@p0security/cli 0.8.2 → 0.8.3

package/dist/commands/__tests__/grant.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/commands/__tests__/grant.test.js

@@ -0,0 +1,55 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const api_1 = require("../../drivers/api");
+const stdio_1 = require("../../drivers/stdio");
+const grant_1 = require("../grant");
+const yargs_1 = __importDefault(require("yargs"));
+jest.mock("../../drivers/api");
+jest.mock("../../drivers/auth");
+jest.mock("../../drivers/stdio");
+const mockFetchCommand = api_1.fetchCommand;
+const mockPrint1 = stdio_1.print1;
+const mockPrint2 = stdio_1.print2;
+describe("grant", () => {
+    beforeEach(() => jest.clearAllMocks());
+    describe("when valid grant command", () => {
+        const command = "grant gcloud role viewer --to someone@test.com --principal-type user";
+        function mockFetch() {
+            mockFetchCommand.mockResolvedValue({
+                ok: true,
+                message: "a message",
+                id: "abcefg",
+                isPreexisting: false,
+                isPersistent: false,
+            });
+        }
+        it(`should print request response`, () => __awaiter(void 0, void 0, void 0, function* () {
+            mockFetch();
+            yield (0, grant_1.grantCommand)((0, yargs_1.default)()).parse(command);
+            expect(mockPrint2.mock.calls).toMatchSnapshot();
+            expect(mockPrint1).not.toHaveBeenCalled();
+        }));
+    });
+});

package/dist/commands/grant.d.ts

@@ -0,0 +1,4 @@
+import yargs from "yargs";
+export declare const grantCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
+    arguments: string[];
+}>;

package/dist/commands/grant.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.grantCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const firestore_1 = require("../drivers/firestore");
+const request_1 = require("./shared/request");
+const grantCommand = (yargs) => yargs.command("grant [arguments..]", "Grant access to another identity", request_1.requestArgs, (0, firestore_1.guard)((0, request_1.request)("grant")));
+exports.grantCommand = grantCommand;

package/dist/commands/index.js

@@ -18,6 +18,7 @@ const stdio_1 = require("../drivers/stdio");
 const version_1 = require("../middlewares/version");
 const allow_1 = require("./allow");
 const aws_1 = require("./aws");
+const grant_1 = require("./grant");
 const login_1 = require("./login");
 const ls_1 = require("./ls");
 const request_1 = require("./request");
@@ -28,6 +29,7 @@ const yargs_1 = __importDefault(require("yargs"));
 const helpers_1 = require("yargs/helpers");
 const commands = [
     aws_1.awsCommand,
+    grant_1.grantCommand,
     login_1.loginCommand,
     ls_1.lsCommand,
     request_1.requestCommand,

package/dist/commands/request.d.ts

@@ -1,12 +1,4 @@
-import { Authn } from "../types/identity";
-import { RequestResponse } from "../types/request";
 import yargs from "yargs";
 export declare const requestCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
     arguments: string[];
 }>;
-export declare const request: <T>(args: yargs.ArgumentsCamelCase<{
-    arguments: string[];
-    wait?: boolean;
-}>, authn?: Authn, options?: {
-    message?: "all" | "approval-required" | "none";
-}) => Promise<RequestResponse<T> | undefined>;

