cisco-ise 1.0.0

package/cli/utils/config.js

@@ -0,0 +1,125 @@
+const fs = require("node:fs");
+const path = require("node:path");
+const os = require("node:os");
+const { execSync } = require("node:child_process");
+
+const SS_PLACEHOLDER_RE = /<ss:(\d+):(\w+)>/g;
+
+function getConfigDir() {
+  return process.env.CISCO_ISE_CONFIG_DIR || path.join(os.homedir(), ".cisco-ise");
+}
+
+function getConfigPath() {
+  return path.join(getConfigDir(), "config.json");
+}
+
+function loadConfig() {
+  const configPath = getConfigPath();
+  if (!fs.existsSync(configPath)) {
+    return { activeCluster: null, clusters: {} };
+  }
+  return JSON.parse(fs.readFileSync(configPath, "utf-8"));
+}
+
+function saveConfig(config) {
+  const dir = getConfigDir();
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  }
+  fs.writeFileSync(getConfigPath(), JSON.stringify(config, null, 2), { mode: 0o600 });
+}
+
+function addCluster(name, opts) {
+  const config = loadConfig();
+  config.clusters[name] = {
+    host: opts.host,
+    username: opts.username,
+    password: opts.password,
+  };
+  if (opts.ppan) config.clusters[name].ppan = opts.ppan;
+  if (opts.pmnt) config.clusters[name].pmnt = opts.pmnt;
+  if (opts.sponsorUser) config.clusters[name].sponsorUser = opts.sponsorUser;
+  if (opts.sponsorPassword) config.clusters[name].sponsorPassword = opts.sponsorPassword;
+  if (opts.insecure) config.clusters[name].insecure = true;
+  if (opts.readOnly) config.clusters[name].readOnly = true;
+  if (!config.activeCluster) config.activeCluster = name;
+  saveConfig(config);
+}
+
+function useCluster(name) {
+  const config = loadConfig();
+  if (!config.clusters[name]) {
+    throw new Error(`Cluster "${name}" not found. Run "cisco-ise config list" to see available clusters.`);
+  }
+  config.activeCluster = name;
+  saveConfig(config);
+}
+
+function removeCluster(name) {
+  const config = loadConfig();
+  if (!config.clusters[name]) throw new Error(`Cluster "${name}" not found.`);
+  delete config.clusters[name];
+  if (config.activeCluster === name) {
+    const remaining = Object.keys(config.clusters);
+    config.activeCluster = remaining.length > 0 ? remaining[0] : null;
+  }
+  saveConfig(config);
+}
+
+function getActiveCluster(clusterName) {
+  const config = loadConfig();
+  const name = clusterName || config.activeCluster;
+  if (!name || !config.clusters[name]) return null;
+  return { name, ...config.clusters[name] };
+}
+
+function listClusters() {
+  const config = loadConfig();
+  return config.clusters;
+}
+
+function updateCluster(name, updates) {
+  const config = loadConfig();
+  if (!config.clusters[name]) throw new Error(`Cluster "${name}" not found.`);
+  Object.assign(config.clusters[name], updates);
+  saveConfig(config);
+}
+
+function maskPassword(password) {
+  if (!password) return "";
+  if (SS_PLACEHOLDER_RE.test(password)) { SS_PLACEHOLDER_RE.lastIndex = 0; return password; }
+  return "*".repeat(password.length);
+}
+
+function resolveSecrets(value) {
+  if (typeof value !== "string") return value;
+  SS_PLACEHOLDER_RE.lastIndex = 0;
+  if (!SS_PLACEHOLDER_RE.test(value)) return value;
+  SS_PLACEHOLDER_RE.lastIndex = 0;
+  return value.replace(SS_PLACEHOLDER_RE, (match, id, field) => {
+    try {
+      const output = execSync(`ss-cli get ${id} --format json`, { encoding: "utf-8", timeout: 10000 });
+      const secret = JSON.parse(output);
+      if (secret[field] !== undefined) return secret[field];
+      if (Array.isArray(secret.items)) {
+        const item = secret.items.find((i) => i.fieldName === field || i.slug === field);
+        if (item) return item.itemValue;
+      }
+      throw new Error(`Field "${field}" not found in secret ${id}`);
+    } catch (err) {
+      if (err.message.includes("ENOENT") || err.message.includes("not found")) {
+        throw new Error(
+          "Config contains Secret Server references (<ss:...>) but ss-cli is not available. " +
+          "Install with: npm install -g @sieteunoseis/ss-cli"
+        );
+      }
+      throw err;
+    }
+  });
+}
+
+module.exports = {
+  getConfigDir, getConfigPath, loadConfig, saveConfig,
+  addCluster, useCluster, removeCluster, getActiveCluster,
+  listClusters, updateCluster, maskPassword, resolveSecrets,
+};

