@p0security/cli 0.8.1 → 0.8.2

package/dist/plugins/aws/types.d.ts

@@ -8,7 +8,8 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { CliPermissionSpec, PermissionSpec } from "../../types/request";
+import { PermissionSpec } from "../../types/request";
+import { CliPermissionSpec } from "../../types/ssh";
 import { CommonSshPermissionSpec } from "../ssh/types";
 export declare type AwsCredentials = {
     AWS_ACCESS_KEY_ID: string;
@@ -40,7 +41,7 @@ export declare type AwsFederatedLogin = {
         };
     };
 };
-declare type AwsLogin = AwsFederatedLogin | AwsIamLogin | AwsIdcLogin;
+export declare type AwsLogin = AwsFederatedLogin | AwsIamLogin | AwsIdcLogin;
 export declare type AwsItemConfig = {
     label?: string;
     state: string;
@@ -66,7 +67,30 @@ export declare type AwsSshGenerated = {
     ssh: {
         linuxUserName: string;
     };
+    idc?: {
+        region: string;
+        id: string;
+    };
+};
+export declare type AwsSshPermissionSpec = PermissionSpec<"ssh", AwsSshPermission, AwsSshGenerated>;
+export declare type AwsSsh = CliPermissionSpec<AwsSshPermissionSpec, undefined>;
+export declare type BaseAwsSshRequest = {
+    linuxUserName: string;
+    accountId: string;
+    region: string;
+    id: string;
+    type: "aws";
+};
+export declare type AwsSshRoleRequest = BaseAwsSshRequest & {
+    role: string;
+    access: "role";
+};
+export declare type AwsSshIdcRequest = BaseAwsSshRequest & {
+    permissionSet: string;
+    idc: {
+        id: string;
+        region: string;
+    };
+    access: "idc";
 };
-export declare type AwsPermissionSpec = PermissionSpec<"ssh", AwsSshPermission, AwsSshGenerated>;
-export declare type AwsSsh = CliPermissionSpec<AwsPermissionSpec>;
-export {};
+export declare type AwsSshRequest = AwsSshIdcRequest | AwsSshRoleRequest;

package/dist/plugins/google/ssh.d.ts

@@ -8,6 +8,8 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { SshRequest } from "../../commands/shared";
-import { GcpSsh } from "./types";
-export declare const gcpRequestToSsh: (request: GcpSsh) => SshRequest;
+import { SshProvider } from "../../types/ssh";
+import { GcpSshPermissionSpec, GcpSshRequest } from "./types";
+export declare const gcpSshProvider: SshProvider<GcpSshPermissionSpec, {
+    linuxUserName: string;
+}, GcpSshRequest>;

package/dist/plugins/google/ssh.js

@@ -1,13 +1,29 @@
 "use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.gcpRequestToSsh = void 0;
-const gcpRequestToSsh = (request) => {
-    return {
-        id: request.permission.spec.instanceName,
-        projectId: request.permission.spec.projectId,
-        zone: request.permission.spec.zone,
-        linuxUserName: request.cliLocalData.linuxUserName,
-        type: "gcloud",
-    };
+exports.gcpSshProvider = void 0;
+const ssh_key_1 = require("./ssh-key");
+exports.gcpSshProvider = {
+    requestToSsh: (request) => {
+        return {
+            id: request.permission.spec.instanceName,
+            projectId: request.permission.spec.projectId,
+            zone: request.permission.spec.zone,
+            linuxUserName: request.cliLocalData.linuxUserName,
+            type: "gcloud",
+        };
+    },
+    toCliRequest: (request, options) => __awaiter(void 0, void 0, void 0, function* () {
+        return (Object.assign(Object.assign({}, request), { cliLocalData: {
+                linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
+            } }));
+    }),
 };
-exports.gcpRequestToSsh = gcpRequestToSsh;

package/dist/plugins/google/types.d.ts

@@ -8,7 +8,8 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { CliPermissionSpec, PermissionSpec } from "../../types/request";
+import { PermissionSpec } from "../../types/request";
+import { CliPermissionSpec } from "../../types/ssh";
 import { CommonSshPermissionSpec } from "../ssh/types";
 export declare type GcpSshPermission = {
     spec: CommonSshPermissionSpec & {
@@ -19,10 +20,17 @@ export declare type GcpSshPermission = {
     };
     type: "session";
 };
-export declare type GcpPermissionSpec = PermissionSpec<"ssh", GcpSshPermission>;
-export declare type GcpSsh = CliPermissionSpec<GcpPermissionSpec, {
+export declare type GcpSshPermissionSpec = PermissionSpec<"ssh", GcpSshPermission>;
+export declare type GcpSsh = CliPermissionSpec<GcpSshPermissionSpec, {
     linuxUserName: string;
 }>;
+export declare type GcpSshRequest = {
+    linuxUserName: string;
+    projectId: string;
+    zone: string;
+    id: string;
+    type: "gcloud";
+};
 declare type PosixAccount = {
     username: string;
     uid: string;

