@p0security/cli 0.8.2 → 0.9.0

package/dist/commands/__tests__/grant.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/commands/__tests__/grant.test.js

@@ -0,0 +1,55 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const api_1 = require("../../drivers/api");
+const stdio_1 = require("../../drivers/stdio");
+const grant_1 = require("../grant");
+const yargs_1 = __importDefault(require("yargs"));
+jest.mock("../../drivers/api");
+jest.mock("../../drivers/auth");
+jest.mock("../../drivers/stdio");
+const mockFetchCommand = api_1.fetchCommand;
+const mockPrint1 = stdio_1.print1;
+const mockPrint2 = stdio_1.print2;
+describe("grant", () => {
+    beforeEach(() => jest.clearAllMocks());
+    describe("when valid grant command", () => {
+        const command = "grant gcloud role viewer --to someone@test.com --principal-type user";
+        function mockFetch() {
+            mockFetchCommand.mockResolvedValue({
+                ok: true,
+                message: "a message",
+                id: "abcefg",
+                isPreexisting: false,
+                isPersistent: false,
+            });
+        }
+        it(`should print request response`, () => __awaiter(void 0, void 0, void 0, function* () {
+            mockFetch();
+            yield (0, grant_1.grantCommand)((0, yargs_1.default)()).parse(command);
+            expect(mockPrint2.mock.calls).toMatchSnapshot();
+            expect(mockPrint1).not.toHaveBeenCalled();
+        }));
+    });
+});

package/dist/commands/aws/files.d.ts

@@ -0,0 +1,41 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { AwsCredentials } from "../../plugins/aws/types";
+import * as ini from "ini";
+export declare const AWS_CONFIG_FILE: string;
+export declare const AWS_CREDENTIALS_FILE: string;
+/**
+ * Reads in an AWS CLI configuration file, which is formatted as INI text, and
+ * returns an arbitrary object representing the contents.
+ *
+ * @param path Path of the file to read
+ * @returns Arbitrary object representing the contents of the file, or an empty
+ * object if the file is empty or does not exist
+ */
+export declare const readIniFile: (path: string) => Promise<{
+    [key: string]: any;
+}>;
+/**
+ * This function writes an arbitrary object as INI-formatted text to a file
+ * atomically by first writing the data to a temporary file then moving the
+ * temporary file on top of the target file. This minimizes the chance that an
+ * exception, system crash, or other similar event will leave the file in a
+ * corrupted state; this is important since we're mucking around with the AWS
+ * CLI's configuration files.
+ *
+ * @param path Path of the (permanent) file to write to
+ * @param obj Arbitrary object to convert to INI-formatted text and write to the
+ * file
+ * @param iniEncodeOptions Options to pass to the INI encoding library
+ */
+export declare const atomicWriteIniFile: (path: string, obj: any, iniEncodeOptions?: ini.EncodeOptions) => Promise<void>;
+export declare const writeAwsTempCredentials: (profileName: string, awsCredentials: AwsCredentials) => Promise<void>;
+export declare const writeAwsConfigProfile: (profileName: string, profileConfig: any) => Promise<void>;

