@p0security/cli 0.8.3 → 0.9.0

package/dist/commands/aws/files.d.ts

@@ -0,0 +1,41 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { AwsCredentials } from "../../plugins/aws/types";
+import * as ini from "ini";
+export declare const AWS_CONFIG_FILE: string;
+export declare const AWS_CREDENTIALS_FILE: string;
+/**
+ * Reads in an AWS CLI configuration file, which is formatted as INI text, and
+ * returns an arbitrary object representing the contents.
+ *
+ * @param path Path of the file to read
+ * @returns Arbitrary object representing the contents of the file, or an empty
+ * object if the file is empty or does not exist
+ */
+export declare const readIniFile: (path: string) => Promise<{
+    [key: string]: any;
+}>;
+/**
+ * This function writes an arbitrary object as INI-formatted text to a file
+ * atomically by first writing the data to a temporary file then moving the
+ * temporary file on top of the target file. This minimizes the chance that an
+ * exception, system crash, or other similar event will leave the file in a
+ * corrupted state; this is important since we're mucking around with the AWS
+ * CLI's configuration files.
+ *
+ * @param path Path of the (permanent) file to write to
+ * @param obj Arbitrary object to convert to INI-formatted text and write to the
+ * file
+ * @param iniEncodeOptions Options to pass to the INI encoding library
+ */
+export declare const atomicWriteIniFile: (path: string, obj: any, iniEncodeOptions?: ini.EncodeOptions) => Promise<void>;
+export declare const writeAwsTempCredentials: (profileName: string, awsCredentials: AwsCredentials) => Promise<void>;
+export declare const writeAwsConfigProfile: (profileName: string, profileConfig: any) => Promise<void>;

package/dist/commands/aws/files.js

@@ -0,0 +1,108 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.writeAwsConfigProfile = exports.writeAwsTempCredentials = exports.atomicWriteIniFile = exports.readIniFile = exports.AWS_CREDENTIALS_FILE = exports.AWS_CONFIG_FILE = void 0;
+const ini = __importStar(require("ini"));
+const fs = __importStar(require("node:fs/promises"));
+const os = __importStar(require("node:os"));
+const node_path_1 = __importDefault(require("node:path"));
+const tmp_promise_1 = __importDefault(require("tmp-promise"));
+const AWS_CONFIG_PATH = node_path_1.default.join(os.homedir(), ".aws");
+exports.AWS_CONFIG_FILE = node_path_1.default.join(AWS_CONFIG_PATH, "config");
+exports.AWS_CREDENTIALS_FILE = node_path_1.default.join(AWS_CONFIG_PATH, "credentials");
+// Reference documentation: https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html
+/**
+ * Reads in an AWS CLI configuration file, which is formatted as INI text, and
+ * returns an arbitrary object representing the contents.
+ *
+ * @param path Path of the file to read
+ * @returns Arbitrary object representing the contents of the file, or an empty
+ * object if the file is empty or does not exist
+ */
+const readIniFile = (path) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        const data = yield fs.readFile(path, { encoding: "utf-8" });
+        return data ? ini.parse(data) : {};
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return {};
+        }
+        throw err;
+    }
+});
+exports.readIniFile = readIniFile;
+/**
+ * This function writes an arbitrary object as INI-formatted text to a file
+ * atomically by first writing the data to a temporary file then moving the
+ * temporary file on top of the target file. This minimizes the chance that an
+ * exception, system crash, or other similar event will leave the file in a
+ * corrupted state; this is important since we're mucking around with the AWS
+ * CLI's configuration files.
+ *
+ * @param path Path of the (permanent) file to write to
+ * @param obj Arbitrary object to convert to INI-formatted text and write to the
+ * file
+ * @param iniEncodeOptions Options to pass to the INI encoding library
+ */
+const atomicWriteIniFile = (path, obj, iniEncodeOptions) => __awaiter(void 0, void 0, void 0, function* () {
+    const data = ini.stringify(obj, iniEncodeOptions);
+    // Permissions will be moved along with the file
+    const { path: tmpPath } = yield tmp_promise_1.default.file({ mode: 0o600, prefix: "p0cli-" });
+    yield fs.writeFile(tmpPath, data, { encoding: "utf-8" });
+    yield fs.rename(tmpPath, path);
+});
+exports.atomicWriteIniFile = atomicWriteIniFile;
+const writeAwsTempCredentials = (profileName, awsCredentials) => __awaiter(void 0, void 0, void 0, function* () {
+    const credentials = yield (0, exports.readIniFile)(exports.AWS_CREDENTIALS_FILE);
+    credentials[profileName] = {
+        aws_access_key_id: awsCredentials.AWS_ACCESS_KEY_ID,
+        aws_secret_access_key: awsCredentials.AWS_SECRET_ACCESS_KEY,
+        aws_session_token: awsCredentials.AWS_SESSION_TOKEN,
+    };
+    // The credentials file is formatted with whitespace before and after the `=`
+    yield (0, exports.atomicWriteIniFile)(exports.AWS_CREDENTIALS_FILE, credentials, {
+        whitespace: true,
+    });
+});
+exports.writeAwsTempCredentials = writeAwsTempCredentials;
+const writeAwsConfigProfile = (profileName, profileConfig) => __awaiter(void 0, void 0, void 0, function* () {
+    const config = yield (0, exports.readIniFile)(exports.AWS_CONFIG_FILE);
+    config[`profile ${profileName}`] = profileConfig;
+    yield (0, exports.atomicWriteIniFile)(exports.AWS_CONFIG_FILE, config);
+});
+exports.writeAwsConfigProfile = writeAwsConfigProfile;

