@p0security/cli 0.8.0 → 0.8.2

package/dist/commands/__tests__/ssh.test.js

@@ -25,20 +25,20 @@ You should have received a copy of the GNU General Public License along with @p0
 const keys_1 = require("../../common/__mocks__/keys");
 const api_1 = require("../../drivers/api");
 const stdio_1 = require("../../drivers/stdio");
-const ssm_1 = require("../../plugins/aws/ssm");
+const ssh_1 = require("../../plugins/ssh");
 const firestore_1 = require("../../testing/firestore");
 const util_1 = require("../../util");
-const ssh_1 = require("../ssh");
+const ssh_2 = require("../ssh");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
 const yargs_1 = __importDefault(require("yargs"));
 jest.mock("../../drivers/api");
 jest.mock("../../drivers/auth");
 jest.mock("../../drivers/stdio");
-jest.mock("../../plugins/aws/ssm");
+jest.mock("../../plugins/ssh");
 jest.mock("../../common/keys");
 const mockFetchCommand = api_1.fetchCommand;
-const mockSshOrScp = ssm_1.sshOrScp;
+const mockSshOrScp = ssh_1.sshOrScp;
 const mockPrint1 = stdio_1.print1;
 const mockPrint2 = stdio_1.print2;
 const MOCK_REQUEST = {
@@ -47,7 +47,6 @@ const MOCK_REQUEST = {
         name: "name",
         ssh: {
             linuxUserName: "linuxUserName",
-            publicKey: keys_1.TEST_PUBLIC_KEY,
         },
     },
     permission: {
@@ -55,6 +54,8 @@ const MOCK_REQUEST = {
             instanceId: "instanceId",
             accountId: "accountId",
             region: "region",
+            publicKey: keys_1.TEST_PUBLIC_KEY,
+            type: "aws",
         },
     },
 };
@@ -91,19 +92,19 @@ describe("ssh", () => {
             });
         });
         it("should call p0 request with reason arg", () => __awaiter(void 0, void 0, void 0, function* () {
-            void (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance --reason reason`);
+            void (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance --reason reason --provider aws`);
             yield (0, util_1.sleep)(100);
             const hiddenFilenameRequestArgs = (0, lodash_1.omit)(mockFetchCommand.mock.calls[0][1], "$0");
             expect(hiddenFilenameRequestArgs).toMatchSnapshot("args");
         }));
         it("should wait for access grant", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
             const wait = (0, util_1.sleep)(100);
             yield Promise.race([wait, promise]);
             yield expect(wait).resolves.toBeUndefined();
         }));
         it("should wait for provisioning", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
                 status: "APPROVED",
@@ -113,7 +114,7 @@ describe("ssh", () => {
             yield expect(wait).resolves.toBeUndefined();
         }));
         it("should call sshOrScp with non-interactive command", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance do something`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance do something`);
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
                 status: "APPROVED",
@@ -126,7 +127,7 @@ describe("ssh", () => {
             expect(mockSshOrScp).toHaveBeenCalled();
         }));
         it("should call sshOrScp with interactive session", () => __awaiter(void 0, void 0, void 0, function* () {
-            const promise = (0, ssh_1.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
+            const promise = (0, ssh_2.sshCommand)((0, yargs_1.default)()).parse(`ssh some-instance`);
             yield (0, util_1.sleep)(100); // Need to wait for listen before trigger in tests
             firestore_2.onSnapshot.trigger({
                 status: "APPROVED",

package/dist/commands/scp.d.ts

@@ -1,3 +1,3 @@
-import { ScpCommandArgs } from "./shared";
+import { ScpCommandArgs } from "./shared/ssh";
 import yargs from "yargs";
 export declare const scpCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<ScpCommandArgs>;

