opal-security 2.0.10 → 2.0.13

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (-v|--version|version)
-opal-security/2.0.10 darwin-x64 node-v14.16.1
+opal-security/2.0.13 darwin-x64 node-v14.16.1
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -86,7 +86,7 @@ EXAMPLE
   opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/aws/identity.ts)_
 
 ## `opal curl-example`
 
@@ -100,7 +100,7 @@ OPTIONS
   -h, --help  show CLI help
 ```
 
-_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/curl-example.ts)_
+_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/curl-example.ts)_
 
 ## `opal help [COMMAND]`
 
@@ -128,15 +128,16 @@ USAGE
   $ opal iam-roles:start
 
 OPTIONS
-  -h, --help  show CLI help
-  --id=id     The ID of the Opal role resource.
+  -h, --help             show CLI help
+  --id=id                The ID of the Opal role resource.
+  --sessionId=sessionId  SessionId of a session that has already been created via the web flow.
 
 EXAMPLES
   opal iam-roles:start
   opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles:start`
 
@@ -150,6 +151,7 @@ OPTIONS
   -h, --help                                 show CLI help
   --accessLevelRemoteId=accessLevelRemoteId  The remote ID of the access level with which to access the cluster.
   --id=id                                    The ID of the Opal role resource.
+  --sessionId=sessionId                      SessionId of a session that has already been created via the web flow.
 
 EXAMPLES
   opal kube-roles:start
@@ -158,7 +160,7 @@ EXAMPLES
   "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -175,7 +177,7 @@ EXAMPLE
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -192,7 +194,7 @@ EXAMPLE
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/logout.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/logout.ts)_
 
 ## `opal postgres-instances:start`
 
@@ -206,6 +208,7 @@ OPTIONS
   -h, --help                                 show CLI help
   --accessLevelRemoteId=accessLevelRemoteId  The remote ID of the access level with which to access the database.
   --id=id                                    The ID of the Opal instance resource.
+  --sessionId=sessionId                      SessionId of a session that has already been created via the web flow.
 
 EXAMPLES
   opal postgres-instances:start
@@ -213,7 +216,7 @@ EXAMPLES
   opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "fullaccess"
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/postgres-instances/start.ts)_
 
 ## `opal resources:get`
 
@@ -231,7 +234,7 @@ EXAMPLE
   opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/resources/get.ts)_
 
 ## `opal set-url`
 
@@ -249,12 +252,13 @@ OPTIONS
   --dev
   --devLocal
   --prod
+  --staging
 
 EXAMPLE
   $ opal set-host
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/set-url.ts)_
 
 ## `opal ssh:copyFrom`
 
@@ -265,22 +269,23 @@ USAGE
   $ opal ssh:copyFrom
 
 OPTIONS
-  -h, --help   show CLI help
-  --dest=dest  [default: .] Pick which directory you want your files to be copied to.
-  --id=id      The ID of the Opal instance resource.
+  -h, --help             show CLI help
+  --dest=dest            [default: .] Pick which directory you want your files to be copied to.
+  --id=id                The ID of the Opal instance resource.
+  --sessionId=sessionId  SessionId of a session that has already been created via the web flow.
 
-  --src=src    (required) The path of the directory or file you would like to copy over SCP. Note we only support one
-               file or directory at a time.
+  --src=src              (required) The path of the directory or file you would like to copy over SCP. Note we only
+                         support one file or directory at a time.
 
-  --user=user  [default: ssm-user] Pick which user you want to run SCP over. Keep in mind not all users will have access
-               to each other's home directory.
+  --user=user            [default: ssm-user] Pick which user you want to run SCP over. Keep in mind not all users will
+                         have access to each other's home directory.
 
 EXAMPLES
   opal ssh:copyFrom --src instance/dir --dest my/dir
   opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh:copyTo`
 
@@ -291,22 +296,23 @@ USAGE
   $ opal ssh:copyTo
 
 OPTIONS
-  -h, --help   show CLI help
-  --dest=dest  [default: .] Pick which directory you want your files to be copied to.
-  --id=id      The ID of the Opal instance resource.