package/dist/commands/index.js

@@ -19,6 +19,7 @@ const version_1 = require("../middlewares/version");
 const allow_1 = require("./allow");
 const aws_1 = require("./aws");
 const grant_1 = require("./grant");
+const kubeconfig_1 = require("./kubeconfig");
 const login_1 = require("./login");
 const ls_1 = require("./ls");
 const request_1 = require("./request");
@@ -36,6 +37,7 @@ const commands = [
     allow_1.allowCommand,
     ssh_1.sshCommand,
     scp_1.scpCommand,
+    kubeconfig_1.kubeconfigCommand,
 ];
 exports.cli = commands
     .reduce((m, c) => c(m), (0, yargs_1.default)((0, helpers_1.hideBin)(process.argv)))

package/dist/commands/kubeconfig.d.ts

@@ -0,0 +1,9 @@
+import yargs from "yargs";
+export declare type KubeconfigCommandArgs = {
+    cluster: string;
+    role: string;
+    resource?: string;
+    reason?: string;
+    requestedDuration?: string;
+};
+export declare const kubeconfigCommand: (yargs: yargs.Argv<{}>) => yargs.Argv<KubeconfigCommandArgs>;

package/dist/commands/kubeconfig.js

@@ -0,0 +1,190 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.kubeconfigCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const retry_1 = require("../common/retry");
+const auth_1 = require("../drivers/auth");
+const firestore_1 = require("../drivers/firestore");
+const stdio_1 = require("../drivers/stdio");
+const kubeconfig_1 = require("../plugins/kubeconfig");
+const install_1 = require("../plugins/kubeconfig/install");
+const util_1 = require("../util");
+const files_1 = require("./aws/files");
+const kubeconfigCommand = (yargs) => yargs.command("kubeconfig", "Request access to and automatically configure kubectl for a k8s cluster hosted by a cloud provider. Currently supports AWS EKS only.", (yargs) => yargs
+    .option("cluster", {
+    type: "string",
+    demandOption: true,
+    describe: "The ID of the k8s cluster as configured P0 Security",
+})
+    .option("resource", {
+    type: "string",
+    describe: 'The resource or resource type (e.g., "Pod / *"), or omit for all',
+})
+    .option("role", {
+    type: "string",
+    demandOption: true,
+    describe: 'The k8s role to request, e.g., "ClusterRole / cluster-admin"',
+})
+    .option("reason", {
+    type: "string",
+    describe: "Reason access is needed",
+})
+    .option("requested-duration", {
+    type: "string",
+    // Copied from the P0 backend
+    describe: "Requested duration for access (format like '10 minutes', '2 hours', '5 days', or '1 week')",
+}), (0, firestore_1.guard)(kubeconfigAction));
+exports.kubeconfigCommand = kubeconfigCommand;
+const kubeconfigAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    const role = normalizeRoleArg(args.role);
+    if (args.resource) {
+        validateResourceArg(args.resource);
+    }
+    const authn = yield (0, auth_1.authenticate)();
+    const { clusterConfig, awsLoginType } = yield (0, kubeconfig_1.getAndValidateK8sIntegration)(authn, args.cluster);
+    const { clusterId, awsAccountId, awsClusterArn } = clusterConfig;
+    if (!(yield (0, install_1.ensureEksInstall)())) {
+        throw "Required dependencies are missing; please try again after installing them, or check that they are available on the PATH.";
+    }
+    const request = yield (0, kubeconfig_1.requestAccessToCluster)(authn, args, clusterId, role);
+    const awsAuth = yield (0, kubeconfig_1.awsCloudAuth)(authn, awsAccountId, request.generated, awsLoginType);
+    const profile = (0, kubeconfig_1.profileName)(clusterId);
+    // The `aws eks update-kubeconfig` command can't handle the ARN of the EKS cluster.
+    // So we must, with great annoyance, parse it to extract the cluster name and region.
+    const clusterInfo = extractClusterNameAndRegion(awsClusterArn);
+    const { clusterRegion, clusterName } = clusterInfo;
+    yield (0, files_1.writeAwsTempCredentials)(profile, awsAuth);
+    yield (0, files_1.writeAwsConfigProfile)(profile, { region: clusterRegion });
+    const updateKubeconfigArgs = [
+        "eks",
+        "update-kubeconfig",
+        "--name",
+        clusterName,
+        "--region",
+        clusterRegion,
+        "--profile",
+        profile,
+    ];
+    try {
+        // Federated access especially sometimes takes some time to propagate, so
+        // retry for up to 20 seconds just in case it takes a while.
+        const awsResult = yield (0, retry_1.retryWithSleep)(() => __awaiter(void 0, void 0, void 0, function* () { return yield (0, util_1.exec)("aws", updateKubeconfigArgs, { check: true }); }), () => true, 8, 2500);
