@p0security/cli 0.6.2 → 0.8.0

package/dist/commands/__tests__/ssh.test.js

@@ -22,6 +22,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+const keys_1 = require("../../common/__mocks__/keys");
 const api_1 = require("../../drivers/api");
 const stdio_1 = require("../../drivers/stdio");
 const ssm_1 = require("../../plugins/aws/ssm");
@@ -35,10 +36,28 @@ jest.mock("../../drivers/api");
 jest.mock("../../drivers/auth");
 jest.mock("../../drivers/stdio");
 jest.mock("../../plugins/aws/ssm");
+jest.mock("../../common/keys");
 const mockFetchCommand = api_1.fetchCommand;
-const mockSsm = ssm_1.ssm;
+const mockSshOrScp = ssm_1.sshOrScp;
 const mockPrint1 = stdio_1.print1;
 const mockPrint2 = stdio_1.print2;
+const MOCK_REQUEST = {
+    status: "DONE",
+    generated: {
+        name: "name",
+        ssh: {
+            linuxUserName: "linuxUserName",
+            publicKey: keys_1.TEST_PUBLIC_KEY,
+        },
+    },
+    permission: {
+        spec: {
+            instanceId: "instanceId",
+            accountId: "accountId",
+            region: "region",
+        },
+    },
+};
 (0, firestore_1.mockGetDoc)({
     "iam-write": {
         ["aws:test-account"]: {
@@ -46,7 +65,6 @@ const mockPrint2 = stdio_1.print2;
         },
     },
 });
-mockSsm.mockResolvedValue({});
 describe("ssh", () => {
     describe.each([
         ["persistent", true],
@@ -69,9 +87,6 @@ describe("ssh", () => {
                             },
                         },
                     },
-                    generated: {
-                        documentName: "documentName",
-                    },
                 },
             });
         });
@@ -97,20 +112,31 @@ describe("ssh", () => {
             yield Promise.race([wait, promise]);
             yield expect(wait).resolves.toBeUndefined();
         }));
-        it("should call ssm", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
+        it("should call sshOrScp with non-interactive command", () => __awaiter(void 0, void 0, void 0, function* () {
+            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance do something`);
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
                 status: "APPROVED",
             });
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
+            firestore_2.onSnapshot.trigger(MOCK_REQUEST);
+            yield expect(promise).resolves.toBeDefined();
+            expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
+            expect(mockPrint1).not.toHaveBeenCalled();
+            expect(mockSshOrScp).toHaveBeenCalled();
+        }));
+        it("should call sshOrScp with interactive session", () => __awaiter(void 0, void 0, void 0, function* () {
+            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
+            yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
-                status: "DONE",
+                status: "APPROVED",
             });
+            yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
+            firestore_2.onSnapshot.trigger(MOCK_REQUEST);
             yield expect(promise).resolves.toBeDefined();
             expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
             expect(mockPrint1).not.toHaveBeenCalled();
-            expect(mockSsm).toHaveBeenCalled();
+            expect(mockSshOrScp).toHaveBeenCalled();
         }));
     });
 });

package/dist/commands/allow.d.ts

@@ -0,0 +1,10 @@
+import { AllowResponse } from "../types/allow";
+import { Authn } from "../types/identity";
+import yargs from "yargs";
+export declare const allowCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
+    arguments: string[];
+}>;
+export declare const allow: (args: yargs.ArgumentsCamelCase<{
+    arguments: string[];
+    wait?: boolean;
+}>, authn?: Authn) => Promise<AllowResponse | undefined>;

package/dist/commands/allow.js

@@ -0,0 +1,57 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.allow = exports.allowCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const api_1 = require("../drivers/api");
+const auth_1 = require("../drivers/auth");
+const firestore_1 = require("../drivers/firestore");
+const stdio_1 = require("../drivers/stdio");
+const allowArgs = (yargs) => yargs
+    .parserConfiguration({ "unknown-options-as-args": true })
+    .help(false) // Turn off help in order to forward the --help command to the backend so P0 can provide the available requestable resources
+    .option("wait", {
+    alias: "w",
+    boolean: true,
+    default: false,
+    describe: "Block until the command is completed",
+})
+    .option("arguments", {
+    array: true,
+    string: true,
+    default: [],
+});
+const allowCommand = (yargs) => yargs.command("allow [arguments..]", "Create standing access for a resource", allowArgs, (0, firestore_1.guard)(exports.allow));
+exports.allowCommand = allowCommand;
+const allow = (args, authn) => __awaiter(void 0, void 0, void 0, function* () {
+    const resolvedAuthn = authn !== null && authn !== void 0 ? authn : (yield (0, auth_1.authenticate)());
+    const data = yield (0, api_1.fetchCommand)(resolvedAuthn, args, [
+        "allow",
+        ...args.arguments,
+    ]);
+    if (data && "ok" in data && "message" in data && data.ok) {
+        (0, stdio_1.print2)(data.message);
+        return data;
+    }
+    else {
+        throw data;
+    }
+});
+exports.allow = allow;