package/dist/plugins/login.d.ts

@@ -10,4 +10,7 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 import { TokenResponse } from "../types/oidc";
 import { OrgData } from "../types/org";
+declare const loginPlugins: readonly ["google", "okta", "ping", "oidc-pkce", "microsoft", "azure-oidc", "google-oidc", "aws-oidc"];
+export declare type LoginPluginType = (typeof loginPlugins)[number];
 export declare const pluginLoginMap: Record<string, (org: OrgData) => Promise<TokenResponse>>;
+export {};

package/dist/plugins/login.js

@@ -13,6 +13,16 @@ exports.pluginLoginMap = void 0;
 const login_1 = require("./google/login");
 const login_2 = require("./okta/login");
 const login_3 = require("./ping/login");
+const loginPlugins = [
+    "google",
+    "okta",
+    "ping",
+    "oidc-pkce",
+    "microsoft",
+    "azure-oidc",
+    "google-oidc",
+    "aws-oidc",
+];
 exports.pluginLoginMap = {
     google: login_1.googleLogin,
     okta: login_2.oktaLogin,

package/dist/plugins/oidc/login.d.ts

@@ -1,5 +1,36 @@
-import { TokenResponse } from "../../types/oidc";
+import { AuthorizeResponse, OidcLoginSteps } from "../../types/oidc";
 import { OrgData } from "../../types/org";
+export declare const DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
 export declare const validateProviderDomain: (org: OrgData) => void;
+/** Executes the first step of a device-authorization grant flow */
+export declare const authorize: <T>(request: {
+    url: string;
+    init: RequestInit;
+}, validateResponse: (response: Response) => Promise<Response>) => Promise<T>;
+/** Attempts to fetch this device's OIDC token
+ *
+ * The authorization may or may not be granted at this stage. If it is not, the
+ * authorization server will return "authorization_pending", in which case this
+ * function will return undefined.
+ */
+export declare const fetchOidcToken: <T>(request: {
+    url: string;
+    init: RequestInit;
+}) => Promise<T | undefined>;
+/** Waits until user device authorization is complete
+ *
+ * Returns the OIDC token after completion.
+ */
+export declare const waitForActivation: <A, T>(authorize: A, extractExpiryInterval: (authorize: A) => {
+    expires_in: number;
+    interval: number;
+}, tokenRequest: {
+    url: string;
+    init: RequestInit;
+}) => Promise<NonNullable<Awaited<T>>>;
+export declare const oidcLoginSteps: (org: OrgData, scope: string, urls: () => {
+    deviceAuthorizationUrl: string;
+    tokenUrl: string;
+}) => OidcLoginSteps<AuthorizeResponse>;
 /** Logs in to an Identity Provider via OIDC */
-export declare const oidcLogin: (org: OrgData, scope: string) => Promise<TokenResponse>;
+export declare const oidcLogin: <A, T>(steps: OidcLoginSteps<A>) => Promise<NonNullable<Awaited<T>>>;

