opal-security 2.0.8 → 2.0.11

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (-v|--version|version)
-opal-security/2.0.8 darwin-x64 node-v14.16.1
+opal-security/2.0.11 darwin-x64 node-v14.16.1
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -86,7 +86,7 @@ EXAMPLE
   opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/aws/identity.ts)_
 
 ## `opal curl-example`
 
@@ -100,7 +100,7 @@ OPTIONS
   -h, --help  show CLI help
 ```
 
-_See code: [src/commands/curl-example.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/curl-example.ts)_
+_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/curl-example.ts)_
 
 ## `opal help [COMMAND]`
 
@@ -136,7 +136,7 @@ EXAMPLES
   opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles:start`
 
@@ -158,7 +158,7 @@ EXAMPLES
   "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -175,7 +175,7 @@ EXAMPLE
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -192,7 +192,7 @@ EXAMPLE
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/logout.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/logout.ts)_
 
 ## `opal postgres-instances:start`
 
@@ -213,7 +213,7 @@ EXAMPLES
   opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "fullaccess"
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/postgres-instances/start.ts)_
 
 ## `opal resources:get`
 
@@ -231,7 +231,7 @@ EXAMPLE
   opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/resources/get.ts)_
 
 ## `opal set-url`
 
@@ -254,7 +254,7 @@ EXAMPLE
   $ opal set-host
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/set-url.ts)_
 
 ## `opal ssh:copyFrom`
 
@@ -280,7 +280,7 @@ EXAMPLES
   opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh:copyTo`
 
@@ -306,7 +306,7 @@ EXAMPLES
   opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh:start`
 
@@ -325,5 +325,5 @@ EXAMPLES
   opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/cli/opal/blob/v2.0.8/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.11/src/commands/ssh/start.ts)_
 <!-- commandsstop -->

package/lib/commands/curl-example.js

@@ -6,13 +6,15 @@ const credentials_1 = require("../lib/credentials");
 class CurlExample extends command_1.Command {
     async run() {
         const accessToken = await credentials_1.cred.accessToken;
+        const organizationID = await credentials_1.cred.organizationID;
         const configData = config_1.getOrCreateConfigData(this.config.configDir);
         const url = configData[config_1.urlKey];
         this.log(`
 curl -v ${url}/query \\
   --data-binary '{"query":"query ListSSHSessions {resources(input: {serviceType: SSH, onlyMine: true}) {... on ResourcesResult { resources { name } } } }"}' \\
   --header "Content-Type: application/json" \\
-  --header "Authorization: Bearer ${accessToken}"
+  --header "Authorization: Bearer ${accessToken}" \\
+  --header "X-Opal-Organization-ID: ${organizationID}"
 `);
     }
 }

package/lib/commands/login.js

@@ -6,12 +6,91 @@ const open = require("open");
 const openid_client_1 = require("openid-client");
 const apollo_1 = require("../lib/apollo");
 const credentials_1 = require("../lib/credentials");
+const inquirer = require("inquirer");
+const handler_1 = require("../handler");
+const credentials_2 = require("../lib/credentials");
+const config_1 = require("../lib/config");
 const ISSUER = 'https://auth.opal.dev';
 const GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:device_code';
 const CLIENT_ID = '42rm6E5v7o67LBpRfjdT9KhnjrQHr9UF';
+const CLISignInMethodDocument = `
+query CLISignInMethod($input: SignInMethodInput!) {
+  signInMethod(input: $input) {
+    __typename
+    ... on SignInMethodResult {
+      signInOrganizations {
+        organizationId
+        organizationName
+      }
+    }
+  }
+}`;
+const CLIAuthSessionCheckDocument = `
+query CLIAuthSessionCheck {
+  organizationSettings {
+      ... on OrganizationSettingsResult {
+        settings {
+          id
+        }
+      }
+  }
+}
+`;
 class Login extends command_1.Command {
     async run() {
+        var _a, _b, _c, _d, _e;
         try {
+            await apollo_1.initClient(this);
+            let email;
+            let organizationID;
+            if (await credentials_2.cred.accessToken) {
+                email = await credentials_2.cred.email;
+                organizationID = await credentials_2.cred.organizationID;
+                await credentials_2.cred.removeCredentials(-1);
+            }
+            const configDir = this.config.configDir;
+            const configData = config_1.getOrCreateConfigData(configDir);
+            if (email && organizationID) {
+                console.log('Signing in as ' + email + ' - to use a different account, run `opal logout`');
+            }
+            else {
+                this.log('Welcome to Opal! ⚡️\n');
+                this.log('Please confirm your Opal instance URL:', configData[config_1.urlKey]);
+                this.log('If this is not correct, please first use `opal set-url --help`\n');
+                const { email: promptEmail } = await inquirer.prompt([{
+                        name: 'email',
+                        message: 'Enter your email:',
+                        type: 'input',
+                        validate: email => Boolean(email),
+                    }]);
+                email = promptEmail;
+                const { resp: signInOrganizationsResponse, error } = await handler_1.runQuery({
+                    command: this,
+                    query: CLISignInMethodDocument,
+                    variables: { input: { email } },
+                });
+                if (error) {
+                    this.log('Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)');
+                }
+                const signInOrganizations = (_b = (_a = signInOrganizationsResponse === null || signInOrganizationsResponse === void 0 ? void 0 : signInOrganizationsResponse.data) === null || _a === void 0 ? void 0 : _a.signInMethod) === null || _b === void 0 ? void 0 : _b.signInOrganizations;
+                if (signInOrganizations) {
+                    if (signInOrganizations.length === 1) {
