opal-security 2.0.12 → 2.0.13

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (-v|--version|version)
-opal-security/2.0.12 darwin-x64 node-v14.16.1
+opal-security/2.0.13 darwin-x64 node-v14.16.1
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -86,7 +86,7 @@ EXAMPLE
   opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/aws/identity.ts)_
 
 ## `opal curl-example`
 
@@ -100,7 +100,7 @@ OPTIONS
   -h, --help  show CLI help
 ```
 
-_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/curl-example.ts)_
+_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/curl-example.ts)_
 
 ## `opal help [COMMAND]`
 
@@ -128,15 +128,16 @@ USAGE
   $ opal iam-roles:start
 
 OPTIONS
-  -h, --help  show CLI help
-  --id=id     The ID of the Opal role resource.
+  -h, --help             show CLI help
+  --id=id                The ID of the Opal role resource.
+  --sessionId=sessionId  SessionId of a session that has already been created via the web flow.
 
 EXAMPLES
   opal iam-roles:start
   opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles:start`
 
@@ -150,6 +151,7 @@ OPTIONS
   -h, --help                                 show CLI help
   --accessLevelRemoteId=accessLevelRemoteId  The remote ID of the access level with which to access the cluster.
   --id=id                                    The ID of the Opal role resource.
+  --sessionId=sessionId                      SessionId of a session that has already been created via the web flow.
 
 EXAMPLES
   opal kube-roles:start
@@ -158,7 +160,7 @@ EXAMPLES
   "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -175,7 +177,7 @@ EXAMPLE
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -192,7 +194,7 @@ EXAMPLE
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/logout.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/logout.ts)_
 
 ## `opal postgres-instances:start`
 
@@ -206,6 +208,7 @@ OPTIONS
   -h, --help                                 show CLI help
   --accessLevelRemoteId=accessLevelRemoteId  The remote ID of the access level with which to access the database.
   --id=id                                    The ID of the Opal instance resource.
+  --sessionId=sessionId                      SessionId of a session that has already been created via the web flow.
 
 EXAMPLES
   opal postgres-instances:start
@@ -213,7 +216,7 @@ EXAMPLES
   opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "fullaccess"
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/postgres-instances/start.ts)_
 
 ## `opal resources:get`
 
@@ -231,7 +234,7 @@ EXAMPLE
   opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/resources/get.ts)_
 
 ## `opal set-url`
 
@@ -255,7 +258,7 @@ EXAMPLE
   $ opal set-host
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/set-url.ts)_
 
 ## `opal ssh:copyFrom`
 
@@ -266,22 +269,23 @@ USAGE
   $ opal ssh:copyFrom
 
 OPTIONS
-  -h, --help   show CLI help
-  --dest=dest  [default: .] Pick which directory you want your files to be copied to.
-  --id=id      The ID of the Opal instance resource.
+  -h, --help             show CLI help
+  --dest=dest            [default: .] Pick which directory you want your files to be copied to.
+  --id=id                The ID of the Opal instance resource.
+  --sessionId=sessionId  SessionId of a session that has already been created via the web flow.
 
-  --src=src    (required) The path of the directory or file you would like to copy over SCP. Note we only support one
-               file or directory at a time.
+  --src=src              (required) The path of the directory or file you would like to copy over SCP. Note we only
+                         support one file or directory at a time.
 
-  --user=user  [default: ssm-user] Pick which user you want to run SCP over. Keep in mind not all users will have access
-               to each other's home directory.
+  --user=user            [default: ssm-user] Pick which user you want to run SCP over. Keep in mind not all users will
+                         have access to each other's home directory.
 
 EXAMPLES
   opal ssh:copyFrom --src instance/dir --dest my/dir
   opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh:copyTo`
 
@@ -292,22 +296,23 @@ USAGE
   $ opal ssh:copyTo
 
 OPTIONS
-  -h, --help   show CLI help
-  --dest=dest  [default: .] Pick which directory you want your files to be copied to.
-  --id=id      The ID of the Opal instance resource.
+  -h, --help             show CLI help
+  --dest=dest            [default: .] Pick which directory you want your files to be copied to.
+  --id=id                The ID of the Opal instance resource.
+  --sessionId=sessionId  SessionId of a session that has already been created via the web flow.
