opal-security 2.3.4 → 3.0.0

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (--version)
-opal-security/2.3.4 darwin-arm64 node-v18.19.0
+opal-security/3.0.0 darwin-arm64 node-v22.14.0
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -35,15 +35,16 @@ USAGE
 <!-- commands -->
 * [`opal autocomplete [SHELL]`](#opal-autocomplete-shell)
 * [`opal aws:identity`](#opal-awsidentity)
+* [`opal clear-auth-provider`](#opal-clear-auth-provider)
 * [`opal curl-example`](#opal-curl-example)
 * [`opal help [COMMANDS]`](#opal-help-commands)
 * [`opal iam-roles:start`](#opal-iam-rolesstart)
 * [`opal kube-roles:start`](#opal-kube-rolesstart)
 * [`opal login`](#opal-login)
 * [`opal logout`](#opal-logout)
-* [`opal migrate-creds`](#opal-migrate-creds)
 * [`opal postgres-instances:start`](#opal-postgres-instancesstart)
 * [`opal resources:get`](#opal-resourcesget)
+* [`opal set-auth-provider`](#opal-set-auth-provider)
 * [`opal set-custom-header`](#opal-set-custom-header)
 * [`opal set-token`](#opal-set-token)
 * [`opal set-url [URL]`](#opal-set-url-url)
@@ -99,7 +100,27 @@ EXAMPLES
   $ opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/aws/identity.ts)_
+
+## `opal clear-auth-provider`
+
+Clears the custom Issuer URL and Client ID set by set-airgap-auth, returning to the default.
+
+```
+USAGE
+  $ opal clear-auth-provider [-h]
+
+FLAGS
+  -h, --help  Show CLI help.
+
+DESCRIPTION
+  Clears the custom Issuer URL and Client ID set by set-airgap-auth, returning to the default.
+
+EXAMPLES
+  $ opal clear-auth-provider
+```
+
+_See code: [src/commands/clear-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/clear-auth-provider.ts)_
 
 ## `opal curl-example`
 
@@ -116,7 +137,7 @@ DESCRIPTION
   Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.
 ```
 
-_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/curl-example.ts)_
+_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/curl-example.ts)_
 
 ## `opal help [COMMANDS]`
 
@@ -124,10 +145,10 @@ Display help for opal.
 
 ```
 USAGE
-  $ opal help [COMMANDS] [-n]
+  $ opal help [COMMANDS...] [-n]
 
 ARGUMENTS
-  COMMANDS  Command to show help for.
+  COMMANDS...  Command to show help for.
 
 FLAGS
   -n, --nested-commands  Include all nested commands in the output.
@@ -166,7 +187,7 @@ EXAMPLES
   $ opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles:start`
 
@@ -197,7 +218,7 @@ EXAMPLES
   $ opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -218,7 +239,7 @@ EXAMPLES
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -238,24 +259,7 @@ EXAMPLES
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/logout.ts)_
-
-## `opal migrate-creds`
-
-Migrates credentials from old keystore to new store. Should only need to be run once
-
-```
-USAGE
-  $ opal migrate-creds [-h]
-
-FLAGS
-  -h, --help  Show CLI help.
-
-DESCRIPTION
-  Migrates credentials from old keystore to new store. Should only need to be run once
-```
-
-_See code: [src/commands/migrate-creds.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/migrate-creds.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/logout.ts)_
 
 ## `opal postgres-instances:start`
 
@@ -293,7 +297,7 @@ EXAMPLES
   $ opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/postgres-instances/start.ts)_
 
 ## `opal resources:get`
 
@@ -314,7 +318,33 @@ EXAMPLES
   $ opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/resources/get.ts)_
+
+## `opal set-auth-provider`
+
+Sets the Issuer URL and Client ID of the Auth Provider that the CLI will authenticate with.
+
+```
+USAGE
+  $ opal set-auth-provider --clientID <value> --issuerUrl <value> [-h]
+
+FLAGS
+  -h, --help               Show CLI help.
+      --clientID=<value>   (required) Client ID of your Auth Provider
+      --issuerUrl=<value>  (required) Issuer URL of your Auth Provider
+
+DESCRIPTION
+  Sets the Issuer URL and Client ID of the Auth Provider that the CLI will authenticate with.
+  Only use this if you are running a self-hosted, air-gapped instance of Opal that uses a custom Auth Provider.
+
+  Note - you will need an OIDC provider that supports the device_code grant.
+
+
+EXAMPLES
+  $ opal set-auth-provider --clientID 1234asdf --issuerUrl https://auth.example.com
+```
+
+_See code: [src/commands/set-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/set-auth-provider.ts)_
 
 ## `opal set-custom-header`
 
@@ -335,7 +365,7 @@ EXAMPLES
   $ opal set-custom-header --header 'cf-access-token: $TOKEN'
 ```
 
-_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/set-custom-header.ts)_
+_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/set-custom-header.ts)_
 
 ## `opal set-token`
 
@@ -355,7 +385,7 @@ EXAMPLES
   $ opal set-token
 ```
 
-_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/set-token.ts)_
+_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/set-token.ts)_
 
 ## `opal set-url [URL]`
 
@@ -379,7 +409,7 @@ EXAMPLES
   $ opal set-url
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/set-url.ts)_
 
 ## `opal ssh:copyFrom`
 
@@ -410,7 +440,7 @@ EXAMPLES
   $ opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh:copyTo`
 
@@ -441,7 +471,7 @@ EXAMPLES
   $ opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh:start`
 
@@ -468,7 +498,7 @@ EXAMPLES
   $ opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.0/src/commands/ssh/start.ts)_
 