+                        organizationID = signInOrganizations[0].organizationId;
+                    }
+                    else {
+                        const responses = await inquirer.prompt([{
+                                name: 'organizationID',
+                                message: 'Select an organization:',
+                                type: 'list',
+                                choices: signInOrganizations.map(signInOrganization => ({
+                                    name: signInOrganization.organizationName,
+                                    value: signInOrganization.organizationId,
+                                })),
+                            }]);
+                        organizationID = responses.organizationID;
+                    }
+                }
+            }
             const issuer = await openid_client_1.Issuer.discover(ISSUER);
             const client = new issuer.Client({
                 grant_types: [GRANT_TYPE],
@@ -25,13 +104,29 @@ class Login extends command_1.Command {
                 audience: 'https://opal.dev',
                 scope: 'openid email profile',
             });
-            this.log('You are being redirected to your browser to authenticate.\n');
+            this.log('\nYou are being redirected to your browser to authenticate.\n');
             this.log(`      User Code: ${handle.user_code}\n`);
+            // Wait 2 seconds to show the user code clearly
+            const sleep = (ms) => {
+                return new Promise(resolve => {
+                    setTimeout(resolve, ms);
+                });
+            };
+            await sleep(2000);
             await open(handle.verification_uri_complete, { wait: false });
             const tokenSet = await handle.poll();
             const userInfo = await client.userinfo(tokenSet);
-            await keytar.setPassword(credentials_1.OPAL_CREDS_KEY, userInfo.email || 'unset-email', (tokenSet === null || tokenSet === void 0 ? void 0 : tokenSet.access_token) || '');
-            await apollo_1.initClient(this);
+            await keytar.setPassword(credentials_1.OPAL_CREDS_KEY, (userInfo.email || 'unset-email') + '|' + organizationID, (tokenSet === null || tokenSet === void 0 ? void 0 : tokenSet.access_token) || '');
+            // "Representative" authenticated call to check the log-in worked as expected.
+            const { resp: authCheckResp, error: authCheckErr } = await handler_1.runQuery({
+                command: this,
+                query: CLIAuthSessionCheckDocument,
+                variables: {},
+            });
+            if (authCheckErr || !((_e = (_d = (_c = authCheckResp === null || authCheckResp === void 0 ? void 0 : authCheckResp.data) === null || _c === void 0 ? void 0 : _c.organizationSettings) === null || _d === void 0 ? void 0 : _d.settings) === null || _e === void 0 ? void 0 : _e.id)) {
+                this.log('Error verifying log in. Authenticated commands may fail. Please double check your URL and use `opal logout; opal login` to try again.\n');
+                return;
+            }
             this.log('🎉 You have successfully authenticated with Opal! You can now run authenticated commands.\n');
         }
         catch (error) {

package/lib/handler.d.ts

@@ -1,15 +1,15 @@
 import { Command } from '@oclif/command';
-interface QueryHandlerProps {
+interface QueryHandlerProps<TVar = Record<string, any>> {
     command: Command;
     query: string;
-    variables?: Record<string, any>;
+    variables?: TVar;
 }
 export declare const runMutation: ({ command, query, variables, }: QueryHandlerProps) => Promise<{
     resp: import("@apollo/client/core").FetchResult<any, Record<string, any>, Record<string, any>> | null;
     error: any;
 }>;
-export declare const runQuery: ({ command, query, variables, }: QueryHandlerProps) => Promise<{
-    resp: import("@apollo/client/core").ApolloQueryResult<any> | null;
+export declare const runQuery: <TResponse = any, TVar = Record<string, any>>({ command, query, variables, }: QueryHandlerProps<TVar>) => Promise<{
+    resp: import("@apollo/client/core").ApolloQueryResult<TResponse> | null;
     error: any;
 }>;
 declare const handler: ({ command, query, variables }: QueryHandlerProps) => void;

package/lib/lib/apollo.js

@@ -21,6 +21,7 @@ exports.initClient = async (command) => {
     const currentCLIVersion = command.config.version;
     const configData = config_1.getOrCreateConfigData(configDir);
     const accessToken = await credentials_1.cred.accessToken;
+    const organizationID = await credentials_1.cred.organizationID;
     const httpsAgent = new https.Agent({
         rejectUnauthorized: !configData[config_1.allowSelfSignedCertsKey],
     });
@@ -36,7 +37,7 @@ exports.initClient = async (command) => {
     });
     const authLink = context_1.setContext((_, { headers }) => {
         return {
-            headers: Object.assign(Object.assign({}, headers), { authorization: `Bearer ${accessToken}` }),
+            headers: Object.assign(Object.assign({}, headers), { authorization: `Bearer ${accessToken}`, 'X-Opal-Organization-ID': organizationID }),
         };
     });
     const checkCLIVersion = (operation) => {
@@ -44,15 +45,15 @@ exports.initClient = async (command) => {
         const headers = (_a = operation.getContext().response) === null || _a === void 0 ? void 0 : _a.headers;
         if (headers) {
             const expectedCLIMajorVersion = headers.get('Opal-CLI-Expected-Major-Version');
-            // defaults to version 1 since old Opal version won't have an advertised expected client version
-            const semvarExpectedMinCLIVersion = `${expectedCLIMajorVersion || '1'}.0.0`;
-            if (semver_1.major(currentCLIVersion) < semver_1.major(semvarExpectedMinCLIVersion)) {
-                command.warn(chalk_1.default.yellow(`❗️ Update your CLI to match the compatible version. Expected major version ${chalk_1.default.blueBright(semvarExpectedMinCLIVersion)}, but version ${chalk_1.default.blueBright(currentCLIVersion)} is installed.
