ${value} had unexpected type`);
+exports.unexpectedValueError = unexpectedValueError;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.6.1",
+  "version": "0.7.1",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {
@@ -31,7 +31,6 @@
     "open": "^8.4.0",
     "pkce-challenge": "^4.1.0",
     "pluralize": "^8.0.0",
-    "ps-tree": "^1.2.0",
     "semver": "^7.6.0",
     "typescript": "^4.8.4",
     "which": "^4.0.0",
@@ -47,7 +46,6 @@
     "@types/node": "^18.11.7",
     "@types/node-forge": "^1.3.11",
     "@types/pluralize": "^0.0.33",
-    "@types/ps-tree": "^1.1.6",
     "@types/which": "^3.0.3",
     "@types/yargs": "^17.0.13",
     "@typescript-eslint/eslint-plugin": "^6.4.0",