@p0security/cli 0.9.0 → 0.10.0

package/dist/commands/scp.js

@@ -75,16 +75,17 @@ const scpAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     if (!host) {
         throw "Could not determine host identifier from source or destination";
     }
-    const result = yield (0, ssh_3.provisionRequest)(authn, args, host);
-    if (!result) {
-        throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
-    }
-    const { request, privateKey } = result;
-    const data = (0, ssh_3.requestToSsh)(request);
+    const { request, privateKey, sshProvider } = yield (0, ssh_3.prepareRequest)(authn, args, host);
     // replace the host with the linuxUserName@instanceId
-    const { source, destination } = replaceHostWithInstance(data, args);
-    yield (0, ssh_1.sshOrScp)(authn, data, Object.assign(Object.assign({}, args), { source,
-        destination }), privateKey);
+    const { source, destination } = replaceHostWithInstance(request, args);
+    yield (0, ssh_1.sshOrScp)({
+        authn,
+        request,
+        cmdArgs: Object.assign(Object.assign({}, args), { source,
+            destination }),
+        privateKey,
+        sshProvider,
+    });
 });
 /** If a path is not explicitly local, use this pattern to determine if it's remote */
 const REMOTE_PATTERN_COLON = /^([^:]+:)(.*)$/; // Matches host:[path]

package/dist/commands/shared/ssh.d.ts

@@ -1,6 +1,6 @@
 import { Authn } from "../../types/identity";
 import { Request } from "../../types/request";
-import { CliSshRequest, SshProvider, SshRequest, SupportedSshProvider } from "../../types/ssh";
+import { PluginSshRequest, SshProvider, SupportedSshProvider } from "../../types/ssh";
 import yargs from "yargs";
 export declare type BaseSshCommandArgs = {
     sudo?: boolean;
@@ -18,8 +18,10 @@ export declare type SshCommandArgs = BaseSshCommandArgs & {
     sudo?: boolean;
     destination: string;
     L?: string;
+    R?: string;
     N?: boolean;
     A?: boolean;
+    o?: string;
     arguments: string[];
     command?: string;
 };
@@ -30,8 +32,14 @@ export declare const isSudoCommand: (args: {
     command?: string;
 }) => boolean;
 export declare const provisionRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<{
-    request: Request<CliSshRequest>;
+    provisionedRequest: Request<PluginSshRequest>;
     publicKey: string;
     privateKey: string;
 } | undefined>;
-export declare const requestToSsh: (request: Request<CliSshRequest>) => SshRequest;
+export declare const prepareRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<BaseSshCommandArgs>, destination: string) => Promise<{
+    request: any;
+    sshProvider: SshProvider<any, any, any, any>;
+    provisionedRequest: Request<PluginSshRequest>;
+    publicKey: string;
+    privateKey: string;
+}>;

package/dist/commands/shared/ssh.js

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.requestToSsh = exports.provisionRequest = exports.isSudoCommand = exports.SSH_PROVIDERS = void 0;
+exports.prepareRequest = exports.provisionRequest = exports.isSudoCommand = exports.SSH_PROVIDERS = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -77,11 +77,21 @@ const provisionRequest = (authn, args, destination) => __awaiter(void 0, void 0,
     if (provisionedRequest.permission.spec.publicKey !== publicKey) {
         throw "Public key mismatch. Please revoke the request and try again.";
     }
+    return { provisionedRequest, publicKey, privateKey };
+});
+exports.provisionRequest = provisionRequest;
+const prepareRequest = (authn, args, destination) => __awaiter(void 0, void 0, void 0, function* () {
+    const result = yield (0, exports.provisionRequest)(authn, args, destination);
+    if (!result) {
+        throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
+    }
+    const { provisionedRequest } = result;
+    const sshProvider = exports.SSH_PROVIDERS[provisionedRequest.permission.spec.type];
+    yield sshProvider.ensureInstall();
     const cliRequest = yield pluginToCliRequest(provisionedRequest, {
         debug: args.debug,
     });
-    return { request: cliRequest, publicKey, privateKey };
+    const request = sshProvider.requestToSsh(cliRequest);
+    return Object.assign(Object.assign({}, result), { request, sshProvider });
 });
-exports.provisionRequest = provisionRequest;
-const requestToSsh = (request) => exports.SSH_PROVIDERS[request.permission.spec.type].requestToSsh(request);
-exports.requestToSsh = requestToSsh;
+exports.prepareRequest = prepareRequest;

