opal-security 2.1.3 → 2.3.1

package/lib/commands/aws/identity.js

@@ -1,18 +1,18 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-const command_1 = require("@oclif/command");
+const core_1 = require("@oclif/core");
 const cmd_1 = require("../../lib/cmd");
 const flags_1 = require("../../lib/flags");
-class Identity extends command_1.Command {
+class Identity extends core_1.Command {
     async run() {
-        cmd_1.setMostRecentCommand(this);
+        (0, cmd_1.setMostRecentCommand)(this);
         const currentCallerIdentityCmd = 'aws sts get-caller-identity --profile opal';
-        cmd_1.runCommandExec(currentCallerIdentityCmd, 'This is the current caller identity for the "opal" AWS profile.', 'Failed to get the current caller identity for the "opal" AWS profile.');
+        (0, cmd_1.runCommandExec)(currentCallerIdentityCmd, 'This is the current caller identity for the "opal" AWS profile.', 'Failed to get the current caller identity for the "opal" AWS profile.');
     }
 }
-exports.default = Identity;
 Identity.description = 'Gets the current caller identity for the "opal" AWS profile.';
 Identity.examples = ['opal aws:identity'];
 Identity.flags = {
     help: flags_1.SHARED_FLAGS.help,
 };
+exports.default = Identity;

package/lib/commands/curl-example.d.ts

@@ -1,8 +1,8 @@
-import { Command } from '@oclif/command';
+import { Command } from '@oclif/core';
 export default class CurlExample extends Command {
     static description: string;
     static flags: {
-        help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
     };
     run(): Promise<void>;
 }

package/lib/commands/curl-example.js

@@ -1,14 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-const command_1 = require("@oclif/command");
+const core_1 = require("@oclif/core");
 const config_1 = require("../lib/config");
 const credentials_1 = require("../lib/credentials");
 const flags_1 = require("../lib/flags");
-class CurlExample extends command_1.Command {
+class CurlExample extends core_1.Command {
     async run() {
-        const accessToken = await credentials_1.cred.accessToken;
-        const organizationID = await credentials_1.cred.organizationID;
-        const configData = config_1.getOrCreateConfigData(this.config.configDir);
+        const opalCreds = await (0, credentials_1.getOpalCredentials)(this);
+        const accessToken = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.accessToken;
+        const organizationID = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.organizationID;
+        const configData = (0, config_1.getOrCreateConfigData)(this.config.configDir);
         const url = configData[config_1.urlKey];
         this.log(`
 curl -v ${url}/query \\
@@ -19,8 +20,8 @@ curl -v ${url}/query \\
 `);
     }
 }
-exports.default = CurlExample;
 CurlExample.description = 'Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.';
 CurlExample.flags = {
     help: flags_1.SHARED_FLAGS.help,
 };
+exports.default = CurlExample;

package/lib/commands/iam-roles/start.d.ts

@@ -1,13 +1,13 @@
-import { Command, flags } from '@oclif/command';
+import { Command } from '@oclif/core';
 export default class StartIAMRoleSession extends Command {
     static description: string;
     static examples: string[];
     static flags: {
-        help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
-        id: flags.IOptionFlag<string | undefined>;
-        sessionId: flags.IOptionFlag<string | undefined>;
-        refresh: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;
-        profileName: flags.IOptionFlag<string | undefined>;
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
+        id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+        profileName: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
     };
     run(): Promise<void>;
 }

