@p0security/cli 0.7.1 → 0.8.1

package/dist/plugins/ssh-agent/index.d.ts

@@ -1,10 +1,4 @@
-import { AgentArgs, SshAgentEnv } from "./types";
-/** Spawns a subprocess with the ssh-agent command.
- * Detects the auth socket and agent PID from stdout.
- * Stdout and stderr of the subprocess is printed to stderr in debug mode.
- * The returned promise resolves with an object that contains the auth socket and agent PID,
- * or rejects with the contents of stderr. */
-export declare const sshAgent: (cmdArgs: AgentArgs) => Promise<SshAgentEnv>;
-export declare const sshAdd: (args: AgentArgs, sshAgentEnv: SshAgentEnv, privateKey: string) => Promise<number>;
-export declare const sshAddList: (args: AgentArgs, sshAgentEnv: SshAgentEnv) => Promise<number>;
-export declare const withSshAgent: <T>(args: AgentArgs, fn: (sshAgentEnv: SshAgentEnv) => Promise<T>) => Promise<T>;
+import { AgentArgs } from "./types";
+export declare const privateKeyExists: (args: AgentArgs) => Promise<boolean>;
+export declare const addPrivateKey: (args: AgentArgs) => Promise<boolean>;
+export declare const withSshAgent: <T>(args: AgentArgs, fn: () => Promise<T>) => Promise<T>;

