@p0security/cli 0.8.1 → 0.8.3

package/dist/commands/__tests__/grant.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/commands/__tests__/grant.test.js

@@ -0,0 +1,55 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const api_1 = require("../../drivers/api");
+const stdio_1 = require("../../drivers/stdio");
+const grant_1 = require("../grant");
+const yargs_1 = __importDefault(require("yargs"));
+jest.mock("../../drivers/api");
+jest.mock("../../drivers/auth");
+jest.mock("../../drivers/stdio");
+const mockFetchCommand = api_1.fetchCommand;
+const mockPrint1 = stdio_1.print1;
+const mockPrint2 = stdio_1.print2;
+describe("grant", () => {
+    beforeEach(() => jest.clearAllMocks());
+    describe("when valid grant command", () => {
+        const command = "grant gcloud role viewer --to someone@test.com --principal-type user";
+        function mockFetch() {
+            mockFetchCommand.mockResolvedValue({
+                ok: true,
+                message: "a message",
+                id: "abcefg",
+                isPreexisting: false,
+                isPersistent: false,
+            });
+        }
+        it(`should print request response`, () => __awaiter(void 0, void 0, void 0, function* () {
+            mockFetch();
+            yield (0, grant_1.grantCommand)((0, yargs_1.default)()).parse(command);
+            expect(mockPrint2.mock.calls).toMatchSnapshot();
+            expect(mockPrint1).not.toHaveBeenCalled();
+        }));
+    });
+});

package/dist/commands/grant.d.ts

@@ -0,0 +1,4 @@
+import yargs from "yargs";
+export declare const grantCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
+    arguments: string[];
+}>;

package/dist/commands/grant.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.grantCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const firestore_1 = require("../drivers/firestore");
+const request_1 = require("./shared/request");
+const grantCommand = (yargs) => yargs.command("grant [arguments..]", "Grant access to another identity", request_1.requestArgs, (0, firestore_1.guard)((0, request_1.request)("grant")));
+exports.grantCommand = grantCommand;

package/dist/commands/index.js

@@ -18,6 +18,7 @@ const stdio_1 = require("../drivers/stdio");
 const version_1 = require("../middlewares/version");
 const allow_1 = require("./allow");
 const aws_1 = require("./aws");
+const grant_1 = require("./grant");
 const login_1 = require("./login");
 const ls_1 = require("./ls");
 const request_1 = require("./request");
@@ -28,6 +29,7 @@ const yargs_1 = __importDefault(require("yargs"));
 const helpers_1 = require("yargs/helpers");
 const commands = [
     aws_1.awsCommand,
+    grant_1.grantCommand,
     login_1.loginCommand,
     ls_1.lsCommand,
     request_1.requestCommand,

package/dist/commands/request.d.ts

@@ -1,12 +1,4 @@
-import { Authn } from "../types/identity";
-import { RequestResponse } from "../types/request";
 import yargs from "yargs";
 export declare const requestCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
     arguments: string[];
 }>;
-export declare const request: <T>(args: yargs.ArgumentsCamelCase<{
-    arguments: string[];
-    wait?: boolean;
-}>, authn?: Authn, options?: {
-    message?: "all" | "approval-required" | "none";
-}) => Promise<RequestResponse<T> | undefined>;