package/lib/commands/iam-roles/start.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-const command_1 = require("@oclif/command");
+const core_1 = require("@oclif/core");
 const handler_1 = require("../../handler");
 const cmd_1 = require("../../lib/cmd");
 const apollo_1 = require("../../lib/apollo");
@@ -17,18 +17,18 @@ const IamSessionMetadataFragment = `
   awsLoginUrl
   federatedArn
 }`;
-class StartIAMRoleSession extends command_1.Command {
+class StartIAMRoleSession extends core_1.Command {
     async run() {
-        cmd_1.setMostRecentCommand(this);
-        const { flags } = this.parse(StartIAMRoleSession);
+        (0, cmd_1.setMostRecentCommand)(this);
+        const { flags } = await this.parse(StartIAMRoleSession);
         if (flags.sessionId && flags.refresh) {
-            return apollo_1.handleError(this, 'Cannot use both --sessionId and --refresh');
+            return (0, apollo_1.handleError)(this, 'Cannot use both --sessionId and --refresh');
         }
         let roleId = flags.id;
         let roleName = null;
         const sessionId = flags.sessionId;
         if (!roleId) {
-            const selectedRole = await resources_1.promptUserForResource(this, 'AWS_IAM_ROLE', 'Select an IAM role to assume');
+            const selectedRole = await (0, resources_1.promptUserForResource)(this, 'AWS_IAM_ROLE', 'Select an IAM role to assume');
             if (!selectedRole) {
                 return;
             }
@@ -36,7 +36,7 @@ class StartIAMRoleSession extends command_1.Command {
             roleName = selectedRole.name;
         }
         else {
-            const { resp, error } = await handler_1.runQuery({
+            const { resp, error } = await (0, handler_1.runQuery)({
                 command: this,
                 query: get_1.GetResourceDocument,
                 variables: {
@@ -44,36 +44,35 @@ class StartIAMRoleSession extends command_1.Command {
                 },
             });
             if (error) {
-                return apollo_1.handleError(this, error, resp);
+                return (0, apollo_1.handleError)(this, error, resp);
             }
             if (!(resp === null || resp === void 0 ? void 0 : resp.data.resource.resource)) {
-                return apollo_1.handleError(this, `Resource not found for ID: ${roleId}`);
+                return (0, apollo_1.handleError)(this, `Resource not found for ID: ${roleId}`);
             }
             roleName = (resp === null || resp === void 0 ? void 0 : resp.data.resource.resource.name) || 'iam-role';
         }
         if (flags.profileName && flags.profileName !== '') {
             roleName = flags.profileName;
         }
-        const session = await sessions_1.getOrCreateSession(this, roleId, resources_1.DEFAULT_ACCESS_LEVEL, sessionId, IamSessionMetadataFragment, flags.refresh);
+        const session = await (0, sessions_1.getOrCreateSession)(this, roleId, resources_1.DEFAULT_ACCESS_LEVEL, sessionId, IamSessionMetadataFragment, flags.refresh);
         if (!session) {
             return;
         }
         const metadata = session.metadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
             case 'AwsIamFederatedRoleSession': {
-                const updateAwsConfigCommand = aws_1.getAwsConfigUpdateCmd(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
+                const updateAwsConfigCommand = (0, aws_1.getAwsConfigUpdateCmd)(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
                 const startSessionCmd = `${updateAwsConfigCommand}`;
                 const roleText = roleName ? `"${roleName}" role` : 'role';
-                const expirationMessage = sessions_1.getSessionExpirationMessage(session);
-                cmd_1.runCommandExec(startSessionCmd, `Now set to use ${roleText}. (session expires in ${expirationMessage})${aws_1.getAwsEnvVarMessage()}`, `Failed to use ${roleText}.`);
+                const expirationMessage = (0, sessions_1.getSessionExpirationMessage)(session);
+                (0, cmd_1.runCommandExec)(startSessionCmd, `Now set to use ${roleText}. (session expires in ${expirationMessage})${(0, aws_1.getAwsEnvVarMessage)()}`, `Failed to use ${roleText}.`);
                 break;
             }
             default:
-                return apollo_1.handleError(this, undefined, session);
+                return (0, apollo_1.handleError)(this, undefined, session);
         }
     }
 }
-exports.default = StartIAMRoleSession;
 StartIAMRoleSession.description = 'Starts a session to assume an IAM role.';
 StartIAMRoleSession.examples = [
     'opal iam-roles:start',
@@ -85,8 +84,9 @@ StartIAMRoleSession.flags = {
     id: flags_1.SHARED_FLAGS.id,
     sessionId: flags_1.SHARED_FLAGS.sessionId,
     refresh: flags_1.SHARED_FLAGS.refresh,
-    profileName: command_1.flags.string({
+    profileName: core_1.Flags.string({
         multiple: false,
         description: 'Uses a custom AWS profile name for the IAM role. Default value is the role\'s name.',
     }),
 };
+exports.default = StartIAMRoleSession;