 
-  --src=src    (required) The path of the directory or file you would like to copy over SCP. Note we only support one
-               file or directory at a time.
+  --src=src              (required) The path of the directory or file you would like to copy over SCP. Note we only
+                         support one file or directory at a time.
 
-  --user=user  [default: ssm-user] Pick which user you want to run SCP over. Keep in mind not all users will have access
-               to each other's home directory.
+  --user=user            [default: ssm-user] Pick which user you want to run SCP over. Keep in mind not all users will
+                         have access to each other's home directory.
 
 EXAMPLES
   opal ssh:copyTo --src my/dir --dest instance/dir
   opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh:start`
 
@@ -318,13 +323,14 @@ USAGE
   $ opal ssh:start
 
 OPTIONS
-  -h, --help  show CLI help
-  --id=id     The ID of the Opal instance resource.
+  -h, --help             show CLI help
+  --id=id                The ID of the Opal instance resource.
+  --sessionId=sessionId  SessionId of a session that has already been created via the web flow.
 
 EXAMPLES
   opal ssh:start
   opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.12/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.13/src/commands/ssh/start.ts)_
 <!-- commandsstop -->

package/lib/commands/iam-roles/start.d.ts

@@ -5,6 +5,7 @@ export default class StartIAMRoleSession extends Command {
     static flags: {
         help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
         id: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/iam-roles/start.js

@@ -8,9 +8,10 @@ const inquirer = require("inquirer");
 const aws_1 = require("../../lib/aws");
 const resources_1 = require("../../lib/resources");
 const get_1 = require("../../commands/resources/get");
+const common_1 = require("../../lib/common");
 const StartIAMRoleSessionDocument = `
-mutation StartIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -27,9 +28,18 @@ mutation StartIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessLevel
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 const ListIamRolesDocument = `
@@ -51,6 +61,7 @@ class StartIAMRoleSession extends command_1.Command {
         const { flags } = this.parse(StartIAMRoleSession);
         let roleId = flags.id;
         let roleName = null;
+        const sessionId = flags.sessionId;
         if (!roleId) {
             const { resp: iamRolesResp, error } = await handler_1.runQuery({
                 command: this,
@@ -106,7 +117,7 @@ class StartIAMRoleSession extends command_1.Command {
         const { resp, error } = await handler_1.runMutation({
             command: this,
             query: StartIAMRoleSessionDocument,
-            variables: { id: roleId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL },
+            variables: { id: roleId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL, sessionId: sessionId },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
             case 'CreateSessionResult': {
@@ -125,6 +136,10 @@ class StartIAMRoleSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, roleId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -142,4 +157,8 @@ StartIAMRoleSession.flags = {
         multiple: false,
         description: 'The ID of the Opal role resource.',
     }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/commands/kube-roles/start.d.ts

@@ -6,6 +6,7 @@ export default class StartKubeIAMRoleSession extends Command {
         help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
         id: flags.IOptionFlag<string | undefined>;
         accessLevelRemoteId: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/kube-roles/start.js

@@ -8,9 +8,10 @@ const inquirer = require("inquirer");
 const types_1 = require("../../types");
 const aws_1 = require("../../lib/aws");
 const resources_1 = require("../../lib/resources");
+const common_1 = require("../../lib/common");
 const StartKubeIAMRoleSessionDocument = `
-mutation StartKubeIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartKubeIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -27,9 +28,18 @@ mutation StartKubeIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessL
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 const ListKubeIamRolesDocument = `
@@ -54,6 +64,7 @@ class StartKubeIAMRoleSession extends command_1.Command {
         const { flags } = this.parse(StartKubeIAMRoleSession);
         // TODO: RESOURCES-1: How do we grant access to a perm using ID
         let clusterId = flags.id;
+        const sessionId = flags.sessionId;
         if (!clusterId) {
             const { resp: kubeIamRolesResp, error } = await handler_1.runQuery({
                 command: this,
@@ -101,7 +112,7 @@ class StartKubeIAMRoleSession extends command_1.Command {
         const { resp, error } = await handler_1.runMutation({
             command: this,
             query: StartKubeIAMRoleSessionDocument,
-            variables: { id: clusterId, accessLevel },
+            variables: { id: clusterId, accessLevel, sessionId },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
             case 'CreateSessionResult': {
@@ -120,6 +131,10 @@ class StartKubeIAMRoleSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, clusterId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -142,4 +157,8 @@ StartKubeIAMRoleSession.flags = {
