opal-security 2.1.2 → 2.3.0

package/lib/commands/ssh/start.d.ts

@@ -1,13 +1,13 @@
-import { Command } from '@oclif/command';
+import { Command } from '@oclif/core';
 export declare const Ec2SessionMetadataFragment = "\n... on AwsIamFederatedSSMSession {\n  awsAccessKeyId\n  awsSecretAccessKey\n  awsSessionToken\n  awsLoginUrl\n  federatedArn\n  ec2InstanceId\n  ec2Region\n}";
 export default class StartSSHSession extends Command {
     static description: string;
     static examples: string[];
     static flags: {
-        help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
-        id: import("@oclif/command/lib/flags").IOptionFlag<string | undefined>;
-        sessionId: import("@oclif/command/lib/flags").IOptionFlag<string | undefined>;
-        refresh: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
+        id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
     };
     run(): Promise<void>;
 }

package/lib/commands/ssh/start.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Ec2SessionMetadataFragment = void 0;
-const command_1 = require("@oclif/command");
+const core_1 = require("@oclif/core");
 const handler_1 = require("../../handler");
 const cmd_1 = require("../../lib/cmd");
 const apollo_1 = require("../../lib/apollo");
@@ -21,14 +21,14 @@ exports.Ec2SessionMetadataFragment = `
   ec2InstanceId
   ec2Region
 }`;
-class StartSSHSession extends command_1.Command {
+class StartSSHSession extends core_1.Command {
     async run() {
-        cmd_1.setMostRecentCommand(this);
-        const { flags } = this.parse(StartSSHSession);
+        (0, cmd_1.setMostRecentCommand)(this);
+        const { flags } = await this.parse(StartSSHSession);
         if (flags.sessionId && flags.refresh) {
-            return apollo_1.handleError(this, 'Cannot use both --sessionId and --refresh');
+            return (0, apollo_1.handleError)(this, 'Cannot use both --sessionId and --refresh');
         }
-        const pluginExists = await ssh_1.assertSessionManagerPluginExists();
+        const pluginExists = await (0, ssh_1.assertSessionManagerPluginExists)();
         if (!pluginExists) {
             return;
         }
@@ -36,7 +36,7 @@ class StartSSHSession extends command_1.Command {
         let instanceName = null;
         const sessionId = flags.sessionId;
         if (!instanceId) {
-            const selectedInstance = await ssh_1.selectComputeInstance(this, 'SSH into');
+            const selectedInstance = await (0, ssh_1.selectComputeInstance)(this, 'SSH into');
             if (!selectedInstance) {
                 return;
             }
@@ -44,7 +44,7 @@ class StartSSHSession extends command_1.Command {
             instanceName = selectedInstance.name;
         }
         else {
-            const { resp, error } = await handler_1.runQuery({
+            const { resp, error } = await (0, handler_1.runQuery)({
                 command: this,
                 query: get_1.GetResourceDocument,
                 variables: {
@@ -52,34 +52,36 @@ class StartSSHSession extends command_1.Command {
                 },
             });
             if (error) {
-                return apollo_1.handleError(this, error, resp);
+                return (0, apollo_1.handleError)(this, error, resp);
             }
             if (!(resp === null || resp === void 0 ? void 0 : resp.data.resource.resource)) {
-                return apollo_1.handleError(this, `Resource not found for ID: ${instanceId}`);
+                return (0, apollo_1.handleError)(this, `Resource not found for ID: ${instanceId}`);
             }
             instanceName =
                 (resp === null || resp === void 0 ? void 0 : resp.data.resource.resource.name) || 'ssh-instance';
         }
-        const session = await sessions_1.getOrCreateSession(this, instanceId, resources_1.DEFAULT_ACCESS_LEVEL, sessionId, exports.Ec2SessionMetadataFragment, flags.refresh);
+        const session = await (0, sessions_1.getOrCreateSession)(this, instanceId, resources_1.DEFAULT_ACCESS_LEVEL, sessionId, exports.Ec2SessionMetadataFragment, flags.refresh);
+        if (!session) {
+            return;
+        }
         const metadata = session.metadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
             case 'AwsIamFederatedSSMSession': {
-                this.log(`\n🕰️  Connecting to a session that expires in ${sessions_1.getSessionExpirationMessage(session)}.`);
-                const updateAwsConfigCommand = aws_1.getAwsConfigUpdateCmd(instanceName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
+                this.log(`\n🕰️  Connecting to a session that expires in ${(0, sessions_1.getSessionExpirationMessage)(session)}.`);
+                const updateAwsConfigCommand = (0, aws_1.getAwsConfigUpdateCmd)(instanceName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
                 const sessionCmd = `aws ssm start-session --target ${metadata.ec2InstanceId} --region ${metadata.ec2Region} --profile opal`;
                 // TODO: Unfortunately allowing SSH over SSM disables logging
                 // Run SSH script
                 // const sessionCmd = `../../scripts/ssh_ssm.sh ${metadata.ec2InstanceId} ${flags.user} ${metadata.ec2Region}`
                 const startSessionCmd = `${updateAwsConfigCommand} && ${sessionCmd}`;
-                cmd_1.startInteractiveShell(startSessionCmd, `shell into ${instanceName ? `"${instanceName}" instance` : 'instance'}`);
+                (0, cmd_1.startInteractiveShell)(startSessionCmd, `shell into ${instanceName ? `"${instanceName}" instance` : 'instance'}`);
                 break;
             }
             default:
-                return apollo_1.handleError(this, undefined, session);
+                return (0, apollo_1.handleError)(this, undefined, session);
         }
     }
 }
-exports.default = StartSSHSession;
 StartSSHSession.description = 'Starts an SSH session to access a compute instance.';
 StartSSHSession.examples = [
     'opal ssh:start',
@@ -97,3 +99,4 @@ StartSSHSession.flags = {
     sessionId: flags_1.SHARED_FLAGS.sessionId,
     refresh: flags_1.SHARED_FLAGS.refresh,
 };
+exports.default = StartSSHSession;

