opal-security 3.1.0 → 3.1.1-beta.4a79f20

package/lib/lib/requests.d.ts

@@ -1,22 +1,42 @@
 import type { NormalizedCacheObject } from "@apollo/client/core";
 import type { ApolloClient } from "@apollo/client/core/ApolloClient";
 import type { Command } from "@oclif/core/lib/command";
-export interface AppNode {
+interface AppNode {
     appName: string;
-    assets: Map<string, AssetNode>;
+    assets: Record<string, AssetNode>;
 }
-export interface AssetNode {
+interface AssetNode {
     assetName: string;
-    roles?: Map<string, RoleNode>;
+    roles?: Record<string, RoleNode>;
 }
-export interface RoleNode {
+interface RoleNode {
     roleName: string;
 }
-export type RequestMap = Map<string, AppNode>;
+export type RequestMap = Record<string, AppNode>;
+interface DurationOption {
+    durationInMinutes: number;
+    label: string;
+}
+interface RequestDefaults {
+    durationOptions?: DurationOption[];
+    recommendedDurationInMinutes?: number | null;
+    defaultDurationInMinutes?: number;
+    maxDurationInMinutes?: number | null;
+    requireSupportTicket?: boolean;
+    reasonOptional?: boolean;
+    requesterIsAdmin?: boolean;
+}
+export interface RequestMetadata {
+    requestMap: RequestMap;
+    requestDefaults: RequestDefaults;
+}
+export declare function createEmptyRequestMetadata(): RequestMetadata;
 export declare function selectRequestableItems(cmd: Command, client: ApolloClient<NormalizedCacheObject>, requestMap: RequestMap): Promise<void>;
 export declare function chooseAssets(cmd: Command, client: ApolloClient<NormalizedCacheObject>, appId: string, requestMap: RequestMap): Promise<void>;
-export declare function chooseRoles(appId: string, assetId: string, requestMap: RequestMap): Promise<void>;
+export declare function chooseRoles(cmd: Command, client: ApolloClient<NormalizedCacheObject>, appId: string, assetId: string, requestMap: RequestMap): Promise<void>;
 export declare function doneSelectingAssets(): Promise<boolean>;
-export declare function promptForReason(): Promise<any>;
-export declare function promptForExpiration(): Promise<any>;
+export declare function setRequestDefaults(cmd: Command, client: ApolloClient<NormalizedCacheObject>, metadata: RequestMetadata): Promise<void>;
+export declare function promptForReason(metadata: RequestMetadata): Promise<any>;
+export declare function promptForExpiration(metadata: RequestMetadata): Promise<any>;
 export declare function submitFinalRequest(cmd: Command): Promise<void>;
+export {};

package/lib/lib/requests.js

@@ -1,16 +1,37 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.createEmptyRequestMetadata = createEmptyRequestMetadata;
 exports.selectRequestableItems = selectRequestableItems;
 exports.chooseAssets = chooseAssets;
 exports.chooseRoles = chooseRoles;
 exports.doneSelectingAssets = doneSelectingAssets;
+exports.setRequestDefaults = setRequestDefaults;
 exports.promptForReason = promptForReason;
 exports.promptForExpiration = promptForExpiration;
 exports.submitFinalRequest = submitFinalRequest;
 const inquirer = require("inquirer");
 const graphql_1 = require("../graphql");
 inquirer.registerPrompt("autocomplete", require("inquirer-autocomplete-prompt"));
+function createEmptyRequestMetadata() {
+    // Initialize with empty defaults
+    const requestDefaults = {
+        durationOptions: [],
+        recommendedDurationInMinutes: undefined,
+        defaultDurationInMinutes: undefined,
+        maxDurationInMinutes: undefined,
+        requireSupportTicket: false,
+        reasonOptional: false,
+        requesterIsAdmin: false,
+    };
+    // Initialize with empty map
+    const requestMap = {};
+    return {
+        requestMap,
+        requestDefaults,
+    };
+}
 // Queries and Mutations
+// TODO: add pagination ability from CLI. (Load more...) option
 const GET_REQUESTABLE_APPS_QUERY = (0, graphql_1.graphql)(`
   query GetRequestableAppsQuery($searchQuery: String) {
     appsV2(
@@ -40,39 +61,6 @@ const GET_REQUESTABLE_APPS_QUERY = (0, graphql_1.graphql)(`
     }
   }
   `);
-const GET_ASSETS_QUERY = (0, graphql_1.graphql)(`
-  query PaginatedEntityDropdown(
-  $id: UUID!