package/dist/plugins/oidc/login.js

@@ -12,7 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.oidcLogin = exports.validateProviderDomain = void 0;
+exports.oidcLogin = exports.oidcLoginSteps = exports.waitForActivation = exports.fetchOidcToken = exports.authorize = exports.validateProviderDomain = exports.DEVICE_GRANT_TYPE = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -27,107 +27,147 @@ const oidc_1 = require("../../common/auth/oidc");
 const fetch_1 = require("../../common/fetch");
 const stdio_1 = require("../../drivers/stdio");
 const util_1 = require("../../util");
-const lodash_1 = require("lodash");
 const open_1 = __importDefault(require("open"));
-const DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+exports.DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
 const validateProviderDomain = (org) => {
     if (!org.providerDomain)
         throw "Login requires a configured provider domain.";
 };
 exports.validateProviderDomain = validateProviderDomain;
+const oidcProviderLabels = (providerType) => {
+    switch (providerType) {
+        case "okta":
+            return "Okta";
+        case "ping":
+            return "PingOne";
+        case "google":
+        case "google-oidc":
+            return "Google";
+        case "oidc-pkce":
+            return "OIDC";
+        case "aws-oidc":
+            return "AWS";
+        case "azure-oidc":
+        case "microsoft":
+            return "Entra ID";
+        default:
+            (0, util_1.throwAssertNever)(providerType);
+    }
+    throw "Invalid provider type";
+};
 /** Executes the first step of a device-authorization grant flow */
 // cf. https://developer.okta.com/docs/guides/device-authorization-grant/main/
-const authorize = (org, scope) => __awaiter(void 0, void 0, void 0, function* () {
-    if (org.providerType === undefined) {
-        throw "Login requires a configured provider type.";
-    }
-    const init = {
-        method: "POST",
-        headers: oidc_1.OIDC_HEADERS,
-        body: (0, fetch_1.urlEncode)({
-            client_id: org.clientId,
-            scope,
-        }),
-    };
-    (0, exports.validateProviderDomain)(org);
-    // This is the "org" authorization server; the okta.apps.* scopes are not
-    // available with custom authorization servers
-    const url = org.providerType === "okta"
-        ? `https:${org.providerDomain}/oauth2/v1/device/authorize`
-        : org.providerType === "ping"
-            ? `https://${org.providerDomain}/${org.environmentId}/as/device_authorization`
-            : (0, util_1.throwAssertNever)(org.providerType);
+const authorize = (request, validateResponse) => __awaiter(void 0, void 0, void 0, function* () {
+    const { url, init } = request;
     const response = yield fetch(url, init);
-    yield (0, fetch_1.validateResponse)(response);
+    yield validateResponse(response);
     return (yield response.json());
 });
+exports.authorize = authorize;
 /** Attempts to fetch this device's OIDC token
  *
  * The authorization may or may not be granted at this stage. If it is not, the
  * authorization server will return "authorization_pending", in which case this
  * function will return undefined.
  */
-const fetchOidcToken = (org, authorize) => __awaiter(void 0, void 0, void 0, function* () {
-    if (org.providerType === undefined) {
-        throw "Login requires a configured provider type.";
-    }
-    const init = {
-        method: "POST",
-        headers: oidc_1.OIDC_HEADERS,
-        body: (0, fetch_1.urlEncode)({
-            client_id: org.clientId,
-            device_code: authorize.device_code,
-            grant_type: DEVICE_GRANT_TYPE,
-        }),
-    };
-    (0, exports.validateProviderDomain)(org);
-    const url = org.providerType === "okta"
-        ? `https:${org.providerDomain}/oauth2/v1/token`
-        : org.providerType === "ping"
-            ? `https://${org.providerDomain}/${org.environmentId}/as/token`
-            : (0, util_1.throwAssertNever)(org.providerType);
+const fetchOidcToken = (request) => __awaiter(void 0, void 0, void 0, function* () {
+    const { url, init } = request;
     const response = yield fetch(url, init);
     if (!response.ok) {
         if (response.status === 400) {
             const data = yield response.json();
             if (data.error === "authorization_pending")
                 return undefined;
+            if (data.error === "access_denied")
+                throw "Access denied, try again";
         }
         yield (0, fetch_1.validateResponse)(response);
     }
     return (yield response.json());
 });
+exports.fetchOidcToken = fetchOidcToken;
 /** Waits until user device authorization is complete
  *
  * Returns the OIDC token after completion.
  */
-const waitForActivation = (org, authorize) => __awaiter(void 0, void 0, void 0, function* () {
+const waitForActivation = (authorize, extractExpiryInterval, // Aws implementation differs from standard OIDC response, need function to extract expiry
+tokenRequest) => __awaiter(void 0, void 0, void 0, function* () {
     const start = Date.now();
-    while (Date.now() - start <= authorize.expires_in * 1e3) {
-        const response = yield fetchOidcToken(org, authorize);
+    const { expires_in, interval } = extractExpiryInterval(authorize);
+    while (Date.now() - start <= expires_in * 1e3) {
+        const response = yield (0, exports.fetchOidcToken)(tokenRequest);
         if (!response)
-            yield (0, util_1.sleep)(authorize.interval * 1e3);
+            yield (0, util_1.sleep)(interval * 1e3);
         else
             return response;
     }
     throw "Expired awaiting in-browser authorization.";
 });
-/** Logs in to an Identity Provider via OIDC */
-const oidcLogin = (org, scope) => __awaiter(void 0, void 0, void 0, function* () {
+exports.waitForActivation = waitForActivation;
+const oidcLoginSteps = (org, scope, urls) => {
+    const { deviceAuthorizationUrl, tokenUrl } = urls();
     if (org.providerType === undefined) {
-        throw "Login requires a configured provider type.";
+        throw "Your organization's login configuration does not support this access. Your P0 admin will need to install a supported OIDC provider in order for you to use this command.";
     }
-    const authorizeResponse = yield authorize(org, scope);
+    const buildOidcAuthorizeRequest = () => {
+        (0, exports.validateProviderDomain)(org);
+        return {
+            init: {
+                method: "POST",
+                headers: oidc_1.OIDC_HEADERS,
+                body: (0, fetch_1.urlEncode)({
+                    client_id: org.clientId,
+                    scope,
+                }),
+            },
+            url: deviceAuthorizationUrl,
+        };
+    };
+    const buildOidcTokenRequest = (authorize) => {
+        (0, exports.validateProviderDomain)(org);
+        return {
+            url: tokenUrl,
+            init: {
+                method: "POST",
+                headers: oidc_1.OIDC_HEADERS,
+                body: (0, fetch_1.urlEncode)({
+                    client_id: org.clientId,
+                    device_code: authorize.device_code,
+                    grant_type: exports.DEVICE_GRANT_TYPE,
+                }),
+            },
+        };
+    };
+    return {
+        providerType: org.providerType,
+        validateResponse: fetch_1.validateResponse,
+        buildAuthorizeRequest: buildOidcAuthorizeRequest,
+        buildTokenRequest: buildOidcTokenRequest,
+        processAuthzExpiry: (authorize) => ({
+            expires_in: authorize.expires_in,
+            interval: authorize.interval,
+        }),
+        processAuthzResponse: (authorize) => ({
+            user_code: authorize.user_code,
+            verification_uri_complete: authorize.verification_uri_complete,
+        }),
+    };
+};
+exports.oidcLoginSteps = oidcLoginSteps;
+/** Logs in to an Identity Provider via OIDC */
+const oidcLogin = (steps) => __awaiter(void 0, void 0, void 0, function* () {
+    const { providerType, buildAuthorizeRequest, buildTokenRequest, processAuthzExpiry, processAuthzResponse, validateResponse, } = steps;
+    const deviceAuthorizationResponse = yield (0, exports.authorize)(buildAuthorizeRequest(), validateResponse);
+    const { user_code, verification_uri_complete } = processAuthzResponse(deviceAuthorizationResponse);
     (0, stdio_1.print2)(`Please use the opened browser window to continue your P0 login.
-  
-When prompted, confirm that ${(0, lodash_1.capitalize)(org.providerType)} displays this code:
-
-  ${authorizeResponse.user_code}
 
