@p0security/cli 0.8.2 → 0.9.0

package/dist/commands/shared/request.js

@@ -0,0 +1,115 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.request = exports.requestArgs = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const api_1 = require("../../drivers/api");
+const auth_1 = require("../../drivers/auth");
+const firestore_1 = require("../../drivers/firestore");
+const stdio_1 = require("../../drivers/stdio");
+const firestore_2 = require("firebase/firestore");
+const typescript_1 = require("typescript");
+const WAIT_TIMEOUT = 300e3;
+const APPROVED = { message: "Your request was approved", code: 0 };
+const DENIED = { message: "Your request was denied", code: 2 };
+const ERRORED = { message: "Your request encountered an error", code: 1 };
+const COMPLETED_REQUEST_STATUSES = {
+    APPROVED,
+    APPROVED_NOTIFIED: APPROVED,
+    DONE: APPROVED,
+    DONE_NOTIFIED: APPROVED,
+    DENIED,
+    ERRORED,
+};
+const isCompletedStatus = (status) => status in COMPLETED_REQUEST_STATUSES;
+const requestArgs = (yargs) => yargs
+    .parserConfiguration({ "unknown-options-as-args": true })
+    .help(false) // Turn off help in order to forward the --help command to the backend so P0 can provide the available requestable resources
+    .option("wait", {
+    alias: "w",
+    boolean: true,
+    default: false,
+    describe: "Block until the command is completed",
+})
+    .option("arguments", {
+    array: true,
+    string: true,
+    default: [],
+});
+exports.requestArgs = requestArgs;
+const waitForRequest = (tenantId, requestId, logMessage) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield new Promise((resolve) => {
+        if (logMessage)
+            (0, stdio_1.print2)("Will wait up to 5 minutes for this request to complete...");
+        let cancel = undefined;
+        const unsubscribe = (0, firestore_2.onSnapshot)((0, firestore_1.doc)(`o/${tenantId}/permission-requests/${requestId}`), (snap) => {
+            const data = snap.data();
+            if (!data)
+                return;
+            const { status } = data;
+            if (isCompletedStatus(status)) {
+                if (cancel)
+                    clearTimeout(cancel);
+                unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
+                const { message, code } = COMPLETED_REQUEST_STATUSES[status];
+                if (code !== 0 || logMessage)
+                    (0, stdio_1.print2)(message);
+                resolve(code);
+            }
+        });
+        cancel = setTimeout(() => {
+            unsubscribe === null || unsubscribe === void 0 ? void 0 : unsubscribe();
+            (0, stdio_1.print2)("Your request did not complete within 5 minutes.");
+            resolve(4);
+        }, WAIT_TIMEOUT);
+    });
+});
+const request = (command) => (args, authn, options) => __awaiter(void 0, void 0, void 0, function* () {
+    const resolvedAuthn = authn !== null && authn !== void 0 ? authn : (yield (0, auth_1.authenticate)());
+    const { userCredential } = resolvedAuthn;
+    const data = yield (0, api_1.fetchCommand)(resolvedAuthn, args, [
+        command,
+        ...args.arguments,
+    ]);
+    if (data && "ok" in data && "message" in data && data.ok) {
+        const logMessage = !(options === null || options === void 0 ? void 0 : options.message) ||
+            (options === null || options === void 0 ? void 0 : options.message) === "all" ||
+            ((options === null || options === void 0 ? void 0 : options.message) === "approval-required" &&
+                !data.isPreexisting &&
+                !data.isPersistent);
+        if (logMessage)
+            (0, stdio_1.print2)(data.message);
+        const { id } = data;
+        if (args.wait && id && userCredential.user.tenantId) {
+            const code = yield waitForRequest(userCredential.user.tenantId, id, logMessage);
+            if (code) {
+                typescript_1.sys.exit(code);
+                return undefined;
+            }
+            return data;
+        }
+        else
+            return undefined;
+    }
+    else {
+        throw data;
+    }
+});
+exports.request = request;