+        (0, stdio_1.print2)(awsResult.stdout);
+    }
+    catch (error) {
+        (0, stdio_1.print2)("Failed to invoke `aws eks update-kubeconfig`");
+        throw error;
+    }
+    // `aws update-kubeconfig` will set the kubectl context if it made a change to the kubeconfig file.
+    // We'll set the context manually anyway, just in case. `aws update-kubeconfig` names the context
+    // with the EKS cluster's ARN.
+    try {
+        const kubectlResult = yield (0, util_1.exec)("kubectl", ["config", "use-context", awsClusterArn], { check: true });
+        (0, stdio_1.print2)(kubectlResult.stdout);
+    }
+    catch (error) {
+        (0, stdio_1.print2)("Failed to invoke `kubectl config use-context`");
+        throw error;
+    }
+    (0, stdio_1.print2)("Access granted and kubectl configured successfully. Re-run this command to refresh access if credentials expire.");
+    if (process.env.AWS_ACCESS_KEY_ID) {
+        (0, stdio_1.print2)(`${stdio_1.Ansi.Yellow}Warning: AWS credentials were detected in your environment, which may cause kubectl errors. ` +
+            `To avoid issues, unset with \`unset AWS_ACCESS_KEY_ID\`.${stdio_1.Ansi.Reset}`);
+    }
+});
+/**
+ * Normalize the role argument to the format expected by the P0 backend,
+ * matching the way the Slack modal formats the role. Also validates that the
+ * role argument contains the components expected by the backend without having
+ * to make the request first.
+ *
+ * Currently, the P0 backend does not validate request arguments until after a
+ * request is approved; this function allows the validation to be done up-front
+ * pending a future backend change. TODO: ENG-2365.
+ *
+ * @param role The role argument to normalize
+ * @returns The normalized role value to pass to the backend
+ */
+const normalizeRoleArg = (role) => {
+    const SEPARATOR = "/";
+    const SYNTAX_HINT = "The role argument must be in one of the following formats:\n" +
+        "- ClusterRole/<roleName>\n" +
+        "- CuratedRole/<roleName>\n" +
+        "- Role/<namespace>/<roleName>";
+    const items = role.split(SEPARATOR).map((item) => item.trim());
+    if (items.length < 2 || items.length > 3) {
+        throw `Invalid format for role argument.\n${SYNTAX_HINT}`;
+    }
+    if (!items[0]) {
+        throw `Role kind must be specified.\n${SYNTAX_HINT}`;
+    }
+    if ((0, util_1.ciEquals)(items[0], "ClusterRole")) {
+        return `ClusterRole ${SEPARATOR} ${items[1]}`;
+    }
+    else if ((0, util_1.ciEquals)(items[0], "CuratedRole")) {
+        return `CuratedRole ${SEPARATOR} ${items[1]}`;
+    }
+    else if ((0, util_1.ciEquals)(items[0], "Role")) {
+        if (items.length !== 3) {
+            throw `Invalid format for role argument.\n${SYNTAX_HINT}`;
+        }
+        return `Role ${SEPARATOR} ${items[1]} ${SEPARATOR} ${items[2]}`;
+    }
+    throw `Invalid role kind ${items[0]}.\n${SYNTAX_HINT}`;
+};
+/**
+ * Validate that the resource argument is of the format expected by the P0
+ * backend, again matching the way the Slack modal formats the resource.
+ *
+ * Currently, the P0 backend does not validate request arguments until after a
+ * request is approved; this function allows the validation to be done up-front
+ * pending a future backend change. TODO: ENG-2365.
+ *
+ * @param resource The resource argument to validate
+ */
+const validateResourceArg = (resource) => {
+    const SEPARATOR = " / ";
+    const items = resource.split(SEPARATOR);
+    if (items.length < 2 || items.length > 3) {
+        throw ("Invalid format for resource argument.\n" +
+            "The resource argument must be in one of the following formats (spaces required):\n" +
+            "- <kind> / <namespace> / <name>\n" +
+            "- <kind> / <name>");
+    }
+};
+const extractClusterNameAndRegion = (clusterArn) => {
+    const INVALID_ARN_MSG = `Invalid EKS cluster ARN: ${clusterArn}`;
+    // Example EKS cluster ARN: arn:aws:eks:us-west-2:123456789012:cluster/my-testing-cluster
+    const parts = clusterArn.split(":");
+    if (parts.length < 6 || !parts[3] || !parts[5]) {
+        throw INVALID_ARN_MSG;
+    }
+    const clusterRegion = parts[3];
+    const resource = parts[5].split("/");
+    if (resource[0] !== "cluster") {
+        throw INVALID_ARN_MSG;
+    }
+    const clusterName = resource[1];
+    if (!clusterName) {
+        throw INVALID_ARN_MSG;
+    }
+    return { clusterRegion, clusterName };
+};