         multiple: false,
         description: 'The remote ID of the access level with which to access the cluster.',
     }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/commands/postgres-instances/start.d.ts

@@ -6,6 +6,7 @@ export default class StartPostgresInstanceSession extends Command {
         help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
         id: flags.IOptionFlag<string | undefined>;
         accessLevelRemoteId: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/postgres-instances/start.js

@@ -6,6 +6,7 @@ const cmd_1 = require("../../lib/cmd");
 const apollo_1 = require("../../lib/apollo");
 const inquirer = require("inquirer");
 const resources_1 = require("../../lib/resources");
+const common_1 = require("../../lib/common");
 const ListPostgresInstancesDocument = `
 query ListPostgresInstances {
   resources(input: {serviceType: POSTGRES, onlyMine: true, maxNumEntries: 1000}) {
@@ -20,8 +21,8 @@ query ListPostgresInstances {
   }
 }`;
 const StartPostgresInstanceSessionDocument = `
-mutation StartPostgresInstanceSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartPostgresInstanceSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -38,9 +39,18 @@ mutation StartPostgresInstanceSession($id: ResourceId!, $accessLevel: ResourceAc
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 class StartPostgresInstanceSession extends command_1.Command {
@@ -49,6 +59,7 @@ class StartPostgresInstanceSession extends command_1.Command {
         const { flags } = this.parse(StartPostgresInstanceSession);
         let instanceId = flags.id;
         let instanceName = null;
+        const sessionId = flags.sessionId;
         // TODO: RESOURCES-1: How do we grant access to a perm using ID
         if (!instanceId) {
             const { resp: postgresInstancesResp, error } = await handler_1.runQuery({
@@ -100,6 +111,7 @@ class StartPostgresInstanceSession extends command_1.Command {
             variables: {
                 id: instanceId,
                 accessLevel,
+                sessionId,
             },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
@@ -138,6 +150,10 @@ class StartPostgresInstanceSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, instanceId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -160,4 +176,8 @@ StartPostgresInstanceSession.flags = {
         multiple: false,
         description: 'The remote ID of the access level with which to access the database.',
     }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/commands/ssh/copyFrom.d.ts

@@ -8,6 +8,7 @@ export default class StartSCPSession extends Command {
         dest: flags.IOptionFlag<string>;
         user: flags.IOptionFlag<string>;
         id: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/ssh/copyFrom.js

@@ -5,9 +5,10 @@ const handler_1 = require("../../handler");
 const apollo_1 = require("../../lib/apollo");
 const cmd_1 = require("../../lib/cmd");
 const ssh_1 = require("../../lib/ssh");
+const common_1 = require("../../lib/common");
 const StartSSHSessionDocument = `
-mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -26,9 +27,18 @@ mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInpu
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 class StartSCPSession extends command_1.Command {
@@ -41,6 +51,7 @@ class StartSCPSession extends command_1.Command {
         }
         let instanceId = flags.id;
         let instanceName = null;
+        const sessionId = flags.sessionId;
         if (!instanceId) {
             const selectedInstance = await ssh_1.selectComputeInstance(this, 'SCP into');
             if (!selectedInstance) {
@@ -52,7 +63,7 @@ class StartSCPSession extends command_1.Command {
         const { resp, error } = await handler_1.runMutation({
             command: this,
             query: StartSSHSessionDocument,
-            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL },
+            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL, sessionId },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
             case 'CreateSessionResult': {
@@ -75,6 +86,10 @@ class StartSCPSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, instanceId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -109,4 +124,8 @@ StartSCPSession.flags = {
         multiple: false,
         description: 'The ID of the Opal instance resource.',
     }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/commands/ssh/copyTo.d.ts

@@ -8,6 +8,7 @@ export default class StartSCPSession extends Command {
         dest: flags.IOptionFlag<string>;
         user: flags.IOptionFlag<string>;
         id: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/ssh/copyTo.js

@@ -5,9 +5,10 @@ const handler_1 = require("../../handler");
 const apollo_1 = require("../../lib/apollo");
 const cmd_1 = require("../../lib/cmd");
 const ssh_1 = require("../../lib/ssh");
+const common_1 = require("../../lib/common");
 const StartSSHSessionDocument = `
-mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -26,9 +27,18 @@ mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInpu
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 class StartSCPSession extends command_1.Command {
@@ -41,6 +51,7 @@ class StartSCPSession extends command_1.Command {
         }
         let instanceId = flags.id;
         let instanceName = null;
