@p0security/cli 0.8.1 → 0.8.3

package/dist/plugins/ssh/index.js

@@ -10,11 +10,19 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.sshOrScp = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const ssh_1 = require("../../commands/shared/ssh");
 const keys_1 = require("../../common/keys");
 const stdio_1 = require("../../drivers/stdio");
-const util_1 = require("../../util");
-const install_1 = require("../aws/ssm/install");
-const aws_1 = require("../okta/aws");
 const ssh_agent_1 = require("../ssh-agent");
 const node_child_process_1 = require("node:child_process");
 /** Matches the error message that AWS SSM print1 when access is not propagated */
@@ -33,18 +41,11 @@ const UNAUTHORIZED_TUNNEL_USER_MESSAGE = /Error while connecting \[4033: 'not au
 const UNAUTHORIZED_INSTANCES_GET_MESSAGE = /Required 'compute\.instances\.get' permission/;
 const DESTINATION_READ_ERROR = /Error while connecting \[4010: 'destination read failed'\]/;
 const GOOGLE_LOGIN_MESSAGE = /You do not currently have an active account selected/;
+const SUDO_MESSAGE = /Sorry, user .+ may not run sudo on .+/; // The output of `sudo -v` when the user is not allowed to run sudo
 /** Maximum amount of time after SSH subprocess starts to check for {@link UNPROVISIONED_ACCESS_MESSAGES}
  *  in the process's stderr
  */
 const DEFAULT_VALIDATION_WINDOW_MS = 5e3;
-/** Maximum number of attempts to start an SSH session
- *
- * Note that each attempt consumes ~ 1 s.
- */
-const DEFAULT_MAX_SSH_RETRIES = 30;
-const GCP_MAX_SSH_RETRIES = 120; // GCP requires more time to propagate access
-/** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
-const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
 /**
  * AWS
  * There are 2 cases of unprovisioned access in AWS
@@ -55,7 +56,7 @@ const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
  * 2: results in CONNECTION_CLOSED_MESSAGE
  *
  * Google Cloud
- * There are 5 cases of unprovisioned access in Google Cloud.
+ * There are 7 cases of unprovisioned access in Google Cloud.
  * These are all potentially subject to propagation delays.
  * 1. The linux user name is not present in the user's Google Workspace profile `posixAccounts` attribute
  * 2. The public key is not present in the user's Google Workspace profile `sshPublicKeys` attribute
@@ -64,17 +65,20 @@ const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
  * 5. The user doesn't have osLogin or osAdminLogin role to the instance
  * 5.a. compute.instances.get permission is missing
  * 5.b. compute.instances.osLogin permission is missing
- * 6: Rare occurrence, the exact conditions so far undetermined (together with CONNECTION_CLOSED_MESSAGE)
+ * 6. compute.instances.osAdminLogin is not provisioned but compute.instances.osLogin is - happens when a user upgrades existing access to sudo
+ * 7: Rare occurrence, the exact conditions so far undetermined (together with CONNECTION_CLOSED_MESSAGE)
  *
  * 1, 2, 3 (yes!), 5b: result in PUBLIC_KEY_DENIED_MESSAGE
  * 4: results in UNAUTHORIZED_TUNNEL_USER_MESSAGE and also CONNECTION_CLOSED_MESSAGE
  * 5a: results in UNAUTHORIZED_INSTANCES_GET_MESSAGE
- * 6: results in DESTINATION_READ_ERROR and also CONNECTION_CLOSED_MESSAGE
+ * 6: results in SUDO_MESSAGE
+ * 7: results in DESTINATION_READ_ERROR and also CONNECTION_CLOSED_MESSAGE
  */
 const UNPROVISIONED_ACCESS_MESSAGES = [
     { pattern: UNAUTHORIZED_START_SESSION_MESSAGE },
     { pattern: CONNECTION_CLOSED_MESSAGE },
     { pattern: PUBLIC_KEY_DENIED_MESSAGE },
+    { pattern: SUDO_MESSAGE },
     { pattern: UNAUTHORIZED_TUNNEL_USER_MESSAGE },
     { pattern: UNAUTHORIZED_INSTANCES_GET_MESSAGE, validationWindowMs: 30e3 },
     { pattern: DESTINATION_READ_ERROR },
@@ -125,11 +129,6 @@ const spawnChildProcess = (credential, command, args, stdio) => (0, node_child_p
     stdio,
     shell: false,
 });
-const friendlyProvider = (provider) => provider === "aws"
-    ? "AWS"
-    : provider === "gcloud"
-        ? "Google Cloud"
-        : (0, util_1.throwAssertNever)(provider);
 /** Starts an SSM session in the terminal by spawning `aws ssm` as a subprocess
  *
  * Requires `aws ssm` to be installed on the client machine.
@@ -137,6 +136,7 @@ const friendlyProvider = (provider) => provider === "aws"
 function spawnSshNode(options) {
     return __awaiter(this, void 0, void 0, function* () {
         return new Promise((resolve, reject) => {
+            const provider = ssh_1.SSH_PROVIDERS[options.provider];
             const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio);
             // TODO ENG-2284 support login with Google Cloud: currently return a boolean to indicate if the exception was a Google login error.
             const { isAccessPropagated, isGoogleLoginException } = accessPropagationGuard(child, options.debug);
@@ -151,7 +151,7 @@ function spawnSshNode(options) {
                         (0, stdio_1.print2)(`Waiting for access to propagate. Retrying SSH session... (remaining attempts: ${attemptsRemaining})`);
                     }
                     if (attemptsRemaining <= 0) {
-                        reject(`Access did not propagate through ${friendlyProvider(options.provider)} before max retry attempts were exceeded. Please contact support@p0.dev for assistance.`);
+                        reject(`Access did not propagate through ${provider.friendlyName} before max retry attempts were exceeded. Please contact support@p0.dev for assistance.`);
                         return;
                     }
                     spawnSshNode(Object.assign(Object.assign({}, options), { attemptsRemaining: attemptsRemaining - 1 }))
@@ -164,50 +164,16 @@ function spawnSshNode(options) {
                     return;
                 }
                 (_a = options.abortController) === null || _a === void 0 ? void 0 : _a.abort(code);
-                (0, stdio_1.print2)(`SSH session terminated`);
+                if (!options.isAccessPropagationPreTest)
+                    (0, stdio_1.print2)(`SSH session terminated`);
                 resolve(code);
             });
         });
     });
 }
