opal-security 2.3.4 → 3.0.1-beta.4262451

package/lib/commands/login.js

@@ -1,21 +1,21 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CLIAuthSessionCheckDocument = exports.CLIAuthSessionCheckName = exports.CLISignInMethodName = void 0;
+exports.CLITokenExchangeName = exports.CLIAuthSessionCheckDocument = exports.CLIAuthSessionCheckName = exports.CLISignInMethodName = void 0;
 const core_1 = require("@oclif/core");
 const open = require("open");
 const openid_client_1 = require("openid-client");
-const apollo_1 = require("../lib/apollo");
-const credentials_1 = require("../lib/credentials");
 const inquirer = require("inquirer");
 const handler_1 = require("../handler");
+const apollo_1 = require("../lib/apollo");
 const config_1 = require("../lib/config");
-const util_1 = require("../lib/util");
+const credentials_1 = require("../lib/credentials");
 const flags_1 = require("../lib/flags");
-const ISSUER_PROD = 'https://auth.opal.dev';
-const ISSUER_DEV = 'https://authdev.opal.dev';
-const GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:device_code';
-const CLIENT_ID_PROD = '42rm6E5v7o67LBpRfjdT9KhnjrQHr9UF';
-const CLIENT_ID_DEV = 'XYV8qoAvZG7dHnhRp2g5XMJ1zX9fBP6s';
+const util_1 = require("../lib/util");
+const ISSUER_PROD = "https://auth.opal.dev";
+const ISSUER_DEV = "https://authdev.opal.dev";
+const GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+const CLIENT_ID_PROD = "42rm6E5v7o67LBpRfjdT9KhnjrQHr9UF";
+const CLIENT_ID_DEV = "XYV8qoAvZG7dHnhRp2g5XMJ1zX9fBP6s";
 const CLISignInMethodDocumentLegacy = `
 query CLISignInMethod($input: SignInMethodInput!) {
   signInMethod(input: $input) {
@@ -28,7 +28,7 @@ query CLISignInMethod($input: SignInMethodInput!) {
     }
   }
 }`;
-exports.CLISignInMethodName = 'CLISignInMethod';
+exports.CLISignInMethodName = "CLISignInMethod";
 const CLISignInMethodDocument = `
 query CLISignInMethod($input: SignInMethodInput!) {
   signInMethod(input: $input) {
@@ -42,7 +42,7 @@ query CLISignInMethod($input: SignInMethodInput!) {
     }
   }
 }`;
-exports.CLIAuthSessionCheckName = 'CLIAuthSessionCheck';
+exports.CLIAuthSessionCheckName = "CLIAuthSessionCheck";
 exports.CLIAuthSessionCheckDocument = `
 query CLIAuthSessionCheck {
   organizationSettings {
@@ -54,6 +54,30 @@ query CLIAuthSessionCheck {
   }
 }
 `;
+const SignInDocument = `
+mutation SignIn($input: SignInInput!) {
+  signIn(input: $input) {
+    __typename
+    ... on SignInResult {
+      state
+      forceExtraStep
+      authURL
+      __typename
+    }
+  }
+}
+`;
+exports.CLITokenExchangeName = "CLITokenExchange";
+const CLITokenExchangeDocument = `
+mutation CLITokenExchange($input: CLITokenExchangeInput!) {
+  cliTokenExchange(input: $input) {
+    __typename
+    ... on CLITokenExchangeOutput {
+      sessionID
+    }
+  }
+}
+`;
 class Login extends core_1.Command {
     async run() {
         var _a, _b, _c, _d, _e, _f, _g;
@@ -63,75 +87,84 @@ class Login extends core_1.Command {
             const configDir = this.config.configDir;
             const configData = (0, config_1.getOrCreateConfigData)(configDir);
             let email = flags.email;
-            let organizationID;
-            let clientIdCandidate;
+            let organizationId;
+            let clientIDCandidate;
             const existingCreds = await (0, credentials_1.getOpalCredentials)(this, false);
             // Only use the previous email + organizationID if email isn't explicitly specified.
             if (!email) {
                 email = existingCreds.email;
-                organizationID = existingCreds.organizationID;
-                clientIdCandidate = existingCreds.clientIDCandidate;
+                organizationId = existingCreds.organizationID;
+                clientIDCandidate = existingCreds.clientIDCandidate;
             }
             await (0, credentials_1.removeOpalCredentials)(this);
-            this.log('Welcome to Opal! ⚡️\n');
-            this.log('Connecting to Opal server URL:', configData[config_1.urlKey]);
-            this.log('If this is incorrect, please run `opal set-url --help`\n');
+            this.log("Welcome to Opal! ⚡\n");
+            this.log("Connecting to Opal server URL:", configData[config_1.urlKey]);
+            this.log("If this is incorrect, please run `opal set-url --help`\n");
             if (email) {
-                this.log('Signing in as: ' + email + ' - to use a different account, run `opal login --email [EMAIL]`');
+                this.log(`Signing in as: ${email} - to use a different account, run \`opal login --email [EMAIL]\``);