package/dist/commands/request.js

@@ -1,15 +1,6 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.request = exports.requestCommand = void 0;
+exports.requestCommand = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -20,97 +11,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const api_1 = require("../drivers/api");
-const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
-const stdio_1 = require("../drivers/stdio");
-const firestore_2 = require("firebase/firestore");
-const typescript_1 = require("typescript");
-const WAIT_TIMEOUT = 300e3;
-const APPROVED = { message: "Your request was approved", code: 0 };
-const DENIED = { message: "Your request was denied", code: 2 };
-const ERRORED = { message: "Your request encountered an error", code: 1 };
-const COMPLETED_REQUEST_STATUSES = {
-    APPROVED,
-    APPROVED_NOTIFIED: APPROVED,
-    DONE: APPROVED,
-    DONE_NOTIFIED: APPROVED,
-    DENIED,
-    ERRORED,
-};
-const isCompletedStatus = (status) => status in COMPLETED_REQUEST_STATUSES;
-const requestArgs = (yargs) => yargs
-    .parserConfiguration({ "unknown-options-as-args": true })
-    .help(false) // Turn off help in order to forward the --help command to the backend so P0 can provide the available requestable resources
-    .option("wait", {
-    alias: "w",
-    boolean: true,
-    default: false,
-    describe: "Block until the command is completed",
-})
-    .option("arguments", {
-    array: true,
-    string: true,
-    default: [],
-});
-const requestCommand = (yargs) => yargs.command("request [arguments..]", "Manually request permissions on a resource", requestArgs, (0, firestore_1.guard)(exports.request));
+const request_1 = require("./shared/request");
+const requestCommand = (yargs) => yargs.command("request [arguments..]", "Manually request permissions on a resource", request_1.requestArgs, (0, firestore_1.guard)((0, request_1.request)("request")));
 exports.requestCommand = requestCommand;
-const waitForRequest = (tenantId, requestId, logMessage) => __awaiter(void 0, void 0, void 0, function* () {
-    return yield new Promise((resolve) => {
-        if (logMessage)
-            (0, stdio_1.print2)("Will wait up to 5 minutes for this request to complete...");
-        let cancel = undefined;
-        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${tenantId}/permission-requests/${requestId}`), (snap) => {
-            const data = snap.data();
-            if (!data)
-                return;
-            const { status } = data;
-            if (isCompletedStatus(status)) {
-                if (cancel)
-                    clearTimeout(cancel);
-                unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
-                const { message, code } = COMPLETED_REQUEST_STATUSES[status];
-                if (code !== 0 || logMessage)
-                    (0, stdio_1.print2)(message);
-                resolve(code);
-            }
-        });
-        cancel = setTimeout(() => {
-            unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
-            (0, stdio_1.print2)("Your request did not complete within 5 minutes.");
-            resolve(4);
-        }, WAIT_TIMEOUT);
-    });
-});
-const request = (args, authn, options) => __awaiter(void 0, void 0, void 0, function* () {
-    const resolvedAuthn = authn !== null && authn !== void 0 ? authn : (yield (0, auth_1.authenticate)());
-    const { userCredential } = resolvedAuthn;
-    const data = yield (0, api_1.fetchCommand)(resolvedAuthn, args, [
-        "request",
-        ...args.arguments,
-    ]);
-    if (data && "ok" in data && "message" in data && data.ok) {
-        const logMessage = !(options === null || options === void 0 ? void 0 : options.message) ||
-            (options === null || options === void 0 ? void 0 : options.message) === "all" ||
-            ((options === null || options === void 0 ? void 0 : options.message) === "approval-required" &&
-                !data.isPreexisting &&
-                !data.isPersistent);
-        if (logMessage)
-            (0, stdio_1.print2)(data.message);
-        const { id } = data;
-        if (args.wait && id && userCredential.user.tenantId) {
-            const code = yield waitForRequest(userCredential.user.tenantId, id, logMessage);
-            if (code) {
-                typescript_1.sys.exit(code);
-                return undefined;
-            }
-            return data;
-        }
-        else
-            return undefined;
-    }
-    else {
-        throw data;
-    }
-});
-exports.request = request;

package/dist/commands/scp.d.ts

@@ -1,3 +1,3 @@
-import { ScpCommandArgs } from "./shared";
+import { ScpCommandArgs } from "./shared/ssh";
 import yargs from "yargs";
 export declare const scpCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<ScpCommandArgs>;

package/dist/commands/scp.js

@@ -23,7 +23,8 @@ You should have received a copy of the GNU General Public License along with @p0
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
 const ssh_1 = require("../plugins/ssh");
-const shared_1 = require("./shared");
+const ssh_2 = require("../types/ssh");
+const ssh_3 = require("./shared/ssh");
 const scpCommand = (yargs) => yargs.command("scp <source> <destination>", 
 // TODO (ENG-1930): support scp across multiple remote hosts.
 "SCP copies files between a local and remote host.", (yargs) => yargs
@@ -53,7 +54,7 @@ const scpCommand = (yargs) => yargs.command("scp <source> <destination>",
     .option("provider", {
     type: "string",
     describe: "The cloud provider where the instance is hosted",
-    choices: shared_1.SUPPORTED_PROVIDERS,
+    choices: ssh_2.SupportedSshProviders,
 })
     .option("sudo", {
     type: "boolean",
@@ -74,12 +75,12 @@ const scpAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     if (!host) {
         throw "Could not determine host identifier from source or destination";
     }
-    const result = yield (0, shared_1.provisionRequest)(authn, args, host);
+    const result = yield (0, ssh_3.provisionRequest)(authn, args, host);
     if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
     const { request, privateKey } = result;
-    const data = (0, shared_1.requestToSsh)(request);
+    const data = (0, ssh_3.requestToSsh)(request);
     // replace the host with the linuxUserName@instanceId
     const { source, destination } = replaceHostWithInstance(data, args);
     yield (0, ssh_1.sshOrScp)(authn, data, Object.assign(Object.assign({}, args), { source,