package/dist/commands/ssh.js

@@ -28,10 +28,6 @@ const sshCommand = (yargs) => yargs.command("ssh <destination> [command [argumen
     .positional("destination", {
     type: "string",
     demandOption: true,
-})
-    .option("sudo", {
-    type: "boolean",
-    describe: "Add user to sudoers file",
 })
     .positional("command", {
     type: "string",
@@ -42,11 +38,20 @@ const sshCommand = (yargs) => yargs.command("ssh <destination> [command [argumen
     array: true,
     string: true,
     default: [],
+})
+    .option("sudo", {
+    type: "boolean",
+    describe: "Add user to sudoers file",
 })
     .option("L", {
     type: "string",
     // Copied from `man ssh`
     describe: "Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side.",
+})
+    .option("R", {
+    type: "string",
+    // Copied from `man ssh`
+    describe: "Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to the local side.",
 })
     .option("N", {
     type: "boolean",
@@ -55,6 +60,10 @@ const sshCommand = (yargs) => yargs.command("ssh <destination> [command [argumen
     .option("A", {
     type: "boolean",
     describe: "Enables forwarding of connections from an authentication agent such as ssh-agent",
+})
+    .option("o", {
+    type: "string",
+    describe: "Can be used to give options in the format used in the SSH configuration file.",
 })
     // Match `p0 request --reason`
     .option("reason", {
@@ -85,11 +94,12 @@ exports.sshCommand = sshCommand;
 const sshAction = (args) => __awaiter(void 0, void 0, void 0, function* () {
     // Prefix is required because the backend uses it to determine that this is an AWS request
     const authn = yield (0, auth_1.authenticate)();
-    const destination = args.destination;
-    const result = yield (0, ssh_2.provisionRequest)(authn, args, destination);
-    if (!result) {
-        throw "Server did not return a request id. Please contact support@p0.dev for assistance.";
-    }
-    const { request, privateKey } = result;
-    yield (0, ssh_1.sshOrScp)(authn, (0, ssh_2.requestToSsh)(request), Object.assign(Object.assign({}, args), { destination }), privateKey);
+    const { request, privateKey, sshProvider } = yield (0, ssh_2.prepareRequest)(authn, args, args.destination);
+    yield (0, ssh_1.sshOrScp)({
+        authn,
+        request,
+        cmdArgs: args,
+        privateKey,
+        sshProvider,
+    });
 });

package/dist/plugins/aws/ssh.js

@@ -33,11 +33,13 @@ exports.awsSshProvider = {
             ? Object.assign(Object.assign({}, common), { role: name, type: "aws", access: "role" }) : Object.assign(Object.assign({}, common), { idc, permissionSet: name, type: "aws", access: "idc" });
     },
     toCliRequest: (request) => __awaiter(void 0, void 0, void 0, function* () { return (Object.assign(Object.assign({}, request), { cliLocalData: undefined })); }),
-    cloudProviderLogin: (authn, request) => __awaiter(void 0, void 0, void 0, function* () {
-        var _a, _b, _c, _d;
+    ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
         if (!(yield (0, install_1.ensureSsmInstall)())) {
             throw "Please try again after installing the required AWS utilities";
         }
+    }),
+    cloudProviderLogin: (authn, request) => __awaiter(void 0, void 0, void 0, function* () {
+        var _a, _b, _c, _d;
         const { config } = yield (0, config_1.getAwsConfig)(authn, request.accountId);
         if (!((_a = config.login) === null || _a === void 0 ? void 0 : _a.type) || ((_b = config.login) === null || _b === void 0 ? void 0 : _b.type) === "iam") {
             throw "This account is not configured for SSH access via the P0 CLI";