             }
             else {
-                const { email: promptEmail } = await inquirer.prompt([{
-                        name: 'email',
-                        message: 'Enter your email:',
-                        type: 'input',
-                        validate: email => Boolean(email),
-                    }]);
+                const { email: promptEmail } = await inquirer.prompt([
+                    {
+                        name: "email",
+                        message: "Enter your email:",
+                        type: "input",
+                        validate: (email) => Boolean(email),
+                    },
+                ]);
                 email = promptEmail;
             }
-            if (!organizationID) {
+            if (!organizationId) {
                 let signInOrganizationsLegacyResponse;
-                const { resp: signInOrganizationsResponse, error } = await (0, handler_1.runQuery)({
+                const { resp: signInOrganizationsResponse, error } = await (0, handler_1.runQueryDeprecated)({
                     command: this,
                     query: CLISignInMethodDocument,
                     variables: { input: { email } },
                 });
-                if (error && error.networkError) {
-                    if ('statusCode' in error.networkError && error.networkError.statusCode === 422) {
-                        const { resp, error: legacyError } = await (0, handler_1.runQuery)({
+                if (error === null || error === void 0 ? void 0 : error.networkError) {
+                    if ("statusCode" in error.networkError &&
+                        error.networkError.statusCode === 422) {
+                        const { resp, error: legacyError } = await (0, handler_1.runQueryDeprecated)({
                             command: this,
                             query: CLISignInMethodDocumentLegacy,
                             variables: { input: { email } },
                         });
                         signInOrganizationsLegacyResponse = resp;
                         if (legacyError) {
-                            this.log(''); // Intentional newline
-                            return (0, apollo_1.handleError)(this, 'Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)');
+                            this.log(""); // Intentional newline
+                            return (0, apollo_1.handleError)(this, "Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)");
                         }
                     }
                     else {
-                        this.log(''); // Intentional newline
-                        return (0, apollo_1.handleError)(this, 'Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)');
+                        this.log(""); // Intentional newline
+                        return (0, apollo_1.handleError)(this, "Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)");
                     }
                 }
-                const signInOrganizations = signInOrganizationsResponse ? (_b = (_a = signInOrganizationsResponse === null || signInOrganizationsResponse === void 0 ? void 0 : signInOrganizationsResponse.data) === null || _a === void 0 ? void 0 : _a.signInMethod) === null || _b === void 0 ? void 0 : _b.signInOrganizations :
-                    (_d = (_c = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data) === null || _c === void 0 ? void 0 : _c.signInMethod) === null || _d === void 0 ? void 0 : _d.signInOrganizations;
+                const signInOrganizations = ((_a = signInOrganizationsResponse === null || signInOrganizationsResponse === void 0 ? void 0 : signInOrganizationsResponse.data.signInMethod) === null || _a === void 0 ? void 0 : _a.__typename) ===
+                    "SignInMethodResult"
+                    ? signInOrganizationsResponse.data.signInMethod.signInOrganizations
+                    : ((_b = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data.signInMethod) === null || _b === void 0 ? void 0 : _b.__typename) === "SignInMethodResult"
+                        ? (_c = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data.signInMethod) === null || _c === void 0 ? void 0 : _c.signInOrganizations
+                        : undefined;
                 if (signInOrganizations && signInOrganizations.length > 0) {
                     if (signInOrganizations.length === 1) {
-                        organizationID = signInOrganizations[0].organizationId;
-                        clientIdCandidate = signInOrganizations[0].cliClientId;
