@p0security/cli 0.6.2 → 0.8.0

package/dist/plugins/okta/login.js

@@ -8,9 +8,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getSamlResponse = exports.oktaLogin = void 0;
 /** Copyright © 2024-present P0 Security
@@ -25,81 +22,13 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const oidc_1 = require("../../common/auth/oidc");
 const fetch_1 = require("../../common/fetch");
-const stdio_1 = require("../../drivers/stdio");
-const util_1 = require("../../util");
+const login_1 = require("../oidc/login");
 const jsdom_1 = require("jsdom");
 const lodash_1 = require("lodash");
-const open_1 = __importDefault(require("open"));
-const DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
 const ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
 const ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token";
 const TOKEN_EXCHANGE_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange";
 const WEB_SSO_TOKEN_TYPE = "urn:okta:oauth:token-type:web_sso_token";
-const validateProviderDomain = (org) => {
-    if (!org.providerDomain)
-        throw "Okta login requires a configured provider domain.";
-};
-/** Executes the first step of Okta's device-authorization grant flow */
-// cf. https://developer.okta.com/docs/guides/device-authorization-grant/main/
-const authorize = (org) => __awaiter(void 0, void 0, void 0, function* () {
-    const init = {
-        method: "POST",
-        headers: oidc_1.OIDC_HEADERS,
-        body: (0, fetch_1.urlEncode)({
-            client_id: org.clientId,
-            scope: "openid email profile okta.apps.sso",
-        }),
-    };
-    validateProviderDomain(org);
-    // This is the "org" authorization server; the okta.apps.* scopes are not
-    // available with custom authorization servers
-    const response = yield fetch(`https:${org.providerDomain}/oauth2/v1/device/authorize`, init);
-    yield (0, fetch_1.validateResponse)(response);
-    return (yield response.json());
-});
-/** Attempts to fetch this device's OIDC token
- *
- * The authorization may or may not be granted at this stage. If it is not, the
- * authorization server will return "authorization_pending", in which case this
- * function will return undefined.
- */
-const fetchOidcToken = (org, authorize) => __awaiter(void 0, void 0, void 0, function* () {
-    const init = {
-        method: "POST",
-        headers: oidc_1.OIDC_HEADERS,
-        body: (0, fetch_1.urlEncode)({
-            client_id: org.clientId,
-            device_code: authorize.device_code,
-            grant_type: DEVICE_GRANT_TYPE,
-        }),
-    };
-    validateProviderDomain(org);
-    const response = yield fetch(`https:${org.providerDomain}/oauth2/v1/token`, init);
-    if (!response.ok) {
-        if (response.status === 400) {
-            const data = yield response.json();
-            if (data.error === "authorization_pending")
-                return undefined;
-        }
-        yield (0, fetch_1.validateResponse)(response);
-    }
-    return (yield response.json());
-});
-/** Waits until user device authorization is complete
- *
- * Returns the OIDC token after completion.
- */
-const waitForActivation = (org, authorize) => __awaiter(void 0, void 0, void 0, function* () {
-    const start = Date.now();
-    while (Date.now() - start <= authorize.expires_in * 1e3) {
-        const response = yield fetchOidcToken(org, authorize);
-        if (!response)
-            yield (0, util_1.sleep)(authorize.interval * 1e3);
-        else
-            return response;
-    }
-    throw "Expired awaiting in-browser authorization.";
-});
 /** Exchanges an Okta OIDC SSO token for an Okta app SSO token */
 const fetchSsoWebToken = (appId, { org, credential }) => __awaiter(void 0, void 0, void 0, function* () {
     const init = {
@@ -116,7 +45,7 @@ const fetchSsoWebToken = (appId, { org, credential }) => __awaiter(void 0, void
             requested_token_type: WEB_SSO_TOKEN_TYPE,
         }),
     };
-    validateProviderDomain(org);
+    (0, login_1.validateProviderDomain)(org);
     const response = yield fetch(`https:${org.providerDomain}/oauth2/v1/token`, init);
     yield (0, fetch_1.validateResponse)(response);
     return (yield response.json());
@@ -127,7 +56,7 @@ const fetchSamlResponse = (org, { access_token }) => __awaiter(void 0, void 0, v
         method: "GET",
         headers: (0, lodash_1.omit)(oidc_1.OIDC_HEADERS, "Content-Type"),
     };
-    validateProviderDomain(org);
+    (0, login_1.validateProviderDomain)(org);
     const url = `https://${org.providerDomain}/login/token/sso?token=${encodeURIComponent(access_token)}`;
     const response = yield fetch(url, init);
     yield (0, fetch_1.validateResponse)(response);
@@ -137,20 +66,7 @@ const fetchSamlResponse = (org, { access_token }) => __awaiter(void 0, void 0, v
     return samlInput === null || samlInput === void 0 ? void 0 : samlInput.value;
 });
 /** Logs in to Okta via OIDC */
-const oktaLogin = (org) => __awaiter(void 0, void 0, void 0, function* () {
-    const authorizeResponse = yield authorize(org);
-    (0, stdio_1.print2)(`Please use the opened browser window to continue your P0 login.
-  
-When prompted, confirm that Okta displays this code:
-
-  ${authorizeResponse.user_code}
-
-Waiting for authorization...
-`);
-    void (0, open_1.default)(authorizeResponse.verification_uri_complete);
-    const oidcResponse = yield waitForActivation(org, authorizeResponse);
-    return oidcResponse;
-});
+const oktaLogin = (org) => __awaiter(void 0, void 0, void 0, function* () { return (0, login_1.oidcLogin)(org, "openid email profile okta.apps.sso"); });
 exports.oktaLogin = oktaLogin;
 /** Retrieves a SAML response for an okta app */
 // TODO: Inject Okta app