-  $searchQuery: String
-) {
-  app(id: $id) {
-    __typename
-    ... on App {
-      id
-      items(
-        input: {
-          access: REQUESTABLE
-          searchQuery: $searchQuery
-          includeOnlyRequestable: true
-        }
-      ) {
-        items {
-          key
-          resource {
-            id
-            name
-          }
-          group {
-            id
-            name
-          }
-        }
-        cursor
-      }
-    }
-  }
-}
-`);
 async function queryRequestableApps(cmd, client, input) {
     var _a, _b;
     try {
@@ -107,8 +95,44 @@ async function queryRequestableApps(cmd, client, input) {
         }
     }
 }
+const GET_ASSETS_QUERY = (0, graphql_1.graphql)(`
+  query PaginatedEntityDropdown(
+  $id: UUID!
+  $searchQuery: String
+) {
+  app(id: $id) {
+    __typename
+    ... on App {
+      id
+      items(
+        input: {
+          access: REQUESTABLE
+          searchQuery: $searchQuery
+          includeOnlyRequestable: true
+        }
+      ) {
+        items {
+          key
+          resource {
+            id
+            name
+          }
+          group {
+            id
+            name
+          }
+        }
+        cursor
+      }
+    }
+    ... on AppNotFoundError {
+      message
+    }
+  }
+}
+`);
 async function queryRequestableAssets(cmd, client, appId, input) {
-    var _a, _b, _c, _d;
+    var _a, _b, _c, _d, _e, _f;
     try {
         const resp = await client.query({
             query: GET_ASSETS_QUERY,
@@ -137,10 +161,10 @@ async function queryRequestableAssets(cmd, client, appId, input) {
                     };
                 });
             case "AppNotFoundError":
-                x = cmd.error("App not found");
+                x = cmd.error((_f = (_e = resp.data) === null || _e === void 0 ? void 0 : _e.app) === null || _f === void 0 ? void 0 : _f.message);
                 break;
             default:
-                cmd.error("Unknown error occurred.");
+                cmd.error(resp.error || "Unknown error occurred.");
         }
     }
     catch (error) {
@@ -149,6 +173,104 @@ async function queryRequestableAssets(cmd, client, appId, input) {
         }
     }
 }
+const RESOURCE_ROLES_QUERY = (0, graphql_1.graphql)(`
+  query ResourceAccessLevels($resourceId: ResourceId!) {
+    accessLevels(input: {
+      resourceId: $resourceId,
+      onlyMine: false,
+    }) {
+      __typename
+      ... on ResourceAccessLevelsResult {
+        accessLevels {
+          __typename
+          ... on ResourceAccessLevel {
+            accessLevelName
+            accessLevelRemoteId
+          }
+        }
+      }
+      ... on ResourceNotFoundError {
+        message
+      }
+    }
+  }
+`);
+async function queryResourceRoles(cmd, client, resourceId) {
+    var _a, _b, _c, _d, _e;
+    try {
+        const resp = await client.query({
+            query: RESOURCE_ROLES_QUERY,
+            variables: {
+                resourceId: resourceId,
+            },
+            fetchPolicy: "network-only", // to avoid caching
+        });
+        // no fall through doesn't consider process.exit();
+        let x;
+        switch (resp.data.accessLevels.__typename) {
+            case "ResourceAccessLevelsResult":
+                return (_c = (_b = (_a = resp.data) === null || _a === void 0 ? void 0 : _a.accessLevels) === null || _b === void 0 ? void 0 : _b.accessLevels) === null || _c === void 0 ? void 0 : _c.map((role) => {
+                    return {
+                        name: role.accessLevelName,
+                        value: {
+                            name: role.accessLevelName,
+                            id: role.accessLevelRemoteId,
+                        },
+                    };
+                });
+            case "ResourceNotFoundError":
+                x = cmd.error((_e = (_d = resp.data) === null || _d === void 0 ? void 0 : _d.accessLevels) === null || _e === void 0 ? void 0 : _e.message);
+                break;
+            default:
+                cmd.error(resp.error || "Unknown error occurred.");
+        }
+    }
+    catch (error) {
+        if (error instanceof Error || typeof error === "string") {
+            cmd.error(error);
+        }
+    }
+}
+const REQUEST_DEFAULTS_QUERY = (0, graphql_1.graphql)(`
+  query RequestDefaults(
+    $requestedResources: [RequestConfigurationResourceInput!]!