+  -h, --help             show CLI help
+  --dest=dest            [default: .] Pick which directory you want your files to be copied to.
+  --id=id                The ID of the Opal instance resource.
+  --sessionId=sessionId  SessionId of a session that has already been created via the web flow.
 
-  --src=src    (required) The path of the directory or file you would like to copy over SCP. Note we only support one
-               file or directory at a time.
+  --src=src              (required) The path of the directory or file you would like to copy over SCP. Note we only
+                         support one file or directory at a time.
 
-  --user=user  [default: ssm-user] Pick which user you want to run SCP over. Keep in mind not all users will have access
-               to each other's home directory.
+  --user=user            [default: ssm-user] Pick which user you want to run SCP over. Keep in mind not all users will
+                         have access to each other's home directory.
 
 EXAMPLES
   opal ssh:copyTo --src my/dir --dest instance/dir
   opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh:start`
 
@@ -317,13 +323,14 @@ USAGE
   $ opal ssh:start
 
 OPTIONS
-  -h, --help  show CLI help
-  --id=id     The ID of the Opal instance resource.
+  -h, --help             show CLI help
+  --id=id                The ID of the Opal instance resource.
+  --sessionId=sessionId  SessionId of a session that has already been created via the web flow.
 
 EXAMPLES
   opal ssh:start
   opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.10/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/ssh/start.ts)_
 <!-- commandsstop -->

package/lib/commands/iam-roles/start.d.ts

@@ -5,6 +5,7 @@ export default class StartIAMRoleSession extends Command {
     static flags: {
         help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
         id: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/iam-roles/start.js

@@ -8,9 +8,10 @@ const inquirer = require("inquirer");
 const aws_1 = require("../../lib/aws");
 const resources_1 = require("../../lib/resources");
 const get_1 = require("../../commands/resources/get");
+const common_1 = require("../../lib/common");
 const StartIAMRoleSessionDocument = `
-mutation StartIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -27,9 +28,18 @@ mutation StartIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessLevel
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 const ListIamRolesDocument = `
@@ -51,6 +61,7 @@ class StartIAMRoleSession extends command_1.Command {
         const { flags } = this.parse(StartIAMRoleSession);
         let roleId = flags.id;
         let roleName = null;
+        const sessionId = flags.sessionId;
         if (!roleId) {
             const { resp: iamRolesResp, error } = await handler_1.runQuery({
                 command: this,
@@ -106,7 +117,7 @@ class StartIAMRoleSession extends command_1.Command {
         const { resp, error } = await handler_1.runMutation({
             command: this,
             query: StartIAMRoleSessionDocument,
-            variables: { id: roleId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL },
+            variables: { id: roleId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL, sessionId: sessionId },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
             case 'CreateSessionResult': {
@@ -125,6 +136,10 @@ class StartIAMRoleSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, roleId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -142,4 +157,8 @@ StartIAMRoleSession.flags = {
         multiple: false,
         description: 'The ID of the Opal role resource.',
     }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/commands/kube-roles/start.d.ts

@@ -6,6 +6,7 @@ export default class StartKubeIAMRoleSession extends Command {
         help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
         id: flags.IOptionFlag<string | undefined>;
         accessLevelRemoteId: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/kube-roles/start.js

@@ -8,9 +8,10 @@ const inquirer = require("inquirer");
 const types_1 = require("../../types");
 const aws_1 = require("../../lib/aws");
 const resources_1 = require("../../lib/resources");
+const common_1 = require("../../lib/common");
 const StartKubeIAMRoleSessionDocument = `
-mutation StartKubeIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartKubeIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -27,9 +28,18 @@ mutation StartKubeIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessL
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 const ListKubeIamRolesDocument = `
@@ -54,6 +64,7 @@ class StartKubeIAMRoleSession extends command_1.Command {
         const { flags } = this.parse(StartKubeIAMRoleSession);
         // TODO: RESOURCES-1: How do we grant access to a perm using ID
         let clusterId = flags.id;
+        const sessionId = flags.sessionId;
         if (!clusterId) {
             const { resp: kubeIamRolesResp, error } = await handler_1.runQuery({
                 command: this,
@@ -101,7 +112,7 @@ class StartKubeIAMRoleSession extends command_1.Command {