package/dist/commands/aws/files.js

@@ -0,0 +1,108 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.writeAwsConfigProfile = exports.writeAwsTempCredentials = exports.atomicWriteIniFile = exports.readIniFile = exports.AWS_CREDENTIALS_FILE = exports.AWS_CONFIG_FILE = void 0;
+const ini = __importStar(require("ini"));
+const fs = __importStar(require("node:fs/promises"));
+const os = __importStar(require("node:os"));
+const node_path_1 = __importDefault(require("node:path"));
+const tmp_promise_1 = __importDefault(require("tmp-promise"));
+const AWS_CONFIG_PATH = node_path_1.default.join(os.homedir(), ".aws");
+exports.AWS_CONFIG_FILE = node_path_1.default.join(AWS_CONFIG_PATH, "config");
+exports.AWS_CREDENTIALS_FILE = node_path_1.default.join(AWS_CONFIG_PATH, "credentials");
+// Reference documentation: https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html
+/**
+ * Reads in an AWS CLI configuration file, which is formatted as INI text, and
+ * returns an arbitrary object representing the contents.
+ *
+ * @param path Path of the file to read
+ * @returns Arbitrary object representing the contents of the file, or an empty
+ * object if the file is empty or does not exist
+ */
+const readIniFile = (path) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        const data = yield fs.readFile(path, { encoding: "utf-8" });
+        return data ? ini.parse(data) : {};
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return {};
+        }
+        throw err;
+    }
+});
+exports.readIniFile = readIniFile;
+/**
+ * This function writes an arbitrary object as INI-formatted text to a file
+ * atomically by first writing the data to a temporary file then moving the
+ * temporary file on top of the target file. This minimizes the chance that an
+ * exception, system crash, or other similar event will leave the file in a
+ * corrupted state; this is important since we're mucking around with the AWS
+ * CLI's configuration files.
+ *
+ * @param path Path of the (permanent) file to write to
+ * @param obj Arbitrary object to convert to INI-formatted text and write to the
+ * file
+ * @param iniEncodeOptions Options to pass to the INI encoding library
+ */
+const atomicWriteIniFile = (path, obj, iniEncodeOptions) => __awaiter(void 0, void 0, void 0, function* () {
+    const data = ini.stringify(obj, iniEncodeOptions);
+    // Permissions will be moved along with the file
+    const { path: tmpPath } = yield tmp_promise_1.default.file({ mode: 0o600, prefix: "p0cli-" });
+    yield fs.writeFile(tmpPath, data, { encoding: "utf-8" });
+    yield fs.rename(tmpPath, path);
+});
+exports.atomicWriteIniFile = atomicWriteIniFile;
+const writeAwsTempCredentials = (profileName, awsCredentials) => __awaiter(void 0, void 0, void 0, function* () {
+    const credentials = yield (0, exports.readIniFile)(exports.AWS_CREDENTIALS_FILE);
+    credentials[profileName] = {
+        aws_access_key_id: awsCredentials.AWS_ACCESS_KEY_ID,
+        aws_secret_access_key: awsCredentials.AWS_SECRET_ACCESS_KEY,
+        aws_session_token: awsCredentials.AWS_SESSION_TOKEN,
+    };
+    // The credentials file is formatted with whitespace before and after the `=`
+    yield (0, exports.atomicWriteIniFile)(exports.AWS_CREDENTIALS_FILE, credentials, {
+        whitespace: true,
+    });
+});
+exports.writeAwsTempCredentials = writeAwsTempCredentials;
+const writeAwsConfigProfile = (profileName, profileConfig) => __awaiter(void 0, void 0, void 0, function* () {
+    const config = yield (0, exports.readIniFile)(exports.AWS_CONFIG_FILE);
+    config[`profile ${profileName}`] = profileConfig;
+    yield (0, exports.atomicWriteIniFile)(exports.AWS_CONFIG_FILE, config);
+});
+exports.writeAwsConfigProfile = writeAwsConfigProfile;

package/dist/commands/grant.d.ts

@@ -0,0 +1,4 @@
+import yargs from "yargs";
+export declare const grantCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
+    arguments: string[];
+}>;

package/dist/commands/grant.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.grantCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const firestore_1 = require("../drivers/firestore");
+const request_1 = require("./shared/request");
+const grantCommand = (yargs) => yargs.command("grant [arguments..]", "Grant access to another identity", request_1.requestArgs, (0, firestore_1.guard)((0, request_1.request)("grant")));
+exports.grantCommand = grantCommand;