package/dist/commands/scp.js

@@ -22,8 +22,9 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
-const ssm_1 = require("../plugins/aws/ssm");
-const shared_1 = require("./shared");
+const ssh_1 = require("../plugins/ssh");
+const ssh_2 = require("../types/ssh");
+const ssh_3 = require("./shared/ssh");
 const scpCommand = (yargs) => yargs.command("scp <source> <destination>", 
 // TODO (ENG-1930): support scp across multiple remote hosts.
 "SCP copies files between a local and remote host.", (yargs) => yargs
@@ -49,6 +50,11 @@ const scpCommand = (yargs) => yargs.command("scp <source> <destination>",
     .option("account", {
     type: "string",
     describe: "The account on which the instance is located",
+})
+    .option("provider", {
+    type: "string",
+    describe: "The cloud provider where the instance is hosted",
+    choices: ssh_2.SupportedSshProviders,
 })
     .option("sudo", {
     type: "boolean",
@@ -69,15 +75,15 @@ const scpAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     if (!host) {
         throw "Could not determine host identifier from source or destination";
     }
-    const result = yield (0, shared_1.provisionRequest)(authn, args, host);
+    const result = yield (0, ssh_3.provisionRequest)(authn, args, host);
     if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
     const { request, privateKey } = result;
-    const data = (0, shared_1.requestToSsh)(request);
+    const data = (0, ssh_3.requestToSsh)(request);
     // replace the host with the linuxUserName@instanceId
     const { source, destination } = replaceHostWithInstance(data, args);
-    yield (0, ssm_1.sshOrScp)(authn, data, Object.assign(Object.assign({}, args), { source,
+    yield (0, ssh_1.sshOrScp)(authn, data, Object.assign(Object.assign({}, args), { source,
         destination }), privateKey);
 });
 /** If a path is not explicitly local, use this pattern to determine if it's remote */

package/dist/commands/shared/index.d.ts

@@ -0,0 +1,4 @@
+import { Authn } from "../../types/identity";
+import { Request } from "../../types/request";
+/** Waits until P0 grants access for a request */
+export declare const waitForProvisioning: <P extends import("../../types/ssh").PluginSshRequest>(authn: Authn, requestId: string) => Promise<Request<P>>;

package/dist/commands/shared/index.js

@@ -0,0 +1,67 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.waitForProvisioning = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const firestore_1 = require("../../drivers/firestore");
+const request_1 = require("../../types/request");
+const firestore_2 = require("firebase/firestore");
+/** Maximum amount of time to wait after access is approved to wait for access
+ *  to be configured
+ */
+const GRANT_TIMEOUT_MILLIS = 60e3;
+/** Waits until P0 grants access for a request */
+const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void 0, function* () {
+    let cancel = undefined;
+    const result = yield new Promise((resolve, reject) => {
+        let isResolved = false;
+        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/permission-requests/${requestId}`), (snap) => {
+            const data = snap.data();
+            if (!data)
+                return;
+            if (request_1.DONE_STATUSES.includes(data.status)) {
+                resolve(data);
+            }
+            else if (request_1.DENIED_STATUSES.includes(data.status)) {
+                reject("Your access request was denied");
+            }
+            else if (request_1.ERROR_STATUSES.includes(data.status)) {
+                reject("Your access request encountered an error (see Slack for details)");
+            }
+            else {
+                return;
+            }
+            isResolved = true;
+            unsubscribe();
+        });
+        // Skip timeout in test; it holds a ref longer than the test lasts
+        if (process.env.NODE_ENV === "test")
+            return;
+        cancel = setTimeout(() => {
+            if (!isResolved) {
+                unsubscribe();
+                reject("Timeout awaiting SSH access grant");
+            }
+        }, GRANT_TIMEOUT_MILLIS);
+    });
+    clearTimeout(cancel);
+    return result;
+});
+exports.waitForProvisioning = waitForProvisioning;