         const { resp, error } = await handler_1.runMutation({
             command: this,
             query: StartKubeIAMRoleSessionDocument,
-            variables: { id: clusterId, accessLevel },
+            variables: { id: clusterId, accessLevel, sessionId },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
             case 'CreateSessionResult': {
@@ -120,6 +131,10 @@ class StartKubeIAMRoleSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, clusterId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -142,4 +157,8 @@ StartKubeIAMRoleSession.flags = {
         multiple: false,
         description: 'The remote ID of the access level with which to access the cluster.',
     }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/commands/login.js

@@ -10,9 +10,11 @@ const inquirer = require("inquirer");
 const handler_1 = require("../handler");
 const credentials_2 = require("../lib/credentials");
 const config_1 = require("../lib/config");
-const ISSUER = 'https://auth.opal.dev';
+const ISSUER_PROD = 'https://auth.opal.dev';
+const ISSUER_DEV = 'https://authdev.opal.dev';
 const GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:device_code';
-const CLIENT_ID = '42rm6E5v7o67LBpRfjdT9KhnjrQHr9UF';
+const CLIENT_ID_PROD = '42rm6E5v7o67LBpRfjdT9KhnjrQHr9UF';
+const CLIENT_ID_DEV = 'XYV8qoAvZG7dHnhRp2g5XMJ1zX9fBP6s';
 const CLISignInMethodDocument = `
 query CLISignInMethod($input: SignInMethodInput!) {
   signInMethod(input: $input) {
@@ -41,52 +43,69 @@ class Login extends command_1.Command {
         var _a, _b, _c, _d, _e;
         try {
             await apollo_1.initClient(this);
+            let email;
+            let organizationID;
             if (await credentials_2.cred.accessToken) {
-                this.log('Please use `opal logout` to log out before logging in.');
-                return;
+                email = await credentials_2.cred.email;
+                organizationID = await credentials_2.cred.organizationID;
+                await credentials_2.cred.removeCredentials(-1);
             }
             const configDir = this.config.configDir;
             const configData = config_1.getOrCreateConfigData(configDir);
-            this.log('Welcome to Opal! ⚡️\n');
-            this.log('Please confirm your Opal instance URL:', configData[config_1.urlKey]);
-            this.log('If this is not correct, please first use `opal set-url --help`\n');
-            const { email } = await inquirer.prompt([{
-                    name: 'email',
-                    message: 'Enter your email:',
-                    type: 'input',
-                    validate: email => Boolean(email),
-                }]);
-            const { resp: signInOrganizationsResponse, error } = await handler_1.runQuery({
-                command: this,
-                query: CLISignInMethodDocument,
-                variables: { input: { email } },
-            });
-            if (error) {
-                this.log('Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)');
+            if (email && organizationID) {
+                console.log('Signing in as ' + email + ' - to use a different account, run `opal logout`');
             }
-            const signInOrganizations = (_b = (_a = signInOrganizationsResponse === null || signInOrganizationsResponse === void 0 ? void 0 : signInOrganizationsResponse.data) === null || _a === void 0 ? void 0 : _a.signInMethod) === null || _b === void 0 ? void 0 : _b.signInOrganizations;
-            let organizationID = '';
-            if (signInOrganizations) {
-                if (signInOrganizations.length === 1) {
-                    organizationID = signInOrganizations[0].organizationId;
+            else {
+                this.log('Welcome to Opal! ⚡️\n');
+                this.log('Please confirm your Opal instance URL:', configData[config_1.urlKey]);
+                this.log('If this is not correct, please first use `opal set-url --help`\n');
+                const { email: promptEmail } = await inquirer.prompt([{
+                        name: 'email',
+                        message: 'Enter your email:',
+                        type: 'input',
+                        validate: email => Boolean(email),
+                    }]);
+                email = promptEmail;
+                const { resp: signInOrganizationsResponse, error } = await handler_1.runQuery({
+                    command: this,
+                    query: CLISignInMethodDocument,
+                    variables: { input: { email } },
+                });
+                if (error) {
+                    this.log('Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)');
                 }
-                else {
-                    const responses = await inquirer.prompt([{
-                            name: 'organizationID',
-                            message: 'Select an organization:',
-                            type: 'list',
-                            choices: signInOrganizations.map(signInOrganization => ({
-                                name: signInOrganization.organizationName,