-const createProxyCommands = (data, args, debug) => {
-    let proxyCommand;
-    if (data.type === "aws") {
-        proxyCommand = [
-            "aws",
-            "ssm",
-            "start-session",
-            "--region",
-            data.region,
-            "--target",
-            "%h",
-            "--document-name",
-            START_SSH_SESSION_DOCUMENT_NAME,
-            "--parameters",
-            '"portNumber=%p"',
-        ];
-    }
-    else if (data.type === "gcloud") {
-        proxyCommand = [
-            "gcloud",
-            "compute",
-            "start-iap-tunnel",
-            data.id,
-            "%p",
-            // --listen-on-stdin flag is required for interactive SSH session.
-            // It is undocumented on page https://cloud.google.com/sdk/gcloud/reference/compute/start-iap-tunnel
-            // but mention on page https://cloud.google.com/iap/docs/tcp-by-host
-            // and also found in `gcloud ssh --dry-run` output
-            "--listen-on-stdin",
-            `--zone=${data.zone}`,
-            `--project=${data.projectId}`,
-        ];
-    }
-    else {
-        throw (0, util_1.assertNever)(data);
-    }
+const createCommand = (data, args, proxyCommand) => {
     const commonArgs = [
-        ...(debug ? ["-v"] : []),
+        ...(args.debug ? ["-v"] : []),
         "-o",
         `ProxyCommand=${proxyCommand.join(" ")}`,
     ];
@@ -255,38 +221,53 @@ const transformForShell = (args) => {
         return arg;
     });
 };
-const awsLogin = (authn, data) => __awaiter(void 0, void 0, void 0, function* () {
-    if (!(yield (0, install_1.ensureSsmInstall)())) {
-        throw "Please try again after installing the required AWS utilities";
+/** Construct another command to use for testing access propagation prior to actually logging in the user to the ssh session */
+const preTestAccessPropagationIfNeeded = (sshProvider, request, cmdArgs, proxyCommand, credential) => __awaiter(void 0, void 0, void 0, function* () {
+    const testCmdArgs = sshProvider.preTestAccessPropagationArgs(cmdArgs);
+    // Pre-testing comes at a performance cost because we have to execute another ssh subprocess after
+    // a successful test. Only do when absolutely necessary.
+    if (testCmdArgs) {
+        const { command, args } = createCommand(request, testCmdArgs, proxyCommand);
+        // Assumes that this is a non-interactive ssh command that exits automatically
+        return spawnSshNode({
+            credential,
+            abortController: new AbortController(),
+            command,
+            args,
+            stdio: ["inherit", "inherit", "pipe"],
+            debug: cmdArgs.debug,
+            provider: request.type,
+            attemptsRemaining: sshProvider.maxRetries,
+            isAccessPropagationPreTest: true,
+        });
     }
-    return yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
-        account: data.accountId,
-        role: data.role,
-    });
+    return null;
 });
-const sshOrScp = (authn, data, cmdArgs, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
+const sshOrScp = (authn, request, cmdArgs, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
     if (!privateKey) {
         throw "Failed to load a private key for this request. Please contact support@p0.dev for assistance.";
     }
-    // TODO ENG-2284 support login with Google Cloud
-    const credential = data.type === "aws" ? yield awsLogin(authn, data) : undefined;
+    const sshProvider = ssh_1.SSH_PROVIDERS[request.type];
+    const credential = yield sshProvider.cloudProviderLogin(authn, request);
+    const proxyCommand = sshProvider.proxyCommand(request);
     return (0, ssh_agent_1.withSshAgent)(cmdArgs, () => __awaiter(void 0, void 0, void 0, function* () {
-        const { command, args } = createProxyCommands(data, cmdArgs, cmdArgs.debug);
+        const { command, args } = createCommand(request, cmdArgs, proxyCommand);
         if (cmdArgs.debug) {
-            const reproCommands = [
-                `eval $(ssh-agent)`,
-                `ssh-add "${keys_1.PRIVATE_KEY_PATH}"`,
-                // TODO ENG-2284 support login with Google Cloud
-                ...(data.type === "aws"
-                    ? [
-                        `eval $(p0 aws role assume ${data.role} --account ${data.accountId})`,
-                    ]
-                    : []),
-                `${command} ${transformForShell(args).join(" ")}`,
-            ];
-            (0, stdio_1.print2)(`Execute the following commands to create a similar SSH/SCP session:\n*** COMMANDS BEGIN ***\n${reproCommands.join("\n")}\n*** COMMANDS END ***"\n`);
+            const reproCommands = sshProvider.reproCommands(request);
+            if (reproCommands) {
+                const repro = [
+                    `eval $(ssh-agent)`,
+                    `ssh-add "${keys_1.PRIVATE_KEY_PATH}"`,
+                    ...reproCommands,
+                    `${command} ${transformForShell(args).join(" ")}`,
+                ].join("\n");
+                (0, stdio_1.print2)(`Execute the following commands to create a similar SSH/SCP session:\n*** COMMANDS BEGIN ***\n${repro}\n*** COMMANDS END ***"\n`);
+            }
+        }
+        const exitCode = yield preTestAccessPropagationIfNeeded(sshProvider, request, cmdArgs, proxyCommand, credential);
+        if (exitCode && exitCode !== 0) {
+            return exitCode; // Only exit if there was an error when pre-testing
         }
-        const maxRetries = data.type === "gcloud" ? GCP_MAX_SSH_RETRIES : DEFAULT_MAX_SSH_RETRIES;
         return spawnSshNode({
             credential,
             abortController: new AbortController(),
@@ -294,8 +275,8 @@ const sshOrScp = (authn, data, cmdArgs, privateKey) => __awaiter(void 0, void 0,
             args,
             stdio: ["inherit", "inherit", "pipe"],
             debug: cmdArgs.debug,
-            provider: data.type,
-            attemptsRemaining: maxRetries,
+            provider: request.type,
+            attemptsRemaining: sshProvider.maxRetries,
         });
     }));
 });