package/dist/commands/index.js

@@ -18,6 +18,8 @@ const stdio_1 = require("../drivers/stdio");
 const version_1 = require("../middlewares/version");
 const allow_1 = require("./allow");
 const aws_1 = require("./aws");
+const grant_1 = require("./grant");
+const kubeconfig_1 = require("./kubeconfig");
 const login_1 = require("./login");
 const ls_1 = require("./ls");
 const request_1 = require("./request");
@@ -28,12 +30,14 @@ const yargs_1 = __importDefault(require("yargs"));
 const helpers_1 = require("yargs/helpers");
 const commands = [
     aws_1.awsCommand,
+    grant_1.grantCommand,
     login_1.loginCommand,
     ls_1.lsCommand,
     request_1.requestCommand,
     allow_1.allowCommand,
     ssh_1.sshCommand,
     scp_1.scpCommand,
+    kubeconfig_1.kubeconfigCommand,
 ];
 exports.cli = commands
     .reduce((m, c) => c(m), (0, yargs_1.default)((0, helpers_1.hideBin)(process.argv)))

package/dist/commands/kubeconfig.d.ts

@@ -0,0 +1,9 @@
+import yargs from "yargs";
+export declare type KubeconfigCommandArgs = {
+    cluster: string;
+    role: string;
+    resource?: string;
+    reason?: string;
+    requestedDuration?: string;
+};
+export declare const kubeconfigCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<KubeconfigCommandArgs>;

