@p0security/cli 0.8.1 → 0.8.3

package/dist/commands/{shared.js → shared/ssh.js}

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.requestToSsh = exports.provisionRequest = exports.SUPPORTED_PROVIDERS = void 0;
+exports.requestToSsh = exports.provisionRequest = exports.isSudoCommand = exports.SSH_PROVIDERS = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -20,93 +20,49 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const keys_1 = require("../common/keys");
-const firestore_1 = require("../drivers/firestore");
-const stdio_1 = require("../drivers/stdio");
-const ssh_1 = require("../plugins/aws/ssh");
-const ssh_2 = require("../plugins/google/ssh");
-const ssh_key_1 = require("../plugins/google/ssh-key");
-const request_1 = require("../types/request");
-const util_1 = require("../util");
-const request_2 = require("./request");
+const _1 = require(".");
+const keys_1 = require("../../common/keys");
+const firestore_1 = require("../../drivers/firestore");
+const stdio_1 = require("../../drivers/stdio");
+const ssh_1 = require("../../plugins/aws/ssh");
+const ssh_2 = require("../../plugins/google/ssh");
+const ssh_3 = require("../../types/ssh");
+const request_1 = require("./request");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
-/** Maximum amount of time to wait after access is approved to wait for access
- *  to be configured
- */
-const GRANT_TIMEOUT_MILLIS = 60e3;
-// The prefix of installed SSH accounts in P0 is the provider name
-exports.SUPPORTED_PROVIDERS = ["aws", "gcloud"];
+exports.SSH_PROVIDERS = {
+    aws: ssh_1.awsSshProvider,
+    gcloud: ssh_2.gcpSshProvider,
+};
 const validateSshInstall = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
     var _a;
     const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/ssh`));
     const configItems = (_a = configDoc.data()) === null || _a === void 0 ? void 0 : _a["iam-write"];
     const providersToCheck = args.provider
         ? [args.provider]
-        : exports.SUPPORTED_PROVIDERS;
+        : ssh_3.SupportedSshProviders;
     const items = Object.entries(configItems !== null && configItems !== void 0 ? configItems : {}).filter(([key, value]) => value.state == "installed" &&
         providersToCheck.some((prefix) => key.startsWith(prefix)));
     if (items.length === 0) {
         throw "This organization is not configured for SSH access via the P0 CLI";
     }
 });
-/** Waits until P0 grants access for a request */
-const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void 0, function* () {
-    let cancel = undefined;
-    const result = yield new Promise((resolve, reject) => {
-        let isResolved = false;
-        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/permission-requests/${requestId}`), (snap) => {
-            const data = snap.data();
-            if (!data)
-                return;
-            if (request_1.DONE_STATUSES.includes(data.status)) {
-                resolve(data);
-            }
-            else if (request_1.DENIED_STATUSES.includes(data.status)) {
-                reject("Your access request was denied");
-            }
-            else if (request_1.ERROR_STATUSES.includes(data.status)) {
-                reject("Your access request encountered an error (see Slack for details)");
-            }
-            else {
-                return;
-            }
-            isResolved = true;
-            unsubscribe();
-        });
-        // Skip timeout in test; it holds a ref longer than the test lasts
-        if (process.env.NODE_ENV === "test")
-            return;
-        cancel = setTimeout(() => {
-            if (!isResolved) {
-                unsubscribe();
-                reject("Timeout awaiting SSH access grant");
-            }
-        }, GRANT_TIMEOUT_MILLIS);
-    });
-    clearTimeout(cancel);
-    return result;
-});
 const pluginToCliRequest = (request, options) => __awaiter(void 0, void 0, void 0, function* () {
-    return request.permission.spec.type === "gcloud"
-        ? Object.assign(Object.assign({}, request), { cliLocalData: {
-                linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
-            } })
-        : request.permission.spec.type === "aws"
-            ? request
-            : (0, util_1.throwAssertNever)(request.permission.spec);
+    return yield exports.SSH_PROVIDERS[request.permission.spec.type].toCliRequest(request, options);
 });
+const isSudoCommand = (args) => args.sudo || args.command === "sudo";
+exports.isSudoCommand = isSudoCommand;
 const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0, void 0, function* () {
     yield validateSshInstall(authn, args);
     const { publicKey, privateKey } = yield (0, keys_1.createKeyPair)();
-    const response = yield (0, request_2.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
+    const response = yield (0, request_1.request)("request")(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
             "ssh",
             "session",
             destination,
             "--public-key",
             publicKey,
             ...(args.provider ? ["--provider", args.provider] : []),
-            ...(args.sudo || args.command === "sudo" ? ["--sudo"] : []),
+            ...((0, exports.isSudoCommand)(args) ? ["--sudo"] : []),
             ...(args.reason ? ["--reason", args.reason] : []),
             ...(args.account ? ["--account", args.account] : []),
         ], wait: true }), authn, { message: "approval-required" });
@@ -117,7 +73,7 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     const { id, isPreexisting } = response;
     if (!isPreexisting)
         (0, stdio_1.print2)("Waiting for access to be provisioned");
-    const provisionedRequest = yield waitForProvisioning(authn, id);
+    const provisionedRequest = yield (0, _1.waitForProvisioning)(authn, id);
     if (provisionedRequest.permission.spec.publicKey !== publicKey) {
         throw "Public key mismatch. Please revoke the request and try again.";
     }
@@ -127,15 +83,5 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     return { request: cliRequest, publicKey, privateKey };
 });
 exports.provisionRequest = provisionRequest;
-const requestToSsh = (request) => {
-    if (request.permission.spec.type === "aws") {
-        return (0, ssh_1.awsRequestToSsh)(request);
-    }
-    else if (request.permission.spec.type === "gcloud") {
-        return (0, ssh_2.gcpRequestToSsh)(request);
-    }
-    else {
-        throw (0, util_1.assertNever)(request.permission.spec);
-    }
-};
+const requestToSsh = (request) => exports.SSH_PROVIDERS[request.permission.spec.type].requestToSsh(request);
 exports.requestToSsh = requestToSsh;