package/dist/types/aws/oidc.d.ts

@@ -0,0 +1,36 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare type AWSClientInformation = {
+    authorizationEndpoint: string;
+    clientId: string;
+    clientIdIssuedAt: number;
+    clientSecret: string;
+    clientSecretExpiresAt: number;
+    tokenEndpoint: string;
+};
+/**
+ * AWS OIDC token response uses camelCase instead of snake_case
+ */
+export declare type AWSTokenResponse = {
+    accessToken: string;
+    expiresIn: number;
+    idToken: string;
+    refreshToken: string;
+    tokenType: string;
+};
+export declare type AWSAuthorizeResponse = {
+    deviceCode: string;
+    expiresIn: number;
+    interval: number;
+    userCode: string;
+    verificationUri: string;
+    verificationUriComplete: string;
+};

package/dist/types/aws/oidc.js

@@ -0,0 +1,12 @@
+"use strict";
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/oidc.d.ts

@@ -1,3 +1,4 @@
+import { LoginPluginType } from "../plugins/login";
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -39,3 +40,23 @@ export declare type TokenResponse = {
 export declare type TokenErrorResponse = {
     error: "access_denied" | "authorization_pending" | "bad grant type" | "expired_token" | "missing parameter" | "not found" | "slow_down";
 };
+export declare type OidcLoginSteps<A> = {
+    providerType: LoginPluginType;
+    validateResponse: (response: Response) => Promise<Response>;
+    buildAuthorizeRequest: () => {
+        url: string;
+        init: RequestInit;
+    };
+    buildTokenRequest: (authorize: A) => {
+        url: string;
+        init: RequestInit;
+    };
+    processAuthzResponse: (authorize: A) => {
+        user_code: string;
+        verification_uri_complete: string;
+    };
+    processAuthzExpiry: (authorize: A) => {
+        expires_in: number;
+        interval: number;
+    };
+};

