@p0security/cli 0.8.1 → 0.8.2

package/dist/commands/scp.d.ts

@@ -1,3 +1,3 @@
-import { ScpCommandArgs } from "./shared";
+import { ScpCommandArgs } from "./shared/ssh";
 import yargs from "yargs";
 export declare const scpCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<ScpCommandArgs>;

package/dist/commands/scp.js

@@ -23,7 +23,8 @@ You should have received a copy of the GNU General Public License along with @p0
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
 const ssh_1 = require("../plugins/ssh");
-const shared_1 = require("./shared");
+const ssh_2 = require("../types/ssh");
+const ssh_3 = require("./shared/ssh");
 const scpCommand = (yargs) => yargs.command("scp <source> <destination>", 
 // TODO (ENG-1930): support scp across multiple remote hosts.
 "SCP copies files between a local and remote host.", (yargs) => yargs
@@ -53,7 +54,7 @@ const scpCommand = (yargs) => yargs.command("scp <source> <destination>",
     .option("provider", {
     type: "string",
     describe: "The cloud provider where the instance is hosted",
-    choices: shared_1.SUPPORTED_PROVIDERS,
+    choices: ssh_2.SupportedSshProviders,
 })
     .option("sudo", {
     type: "boolean",
@@ -74,12 +75,12 @@ const scpAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     if (!host) {
         throw "Could not determine host identifier from source or destination";
     }
-    const result = yield (0, shared_1.provisionRequest)(authn, args, host);
+    const result = yield (0, ssh_3.provisionRequest)(authn, args, host);
     if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
     const { request, privateKey } = result;
-    const data = (0, shared_1.requestToSsh)(request);
+    const data = (0, ssh_3.requestToSsh)(request);
     // replace the host with the linuxUserName@instanceId
     const { source, destination } = replaceHostWithInstance(data, args);
     yield (0, ssh_1.sshOrScp)(authn, data, Object.assign(Object.assign({}, args), { source,

package/dist/commands/shared/index.d.ts

@@ -0,0 +1,4 @@
+import { Authn } from "../../types/identity";
+import { Request } from "../../types/request";
+/** Waits until P0 grants access for a request */
+export declare const waitForProvisioning: <P extends import("../../types/ssh").PluginSshRequest>(authn: Authn, requestId: string) => Promise<Request<P>>;

package/dist/commands/shared/index.js

@@ -0,0 +1,67 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.waitForProvisioning = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const firestore_1 = require("../../drivers/firestore");
+const request_1 = require("../../types/request");
+const firestore_2 = require("firebase/firestore");
+/** Maximum amount of time to wait after access is approved to wait for access
+ *  to be configured
+ */
+const GRANT_TIMEOUT_MILLIS = 60e3;
+/** Waits until P0 grants access for a request */
+const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void 0, function* () {
+    let cancel = undefined;
+    const result = yield new Promise((resolve, reject) => {
+        let isResolved = false;
+        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/permission-requests/${requestId}`), (snap) => {
+            const data = snap.data();
+            if (!data)
+                return;
+            if (request_1.DONE_STATUSES.includes(data.status)) {
+                resolve(data);
+            }
+            else if (request_1.DENIED_STATUSES.includes(data.status)) {
+                reject("Your access request was denied");
+            }
+            else if (request_1.ERROR_STATUSES.includes(data.status)) {
+                reject("Your access request encountered an error (see Slack for details)");
+            }
+            else {
+                return;
+            }
+            isResolved = true;
+            unsubscribe();
+        });
+        // Skip timeout in test; it holds a ref longer than the test lasts
+        if (process.env.NODE_ENV === "test")
+            return;
+        cancel = setTimeout(() => {
+            if (!isResolved) {
+                unsubscribe();
+                reject("Timeout awaiting SSH access grant");
+            }
+        }, GRANT_TIMEOUT_MILLIS);
+    });
+    clearTimeout(cancel);
+    return result;
+});
+exports.waitForProvisioning = waitForProvisioning;