package/dist/commands/ssh.d.ts

@@ -1,3 +1,3 @@
-import { SshCommandArgs } from "./shared";
+import { SshCommandArgs } from "./shared/ssh";
 import yargs from "yargs";
 export declare const sshCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<SshCommandArgs>;

package/dist/commands/ssh.js

@@ -23,7 +23,7 @@ You should have received a copy of the GNU General Public License along with @p0
 const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
 const ssh_1 = require("../plugins/ssh");
-const shared_1 = require("./shared");
+const ssh_2 = require("./shared/ssh");
 const sshCommand = (yargs) => yargs.command("ssh <destination> [command [arguments..]]", "SSH into a virtual machine", (yargs) => yargs
     .positional("destination", {
     type: "string",
@@ -86,10 +86,10 @@ const sshAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     // Prefix is required because the backend uses it to determine that this is an AWS request
     const authn = yield (0, auth_1.authenticate)();
     const destination = args.destination;
-    const result = yield (0, shared_1.provisionRequest)(authn, args, destination);
+    const result = yield (0, ssh_2.provisionRequest)(authn, args, destination);
     if (!result) {
         throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
     }
     const { request, privateKey } = result;
-    yield (0, ssh_1.sshOrScp)(authn, (0, shared_1.requestToSsh)(request), Object.assign(Object.assign({}, args), { destination }), privateKey);
+    yield (0, ssh_1.sshOrScp)(authn, (0, ssh_2.requestToSsh)(request), Object.assign(Object.assign({}, args), { destination }), privateKey);
 });

package/dist/common/retry.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Retries an operation with a delay between retries
+ * @param operation operation to retry
+ * @param shouldRetry predicate to evaluate on error; will retry only if this is true
+ * @param retries number of retries
+ * @param delay time to wait before retrying
+ * @returns
+ */
+export declare function retryWithSleep<T>(operation: () => Promise<T>, shouldRetry: (error: unknown) => boolean, retries?: number, delayMs?: number): Promise<T>;

