opal-security 3.1.1-beta.65d1a96 → 3.1.1-beta.e5e99da

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (--version)
-opal-security/3.1.1-beta.65d1a96 linux-x64 node-v20.19.1
+opal-security/3.1.1-beta.e5e99da linux-x64 node-v20.19.1
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -101,7 +101,7 @@ EXAMPLES
   $ opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/aws/identity.ts)_
 
 ## `opal clear-auth-provider`
 
@@ -121,7 +121,7 @@ EXAMPLES
   $ opal clear-auth-provider
 ```
 
-_See code: [src/commands/clear-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/clear-auth-provider.ts)_
+_See code: [src/commands/clear-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/clear-auth-provider.ts)_
 
 ## `opal curl-example`
 
@@ -138,7 +138,7 @@ DESCRIPTION
   Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.
 ```
 
-_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/curl-example.ts)_
+_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/curl-example.ts)_
 
 ## `opal groups get`
 
@@ -159,7 +159,7 @@ EXAMPLES
   $ opal groups:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/groups/get.ts)_
+_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/groups/get.ts)_
 
 ## `opal help [COMMANDS]`
 
@@ -209,7 +209,7 @@ EXAMPLES
   $ opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles start`
 
@@ -240,7 +240,7 @@ EXAMPLES
   $ opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -261,7 +261,7 @@ EXAMPLES
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -281,7 +281,7 @@ EXAMPLES
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/logout.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/logout.ts)_
 
 ## `opal postgres-instances start`
 
@@ -318,7 +318,7 @@ EXAMPLES
   $ opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/postgres-instances/start.ts)_
 
 ## `opal resources get`
 
@@ -339,7 +339,7 @@ EXAMPLES
   $ opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/resources/get.ts)_
 
 ## `opal set-auth-provider`
 
@@ -365,7 +365,7 @@ EXAMPLES
   $ opal set-auth-provider --clientID 1234asdf --issuerUrl https://auth.example.com
 ```
 
-_See code: [src/commands/set-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/set-auth-provider.ts)_
+_See code: [src/commands/set-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/set-auth-provider.ts)_
 
 ## `opal set-custom-header`
 
@@ -386,7 +386,7 @@ EXAMPLES
   $ opal set-custom-header --header 'cf-access-token: $TOKEN'
 ```
 
-_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/set-custom-header.ts)_
+_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/set-custom-header.ts)_
 