 ## `opal version`
 

package/lib/commands/{migrate-creds.d.ts → clear-auth-provider.d.ts}

@@ -1,6 +1,7 @@
 import { Command } from '@oclif/core';
-export default class MigrateCreds extends Command {
+export default class ClearAuthProvider extends Command {
     static description: string;
+    static examples: string[];
     static flags: {
         help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
     };

package/lib/commands/clear-auth-provider.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const config_1 = require("../lib/config");
+const credentials_1 = require("../lib/credentials");
+const flags_1 = require("../lib/flags");
+class ClearAuthProvider extends core_1.Command {
+    async run() {
+        try {
+            const { flags, args } = await this.parse(ClearAuthProvider);
+            const configData = (0, config_1.getOrCreateConfigData)(this.config.configDir);
+            configData.issuerURL = null;
+            configData.clientID = null;
+            (0, config_1.writeConfigData)(this.config.configDir, configData);
+            await (0, credentials_1.removeOpalCredentials)(this);
+            this.log('Client ID and Issuer URL reset to defaults');
+        }
+        catch (error) {
+            this.error(error);
+        }
+    }
+}
+ClearAuthProvider.description = `Clears the custom Issuer URL and Client ID set by set-airgap-auth, returning to the default.`;
+ClearAuthProvider.examples = ['$ opal clear-auth-provider'];
+ClearAuthProvider.flags = {
+    help: flags_1.SHARED_FLAGS.help,
+};
+exports.default = ClearAuthProvider;

package/lib/commands/curl-example.js

@@ -7,15 +7,22 @@ const flags_1 = require("../lib/flags");
 class CurlExample extends core_1.Command {
     async run() {
         const opalCreds = await (0, credentials_1.getOpalCredentials)(this);
-        const accessToken = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.accessToken;
+        const secret = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.secret;
         const organizationID = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.organizationID;
         const configData = (0, config_1.getOrCreateConfigData)(this.config.configDir);
         const url = configData[config_1.urlKey];
+        let authStr = '';
+        if (opalCreds.secretType === credentials_1.SecretType.ApiToken) {
+            authStr = `Authorization: Bearer ${secret}`;
+        }
+        else {
+            authStr = `Cookie: ${secret}`;
+        }
         this.log(`
 curl -v ${url}/query \\
   --data-binary '{"query":"query ListSSHSessions {resources(input: {serviceType: SSH, onlyMine: true}) {... on ResourcesResult { resources { name } } } }"}' \\
   --header "Content-Type: application/json" \\
-  --header "Authorization: Bearer ${accessToken}" \\
+  --header "${authStr}" \\
   --header "X-Opal-Organization-ID: ${organizationID}"
 `);
     }

package/lib/commands/login.d.ts

@@ -2,6 +2,7 @@ import { Command } from '@oclif/core';
 export declare const CLISignInMethodName = "CLISignInMethod";
 export declare const CLIAuthSessionCheckName = "CLIAuthSessionCheck";
 export declare const CLIAuthSessionCheckDocument = "\nquery CLIAuthSessionCheck {\n  organizationSettings {\n      ... on OrganizationSettingsResult {\n        settings {\n          id\n        }\n      }\n  }\n}\n";
+export declare const CLITokenExchangeName = "CLITokenExchange";
 export default class Login extends Command {
     static description: string;
     static examples: string[];