package/dist/commands/shared/index.d.ts

@@ -0,0 +1,4 @@
+import { Authn } from "../../types/identity";
+import { Request } from "../../types/request";
+/** Waits until P0 grants access for a request */
+export declare const waitForProvisioning: <P extends import("../../types/ssh").PluginSshRequest>(authn: Authn, requestId: string) => Promise<Request<P>>;

package/dist/commands/shared/index.js

@@ -0,0 +1,67 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.waitForProvisioning = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const firestore_1 = require("../../drivers/firestore");
+const request_1 = require("../../types/request");
+const firestore_2 = require("firebase/firestore");
+/** Maximum amount of time to wait after access is approved to wait for access
+ *  to be configured
+ */
+const GRANT_TIMEOUT_MILLIS = 60e3;
+/** Waits until P0 grants access for a request */
+const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void 0, function* () {
+    let cancel = undefined;
+    const result = yield new Promise((resolve, reject) => {
+        let isResolved = false;
+        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/permission-requests/${requestId}`), (snap) => {
+            const data = snap.data();
+            if (!data)
+                return;
+            if (request_1.DONE_STATUSES.includes(data.status)) {
+                resolve(data);
+            }
+            else if (request_1.DENIED_STATUSES.includes(data.status)) {
+                reject("Your access request was denied");
+            }
+            else if (request_1.ERROR_STATUSES.includes(data.status)) {
+                reject("Your access request encountered an error (see Slack for details)");
+            }
+            else {
+                return;
+            }
+            isResolved = true;
+            unsubscribe();
+        });
+        // Skip timeout in test; it holds a ref longer than the test lasts
+        if (process.env.NODE_ENV === "test")
+            return;
+        cancel = setTimeout(() => {
+            if (!isResolved) {
+                unsubscribe();
+                reject("Timeout awaiting SSH access grant");
+            }
+        }, GRANT_TIMEOUT_MILLIS);
+    });
+    clearTimeout(cancel);
+    return result;
+});
+exports.waitForProvisioning = waitForProvisioning;

package/dist/commands/shared/request.d.ts

@@ -0,0 +1,14 @@
+import { Authn } from "../../types/identity";
+import { RequestResponse } from "../../types/request";
+import yargs from "yargs";
+export declare const requestArgs: <T>(yargs: yargs.Argv<T>) => yargs.Argv<T & {
+    wait: boolean;
+} & {
+    arguments: string[];
+}>;
+export declare const request: (command: "grant" | "request") => <T>(args: yargs.ArgumentsCamelCase<{
+    arguments: string[];
+    wait?: boolean;
+}>, authn?: Authn, options?: {
+    message?: "all" | "approval-required" | "none";
+}) => Promise<RequestResponse<T> | undefined>;

