@p0security/cli 0.7.1 → 0.8.0

package/dist/commands/__tests__/ssh.test.js

@@ -22,6 +22,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+const keys_1 = require("../../common/__mocks__/keys");
 const api_1 = require("../../drivers/api");
 const stdio_1 = require("../../drivers/stdio");
 const ssm_1 = require("../../plugins/aws/ssm");
@@ -35,10 +36,28 @@ jest.mock("../../drivers/api");
 jest.mock("../../drivers/auth");
 jest.mock("../../drivers/stdio");
 jest.mock("../../plugins/aws/ssm");
+jest.mock("../../common/keys");
 const mockFetchCommand = api_1.fetchCommand;
 const mockSshOrScp = ssm_1.sshOrScp;
 const mockPrint1 = stdio_1.print1;
 const mockPrint2 = stdio_1.print2;
+const MOCK_REQUEST = {
+    status: "DONE",
+    generated: {
+        name: "name",
+        ssh: {
+            linuxUserName: "linuxUserName",
+            publicKey: keys_1.TEST_PUBLIC_KEY,
+        },
+    },
+    permission: {
+        spec: {
+            instanceId: "instanceId",
+            accountId: "accountId",
+            region: "region",
+        },
+    },
+};
 (0, firestore_1.mockGetDoc)({
     "iam-write": {
         ["aws:test-account"]: {
@@ -68,9 +87,6 @@ describe("ssh", () => {
                             },
                         },
                     },
-                    generated: {
-                        documentName: "documentName",
-                    },
                 },
             });
         });
@@ -103,9 +119,7 @@ describe("ssh", () => {
                 status: "APPROVED",
             });
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
-            firestore_2.onSnapshot.trigger({
-                status: "DONE",
-            });
+            firestore_2.onSnapshot.trigger(MOCK_REQUEST);
             yield expect(promise).resolves.toBeDefined();
             expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
             expect(mockPrint1).not.toHaveBeenCalled();
@@ -118,9 +132,7 @@ describe("ssh", () => {
                 status: "APPROVED",
             });
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
-            firestore_2.onSnapshot.trigger({
-                status: "DONE",
-            });
+            firestore_2.onSnapshot.trigger(MOCK_REQUEST);
             yield expect(promise).resolves.toBeDefined();
             expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
             expect(mockPrint1).not.toHaveBeenCalled();

package/dist/commands/scp.js

@@ -20,7 +20,6 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const api_1 = require("../drivers/api");
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
 const ssm_1 = require("../plugins/aws/ssm");
@@ -70,19 +69,15 @@ const scpAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     if (!host) {
         throw "Could not determine host identifier from source or destination";
     }
-    const requestId = yield (0, shared_1.provisionRequest)(authn, args, host);
-    if (!requestId) {
+    const result = yield (0, shared_1.provisionRequest)(authn, args, host);
+    if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
-    const { publicKey, privateKey } = (0, shared_1.createKeyPair)();
-    const result = yield (0, api_1.fetchExerciseGrant)(authn, {
-        requestId,
-        destination: host,
-        publicKey,
-    });
+    const { request, privateKey } = result;
+    const data = (0, shared_1.requestToSsh)(request);
     // replace the host with the linuxUserName@instanceId
-    const { source, destination } = replaceHostWithInstance(result, args);
-    yield (0, ssm_1.sshOrScp)(authn, result, Object.assign(Object.assign({}, args), { source,
+    const { source, destination } = replaceHostWithInstance(data, args);
+    yield (0, ssm_1.sshOrScp)(authn, data, Object.assign(Object.assign({}, args), { source,
         destination }), privateKey);
 });
 /** If a path is not explicitly local, use this pattern to determine if it's remote */
@@ -106,10 +101,10 @@ const replaceHostWithInstance = (result, args) => {
     let source = args.source;
     let destination = args.destination;
     if (isExplicitlyRemote(source)) {
-        source = `${result.linuxUserName}@${result.instance.id}:${source.split(":")[1]}`;
+        source = `${result.linuxUserName}@${result.id}:${source.split(":")[1]}`;
     }
     if (isExplicitlyRemote(destination)) {
-        destination = `${result.linuxUserName}@${result.instance.id}:${destination.split(":")[1]}`;
+        destination = `${result.linuxUserName}@${result.id}:${destination.split(":")[1]}`;
     }
     return { source, destination };
 };