package/lib/handler.d.ts

@@ -1,15 +1,16 @@
-import { Command } from '@oclif/command';
+import { Command } from '@oclif/core';
+import { OperationVariables, ApolloError } from '@apollo/client/core';
 interface QueryHandlerProps<TVar = Record<string, any>> {
     command: Command;
     query: string;
     variables?: TVar;
 }
 export declare const runMutation: ({ command, query, variables, }: QueryHandlerProps) => Promise<{
-    resp: import("@apollo/client/core").FetchResult<any, Record<string, any>, Record<string, any>> | null;
-    error: any;
+    resp: import("@apollo/client/core").FetchResult<any> | null;
+    error: unknown;
 }>;
-export declare const runQuery: <TResponse = any, TVar = Record<string, any>>({ command, query, variables, }: QueryHandlerProps<TVar>) => Promise<{
+export declare const runQuery: <TResponse = any, TVar extends OperationVariables = Record<string, any>>({ command, query, variables, }: QueryHandlerProps<TVar>) => Promise<{
     resp: import("@apollo/client/core").ApolloQueryResult<TResponse> | null;
-    error: any;
+    error: ApolloError;
 }>;
 export {};

package/lib/handler.js

@@ -3,13 +3,13 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.runQuery = exports.runMutation = void 0;
 const graphql_tag_1 = require("graphql-tag");
 const apollo_1 = require("./lib/apollo");
-exports.runMutation = async ({ command, query, variables, }) => {
-    await apollo_1.initClient(command);
+const runMutation = async ({ command, query, variables, }) => {
+    await (0, apollo_1.initClient)(command);
     let mutationResp = null;
     let mutationError = null;
     try {
         mutationResp = await apollo_1.client.mutate({
-            mutation: graphql_tag_1.default `
+            mutation: (0, graphql_tag_1.default) `
         ${query}
       `,
             variables: variables,
@@ -20,13 +20,14 @@ exports.runMutation = async ({ command, query, variables, }) => {
     }
     return { resp: mutationResp, error: mutationError };
 };
-exports.runQuery = async ({ command, query, variables, }) => {
-    await apollo_1.initClient(command);
+exports.runMutation = runMutation;
+const runQuery = async ({ command, query, variables, }) => {
+    await (0, apollo_1.initClient)(command);
     let queryResp = null;
     let queryError = null;
     try {
         queryResp = await apollo_1.client.query({
-            query: graphql_tag_1.default `
+            query: (0, graphql_tag_1.default) `
         ${query}
       `,
             variables: variables,
@@ -37,3 +38,4 @@ exports.runQuery = async ({ command, query, variables, }) => {
     }
     return { resp: queryResp, error: queryError };
 };
+exports.runQuery = runQuery;

package/lib/index.d.ts

@@ -1 +1 @@
-export { run } from '@oclif/command';
+export { run } from '@oclif/core';

package/lib/index.js

@@ -1,4 +1,5 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-var command_1 = require("@oclif/command");
-Object.defineProperty(exports, "run", { enumerable: true, get: function () { return command_1.run; } });
+exports.run = void 0;
+var core_1 = require("@oclif/core");
+Object.defineProperty(exports, "run", { enumerable: true, get: function () { return core_1.run; } });

package/lib/lib/apollo.d.ts

@@ -1,5 +1,5 @@
 import { ApolloClient, NormalizedCacheObject } from '@apollo/client/core';
-import { Command } from '@oclif/command';
+import { Command } from '@oclif/core';
 export declare let client: ApolloClient<NormalizedCacheObject> | null;
 export declare const printResponse: (command: Command, resp: any) => void;
 export declare const handleError: (command: Command, err: any, resp?: any) => void;