package/lib/commands/login.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CLIAuthSessionCheckDocument = exports.CLIAuthSessionCheckName = exports.CLISignInMethodName = void 0;
+exports.CLITokenExchangeName = exports.CLIAuthSessionCheckDocument = exports.CLIAuthSessionCheckName = exports.CLISignInMethodName = void 0;
 const core_1 = require("@oclif/core");
 const open = require("open");
 const openid_client_1 = require("openid-client");
@@ -54,9 +54,33 @@ query CLIAuthSessionCheck {
   }
 }
 `;
+const SignInDocument = `
+mutation SignIn($input: SignInInput!) {
+  signIn(input: $input) {
+    __typename
+    ... on SignInResult {
+      state
+      forceExtraStep
+      authURL
+      __typename
+    }
+  }
+}
+`;
+exports.CLITokenExchangeName = 'CLITokenExchange';
+const CLITokenExchangeDocument = `
+mutation CLITokenExchange($input: CLITokenExchangeInput!) {
+  cliTokenExchange(input: $input) {
+    __typename
+    ... on CLITokenExchangeOutput {
+      sessionID
+    }
+  }
+}
+`;
 class Login extends core_1.Command {
     async run() {
-        var _a, _b, _c, _d, _e, _f, _g;
+        var _a, _b, _c, _d, _e, _f, _g, _h;
         try {
             await (0, apollo_1.initClient)(this, false);
             const { flags } = await this.parse(Login);
@@ -64,13 +88,13 @@ class Login extends core_1.Command {
             const configData = (0, config_1.getOrCreateConfigData)(configDir);
             let email = flags.email;
             let organizationID;
-            let clientIdCandidate;
+            let clientIDCandidate;
             const existingCreds = await (0, credentials_1.getOpalCredentials)(this, false);
             // Only use the previous email + organizationID if email isn't explicitly specified.
             if (!email) {
                 email = existingCreds.email;
                 organizationID = existingCreds.organizationID;
-                clientIdCandidate = existingCreds.clientIDCandidate;
+                clientIDCandidate = existingCreds.clientIDCandidate;
             }
             await (0, credentials_1.removeOpalCredentials)(this);
             this.log('Welcome to Opal! ⚡️\n');
@@ -118,7 +142,7 @@ class Login extends core_1.Command {
                 if (signInOrganizations && signInOrganizations.length > 0) {
                     if (signInOrganizations.length === 1) {
                         organizationID = signInOrganizations[0].organizationId;
-                        clientIdCandidate = signInOrganizations[0].cliClientId;
+                        clientIDCandidate = signInOrganizations[0].cliClientId;
                     }
                     else {
                         const responses = await inquirer.prompt([{
@@ -131,7 +155,7 @@ class Login extends core_1.Command {
                                 })),
                             }]);
                         organizationID = responses.signInOrganization.organizationId;
-                        clientIdCandidate = responses.signInOrganization.cliClientId;
+                        clientIDCandidate = responses.signInOrganization.cliClientId;
                     }
                 }
                 else {
@@ -139,27 +163,44 @@ class Login extends core_1.Command {
                     // which is parity with our web app.
                 }
             }
+            const { resp: signInResp } = await (0, handler_1.runMutation)({
+                command: this,
+                query: SignInDocument,
+                variables: {
+                    input: { organizationId: organizationID },
+                },
+            });
+            const state = (_e = signInResp === null || signInResp === void 0 ? void 0 : signInResp.data.signIn) === null || _e === void 0 ? void 0 : _e.state;
             let issuer;
-            if ((0, config_1.isProduction)(this.config.configDir)) {
+            // issuerURL may come from configData if set by set-airgap-auth
+            if (!!configData.issuerURL) {
+                issuer = await openid_client_1.Issuer.discover(configData.issuerURL);
+            }
+            else if ((0, config_1.isProduction)(this.config.configDir)) {
                 issuer = await openid_client_1.Issuer.discover(ISSUER_PROD);
             }
             else {
                 issuer = await openid_client_1.Issuer.discover(ISSUER_DEV);
             }
-            let clientId;
-            if (clientIdCandidate) {
-                clientId = clientIdCandidate;
+            let clientID;
+            if (clientIDCandidate) {
+                // clientIdCandidate gets stored in creds, and is mostly relevant for on-prem envs using Auth0 and SAML
+                clientID = clientIDCandidate;
+            }
+            else if (!!configData.clientID) {
+                // clientID may come from configData if set by set-airgap-auth
+                clientID = configData.clientID;
             }
             else if ((0, config_1.isProduction)(this.config.configDir)) {
-                clientId = CLIENT_ID_PROD;
+                clientID = CLIENT_ID_PROD;
             }
             else {
-                clientId = CLIENT_ID_DEV;
+                clientID = CLIENT_ID_DEV;
             }
             /* eslint-disable camelcase */
             const client = new issuer.Client({
                 grant_types: [GRANT_TYPE],
-                client_id: clientId,
+                client_id: clientID,
                 response_types: [],
                 redirect_uris: [],
                 token_endpoint_auth_method: 'none',
@@ -177,23 +218,34 @@ class Login extends core_1.Command {
             await (0, util_1.sleep)(1000);
             await open(handle.verification_uri_complete, { wait: false });
             const tokenSet = await handle.poll();
-            const userInfo = await client.userinfo(tokenSet);
-            let account = (userInfo.email || 'unset-email') + '|' + organizationID;
-            if (clientIdCandidate) {
-                // Save the clientIdCandidate only when SAML is set up for the org.
-                account = account + '|' + clientIdCandidate;
+            const { error: tokenExchangeError } = await (0, handler_1.runMutation)({
+                command: this,
+                query: CLITokenExchangeDocument,
+                variables: {
+                    input: {
+                        accessToken: tokenSet === null || tokenSet === void 0 ? void 0 : tokenSet.access_token,
+                        state,
+                    },
+                },
+            });
+            if (tokenExchangeError) {
+                this.log("WARN: Failed to exchange access token for session in Opal. Falling back to using access token for authenticating requests\n");
+                // TODO: consider adding a warn line recommending upgrading Opal to version XYZ, once accompanying PR is pushed to prod
+                await (0, credentials_1.setOpalCredentials)(this, email, organizationID, clientIDCandidate, (tokenSet === null || tokenSet === void 0 ? void 0 : tokenSet.access_token) || '', credentials_1.SecretType.ApiToken);
+            }
+            else {
+                await (0, credentials_1.setOpalCredentials)(this, email, organizationID, clientIDCandidate, apollo_1.cookieStr, credentials_1.SecretType.Cookie);
             }
-            await (0, credentials_1.setOpalCredentials)(this, userInfo.email, organizationID, clientIdCandidate, (tokenSet === null || tokenSet === void 0 ? void 0 : tokenSet.access_token) || '');
             // "Representative" authenticated call to check the log-in worked as expected.
             const { resp: authCheckResp, error: authCheckErr } = await (0, handler_1.runQuery)({
                 command: this,
                 query: exports.CLIAuthSessionCheckDocument,
                 variables: {},
             });
-            if (authCheckErr || !((_g = (_f = (_e = authCheckResp === null || authCheckResp === void 0 ? void 0 : authCheckResp.data) === null || _e === void 0 ? void 0 : _e.organizationSettings) === null || _f === void 0 ? void 0 : _f.settings) === null || _g === void 0 ? void 0 : _g.id)) {
+            if (authCheckErr || !((_h = (_g = (_f = authCheckResp === null || authCheckResp === void 0 ? void 0 : authCheckResp.data) === null || _f === void 0 ? void 0 : _f.organizationSettings) === null || _g === void 0 ? void 0 : _g.settings) === null || _h === void 0 ? void 0 : _h.id)) {
                 this.log('Error verifying log in. Authenticated commands may fail. Please double check your URL and use `opal logout; opal login` to try again.\n');
                 await (0, credentials_1.removeOpalCredentials)(this);
-                (0, apollo_1.handleError)(this, authCheckErr);
+                process.exit(1);
             }
             this.log('🎉 You have successfully authenticated with Opal! You can now run authenticated commands.\n');
         }