+        const sessionId = flags.sessionId;
         if (!instanceId) {
             const selectedInstance = await ssh_1.selectComputeInstance(this, 'SCP into');
             if (!selectedInstance) {
@@ -52,7 +63,7 @@ class StartSCPSession extends command_1.Command {
         const { resp, error } = await handler_1.runMutation({
             command: this,
             query: StartSSHSessionDocument,
-            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL },
+            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL, sessionId },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
             case 'CreateSessionResult': {
@@ -75,6 +86,10 @@ class StartSCPSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, instanceId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -109,4 +124,8 @@ StartSCPSession.flags = {
         multiple: false,
         description: 'The ID of the Opal instance resource.',
     }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/commands/ssh/start.d.ts

@@ -5,6 +5,7 @@ export default class StartSSHSession extends Command {
     static flags: {
         help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
         id: flags.IOptionFlag<string | undefined>;
+        sessionId: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;
 }

package/lib/commands/ssh/start.js

@@ -7,9 +7,10 @@ const apollo_1 = require("../../lib/apollo");
 const ssh_1 = require("../../lib/ssh");
 const get_1 = require("../../commands/resources/get");
 const aws_1 = require("../../lib/aws");
+const common_1 = require("../../lib/common");
 const StartSSHSessionDocument = `
-mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel}) {
+mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
+  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
     __typename
     ... on CreateSessionResult {
       session {
@@ -28,9 +29,18 @@ mutation StartSSHSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInpu
         }
       }
     }
+    ... on SessionNotFoundError {
+      message
+    }
+    ... on MfaInvalidError {
+      message
+    }
     ... on ResourceNotFoundError {
       message
     }
+    ... on EndSystemAuthorizationError {
+      message
+    }
   }
 }`;
 class StartSSHSession extends command_1.Command {
@@ -43,6 +53,7 @@ class StartSSHSession extends command_1.Command {
         }
         let instanceId = flags.id;
         let instanceName = null;
+        const sessionId = flags.sessionId;
         // TODO: RESOURCES-1: How do we grant access to a perm using ID
         if (!instanceId) {
             const selectedInstance = await ssh_1.selectComputeInstance(this, 'SSH into');
@@ -69,7 +80,7 @@ class StartSSHSession extends command_1.Command {
         const { resp, error } = await handler_1.runMutation({
             command: this,
             query: StartSSHSessionDocument,
-            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL },
+            variables: { id: instanceId, accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL, sessionId },
         });
         switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
             case 'CreateSessionResult': {
@@ -90,6 +101,10 @@ class StartSSHSession extends command_1.Command {
                 }
                 break;
             }
+            case 'MfaInvalidError': {
+                common_1.handleMfaRedirect(this, instanceId);
+                break;
+            }
             default:
                 apollo_1.printRequestOutput(this, resp, error);
         }
@@ -107,4 +122,14 @@ StartSSHSession.flags = {
         multiple: false,
         description: 'The ID of the Opal instance resource.',
     }),
+    // TODO: Unfortunately allowing SSM over SSH disables logging
+    // user: flags.string({
+    //   multiple: false,
+    //   required: false,
+    //   default: "ssm-user",
+    // }),
+    sessionId: command_1.flags.string({
+        multiple: false,
+        description: 'SessionId of a session that has already been created via the web flow.',
+    }),
 };

package/lib/lib/common.d.ts

@@ -0,0 +1,2 @@
+import { Command } from '@oclif/command';
+export declare const handleMfaRedirect: (command: Command, resourceId: string) => void;

package/lib/lib/common.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleMfaRedirect = void 0;
+const config_1 = require("./config");
+const open = require("open");
+exports.handleMfaRedirect = (command, resourceId) => {
+    command.log('❗ MFA validation needed. Please connect via browser. Redirecting...');
+    const configData = config_1.getOrCreateConfigData(command.config.configDir);
+    const url = configData[config_1.urlKey];
+    setTimeout(() => {
+        open(url + `/resources/${resourceId}?showModal=true`);
+    }, 2000);
+};

package/lib/lib/config.js

@@ -55,6 +55,7 @@ exports.isProduction = (configDir) => {
     // Custom URLs are considered production since it includes on-prem
     return configData[exports.urlKey] !== 'https://dev.opal.dev' &&
         configData[exports.urlKey] !== 'http://localhost:3000' &&
+        configData[exports.urlKey] !== 'http://localhost:4000' &&
         configData[exports.urlKey] !== 'https://demo.opal.dev' &&
         configData[exports.urlKey] !== 'https://staging.opal.dev';
 };

package/oclif.manifest.json

@@ -1 +1 @@