package/dist/commands/shared/index.d.ts

@@ -1,4 +1,4 @@
 import { Authn } from "../../types/identity";
-import { Request } from "../../types/request";
+import { PluginRequest, Request } from "../../types/request";
 /** Waits until P0 grants access for a request */
-export declare const waitForProvisioning: <P extends import("../../types/ssh").PluginSshRequest>(authn: Authn, requestId: string) => Promise<Request<P>>;
+export declare const waitForProvisioning: <P extends PluginRequest>(authn: Authn, requestId: string) => Promise<Request<P>>;

package/dist/commands/shared/index.js

@@ -57,7 +57,7 @@ const waitForProvisioning = (authn, requestId) => __awaiter(void 0, void 0, void
         cancel = setTimeout(() => {
             if (!isResolved) {
                 unsubscribe();
-                reject("Timeout awaiting SSH access grant");
+                reject("Timeout awaiting access grant. Please try again.");
             }
         }, GRANT_TIMEOUT_MILLIS);
     });

package/dist/common/install.d.ts

@@ -0,0 +1,11 @@
+export declare const SupportedPlatforms: readonly ["darwin"];
+export declare type SupportedPlatform = (typeof SupportedPlatforms)[number];
+export declare const AwsItems: readonly ["aws"];
+export declare type AwsItem = (typeof AwsItems)[number];
+export declare type InstallMetadata = {
+    label: string;
+    commands: Record<SupportedPlatform, Readonly<string[]>>;
+};
+export declare const AwsInstall: Readonly<Record<AwsItem, InstallMetadata>>;
+export declare const guidedInstall: <T extends string, U extends Readonly<Record<T, InstallMetadata>>>(platform: SupportedPlatform, item: T, installData: U) => Promise<void>;
+export declare const ensureInstall: <T extends string, U extends Readonly<Record<T, InstallMetadata>>>(installItems: readonly T[], installData: U) => Promise<boolean>;

package/dist/common/install.js

@@ -0,0 +1,120 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureInstall = exports.guidedInstall = exports.AwsInstall = exports.AwsItems = exports.SupportedPlatforms = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const stdio_1 = require("../drivers/stdio");
+const types_1 = require("../types");
+const lodash_1 = require("lodash");
+const node_child_process_1 = require("node:child_process");
+const node_os_1 = __importDefault(require("node:os"));
+const typescript_1 = require("typescript");
+const which_1 = __importDefault(require("which"));
+exports.SupportedPlatforms = ["darwin"];
+exports.AwsItems = ["aws"];
+exports.AwsInstall = {
+    aws: {
+        label: "AWS CLI v2",
+        commands: {
+            darwin: [
+                'curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"',
+                "sudo installer -pkg AWSCLIV2.pkg -target /",
+                'rm "AWSCLIV2.pkg"',
+            ],
+        },
+    },
+};
+const printToInstall = (toInstall, installMetadata) => {
+    (0, stdio_1.print2)("The following items must be installed on your system to continue:");
+    for (const item of toInstall) {
+        (0, stdio_1.print2)(`  - ${installMetadata[item].label} (${item})`);
+    }
+    (0, stdio_1.print2)("");
+};
+const queryInteractive = () => __awaiter(void 0, void 0, void 0, function* () {
+    const inquirer = (yield import("inquirer")).default;
+    const { isGuided } = yield inquirer.prompt([
+        {
+            type: "confirm",
+            name: "isGuided",
+            message: "Do you want P0 to install these for you (sudo access required)?",
+        },
+    ]);
+    (0, stdio_1.print2)("");
+    return isGuided;
+});
+const requiredInstalls = (installItems) => __awaiter(void 0, void 0, void 0, function* () {
+    return (0, lodash_1.compact)(yield Promise.all(installItems.map((item) => __awaiter(void 0, void 0, void 0, function* () { return (yield (0, which_1.default)(item, { nothrow: true })) === null ? item : undefined; }))));
+});
+const printInstallCommands = (platform, item, installData) => {
+    const { label, commands } = installData[item];
+    (0, stdio_1.print2)(`To install ${label}, run the following commands:\n`);
+    for (const command of commands[platform]) {
+        (0, stdio_1.print1)(`  ${command}`);
+    }
+    (0, stdio_1.print1)(""); // Newline is useful for reading command output in a script, so send to /fd/1
+};
+const guidedInstall = (platform, item, installData) => __awaiter(void 0, void 0, void 0, function* () {
+    const commands = installData[item].commands[platform];
+    const combined = commands.join(" && \\\n");
+    (0, stdio_1.print2)(`Executing:\n${combined}`);
+    (0, stdio_1.print2)("");
+    yield new Promise((resolve, reject) => {
+        const child = (0, node_child_process_1.spawn)("bash", ["-c", combined], { stdio: "inherit" });
+        child.on("exit", (code) => {
+            if (code === 0)
+                resolve();
+            else
+                reject(`Shell exited with code ${code}`);
+        });
+    });
+    (0, stdio_1.print2)("");
+});
+exports.guidedInstall = guidedInstall;
+const ensureInstall = (installItems, installData) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const toInstall = yield requiredInstalls(installItems);
+    if (toInstall.length === 0) {
+        return true;
+    }
+    const platform = node_os_1.default.platform();
+    printToInstall(toInstall, installData);
+    if (!(0, types_1.isa)(exports.SupportedPlatforms)(platform)) {
+        throw (`Guided dependency installation is not available on platform ${platform}\n` +
+            "Please install the above dependencies manually, or ensure they are on your PATH.");
+    }
+    const interactive = !!((_a = typescript_1.sys.writeOutputIsTTY) === null || _a === void 0 ? void 0 : _a.call(typescript_1.sys)) && (yield queryInteractive());
+    for (const item of toInstall) {
+        if (interactive)
+            yield (0, exports.guidedInstall)(platform, item, installData);
+        else
+            printInstallCommands(platform, item, installData);
+    }
+    const remaining = yield requiredInstalls(installItems);
+    if (remaining.length === 0) {
+        (0, stdio_1.print2)("All packages successfully installed");
+        return true;
+    }
+    return false;
+});
+exports.ensureInstall = ensureInstall;