package/lib/commands/set-auth-provider.d.ts

@@ -0,0 +1,11 @@
+import { Command } from '@oclif/core';
+export default class SetAuthProvider extends Command {
+    static description: string;
+    static examples: string[];
+    static flags: {
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
+        clientID: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+        issuerUrl: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/lib/commands/set-auth-provider.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const config_1 = require("../lib/config");
+const credentials_1 = require("../lib/credentials");
+const flags_1 = require("../lib/flags");
+class SetAuthProvider extends core_1.Command {
+    async run() {
+        try {
+            const { flags, args } = await this.parse(SetAuthProvider);
+            const configData = (0, config_1.getOrCreateConfigData)(this.config.configDir);
+            configData.issuerURL = flags.issuerUrl;
+            configData.clientID = flags.clientID;
+            (0, config_1.writeConfigData)(this.config.configDir, configData);
+            await (0, credentials_1.removeOpalCredentials)(this);
+            this.log('Client ID and Issuer URL updated');
+        }
+        catch (error) {
+            this.error(error);
+        }
+    }
+}
+SetAuthProvider.description = `Sets the Issuer URL and Client ID of the Auth Provider that the CLI will authenticate with.
+  Only use this if you are running a self-hosted, air-gapped instance of Opal that uses a custom Auth Provider.
+
+  Note - you will need an OIDC provider that supports the device_code grant.
+  `;
+SetAuthProvider.examples = ['$ opal set-auth-provider --clientID 1234asdf --issuerUrl https://auth.example.com'];
+SetAuthProvider.flags = {
+    help: flags_1.SHARED_FLAGS.help,
+    clientID: core_1.Flags.string({
+        multiple: false,
+        description: "Client ID of your Auth Provider",
+        required: true
+    }),
+    issuerUrl: core_1.Flags.string({
+        multiple: false,
+        description: "Issuer URL of your Auth Provider",
+        required: true
+    }),
+};
+exports.default = SetAuthProvider;

package/lib/commands/set-token.js

@@ -24,7 +24,7 @@ class SetToken extends core_1.Command {
             let email;
             let organizationID;
             const existingCreds = await (0, credentials_1.getOpalCredentials)(this, false);
-            await (0, credentials_1.setOpalCredentials)(this, existingCreds === null || existingCreds === void 0 ? void 0 : existingCreds.email, (existingCreds === null || existingCreds === void 0 ? void 0 : existingCreds.organizationID) || 'unset-org-id', existingCreds === null || existingCreds === void 0 ? void 0 : existingCreds.clientIDCandidate, apiToken || '');
+            await (0, credentials_1.setOpalCredentials)(this, existingCreds === null || existingCreds === void 0 ? void 0 : existingCreds.email, (existingCreds === null || existingCreds === void 0 ? void 0 : existingCreds.organizationID) || 'unset-org-id', existingCreds === null || existingCreds === void 0 ? void 0 : existingCreds.clientIDCandidate, apiToken || '', credentials_1.SecretType.ApiToken);
             // "Representative" authenticated call to check the log-in worked as expected.
             const { resp: authCheckResp, error: authCheckErr } = await (0, handler_1.runQuery)({
                 command: this,

package/lib/lib/apollo.d.ts

@@ -1,6 +1,7 @@
 import { ApolloClient, NormalizedCacheObject } from '@apollo/client/core';
 import { Command } from '@oclif/core';
 export declare let client: ApolloClient<NormalizedCacheObject> | null;
+export declare let cookieStr: string;
 export declare const printResponse: (command: Command, resp: any) => void;
 export declare const handleError: (command: Command, err: any, resp?: any) => void;
 export declare const initClient: (command: Command, fetchAccessToken?: boolean) => Promise<void>;

