@p0security/cli 0.7.1 → 0.8.1

package/dist/commands/__tests__/ssh.test.js

@@ -22,23 +22,43 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+const keys_1 = require("../../common/__mocks__/keys");
 const api_1 = require("../../drivers/api");
 const stdio_1 = require("../../drivers/stdio");
-const ssm_1 = require("../../plugins/aws/ssm");
+const ssh_1 = require("../../plugins/ssh");
 const firestore_1 = require("../../testing/firestore");
 const util_1 = require("../../util");
-const ssh_1 = require("../ssh");
+const ssh_2 = require("../ssh");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
 const yargs_1 = __importDefault(require("yargs"));
 jest.mock("../../drivers/api");
 jest.mock("../../drivers/auth");
 jest.mock("../../drivers/stdio");
-jest.mock("../../plugins/aws/ssm");
+jest.mock("../../plugins/ssh");
+jest.mock("../../common/keys");
 const mockFetchCommand = api_1.fetchCommand;
-const mockSshOrScp = ssm_1.sshOrScp;
+const mockSshOrScp = ssh_1.sshOrScp;
 const mockPrint1 = stdio_1.print1;
 const mockPrint2 = stdio_1.print2;
+const MOCK_REQUEST = {
+    status: "DONE",
+    generated: {
+        name: "name",
+        ssh: {
+            linuxUserName: "linuxUserName",
+        },
+    },
+    permission: {
+        spec: {
+            instanceId: "instanceId",
+            accountId: "accountId",
+            region: "region",
+            publicKey: keys_1.TEST_PUBLIC_KEY,
+            type: "aws",
+        },
+    },
+};
 (0, firestore_1.mockGetDoc)({
     "iam-write": {
         ["aws:test-account"]: {
@@ -68,26 +88,23 @@ describe("ssh", () => {
                             },
                         },
                     },
-                    generated: {
-                        documentName: "documentName",
-                    },
                 },
             });
         });
         it("should call p0 request with reason arg", () => __awaiter(void 0, void 0, void 0, function* () {
-            void (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance --reason reason`);
+            void (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance --reason reason --provider aws`);
             yield (0, util_1.sleep)(100);
             const hiddenFilenameRequestArgs = (0, lodash_1.omit)(mockFetchCommand.mock.calls[0][1], "$0");
             expect(hiddenFilenameRequestArgs).toMatchSnapshot("args");
         }));
         it("should wait for access grant", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
             const wait = (0, util_1.sleep)(100);
             yield Promise.race([wait, promise]);
             yield expect(wait).resolves.toBeUndefined();
         }));
         it("should wait for provisioning", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
                 status: "APPROVED",
@@ -97,30 +114,26 @@ describe("ssh", () => {
             yield expect(wait).resolves.toBeUndefined();
         }));
         it("should call sshOrScp with non-interactive command", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance do something`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance do something`);
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
                 status: "APPROVED",
             });
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
-            firestore_2.onSnapshot.trigger({
-                status: "DONE",
-            });
+            firestore_2.onSnapshot.trigger(MOCK_REQUEST);
             yield expect(promise).resolves.toBeDefined();
             expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
             expect(mockPrint1).not.toHaveBeenCalled();
             expect(mockSshOrScp).toHaveBeenCalled();
         }));
         it("should call sshOrScp with interactive session", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
                 status: "APPROVED",
             });
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
-            firestore_2.onSnapshot.trigger({
-                status: "DONE",
-            });
+            firestore_2.onSnapshot.trigger(MOCK_REQUEST);
             yield expect(promise).resolves.toBeDefined();
             expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
             expect(mockPrint1).not.toHaveBeenCalled();