package/dist/drivers/stdio.d.ts

@@ -22,4 +22,5 @@ export declare function print2(message: any): void;
 export declare const Ansi: {
     readonly Reset: string;
     readonly Dim: string;
+    readonly Yellow: string;
 };

package/dist/drivers/stdio.js

@@ -40,5 +40,6 @@ exports.print2 = print2;
 const AnsiCodes = {
     Reset: "00",
     Dim: "02",
+    Yellow: "33",
 };
 exports.Ansi = (0, lodash_1.mapValues)(AnsiCodes, (v) => `\u001b[${v}m`);

package/dist/plugins/aws/ssm/install.js

@@ -23,27 +23,11 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
-const stdio_1 = require("../../../drivers/stdio");
+const install_1 = require("../../../common/install");
 const types_1 = require("../../../types");
-const lodash_1 = require("lodash");
-const node_child_process_1 = require("node:child_process");
 const node_os_1 = __importDefault(require("node:os"));
-const typescript_1 = require("typescript");
-const which_1 = __importDefault(require("which"));
-const SupportedPlatforms = ["darwin"];
-const AwsItems = ["aws", "session-manager-plugin"];
-const AwsInstall = {
-    aws: {
-        label: "AWS CLI v2",
-        commands: {
-            darwin: [
-                'curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"',
-                "sudo installer -pkg AWSCLIV2.pkg -target /",
-                'rm "AWSCLIV2.pkg"',
-            ],
-        },
-    },
-    "session-manager-plugin": {
+const SsmItems = [...install_1.AwsItems, "session-manager-plugin"];
+const SsmInstall = Object.assign(Object.assign({}, install_1.AwsInstall), { "session-manager-plugin": {
         label: "the AWS CLI Session Manager plugin",
         commands: {
             darwin: [
@@ -53,54 +37,7 @@ const AwsInstall = {
                 'rm "session-manager-plugin.pkg"',
             ],
         },
-    },
-};
-const printToInstall = (toInstall) => {
-    (0, stdio_1.print2)("The following items must be installed on your system to continue:");
-    for (const item of toInstall) {
-        (0, stdio_1.print2)(`  - ${AwsInstall[item].label}`);
-    }
-    (0, stdio_1.print2)("");
-};
-const queryInteractive = () => __awaiter(void 0, void 0, void 0, function* () {
-    const inquirer = (yield import("inquirer")).default;
-    const { isGuided } = yield inquirer.prompt([
-        {
-            type: "confirm",
-            name: "isGuided",
-            message: "Do you want P0 to install these for you (sudo access required)?",
-        },
-    ]);
-    (0, stdio_1.print2)("");
-    return isGuided;
-});
-const requiredInstalls = () => __awaiter(void 0, void 0, void 0, function* () {
-    return (0, lodash_1.compact)(yield Promise.all(AwsItems.map((item) => __awaiter(void 0, void 0, void 0, function* () { return (yield (0, which_1.default)(item, { nothrow: true })) === null ? item : undefined; }))));
-});
-const printInstallCommands = (platform, item) => {
-    const { label, commands } = AwsInstall[item];
-    (0, stdio_1.print2)(`To install ${label}, run the following commands:\n`);
-    for (const command of commands[platform]) {
-        (0, stdio_1.print1)(`  ${command}`);
-    }
-    (0, stdio_1.print1)(""); // Newline is useful for reading command output in a script, so send to /fd/1
-};
-const guidedInstall = (platform, item) => __awaiter(void 0, void 0, void 0, function* () {
-    const commands = AwsInstall[item].commands[platform];
-    const combined = commands.join(" && \\\n");
-    (0, stdio_1.print2)(`Executing:\n${combined}`);
-    (0, stdio_1.print2)("");
-    yield new Promise((resolve, reject) => {
-        const child = (0, node_child_process_1.spawn)("bash", ["-c", combined], { stdio: "inherit" });
-        child.on("exit", (code) => {
-            if (code === 0)
-                resolve();
-            else
-                reject(`Shell exited with code ${code}`);
-        });
-    });
-    (0, stdio_1.print2)("");
-});
+    } });
 /** Ensures that AWS CLI and SSM plugin are installed on the user environment
  *
  * If they are not, and the session is a TTY, prompt the user to auto-install. If
@@ -108,26 +45,10 @@ const guidedInstall = (platform, item) => __awaiter(void 0, void 0, void 0, func
  * stdout.
  */
 const ensureSsmInstall = () => __awaiter(void 0, void 0, void 0, function* () {
-    var _a;
     const platform = node_os_1.default.platform();
-    if (!(0, types_1.isa)(SupportedPlatforms)(platform))
+    // Preserve existing behavior of a hard error on unsupported platforms
+    if (!(0, types_1.isa)(install_1.SupportedPlatforms)(platform))
         throw "SSH to AWS managed instances is only available on MacOS";
-    const toInstall = yield requiredInstalls();
-    if (toInstall.length === 0)
-        return true;
-    printToInstall(toInstall);
-    const interactive = !!((_a = typescript_1.sys.writeOutputIsTTY) === null || _a === void 0 ? void 0 : _a.call(typescript_1.sys)) && (yield queryInteractive());
-    for (const item of toInstall) {
-        if (interactive)
-            yield guidedInstall(platform, item);
-        else
-            printInstallCommands(platform, item);
-    }
-    const remaining = yield requiredInstalls();
-    if (remaining.length === 0) {
-        (0, stdio_1.print2)("All packages successfully installed");
-        return true;
-    }
-    return false;
+    return yield (0, install_1.ensureInstall)(SsmItems, SsmInstall);
 });
 exports.ensureSsmInstall = ensureSsmInstall;