package/dist/common/retry.js

@@ -0,0 +1,50 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.retryWithSleep = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const util_1 = require("../util");
+const MAX_RETRIES = 3;
+const MAX_RETRY_BACK_OFF_TIME = 10000;
+/**
+ * Retries an operation with a delay between retries
+ * @param operation operation to retry
+ * @param shouldRetry predicate to evaluate on error; will retry only if this is true
+ * @param retries number of retries
+ * @param delay time to wait before retrying
+ * @returns
+ */
+function retryWithSleep(operation, shouldRetry, retries = MAX_RETRIES, delayMs = MAX_RETRY_BACK_OFF_TIME) {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            return yield operation();
+        }
+        catch (error) {
+            if (shouldRetry(error)) {
+                if (retries > 0) {
+                    yield (0, util_1.sleep)(delayMs);
+                    return yield retryWithSleep(operation, shouldRetry, retries - 1);
+                }
+            }
+            throw error;
+        }
+    });
+}
+exports.retryWithSleep = retryWithSleep;

package/dist/drivers/auth.d.ts

@@ -2,7 +2,7 @@ import { Authn, Identity } from "../types/identity";
 export declare const IDENTITY_FILE_PATH: string;
 export declare const cached: <T>(name: string, loader: () => Promise<T>, options: {
     duration: number;
-}) => Promise<T>;
+}, hasExpired?: ((data: T) => boolean) | undefined) => Promise<T>;
 export declare const loadCredentials: (options?: {
     noRefresh?: boolean;
 }) => Promise<Identity>;

package/dist/drivers/auth.js

@@ -51,7 +51,7 @@ const auth_1 = require("firebase/auth");
 const fs = __importStar(require("fs/promises"));
 const path = __importStar(require("path"));
 exports.IDENTITY_FILE_PATH = path.join(util_1.P0_PATH, "identity.json");
-const cached = (name, loader, options) => __awaiter(void 0, void 0, void 0, function* () {
+const cached = (name, loader, options, hasExpired) => __awaiter(void 0, void 0, void 0, function* () {
     var _a;
     const cachePath = path.join(path.dirname(exports.IDENTITY_FILE_PATH), "cache");
     // Following lines sanitize input
@@ -74,8 +74,12 @@ const cached = (name, loader, options) => __awaiter(void 0, void 0, void 0, func
             yield fs.rm(loc);
             return yield loadCache();
         }
-        const data = yield fs.readFile(loc);
-        return JSON.parse(data.toString("utf-8"));
+        const data = JSON.parse((yield fs.readFile(loc)).toString("utf-8"));
+        if (hasExpired === null || hasExpired === void 0 ? void 0 : hasExpired(data)) {
+            yield fs.rm(loc);
+            return yield loadCache();
+        }
+        return data;
     }
     catch (error) {
         if ((error === null || error === void 0 ? void 0 : error.code) !== "ENOENT")

package/dist/plugins/aws/config.d.ts

@@ -4,7 +4,7 @@ export declare const getAwsConfig: (authn: Authn, account: string | undefined) =
     config: {
         label?: string | undefined;
         state: string;
-        login?: (import("./types").AwsIamLogin | import("./types").AwsIdcLogin | import("./types").AwsFederatedLogin) | undefined;
+        login?: import("./types").AwsLogin | undefined;
         id: string;
     };
 }>;

package/dist/plugins/aws/idc/index.d.ts

@@ -0,0 +1,16 @@
+import { AWSClientInformation } from "../../../types/aws/oidc";
+import { AwsCredentials } from "../types";
+export declare const registerClient: (region: string) => Promise<AWSClientInformation>;
+/**
+ * Returns AWS credentials for the specified account and permission set for the authorized user
+ * @param args accountId, permissionSet and idc to assume role associated with the permission set
+ * @returns
+ */
+export declare const assumeRoleWithIdc: (args: {
+    accountId?: string;
+    permissionSet: string;
+    idc: {
+        id: string;
+        region: string;
+    };
+}) => Promise<AwsCredentials>;