package/dist/commands/shared.d.ts

@@ -1,17 +1,13 @@
+import { AwsSsh } from "../plugins/aws/types";
 import { Authn } from "../types/identity";
+import { Request } from "../types/request";
 import yargs from "yargs";
-export declare type ExerciseGrantResponse = {
-    documentName: string;
+export declare type SshRequest = {
     linuxUserName: string;
-    ok: true;
     role: string;
-    instance: {
-        arn: string;
-        accountId: string;
-        region: string;
-        id: string;
-        name?: string;
-    };
+    accountId: string;
+    region: string;
+    id: string;
 };
 export declare type BaseSshCommandArgs = {
     sudo?: boolean;
@@ -34,8 +30,9 @@ export declare type SshCommandArgs = BaseSshCommandArgs & {
     command?: string;
     debug?: boolean;
 };
-export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<string | undefined>;
-export declare const createKeyPair: () => {
+export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<{
+    request: Request<AwsSsh>;
     publicKey: string;
     privateKey: string;
-};
+} | undefined>;
+export declare const requestToSsh: (request: AwsSsh) => SshRequest;

package/dist/commands/shared.js

@@ -8,11 +8,8 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createKeyPair = exports.provisionRequest = void 0;
+exports.requestToSsh = exports.provisionRequest = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -23,13 +20,13 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+const keys_1 = require("../common/keys");
 const firestore_1 = require("../drivers/firestore");
 const stdio_1 = require("../drivers/stdio");
 const request_1 = require("../types/request");
 const request_2 = require("./request");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
-const node_forge_1 = __importDefault(require("node-forge"));
 /** Maximum amount of time to wait after access is approved to wait for access
  *  to be configured
  */
@@ -82,10 +79,13 @@ const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void
 });
 const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0, void 0, function* () {
     yield validateSshInstall(authn);
+    const { publicKey, privateKey } = yield (0, keys_1.createKeyPair)();
     const response = yield (0, request_2.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
             "ssh",
             "session",
             destination,
+            "--public-key",
+            publicKey,
             // Prefix is required because the backend uses it to determine that this is an AWS request
             "--provider",
             "aws",
@@ -100,14 +100,20 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     const { id, isPreexisting } = response;
     if (!isPreexisting)
         (0, stdio_1.print2)("Waiting for access to be provisioned");
-    yield waitForProvisioning(authn, id);
-    return id;
+    const provisionedRequest = yield waitForProvisioning(authn, id);
+    if (provisionedRequest.generated.ssh.publicKey !== publicKey) {
+        throw "Public key mismatch. Please revoke the request and try again.";
+    }
+    return { request: provisionedRequest, publicKey, privateKey };
 });
 exports.provisionRequest = provisionRequest;
-const createKeyPair = () => {
-    const rsaKeyPair = node_forge_1.default.pki.rsa.generateKeyPair({ bits: 2048 });
-    const privateKey = node_forge_1.default.pki.privateKeyToPem(rsaKeyPair.privateKey);
-    const publicKey = node_forge_1.default.ssh.publicKeyToOpenSSH(rsaKeyPair.publicKey);
-    return { publicKey, privateKey };
+const requestToSsh = (request) => {
+    return {
+        id: request.permission.spec.instanceId,
+        accountId: request.permission.spec.accountId,
+        region: request.permission.spec.region,
+        role: request.generated.name,
+        linuxUserName: request.generated.ssh.linuxUserName,
+    };
 };
-exports.createKeyPair = createKeyPair;
+exports.requestToSsh = requestToSsh;