package/dist/commands/scp.js

@@ -20,10 +20,9 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const api_1 = require("../drivers/api");
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
-const ssm_1 = require("../plugins/aws/ssm");
+const ssh_1 = require("../plugins/ssh");
 const shared_1 = require("./shared");
 const scpCommand = (yargs) => yargs.command("scp <source> <destination>", 
 // TODO (ENG-1930): support scp across multiple remote hosts.
@@ -50,6 +49,11 @@ const scpCommand = (yargs) => yargs.command("scp <source> <destination>",
     .option("account", {
     type: "string",
     describe: "The account on which the instance is located",
+})
+    .option("provider", {
+    type: "string",
+    describe: "The cloud provider where the instance is hosted",
+    choices: shared_1.SUPPORTED_PROVIDERS,
 })
     .option("sudo", {
     type: "boolean",
@@ -70,19 +74,15 @@ const scpAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     if (!host) {
         throw "Could not determine host identifier from source or destination";
     }
-    const requestId = yield (0, shared_1.provisionRequest)(authn, args, host);
-    if (!requestId) {
+    const result = yield (0, shared_1.provisionRequest)(authn, args, host);
+    if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
-    const { publicKey, privateKey } = (0, shared_1.createKeyPair)();
-    const result = yield (0, api_1.fetchExerciseGrant)(authn, {
-        requestId,
-        destination: host,
-        publicKey,
-    });
+    const { request, privateKey } = result;
+    const data = (0, shared_1.requestToSsh)(request);
     // replace the host with the linuxUserName@instanceId
-    const { source, destination } = replaceHostWithInstance(result, args);
-    yield (0, ssm_1.sshOrScp)(authn, result, Object.assign(Object.assign({}, args), { source,
+    const { source, destination } = replaceHostWithInstance(data, args);
+    yield (0, ssh_1.sshOrScp)(authn, data, Object.assign(Object.assign({}, args), { source,
         destination }), privateKey);
 });
 /** If a path is not explicitly local, use this pattern to determine if it's remote */
@@ -106,10 +106,10 @@ const replaceHostWithInstance = (result, args) => {
     let source = args.source;
     let destination = args.destination;
     if (isExplicitlyRemote(source)) {
-        source = `${result.linuxUserName}@${result.instance.id}:${source.split(":")[1]}`;
+        source = `${result.linuxUserName}@${result.id}:${source.split(":")[1]}`;
     }
     if (isExplicitlyRemote(destination)) {
-        destination = `${result.linuxUserName}@${result.instance.id}:${destination.split(":")[1]}`;
+        destination = `${result.linuxUserName}@${result.id}:${destination.split(":")[1]}`;
     }
     return { source, destination };
 };

package/dist/commands/shared.d.ts

@@ -1,28 +1,34 @@
 import { Authn } from "../types/identity";
+import { CliRequest, Request } from "../types/request";
 import yargs from "yargs";
-export declare type ExerciseGrantResponse = {
-    documentName: string;
+export declare const SUPPORTED_PROVIDERS: string[];
+export declare type SshRequest = AwsSshRequest | GcpSshRequest;
+export declare type AwsSshRequest = {
     linuxUserName: string;
-    ok: true;
     role: string;
-    instance: {
-        arn: string;
-        accountId: string;
-        region: string;
-        id: string;
-        name?: string;
-    };
+    accountId: string;
+    region: string;
+    id: string;
+    type: "aws";
+};
+export declare type GcpSshRequest = {
+    linuxUserName: string;
+    projectId: string;
+    zone: string;
+    id: string;
+    type: "gcloud";
 };
 export declare type BaseSshCommandArgs = {
     sudo?: boolean;
     reason?: string;
     account?: string;
+    provider?: "aws" | "gcloud";
+    debug?: boolean;
 };
 export declare type ScpCommandArgs = BaseSshCommandArgs & {
     source: string;
     destination: string;
     recursive?: boolean;
-    debug?: boolean;
 };
 export declare type SshCommandArgs = BaseSshCommandArgs & {
     sudo?: boolean;
@@ -32,10 +38,10 @@ export declare type SshCommandArgs = BaseSshCommandArgs & {
     A?: boolean;
     arguments: string[];
     command?: string;
-    debug?: boolean;
 };
-export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<string | undefined>;
-export declare const createKeyPair: () => {
+export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<{
+    request: Request<CliRequest>;
     publicKey: string;
     privateKey: string;
-};
+} | undefined>;
+export declare const requestToSsh: (request: Request<CliRequest>) => SshRequest;