-
-       Upgrade using the following command: ${chalk_1.default.blueBright('brew upgrade opalsecurity/brew/opal-security')}`));
-            }
-            else if (semver_1.major(currentCLIVersion) > semver_1.major(semvarExpectedMinCLIVersion)) {
-                command.warn(chalk_1.default.yellow('❗️ Uh oh! The currently installed Opal server is outdated. Please contact your Opal admins to let them know they need to upgrade their deployment.'));
+            if (expectedCLIMajorVersion) {
+                const semvarExpectedMinCLIVersion = `${expectedCLIMajorVersion}.0.0`;
+                if (semver_1.major(currentCLIVersion) < semver_1.major(semvarExpectedMinCLIVersion)) {
+                    command.warn(chalk_1.default.yellow(`❗️ Update your CLI to match the compatible version. Expected major version ${chalk_1.default.blueBright(semvarExpectedMinCLIVersion)}, but version ${chalk_1.default.blueBright(currentCLIVersion)} is installed.
+          Upgrade using the following command: ${chalk_1.default.blueBright('brew upgrade opalsecurity/brew/opal-security')}`));
+                }
+                else if (semver_1.major(currentCLIVersion) > semver_1.major(semvarExpectedMinCLIVersion)) {
+                    command.warn(chalk_1.default.yellow('❗️ Uh oh! The currently installed Opal server is outdated. Please contact your Opal admins to let them know they need to upgrade their deployment.'));
+                }
             }
         }
     };

package/lib/lib/credentials.d.ts

@@ -1,6 +1,8 @@
 export declare const OPAL_CREDS_KEY = "opal";
 export declare const cred: {
     removeCredentials(after: number): Promise<void>;
-    readonly accountId: Promise<string>;
-    readonly accessToken: Promise<string>;
+    readonly accountId: Promise<string | undefined>;
+    readonly organizationID: Promise<string | undefined>;
+    readonly email: Promise<string | undefined>;
+    readonly accessToken: Promise<string | undefined>;
 };

package/lib/lib/credentials.js

@@ -20,6 +20,9 @@ exports.cred = {
         return (async () => {
             try {
                 const keyContents = await keytar.findCredentials(exports.OPAL_CREDS_KEY);
+                if (!keyContents[0]) {
+                    return undefined;
+                }
                 const { account } = keyContents[0];
                 return account;
             }
@@ -28,12 +31,50 @@ exports.cred = {
             }
         })();
     },
+    get organizationID() {
+        return (async () => {
+            try {
+                const keyContents = await keytar.findCredentials(exports.OPAL_CREDS_KEY);
+                if (!keyContents[0]) {
+                    return undefined;
+                }
+                const { account } = keyContents[0];
+                const parts = account.split('|');
+                if (!parts || parts.length <= 1) {
+                    return undefined;
+                }
+                return parts.pop();
+            }
+            catch (error) {
+                throw error;
+            }
+        })();
+    },
+    get email() {
+        return (async () => {
+            try {
+                const keyContents = await keytar.findCredentials(exports.OPAL_CREDS_KEY);
+                if (!keyContents[0]) {
+                    return undefined;
+                }
+                const { account } = keyContents[0];
+                const parts = account.split('|');
+                if (!parts || parts.length <= 1) {
+                    return undefined;
+                }
+                return parts[0];
+            }
+            catch (error) {
+                throw error;
+            }
+        })();
+    },
     get accessToken() {
         return (async () => {
             try {
                 const keyContents = await keytar.findCredentials(exports.OPAL_CREDS_KEY);
                 if (!keyContents[0]) {
-                    return 'unset-token';
+                    return undefined;
                 }
                 const { password } = keyContents[0];
                 return password;