package/dist/plugins/aws/idc/index.js

@@ -0,0 +1,150 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assumeRoleWithIdc = exports.registerClient = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const fetch_1 = require("../../../common/fetch");
+const retry_1 = require("../../../common/retry");
+const auth_1 = require("../../../drivers/auth");
+const login_1 = require("../../oidc/login");
+const HOURS = 60 * 60 * 1000;
+const DAYS = 24 * HOURS;
+const AWS_TOKEN_EXPIRY = 1 * HOURS;
+const AWS_CLIENT_TOKEN_EXPIRY = 90 * DAYS; // the token has lifetime of 90 days
+const AWS_SSO_SCOPES = ["sso:account:access"];
+const registerClient = (region) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield (0, auth_1.cached)("aws-idc-client", () => __awaiter(void 0, void 0, void 0, function* () {
+        const init = {
+            method: "POST",
+            body: JSON.stringify({
+                clientName: "p0Cli",
+                clientType: "public",
+                grantTypes: [login_1.DEVICE_GRANT_TYPE],
+                scopes: AWS_SSO_SCOPES,
+            }),
+        };
+        const response = yield fetch(`https://oidc.${region}.amazonaws.com/client/register`, init);
+        return yield response.json();
+    }), { duration: AWS_CLIENT_TOKEN_EXPIRY }, (data) => data.clientSecretExpiresAt
+        ? data.clientSecretExpiresAt < Date.now()
+        : true);
+});
+exports.registerClient = registerClient;
+const awsIdcHelpers = (clientCredentials, idc) => {
+    const { clientId, clientSecret } = clientCredentials;
+    const { id, region } = idc;
+    const buildOidcAuthorizeRequest = () => ({
+        init: {
+            method: "POST",
+            body: JSON.stringify({
+                clientId,
+                clientSecret,
+                startUrl: `https://${id}.awsapps.com/start`,
+            }),
+        },
+        url: `https://oidc.${region}.amazonaws.com/device_authorization`,
+    });
+    const buildIdcTokenRequest = (authorizeResponse) => ({
+        url: `https://oidc.${region}.amazonaws.com/token`,
+        init: {
+            method: "POST",
+            body: JSON.stringify({
+                clientId,
+                clientSecret,
+                deviceCode: authorizeResponse.deviceCode,
+                grantType: login_1.DEVICE_GRANT_TYPE,
+            }),
+        },
+    });
+    /**
+     * Exchanges the oidc token for AWS credentials for a given account and permission set
+     * @param oidcResponse oidc token response fot he oidc /token endpoint
+     * @param request accountId and permissionSet to exchange for AWS credentials
+     * @returns
+     */
+    const exchangeForAwsCredentials = (oidcResponse, request) => __awaiter(void 0, void 0, void 0, function* () {
+        // There is a delay in between aws issuing the sso token and it being available for exchange for AWS credentials
+        // When exchanging token immediately, an "unauthorized" may will be thrown, so retry with sleep.
+        return yield (0, retry_1.retryWithSleep)(() => __awaiter(void 0, void 0, void 0, function* () {
+            const init = {
+                method: "GET",
+                headers: {
+                    "x-amz-sso_bearer_token": oidcResponse.accessToken,
+                },
+            };
+            const { accountId, permissionSet } = request;
+            if (accountId === undefined)
+                throw new Error("Could not find an AWS account ID for this access request");
+            const params = new URLSearchParams();
+            params.append("account_id", accountId);
+            params.append("role_name", permissionSet);
+            const response = yield fetch(`https://portal.sso.${region}.amazonaws.com/federation/credentials?${params.toString()}`, init);
+            if (!response.ok)
+                throw new Error(`Failed to fetch AWS credentials: ${response.statusText}: ${yield response.text()}`);
+            return yield response.json();
+        }), () => true, 3);
+    });
+    return {
+        loginSteps: {
+            providerType: "aws-oidc",
+            validateResponse: fetch_1.validateResponse,
+            buildAuthorizeRequest: buildOidcAuthorizeRequest,
+            buildTokenRequest: buildIdcTokenRequest,
+            processAuthzExpiry: (authorize) => ({
+                expires_in: authorize.expiresIn,
+                interval: authorize.interval,
+            }),
+            processAuthzResponse: (authorize) => ({
+                user_code: authorize.userCode,
+                verification_uri_complete: authorize.verificationUriComplete,
+            }),
+        },
+        exchangeForAwsCredentials,
+    };
+};
+/**
+ * Returns AWS credentials for the specified account and permission set for the authorized user
+ * @param args accountId, permissionSet and idc to assume role associated with the permission set
+ * @returns
+ */
+const assumeRoleWithIdc = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield (0, auth_1.cached)(`aws-idc-${args.accountId}-${args.permissionSet}`, () => __awaiter(void 0, void 0, void 0, function* () {
+        const { idc } = args;
+        const { region } = idc;
+        const clientSecrets = yield (0, exports.registerClient)(region);
+        const { loginSteps, exchangeForAwsCredentials } = awsIdcHelpers(clientSecrets, idc);
+        const oidcResponse = yield (0, auth_1.cached)("aws-idc-device-authorization", () => __awaiter(void 0, void 0, void 0, function* () {
+            const data = yield (0, login_1.oidcLogin)(loginSteps);
+            return Object.assign(Object.assign({}, data), { expiresAt: Date.now() + data.expiresIn * 1e3 });
+        }), { duration: AWS_TOKEN_EXPIRY }, (data) => (data.expiresAt ? data.expiresAt < Date.now() : true));
+        const credentials = yield exchangeForAwsCredentials(oidcResponse, {
+            accountId: args.accountId,
+            permissionSet: args.permissionSet,
+        });
+        return {
+            AWS_ACCESS_KEY_ID: credentials.roleCredentials.accessKeyId,
+            AWS_SECRET_ACCESS_KEY: credentials.roleCredentials.secretAccessKey,
+            AWS_SESSION_TOKEN: credentials.roleCredentials.sessionToken,
+            AWS_SECURITY_TOKEN: credentials.roleCredentials.sessionToken,
+            expiresAt: credentials.roleCredentials.expiration,
+        };
+    }), { duration: AWS_TOKEN_EXPIRY }, (data) => (data.expiresAt ? data.expiresAt < Date.now() : true));
+});
+exports.assumeRoleWithIdc = assumeRoleWithIdc;

