@p0security/cli 0.8.2 → 0.9.0

package/dist/plugins/kubeconfig/index.js

@@ -0,0 +1,98 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.awsCloudAuth = exports.profileName = exports.requestAccessToCluster = exports.getAndValidateK8sIntegration = void 0;
+const shared_1 = require("../../commands/shared");
+const request_1 = require("../../commands/shared/request");
+const firestore_1 = require("../../drivers/firestore");
+const stdio_1 = require("../../drivers/stdio");
+const util_1 = require("../../util");
+const config_1 = require("../aws/config");
+const idc_1 = require("../aws/idc");
+const aws_1 = require("../okta/aws");
+const firestore_2 = require("firebase/firestore");
+const lodash_1 = require("lodash");
+const getAndValidateK8sIntegration = (authn, clusterId) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/k8s`));
+    // Validation done here in lieu of the backend, since the backend doesn't validate until approval. TODO: ENG-2365.
+    const clusterConfig = (_a = configDoc
+        .data()) === null || _a === void 0 ? void 0 : _a.workflows.items.find((c) => c.clusterId === clusterId && c.state === "installed");
+    if (!clusterConfig) {
+        throw `Cluster with ID ${clusterId} not found`;
+    }
+    const { awsAccountId, awsClusterArn } = clusterConfig;
+    if (!awsAccountId || !awsClusterArn) {
+        throw (`This command currently only supports AWS EKS clusters, and ${clusterId} is not configured as one.\n` +
+            "You can request access to the cluster using the `p0 request k8s` command.");
+    }
+    const { config: awsConfig } = yield (0, config_1.getAwsConfig)(authn, awsAccountId);
+    const { login: awsLogin } = awsConfig;
+    // Verify that the AWS auth type is supported before issuing the requests
+    if (!(awsLogin === null || awsLogin === void 0 ? void 0 : awsLogin.type) || (awsLogin === null || awsLogin === void 0 ? void 0 : awsLogin.type) === "iam") {
+        throw "This AWS account is not configured for kubectl access via the P0 CLI.\nYou can request access to the cluster using the `p0 request k8s` command.";
+    }
+    return {
+        clusterConfig: Object.assign(Object.assign({}, clusterConfig), { awsAccountId,
+            awsClusterArn }),
+        awsLoginType: awsLogin.type,
+    };
+});
+exports.getAndValidateK8sIntegration = getAndValidateK8sIntegration;
+const requestAccessToCluster = (authn, args, clusterId, role) => __awaiter(void 0, void 0, void 0, function* () {
+    const response = yield (0, request_1.request)("request")(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
+            "k8s",
+            "resource",
+            "--cluster",
+            clusterId,
+            "--role",
+            role,
+            ...(args.resource ? ["--locator", args.resource] : []),
+            ...(args.reason ? ["--reason", args.reason] : []),
+            ...(args.requestedDuration
+                ? ["--requested-duration", args.requestedDuration]
+                : []),
+        ], wait: true }), authn, { message: "approval-required" });
+    if (!response) {
+        throw "Did not receive access ID from server";
+    }
+    const { id, isPreexisting } = response;
+    if (!isPreexisting) {
+        (0, stdio_1.print2)("Waiting for access to be provisioned. This may take up to a minute.");
+    }
+    return yield (0, shared_1.waitForProvisioning)(authn, id);
+});
+exports.requestAccessToCluster = requestAccessToCluster;
+const profileName = (eksCluterName) => `p0cli-managed-eks-${eksCluterName}`;
+exports.profileName = profileName;
+const awsCloudAuth = (authn, awsAccountId, generated, loginType) => __awaiter(void 0, void 0, void 0, function* () {
+    const { eksGenerated } = generated;
+    const { name, idc } = eksGenerated;
+    switch (loginType) {
+        case "idc":
+            if (!idc) {
+                throw "AWS is configured to use Identity Center, but IDC information wasn't received in the request.";
+            }
+            return yield (0, idc_1.assumeRoleWithIdc)({
+                accountId: awsAccountId,
+                permissionSet: name,
+                idc,
+            });
+        case "federated":
+            return yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
+                accountId: awsAccountId,
+                role: name,
+            });
+        default:
+            throw (0, util_1.assertNever)(loginType);
+    }
+});
+exports.awsCloudAuth = awsCloudAuth;

package/dist/plugins/kubeconfig/install.d.ts

@@ -0,0 +1 @@
+export declare const ensureEksInstall: () => Promise<boolean>;

package/dist/plugins/kubeconfig/install.js

@@ -0,0 +1,65 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureEksInstall = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const install_1 = require("../../common/install");
+const EksItems = [...install_1.AwsItems, "kubectl"];
+/**
+ * Converts the current system architecture, as represented in TypeScript, to
+ * the value used in the kubectl download URL, or throw an exception if the
+ * current architecture is not one kubectl has an official build for.
+ */
+const kubectlDownloadArch = () => {
+    const arch = process.arch;
+    switch (arch) {
+        case "x64": // macOS, Linux, and Windows
+            return "amd64";
+        case "arm64": // macOS and Linux only
+            return arch;
+        default:
+            throw `Unsupported system architecture for kubectl: ${arch}. Please install kubectl manually, or check that it is available in your PATH.`;
+    }
+};
+const kubectlInstallCommandsDarwin = () => {
+    const arch = kubectlDownloadArch();
+    // The download is the kubectl binary itself
+    return [
+        `curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/darwin/${arch}/kubectl"`,
+        "chmod +x kubectl",
+        "sudo mkdir -p /usr/local/bin",
+        "sudo mv -i ./kubectl /usr/local/bin/kubectl",
+        "sudo chown root: /usr/local/bin/kubectl",
+    ];
+};
+const EksInstall = Object.assign(Object.assign({}, install_1.AwsInstall), { kubectl: {
+        label: "Kubernetes command-line tool",
+        commands: {
+            get darwin() {
+                // Use a getter so that we only invoke kubectlInstallCommandsDarwin() if and when we
+                // need to generate the installation commands so that we only check the architecture as
+                // needed; if kubectl is already installed, doesn't really matter how it was installed
+                // or whether it's an officially-supported architecture.
+                return kubectlInstallCommandsDarwin();
+            },
+        },
+    } });
+const ensureEksInstall = () => __awaiter(void 0, void 0, void 0, function* () { return yield (0, install_1.ensureInstall)(EksItems, EksInstall); });
+exports.ensureEksInstall = ensureEksInstall;

package/dist/plugins/kubeconfig/types.d.ts

@@ -0,0 +1,57 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { PermissionSpec } from "../../types/request";
+export declare type K8sConfig = {
+    workflows: {
+        items: K8sClusterConfig[];
+    };
+};
+export declare type K8sClusterConfig = {
+    clusterId: string;
+    clusterServer: string;
+    clusterCertificate: string;
+    state: string;
+    awsAccountId?: string;
+    awsClusterArn?: string;
+} & (KubernetesProxyComponentConfig | KubernetesPublicComponentConfig);
+export declare type EksClusterConfig = K8sClusterConfig & {
+    awsAccountId: string;
+    awsClusterArn: string;
+};
+declare type KubernetesProxyComponentConfig = {
+    isProxy: true;
+    publicJwk: string;
+};
+export declare type KubernetesPublicComponentConfig = {
+    isProxy: false;
+};
+export declare type K8sPermissionSpec = PermissionSpec<"k8s", K8sResourcePermission, K8sGenerated>;
+export declare type K8sResourcePermission = {
+    resource: {
+        name: string;
+        namespace: string;
+        kind: string;
+    };
+    role: string;
+    clusterId: string;
+    type: "resource";
+};
+export declare type K8sGenerated = {
+    eksGenerated: {
+        name: string;
+        idc?: {
+            id: string;
+            region: string;
+        };
+    };
+    role: string;
+};
+export {};

package/dist/plugins/kubeconfig/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/plugins/ssh/index.d.ts