package/dist/plugins/aws/ssm/install.js

@@ -1,16 +1,4 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ensureSsmInstall = void 0;
 /** Copyright © 2024-present P0 Security
@@ -24,8 +12,6 @@ This file is part of @p0security/cli
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
 const install_1 = require("../../../common/install");
-const types_1 = require("../../../types");
-const node_os_1 = __importDefault(require("node:os"));
 const SsmItems = [...install_1.AwsItems, "session-manager-plugin"];
 const SsmInstall = Object.assign(Object.assign({}, install_1.AwsInstall), { "session-manager-plugin": {
         label: "the AWS CLI Session Manager plugin",
@@ -44,11 +30,5 @@ const SsmInstall = Object.assign(Object.assign({}, install_1.AwsInstall), { "ses
  * the user declines, or if not a TTY, the installation commands are printed to
  * stdout.
  */
-const ensureSsmInstall = () => __awaiter(void 0, void 0, void 0, function* () {
-    const platform = node_os_1.default.platform();
-    // Preserve existing behavior of a hard error on unsupported platforms
-    if (!(0, types_1.isa)(install_1.SupportedPlatforms)(platform))
-        throw "SSH to AWS managed instances is only available on MacOS";
-    return yield (0, install_1.ensureInstall)(SsmItems, SsmInstall);
-});
+const ensureSsmInstall = () => (0, install_1.ensureInstall)(SsmItems, SsmInstall);
 exports.ensureSsmInstall = ensureSsmInstall;

package/dist/plugins/google/install.d.ts

@@ -0,0 +1,2 @@
+export declare const SupportedPlatforms: readonly ["darwin"];
+export declare const ensureGcpSshInstall: () => Promise<boolean>;

package/dist/plugins/google/install.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureGcpSshInstall = exports.SupportedPlatforms = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const install_1 = require("../../common/install");
+exports.SupportedPlatforms = ["darwin"];
+const GcpSshItems = ["gcloud"];
+const GcpSshInstall = {
+    gcloud: {
+        label: "GCloud CLI",
+        commands: {
+            darwin: [
+                // See https://cloud.google.com/sdk/docs/install-sdk
+                "architecture=$(arch)",
+                'package=$([ $architecture = "arm64" ] && echo "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-arm.tar.gz" || "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-x86_64.tar.gz" )',
+                "wget -O ~/google-cloud-cli.tar.gz $package",
+                "tar -xzf ~/google-cloud-cli.tar.gz -C ~",
+                "~/google-cloud-sdk/install.sh",
+                "rm -rf ~/google-cloud-cli.tar.gz",
+                // Symlink gcloud to /usr/local/bin - assumes /usr/local/bin is already in $PATH so next time `gcloud` is run it will be found
+                "sudo mkdir -p /usr/local/bin",
+                "sudo ln -s ~/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud",
+                "sudo chown root: /usr/local/bin/gcloud",
+            ],
+        },
+    },
+};
+const ensureGcpSshInstall = () => (0, install_1.ensureInstall)(GcpSshItems, GcpSshInstall);
+exports.ensureGcpSshInstall = ensureGcpSshInstall;

package/dist/plugins/google/ssh.js

@@ -21,6 +21,7 @@ This file is part of @p0security/cli
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
 const ssh_1 = require("../../commands/shared/ssh");
+const install_1 = require("./install");
 const ssh_key_1 = require("./ssh-key");
 /** Maximum number of attempts to start an SSH session
  *
@@ -42,6 +43,11 @@ exports.gcpSshProvider = {
                 linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
             } }));
     }),
+    ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
+        if (!(yield (0, install_1.ensureGcpSshInstall)())) {
+            throw "Please try again after installing the required GCP utilities";
+        }
+    }),
     cloudProviderLogin: () => __awaiter(void 0, void 0, void 0, function* () { return undefined; }),
     proxyCommand: (request) => {
         return [

package/dist/plugins/kubeconfig/index.d.ts

@@ -12,10 +12,14 @@ import { KubeconfigCommandArgs } from "../../commands/kubeconfig";
 import { Authn } from "../../types/identity";
 import { Request } from "../../types/request";
 import { AwsCredentials } from "../aws/types";
-import { EksClusterConfig, K8sGenerated, K8sPermissionSpec } from "./types";
+import { K8sGenerated, K8sPermissionSpec } from "./types";
 import yargs from "yargs";
 export declare const getAndValidateK8sIntegration: (authn: Authn, clusterId: string) => Promise<{
-    clusterConfig: EksClusterConfig;
+    clusterConfig: {
+        clusterId: string;
+        awsAccountId: string;
+        awsClusterArn: string;
+    };
     awsLoginType: "federated" | "idc";
 }>;
 export declare const requestAccessToCluster: (authn: Authn, args: yargs.ArgumentsCamelCase<KubeconfigCommandArgs>, clusterId: string, role: string) => Promise<Request<K8sPermissionSpec>>;