package/dist/plugins/kubeconfig/index.d.ts

@@ -0,0 +1,23 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { KubeconfigCommandArgs } from "../../commands/kubeconfig";
+import { Authn } from "../../types/identity";
+import { Request } from "../../types/request";
+import { AwsCredentials } from "../aws/types";
+import { EksClusterConfig, K8sGenerated, K8sPermissionSpec } from "./types";
+import yargs from "yargs";
+export declare const getAndValidateK8sIntegration: (authn: Authn, clusterId: string) => Promise<{
+    clusterConfig: EksClusterConfig;
+    awsLoginType: "federated" | "idc";
+}>;
+export declare const requestAccessToCluster: (authn: Authn, args: yargs.ArgumentsCamelCase<KubeconfigCommandArgs>, clusterId: string, role: string) => Promise<Request<K8sPermissionSpec>>;
+export declare const profileName: (eksCluterName: string) => string;
+export declare const awsCloudAuth: (authn: Authn, awsAccountId: string, generated: K8sGenerated, loginType: "federated" | "idc") => Promise<AwsCredentials>;

package/dist/plugins/kubeconfig/index.js

@@ -0,0 +1,98 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.awsCloudAuth = exports.profileName = exports.requestAccessToCluster = exports.getAndValidateK8sIntegration = void 0;
+const shared_1 = require("../../commands/shared");
+const request_1 = require("../../commands/shared/request");
+const firestore_1 = require("../../drivers/firestore");
+const stdio_1 = require("../../drivers/stdio");
+const util_1 = require("../../util");
+const config_1 = require("../aws/config");
+const idc_1 = require("../aws/idc");
+const aws_1 = require("../okta/aws");
+const firestore_2 = require("firebase/firestore");
+const lodash_1 = require("lodash");
+const getAndValidateK8sIntegration = (authn, clusterId) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/k8s`));
+    // Validation done here in lieu of the backend, since the backend doesn't validate until approval. TODO: ENG-2365.
+    const clusterConfig = (_a = configDoc
+        .data()) === null || _a === void 0 ? void 0 : _a.workflows.items.find((c) => c.clusterId === clusterId && c.state === "installed");
+    if (!clusterConfig) {
+        throw `Cluster with ID ${clusterId} not found`;
+    }
+    const { awsAccountId, awsClusterArn } = clusterConfig;
+    if (!awsAccountId || !awsClusterArn) {
+        throw (`This command currently only supports AWS EKS clusters, and ${clusterId} is not configured as one.\n` +
+            "You can request access to the cluster using the `p0 request k8s` command.");
+    }
+    const { config: awsConfig } = yield (0, config_1.getAwsConfig)(authn, awsAccountId);
+    const { login: awsLogin } = awsConfig;
+    // Verify that the AWS auth type is supported before issuing the requests
+    if (!(awsLogin === null || awsLogin === void 0 ? void 0 : awsLogin.type) || (awsLogin === null || awsLogin === void 0 ? void 0 : awsLogin.type) === "iam") {
+        throw "This AWS account is not configured for kubectl access via the P0 CLI.\nYou can request access to the cluster using the `p0 request k8s` command.";
+    }
+    return {
+        clusterConfig: Object.assign(Object.assign({}, clusterConfig), { awsAccountId,
+            awsClusterArn }),
+        awsLoginType: awsLogin.type,
+    };
+});
+exports.getAndValidateK8sIntegration = getAndValidateK8sIntegration;
+const requestAccessToCluster = (authn, args, clusterId, role) => __awaiter(void 0, void 0, void 0, function* () {
+    const response = yield (0, request_1.request)("request")(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
+            "k8s",
+            "resource",
+            "--cluster",
+            clusterId,
+            "--role",
+            role,
+            ...(args.resource ? ["--locator", args.resource] : []),
+            ...(args.reason ? ["--reason", args.reason] : []),
+            ...(args.requestedDuration