package/dist/commands/index.js

@@ -16,6 +16,7 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const stdio_1 = require("../drivers/stdio");
 const version_1 = require("../middlewares/version");
+const allow_1 = require("./allow");
 const aws_1 = require("./aws");
 const login_1 = require("./login");
 const ls_1 = require("./ls");
@@ -30,6 +31,7 @@ const commands = [
     login_1.loginCommand,
     ls_1.lsCommand,
     request_1.requestCommand,
+    allow_1.allowCommand,
     ssh_1.sshCommand,
     scp_1.scpCommand,
 ];

package/dist/commands/scp.js

@@ -8,9 +8,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.scpCommand = void 0;
 /** Copyright © 2024-present P0 Security
@@ -23,12 +20,10 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const api_1 = require("../drivers/api");
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
 const ssm_1 = require("../plugins/aws/ssm");
 const shared_1 = require("./shared");
-const node_forge_1 = __importDefault(require("node-forge"));
 const scpCommand = (yargs) => yargs.command("scp <source> <destination>", 
 // TODO (ENG-1930): support scp across multiple remote hosts.
 "SCP copies files between a local and remote host.", (yargs) => yargs
@@ -61,7 +56,7 @@ const scpCommand = (yargs) => yargs.command("scp <source> <destination>",
 })
     .option("debug", {
     type: "boolean",
-    describe: "Print debug information, dangerous for sensitive data",
+    describe: "Print debug information. The ssh-agent subprocess is not terminated automatically.",
 }), (0, firestore_1.guard)(scpAction));
 exports.scpCommand = scpCommand;
 /** Transfers files between a local and remote hosts using SSH.
@@ -74,19 +69,15 @@ const scpAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     if (!host) {
         throw "Could not determine host identifier from source or destination";
     }
-    const requestId = yield (0, shared_1.provisionRequest)(authn, args, host);
-    if (!requestId) {
+    const result = yield (0, shared_1.provisionRequest)(authn, args, host);
+    if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
-    const { publicKey, privateKey } = createKeyPair();
-    const result = yield (0, api_1.fetchExerciseGrant)(authn, {
-        requestId,
-        destination: host,
-        publicKey,
-    });
+    const { request, privateKey } = result;
+    const data = (0, shared_1.requestToSsh)(request);
     // replace the host with the linuxUserName@instanceId
-    const { source, destination } = replaceHostWithInstance(result, args);
-    yield (0, ssm_1.scp)(authn, result, Object.assign(Object.assign({}, args), { source,
+    const { source, destination } = replaceHostWithInstance(data, args);
+    yield (0, ssm_1.sshOrScp)(authn, data, Object.assign(Object.assign({}, args), { source,
         destination }), privateKey);
 });
 /** If a path is not explicitly local, use this pattern to determine if it's remote */
@@ -110,16 +101,10 @@ const replaceHostWithInstance = (result, args) => {
     let source = args.source;
     let destination = args.destination;
     if (isExplicitlyRemote(source)) {
-        source = `${result.linuxUserName}@${result.instance.id}:${source.split(":")[1]}`;
+        source = `${result.linuxUserName}@${result.id}:${source.split(":")[1]}`;
     }
     if (isExplicitlyRemote(destination)) {
-        destination = `${result.linuxUserName}@${result.instance.id}:${destination.split(":")[1]}`;
+        destination = `${result.linuxUserName}@${result.id}:${destination.split(":")[1]}`;
     }
     return { source, destination };
 };
-const createKeyPair = () => {
-    const rsaKeyPair = node_forge_1.default.pki.rsa.generateKeyPair({ bits: 2048 });
-    const privateKey = node_forge_1.default.pki.privateKeyToPem(rsaKeyPair.privateKey);
-    const publicKey = node_forge_1.default.ssh.publicKeyToOpenSSH(rsaKeyPair.publicKey);
-    return { publicKey, privateKey };
-};