package/lib/lib/apollo.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.initClient = exports.handleError = exports.printResponse = exports.client = void 0;
+exports.initClient = exports.handleError = exports.printResponse = exports.cookieStr = exports.client = void 0;
 const core_1 = require("@apollo/client/core");
 const context_1 = require("@apollo/client/link/context");
 const error_1 = require("@apollo/client/link/error");
@@ -16,7 +16,9 @@ const fetch = require('node-fetch');
 const https = require('https');
 const http = require('http');
 exports.client = null;
-let alreadyNotifiedRecommendedVersion = false;
+// This is used to keep track of the auth-session cookie during login, before we can persist it into the credential store
+exports.cookieStr = '';
+let alreadyWarnedAboutVersion = false;
 const printResponse = (command, resp) => {
     const filteredJson = JSON.parse(JSON.stringify(resp.data, (k, v) => {
         if (k === '__typename' || v === null || (Array.isArray(v) && v.length === 0)) {
@@ -57,7 +59,6 @@ const initClient = async (command, fetchAccessToken = true) => {
     const currentCLIVersion = command.config.version;
     const configData = (0, config_1.getOrCreateConfigData)(configDir);
     const opalCreds = await (0, credentials_1.getOpalCredentials)(command, fetchAccessToken);
-    const accessToken = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.accessToken;
     const organizationID = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.organizationID;
     const httpsAgent = new https.Agent({
         rejectUnauthorized: !configData[config_1.allowSelfSignedCertsKey],
@@ -74,13 +75,21 @@ const initClient = async (command, fetchAccessToken = true) => {
     const agent = specifiedUrl.includes('https') ? httpsAgent : httpAgent;
     const httpLink = (0, core_1.createHttpLink)({
         uri: `${specifiedUrl}/query`,
+        credentials: 'include',
         fetch,
         fetchOptions: {
             agent: agent,
+            credentials: 'include'
         },
     });
     const authLink = (0, context_1.setContext)((_, { headers }) => {
-        const baseHeaders = Object.assign(Object.assign({}, headers), { authorization: `Bearer ${accessToken}`, 'X-Opal-Organization-ID': organizationID, 'X-Opal-Cli-Version': currentCLIVersion });
+        const baseHeaders = Object.assign(Object.assign({}, headers), { 'User-Agent': `Opal CLI v${currentCLIVersion}`, 'X-Opal-Organization-ID': organizationID, 'X-Opal-Cli-Version': currentCLIVersion });
+        if (opalCreds.secretType === credentials_1.SecretType.ApiToken) {
+            baseHeaders.authorization = `Bearer ${opalCreds.secret}`;
+        }
+        else if (!!opalCreds.secret || !!exports.cookieStr) {
+            baseHeaders.cookie = opalCreds.secret || exports.cookieStr;
+        }
         if (customHeaderKey) {
             return {
                 headers: Object.assign(Object.assign({}, baseHeaders), { [customHeaderKey]: customHeaderValue }),
@@ -90,33 +99,46 @@ const initClient = async (command, fetchAccessToken = true) => {
             headers: Object.assign({}, baseHeaders),
         };
     });
+    /**
+     * How this check actually works:
+     * - no hard fails throughout, just warns
+     * - Looks for an 'expected CLI major version' header from the backend, and:
+     *   - if CLI version is < that, warns you need to upgrade CLI
+     *   - if CLI version is > that, warns you need to upgrade Opal
+     * - also, if there's a 'recommended version' header and CLI version is less, just suggests that you upgrade your CLI
+     *   - note the backend does not currently send this header)
+     */
     const checkCLIVersion = (operation) => {
         var _a;
         const headers = (_a = operation.getContext().response) === null || _a === void 0 ? void 0 : _a.headers;
-        if (headers) {
+        if (!alreadyWarnedAboutVersion && headers) {
+            // we expect these versions to be a single number - a major version
             const expectedCLIMajorVersion = headers.get('Opal-CLI-Expected-Major-Version');
-            if (expectedCLIMajorVersion) {
+            if (expectedCLIMajorVersion && expectedCLIMajorVersion.match(/^\d+$/)) {
                 const semverExpectedMinCLIVersion = `${expectedCLIMajorVersion}.0.0`;
                 if ((0, semver_1.major)(currentCLIVersion) < (0, semver_1.major)(semverExpectedMinCLIVersion)) {
-                    command.warn(chalk_1.default.yellow(`
+                    command.log(chalk_1.default.yellow(`
 ❗️ Your CLI is outdated and is incompatible with your Opal server.
    Expected major version ${chalk_1.default.blueBright(semverExpectedMinCLIVersion)}, but version ${chalk_1.default.blueBright(currentCLIVersion)} is installed.
    Upgrade using the following command: ${chalk_1.default.blueBright('brew upgrade opalsecurity/brew/opal-security')}\n`));
+                    alreadyWarnedAboutVersion = true;
                 }
                 else if ((0, semver_1.major)(currentCLIVersion) > (0, semver_1.major)(semverExpectedMinCLIVersion)) {
-                    command.warn(chalk_1.default.yellow(`
+                    command.log(chalk_1.default.yellow(`
 ❗️ Uh oh! The currently installed Opal server is outdated. Please contact your Opal admins to let them know they need to upgrade their deployment.\n`));
+                    alreadyWarnedAboutVersion = true;
                 }
             }
-            if (!alreadyNotifiedRecommendedVersion) {
-                const recommendedCLIMinorVersion = headers.get('Opal-CLI-Recommended-Version');
-                if (recommendedCLIMinorVersion && (0, semver_1.compare)(currentCLIVersion, recommendedCLIMinorVersion) < 0) {
+            const recommendedCLIMajorVersion = headers.get('Opal-CLI-Recommended-Version');
+            if (recommendedCLIMajorVersion && recommendedCLIMajorVersion.match(/^\d+$/)) {
+                const recommendedSemverString = `${recommendedCLIMajorVersion}.0.0`;
+                if (recommendedSemverString && (0, semver_1.major)(currentCLIVersion) < (0, semver_1.major)(recommendedSemverString)) {
                     command.log(chalk_1.default.yellow(`
 ❗️ Opal recommends that you upgrade your CLI.
-   Recommended version >=${chalk_1.default.blueBright(recommendedCLIMinorVersion)}, but version ${chalk_1.default.blueBright(currentCLIVersion)} is installed.
-   Upgrade using the following command: ${chalk_1.default.blueBright('brew upgrade opalsecurity/brew/opal-security')}\n`));
+  Recommended version >=${chalk_1.default.blueBright(recommendedSemverString)}, but version ${chalk_1.default.blueBright(currentCLIVersion)} is installed.
+  Upgrade using the following command: ${chalk_1.default.blueBright('brew upgrade opalsecurity/brew/opal-security')}\n`));
                 }
-                alreadyNotifiedRecommendedVersion = true;
+                alreadyWarnedAboutVersion = true;
             }
         }
     };
@@ -128,15 +150,18 @@ const initClient = async (command, fetchAccessToken = true) => {
     });
     const errorLink = (0, error_1.onError)(({ networkError, operation }) => {
         var _a;
-        if (operation.operationName === login_1.CLIAuthSessionCheckName) {
-            // These operations are triggered after the user just called `opal login` or `opal set-token`,
-            // so we have special handling if they fail and we don't want to trigger an automatic redirect
-            // to the login screen again.
-            return;
-        }
-        if (operation.operationName === login_1.CLISignInMethodName) {
-            // We have special handling for this operation due to the fact that the backend version
+        // There's a few GQL operations where we don't want to use this error handler:
+        const customErrorOperations = [
+            // This is triggered just after the user called `opal login` or `opal set-token`, and has
+            // special handling if they fail, so we don't trigger an automatic re-login
+            login_1.CLIAuthSessionCheckName,
+            // This has special error handling to fall back to an older auth method that uses the OAuth access token
+            login_1.CLITokenExchangeName,
+            // This has special error handling due to the fact that the backend version
             // can be out of date and not include the new cliClientId field.
+            login_1.CLISignInMethodName,
+        ];
+        if (customErrorOperations.includes(operation.operationName)) {
             return;
         }
         if (networkError && 'statusCode' in networkError) {
@@ -170,11 +195,25 @@ const initClient = async (command, fetchAccessToken = true) => {
             }
         }
     });
+    // Parses our auth-session cookie out of the Set-Cookie response header, saving it locally so we can use it for future requests
+    const preserveCookiesLink = new core_1.ApolloLink((operation, forward) => {
+        return forward(operation).map(response => {
+            var _a, _b, _c, _d;
+            const cookieHeaderStr = (_c = (_b = (_a = operation.getContext().response) === null || _a === void 0 ? void 0 : _a.headers) === null || _b === void 0 ? void 0 : _b.get('Set-Cookie')) !== null && _c !== void 0 ? _c : '';
+            const authSessionCookie = (_d = cookieHeaderStr.match(/auth-session=[^;]+;/)) === null || _d === void 0 ? void 0 : _d[0];
+            if (!!authSessionCookie) {
+                exports.cookieStr = authSessionCookie;
+            }
+            return response;
+        });
+    });
     let link = authLink.concat(httpLink);
     link = checkCLIVersionLink.concat(link);
+    link = preserveCookiesLink.concat(link);
     link = errorLink.concat(link);
     exports.client = new core_1.ApolloClient({
         link: link,
+        credentials: 'include',
         cache: new core_1.InMemoryCache(),
     });
 };