package/dist/commands/shared/ssh.d.ts

@@ -1,6 +1,6 @@
 import { Authn } from "../../types/identity";
 import { Request } from "../../types/request";
-import { CliSshRequest, SshRequest, SupportedSshProvider } from "../../types/ssh";
+import { CliSshRequest, SshProvider, SshRequest, SupportedSshProvider } from "../../types/ssh";
 import yargs from "yargs";
 export declare type BaseSshCommandArgs = {
     sudo?: boolean;
@@ -23,6 +23,12 @@ export declare type SshCommandArgs = BaseSshCommandArgs & {
     arguments: string[];
     command?: string;
 };
+export declare type CommandArgs = ScpCommandArgs | SshCommandArgs;
+export declare const SSH_PROVIDERS: Record<SupportedSshProvider, SshProvider<any, any, any, any>>;
+export declare const isSudoCommand: (args: {
+    sudo?: boolean;
+    command?: string;
+}) => boolean;
 export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<{
     request: Request<CliSshRequest>;
     publicKey: string;

package/dist/commands/shared/ssh.js

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.requestToSsh = exports.provisionRequest = void 0;
+exports.requestToSsh = exports.provisionRequest = exports.isSudoCommand = exports.SSH_PROVIDERS = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -27,10 +27,10 @@ const stdio_1 = require("../../drivers/stdio");
 const ssh_1 = require("../../plugins/aws/ssh");
 const ssh_2 = require("../../plugins/google/ssh");
 const ssh_3 = require("../../types/ssh");
-const request_1 = require("../request");
+const request_1 = require("./request");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
-const SSH_PROVIDERS = {
+exports.SSH_PROVIDERS = {
     aws: ssh_1.awsSshProvider,
     gcloud: ssh_2.gcpSshProvider,
 };
@@ -48,19 +48,21 @@ const validateSshInstall = (authn, args) => __awaiter(void 0, void 0, void 0, fu
     }
 });
 const pluginToCliRequest = (request, options) => __awaiter(void 0, void 0, void 0, function* () {
-    return yield SSH_PROVIDERS[request.permission.spec.type].toCliRequest(request, options);
+    return yield exports.SSH_PROVIDERS[request.permission.spec.type].toCliRequest(request, options);
 });
+const isSudoCommand = (args) => args.sudo || args.command === "sudo";
+exports.isSudoCommand = isSudoCommand;
 const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0, void 0, function* () {
     yield validateSshInstall(authn, args);
     const { publicKey, privateKey } = yield (0, keys_1.createKeyPair)();
-    const response = yield (0, request_1.request)(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
+    const response = yield (0, request_1.request)("request")(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
             "ssh",
             "session",
             destination,
             "--public-key",
             publicKey,
             ...(args.provider ? ["--provider", args.provider] : []),
-            ...(args.sudo || args.command === "sudo" ? ["--sudo"] : []),
+            ...((0, exports.isSudoCommand)(args) ? ["--sudo"] : []),
             ...(args.reason ? ["--reason", args.reason] : []),
             ...(args.account ? ["--account", args.account] : []),
         ], wait: true }), authn, { message: "approval-required" });
@@ -81,5 +83,5 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     return { request: cliRequest, publicKey, privateKey };
 });
 exports.provisionRequest = provisionRequest;
-const requestToSsh = (request) => SSH_PROVIDERS[request.permission.spec.type].requestToSsh(request);
+const requestToSsh = (request) => exports.SSH_PROVIDERS[request.permission.spec.type].requestToSsh(request);
 exports.requestToSsh = requestToSsh;

package/dist/common/install.d.ts

@@ -0,0 +1,11 @@
+export declare const SupportedPlatforms: readonly ["darwin"];
+export declare type SupportedPlatform = (typeof SupportedPlatforms)[number];
+export declare const AwsItems: readonly ["aws"];
+export declare type AwsItem = (typeof AwsItems)[number];
+export declare type InstallMetadata = {
+    label: string;
+    commands: Record<SupportedPlatform, Readonly<string[]>>;
+};
+export declare const AwsInstall: Readonly<Record<AwsItem, InstallMetadata>>;
+export declare const guidedInstall: <T extends string, U extends Readonly<Record<T, InstallMetadata>>>(platform: SupportedPlatform, item: T, installData: U) => Promise<void>;
+export declare const ensureInstall: <T extends string, U extends Readonly<Record<T, InstallMetadata>>>(installItems: readonly T[], installData: U) => Promise<boolean>;