package/lib/commands/kube-roles/start.d.ts

@@ -1,13 +1,13 @@
-import { Command } from '@oclif/command';
+import { Command } from '@oclif/core';
 export default class StartKubeIAMRoleSession extends Command {
     static description: string;
     static examples: string[];
     static flags: {
-        help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
-        id: import("@oclif/command/lib/flags").IOptionFlag<string | undefined>;
-        accessLevelRemoteId: import("@oclif/command/lib/flags").IOptionFlag<string | undefined>;
-        sessionId: import("@oclif/command/lib/flags").IOptionFlag<string | undefined>;
-        refresh: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
+        id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        accessLevelRemoteId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
     };
     run(): Promise<void>;
 }

package/lib/commands/kube-roles/start.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-const command_1 = require("@oclif/command");
+const core_1 = require("@oclif/core");
 const cmd_1 = require("../../lib/cmd");
 const apollo_1 = require("../../lib/apollo");
 const aws_1 = require("../../lib/aws");
@@ -15,28 +15,28 @@ const EksSessionMetadataFragment = `
   clusterName
   clusterRegion
 }`;
-class StartKubeIAMRoleSession extends command_1.Command {
+class StartKubeIAMRoleSession extends core_1.Command {
     async run() {
-        cmd_1.setMostRecentCommand(this);
-        const { flags } = this.parse(StartKubeIAMRoleSession);
+        (0, cmd_1.setMostRecentCommand)(this);
+        const { flags } = await this.parse(StartKubeIAMRoleSession);
         if (flags.sessionId && flags.refresh) {
-            return apollo_1.handleError(this, 'Cannot use both --sessionId and --refresh');
+            return (0, apollo_1.handleError)(this, 'Cannot use both --sessionId and --refresh');
         }
         let clusterId = flags.id;
         const sessionId = flags.sessionId;
         if (!clusterId) {
-            const selectedCluster = await resources_1.promptUserForResource(this, 'AWS_EKS_CLUSTER', 'Select an EKS Kubernetes cluster to connect to');
+            const selectedCluster = await (0, resources_1.promptUserForResource)(this, 'AWS_EKS_CLUSTER', 'Select an EKS Kubernetes cluster to connect to');
             if (!selectedCluster) {
                 return;
             }
             clusterId = selectedCluster.id;
         }
         // Fetch all access levels for resource
-        const accessLevel = await resources_1.promptUserForAccessLevels(this, clusterId, 'Kubernetes cluster', flags.accessLevelRemoteId);
+        const accessLevel = await (0, resources_1.promptUserForAccessLevels)(this, clusterId, 'Kubernetes cluster', flags.accessLevelRemoteId);