package/dist/commands/ssh.js

@@ -20,7 +20,6 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const api_1 = require("../drivers/api");
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
 const ssm_1 = require("../plugins/aws/ssm");
@@ -82,15 +81,9 @@ const sshAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     // Prefix is required because the backend uses it to determine that this is an AWS request
     const authn = yield (0, auth_1.authenticate)();
     const destination = args.destination;
-    const requestId = yield (0, shared_1.provisionRequest)(authn, args, destination);
-    if (!requestId) {
+    const result = yield (0, shared_1.provisionRequest)(authn, args, destination);
+    if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
-    const { publicKey, privateKey } = (0, shared_1.createKeyPair)();
-    const result = yield (0, api_1.fetchExerciseGrant)(authn, {
-        requestId,
-        destination,
-        publicKey,
-    });
-    yield (0, ssm_1.sshOrScp)(authn, result, Object.assign(Object.assign({}, args), { destination }), privateKey);
+    yield (0, ssm_1.sshOrScp)(authn, (0, shared_1.requestToSsh)(result.request), Object.assign(Object.assign({}, args), { destination }), result.privateKey);
 });

package/dist/common/__mocks__/keys.d.ts

@@ -0,0 +1,13 @@
+/// <reference types="jest" />
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare const TEST_PUBLIC_KEY = "test-public-key";
+export declare const createKeyPair: jest.Mock<any, any, any>;

package/dist/common/__mocks__/keys.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createKeyPair = exports.TEST_PUBLIC_KEY = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+exports.TEST_PUBLIC_KEY = "test-public-key";
+exports.createKeyPair = jest.fn().mockImplementation(() => ({
+    publicKey: "test-public-key",
+    privateKey: "test-private-key",
+}));

package/dist/common/keys.d.ts

@@ -0,0 +1,9 @@
+export declare const PUBLIC_KEY_PATH: string;
+export declare const PRIVATE_KEY_PATH: string;
+/**
+ * Search for a cached key pair, or create a new one if not found
+ */
+export declare const createKeyPair: () => Promise<{
+    publicKey: string;
+    privateKey: string;
+}>;

package/dist/common/keys.js

@@ -0,0 +1,84 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createKeyPair = exports.PRIVATE_KEY_PATH = exports.PUBLIC_KEY_PATH = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const util_1 = require("../util");
+const fs = __importStar(require("fs/promises"));
+const node_forge_1 = __importDefault(require("node-forge"));
+const path = __importStar(require("path"));
+exports.PUBLIC_KEY_PATH = path.join(util_1.P0_PATH, "ssh", "id_rsa.pub");
+exports.PRIVATE_KEY_PATH = path.join(util_1.P0_PATH, "ssh", "id_rsa");
+/**
+ * Search for a cached key pair, or create a new one if not found
+ */
+const createKeyPair = () => __awaiter(void 0, void 0, void 0, function* () {
+    if ((yield fileExists(exports.PUBLIC_KEY_PATH)) &&
+        (yield fileExists(exports.PRIVATE_KEY_PATH))) {
+        const publicKey = yield fs.readFile(exports.PUBLIC_KEY_PATH, "utf8");
+        const privateKey = yield fs.readFile(exports.PRIVATE_KEY_PATH, "utf8");
+        return { publicKey, privateKey };
+    }
+    else {
+        const rsaKeyPair = node_forge_1.default.pki.rsa.generateKeyPair({ bits: 2048 });
+        const privateKey = node_forge_1.default.pki.privateKeyToPem(rsaKeyPair.privateKey);
+        const publicKey = node_forge_1.default.ssh.publicKeyToOpenSSH(rsaKeyPair.publicKey);
+        yield fs.mkdir(path.dirname(exports.PUBLIC_KEY_PATH), { recursive: true });
+        yield fs.writeFile(exports.PUBLIC_KEY_PATH, publicKey, { mode: 0o600 });
+        yield fs.writeFile(exports.PRIVATE_KEY_PATH, privateKey, { mode: 0o600 });
+        return { publicKey, privateKey };
+    }
+});
+exports.createKeyPair = createKeyPair;
+const fileExists = (path) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield fs.access(path);
+        return true;
+    }
+    catch (error) {
+        return false;
+    }
+});