package/lib/lib/config.js

@@ -47,9 +47,8 @@ const isProduction = (configDir) => {
     const configData = (0, exports.getOrCreateConfigData)(configDir);
     // Custom URLs are considered production since it includes on-prem
     return configData[exports.urlKey] !== 'https://dev.opal.dev' &&
-        configData[exports.urlKey] !== 'http://localhost:3000' &&
-        configData[exports.urlKey] !== 'http://localhost:4000' &&
         configData[exports.urlKey] !== 'https://demo.opal.dev' &&
-        configData[exports.urlKey] !== 'https://staging.opal.dev';
+        configData[exports.urlKey] !== 'https://staging.opal.dev' &&
+        !configData[exports.urlKey].match(/https?:\/\/localhost/);
 };
 exports.isProduction = isProduction;

package/lib/lib/credentials/index.d.ts

@@ -3,9 +3,14 @@ interface OpalCredentials {
     email?: string;
     organizationID?: string;
     clientIDCandidate?: string;
-    accessToken?: string;
+    secret?: string;
+    secretType?: SecretType;
 }
-export declare const setOpalCredentials: (command: Command, email: string | undefined, organizationID: string, clientIDCandidate: string | undefined | null, accessToken: string) => Promise<void>;
-export declare const getOpalCredentials: (command: Command, includeAccessToken?: boolean) => Promise<OpalCredentials>;
+export declare enum SecretType {
+    Cookie = "COOKIE",
+    ApiToken = "API_TOKEN"
+}
+export declare const setOpalCredentials: (command: Command, email: string | undefined, organizationID: string, clientIDCandidate: string | undefined | null, secret: string, secretType: SecretType) => Promise<void>;
+export declare const getOpalCredentials: (command: Command, includeAuthSecret?: boolean) => Promise<OpalCredentials>;
 export declare const removeOpalCredentials: (command: Command) => Promise<void>;
 export {};

package/lib/lib/credentials/index.js

@@ -1,41 +1,52 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.removeOpalCredentials = exports.getOpalCredentials = exports.setOpalCredentials = void 0;
+exports.removeOpalCredentials = exports.getOpalCredentials = exports.setOpalCredentials = exports.SecretType = void 0;
 const config_1 = require("../config");
 const keychain_1 = require("./keychain");
 const localEncryption_1 = require("./localEncryption");
-const setOpalCredentials = async (command, email, organizationID, clientIDCandidate, accessToken) => {
+var SecretType;
+(function (SecretType) {
+    SecretType["Cookie"] = "COOKIE";
+    SecretType["ApiToken"] = "API_TOKEN";
+})(SecretType || (exports.SecretType = SecretType = {}));
+const setOpalCredentials = async (command, email, organizationID, clientIDCandidate, secret, secretType) => {
     email = email || 'email-unset';
     const configData = (0, config_1.getOrCreateConfigData)(command.config.configDir);
     configData.creds = {
         clientIDCandidate,
         email,
         organizationID,
+        secretType
     };
     (0, config_1.writeConfigData)(command.config.configDir, configData);
     if (process.platform === "darwin") {
-        await (0, keychain_1.setTokenInKeychain)(email, accessToken);
+        await (0, keychain_1.setSecretInKeychain)(email, secret);
     }
     else {
-        await (0, localEncryption_1.setTokenInConfig)(command, configData, accessToken);
+        await (0, localEncryption_1.setSecretInConfig)(command, configData, secret);
     }
 };
 exports.setOpalCredentials = setOpalCredentials;
-const getOpalCredentials = async (command, includeAccessToken = true) => {
+const getOpalCredentials = async (command, includeAuthSecret = true) => {
     var _a, _b;
     let creds = (_b = (_a = (0, config_1.getOrCreateConfigData)(command.config.configDir)) === null || _a === void 0 ? void 0 : _a.creds) !== null && _b !== void 0 ? _b : {};
-    if (!includeAccessToken) {
+    if (!includeAuthSecret) {
         return creds;
     }
-    let accessToken = null;
+    let secret = null;
     if (process.platform === "darwin") {
-        accessToken = await (0, keychain_1.getTokenFromKeychain)((creds === null || creds === void 0 ? void 0 : creds.email) || 'email-unset');
+        secret = await (0, keychain_1.getSecretFromKeychain)((creds === null || creds === void 0 ? void 0 : creds.email) || 'email-unset');
     }
     else {
-        accessToken = await (0, localEncryption_1.getTokenFromConfig)(creds);
+        secret = await (0, localEncryption_1.getSecretFromConfig)(creds);
     }
-    if (accessToken) {
-        creds.accessToken = accessToken;
+    if (secret) {
+        creds.secret = secret;
+        // This is a fallback for users with stored credentials from before we converted to session auth with the CLITokenExchange mutation
+        // It will allow them to continue authenticating with an access token in an Authorization header, which will work until we remove support for that
+        if (!creds.secretType) {
+            creds.secretType = SecretType.ApiToken;
+        }
     }
     return creds;
 };
@@ -49,7 +60,7 @@ const removeOpalCredentials = async (command) => {
     (0, config_1.writeConfigData)(command.config.configDir, configData);
     // but on OSX, we need an extra step to delete the token from the keychain
     if (process.platform === "darwin") {
-        await (0, keychain_1.deleteTokenFromKeychain)(email);
+        await (0, keychain_1.deleteSecretFromKeychain)(email);
     }
 };
 exports.removeOpalCredentials = removeOpalCredentials;