package/dist/plugins/kubeconfig/index.js

@@ -21,15 +21,18 @@ const aws_1 = require("../okta/aws");
 const firestore_2 = require("firebase/firestore");
 const lodash_1 = require("lodash");
 const getAndValidateK8sIntegration = (authn, clusterId) => __awaiter(void 0, void 0, void 0, function* () {
-    var _a;
+    var _a, _b;
     const configDoc = yield (0, firestore_2.getDoc)((0, firestore_1.doc)(`o/${authn.identity.org.tenantId}/integrations/k8s`));
     // Validation done here in lieu of the backend, since the backend doesn't validate until approval. TODO: ENG-2365.
-    const clusterConfig = (_a = configDoc
-        .data()) === null || _a === void 0 ? void 0 : _a.workflows.items.find((c) => c.clusterId === clusterId && c.state === "installed");
-    if (!clusterConfig) {
+    const config = (_b = (_a = configDoc.data()) === null || _a === void 0 ? void 0 : _a["iam-write"]) === null || _b === void 0 ? void 0 : _b[clusterId];
+    if (!config) {
         throw `Cluster with ID ${clusterId} not found`;
     }
-    const { awsAccountId, awsClusterArn } = clusterConfig;
+    if (config.state !== "installed" || config.provider.type !== "aws") {
+        throw `Cluster with ID ${clusterId} is not installed`;
+    }
+    const { provider } = config;
+    const { accountId: awsAccountId, clusterArn: awsClusterArn } = provider;
     if (!awsAccountId || !awsClusterArn) {
         throw (`This command currently only supports AWS EKS clusters, and ${clusterId} is not configured as one.\n` +
             "You can request access to the cluster using the `p0 request k8s` command.");
@@ -41,8 +44,11 @@ const getAndValidateK8sIntegration = (authn, clusterId) => __awaiter(void 0, voi
         throw "This AWS account is not configured for kubectl access via the P0 CLI.\nYou can request access to the cluster using the `p0 request k8s` command.";
     }
     return {
-        clusterConfig: Object.assign(Object.assign({}, clusterConfig), { awsAccountId,
-            awsClusterArn }),
+        clusterConfig: {
+            clusterId,
+            awsAccountId,
+            awsClusterArn,
+        },
         awsLoginType: awsLogin.type,
     };
 });

package/dist/plugins/kubeconfig/types.d.ts

@@ -9,29 +9,24 @@ This file is part of @p0security/cli
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
 import { PermissionSpec } from "../../types/request";
-export declare type K8sConfig = {
-    workflows: {
-        items: K8sClusterConfig[];
-    };
-};
 export declare type K8sClusterConfig = {
-    clusterId: string;
+    label?: string;
     clusterServer: string;
     clusterCertificate: string;
+    isProxy: boolean;
+    token: string;
+    publicJwk?: string;
+    provider: {
+        type: "aws";
+        clusterArn: string;
+        accountId: string;
+    } | {
+        type: "email";
+    };
     state: string;
-    awsAccountId?: string;
-    awsClusterArn?: string;
-} & (KubernetesProxyComponentConfig | KubernetesPublicComponentConfig);
-export declare type EksClusterConfig = K8sClusterConfig & {
-    awsAccountId: string;
-    awsClusterArn: string;
-};
-declare type KubernetesProxyComponentConfig = {
-    isProxy: true;
-    publicJwk: string;
 };
-export declare type KubernetesPublicComponentConfig = {
-    isProxy: false;
+export declare type K8sConfig = {
+    "iam-write": Record<string, K8sClusterConfig>;
 };
 export declare type K8sPermissionSpec = PermissionSpec<"k8s", K8sResourcePermission, K8sGenerated>;
 export declare type K8sResourcePermission = {
@@ -54,4 +49,3 @@ export declare type K8sGenerated = {
     };
     role: string;
 };
-export {};