-                                value: signInOrganization.organizationId,
-                            })),
-                        }]);
-                    organizationID = responses.organizationID;
+                const signInOrganizations = (_b = (_a = signInOrganizationsResponse === null || signInOrganizationsResponse === void 0 ? void 0 : signInOrganizationsResponse.data) === null || _a === void 0 ? void 0 : _a.signInMethod) === null || _b === void 0 ? void 0 : _b.signInOrganizations;
+                if (signInOrganizations) {
+                    if (signInOrganizations.length === 1) {
+                        organizationID = signInOrganizations[0].organizationId;
+                    }
+                    else {
+                        const responses = await inquirer.prompt([{
+                                name: 'organizationID',
+                                message: 'Select an organization:',
+                                type: 'list',
+                                choices: signInOrganizations.map(signInOrganization => ({
+                                    name: signInOrganization.organizationName,
+                                    value: signInOrganization.organizationId,
+                                })),
+                            }]);
+                        organizationID = responses.organizationID;
+                    }
                 }
             }
-            const issuer = await openid_client_1.Issuer.discover(ISSUER);
+            let issuer;
+            let clientId;
+            if (config_1.isProduction(this.config.configDir)) {
+                issuer = await openid_client_1.Issuer.discover(ISSUER_PROD);
+                clientId = CLIENT_ID_PROD;
+            }
+            else {
+                issuer = await openid_client_1.Issuer.discover(ISSUER_DEV);
+                clientId = CLIENT_ID_DEV;
+            }
             const client = new issuer.Client({
                 grant_types: [GRANT_TYPE],
-                client_id: CLIENT_ID,
+                client_id: clientId,
                 response_types: [],
                 redirect_uris: [],
                 token_endpoint_auth_method: 'none',

package/lib/commands/postgres-instances/start.d.ts

@@ -6,6 +6,7 @@ export default class StartPostgresInstanceSession extends Command {
         help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
         id: flags.IOptionFlag<string | undefined>;
         accessLevelRemoteId: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/postgres-instances/start.js

@@ -6,6 +6,7 @@ const cmd_1 = require("../../lib/cmd");
 const apollo_1 = require("../../lib/apollo");
 const inquirer = require("inquirer");
 const resources_1 = require("../../lib/resources");
+const common_1 = require("../../lib/common");
 const ListPostgresInstancesDocument = `
 query ListPostgresInstances {
   resources(input: {serviceType: POSTGRES, onlyMine: true, maxNumEntries: 1000}) {
@@ -20,8 +21,8 @@ query ListPostgresInstances {
   }
 }`;
 const StartPostgresInstanceSessionDocument = `
-mutation StartPostgresInstanceSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartPostgresInstanceSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -38,9 +39,18 @@ mutation StartPostgresInstanceSession($id: ResourceId!, $accessLevel: ResourceAc
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 class StartPostgresInstanceSession extends command_1.Command {
@@ -49,6 +59,7 @@ class StartPostgresInstanceSession extends command_1.Command {
         const { flags } = this.parse(StartPostgresInstanceSession);
         let instanceId = flags.id;
         let instanceName = null;
+        const sessionId = flags.sessionId;
         // TODO: RESOURCES-1: How do we grant access to a perm using ID
         if (!instanceId) {
             const { resp: postgresInstancesResp, error } = await handler_1.runQuery({
@@ -100,6 +111,7 @@ class StartPostgresInstanceSession extends command_1.Command {
             variables: {
                 id: instanceId,
                 accessLevel,
+                sessionId,
             },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
@@ -138,6 +150,10 @@ class StartPostgresInstanceSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, instanceId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -160,4 +176,8 @@ StartPostgresInstanceSession.flags = {
         multiple: false,
         description: 'The remote ID of the access level with which to access the database.',
     }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/commands/set-url.d.ts

@@ -7,6 +7,7 @@ export default class SetUrl extends Command {
         custom: flags.IOptionFlag<string | undefined>;
         allowSelfSignedCerts: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;
         prod: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;
+        staging: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;
         demo: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;
         dev: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;
         devLocal: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;

package/lib/commands/set-url.js

