@p0security/cli 0.8.0 → 0.8.1

package/dist/commands/__tests__/ssh.test.js

@@ -25,20 +25,20 @@ You should have received a copy of the GNU General Public License along with @p0
 const keys_1 = require("../../common/__mocks__/keys");
 const api_1 = require("../../drivers/api");
 const stdio_1 = require("../../drivers/stdio");
-const ssm_1 = require("../../plugins/aws/ssm");
+const ssh_1 = require("../../plugins/ssh");
 const firestore_1 = require("../../testing/firestore");
 const util_1 = require("../../util");
-const ssh_1 = require("../ssh");
+const ssh_2 = require("../ssh");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
 const yargs_1 = __importDefault(require("yargs"));
 jest.mock("../../drivers/api");
 jest.mock("../../drivers/auth");
 jest.mock("../../drivers/stdio");
-jest.mock("../../plugins/aws/ssm");
+jest.mock("../../plugins/ssh");
 jest.mock("../../common/keys");
 const mockFetchCommand = api_1.fetchCommand;
-const mockSshOrScp = ssm_1.sshOrScp;
+const mockSshOrScp = ssh_1.sshOrScp;
 const mockPrint1 = stdio_1.print1;
 const mockPrint2 = stdio_1.print2;
 const MOCK_REQUEST = {
@@ -47,7 +47,6 @@ const MOCK_REQUEST = {
         name: "name",
         ssh: {
             linuxUserName: "linuxUserName",
-            publicKey: keys_1.TEST_PUBLIC_KEY,
         },
     },
     permission: {
@@ -55,6 +54,8 @@ const MOCK_REQUEST = {
             instanceId: "instanceId",
             accountId: "accountId",
             region: "region",
+            publicKey: keys_1.TEST_PUBLIC_KEY,
+            type: "aws",
         },
     },
 };
@@ -91,19 +92,19 @@ describe("ssh", () => {
             });
         });
         it("should call p0 request with reason arg", () => __awaiter(void 0, void 0, void 0, function* () {
-            void (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance --reason reason`);
+            void (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance --reason reason --provider aws`);
             yield (0, util_1.sleep)(100);
             const hiddenFilenameRequestArgs = (0, lodash_1.omit)(mockFetchCommand.mock.calls[0][1], "$0");
             expect(hiddenFilenameRequestArgs).toMatchSnapshot("args");
         }));
         it("should wait for access grant", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
             const wait = (0, util_1.sleep)(100);
             yield Promise.race([wait, promise]);
             yield expect(wait).resolves.toBeUndefined();
         }));
         it("should wait for provisioning", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
                 status: "APPROVED",
@@ -113,7 +114,7 @@ describe("ssh", () => {
             yield expect(wait).resolves.toBeUndefined();
         }));
         it("should call sshOrScp with non-interactive command", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance do something`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance do something`);
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
                 status: "APPROVED",
@@ -126,7 +127,7 @@ describe("ssh", () => {
             expect(mockSshOrScp).toHaveBeenCalled();
         }));
         it("should call sshOrScp with interactive session", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
                 status: "APPROVED",

package/dist/commands/scp.js

@@ -22,7 +22,7 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
-const ssm_1 = require("../plugins/aws/ssm");
+const ssh_1 = require("../plugins/ssh");
 const shared_1 = require("./shared");
 const scpCommand = (yargs) => yargs.command("scp <source> <destination>", 
 // TODO (ENG-1930): support scp across multiple remote hosts.
@@ -49,6 +49,11 @@ const scpCommand = (yargs) => yargs.command("scp <source> <destination>",
     .option("account", {
     type: "string",
     describe: "The account on which the instance is located",
+})
+    .option("provider", {
+    type: "string",
+    describe: "The cloud provider where the instance is hosted",
+    choices: shared_1.SUPPORTED_PROVIDERS,
 })
     .option("sudo", {
     type: "boolean",
@@ -77,7 +82,7 @@ const scpAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     const data = (0, shared_1.requestToSsh)(request);
     // replace the host with the linuxUserName@instanceId
     const { source, destination } = replaceHostWithInstance(data, args);
-    yield (0, ssm_1.sshOrScp)(authn, data, Object.assign(Object.assign({}, args), { source,
+    yield (0, ssh_1.sshOrScp)(authn, data, Object.assign(Object.assign({}, args), { source,
         destination }), privateKey);
 });
 /** If a path is not explicitly local, use this pattern to determine if it's remote */