package/dist/drivers/api.d.ts

@@ -1,20 +1,4 @@
-/** Copyright © 2024-present P0 Security
-
-This file is part of @p0security/cli
-
-@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
-
-@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
-**/
-import { ExerciseGrantResponse } from "../commands/shared";
 import { Authn } from "../types/identity";
 import yargs from "yargs";
 export declare const fetchCommand: <T>(authn: Authn, args: yargs.ArgumentsCamelCase, argv: string[]) => Promise<T>;
-export declare const fetchExerciseGrant: (authn: Authn, args: {
-    requestId: string;
-    destination: string;
-    publicKey?: string;
-}) => Promise<ExerciseGrantResponse>;
 export declare const baseFetch: <T>(authn: Authn, url: string, method: string, body: string) => Promise<T>;

package/dist/drivers/api.js

@@ -32,12 +32,21 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.baseFetch = exports.fetchExerciseGrant = exports.fetchCommand = void 0;
+exports.baseFetch = exports.fetchCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
 const env_1 = require("../drivers/env");
 const path = __importStar(require("node:path"));
 const tenantUrl = (tenant) => `${env_1.config.appUrl}/o/${tenant}`;
 const commandUrl = (tenant) => `${tenantUrl(tenant)}/command/`;
-const exerciseGrantUrl = (tenant) => `${tenantUrl(tenant)}/exercise-grant/`;
 const fetchCommand = (authn, args, argv) => __awaiter(void 0, void 0, void 0, function* () {
     return (0, exports.baseFetch)(authn, commandUrl(authn.identity.org.slug), "POST", JSON.stringify({
         argv,
@@ -45,10 +54,6 @@ const fetchCommand = (authn, args, argv) => __awaiter(void 0, void 0, void 0, fu
     }));
 });
 exports.fetchCommand = fetchCommand;
-const fetchExerciseGrant = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
-    return (0, exports.baseFetch)(authn, exerciseGrantUrl(authn.identity.org.slug), "POST", JSON.stringify(args));
-});
-exports.fetchExerciseGrant = fetchExerciseGrant;
 const baseFetch = (authn, url, method, body) => __awaiter(void 0, void 0, void 0, function* () {
     const token = yield authn.userCredential.user.getIdToken();
     const response = yield fetch(url, {

package/dist/index.d.ts

@@ -1,2 +1 @@
-export declare const TERMINATION_CONTROLLER: AbortController;
 export declare const main: () => void;

package/dist/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.main = exports.TERMINATION_CONTROLLER = void 0;
+exports.main = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -13,17 +13,6 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const commands_1 = require("./commands");
 const lodash_1 = require("lodash");
-const node_os_1 = require("node:os");
-// Subscribing to this global abort controller allows handling process termination signals anywhere in the application
-exports.TERMINATION_CONTROLLER = new AbortController();
-const terminationHandler = (code) => () => {
-    exports.TERMINATION_CONTROLLER.abort(code);
-    process.exit(128 + code); // by convention the exit code is the signal code + 128
-};
-process.on("SIGHUP", terminationHandler(node_os_1.constants.signals.SIGHUP));
-process.on("SIGINT", terminationHandler(node_os_1.constants.signals.SIGINT));
-process.on("SIGQUIT", terminationHandler(node_os_1.constants.signals.SIGQUIT));
-process.on("SIGTERM", terminationHandler(node_os_1.constants.signals.SIGTERM));
 const main = () => {
     // We can suppress output here, as .fail() already print1 errors
     void commands_1.cli.parse().catch(lodash_1.noop);

package/dist/plugins/aws/assumeRole.js

@@ -26,9 +26,10 @@ const api_1 = require("./api");
 const api_2 = require("./api");
 const roleArn = (args) => `${(0, api_1.arnPrefix)(args.account)}:role/${args.role}`;
 const stsAssume = (params) => __awaiter(void 0, void 0, void 0, function* () {
-    const url = `https://sts.amazonaws.com?${(0, fetch_1.urlEncode)(params)}`;
+    const url = `https://sts.amazonaws.com`;
     const response = yield fetch(url, {
-        method: "GET",
+        method: "POST",
+        body: new URLSearchParams(params),
     });
     yield (0, fetch_1.validateResponse)(response);
     const stsXml = yield response.text();