         if (!accessLevel) {
             return;
         }
-        const session = await sessions_1.getOrCreateSession(this, clusterId, accessLevel, sessionId, EksSessionMetadataFragment, flags.refresh);
+        const session = await (0, sessions_1.getOrCreateSession)(this, clusterId, accessLevel, sessionId, EksSessionMetadataFragment, flags.refresh);
         if (!session) {
             return;
         }
@@ -44,20 +44,19 @@ class StartKubeIAMRoleSession extends command_1.Command {
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
             case 'AwsIamFederatedEksSession': {
                 const roleName = accessLevel.accessLevelName;
-                const updateAwsConfigCommand = aws_1.getAwsConfigUpdateCmd(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
+                const updateAwsConfigCommand = (0, aws_1.getAwsConfigUpdateCmd)(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
                 const updateKubeConfigCmd = `aws eks update-kubeconfig --name ${metadata.clusterName} --region ${metadata.clusterRegion} --alias ${metadata.clusterName} --profile opal`;
                 const startSessionCmd = `${updateAwsConfigCommand} && ${updateKubeConfigCmd}`;
                 const roleText = roleName ? `"${roleName}" role` : 'role';
-                const expirationMessage = sessions_1.getSessionExpirationMessage(session);
-                cmd_1.runCommandExec(startSessionCmd, `Now set to use ${roleText} with updated Kube config pointing to "${metadata.clusterName}" cluster. (session expires in ${expirationMessage})${aws_1.getAwsEnvVarMessage()}`, `Failed to assume ${roleText} and update Kube config.`);
+                const expirationMessage = (0, sessions_1.getSessionExpirationMessage)(session);
+                (0, cmd_1.runCommandExec)(startSessionCmd, `Now set to use ${roleText} with updated Kube config pointing to "${metadata.clusterName}" cluster. (session expires in ${expirationMessage})${(0, aws_1.getAwsEnvVarMessage)()}`, `Failed to assume ${roleText} and update Kube config.`);
                 break;
             }
             default:
-                return apollo_1.handleError(this, undefined, session);
+                return (0, apollo_1.handleError)(this, undefined, session);
         }
     }
 }
-exports.default = StartKubeIAMRoleSession;
 StartKubeIAMRoleSession.description = 'Starts a session to assume a Kubernetes cluster IAM role.';
 StartKubeIAMRoleSession.examples = [
     'opal kube-roles:start',
@@ -71,3 +70,4 @@ StartKubeIAMRoleSession.flags = {
     sessionId: flags_1.SHARED_FLAGS.sessionId,
     refresh: flags_1.SHARED_FLAGS.refresh,
 };
+exports.default = StartKubeIAMRoleSession;

