@p0security/cli 0.6.2 → 0.7.1

package/dist/plugins/aws/ssm/index.js

@@ -8,19 +8,13 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.scp = exports.ssm = void 0;
+exports.sshOrScp = void 0;
 const stdio_1 = require("../../../drivers/stdio");
 const aws_1 = require("../../okta/aws");
+const ssh_agent_1 = require("../../ssh-agent");
 const install_1 = require("./install");
-const lodash_1 = require("lodash");
 const node_child_process_1 = require("node:child_process");
-const node_stream_1 = require("node:stream");
-const ps_tree_1 = __importDefault(require("ps-tree"));
-const STARTING_SESSION_MESSAGE = /Starting session with SessionId: (.*)/;
 /** Matches the error message that AWS SSM print1 when access is not propagated */
 // Note that the resource will randomly be either the SSM document or the EC2 instance
 const UNPROVISIONED_ACCESS_MESSAGE = /An error occurred \(AccessDeniedException\) when calling the StartSession operation: User: arn:aws:sts::.*:assumed-role\/P0GrantsRole.* is not authorized to perform: ssm:StartSession on resource: arn:aws:.*:.*:.* because no identity-based policy allows the ssm:StartSession action/;
@@ -42,7 +36,6 @@ const UNPROVISIONED_ACCESS_VALIDATION_WINDOW_MS = 5e3;
  */
 const MAX_SSM_RETRIES = 30;
 /** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
-const LOCAL_PORT_FORWARDING_DOCUMENT_NAME = "AWS-StartPortForwardingSession";
 const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
 /** Checks if access has propagated through AWS to the SSM agent
  *
@@ -88,53 +81,11 @@ const createBaseSsmCommand = (args) => {
         args.instance,
     ];
 };
-const createInteractiveShellCommand = (args) => {
-    var _a;
-    const ssmCommand = [
-        ...createBaseSsmCommand(args),
-        "--document-name",
-        args.documentName,
-    ];
-    const command = (_a = args.command) === null || _a === void 0 ? void 0 : _a.trim();
-    if (command) {
-        ssmCommand.push("--parameters", `command='${command}'`);
-    }
-    return ssmCommand;
-};
-const createPortForwardingCommand = (args) => {
-    const [localPort, remotePort] = args.forwardPortAddress
-        .split(":")
-        .map(Number);
-    return [
-        ...createBaseSsmCommand(args),
-        "--document-name",
-        // Port forwarding is a special case that uses an AWS-managed document, not the user-generated document we use for an SSH session
-        LOCAL_PORT_FORWARDING_DOCUMENT_NAME,
-        "--parameters",
-        `localPortNumber=${localPort},portNumber=${remotePort}`,
-    ];
-};
-const createSsmCommands = (args) => {
-    const interactiveShellCommand = createInteractiveShellCommand(args);
-    const forwardPortAddress = args.forwardPortAddress;
-    if (!forwardPortAddress) {
-        return { shellCommand: interactiveShellCommand };
-    }
-    const portForwardingCommand = createPortForwardingCommand(Object.assign(Object.assign({}, args), { forwardPortAddress }));
-    if (args.noRemoteCommands) {
-        return { shellCommand: portForwardingCommand };
-    }
-    return {
-        shellCommand: interactiveShellCommand,
-        subCommand: portForwardingCommand,
-    };
-};
-function spawnChildProcess(credential, command, args, stdio) {
-    return (0, node_child_process_1.spawn)(command, args, {
-        env: Object.assign(Object.assign({}, process.env), credential),
-        stdio,
-    });
-}
+const spawnChildProcess = (credential, command, args, stdio, sshAgentEnv) => (0, node_child_process_1.spawn)(command, args, {
+    env: Object.assign(Object.assign(Object.assign({}, process.env), credential), (sshAgentEnv || {})),
+    stdio,
+    shell: false,
+});
 /** Starts an SSM session in the terminal by spawning `aws ssm` as a subprocess
  *
  * Requires `aws ssm` to be installed on the client machine.