package/dist/plugins/aws/ssm/index.d.ts

@@ -8,6 +8,6 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { ExerciseGrantResponse, ScpCommandArgs, SshCommandArgs } from "../../../commands/shared";
+import { ScpCommandArgs, SshCommandArgs, SshRequest } from "../../../commands/shared";
 import { Authn } from "../../../types/identity";
-export declare const sshOrScp: (authn: Authn, data: ExerciseGrantResponse, cmdArgs: ScpCommandArgs | SshCommandArgs, privateKey: string) => Promise<number | null>;
+export declare const sshOrScp: (authn: Authn, data: SshRequest, cmdArgs: ScpCommandArgs | SshCommandArgs, privateKey: string) => Promise<number | null>;

package/dist/plugins/aws/ssm/index.js

@@ -10,6 +10,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.sshOrScp = void 0;
+const keys_1 = require("../../../common/keys");
 const stdio_1 = require("../../../drivers/stdio");
 const aws_1 = require("../../okta/aws");
 const ssh_agent_1 = require("../../ssh-agent");
@@ -81,8 +82,8 @@ const createBaseSsmCommand = (args) => {
         args.instance,
     ];
 };
-const spawnChildProcess = (credential, command, args, stdio, sshAgentEnv) => (0, node_child_process_1.spawn)(command, args, {
-    env: Object.assign(Object.assign(Object.assign({}, process.env), credential), (sshAgentEnv || {})),
+const spawnChildProcess = (credential, command, args, stdio) => (0, node_child_process_1.spawn)(command, args, {
+    env: Object.assign(Object.assign({}, process.env), credential),
     stdio,
     shell: false,
 });
@@ -93,7 +94,7 @@ const spawnChildProcess = (credential, command, args, stdio, sshAgentEnv) => (0,
 function spawnSsmNode(options) {
     return __awaiter(this, void 0, void 0, function* () {
         return new Promise((resolve, reject) => {
-            const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio, options.sshAgentEnv);
+            const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio);
             const { isAccessPropagated } = accessPropagationGuard(child);
             const exitListener = child.on("exit", (code) => {
                 var _a, _b;
@@ -118,10 +119,10 @@ function spawnSsmNode(options) {
         });
     });
 }
-const createProxyCommands = (data, args, sshAuthSock, debug) => {
+const createProxyCommands = (data, args, debug) => {
     const ssmCommand = [
         ...createBaseSsmCommand({
-            region: data.instance.region,
+            region: data.region,
             instance: "%h",
         }),
         "--document-name",
@@ -131,9 +132,6 @@ const createProxyCommands = (data, args, sshAuthSock, debug) => {
     ];
     const commonArgs = [
         ...(debug ? ["-v"] : []),
-        // ignore any overrides in the user's config file, we only want to use the ssh-agent we've set up for the session
-        "-o",
-        `IdentityAgent=${sshAuthSock}`,
         "-o",
         `ProxyCommand=${ssmCommand.join(" ")}`,
     ];
@@ -161,7 +159,7 @@ const createProxyCommands = (data, args, sshAuthSock, debug) => {
             ...(args.A ? ["-A"] : []),
             ...(args.L ? ["-L", args.L] : []),
             ...(args.N ? ["-N"] : []),
-            `${data.linuxUserName}@${data.instance.id}`,
+            `${data.linuxUserName}@${data.id}`,
             ...(args.command ? [args.command] : []),
             ...args.arguments.map((argument) => 
             // escape all double quotes (") in commands such as `p0 ssh <instance>> echo 'hello; "world"'` because we
@@ -189,28 +187,22 @@ const sshOrScp = (authn, data, cmdArgs, privateKey) => __awaiter(void 0, void 0,
         throw "Failed to load a private key for this request. Please contact support@p0.dev for assistance.";
     }
     const credential = yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
-        account: data.instance.accountId,
+        account: data.accountId,
         role: data.role,
     });
-    return (0, ssh_agent_1.withSshAgent)(cmdArgs, (sshAgentEnv) => __awaiter(void 0, void 0, void 0, function* () {
-        yield (0, ssh_agent_1.sshAdd)(cmdArgs, sshAgentEnv, privateKey);
-        if (cmdArgs.debug) {
-            (0, stdio_1.print2)("SSH Agent Keys:");
-            yield (0, ssh_agent_1.sshAddList)(cmdArgs, sshAgentEnv);
-        }
-        const { command, args } = createProxyCommands(data, cmdArgs, sshAgentEnv.SSH_AUTH_SOCK, cmdArgs.debug);
+    return (0, ssh_agent_1.withSshAgent)(cmdArgs, () => __awaiter(void 0, void 0, void 0, function* () {
+        const { command, args } = createProxyCommands(data, cmdArgs, cmdArgs.debug);
         if (cmdArgs.debug) {
             const reproCommands = [
-                `eval $(p0 aws role assume ${data.role} --account ${data.instance.accountId})`,
-                `export SSH_AUTH_SOCK=${sshAgentEnv.SSH_AUTH_SOCK}`,
-                `export SSH_AGENT_PID=${sshAgentEnv.SSH_AGENT_PID}`,
+                `eval $(ssh-agent)`,
+                `ssh-add "${keys_1.PRIVATE_KEY_PATH}"`,
+                `eval $(p0 aws role assume ${data.role} --account ${data.accountId})`,
                 `${command} ${transformForShell(args).join(" ")}`,
             ];
-            (0, stdio_1.print2)(`Execute the following commands to create a similar SSH/SCP session:\n*** COMMANDS BEGIN ***\n${reproCommands.join("\n")}\n*** COMMANDS END ***\n\nTHE SSH AGENT PROCESS WILL NOT BE KILLED AUTOMATICALLY IN DEBUG MODE\nYou can kill it with "sudo kill ${sshAgentEnv.SSH_AGENT_PID}"\n`);
+            (0, stdio_1.print2)(`Execute the following commands to create a similar SSH/SCP session:\n*** COMMANDS BEGIN ***\n${reproCommands.join("\n")}\n*** COMMANDS END ***"\n`);
         }
         return spawnSsmNode({
             credential,
-            sshAgentEnv,
             abortController: new AbortController(),
             command,
             args,