package/dist/plugins/ping/login.d.ts

@@ -0,0 +1,13 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { OrgData } from "../../types/org";
+/** Logs in to PingOne via OIDC */
+export declare const pingLogin: (org: OrgData) => Promise<import("../../types/oidc").TokenResponse>;

package/dist/plugins/ping/login.js

@@ -0,0 +1,16 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pingLogin = void 0;
+const login_1 = require("../oidc/login");
+/** Logs in to PingOne via OIDC */
+const pingLogin = (org) => __awaiter(void 0, void 0, void 0, function* () { return (0, login_1.oidcLogin)(org, "openid email profile"); });
+exports.pingLogin = pingLogin;

package/dist/plugins/ssh-agent/index.d.ts

@@ -0,0 +1,4 @@
+import { AgentArgs } from "./types";
+export declare const privateKeyExists: (args: AgentArgs) => Promise<boolean>;
+export declare const addPrivateKey: (args: AgentArgs) => Promise<boolean>;
+export declare const withSshAgent: <T>(args: AgentArgs, fn: () => Promise<T>) => Promise<T>;

package/dist/plugins/ssh-agent/index.js

@@ -0,0 +1,136 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withSshAgent = exports.addPrivateKey = exports.privateKeyExists = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const keys_1 = require("../../common/keys");
+const stdio_1 = require("../../drivers/stdio");
+const node_child_process_1 = require("node:child_process");
+/** Spawns a subprocess with given command, args, and options.
+ * May write content to its standard input.
+ * Stdout and stderr of the subprocess is printed to stderr in debug mode.
+ * The returned promise resolves or rejects with the exit code. */
+const asyncSpawn = ({ debug }, command, args, options, writeStdin) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        var _a;
+        const child = (0, node_child_process_1.spawn)(command, args, options);
+        if (writeStdin) {
+            if (!child.stdin)
+                return reject("Child process has no stdin");
+            child.stdin.write(writeStdin);
+        }
+        child.stdout.on("data", (data) => {
+            if (debug) {
+                (0, stdio_1.print2)(data.toString("utf-8"));
+            }
+        });
+        child.stderr.on("data", (data) => {
+            if (debug) {
+                (0, stdio_1.print2)(data.toString("utf-8"));
+            }
+        });
+        child.on("exit", (code) => {
+            if (code !== 0) {
+                return reject(code);
+            }
+            resolve(code);
+        });
+        if (writeStdin) {
+            (_a = child.stdin) === null || _a === void 0 ? void 0 : _a.end();
+        }
+    });
+});
+const isSshAgentRunning = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        if (args.debug)
+            (0, stdio_1.print2)("Searching for active ssh-agents");
+        // TODO: There's a possible edge-case but unlikely that ssh-agent has an invalid process or PID.
+        // We can check to see if the active PID matches the current socket to mitigate this.
+        yield asyncSpawn(args, `pgrep`, ["-x", "ssh-agent"]);
+        if (args.debug)
+            (0, stdio_1.print2)("At least one SSH agent is running");
+        return true;
+    }
+    catch (_a) {
+        if (args.debug)
+            (0, stdio_1.print2)("No SSH agent is running!");
+        return false;
+    }
+});
+const isSshAgentAuthSocketSet = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield asyncSpawn(args, `sh`, ["-c", '[ -n "$SSH_AUTH_SOCK" ]']);
+        if (args.debug)
+            (0, stdio_1.print2)(`SSH_AUTH_SOCK=${process.env.SSH_AUTH_SOCK}`);
+        return true;
+    }
+    catch (_b) {
+        if (args.debug)
+            (0, stdio_1.print2)("SSH_AUTH_SOCK is not set!");
+        return false;
+    }
+});
+const privateKeyExists = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield asyncSpawn(args, `sh`, [
+            "-c",
+            `KEY_PATH="${keys_1.PRIVATE_KEY_PATH}" && KEY_FINGERPRINT=$(ssh-keygen -lf "$KEY_PATH" | awk '{print $2}') && ssh-add -l | grep -q "$KEY_FINGERPRINT" && exit 0 || exit 1`,
+        ]);
+        if (args.debug)
+            (0, stdio_1.print2)("Private key exists in ssh agent");
+        return true;
+    }
+    catch (_c) {
+        if (args.debug)
+            (0, stdio_1.print2)("Private key does not exist in ssh agent");
+        return false;
+    }
+});
+exports.privateKeyExists = privateKeyExists;
+const addPrivateKey = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield asyncSpawn(args, `ssh-add`, [
+            keys_1.PRIVATE_KEY_PATH,
+            ...(args.debug ? ["-v", "-v", "-v"] : ["-q"]),
+        ]);
+        if (args.debug)
+            (0, stdio_1.print2)("Private key added to ssh agent");
+        return true;
+    }
+    catch (_d) {
+        if (args.debug)
+            (0, stdio_1.print2)("Failed to add private key to ssh agent");
+        return false;
+    }
+});
+exports.addPrivateKey = addPrivateKey;
+const withSshAgent = (args, fn) => __awaiter(void 0, void 0, void 0, function* () {
+    const isRunning = yield isSshAgentRunning(args);
+    const hasSocket = yield isSshAgentAuthSocketSet(args);
+    if (!isRunning || !hasSocket) {
+        throw "SSH agent is not running. Please start it by running: eval $(ssh-agent)";
+    }
+    const hasKey = yield (0, exports.privateKeyExists)(args);
+    if (!hasKey) {
+        yield (0, exports.addPrivateKey)(args);
+    }
+    return yield fn();
+});
+exports.withSshAgent = withSshAgent;