package/dist/commands/{shared.d.ts → shared/ssh.d.ts}

@@ -1,28 +1,12 @@
-import { Authn } from "../types/identity";
-import { CliRequest, Request } from "../types/request";
+import { Authn } from "../../types/identity";
+import { Request } from "../../types/request";
+import { CliSshRequest, SshRequest, SupportedSshProvider } from "../../types/ssh";
 import yargs from "yargs";
-export declare const SUPPORTED_PROVIDERS: string[];
-export declare type SshRequest = AwsSshRequest | GcpSshRequest;
-export declare type AwsSshRequest = {
-    linuxUserName: string;
-    role: string;
-    accountId: string;
-    region: string;
-    id: string;
-    type: "aws";
-};
-export declare type GcpSshRequest = {
-    linuxUserName: string;
-    projectId: string;
-    zone: string;
-    id: string;
-    type: "gcloud";
-};
 export declare type BaseSshCommandArgs = {
     sudo?: boolean;
     reason?: string;
     account?: string;
-    provider?: "aws" | "gcloud";
+    provider?: SupportedSshProvider;
     debug?: boolean;
 };
 export declare type ScpCommandArgs = BaseSshCommandArgs & {
@@ -40,8 +24,8 @@ export declare type SshCommandArgs = BaseSshCommandArgs & {
     command?: string;
 };
 export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<{
-    request: Request<CliRequest>;
+    request: Request<CliSshRequest>;
     publicKey: string;
     privateKey: string;
 } | undefined>;
-export declare const requestToSsh: (request: Request<CliRequest>) => SshRequest;
+export declare const requestToSsh: (request: Request<CliSshRequest>) => SshRequest;

package/dist/commands/{shared.js → shared/ssh.js}

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.requestToSsh = exports.provisionRequest = exports.SUPPORTED_PROVIDERS = void 0;
+exports.requestToSsh = exports.provisionRequest = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -20,86 +20,40 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const keys_1 = require("../common/keys");
-const firestore_1 = require("../drivers/firestore");
-const stdio_1 = require("../drivers/stdio");
-const ssh_1 = require("../plugins/aws/ssh");
-const ssh_2 = require("../plugins/google/ssh");
-const ssh_key_1 = require("../plugins/google/ssh-key");
-const request_1 = require("../types/request");
-const util_1 = require("../util");
-const request_2 = require("./request");
+const _1 = require(".");
+const keys_1 = require("../../common/keys");
+const firestore_1 = require("../../drivers/firestore");
+const stdio_1 = require("../../drivers/stdio");
+const ssh_1 = require("../../plugins/aws/ssh");
+const ssh_2 = require("../../plugins/google/ssh");
+const ssh_3 = require("../../types/ssh");
+const request_1 = require("../request");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
-/** Maximum amount of time to wait after access is approved to wait for access
- *  to be configured
- */
-const GRANT_TIMEOUT_MILLIS = 60e3;
-// The prefix of installed SSH accounts in P0 is the provider name
-exports.SUPPORTED_PROVIDERS = ["aws", "gcloud"];
+const SSH_PROVIDERS = {
+    aws: ssh_1.awsSshProvider,
+    gcloud: ssh_2.gcpSshProvider,
+};
 const validateSshInstall = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
     var _a;
     const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/ssh`));
     const configItems = (_a = configDoc.data()) === null || _a === void 0 ? void 0 : _a["iam-write"];
     const providersToCheck = args.provider
         ? [args.provider]
-        : exports.SUPPORTED_PROVIDERS;
+        : ssh_3.SupportedSshProviders;
     const items = Object.entries(configItems !== null && configItems !== void 0 ? configItems : {}).filter(([key, value]) => value.state == "installed" &&
         providersToCheck.some((prefix) => key.startsWith(prefix)));
     if (items.length === 0) {
         throw "This organization is not configured for SSH access via the P0 CLI";
     }
 });
-/** Waits until P0 grants access for a request */
-const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void 0, function* () {
-    let cancel = undefined;
-    const result = yield new Promise((resolve, reject) => {
-        let isResolved = false;
-        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/permission-requests/${requestId}`), (snap) => {
-            const data = snap.data();
-            if (!data)
-                return;
-            if (request_1.DONE_STATUSES.includes(data.status)) {
-                resolve(data);
-            }
-            else if (request_1.DENIED_STATUSES.includes(data.status)) {
-                reject("Your access request was denied");
-            }
-            else if (request_1.ERROR_STATUSES.includes(data.status)) {
-                reject("Your access request encountered an error (see Slack for details)");
-            }
-            else {
-                return;
-            }
-            isResolved = true;
-            unsubscribe();
-        });
-        // Skip timeout in test; it holds a ref longer than the test lasts
-        if (process.env.NODE_ENV === "test")
-            return;
-        cancel = setTimeout(() => {
-            if (!isResolved) {
-                unsubscribe();
-                reject("Timeout awaiting SSH access grant");
-            }
-        }, GRANT_TIMEOUT_MILLIS);
-    });
-    clearTimeout(cancel);
-    return result;
-});
 const pluginToCliRequest = (request, options) => __awaiter(void 0, void 0, void 0, function* () {
-    return request.permission.spec.type === "gcloud"
-        ? Object.assign(Object.assign({}, request), { cliLocalData: {
-                linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
-            } })
-        : request.permission.spec.type === "aws"
-            ? request
-            : (0, util_1.throwAssertNever)(request.permission.spec);
+    return yield SSH_PROVIDERS[request.permission.spec.type].toCliRequest(request, options);
 });
 const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0, void 0, function* () {
     yield validateSshInstall(authn, args);
     const { publicKey, privateKey } = yield (0, keys_1.createKeyPair)();
-    const response = yield (0, request_2.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
+    const response = yield (0, request_1.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
             "ssh",
             "session",
             destination,
@@ -117,7 +71,7 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     const { id, isPreexisting } = response;
     if (!isPreexisting)
         (0, stdio_1.print2)("Waiting for access to be provisioned");
-    const provisionedRequest = yield waitForProvisioning(authn, id);
+    const provisionedRequest = yield (0, _1.waitForProvisioning)(authn, id);
     if (provisionedRequest.permission.spec.publicKey !== publicKey) {
         throw "Public key mismatch. Please revoke the request and try again.";
     }
@@ -127,15 +81,5 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     return { request: cliRequest, publicKey, privateKey };
 });
 exports.provisionRequest = provisionRequest;
-const requestToSsh = (request) => {
-    if (request.permission.spec.type === "aws") {
-        return (0, ssh_1.awsRequestToSsh)(request);
-    }
-    else if (request.permission.spec.type === "gcloud") {
-        return (0, ssh_2.gcpRequestToSsh)(request);
-    }
-    else {
-        throw (0, util_1.assertNever)(request.permission.spec);
-    }
-};
+const requestToSsh = (request) => SSH_PROVIDERS[request.permission.spec.type].requestToSsh(request);
 exports.requestToSsh = requestToSsh;