-Waiting for authorization...
-`);
-    void (0, open_1.default)(authorizeResponse.verification_uri_complete);
-    const oidcResponse = yield waitForActivation(org, authorizeResponse);
-    return oidcResponse;
+    When prompted, confirm that ${oidcProviderLabels(providerType)} displays this code:
+    
+      ${user_code}
+    
+    Waiting for authorization...
+    `);
+    void (0, open_1.default)(verification_uri_complete);
+    return yield (0, exports.waitForActivation)(deviceAuthorizationResponse, processAuthzExpiry, buildTokenRequest(deviceAuthorizationResponse));
 });
 exports.oidcLogin = oidcLogin;

package/dist/plugins/okta/aws.d.ts

@@ -1,5 +1,5 @@
 import { Authn } from "../../types/identity";
 export declare const assumeRoleWithOktaSaml: (authn: Authn, args: {
-    account?: string;
+    accountId?: string;
     role: string;
 }) => Promise<import("../aws/types").AwsCredentials>;

package/dist/plugins/okta/aws.js

@@ -24,8 +24,8 @@ const role_1 = require("../../commands/aws/role");
 const auth_1 = require("../../drivers/auth");
 const assumeRole_1 = require("../aws/assumeRole");
 const assumeRoleWithOktaSaml = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
-    return yield (0, auth_1.cached)(`aws-okta-${args.account}-${args.role}`, () => __awaiter(void 0, void 0, void 0, function* () {
-        const { account, config, samlResponse } = yield (0, role_1.initOktaSaml)(authn, args.account);
+    return yield (0, auth_1.cached)(`aws-okta-${args.accountId}-${args.role}`, () => __awaiter(void 0, void 0, void 0, function* () {
+        const { account, config, samlResponse } = yield (0, role_1.initOktaSaml)(authn, args.accountId);
         const { roles } = (0, role_1.rolesFromSaml)(account, samlResponse);
         if (!roles.includes(args.role))
             throw `Role not available. Available roles:\n${roles.map((r) => `  ${r}`).join("\n")}`;