package/dist/plugins/aws/ssh.d.ts

@@ -8,6 +8,6 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { SshRequest } from "../../commands/shared";
-import { AwsSsh } from "./types";
-export declare const awsRequestToSsh: (request: AwsSsh) => SshRequest;
+import { SshProvider } from "../../types/ssh";
+import { AwsCredentials, AwsSshPermissionSpec, AwsSshRequest } from "./types";
+export declare const awsSshProvider: SshProvider<AwsSshPermissionSpec, undefined, AwsSshRequest, AwsCredentials>;

package/dist/plugins/aws/ssh.js

@@ -1,14 +1,78 @@
 "use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.awsRequestToSsh = void 0;
-const awsRequestToSsh = (request) => {
-    return {
-        id: request.permission.spec.instanceId,
-        accountId: request.permission.spec.accountId,
-        region: request.permission.spec.region,
-        role: request.generated.name,
-        linuxUserName: request.generated.ssh.linuxUserName,
-        type: "aws",
-    };
+exports.awsSshProvider = void 0;
+const util_1 = require("../../util");
+const aws_1 = require("../okta/aws");
+const config_1 = require("./config");
+const idc_1 = require("./idc");
+const install_1 = require("./ssm/install");
+/** Maximum number of attempts to start an SSH session
+ *
+ * Each attempt consumes ~ 1 s.
+ */
+const MAX_SSH_RETRIES = 30;
+/** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
+const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
+exports.awsSshProvider = {
+    requestToSsh: (request) => {
+        const { permission, generated } = request;
+        const { instanceId, accountId, region } = permission.spec;
+        const { idc, ssh, name } = generated;
+        const { linuxUserName } = ssh;
+        const common = { linuxUserName, accountId, region, id: instanceId };
+        return !idc
+            ? Object.assign(Object.assign({}, common), { role: name, type: "aws", access: "role" }) : Object.assign(Object.assign({}, common), { idc, permissionSet: name, type: "aws", access: "idc" });
+    },
+    toCliRequest: (request) => __awaiter(void 0, void 0, void 0, function* () { return (Object.assign(Object.assign({}, request), { cliLocalData: undefined })); }),
+    cloudProviderLogin: (authn, request) => __awaiter(void 0, void 0, void 0, function* () {
+        var _a, _b, _c, _d;
+        if (!(yield (0, install_1.ensureSsmInstall)())) {
+            throw "Please try again after installing the required AWS utilities";
+        }
+        const { config } = yield (0, config_1.getAwsConfig)(authn, request.accountId);
+        if (!((_a = config.login) === null || _a === void 0 ? void 0 : _a.type) || ((_b = config.login) === null || _b === void 0 ? void 0 : _b.type) === "iam") {
+            throw "This account is not configured for SSH access via the P0 CLI";
+        }
+        return ((_c = config.login) === null || _c === void 0 ? void 0 : _c.type) === "idc"
+            ? yield (0, idc_1.assumeRoleWithIdc)(request)
+            : ((_d = config.login) === null || _d === void 0 ? void 0 : _d.type) === "federated"
+                ? yield (0, aws_1.assumeRoleWithOktaSaml)(authn, request)
+                : (0, util_1.throwAssertNever)(config.login);
+    }),
+    proxyCommand: (request) => {
+        return [
+            "aws",
+            "ssm",
+            "start-session",
+            "--region",
+            request.region,
+            "--target",
+            "%h",
+            "--document-name",
+            START_SSH_SESSION_DOCUMENT_NAME,
+            "--parameters",
+            '"portNumber=%p"',
+        ];
+    },
+    reproCommands: (request) => {
+        // TODO: Add manual commands for IDC login
+        if (request.access !== "idc") {
+            return [
+                `eval $(p0 aws role assume ${request.role} --account ${request.accountId})`,
+            ];
+        }
+        return undefined;
+    },
+    preTestAccessPropagationArgs: () => undefined,
+    maxRetries: MAX_SSH_RETRIES,
+    friendlyName: "AWS",
 };
-exports.awsRequestToSsh = awsRequestToSsh;