package/dist/commands/request.js

@@ -1,15 +1,6 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.request = exports.requestCommand = void 0;
+exports.requestCommand = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -20,97 +11,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const api_1 = require("../drivers/api");
-const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
-const stdio_1 = require("../drivers/stdio");
-const firestore_2 = require("firebase/firestore");
-const typescript_1 = require("typescript");
-const WAIT_TIMEOUT = 300e3;
-const APPROVED = { message: "Your request was approved", code: 0 };
-const DENIED = { message: "Your request was denied", code: 2 };
-const ERRORED = { message: "Your request encountered an error", code: 1 };
-const COMPLETED_REQUEST_STATUSES = {
-    APPROVED,
-    APPROVED_NOTIFIED: APPROVED,
-    DONE: APPROVED,
-    DONE_NOTIFIED: APPROVED,
-    DENIED,
-    ERRORED,
-};
-const isCompletedStatus = (status) => status in COMPLETED_REQUEST_STATUSES;
-const requestArgs = (yargs) => yargs
-    .parserConfiguration({ "unknown-options-as-args": true })
-    .help(false) // Turn off help in order to forward the --help command to the backend so P0 can provide the available requestable resources
-    .option("wait", {
-    alias: "w",
-    boolean: true,
-    default: false,
-    describe: "Block until the command is completed",
-})
-    .option("arguments", {
-    array: true,
-    string: true,
-    default: [],
-});
-const requestCommand = (yargs) => yargs.command("request [arguments..]", "Manually request permissions on a resource", requestArgs, (0, firestore_1.guard)(exports.request));
+const request_1 = require("./shared/request");
+const requestCommand = (yargs) => yargs.command("request [arguments..]", "Manually request permissions on a resource", request_1.requestArgs, (0, firestore_1.guard)((0, request_1.request)("request")));
 exports.requestCommand = requestCommand;
-const waitForRequest = (tenantId, requestId, logMessage) => __awaiter(void 0, void 0, void 0, function* () {
-    return yield new Promise((resolve) => {
-        if (logMessage)
-            (0, stdio_1.print2)("Will wait up to 5 minutes for this request to complete...");
-        let cancel = undefined;
-        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${tenantId}/permission-requests/${requestId}`), (snap) => {
-            const data = snap.data();
-            if (!data)
-                return;
-            const { status } = data;
-            if (isCompletedStatus(status)) {
-                if (cancel)
-                    clearTimeout(cancel);
-                unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
-                const { message, code } = COMPLETED_REQUEST_STATUSES[status];
-                if (code !== 0 || logMessage)
-                    (0, stdio_1.print2)(message);
-                resolve(code);
-            }
-        });
-        cancel = setTimeout(() => {
-            unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
-            (0, stdio_1.print2)("Your request did not complete within 5 minutes.");
-            resolve(4);
-        }, WAIT_TIMEOUT);
-    });
-});
-const request = (args, authn, options) => __awaiter(void 0, void 0, void 0, function* () {
-    const resolvedAuthn = authn !== null && authn !== void 0 ? authn : (yield (0, auth_1.authenticate)());
-    const { userCredential } = resolvedAuthn;
-    const data = yield (0, api_1.fetchCommand)(resolvedAuthn, args, [
-        "request",
-        ...args.arguments,
-    ]);
-    if (data && "ok" in data && "message" in data && data.ok) {
-        const logMessage = !(options === null || options === void 0 ? void 0 : options.message) ||
-            (options === null || options === void 0 ? void 0 : options.message) === "all" ||
-            ((options === null || options === void 0 ? void 0 : options.message) === "approval-required" &&
-                !data.isPreexisting &&
-                !data.isPersistent);
-        if (logMessage)
-            (0, stdio_1.print2)(data.message);
-        const { id } = data;
-        if (args.wait && id && userCredential.user.tenantId) {
-            const code = yield waitForRequest(userCredential.user.tenantId, id, logMessage);
-            if (code) {
-                typescript_1.sys.exit(code);
-                return undefined;
-            }
-            return data;
-        }
-        else
-            return undefined;
-    }
-    else {
-        throw data;
-    }
-});
-exports.request = request;

package/dist/commands/shared/request.d.ts

@@ -0,0 +1,14 @@
+import { Authn } from "../../types/identity";
+import { RequestResponse } from "../../types/request";
+import yargs from "yargs";
+export declare const requestArgs: <T>(yargs: yargs.Argv<T>) => yargs.Argv<T & {
+    wait: boolean;
+} & {
+    arguments: string[];
+}>;
+export declare const request: (command: "grant" | "request") => <T>(args: yargs.ArgumentsCamelCase<{
+    arguments: string[];
+    wait?: boolean;
+}>, authn?: Authn, options?: {
+    message?: "all" | "approval-required" | "none";
+}) => Promise<RequestResponse<T> | undefined>;