+                ? ["--requested-duration", args.requestedDuration]
+                : []),
+        ], wait: true }), authn, { message: "approval-required" });
+    if (!response) {
+        throw "Did not receive access ID from server";
+    }
+    const { id, isPreexisting } = response;
+    if (!isPreexisting) {
+        (0, stdio_1.print2)("Waiting for access to be provisioned. This may take up to a minute.");
+    }
+    return yield (0, shared_1.waitForProvisioning)(authn, id);
+});
+exports.requestAccessToCluster = requestAccessToCluster;
+const profileName = (eksCluterName) => `p0cli-managed-eks-${eksCluterName}`;
+exports.profileName = profileName;
+const awsCloudAuth = (authn, awsAccountId, generated, loginType) => __awaiter(void 0, void 0, void 0, function* () {
+    const { eksGenerated } = generated;
+    const { name, idc } = eksGenerated;
+    switch (loginType) {
+        case "idc":
+            if (!idc) {
+                throw "AWS is configured to use Identity Center, but IDC information wasn't received in the request.";
+            }
+            return yield (0, idc_1.assumeRoleWithIdc)({
+                accountId: awsAccountId,
+                permissionSet: name,
+                idc,
+            });
+        case "federated":
+            return yield (0, aws_1.assumeRoleWithOktaSaml)(authn, {
+                accountId: awsAccountId,
+                role: name,
+            });
+        default:
+            throw (0, util_1.assertNever)(loginType);
+    }
+});
+exports.awsCloudAuth = awsCloudAuth;

package/dist/plugins/kubeconfig/install.d.ts

@@ -0,0 +1 @@
+export declare const ensureEksInstall: () => Promise<boolean>;

package/dist/plugins/kubeconfig/install.js

@@ -0,0 +1,65 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureEksInstall = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const install_1 = require("../../common/install");
+const EksItems = [...install_1.AwsItems, "kubectl"];
+/**
+ * Converts the current system architecture, as represented in TypeScript, to
+ * the value used in the kubectl download URL, or throw an exception if the
+ * current architecture is not one kubectl has an official build for.
+ */
+const kubectlDownloadArch = () => {
+    const arch = process.arch;
+    switch (arch) {
+        case "x64": // macOS, Linux, and Windows
+            return "amd64";
+        case "arm64": // macOS and Linux only
+            return arch;
+        default:
+            throw `Unsupported system architecture for kubectl: ${arch}. Please install kubectl manually, or check that it is available in your PATH.`;
+    }
+};
+const kubectlInstallCommandsDarwin = () => {
+    const arch = kubectlDownloadArch();
+    // The download is the kubectl binary itself
+    return [
+        `curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/darwin/${arch}/kubectl"`,
+        "chmod +x kubectl",
+        "sudo mkdir -p /usr/local/bin",
+        "sudo mv -i ./kubectl /usr/local/bin/kubectl",
+        "sudo chown root: /usr/local/bin/kubectl",
+    ];
+};
+const EksInstall = Object.assign(Object.assign({}, install_1.AwsInstall), { kubectl: {
+        label: "Kubernetes command-line tool",
+        commands: {
+            get darwin() {
+                // Use a getter so that we only invoke kubectlInstallCommandsDarwin() if and when we
+                // need to generate the installation commands so that we only check the architecture as
+                // needed; if kubectl is already installed, doesn't really matter how it was installed
+                // or whether it's an officially-supported architecture.
+                return kubectlInstallCommandsDarwin();
+            },
+        },
+    } });
+const ensureEksInstall = () => __awaiter(void 0, void 0, void 0, function* () { return yield (0, install_1.ensureInstall)(EksItems, EksInstall); });
+exports.ensureEksInstall = ensureEksInstall;