package/lib/commands/login.d.ts

@@ -1,4 +1,4 @@
-import { Command, flags } from '@oclif/command';
+import { Command } from '@oclif/core';
 export declare const CLISignInMethodName = "CLISignInMethod";
 export declare const CLIAuthSessionCheckName = "CLIAuthSessionCheck";
 export declare const CLIAuthSessionCheckDocument = "\nquery CLIAuthSessionCheck {\n  organizationSettings {\n      ... on OrganizationSettingsResult {\n        settings {\n          id\n        }\n      }\n  }\n}\n";
@@ -6,9 +6,9 @@ export default class Login extends Command {
     static description: string;
     static examples: string[];
     static flags: {
-        help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
-        email: flags.IOptionFlag<string | undefined>;
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
+        email: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
     };
-    static args: never[];
+    static args: {};
     run(): Promise<void>;
 }

package/lib/commands/login.js

@@ -1,8 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CLIAuthSessionCheckDocument = exports.CLIAuthSessionCheckName = exports.CLISignInMethodName = void 0;
-const command_1 = require("@oclif/command");
-const keytar = require("keytar");
+const core_1 = require("@oclif/core");
 const open = require("open");
 const openid_client_1 = require("openid-client");
 const apollo_1 = require("../lib/apollo");
@@ -55,26 +54,25 @@ query CLIAuthSessionCheck {
   }
 }
 `;
-class Login extends command_1.Command {
+class Login extends core_1.Command {
     async run() {
         var _a, _b, _c, _d, _e, _f, _g;
         try {
-            await apollo_1.initClient(this);
-            const { flags } = this.parse(Login);
+            await (0, apollo_1.initClient)(this, false);
+            const { flags } = await this.parse(Login);
             const configDir = this.config.configDir;
-            const configData = config_1.getOrCreateConfigData(configDir);
+            const configData = (0, config_1.getOrCreateConfigData)(configDir);
             let email = flags.email;
             let organizationID;
             let clientIdCandidate;
-            if (await credentials_1.cred.accessToken) {
-                // Only use the previous email + organizationID if email isn't explicitly specified.
-                if (!email) {
-                    email = await credentials_1.cred.email;
-                    organizationID = await credentials_1.cred.organizationID;
-                    clientIdCandidate = await credentials_1.cred.clientIdCandidate;
-                }
-                await credentials_1.cred.removeCredentials(-1);
+            const existingCreds = await (0, credentials_1.getOpalCredentials)(this, false);
+            // Only use the previous email + organizationID if email isn't explicitly specified.
+            if (!email) {
+                email = existingCreds.email;
+                organizationID = existingCreds.organizationID;
+                clientIdCandidate = existingCreds.clientIDCandidate;
             }
+            await (0, credentials_1.removeOpalCredentials)(this);
             this.log('Welcome to Opal! ⚡️\n');
             this.log('Connecting to Opal server URL:', configData[config_1.urlKey]);
             this.log('If this is incorrect, please run `opal set-url --help`\n');
@@ -92,14 +90,14 @@ class Login extends command_1.Command {
             }
             if (!organizationID) {
                 let signInOrganizationsLegacyResponse;
-                const { resp: signInOrganizationsResponse, error } = await handler_1.runQuery({
+                const { resp: signInOrganizationsResponse, error } = await (0, handler_1.runQuery)({
                     command: this,
                     query: CLISignInMethodDocument,
                     variables: { input: { email } },
                 });
-                if (error) {
+                if (error && error.networkError) {
                     if ('statusCode' in error.networkError && error.networkError.statusCode === 422) {
-                        const { resp, error: legacyError } = await handler_1.runQuery({
+                        const { resp, error: legacyError } = await (0, handler_1.runQuery)({
                             command: this,
                             query: CLISignInMethodDocumentLegacy,
                             variables: { input: { email } },
@@ -107,15 +105,16 @@ class Login extends command_1.Command {
                         signInOrganizationsLegacyResponse = resp;
                         if (legacyError) {
                             this.log(''); // Intentional newline
-                            return apollo_1.handleError(this, 'Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)');
+                            return (0, apollo_1.handleError)(this, 'Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)');
                         }
                     }
                     else {
                         this.log(''); // Intentional newline
-                        return apollo_1.handleError(this, 'Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)');