package/dist/commands/ssh.d.ts

@@ -1,3 +1,3 @@
-import { SshCommandArgs } from "./shared";
+import { SshCommandArgs } from "./shared/ssh";
 import yargs from "yargs";
 export declare const sshCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<SshCommandArgs>;

package/dist/commands/ssh.js

@@ -23,7 +23,7 @@ You should have received a copy of the GNU General Public License along with @p0
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
 const ssh_1 = require("../plugins/ssh");
-const shared_1 = require("./shared");
+const ssh_2 = require("./shared/ssh");
 const sshCommand = (yargs) => yargs.command("ssh <destination> [command [arguments..]]", "SSH into a virtual machine", (yargs) => yargs
     .positional("destination", {
     type: "string",
@@ -86,10 +86,10 @@ const sshAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     // Prefix is required because the backend uses it to determine that this is an AWS request
     const authn = yield (0, auth_1.authenticate)();
     const destination = args.destination;
-    const result = yield (0, shared_1.provisionRequest)(authn, args, destination);
+    const result = yield (0, ssh_2.provisionRequest)(authn, args, destination);
     if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
     const { request, privateKey } = result;
-    yield (0, ssh_1.sshOrScp)(authn, (0, shared_1.requestToSsh)(request), Object.assign(Object.assign({}, args), { destination }), privateKey);
+    yield (0, ssh_1.sshOrScp)(authn, (0, ssh_2.requestToSsh)(request), Object.assign(Object.assign({}, args), { destination }), privateKey);
 });