package/dist/commands/{shared.d.ts → shared/ssh.d.ts}

@@ -1,24 +1,18 @@
-import { AwsSsh } from "../plugins/aws/types";
-import { Authn } from "../types/identity";
-import { Request } from "../types/request";
+import { Authn } from "../../types/identity";
+import { Request } from "../../types/request";
+import { CliSshRequest, SshRequest, SupportedSshProvider } from "../../types/ssh";
 import yargs from "yargs";
-export declare type SshRequest = {
-    linuxUserName: string;
-    role: string;
-    accountId: string;
-    region: string;
-    id: string;
-};
 export declare type BaseSshCommandArgs = {
     sudo?: boolean;
     reason?: string;
     account?: string;
+    provider?: SupportedSshProvider;
+    debug?: boolean;
 };
 export declare type ScpCommandArgs = BaseSshCommandArgs & {
     source: string;
     destination: string;
     recursive?: boolean;
-    debug?: boolean;
 };
 export declare type SshCommandArgs = BaseSshCommandArgs & {
     sudo?: boolean;
@@ -28,11 +22,10 @@ export declare type SshCommandArgs = BaseSshCommandArgs & {
     A?: boolean;
     arguments: string[];
     command?: string;
-    debug?: boolean;
 };
 export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<{
-    request: Request<AwsSsh>;
+    request: Request<CliSshRequest>;
     publicKey: string;
     privateKey: string;
 } | undefined>;
-export declare const requestToSsh: (request: AwsSsh) => SshRequest;
+export declare const requestToSsh: (request: Request<CliSshRequest>) => SshRequest;