package/dist/commands/shared/request.js

@@ -0,0 +1,115 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.request = exports.requestArgs = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const api_1 = require("../../drivers/api");
+const auth_1 = require("../../drivers/auth");
+const firestore_1 = require("../../drivers/firestore");
+const stdio_1 = require("../../drivers/stdio");
+const firestore_2 = require("firebase/firestore");
+const typescript_1 = require("typescript");
+const WAIT_TIMEOUT = 300e3;
+const APPROVED = { message: "Your request was approved", code: 0 };
+const DENIED = { message: "Your request was denied", code: 2 };
+const ERRORED = { message: "Your request encountered an error", code: 1 };
+const COMPLETED_REQUEST_STATUSES = {
+    APPROVED,
+    APPROVED_NOTIFIED: APPROVED,
+    DONE: APPROVED,
+    DONE_NOTIFIED: APPROVED,
+    DENIED,
+    ERRORED,
+};
+const isCompletedStatus = (status) => status in COMPLETED_REQUEST_STATUSES;
+const requestArgs = (yargs) => yargs
+    .parserConfiguration({ "unknown-options-as-args": true })
+    .help(false) // Turn off help in order to forward the --help command to the backend so P0 can provide the available requestable resources
+    .option("wait", {
+    alias: "w",
+    boolean: true,
+    default: false,
+    describe: "Block until the command is completed",
+})
+    .option("arguments", {
+    array: true,
+    string: true,
+    default: [],
+});
+exports.requestArgs = requestArgs;
+const waitForRequest = (tenantId, requestId, logMessage) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield new Promise((resolve) => {
+        if (logMessage)
+            (0, stdio_1.print2)("Will wait up to 5 minutes for this request to complete...");
+        let cancel = undefined;
+        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${tenantId}/permission-requests/${requestId}`), (snap) => {
+            const data = snap.data();
+            if (!data)
+                return;
+            const { status } = data;
+            if (isCompletedStatus(status)) {
+                if (cancel)
+                    clearTimeout(cancel);
+                unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
+                const { message, code } = COMPLETED_REQUEST_STATUSES[status];
+                if (code !== 0 || logMessage)
+                    (0, stdio_1.print2)(message);
+                resolve(code);
+            }
+        });
+        cancel = setTimeout(() => {
+            unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
+            (0, stdio_1.print2)("Your request did not complete within 5 minutes.");
+            resolve(4);
+        }, WAIT_TIMEOUT);
+    });
+});
+const request = (command) => (args, authn, options) => __awaiter(void 0, void 0, void 0, function* () {
+    const resolvedAuthn = authn !== null && authn !== void 0 ? authn : (yield (0, auth_1.authenticate)());
+    const { userCredential } = resolvedAuthn;
+    const data = yield (0, api_1.fetchCommand)(resolvedAuthn, args, [
+        command,
+        ...args.arguments,
+    ]);
+    if (data && "ok" in data && "message" in data && data.ok) {
+        const logMessage = !(options === null || options === void 0 ? void 0 : options.message) ||
+            (options === null || options === void 0 ? void 0 : options.message) === "all" ||
+            ((options === null || options === void 0 ? void 0 : options.message) === "approval-required" &&
+                !data.isPreexisting &&
+                !data.isPersistent);
+        if (logMessage)
+            (0, stdio_1.print2)(data.message);
+        const { id } = data;
+        if (args.wait && id && userCredential.user.tenantId) {
+            const code = yield waitForRequest(userCredential.user.tenantId, id, logMessage);
+            if (code) {
+                typescript_1.sys.exit(code);
+                return undefined;
+            }
+            return data;
+        }
+        else
+            return undefined;
+    }
+    else {
+        throw data;
+    }
+});
+exports.request = request;

package/dist/commands/shared/ssh.d.ts

@@ -1,6 +1,6 @@
 import { Authn } from "../../types/identity";
 import { Request } from "../../types/request";
-import { CliSshRequest, SshRequest, SupportedSshProvider } from "../../types/ssh";
+import { CliSshRequest, SshProvider, SshRequest, SupportedSshProvider } from "../../types/ssh";
 import yargs from "yargs";
 export declare type BaseSshCommandArgs = {
     sudo?: boolean;
@@ -23,6 +23,12 @@ export declare type SshCommandArgs = BaseSshCommandArgs & {
     arguments: string[];
     command?: string;
 };
+export declare type CommandArgs = ScpCommandArgs | SshCommandArgs;
+export declare const SSH_PROVIDERS: Record<SupportedSshProvider, SshProvider<any, any, any, any>>;
+export declare const isSudoCommand: (args: {
+    sudo?: boolean;
+    command?: string;
+}) => boolean;
 export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<{
     request: Request<CliSshRequest>;
     publicKey: string;

package/dist/commands/shared/ssh.js

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.requestToSsh = exports.provisionRequest = void 0;
+exports.requestToSsh = exports.provisionRequest = exports.isSudoCommand = exports.SSH_PROVIDERS = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -27,10 +27,10 @@ const stdio_1 = require("../../drivers/stdio");
 const ssh_1 = require("../../plugins/aws/ssh");
 const ssh_2 = require("../../plugins/google/ssh");
 const ssh_3 = require("../../types/ssh");
-const request_1 = require("../request");
+const request_1 = require("./request");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
-const SSH_PROVIDERS = {
+exports.SSH_PROVIDERS = {
     aws: ssh_1.awsSshProvider,
     gcloud: ssh_2.gcpSshProvider,
 };
@@ -48,19 +48,21 @@ const validateSshInstall = (authn, args) => __awaiter(void 0, void 0, void 0, fu
     }
 });
 const pluginToCliRequest = (request, options) => __awaiter(void 0, void 0, void 0, function* () {
-    return yield SSH_PROVIDERS[request.permission.spec.type].toCliRequest(request, options);
+    return yield exports.SSH_PROVIDERS[request.permission.spec.type].toCliRequest(request, options);
 });
+const isSudoCommand = (args) => args.sudo || args.command === "sudo";
+exports.isSudoCommand = isSudoCommand;
 const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0, void 0, function* () {
     yield validateSshInstall(authn, args);
     const { publicKey, privateKey } = yield (0, keys_1.createKeyPair)();
-    const response = yield (0, request_1.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
+    const response = yield (0, request_1.request)("request")(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
             "ssh",
             "session",
             destination,
             "--public-key",
             publicKey,
             ...(args.provider ? ["--provider", args.provider] : []),
-            ...(args.sudo || args.command === "sudo" ? ["--sudo"] : []),
+            ...((0, exports.isSudoCommand)(args) ? ["--sudo"] : []),
             ...(args.reason ? ["--reason", args.reason] : []),
             ...(args.account ? ["--account", args.account] : []),
         ], wait: true }), authn, { message: "approval-required" });
@@ -81,5 +83,5 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     return { request: cliRequest, publicKey, privateKey };
 });
 exports.provisionRequest = provisionRequest;
-const requestToSsh = (request) => SSH_PROVIDERS[request.permission.spec.type].requestToSsh(request);
+const requestToSsh = (request) => exports.SSH_PROVIDERS[request.permission.spec.type].requestToSsh(request);
 exports.requestToSsh = requestToSsh;