package/lib/lib/apollo.js

@@ -17,16 +17,17 @@ const https = require('https');
 const http = require('http');
 exports.client = null;
 let alreadyNotifiedRecommendedVersion = false;
-exports.printResponse = (command, resp) => {
+const printResponse = (command, resp) => {
     const filteredJson = JSON.parse(JSON.stringify(resp.data, (k, v) => {
         if (k === '__typename' || v === null || (Array.isArray(v) && v.length === 0)) {
             return undefined;
         }
         return v;
     }));
-    command.log(prettyjson_1.render(filteredJson));
+    command.log((0, prettyjson_1.render)(filteredJson));
 };
-exports.handleError = (command, err, resp) => {
+exports.printResponse = printResponse;
+const handleError = (command, err, resp) => {
     if (err && typeof err === 'object' && ('networkError' in err && 'statusCode' in err.networkError)) {
         // Status code errors are already handled in the global Apollo handler, so we can just return here.
         return;
@@ -44,18 +45,20 @@ exports.handleError = (command, err, resp) => {
     errorMsg = '❗ ' + errorMsg;
     command.log(errorMsg);
     if (resp) {
-        exports.printResponse(command, resp);
+        (0, exports.printResponse)(command, resp);
     }
     // OPAL-6579: Use process.exit to avoid UnhandledPromiseRejectionWarning
     // eslint-disable-next-line no-process-exit,unicorn/no-process-exit
     process.exit(1);
 };
-exports.initClient = async (command) => {
+exports.handleError = handleError;
+const initClient = async (command) => {
     const configDir = command.config.configDir;
     const currentCLIVersion = command.config.version;
-    const configData = config_1.getOrCreateConfigData(configDir);
-    const accessToken = await credentials_1.cred.accessToken;
-    const organizationID = await credentials_1.cred.organizationID;
+    const configData = (0, config_1.getOrCreateConfigData)(configDir);
+    const opalCreds = await (0, credentials_1.getOpalCredentials)(command);
+    const accessToken = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.accessToken;
+    const organizationID = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.organizationID;
     const httpsAgent = new https.Agent({
         rejectUnauthorized: !configData[config_1.allowSelfSignedCertsKey],
     });
@@ -69,14 +72,14 @@ exports.initClient = async (command) => {
         '' :
         customHeader.split(':')[1];
     const agent = specifiedUrl.includes('https') ? httpsAgent : httpAgent;
-    const httpLink = core_1.createHttpLink({
+    const httpLink = (0, core_1.createHttpLink)({
         uri: `${specifiedUrl}/query`,
         fetch,
         fetchOptions: {
             agent: agent,
         },
     });
-    const authLink = context_1.setContext((_, { headers }) => {
+    const authLink = (0, context_1.setContext)((_, { headers }) => {
         const baseHeaders = Object.assign(Object.assign({}, headers), { authorization: `Bearer ${accessToken}`, 'X-Opal-Organization-ID': organizationID, 'X-Opal-Cli-Version': currentCLIVersion });
         if (customHeaderKey) {
             return {
@@ -94,20 +97,20 @@ exports.initClient = async (command) => {
             const expectedCLIMajorVersion = headers.get('Opal-CLI-Expected-Major-Version');
             if (expectedCLIMajorVersion) {
                 const semverExpectedMinCLIVersion = `${expectedCLIMajorVersion}.0.0`;
-                if (semver_1.major(currentCLIVersion) < semver_1.major(semverExpectedMinCLIVersion)) {
+                if ((0, semver_1.major)(currentCLIVersion) < (0, semver_1.major)(semverExpectedMinCLIVersion)) {
                     command.warn(chalk_1.default.yellow(`
 ❗️ Your CLI is outdated and is incompatible with your Opal server.