package/dist/commands/{shared.js → shared/ssh.js}

@@ -20,75 +20,46 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const keys_1 = require("../common/keys");
-const firestore_1 = require("../drivers/firestore");
-const stdio_1 = require("../drivers/stdio");
-const request_1 = require("../types/request");
-const request_2 = require("./request");
+const _1 = require(".");
+const keys_1 = require("../../common/keys");
+const firestore_1 = require("../../drivers/firestore");
+const stdio_1 = require("../../drivers/stdio");
+const ssh_1 = require("../../plugins/aws/ssh");
+const ssh_2 = require("../../plugins/google/ssh");
+const ssh_3 = require("../../types/ssh");
+const request_1 = require("../request");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
-/** Maximum amount of time to wait after access is approved to wait for access
- *  to be configured
- */
-const GRANT_TIMEOUT_MILLIS = 60e3;
-const validateSshInstall = (authn) => __awaiter(void 0, void 0, void 0, function* () {
+const SSH_PROVIDERS = {
+    aws: ssh_1.awsSshProvider,
+    gcloud: ssh_2.gcpSshProvider,
+};
+const validateSshInstall = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
     var _a;
     const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/ssh`));
     const configItems = (_a = configDoc.data()) === null || _a === void 0 ? void 0 : _a["iam-write"];
-    const items = Object.entries(configItems !== null && configItems !== void 0 ? configItems : {}).filter(([key, value]) => value.state == "installed" && key.startsWith("aws"));
+    const providersToCheck = args.provider
+        ? [args.provider]
+        : ssh_3.SupportedSshProviders;
+    const items = Object.entries(configItems !== null && configItems !== void 0 ? configItems : {}).filter(([key, value]) => value.state == "installed" &&
+        providersToCheck.some((prefix) => key.startsWith(prefix)));
     if (items.length === 0) {
         throw "This organization is not configured for SSH access via the P0 CLI";
     }
 });
-/** Waits until P0 grants access for a request */
-const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void 0, function* () {
-    let cancel = undefined;
-    const result = yield new Promise((resolve, reject) => {
-        let isResolved = false;
-        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/permission-requests/${requestId}`), (snap) => {
-            const data = snap.data();
-            if (!data)
-                return;
-            if (request_1.DONE_STATUSES.includes(data.status)) {
-                resolve(data);
-            }
-            else if (request_1.DENIED_STATUSES.includes(data.status)) {
-                reject("Your access request was denied");
-            }
-            else if (request_1.ERROR_STATUSES.includes(data.status)) {
-                reject("Your access request encountered an error (see Slack for details)");
-            }
-            else {
-                return;
-            }
-            isResolved = true;
-            unsubscribe();
-        });
-        // Skip timeout in test; it holds a ref longer than the test lasts
-        if (process.env.NODE_ENV === "test")
-            return;
-        cancel = setTimeout(() => {
-            if (!isResolved) {
-                unsubscribe();
-                reject("Timeout awaiting SSH access grant");
-            }
-        }, GRANT_TIMEOUT_MILLIS);
-    });
-    clearTimeout(cancel);
-    return result;
+const pluginToCliRequest = (request, options) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield SSH_PROVIDERS[request.permission.spec.type].toCliRequest(request, options);
 });
 const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0, void 0, function* () {
-    yield validateSshInstall(authn);
+    yield validateSshInstall(authn, args);
     const { publicKey, privateKey } = yield (0, keys_1.createKeyPair)();
-    const response = yield (0, request_2.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
+    const response = yield (0, request_1.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
             "ssh",
             "session",
             destination,
             "--public-key",
             publicKey,
-            // Prefix is required because the backend uses it to determine that this is an AWS request
-            "--provider",
-            "aws",
+            ...(args.provider ? ["--provider", args.provider] : []),
             ...(args.sudo || args.command === "sudo" ? ["--sudo"] : []),
             ...(args.reason ? ["--reason", args.reason] : []),
             ...(args.account ? ["--account", args.account] : []),
@@ -100,20 +71,15 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     const { id, isPreexisting } = response;
     if (!isPreexisting)
         (0, stdio_1.print2)("Waiting for access to be provisioned");
-    const provisionedRequest = yield waitForProvisioning(authn, id);
-    if (provisionedRequest.generated.ssh.publicKey !== publicKey) {
+    const provisionedRequest = yield (0, _1.waitForProvisioning)(authn, id);
+    if (provisionedRequest.permission.spec.publicKey !== publicKey) {
         throw "Public key mismatch. Please revoke the request and try again.";
     }
-    return { request: provisionedRequest, publicKey, privateKey };
+    const cliRequest = yield pluginToCliRequest(provisionedRequest, {
+        debug: args.debug,
+    });
+    return { request: cliRequest, publicKey, privateKey };
 });
 exports.provisionRequest = provisionRequest;
-const requestToSsh = (request) => {
-    return {
-        id: request.permission.spec.instanceId,
-        accountId: request.permission.spec.accountId,
-        region: request.permission.spec.region,
-        role: request.generated.name,
-        linuxUserName: request.generated.ssh.linuxUserName,
-    };
-};
+const requestToSsh = (request) => SSH_PROVIDERS[request.permission.spec.type].requestToSsh(request);
 exports.requestToSsh = requestToSsh;

package/dist/commands/ssh.d.ts

@@ -1,3 +1,3 @@
-import { SshCommandArgs } from "./shared";
+import { SshCommandArgs } from "./shared/ssh";
 import yargs from "yargs";
 export declare const sshCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<SshCommandArgs>;

package/dist/commands/ssh.js

@@ -22,8 +22,8 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
-const ssm_1 = require("../plugins/aws/ssm");
-const shared_1 = require("./shared");
+const ssh_1 = require("../plugins/ssh");
+const ssh_2 = require("./shared/ssh");
 const sshCommand = (yargs) => yargs.command("ssh <destination> [command [arguments..]]", "SSH into a virtual machine", (yargs) => yargs
     .positional("destination", {
     type: "string",
@@ -64,6 +64,11 @@ const sshCommand = (yargs) => yargs.command("ssh <destination> [command [argumen
     .option("account", {
     type: "string",
     describe: "The account on which the instance is located",
+})
+    .option("provider", {
+    type: "string",
+    describe: "The cloud provider where the instance is hosted",
+    choices: ["aws", "gcloud"],
 })
     .option("debug", {
     type: "boolean",
@@ -81,9 +86,10 @@ const sshAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     // Prefix is required because the backend uses it to determine that this is an AWS request
     const authn = yield (0, auth_1.authenticate)();
     const destination = args.destination;
-    const result = yield (0, shared_1.provisionRequest)(authn, args, destination);
+    const result = yield (0, ssh_2.provisionRequest)(authn, args, destination);
     if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
-    yield (0, ssm_1.sshOrScp)(authn, (0, shared_1.requestToSsh)(result.request), Object.assign(Object.assign({}, args), { destination }), result.privateKey);
+    const { request, privateKey } = result;
+    yield (0, ssh_1.sshOrScp)(authn, (0, ssh_2.requestToSsh)(request), Object.assign(Object.assign({}, args), { destination }), privateKey);
 });