package/dist/common/install.js

@@ -0,0 +1,120 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureInstall = exports.guidedInstall = exports.AwsInstall = exports.AwsItems = exports.SupportedPlatforms = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const stdio_1 = require("../drivers/stdio");
+const types_1 = require("../types");
+const lodash_1 = require("lodash");
+const node_child_process_1 = require("node:child_process");
+const node_os_1 = __importDefault(require("node:os"));
+const typescript_1 = require("typescript");
+const which_1 = __importDefault(require("which"));
+exports.SupportedPlatforms = ["darwin"];
+exports.AwsItems = ["aws"];
+exports.AwsInstall = {
+    aws: {
+        label: "AWS CLI v2",
+        commands: {
+            darwin: [
+                'curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"',
+                "sudo installer -pkg AWSCLIV2.pkg -target /",
+                'rm "AWSCLIV2.pkg"',
+            ],
+        },
+    },
+};
+const printToInstall = (toInstall, installMetadata) => {
+    (0, stdio_1.print2)("The following items must be installed on your system to continue:");
+    for (const item of toInstall) {
+        (0, stdio_1.print2)(`  - ${installMetadata[item].label} (${item})`);
+    }
+    (0, stdio_1.print2)("");
+};
+const queryInteractive = () => __awaiter(void 0, void 0, void 0, function* () {
+    const inquirer = (yield import("inquirer")).default;
+    const { isGuided } = yield inquirer.prompt([
+        {
+            type: "confirm",
+            name: "isGuided",
+            message: "Do you want P0 to install these for you (sudo access required)?",
+        },
+    ]);
+    (0, stdio_1.print2)("");
+    return isGuided;
+});
+const requiredInstalls = (installItems) => __awaiter(void 0, void 0, void 0, function* () {
+    return (0, lodash_1.compact)(yield Promise.all(installItems.map((item) => __awaiter(void 0, void 0, void 0, function* () { return (yield (0, which_1.default)(item, { nothrow: true })) === null ? item : undefined; }))));
+});
+const printInstallCommands = (platform, item, installData) => {
+    const { label, commands } = installData[item];
+    (0, stdio_1.print2)(`To install ${label}, run the following commands:\n`);
+    for (const command of commands[platform]) {
+        (0, stdio_1.print1)(`  ${command}`);
+    }
+    (0, stdio_1.print1)(""); // Newline is useful for reading command output in a script, so send to /fd/1
+};
+const guidedInstall = (platform, item, installData) => __awaiter(void 0, void 0, void 0, function* () {
+    const commands = installData[item].commands[platform];
+    const combined = commands.join(" && \\\n");
+    (0, stdio_1.print2)(`Executing:\n${combined}`);
+    (0, stdio_1.print2)("");
+    yield new Promise((resolve, reject) => {
+        const child = (0, node_child_process_1.spawn)("bash", ["-c", combined], { stdio: "inherit" });
+        child.on("exit", (code) => {
+            if (code === 0)
+                resolve();
+            else
+                reject(`Shell exited with code ${code}`);
+        });
+    });
+    (0, stdio_1.print2)("");
+});
+exports.guidedInstall = guidedInstall;
+const ensureInstall = (installItems, installData) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const toInstall = yield requiredInstalls(installItems);
+    if (toInstall.length === 0) {
+        return true;
+    }
+    const platform = node_os_1.default.platform();
+    printToInstall(toInstall, installData);
+    if (!(0, types_1.isa)(exports.SupportedPlatforms)(platform)) {
+        throw (`Guided dependency installation is not available on platform ${platform}\n` +
+            "Please install the above dependencies manually, or ensure they are on your PATH.");
+    }
+    const interactive = !!((_a = typescript_1.sys.writeOutputIsTTY) === null || _a === void 0 ? void 0 : _a.call(typescript_1.sys)) && (yield queryInteractive());
+    for (const item of toInstall) {
+        if (interactive)
+            yield (0, exports.guidedInstall)(platform, item, installData);
+        else
+            printInstallCommands(platform, item, installData);
+    }
+    const remaining = yield requiredInstalls(installItems);
+    if (remaining.length === 0) {
+        (0, stdio_1.print2)("All packages successfully installed");
+        return true;
+    }
+    return false;
+});
+exports.ensureInstall = ensureInstall;