+    $requestedGroups: [RequestConfigurationGroupInput!]!
+    ) {
+    requestDefaults(input: {
+      requestedResources: $requestedResources,
+      requestedGroups: $requestedGroups,
+      }
+    ) {
+      durationOptions {
+        durationInMinutes
+        label
+      }
+      recommendedDurationInMinutes
+      defaultDurationInMinutes
+      maxDurationInMinutes
+      requireSupportTicket
+      reasonOptional
+      requesterIsAdmin
+    }
+  }`);
+async function queryRequestDefaults(cmd, client, requestedResources, requestedGroups) {
+    try {
+        const resp = await client.query({
+            query: REQUEST_DEFAULTS_QUERY,
+            variables: {
+                requestedResources: requestedResources,
+                requestedGroups: requestedGroups,
+            },
+            fetchPolicy: "network-only", // to avoid caching
+        });
+        return resp.data.requestDefaults;
+    }
+    catch (error) {
+        if (error instanceof Error || typeof error === "string") {
+            cmd.error(error);
+        }
+    }
+}
 // Helper functions
 async function selectRequestableItems(cmd, client, requestMap) {
     const { App } = await inquirer.prompt([
@@ -164,11 +286,11 @@ async function selectRequestableItems(cmd, client, requestMap) {
         },
     ]);
     // Set the app in the requestMap and call choose assets step
-    if (!requestMap.has(App.id)) {
-        requestMap.set(App.id, {
+    if (!(App.id in requestMap)) {
+        requestMap[App.id] = {
             appName: App.name,
-            assets: new Map(),
-        });
+            assets: {},
+        };
     }
     await chooseAssets(cmd, client, App.id, requestMap);
 }
@@ -187,37 +309,52 @@ async function chooseAssets(cmd, client, appId, requestMap) {
             return true;
         },
     });
-    const entry = requestMap.get(appId);
+    const entry = requestMap[appId];
     for (const asset of Assets) {
         if (entry === undefined) {
             throw new Error(`App ${appId} not found in requestMap`);
         }
-        if (!entry.assets.has(asset.id)) {
-            entry.assets.set(asset.id, {
+        if (!(asset.id in entry.assets)) {
+            entry.assets[asset.id] = {
                 assetName: asset.name,
-                roles: new Map(),
-            });
+                roles: {},
+            };
         }
-        await chooseRoles(appId, asset.id, requestMap);
+        await chooseRoles(cmd, client, appId, asset.id, requestMap);
     }
 }
-async function chooseRoles(appId, assetId, requestMap) {
+async function chooseRoles(cmd, client, appId, assetId, requestMap) {
     var _a;
+    const resourceRoles = (_a = (await queryResourceRoles(cmd, client, assetId))) !== null && _a !== void 0 ? _a : [];
+    if (resourceRoles !== undefined &&
+        (resourceRoles.length === 0 ||
+            (resourceRoles.length === 1 && resourceRoles[0].name === ""))) {
+        return;
+    }
     const { roles } = await inquirer.prompt({
         name: "roles",
         type: "checkbox",
         message: `Select one or more roles for ${assetId}:`,
-        choices: ["push", "pull", "triage", "admin"],
+        choices: resourceRoles,
+        validate: (answer) => {
+            if ((resourceRoles === null || resourceRoles === void 0 ? void 0 : resourceRoles.length) > 1 && answer.length < 1) {
+                return "You must select at least one role.";
+            }
+            return true;
+        },
     });
-    const entry = requestMap.get(appId);
-    const assetEntry = entry === null || entry === void 0 ? void 0 : entry.assets.get(assetId);
+    const entry = requestMap[appId];
+    const assetEntry = entry === null || entry === void 0 ? void 0 : entry.assets[assetId];
     if (entry === undefined || assetEntry === undefined) {
         throw new Error(`App ${appId} or Asset ${assetId} not found in requestMap`);
     }
+    if (!assetEntry.roles) {
+        assetEntry.roles = {};
+    }
     for (const role of roles) {
-        (_a = assetEntry.roles) === null || _a === void 0 ? void 0 : _a.set(role, {