@@ -142,12 +93,7 @@ function spawnChildProcess(credential, command, args, stdio) {
 function spawnSsmNode(options) {
     return __awaiter(this, void 0, void 0, function* () {
         return new Promise((resolve, reject) => {
-            var _a, _b;
-            const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio);
-            // optionally buffer content into stdin for the child process
-            for (const command of (_a = options.writeStdin) !== null && _a !== void 0 ? _a : []) {
-                (_b = child.stdin) === null || _b === void 0 ? void 0 : _b.write(`${command}\n`);
-            }
+            const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio, options.sshAgentEnv);
             const { isAccessPropagated } = accessPropagationGuard(child);
             const exitListener = child.on("exit", (code) => {
                 var _a, _b;
@@ -172,111 +118,7 @@ function spawnSsmNode(options) {
         });
     });
 }
-/**
- * A subprocess SSM session redirects its output through a proxy that filters certain messages reducing the verbosity of the output.
- * The subprocess also makes sure to terminate any grandchild processes that might spawn during the session.
- *
- * This process should be used when multiple SSM sessions need to be spawned in parallel.
- */
-const spawnSubprocessSsmNode = (options) => __awaiter(void 0, void 0, void 0, function* () {
-    return new Promise((resolve, reject) => {
-        const child = spawnChildProcess(options.credential, "/usr/bin/env", options.command, ["ignore", "pipe", "pipe"]);
-        // Captures the starting session message and filters it from the output
-        const proxyStream = new node_stream_1.Transform({
-            transform(chunk, _, end) {
-                const message = chunk.toString("utf-8");
-                const match = message.match(STARTING_SESSION_MESSAGE);
-                if (!match) {
-                    this.push(chunk);
-                }
-                end();
-            },
-        });
-        // Ensures that content from the child process is printed to the terminal and the proxy stream
-        child.stdout.pipe(proxyStream).pipe(process.stdout);
-        const { isAccessPropagated } = accessPropagationGuard(child);
-        const abortListener = (code) => {
-            options.abortController.signal.removeEventListener("abort", abortListener);
-            // AWS CLI typically will spawn a grandchild process for the SSM session. Using `ps-tree` will allow us
-            // to identify and terminate the grandchild process as well.
-            (0, ps_tree_1.default)(child.pid, function (_, children) {
-                // kill the original child process first so that messages from grandchildren are not printed to stdout
-                child.kill();
-                // Send a SIGTERM because other signals (e.g. SIGKILL) will not propagate to the grandchildren
-                (0, node_child_process_1.exec)(`kill -15 ${children.map((p) => p.PID).join(" ")}`);
-            });
-            resolve(code);
-        };
-        child.on("spawn", () => {
-            options.abortController.signal.addEventListener("abort", abortListener);
-        });
-        const exitListener = child.on("exit", (code) => {
-            var _a;
-            exitListener.unref();
-            // In the case of ephemeral AccessDenied exceptions due to unpropagated
-            // permissions, continually retry access until success
-            if (!isAccessPropagated()) {
-                options.abortController.signal.removeEventListener("abort", abortListener);
-                const attemptsRemaining = (_a = options === null || options === void 0 ? void 0 : options.attemptsRemaining) !== null && _a !== void 0 ? _a : MAX_SSM_RETRIES;
-                if (attemptsRemaining <= 0) {
-                    reject("Access did not propagate through AWS before max retry attempts were exceeded. Please contact support@p0.dev for assistance.");
-                    return;
-                }
-                spawnSubprocessSsmNode(Object.assign(Object.assign({}, options), { attemptsRemaining: attemptsRemaining - 1 }))
-                    .then((code) => resolve(code))
-                    .catch(reject);
-                return;
-            }
-            options.abortController.abort(code);
-        });
-    });
-});
-/** Convert an SshCommandArgs into an SSM document "command" parameter */
-const commandParameter = (args) => args.command
-    ? `${args.command} ${args.arguments
-        .map((argument) => 
-    // escape all double quotes (") in commands such as `p0 ssh <instance>> echo 'hello; "world"'` because we
-    // need to encapsulate command arguments in double quotes as we pass them along to the remote shell
-    `"${String(argument).replace(/"/g, '\\"')}"`)
-        .join(" ")}`.trim()
-    : undefined;
-/** Connect to an SSH backend using AWS Systems Manager (SSM) */
-const ssm = (authn, request, args) => __awaiter(void 0, void 0, void 0, function* () {
-    const isInstalled = yield (0, install_1.ensureSsmInstall)();
-    if (!isInstalled)
-        throw "Please try again after installing the required AWS utilities";
-    const credential = yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
-        account: request.instance.accountId,
-        role: request.role,
-    });
-    const ssmArgs = {
-        instance: request.instance.id,
-        region: request.instance.region,
-        documentName: request.documentName,
-        forwardPortAddress: args.L,
-        noRemoteCommands: args.N,
-        command: commandParameter(args),
-    };
-    const ssmCommands = createSsmCommands(ssmArgs);
-    yield startSsmProcesses(credential, ssmCommands);
-});
-exports.ssm = ssm;
-/**
- * Starts the SSM session and any additional processes that are requested for the session to function properly.