package/dist/plugins/ssh-agent/index.js

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.withSshAgent = exports.sshAddList = exports.sshAdd = exports.sshAgent = void 0;
+exports.withSshAgent = exports.addPrivateKey = exports.privateKeyExists = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -20,123 +20,83 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const __1 = require("../..");
+const keys_1 = require("../../common/keys");
+const subprocess_1 = require("../../common/subprocess");
 const stdio_1 = require("../../drivers/stdio");
-const node_child_process_1 = require("node:child_process");
-const AUTH_SOCK_MESSAGE = /SSH_AUTH_SOCK=(.+?);/;
-const AGENT_PID_MESSAGE = /SSH_AGENT_PID=(\d+?);/;
-/** Spawns a subprocess with given command, args, and options.
- * May write content to its standard input.
- * Stdout and stderr of the subprocess is printed to stderr in debug mode.
- * The returned promise resolves or rejects with the exit code. */
-const asyncSpawn = ({ debug }, command, args, options, writeStdin) => __awaiter(void 0, void 0, void 0, function* () {
-    return new Promise((resolve, reject) => {
-        var _a;
-        const child = (0, node_child_process_1.spawn)(command, args, options);
-        if (writeStdin) {
-            if (!child.stdin)
-                return reject("Child process has no stdin");
-            child.stdin.write(writeStdin);
-        }
-        child.stdout.on("data", (data) => {
-            if (debug) {
-                (0, stdio_1.print2)(data.toString("utf-8"));
-            }
-        });
-        child.stderr.on("data", (data) => {
-            if (debug) {
-                (0, stdio_1.print2)(data.toString("utf-8"));
-            }
-        });
-        child.on("exit", (code) => {
-            if (code !== 0) {
-                return reject(code);
-            }
-            resolve(code);
-        });
-        if (writeStdin) {
-            (_a = child.stdin) === null || _a === void 0 ? void 0 : _a.end();
-        }
-    });
-});
-/** Spawns a subprocess with the ssh-agent command.
- * Detects the auth socket and agent PID from stdout.
- * Stdout and stderr of the subprocess is printed to stderr in debug mode.
- * The returned promise resolves with an object that contains the auth socket and agent PID,
- * or rejects with the contents of stderr. */
-const sshAgent = (cmdArgs) => __awaiter(void 0, void 0, void 0, function* () {
-    return new Promise((resolve, reject) => {
-        let stderr = "";
-        let stdout = "";
-        // There is a debug flag in ssh-agent but it causes the ssh-agent process to NOT fork
-        const child = (0, node_child_process_1.spawn)("ssh-agent");
-        child.stdout.on("data", (data) => {
-            const str = data.toString("utf-8");
-            if (cmdArgs.debug) {
-                (0, stdio_1.print2)(str);
-            }
-            stdout += str;
-        });
-        child.stderr.on("data", (data) => {
-            const str = data.toString("utf-8");
-            if (cmdArgs.debug) {
-                (0, stdio_1.print2)(str);
-            }
-            stderr += str;
-        });
-        const exitListener = child.on("exit", (code) => {
-            exitListener.unref();
-            if (code !== 0) {
-                return reject(stderr);
-            }
-            const authSockMatch = stdout.match(AUTH_SOCK_MESSAGE);
-            const agentPidMatch = stdout.match(AGENT_PID_MESSAGE);
-            if (!(authSockMatch === null || authSockMatch === void 0 ? void 0 : authSockMatch[1]) || !(agentPidMatch === null || agentPidMatch === void 0 ? void 0 : agentPidMatch[1])) {
-                return reject("Failed to parse ssh-agent stdout:\n" + stdout);
-            }
-            resolve({
-                SSH_AUTH_SOCK: authSockMatch[1],
-                SSH_AGENT_PID: agentPidMatch[1],
-            });
-        });
-    });
+const isSshAgentRunning = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        if (args.debug)
+            (0, stdio_1.print2)("Searching for active ssh-agents");
+        // TODO: There's a possible edge-case but unlikely that ssh-agent has an invalid process or PID.
+        // We can check to see if the active PID matches the current socket to mitigate this.
+        yield (0, subprocess_1.asyncSpawn)(args, `pgrep`, ["-x", "ssh-agent"]);
+        if (args.debug)
+            (0, stdio_1.print2)("At least one SSH agent is running");
+        return true;
+    }
+    catch (_a) {
+        if (args.debug)
+            (0, stdio_1.print2)("No SSH agent is running!");
+        return false;
+    }
 });
-exports.sshAgent = sshAgent;
-const sshAgentKill = (args, sshAgentEnv) => __awaiter(void 0, void 0, void 0, function* () {
-    return asyncSpawn(args, "ssh-agent", ["-k"], {
-        env: Object.assign(Object.assign({}, process.env), sshAgentEnv),
-    });
+const isSshAgentAuthSocketSet = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield (0, subprocess_1.asyncSpawn)(args, `sh`, ["-c", '[ -n "$SSH_AUTH_SOCK" ]']);
+        if (args.debug)
+            (0, stdio_1.print2)(`SSH_AUTH_SOCK=${process.env.SSH_AUTH_SOCK}`);
+        return true;
+    }
+    catch (_b) {
+        if (args.debug)
+            (0, stdio_1.print2)("SSH_AUTH_SOCK is not set!");
+        return false;
+    }
 });
-const sshAdd = (args, sshAgentEnv, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
-    return asyncSpawn(args, "ssh-add", 
-    // In debug mode do not use the quiet flag. There is no debug flag in ssh-add.
-    // Instead increase to maximum verbosity of 3 with -v flag.
-    args.debug ? ["-v", "-v", "-v", "-"] : ["-q", "-"], { env: Object.assign(Object.assign({}, process.env), sshAgentEnv) }, privateKey);
+const privateKeyExists = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield (0, subprocess_1.asyncSpawn)(args, `sh`, [
+            "-c",
+            `KEY_PATH="${keys_1.PRIVATE_KEY_PATH}" && KEY_FINGERPRINT=$(ssh-keygen -lf "$KEY_PATH" | awk '{print $2}') && ssh-add -l | grep -q "$KEY_FINGERPRINT" && exit 0 || exit 1`,
+        ]);
+        if (args.debug)
+            (0, stdio_1.print2)("Private key exists in ssh agent");
+        return true;
+    }
+    catch (_c) {
+        if (args.debug)
+            (0, stdio_1.print2)("Private key does not exist in ssh agent");
+        return false;
+    }
 });
-exports.sshAdd = sshAdd;
-const sshAddList = (args, sshAgentEnv) => __awaiter(void 0, void 0, void 0, function* () {
-    return asyncSpawn(args, "ssh-add", ["-l"], {
-        env: Object.assign(Object.assign({}, process.env), sshAgentEnv),
-    });
+exports.privateKeyExists = privateKeyExists;
+const addPrivateKey = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield (0, subprocess_1.asyncSpawn)(args, `ssh-add`, [
+            keys_1.PRIVATE_KEY_PATH,
+            ...(args.debug ? ["-v", "-v", "-v"] : ["-q"]),
+        ]);
+        if (args.debug)
+            (0, stdio_1.print2)("Private key added to ssh agent");
+        return true;
+    }
+    catch (_d) {
+        if (args.debug)
+            (0, stdio_1.print2)("Failed to add private key to ssh agent");
+        return false;
+    }
 });
-exports.sshAddList = sshAddList;
+exports.addPrivateKey = addPrivateKey;
 const withSshAgent = (args, fn) => __awaiter(void 0, void 0, void 0, function* () {
-    const sshAgentEnv = yield (0, exports.sshAgent)(args);
-    // The ssh-agent runs in a process that is not automatically terminated.
-    // 1. Kill it when catching the main process termination signal.
-    // 2. Also kill it if the encapsulated function throws an error.
-    const abortListener = (_code) => {
-        __1.TERMINATION_CONTROLLER.signal.removeEventListener("abort", abortListener);
-        void sshAgentKill(args, sshAgentEnv);
-    };
-    __1.TERMINATION_CONTROLLER.signal.addEventListener("abort", abortListener);
-    try {
-        return yield fn(sshAgentEnv);
+    const isRunning = yield isSshAgentRunning(args);
+    const hasSocket = yield isSshAgentAuthSocketSet(args);
+    if (!isRunning || !hasSocket) {
+        throw "SSH agent is not running. Please start it by running: eval $(ssh-agent)";
     }
-    finally {
-        // keep the ssh-agent alive in debug mode
-        if (!args.debug)
-            yield sshAgentKill(args, sshAgentEnv);
+    const hasKey = yield (0, exports.privateKeyExists)(args);
+    if (!hasKey) {
+        yield (0, exports.addPrivateKey)(args);
     }
+    return yield fn();
 });
 exports.withSshAgent = withSshAgent;