package/dist/plugins/aws/types.d.ts

@@ -53,16 +53,18 @@ export declare type AwsConfig = {
 export declare type AwsSsh = {
     permission: {
         spec: {
-            awsResourcePermission: {
-                resource: {
-                    arn: string;
-                };
-            };
+            instanceId: string;
+            accountId: string;
+            region: string;
         };
         type: "session";
     };
     generated: {
-        documentName: string;
+        name: string;
+        ssh: {
+            linuxUserName: string;
+            publicKey: string;
+        };
     };
 };
 export {};

package/dist/plugins/ssh-agent/index.d.ts

@@ -1,10 +1,4 @@
-import { AgentArgs, SshAgentEnv } from "./types";
-/** Spawns a subprocess with the ssh-agent command.
- * Detects the auth socket and agent PID from stdout.
- * Stdout and stderr of the subprocess is printed to stderr in debug mode.
- * The returned promise resolves with an object that contains the auth socket and agent PID,
- * or rejects with the contents of stderr. */
-export declare const sshAgent: (cmdArgs: AgentArgs) => Promise<SshAgentEnv>;
-export declare const sshAdd: (args: AgentArgs, sshAgentEnv: SshAgentEnv, privateKey: string) => Promise<number>;
-export declare const sshAddList: (args: AgentArgs, sshAgentEnv: SshAgentEnv) => Promise<number>;
-export declare const withSshAgent: <T>(args: AgentArgs, fn: (sshAgentEnv: SshAgentEnv) => Promise<T>) => Promise<T>;
+import { AgentArgs } from "./types";
+export declare const privateKeyExists: (args: AgentArgs) => Promise<boolean>;
+export declare const addPrivateKey: (args: AgentArgs) => Promise<boolean>;
+export declare const withSshAgent: <T>(args: AgentArgs, fn: () => Promise<T>) => Promise<T>;