package/dist/commands/shared/request.js

@@ -0,0 +1,115 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.request = exports.requestArgs = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const api_1 = require("../../drivers/api");
+const auth_1 = require("../../drivers/auth");
+const firestore_1 = require("../../drivers/firestore");
+const stdio_1 = require("../../drivers/stdio");
+const firestore_2 = require("firebase/firestore");
+const typescript_1 = require("typescript");
+const WAIT_TIMEOUT = 300e3;
+const APPROVED = { message: "Your request was approved", code: 0 };
+const DENIED = { message: "Your request was denied", code: 2 };
+const ERRORED = { message: "Your request encountered an error", code: 1 };
+const COMPLETED_REQUEST_STATUSES = {
+    APPROVED,
+    APPROVED_NOTIFIED: APPROVED,
+    DONE: APPROVED,
+    DONE_NOTIFIED: APPROVED,
+    DENIED,
+    ERRORED,
+};
+const isCompletedStatus = (status) => status in COMPLETED_REQUEST_STATUSES;
+const requestArgs = (yargs) => yargs
+    .parserConfiguration({ "unknown-options-as-args": true })
+    .help(false) // Turn off help in order to forward the --help command to the backend so P0 can provide the available requestable resources
+    .option("wait", {
+    alias: "w",
+    boolean: true,
+    default: false,
+    describe: "Block until the command is completed",
+})
+    .option("arguments", {
+    array: true,
+    string: true,
+    default: [],
+});
+exports.requestArgs = requestArgs;
+const waitForRequest = (tenantId, requestId, logMessage) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield new Promise((resolve) => {
+        if (logMessage)
+            (0, stdio_1.print2)("Will wait up to 5 minutes for this request to complete...");
+        let cancel = undefined;
+        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${tenantId}/permission-requests/${requestId}`), (snap) => {
+            const data = snap.data();
+            if (!data)
+                return;
+            const { status } = data;
+            if (isCompletedStatus(status)) {
+                if (cancel)
+                    clearTimeout(cancel);
+                unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
+                const { message, code } = COMPLETED_REQUEST_STATUSES[status];
+                if (code !== 0 || logMessage)
+                    (0, stdio_1.print2)(message);
+                resolve(code);
+            }
+        });
+        cancel = setTimeout(() => {
+            unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
+            (0, stdio_1.print2)("Your request did not complete within 5 minutes.");
+            resolve(4);
+        }, WAIT_TIMEOUT);
+    });
+});
+const request = (command) => (args, authn, options) => __awaiter(void 0, void 0, void 0, function* () {
+    const resolvedAuthn = authn !== null && authn !== void 0 ? authn : (yield (0, auth_1.authenticate)());
+    const { userCredential } = resolvedAuthn;
+    const data = yield (0, api_1.fetchCommand)(resolvedAuthn, args, [
+        command,
+        ...args.arguments,
+    ]);
+    if (data && "ok" in data && "message" in data && data.ok) {
+        const logMessage = !(options === null || options === void 0 ? void 0 : options.message) ||
+            (options === null || options === void 0 ? void 0 : options.message) === "all" ||
+            ((options === null || options === void 0 ? void 0 : options.message) === "approval-required" &&
+                !data.isPreexisting &&
+                !data.isPersistent);
+        if (logMessage)
+            (0, stdio_1.print2)(data.message);
+        const { id } = data;
+        if (args.wait && id && userCredential.user.tenantId) {
+            const code = yield waitForRequest(userCredential.user.tenantId, id, logMessage);
+            if (code) {
+                typescript_1.sys.exit(code);
+                return undefined;
+            }
+            return data;
+        }
+        else
+            return undefined;
+    }
+    else {
+        throw data;
+    }
+});
+exports.request = request;

package/dist/commands/{shared.d.ts → shared/ssh.d.ts}

@@ -1,28 +1,12 @@
-import { Authn } from "../types/identity";
-import { CliRequest, Request } from "../types/request";
+import { Authn } from "../../types/identity";
+import { Request } from "../../types/request";
+import { CliSshRequest, SshProvider, SshRequest, SupportedSshProvider } from "../../types/ssh";
 import yargs from "yargs";
-export declare const SUPPORTED_PROVIDERS: string[];
-export declare type SshRequest = AwsSshRequest | GcpSshRequest;
-export declare type AwsSshRequest = {
-    linuxUserName: string;
-    role: string;
-    accountId: string;
-    region: string;
-    id: string;
-    type: "aws";
-};
-export declare type GcpSshRequest = {
-    linuxUserName: string;
-    projectId: string;
-    zone: string;
-    id: string;
-    type: "gcloud";
-};
 export declare type BaseSshCommandArgs = {
     sudo?: boolean;
     reason?: string;
     account?: string;
-    provider?: "aws" | "gcloud";
+    provider?: SupportedSshProvider;
     debug?: boolean;
 };
 export declare type ScpCommandArgs = BaseSshCommandArgs & {
@@ -39,9 +23,15 @@ export declare type SshCommandArgs = BaseSshCommandArgs & {
     arguments: string[];
     command?: string;
 };
+export declare type CommandArgs = ScpCommandArgs | SshCommandArgs;
+export declare const SSH_PROVIDERS: Record<SupportedSshProvider, SshProvider<any, any, any, any>>;
+export declare const isSudoCommand: (args: {
+    sudo?: boolean;
+    command?: string;
+}) => boolean;
 export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<{
-    request: Request<CliRequest>;
+    request: Request<CliSshRequest>;
     publicKey: string;
     privateKey: string;
 } | undefined>;
-export declare const requestToSsh: (request: Request<CliRequest>) => SshRequest;
+export declare const requestToSsh: (request: Request<CliSshRequest>) => SshRequest;