package/dist/commands/kubeconfig.js

@@ -0,0 +1,190 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.kubeconfigCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const retry_1 = require("../common/retry");
+const auth_1 = require("../drivers/auth");
+const firestore_1 = require("../drivers/firestore");
+const stdio_1 = require("../drivers/stdio");
+const kubeconfig_1 = require("../plugins/kubeconfig");
+const install_1 = require("../plugins/kubeconfig/install");
+const util_1 = require("../util");
+const files_1 = require("./aws/files");
+const kubeconfigCommand = (yargs) => yargs.command("kubeconfig", "Request access to and automatically configure kubectl for a k8s cluster hosted by a cloud provider. Currently supports AWS EKS only.", (yargs) => yargs
+    .option("cluster", {
+    type: "string",
+    demandOption: true,
+    describe: "The ID of the k8s cluster as configured P0 Security",
+})
+    .option("resource", {
+    type: "string",
+    describe: 'The resource or resource type (e.g., "Pod / *"), or omit for all',
+})
+    .option("role", {
+    type: "string",
+    demandOption: true,
+    describe: 'The k8s role to request, e.g., "ClusterRole / cluster-admin"',
+})
+    .option("reason", {
+    type: "string",
+    describe: "Reason access is needed",
+})
+    .option("requested-duration", {
+    type: "string",
+    // Copied from the P0 backend
+    describe: "Requested duration for access (format like '10 minutes', '2 hours', '5 days', or '1 week')",
+}), (0, firestore_1.guard)(kubeconfigAction));
+exports.kubeconfigCommand = kubeconfigCommand;
+const kubeconfigAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    const role = normalizeRoleArg(args.role);
+    if (args.resource) {
+        validateResourceArg(args.resource);
+    }
+    const authn = yield (0, auth_1.authenticate)();
+    const { clusterConfig, awsLoginType } = yield (0, kubeconfig_1.getAndValidateK8sIntegration)(authn, args.cluster);
+    const { clusterId, awsAccountId, awsClusterArn } = clusterConfig;
+    if (!(yield (0, install_1.ensureEksInstall)())) {
+        throw "Required dependencies are missing; please try again after installing them, or check that they are available on the PATH.";
+    }
+    const request = yield (0, kubeconfig_1.requestAccessToCluster)(authn, args, clusterId, role);
+    const awsAuth = yield (0, kubeconfig_1.awsCloudAuth)(authn, awsAccountId, request.generated, awsLoginType);
+    const profile = (0, kubeconfig_1.profileName)(clusterId);
+    // The `aws eks update-kubeconfig` command can't handle the ARN of the EKS cluster.
+    // So we must, with great annoyance, parse it to extract the cluster name and region.
+    const clusterInfo = extractClusterNameAndRegion(awsClusterArn);
+    const { clusterRegion, clusterName } = clusterInfo;
+    yield (0, files_1.writeAwsTempCredentials)(profile, awsAuth);
+    yield (0, files_1.writeAwsConfigProfile)(profile, { region: clusterRegion });
+    const updateKubeconfigArgs = [
+        "eks",
+        "update-kubeconfig",
+        "--name",
+        clusterName,
+        "--region",
+        clusterRegion,
+        "--profile",
+        profile,
+    ];
+    try {
+        // Federated access especially sometimes takes some time to propagate, so
+        // retry for up to 20 seconds just in case it takes a while.
+        const awsResult = yield (0, retry_1.retryWithSleep)(() => __awaiter(void 0, void 0, void 0, function* () { return yield (0, util_1.exec)("aws", updateKubeconfigArgs, { check: true }); }), () => true, 8, 2500);
+        (0, stdio_1.print2)(awsResult.stdout);
+    }
+    catch (error) {
+        (0, stdio_1.print2)("Failed to invoke `aws eks update-kubeconfig`");
+        throw error;
+    }
+    // `aws update-kubeconfig` will set the kubectl context if it made a change to the kubeconfig file.
+    // We'll set the context manually anyway, just in case. `aws update-kubeconfig` names the context
+    // with the EKS cluster's ARN.
+    try {