- */
-const startSsmProcesses = (credential, commands) => __awaiter(void 0, void 0, void 0, function* () {
-    /** The AbortController is responsible for sending a shared signal to all spawned processes ({@link spawnSsmNode}) when the parent process is terminated unexpectedly. This is necessary because the spawned processes are detached and would otherwise continue running after the parent process is terminated. */
-    const abortController = new AbortController();
-    const args = { credential, abortController };
-    const processes = [
-        spawnSsmNode(Object.assign(Object.assign({}, args), { command: "/usr/bin/env", args: commands.shellCommand, stdio: ["inherit", "inherit", "pipe"] })),
-    ];
-    if (commands.subCommand) {
-        processes.push(spawnSubprocessSsmNode(Object.assign(Object.assign({}, args), { command: commands.subCommand })));
-    }
-    yield Promise.all(processes);
-});
-const createProxyCommands = (data, args, debug) => {
+const createProxyCommands = (data, args, sshAuthSock, debug) => {
     const ssmCommand = [
         ...createBaseSsmCommand({
             region: data.instance.region,
@@ -287,36 +129,59 @@ const createProxyCommands = (data, args, debug) => {
         "--parameters",
         '"portNumber=%p"',
     ];
+    const commonArgs = [
+        ...(debug ? ["-v"] : []),
+        // ignore any overrides in the user's config file, we only want to use the ssh-agent we've set up for the session
+        "-o",
+        `IdentityAgent=${sshAuthSock}`,
+        "-o",
+        `ProxyCommand=${ssmCommand.join(" ")}`,
+    ];
+    if ("source" in args) {
+        return {
+            command: "scp",
+            args: [
+                ...commonArgs,
+                // if a response is not received after three 5 minute attempts,
+                // the connection will be closed.
+                "-o",
+                "ServerAliveCountMax=3",
+                `-o`,
+                "ServerAliveInterval=300",
+                ...(args.recursive ? ["-r"] : []),
+                args.source,
+                args.destination,
+            ],
+        };
+    }
     return {
-        scp: [
-            "scp",
-            ...(debug ? ["-v"] : []),
-            // ignore any overrides in the user's config file, we only want to use the ssh-agent we've set up for the session
-            "-o",
-            "IdentityAgent=$SSH_AUTH_SOCK",
-            "-o",
-            `ProxyCommand='${ssmCommand.join(" ")}'`,
-            // if a response is not received after three 5 minute attempts,
-            // the connection will be closed.