 ## `opal set-token`
 
@@ -406,7 +406,7 @@ EXAMPLES
   $ opal set-token
 ```
 
-_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/set-token.ts)_
+_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/set-token.ts)_
 
 ## `opal set-url [URL]`
 
@@ -430,7 +430,7 @@ EXAMPLES
   $ opal set-url
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/set-url.ts)_
 
 ## `opal ssh copyFrom`
 
@@ -461,7 +461,7 @@ EXAMPLES
   $ opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh copyTo`
 
@@ -492,7 +492,7 @@ EXAMPLES
   $ opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh start`
 
@@ -519,7 +519,7 @@ EXAMPLES
   $ opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.65d1a96/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.1.1-beta.e5e99da/src/commands/ssh/start.ts)_
 
 ## `opal version`
 

package/lib/commands/request/create.js

@@ -10,24 +10,26 @@ class RequestCreate extends core_1.Command {
         await (0, apollo_1.initClient)(this, true);
         const client = await (0, apollo_1.getClient)(this, true);
         (0, utils_1.restrictToDev)(); //TODO: Remove after development is complete
-        const requestMap = new Map();
+        const metadata = (0, requests_1.createEmptyRequestMetadata)();
         (0, displays_1.headerMessage)(this);
         let shouldProceed = false;
         while (!shouldProceed) {
             // Step 1: Select first round of assets from an app
-            await (0, requests_1.selectRequestableItems)(this, client, requestMap);
+            await (0, requests_1.selectRequestableItems)(this, client, metadata.requestMap);
             // Step 2: Display the selected items in a tree format
             (0, displays_1.headerMessage)(this);
-            this.log((0, displays_1.treeifyRequestMap)(requestMap), "\n");
+            this.log((0, displays_1.treeifyRequestMap)(metadata.requestMap), "\n");
             // Step 3: Prompt to add more items, repeat 1-3 if needed
             shouldProceed = await (0, requests_1.doneSelectingAssets)();
         }
+        // Step 4: Set Request Defaults
+        await (0, requests_1.setRequestDefaults)(this, client, metadata);
         // Step 4: Prompt for request reason
-        const { reason } = await (0, requests_1.promptForReason)();
+        const { reason } = await (0, requests_1.promptForReason)(metadata);
         // Step 5: Prompt for expiration
-        const { expiration } = await (0, requests_1.promptForExpiration)();
+        const { expiration } = await (0, requests_1.promptForExpiration)(metadata);
         // Step 6: Display final summary of request
-        (0, displays_1.displayFinalRequestSummary)(this, requestMap, reason, expiration);
+        (0, displays_1.displayFinalRequestSummary)(this, metadata.requestMap, reason, expiration.label);
         // Step 7: Prompt for final submition
         await (0, requests_1.submitFinalRequest)(this);
     }

package/lib/graphql/gql.d.ts

@@ -18,6 +18,7 @@ type Documents = {
     '\n  query GetRequestableAppsQuery($searchQuery: String) {\n    appsV2(\n      filters: {\n        access: REQUESTABLE\n        searchQuery: $searchQuery\n      }\n    ) @connection(key: "paginated-app-dropdown") {\n      edges {\n        node {\n          id\n          displayName\n          ... on Connection {\n            connectionType\n          }\n          ... on Resource {\n            resourceType\n          }\n        }\n      }\n      pageInfo {\n        hasNextPage\n        hasPreviousPage\n        startCursor\n        endCursor\n      }\n    }\n  }\n  ': typeof types.GetRequestableAppsQueryDocument;
     "\n  query PaginatedEntityDropdown(\n  $id: UUID!\n  $searchQuery: String\n) {\n  app(id: $id) {\n    __typename\n    ... on App {\n      id\n      items(\n        input: {\n          access: REQUESTABLE\n          searchQuery: $searchQuery\n          includeOnlyRequestable: true\n        }\n      ) {\n        items {\n          key\n          resource {\n            id\n            name\n          }\n          group {\n            id\n            name\n          }\n        }\n        cursor\n      }\n    }\n    ... on AppNotFoundError {\n      message\n    }\n  }\n}\n": typeof types.PaginatedEntityDropdownDocument;
     "\n  query ResourceAccessLevels($resourceId: ResourceId!) {\n    accessLevels(input: {\n      resourceId: $resourceId,\n      onlyMine: false,\n    }) {\n      __typename\n      ... on ResourceAccessLevelsResult {\n        accessLevels {\n          __typename\n          ... on ResourceAccessLevel {\n            accessLevelName\n            accessLevelRemoteId\n          }\n        }\n      }\n      ... on ResourceNotFoundError {\n        message\n      }\n    }\n  }\n": typeof types.ResourceAccessLevelsDocument;
+    "\n  query RequestDefaults(\n    $requestedResources: [RequestConfigurationResourceInput!]!\n    $requestedGroups: [RequestConfigurationGroupInput!]!\n    ) {\n    requestDefaults(input: {\n      requestedResources: $requestedResources,\n      requestedGroups: $requestedGroups,\n      }\n    ) {\n      durationOptions {\n        durationInMinutes\n        label\n      }\n      recommendedDurationInMinutes\n      defaultDurationInMinutes\n      maxDurationInMinutes\n      requireSupportTicket\n      reasonOptional\n      requesterIsAdmin\n    }\n  }": typeof types.RequestDefaultsDocument;
 };
 declare const documents: Documents;
 /**
@@ -57,5 +58,9 @@ export declare function graphql(source: "\n  query PaginatedEntityDropdown(\n  $
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export declare function graphql(source: "\n  query ResourceAccessLevels($resourceId: ResourceId!) {\n    accessLevels(input: {\n      resourceId: $resourceId,\n      onlyMine: false,\n    }) {\n      __typename\n      ... on ResourceAccessLevelsResult {\n        accessLevels {\n          __typename\n          ... on ResourceAccessLevel {\n            accessLevelName\n            accessLevelRemoteId\n          }\n        }\n      }\n      ... on ResourceNotFoundError {\n        message\n      }\n    }\n  }\n"): (typeof documents)["\n  query ResourceAccessLevels($resourceId: ResourceId!) {\n    accessLevels(input: {\n      resourceId: $resourceId,\n      onlyMine: false,\n    }) {\n      __typename\n      ... on ResourceAccessLevelsResult {\n        accessLevels {\n          __typename\n          ... on ResourceAccessLevel {\n            accessLevelName\n            accessLevelRemoteId\n          }\n        }\n      }\n      ... on ResourceNotFoundError {\n        message\n      }\n    }\n  }\n"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export declare function graphql(source: "\n  query RequestDefaults(\n    $requestedResources: [RequestConfigurationResourceInput!]!\n    $requestedGroups: [RequestConfigurationGroupInput!]!\n    ) {\n    requestDefaults(input: {\n      requestedResources: $requestedResources,\n      requestedGroups: $requestedGroups,\n      }\n    ) {\n      durationOptions {\n        durationInMinutes\n        label\n      }\n      recommendedDurationInMinutes\n      defaultDurationInMinutes\n      maxDurationInMinutes\n      requireSupportTicket\n      reasonOptional\n      requesterIsAdmin\n    }\n  }"): (typeof documents)["\n  query RequestDefaults(\n    $requestedResources: [RequestConfigurationResourceInput!]!\n    $requestedGroups: [RequestConfigurationGroupInput!]!\n    ) {\n    requestDefaults(input: {\n      requestedResources: $requestedResources,\n      requestedGroups: $requestedGroups,\n      }\n    ) {\n      durationOptions {\n        durationInMinutes\n        label\n      }\n      recommendedDurationInMinutes\n      defaultDurationInMinutes\n      maxDurationInMinutes\n      requireSupportTicket\n      reasonOptional\n      requesterIsAdmin\n    }\n  }"];
 export type DocumentType<TDocumentNode extends DocumentNode<any, any>> = TDocumentNode extends DocumentNode<infer TType, any> ? TType : never;