package/dist/plugins/aws/types.d.ts

@@ -8,7 +8,8 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { CliPermissionSpec, PermissionSpec } from "../../types/request";
+import { PermissionSpec } from "../../types/request";
+import { CliPermissionSpec } from "../../types/ssh";
 import { CommonSshPermissionSpec } from "../ssh/types";
 export declare type AwsCredentials = {
     AWS_ACCESS_KEY_ID: string;
@@ -40,7 +41,7 @@ export declare type AwsFederatedLogin = {
         };
     };
 };
-declare type AwsLogin = AwsFederatedLogin | AwsIamLogin | AwsIdcLogin;
+export declare type AwsLogin = AwsFederatedLogin | AwsIamLogin | AwsIdcLogin;
 export declare type AwsItemConfig = {
     label?: string;
     state: string;
@@ -66,7 +67,30 @@ export declare type AwsSshGenerated = {
     ssh: {
         linuxUserName: string;
     };
+    idc?: {
+        region: string;
+        id: string;
+    };
+};
+export declare type AwsSshPermissionSpec = PermissionSpec<"ssh", AwsSshPermission, AwsSshGenerated>;
+export declare type AwsSsh = CliPermissionSpec<AwsSshPermissionSpec, undefined>;
+export declare type BaseAwsSshRequest = {
+    linuxUserName: string;
+    accountId: string;
+    region: string;
+    id: string;
+    type: "aws";
+};
+export declare type AwsSshRoleRequest = BaseAwsSshRequest & {
+    role: string;
+    access: "role";
+};
+export declare type AwsSshIdcRequest = BaseAwsSshRequest & {
+    permissionSet: string;
+    idc: {
+        id: string;
+        region: string;
+    };
+    access: "idc";
 };
-export declare type AwsPermissionSpec = PermissionSpec<"ssh", AwsSshPermission, AwsSshGenerated>;
-export declare type AwsSsh = CliPermissionSpec<AwsPermissionSpec>;
-export {};
+export declare type AwsSshRequest = AwsSshIdcRequest | AwsSshRoleRequest;

package/dist/plugins/google/ssh.d.ts

@@ -1,13 +1,5 @@
-/** Copyright © 2024-present P0 Security
-
-This file is part of @p0security/cli
-
-@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
-
-@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
-**/
-import { SshRequest } from "../../commands/shared";
-import { GcpSsh } from "./types";
-export declare const gcpRequestToSsh: (request: GcpSsh) => SshRequest;
+import { SshProvider } from "../../types/ssh";
+import { GcpSshPermissionSpec, GcpSshRequest } from "./types";
+export declare const gcpSshProvider: SshProvider<GcpSshPermissionSpec, {
+    linuxUserName: string;
+}, GcpSshRequest>;