package/lib/lib/credentials/keychain.d.ts

@@ -1,3 +1,3 @@
-export declare const setTokenInKeychain: (email: string, accessToken: string) => Promise<void>;
-export declare const getTokenFromKeychain: (email: string) => Promise<string>;
-export declare const deleteTokenFromKeychain: (email: string) => Promise<void>;
+export declare const setSecretInKeychain: (email: string, secret: string) => Promise<void>;
+export declare const getSecretFromKeychain: (email: string) => Promise<string>;
+export declare const deleteSecretFromKeychain: (email: string) => Promise<void>;

package/lib/lib/credentials/keychain.js

@@ -1,12 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.deleteTokenFromKeychain = exports.getTokenFromKeychain = exports.setTokenInKeychain = void 0;
+exports.deleteSecretFromKeychain = exports.getSecretFromKeychain = exports.setSecretInKeychain = void 0;
 const keychain = require("keychain");
 const OPAL_KEYCHAIN_SERVICE = 'opal-cli';
 // On OSX, we can easily work with the system Keychain to store the access token.
-const setTokenInKeychain = async (email, accessToken) => {
+const setSecretInKeychain = async (email, secret) => {
     return new Promise((resolve, reject) => {
-        keychain.setPassword({ account: email, service: OPAL_KEYCHAIN_SERVICE, password: accessToken }, function (err) {
+        keychain.setPassword({ account: email, service: OPAL_KEYCHAIN_SERVICE, password: secret }, function (err) {
             if (err) {
                 reject(err);
             }
@@ -16,8 +16,8 @@ const setTokenInKeychain = async (email, accessToken) => {
         });
     });
 };
-exports.setTokenInKeychain = setTokenInKeychain;
-const getTokenFromKeychain = async (email) => {
+exports.setSecretInKeychain = setSecretInKeychain;
+const getSecretFromKeychain = async (email) => {
     return new Promise((resolve, reject) => {
         keychain.getPassword({ account: email, service: OPAL_KEYCHAIN_SERVICE }, function (err, password) {
             if (err && (err === null || err === void 0 ? void 0 : err.type) !== 'PasswordNotFoundError') {
@@ -29,8 +29,8 @@ const getTokenFromKeychain = async (email) => {
         });
     });
 };
-exports.getTokenFromKeychain = getTokenFromKeychain;
-const deleteTokenFromKeychain = async (email) => {
+exports.getSecretFromKeychain = getSecretFromKeychain;
+const deleteSecretFromKeychain = async (email) => {
     return new Promise((resolve) => {
         keychain.deletePassword({ service: OPAL_KEYCHAIN_SERVICE, account: email }, function () {
             // we might get errors here if the password doesn't exist, which we want to swallow
@@ -38,4 +38,4 @@ const deleteTokenFromKeychain = async (email) => {
         });
     });
 };
-exports.deleteTokenFromKeychain = deleteTokenFromKeychain;
+exports.deleteSecretFromKeychain = deleteSecretFromKeychain;

package/lib/lib/credentials/localEncryption.d.ts

@@ -1,3 +1,3 @@
 import { Command } from '@oclif/core';
-export declare const setTokenInConfig: (command: Command, configData: Record<string, any>, accessToken: string) => Promise<void>;
-export declare const getTokenFromConfig: (credsConfig: Record<string, any>) => Promise<string | undefined>;
+export declare const setSecretInConfig: (command: Command, configData: Record<string, any>, secret: string) => Promise<void>;
+export declare const getSecretFromConfig: (credsConfig: Record<string, any>) => Promise<string | undefined>;

package/lib/lib/credentials/localEncryption.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getTokenFromConfig = exports.setTokenInConfig = void 0;
+exports.getSecretFromConfig = exports.setSecretInConfig = void 0;
 const inquirer = require("inquirer");
 const argon2 = require("argon2");
 const crypto_1 = require("crypto");
@@ -28,7 +28,7 @@ const promptForPassword = async (msg) => {
     ]);
     return customKey;
 };
-const setTokenInConfig = async (command, configData, accessToken) => {
+const setSecretInConfig = async (command, configData, secret) => {
     if (!password) {
         password = await promptForPassword('Enter a password to encrypt your credentials: ');
     }
@@ -36,20 +36,20 @@ const setTokenInConfig = async (command, configData, accessToken) => {
     const key = await argon2.hash(password, { hashLength: 32, raw: true, salt: salt });
     const iv = (0, crypto_1.randomBytes)(12);
     const cipher = (0, crypto_1.createCipheriv)(ENCRYPTION_ALGORITHM, key, iv);
-    let accessTokenEncrypted = cipher.update(accessToken, 'utf8', 'base64');
-    accessTokenEncrypted += cipher.final('base64');
+    let secretEncrypted = cipher.update(secret, 'utf8', 'base64');
+    secretEncrypted += cipher.final('base64');
     // In addition to storing the encrypted text, we need to store the argon2 salt, and AES authTag + IV so we can decrypt
     configData.creds.accessTokenDetails = {
-        encryptedText: accessTokenEncrypted,
+        encryptedText: secretEncrypted,
         authTag: cipher.getAuthTag().toString('base64'),
         salt: salt.toString('base64'),
         iv: iv.toString('base64')
     };
     (0, config_1.writeConfigData)(command.config.configDir, configData);
 };
-exports.setTokenInConfig = setTokenInConfig;
-const getTokenFromConfig = async (credsConfig) => {
-    let accessToken;
+exports.setSecretInConfig = setSecretInConfig;
+const getSecretFromConfig = async (credsConfig) => {
+    let secret;
     if (credsConfig === null || credsConfig === void 0 ? void 0 : credsConfig.accessTokenDetails) {
         if (!password) {
             password = await promptForPassword('Enter the password used to encrypt your credentials: ');
@@ -60,8 +60,8 @@ const getTokenFromConfig = async (credsConfig) => {
         try {
             const decipher = (0, crypto_1.createDecipheriv)(ENCRYPTION_ALGORITHM, key, iv);
             decipher.setAuthTag(Buffer.from(credsConfig.accessTokenDetails.authTag, 'base64'));
-            accessToken = decipher.update(credsConfig.accessTokenDetails.encryptedText, 'base64', 'utf8');
-            accessToken += decipher.final('utf8');
+            secret = decipher.update(credsConfig.accessTokenDetails.encryptedText, 'base64', 'utf8');
+            secret += decipher.final('utf8');
         }
         catch (error) {
             console.error("ERROR: Failed to decrypt local credentials.\n" +
@@ -70,6 +70,6 @@ const getTokenFromConfig = async (credsConfig) => {
         }
         delete credsConfig.accessTokenDetails;
     }
-    return accessToken;
+    return secret;
 };
-exports.getTokenFromConfig = getTokenFromConfig;
+exports.getSecretFromConfig = getSecretFromConfig;