 export {};

package/lib/graphql/gql.js

@@ -10,6 +10,7 @@ const documents = {
     '\n  query GetRequestableAppsQuery($searchQuery: String) {\n    appsV2(\n      filters: {\n        access: REQUESTABLE\n        searchQuery: $searchQuery\n      }\n    ) @connection(key: "paginated-app-dropdown") {\n      edges {\n        node {\n          id\n          displayName\n          ... on Connection {\n            connectionType\n          }\n          ... on Resource {\n            resourceType\n          }\n        }\n      }\n      pageInfo {\n        hasNextPage\n        hasPreviousPage\n        startCursor\n        endCursor\n      }\n    }\n  }\n  ': types.GetRequestableAppsQueryDocument,
     "\n  query PaginatedEntityDropdown(\n  $id: UUID!\n  $searchQuery: String\n) {\n  app(id: $id) {\n    __typename\n    ... on App {\n      id\n      items(\n        input: {\n          access: REQUESTABLE\n          searchQuery: $searchQuery\n          includeOnlyRequestable: true\n        }\n      ) {\n        items {\n          key\n          resource {\n            id\n            name\n          }\n          group {\n            id\n            name\n          }\n        }\n        cursor\n      }\n    }\n    ... on AppNotFoundError {\n      message\n    }\n  }\n}\n": types.PaginatedEntityDropdownDocument,
     "\n  query ResourceAccessLevels($resourceId: ResourceId!) {\n    accessLevels(input: {\n      resourceId: $resourceId,\n      onlyMine: false,\n    }) {\n      __typename\n      ... on ResourceAccessLevelsResult {\n        accessLevels {\n          __typename\n          ... on ResourceAccessLevel {\n            accessLevelName\n            accessLevelRemoteId\n          }\n        }\n      }\n      ... on ResourceNotFoundError {\n        message\n      }\n    }\n  }\n": types.ResourceAccessLevelsDocument,
+    "\n  query RequestDefaults(\n    $requestedResources: [RequestConfigurationResourceInput!]!\n    $requestedGroups: [RequestConfigurationGroupInput!]!\n    ) {\n    requestDefaults(input: {\n      requestedResources: $requestedResources,\n      requestedGroups: $requestedGroups,\n      }\n    ) {\n      durationOptions {\n        durationInMinutes\n        label\n      }\n      recommendedDurationInMinutes\n      defaultDurationInMinutes\n      maxDurationInMinutes\n      requireSupportTicket\n      reasonOptional\n      requesterIsAdmin\n    }\n  }": types.RequestDefaultsDocument,
 };
 function graphql(source) {
     var _a;

package/lib/graphql/graphql.d.ts

@@ -571,6 +571,7 @@ export type AccessLevelsFiltersInput = {
 };
 export declare enum AccessOption {
     All = "ALL",
+    Manageable = "MANAGEABLE",
     Mine = "MINE",
     Requestable = "REQUESTABLE",
     /** @deprecated no longer supported */
@@ -626,6 +627,7 @@ export type AccessReview = Node & RolePermissionTargetEntity & {
     stoppedByUserId?: Maybe<Scalars["UserId"]["output"]>;
     stoppedDate?: Maybe<Scalars["Time"]["output"]>;
     timeZone: Scalars["String"]["output"];
+    updatedAt: Scalars["Time"]["output"];
     usersToReview: UserConnection;
 };
 export type AccessReviewUsersToReviewArgs = {
@@ -1477,7 +1479,11 @@ export type AccessReviewUsersResult = {
     accessReviewUsers: Array<AccessReviewUser>;
 };
 export type AccessReviewsInput = {
-    ongoingOnly?: InputMaybe<Scalars["Boolean"]["input"]>;
+    /**
+     * status filter: by default, accessReviews will return ALL access reviews for
+     * the org, otherwise it will only return access reviews with the given status
+     */
+    status?: InputMaybe<AccessReviewStatus>;
 };
 export type AccessReviewsOutput = AccessReviewsResult;
 export type AccessReviewsResult = {
@@ -1499,6 +1505,11 @@ export declare enum AccessRuleStatus {
     Paused = "PAUSED",
     PausedByFailsafe = "PAUSED_BY_FAILSAFE"
 }
+export type AccessScope = {
+    createdAfter?: InputMaybe<Scalars["Time"]["input"]>;
+    expiresAfter?: InputMaybe<Scalars["Time"]["input"]>;
+    vulnerabilities?: InputMaybe<Array<RecommendationsSubscoreType>>;
+};
 export type AccessStats = {
     managerAccessCount?: Maybe<Scalars["Int"]["output"]>;
     teamAccessCount?: Maybe<Scalars["Int"]["output"]>;
@@ -3749,6 +3760,13 @@ export type DenyRequestResult = {
     __typename?: "DenyRequestResult";
     request: Request;
 };
+export type DirectRoleAssignmentsInput = {
+    after?: InputMaybe<Scalars["String"]["input"]>;
+    first?: InputMaybe<Scalars["Int"]["input"]>;
+    scope: RoleAssignmentScope;
+    sortBy?: InputMaybe<RoleAssignmentsSortBy>;
+    source?: UiSource;
+};
 export type DismissGroupBindingSuggestionsInput = {
     ids: Array<Scalars["GroupBindingSuggestionId"]["input"]>;
 };
@@ -3833,6 +3851,15 @@ export type EntityIdTupleInput = {
     entityId: Scalars["UUID"]["input"];
     entityType: EntityType;
 };
+export type EntityScope = {
+    entityIDs?: InputMaybe<Array<Scalars["EntityId"]["input"]>>;
+    entitySubtypes?: InputMaybe<EntitySubtypes>;
+    entityTypes?: InputMaybe<Array<EntityType>>;
+};
+export type EntitySubtypes = {
+    groupTypes?: InputMaybe<Array<GroupType>>;
+    resourceTypes?: InputMaybe<Array<ResourceType>>;
+};
 export declare enum EntityType {
     AccessLevel = "ACCESS_LEVEL",
     AccessReview = "ACCESS_REVIEW",
@@ -4295,6 +4322,7 @@ export declare enum EventType {
     RoleAssignmentsDeleted = "ROLE_ASSIGNMENTS_DELETED",
     RoleAssignmentsUpdated = "ROLE_ASSIGNMENTS_UPDATED",
     SessionsCreatedForResources = "SESSIONS_CREATED_FOR_RESOURCES",
+    SoonToExpireNotification = "SOON_TO_EXPIRE_NOTIFICATION",
     ThirdPartyIntegrationCreated = "THIRD_PARTY_INTEGRATION_CREATED",
     ThirdPartyIntegrationDeleted = "THIRD_PARTY_INTEGRATION_DELETED",
     ToxicSetViolationsCreated = "TOXIC_SET_VIOLATIONS_CREATED",
@@ -4488,7 +4516,6 @@ export declare enum GeneralSettingType {
     AutoMergeUsersByEmail = "AUTO_MERGE_USERS_BY_EMAIL",
     DisableNonAdminLogins = "DISABLE_NON_ADMIN_LOGINS",
     GlobalRequesterRole = "GLOBAL_REQUESTER_ROLE",
-    LogRocketDisabled = "LOG_ROCKET_DISABLED",
     NestedGroups = "NESTED_GROUPS",
     RequireManagerCc = "REQUIRE_MANAGER_CC",
     RequireOpalMfaForLogins = "REQUIRE_OPAL_MFA_FOR_LOGINS",
@@ -5108,6 +5135,7 @@ export type GroupUser = {
     __typename?: "GroupUser";
     access?: Maybe<GroupUserAccess>;
     accessLevel?: Maybe<GroupAccessLevel>;
+    accessStats?: Maybe<AccessStats>;
     group?: Maybe<Group>;
     groupId: Scalars["GroupId"]["output"];
     lastUsedAt?: Maybe<Scalars["Time"]["output"]>;
@@ -5923,6 +5951,7 @@ export type Mutation = {
     createEventFilter: CreateEventFilterOutput;
     createEventStream: CreateEventStreamOutput;
     createFirstPartyToken: CreateFirstPartyTokenOutput;
+    /** @deprecated Use createItems instead. */
     createGroup: CreateGroupOutput;
     createGroupBindings: CreateGroupBindingsOutput;
     createIdpConnection: CreateIdpConnectionOutput;
@@ -6069,7 +6098,6 @@ export type Mutation = {
     updateResourceCustomAccessLevel: UpdateResourceCustomAccessLevelOutput;
     updateResourceUserReviewers: UpdateResourceUserReviewersOutput;
     updateResourceUsers: UpdateResourceUsersOutput;
-    updateResourceVisibilityGroups: UpdateResourceVisibilityGroupsOutput;
     /** @deprecated Use bulkUpdateItems instead. */
     updateResources: UpdateResourcesOutput;
     updateRoleAssignments: UpdateRoleAssignmentsOutput;
@@ -6566,9 +6594,6 @@ export type MutationUpdateResourceUserReviewersArgs = {
 export type MutationUpdateResourceUsersArgs = {
     input: UpdateResourceUsersInput;
 };
-export type MutationUpdateResourceVisibilityGroupsArgs = {
-    input: UpdateResourceVisibilityGroupsInput;
-};
 export type MutationUpdateResourcesArgs = {
     input: UpdateResourcesInput;
 };
@@ -7194,6 +7219,10 @@ export type PrincipalEdge = Edge & {
     cursor: Scalars["String"]["output"];
     node: Principal;
 };