package/dist/types/request.d.ts

@@ -8,16 +8,10 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { AwsPermissionSpec, AwsSsh } from "../plugins/aws/types";
-import { GcpPermissionSpec, GcpSsh } from "../plugins/google/types";
+import { PluginSshRequest } from "./ssh";
 export declare const DONE_STATUSES: readonly ["DONE", "DONE_NOTIFIED"];
 export declare const DENIED_STATUSES: readonly ["DENIED", "DENIED_NOTIFIED"];
 export declare const ERROR_STATUSES: readonly ["ERRORED", "ERRORED", "ERRORED_NOTIFIED"];
-export declare type CliRequest = AwsSsh | GcpSsh;
-export declare type PluginRequest = AwsPermissionSpec | GcpPermissionSpec;
-export declare type CliPermissionSpec<P extends PluginRequest, C extends object | undefined = undefined> = P & {
-    cliLocalData: C;
-};
 export declare type PermissionSpec<K extends string, P extends {
     type: string;
 }, G extends object | undefined = undefined> = {
@@ -25,6 +19,7 @@ export declare type PermissionSpec<K extends string, P extends {
     permission: P;
     generated: G;
 };
+export declare type PluginRequest = PluginSshRequest;
 export declare type Request<P extends PluginRequest> = P & {
     status: string;
     principal: string;

package/dist/types/ssh.d.ts

@@ -0,0 +1,47 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { CommandArgs } from "../commands/shared/ssh";
+import { AwsSsh, AwsSshPermissionSpec, AwsSshRequest } from "../plugins/aws/types";
+import { GcpSsh, GcpSshPermissionSpec, GcpSshRequest } from "../plugins/google/types";
+import { Authn } from "./identity";
+import { Request } from "./request";
+export declare type CliSshRequest = AwsSsh | GcpSsh;
+export declare type PluginSshRequest = AwsSshPermissionSpec | GcpSshPermissionSpec;
+export declare type CliPermissionSpec<P extends PluginSshRequest, C extends object | undefined> = P & {
+    cliLocalData: C;
+};
+export declare const SupportedSshProviders: readonly ["aws", "gcloud"];
+export declare type SupportedSshProvider = (typeof SupportedSshProviders)[number];
+export declare type SshProvider<PR extends PluginSshRequest = PluginSshRequest, O extends object | undefined = undefined, SR extends SshRequest = SshRequest, C extends object | undefined = undefined> = {
+    requestToSsh: (request: CliPermissionSpec<PR, O>) => SR;
+    /** Converts a backend request to a CLI request */
+    toCliRequest: (request: Request<PR>, options?: {
+        debug?: boolean;
+    }) => Promise<Request<CliSshRequest>>;
+    /** Logs in the user to the cloud provider */
+    cloudProviderLogin: (authn: Authn, request: SR) => Promise<C>;
+    /** Returns the command and its arguments that are going to be injected as the ssh ProxyCommand option */
+    proxyCommand: (request: SR) => string[];
+    /** Each element in the returned array is a command that can be run to reproduce the
+     * steps of logging in the user to the ssh session. */
+    reproCommands: (request: SR) => string[] | undefined;
+    /** Arguments for a pre-test command to verify access propagation prior
+     * to actually logging in the user to the ssh session.
+     * This must return arguments for a non-interactive command - meaning the `command`
+     * and potentially the `args` props must be specified in the returned scp/ssh command.
+     * If the return value is undefined then no pre-testing is done prior to executing
+     * the actual ssh/scp command.
+     */
+    preTestAccessPropagationArgs: (cmdArgs: CommandArgs) => CommandArgs | undefined;
+    maxRetries: number;
+    friendlyName: string;
+};
+export declare type SshRequest = AwsSshRequest | GcpSshRequest;

package/dist/types/ssh.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SupportedSshProviders = void 0;
+// The prefix of installed SSH accounts in P0 is the provider name
+exports.SupportedSshProviders = ["aws", "gcloud"];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.8.1",
+  "version": "0.8.3",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {
@@ -25,7 +25,7 @@
     "express": "^4.18.2",
     "firebase": "^10.7.2",
     "inquirer": "^9.2.15",
-    "jsdom": "^24.0.0",
+    "jsdom": "^24.1.1",
     "lodash": "^4.17.21",
     "node-forge": "^1.3.1",
     "open": "^8.4.0",
@@ -67,5 +67,6 @@
     "lint": "yarn prettier --check . &&  yarn run eslint --max-warnings 0 .",
     "p0": "node --no-deprecation ./p0",
     "prepublishOnly": "npm run clean && npm run build"
-  }
+  },
+  "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
 }