package/dist/plugins/ssh-agent/index.js

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.withSshAgent = exports.sshAddList = exports.sshAdd = exports.sshAgent = void 0;
+exports.withSshAgent = exports.addPrivateKey = exports.privateKeyExists = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -20,11 +20,9 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const __1 = require("../..");
+const keys_1 = require("../../common/keys");
 const stdio_1 = require("../../drivers/stdio");
 const node_child_process_1 = require("node:child_process");
-const AUTH_SOCK_MESSAGE = /SSH_AUTH_SOCK=(.+?);/;
-const AGENT_PID_MESSAGE = /SSH_AGENT_PID=(\d+?);/;
 /** Spawns a subprocess with given command, args, and options.
  * May write content to its standard input.
  * Stdout and stderr of the subprocess is printed to stderr in debug mode.
@@ -59,84 +57,80 @@ const asyncSpawn = ({ debug }, command, args, options, writeStdin) => __awaiter(
         }
     });
 });
-/** Spawns a subprocess with the ssh-agent command.
- * Detects the auth socket and agent PID from stdout.
- * Stdout and stderr of the subprocess is printed to stderr in debug mode.
- * The returned promise resolves with an object that contains the auth socket and agent PID,
- * or rejects with the contents of stderr. */
-const sshAgent = (cmdArgs) => __awaiter(void 0, void 0, void 0, function* () {
-    return new Promise((resolve, reject) => {
-        let stderr = "";
-        let stdout = "";
-        // There is a debug flag in ssh-agent but it causes the ssh-agent process to NOT fork
-        const child = (0, node_child_process_1.spawn)("ssh-agent");
-        child.stdout.on("data", (data) => {
-            const str = data.toString("utf-8");
-            if (cmdArgs.debug) {
-                (0, stdio_1.print2)(str);
-            }
-            stdout += str;
-        });
-        child.stderr.on("data", (data) => {
-            const str = data.toString("utf-8");
-            if (cmdArgs.debug) {
-                (0, stdio_1.print2)(str);
-            }
-            stderr += str;
-        });
-        const exitListener = child.on("exit", (code) => {
-            exitListener.unref();
-            if (code !== 0) {
-                return reject(stderr);
-            }
-            const authSockMatch = stdout.match(AUTH_SOCK_MESSAGE);
-            const agentPidMatch = stdout.match(AGENT_PID_MESSAGE);
-            if (!(authSockMatch === null || authSockMatch === void 0 ? void 0 : authSockMatch[1]) || !(agentPidMatch === null || agentPidMatch === void 0 ? void 0 : agentPidMatch[1])) {
-                return reject("Failed to parse ssh-agent stdout:\n" + stdout);
-            }
-            resolve({
-                SSH_AUTH_SOCK: authSockMatch[1],
-                SSH_AGENT_PID: agentPidMatch[1],
-            });
-        });
-    });
+const isSshAgentRunning = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        if (args.debug)
+            (0, stdio_1.print2)("Searching for active ssh-agents");
+        // TODO: There's a possible edge-case but unlikely that ssh-agent has an invalid process or PID.
+        // We can check to see if the active PID matches the current socket to mitigate this.
+        yield asyncSpawn(args, `pgrep`, ["-x", "ssh-agent"]);
+        if (args.debug)
+            (0, stdio_1.print2)("At least one SSH agent is running");
+        return true;
+    }
+    catch (_a) {
+        if (args.debug)
+            (0, stdio_1.print2)("No SSH agent is running!");
+        return false;
+    }
 });
-exports.sshAgent = sshAgent;
-const sshAgentKill = (args, sshAgentEnv) => __awaiter(void 0, void 0, void 0, function* () {
-    return asyncSpawn(args, "ssh-agent", ["-k"], {
-        env: Object.assign(Object.assign({}, process.env), sshAgentEnv),
-    });
+const isSshAgentAuthSocketSet = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield asyncSpawn(args, `sh`, ["-c", '[ -n "$SSH_AUTH_SOCK" ]']);
