@p0security/cli 0.8.3 → 0.10.0

package/dist/plugins/ssh/index.js

@@ -137,6 +137,13 @@ function spawnSshNode(options) {
     return __awaiter(this, void 0, void 0, function* () {
         return new Promise((resolve, reject) => {
             const provider = ssh_1.SSH_PROVIDERS[options.provider];
+            const attemptsRemaining = options.attemptsRemaining;
+            if (options.debug) {
+                const gerund = options.isAccessPropagationPreTest
+                    ? "Pre-testing"
+                    : "Trying";
+                (0, stdio_1.print2)(`Waiting for access to propagate. ${gerund} SSH session... (remaining attempts: ${attemptsRemaining})`);
+            }
             const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio);
             // TODO ENG-2284 support login with Google Cloud: currently return a boolean to indicate if the exception was a Google login error.
             const { isAccessPropagated, isGoogleLoginException } = accessPropagationGuard(child, options.debug);
@@ -146,10 +153,6 @@ function spawnSshNode(options) {
                 // In the case of ephemeral AccessDenied exceptions due to unpropagated
                 // permissions, continually retry access until success
                 if (!isAccessPropagated()) {
-                    const attemptsRemaining = options.attemptsRemaining;
-                    if (options.debug) {
-                        (0, stdio_1.print2)(`Waiting for access to propagate. Retrying SSH session... (remaining attempts: ${attemptsRemaining})`);
-                    }
                     if (attemptsRemaining <= 0) {
                         reject(`Access did not propagate through ${provider.friendlyName} before max retry attempts were exceeded. Please contact support@p0.dev for assistance.`);
                         return;
@@ -200,7 +203,9 @@ const createCommand = (data, args, proxyCommand) => {
             ...commonArgs,
             ...(args.A ? ["-A"] : []),
             ...(args.L ? ["-L", args.L] : []),
+            ...(args.R ? ["-R", args.R] : []),
             ...(args.N ? ["-N"] : []),
+            ...(args.o ? ["-o", args.o] : []),
             `${data.linuxUserName}@${data.id}`,
             ...(args.command ? [args.command] : []),
             ...args.arguments.map((argument) => 
@@ -243,11 +248,11 @@ const preTestAccessPropagationIfNeeded = (sshProvider, request, cmdArgs, proxyCo
     }
     return null;
 });
-const sshOrScp = (authn, request, cmdArgs, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
+const sshOrScp = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    const { authn, request, cmdArgs, privateKey, sshProvider } = args;
     if (!privateKey) {
         throw "Failed to load a private key for this request. Please contact support@p0.dev for assistance.";
     }
-    const sshProvider = ssh_1.SSH_PROVIDERS[request.type];
     const credential = yield sshProvider.cloudProviderLogin(authn, request);
     const proxyCommand = sshProvider.proxyCommand(request);
     return (0, ssh_agent_1.withSshAgent)(cmdArgs, () => __awaiter(void 0, void 0, void 0, function* () {

package/dist/types/request.d.ts

@@ -8,6 +8,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+import { K8sPermissionSpec } from "../plugins/kubeconfig/types";
 import { PluginSshRequest } from "./ssh";
 export declare const DONE_STATUSES: readonly ["DONE", "DONE_NOTIFIED"];
 export declare const DENIED_STATUSES: readonly ["DENIED", "DENIED_NOTIFIED"];
@@ -19,7 +20,7 @@ export declare type PermissionSpec<K extends string, P extends {
     permission: P;
     generated: G;
 };
-export declare type PluginRequest = PluginSshRequest;
+export declare type PluginRequest = K8sPermissionSpec | PluginSshRequest;
 export declare type Request<P extends PluginRequest> = P & {
     status: string;
     principal: string;

package/dist/types/ssh.d.ts

@@ -26,6 +26,7 @@ export declare type SshProvider<PR extends PluginSshRequest = PluginSshRequest,
     toCliRequest: (request: Request<PR>, options?: {
         debug?: boolean;
     }) => Promise<Request<CliSshRequest>>;
+    ensureInstall: () => Promise<void>;
     /** Logs in the user to the cloud provider */
     cloudProviderLogin: (authn: Authn, request: SR) => Promise<C>;
     /** Returns the command and its arguments that are going to be injected as the ssh ProxyCommand option */

package/dist/util.d.ts

@@ -43,3 +43,14 @@ export declare const exec: (command: string, args: string[], options?: child_pro
 export declare const throwAssertNever: (value: never) => never;
 export declare const assertNever: (value: never) => Error;
 export declare const unexpectedValueError: (value: any) => Error;
+/**
+ * Performs a case-insensitive comparison of two strings. This uses
+ * `localeCompare()`, which is safer than `toLowerCase()` or `toUpperCase()` for
+ * non-ASCII characters and is the generally-accepted best practice. See:
+ * https://stackoverflow.com/a/2140723
+ *
+ * @param a The first string to compare
+ * @param b The second string to compare
+ * @returns true if the strings are equal, ignoring case
+ */
+export declare const ciEquals: (a: string, b: string) => boolean;

package/dist/util.js

@@ -12,7 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.unexpectedValueError = exports.assertNever = exports.throwAssertNever = exports.exec = exports.timeout = exports.sleep = exports.P0_PATH = void 0;
+exports.ciEquals = exports.unexpectedValueError = exports.assertNever = exports.throwAssertNever = exports.exec = exports.timeout = exports.sleep = exports.P0_PATH = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -95,3 +95,15 @@ const assertNever = (value) => {
 exports.assertNever = assertNever;
 const unexpectedValueError = (value) => new Error(`Unexpected code state: value ${value} had unexpected type`);
 exports.unexpectedValueError = unexpectedValueError;
+/**
+ * Performs a case-insensitive comparison of two strings. This uses
+ * `localeCompare()`, which is safer than `toLowerCase()` or `toUpperCase()` for
+ * non-ASCII characters and is the generally-accepted best practice. See:
+ * https://stackoverflow.com/a/2140723
+ *
+ * @param a The first string to compare
+ * @param b The second string to compare
+ * @returns true if the strings are equal, ignoring case
+ */
+const ciEquals = (a, b) => a.localeCompare(b, undefined, { sensitivity: "accent" }) === 0;
+exports.ciEquals = ciEquals;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.8.3",
+  "version": "0.10.0",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {
@@ -21,9 +21,11 @@
   ],
   "dependencies": {
     "@rgrove/parse-xml": "^4.1.0",
+    "@types/ini": "^4.1.1",
     "dotenv": "^16.4.1",
     "express": "^4.18.2",
     "firebase": "^10.7.2",
+    "ini": "^4.1.3",
     "inquirer": "^9.2.15",
     "jsdom": "^24.1.1",
     "lodash": "^4.17.21",
@@ -32,6 +34,7 @@
     "pkce-challenge": "^4.1.0",
     "pluralize": "^8.0.0",
     "semver": "^7.6.0",
+    "tmp-promise": "^3.0.3",
     "typescript": "^4.8.4",
     "which": "^4.0.0",
     "yargs": "^17.6.0"