package/dist/commands/shared.js

@@ -8,11 +8,8 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createKeyPair = exports.provisionRequest = void 0;
+exports.requestToSsh = exports.provisionRequest = exports.SUPPORTED_PROVIDERS = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -23,22 +20,32 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+const keys_1 = require("../common/keys");
 const firestore_1 = require("../drivers/firestore");
 const stdio_1 = require("../drivers/stdio");
+const ssh_1 = require("../plugins/aws/ssh");
+const ssh_2 = require("../plugins/google/ssh");
+const ssh_key_1 = require("../plugins/google/ssh-key");
 const request_1 = require("../types/request");
+const util_1 = require("../util");
 const request_2 = require("./request");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
-const node_forge_1 = __importDefault(require("node-forge"));
 /** Maximum amount of time to wait after access is approved to wait for access
  *  to be configured
  */
 const GRANT_TIMEOUT_MILLIS = 60e3;
-const validateSshInstall = (authn) => __awaiter(void 0, void 0, void 0, function* () {
+// The prefix of installed SSH accounts in P0 is the provider name
+exports.SUPPORTED_PROVIDERS = ["aws", "gcloud"];
+const validateSshInstall = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
     var _a;
     const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/ssh`));
     const configItems = (_a = configDoc.data()) === null || _a === void 0 ? void 0 : _a["iam-write"];
-    const items = Object.entries(configItems !== null && configItems !== void 0 ? configItems : {}).filter(([key, value]) => value.state == "installed" && key.startsWith("aws"));
+    const providersToCheck = args.provider
+        ? [args.provider]
+        : exports.SUPPORTED_PROVIDERS;
+    const items = Object.entries(configItems !== null && configItems !== void 0 ? configItems : {}).filter(([key, value]) => value.state == "installed" &&
+        providersToCheck.some((prefix) => key.startsWith(prefix)));
     if (items.length === 0) {
         throw "This organization is not configured for SSH access via the P0 CLI";
     }
@@ -80,15 +87,25 @@ const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void
     clearTimeout(cancel);
     return result;
 });
+const pluginToCliRequest = (request, options) => __awaiter(void 0, void 0, void 0, function* () {
+    return request.permission.spec.type === "gcloud"
+        ? Object.assign(Object.assign({}, request), { cliLocalData: {
+                linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
+            } })
+        : request.permission.spec.type === "aws"
+            ? request
+            : (0, util_1.throwAssertNever)(request.permission.spec);
+});
 const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0, void 0, function* () {
-    yield validateSshInstall(authn);
+    yield validateSshInstall(authn, args);
+    const { publicKey, privateKey } = yield (0, keys_1.createKeyPair)();
     const response = yield (0, request_2.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
             "ssh",
             "session",
             destination,
-            // Prefix is required because the backend uses it to determine that this is an AWS request
-            "--provider",
-            "aws",
+            "--public-key",
+            publicKey,
+            ...(args.provider ? ["--provider", args.provider] : []),
             ...(args.sudo || args.command === "sudo" ? ["--sudo"] : []),
             ...(args.reason ? ["--reason", args.reason] : []),
             ...(args.account ? ["--account", args.account] : []),
@@ -100,14 +117,25 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     const { id, isPreexisting } = response;
     if (!isPreexisting)
         (0, stdio_1.print2)("Waiting for access to be provisioned");
-    yield waitForProvisioning(authn, id);
-    return id;
+    const provisionedRequest = yield waitForProvisioning(authn, id);
+    if (provisionedRequest.permission.spec.publicKey !== publicKey) {
+        throw "Public key mismatch. Please revoke the request and try again.";
+    }
+    const cliRequest = yield pluginToCliRequest(provisionedRequest, {
+        debug: args.debug,
+    });
+    return { request: cliRequest, publicKey, privateKey };
 });
 exports.provisionRequest = provisionRequest;
-const createKeyPair = () => {
-    const rsaKeyPair = node_forge_1.default.pki.rsa.generateKeyPair({ bits: 2048 });
-    const privateKey = node_forge_1.default.pki.privateKeyToPem(rsaKeyPair.privateKey);
-    const publicKey = node_forge_1.default.ssh.publicKeyToOpenSSH(rsaKeyPair.publicKey);
-    return { publicKey, privateKey };
+const requestToSsh = (request) => {
+    if (request.permission.spec.type === "aws") {
+        return (0, ssh_1.awsRequestToSsh)(request);
+    }
+    else if (request.permission.spec.type === "gcloud") {
+        return (0, ssh_2.gcpRequestToSsh)(request);
+    }
+    else {
+        throw (0, util_1.assertNever)(request.permission.spec);
+    }
 };
-exports.createKeyPair = createKeyPair;
+exports.requestToSsh = requestToSsh;