@@ -14,6 +14,9 @@ class SetUrl extends command_1.Command {
             else if (flags.prod) {
                 url = 'https://app.opal.dev';
             }
+            else if (flags.staging) {
+                url = 'https://staging.opal.dev';
+            }
             else if (flags.demo) {
                 url = 'https://demo.opal.dev';
             }
@@ -46,6 +49,7 @@ SetUrl.flags = {
     }),
     allowSelfSignedCerts: command_1.flags.boolean(),
     prod: command_1.flags.boolean(),
+    staging: command_1.flags.boolean(),
     demo: command_1.flags.boolean(),
     dev: command_1.flags.boolean(),
     devLocal: command_1.flags.boolean(),

package/lib/commands/ssh/copyFrom.d.ts

@@ -8,6 +8,7 @@ export default class StartSCPSession extends Command {
         dest: flags.IOptionFlag<string>;
         user: flags.IOptionFlag<string>;
         id: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/ssh/copyFrom.js

@@ -5,9 +5,10 @@ const handler_1 = require("../../handler");
 const apollo_1 = require("../../lib/apollo");
 const cmd_1 = require("../../lib/cmd");
 const ssh_1 = require("../../lib/ssh");
+const common_1 = require("../../lib/common");
 const StartSSHSessionDocument = `
-mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -26,9 +27,18 @@ mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInpu
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 class StartSCPSession extends command_1.Command {
@@ -41,6 +51,7 @@ class StartSCPSession extends command_1.Command {
         }
         let instanceId = flags.id;
         let instanceName = null;
+        const sessionId = flags.sessionId;
         if (!instanceId) {
             const selectedInstance = await ssh_1.selectComputeInstance(this, 'SCP into');
             if (!selectedInstance) {
@@ -52,7 +63,7 @@ class StartSCPSession extends command_1.Command {
         const { resp, error } = await handler_1.runMutation({
             command: this,
             query: StartSSHSessionDocument,
-            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL },
+            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL, sessionId },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
             case 'CreateSessionResult': {
@@ -75,6 +86,10 @@ class StartSCPSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, instanceId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -109,4 +124,8 @@ StartSCPSession.flags = {
         multiple: false,
         description: 'The ID of the Opal instance resource.',
     }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/commands/ssh/copyTo.d.ts

@@ -8,6 +8,7 @@ export default class StartSCPSession extends Command {
         dest: flags.IOptionFlag<string>;
         user: flags.IOptionFlag<string>;
         id: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/ssh/copyTo.js

@@ -5,9 +5,10 @@ const handler_1 = require("../../handler");
 const apollo_1 = require("../../lib/apollo");
 const cmd_1 = require("../../lib/cmd");
 const ssh_1 = require("../../lib/ssh");
+const common_1 = require("../../lib/common");
 const StartSSHSessionDocument = `
-mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -26,9 +27,18 @@ mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInpu
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 class StartSCPSession extends command_1.Command {
@@ -41,6 +51,7 @@ class StartSCPSession extends command_1.Command {
         }
         let instanceId = flags.id;
         let instanceName = null;
+        const sessionId = flags.sessionId;
         if (!instanceId) {
             const selectedInstance = await ssh_1.selectComputeInstance(this, 'SCP into');
             if (!selectedInstance) {
@@ -52,7 +63,7 @@ class StartSCPSession extends command_1.Command {
         const { resp, error } = await handler_1.runMutation({
             command: this,
             query: StartSSHSessionDocument,
-            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL },
+            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL, sessionId },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
             case 'CreateSessionResult': {
@@ -75,6 +86,10 @@ class StartSCPSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, instanceId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -109,4 +124,8 @@ StartSCPSession.flags = {
         multiple: false,
         description: 'The ID of the Opal instance resource.',
     }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/commands/ssh/start.d.ts

@@ -5,6 +5,7 @@ export default class StartSSHSession extends Command {
     static flags: {
         help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
         id: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/ssh/start.js

@@ -7,9 +7,10 @@ const apollo_1 = require("../../lib/apollo");
 const ssh_1 = require("../../lib/ssh");
 const get_1 = require("../../commands/resources/get");
 const aws_1 = require("../../lib/aws");
+const common_1 = require("../../lib/common");
 const StartSSHSessionDocument = `
-mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -28,9 +29,18 @@ mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInpu
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 class StartSSHSession extends command_1.Command {
@@ -43,6 +53,7 @@ class StartSSHSession extends command_1.Command {
         }
         let instanceId = flags.id;
         let instanceName = null;
+        const sessionId = flags.sessionId;
         // TODO: RESOURCES-1: How do we grant access to a perm using ID
         if (!instanceId) {
             const selectedInstance = await ssh_1.selectComputeInstance(this, 'SSH into');
@@ -69,7 +80,7 @@ class StartSSHSession extends command_1.Command {
         const { resp, error } = await handler_1.runMutation({
             command: this,
             query: StartSSHSessionDocument,
-            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL },
+            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL, sessionId },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
             case 'CreateSessionResult': {
@@ -90,6 +101,10 @@ class StartSSHSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, instanceId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -107,4 +122,14 @@ StartSSHSession.flags = {
         multiple: false,
         description: 'The ID of the Opal instance resource.',
     }),
+    // TODO: Unfortunately allowing SSM over SSH disables logging
+    // user: flags.string({
+    //   multiple: false,
+    //   required: false,
+    //   default: "ssm-user",
+    // }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/lib/common.d.ts

@@ -0,0 +1,2 @@
+import { Command } from '@oclif/command';
+export declare const handleMfaRedirect: (command: Command, resourceId: string) => void;

package/lib/lib/common.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleMfaRedirect = void 0;
+const config_1 = require("./config");
+const open = require("open");
+exports.handleMfaRedirect = (command, resourceId) => {
+    command.log('❗ MFA validation needed. Please connect via browser. Redirecting...');
+    const configData = config_1.getOrCreateConfigData(command.config.configDir);
+    const url = configData[config_1.urlKey];
+    setTimeout(() => {
+        open(url + `/resources/${resourceId}?showModal=true`);
+    }, 2000);
+};

package/lib/lib/config.d.ts

@@ -4,3 +4,4 @@ export declare const allowSelfSignedCertsKey = "allowSelfSignedCerts";
 export declare const defaultAllowSelfSignedCerts = false;
 export declare const getOrCreateConfigData: (configDir: string) => Record<string, any>;
 export declare const writeConfigData: (configDir: string, newConfigData: Record<string, any>) => void;
+export declare const isProduction: (configDir: string) => boolean;

package/lib/lib/config.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.writeConfigData = exports.getOrCreateConfigData = exports.defaultAllowSelfSignedCerts = exports.allowSelfSignedCertsKey = exports.defaultUrl = exports.urlKey = void 0;
+exports.isProduction = exports.writeConfigData = exports.getOrCreateConfigData = exports.defaultAllowSelfSignedCerts = exports.allowSelfSignedCertsKey = exports.defaultUrl = exports.urlKey = void 0;
 const fs = require("fs");
 const path = require("path");
 exports.urlKey = 'url';
@@ -50,3 +50,12 @@ exports.writeConfigData = (configDir, newConfigData) => {
         mode: 0o0600,
     });
 };
+exports.isProduction = (configDir) => {
+    const configData = exports.getOrCreateConfigData(configDir);
+    // Custom URLs are considered production since it includes on-prem
+    return configData[exports.urlKey] !== 'https://dev.opal.dev' &&
+        configData[exports.urlKey] !== 'http://localhost:3000' &&
+        configData[exports.urlKey] !== 'http://localhost:4000' &&
+        configData[exports.urlKey] !== 'https://demo.opal.dev' &&
+        configData[exports.urlKey] !== 'https://staging.opal.dev';
+};

package/lib/lib/credentials.d.ts

@@ -3,5 +3,6 @@ export declare const cred: {
     removeCredentials(after: number): Promise<void>;
     readonly accountId: Promise<string | undefined>;
     readonly organizationID: Promise<string | undefined>;
+    readonly email: Promise<string | undefined>;
     readonly accessToken: Promise<string | undefined>;
 };

package/lib/lib/credentials.js

@@ -50,6 +50,25 @@ exports.cred = {
             }
         })();
     },
+    get email() {
+        return (async () => {
+            try {
+                const keyContents = await keytar.findCredentials(exports.OPAL_CREDS_KEY);
+                if (!keyContents[0]) {
+                    return undefined;
+                }
+                const { account } = keyContents[0];
+                const parts = account.split('|');
+                if (!parts || parts.length <= 1) {
+                    return undefined;
+                }
+                return parts[0];
+            }
+            catch (error) {
+                throw error;
+            }
+        })();
+    },
     get accessToken() {
         return (async () => {
             try {

package/oclif.manifest.json

@@ -1 +1 @@