+export type PrincipalScope = {
+    principalIDs?: InputMaybe<Array<Scalars["PrincipalId"]["input"]>>;
+    principalTypes?: InputMaybe<Array<EntityType>>;
+};
 export type PrincipalSearchOptions = {
     excludeUsersWithoutPosition: Scalars["Boolean"]["input"];
 };
@@ -7213,9 +7242,11 @@ export type PrincipalsResult = {
 };
 export type PropagationStatus = {
     __typename?: "PropagationStatus";
+    accessLevelRemoteId: Scalars["AccessLevelRemoteId"]["output"];
+    entityId: Scalars["EntityId"]["output"];
     errorMessage?: Maybe<Scalars["String"]["output"]>;
     lastSynced: Scalars["Time"]["output"];
-    roleAssignmentId: Scalars["RoleAssignmentId"]["output"];
+    principalId: Scalars["EntityId"]["output"];
     statusCode: PropagationStatusCode;
     taskType: PropagationTaskType;
 };
@@ -7410,6 +7441,7 @@ export type Query = {
     countFilteredGroups: CountFilteredGroupsOutput;
     countFilteredResources: CountFilteredResourcesOutput;
     currentUserStats: CurrentUserStatsOutput;
+    directRoleAssignments: RoleAssignmentConnection;
     entitiesForRiskScoreRange: EntitiesForRiskScoreRangeResult;
     entityForRemediation: RecommendationsEntity;
     event: EventOutput;
@@ -7682,6 +7714,9 @@ export type QueryCountFilteredGroupsArgs = {
 export type QueryCountFilteredResourcesArgs = {
     input: CountFilteredResourcesInput;
 };
+export type QueryDirectRoleAssignmentsArgs = {
+    input?: InputMaybe<DirectRoleAssignmentsInput>;
+};
 export type QueryEntitiesForRiskScoreRangeArgs = {
     maxRiskScore: Scalars["Int"]["input"];
     minRiskScore: Scalars["Int"]["input"];
@@ -8450,7 +8485,7 @@ export type RequestDefaults = {
 export type RequestDefaultsInput = {
     requestedGroups: Array<RequestConfigurationGroupInput>;
     requestedResources: Array<RequestConfigurationResourceInput>;
-    targetUserId: Scalars["UserId"]["input"];
+    targetUserId?: InputMaybe<Scalars["UserId"]["input"]>;
 };
 export type RequestDurationTooLargeError = Error & {
     __typename?: "RequestDurationTooLargeError";
@@ -8464,6 +8499,12 @@ export type RequestFieldValueMissingError = Error & {
     requestTemplateID: Scalars["RequestTemplateId"]["output"];
     resourceIds?: Maybe<Array<Scalars["ResourceId"]["output"]>>;
 };
+export type RequestFilters = {
+    endDate?: InputMaybe<EndDateFilter>;
+    searchQuery?: InputMaybe<Scalars["String"]["input"]>;
+    showPendingOnly?: Scalars["Boolean"]["input"];
+    startDate?: InputMaybe<StartDateFilter>;
+};
 export type RequestInput = {
     id: Scalars["RequestId"]["input"];
 };
@@ -8655,11 +8696,10 @@ export type RequestedResourceInput = {
 };
 export type RequestsInput = {
     cursor?: InputMaybe<Scalars["String"]["input"]>;
+    filters?: RequestFilters;
     maxNumEntries?: InputMaybe<Scalars["Int"]["input"]>;
     requestType?: InputMaybe<RequestType>;
-    searchQuery?: InputMaybe<Scalars["String"]["input"]>;
-    showPendingOnly?: InputMaybe<Scalars["Boolean"]["input"]>;
-    sortBy?: InputMaybe<RequestsSortBy>;
+    sortBy?: RequestsSortBy;
 };
 export type RequestsOutput = RequestsResult;
 export type RequestsResult = {
@@ -9397,6 +9437,12 @@ export type RoleAssignmentRiskFactor = {
     reason?: Maybe<Scalars["String"]["output"]>;
     riskFactor: RecommendationsSubscoreType;
 };
+export type RoleAssignmentScope = {
+    accessScope: AccessScope;
+    entityScope: EntityScope;
+    principalScope: PrincipalScope;
+    searchQuery?: InputMaybe<Scalars["String"]["input"]>;
+};
 export type RoleAssignmentSearchScope = {
     entityScope?: InputMaybe<RoleAssignmentEntityScope>;
     entityTypeScope?: InputMaybe<RoleAssignmentEntityTypeScope>;
@@ -9440,7 +9486,8 @@ export declare enum RoleAssignmentsSortByField {
     FirstGrantedAt = "FIRST_GRANTED_AT",
     LastUsedAt = "LAST_USED_AT",
     PrincipalName = "PRINCIPAL_NAME",
-    Role = "ROLE"
+    Role = "ROLE",
+    VulnerabilityCount = "VULNERABILITY_COUNT"
 }
 export declare enum RolePermission {
     AssignReviewers = "ASSIGN_REVIEWERS",
@@ -9453,6 +9500,7 @@ export declare enum RolePermission {
     EditSyncSettings = "EDIT_SYNC_SETTINGS",
     EditTags = "EDIT_TAGS",
     Export = "EXPORT",
+    Import = "IMPORT",
     Read = "READ",
     ReadAssignments = "READ_ASSIGNMENTS",
     SendReminders = "SEND_REMINDERS",
@@ -9830,6 +9878,9 @@ export type StartAccessReviewStatsResult = {
     __typename?: "StartAccessReviewStatsResult";
     startAccessReviewStats?: Maybe<StartAccessReviewStats>;
 };
+export type StartDateFilter = {
+    date: Scalars["String"]["input"];
+};
 export type StartSyncInput = {
     accessReviewId?: InputMaybe<Scalars["AccessReviewId"]["input"]>;
     connectionId?: InputMaybe<Scalars["ConnectionId"]["input"]>;
@@ -10803,16 +10854,7 @@ export type UpdateResourceUsersOutput = ResourceNotFoundError | UpdateResourceUs
 export type UpdateResourceUsersResult = {
     __typename?: "UpdateResourceUsersResult";
     resourceUsers?: Maybe<Array<ResourceUser>>;
-};
-export type UpdateResourceVisibilityGroupsInput = {
-    resourceId: Scalars["ResourceId"]["input"];
-    visibility: Visibility;
-    visibilityGroupsIds: Array<Scalars["GroupId"]["input"]>;
-};
-export type UpdateResourceVisibilityGroupsOutput = ConfigurationVisibilityGroupNotFoundError | GroupNotFoundError | InvalidUpdateResourceVisibilityGroupError | ResourceNotFoundError | UpdateResourceVisibilityGroupsResult;
-export type UpdateResourceVisibilityGroupsResult = {
-    __typename?: "UpdateResourceVisibilityGroupsResult";
-    resource: Resource;
+    taskId?: Maybe<Scalars["PushTaskId"]["output"]>;
 };
 export type UpdateResourcesInput = {
     commonMetadata?: InputMaybe<CommonMetadataInput>;
@@ -11387,9 +11429,6 @@ export declare enum RequestDecisionLevel {
     Admin = "ADMIN",
     Regular = "REGULAR"
 }
-export type StartDateFilter = {
-    date: Scalars["String"]["input"];
-};
 export type UpdateScopedRoleAssignmentsInput = {
     newDurationInMinutes?: InputMaybe<NullableInt>;
     scope?: InputMaybe<RoleAssignmentSearchScope>;
@@ -11579,9 +11618,31 @@ export type ResourceAccessLevelsQuery = {
         message: string;
     };
 };
+export type RequestDefaultsQueryVariables = Exact<{
+    requestedResources: Array<RequestConfigurationResourceInput> | RequestConfigurationResourceInput;
+    requestedGroups: Array<RequestConfigurationGroupInput> | RequestConfigurationGroupInput;
+}>;
+export type RequestDefaultsQuery = {
+    __typename?: "Query";
+    requestDefaults: {
+        __typename?: "RequestDefaults";
+        recommendedDurationInMinutes?: number | null;
+        defaultDurationInMinutes: number;
+        maxDurationInMinutes?: number | null;
+        requireSupportTicket: boolean;
+        reasonOptional: boolean;
+        requesterIsAdmin: boolean;
+        durationOptions: Array<{
+            __typename?: "DurationOption";
+            durationInMinutes: number;
+            label: string;
+        }>;
+    };
+};
 export declare const GetGroupDocument: DocumentNode<GetGroupQuery, GetGroupQueryVariables>;
 export declare const GetRequestDocument: DocumentNode<GetRequestQuery, GetRequestQueryVariables>;
 export declare const CheckAuthSessionQueryDocument: DocumentNode<CheckAuthSessionQueryQuery, CheckAuthSessionQueryQueryVariables>;
 export declare const GetRequestableAppsQueryDocument: DocumentNode<GetRequestableAppsQueryQuery, GetRequestableAppsQueryQueryVariables>;
 export declare const PaginatedEntityDropdownDocument: DocumentNode<PaginatedEntityDropdownQuery, PaginatedEntityDropdownQueryVariables>;
 export declare const ResourceAccessLevelsDocument: DocumentNode<ResourceAccessLevelsQuery, ResourceAccessLevelsQueryVariables>;
+export declare const RequestDefaultsDocument: DocumentNode<RequestDefaultsQuery, RequestDefaultsQueryVariables>;

package/lib/graphql/graphql.js

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.HealthStatus = exports.GroupUserSource = exports.GroupUserSortByField = exports.GroupType = exports.GroupResourceSource = exports.GroupBindingsSortByField = exports.GroupBindingSuggestionsSortByField = exports.GeneralSettingType = exports.FiltersMatchMode = exports.FactorType = exports.EventType = exports.EventSeverity = exports.ErrorNotificationSettingType = exports.EntityType = exports.ConnectionValidationStatus = exports.ConnectionValidationSeverity = exports.ConnectionType = exports.BundlesSortByField = exports.BundleItemsSortByField = exports.AuthType = exports.AuthSessionStatus = exports.AuthFlowType = exports.AssociatedItemsSortByField = exports.AssignmentsSortByField = exports.AppsSortByField = exports.AppType = exports.AppItemsSortByField = exports.AppCategory = exports.ApiAuthType = exports.ApiAccessLevel = exports.AldwinRole = exports.AccessType = exports.AccessRuleStatus = exports.AccessReviewUserWarningType = exports.AccessReviewType = exports.AccessReviewTab = exports.AccessReviewSummaryStatus = exports.AccessReviewStatus = exports.AccessReviewReviewerAssignmentPolicy = exports.AccessReviewItemsSortByField = exports.AccessReviewItemStatus = exports.AccessReviewItemOutcome = exports.AccessReviewGroupResourceVisibilityPolicy = exports.AccessReviewGroupItemKind = exports.AccessReviewEndUserView = exports.AccessReviewAssignedStatus = exports.AccessReviewAction = exports.AccessOption = exports.AccessChangeType = exports.AwsIdentityCenterImportSetting = void 0;
 exports.TaskTrigger = exports.TagsSortByField = exports.TagFilterMatchMode = exports.SyncType = exports.SyncTaskStatus = exports.SubEventsSortByField = exports.StringFormatType = exports.SortDirection = exports.ServiceType = exports.SearchType = exports.RolePermissionTargetType = exports.RolePermission = exports.RoleAssignmentsSortByField = exports.RoleAssignmentSource = exports.RiskLevel = exports.ReviewerUserStatus = exports.ReviewerAction = exports.ReviewStageOperator = exports.ResourceUserSource = exports.ResourceUserSortByField = exports.ResourceType = exports.RequestsSortByField = exports.RequestType = exports.RequestTemplateCustomFieldType = exports.RequestStatus = exports.RequestMessageLevel = exports.RequestMessageCode = exports.RequestApprovalType = exports.RecommendationsSubscoreType = exports.RecommendationsMetricType = exports.RecommendationsFeedbackType = exports.RecommendationsEntityType = exports.PubsubPublishMessageType = exports.PubsubPublishMessageStatusCode = exports.PubsubPublishConnectionType = exports.ProvisionSource = exports.PropagationTaskType = exports.PropagationStatusCode = exports.OwnersSortByField = exports.OrganizationType = exports.OidcProviderType = exports.NotificationType = exports.MessageChannelType = exports.MfaProvider = exports.IntegrationType = exports.ImportSetting = exports.IdpConnectionUserAttributeUseAs = exports.IdpConnectionType = exports.IdentityCategory = exports.HrIdpStatus = void 0;
-exports.ResourceAccessLevelsDocument = exports.PaginatedEntityDropdownDocument = exports.GetRequestableAppsQueryDocument = exports.CheckAuthSessionQueryDocument = exports.GetRequestDocument = exports.GetGroupDocument = exports.RequestDecisionLevel = exports.WebhookPubsubPublishConnectionAuthType = exports.WebhookPubsubPublishConnectionApiKeyLocation = exports.Visibility = exports.VerifyFactorStatus = exports.UsersSortByField = exports.UserProductRole = exports.UserErrorType = exports.UsageAttributionType = exports.UiSource = exports.TimePeriod = exports.TimeBucket = exports.ThirdPartyProvider = void 0;
+exports.RequestDefaultsDocument = exports.ResourceAccessLevelsDocument = exports.PaginatedEntityDropdownDocument = exports.GetRequestableAppsQueryDocument = exports.CheckAuthSessionQueryDocument = exports.GetRequestDocument = exports.GetGroupDocument = exports.RequestDecisionLevel = exports.WebhookPubsubPublishConnectionAuthType = exports.WebhookPubsubPublishConnectionApiKeyLocation = exports.Visibility = exports.VerifyFactorStatus = exports.UsersSortByField = exports.UserProductRole = exports.UserErrorType = exports.UsageAttributionType = exports.UiSource = exports.TimePeriod = exports.TimeBucket = exports.ThirdPartyProvider = void 0;
 var AwsIdentityCenterImportSetting;
 (function (AwsIdentityCenterImportSetting) {
     AwsIdentityCenterImportSetting["All"] = "ALL";
@@ -18,6 +18,7 @@ var AccessChangeType;
 var AccessOption;
 (function (AccessOption) {
     AccessOption["All"] = "ALL";
+    AccessOption["Manageable"] = "MANAGEABLE";
     AccessOption["Mine"] = "MINE";
     AccessOption["Requestable"] = "REQUESTABLE";
     /** @deprecated no longer supported */
@@ -653,6 +654,7 @@ var EventType;
     EventType["RoleAssignmentsDeleted"] = "ROLE_ASSIGNMENTS_DELETED";
     EventType["RoleAssignmentsUpdated"] = "ROLE_ASSIGNMENTS_UPDATED";
     EventType["SessionsCreatedForResources"] = "SESSIONS_CREATED_FOR_RESOURCES";
+    EventType["SoonToExpireNotification"] = "SOON_TO_EXPIRE_NOTIFICATION";
     EventType["ThirdPartyIntegrationCreated"] = "THIRD_PARTY_INTEGRATION_CREATED";
     EventType["ThirdPartyIntegrationDeleted"] = "THIRD_PARTY_INTEGRATION_DELETED";
     EventType["ToxicSetViolationsCreated"] = "TOXIC_SET_VIOLATIONS_CREATED";
@@ -700,7 +702,6 @@ var GeneralSettingType;
     GeneralSettingType["AutoMergeUsersByEmail"] = "AUTO_MERGE_USERS_BY_EMAIL";
     GeneralSettingType["DisableNonAdminLogins"] = "DISABLE_NON_ADMIN_LOGINS";
     GeneralSettingType["GlobalRequesterRole"] = "GLOBAL_REQUESTER_ROLE";
-    GeneralSettingType["LogRocketDisabled"] = "LOG_ROCKET_DISABLED";
     GeneralSettingType["NestedGroups"] = "NESTED_GROUPS";
     GeneralSettingType["RequireManagerCc"] = "REQUIRE_MANAGER_CC";
     GeneralSettingType["RequireOpalMfaForLogins"] = "REQUIRE_OPAL_MFA_FOR_LOGINS";
@@ -1184,6 +1185,7 @@ var RoleAssignmentsSortByField;
     RoleAssignmentsSortByField["LastUsedAt"] = "LAST_USED_AT";
     RoleAssignmentsSortByField["PrincipalName"] = "PRINCIPAL_NAME";
     RoleAssignmentsSortByField["Role"] = "ROLE";
+    RoleAssignmentsSortByField["VulnerabilityCount"] = "VULNERABILITY_COUNT";
 })(RoleAssignmentsSortByField || (exports.RoleAssignmentsSortByField = RoleAssignmentsSortByField = {}));
 var RolePermission;
 (function (RolePermission) {
@@ -1197,6 +1199,7 @@ var RolePermission;
     RolePermission["EditSyncSettings"] = "EDIT_SYNC_SETTINGS";
     RolePermission["EditTags"] = "EDIT_TAGS";
     RolePermission["Export"] = "EXPORT";
+    RolePermission["Import"] = "IMPORT";
     RolePermission["Read"] = "READ";
     RolePermission["ReadAssignments"] = "READ_ASSIGNMENTS";
     RolePermission["SendReminders"] = "SEND_REMINDERS";
@@ -2408,3 +2411,140 @@ exports.ResourceAccessLevelsDocument = {
         },
     ],
 };
+exports.RequestDefaultsDocument = {
+    kind: "Document",
+    definitions: [
+        {
+            kind: "OperationDefinition",
+            operation: "query",
+            name: { kind: "Name", value: "RequestDefaults" },
+            variableDefinitions: [
+                {
+                    kind: "VariableDefinition",
+                    variable: {
+                        kind: "Variable",
+                        name: { kind: "Name", value: "requestedResources" },
+                    },
+                    type: {
+                        kind: "NonNullType",
+                        type: {
+                            kind: "ListType",
+                            type: {
+                                kind: "NonNullType",
+                                type: {
+                                    kind: "NamedType",
+                                    name: {
+                                        kind: "Name",
+                                        value: "RequestConfigurationResourceInput",
+                                    },
+                                },
+                            },
+                        },
+                    },