-            roleName: role,
-        });
+        assetEntry.roles[role.id] = {
+            roleName: role.name,
+        };
     }
 }
 async function doneSelectingAssets() {
@@ -233,22 +370,84 @@ async function doneSelectingAssets() {
     ]);
     return submitOrAdd === submitMessage;
 }
-async function promptForReason() {
+async function setRequestDefaults(cmd, client, metadata) {
+    const requestMap = metadata.requestMap;
+    const requestedResources = [];
+    const requestedGroups = [];
+    for (const appNode of Object.values(requestMap)) {
+        for (const [assetId, assetNode] of Object.entries(appNode.assets)) {
+            if (assetNode.roles !== undefined) {
+                for (const roleId of Object.keys(assetNode.roles)) {
+                    requestedResources.push({
+                        resourceId: assetId,
+                        accessLevelRemoteId: roleId,
+                    });
+                }
+            }
+        }
+    }
+    try {
+        const requestDefaults = await queryRequestDefaults(cmd, client, requestedResources, requestedGroups);
+        if ((requestDefaults === null || requestDefaults === void 0 ? void 0 : requestDefaults.__typename) === "RequestDefaults") {
+            metadata.requestDefaults.durationOptions =
+                requestDefaults.durationOptions;
+            metadata.requestDefaults.recommendedDurationInMinutes =
+                requestDefaults.recommendedDurationInMinutes;
+            metadata.requestDefaults.defaultDurationInMinutes =
+                requestDefaults.defaultDurationInMinutes;
+            metadata.requestDefaults.maxDurationInMinutes =
+                requestDefaults.maxDurationInMinutes;
+            metadata.requestDefaults.requireSupportTicket =
+                requestDefaults.requireSupportTicket;
+            metadata.requestDefaults.reasonOptional = requestDefaults.reasonOptional;
+            metadata.requestDefaults.requesterIsAdmin =
+                requestDefaults.requesterIsAdmin;
+        }
+    }
+    catch (_a) {
+        cmd.error("Error fetching request defaults.");
+    }
+}
+async function promptForReason(metadata) {
     return await inquirer.prompt([
         {
             name: "reason",
             message: "I need access to this because...",
             type: "input",
+            validate: (answer) => {
+                if (metadata.requestDefaults.reasonOptional && answer.length < 1) {
+                    return "A reason for requesting these assets is required.";
+                }
+                return true;
+            },
         },
     ]);
 }
-async function promptForExpiration() {
+async function promptForExpiration(metadata) {
+    var _a, _b;
+    const durations = ((_b = (_a = metadata.requestDefaults) === null || _a === void 0 ? void 0 : _a.durationOptions) === null || _b === void 0 ? void 0 : _b.map((option) => {
+        return {
+            name: option.durationInMinutes ===
+                metadata.requestDefaults.recommendedDurationInMinutes
+                ? `${option.label} (Recommended)`
+                : option.label,
+            value: {
+                label: option.label,
+                durationInMinutes: option.durationInMinutes,
+            },
+        };
+    })) || [];
+    // TODO: Sort durations by minutes
+    // durations = durations.sort(
+    //   durations.filter((option) => option.value.durationInMinutes),
+    // );
     return await inquirer.prompt([
         {
             name: "expiration",
             message: "When should access expire?",
             type: "list",
-            choices: ["1 hour", "1 day", "7 days", "30 days", "1 year", "Indefinite"],
+            choices: durations,
+            pageSize: 15,
         },
     ]);
 }

package/lib/utils/displays.d.ts

@@ -1,5 +1,8 @@
+import type { ApolloQueryResult } from "@apollo/client";
 import type { Command } from "@oclif/core/lib/command";
+import type { GetRequestQuery } from "../graphql/graphql";
 import type { RequestMap } from "../lib/requests";