package/dist/plugins/okta/login.js

@@ -66,7 +66,17 @@ const fetchSamlResponse = (org, { access_token }) => __awaiter(void 0, void 0, v
     return samlInput === null || samlInput === void 0 ? void 0 : samlInput.value;
 });
 /** Logs in to Okta via OIDC */
-const oktaLogin = (org) => __awaiter(void 0, void 0, void 0, function* () { return (0, login_1.oidcLogin)(org, "openid email profile okta.apps.sso"); });
+const oktaLogin = (org) => __awaiter(void 0, void 0, void 0, function* () {
+    return (0, login_1.oidcLogin)((0, login_1.oidcLoginSteps)(org, "openid email profile okta.apps.sso", () => {
+        if (org.providerType !== "okta") {
+            throw `Invalid provider type ${org.providerType} (expected "okta")`;
+        }
+        return {
+            deviceAuthorizationUrl: `https://${org.providerDomain}/oauth2/v1/device/authorize`,
+            tokenUrl: `https://${org.providerDomain}/oauth2/v1/token`,
+        };
+    }));
+});
 exports.oktaLogin = oktaLogin;
 /** Retrieves a SAML response for an okta app */
 // TODO: Inject Okta app

package/dist/plugins/ping/login.d.ts

@@ -8,6 +8,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+import { TokenResponse } from "../../types/oidc";
 import { OrgData } from "../../types/org";
 /** Logs in to PingOne via OIDC */
-export declare const pingLogin: (org: OrgData) => Promise<import("../../types/oidc").TokenResponse>;
+export declare const pingLogin: (org: OrgData) => Promise<TokenResponse>;

package/dist/plugins/ping/login.js

@@ -12,5 +12,15 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.pingLogin = void 0;
 const login_1 = require("../oidc/login");
 /** Logs in to PingOne via OIDC */
-const pingLogin = (org) => __awaiter(void 0, void 0, void 0, function* () { return (0, login_1.oidcLogin)(org, "openid email profile"); });
+const pingLogin = (org) => __awaiter(void 0, void 0, void 0, function* () {
+    return (0, login_1.oidcLogin)((0, login_1.oidcLoginSteps)(org, "openid email profile", () => {
+        if (org.providerType !== "ping" || org.providerType === undefined) {
+            throw `Invalid provider type ${org.providerType} (expected "ping")`;
+        }
+        return {
+            deviceAuthorizationUrl: `https://${org.providerDomain}/${org.environmentId}/as/device_authorization`,
+            tokenUrl: `https://${org.providerDomain}/${org.environmentId}/as/token`,
+        };
+    }));
+});
 exports.pingLogin = pingLogin;

package/dist/plugins/ssh/index.d.ts

@@ -8,6 +8,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { ScpCommandArgs, SshCommandArgs, SshRequest } from "../../commands/shared";
+import { ScpCommandArgs, SshCommandArgs } from "../../commands/shared/ssh";
 import { Authn } from "../../types/identity";
+import { SshRequest } from "../../types/ssh";
 export declare const sshOrScp: (authn: Authn, data: SshRequest, cmdArgs: ScpCommandArgs | SshCommandArgs, privateKey: string) => Promise<number | null>;