+        const kubectlResult = yield (0, util_1.exec)("kubectl", ["config", "use-context", awsClusterArn], { check: true });
+        (0, stdio_1.print2)(kubectlResult.stdout);
+    }
+    catch (error) {
+        (0, stdio_1.print2)("Failed to invoke `kubectl config use-context`");
+        throw error;
+    }
+    (0, stdio_1.print2)("Access granted and kubectl configured successfully. Re-run this command to refresh access if credentials expire.");
+    if (process.env.AWS_ACCESS_KEY_ID) {
+        (0, stdio_1.print2)(`${stdio_1.Ansi.Yellow}Warning: AWS credentials were detected in your environment, which may cause kubectl errors. ` +
+            `To avoid issues, unset with \`unset AWS_ACCESS_KEY_ID\`.${stdio_1.Ansi.Reset}`);
+    }
+});
+/**
+ * Normalize the role argument to the format expected by the P0 backend,
+ * matching the way the Slack modal formats the role. Also validates that the
+ * role argument contains the components expected by the backend without having
+ * to make the request first.
+ *
+ * Currently, the P0 backend does not validate request arguments until after a
+ * request is approved; this function allows the validation to be done up-front
+ * pending a future backend change. TODO: ENG-2365.
+ *
+ * @param role The role argument to normalize
+ * @returns The normalized role value to pass to the backend
+ */
+const normalizeRoleArg = (role) => {
+    const SEPARATOR = "/";
+    const SYNTAX_HINT = "The role argument must be in one of the following formats:\n" +
+        "- ClusterRole/<roleName>\n" +
+        "- CuratedRole/<roleName>\n" +
+        "- Role/<namespace>/<roleName>";
+    const items = role.split(SEPARATOR).map((item) => item.trim());
+    if (items.length < 2 || items.length > 3) {
+        throw `Invalid format for role argument.\n${SYNTAX_HINT}`;
+    }
+    if (!items[0]) {
+        throw `Role kind must be specified.\n${SYNTAX_HINT}`;
+    }
+    if ((0, util_1.ciEquals)(items[0], "ClusterRole")) {
+        return `ClusterRole ${SEPARATOR} ${items[1]}`;
+    }
+    else if ((0, util_1.ciEquals)(items[0], "CuratedRole")) {
+        return `CuratedRole ${SEPARATOR} ${items[1]}`;
+    }
+    else if ((0, util_1.ciEquals)(items[0], "Role")) {
+        if (items.length !== 3) {
+            throw `Invalid format for role argument.\n${SYNTAX_HINT}`;
+        }
+        return `Role ${SEPARATOR} ${items[1]} ${SEPARATOR} ${items[2]}`;
+    }
+    throw `Invalid role kind ${items[0]}.\n${SYNTAX_HINT}`;
+};
+/**
+ * Validate that the resource argument is of the format expected by the P0
+ * backend, again matching the way the Slack modal formats the resource.
+ *
+ * Currently, the P0 backend does not validate request arguments until after a
+ * request is approved; this function allows the validation to be done up-front
+ * pending a future backend change. TODO: ENG-2365.
+ *
+ * @param resource The resource argument to validate
+ */
+const validateResourceArg = (resource) => {
+    const SEPARATOR = " / ";
+    const items = resource.split(SEPARATOR);
+    if (items.length < 2 || items.length > 3) {
+        throw ("Invalid format for resource argument.\n" +
+            "The resource argument must be in one of the following formats (spaces required):\n" +
+            "- <kind> / <namespace> / <name>\n" +
+            "- <kind> / <name>");
+    }
+};
+const extractClusterNameAndRegion = (clusterArn) => {
+    const INVALID_ARN_MSG = `Invalid EKS cluster ARN: ${clusterArn}`;
+    // Example EKS cluster ARN: arn:aws:eks:us-west-2:123456789012:cluster/my-testing-cluster
+    const parts = clusterArn.split(":");
+    if (parts.length < 6 || !parts[3] || !parts[5]) {
+        throw INVALID_ARN_MSG;
+    }
+    const clusterRegion = parts[3];
+    const resource = parts[5].split("/");
+    if (resource[0] !== "cluster") {
+        throw INVALID_ARN_MSG;
+    }
+    const clusterName = resource[1];
+    if (!clusterName) {
+        throw INVALID_ARN_MSG;
+    }
+    return { clusterRegion, clusterName };
+};