    Expected major version ${chalk_1.default.blueBright(semverExpectedMinCLIVersion)}, but version ${chalk_1.default.blueBright(currentCLIVersion)} is installed.
    Upgrade using the following command: ${chalk_1.default.blueBright('brew upgrade opalsecurity/brew/opal-security')}\n`));
                 }
-                else if (semver_1.major(currentCLIVersion) > semver_1.major(semverExpectedMinCLIVersion)) {
+                else if ((0, semver_1.major)(currentCLIVersion) > (0, semver_1.major)(semverExpectedMinCLIVersion)) {
                     command.warn(chalk_1.default.yellow(`
 ❗️ Uh oh! The currently installed Opal server is outdated. Please contact your Opal admins to let them know they need to upgrade their deployment.\n`));
                 }
             }
             if (!alreadyNotifiedRecommendedVersion) {
                 const recommendedCLIMinorVersion = headers.get('Opal-CLI-Recommended-Version');
-                if (recommendedCLIMinorVersion && semver_1.compare(currentCLIVersion, recommendedCLIMinorVersion) < 0) {
+                if (recommendedCLIMinorVersion && (0, semver_1.compare)(currentCLIVersion, recommendedCLIMinorVersion) < 0) {
                     command.log(chalk_1.default.yellow(`
 ❗️ Opal recommends that you upgrade your CLI.
    Recommended version >=${chalk_1.default.blueBright(recommendedCLIMinorVersion)}, but version ${chalk_1.default.blueBright(currentCLIVersion)} is installed.
@@ -123,8 +126,8 @@ exports.initClient = async (command) => {
             return response;
         });
     });
-    const errorLink = error_1.onError(({ networkError, operation }) => {
-        var _a, _b;
+    const errorLink = (0, error_1.onError)(({ networkError, operation }) => {
+        var _a;
         if (operation.operationName === login_1.CLIAuthSessionCheckName) {
             // These operations are triggered after the user just called `opal login` or `opal set-token`,
             // so we have special handling if they fail and we don't want to trigger an automatic redirect
@@ -139,9 +142,12 @@ exports.initClient = async (command) => {
         if (networkError && 'statusCode' in networkError) {
             let errorMessage = null;
             if ('result' in networkError) {
-                const errors = (_a = networkError === null || networkError === void 0 ? void 0 : networkError.result) === null || _a === void 0 ? void 0 : _a.errors;
-                if (errors && errors.length > 0) {
-                    errorMessage = (_b = errors[0]) === null || _b === void 0 ? void 0 : _b.message;
+                const result = networkError.result;
+                // result is now of type string | Record<string, any>
+                if (typeof result === "string")
+                    errorMessage = result;
+                else if (result.length > 0) {
+                    errorMessage = (_a = result[0]) === null || _a === void 0 ? void 0 : _a.message;
                 }
             }
             switch (networkError.statusCode) {
@@ -160,7 +166,7 @@ exports.initClient = async (command) => {
                     break;
                 }
                 default:
-                    return exports.handleError(command, `Received status code ${networkError.statusCode} from server${errorMessage ? ` with message "${errorMessage}"` : ''}`);
+                    return (0, exports.handleError)(command, `Received status code ${networkError.statusCode} from server${errorMessage ? ` with message "${errorMessage}"` : ''}`);
             }
         }
     });
@@ -172,3 +178,4 @@ exports.initClient = async (command) => {
         cache: new core_1.InMemoryCache(),
     });
 };
+exports.initClient = initClient;