package/dist/plugins/ssh-agent/types.d.ts

@@ -11,7 +11,3 @@ You should have received a copy of the GNU General Public License along with @p0
 export declare type AgentArgs = {
     debug?: boolean;
 };
-export declare type SshAgentEnv = {
-    SSH_AUTH_SOCK: string;
-    SSH_AGENT_PID: string;
-};

package/dist/types/request.d.ts

@@ -8,22 +8,25 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+import { AwsPermissionSpec, AwsSsh } from "../plugins/aws/types";
+import { GcpPermissionSpec, GcpSsh } from "../plugins/google/types";
 export declare const DONE_STATUSES: readonly ["DONE", "DONE_NOTIFIED"];
 export declare const DENIED_STATUSES: readonly ["DENIED", "DENIED_NOTIFIED"];
 export declare const ERROR_STATUSES: readonly ["ERRORED", "ERRORED", "ERRORED_NOTIFIED"];
-export declare type PluginRequest = {
-    permission: object;
-    generated?: object;
+export declare type CliRequest = AwsSsh | GcpSsh;
+export declare type PluginRequest = AwsPermissionSpec | GcpPermissionSpec;
+export declare type CliPermissionSpec<P extends PluginRequest, C extends object | undefined = undefined> = P & {
+    cliLocalData: C;
 };
-export declare type Request<P extends PluginRequest = {
-    permission: object;
-}> = {
+export declare type PermissionSpec<K extends string, P extends {
+    type: string;
+}, G extends object | undefined = undefined> = {
+    type: K;
+    permission: P;
+    generated: G;
+};
+export declare type Request<P extends PluginRequest> = P & {
     status: string;
-    generatedRoles: {
-        role: string;
-    }[];
-    generated: P["generated"];
-    permission: P["permission"];
     principal: string;
 };
 export declare type RequestResponse<T> = {

package/dist/types/request.js

@@ -1,16 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ERROR_STATUSES = exports.DENIED_STATUSES = exports.DONE_STATUSES = void 0;
-/** Copyright © 2024-present P0 Security
-
-This file is part of @p0security/cli
-
-@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
-
-@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
-**/
 exports.DONE_STATUSES = ["DONE", "DONE_NOTIFIED"];
 exports.DENIED_STATUSES = ["DENIED", "DENIED_NOTIFIED"];
 exports.ERROR_STATUSES = [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.7.1",
+  "version": "0.8.1",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {

package/dist/plugins/aws/ssm/index.js

@@ -1,221 +0,0 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sshOrScp = void 0;
-const stdio_1 = require("../../../drivers/stdio");
-const aws_1 = require("../../okta/aws");
-const ssh_agent_1 = require("../../ssh-agent");
-const install_1 = require("./install");
-const node_child_process_1 = require("node:child_process");
-/** Matches the error message that AWS SSM print1 when access is not propagated */
-// Note that the resource will randomly be either the SSM document or the EC2 instance
-const UNPROVISIONED_ACCESS_MESSAGE = /An error occurred \(AccessDeniedException\) when calling the StartSession operation: User: arn:aws:sts::.*:assumed-role\/P0GrantsRole.* is not authorized to perform: ssm:StartSession on resource: arn:aws:.*:.*:.* because no identity-based policy allows the ssm:StartSession action/;
-/**
- * Matches the following error messages that AWS SSM print1 when ssh authorized
- * key access hasn't propagated to the instance yet.
- * - Connection closed by UNKNOWN port 65535
- * - scp: Connection closed
- * - kex_exchange_identification: Connection closed by remote host
- */
-const UNPROVISIONED_SCP_ACCESS_MESSAGE = /\bConnection closed\b.*\b(?:by UNKNOWN port \d+|by remote host)?/;
-/** Maximum amount of time after AWS SSM process starts to check for {@link UNPROVISIONED_ACCESS_MESSAGE}
- *  in the process's stderr
- */
-const UNPROVISIONED_ACCESS_VALIDATION_WINDOW_MS = 5e3;
-/** Maximum number of attempts to start an SSM session
- *
- * Note that each attempt consumes ~ 1 s.
- */
-const MAX_SSM_RETRIES = 30;
-/** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
-const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
-/** Checks if access has propagated through AWS to the SSM agent
- *
- * AWS takes about 8 minutes to fully resolve access after it is granted. During
- * this time, calls to `aws ssm start-session` will fail randomly with an
- * access denied exception.
- *
- * This function checks AWS to see if this exception is print1d to the SSM
- * error output within the first 5 seconds of startup. If it is, the returned
- * `isAccessPropagated()` function will return false. When this occurs, the
- * consumer of this function should retry the AWS SSM session.
- *
- * Note that this function requires interception of the AWS SSM stderr stream.
- * This works because AWS SSM wraps the session in a single-stream pty, so we
- * do not capture stderr emitted from the wrapped shell session.
- */
-const accessPropagationGuard = (child) => {
-    let isEphemeralAccessDeniedException = false;
-    const beforeStart = Date.now();
-    child.stderr.on("data", (chunk) => {
-        const chunkString = chunk.toString("utf-8");
-        const match = chunkString.match(UNPROVISIONED_ACCESS_MESSAGE) ||
-            chunkString.match(UNPROVISIONED_SCP_ACCESS_MESSAGE);
-        if (match &&
-            Date.now() <= beforeStart + UNPROVISIONED_ACCESS_VALIDATION_WINDOW_MS) {
-            isEphemeralAccessDeniedException = true;
-            return;
-        }
-        (0, stdio_1.print2)(chunkString);
-    });
-    return {
-        isAccessPropagated: () => !isEphemeralAccessDeniedException,
-    };
-};
-const createBaseSsmCommand = (args) => {
-    return [
-        "aws",
-        "ssm",
-        "start-session",
-        "--region",
-        args.region,
-        "--target",
-        args.instance,
-    ];
-};
-const spawnChildProcess = (credential, command, args, stdio, sshAgentEnv) => (0, node_child_process_1.spawn)(command, args, {
-    env: Object.assign(Object.assign(Object.assign({}, process.env), credential), (sshAgentEnv || {})),
-    stdio,
-    shell: false,
-});
-/** Starts an SSM session in the terminal by spawning `aws ssm` as a subprocess
- *
- * Requires `aws ssm` to be installed on the client machine.
- */
-function spawnSsmNode(options) {
-    return __awaiter(this, void 0, void 0, function* () {
-        return new Promise((resolve, reject) => {
-            const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio, options.sshAgentEnv);
-            const { isAccessPropagated } = accessPropagationGuard(child);
-            const exitListener = child.on("exit", (code) => {
-                var _a, _b;
-                exitListener.unref();
-                // In the case of ephemeral AccessDenied exceptions due to unpropagated
-                // permissions, continually retry access until success
-                if (!isAccessPropagated()) {
-                    const attemptsRemaining = (_a = options === null || options === void 0 ? void 0 : options.attemptsRemaining) !== null && _a !== void 0 ? _a : MAX_SSM_RETRIES;
-                    if (attemptsRemaining <= 0) {
-                        reject("Access did not propagate through AWS before max retry attempts were exceeded. Please contact support@p0.dev for assistance.");
-                        return;
-                    }