package/dist/commands/request.d.ts

@@ -1,12 +1,4 @@
-import { Authn } from "../types/identity";
-import { RequestResponse } from "../types/request";
 import yargs from "yargs";
 export declare const requestCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<{
     arguments: string[];
 }>;
-export declare const request: <T>(args: yargs.ArgumentsCamelCase<{
-    arguments: string[];
-    wait?: boolean;
-}>, authn?: Authn, options?: {
-    message?: "all" | "approval-required" | "none";
-}) => Promise<RequestResponse<T> | undefined>;

package/dist/commands/request.js

@@ -1,15 +1,6 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.request = exports.requestCommand = void 0;
+exports.requestCommand = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -20,97 +11,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const api_1 = require("../drivers/api");
-const auth_1 = require("../drivers/auth");
 const firestore_1 = require("../drivers/firestore");
-const stdio_1 = require("../drivers/stdio");
-const firestore_2 = require("firebase/firestore");
-const typescript_1 = require("typescript");
-const WAIT_TIMEOUT = 300e3;
-const APPROVED = { message: "Your request was approved", code: 0 };
-const DENIED = { message: "Your request was denied", code: 2 };
-const ERRORED = { message: "Your request encountered an error", code: 1 };
-const COMPLETED_REQUEST_STATUSES = {
-    APPROVED,
-    APPROVED_NOTIFIED: APPROVED,
-    DONE: APPROVED,
-    DONE_NOTIFIED: APPROVED,
-    DENIED,
-    ERRORED,
-};
-const isCompletedStatus = (status) => status in COMPLETED_REQUEST_STATUSES;
-const requestArgs = (yargs) => yargs
-    .parserConfiguration({ "unknown-options-as-args": true })
-    .help(false) // Turn off help in order to forward the --help command to the backend so P0 can provide the available requestable resources
-    .option("wait", {
-    alias: "w",
-    boolean: true,
-    default: false,
-    describe: "Block until the command is completed",
-})
-    .option("arguments", {
-    array: true,
-    string: true,
-    default: [],
-});
-const requestCommand = (yargs) => yargs.command("request [arguments..]", "Manually request permissions on a resource", requestArgs, (0, firestore_1.guard)(exports.request));
+const request_1 = require("./shared/request");
+const requestCommand = (yargs) => yargs.command("request [arguments..]", "Manually request permissions on a resource", request_1.requestArgs, (0, firestore_1.guard)((0, request_1.request)("request")));
 exports.requestCommand = requestCommand;
-const waitForRequest = (tenantId, requestId, logMessage) => __awaiter(void 0, void 0, void 0, function* () {
-    return yield new Promise((resolve) => {
-        if (logMessage)
-            (0, stdio_1.print2)("Will wait up to 5 minutes for this request to complete...");
-        let cancel = undefined;
-        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${tenantId}/permission-requests/${requestId}`), (snap) => {
-            const data = snap.data();
-            if (!data)
-                return;
-            const { status } = data;
-            if (isCompletedStatus(status)) {
-                if (cancel)
-                    clearTimeout(cancel);
-                unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
-                const { message, code } = COMPLETED_REQUEST_STATUSES[status];
-                if (code !== 0 || logMessage)
-                    (0, stdio_1.print2)(message);
-                resolve(code);
-            }
-        });
-        cancel = setTimeout(() => {
-            unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
-            (0, stdio_1.print2)("Your request did not complete within 5 minutes.");
-            resolve(4);
-        }, WAIT_TIMEOUT);
-    });
-});
-const request = (args, authn, options) => __awaiter(void 0, void 0, void 0, function* () {
-    const resolvedAuthn = authn !== null && authn !== void 0 ? authn : (yield (0, auth_1.authenticate)());
-    const { userCredential } = resolvedAuthn;
-    const data = yield (0, api_1.fetchCommand)(resolvedAuthn, args, [
-        "request",
-        ...args.arguments,
-    ]);
-    if (data && "ok" in data && "message" in data && data.ok) {
-        const logMessage = !(options === null || options === void 0 ? void 0 : options.message) ||
-            (options === null || options === void 0 ? void 0 : options.message) === "all" ||
-            ((options === null || options === void 0 ? void 0 : options.message) === "approval-required" &&
-                !data.isPreexisting &&
-                !data.isPersistent);
-        if (logMessage)
-            (0, stdio_1.print2)(data.message);
-        const { id } = data;
-        if (args.wait && id && userCredential.user.tenantId) {
-            const code = yield waitForRequest(userCredential.user.tenantId, id, logMessage);
-            if (code) {
-                typescript_1.sys.exit(code);
-                return undefined;
-            }
-            return data;
-        }
-        else
-            return undefined;
-    }
-    else {
-        throw data;
-    }
-});
-exports.request = request;

package/dist/commands/shared/index.d.ts

@@ -1,4 +1,4 @@
 import { Authn } from "../../types/identity";
-import { Request } from "../../types/request";
+import { PluginRequest, Request } from "../../types/request";
 /** Waits until P0 grants access for a request */
-export declare const waitForProvisioning: <P extends import("../../types/ssh").PluginSshRequest>(authn: Authn, requestId: string) => Promise<Request<P>>;
+export declare const waitForProvisioning: <P extends PluginRequest>(authn: Authn, requestId: string) => Promise<Request<P>>;

package/dist/commands/shared/index.js

@@ -57,7 +57,7 @@ const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void
         cancel = setTimeout(() => {
             if (!isResolved) {
                 unsubscribe();
-                reject("Timeout awaiting SSH access grant");
+                reject("Timeout awaiting access grant. Please try again.");
             }
         }, GRANT_TIMEOUT_MILLIS);
     });

package/dist/commands/shared/request.d.ts

@@ -0,0 +1,14 @@
+import { Authn } from "../../types/identity";
+import { RequestResponse } from "../../types/request";
+import yargs from "yargs";
+export declare const requestArgs: <T>(yargs: yargs.Argv<T>) => yargs.Argv<T & {
+    wait: boolean;
+} & {
+    arguments: string[];
+}>;
+export declare const request: (command: "grant" | "request") => <T>(args: yargs.ArgumentsCamelCase<{
+    arguments: string[];
+    wait?: boolean;
+}>, authn?: Authn, options?: {
+    message?: "all" | "approval-required" | "none";
+}) => Promise<RequestResponse<T> | undefined>;