+        if (args.debug)
+            (0, stdio_1.print2)(`SSH_AUTH_SOCK=${process.env.SSH_AUTH_SOCK}`);
+        return true;
+    }
+    catch (_b) {
+        if (args.debug)
+            (0, stdio_1.print2)("SSH_AUTH_SOCK is not set!");
+        return false;
+    }
 });
-const sshAdd = (args, sshAgentEnv, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
-    return asyncSpawn(args, "ssh-add", 
-    // In debug mode do not use the quiet flag. There is no debug flag in ssh-add.
-    // Instead increase to maximum verbosity of 3 with -v flag.
-    args.debug ? ["-v", "-v", "-v", "-"] : ["-q", "-"], { env: Object.assign(Object.assign({}, process.env), sshAgentEnv) }, privateKey);
+const privateKeyExists = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield asyncSpawn(args, `sh`, [
+            "-c",
+            `KEY_PATH="${keys_1.PRIVATE_KEY_PATH}" && KEY_FINGERPRINT=$(ssh-keygen -lf "$KEY_PATH" | awk '{print $2}') && ssh-add -l | grep -q "$KEY_FINGERPRINT" && exit 0 || exit 1`,
+        ]);
+        if (args.debug)
+            (0, stdio_1.print2)("Private key exists in ssh agent");
+        return true;
+    }
+    catch (_c) {
+        if (args.debug)
+            (0, stdio_1.print2)("Private key does not exist in ssh agent");
+        return false;
+    }
 });
-exports.sshAdd = sshAdd;
-const sshAddList = (args, sshAgentEnv) => __awaiter(void 0, void 0, void 0, function* () {
-    return asyncSpawn(args, "ssh-add", ["-l"], {
-        env: Object.assign(Object.assign({}, process.env), sshAgentEnv),
-    });
+exports.privateKeyExists = privateKeyExists;
+const addPrivateKey = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield asyncSpawn(args, `ssh-add`, [
+            keys_1.PRIVATE_KEY_PATH,
+            ...(args.debug ? ["-v", "-v", "-v"] : ["-q"]),
+        ]);
+        if (args.debug)
+            (0, stdio_1.print2)("Private key added to ssh agent");
+        return true;
+    }
+    catch (_d) {
+        if (args.debug)
+            (0, stdio_1.print2)("Failed to add private key to ssh agent");
+        return false;
+    }
 });
-exports.sshAddList = sshAddList;
+exports.addPrivateKey = addPrivateKey;
 const withSshAgent = (args, fn) => __awaiter(void 0, void 0, void 0, function* () {
-    const sshAgentEnv = yield (0, exports.sshAgent)(args);
-    // The ssh-agent runs in a process that is not automatically terminated.
-    // 1. Kill it when catching the main process termination signal.
-    // 2. Also kill it if the encapsulated function throws an error.
-    const abortListener = (_code) => {
-        __1.TERMINATION_CONTROLLER.signal.removeEventListener("abort", abortListener);
-        void sshAgentKill(args, sshAgentEnv);
-    };
-    __1.TERMINATION_CONTROLLER.signal.addEventListener("abort", abortListener);
-    try {
-        return yield fn(sshAgentEnv);
+    const isRunning = yield isSshAgentRunning(args);
+    const hasSocket = yield isSshAgentAuthSocketSet(args);
+    if (!isRunning || !hasSocket) {
+        throw "SSH agent is not running. Please start it by running: eval $(ssh-agent)";
     }
-    finally {
-        // keep the ssh-agent alive in debug mode
-        if (!args.debug)
-            yield sshAgentKill(args, sshAgentEnv);
+    const hasKey = yield (0, exports.privateKeyExists)(args);
+    if (!hasKey) {
+        yield (0, exports.addPrivateKey)(args);
     }
+    return yield fn();
 });
 exports.withSshAgent = withSshAgent;

package/dist/plugins/ssh-agent/types.d.ts

@@ -11,7 +11,3 @@ You should have received a copy of the GNU General Public License along with @p0
 export declare type AgentArgs = {
     debug?: boolean;
 };
-export declare type SshAgentEnv = {
-    SSH_AUTH_SOCK: string;
-    SSH_AGENT_PID: string;
-};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.7.1",
+  "version": "0.8.0",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {