@p0security/cli 0.8.3 → 0.10.0

package/dist/common/install.js

@@ -0,0 +1,120 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureInstall = exports.guidedInstall = exports.AwsInstall = exports.AwsItems = exports.SupportedPlatforms = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const stdio_1 = require("../drivers/stdio");
+const types_1 = require("../types");
+const lodash_1 = require("lodash");
+const node_child_process_1 = require("node:child_process");
+const node_os_1 = __importDefault(require("node:os"));
+const typescript_1 = require("typescript");
+const which_1 = __importDefault(require("which"));
+exports.SupportedPlatforms = ["darwin"];
+exports.AwsItems = ["aws"];
+exports.AwsInstall = {
+    aws: {
+        label: "AWS CLI v2",
+        commands: {
+            darwin: [
+                'curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"',
+                "sudo installer -pkg AWSCLIV2.pkg -target /",
+                'rm "AWSCLIV2.pkg"',
+            ],
+        },
+    },
+};
+const printToInstall = (toInstall, installMetadata) => {
+    (0, stdio_1.print2)("The following items must be installed on your system to continue:");
+    for (const item of toInstall) {
+        (0, stdio_1.print2)(`  - ${installMetadata[item].label} (${item})`);
+    }
+    (0, stdio_1.print2)("");
+};
+const queryInteractive = () => __awaiter(void 0, void 0, void 0, function* () {
+    const inquirer = (yield import("inquirer")).default;
+    const { isGuided } = yield inquirer.prompt([
+        {
+            type: "confirm",
+            name: "isGuided",
+            message: "Do you want P0 to install these for you (sudo access required)?",
+        },
+    ]);
+    (0, stdio_1.print2)("");
+    return isGuided;
+});
+const requiredInstalls = (installItems) => __awaiter(void 0, void 0, void 0, function* () {
+    return (0, lodash_1.compact)(yield Promise.all(installItems.map((item) => __awaiter(void 0, void 0, void 0, function* () { return (yield (0, which_1.default)(item, { nothrow: true })) === null ? item : undefined; }))));
+});
+const printInstallCommands = (platform, item, installData) => {
+    const { label, commands } = installData[item];
+    (0, stdio_1.print2)(`To install ${label}, run the following commands:\n`);
+    for (const command of commands[platform]) {
+        (0, stdio_1.print1)(`  ${command}`);
+    }
+    (0, stdio_1.print1)(""); // Newline is useful for reading command output in a script, so send to /fd/1
+};
+const guidedInstall = (platform, item, installData) => __awaiter(void 0, void 0, void 0, function* () {
+    const commands = installData[item].commands[platform];
+    const combined = commands.join(" && \\\n");
+    (0, stdio_1.print2)(`Executing:\n${combined}`);
+    (0, stdio_1.print2)("");
+    yield new Promise((resolve, reject) => {
+        const child = (0, node_child_process_1.spawn)("bash", ["-c", combined], { stdio: "inherit" });
+        child.on("exit", (code) => {
+            if (code === 0)
+                resolve();
+            else
+                reject(`Shell exited with code ${code}`);
+        });
+    });
+    (0, stdio_1.print2)("");
+});
+exports.guidedInstall = guidedInstall;
+const ensureInstall = (installItems, installData) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const toInstall = yield requiredInstalls(installItems);
+    if (toInstall.length === 0) {
+        return true;
+    }
+    const platform = node_os_1.default.platform();
+    printToInstall(toInstall, installData);
+    if (!(0, types_1.isa)(exports.SupportedPlatforms)(platform)) {
+        throw (`Guided dependency installation is not available on platform ${platform}\n` +
+            "Please install the above dependencies manually, or ensure they are on your PATH.");
+    }
+    const interactive = !!((_a = typescript_1.sys.writeOutputIsTTY) === null || _a === void 0 ? void 0 : _a.call(typescript_1.sys)) && (yield queryInteractive());
+    for (const item of toInstall) {
+        if (interactive)
+            yield (0, exports.guidedInstall)(platform, item, installData);
+        else
+            printInstallCommands(platform, item, installData);
+    }
+    const remaining = yield requiredInstalls(installItems);
+    if (remaining.length === 0) {
+        (0, stdio_1.print2)("All packages successfully installed");
+        return true;
+    }
+    return false;
+});
+exports.ensureInstall = ensureInstall;

package/dist/drivers/stdio.d.ts

@@ -22,4 +22,5 @@ export declare function print2(message: any): void;
 export declare const Ansi: {
     readonly Reset: string;
     readonly Dim: string;
+    readonly Yellow: string;
 };

package/dist/drivers/stdio.js

@@ -40,5 +40,6 @@ exports.print2 = print2;
 const AnsiCodes = {
     Reset: "00",
     Dim: "02",
+    Yellow: "33",
 };
 exports.Ansi = (0, lodash_1.mapValues)(AnsiCodes, (v) => `\u001b[${v}m`);

package/dist/plugins/aws/ssh.js

@@ -33,11 +33,13 @@ exports.awsSshProvider = {
             ? Object.assign(Object.assign({}, common), { role: name, type: "aws", access: "role" }) : Object.assign(Object.assign({}, common), { idc, permissionSet: name, type: "aws", access: "idc" });
     },
     toCliRequest: (request) => __awaiter(void 0, void 0, void 0, function* () { return (Object.assign(Object.assign({}, request), { cliLocalData: undefined })); }),
-    cloudProviderLogin: (authn, request) => __awaiter(void 0, void 0, void 0, function* () {
-        var _a, _b, _c, _d;
+    ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
         if (!(yield (0, install_1.ensureSsmInstall)())) {
             throw "Please try again after installing the required AWS utilities";
         }
+    }),
+    cloudProviderLogin: (authn, request) => __awaiter(void 0, void 0, void 0, function* () {
+        var _a, _b, _c, _d;
         const { config } = yield (0, config_1.getAwsConfig)(authn, request.accountId);
         if (!((_a = config.login) === null || _a === void 0 ? void 0 : _a.type) || ((_b = config.login) === null || _b === void 0 ? void 0 : _b.type) === "iam") {
             throw "This account is not configured for SSH access via the P0 CLI";

package/dist/plugins/aws/ssm/install.js

@@ -1,16 +1,4 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ensureSsmInstall = void 0;
 /** Copyright © 2024-present P0 Security
@@ -23,27 +11,9 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const stdio_1 = require("../../../drivers/stdio");
-const types_1 = require("../../../types");
-const lodash_1 = require("lodash");
-const node_child_process_1 = require("node:child_process");
-const node_os_1 = __importDefault(require("node:os"));
-const typescript_1 = require("typescript");
-const which_1 = __importDefault(require("which"));
-const SupportedPlatforms = ["darwin"];
-const AwsItems = ["aws", "session-manager-plugin"];
-const AwsInstall = {
-    aws: {
-        label: "AWS CLI v2",
-        commands: {
-            darwin: [
-                'curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"',
-                "sudo installer -pkg AWSCLIV2.pkg -target /",
-                'rm "AWSCLIV2.pkg"',
-            ],
-        },
-    },
-    "session-manager-plugin": {
+const install_1 = require("../../../common/install");
+const SsmItems = [...install_1.AwsItems, "session-manager-plugin"];
+const SsmInstall = Object.assign(Object.assign({}, install_1.AwsInstall), { "session-manager-plugin": {
         label: "the AWS CLI Session Manager plugin",
         commands: {
             darwin: [
@@ -53,81 +23,12 @@ const AwsInstall = {
                 'rm "session-manager-plugin.pkg"',
             ],
         },
-    },
-};
-const printToInstall = (toInstall) => {
-    (0, stdio_1.print2)("The following items must be installed on your system to continue:");
-    for (const item of toInstall) {
-        (0, stdio_1.print2)(`  - ${AwsInstall[item].label}`);
-    }
-    (0, stdio_1.print2)("");
-};
-const queryInteractive = () => __awaiter(void 0, void 0, void 0, function* () {
-    const inquirer = (yield import("inquirer")).default;
-    const { isGuided } = yield inquirer.prompt([
-        {
-            type: "confirm",
-            name: "isGuided",
-            message: "Do you want P0 to install these for you (sudo access required)?",
-        },
-    ]);
-    (0, stdio_1.print2)("");
-    return isGuided;
-});
-const requiredInstalls = () => __awaiter(void 0, void 0, void 0, function* () {
-    return (0, lodash_1.compact)(yield Promise.all(AwsItems.map((item) => __awaiter(void 0, void 0, void 0, function* () { return (yield (0, which_1.default)(item, { nothrow: true })) === null ? item : undefined; }))));
-});
-const printInstallCommands = (platform, item) => {
-    const { label, commands } = AwsInstall[item];
-    (0, stdio_1.print2)(`To install ${label}, run the following commands:\n`);
-    for (const command of commands[platform]) {
-        (0, stdio_1.print1)(`  ${command}`);
-    }
-    (0, stdio_1.print1)(""); // Newline is useful for reading command output in a script, so send to /fd/1
-};
-const guidedInstall = (platform, item) => __awaiter(void 0, void 0, void 0, function* () {
-    const commands = AwsInstall[item].commands[platform];
-    const combined = commands.join(" && \\\n");
-    (0, stdio_1.print2)(`Executing:\n${combined}`);
-    (0, stdio_1.print2)("");
-    yield new Promise((resolve, reject) => {
-        const child = (0, node_child_process_1.spawn)("bash", ["-c", combined], { stdio: "inherit" });
-        child.on("exit", (code) => {
-            if (code === 0)
-                resolve();
-            else
-                reject(`Shell exited with code ${code}`);
-        });
-    });
-    (0, stdio_1.print2)("");
-});
+    } });
 /** Ensures that AWS CLI and SSM plugin are installed on the user environment
  *
  * If they are not, and the session is a TTY, prompt the user to auto-install. If
  * the user declines, or if not a TTY, the installation commands are printed to
  * stdout.
  */
-const ensureSsmInstall = () => __awaiter(void 0, void 0, void 0, function* () {
-    var _a;
-    const platform = node_os_1.default.platform();
-    if (!(0, types_1.isa)(SupportedPlatforms)(platform))
-        throw "SSH to AWS managed instances is only available on MacOS";
-    const toInstall = yield requiredInstalls();
-    if (toInstall.length === 0)
-        return true;
-    printToInstall(toInstall);
-    const interactive = !!((_a = typescript_1.sys.writeOutputIsTTY) === null || _a === void 0 ? void 0 : _a.call(typescript_1.sys)) && (yield queryInteractive());
-    for (const item of toInstall) {
-        if (interactive)
-            yield guidedInstall(platform, item);
-        else
-            printInstallCommands(platform, item);
-    }
-    const remaining = yield requiredInstalls();
-    if (remaining.length === 0) {
-        (0, stdio_1.print2)("All packages successfully installed");
-        return true;
-    }
-    return false;
-});
+const ensureSsmInstall = () => (0, install_1.ensureInstall)(SsmItems, SsmInstall);
 exports.ensureSsmInstall = ensureSsmInstall;

package/dist/plugins/google/install.d.ts

@@ -0,0 +1,2 @@
+export declare const SupportedPlatforms: readonly ["darwin"];
+export declare const ensureGcpSshInstall: () => Promise<boolean>;

package/dist/plugins/google/install.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureGcpSshInstall = exports.SupportedPlatforms = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const install_1 = require("../../common/install");
+exports.SupportedPlatforms = ["darwin"];
+const GcpSshItems = ["gcloud"];
+const GcpSshInstall = {
+    gcloud: {
+        label: "GCloud CLI",
+        commands: {
+            darwin: [
+                // See https://cloud.google.com/sdk/docs/install-sdk
+                "architecture=$(arch)",
+                'package=$([ $architecture = "arm64" ] && echo "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-arm.tar.gz" || "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-x86_64.tar.gz" )',
+                "wget -O ~/google-cloud-cli.tar.gz $package",
+                "tar -xzf ~/google-cloud-cli.tar.gz -C ~",
+                "~/google-cloud-sdk/install.sh",
+                "rm -rf ~/google-cloud-cli.tar.gz",
+                // Symlink gcloud to /usr/local/bin - assumes /usr/local/bin is already in $PATH so next time `gcloud` is run it will be found
+                "sudo mkdir -p /usr/local/bin",
+                "sudo ln -s ~/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud",
+                "sudo chown root: /usr/local/bin/gcloud",
+            ],
+        },
+    },
+};
+const ensureGcpSshInstall = () => (0, install_1.ensureInstall)(GcpSshItems, GcpSshInstall);
+exports.ensureGcpSshInstall = ensureGcpSshInstall;

package/dist/plugins/google/ssh.js

@@ -21,6 +21,7 @@ This file is part of @p0security/cli
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
 const ssh_1 = require("../../commands/shared/ssh");
+const install_1 = require("./install");
 const ssh_key_1 = require("./ssh-key");
 /** Maximum number of attempts to start an SSH session
  *
@@ -42,6 +43,11 @@ exports.gcpSshProvider = {
                 linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
             } }));
     }),
+    ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
+        if (!(yield (0, install_1.ensureGcpSshInstall)())) {
+            throw "Please try again after installing the required GCP utilities";
+        }
+    }),
     cloudProviderLogin: () => __awaiter(void 0, void 0, void 0, function* () { return undefined; }),
     proxyCommand: (request) => {
         return [

package/dist/plugins/kubeconfig/index.d.ts

@@ -0,0 +1,27 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { KubeconfigCommandArgs } from "../../commands/kubeconfig";
+import { Authn } from "../../types/identity";
+import { Request } from "../../types/request";
+import { AwsCredentials } from "../aws/types";
+import { K8sGenerated, K8sPermissionSpec } from "./types";
+import yargs from "yargs";
+export declare const getAndValidateK8sIntegration: (authn: Authn, clusterId: string) => Promise<{
+    clusterConfig: {
+        clusterId: string;
+        awsAccountId: string;
+        awsClusterArn: string;
+    };
+    awsLoginType: "federated" | "idc";
+}>;
+export declare const requestAccessToCluster: (authn: Authn, args: yargs.ArgumentsCamelCase<KubeconfigCommandArgs>, clusterId: string, role: string) => Promise<Request<K8sPermissionSpec>>;
+export declare const profileName: (eksCluterName: string) => string;
+export declare const awsCloudAuth: (authn: Authn, awsAccountId: string, generated: K8sGenerated, loginType: "federated" | "idc") => Promise<AwsCredentials>;

package/dist/plugins/kubeconfig/index.js

@@ -0,0 +1,104 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.awsCloudAuth = exports.profileName = exports.requestAccessToCluster = exports.getAndValidateK8sIntegration = void 0;
+const shared_1 = require("../../commands/shared");
+const request_1 = require("../../commands/shared/request");
+const firestore_1 = require("../../drivers/firestore");
+const stdio_1 = require("../../drivers/stdio");
+const util_1 = require("../../util");
+const config_1 = require("../aws/config");
+const idc_1 = require("../aws/idc");
+const aws_1 = require("../okta/aws");
+const firestore_2 = require("firebase/firestore");
+const lodash_1 = require("lodash");
+const getAndValidateK8sIntegration = (authn, clusterId) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a, _b;
+    const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/k8s`));
+    // Validation done here in lieu of the backend, since the backend doesn't validate until approval. TODO: ENG-2365.
+    const config = (_b = (_a = configDoc.data()) === null || _a === void 0 ? void 0 : _a["iam-write"]) === null || _b === void 0 ? void 0 : _b[clusterId];
+    if (!config) {
+        throw `Cluster with ID ${clusterId} not found`;
+    }
+    if (config.state !== "installed" || config.provider.type !== "aws") {
+        throw `Cluster with ID ${clusterId} is not installed`;
+    }
+    const { provider } = config;
+    const { accountId: awsAccountId, clusterArn: awsClusterArn } = provider;
+    if (!awsAccountId || !awsClusterArn) {
+        throw (`This command currently only supports AWS EKS clusters, and ${clusterId} is not configured as one.\n` +
+            "You can request access to the cluster using the `p0 request k8s` command.");
+    }
+    const { config: awsConfig } = yield (0, config_1.getAwsConfig)(authn, awsAccountId);
+    const { login: awsLogin } = awsConfig;
+    // Verify that the AWS auth type is supported before issuing the requests
+    if (!(awsLogin === null || awsLogin === void 0 ? void 0 : awsLogin.type) || (awsLogin === null || awsLogin === void 0 ? void 0 : awsLogin.type) === "iam") {
+        throw "This AWS account is not configured for kubectl access via the P0 CLI.\nYou can request access to the cluster using the `p0 request k8s` command.";
+    }
+    return {
+        clusterConfig: {
+            clusterId,
+            awsAccountId,
+            awsClusterArn,
+        },
+        awsLoginType: awsLogin.type,
+    };
+});
+exports.getAndValidateK8sIntegration = getAndValidateK8sIntegration;
+const requestAccessToCluster = (authn, args, clusterId, role) => __awaiter(void 0, void 0, void 0, function* () {
+    const response = yield (0, request_1.request)("request")(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
+            "k8s",
+            "resource",
+            "--cluster",
+            clusterId,
+            "--role",
+            role,
+            ...(args.resource ? ["--locator", args.resource] : []),
+            ...(args.reason ? ["--reason", args.reason] : []),
+            ...(args.requestedDuration
+                ? ["--requested-duration", args.requestedDuration]
+                : []),
+        ], wait: true }), authn, { message: "approval-required" });
+    if (!response) {
+        throw "Did not receive access ID from server";
+    }
+    const { id, isPreexisting } = response;
+    if (!isPreexisting) {
+        (0, stdio_1.print2)("Waiting for access to be provisioned. This may take up to a minute.");
+    }
+    return yield (0, shared_1.waitForProvisioning)(authn, id);
+});
+exports.requestAccessToCluster = requestAccessToCluster;
+const profileName = (eksCluterName) => `p0cli-managed-eks-${eksCluterName}`;
+exports.profileName = profileName;
+const awsCloudAuth = (authn, awsAccountId, generated, loginType) => __awaiter(void 0, void 0, void 0, function* () {
+    const { eksGenerated } = generated;
+    const { name, idc } = eksGenerated;
+    switch (loginType) {
+        case "idc":
+            if (!idc) {
+                throw "AWS is configured to use Identity Center, but IDC information wasn't received in the request.";
+            }
+            return yield (0, idc_1.assumeRoleWithIdc)({
+                accountId: awsAccountId,
+                permissionSet: name,
+                idc,
+            });
+        case "federated":
+            return yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
+                accountId: awsAccountId,
+                role: name,
+            });
+        default:
+            throw (0, util_1.assertNever)(loginType);
+    }
+});
+exports.awsCloudAuth = awsCloudAuth;

package/dist/plugins/kubeconfig/install.d.ts

@@ -0,0 +1 @@
+export declare const ensureEksInstall: () => Promise<boolean>;

package/dist/plugins/kubeconfig/install.js

@@ -0,0 +1,65 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureEksInstall = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const install_1 = require("../../common/install");
+const EksItems = [...install_1.AwsItems, "kubectl"];
+/**
+ * Converts the current system architecture, as represented in TypeScript, to
+ * the value used in the kubectl download URL, or throw an exception if the
+ * current architecture is not one kubectl has an official build for.
+ */
+const kubectlDownloadArch = () => {
+    const arch = process.arch;
+    switch (arch) {
+        case "x64": // macOS, Linux, and Windows
+            return "amd64";
+        case "arm64": // macOS and Linux only
+            return arch;
+        default:
+            throw `Unsupported system architecture for kubectl: ${arch}. Please install kubectl manually, or check that it is available in your PATH.`;
+    }
+};
+const kubectlInstallCommandsDarwin = () => {
+    const arch = kubectlDownloadArch();
+    // The download is the kubectl binary itself
+    return [
+        `curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/darwin/${arch}/kubectl"`,
+        "chmod +x kubectl",
+        "sudo mkdir -p /usr/local/bin",
+        "sudo mv -i ./kubectl /usr/local/bin/kubectl",
+        "sudo chown root: /usr/local/bin/kubectl",
+    ];
+};
+const EksInstall = Object.assign(Object.assign({}, install_1.AwsInstall), { kubectl: {
+        label: "Kubernetes command-line tool",
+        commands: {
+            get darwin() {
+                // Use a getter so that we only invoke kubectlInstallCommandsDarwin() if and when we
+                // need to generate the installation commands so that we only check the architecture as
+                // needed; if kubectl is already installed, doesn't really matter how it was installed
+                // or whether it's an officially-supported architecture.
+                return kubectlInstallCommandsDarwin();
+            },
+        },
+    } });
+const ensureEksInstall = () => __awaiter(void 0, void 0, void 0, function* () { return yield (0, install_1.ensureInstall)(EksItems, EksInstall); });
+exports.ensureEksInstall = ensureEksInstall;

package/dist/plugins/kubeconfig/types.d.ts

@@ -0,0 +1,51 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { PermissionSpec } from "../../types/request";
+export declare type K8sClusterConfig = {
+    label?: string;
+    clusterServer: string;
+    clusterCertificate: string;
+    isProxy: boolean;
+    token: string;
+    publicJwk?: string;
+    provider: {
+        type: "aws";
+        clusterArn: string;
+        accountId: string;
+    } | {
+        type: "email";
+    };
+    state: string;
+};
+export declare type K8sConfig = {
+    "iam-write": Record<string, K8sClusterConfig>;
+};
+export declare type K8sPermissionSpec = PermissionSpec<"k8s", K8sResourcePermission, K8sGenerated>;
+export declare type K8sResourcePermission = {
+    resource: {
+        name: string;
+        namespace: string;
+        kind: string;
+    };
+    role: string;
+    clusterId: string;
+    type: "resource";
+};
+export declare type K8sGenerated = {
+    eksGenerated: {
+        name: string;
+        idc?: {
+            id: string;
+            region: string;
+        };
+    };
+    role: string;
+};

package/dist/plugins/kubeconfig/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/plugins/ssh/index.d.ts

@@ -10,5 +10,11 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 import { CommandArgs } from "../../commands/shared/ssh";
 import { Authn } from "../../types/identity";
-import { SshRequest } from "../../types/ssh";
-export declare const sshOrScp: (authn: Authn, request: SshRequest, cmdArgs: CommandArgs, privateKey: string) => Promise<number | null>;
+import { SshProvider, SshRequest } from "../../types/ssh";
+export declare const sshOrScp: (args: {
+    authn: Authn;
+    request: SshRequest;
+    cmdArgs: CommandArgs;
+    privateKey: string;
+    sshProvider: SshProvider<any, any, any, any>;
+}) => Promise<number | null>;