@@ -8,7 +8,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-import { ScpCommandArgs, SshCommandArgs } from "../../commands/shared/ssh";
+import { CommandArgs } from "../../commands/shared/ssh";
 import { Authn } from "../../types/identity";
 import { SshRequest } from "../../types/ssh";
-export declare const sshOrScp: (authn: Authn, data: SshRequest, cmdArgs: ScpCommandArgs | SshCommandArgs, privateKey: string) => Promise<number | null>;
+export declare const sshOrScp: (authn: Authn, request: SshRequest, cmdArgs: CommandArgs, privateKey: string) => Promise<number | null>;

package/dist/plugins/ssh/index.js

@@ -10,13 +10,19 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.sshOrScp = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const ssh_1 = require("../../commands/shared/ssh");
 const keys_1 = require("../../common/keys");
 const stdio_1 = require("../../drivers/stdio");
-const util_1 = require("../../util");
-const config_1 = require("../aws/config");
-const idc_1 = require("../aws/idc");
-const install_1 = require("../aws/ssm/install");
-const aws_1 = require("../okta/aws");
 const ssh_agent_1 = require("../ssh-agent");
 const node_child_process_1 = require("node:child_process");
 /** Matches the error message that AWS SSM print1 when access is not propagated */
@@ -35,18 +41,11 @@ const UNAUTHORIZED_TUNNEL_USER_MESSAGE = /Error while connecting \[4033: 'not au
 const UNAUTHORIZED_INSTANCES_GET_MESSAGE = /Required 'compute\.instances\.get' permission/;
 const DESTINATION_READ_ERROR = /Error while connecting \[4010: 'destination read failed'\]/;
 const GOOGLE_LOGIN_MESSAGE = /You do not currently have an active account selected/;
+const SUDO_MESSAGE = /Sorry, user .+ may not run sudo on .+/; // The output of `sudo -v` when the user is not allowed to run sudo
 /** Maximum amount of time after SSH subprocess starts to check for {@link UNPROVISIONED_ACCESS_MESSAGES}
  *  in the process's stderr
  */
 const DEFAULT_VALIDATION_WINDOW_MS = 5e3;
-/** Maximum number of attempts to start an SSH session
- *
- * Note that each attempt consumes ~ 1 s.
- */
-const DEFAULT_MAX_SSH_RETRIES = 30;
-const GCP_MAX_SSH_RETRIES = 120; // GCP requires more time to propagate access
-/** The name of the SessionManager port forwarding document. This document is managed by AWS.  */
-const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
 /**
  * AWS
  * There are 2 cases of unprovisioned access in AWS
@@ -57,7 +56,7 @@ const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
  * 2: results in CONNECTION_CLOSED_MESSAGE
  *
  * Google Cloud
- * There are 5 cases of unprovisioned access in Google Cloud.
+ * There are 7 cases of unprovisioned access in Google Cloud.
  * These are all potentially subject to propagation delays.
  * 1. The linux user name is not present in the user's Google Workspace profile `posixAccounts` attribute
  * 2. The public key is not present in the user's Google Workspace profile `sshPublicKeys` attribute
@@ -66,17 +65,20 @@ const START_SSH_SESSION_DOCUMENT_NAME = "AWS-StartSSHSession";
  * 5. The user doesn't have osLogin or osAdminLogin role to the instance
  * 5.a. compute.instances.get permission is missing
  * 5.b. compute.instances.osLogin permission is missing
- * 6: Rare occurrence, the exact conditions so far undetermined (together with CONNECTION_CLOSED_MESSAGE)
+ * 6. compute.instances.osAdminLogin is not provisioned but compute.instances.osLogin is - happens when a user upgrades existing access to sudo
+ * 7: Rare occurrence, the exact conditions so far undetermined (together with CONNECTION_CLOSED_MESSAGE)
  *
  * 1, 2, 3 (yes!), 5b: result in PUBLIC_KEY_DENIED_MESSAGE
  * 4: results in UNAUTHORIZED_TUNNEL_USER_MESSAGE and also CONNECTION_CLOSED_MESSAGE
  * 5a: results in UNAUTHORIZED_INSTANCES_GET_MESSAGE
- * 6: results in DESTINATION_READ_ERROR and also CONNECTION_CLOSED_MESSAGE
+ * 6: results in SUDO_MESSAGE
+ * 7: results in DESTINATION_READ_ERROR and also CONNECTION_CLOSED_MESSAGE
  */
 const UNPROVISIONED_ACCESS_MESSAGES = [
     { pattern: UNAUTHORIZED_START_SESSION_MESSAGE },
     { pattern: CONNECTION_CLOSED_MESSAGE },
     { pattern: PUBLIC_KEY_DENIED_MESSAGE },
+    { pattern: SUDO_MESSAGE },
     { pattern: UNAUTHORIZED_TUNNEL_USER_MESSAGE },
     { pattern: UNAUTHORIZED_INSTANCES_GET_MESSAGE, validationWindowMs: 30e3 },
     { pattern: DESTINATION_READ_ERROR },
@@ -127,11 +129,6 @@ const spawnChildProcess = (credential, command, args, stdio) => (0, node_child_p
     stdio,
     shell: false,
 });
-const friendlyProvider = (provider) => provider === "aws"
-    ? "AWS"
-    : provider === "gcloud"
-        ? "Google Cloud"
-        : (0, util_1.throwAssertNever)(provider);
 /** Starts an SSM session in the terminal by spawning `aws ssm` as a subprocess
  *
  * Requires `aws ssm` to be installed on the client machine.
@@ -139,6 +136,7 @@ const friendlyProvider = (provider) => provider === "aws"
 function spawnSshNode(options) {
     return __awaiter(this, void 0, void 0, function* () {
         return new Promise((resolve, reject) => {
+            const provider = ssh_1.SSH_PROVIDERS[options.provider];
             const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio);
             // TODO ENG-2284 support login with Google Cloud: currently return a boolean to indicate if the exception was a Google login error.
             const { isAccessPropagated, isGoogleLoginException } = accessPropagationGuard(child, options.debug);
@@ -153,7 +151,7 @@ function spawnSshNode(options) {
                         (0, stdio_1.print2)(`Waiting for access to propagate. Retrying SSH session... (remaining attempts: ${attemptsRemaining})`);
                     }
                     if (attemptsRemaining <= 0) {
-                        reject(`Access did not propagate through ${friendlyProvider(options.provider)} before max retry attempts were exceeded. Please contact support@p0.dev for assistance.`);
+                        reject(`Access did not propagate through ${provider.friendlyName} before max retry attempts were exceeded. Please contact support@p0.dev for assistance.`);
                         return;
                     }
                     spawnSshNode(Object.assign(Object.assign({}, options), { attemptsRemaining: attemptsRemaining - 1 }))
@@ -166,50 +164,16 @@ function spawnSshNode(options) {
                     return;
                 }
                 (_a = options.abortController) === null || _a === void 0 ? void 0 : _a.abort(code);
-                (0, stdio_1.print2)(`SSH session terminated`);
+                if (!options.isAccessPropagationPreTest)
+                    (0, stdio_1.print2)(`SSH session terminated`);
                 resolve(code);
             });
         });
     });
 }
-const createProxyCommands = (data, args, debug) => {
-    let proxyCommand;
-    if (data.type === "aws") {
-        proxyCommand = [
-            "aws",
-            "ssm",
-            "start-session",
-            "--region",
-            data.region,
-            "--target",
-            "%h",
-            "--document-name",
-            START_SSH_SESSION_DOCUMENT_NAME,
-            "--parameters",
-            '"portNumber=%p"',
-        ];
-    }
-    else if (data.type === "gcloud") {
-        proxyCommand = [
-            "gcloud",
-            "compute",
-            "start-iap-tunnel",
-            data.id,
-            "%p",
-            // --listen-on-stdin flag is required for interactive SSH session.
-            // It is undocumented on page https://cloud.google.com/sdk/gcloud/reference/compute/start-iap-tunnel
-            // but mention on page https://cloud.google.com/iap/docs/tcp-by-host
-            // and also found in `gcloud ssh --dry-run` output
-            "--listen-on-stdin",
-            `--zone=${data.zone}`,
-            `--project=${data.projectId}`,
-        ];
-    }
-    else {
-        throw (0, util_1.assertNever)(data);
-    }
+const createCommand = (data, args, proxyCommand) => {
     const commonArgs = [
-        ...(debug ? ["-v"] : []),
+        ...(args.debug ? ["-v"] : []),
         "-o",
         `ProxyCommand=${proxyCommand.join(" ")}`,
     ];
@@ -257,45 +221,53 @@ const transformForShell = (args) => {
         return arg;
     });
 };
-const awsLogin = (authn, data) => __awaiter(void 0, void 0, void 0, function* () {
-    var _a, _b, _c, _d;
-    if (!(yield (0, install_1.ensureSsmInstall)())) {
-        throw "Please try again after installing the required AWS utilities";
-    }
-    const { config } = yield (0, config_1.getAwsConfig)(authn, data.accountId);
-    if (!((_a = config.login) === null || _a === void 0 ? void 0 : _a.type) || ((_b = config.login) === null || _b === void 0 ? void 0 : _b.type) === "iam") {
-        throw "This account is not configured for SSH access via the P0 CLI";
+/** Construct another command to use for testing access propagation prior to actually logging in the user to the ssh session */
+const preTestAccessPropagationIfNeeded = (sshProvider, request, cmdArgs, proxyCommand, credential) => __awaiter(void 0, void 0, void 0, function* () {
+    const testCmdArgs = sshProvider.preTestAccessPropagationArgs(cmdArgs);
+    // Pre-testing comes at a performance cost because we have to execute another ssh subprocess after
+    // a successful test. Only do when absolutely necessary.
+    if (testCmdArgs) {
+        const { command, args } = createCommand(request, testCmdArgs, proxyCommand);
+        // Assumes that this is a non-interactive ssh command that exits automatically
+        return spawnSshNode({
+            credential,
+            abortController: new AbortController(),
+            command,
+            args,
+            stdio: ["inherit", "inherit", "pipe"],
+            debug: cmdArgs.debug,
+            provider: request.type,
+            attemptsRemaining: sshProvider.maxRetries,
+            isAccessPropagationPreTest: true,
+        });
     }
-    return ((_c = config.login) === null || _c === void 0 ? void 0 : _c.type) === "idc"
-        ? yield (0, idc_1.assumeRoleWithIdc)(data)
-        : ((_d = config.login) === null || _d === void 0 ? void 0 : _d.type) === "federated"
-            ? yield (0, aws_1.assumeRoleWithOktaSaml)(authn, data)
-            : (0, util_1.throwAssertNever)(config.login);
+    return null;
 });
-const sshOrScp = (authn, data, cmdArgs, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
+const sshOrScp = (authn, request, cmdArgs, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
     if (!privateKey) {
         throw "Failed to load a private key for this request. Please contact support@p0.dev for assistance.";
     }
-    // TODO ENG-2284 support login with Google Cloud
-    const credential = data.type === "aws" ? yield awsLogin(authn, data) : undefined;
+    const sshProvider = ssh_1.SSH_PROVIDERS[request.type];
+    const credential = yield sshProvider.cloudProviderLogin(authn, request);
+    const proxyCommand = sshProvider.proxyCommand(request);
     return (0, ssh_agent_1.withSshAgent)(cmdArgs, () => __awaiter(void 0, void 0, void 0, function* () {
-        const { command, args } = createProxyCommands(data, cmdArgs, cmdArgs.debug);
+        const { command, args } = createCommand(request, cmdArgs, proxyCommand);
         if (cmdArgs.debug) {
-            const reproCommands = [
-                `eval $(ssh-agent)`,
-                `ssh-add "${keys_1.PRIVATE_KEY_PATH}"`,
-                // TODO ENG-2284 support login with Google Cloud
-                // TODO: Modify commands to add the ability to get permission set commands
-                ...(data.type === "aws" && data.access !== "idc"
-                    ? [
-                        `eval $(p0 aws role assume ${data.role} --account ${data.accountId})`,
-                    ]
-                    : []),
-                `${command} ${transformForShell(args).join(" ")}`,
-            ];
-            (0, stdio_1.print2)(`Execute the following commands to create a similar SSH/SCP session:\n*** COMMANDS BEGIN ***\n${reproCommands.join("\n")}\n*** COMMANDS END ***"\n`);
+            const reproCommands = sshProvider.reproCommands(request);
+            if (reproCommands) {
+                const repro = [
+                    `eval $(ssh-agent)`,
+                    `ssh-add "${keys_1.PRIVATE_KEY_PATH}"`,
+                    ...reproCommands,
+                    `${command} ${transformForShell(args).join(" ")}`,
+                ].join("\n");
+                (0, stdio_1.print2)(`Execute the following commands to create a similar SSH/SCP session:\n*** COMMANDS BEGIN ***\n${repro}\n*** COMMANDS END ***"\n`);
+            }
+        }
+        const exitCode = yield preTestAccessPropagationIfNeeded(sshProvider, request, cmdArgs, proxyCommand, credential);
+        if (exitCode && exitCode !== 0) {
+            return exitCode; // Only exit if there was an error when pre-testing
         }
-        const maxRetries = data.type === "gcloud" ? GCP_MAX_SSH_RETRIES : DEFAULT_MAX_SSH_RETRIES;
         return spawnSshNode({
             credential,
             abortController: new AbortController(),
@@ -303,8 +275,8 @@ const sshOrScp = (authn, data, cmdArgs, privateKey) => __awaiter(void 0, void 0,
             args,
             stdio: ["inherit", "inherit", "pipe"],
             debug: cmdArgs.debug,
-            provider: data.type,
-            attemptsRemaining: maxRetries,
+            provider: request.type,
+            attemptsRemaining: sshProvider.maxRetries,
         });
     }));
 });

package/dist/types/request.d.ts

@@ -8,6 +8,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+import { K8sPermissionSpec } from "../plugins/kubeconfig/types";
 import { PluginSshRequest } from "./ssh";
 export declare const DONE_STATUSES: readonly ["DONE", "DONE_NOTIFIED"];
 export declare const DENIED_STATUSES: readonly ["DENIED", "DENIED_NOTIFIED"];
@@ -19,7 +20,7 @@ export declare type PermissionSpec<K extends string, P extends {
     permission: P;
     generated: G;
 };
-export declare type PluginRequest = PluginSshRequest;
+export declare type PluginRequest = K8sPermissionSpec | PluginSshRequest;
 export declare type Request<P extends PluginRequest> = P & {
     status: string;
     principal: string;

package/dist/types/ssh.d.ts

@@ -8,8 +8,10 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+import { CommandArgs } from "../commands/shared/ssh";
 import { AwsSsh, AwsSshPermissionSpec, AwsSshRequest } from "../plugins/aws/types";
 import { GcpSsh, GcpSshPermissionSpec, GcpSshRequest } from "../plugins/google/types";
+import { Authn } from "./identity";
 import { Request } from "./request";
 export declare type CliSshRequest = AwsSsh | GcpSsh;
 export declare type PluginSshRequest = AwsSshPermissionSpec | GcpSshPermissionSpec;
@@ -18,10 +20,28 @@ export declare type CliPermissionSpec<P extends PluginSshRequest, C extends obje
 };
 export declare const SupportedSshProviders: readonly ["aws", "gcloud"];
 export declare type SupportedSshProvider = (typeof SupportedSshProviders)[number];
-export declare type SshProvider<PR extends PluginSshRequest = PluginSshRequest, O extends object | undefined = undefined, SR extends SshRequest = SshRequest> = {
+export declare type SshProvider<PR extends PluginSshRequest = PluginSshRequest, O extends object | undefined = undefined, SR extends SshRequest = SshRequest, C extends object | undefined = undefined> = {
     requestToSsh: (request: CliPermissionSpec<PR, O>) => SR;
+    /** Converts a backend request to a CLI request */
     toCliRequest: (request: Request<PR>, options?: {
         debug?: boolean;
     }) => Promise<Request<CliSshRequest>>;
+    /** Logs in the user to the cloud provider */
+    cloudProviderLogin: (authn: Authn, request: SR) => Promise<C>;
+    /** Returns the command and its arguments that are going to be injected as the ssh ProxyCommand option */
+    proxyCommand: (request: SR) => string[];
+    /** Each element in the returned array is a command that can be run to reproduce the
+     * steps of logging in the user to the ssh session. */
+    reproCommands: (request: SR) => string[] | undefined;
+    /** Arguments for a pre-test command to verify access propagation prior
+     * to actually logging in the user to the ssh session.
+     * This must return arguments for a non-interactive command - meaning the `command`
+     * and potentially the `args` props must be specified in the returned scp/ssh command.
+     * If the return value is undefined then no pre-testing is done prior to executing
+     * the actual ssh/scp command.
+     */
+    preTestAccessPropagationArgs: (cmdArgs: CommandArgs) => CommandArgs | undefined;
+    maxRetries: number;
+    friendlyName: string;
 };
 export declare type SshRequest = AwsSshRequest | GcpSshRequest;

package/dist/util.d.ts

@@ -43,3 +43,14 @@ export declare const exec: (command: string, args: string[], options?: child_pro
 export declare const throwAssertNever: (value: never) => never;
 export declare const assertNever: (value: never) => Error;
 export declare const unexpectedValueError: (value: any) => Error;
+/**
+ * Performs a case-insensitive comparison of two strings. This uses
+ * `localeCompare()`, which is safer than `toLowerCase()` or `toUpperCase()` for
+ * non-ASCII characters and is the generally-accepted best practice. See:
+ * https://stackoverflow.com/a/2140723
+ *
+ * @param a The first string to compare
+ * @param b The second string to compare
+ * @returns true if the strings are equal, ignoring case
+ */
+export declare const ciEquals: (a: string, b: string) => boolean;

package/dist/util.js

@@ -12,7 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.unexpectedValueError = exports.assertNever = exports.throwAssertNever = exports.exec = exports.timeout = exports.sleep = exports.P0_PATH = void 0;
+exports.ciEquals = exports.unexpectedValueError = exports.assertNever = exports.throwAssertNever = exports.exec = exports.timeout = exports.sleep = exports.P0_PATH = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -95,3 +95,15 @@ const assertNever = (value) => {
 exports.assertNever = assertNever;
 const unexpectedValueError = (value) => new Error(`Unexpected code state: value ${value} had unexpected type`);
 exports.unexpectedValueError = unexpectedValueError;
+/**
+ * Performs a case-insensitive comparison of two strings. This uses
+ * `localeCompare()`, which is safer than `toLowerCase()` or `toUpperCase()` for
+ * non-ASCII characters and is the generally-accepted best practice. See:
+ * https://stackoverflow.com/a/2140723
+ *
+ * @param a The first string to compare
+ * @param b The second string to compare
+ * @returns true if the strings are equal, ignoring case
+ */
+const ciEquals = (a, b) => a.localeCompare(b, undefined, { sensitivity: "accent" }) === 0;
+exports.ciEquals = ciEquals;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.8.2",
+  "version": "0.9.0",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {
@@ -21,17 +21,20 @@
   ],
   "dependencies": {
     "@rgrove/parse-xml": "^4.1.0",
+    "@types/ini": "^4.1.1",
     "dotenv": "^16.4.1",
     "express": "^4.18.2",
     "firebase": "^10.7.2",
+    "ini": "^4.1.3",
     "inquirer": "^9.2.15",
-    "jsdom": "^24.0.0",
+    "jsdom": "^24.1.1",
     "lodash": "^4.17.21",
     "node-forge": "^1.3.1",
     "open": "^8.4.0",
     "pkce-challenge": "^4.1.0",
     "pluralize": "^8.0.0",
     "semver": "^7.6.0",
+    "tmp-promise": "^3.0.3",
     "typescript": "^4.8.4",
     "which": "^4.0.0",
     "yargs": "^17.6.0"
@@ -67,5 +70,6 @@
     "lint": "yarn prettier --check . &&  yarn run eslint --max-warnings 0 .",
     "p0": "node --no-deprecation ./p0",
     "prepublishOnly": "npm run clean && npm run build"
-  }
+  },
+  "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
 }