-{"version":"2.0.12","commands":{"curl-example":{"id":"curl-example","description":"Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.","pluginName":"opal-security","pluginType":"core","aliases":[],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"login":{"id":"login","description":"Authenticates you with the Opal server.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal login"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"logout":{"id":"logout","description":"Clears locally stored Opal server authentication credentials.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal logout"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"set-url":{"id":"set-url","description":"Sets the url of the Opal server. Defaults to https://app.opal.dev.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal set-host"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"custom":{"name":"custom","type":"option"},"allowSelfSignedCerts":{"name":"allowSelfSignedCerts","type":"boolean","allowNo":false},"prod":{"name":"prod","type":"boolean","allowNo":false},"staging":{"name":"staging","type":"boolean","allowNo":false},"demo":{"name":"demo","type":"boolean","allowNo":false},"dev":{"name":"dev","type":"boolean","allowNo":false},"devLocal":{"name":"devLocal","type":"boolean","allowNo":false}},"args":[]},"aws:identity":{"id":"aws:identity","description":"Gets the current caller identity for the \"opal\" AWS profile.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal aws:identity"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"iam-roles:start":{"id":"iam-roles:start","description":"Starts a session to assume an IAM role.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal iam-roles:start","opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal role resource."}},"args":[]},"kube-roles:start":{"id":"kube-roles:start","description":"Starts a session to assume a Kubernetes cluster IAM role.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal kube-roles:start","opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398","opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId \"arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role\""],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal role resource."},"accessLevelRemoteId":{"name":"accessLevelRemoteId","type":"option","description":"The remote ID of the access level with which to access the cluster."}},"args":[]},"postgres-instances:start":{"id":"postgres-instances:start","description":"Starts a session to query a Postgres database.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal postgres-instances:start","opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398","opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId \"fullaccess\""],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."},"accessLevelRemoteId":{"name":"accessLevelRemoteId","type":"option","description":"The remote ID of the access level with which to access the database."}},"args":[]},"resources:get":{"id":"resources:get","description":"Get resource info for a particular resource.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","required":true}},"args":[]},"ssh:copyFrom":{"id":"ssh:copyFrom","description":"Use SCP to copy files from a compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:copyFrom --src instance/dir --dest my/dir","opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"src":{"name":"src","type":"option","description":"The path of the directory or file you would like to copy over SCP. Note we only support one file or directory at a time.","required":true},"dest":{"name":"dest","type":"option","description":"Pick which directory you want your files to be copied to.","required":false,"default":"."},"user":{"name":"user","type":"option","description":"Pick which user you want to run SCP over. Keep in mind not all users will have access to each other's home directory.","required":false,"default":"ssm-user"},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."}},"args":[]},"ssh:copyTo":{"id":"ssh:copyTo","description":"Use SCP to copy files to a compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:copyTo --src my/dir --dest instance/dir","opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"src":{"name":"src","type":"option","description":"The path of the directory or file you would like to copy over SCP. Note we only support one file or directory at a time.","required":true},"dest":{"name":"dest","type":"option","description":"Pick which directory you want your files to be copied to.","required":false,"default":"."},"user":{"name":"user","type":"option","description":"Pick which user you want to run SCP over. Keep in mind not all users will have access to each other's home directory.","required":false,"default":"ssm-user"},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."}},"args":[]},"ssh:start":{"id":"ssh:start","description":"Start an SSH session to access a particular compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:start","opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."}},"args":[]}}}