package/dist/plugins/aws/ssh.d.ts

@@ -9,5 +9,5 @@ This file is part of @p0security/cli
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
 import { SshProvider } from "../../types/ssh";
-import { AwsSshPermissionSpec, AwsSshRequest } from "./types";
-export declare const awsSshProvider: SshProvider<AwsSshPermissionSpec, undefined, AwsSshRequest>;
+import { AwsCredentials, AwsSshPermissionSpec, AwsSshRequest } from "./types";
+export declare const awsSshProvider: SshProvider<AwsSshPermissionSpec, undefined, AwsSshRequest, AwsCredentials>;

package/dist/plugins/aws/ssh.js

@@ -10,6 +10,18 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.awsSshProvider = void 0;
+const util_1 = require("../../util");
+const aws_1 = require("../okta/aws");
+const config_1 = require("./config");
+const idc_1 = require("./idc");
+const install_1 = require("./ssm/install");
+/** Maximum number of attempts to start an SSH session
+ *
+ * Each attempt consumes ~ 1 s.
+ */
+const MAX_SSH_RETRIES = 30;
+/** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
+const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
 exports.awsSshProvider = {
     requestToSsh: (request) => {
         const { permission, generated } = request;
@@ -21,4 +33,46 @@ exports.awsSshProvider = {
             ? Object.assign(Object.assign({}, common), { role: name, type: "aws", access: "role" }) : Object.assign(Object.assign({}, common), { idc, permissionSet: name, type: "aws", access: "idc" });
     },
     toCliRequest: (request) => __awaiter(void 0, void 0, void 0, function* () { return (Object.assign(Object.assign({}, request), { cliLocalData: undefined })); }),
+    cloudProviderLogin: (authn, request) => __awaiter(void 0, void 0, void 0, function* () {
+        var _a, _b, _c, _d;
+        if (!(yield (0, install_1.ensureSsmInstall)())) {
+            throw "Please try again after installing the required AWS utilities";
+        }
+        const { config } = yield (0, config_1.getAwsConfig)(authn, request.accountId);
+        if (!((_a = config.login) === null || _a === void 0 ? void 0 : _a.type) || ((_b = config.login) === null || _b === void 0 ? void 0 : _b.type) === "iam") {
+            throw "This account is not configured for SSH access via the P0 CLI";
+        }
+        return ((_c = config.login) === null || _c === void 0 ? void 0 : _c.type) === "idc"
+            ? yield (0, idc_1.assumeRoleWithIdc)(request)
+            : ((_d = config.login) === null || _d === void 0 ? void 0 : _d.type) === "federated"
+                ? yield (0, aws_1.assumeRoleWithOktaSaml)(authn, request)
+                : (0, util_1.throwAssertNever)(config.login);
+    }),
+    proxyCommand: (request) => {
+        return [
+            "aws",
+            "ssm",
+            "start-session",
+            "--region",
+            request.region,
+            "--target",
+            "%h",
+            "--document-name",
+            START_SSH_SESSION_DOCUMENT_NAME,
+            "--parameters",
+            '"portNumber=%p"',
+        ];
+    },
+    reproCommands: (request) => {
+        // TODO: Add manual commands for IDC login
+        if (request.access !== "idc") {
+            return [
+                `eval $(p0 aws role assume ${request.role} --account ${request.accountId})`,
+            ];
+        }
+        return undefined;
+    },
+    preTestAccessPropagationArgs: () => undefined,
+    maxRetries: MAX_SSH_RETRIES,
+    friendlyName: "AWS",
 };

package/dist/plugins/google/ssh.d.ts

@@ -1,13 +1,3 @@
-/** Copyright © 2024-present P0 Security
-
-This file is part of @p0security/cli
-
-@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
-
-@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
-**/
 import { SshProvider } from "../../types/ssh";
 import { GcpSshPermissionSpec, GcpSshRequest } from "./types";
 export declare const gcpSshProvider: SshProvider<GcpSshPermissionSpec, {