 export declare function headerMessage(cmd: Command): void;
 export declare function treeifyRequestMap(requestMap: RequestMap): string;
 export declare function displayFinalRequestSummary(cmd: Command, requestMap: RequestMap, reason: string, expiration: string): void;
+export declare function displayRequestDetails(cmd: Command, requestResp: ApolloQueryResult<GetRequestQuery>): void;

package/lib/utils/displays.js

@@ -3,6 +3,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.headerMessage = headerMessage;
 exports.treeifyRequestMap = treeifyRequestMap;
 exports.displayFinalRequestSummary = displayFinalRequestSummary;
+exports.displayRequestDetails = displayRequestDetails;
+const chalk_1 = require("chalk");
+const prettyjson_1 = require("prettyjson");
 const treeify = require("object-treeify");
 const Table = require("cli-table3");
 const tableStyle = {
@@ -32,18 +35,18 @@ function treeifyRequestMap(requestMap) {
     const requestTree = {};
     // Create a tree structure from the requestMap
     // Iterate over apps
-    for (const [_appId, appNode] of requestMap.entries()) {
+    for (const [_appId, appNode] of Object.entries(requestMap)) {
         const appKey = `🔧${appNode.appName}`;
         requestTree[appKey] = {}; // Initialize the app key
         // Iterate over assets
-        for (const [_assetId, assetNode] of appNode.assets.entries()) {
+        for (const [_assetId, assetNode] of Object.entries(appNode.assets)) {
             const assetKey = `📦${assetNode.assetName}`;
             if (assetNode.roles !== undefined) {
                 // If no roles were previously selected
                 requestTree[appKey][assetKey] = {}; // Initialize the asset key
                 // Iterate over roles
-                for (const [roleName, _] of assetNode.roles.entries()) {
-                    requestTree[appKey][assetKey][roleName] = null; // Initialize the role key
+                for (const [_roleId, roleNode] of Object.entries(assetNode.roles)) {
+                    requestTree[appKey][assetKey][roleNode.roleName] = null; // Initialize the role key
                 }
             }
             else {
@@ -63,3 +66,64 @@ function displayFinalRequestSummary(cmd, requestMap, reason, expiration) {
     table.push(["Requested Assets", requestedAssets], ["Reason", reason], ["Expiration", expiration]);
     cmd.log(table.toString());
 }
+function displayRequestDetails(cmd, requestResp) {
+    var _a, _b;
+    switch (requestResp.data.request.__typename) {
+        case "RequestResult": {
+            cmd.log(`REQUEST ${requestResp.data.request.request.id}`);
+            const status = requestResp.data.request.request.status;
+            // If status is "PENDING" or "APPROVED", display it
+            // If status is "DENIED", display it in red
+            if (status === "PENDING") {
+                cmd.log(`Status: ${chalk_1.default.yellowBright(status)}`);
+            }
+            else if (status === "APPROVED") {
+                cmd.log(`Status: ${chalk_1.default.greenBright(status)}`);
+            }
+            else if (status === "DENIED") {
+                cmd.log(`Status: ${chalk_1.default.redBright(status)}`);
+            }
+            else if (status === "CANCELED") {
+                cmd.log(`Status: ${chalk_1.default.redBright(status)}`);
+            }
+            // Request users "Requester: <requester> -> Target: <targetUser>"
+            const requester = (_a = requestResp.data.request.request.requester) === null || _a === void 0 ? void 0 : _a.displayName;
+            const targetUser = (_b = requestResp.data.request.request.targetUser) === null || _b === void 0 ? void 0 : _b.displayName;
+            if (requester && targetUser) {
+                cmd.log(`Requester: ${requester} -> Target: ${targetUser}`);
+            }
+            const durationInMinutes = requestResp.data.request.request.durationInMinutes;
+            if (durationInMinutes) {
+                const days = Math.floor(durationInMinutes / 1440);
+                const remainingMinutes = durationInMinutes % 1440;