-            "-o",
-            "ServerAliveCountMax=3",
-            `-o`,
-            "ServerAliveInterval=300",
-            ...(args.recursive ? ["-r"] : []),
-            args.source,
-            args.destination,
-        ],
-        ssh: [
-            "ssh",
-            ...(debug ? ["-v"] : []),
-            "-o",
-            `ProxyCommand='${ssmCommand.join(" ")}'`,
+        command: "ssh",
+        args: [
+            ...commonArgs,
+            ...(args.A ? ["-A"] : []),
+            ...(args.L ? ["-L", args.L] : []),
+            ...(args.N ? ["-N"] : []),
             `${data.linuxUserName}@${data.instance.id}`,
+            ...(args.command ? [args.command] : []),
+            ...args.arguments.map((argument) => 
+            // escape all double quotes (") in commands such as `p0 ssh <instance>> echo 'hello; "world"'` because we
+            // need to encapsulate command arguments in double quotes as we pass them along to the remote shell
+            `"${String(argument).replace(/"/g, '\\"')}"`),
         ],
-        ssm: ssmCommand,
     };
 };
-const scp = (authn, data, args, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
+/** Converts arguments for manual execution - arguments may have to be quoted or certain characters escaped when executing the commands from a shell */
+const transformForShell = (args) => {
+    return args.map((arg) => {
+        // The ProxyCommand option must be surrounded by single quotes
+        if (arg.startsWith("ProxyCommand=")) {
+            const [name, ...value] = arg.split("="); // contains the '=' character in the parameters option: ProxyCommand=aws ssm start-session ... --parameters "portNumber=%p"
+            return `${name}='${value.join("=")}'`;
+        }
+        return arg;
+    });
+};
+const sshOrScp = (authn, data, cmdArgs, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
     if (!(yield (0, install_1.ensureSsmInstall)())) {
         throw "Please try again after installing the required AWS utilities";
     }
@@ -327,55 +192,30 @@ const scp = (authn, data, args, privateKey) => __awaiter(void 0, void 0, void 0,
         account: data.instance.accountId,
         role: data.role,
     });
-    const commands = createProxyCommands(data, args, args.debug);
-    const scpCommand = commands.scp.join(" ");
-    const sshCommand = commands.ssh.join(" ");
-    const debug = [
-        `echo "SSH_AUTH_SOCK: $SSH_AUTH_SOCK"`,
-        `echo "SSH_AGENT_PID: $SSH_AGENT_PID"`,
-        `echo '$(p0 aws role assume ${data.role})'`,
-        `echo "${sshCommand}"`,
-        `echo "${scpCommand}"`,
-        `echo "SSH Agent Keys:"`,
-        `ssh-add -l`,
-    ];
-    /**
-     * Spawns a child process to add a private key to the ssh-agent. The SSH agent is included in the OpenSSH suite
-     * of tools and is used to hold private keys during a session. The SSH agent typically does not persist keys
-     * across system reboots or logout/login cycles. Once you log out or restart your system, any keys added to
-     * the SSH agent during that session will need to be added again in subsequent sessions.
-     */
-    const writeStdin = [
-        // This might be overkill because we are already spawning a subprocess that will run the commands for us
-        // but just in case someone enters that subprocess we're also disabling the history of commands run.
-        `unset HISTFILE`,
-        // in debug mode, we want to see the pid of the ssh-agent and compare it to the environment variable
-        `eval $(ssh-agent)${args.debug ? "" : " >/dev/null 2>&1"}`,
-        `trap 'kill $SSH_AGENT_PID' EXIT`,
-        `ssh-add -q - <<< '${privateKey}'`,
-        // in debug mode, we'll see the keys that were added to the agent and more information about the agent
-        ...(args.debug ? debug : []),
-        scpCommand,
-        `SCP_EXIT_CODE=$?`,
-        `exit $SCP_EXIT_CODE`,
-    ];
-    if (args.debug) {
-        // Print commands that can be individually executed to reproduce behavior
-        // Remove the debug information - can be executed manually between steps
-        const reproCommands = (0, lodash_1.without)([
-            "bash",
-            ...Object.entries(process.env).map(([key, value]) => `export ${key}='${value}'`),
-            ...Object.entries(credential).map(([key, value]) => `export ${key}='${value}'`),
-            ...writeStdin,
-        ], ...debug);
-        (0, stdio_1.print2)(`Execute the following commands to create a similar SCP session:\n *** COMMANDS BEGIN ***\n${reproCommands.join("\n")}\n *** COMMANDS END ***`);
-    }
-    return spawnSsmNode({
-        credential,