package/lib/lib/aws.js

@@ -2,21 +2,18 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getAwsEnvVarMessage = exports.getAwsConfigUpdateCmd = void 0;
 const opalProfileKey = 'opal';
-const kebabCase = (str) => {
-    return str.replace(/([a-z])([A-Z])/g, '$1-$2').replace(/[\s_]+/g, '-').toLowerCase();
-};
 const sanitize = (str) => {
-    // remove non standard characters
-    let sanitizedStr = str.replace(/[^A-Za-z0-9- ]/g, '');
-    // de-dupe spaces
+    // Remove non standard characters.
+    // Note: AWS supports profile names containing alphanumeric characters, symbols, and white spaces
+    // from the ASCII character set.
+    let sanitizedStr = str.replace(/[^A-Za-z0-9-_ ]/g, '');
+    // De-dupe spaces
     sanitizedStr = sanitizedStr.replace(/\s+/g, ' ');
-    // map remaining spaces to '-;
+    // Map remaining spaces to '-'
     sanitizedStr = sanitizedStr.replace(/ /g, '-');
-    // convert to kebab case
-    sanitizedStr = kebabCase(sanitizedStr);
     return sanitizedStr;
 };
-exports.getAwsConfigUpdateCmd = (itemName, awsAccessKeyId, awsSecretAccessKey, awsSessionToken) => {
+const getAwsConfigUpdateCmd = (itemName, awsAccessKeyId, awsSecretAccessKey, awsSessionToken) => {
     let updateProfilesCmd = '';
     const sanitizedProfileName = sanitize(itemName);
     const profileNames = [opalProfileKey, sanitizedProfileName];
@@ -33,7 +30,8 @@ exports.getAwsConfigUpdateCmd = (itemName, awsAccessKeyId, awsSecretAccessKey, a
     });
     return updateProfilesCmd;
 };
-exports.getAwsEnvVarMessage = () => {
+exports.getAwsConfigUpdateCmd = getAwsConfigUpdateCmd;
+const getAwsEnvVarMessage = () => {
     if (!process.env.AWS_DEFAULT_PROFILE || process.env.AWS_DEFAULT_PROFILE !== opalProfileKey) {
         let envVarPhrase = '';
         if (!process.env.AWS_DEFAULT_PROFILE) {
@@ -48,3 +46,4 @@ exports.getAwsEnvVarMessage = () => {
     }
     return '';
 };
+exports.getAwsEnvVarMessage = getAwsEnvVarMessage;