package/cli/utils/confirm.js

@@ -0,0 +1,34 @@
+const readline = require("readline");
+const { getRandomWord } = require("./wordlist.js");
+
+function checkWriteAllowed(clusterConfig, globalOpts = {}) {
+  const readOnly = clusterConfig?.readOnly || globalOpts.readOnly;
+  if (!readOnly) return Promise.resolve(true);
+
+  if (!process.stdin.isTTY) {
+    throw new Error(
+      "This cluster is configured as read-only. " +
+      "Interactive TTY required for write confirmation. " +
+      "Change config with: cisco-ise config update <name> --no-read-only"
+    );
+  }
+
+  const word = getRandomWord();
+  const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+
+  return new Promise((resolve, reject) => {
+    rl.question(
+      `\n⚠ This cluster is configured as read-only.\nTo proceed, type "${word}" to confirm: `,
+      (answer) => {
+        rl.close();
+        if (answer.trim().toLowerCase() === word.toLowerCase()) {
+          resolve({ confirmed: true, word });
+        } else {
+          reject(new Error("Confirmation failed. Write operation cancelled."));
+        }
+      }
+    );
+  });
+}
+
+module.exports = { checkWriteAllowed };

package/cli/utils/connection.js

@@ -0,0 +1,47 @@
+const config = require("./config.js");
+
+function resolveConnection(opts) {
+  let cluster;
+  try {
+    cluster = opts.cluster
+      ? config.getActiveCluster(opts.cluster)
+      : config.getActiveCluster();
+  } catch {
+    cluster = null;
+  }
+
+  if (!cluster && !opts.host && !process.env.CISCO_ISE_HOST) {
+    throw new Error(
+      "No cluster configured. Run: cisco-ise config add <name> --host <host> --username <user> --password <pass>"
+    );
+  }
+
+  const resolved = {
+    host: opts.host || process.env.CISCO_ISE_HOST || cluster?.host,
+    username: opts.username || process.env.CISCO_ISE_USERNAME || cluster?.username,
+    password: opts.password || process.env.CISCO_ISE_PASSWORD || cluster?.password,
+    ppan: opts.ppan || process.env.CISCO_ISE_PPAN || cluster?.ppan || undefined,
+    pmnt: opts.pmnt || process.env.CISCO_ISE_PMNT || cluster?.pmnt || undefined,
+    sponsorUser: opts.sponsorUser || process.env.CISCO_ISE_SPONSOR_USER || cluster?.sponsorUser || undefined,
+    sponsorPassword: opts.sponsorPassword || process.env.CISCO_ISE_SPONSOR_PASSWORD || cluster?.sponsorPassword || undefined,
+    insecure: opts.insecure ?? cluster?.insecure ?? false,
+    readOnly: opts.readOnly ?? cluster?.readOnly ?? false,
+  };
+
+  if (!resolved.host) throw new Error("Missing --host. Provide via flag, env var CISCO_ISE_HOST, or config.");
+  if (!resolved.username) throw new Error("Missing --username.");
+  if (!resolved.password) throw new Error("Missing --password.");
+
+  for (const key of ["host", "username", "password", "ppan", "pmnt", "sponsorUser", "sponsorPassword"]) {
+    if (resolved[key]) resolved[key] = config.resolveSecrets(resolved[key]);
+  }
+
+  // Set TLS override if insecure (covers config-file sourced flag)
+  if (resolved.insecure) {
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+  }
+
+  return resolved;
+}
+
+module.exports = { resolveConnection };