package/dist/plugins/google/ssh.js

@@ -10,7 +10,23 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.gcpSshProvider = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const ssh_1 = require("../../commands/shared/ssh");
 const ssh_key_1 = require("./ssh-key");
+/** Maximum number of attempts to start an SSH session
+ *
+ * The length of each attempt varies based on the type of error from a few seconds to < 1s
+ */
+const MAX_SSH_RETRIES = 120;
 exports.gcpSshProvider = {
     requestToSsh: (request) => {
         return {
@@ -26,4 +42,33 @@ exports.gcpSshProvider = {
                 linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
             } }));
     }),
+    cloudProviderLogin: () => __awaiter(void 0, void 0, void 0, function* () { return undefined; }),
+    proxyCommand: (request) => {
+        return [
+            "gcloud",
+            "compute",
+            "start-iap-tunnel",
+            request.id,
+            "%p",
+            // --listen-on-stdin flag is required for interactive SSH session.
+            // It is undocumented on page https://cloud.google.com/sdk/gcloud/reference/compute/start-iap-tunnel
+            // but mention on page https://cloud.google.com/iap/docs/tcp-by-host
+            // and also found in `gcloud ssh --dry-run` output
+            "--listen-on-stdin",
+            `--zone=${request.zone}`,
+            `--project=${request.projectId}`,
+        ];
+    },
+    reproCommands: () => undefined,
+    preTestAccessPropagationArgs: (cmdArgs) => {
+        if ((0, ssh_1.isSudoCommand)(cmdArgs)) {
+            return Object.assign(Object.assign({}, cmdArgs), { 
+                // `sudo -v` prints `Sorry, user <user> may not run sudo on <hostname>.` to stderr when user is not a sudoer.
+                // It prints nothing to stdout when user is a sudoer - which is important because we don't want any output from the pre-test.
+                command: "sudo", arguments: ["-v"] });
+        }
+        return undefined;
+    },
+    maxRetries: MAX_SSH_RETRIES,
+    friendlyName: "Google Cloud",
 };

package/dist/plugins/ssh/index.d.ts

@@ -8,7 +8,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { ScpCommandArgs, SshCommandArgs } from "../../commands/shared/ssh";
+import { CommandArgs } from "../../commands/shared/ssh";
 import { Authn } from "../../types/identity";
 import { SshRequest } from "../../types/ssh";
-export declare const sshOrScp: (authn: Authn, data: SshRequest, cmdArgs: ScpCommandArgs | SshCommandArgs, privateKey: string) => Promise<number | null>;
+export declare const sshOrScp: (authn: Authn, request: SshRequest, cmdArgs: CommandArgs, privateKey: string) => Promise<number | null>;