package/dist/commands/shared.d.ts

@@ -1,24 +1,34 @@
-import { AwsSsh } from "../plugins/aws/types";
 import { Authn } from "../types/identity";
-import { Request } from "../types/request";
+import { CliRequest, Request } from "../types/request";
 import yargs from "yargs";
-export declare type SshRequest = {
+export declare const SUPPORTED_PROVIDERS: string[];
+export declare type SshRequest = AwsSshRequest | GcpSshRequest;
+export declare type AwsSshRequest = {
     linuxUserName: string;
     role: string;
     accountId: string;
     region: string;
     id: string;
+    type: "aws";
+};
+export declare type GcpSshRequest = {
+    linuxUserName: string;
+    projectId: string;
+    zone: string;
+    id: string;
+    type: "gcloud";
 };
 export declare type BaseSshCommandArgs = {
     sudo?: boolean;
     reason?: string;
     account?: string;
+    provider?: "aws" | "gcloud";
+    debug?: boolean;
 };
 export declare type ScpCommandArgs = BaseSshCommandArgs & {
     source: string;
     destination: string;
     recursive?: boolean;
-    debug?: boolean;
 };
 export declare type SshCommandArgs = BaseSshCommandArgs & {
     sudo?: boolean;
@@ -28,11 +38,10 @@ export declare type SshCommandArgs = BaseSshCommandArgs & {
     A?: boolean;
     arguments: string[];
     command?: string;
-    debug?: boolean;
 };
 export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<{
-    request: Request<AwsSsh>;
+    request: Request<CliRequest>;
     publicKey: string;
     privateKey: string;
 } | undefined>;
-export declare const requestToSsh: (request: AwsSsh) => SshRequest;
+export declare const requestToSsh: (request: Request<CliRequest>) => SshRequest;

package/dist/commands/shared.js

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.requestToSsh = exports.provisionRequest = void 0;
+exports.requestToSsh = exports.provisionRequest = exports.SUPPORTED_PROVIDERS = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -23,7 +23,11 @@ You should have received a copy of the GNU General Public License along with @p0
 const keys_1 = require("../common/keys");
 const firestore_1 = require("../drivers/firestore");
 const stdio_1 = require("../drivers/stdio");
+const ssh_1 = require("../plugins/aws/ssh");
+const ssh_2 = require("../plugins/google/ssh");
+const ssh_key_1 = require("../plugins/google/ssh-key");
 const request_1 = require("../types/request");
+const util_1 = require("../util");
 const request_2 = require("./request");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
@@ -31,11 +35,17 @@ const lodash_1 = require("lodash");
  *  to be configured
  */
 const GRANT_TIMEOUT_MILLIS = 60e3;
-const validateSshInstall = (authn) => __awaiter(void 0, void 0, void 0, function* () {
+// The prefix of installed SSH accounts in P0 is the provider name
+exports.SUPPORTED_PROVIDERS = ["aws", "gcloud"];
+const validateSshInstall = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
     var _a;
     const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/ssh`));
     const configItems = (_a = configDoc.data()) === null || _a === void 0 ? void 0 : _a["iam-write"];
-    const items = Object.entries(configItems !== null && configItems !== void 0 ? configItems : {}).filter(([key, value]) => value.state == "installed" && key.startsWith("aws"));
+    const providersToCheck = args.provider
+        ? [args.provider]
+        : exports.SUPPORTED_PROVIDERS;
+    const items = Object.entries(configItems !== null && configItems !== void 0 ? configItems : {}).filter(([key, value]) => value.state == "installed" &&
+        providersToCheck.some((prefix) => key.startsWith(prefix)));
     if (items.length === 0) {
         throw "This organization is not configured for SSH access via the P0 CLI";
     }
@@ -77,8 +87,17 @@ const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void
     clearTimeout(cancel);
     return result;
 });
+const pluginToCliRequest = (request, options) => __awaiter(void 0, void 0, void 0, function* () {
+    return request.permission.spec.type === "gcloud"
+        ? Object.assign(Object.assign({}, request), { cliLocalData: {
+                linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
+            } })
+        : request.permission.spec.type === "aws"
+            ? request
+            : (0, util_1.throwAssertNever)(request.permission.spec);
+});
 const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0, void 0, function* () {
-    yield validateSshInstall(authn);
+    yield validateSshInstall(authn, args);
     const { publicKey, privateKey } = yield (0, keys_1.createKeyPair)();
     const response = yield (0, request_2.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
             "ssh",
@@ -86,9 +105,7 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
             destination,
             "--public-key",
             publicKey,
-            // Prefix is required because the backend uses it to determine that this is an AWS request
-            "--provider",
-            "aws",
+            ...(args.provider ? ["--provider", args.provider] : []),
             ...(args.sudo || args.command === "sudo" ? ["--sudo"] : []),
             ...(args.reason ? ["--reason", args.reason] : []),
             ...(args.account ? ["--account", args.account] : []),
@@ -101,19 +118,24 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     if (!isPreexisting)
         (0, stdio_1.print2)("Waiting for access to be provisioned");
     const provisionedRequest = yield waitForProvisioning(authn, id);
-    if (provisionedRequest.generated.ssh.publicKey !== publicKey) {
+    if (provisionedRequest.permission.spec.publicKey !== publicKey) {
         throw "Public key mismatch. Please revoke the request and try again.";
     }
-    return { request: provisionedRequest, publicKey, privateKey };
+    const cliRequest = yield pluginToCliRequest(provisionedRequest, {
+        debug: args.debug,
+    });
+    return { request: cliRequest, publicKey, privateKey };
 });
 exports.provisionRequest = provisionRequest;
 const requestToSsh = (request) => {
-    return {
-        id: request.permission.spec.instanceId,
-        accountId: request.permission.spec.accountId,
-        region: request.permission.spec.region,
-        role: request.generated.name,
-        linuxUserName: request.generated.ssh.linuxUserName,
-    };
+    if (request.permission.spec.type === "aws") {
+        return (0, ssh_1.awsRequestToSsh)(request);
+    }
+    else if (request.permission.spec.type === "gcloud") {
+        return (0, ssh_2.gcpRequestToSsh)(request);
+    }
+    else {
+        throw (0, util_1.assertNever)(request.permission.spec);
+    }
 };
 exports.requestToSsh = requestToSsh;