package/dist/common/retry.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Retries an operation with a delay between retries
+ * @param operation operation to retry
+ * @param shouldRetry predicate to evaluate on error; will retry only if this is true
+ * @param retries number of retries
+ * @param delay time to wait before retrying
+ * @returns
+ */
+export declare function retryWithSleep<T>(operation: () => Promise<T>, shouldRetry: (error: unknown) => boolean, retries?: number, delayMs?: number): Promise<T>;

package/dist/common/retry.js

@@ -0,0 +1,50 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.retryWithSleep = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const util_1 = require("../util");
+const MAX_RETRIES = 3;
+const MAX_RETRY_BACK_OFF_TIME = 10000;
+/**
+ * Retries an operation with a delay between retries
+ * @param operation operation to retry
+ * @param shouldRetry predicate to evaluate on error; will retry only if this is true
+ * @param retries number of retries
+ * @param delay time to wait before retrying
+ * @returns
+ */
+function retryWithSleep(operation, shouldRetry, retries = MAX_RETRIES, delayMs = MAX_RETRY_BACK_OFF_TIME) {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            return yield operation();
+        }
+        catch (error) {
+            if (shouldRetry(error)) {
+                if (retries > 0) {
+                    yield (0, util_1.sleep)(delayMs);
+                    return yield retryWithSleep(operation, shouldRetry, retries - 1);
+                }
+            }
+            throw error;
+        }
+    });
+}
+exports.retryWithSleep = retryWithSleep;

package/dist/drivers/auth.d.ts

@@ -2,7 +2,7 @@ import { Authn, Identity } from "../types/identity";
 export declare const IDENTITY_FILE_PATH: string;
 export declare const cached: <T>(name: string, loader: () => Promise<T>, options: {
     duration: number;
-}) => Promise<T>;
+}, hasExpired?: ((data: T) => boolean) | undefined) => Promise<T>;
 export declare const loadCredentials: (options?: {
     noRefresh?: boolean;
 }) => Promise<Identity>;

package/dist/drivers/auth.js

@@ -51,7 +51,7 @@ const auth_1 = require("firebase/auth");
 const fs = __importStar(require("fs/promises"));
 const path = __importStar(require("path"));
 exports.IDENTITY_FILE_PATH = path.join(util_1.P0_PATH, "identity.json");
-const cached = (name, loader, options) => __awaiter(void 0, void 0, void 0, function* () {
+const cached = (name, loader, options, hasExpired) => __awaiter(void 0, void 0, void 0, function* () {
     var _a;
     const cachePath = path.join(path.dirname(exports.IDENTITY_FILE_PATH), "cache");
     // Following lines sanitize input
@@ -74,8 +74,12 @@ const cached = (name, loader, options) => __awaiter(void 0, void 0, void 0, func
             yield fs.rm(loc);
             return yield loadCache();
         }
-        const data = yield fs.readFile(loc);
-        return JSON.parse(data.toString("utf-8"));
+        const data = JSON.parse((yield fs.readFile(loc)).toString("utf-8"));
+        if (hasExpired === null || hasExpired === void 0 ? void 0 : hasExpired(data)) {
+            yield fs.rm(loc);
+            return yield loadCache();
+        }
+        return data;
     }
     catch (error) {
         if ((error === null || error === void 0 ? void 0 : error.code) !== "ENOENT")

package/dist/plugins/aws/config.d.ts

@@ -4,7 +4,7 @@ export declare const getAwsConfig: (authn: Authn, account: string | undefined) =
     config: {
         label?: string | undefined;
         state: string;
-        login?: (import("./types").AwsIamLogin | import("./types").AwsIdcLogin | import("./types").AwsFederatedLogin) | undefined;
+        login?: import("./types").AwsLogin | undefined;
         id: string;
     };
 }>;

package/dist/plugins/aws/idc/index.d.ts

@@ -0,0 +1,16 @@
+import { AWSClientInformation } from "../../../types/aws/oidc";
+import { AwsCredentials } from "../types";
+export declare const registerClient: (region: string) => Promise<AWSClientInformation>;
+/**
+ * Returns AWS credentials for the specified account and permission set for the authorized user
+ * @param args accountId, permissionSet and idc to assume role associated with the permission set
+ * @returns
+ */
+export declare const assumeRoleWithIdc: (args: {
+    accountId?: string;
+    permissionSet: string;
+    idc: {
+        id: string;
+        region: string;
+    };
+}) => Promise<AwsCredentials>;