package/dist/plugins/ssh/index.d.ts

@@ -10,5 +10,11 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 import { CommandArgs } from "../../commands/shared/ssh";
 import { Authn } from "../../types/identity";
-import { SshRequest } from "../../types/ssh";
-export declare const sshOrScp: (authn: Authn, request: SshRequest, cmdArgs: CommandArgs, privateKey: string) => Promise<number | null>;
+import { SshProvider, SshRequest } from "../../types/ssh";
+export declare const sshOrScp: (args: {
+    authn: Authn;
+    request: SshRequest;
+    cmdArgs: CommandArgs;
+    privateKey: string;
+    sshProvider: SshProvider<any, any, any, any>;
+}) => Promise<number | null>;

package/dist/plugins/ssh/index.js

@@ -137,6 +137,13 @@ function spawnSshNode(options) {
     return __awaiter(this, void 0, void 0, function* () {
         return new Promise((resolve, reject) => {
             const provider = ssh_1.SSH_PROVIDERS[options.provider];
+            const attemptsRemaining = options.attemptsRemaining;
+            if (options.debug) {
+                const gerund = options.isAccessPropagationPreTest
+                    ? "Pre-testing"
+                    : "Trying";
+                (0, stdio_1.print2)(`Waiting for access to propagate. ${gerund} SSH session... (remaining attempts: ${attemptsRemaining})`);
+            }
             const child = spawnChildProcess(options.credential, options.command, options.args, options.stdio);
             // TODO ENG-2284 support login with Google Cloud: currently return a boolean to indicate if the exception was a Google login error.
             const { isAccessPropagated, isGoogleLoginException } = accessPropagationGuard(child, options.debug);
@@ -146,10 +153,6 @@ function spawnSshNode(options) {
                 // In the case of ephemeral AccessDenied exceptions due to unpropagated
                 // permissions, continually retry access until success
                 if (!isAccessPropagated()) {
-                    const attemptsRemaining = options.attemptsRemaining;
-                    if (options.debug) {
-                        (0, stdio_1.print2)(`Waiting for access to propagate. Retrying SSH session... (remaining attempts: ${attemptsRemaining})`);
-                    }
                     if (attemptsRemaining <= 0) {
                         reject(`Access did not propagate through ${provider.friendlyName} before max retry attempts were exceeded. Please contact support@p0.dev for assistance.`);
                         return;
@@ -200,7 +203,9 @@ const createCommand = (data, args, proxyCommand) => {
             ...commonArgs,
             ...(args.A ? ["-A"] : []),
             ...(args.L ? ["-L", args.L] : []),
+            ...(args.R ? ["-R", args.R] : []),
             ...(args.N ? ["-N"] : []),
+            ...(args.o ? ["-o", args.o] : []),
             `${data.linuxUserName}@${data.id}`,
             ...(args.command ? [args.command] : []),
             ...args.arguments.map((argument) => 
@@ -243,11 +248,11 @@ const preTestAccessPropagationIfNeeded = (sshProvider, request, cmdArgs, proxyCo
     }
     return null;
 });
-const sshOrScp = (authn, request, cmdArgs, privateKey) => __awaiter(void 0, void 0, void 0, function* () {
+const sshOrScp = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    const { authn, request, cmdArgs, privateKey, sshProvider } = args;
     if (!privateKey) {
         throw "Failed to load a private key for this request. Please contact support@p0.dev for assistance.";
     }
-    const sshProvider = ssh_1.SSH_PROVIDERS[request.type];
     const credential = yield sshProvider.cloudProviderLogin(authn, request);
     const proxyCommand = sshProvider.proxyCommand(request);
     return (0, ssh_agent_1.withSshAgent)(cmdArgs, () => __awaiter(void 0, void 0, void 0, function* () {

package/dist/types/ssh.d.ts

@@ -26,6 +26,7 @@ export declare type SshProvider<PR extends PluginSshRequest = PluginSshRequest,
     toCliRequest: (request: Request<PR>, options?: {
         debug?: boolean;
     }) => Promise<Request<CliSshRequest>>;
+    ensureInstall: () => Promise<void>;
     /** Logs in the user to the cloud provider */
     cloudProviderLogin: (authn: Authn, request: SR) => Promise<C>;
     /** Returns the command and its arguments that are going to be injected as the ssh ProxyCommand option */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@p0security/cli",
-  "version": "0.9.0",
+  "version": "0.10.0",
   "description": "Execute infra CLI commands with P0 grants",
   "main": "index.ts",
   "repository": {