package/dist/plugins/ssh/index.js

@@ -10,13 +10,19 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.sshOrScp = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const ssh_1 = require("../../commands/shared/ssh");
 const keys_1 = require("../../common/keys");
 const stdio_1 = require("../../drivers/stdio");
-const util_1 = require("../../util");
-const config_1 = require("../aws/config");
-const idc_1 = require("../aws/idc");
-const install_1 = require("../aws/ssm/install");
-const aws_1 = require("../okta/aws");
 const ssh_agent_1 = require("../ssh-agent");
 const node_child_process_1 = require("node:child_process");
 /** Matches the error message that AWS SSM print1 when access is not propagated */
@@ -35,18 +41,11 @@ const UNAUTHORIZED_TUNNEL_USER_MESSAGE = /Error while connecting \[4033: 'not au
 const UNAUTHORIZED_INSTANCES_GET_MESSAGE = /Required 'compute\.instances\.get' permission/;
 const DESTINATION_READ_ERROR = /Error while connecting \[4010: 'destination read failed'\]/;
 const GOOGLE_LOGIN_MESSAGE = /You do not currently have an active account selected/;
+const SUDO_MESSAGE = /Sorry, user .+ may not run sudo on .+/; // The output of `sudo -v` when the user is not allowed to run sudo
 /** Maximum amount of time after SSH subprocess starts to check for {@link UNPROVISIONED_ACCESS_MESSAGES}
  *  in the process's stderr
  */
 const DEFAULT_VALIDATION_WINDOW_MS = 5e3;
-/** Maximum number of attempts to start an SSH session
- *
- * Note that each attempt consumes ~ 1 s.
- */
-const DEFAULT_MAX_SSH_RETRIES = 30;
-const GCP_MAX_SSH_RETRIES = 120; // GCP requires more time to propagate access
-/** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
-const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
 /**
  * AWS
  * There are 2 cases of unprovisioned access in AWS
@@ -57,7 +56,7 @@ const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
  * 2: results in CONNECTION_CLOSED_MESSAGE
  *
  * Google Cloud
- * There are 5 cases of unprovisioned access in Google Cloud.
+ * There are 7 cases of unprovisioned access in Google Cloud.
  * These are all potentially subject to propagation delays.
  * 1. The linux user name is not present in the user's Google Workspace profile `posixAccounts` attribute
  * 2. The public key is not present in the user's Google Workspace profile `sshPublicKeys` attribute
@@ -66,17 +65,20 @@ const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
  * 5. The user doesn't have osLogin or osAdminLogin role to the instance
  * 5.a. compute.instances.get permission is missing
  * 5.b. compute.instances.osLogin permission is missing
- * 6: Rare occurrence, the exact conditions so far undetermined (together with CONNECTION_CLOSED_MESSAGE)
+ * 6. compute.instances.osAdminLogin is not provisioned but compute.instances.osLogin is - happens when a user upgrades existing access to sudo
+ * 7: Rare occurrence, the exact conditions so far undetermined (together with CONNECTION_CLOSED_MESSAGE)
  *
  * 1, 2, 3 (yes!), 5b: result in PUBLIC_KEY_DENIED_MESSAGE
  * 4: results in UNAUTHORIZED_TUNNEL_USER_MESSAGE and also CONNECTION_CLOSED_MESSAGE
  * 5a: results in UNAUTHORIZED_INSTANCES_GET_MESSAGE
- * 6: results in DESTINATION_READ_ERROR and also CONNECTION_CLOSED_MESSAGE
+ * 6: results in SUDO_MESSAGE
+ * 7: results in DESTINATION_READ_ERROR and also CONNECTION_CLOSED_MESSAGE
  */
 const UNPROVISIONED_ACCESS_MESSAGES = [
     { pattern: UNAUTHORIZED_START_SESSION_MESSAGE },
     { pattern: CONNECTION_CLOSED_MESSAGE },
     { pattern: PUBLIC_KEY_DENIED_MESSAGE },
+    { pattern: SUDO_MESSAGE },
     { pattern: UNAUTHORIZED_TUNNEL_USER_MESSAGE },
     { pattern: UNAUTHORIZED_INSTANCES_GET_MESSAGE, validationWindowMs: 30e3 },
     { pattern: DESTINATION_READ_ERROR },
@@ -127,11 +129,6 @@ const spawnChildProcess = (credential, command, args, stdio) => (0, node_child_p
     stdio,
     shell: false,
 });
-const friendlyProvider = (provider) => provider === "aws"
-    ? "AWS"
-    : provider === "gcloud"
-        ? "Google Cloud"
-        : (0, util_1.throwAssertNever)(provider);
 /** Starts an SSM session in the terminal by spawning `aws ssm` as a subprocess
  *
  * Requires `aws ssm` to be installed on the client machine.
@@ -139,6 +136,7 @@ const friendlyProvider = (provider) => provider === "aws"
 function spawnSshNode(options) {
     return __awaiter(this, void 0, void 0, function* () {
         return new Promise((resolve, reject) => {
+            const provider = ssh_1.SSH_PROVIDERS[options.provider];
             const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio);
             // TODO ENG-2284 support login with Google Cloud: currently return a boolean to indicate if the exception was a Google login error.
             const { isAccessPropagated, isGoogleLoginException } = accessPropagationGuard(child, options.debug);
@@ -153,7 +151,7 @@ function spawnSshNode(options) {
                         (0, stdio_1.print2)(`Waiting for access to propagate. Retrying SSH session... (remaining attempts: ${attemptsRemaining})`);
                     }
                     if (attemptsRemaining <= 0) {
-                        reject(`Access did not propagate through ${friendlyProvider(options.provider)} before max retry attempts were exceeded. Please contact support@p0.dev for assistance.`);
+                        reject(`Access did not propagate through ${provider.friendlyName} before max retry attempts were exceeded. Please contact support@p0.dev for assistance.`);
                         return;
                     }
                     spawnSshNode(Object.assign(Object.assign({}, options), { attemptsRemaining: attemptsRemaining - 1 }))
@@ -166,50 +164,16 @@ function spawnSshNode(options) {
                     return;
                 }
                 (_a = options.abortController) === null || _a === void 0 ? void 0 : _a.abort(code);
-                (0, stdio_1.print2)(`SSH session terminated`);
+                if (!options.isAccessPropagationPreTest)
+                    (0, stdio_1.print2)(`SSH session terminated`);
                 resolve(code);
             });
         });
     });
 }
-const createProxyCommands = (data, args, debug) => {
-    let proxyCommand;
-    if (data.type === "aws") {
-        proxyCommand = [
-            "aws",
-            "ssm",
-            "start-session",
-            "--region",
-            data.region,
-            "--target",
-            "%h",
-            "--document-name",