package/dist/drivers/stdio.d.ts

@@ -22,4 +22,5 @@ export declare function print2(message: any): void;
 export declare const Ansi: {
     readonly Reset: string;
     readonly Dim: string;
+    readonly Yellow: string;
 };

package/dist/drivers/stdio.js

@@ -40,5 +40,6 @@ exports.print2 = print2;
 const AnsiCodes = {
     Reset: "00",
     Dim: "02",
+    Yellow: "33",
 };
 exports.Ansi = (0, lodash_1.mapValues)(AnsiCodes, (v) => `\u001b[${v}m`);

package/dist/plugins/aws/ssh.d.ts

@@ -9,5 +9,5 @@ This file is part of @p0security/cli
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
 import { SshProvider } from "../../types/ssh";
-import { AwsSshPermissionSpec, AwsSshRequest } from "./types";
-export declare const awsSshProvider: SshProvider<AwsSshPermissionSpec, undefined, AwsSshRequest>;
+import { AwsCredentials, AwsSshPermissionSpec, AwsSshRequest } from "./types";
+export declare const awsSshProvider: SshProvider<AwsSshPermissionSpec, undefined, AwsSshRequest, AwsCredentials>;

package/dist/plugins/aws/ssh.js

@@ -10,6 +10,18 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.awsSshProvider = void 0;
+const util_1 = require("../../util");
+const aws_1 = require("../okta/aws");
+const config_1 = require("./config");
+const idc_1 = require("./idc");
+const install_1 = require("./ssm/install");
+/** Maximum number of attempts to start an SSH session
+ *
+ * Each attempt consumes ~ 1 s.
+ */
+const MAX_SSH_RETRIES = 30;
+/** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
+const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
 exports.awsSshProvider = {
     requestToSsh: (request) => {
         const { permission, generated } = request;
@@ -21,4 +33,46 @@ exports.awsSshProvider = {
             ? Object.assign(Object.assign({}, common), { role: name, type: "aws", access: "role" }) : Object.assign(Object.assign({}, common), { idc, permissionSet: name, type: "aws", access: "idc" });
     },
     toCliRequest: (request) => __awaiter(void 0, void 0, void 0, function* () { return (Object.assign(Object.assign({}, request), { cliLocalData: undefined })); }),
+    cloudProviderLogin: (authn, request) => __awaiter(void 0, void 0, void 0, function* () {
+        var _a, _b, _c, _d;
+        if (!(yield (0, install_1.ensureSsmInstall)())) {
+            throw "Please try again after installing the required AWS utilities";
+        }
+        const { config } = yield (0, config_1.getAwsConfig)(authn, request.accountId);
+        if (!((_a = config.login) === null || _a === void 0 ? void 0 : _a.type) || ((_b = config.login) === null || _b === void 0 ? void 0 : _b.type) === "iam") {
+            throw "This account is not configured for SSH access via the P0 CLI";
+        }
+        return ((_c = config.login) === null || _c === void 0 ? void 0 : _c.type) === "idc"
+            ? yield (0, idc_1.assumeRoleWithIdc)(request)
+            : ((_d = config.login) === null || _d === void 0 ? void 0 : _d.type) === "federated"
+                ? yield (0, aws_1.assumeRoleWithOktaSaml)(authn, request)
+                : (0, util_1.throwAssertNever)(config.login);
+    }),
+    proxyCommand: (request) => {
+        return [
+            "aws",
+            "ssm",
+            "start-session",
+            "--region",
+            request.region,
+            "--target",
+            "%h",
+            "--document-name",
+            START_SSH_SESSION_DOCUMENT_NAME,
+            "--parameters",
+            '"portNumber=%p"',
+        ];
+    },
+    reproCommands: (request) => {
+        // TODO: Add manual commands for IDC login
+        if (request.access !== "idc") {
+            return [
+                `eval $(p0 aws role assume ${request.role} --account ${request.accountId})`,
+            ];
+        }
+        return undefined;
+    },
+    preTestAccessPropagationArgs: () => undefined,
+    maxRetries: MAX_SSH_RETRIES,
+    friendlyName: "AWS",
 };