+                },
+                {
+                    kind: "VariableDefinition",
+                    variable: {
+                        kind: "Variable",
+                        name: { kind: "Name", value: "requestedGroups" },
+                    },
+                    type: {
+                        kind: "NonNullType",
+                        type: {
+                            kind: "ListType",
+                            type: {
+                                kind: "NonNullType",
+                                type: {
+                                    kind: "NamedType",
+                                    name: {
+                                        kind: "Name",
+                                        value: "RequestConfigurationGroupInput",
+                                    },
+                                },
+                            },
+                        },
+                    },
+                },
+            ],
+            selectionSet: {
+                kind: "SelectionSet",
+                selections: [
+                    {
+                        kind: "Field",
+                        name: { kind: "Name", value: "requestDefaults" },
+                        arguments: [
+                            {
+                                kind: "Argument",
+                                name: { kind: "Name", value: "input" },
+                                value: {
+                                    kind: "ObjectValue",
+                                    fields: [
+                                        {
+                                            kind: "ObjectField",
+                                            name: { kind: "Name", value: "requestedResources" },
+                                            value: {
+                                                kind: "Variable",
+                                                name: { kind: "Name", value: "requestedResources" },
+                                            },
+                                        },
+                                        {
+                                            kind: "ObjectField",
+                                            name: { kind: "Name", value: "requestedGroups" },
+                                            value: {
+                                                kind: "Variable",
+                                                name: { kind: "Name", value: "requestedGroups" },
+                                            },
+                                        },
+                                    ],
+                                },
+                            },
+                        ],
+                        selectionSet: {
+                            kind: "SelectionSet",
+                            selections: [
+                                {
+                                    kind: "Field",
+                                    name: { kind: "Name", value: "durationOptions" },
+                                    selectionSet: {
+                                        kind: "SelectionSet",
+                                        selections: [
+                                            {
+                                                kind: "Field",
+                                                name: { kind: "Name", value: "durationInMinutes" },
+                                            },
+                                            { kind: "Field", name: { kind: "Name", value: "label" } },
+                                        ],
+                                    },
+                                },
+                                {
+                                    kind: "Field",
+                                    name: { kind: "Name", value: "recommendedDurationInMinutes" },
+                                },
+                                {
+                                    kind: "Field",
+                                    name: { kind: "Name", value: "defaultDurationInMinutes" },
+                                },
+                                {
+                                    kind: "Field",
+                                    name: { kind: "Name", value: "maxDurationInMinutes" },
+                                },
+                                {
+                                    kind: "Field",
+                                    name: { kind: "Name", value: "requireSupportTicket" },
+                                },
+                                {
+                                    kind: "Field",
+                                    name: { kind: "Name", value: "reasonOptional" },
+                                },
+                                {
+                                    kind: "Field",
+                                    name: { kind: "Name", value: "requesterIsAdmin" },
+                                },
+                            ],
+                        },
+                    },
+                ],
+            },
+        },
+    ],
+};

package/lib/lib/requests.d.ts

@@ -1,22 +1,42 @@
 import type { NormalizedCacheObject } from "@apollo/client/core";
 import type { ApolloClient } from "@apollo/client/core/ApolloClient";
 import type { Command } from "@oclif/core/lib/command";
-export interface AppNode {
+interface AppNode {
     appName: string;
-    assets: Map<string, AssetNode>;
+    assets: Record<string, AssetNode>;
 }
-export interface AssetNode {
+interface AssetNode {
     assetName: string;
-    roles?: Map<string, RoleNode>;
+    roles?: Record<string, RoleNode>;
 }
-export interface RoleNode {
+interface RoleNode {
     roleName: string;
 }
-export type RequestMap = Map<string, AppNode>;
+export type RequestMap = Record<string, AppNode>;
+interface DurationOption {
+    durationInMinutes: number;
+    label: string;
+}
+interface RequestDefaults {
+    durationOptions?: DurationOption[];
+    recommendedDurationInMinutes?: number | null;
+    defaultDurationInMinutes?: number;
+    maxDurationInMinutes?: number | null;
+    requireSupportTicket?: boolean;
+    reasonOptional?: boolean;
+    requesterIsAdmin?: boolean;
+}
+export interface RequestMetadata {
+    requestMap: RequestMap;
+    requestDefaults: RequestDefaults;
+}
+export declare function createEmptyRequestMetadata(): RequestMetadata;
 export declare function selectRequestableItems(cmd: Command, client: ApolloClient<NormalizedCacheObject>, requestMap: RequestMap): Promise<void>;
 export declare function chooseAssets(cmd: Command, client: ApolloClient<NormalizedCacheObject>, appId: string, requestMap: RequestMap): Promise<void>;
 export declare function chooseRoles(cmd: Command, client: ApolloClient<NormalizedCacheObject>, appId: string, assetId: string, requestMap: RequestMap): Promise<void>;
 export declare function doneSelectingAssets(): Promise<boolean>;
-export declare function promptForReason(): Promise<any>;
-export declare function promptForExpiration(): Promise<any>;
+export declare function setRequestDefaults(cmd: Command, client: ApolloClient<NormalizedCacheObject>, metadata: RequestMetadata): Promise<void>;
+export declare function promptForReason(metadata: RequestMetadata): Promise<any>;
+export declare function promptForExpiration(metadata: RequestMetadata): Promise<any>;
 export declare function submitFinalRequest(cmd: Command): Promise<void>;
+export {};

package/lib/lib/requests.js

@@ -1,15 +1,35 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.createEmptyRequestMetadata = createEmptyRequestMetadata;
 exports.selectRequestableItems = selectRequestableItems;
 exports.chooseAssets = chooseAssets;
 exports.chooseRoles = chooseRoles;
 exports.doneSelectingAssets = doneSelectingAssets;
+exports.setRequestDefaults = setRequestDefaults;