-            START_SSH_SESSION_DOCUMENT_NAME,
-            "--parameters",
-            '"portNumber=%p"',
-        ];
-    }
-    else if (data.type === "gcloud") {
-        proxyCommand = [
-            "gcloud",
-            "compute",
-            "start-iap-tunnel",
-            data.id,
-            "%p",
-            // --listen-on-stdin flag is required for interactive SSH session.
-            // It is undocumented on page https://cloud.google.com/sdk/gcloud/reference/compute/start-iap-tunnel
-            // but mention on page https://cloud.google.com/iap/docs/tcp-by-host
-            // and also found in `gcloud ssh --dry-run` output
-            "--listen-on-stdin",
-            `--zone=${data.zone}`,
-            `--project=${data.projectId}`,
-        ];
-    }
-    else {
-        throw (0, util_1.assertNever)(data);
-    }
+const createCommand = (data, args, proxyCommand) => {
     const commonArgs = [
-        ...(debug ? ["-v"] : []),
+        ...(args.debug ? ["-v"] : []),
         "-o",
         `ProxyCommand=${proxyCommand.join(" ")}`,
     ];
@@ -257,45 +221,53 @@ const transformForShell = (args) => {
         return arg;
     });
 };
-const awsLogin = (authn, data) => __awaiter(void 0, void 0, void 0, function* () {
-    var _a, _b, _c, _d;
-    if (!(yield (0, install_1.ensureSsmInstall)())) {
-        throw "Please try again after installing the required AWS utilities";
-    }
-    const { config } = yield (0, config_1.getAwsConfig)(authn, data.accountId);
-    if (!((_a = config.login) === null || _a === void 0 ? void 0 : _a.type) || ((_b = config.login) === null || _b === void 0 ? void 0 : _b.type) === "iam") {
-        throw "This account is not configured for SSH access via the P0 CLI";
+/** Construct another command to use for testing access propagation prior to actually logging in the user to the ssh session */
+const preTestAccessPropagationIfNeeded = (sshProvider, request, cmdArgs, proxyCommand, credential) => __awaiter(void 0, void 0, void 0, function* () {
+    const testCmdArgs = sshProvider.preTestAccessPropagationArgs(cmdArgs);
+    // Pre-testing comes at a performance cost because we have to execute another ssh subprocess after
+    // a successful test. Only do when absolutely necessary.
+    if (testCmdArgs) {
+        const { command, args } = createCommand(request, testCmdArgs, proxyCommand);
+        // Assumes that this is a non-interactive ssh command that exits automatically
+        return spawnSshNode({
+            credential,
+            abortController: new AbortController(),
+            command,
+            args,
+            stdio: ["inherit", "inherit", "pipe"],
+            debug: cmdArgs.debug,
+            provider: request.type,
+            attemptsRemaining: sshProvider.maxRetries,
+            isAccessPropagationPreTest: true,
+        });
     }
-    return ((_c = config.login) === null || _c === void 0 ? void 0 : _c.type) === "idc"
-        ? yield (0, idc_1.assumeRoleWithIdc)(data)
-        : ((_d = config.login) === null || _d === void 0 ? void 0 : _d.type) === "federated"
-            ? yield (0, aws_1.assumeRoleWithOktaSaml)(authn, data)
-            : (0, util_1.throwAssertNever)(config.login);
+    return null;
 });
-const sshOrScp = (authn, data, cmdArgs, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
+const sshOrScp = (authn, request, cmdArgs, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
     if (!privateKey) {
         throw "Failed to load a private key for this request. Please contact support@p0.dev for assistance.";
     }
-    // TODO ENG-2284 support login with Google Cloud
-    const credential = data.type === "aws" ? yield awsLogin(authn, data) : undefined;
+    const sshProvider = ssh_1.SSH_PROVIDERS[request.type];
+    const credential = yield sshProvider.cloudProviderLogin(authn, request);
+    const proxyCommand = sshProvider.proxyCommand(request);
     return (0, ssh_agent_1.withSshAgent)(cmdArgs, () => __awaiter(void 0, void 0, void 0, function* () {
-        const { command, args } = createProxyCommands(data, cmdArgs, cmdArgs.debug);
+        const { command, args } = createCommand(request, cmdArgs, proxyCommand);
         if (cmdArgs.debug) {
-            const reproCommands = [
-                `eval $(ssh-agent)`,
-                `ssh-add "${keys_1.PRIVATE_KEY_PATH}"`,
-                // TODO ENG-2284 support login with Google Cloud
-                // TODO: Modify commands to add the ability to get permission set commands
-                ...(data.type === "aws" && data.access !== "idc"
-                    ? [
-                        `eval $(p0 aws role assume ${data.role} --account ${data.accountId})`,
-                    ]
-                    : []),
-                `${command} ${transformForShell(args).join(" ")}`,
-            ];
-            (0, stdio_1.print2)(`Execute the following commands to create a similar SSH/SCP session:\n*** COMMANDS BEGIN ***\n${reproCommands.join("\n")}\n*** COMMANDS END ***"\n`);
+            const reproCommands = sshProvider.reproCommands(request);
+            if (reproCommands) {
+                const repro = [
+                    `eval $(ssh-agent)`,
+                    `ssh-add "${keys_1.PRIVATE_KEY_PATH}"`,
+                    ...reproCommands,
+                    `${command} ${transformForShell(args).join(" ")}`,
+                ].join("\n");
+                (0, stdio_1.print2)(`Execute the following commands to create a similar SSH/SCP session:\n*** COMMANDS BEGIN ***\n${repro}\n*** COMMANDS END ***"\n`);
+            }
+        }
+        const exitCode = yield preTestAccessPropagationIfNeeded(sshProvider, request, cmdArgs, proxyCommand, credential);
+        if (exitCode && exitCode !== 0) {
+            return exitCode; // Only exit if there was an error when pre-testing
         }
-        const maxRetries = data.type === "gcloud" ? GCP_MAX_SSH_RETRIES : DEFAULT_MAX_SSH_RETRIES;
         return spawnSshNode({
             credential,
             abortController: new AbortController(),
@@ -303,8 +275,8 @@ const sshOrScp = (authn, data, cmdArgs, privateKey) => __awaiter(void 0, void 0,
             args,
             stdio: ["inherit", "inherit", "pipe"],
             debug: cmdArgs.debug,
-            provider: data.type,
-            attemptsRemaining: maxRetries,
+            provider: request.type,
+            attemptsRemaining: sshProvider.maxRetries,
         });
     }));
 });