package/oclif.manifest.json

@@ -1,5 +1,36 @@
 {
   "commands": {
+    "clear-auth-provider": {
+      "aliases": [],
+      "args": {},
+      "description": "Clears the custom Issuer URL and Client ID set by set-airgap-auth, returning to the default.",
+      "examples": [
+        "$ opal clear-auth-provider"
+      ],
+      "flags": {
+        "help": {
+          "char": "h",
+          "description": "Show CLI help.",
+          "name": "help",
+          "allowNo": false,
+          "type": "boolean"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "clear-auth-provider",
+      "pluginAlias": "opal-security",
+      "pluginName": "opal-security",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": false,
+      "isESM": false,
+      "relativePath": [
+        "lib",
+        "commands",
+        "clear-auth-provider.js"
+      ]
+    },
     "curl-example": {
       "aliases": [],
       "args": {},
@@ -97,10 +128,13 @@
         "logout.js"
       ]
     },
-    "migrate-creds": {
+    "set-auth-provider": {
       "aliases": [],
       "args": {},
-      "description": "Migrates credentials from old keystore to new store. Should only need to be run once",
+      "description": "Sets the Issuer URL and Client ID of the Auth Provider that the CLI will authenticate with.\n  Only use this if you are running a self-hosted, air-gapped instance of Opal that uses a custom Auth Provider.\n\n  Note - you will need an OIDC provider that supports the device_code grant.\n  ",
+      "examples": [
+        "$ opal set-auth-provider --clientID 1234asdf --issuerUrl https://auth.example.com"
+      ],
       "flags": {
         "help": {
           "char": "h",
@@ -108,11 +142,27 @@
           "name": "help",
           "allowNo": false,
           "type": "boolean"
+        },
+        "clientID": {
+          "description": "Client ID of your Auth Provider",
+          "name": "clientID",
+          "required": true,
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "issuerUrl": {
+          "description": "Issuer URL of your Auth Provider",
+          "name": "issuerUrl",
+          "required": true,
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
         }
       },
       "hasDynamicHelp": false,
       "hiddenAliases": [],
-      "id": "migrate-creds",
+      "id": "set-auth-provider",
       "pluginAlias": "opal-security",
       "pluginName": "opal-security",
       "pluginType": "core",
@@ -122,7 +172,7 @@
       "relativePath": [
         "lib",
         "commands",
-        "migrate-creds.js"
+        "set-auth-provider.js"
       ]
     },
     "set-custom-header": {
@@ -752,5 +802,5 @@
       ]
     }
   },
-  "version": "2.3.4"
+  "version": "3.0.0"
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opal-security",
   "description": "Opal allows you to centrally manage access to all of your sensitive systems.",
-  "version": "2.3.4",
+  "version": "3.0.0",
   "author": "Stephen Cobbe",
   "bin": {
     "opal": "./bin/run"

package/lib/commands/migrate-creds.js

@@ -1,48 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const core_1 = require("@oclif/core");
-const keytar = require("keytar");
-const credentials_1 = require("../lib/credentials");
-const flags_1 = require("../lib/flags");
-const OPAL_KEYTAR_CREDS_KEY = 'opal';
-/**
- * This command helps users migrate from the old credential store w/ keytar to the new credential store
- * It should only be recommended to users on OSX, since keytar does not reliably work on linux/WSL
- *
- * TODO: delete this after some time has passed, and users have likely migrated their credentials over
- */
-const removeKeytarCreds = async () => {
-    const keyContents = await keytar.findCredentials(OPAL_KEYTAR_CREDS_KEY);
-    keyContents === null || keyContents === void 0 ? void 0 : keyContents.forEach(credential => keytar.deletePassword(OPAL_KEYTAR_CREDS_KEY, credential.account));
-};
-const getKeytarCreds = async () => {
-    const keyContents = await keytar.findCredentials(OPAL_KEYTAR_CREDS_KEY);
-    if (!keyContents[0]) {
-        return undefined;
-    }
-    const { account, password } = keyContents[0];
-    const parts = account.split('|') || [];
-    return {
-        email: parts[0],
-        organizationID: parts[1],
-        clientIDCandidate: parts[2],
-        accessToken: password
-    };
-};
-class MigrateCreds extends core_1.Command {
-    async run() {
-        const creds = await getKeytarCreds();
-        if (!creds) {
-            this.log("No credentials found in system keystore that need to be migrated");
-            return;
-        }
-        (0, credentials_1.setOpalCredentials)(this, creds.email, creds.organizationID, creds.clientIDCandidate, creds.accessToken);
-        await removeKeytarCreds();
-        this.log("Successfully migrated credentials from system keystore to new store. You should now be able to use the CLI normally, without re-authenticating");
-    }
-}
-MigrateCreds.description = 'Migrates credentials from old keystore to new store. Should only need to be run once';
-MigrateCreds.flags = {
-    help: flags_1.SHARED_FLAGS.help,
-};
-exports.default = MigrateCreds;