package/dist/commands/ssh.js

@@ -22,7 +22,7 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
-const ssm_1 = require("../plugins/aws/ssm");
+const ssh_1 = require("../plugins/ssh");
 const shared_1 = require("./shared");
 const sshCommand = (yargs) => yargs.command("ssh <destination> [command [arguments..]]", "SSH into a virtual machine", (yargs) => yargs
     .positional("destination", {
@@ -64,6 +64,11 @@ const sshCommand = (yargs) => yargs.command("ssh <destination> [command [argumen
     .option("account", {
     type: "string",
     describe: "The account on which the instance is located",
+})
+    .option("provider", {
+    type: "string",
+    describe: "The cloud provider where the instance is hosted",
+    choices: ["aws", "gcloud"],
 })
     .option("debug", {
     type: "boolean",
@@ -85,5 +90,6 @@ const sshAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
-    yield (0, ssm_1.sshOrScp)(authn, (0, shared_1.requestToSsh)(result.request), Object.assign(Object.assign({}, args), { destination }), result.privateKey);
+    const { request, privateKey } = result;
+    yield (0, ssh_1.sshOrScp)(authn, (0, shared_1.requestToSsh)(request), Object.assign(Object.assign({}, args), { destination }), privateKey);
 });

package/dist/common/subprocess.d.ts

@@ -0,0 +1,10 @@
+import { AgentArgs } from "../plugins/ssh-agent/types";
+import { SpawnOptionsWithoutStdio } from "node:child_process";
+/** Spawns a subprocess with given command, args, and options.
+ * May write content to its standard input.
+ * Stdout and stderr of the subprocess is printed to stderr in debug mode.
+ * The returned promise resolves with stdout or rejects with stderr of the subprocess.
+ *
+ * The captured output is expected to be relatively small.
+ * For larger outputs we should implement this with streams. */
+export declare const asyncSpawn: ({ debug }: AgentArgs, command: string, args?: ReadonlyArray<string>, options?: SpawnOptionsWithoutStdio, writeStdin?: string) => Promise<string>;