package/lib/lib/cmd.d.ts

@@ -1,11 +1,12 @@
 /// <reference types="node" />
+/// <reference types="node" />
 import { ExecException } from 'child_process';
-import { Command } from '@oclif/command';
+import { Command } from '@oclif/core';
 import * as moment from 'moment';
 export declare let mostRecentCommand: Command | null;
 export declare let mostRecentCommandTime: moment.Moment | null;
 export declare const setMostRecentCommand: (cmd: Command) => void;
-export declare const startInteractiveShell: (runCmd: string, shellName?: string | undefined) => void;
-export declare const runCommandExec: (runCmd: string, successMessage: string, errorMessage: string, envVars?: Record<string, any> | undefined) => void;
+export declare const startInteractiveShell: (runCmd: string, shellName?: string) => void;
+export declare const runCommandExec: (runCmd: string, successMessage: string, errorMessage: string, envVars?: Record<string, any>) => void;
 export declare const runCommandExecWithCallback: (cmd: string, callback?: ((error: ExecException | null, stdout: Buffer, stderr: Buffer) => void) | undefined) => Promise<unknown>;
-export declare const runCommandSpawn: (runCmd: string, successMessage: string, errorMessage: string, envVars?: Record<string, any> | undefined) => void;
+export declare const runCommandSpawn: (runCmd: string, successMessage: string, errorMessage: string, envVars?: Record<string, any>) => void;

package/lib/lib/cmd.js

@@ -6,11 +6,12 @@ const moment = require("moment");
 const { exec, spawn } = require('child_process');
 exports.mostRecentCommand = null;
 exports.mostRecentCommandTime = null;
-exports.setMostRecentCommand = (cmd) => {
+const setMostRecentCommand = (cmd) => {
     exports.mostRecentCommand = cmd;
     exports.mostRecentCommandTime = moment(new Date());
 };
-exports.startInteractiveShell = (runCmd, shellName) => {
+exports.setMostRecentCommand = setMostRecentCommand;
+const startInteractiveShell = (runCmd, shellName) => {
     const shell = spawn(`$SHELL -c "${runCmd}"`, [], {
         env: Object.assign(Object.assign({}, process.env), { SCRIPT_PATH: __dirname }),
         stdio: 'inherit',
@@ -36,7 +37,8 @@ exports.startInteractiveShell = (runCmd, shellName) => {
         // intercepting SIGTSTP
     });
 };
-exports.runCommandExec = (runCmd, successMessage, errorMessage, envVars) => {
+exports.startInteractiveShell = startInteractiveShell;
+const runCommandExec = (runCmd, successMessage, errorMessage, envVars) => {
     const envVarsToUse = envVars || {};
     exec(`${runCmd}`, {
         env: Object.assign(Object.assign(Object.assign({}, process.env), { SCRIPT_PATH: __dirname }), envVarsToUse),
@@ -55,7 +57,8 @@ exports.runCommandExec = (runCmd, successMessage, errorMessage, envVars) => {
         }
     });
 };
-exports.runCommandExecWithCallback = (cmd, callback) => {
+exports.runCommandExec = runCommandExec;
+const runCommandExecWithCallback = (cmd, callback) => {
     return new Promise(resolve => {
         exec(cmd, function (error, stdOut, stdErr) {
             callback && callback(error, stdOut, stdErr);
@@ -63,7 +66,8 @@ exports.runCommandExecWithCallback = (cmd, callback) => {
         });
     });
 };
-exports.runCommandSpawn = (runCmd, successMessage, errorMessage, envVars) => {
+exports.runCommandExecWithCallback = runCommandExecWithCallback;
+const runCommandSpawn = (runCmd, successMessage, errorMessage, envVars) => {
     const envVarsToUse = envVars || {};
     const shell = spawn(`${runCmd}`, [], {
         env: Object.assign(Object.assign(Object.assign({}, process.env), { SCRIPT_PATH: __dirname }), envVarsToUse),
@@ -79,3 +83,4 @@ exports.runCommandSpawn = (runCmd, successMessage, errorMessage, envVars) => {
         }
     });
 };
+exports.runCommandSpawn = runCommandSpawn;