package/dist/plugins/aws/ssm/install.js

@@ -23,27 +23,11 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const stdio_1 = require("../../../drivers/stdio");
+const install_1 = require("../../../common/install");
 const types_1 = require("../../../types");
-const lodash_1 = require("lodash");
-const node_child_process_1 = require("node:child_process");
 const node_os_1 = __importDefault(require("node:os"));
-const typescript_1 = require("typescript");
-const which_1 = __importDefault(require("which"));
-const SupportedPlatforms = ["darwin"];
-const AwsItems = ["aws", "session-manager-plugin"];
-const AwsInstall = {
-    aws: {
-        label: "AWS CLI v2",
-        commands: {
-            darwin: [
-                'curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"',
-                "sudo installer -pkg AWSCLIV2.pkg -target /",
-                'rm "AWSCLIV2.pkg"',
-            ],
-        },
-    },
-    "session-manager-plugin": {
+const SsmItems = [...install_1.AwsItems, "session-manager-plugin"];
+const SsmInstall = Object.assign(Object.assign({}, install_1.AwsInstall), { "session-manager-plugin": {
         label: "the AWS CLI Session Manager plugin",
         commands: {
             darwin: [
@@ -53,54 +37,7 @@ const AwsInstall = {
                 'rm "session-manager-plugin.pkg"',
             ],
         },
-    },
-};
-const printToInstall = (toInstall) => {
-    (0, stdio_1.print2)("The following items must be installed on your system to continue:");
-    for (const item of toInstall) {
-        (0, stdio_1.print2)(`  - ${AwsInstall[item].label}`);
-    }
-    (0, stdio_1.print2)("");
-};
-const queryInteractive = () => __awaiter(void 0, void 0, void 0, function* () {
-    const inquirer = (yield import("inquirer")).default;
-    const { isGuided } = yield inquirer.prompt([
-        {
-            type: "confirm",
-            name: "isGuided",
-            message: "Do you want P0 to install these for you (sudo access required)?",
-        },
-    ]);
-    (0, stdio_1.print2)("");
-    return isGuided;
-});
-const requiredInstalls = () => __awaiter(void 0, void 0, void 0, function* () {
-    return (0, lodash_1.compact)(yield Promise.all(AwsItems.map((item) => __awaiter(void 0, void 0, void 0, function* () { return (yield (0, which_1.default)(item, { nothrow: true })) === null ? item : undefined; }))));
-});
-const printInstallCommands = (platform, item) => {
-    const { label, commands } = AwsInstall[item];
-    (0, stdio_1.print2)(`To install ${label}, run the following commands:\n`);
-    for (const command of commands[platform]) {
-        (0, stdio_1.print1)(`  ${command}`);
-    }
-    (0, stdio_1.print1)(""); // Newline is useful for reading command output in a script, so send to /fd/1
-};
-const guidedInstall = (platform, item) => __awaiter(void 0, void 0, void 0, function* () {
-    const commands = AwsInstall[item].commands[platform];
-    const combined = commands.join(" && \\\n");
-    (0, stdio_1.print2)(`Executing:\n${combined}`);
-    (0, stdio_1.print2)("");
-    yield new Promise((resolve, reject) => {
-        const child = (0, node_child_process_1.spawn)("bash", ["-c", combined], { stdio: "inherit" });
-        child.on("exit", (code) => {
-            if (code === 0)
-                resolve();
-            else
-                reject(`Shell exited with code ${code}`);
-        });
-    });
-    (0, stdio_1.print2)("");
-});
+    } });
 /** Ensures that AWS CLI and SSM plugin are installed on the user environment
  *
  * If they are not, and the session is a TTY, prompt the user to auto-install. If
@@ -108,26 +45,10 @@ const guidedInstall = (platform, item) => __awaiter(void 0, void 0, void 0, func
  * stdout.
  */
 const ensureSsmInstall = () => __awaiter(void 0, void 0, void 0, function* () {
-    var _a;
     const platform = node_os_1.default.platform();
-    if (!(0, types_1.isa)(SupportedPlatforms)(platform))
+    // Preserve existing behavior of a hard error on unsupported platforms
+    if (!(0, types_1.isa)(install_1.SupportedPlatforms)(platform))
         throw "SSH to AWS managed instances is only available on MacOS";
-    const toInstall = yield requiredInstalls();
-    if (toInstall.length === 0)
-        return true;
-    printToInstall(toInstall);
-    const interactive = !!((_a = typescript_1.sys.writeOutputIsTTY) === null || _a === void 0 ? void 0 : _a.call(typescript_1.sys)) && (yield queryInteractive());
-    for (const item of toInstall) {
-        if (interactive)
-            yield guidedInstall(platform, item);
-        else
-            printInstallCommands(platform, item);
-    }
-    const remaining = yield requiredInstalls();
-    if (remaining.length === 0) {
-        (0, stdio_1.print2)("All packages successfully installed");
-        return true;
-    }
-    return false;
+    return yield (0, install_1.ensureInstall)(SsmItems, SsmInstall);
 });
 exports.ensureSsmInstall = ensureSsmInstall;