package/dist/plugins/kubeconfig/types.d.ts

@@ -0,0 +1,57 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { PermissionSpec } from "../../types/request";
+export declare type K8sConfig = {
+    workflows: {
+        items: K8sClusterConfig[];
+    };
+};
+export declare type K8sClusterConfig = {
+    clusterId: string;
+    clusterServer: string;
+    clusterCertificate: string;
+    state: string;
+    awsAccountId?: string;
+    awsClusterArn?: string;
+} & (KubernetesProxyComponentConfig | KubernetesPublicComponentConfig);
+export declare type EksClusterConfig = K8sClusterConfig & {
+    awsAccountId: string;
+    awsClusterArn: string;
+};
+declare type KubernetesProxyComponentConfig = {
+    isProxy: true;
+    publicJwk: string;
+};
+export declare type KubernetesPublicComponentConfig = {
+    isProxy: false;
+};
+export declare type K8sPermissionSpec = PermissionSpec<"k8s", K8sResourcePermission, K8sGenerated>;
+export declare type K8sResourcePermission = {
+    resource: {
+        name: string;
+        namespace: string;
+        kind: string;
+    };
+    role: string;
+    clusterId: string;
+    type: "resource";
+};
+export declare type K8sGenerated = {
+    eksGenerated: {
+        name: string;
+        idc?: {
+            id: string;
+            region: string;
+        };
+    };
+    role: string;
+};
+export {};

package/dist/plugins/kubeconfig/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/request.d.ts

@@ -8,6 +8,7 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+import { K8sPermissionSpec } from "../plugins/kubeconfig/types";
 import { PluginSshRequest } from "./ssh";
 export declare const DONE_STATUSES: readonly ["DONE", "DONE_NOTIFIED"];
 export declare const DENIED_STATUSES: readonly ["DENIED", "DENIED_NOTIFIED"];
@@ -19,7 +20,7 @@ export declare type PermissionSpec<K extends string, P extends {
     permission: P;
     generated: G;
 };
-export declare type PluginRequest = PluginSshRequest;
+export declare type PluginRequest = K8sPermissionSpec | PluginSshRequest;
 export declare type Request<P extends PluginRequest> = P & {
     status: string;
     principal: string;

package/dist/util.d.ts

@@ -43,3 +43,14 @@ export declare const exec: (command: string, args: string[], options?: child_pro
 export declare const throwAssertNever: (value: never) => never;
 export declare const assertNever: (value: never) => Error;
 export declare const unexpectedValueError: (value: any) => Error;
+/**
+ * Performs a case-insensitive comparison of two strings. This uses
+ * `localeCompare()`, which is safer than `toLowerCase()` or `toUpperCase()` for
+ * non-ASCII characters and is the generally-accepted best practice. See:
+ * https://stackoverflow.com/a/2140723
+ *
+ * @param a The first string to compare
+ * @param b The second string to compare
+ * @returns true if the strings are equal, ignoring case
+ */
+export declare const ciEquals: (a: string, b: string) => boolean;

package/dist/util.js

@@ -12,7 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.unexpectedValueError = exports.assertNever = exports.throwAssertNever = exports.exec = exports.timeout = exports.sleep = exports.P0_PATH = void 0;
+exports.ciEquals = exports.unexpectedValueError = exports.assertNever = exports.throwAssertNever = exports.exec = exports.timeout = exports.sleep = exports.P0_PATH = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -95,3 +95,15 @@ const assertNever = (value) => {
 exports.assertNever = assertNever;
 const unexpectedValueError = (value) => new Error(`Unexpected code state: value ${value} had unexpected type`);
 exports.unexpectedValueError = unexpectedValueError;
+/**
+ * Performs a case-insensitive comparison of two strings. This uses
+ * `localeCompare()`, which is safer than `toLowerCase()` or `toUpperCase()` for
+ * non-ASCII characters and is the generally-accepted best practice. See:
+ * https://stackoverflow.com/a/2140723
+ *
+ * @param a The first string to compare
+ * @param b The second string to compare
+ * @returns true if the strings are equal, ignoring case
+ */
+const ciEquals = (a, b) => a.localeCompare(b, undefined, { sensitivity: "accent" }) === 0;
+exports.ciEquals = ciEquals;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.8.3",
+  "version": "0.9.0",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {
@@ -21,9 +21,11 @@
   ],
   "dependencies": {
     "@rgrove/parse-xml": "^4.1.0",
+    "@types/ini": "^4.1.1",
     "dotenv": "^16.4.1",
     "express": "^4.18.2",
     "firebase": "^10.7.2",
+    "ini": "^4.1.3",
     "inquirer": "^9.2.15",
     "jsdom": "^24.1.1",
     "lodash": "^4.17.21",
@@ -32,6 +34,7 @@
     "pkce-challenge": "^4.1.0",
     "pluralize": "^8.0.0",
     "semver": "^7.6.0",
+    "tmp-promise": "^3.0.3",
     "typescript": "^4.8.4",
     "which": "^4.0.0",
     "yargs": "^17.6.0"