package/dist/commands/shared.d.ts

@@ -1,17 +1,13 @@
+import { AwsSsh } from "../plugins/aws/types";
 import { Authn } from "../types/identity";
+import { Request } from "../types/request";
 import yargs from "yargs";
-export declare type ExerciseGrantResponse = {
-    documentName: string;
+export declare type SshRequest = {
     linuxUserName: string;
-    ok: true;
     role: string;
-    instance: {
-        arn: string;
-        accountId: string;
-        region: string;
-        id: string;
-        name?: string;
-    };
+    accountId: string;
+    region: string;
+    id: string;
 };
 export declare type BaseSshCommandArgs = {
     sudo?: boolean;
@@ -29,7 +25,14 @@ export declare type SshCommandArgs = BaseSshCommandArgs & {
     destination: string;
     L?: string;
     N?: boolean;
+    A?: boolean;
     arguments: string[];
     command?: string;
+    debug?: boolean;
 };
-export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<string | undefined>;
+export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<{
+    request: Request<AwsSsh>;
+    publicKey: string;
+    privateKey: string;
+} | undefined>;
+export declare const requestToSsh: (request: AwsSsh) => SshRequest;

package/dist/commands/shared.js

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.provisionRequest = void 0;
+exports.requestToSsh = exports.provisionRequest = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -20,6 +20,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+const keys_1 = require("../common/keys");
 const firestore_1 = require("../drivers/firestore");
 const stdio_1 = require("../drivers/stdio");
 const request_1 = require("../types/request");
@@ -78,10 +79,13 @@ const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void
 });
 const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0, void 0, function* () {
     yield validateSshInstall(authn);
+    const { publicKey, privateKey } = yield (0, keys_1.createKeyPair)();
     const response = yield (0, request_2.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
             "ssh",
             "session",
             destination,
+            "--public-key",
+            publicKey,
             // Prefix is required because the backend uses it to determine that this is an AWS request
             "--provider",
             "aws",
@@ -96,7 +100,20 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     const { id, isPreexisting } = response;
     if (!isPreexisting)
         (0, stdio_1.print2)("Waiting for access to be provisioned");
-    yield waitForProvisioning(authn, id);
-    return id;
+    const provisionedRequest = yield waitForProvisioning(authn, id);
+    if (provisionedRequest.generated.ssh.publicKey !== publicKey) {
+        throw "Public key mismatch. Please revoke the request and try again.";
+    }
+    return { request: provisionedRequest, publicKey, privateKey };
 });
 exports.provisionRequest = provisionRequest;
+const requestToSsh = (request) => {
+    return {
+        id: request.permission.spec.instanceId,
+        accountId: request.permission.spec.accountId,
+        region: request.permission.spec.region,
+        role: request.generated.name,
+        linuxUserName: request.generated.ssh.linuxUserName,
+    };
+};
+exports.requestToSsh = requestToSsh;