package/dist/plugins/aws/idc/index.js

@@ -0,0 +1,150 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assumeRoleWithIdc = exports.registerClient = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const fetch_1 = require("../../../common/fetch");
+const retry_1 = require("../../../common/retry");
+const auth_1 = require("../../../drivers/auth");
+const login_1 = require("../../oidc/login");
+const HOURS = 60 * 60 * 1000;
+const DAYS = 24 * HOURS;
+const AWS_TOKEN_EXPIRY = 1 * HOURS;
+const AWS_CLIENT_TOKEN_EXPIRY = 90 * DAYS; // the token has lifetime of 90 days
+const AWS_SSO_SCOPES = ["sso:account:access"];
+const registerClient = (region) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield (0, auth_1.cached)("aws-idc-client", () => __awaiter(void 0, void 0, void 0, function* () {
+        const init = {
+            method: "POST",
+            body: JSON.stringify({
+                clientName: "p0Cli",
+                clientType: "public",
+                grantTypes: [login_1.DEVICE_GRANT_TYPE],
+                scopes: AWS_SSO_SCOPES,
+            }),
+        };
+        const response = yield fetch(`https://oidc.${region}.amazonaws.com/client/register`, init);
+        return yield response.json();
+    }), { duration: AWS_CLIENT_TOKEN_EXPIRY }, (data) => data.clientSecretExpiresAt
+        ? data.clientSecretExpiresAt < Date.now()
+        : true);
+});
+exports.registerClient = registerClient;
+const awsIdcHelpers = (clientCredentials, idc) => {
+    const { clientId, clientSecret } = clientCredentials;
+    const { id, region } = idc;
+    const buildOidcAuthorizeRequest = () => ({
+        init: {
+            method: "POST",
+            body: JSON.stringify({
+                clientId,
+                clientSecret,
+                startUrl: `https://${id}.awsapps.com/start`,
+            }),
+        },
+        url: `https://oidc.${region}.amazonaws.com/device_authorization`,
+    });
+    const buildIdcTokenRequest = (authorizeResponse) => ({
+        url: `https://oidc.${region}.amazonaws.com/token`,
+        init: {
+            method: "POST",
+            body: JSON.stringify({
+                clientId,
+                clientSecret,
+                deviceCode: authorizeResponse.deviceCode,
+                grantType: login_1.DEVICE_GRANT_TYPE,
+            }),
+        },
+    });
+    /**
+     * Exchanges the oidc token for AWS credentials for a given account and permission set
+     * @param oidcResponse oidc token response fot he oidc /token endpoint
+     * @param request accountId and permissionSet to exchange for AWS credentials
+     * @returns
+     */
+    const exchangeForAwsCredentials = (oidcResponse, request) => __awaiter(void 0, void 0, void 0, function* () {
+        // There is a delay in between aws issuing the sso token and it being available for exchange for AWS credentials
+        // When exchanging token immediately, an "unauthorized" may will be thrown, so retry with sleep.
+        return yield (0, retry_1.retryWithSleep)(() => __awaiter(void 0, void 0, void 0, function* () {
+            const init = {
+                method: "GET",
+                headers: {
+                    "x-amz-sso_bearer_token": oidcResponse.accessToken,
+                },
+            };
+            const { accountId, permissionSet } = request;
+            if (accountId === undefined)
+                throw new Error("Could not find an AWS account ID for this access request");
+            const params = new URLSearchParams();
+            params.append("account_id", accountId);
+            params.append("role_name", permissionSet);
+            const response = yield fetch(`https://portal.sso.${region}.amazonaws.com/federation/credentials?${params.toString()}`, init);
+            if (!response.ok)
+                throw new Error(`Failed to fetch AWS credentials: ${response.statusText}: ${yield response.text()}`);
+            return yield response.json();
+        }), () => true, 3);
+    });
+    return {
+        loginSteps: {
+            providerType: "aws-oidc",
+            validateResponse: fetch_1.validateResponse,
+            buildAuthorizeRequest: buildOidcAuthorizeRequest,
+            buildTokenRequest: buildIdcTokenRequest,
+            processAuthzExpiry: (authorize) => ({
+                expires_in: authorize.expiresIn,
+                interval: authorize.interval,
+            }),
+            processAuthzResponse: (authorize) => ({
+                user_code: authorize.userCode,
+                verification_uri_complete: authorize.verificationUriComplete,
+            }),
+        },
+        exchangeForAwsCredentials,
+    };
+};
+/**
+ * Returns AWS credentials for the specified account and permission set for the authorized user
+ * @param args accountId, permissionSet and idc to assume role associated with the permission set
+ * @returns
+ */
+const assumeRoleWithIdc = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield (0, auth_1.cached)(`aws-idc-${args.accountId}-${args.permissionSet}`, () => __awaiter(void 0, void 0, void 0, function* () {
+        const { idc } = args;
+        const { region } = idc;
+        const clientSecrets = yield (0, exports.registerClient)(region);
+        const { loginSteps, exchangeForAwsCredentials } = awsIdcHelpers(clientSecrets, idc);
+        const oidcResponse = yield (0, auth_1.cached)("aws-idc-device-authorization", () => __awaiter(void 0, void 0, void 0, function* () {
+            const data = yield (0, login_1.oidcLogin)(loginSteps);
+            return Object.assign(Object.assign({}, data), { expiresAt: Date.now() + data.expiresIn * 1e3 });
+        }), { duration: AWS_TOKEN_EXPIRY }, (data) => (data.expiresAt ? data.expiresAt < Date.now() : true));
+        const credentials = yield exchangeForAwsCredentials(oidcResponse, {
+            accountId: args.accountId,
+            permissionSet: args.permissionSet,
+        });
+        return {
+            AWS_ACCESS_KEY_ID: credentials.roleCredentials.accessKeyId,
+            AWS_SECRET_ACCESS_KEY: credentials.roleCredentials.secretAccessKey,
+            AWS_SESSION_TOKEN: credentials.roleCredentials.sessionToken,
+            AWS_SECURITY_TOKEN: credentials.roleCredentials.sessionToken,
+            expiresAt: credentials.roleCredentials.expiration,
+        };
+    }), { duration: AWS_TOKEN_EXPIRY }, (data) => (data.expiresAt ? data.expiresAt < Date.now() : true));
+});
+exports.assumeRoleWithIdc = assumeRoleWithIdc;