+{"version":"2.0.13","commands":{"curl-example":{"id":"curl-example","description":"Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.","pluginName":"opal-security","pluginType":"core","aliases":[],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"login":{"id":"login","description":"Authenticates you with the Opal server.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal login"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"logout":{"id":"logout","description":"Clears locally stored Opal server authentication credentials.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal logout"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"set-url":{"id":"set-url","description":"Sets the url of the Opal server. Defaults to https://app.opal.dev.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["$ opal set-host"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"custom":{"name":"custom","type":"option"},"allowSelfSignedCerts":{"name":"allowSelfSignedCerts","type":"boolean","allowNo":false},"prod":{"name":"prod","type":"boolean","allowNo":false},"staging":{"name":"staging","type":"boolean","allowNo":false},"demo":{"name":"demo","type":"boolean","allowNo":false},"dev":{"name":"dev","type":"boolean","allowNo":false},"devLocal":{"name":"devLocal","type":"boolean","allowNo":false}},"args":[]},"aws:identity":{"id":"aws:identity","description":"Gets the current caller identity for the \"opal\" AWS profile.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal aws:identity"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false}},"args":[]},"iam-roles:start":{"id":"iam-roles:start","description":"Starts a session to assume an IAM role.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal iam-roles:start","opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal role resource."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]},"kube-roles:start":{"id":"kube-roles:start","description":"Starts a session to assume a Kubernetes cluster IAM role.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal kube-roles:start","opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398","opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId \"arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role\""],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal role resource."},"accessLevelRemoteId":{"name":"accessLevelRemoteId","type":"option","description":"The remote ID of the access level with which to access the cluster."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]},"postgres-instances:start":{"id":"postgres-instances:start","description":"Starts a session to query a Postgres database.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal postgres-instances:start","opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398","opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId \"fullaccess\""],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."},"accessLevelRemoteId":{"name":"accessLevelRemoteId","type":"option","description":"The remote ID of the access level with which to access the database."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]},"resources:get":{"id":"resources:get","description":"Get resource info for a particular resource.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","required":true}},"args":[]},"ssh:copyFrom":{"id":"ssh:copyFrom","description":"Use SCP to copy files from a compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:copyFrom --src instance/dir --dest my/dir","opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"src":{"name":"src","type":"option","description":"The path of the directory or file you would like to copy over SCP. Note we only support one file or directory at a time.","required":true},"dest":{"name":"dest","type":"option","description":"Pick which directory you want your files to be copied to.","required":false,"default":"."},"user":{"name":"user","type":"option","description":"Pick which user you want to run SCP over. Keep in mind not all users will have access to each other's home directory.","required":false,"default":"ssm-user"},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]},"ssh:copyTo":{"id":"ssh:copyTo","description":"Use SCP to copy files to a compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:copyTo --src my/dir --dest instance/dir","opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"src":{"name":"src","type":"option","description":"The path of the directory or file you would like to copy over SCP. Note we only support one file or directory at a time.","required":true},"dest":{"name":"dest","type":"option","description":"Pick which directory you want your files to be copied to.","required":false,"default":"."},"user":{"name":"user","type":"option","description":"Pick which user you want to run SCP over. Keep in mind not all users will have access to each other's home directory.","required":false,"default":"ssm-user"},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]},"ssh:start":{"id":"ssh:start","description":"Start an SSH session to access a particular compute instance.","pluginName":"opal-security","pluginType":"core","aliases":[],"examples":["opal ssh:start","opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398"],"flags":{"help":{"name":"help","type":"boolean","char":"h","description":"show CLI help","allowNo":false},"id":{"name":"id","type":"option","description":"The ID of the Opal instance resource."},"sessionId":{"name":"sessionId","type":"option","description":"SessionId of a session that has already been created via the web flow."}},"args":[]}}}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opal-security",
   "description": "Opal allows you to centrally manage access to all of your sensitive systems.",
-  "version": "2.0.12",
+  "version": "2.0.13",
   "author": "Stephen Cobbe",
   "bin": {
     "opal": "./bin/run"