package/dist/commands/ssh.js

@@ -20,13 +20,10 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const api_1 = require("../drivers/api");
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
 const ssm_1 = require("../plugins/aws/ssm");
 const shared_1 = require("./shared");
-// Matches strings with the pattern "digits:digits" (e.g. 1234:5678)
-const LOCAL_PORT_FORWARD_PATTERN = /^\d+:\d+$/;
 const sshCommand = (yargs) => yargs.command("ssh <destination> [command [arguments..]]", "SSH into a virtual machine", (yargs) => yargs
     .positional("destination", {
     type: "string",
@@ -45,22 +42,19 @@ const sshCommand = (yargs) => yargs.command("ssh <destination> [command [argumen
     array: true,
     string: true,
     default: [],
-})
-    .check((argv) => {
-    if (argv.L == null)
-        return true;
-    return (argv.L.match(LOCAL_PORT_FORWARD_PATTERN) ||
-        "Local port forward should be in the format `local_port:remote_port`");
 })
     .option("L", {
     type: "string",
-    describe: 
-    // the order of the sockets in the address matches the ssh man page
-    "Forward a local port to the remote host; `local_socket:remote_socket`",
+    // Copied from `man ssh`
+    describe: "Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side.",
 })
     .option("N", {
     type: "boolean",
     describe: "Do not execute a remote command. Useful for forwarding ports.",
+})
+    .option("A", {
+    type: "boolean",
+    describe: "Enables forwarding of connections from an authentication agent such as ssh-agent",
 })
     // Match `p0 request --reason`
     .option("reason", {
@@ -70,7 +64,11 @@ const sshCommand = (yargs) => yargs.command("ssh <destination> [command [argumen
     .option("account", {
     type: "string",
     describe: "The account on which the instance is located",
-}), (0, firestore_1.guard)(ssh));
+})
+    .option("debug", {
+    type: "boolean",
+    describe: "Print debug information. The ssh-agent subprocess is not terminated automatically.",
+}), (0, firestore_1.guard)(sshAction));
 exports.sshCommand = sshCommand;
 /** Connect to an SSH backend
  *
@@ -79,17 +77,13 @@ exports.sshCommand = sshCommand;
  * Supported SSH mechanisms:
  * - AWS EC2 via SSM with Okta SAML
  */
-const ssh = (args) => __awaiter(void 0, void 0, void 0, function* () {
+const sshAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     // Prefix is required because the backend uses it to determine that this is an AWS request
     const authn = yield (0, auth_1.authenticate)();
     const destination = args.destination;
-    const requestId = yield (0, shared_1.provisionRequest)(authn, args, destination);
-    if (!requestId) {
+    const result = yield (0, shared_1.provisionRequest)(authn, args, destination);
+    if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
-    const result = yield (0, api_1.fetchExerciseGrant)(authn, {
-        requestId,
-        destination,
-    });
-    yield (0, ssm_1.ssm)(authn, result, args);
+    yield (0, ssm_1.sshOrScp)(authn, (0, shared_1.requestToSsh)(result.request), Object.assign(Object.assign({}, args), { destination }), result.privateKey);
 });

package/dist/common/__mocks__/keys.d.ts

@@ -0,0 +1,13 @@
+/// <reference types="jest" />
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare const TEST_PUBLIC_KEY = "test-public-key";
+export declare const createKeyPair: jest.Mock<any, any, any>;

package/dist/common/__mocks__/keys.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createKeyPair = exports.TEST_PUBLIC_KEY = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+exports.TEST_PUBLIC_KEY = "test-public-key";
+exports.createKeyPair = jest.fn().mockImplementation(() => ({
+    publicKey: "test-public-key",
+    privateKey: "test-private-key",
+}));

package/dist/common/keys.d.ts

@@ -0,0 +1,9 @@
+export declare const PUBLIC_KEY_PATH: string;
+export declare const PRIVATE_KEY_PATH: string;
+/**
+ * Search for a cached key pair, or create a new one if not found
+ */
+export declare const createKeyPair: () => Promise<{
+    publicKey: string;
+    privateKey: string;
+}>;

package/dist/common/keys.js

@@ -0,0 +1,84 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createKeyPair = exports.PRIVATE_KEY_PATH = exports.PUBLIC_KEY_PATH = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const util_1 = require("../util");
+const fs = __importStar(require("fs/promises"));
+const node_forge_1 = __importDefault(require("node-forge"));
+const path = __importStar(require("path"));
+exports.PUBLIC_KEY_PATH = path.join(util_1.P0_PATH, "ssh", "id_rsa.pub");
+exports.PRIVATE_KEY_PATH = path.join(util_1.P0_PATH, "ssh", "id_rsa");
+/**
+ * Search for a cached key pair, or create a new one if not found
+ */
+const createKeyPair = () => __awaiter(void 0, void 0, void 0, function* () {
+    if ((yield fileExists(exports.PUBLIC_KEY_PATH)) &&
+        (yield fileExists(exports.PRIVATE_KEY_PATH))) {
+        const publicKey = yield fs.readFile(exports.PUBLIC_KEY_PATH, "utf8");
+        const privateKey = yield fs.readFile(exports.PRIVATE_KEY_PATH, "utf8");
+        return { publicKey, privateKey };
+    }
+    else {
+        const rsaKeyPair = node_forge_1.default.pki.rsa.generateKeyPair({ bits: 2048 });
+        const privateKey = node_forge_1.default.pki.privateKeyToPem(rsaKeyPair.privateKey);
+        const publicKey = node_forge_1.default.ssh.publicKeyToOpenSSH(rsaKeyPair.publicKey);
+        yield fs.mkdir(path.dirname(exports.PUBLIC_KEY_PATH), { recursive: true });
+        yield fs.writeFile(exports.PUBLIC_KEY_PATH, publicKey, { mode: 0o600 });
+        yield fs.writeFile(exports.PRIVATE_KEY_PATH, privateKey, { mode: 0o600 });
+        return { publicKey, privateKey };
+    }
+});
+exports.createKeyPair = createKeyPair;
+const fileExists = (path) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield fs.access(path);
+        return true;
+    }
+    catch (error) {
+        return false;
+    }
+});