+                const hours = Math.floor(remainingMinutes / 60);
+                const minutes = remainingMinutes % 60;
+                let durationStr = "";
+                if (days > 0)
+                    durationStr += `${days}d`;
+                if (hours > 0)
+                    durationStr += `${hours}h`;
+                if (minutes > 0)
+                    durationStr += `${minutes}m`;
+                if (durationStr === "")
+                    durationStr = `${durationInMinutes}m`;
+                durationStr += ` (${durationInMinutes}m)`;
+                cmd.log(`Duration: ${durationStr}`);
+            }
+            const reason = requestResp.data.request.request.reason;
+            if (reason) {
+                cmd.log(`Reason: "${reason}"`);
+            }
+            const requestedResources = requestResp.data.request.request.requestedResources;
+            const requestedGroups = requestResp.data.request.request.requestedGroups;
+            if (requestedResources && requestedResources.length > 0) {
+                cmd.log("Requested Resources:");
+                cmd.log((0, prettyjson_1.render)(requestedResources));
+            }
+            if (requestedGroups && requestedGroups.length > 0) {
+                cmd.log("Requested Groups:");
+                cmd.log((0, prettyjson_1.render)(requestedGroups));
+            }
+        }
+    }
+}

package/oclif.manifest.json

@@ -620,7 +620,30 @@
       "aliases": [],
       "args": {},
       "description": "Lists access requests",
-      "flags": {},
+      "flags": {
+        "help": {
+          "char": "h",
+          "description": "Show CLI help.",
+          "name": "help",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "id": {
+          "char": "i",
+          "description": "The Opal ID of the resource. You can find this from the URL, e.g. https://opal.dev/resources/[ID]",
+          "name": "id",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "verbose": {
+          "char": "v",
+          "description": "Enable verbose output",
+          "name": "verbose",
+          "allowNo": false,
+          "type": "boolean"
+        }
+      },
       "hasDynamicHelp": false,
       "hidden": true,
       "hiddenAliases": [],
@@ -639,12 +662,33 @@
       ]
     },
     "request:list": {
-      "aliases": [
-        "request:ls"
-      ],
+      "aliases": [],
       "args": {},
-      "description": "Lists access requests",
-      "flags": {},
+      "description": "Lists your recent outgoing access requests.      \n--pageSize flag sets number of requests to be returned. Defaults to 10 requests.      \n--showPendingOnly flag will show only pending requests. Defaults to false.",
+      "flags": {
+        "help": {
+          "char": "h",
+          "description": "Show CLI help.",
+          "name": "help",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "id": {
+          "char": "i",
+          "description": "The Opal ID of the resource. You can find this from the URL, e.g. https://opal.dev/resources/[ID]",
+          "name": "id",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "pageSize": {
+          "description": "Sets number of requests to be returned. Defaults to 10 requests.",
+          "name": "pageSize",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
       "hasDynamicHelp": false,
       "hidden": true,
       "hiddenAliases": [],
@@ -909,5 +953,5 @@
       ]
     }
   },
-  "version": "3.1.0"
+  "version": "3.1.1-beta.4a79f20"
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opal-security",
   "description": "Opal allows you to centrally manage access to all of your sensitive systems.",
-  "version": "3.1.0",
+  "version": "3.1.1-beta.4a79f20",
   "author": "Stephen Cobbe",
   "bin": {
     "opal": "./bin/run"
@@ -39,6 +39,7 @@
     "@types/lodash": "^4.14.169",
     "@types/node": "^22.14.0",
     "@types/prettyjson": "0.0.29",
+    "@types/react": "^19.1.4",
     "@types/semver": "^7.3.8",
     "better-npm-audit": "^3.7.3",
     "get-graphql-schema": "^2.1.2",