package/dist/commands/ssh.js

@@ -20,10 +20,9 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const api_1 = require("../drivers/api");
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
-const ssm_1 = require("../plugins/aws/ssm");
+const ssh_1 = require("../plugins/ssh");
 const shared_1 = require("./shared");
 const sshCommand = (yargs) => yargs.command("ssh <destination> [command [arguments..]]", "SSH into a virtual machine", (yargs) => yargs
     .positional("destination", {
@@ -65,6 +64,11 @@ const sshCommand = (yargs) => yargs.command("ssh <destination> [command [argumen
     .option("account", {
     type: "string",
     describe: "The account on which the instance is located",
+})
+    .option("provider", {
+    type: "string",
+    describe: "The cloud provider where the instance is hosted",
+    choices: ["aws", "gcloud"],
 })
     .option("debug", {
     type: "boolean",
@@ -82,15 +86,10 @@ const sshAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     // Prefix is required because the backend uses it to determine that this is an AWS request
     const authn = yield (0, auth_1.authenticate)();
     const destination = args.destination;
-    const requestId = yield (0, shared_1.provisionRequest)(authn, args, destination);
-    if (!requestId) {
+    const result = yield (0, shared_1.provisionRequest)(authn, args, destination);
+    if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
-    const { publicKey, privateKey } = (0, shared_1.createKeyPair)();
-    const result = yield (0, api_1.fetchExerciseGrant)(authn, {
-        requestId,
-        destination,
-        publicKey,
-    });
-    yield (0, ssm_1.sshOrScp)(authn, result, Object.assign(Object.assign({}, args), { destination }), privateKey);
+    const { request, privateKey } = result;
+    yield (0, ssh_1.sshOrScp)(authn, (0, shared_1.requestToSsh)(request), Object.assign(Object.assign({}, args), { destination }), privateKey);
 });

package/dist/common/__mocks__/keys.d.ts

@@ -0,0 +1,13 @@
+/// <reference types="jest" />
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare const TEST_PUBLIC_KEY = "test-public-key";
+export declare const createKeyPair: jest.Mock<any, any, any>;

package/dist/common/__mocks__/keys.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createKeyPair = exports.TEST_PUBLIC_KEY = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+exports.TEST_PUBLIC_KEY = "test-public-key";
+exports.createKeyPair = jest.fn().mockImplementation(() => ({
+    publicKey: "test-public-key",
+    privateKey: "test-private-key",
+}));

package/dist/common/keys.d.ts

@@ -0,0 +1,9 @@
+export declare const PUBLIC_KEY_PATH: string;
+export declare const PRIVATE_KEY_PATH: string;
+/**
+ * Search for a cached key pair, or create a new one if not found
+ */
+export declare const createKeyPair: () => Promise<{
+    publicKey: string;
+    privateKey: string;
+}>;

package/dist/common/keys.js

@@ -0,0 +1,84 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createKeyPair = exports.PRIVATE_KEY_PATH = exports.PUBLIC_KEY_PATH = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const util_1 = require("../util");
+const fs = __importStar(require("fs/promises"));
+const node_forge_1 = __importDefault(require("node-forge"));
+const path = __importStar(require("path"));
+exports.PUBLIC_KEY_PATH = path.join(util_1.P0_PATH, "ssh", "id_rsa.pub");
+exports.PRIVATE_KEY_PATH = path.join(util_1.P0_PATH, "ssh", "id_rsa");
+/**
+ * Search for a cached key pair, or create a new one if not found
+ */
+const createKeyPair = () => __awaiter(void 0, void 0, void 0, function* () {
+    if ((yield fileExists(exports.PUBLIC_KEY_PATH)) &&
+        (yield fileExists(exports.PRIVATE_KEY_PATH))) {
+        const publicKey = yield fs.readFile(exports.PUBLIC_KEY_PATH, "utf8");
+        const privateKey = yield fs.readFile(exports.PRIVATE_KEY_PATH, "utf8");
+        return { publicKey, privateKey };
+    }
+    else {
+        const rsaKeyPair = node_forge_1.default.pki.rsa.generateKeyPair({ bits: 2048 });
+        const privateKey = node_forge_1.default.pki.privateKeyToPem(rsaKeyPair.privateKey);
+        const publicKey = node_forge_1.default.ssh.publicKeyToOpenSSH(rsaKeyPair.publicKey);
+        yield fs.mkdir(path.dirname(exports.PUBLIC_KEY_PATH), { recursive: true });
+        yield fs.writeFile(exports.PUBLIC_KEY_PATH, publicKey, { mode: 0o600 });
+        yield fs.writeFile(exports.PRIVATE_KEY_PATH, privateKey, { mode: 0o600 });
+        return { publicKey, privateKey };
+    }
+});
+exports.createKeyPair = createKeyPair;
+const fileExists = (path) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield fs.access(path);
+        return true;
+    }
+    catch (error) {
+        return false;
+    }
+});