package/dist/types/ssh.d.ts

@@ -8,8 +8,10 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+import { CommandArgs } from "../commands/shared/ssh";
 import { AwsSsh, AwsSshPermissionSpec, AwsSshRequest } from "../plugins/aws/types";
 import { GcpSsh, GcpSshPermissionSpec, GcpSshRequest } from "../plugins/google/types";
+import { Authn } from "./identity";
 import { Request } from "./request";
 export declare type CliSshRequest = AwsSsh | GcpSsh;
 export declare type PluginSshRequest = AwsSshPermissionSpec | GcpSshPermissionSpec;
@@ -18,10 +20,28 @@ export declare type CliPermissionSpec<P extends PluginSshRequest, C extends obje
 };
 export declare const SupportedSshProviders: readonly ["aws", "gcloud"];
 export declare type SupportedSshProvider = (typeof SupportedSshProviders)[number];
-export declare type SshProvider<PR extends PluginSshRequest = PluginSshRequest, O extends object | undefined = undefined, SR extends SshRequest = SshRequest> = {
+export declare type SshProvider<PR extends PluginSshRequest = PluginSshRequest, O extends object | undefined = undefined, SR extends SshRequest = SshRequest, C extends object | undefined = undefined> = {
     requestToSsh: (request: CliPermissionSpec<PR, O>) => SR;
+    /** Converts a backend request to a CLI request */
     toCliRequest: (request: Request<PR>, options?: {
         debug?: boolean;
     }) => Promise<Request<CliSshRequest>>;
+    /** Logs in the user to the cloud provider */
+    cloudProviderLogin: (authn: Authn, request: SR) => Promise<C>;
+    /** Returns the command and its arguments that are going to be injected as the ssh ProxyCommand option */
+    proxyCommand: (request: SR) => string[];
+    /** Each element in the returned array is a command that can be run to reproduce the
+     * steps of logging in the user to the ssh session. */
+    reproCommands: (request: SR) => string[] | undefined;
+    /** Arguments for a pre-test command to verify access propagation prior
+     * to actually logging in the user to the ssh session.
+     * This must return arguments for a non-interactive command - meaning the `command`
+     * and potentially the `args` props must be specified in the returned scp/ssh command.
+     * If the return value is undefined then no pre-testing is done prior to executing
+     * the actual ssh/scp command.
+     */
+    preTestAccessPropagationArgs: (cmdArgs: CommandArgs) => CommandArgs | undefined;
+    maxRetries: number;
+    friendlyName: string;
 };
 export declare type SshRequest = AwsSshRequest | GcpSshRequest;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.8.2",
+  "version": "0.8.3",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {
@@ -25,7 +25,7 @@
     "express": "^4.18.2",
     "firebase": "^10.7.2",
     "inquirer": "^9.2.15",
-    "jsdom": "^24.0.0",
+    "jsdom": "^24.1.1",
     "lodash": "^4.17.21",
     "node-forge": "^1.3.1",
     "open": "^8.4.0",
@@ -67,5 +67,6 @@
     "lint": "yarn prettier --check . &&  yarn run eslint --max-warnings 0 .",
     "p0": "node --no-deprecation ./p0",
     "prepublishOnly": "npm run clean && npm run build"
-  }
+  },
+  "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
 }