package/dist/plugins/ssh/index.js

@@ -13,6 +13,8 @@ exports.sshOrScp = void 0;
 const keys_1 = require("../../common/keys");
 const stdio_1 = require("../../drivers/stdio");
 const util_1 = require("../../util");
+const config_1 = require("../aws/config");
+const idc_1 = require("../aws/idc");
 const install_1 = require("../aws/ssm/install");
 const aws_1 = require("../okta/aws");
 const ssh_agent_1 = require("../ssh-agent");
@@ -256,13 +258,19 @@ const transformForShell = (args) => {
     });
 };
 const awsLogin = (authn, data) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a, _b, _c, _d;
     if (!(yield (0, install_1.ensureSsmInstall)())) {
         throw "Please try again after installing the required AWS utilities";
     }
-    return yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
-        account: data.accountId,
-        role: data.role,
-    });
+    const { config } = yield (0, config_1.getAwsConfig)(authn, data.accountId);
+    if (!((_a = config.login) === null || _a === void 0 ? void 0 : _a.type) || ((_b = config.login) === null || _b === void 0 ? void 0 : _b.type) === "iam") {
+        throw "This account is not configured for SSH access via the P0 CLI";
+    }
+    return ((_c = config.login) === null || _c === void 0 ? void 0 : _c.type) === "idc"
+        ? yield (0, idc_1.assumeRoleWithIdc)(data)
+        : ((_d = config.login) === null || _d === void 0 ? void 0 : _d.type) === "federated"
+            ? yield (0, aws_1.assumeRoleWithOktaSaml)(authn, data)
+            : (0, util_1.throwAssertNever)(config.login);
 });
 const sshOrScp = (authn, data, cmdArgs, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
     if (!privateKey) {
@@ -277,7 +285,8 @@ const sshOrScp = (authn, data, cmdArgs, privateKey) => __awaiter(void 0, void 0,
                 `eval $(ssh-agent)`,
                 `ssh-add "${keys_1.PRIVATE_KEY_PATH}"`,
                 // TODO ENG-2284 support login with Google Cloud
-                ...(data.type === "aws"
+                // TODO: Modify commands to add the ability to get permission set commands
+                ...(data.type === "aws" && data.access !== "idc"
                     ? [
                         `eval $(p0 aws role assume ${data.role} --account ${data.accountId})`,
                     ]

package/dist/types/aws/oidc.d.ts

@@ -0,0 +1,36 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare type AWSClientInformation = {
+    authorizationEndpoint: string;
+    clientId: string;
+    clientIdIssuedAt: number;
+    clientSecret: string;
+    clientSecretExpiresAt: number;
+    tokenEndpoint: string;
+};
+/**
+ * AWS OIDC token response uses camelCase instead of snake_case
+ */
+export declare type AWSTokenResponse = {
+    accessToken: string;
+    expiresIn: number;
+    idToken: string;
+    refreshToken: string;
+    tokenType: string;
+};
+export declare type AWSAuthorizeResponse = {
+    deviceCode: string;
+    expiresIn: number;
+    interval: number;
+    userCode: string;
+    verificationUri: string;
+    verificationUriComplete: string;
+};

package/dist/types/aws/oidc.js

@@ -0,0 +1,12 @@
+"use strict";
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/oidc.d.ts

@@ -1,3 +1,4 @@
+import { LoginPluginType } from "../plugins/login";
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -39,3 +40,23 @@ export declare type TokenResponse = {
 export declare type TokenErrorResponse = {
     error: "access_denied" | "authorization_pending" | "bad grant type" | "expired_token" | "missing parameter" | "not found" | "slow_down";
 };
+export declare type OidcLoginSteps<A> = {
+    providerType: LoginPluginType;
+    validateResponse: (response: Response) => Promise<Response>;
+    buildAuthorizeRequest: () => {
+        url: string;
+        init: RequestInit;
+    };
+    buildTokenRequest: (authorize: A) => {
+        url: string;
+        init: RequestInit;
+    };
+    processAuthzResponse: (authorize: A) => {
+        user_code: string;
+        verification_uri_complete: string;
+    };
+    processAuthzExpiry: (authorize: A) => {
+        expires_in: number;
+        interval: number;
+    };
+};

package/dist/types/request.d.ts

@@ -8,16 +8,10 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { AwsPermissionSpec, AwsSsh } from "../plugins/aws/types";
-import { GcpPermissionSpec, GcpSsh } from "../plugins/google/types";
+import { PluginSshRequest } from "./ssh";
 export declare const DONE_STATUSES: readonly ["DONE", "DONE_NOTIFIED"];
 export declare const DENIED_STATUSES: readonly ["DENIED", "DENIED_NOTIFIED"];
 export declare const ERROR_STATUSES: readonly ["ERRORED", "ERRORED", "ERRORED_NOTIFIED"];
-export declare type CliRequest = AwsSsh | GcpSsh;
-export declare type PluginRequest = AwsPermissionSpec | GcpPermissionSpec;
-export declare type CliPermissionSpec<P extends PluginRequest, C extends object | undefined = undefined> = P & {
-    cliLocalData: C;
-};
 export declare type PermissionSpec<K extends string, P extends {
     type: string;
 }, G extends object | undefined = undefined> = {
@@ -25,6 +19,7 @@ export declare type PermissionSpec<K extends string, P extends {
     permission: P;
     generated: G;
 };
+export declare type PluginRequest = PluginSshRequest;
 export declare type Request<P extends PluginRequest> = P & {
     status: string;
     principal: string;