package/dist/common/subprocess.js

@@ -0,0 +1,72 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.asyncSpawn = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const stdio_1 = require("../drivers/stdio");
+const node_child_process_1 = require("node:child_process");
+/** Spawns a subprocess with given command, args, and options.
+ * May write content to its standard input.
+ * Stdout and stderr of the subprocess is printed to stderr in debug mode.
+ * The returned promise resolves with stdout or rejects with stderr of the subprocess.
+ *
+ * The captured output is expected to be relatively small.
+ * For larger outputs we should implement this with streams. */
+const asyncSpawn = ({ debug }, command, args, options, writeStdin) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        var _a;
+        const child = (0, node_child_process_1.spawn)(command, args, options);
+        // Use streams for larger output
+        let stdout = "";
+        let stderr = "";
+        if (writeStdin) {
+            if (!child.stdin)
+                return reject("Child process has no stdin");
+            child.stdin.write(writeStdin);
+        }
+        child.stdout.on("data", (data) => {
+            const str = data.toString("utf-8");
+            stdout += str;
+            if (debug) {
+                (0, stdio_1.print2)(str);
+            }
+        });
+        child.stderr.on("data", (data) => {
+            const str = data.toString("utf-8");
+            stderr += str;
+            if (debug) {
+                (0, stdio_1.print2)(data.toString("utf-8"));
+            }
+        });
+        child.on("exit", (code) => {
+            if (debug) {
+                (0, stdio_1.print2)("Process exited with code " + code);
+            }
+            if (code !== 0) {
+                return reject(stderr);
+            }
+            resolve(stdout);
+        });
+        if (writeStdin) {
+            (_a = child.stdin) === null || _a === void 0 ? void 0 : _a.end();
+        }
+    });
+});
+exports.asyncSpawn = asyncSpawn;

package/dist/plugins/aws/ssh.d.ts

@@ -0,0 +1,13 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { SshRequest } from "../../commands/shared";
+import { AwsSsh } from "./types";
+export declare const awsRequestToSsh: (request: AwsSsh) => SshRequest;

package/dist/plugins/aws/ssh.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.awsRequestToSsh = void 0;
+const awsRequestToSsh = (request) => {
+    return {
+        id: request.permission.spec.instanceId,
+        accountId: request.permission.spec.accountId,
+        region: request.permission.spec.region,
+        role: request.generated.name,
+        linuxUserName: request.generated.ssh.linuxUserName,
+        type: "aws",
+    };
+};
+exports.awsRequestToSsh = awsRequestToSsh;

package/dist/plugins/aws/types.d.ts

@@ -8,6 +8,8 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+import { CliPermissionSpec, PermissionSpec } from "../../types/request";
+import { CommonSshPermissionSpec } from "../ssh/types";
 export declare type AwsCredentials = {
     AWS_ACCESS_KEY_ID: string;
     AWS_SECRET_ACCESS_KEY: string;
@@ -50,21 +52,21 @@ export declare type AwsItem = {
 export declare type AwsConfig = {
     "iam-write": Record<string, AwsItemConfig>;
 };
-export declare type AwsSsh = {
-    permission: {
-        spec: {
-            instanceId: string;
-            accountId: string;
-            region: string;
-        };
-        type: "session";
+export declare type AwsSshPermission = {
+    spec: CommonSshPermissionSpec & {
+        instanceId: string;
+        accountId: string;
+        region: string;
+        type: "aws";
     };
-    generated: {
-        name: string;
-        ssh: {
-            linuxUserName: string;
-            publicKey: string;
-        };
+    type: "session";
+};
+export declare type AwsSshGenerated = {
+    name: string;
+    ssh: {
+        linuxUserName: string;
     };
 };
+export declare type AwsPermissionSpec = PermissionSpec<"ssh", AwsSshPermission, AwsSshGenerated>;
+export declare type AwsSsh = CliPermissionSpec<AwsPermissionSpec>;
 export {};

package/dist/plugins/google/ssh-key.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Adds an ssh public key to the user object's sshPublicKeys array in Google Workspace.
+ * GCP OS Login uses these public keys to authenticate the user.
+ * Importing the same public key multiple times is idempotent.
+ *
+ * The user account and the access token is retrieved from the gcloud CLI.
+ *
+ * Returns the posix account to use for SSH access.
+ *
+ * See https://cloud.google.com/compute/docs/oslogin/rest/v1/users/importSshPublicKey
+ */
+export declare const importSshKey: (publicKey: string, options?: {
+    debug?: boolean;
+}) => Promise<string>;