-{"version":"2.0.10","commands":{"curl-example":{"id":"curl-example","description":"Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.","pluginName":"opal-security","pluginType":"core","aliases":[],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"login":{"id":"login","description":"Authenticates you with the Opal server.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal login"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"logout":{"id":"logout","description":"Clears locally stored Opal server authentication credentials.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal logout"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"set-url":{"id":"set-url","description":"Sets the url of the Opal server. Defaults to https://app.opal.dev.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal set-host"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"custom":{"name":"custom","type":"option"},"allowSelfSignedCerts":{"name":"allowSelfSignedCerts","type":"boolean","allowNo":false},"prod":{"name":"prod","type":"boolean","allowNo":false},"demo":{"name":"demo","type":"boolean","allowNo":false},"dev":{"name":"dev","type":"boolean","allowNo":false},"devLocal":{"name":"devLocal","type":"boolean","allowNo":false}},"args":[]},"aws:identity":{"id":"aws:identity","description":"Gets the current caller identity for the \"opal\" AWS profile.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal aws:identity"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"iam-roles:start":{"id":"iam-roles:start","description":"Starts a session to assume an IAM role.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal iam-roles:start","opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal role resource."}},"args":[]},"kube-roles:start":{"id":"kube-roles:start","description":"Starts a session to assume a Kubernetes cluster IAM role.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal kube-roles:start","opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398","opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId \"arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role\""],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal role resource."},"accessLevelRemoteId":{"name":"accessLevelRemoteId","type":"option","description":"The remote ID of the access level with which to access the cluster."}},"args":[]},"postgres-instances:start":{"id":"postgres-instances:start","description":"Starts a session to query a Postgres database.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal postgres-instances:start","opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398","opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId \"fullaccess\""],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."},"accessLevelRemoteId":{"name":"accessLevelRemoteId","type":"option","description":"The remote ID of the access level with which to access the database."}},"args":[]},"resources:get":{"id":"resources:get","description":"Get resource info for a particular resource.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","required":true}},"args":[]},"ssh:copyFrom":{"id":"ssh:copyFrom","description":"Use SCP to copy files from a compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:copyFrom --src instance/dir --dest my/dir","opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"src":{"name":"src","type":"option","description":"The path of the directory or file you would like to copy over SCP. Note we only support one file or directory at a time.","required":true},"dest":{"name":"dest","type":"option","description":"Pick which directory you want your files to be copied to.","required":false,"default":"."},"user":{"name":"user","type":"option","description":"Pick which user you want to run SCP over. Keep in mind not all users will have access to each other's home directory.","required":false,"default":"ssm-user"},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."}},"args":[]},"ssh:copyTo":{"id":"ssh:copyTo","description":"Use SCP to copy files to a compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:copyTo --src my/dir --dest instance/dir","opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"src":{"name":"src","type":"option","description":"The path of the directory or file you would like to copy over SCP. Note we only support one file or directory at a time.","required":true},"dest":{"name":"dest","type":"option","description":"Pick which directory you want your files to be copied to.","required":false,"default":"."},"user":{"name":"user","type":"option","description":"Pick which user you want to run SCP over. Keep in mind not all users will have access to each other's home directory.","required":false,"default":"ssm-user"},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."}},"args":[]},"ssh:start":{"id":"ssh:start","description":"Start an SSH session to access a particular compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:start","opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."}},"args":[]}}}