+                        return (0, apollo_1.handleError)(this, 'Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)');
                     }
                 }
-                const signInOrganizations = signInOrganizationsResponse ? (_b = (_a = signInOrganizationsResponse === null || signInOrganizationsResponse === void 0 ? void 0 : signInOrganizationsResponse.data) === null || _a === void 0 ? void 0 : _a.signInMethod) === null || _b === void 0 ? void 0 : _b.signInOrganizations : (_d = (_c = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data) === null || _c === void 0 ? void 0 : _c.signInMethod) === null || _d === void 0 ? void 0 : _d.signInOrganizations;
+                const signInOrganizations = signInOrganizationsResponse ? (_b = (_a = signInOrganizationsResponse === null || signInOrganizationsResponse === void 0 ? void 0 : signInOrganizationsResponse.data) === null || _a === void 0 ? void 0 : _a.signInMethod) === null || _b === void 0 ? void 0 : _b.signInOrganizations :
+                    (_d = (_c = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data) === null || _c === void 0 ? void 0 : _c.signInMethod) === null || _d === void 0 ? void 0 : _d.signInOrganizations;
                 if (signInOrganizations && signInOrganizations.length > 0) {
                     if (signInOrganizations.length === 1) {
                         organizationID = signInOrganizations[0].organizationId;
@@ -141,7 +140,7 @@ class Login extends command_1.Command {
                 }
             }
             let issuer;
-            if (config_1.isProduction(this.config.configDir)) {
+            if ((0, config_1.isProduction)(this.config.configDir)) {
                 issuer = await openid_client_1.Issuer.discover(ISSUER_PROD);
             }
             else {
@@ -151,7 +150,7 @@ class Login extends command_1.Command {
             if (clientIdCandidate) {
                 clientId = clientIdCandidate;
             }
-            else if (config_1.isProduction(this.config.configDir)) {
+            else if ((0, config_1.isProduction)(this.config.configDir)) {
                 clientId = CLIENT_ID_PROD;
             }
             else {
@@ -175,7 +174,7 @@ class Login extends command_1.Command {
             this.log(`      User Code: ${handle.user_code}\n`);
             // Wait before opening the browser window to ensure the user has time to
             // see the User Code.
-            await util_1.sleep(1000);
+            await (0, util_1.sleep)(1000);
             await open(handle.verification_uri_complete, { wait: false });
             const tokenSet = await handle.poll();
             const userInfo = await client.userinfo(tokenSet);
@@ -184,17 +183,17 @@ class Login extends command_1.Command {
                 // Save the clientIdCandidate only when SAML is set up for the org.
                 account = account + '|' + clientIdCandidate;
             }
-            await keytar.setPassword(credentials_1.OPAL_CREDS_KEY, account, (tokenSet === null || tokenSet === void 0 ? void 0 : tokenSet.access_token) || '');
+            await (0, credentials_1.setOpalCredentials)(this, userInfo.email, organizationID, clientIdCandidate, (tokenSet === null || tokenSet === void 0 ? void 0 : tokenSet.access_token) || '');
             // "Representative" authenticated call to check the log-in worked as expected.
-            const { resp: authCheckResp, error: authCheckErr } = await handler_1.runQuery({
+            const { resp: authCheckResp, error: authCheckErr } = await (0, handler_1.runQuery)({
                 command: this,
                 query: exports.CLIAuthSessionCheckDocument,
                 variables: {},
             });
             if (authCheckErr || !((_g = (_f = (_e = authCheckResp === null || authCheckResp === void 0 ? void 0 : authCheckResp.data) === null || _e === void 0 ? void 0 : _e.organizationSettings) === null || _f === void 0 ? void 0 : _f.settings) === null || _g === void 0 ? void 0 : _g.id)) {
                 this.log('Error verifying log in. Authenticated commands may fail. Please double check your URL and use `opal logout; opal login` to try again.\n');
-                await credentials_1.cred.removeCredentials(-1);
-                apollo_1.handleError(this, authCheckErr);
+                await (0, credentials_1.removeOpalCredentials)(this);
+                (0, apollo_1.handleError)(this, authCheckErr);
             }
             this.log('🎉 You have successfully authenticated with Opal! You can now run authenticated commands.\n');
         }
@@ -203,14 +202,14 @@ class Login extends command_1.Command {
         }
     }
 }
-exports.default = Login;
 Login.description = 'Authenticates you with the Opal server.';
 Login.examples = ['$ opal login'];
 Login.flags = {
     help: flags_1.SHARED_FLAGS.help,
-    email: command_1.flags.string({
+    email: core_1.Flags.string({
         multiple: false,
         description: 'Email address to login with.',
     }),
 };
-Login.args = [];
+Login.args = {};
+exports.default = Login;