package/dist/common/subprocess.d.ts

@@ -0,0 +1,10 @@
+import { AgentArgs } from "../plugins/ssh-agent/types";
+import { SpawnOptionsWithoutStdio } from "node:child_process";
+/** Spawns a subprocess with given command, args, and options.
+ * May write content to its standard input.
+ * Stdout and stderr of the subprocess is printed to stderr in debug mode.
+ * The returned promise resolves with stdout or rejects with stderr of the subprocess.
+ *
+ * The captured output is expected to be relatively small.
+ * For larger outputs we should implement this with streams. */
+export declare const asyncSpawn: ({ debug }: AgentArgs, command: string, args?: ReadonlyArray<string>, options?: SpawnOptionsWithoutStdio, writeStdin?: string) => Promise<string>;

package/dist/common/subprocess.js

@@ -0,0 +1,72 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.asyncSpawn = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const stdio_1 = require("../drivers/stdio");
+const node_child_process_1 = require("node:child_process");
+/** Spawns a subprocess with given command, args, and options.
+ * May write content to its standard input.
+ * Stdout and stderr of the subprocess is printed to stderr in debug mode.
+ * The returned promise resolves with stdout or rejects with stderr of the subprocess.
+ *
+ * The captured output is expected to be relatively small.
+ * For larger outputs we should implement this with streams. */
+const asyncSpawn = ({ debug }, command, args, options, writeStdin) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        var _a;
+        const child = (0, node_child_process_1.spawn)(command, args, options);
+        // Use streams for larger output
+        let stdout = "";
+        let stderr = "";
+        if (writeStdin) {
+            if (!child.stdin)
+                return reject("Child process has no stdin");
+            child.stdin.write(writeStdin);
+        }
+        child.stdout.on("data", (data) => {
+            const str = data.toString("utf-8");
+            stdout += str;
+            if (debug) {
+                (0, stdio_1.print2)(str);
+            }
+        });
+        child.stderr.on("data", (data) => {
+            const str = data.toString("utf-8");
+            stderr += str;
+            if (debug) {
+                (0, stdio_1.print2)(data.toString("utf-8"));
+            }
+        });
+        child.on("exit", (code) => {
+            if (debug) {
+                (0, stdio_1.print2)("Process exited with code " + code);
+            }
+            if (code !== 0) {
+                return reject(stderr);
+            }
+            resolve(stdout);
+        });
+        if (writeStdin) {
+            (_a = child.stdin) === null || _a === void 0 ? void 0 : _a.end();
+        }
+    });
+});
+exports.asyncSpawn = asyncSpawn;

package/dist/drivers/api.d.ts

@@ -1,20 +1,4 @@
-/** Copyright © 2024-present P0 Security
-
-This file is part of @p0security/cli
-
-@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
-
-@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
-**/
-import { ExerciseGrantResponse } from "../commands/shared";
 import { Authn } from "../types/identity";
 import yargs from "yargs";
 export declare const fetchCommand: <T>(authn: Authn, args: yargs.ArgumentsCamelCase, argv: string[]) => Promise<T>;
-export declare const fetchExerciseGrant: (authn: Authn, args: {
-    requestId: string;
-    destination: string;
-    publicKey?: string;
-}) => Promise<ExerciseGrantResponse>;
 export declare const baseFetch: <T>(authn: Authn, url: string, method: string, body: string) => Promise<T>;