package/dist/plugins/aws/ssh.d.ts

@@ -8,6 +8,6 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { SshRequest } from "../../commands/shared";
-import { AwsSsh } from "./types";
-export declare const awsRequestToSsh: (request: AwsSsh) => SshRequest;
+import { SshProvider } from "../../types/ssh";
+import { AwsSshPermissionSpec, AwsSshRequest } from "./types";
+export declare const awsSshProvider: SshProvider<AwsSshPermissionSpec, undefined, AwsSshRequest>;

package/dist/plugins/aws/ssh.js

@@ -1,14 +1,24 @@
 "use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.awsRequestToSsh = void 0;
-const awsRequestToSsh = (request) => {
-    return {
-        id: request.permission.spec.instanceId,
-        accountId: request.permission.spec.accountId,
-        region: request.permission.spec.region,
-        role: request.generated.name,
-        linuxUserName: request.generated.ssh.linuxUserName,
-        type: "aws",
-    };
+exports.awsSshProvider = void 0;
+exports.awsSshProvider = {
+    requestToSsh: (request) => {
+        const { permission, generated } = request;
+        const { instanceId, accountId, region } = permission.spec;
+        const { idc, ssh, name } = generated;
+        const { linuxUserName } = ssh;
+        const common = { linuxUserName, accountId, region, id: instanceId };
+        return !idc
+            ? Object.assign(Object.assign({}, common), { role: name, type: "aws", access: "role" }) : Object.assign(Object.assign({}, common), { idc, permissionSet: name, type: "aws", access: "idc" });
+    },
+    toCliRequest: (request) => __awaiter(void 0, void 0, void 0, function* () { return (Object.assign(Object.assign({}, request), { cliLocalData: undefined })); }),
 };
-exports.awsRequestToSsh = awsRequestToSsh;