package/dist/common/retry.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Retries an operation with a delay between retries
+ * @param operation operation to retry
+ * @param shouldRetry predicate to evaluate on error; will retry only if this is true
+ * @param retries number of retries
+ * @param delay time to wait before retrying
+ * @returns
+ */
+export declare function retryWithSleep<T>(operation: () => Promise<T>, shouldRetry: (error: unknown) => boolean, retries?: number, delayMs?: number): Promise<T>;

package/dist/common/retry.js

@@ -0,0 +1,50 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.retryWithSleep = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const util_1 = require("../util");
+const MAX_RETRIES = 3;
+const MAX_RETRY_BACK_OFF_TIME = 10000;
+/**
+ * Retries an operation with a delay between retries
+ * @param operation operation to retry
+ * @param shouldRetry predicate to evaluate on error; will retry only if this is true
+ * @param retries number of retries
+ * @param delay time to wait before retrying
+ * @returns
+ */
+function retryWithSleep(operation, shouldRetry, retries = MAX_RETRIES, delayMs = MAX_RETRY_BACK_OFF_TIME) {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            return yield operation();
+        }
+        catch (error) {
+            if (shouldRetry(error)) {
+                if (retries > 0) {
+                    yield (0, util_1.sleep)(delayMs);
+                    return yield retryWithSleep(operation, shouldRetry, retries - 1);
+                }
+            }
+            throw error;
+        }
+    });
+}
+exports.retryWithSleep = retryWithSleep;

package/dist/common/subprocess.d.ts

@@ -0,0 +1,10 @@
+import { AgentArgs } from "../plugins/ssh-agent/types";
+import { SpawnOptionsWithoutStdio } from "node:child_process";
+/** Spawns a subprocess with given command, args, and options.
+ * May write content to its standard input.
+ * Stdout and stderr of the subprocess is printed to stderr in debug mode.
+ * The returned promise resolves with stdout or rejects with stderr of the subprocess.
+ *
+ * The captured output is expected to be relatively small.
+ * For larger outputs we should implement this with streams. */
+export declare const asyncSpawn: ({ debug }: AgentArgs, command: string, args?: ReadonlyArray<string>, options?: SpawnOptionsWithoutStdio, writeStdin?: string) => Promise<string>;