+{"version":"2.0.13","commands":{"curl-example":{"id":"curl-example","description":"Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.","pluginName":"opal-security","pluginType":"core","aliases":[],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"login":{"id":"login","description":"Authenticates you with the Opal server.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal login"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"logout":{"id":"logout","description":"Clears locally stored Opal server authentication credentials.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal logout"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"set-url":{"id":"set-url","description":"Sets the url of the Opal server. Defaults to https://app.opal.dev.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal set-host"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"custom":{"name":"custom","type":"option"},"allowSelfSignedCerts":{"name":"allowSelfSignedCerts","type":"boolean","allowNo":false},"prod":{"name":"prod","type":"boolean","allowNo":false},"staging":{"name":"staging","type":"boolean","allowNo":false},"demo":{"name":"demo","type":"boolean","allowNo":false},"dev":{"name":"dev","type":"boolean","allowNo":false},"devLocal":{"name":"devLocal","type":"boolean","allowNo":false}},"args":[]},"aws:identity":{"id":"aws:identity","description":"Gets the current caller identity for the \"opal\" AWS profile.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal aws:identity"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"iam-roles:start":{"id":"iam-roles:start","description":"Starts a session to assume an IAM role.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal iam-roles:start","opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal role resource."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]},"kube-roles:start":{"id":"kube-roles:start","description":"Starts a session to assume a Kubernetes cluster IAM role.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal kube-roles:start","opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398","opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId \"arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role\""],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal role resource."},"accessLevelRemoteId":{"name":"accessLevelRemoteId","type":"option","description":"The remote ID of the access level with which to access the cluster."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]},"postgres-instances:start":{"id":"postgres-instances:start","description":"Starts a session to query a Postgres database.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal postgres-instances:start","opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398","opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId \"fullaccess\""],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."},"accessLevelRemoteId":{"name":"accessLevelRemoteId","type":"option","description":"The remote ID of the access level with which to access the database."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]},"resources:get":{"id":"resources:get","description":"Get resource info for a particular resource.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","required":true}},"args":[]},"ssh:copyFrom":{"id":"ssh:copyFrom","description":"Use SCP to copy files from a compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:copyFrom --src instance/dir --dest my/dir","opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"src":{"name":"src","type":"option","description":"The path of the directory or file you would like to copy over SCP. Note we only support one file or directory at a time.","required":true},"dest":{"name":"dest","type":"option","description":"Pick which directory you want your files to be copied to.","required":false,"default":"."},"user":{"name":"user","type":"option","description":"Pick which user you want to run SCP over. Keep in mind not all users will have access to each other's home directory.","required":false,"default":"ssm-user"},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]},"ssh:copyTo":{"id":"ssh:copyTo","description":"Use SCP to copy files to a compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:copyTo --src my/dir --dest instance/dir","opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"src":{"name":"src","type":"option","description":"The path of the directory or file you would like to copy over SCP. Note we only support one file or directory at a time.","required":true},"dest":{"name":"dest","type":"option","description":"Pick which directory you want your files to be copied to.","required":false,"default":"."},"user":{"name":"user","type":"option","description":"Pick which user you want to run SCP over. Keep in mind not all users will have access to each other's home directory.","required":false,"default":"ssm-user"},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]},"ssh:start":{"id":"ssh:start","description":"Start an SSH session to access a particular compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:start","opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]}}}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opal-security",
   "description": "Opal allows you to centrally manage access to all of your sensitive systems.",
-  "version": "2.0.10",
+  "version": "2.0.13",
   "author": "Stephen Cobbe",
   "bin": {
     "opal": "./bin/run"