package/dist/plugins/ssh-agent/types.d.ts

@@ -0,0 +1,13 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare type AgentArgs = {
+    debug?: boolean;
+};

package/dist/plugins/ssh-agent/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/allow.d.ts

@@ -0,0 +1,14 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare type AllowResponse = {
+    ok: true;
+    message: string;
+};

package/dist/types/allow.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/org.d.ts

@@ -8,13 +8,21 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-/** Publicly readable organization data */
-export declare type OrgData = {
+declare type BaseOrgData = {
     clientId: string;
     providerId: string;
     providerDomain?: string;
-    providerType?: "okta";
     ssoProvider: "azure-oidc" | "google-oidc" | "google" | "microsoft" | "oidc-pkce" | "okta";
-    slug: string;
     tenantId: string;
 };
+/** Publicly readable organization data */
+export declare type RawOrgData = BaseOrgData & ({
+    providerType?: "okta";
+} | {
+    providerType?: "ping";
+    environmentId: string;
+});
+export declare type OrgData = RawOrgData & {
+    slug: string;
+};
+export {};

package/dist/types/org.js

@@ -1,2 +1,12 @@
 "use strict";
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
 Object.defineProperty(exports, "__esModule", { value: true });

package/dist/util.d.ts

@@ -40,3 +40,6 @@ export declare const exec: (command: string, args: string[], options?: child_pro
     stdout: string;
     stderr: string;
 }>;
+export declare const throwAssertNever: (value: never) => never;
+export declare const assertNever: (value: never) => Error;
+export declare const unexpectedValueError: (value: any) => Error;

package/dist/util.js

@@ -12,7 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.exec = exports.timeout = exports.sleep = exports.P0_PATH = void 0;
+exports.unexpectedValueError = exports.assertNever = exports.throwAssertNever = exports.exec = exports.timeout = exports.sleep = exports.P0_PATH = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -85,3 +85,13 @@ const exec = (command, args, options) => __awaiter(void 0, void 0, void 0, funct
     });
 });
 exports.exec = exec;
+const throwAssertNever = (value) => {
+    throw (0, exports.assertNever)(value);
+};
+exports.throwAssertNever = throwAssertNever;
+const assertNever = (value) => {
+    return (0, exports.unexpectedValueError)(value);
+};
+exports.assertNever = assertNever;
+const unexpectedValueError = (value) => new Error(`Unexpected code state: value ${value} had unexpected type`);
+exports.unexpectedValueError = unexpectedValueError;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.6.2",
+  "version": "0.8.0",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {
@@ -31,7 +31,6 @@
     "open": "^8.4.0",
     "pkce-challenge": "^4.1.0",
     "pluralize": "^8.0.0",
-    "ps-tree": "^1.2.0",
     "semver": "^7.6.0",
     "typescript": "^4.8.4",
     "which": "^4.0.0",
@@ -47,7 +46,6 @@
     "@types/node": "^18.11.7",
     "@types/node-forge": "^1.3.11",
     "@types/pluralize": "^0.0.33",
-    "@types/ps-tree": "^1.1.6",
     "@types/which": "^3.0.3",
     "@types/yargs": "^17.0.13",
     "@typescript-eslint/eslint-plugin": "^6.4.0",