+                        organizationId = signInOrganizations[0].organizationId;
+                        clientIDCandidate = signInOrganizations[0].cliClientId;
                     }
                     else {
-                        const responses = await inquirer.prompt([{
-                                name: 'signInOrganization',
-                                message: 'Select an organization:',
-                                type: 'list',
-                                choices: signInOrganizations.map(signInOrganization => ({
+                        const responses = await inquirer.prompt([
+                            {
+                                name: "signInOrganization",
+                                message: "Select an organization:",
+                                type: "list",
+                                choices: signInOrganizations.map((signInOrganization) => ({
                                     name: signInOrganization.organizationName,
                                     value: signInOrganization,
                                 })),
-                            }]);
-                        organizationID = responses.signInOrganization.organizationId;
-                        clientIdCandidate = responses.signInOrganization.cliClientId;
+                            },
+                        ]);
+                        organizationId = responses.signInOrganization.organizationId;
+                        clientIDCandidate = responses.signInOrganization.cliClientId;
                     }
                 }
                 else {
@@ -139,76 +172,103 @@ class Login extends core_1.Command {
                     // which is parity with our web app.
                 }
             }
+            const { resp: signInResp } = await (0, handler_1.runMutation)({
+                command: this,
+                query: SignInDocument,
+                variables: {
+                    input: { organizationId },
+                },
+            });
+            const state = (_d = signInResp === null || signInResp === void 0 ? void 0 : signInResp.data.signIn) === null || _d === void 0 ? void 0 : _d.state;
             let issuer;
-            if ((0, config_1.isProduction)(this.config.configDir)) {
+            // issuerURL may come from configData if set by set-airgap-auth
+            if (configData.issuerURL) {
+                issuer = await openid_client_1.Issuer.discover(configData.issuerURL);
+            }
+            else if ((0, config_1.isProduction)(this.config.configDir)) {
                 issuer = await openid_client_1.Issuer.discover(ISSUER_PROD);
             }
             else {
                 issuer = await openid_client_1.Issuer.discover(ISSUER_DEV);
             }
-            let clientId;
-            if (clientIdCandidate) {
-                clientId = clientIdCandidate;
+            let clientID;
+            if (clientIDCandidate) {
+                // clientIdCandidate gets stored in creds, and is mostly relevant for on-prem envs using Auth0 and SAML
+                clientID = clientIDCandidate;
+            }
+            else if (configData.clientID) {
+                // clientID may come from configData if set by set-airgap-auth
+                clientID = configData.clientID;
             }
             else if ((0, config_1.isProduction)(this.config.configDir)) {
-                clientId = CLIENT_ID_PROD;
+                clientID = CLIENT_ID_PROD;
             }
             else {
-                clientId = CLIENT_ID_DEV;
+                clientID = CLIENT_ID_DEV;
             }
-            /* eslint-disable camelcase */
             const client = new issuer.Client({
                 grant_types: [GRANT_TYPE],
-                client_id: clientId,
+                client_id: clientID,
                 response_types: [],
                 redirect_uris: [],
-                token_endpoint_auth_method: 'none',
-                application_type: 'native',
+                token_endpoint_auth_method: "none",
+                application_type: "native",
             });
-            /* eslint-enable camelcase */
             const handle = await client.deviceAuthorization({
-                audience: 'https://opal.dev',
-                scope: 'openid email profile',
+                audience: "https://opal.dev",
+                scope: "openid email profile",
             });
-            this.log('\nYou are being redirected to your browser to authenticate.\n');
+            this.log("\nYou are being redirected to your browser to authenticate.\n");