package/dist/drivers/api.d.ts

@@ -1,20 +1,4 @@
-/** Copyright © 2024-present P0 Security
-
-This file is part of @p0security/cli
-
-@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
-
-@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
-**/
-import { ExerciseGrantResponse } from "../commands/shared";
 import { Authn } from "../types/identity";
 import yargs from "yargs";
 export declare const fetchCommand: <T>(authn: Authn, args: yargs.ArgumentsCamelCase, argv: string[]) => Promise<T>;
-export declare const fetchExerciseGrant: (authn: Authn, args: {
-    requestId: string;
-    destination: string;
-    publicKey?: string;
-}) => Promise<ExerciseGrantResponse>;
 export declare const baseFetch: <T>(authn: Authn, url: string, method: string, body: string) => Promise<T>;

package/dist/drivers/api.js

@@ -32,12 +32,21 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.baseFetch = exports.fetchExerciseGrant = exports.fetchCommand = void 0;
+exports.baseFetch = exports.fetchCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
 const env_1 = require("../drivers/env");
 const path = __importStar(require("node:path"));
 const tenantUrl = (tenant) => `${env_1.config.appUrl}/o/${tenant}`;
 const commandUrl = (tenant) => `${tenantUrl(tenant)}/command/`;
-const exerciseGrantUrl = (tenant) => `${tenantUrl(tenant)}/exercise-grant/`;
 const fetchCommand = (authn, args, argv) => __awaiter(void 0, void 0, void 0, function* () {
     return (0, exports.baseFetch)(authn, commandUrl(authn.identity.org.slug), "POST", JSON.stringify({
         argv,
@@ -45,10 +54,6 @@ const fetchCommand = (authn, args, argv) => __awaiter(void 0, void 0, void 0, fu
     }));
 });
 exports.fetchCommand = fetchCommand;
-const fetchExerciseGrant = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
-    return (0, exports.baseFetch)(authn, exerciseGrantUrl(authn.identity.org.slug), "POST", JSON.stringify(args));
-});
-exports.fetchExerciseGrant = fetchExerciseGrant;
 const baseFetch = (authn, url, method, body) => __awaiter(void 0, void 0, void 0, function* () {
     const token = yield authn.userCredential.user.getIdToken();
     const response = yield fetch(url, {

package/dist/plugins/aws/assumeRole.js

@@ -26,9 +26,10 @@ const api_1 = require("./api");
 const api_2 = require("./api");
 const roleArn = (args) => `${(0, api_1.arnPrefix)(args.account)}:role/${args.role}`;
 const stsAssume = (params) => __awaiter(void 0, void 0, void 0, function* () {
-    const url = `https://sts.amazonaws.com?${(0, fetch_1.urlEncode)(params)}`;
+    const url = `https://sts.amazonaws.com`;
     const response = yield fetch(url, {
-        method: "GET",
+        method: "POST",
+        body: new URLSearchParams(params),
     });
     yield (0, fetch_1.validateResponse)(response);
     const stsXml = yield response.text();

package/dist/plugins/aws/ssm/index.d.ts

@@ -8,8 +8,6 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { ExerciseGrantResponse, ScpCommandArgs, SshCommandArgs } from "../../../commands/shared";
+import { ScpCommandArgs, SshCommandArgs, SshRequest } from "../../../commands/shared";
 import { Authn } from "../../../types/identity";
-/** Connect to an SSH backend using AWS Systems Manager (SSM) */
-export declare const ssm: (authn: Authn, request: ExerciseGrantResponse, args: SshCommandArgs) => Promise<void>;
-export declare const scp: (authn: Authn, data: ExerciseGrantResponse, args: ScpCommandArgs, privateKey: string) => Promise<number | null>;
+export declare const sshOrScp: (authn: Authn, data: SshRequest, cmdArgs: ScpCommandArgs | SshCommandArgs, privateKey: string) => Promise<number | null>;