 exports.promptForReason = promptForReason;
 exports.promptForExpiration = promptForExpiration;
 exports.submitFinalRequest = submitFinalRequest;
 const inquirer = require("inquirer");
 const graphql_1 = require("../graphql");
 inquirer.registerPrompt("autocomplete", require("inquirer-autocomplete-prompt"));
+function createEmptyRequestMetadata() {
+    // Initialize with empty defaults
+    const requestDefaults = {
+        durationOptions: [],
+        recommendedDurationInMinutes: undefined,
+        defaultDurationInMinutes: undefined,
+        maxDurationInMinutes: undefined,
+        requireSupportTicket: false,
+        reasonOptional: false,
+        requesterIsAdmin: false,
+    };
+    // Initialize with empty map
+    const requestMap = {};
+    return {
+        requestMap,
+        requestDefaults,
+    };
+}
 // Queries and Mutations
 // TODO: add pagination ability from CLI. (Load more...) option
 const GET_REQUESTABLE_APPS_QUERY = (0, graphql_1.graphql)(`
@@ -211,6 +231,46 @@ async function queryResourceRoles(cmd, client, resourceId) {
         }
     }
 }
+const REQUEST_DEFAULTS_QUERY = (0, graphql_1.graphql)(`
+  query RequestDefaults(
+    $requestedResources: [RequestConfigurationResourceInput!]!
+    $requestedGroups: [RequestConfigurationGroupInput!]!
+    ) {
+    requestDefaults(input: {
+      requestedResources: $requestedResources,
+      requestedGroups: $requestedGroups,
+      }
+    ) {
+      durationOptions {
+        durationInMinutes
+        label
+      }
+      recommendedDurationInMinutes
+      defaultDurationInMinutes
+      maxDurationInMinutes
+      requireSupportTicket
+      reasonOptional
+      requesterIsAdmin
+    }
+  }`);
+async function queryRequestDefaults(cmd, client, requestedResources, requestedGroups) {
+    try {
+        const resp = await client.query({
+            query: REQUEST_DEFAULTS_QUERY,
+            variables: {
+                requestedResources: requestedResources,
+                requestedGroups: requestedGroups,
+            },
+            fetchPolicy: "network-only", // to avoid caching
+        });
+        return resp.data.requestDefaults;
+    }
+    catch (error) {
+        if (error instanceof Error || typeof error === "string") {
+            cmd.error(error);
+        }
+    }
+}
 // Helper functions
 async function selectRequestableItems(cmd, client, requestMap) {
     const { App } = await inquirer.prompt([
@@ -226,11 +286,11 @@ async function selectRequestableItems(cmd, client, requestMap) {
         },
     ]);
     // Set the app in the requestMap and call choose assets step
-    if (!requestMap.has(App.id)) {
-        requestMap.set(App.id, {
+    if (!(App.id in requestMap)) {
+        requestMap[App.id] = {
             appName: App.name,
-            assets: new Map(),
-        });
+            assets: {},
+        };
     }
     await chooseAssets(cmd, client, App.id, requestMap);
 }
@@ -249,22 +309,22 @@ async function chooseAssets(cmd, client, appId, requestMap) {
             return true;
         },
     });
-    const entry = requestMap.get(appId);
+    const entry = requestMap[appId];
     for (const asset of Assets) {
         if (entry === undefined) {
             throw new Error(`App ${appId} not found in requestMap`);
         }
-        if (!entry.assets.has(asset.id)) {
-            entry.assets.set(asset.id, {
+        if (!(asset.id in entry.assets)) {
+            entry.assets[asset.id] = {
                 assetName: asset.name,
-                roles: new Map(),
-            });
+                roles: {},
+            };
         }
         await chooseRoles(cmd, client, appId, asset.id, requestMap);
     }
 }
 async function chooseRoles(cmd, client, appId, assetId, requestMap) {
-    var _a, _b;
+    var _a;
     const resourceRoles = (_a = (await queryResourceRoles(cmd, client, assetId))) !== null && _a !== void 0 ? _a : [];
     if (resourceRoles !== undefined &&
         (resourceRoles.length === 0 ||
@@ -283,15 +343,18 @@ async function chooseRoles(cmd, client, appId, assetId, requestMap) {
             return true;
         },
     });
-    const entry = requestMap.get(appId);
-    const assetEntry = entry === null || entry === void 0 ? void 0 : entry.assets.get(assetId);
+    const entry = requestMap[appId];
+    const assetEntry = entry === null || entry === void 0 ? void 0 : entry.assets[assetId];
     if (entry === undefined || assetEntry === undefined) {
         throw new Error(`App ${appId} or Asset ${assetId} not found in requestMap`);
     }
+    if (!assetEntry.roles) {
+        assetEntry.roles = {};
+    }
     for (const role of roles) {
-        (_b = assetEntry.roles) === null || _b === void 0 ? void 0 : _b.set(role.id, {
+        assetEntry.roles[role.id] = {
             roleName: role.name,
-        });
+        };
     }
 }
 async function doneSelectingAssets() {
@@ -307,22 +370,84 @@ async function doneSelectingAssets() {
     ]);
     return submitOrAdd === submitMessage;
 }
-async function promptForReason() {
+async function setRequestDefaults(cmd, client, metadata) {
+    const requestMap = metadata.requestMap;
+    const requestedResources = [];
+    const requestedGroups = [];
+    for (const appNode of Object.values(requestMap)) {
+        for (const [assetId, assetNode] of Object.entries(appNode.assets)) {
+            if (assetNode.roles !== undefined) {
+                for (const roleId of Object.keys(assetNode.roles)) {
+                    requestedResources.push({
+                        resourceId: assetId,
+                        accessLevelRemoteId: roleId,
+                    });
+                }
+            }
+        }
+    }
+    try {
+        const requestDefaults = await queryRequestDefaults(cmd, client, requestedResources, requestedGroups);
+        if ((requestDefaults === null || requestDefaults === void 0 ? void 0 : requestDefaults.__typename) === "RequestDefaults") {
+            metadata.requestDefaults.durationOptions =
+                requestDefaults.durationOptions;
+            metadata.requestDefaults.recommendedDurationInMinutes =
+                requestDefaults.recommendedDurationInMinutes;
+            metadata.requestDefaults.defaultDurationInMinutes =
+                requestDefaults.defaultDurationInMinutes;
+            metadata.requestDefaults.maxDurationInMinutes =
+                requestDefaults.maxDurationInMinutes;
+            metadata.requestDefaults.requireSupportTicket =
+                requestDefaults.requireSupportTicket;
+            metadata.requestDefaults.reasonOptional = requestDefaults.reasonOptional;
+            metadata.requestDefaults.requesterIsAdmin =
+                requestDefaults.requesterIsAdmin;
+        }
+    }
+    catch (_a) {
+        cmd.error("Error fetching request defaults.");
+    }
+}
+async function promptForReason(metadata) {
     return await inquirer.prompt([
         {
             name: "reason",
             message: "I need access to this because...",
             type: "input",
+            validate: (answer) => {
+                if (metadata.requestDefaults.reasonOptional && answer.length < 1) {
+                    return "A reason for requesting these assets is required.";
+                }
+                return true;
+            },
         },
     ]);
 }
-async function promptForExpiration() {
+async function promptForExpiration(metadata) {
+    var _a, _b;
+    const durations = ((_b = (_a = metadata.requestDefaults) === null || _a === void 0 ? void 0 : _a.durationOptions) === null || _b === void 0 ? void 0 : _b.map((option) => {
+        return {
+            name: option.durationInMinutes ===
+                metadata.requestDefaults.recommendedDurationInMinutes
+                ? `${option.label} (Recommended)`
+                : option.label,
+            value: {
+                label: option.label,