             this.log(`      User Code: ${handle.user_code}\n`);
             // Wait before opening the browser window to ensure the user has time to
             // see the User Code.
             await (0, util_1.sleep)(1000);
             await open(handle.verification_uri_complete, { wait: false });
             const tokenSet = await handle.poll();
-            const userInfo = await client.userinfo(tokenSet);
-            let account = (userInfo.email || 'unset-email') + '|' + organizationID;
-            if (clientIdCandidate) {
-                // Save the clientIdCandidate only when SAML is set up for the org.
-                account = account + '|' + clientIdCandidate;
+            const { error: tokenExchangeError } = await (0, handler_1.runMutation)({
+                command: this,
+                query: CLITokenExchangeDocument,
+                variables: {
+                    input: {
+                        accessToken: tokenSet === null || tokenSet === void 0 ? void 0 : tokenSet.access_token,
+                        state,
+                    },
+                },
+            });
+            if (tokenExchangeError) {
+                this.log("WARN: Failed to exchange access token for session in Opal. Falling back to using access token for authenticating requests\n");
+                // TODO: consider adding a warn line recommending upgrading Opal to version XYZ, once accompanying PR is pushed to prod
+                await (0, credentials_1.setOpalCredentials)(this, email, organizationId !== null && organizationId !== void 0 ? organizationId : "", clientIDCandidate, (tokenSet === null || tokenSet === void 0 ? void 0 : tokenSet.access_token) || "", credentials_1.SecretType.ApiToken);
+            }
+            else {
+                await (0, credentials_1.setOpalCredentials)(this, email, organizationId !== null && organizationId !== void 0 ? organizationId : "", clientIDCandidate, apollo_1.cookieStr, credentials_1.SecretType.Cookie);
             }
-            await (0, credentials_1.setOpalCredentials)(this, userInfo.email, organizationID, clientIdCandidate, (tokenSet === null || tokenSet === void 0 ? void 0 : tokenSet.access_token) || '');
             // "Representative" authenticated call to check the log-in worked as expected.
-            const { resp: authCheckResp, error: authCheckErr } = await (0, handler_1.runQuery)({
+            const { resp: authCheckResp, error: authCheckErr } = await (0, handler_1.runQueryDeprecated)({
                 command: this,
                 query: exports.CLIAuthSessionCheckDocument,
                 variables: {},
             });
-            if (authCheckErr || !((_g = (_f = (_e = authCheckResp === null || authCheckResp === void 0 ? void 0 : authCheckResp.data) === null || _e === void 0 ? void 0 : _e.organizationSettings) === null || _f === void 0 ? void 0 : _f.settings) === null || _g === void 0 ? void 0 : _g.id)) {
-                this.log('Error verifying log in. Authenticated commands may fail. Please double check your URL and use `opal logout; opal login` to try again.\n');
+            if (authCheckErr ||
+                !((_g = (_f = (_e = authCheckResp === null || authCheckResp === void 0 ? void 0 : authCheckResp.data) === null || _e === void 0 ? void 0 : _e.organizationSettings) === null || _f === void 0 ? void 0 : _f.settings) === null || _g === void 0 ? void 0 : _g.id)) {
+                this.log("Error verifying log in. Authenticated commands may fail. Please double check your URL and use `opal logout; opal login` to try again.\n");
                 await (0, credentials_1.removeOpalCredentials)(this);
-                (0, apollo_1.handleError)(this, authCheckErr);
+                process.exit(1);
             }
-            this.log('🎉 You have successfully authenticated with Opal! You can now run authenticated commands.\n');
+            this.log("🎉 You have successfully authenticated with Opal! You can now run authenticated commands.\n");
         }
         catch (error) {
             this.error(error);
         }
     }
 }
-Login.description = 'Authenticates you with the Opal server.';
-Login.examples = ['$ opal login'];
+Login.description = "Authenticates you with the Opal server.";
+Login.examples = ["$ opal login"];
 Login.flags = {
     help: flags_1.SHARED_FLAGS.help,
     email: core_1.Flags.string({
         multiple: false,
-        description: 'Email address to login with.',
+        description: "Email address to login with.",
     }),
 };
 Login.args = {};