package/lib/lib/config.js

@@ -8,7 +8,7 @@ exports.defaultUrl = 'https://app.opal.dev';
 exports.allowSelfSignedCertsKey = 'allowSelfSignedCerts';
 exports.defaultAllowSelfSignedCerts = false;
 exports.customHttpHeaderKey = 'customHttpHeader';
-exports.getOrCreateConfigData = (configDir) => {
+const getOrCreateConfigData = (configDir) => {
     if (!fs.existsSync(configDir)) {
         fs.mkdirSync(configDir, { recursive: true });
     }
@@ -31,8 +31,9 @@ exports.getOrCreateConfigData = (configDir) => {
     }
     return configData;
 };
-exports.writeConfigData = (configDir, newConfigData) => {
-    const existingData = exports.getOrCreateConfigData(configDir);
+exports.getOrCreateConfigData = getOrCreateConfigData;
+const writeConfigData = (configDir, newConfigData) => {
+    const existingData = (0, exports.getOrCreateConfigData)(configDir);
     for (const [key, value] of Object.entries(newConfigData)) {
         existingData[key] = value;
     }
@@ -41,8 +42,9 @@ exports.writeConfigData = (configDir, newConfigData) => {
         mode: 0o0600,
     });
 };
-exports.isProduction = (configDir) => {
-    const configData = exports.getOrCreateConfigData(configDir);
+exports.writeConfigData = writeConfigData;
+const isProduction = (configDir) => {
+    const configData = (0, exports.getOrCreateConfigData)(configDir);
     // Custom URLs are considered production since it includes on-prem
     return configData[exports.urlKey] !== 'https://dev.opal.dev' &&
         configData[exports.urlKey] !== 'http://localhost:3000' &&
@@ -50,3 +52,4 @@ exports.isProduction = (configDir) => {
         configData[exports.urlKey] !== 'https://demo.opal.dev' &&
         configData[exports.urlKey] !== 'https://staging.opal.dev';
 };
+exports.isProduction = isProduction;

package/lib/lib/credentials/index.d.ts

@@ -0,0 +1,11 @@
+import { Command } from '@oclif/core';
+interface OpalCredentials {
+    email?: string;
+    organizationID?: string;
+    clientIDCandidate?: string;
+    accessToken?: string;
+}
+export declare const setOpalCredentials: (command: Command, email: string | undefined, organizationID: string, clientIDCandidate: string | undefined | null, accessToken: string) => Promise<void>;
+export declare const getOpalCredentials: (command: Command) => Promise<OpalCredentials>;
+export declare const removeOpalCredentials: (command: Command) => Promise<void>;
+export {};