package/dist/plugins/google/ssh.d.ts

@@ -1,13 +1,3 @@
-/** Copyright © 2024-present P0 Security
-
-This file is part of @p0security/cli
-
-@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
-
-@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
-**/
 import { SshProvider } from "../../types/ssh";
 import { GcpSshPermissionSpec, GcpSshRequest } from "./types";
 export declare const gcpSshProvider: SshProvider<GcpSshPermissionSpec, {

package/dist/plugins/google/ssh.js

@@ -10,7 +10,23 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.gcpSshProvider = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const ssh_1 = require("../../commands/shared/ssh");
 const ssh_key_1 = require("./ssh-key");
+/** Maximum number of attempts to start an SSH session
+ *
+ * The length of each attempt varies based on the type of error from a few seconds to < 1s
+ */
+const MAX_SSH_RETRIES = 120;
 exports.gcpSshProvider = {
     requestToSsh: (request) => {
         return {
@@ -26,4 +42,33 @@ exports.gcpSshProvider = {
                 linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
             } }));
     }),
+    cloudProviderLogin: () => __awaiter(void 0, void 0, void 0, function* () { return undefined; }),
+    proxyCommand: (request) => {
+        return [
+            "gcloud",
+            "compute",
+            "start-iap-tunnel",
+            request.id,
+            "%p",
+            // --listen-on-stdin flag is required for interactive SSH session.
+            // It is undocumented on page https://cloud.google.com/sdk/gcloud/reference/compute/start-iap-tunnel
+            // but mention on page https://cloud.google.com/iap/docs/tcp-by-host
+            // and also found in `gcloud ssh --dry-run` output
+            "--listen-on-stdin",
+            `--zone=${request.zone}`,
+            `--project=${request.projectId}`,
+        ];
+    },
+    reproCommands: () => undefined,
+    preTestAccessPropagationArgs: (cmdArgs) => {
+        if ((0, ssh_1.isSudoCommand)(cmdArgs)) {
+            return Object.assign(Object.assign({}, cmdArgs), { 
+                // `sudo -v` prints `Sorry, user <user> may not run sudo on <hostname>.` to stderr when user is not a sudoer.
+                // It prints nothing to stdout when user is a sudoer - which is important because we don't want any output from the pre-test.
+                command: "sudo", arguments: ["-v"] });
+        }
+        return undefined;
+    },
+    maxRetries: MAX_SSH_RETRIES,
+    friendlyName: "Google Cloud",
 };

package/dist/plugins/kubeconfig/index.d.ts

@@ -0,0 +1,23 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { KubeconfigCommandArgs } from "../../commands/kubeconfig";
+import { Authn } from "../../types/identity";
+import { Request } from "../../types/request";
+import { AwsCredentials } from "../aws/types";
+import { EksClusterConfig, K8sGenerated, K8sPermissionSpec } from "./types";
+import yargs from "yargs";
+export declare const getAndValidateK8sIntegration: (authn: Authn, clusterId: string) => Promise<{
+    clusterConfig: EksClusterConfig;
+    awsLoginType: "federated" | "idc";
+}>;
+export declare const requestAccessToCluster: (authn: Authn, args: yargs.ArgumentsCamelCase<KubeconfigCommandArgs>, clusterId: string, role: string) => Promise<Request<K8sPermissionSpec>>;
+export declare const profileName: (eksCluterName: string) => string;
+export declare const awsCloudAuth: (authn: Authn, awsAccountId: string, generated: K8sGenerated, loginType: "federated" | "idc") => Promise<AwsCredentials>;