package/lib/commands/logout.d.ts

@@ -1,4 +1,4 @@
-import { Command } from '@oclif/core';
+import { Command } from "@oclif/core";
 export default class Logout extends Command {
     static description: string;
     static examples: string[];

package/lib/commands/logout.js

@@ -7,15 +7,15 @@ class Logout extends core_1.Command {
     async run() {
         try {
             await (0, credentials_1.removeOpalCredentials)(this);
-            this.log('Successfully removed the saved Account ID and Auth Token from this computer');
+            this.log("Successfully removed the saved Account ID and Auth Token from this computer");
         }
         catch (error) {
             this.error(error);
         }
     }
 }
-Logout.description = 'Clears locally stored Opal server authentication credentials.';
-Logout.examples = ['$ opal logout'];
+Logout.description = "Clears locally stored Opal server authentication credentials.";
+Logout.examples = ["$ opal logout"];
 Logout.flags = {
     help: flags_1.SHARED_FLAGS.help,
 };

package/lib/commands/postgres-instances/start.d.ts

@@ -1,4 +1,4 @@
-import { Command } from '@oclif/core';
+import { Command } from "@oclif/core";
 export default class StartPostgresInstanceSession extends Command {
     static description: string;
     static examples: string[];

package/lib/commands/postgres-instances/start.js

@@ -2,12 +2,12 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const core_1 = require("@oclif/core");
 const inquirer = require("inquirer");
-const cmd_1 = require("../../lib/cmd");
 const apollo_1 = require("../../lib/apollo");
+const cmd_1 = require("../../lib/cmd");
+const flags_1 = require("../../lib/flags");
 const resources_1 = require("../../lib/resources");
-const util_1 = require("../../lib/util");
 const sessions_1 = require("../../lib/sessions");
-const flags_1 = require("../../lib/flags");
+const util_1 = require("../../lib/util");
 const RdsSessionMetadataFragment = `
 ... on AwsIamFederatedRdsSession {
   dbUser
@@ -18,18 +18,18 @@ const RdsSessionMetadataFragment = `
 }`;
 const methodChoices = [
     {
-        name: 'Start psql session in shell',
-        value: 'psql',
+        name: "Start psql session in shell",
+        value: "psql",
     },
     {
-        name: 'View connection configuration details',
-        value: 'view',
+        name: "View connection configuration details",
+        value: "view",
     },
 ];
-if (process.platform === 'darwin') {
+if (process.platform === "darwin") {
     methodChoices.unshift({
-        name: 'Open external database app',
-        value: 'open',
+        name: "Open external database app",
+        value: "open",
     });
 }
 class StartPostgresInstanceSession extends core_1.Command {
@@ -37,21 +37,21 @@ class StartPostgresInstanceSession extends core_1.Command {
         (0, cmd_1.setMostRecentCommand)(this);
         const { flags } = await this.parse(StartPostgresInstanceSession);
         if (flags.sessionId && flags.refresh) {
-            return (0, apollo_1.handleError)(this, 'Cannot use both --sessionId and --refresh');
+            return (0, apollo_1.handleError)(this, "Cannot use both --sessionId and --refresh");
         }
         let instanceId = flags.id;
         let instanceName = null;
         const sessionId = flags.sessionId;
         let action = flags.action;
         if (!instanceId) {
-            const selectedInstance = await (0, resources_1.promptUserForResource)(this, 'AWS_RDS_POSTGRES_INSTANCE', 'Select an RDS Postgres instance to connect to');
+            const selectedInstance = await (0, resources_1.promptUserForResource)(this, "AWS_RDS_POSTGRES_INSTANCE", "Select an RDS Postgres instance to connect to");
             if (!selectedInstance) {
                 return;
             }
             instanceId = selectedInstance.id;
             instanceName = selectedInstance.name;
         }
-        const accessLevel = await (0, resources_1.promptUserForAccessLevels)(this, instanceId, 'Postgres database', flags.accessLevelRemoteId);
+        const accessLevel = await (0, resources_1.promptUserForAccessLevels)(this, instanceId, "Postgres database", flags.accessLevelRemoteId);
         if (!accessLevel) {
             return;
         }
@@ -61,29 +61,31 @@ class StartPostgresInstanceSession extends core_1.Command {
         }
         const metadata = session.metadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
-            case 'AwsIamFederatedRdsSession': {
+            case "AwsIamFederatedRdsSession": {
                 // Don't inform the user about RDS session expiration time, since RDS works differently.
                 // Opal RDS sessions expire after 15min because after that time they can no longer be used to connect.