-                    spawnSsmNode(Object.assign(Object.assign({}, options), { attemptsRemaining: attemptsRemaining - 1 }))
-                        .then((code) => resolve(code))
-                        .catch(reject);
-                    return;
-                }
-                (_b = options.abortController) === null || _b === void 0 ? void 0 : _b.abort(code);
-                (0, stdio_1.print2)(`SSH session terminated`);
-                resolve(code);
-            });
-        });
-    });
-}
-const createProxyCommands = (data, args, sshAuthSock, debug) => {
-    const ssmCommand = [
-        ...createBaseSsmCommand({
-            region: data.instance.region,
-            instance: "%h",
-        }),
-        "--document-name",
-        START_SSH_SESSION_DOCUMENT_NAME,
-        "--parameters",
-        '"portNumber=%p"',
-    ];
-    const commonArgs = [
-        ...(debug ? ["-v"] : []),
-        // ignore any overrides in the user's config file, we only want to use the ssh-agent we've set up for the session
-        "-o",
-        `IdentityAgent=${sshAuthSock}`,
-        "-o",
-        `ProxyCommand=${ssmCommand.join(" ")}`,
-    ];
-    if ("source" in args) {
-        return {
-            command: "scp",
-            args: [
-                ...commonArgs,
-                // if a response is not received after three 5 minute attempts,
-                // the connection will be closed.
-                "-o",
-                "ServerAliveCountMax=3",
-                `-o`,
-                "ServerAliveInterval=300",
-                ...(args.recursive ? ["-r"] : []),
-                args.source,
-                args.destination,
-            ],
-        };
-    }
-    return {
-        command: "ssh",
-        args: [
-            ...commonArgs,
-            ...(args.A ? ["-A"] : []),
-            ...(args.L ? ["-L", args.L] : []),
-            ...(args.N ? ["-N"] : []),
-            `${data.linuxUserName}@${data.instance.id}`,
-            ...(args.command ? [args.command] : []),
-            ...args.arguments.map((argument) => 
-            // escape all double quotes (") in commands such as `p0 ssh <instance>> echo 'hello; "world"'` because we
-            // need to encapsulate command arguments in double quotes as we pass them along to the remote shell
-            `"${String(argument).replace(/"/g, '\\"')}"`),
-        ],
-    };
-};
-/** Converts arguments for manual execution - arguments may have to be quoted or certain characters escaped when executing the commands from a shell */
-const transformForShell = (args) => {
-    return args.map((arg) => {
-        // The ProxyCommand option must be surrounded by single quotes
-        if (arg.startsWith("ProxyCommand=")) {
-            const [name, ...value] = arg.split("="); // contains the '=' character in the parameters option: ProxyCommand=aws ssm start-session ... --parameters "portNumber=%p"
-            return `${name}='${value.join("=")}'`;
-        }
-        return arg;
-    });
-};
-const sshOrScp = (authn, data, cmdArgs, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
-    if (!(yield (0, install_1.ensureSsmInstall)())) {
-        throw "Please try again after installing the required AWS utilities";
-    }
-    if (!privateKey) {
-        throw "Failed to load a private key for this request. Please contact support@p0.dev for assistance.";
-    }
-    const credential = yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
-        account: data.instance.accountId,
-        role: data.role,
-    });
-    return (0, ssh_agent_1.withSshAgent)(cmdArgs, (sshAgentEnv) => __awaiter(void 0, void 0, void 0, function* () {
-        yield (0, ssh_agent_1.sshAdd)(cmdArgs, sshAgentEnv, privateKey);
-        if (cmdArgs.debug) {
-            (0, stdio_1.print2)("SSH Agent Keys:");
-            yield (0, ssh_agent_1.sshAddList)(cmdArgs, sshAgentEnv);
-        }
-        const { command, args } = createProxyCommands(data, cmdArgs, sshAgentEnv.SSH_AUTH_SOCK, cmdArgs.debug);
-        if (cmdArgs.debug) {
-            const reproCommands = [
-                `eval $(p0 aws role assume ${data.role} --account ${data.instance.accountId})`,
-                `export SSH_AUTH_SOCK=${sshAgentEnv.SSH_AUTH_SOCK}`,
-                `export SSH_AGENT_PID=${sshAgentEnv.SSH_AGENT_PID}`,
-                `${command} ${transformForShell(args).join(" ")}`,
-            ];
-            (0, stdio_1.print2)(`Execute the following commands to create a similar SSH/SCP session:\n*** COMMANDS BEGIN ***\n${reproCommands.join("\n")}\n*** COMMANDS END ***\n\nTHE SSH AGENT PROCESS WILL NOT BE KILLED AUTOMATICALLY IN DEBUG MODE\nYou can kill it with "sudo kill ${sshAgentEnv.SSH_AGENT_PID}"\n`);
-        }
-        return spawnSsmNode({
-            credential,
-            sshAgentEnv,
-            abortController: new AbortController(),
-            command,
-            args,
-            stdio: ["inherit", "inherit", "pipe"],
-        });
-    }));
-});
-exports.sshOrScp = sshOrScp;