package/dist/plugins/google/ssh-key.js

@@ -0,0 +1,80 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.importSshKey = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const subprocess_1 = require("../../common/subprocess");
+const stdio_1 = require("../../drivers/stdio");
+/**
+ * Adds an ssh public key to the user object's sshPublicKeys array in Google Workspace.
+ * GCP OS Login uses these public keys to authenticate the user.
+ * Importing the same public key multiple times is idempotent.
+ *
+ * The user account and the access token is retrieved from the gcloud CLI.
+ *
+ * Returns the posix account to use for SSH access.
+ *
+ * See https://cloud.google.com/compute/docs/oslogin/rest/v1/users/importSshPublicKey
+ */
+const importSshKey = (publicKey, options) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const debug = (_a = options === null || options === void 0 ? void 0 : options.debug) !== null && _a !== void 0 ? _a : false;
+    // Force debug=false otherwise it prints the access token
+    const accessToken = yield (0, subprocess_1.asyncSpawn)({ debug: false }, "gcloud", [
+        "auth",
+        "print-access-token",
+    ]);
+    const account = yield (0, subprocess_1.asyncSpawn)({ debug }, "gcloud", [
+        "config",
+        "get-value",
+        "account",
+    ]);
+    if (debug) {
+        (0, stdio_1.print2)(`Retrieved access token ${accessToken.slice(0, 10)}... for account ${account}`);
+    }
+    const url = `https://oslogin.googleapis.com/v1/users/${account}:importSshPublicKey`;
+    const response = yield fetch(url, {
+        method: "POST",
+        body: JSON.stringify({
+            key: publicKey,
+        }),
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Content-Type": "application/json",
+        },
+    });
+    const data = yield response.json();
+    if (debug) {
+        (0, stdio_1.print2)(`Login profile for user after importing public key: ${JSON.stringify(data)}`);
+    }
+    const { loginProfile } = data;
+    // Find the primary POSIX account for the user, or the first in the array
+    const linuxAccounts = loginProfile.posixAccounts.filter((account) => account.operatingSystemType === "LINUX");
+    const posixAccount = linuxAccounts.find((account) => account.primary) ||
+        loginProfile.posixAccounts[0];
+    if (debug) {
+        (0, stdio_1.print2)(`Picked linux user name: ${posixAccount === null || posixAccount === void 0 ? void 0 : posixAccount.username}`);
+    }
+    if (!posixAccount) {
+        throw "No POSIX accounts configured for the user. Ask your Google Workspace administrator to configure the user's POSIX account.";
+    }
+    return posixAccount.username;
+});
+exports.importSshKey = importSshKey;

package/dist/plugins/google/ssh.d.ts

@@ -0,0 +1,13 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { SshRequest } from "../../commands/shared";
+import { GcpSsh } from "./types";
+export declare const gcpRequestToSsh: (request: GcpSsh) => SshRequest;

package/dist/plugins/google/ssh.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.gcpRequestToSsh = void 0;
+const gcpRequestToSsh = (request) => {
+    return {
+        id: request.permission.spec.instanceName,
+        projectId: request.permission.spec.projectId,
+        zone: request.permission.spec.zone,
+        linuxUserName: request.cliLocalData.linuxUserName,
+        type: "gcloud",
+    };
+};
+exports.gcpRequestToSsh = gcpRequestToSsh;

package/dist/plugins/google/types.d.ts

@@ -0,0 +1,49 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { CliPermissionSpec, PermissionSpec } from "../../types/request";
+import { CommonSshPermissionSpec } from "../ssh/types";
+export declare type GcpSshPermission = {
+    spec: CommonSshPermissionSpec & {
+        instanceName: string;
+        projectId: string;
+        zone: string;
+        type: "gcloud";
+    };
+    type: "session";
+};
+export declare type GcpPermissionSpec = PermissionSpec<"ssh", GcpSshPermission>;
+export declare type GcpSsh = CliPermissionSpec<GcpPermissionSpec, {
+    linuxUserName: string;
+}>;
+declare type PosixAccount = {
+    username: string;
+    uid: string;
+    gid: string;
+    operatingSystemType: "LINUX" | "OPERATING_SYSTEM_TYPE_UNSPECIFIED" | "WINDOWS";
+    homeDirectory?: string;
+    primary?: boolean;
+};
+declare type SshPublicKey = {
+    key: string;
+    fingerprint?: string;
+    expirationTimeUsec?: number;
+};
+declare type LoginProfile = {
+    name: string;
+    posixAccounts: PosixAccount[];
+    sshPublicKeys: {
+        [fingerprint: string]: SshPublicKey;
+    };
+};
+export declare type ImportSshPublicKeyResponse = {
+    loginProfile: LoginProfile;
+};
+export {};

package/dist/plugins/google/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/plugins/{aws/ssm → ssh}/index.d.ts

@@ -8,6 +8,6 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { ScpCommandArgs, SshCommandArgs, SshRequest } from "../../../commands/shared";
-import { Authn } from "../../../types/identity";
+import { ScpCommandArgs, SshCommandArgs, SshRequest } from "../../commands/shared";
+import { Authn } from "../../types/identity";
 export declare const sshOrScp: (authn: Authn, data: SshRequest, cmdArgs: ScpCommandArgs | SshCommandArgs, privateKey: string) => Promise<number | null>;