                 // However, once connected, RDS sessions can be used for up to 12h.
                 // Since there's many options for how the user can use RDS credentials, it's unclear which expiration
                 // we want to show the user.
                 if (!action) {
-                    const selectedMethodInfo = await inquirer.prompt([{
-                            name: 'method',
-                            message: 'Select how to access the database',
-                            type: 'list',
+                    const selectedMethodInfo = await inquirer.prompt([
+                        {
+                            name: "method",
+                            message: "Select how to access the database",
+                            type: "list",
                             choices: methodChoices,
-                        }]);
+                        },
+                    ]);
                     action = selectedMethodInfo.method;
                 }
                 const dbUrl = `postgresql://${metadata.dbUser}:${encodeURIComponent(metadata.dbPassword)}@${metadata.dbHostname}:${metadata.dbPort}/${metadata.dbName}`;
                 switch (action) {
-                    case 'open': {
-                        let startSessionCmd = `open ${dbUrl}`;
-                        (0, cmd_1.runCommandExec)(startSessionCmd, `Opened external app for ${instanceName ? `"${instanceName}" instance` : 'instance'}`, `Failed to open external app for ${instanceName ? `"${instanceName}" instance` : 'instance'}`);
+                    case "open": {
+                        const startSessionCmd = `open ${dbUrl}`;
+                        (0, cmd_1.runCommandExec)(startSessionCmd, `Opened external app for ${instanceName ? `"${instanceName}" instance` : "instance"}`, `Failed to open external app for ${instanceName ? `"${instanceName}" instance` : "instance"}`);
                         break;
                     }
-                    case 'view': {
+                    case "view": {
                         const contentParts = [
                             `[Connection URL]\n${dbUrl}`,
                             `[Hostname]\n${metadata.dbHostname}`,
@@ -92,13 +94,13 @@ class StartPostgresInstanceSession extends core_1.Command {
                             `[Password]\n${metadata.dbPassword}`,
                             `[Database]\n${metadata.dbName}`,
                         ];
-                        const content = contentParts.join('\n\n');
+                        const content = contentParts.join("\n\n");
                         (0, util_1.displayContent)(content);
                         break;
                     }
-                    case 'psql': {
+                    case "psql": {
                         const startSessionCmd = `psql ${dbUrl}`;
-                        (0, cmd_1.startInteractiveShell)(startSessionCmd, `shell with psql session for ${instanceName ? `"${instanceName}" instance` : 'instance'}`);
+                        (0, cmd_1.startInteractiveShell)(startSessionCmd, `shell with psql session for ${instanceName ? `"${instanceName}" instance` : "instance"}`);
                         break;
                     }
                 }
@@ -109,12 +111,12 @@ class StartPostgresInstanceSession extends core_1.Command {
         }
     }
 }
-StartPostgresInstanceSession.description = 'Starts a session to connect to a Postgres database.';
+StartPostgresInstanceSession.description = "Starts a session to connect to a Postgres database.";
 StartPostgresInstanceSession.examples = [
-    'opal postgres-instances:start',
-    'opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398',
-    'opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess',
-    'opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view',
+    "opal postgres-instances:start",
+    "opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398",
+    "opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess",
+    "opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view",
 ];
 StartPostgresInstanceSession.flags = {
     help: flags_1.SHARED_FLAGS.help,
@@ -124,9 +126,8 @@ StartPostgresInstanceSession.flags = {
     refresh: flags_1.SHARED_FLAGS.refresh,
     action: core_1.Flags.string({
         multiple: false,
-        description: 'Method of connecting to the database.\n' +
-            methodChoices.map(c => `- ${c.value}: ${c.name}`).join('\n'),
-        options: methodChoices.map(c => c.value),
+        description: `Method of connecting to the database.\n${methodChoices.map((c) => `- ${c.value}: ${c.name}`).join("\n")}`,
+        options: methodChoices.map((c) => c.value),
     }),
 };
 exports.default = StartPostgresInstanceSession;