package/lib/commands/logout.d.ts

@@ -1,10 +1,10 @@
-import { Command } from '@oclif/command';
+import { Command } from '@oclif/core';
 export default class Logout extends Command {
     static description: string;
     static examples: string[];
     static flags: {
-        help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
     };
-    static args: never[];
+    static args: {};
     run(): Promise<void>;
 }

package/lib/commands/logout.js

@@ -1,12 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-const command_1 = require("@oclif/command");
+const core_1 = require("@oclif/core");
 const credentials_1 = require("../lib/credentials");
 const flags_1 = require("../lib/flags");
-class Logout extends command_1.Command {
+class Logout extends core_1.Command {
     async run() {
         try {
-            await credentials_1.cred.removeCredentials(-1);
+            await (0, credentials_1.removeOpalCredentials)(this);
             this.log('Successfully removed the saved Account ID and Auth Token from this computer');
         }
         catch (error) {
@@ -14,10 +14,10 @@ class Logout extends command_1.Command {
         }
     }
 }
-exports.default = Logout;
 Logout.description = 'Clears locally stored Opal server authentication credentials.';
 Logout.examples = ['$ opal logout'];
 Logout.flags = {
     help: flags_1.SHARED_FLAGS.help,
 };
-Logout.args = [];
+Logout.args = {};
+exports.default = Logout;

package/lib/commands/migrate-creds.d.ts

@@ -0,0 +1,8 @@
+import { Command } from '@oclif/core';
+export default class MigrateCreds extends Command {
+    static description: string;
+    static flags: {
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
+    };
+    run(): Promise<void>;
+}

package/lib/commands/migrate-creds.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const keytar = require("keytar");
+const credentials_1 = require("../lib/credentials");
+const flags_1 = require("../lib/flags");
+const OPAL_KEYTAR_CREDS_KEY = 'opal';
+/**
+ * This command helps users migrate from the old credential store w/ keytar to the new credential store
+ * It should only be recommended to users on OSX, since keytar does not reliably work on linux/WSL
+ *
+ * TODO: delete this after some time has passed, and users have likely migrated their credentials over
+ */
+const removeKeytarCreds = async () => {
+    const keyContents = await keytar.findCredentials(OPAL_KEYTAR_CREDS_KEY);
+    keyContents === null || keyContents === void 0 ? void 0 : keyContents.forEach(credential => keytar.deletePassword(OPAL_KEYTAR_CREDS_KEY, credential.account));
+};
+const getKeytarCreds = async () => {
+    const keyContents = await keytar.findCredentials(OPAL_KEYTAR_CREDS_KEY);
+    if (!keyContents[0]) {
+        return undefined;
+    }
+    const { account, password } = keyContents[0];
+    const parts = account.split('|') || [];
+    return {
+        email: parts[0],
+        organizationID: parts[1],
+        clientIDCandidate: parts[2],
+        accessToken: password
+    };
+};
+class MigrateCreds extends core_1.Command {
+    async run() {
+        const creds = await getKeytarCreds();
+        if (!creds) {
+            this.log("No credentials found in system keystore that need to be migrated");
+            return;
+        }
+        (0, credentials_1.setOpalCredentials)(this, creds.email, creds.organizationID, creds.clientIDCandidate, creds.accessToken);
+        await removeKeytarCreds();
+        this.log("Successfully migrated credentials from system keystore to new store. You should now be able to use the CLI normally, without re-authenticating");
+    }
+}
+MigrateCreds.description = 'Migrates credentials from old keystore to new store. Should only need to be run once';
+MigrateCreds.flags = {
+    help: flags_1.SHARED_FLAGS.help,
+};
+exports.default = MigrateCreds;

package/lib/commands/postgres-instances/start.d.ts

@@ -1,14 +1,14 @@
-import { Command, flags } from '@oclif/command';
+import { Command } from '@oclif/core';
 export default class StartPostgresInstanceSession extends Command {
     static description: string;
     static examples: string[];
     static flags: {
-        help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
-        id: flags.IOptionFlag<string | undefined>;
-        accessLevelRemoteId: flags.IOptionFlag<string | undefined>;
-        sessionId: flags.IOptionFlag<string | undefined>;
-        refresh: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;
-        action: flags.IOptionFlag<string | undefined>;
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
+        id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        accessLevelRemoteId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+        action: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
     };
     run(): Promise<void>;
 }