+                durationInMinutes: option.durationInMinutes,
+            },
+        };
+    })) || [];
+    // TODO: Sort durations by minutes
+    // durations = durations.sort(
+    //   durations.filter((option) => option.value.durationInMinutes),
+    // );
     return await inquirer.prompt([
         {
             name: "expiration",
             message: "When should access expire?",
             type: "list",
-            choices: ["1 hour", "1 day", "7 days", "30 days", "1 year", "Indefinite"],
+            choices: durations,
+            pageSize: 15,
         },
     ]);
 }

package/lib/utils/displays.js

@@ -32,17 +32,17 @@ function treeifyRequestMap(requestMap) {
     const requestTree = {};
     // Create a tree structure from the requestMap
     // Iterate over apps
-    for (const appNode of requestMap.values()) {
+    for (const [_appId, appNode] of Object.entries(requestMap)) {
         const appKey = `🔧${appNode.appName}`;
         requestTree[appKey] = {}; // Initialize the app key
         // Iterate over assets
-        for (const assetNode of appNode.assets.values()) {
+        for (const [_assetId, assetNode] of Object.entries(appNode.assets)) {
             const assetKey = `📦${assetNode.assetName}`;
             if (assetNode.roles !== undefined) {
                 // If no roles were previously selected
                 requestTree[appKey][assetKey] = {}; // Initialize the asset key
                 // Iterate over roles
-                for (const roleNode of assetNode.roles.values()) {
+                for (const [_roleId, roleNode] of Object.entries(assetNode.roles)) {
                     requestTree[appKey][assetKey][roleNode.roleName] = null; // Initialize the role key
                 }
             }

package/oclif.manifest.json

@@ -452,15 +452,14 @@
         "start.js"
       ]
     },
-    "postgres-instances:start": {
+    "kube-roles:start": {
       "aliases": [],
       "args": {},
-      "description": "Starts a session to connect to a Postgres database.",
+      "description": "Starts a session to assume a Kubernetes cluster IAM role.",
       "examples": [
-        "opal postgres-instances:start",
-        "opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398",
-        "opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess",
-        "opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view"
+        "opal kube-roles:start",
+        "opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398",
+        "opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId \"arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role\""
       ],
       "flags": {
         "help": {
@@ -500,22 +499,11 @@
           "name": "refresh",
           "allowNo": false,
           "type": "boolean"
-        },
-        "action": {
-          "description": "Method of connecting to the database.\n- psql: Start psql session in shell\n- view: View connection configuration details",
-          "name": "action",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "options": [
-            "psql",
-            "view"
-          ],
-          "type": "option"
         }
       },
       "hasDynamicHelp": false,
       "hiddenAliases": [],
-      "id": "postgres-instances:start",
+      "id": "kube-roles:start",
       "pluginAlias": "opal-security",
       "pluginName": "opal-security",
       "pluginType": "core",
@@ -525,18 +513,19 @@
       "relativePath": [
         "lib",
         "commands",
-        "postgres-instances",
+        "kube-roles",
         "start.js"
       ]
     },
-    "kube-roles:start": {
+    "postgres-instances:start": {
       "aliases": [],
       "args": {},
-      "description": "Starts a session to assume a Kubernetes cluster IAM role.",
+      "description": "Starts a session to connect to a Postgres database.",
       "examples": [
-        "opal kube-roles:start",
-        "opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398",
-        "opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId \"arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role\""
+        "opal postgres-instances:start",
+        "opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398",
+        "opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess",
+        "opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view"
       ],
       "flags": {
         "help": {
@@ -576,51 +565,22 @@
           "name": "refresh",
           "allowNo": false,
           "type": "boolean"
-        }
-      },
-      "hasDynamicHelp": false,
-      "hiddenAliases": [],
-      "id": "kube-roles:start",
-      "pluginAlias": "opal-security",
-      "pluginName": "opal-security",
-      "pluginType": "core",
-      "strict": true,
-      "enableJsonFlag": false,
-      "isESM": false,
-      "relativePath": [
-        "lib",
-        "commands",
-        "kube-roles",
-        "start.js"
-      ]
-    },
-    "resources:get": {
-      "aliases": [],
-      "args": {},
-      "description": "Get resource info for a particular resource.",
-      "examples": [
-        "opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4"
-      ],
-      "flags": {
-        "help": {
-          "char": "h",
-          "description": "Show CLI help.",
-          "name": "help",
-          "allowNo": false,
-          "type": "boolean"
         },
-        "id": {
-          "char": "i",
-          "description": "The Opal ID of the resource. You can find this from the URL, e.g. https://opal.dev/resources/[ID]",
-          "name": "id",
+        "action": {
+          "description": "Method of connecting to the database.\n- psql: Start psql session in shell\n- view: View connection configuration details",
+          "name": "action",
           "hasDynamicHelp": false,
           "multiple": false,
+          "options": [
+            "psql",
+            "view"
+          ],
           "type": "option"
         }
       },
       "hasDynamicHelp": false,
       "hiddenAliases": [],
-      "id": "resources:get",
+      "id": "postgres-instances:start",
       "pluginAlias": "opal-security",
       "pluginName": "opal-security",
       "pluginType": "core",
@@ -630,8 +590,8 @@
       "relativePath": [
         "lib",
         "commands",
-        "resources",
-        "get.js"
+        "postgres-instances",
+        "start.js"
       ]
     },
     "request:create": {
@@ -716,6 +676,46 @@
         "list.js"
       ]
     },
+    "resources:get": {
+      "aliases": [],
+      "args": {},
+      "description": "Get resource info for a particular resource.",
+      "examples": [
+        "opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4"
+      ],
+      "flags": {
+        "help": {
+          "char": "h",
+          "description": "Show CLI help.",
+          "name": "help",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "id": {
+          "char": "i",
+          "description": "The Opal ID of the resource. You can find this from the URL, e.g. https://opal.dev/resources/[ID]",
+          "name": "id",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "resources:get",
+      "pluginAlias": "opal-security",
+      "pluginName": "opal-security",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": false,
+      "isESM": false,
+      "relativePath": [
+        "lib",
+        "commands",
+        "resources",
+        "get.js"
+      ]
+    },
     "ssh:copyFrom": {
       "aliases": [],
       "args": {},
@@ -923,5 +923,5 @@
       ]
     }
   },
-  "version": "3.1.1-beta.65d1a96"
+  "version": "3.1.1-beta.e5e99da"
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opal-security",
   "description": "Opal allows you to centrally manage access to all of your sensitive systems.",
-  "version": "3.1.1-beta.65d1a96",
+  "version": "3.1.1-beta.e5e99da",
   "author": "Stephen Cobbe",
   "bin": {
     "opal": "./bin/run"