package/lib/commands/resources/get.d.ts

@@ -1,4 +1,4 @@
-import { Command } from '@oclif/core';
+import { Command } from "@oclif/core";
 export declare const GetResourceDocument = "\nquery GetResource($id: ResourceId!) {\n  resource(input: {id: $id}) {\n    __typename\n    ... on ResourceResult {\n      resource {\n        name\n        id\n        description\n        resourceType\n        connection {\n          name\n          id\n          connectionType\n        }\n        parentResource {\n          name\n          id\n          resourceType\n        }\n        resourceUsers {\n          user {\n            fullName\n            email\n            id\n          }\n        }\n      }\n    }\n    ... on ResourceNotFoundError {\n      message\n    }\n  }\n}";
 export default class GetResource extends Command {
     static description: string;

package/lib/commands/resources/get.js

@@ -3,8 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.GetResourceDocument = void 0;
 const core_1 = require("@oclif/core");
 const handler_1 = require("../../handler");
-const cmd_1 = require("../../lib/cmd");
 const apollo_1 = require("../../lib/apollo");
+const cmd_1 = require("../../lib/cmd");
 const flags_1 = require("../../lib/flags");
 exports.GetResourceDocument = `
 query GetResource($id: ResourceId!) {
@@ -44,7 +44,7 @@ class GetResource extends core_1.Command {
     async run() {
         (0, cmd_1.setMostRecentCommand)(this);
         const { flags } = await this.parse(GetResource);
-        const { resp, error } = await (0, handler_1.runQuery)({
+        const { resp, error } = await (0, handler_1.runQueryDeprecated)({
             command: this,
             query: exports.GetResourceDocument,
             variables: flags,
@@ -55,8 +55,10 @@ class GetResource extends core_1.Command {
         (0, apollo_1.printResponse)(this, resp);
     }
 }
-GetResource.description = 'Get resource info for a particular resource.';
-GetResource.examples = ['opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4'];
+GetResource.description = "Get resource info for a particular resource.";
+GetResource.examples = [
+    "opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4",
+];
 GetResource.flags = {
     help: flags_1.SHARED_FLAGS.help,
     id: flags_1.SHARED_FLAGS.id,

package/lib/commands/set-auth-provider.d.ts

@@ -0,0 +1,11 @@
+import { Command } from "@oclif/core";
+export default class SetAuthProvider extends Command {
+    static description: string;
+    static examples: string[];
+    static flags: {
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
+        clientID: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+        issuerUrl: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/lib/commands/set-auth-provider.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const config_1 = require("../lib/config");
+const credentials_1 = require("../lib/credentials");
+const flags_1 = require("../lib/flags");
+class SetAuthProvider extends core_1.Command {
+    async run() {
+        try {
+            const { flags, args } = await this.parse(SetAuthProvider);
+            const configData = (0, config_1.getOrCreateConfigData)(this.config.configDir);
+            configData.issuerURL = flags.issuerUrl;
+            configData.clientID = flags.clientID;
+            (0, config_1.writeConfigData)(this.config.configDir, configData);
+            await (0, credentials_1.removeOpalCredentials)(this);
+            this.log("Client ID and Issuer URL updated");
+        }
+        catch (error) {
+            this.error(error);
+        }
+    }
+}
+SetAuthProvider.description = `Sets the Issuer URL and Client ID of the Auth Provider that the CLI will authenticate with.
+  Only use this if you are running a self-hosted, air-gapped instance of Opal that uses a custom Auth Provider.
+
+  Note - you will need an OIDC provider that supports the device_code grant.
+  `;
+SetAuthProvider.examples = [
+    "$ opal set-auth-provider --clientID 1234asdf --issuerUrl https://auth.example.com",
+];
+SetAuthProvider.flags = {
+    help: flags_1.SHARED_FLAGS.help,
+    clientID: core_1.Flags.string({
+        multiple: false,
+        description: "Client ID of your Auth Provider",
+        required: true,
+    }),
+    issuerUrl: core_1.Flags.string({
+        multiple: false,
+        description: "Issuer URL of your Auth Provider",
+        required: true,
+    }),
+};
+exports.default = SetAuthProvider;

package/lib/commands/set-custom-header.d.ts

@@ -1,4 +1,4 @@
-import { Command } from '@oclif/core';
+import { Command } from "@oclif/core";
 export default class SetCustomHeader extends Command {
     static description: string;
     static examples: string[];