-        writeStdin,
-        stdio: ["pipe", "inherit", "pipe"],
-        command: "bash",
-        args: [],
-    });
+    return (0, ssh_agent_1.withSshAgent)(cmdArgs, (sshAgentEnv) => __awaiter(void 0, void 0, void 0, function* () {
+        yield (0, ssh_agent_1.sshAdd)(cmdArgs, sshAgentEnv, privateKey);
+        if (cmdArgs.debug) {
+            (0, stdio_1.print2)("SSH Agent Keys:");
+            yield (0, ssh_agent_1.sshAddList)(cmdArgs, sshAgentEnv);
+        }
+        const { command, args } = createProxyCommands(data, cmdArgs, sshAgentEnv.SSH_AUTH_SOCK, cmdArgs.debug);
+        if (cmdArgs.debug) {
+            const reproCommands = [
+                `eval $(p0 aws role assume ${data.role} --account ${data.instance.accountId})`,
+                `export SSH_AUTH_SOCK=${sshAgentEnv.SSH_AUTH_SOCK}`,
+                `export SSH_AGENT_PID=${sshAgentEnv.SSH_AGENT_PID}`,
+                `${command} ${transformForShell(args).join(" ")}`,
+            ];
+            (0, stdio_1.print2)(`Execute the following commands to create a similar SSH/SCP session:\n*** COMMANDS BEGIN ***\n${reproCommands.join("\n")}\n*** COMMANDS END ***\n\nTHE SSH AGENT PROCESS WILL NOT BE KILLED AUTOMATICALLY IN DEBUG MODE\nYou can kill it with "sudo kill ${sshAgentEnv.SSH_AGENT_PID}"\n`);
+        }
+        return spawnSsmNode({
+            credential,
+            sshAgentEnv,
+            abortController: new AbortController(),
+            command,
+            args,
+            stdio: ["inherit", "inherit", "pipe"],
+        });
+    }));
 });
-exports.scp = scp;
+exports.sshOrScp = sshOrScp;

package/dist/plugins/login.js

@@ -12,8 +12,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.pluginLoginMap = void 0;
 const login_1 = require("./google/login");
 const login_2 = require("./okta/login");
+const login_3 = require("./ping/login");
 exports.pluginLoginMap = {
     google: login_1.googleLogin,
     okta: login_2.oktaLogin,
+    ping: login_3.pingLogin,
     "oidc-pkce": (org) => __awaiter(void 0, void 0, void 0, function* () { return yield exports.pluginLoginMap[org.providerType](org); }),
 };

package/dist/plugins/oidc/login.d.ts

@@ -0,0 +1,5 @@
+import { TokenResponse } from "../../types/oidc";
+import { OrgData } from "../../types/org";
+export declare const validateProviderDomain: (org: OrgData) => void;
+/** Logs in to an Identity Provider via OIDC */
+export declare const oidcLogin: (org: OrgData, scope: string) => Promise<TokenResponse>;

package/dist/plugins/oidc/login.js

@@ -0,0 +1,133 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oidcLogin = exports.validateProviderDomain = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const oidc_1 = require("../../common/auth/oidc");
+const fetch_1 = require("../../common/fetch");
+const stdio_1 = require("../../drivers/stdio");
+const util_1 = require("../../util");
+const lodash_1 = require("lodash");
+const open_1 = __importDefault(require("open"));
+const DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+const validateProviderDomain = (org) => {
+    if (!org.providerDomain)
+        throw "Login requires a configured provider domain.";
+};
+exports.validateProviderDomain = validateProviderDomain;
+/** Executes the first step of a device-authorization grant flow */
+// cf. https://developer.okta.com/docs/guides/device-authorization-grant/main/
+const authorize = (org, scope) => __awaiter(void 0, void 0, void 0, function* () {
+    if (org.providerType === undefined) {
+        throw "Login requires a configured provider type.";
+    }
+    const init = {
+        method: "POST",
+        headers: oidc_1.OIDC_HEADERS,
+        body: (0, fetch_1.urlEncode)({
+            client_id: org.clientId,
+            scope,
+        }),
+    };
+    (0, exports.validateProviderDomain)(org);
+    // This is the "org" authorization server; the okta.apps.* scopes are not
+    // available with custom authorization servers
+    const url = org.providerType === "okta"
+        ? `https:${org.providerDomain}/oauth2/v1/device/authorize`
+        : org.providerType === "ping"
+            ? `https://${org.providerDomain}/${org.environmentId}/as/device_authorization`
+            : (0, util_1.throwAssertNever)(org.providerType);
+    const response = yield fetch(url, init);
+    yield (0, fetch_1.validateResponse)(response);
+    return (yield response.json());
+});
+/** Attempts to fetch this device's OIDC token
+ *
+ * The authorization may or may not be granted at this stage. If it is not, the
+ * authorization server will return "authorization_pending", in which case this
+ * function will return undefined.