package/lib/lib/credentials/index.js

@@ -0,0 +1,52 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.removeOpalCredentials = exports.getOpalCredentials = exports.setOpalCredentials = void 0;
+const config_1 = require("../config");
+const keychain_1 = require("./keychain");
+const localEncryption_1 = require("./localEncryption");
+const setOpalCredentials = async (command, email, organizationID, clientIDCandidate, accessToken) => {
+    email = email || 'email-unset';
+    const configData = (0, config_1.getOrCreateConfigData)(command.config.configDir);
+    configData.creds = {
+        clientIDCandidate,
+        email,
+        organizationID,
+    };
+    (0, config_1.writeConfigData)(command.config.configDir, configData);
+    if (process.platform === "darwin") {
+        await (0, keychain_1.setTokenInKeychain)(email, accessToken);
+    }
+    else {
+        await (0, localEncryption_1.setTokenInConfig)(command, configData, accessToken);
+    }
+};
+exports.setOpalCredentials = setOpalCredentials;
+const getOpalCredentials = async (command) => {
+    var _a, _b;
+    let creds = (_b = (_a = (0, config_1.getOrCreateConfigData)(command.config.configDir)) === null || _a === void 0 ? void 0 : _a.creds) !== null && _b !== void 0 ? _b : {};
+    let accessToken = null;
+    if (process.platform === "darwin") {
+        accessToken = await (0, keychain_1.getTokenFromKeychain)((creds === null || creds === void 0 ? void 0 : creds.email) || 'email-unset');
+    }
+    else {
+        accessToken = await (0, localEncryption_1.getTokenFromConfig)(creds);
+    }
+    if (accessToken) {
+        creds.accessToken = accessToken;
+    }
+    return creds;
+};
+exports.getOpalCredentials = getOpalCredentials;
+const removeOpalCredentials = async (command) => {
+    var _a;
+    const configData = (0, config_1.getOrCreateConfigData)(command.config.configDir);
+    const email = ((_a = configData === null || configData === void 0 ? void 0 : configData.creds) === null || _a === void 0 ? void 0 : _a.email) || 'email-unset';
+    // On linux, the access token is stored encrypted in configData.creds, so this effectively removes it
+    configData.creds = {};
+    (0, config_1.writeConfigData)(command.config.configDir, configData);
+    // but on OSX, we need an extra step to delete the token from the keychain
+    if (process.platform === "darwin") {
+        await (0, keychain_1.deleteTokenFromKeychain)(email);
+    }
+};
+exports.removeOpalCredentials = removeOpalCredentials;

package/lib/lib/credentials/keychain.d.ts

@@ -0,0 +1,3 @@
+export declare const setTokenInKeychain: (email: string, accessToken: string) => Promise<void>;
+export declare const getTokenFromKeychain: (email: string) => Promise<string>;
+export declare const deleteTokenFromKeychain: (email: string) => Promise<void>;

package/lib/lib/credentials/keychain.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deleteTokenFromKeychain = exports.getTokenFromKeychain = exports.setTokenInKeychain = void 0;
+const keychain = require("keychain");
+const OPAL_KEYCHAIN_SERVICE = 'opal-cli';
+// On OSX, we can easily work with the system Keychain to store the access token.
+const setTokenInKeychain = async (email, accessToken) => {
+    return new Promise((resolve, reject) => {
+        keychain.setPassword({ account: email, service: OPAL_KEYCHAIN_SERVICE, password: accessToken }, function (err) {
+            if (err) {
+                reject(err);
+            }
+            else {
+                resolve();
+            }
+        });
+    });
+};
+exports.setTokenInKeychain = setTokenInKeychain;
+const getTokenFromKeychain = async (email) => {
+    return new Promise((resolve, reject) => {
+        keychain.getPassword({ account: email, service: OPAL_KEYCHAIN_SERVICE }, function (err, password) {
+            if (err && (err === null || err === void 0 ? void 0 : err.type) !== 'PasswordNotFoundError') {
+                reject(err);
+            }
+            else {
+                resolve(password);
+            }
+        });
+    });
+};
+exports.getTokenFromKeychain = getTokenFromKeychain;
+const deleteTokenFromKeychain = async (email) => {
+    return new Promise((resolve) => {
+        keychain.deletePassword({ service: OPAL_KEYCHAIN_SERVICE, account: email }, function () {
+            // we might get errors here if the password doesn't exist, which we want to swallow
+            resolve();
+        });
+    });
+};
+exports.deleteTokenFromKeychain = deleteTokenFromKeychain;

package/lib/lib/credentials/localEncryption.d.ts

@@ -0,0 +1,3 @@
+import { Command } from '@oclif/core';
+export declare const setTokenInConfig: (command: Command, configData: Record<string, any>, accessToken: string) => Promise<void>;
+export declare const getTokenFromConfig: (credsConfig: Record<string, any>) => Promise<string | undefined>;