package/dist/common/subprocess.js

@@ -0,0 +1,72 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.asyncSpawn = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const stdio_1 = require("../drivers/stdio");
+const node_child_process_1 = require("node:child_process");
+/** Spawns a subprocess with given command, args, and options.
+ * May write content to its standard input.
+ * Stdout and stderr of the subprocess is printed to stderr in debug mode.
+ * The returned promise resolves with stdout or rejects with stderr of the subprocess.
+ *
+ * The captured output is expected to be relatively small.
+ * For larger outputs we should implement this with streams. */
+const asyncSpawn = ({ debug }, command, args, options, writeStdin) => __awaiter(void 0, void 0, void 0, function* () {
+    return new Promise((resolve, reject) => {
+        var _a;
+        const child = (0, node_child_process_1.spawn)(command, args, options);
+        // Use streams for larger output
+        let stdout = "";
+        let stderr = "";
+        if (writeStdin) {
+            if (!child.stdin)
+                return reject("Child process has no stdin");
+            child.stdin.write(writeStdin);
+        }
+        child.stdout.on("data", (data) => {
+            const str = data.toString("utf-8");
+            stdout += str;
+            if (debug) {
+                (0, stdio_1.print2)(str);
+            }
+        });
+        child.stderr.on("data", (data) => {
+            const str = data.toString("utf-8");
+            stderr += str;
+            if (debug) {
+                (0, stdio_1.print2)(data.toString("utf-8"));
+            }
+        });
+        child.on("exit", (code) => {
+            if (debug) {
+                (0, stdio_1.print2)("Process exited with code " + code);
+            }
+            if (code !== 0) {
+                return reject(stderr);
+            }
+            resolve(stdout);
+        });
+        if (writeStdin) {
+            (_a = child.stdin) === null || _a === void 0 ? void 0 : _a.end();
+        }
+    });
+});
+exports.asyncSpawn = asyncSpawn;

package/dist/drivers/auth.d.ts

@@ -2,7 +2,7 @@ import { Authn, Identity } from "../types/identity";
 export declare const IDENTITY_FILE_PATH: string;
 export declare const cached: <T>(name: string, loader: () => Promise<T>, options: {
     duration: number;
-}) => Promise<T>;
+}, hasExpired?: ((data: T) => boolean) | undefined) => Promise<T>;
 export declare const loadCredentials: (options?: {
     noRefresh?: boolean;
 }) => Promise<Identity>;

package/dist/drivers/auth.js

@@ -51,7 +51,7 @@ const auth_1 = require("firebase/auth");
 const fs = __importStar(require("fs/promises"));
 const path = __importStar(require("path"));
 exports.IDENTITY_FILE_PATH = path.join(util_1.P0_PATH, "identity.json");
-const cached = (name, loader, options) => __awaiter(void 0, void 0, void 0, function* () {
+const cached = (name, loader, options, hasExpired) => __awaiter(void 0, void 0, void 0, function* () {
     var _a;
     const cachePath = path.join(path.dirname(exports.IDENTITY_FILE_PATH), "cache");
     // Following lines sanitize input
@@ -74,8 +74,12 @@ const cached = (name, loader, options) => __awaiter(void 0, void 0, void 0, func
             yield fs.rm(loc);
             return yield loadCache();
         }
-        const data = yield fs.readFile(loc);
-        return JSON.parse(data.toString("utf-8"));
+        const data = JSON.parse((yield fs.readFile(loc)).toString("utf-8"));
+        if (hasExpired === null || hasExpired === void 0 ? void 0 : hasExpired(data)) {
+            yield fs.rm(loc);
+            return yield loadCache();
+        }
+        return data;
     }
     catch (error) {
         if ((error === null || error === void 0 ? void 0 : error.code) !== "ENOENT")

package/dist/plugins/aws/config.d.ts

@@ -4,7 +4,7 @@ export declare const getAwsConfig: (authn: Authn, account: string | undefined) =
     config: {
         label?: string | undefined;
         state: string;
-        login?: (import("./types").AwsIamLogin | import("./types").AwsIdcLogin | import("./types").AwsFederatedLogin) | undefined;
+        login?: import("./types").AwsLogin | undefined;
         id: string;
     };
 }>;

package/dist/plugins/aws/idc/index.d.ts

@@ -0,0 +1,16 @@
+import { AWSClientInformation } from "../../../types/aws/oidc";
+import { AwsCredentials } from "../types";
+export declare const registerClient: (region: string) => Promise<AWSClientInformation>;
+/**
+ * Returns AWS credentials for the specified account and permission set for the authorized user
+ * @param args accountId, permissionSet and idc to assume role associated with the permission set
+ * @returns
+ */
+export declare const assumeRoleWithIdc: (args: {
+    accountId?: string;
+    permissionSet: string;
+    idc: {
+        id: string;
+        region: string;
+    };
+}) => Promise<AwsCredentials>;