+ */
+const fetchOidcToken = (org, authorize) => __awaiter(void 0, void 0, void 0, function* () {
+    if (org.providerType === undefined) {
+        throw "Login requires a configured provider type.";
+    }
+    const init = {
+        method: "POST",
+        headers: oidc_1.OIDC_HEADERS,
+        body: (0, fetch_1.urlEncode)({
+            client_id: org.clientId,
+            device_code: authorize.device_code,
+            grant_type: DEVICE_GRANT_TYPE,
+        }),
+    };
+    (0, exports.validateProviderDomain)(org);
+    const url = org.providerType === "okta"
+        ? `https:${org.providerDomain}/oauth2/v1/token`
+        : org.providerType === "ping"
+            ? `https://${org.providerDomain}/${org.environmentId}/as/token`
+            : (0, util_1.throwAssertNever)(org.providerType);
+    const response = yield fetch(url, init);
+    if (!response.ok) {
+        if (response.status === 400) {
+            const data = yield response.json();
+            if (data.error === "authorization_pending")
+                return undefined;
+        }
+        yield (0, fetch_1.validateResponse)(response);
+    }
+    return (yield response.json());
+});
+/** Waits until user device authorization is complete
+ *
+ * Returns the OIDC token after completion.
+ */
+const waitForActivation = (org, authorize) => __awaiter(void 0, void 0, void 0, function* () {
+    const start = Date.now();
+    while (Date.now() - start <= authorize.expires_in * 1e3) {
+        const response = yield fetchOidcToken(org, authorize);
+        if (!response)
+            yield (0, util_1.sleep)(authorize.interval * 1e3);
+        else
+            return response;
+    }
+    throw "Expired awaiting in-browser authorization.";
+});
+/** Logs in to an Identity Provider via OIDC */
+const oidcLogin = (org, scope) => __awaiter(void 0, void 0, void 0, function* () {
+    if (org.providerType === undefined) {
+        throw "Login requires a configured provider type.";
+    }
+    const authorizeResponse = yield authorize(org, scope);
+    (0, stdio_1.print2)(`Please use the opened browser window to continue your P0 login.
+  
+When prompted, confirm that ${(0, lodash_1.capitalize)(org.providerType)} displays this code:
+
+  ${authorizeResponse.user_code}
+
+Waiting for authorization...
+`);
+    void (0, open_1.default)(authorizeResponse.verification_uri_complete);
+    const oidcResponse = yield waitForActivation(org, authorizeResponse);
+    return oidcResponse;
+});
+exports.oidcLogin = oidcLogin;

package/dist/plugins/okta/login.js

@@ -8,9 +8,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getSamlResponse = exports.oktaLogin = void 0;
 /** Copyright © 2024-present P0 Security
@@ -25,81 +22,13 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const oidc_1 = require("../../common/auth/oidc");
 const fetch_1 = require("../../common/fetch");
-const stdio_1 = require("../../drivers/stdio");
-const util_1 = require("../../util");
+const login_1 = require("../oidc/login");
 const jsdom_1 = require("jsdom");
 const lodash_1 = require("lodash");
-const open_1 = __importDefault(require("open"));
-const DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
 const ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
 const ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token";
 const TOKEN_EXCHANGE_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange";
 const WEB_SSO_TOKEN_TYPE = "urn:okta:oauth:token-type:web_sso_token";
-const validateProviderDomain = (org) => {
-    if (!org.providerDomain)
-        throw "Okta login requires a configured provider domain.";
-};
-/** Executes the first step of Okta's device-authorization grant flow */
-// cf. https://developer.okta.com/docs/guides/device-authorization-grant/main/
-const authorize = (org) => __awaiter(void 0, void 0, void 0, function* () {
-    const init = {
-        method: "POST",
-        headers: oidc_1.OIDC_HEADERS,
-        body: (0, fetch_1.urlEncode)({
-            client_id: org.clientId,
-            scope: "openid email profile okta.apps.sso",
-        }),
-    };
-    validateProviderDomain(org);
-    // This is the "org" authorization server; the okta.apps.* scopes are not
-    // available with custom authorization servers
-    const response = yield fetch(`https:${org.providerDomain}/oauth2/v1/device/authorize`, init);
-    yield (0, fetch_1.validateResponse)(response);
-    return (yield response.json());
-});
-/** Attempts to fetch this device's OIDC token
- *
- * The authorization may or may not be granted at this stage. If it is not, the
- * authorization server will return "authorization_pending", in which case this
- * function will return undefined.
- */
-const fetchOidcToken = (org, authorize) => __awaiter(void 0, void 0, void 0, function* () {
-    const init = {
-        method: "POST",
-        headers: oidc_1.OIDC_HEADERS,
-        body: (0, fetch_1.urlEncode)({
-            client_id: org.clientId,
-            device_code: authorize.device_code,
-            grant_type: DEVICE_GRANT_TYPE,
-        }),
-    };
-    validateProviderDomain(org);
-    const response = yield fetch(`https:${org.providerDomain}/oauth2/v1/token`, init);
-    if (!response.ok) {
-        if (response.status === 400) {
-            const data = yield response.json();
-            if (data.error === "authorization_pending")
-                return undefined;
-        }
-        yield (0, fetch_1.validateResponse)(response);
-    }
-    return (yield response.json());
-});
-/** Waits until user device authorization is complete
- *
- * Returns the OIDC token after completion.
- */
-const waitForActivation = (org, authorize) => __awaiter(void 0, void 0, void 0, function* () {
-    const start = Date.now();
-    while (Date.now() - start <= authorize.expires_in * 1e3) {
-        const response = yield fetchOidcToken(org, authorize);
-        if (!response)
-            yield (0, util_1.sleep)(authorize.interval * 1e3);
-        else
-            return response;
-    }
-    throw "Expired awaiting in-browser authorization.";
-});
 /** Exchanges an Okta OIDC SSO token for an Okta app SSO token */
 const fetchSsoWebToken = (appId, { org, credential }) => __awaiter(void 0, void 0, void 0, function* () {
     const init = {
@@ -116,7 +45,7 @@ const fetchSsoWebToken = (appId, { org, credential }) => __awaiter(void 0, void
             requested_token_type: WEB_SSO_TOKEN_TYPE,
         }),
     };
-    validateProviderDomain(org);
+    (0, login_1.validateProviderDomain)(org);
     const response = yield fetch(`https:${org.providerDomain}/oauth2/v1/token`, init);
     yield (0, fetch_1.validateResponse)(response);
     return (yield response.json());
@@ -127,7 +56,7 @@ const fetchSamlResponse = (org, { access_token }) => __awaiter(void 0, void 0, v
         method: "GET",
         headers: (0, lodash_1.omit)(oidc_1.OIDC_HEADERS, "Content-Type"),
     };
-    validateProviderDomain(org);
+    (0, login_1.validateProviderDomain)(org);
     const url = `https://${org.providerDomain}/login/token/sso?token=${encodeURIComponent(access_token)}`;
     const response = yield fetch(url, init);
     yield (0, fetch_1.validateResponse)(response);
@@ -137,20 +66,7 @@ const fetchSamlResponse = (org, { access_token }) => __awaiter(void 0, void 0, v
     return samlInput === null || samlInput === void 0 ? void 0 : samlInput.value;
 });
 /** Logs in to Okta via OIDC */
-const oktaLogin = (org) => __awaiter(void 0, void 0, void 0, function* () {
-    const authorizeResponse = yield authorize(org);
-    (0, stdio_1.print2)(`Please use the opened browser window to continue your P0 login.
-  
-When prompted, confirm that Okta displays this code:
-
-  ${authorizeResponse.user_code}
-
-Waiting for authorization...
-`);
-    void (0, open_1.default)(authorizeResponse.verification_uri_complete);
-    const oidcResponse = yield waitForActivation(org, authorizeResponse);
-    return oidcResponse;
-});
+const oktaLogin = (org) => __awaiter(void 0, void 0, void 0, function* () { return (0, login_1.oidcLogin)(org, "openid email profile okta.apps.sso"); });
 exports.oktaLogin = oktaLogin;
 /** Retrieves a SAML response for an okta app */
 // TODO: Inject Okta app