opal-security 3.2.1 → 3.2.2

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (--version)
-opal-security/3.2.1 darwin-arm64 node-v18.20.4
+opal-security/3.2.2 darwin-arm64 node-v18.20.4
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -106,7 +106,7 @@ EXAMPLES
   $ opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/aws/identity.ts)_
 
 ## `opal clear-auth-provider`
 
@@ -126,7 +126,7 @@ EXAMPLES
   $ opal clear-auth-provider
 ```
 
-_See code: [src/commands/clear-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/clear-auth-provider.ts)_
+_See code: [src/commands/clear-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/clear-auth-provider.ts)_
 
 ## `opal curl-example`
 
@@ -143,7 +143,7 @@ DESCRIPTION
   Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.
 ```
 
-_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/curl-example.ts)_
+_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/curl-example.ts)_
 
 ## `opal groups get`
 
@@ -164,7 +164,7 @@ EXAMPLES
   $ opal groups:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/groups/get.ts)_
+_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/groups/get.ts)_
 
 ## `opal help [COMMANDS]`
 
@@ -214,7 +214,7 @@ EXAMPLES
   $ opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles start`
 
@@ -245,7 +245,7 @@ EXAMPLES
   $ opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -266,7 +266,7 @@ EXAMPLES
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -286,7 +286,7 @@ EXAMPLES
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/logout.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/logout.ts)_
 
 ## `opal postgres-instances start`
 
@@ -324,7 +324,7 @@ EXAMPLES
   $ opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/postgres-instances/start.ts)_
 
 ## `opal request create`
 
@@ -332,26 +332,29 @@ Creates an Opal access request via an interactive form
 
 ```
 USAGE
-  $ opal request create [-h] [-a <value>...] [-r <value>] [-d <value>]
+  $ opal request create [-h] [-a <value>...] [-r <value>] [-d <value>] [-t <value>] [-b <value>]
 
 FLAGS
   -a, --assets=<value>...  The ids of the assets (resource, group) to request access to. Append a role name using a
                            colon if needed, e.g. `--assets 123:456`.
                            If not provided, an interactive selection flow will be available to select assets to request.
+  -b, --bundle=<value>     A bundle ID to create a new request based on the assets in the bundle.
   -d, --duration=<value>   The duration of access for the request in minutes. Pass in a 0 value for permanent access. If
                            not provided, you will be prompted.
   -h, --help               Show CLI help.
   -r, --reason=<value>     The reason for the request, contained in quotes. If not provided, you will be prompted.
+  -t, --template=<value>   A request ID of a previously finished request (cancelled/denied/approved) to create a new
+                           request based on the completed request.
 
 DESCRIPTION
   Creates an Opal access request via an interactive form
 ```
 
-_See code: [src/commands/request/create.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/request/create.ts)_
+_See code: [src/commands/request/create.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/request/create.ts)_
 
 ## `opal request get`
 
-Lists access requests
+Fetch details of an access request by request ID
 
 ```
 USAGE
@@ -363,7 +366,7 @@ FLAGS
   -v, --verbose     Enable verbose output, prints full response in JSON format. Defaults to false.
 
 DESCRIPTION
-  Lists access requests
+  Fetch details of an access request by request ID
 
 EXAMPLES
   $ opal request get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
@@ -371,7 +374,7 @@ EXAMPLES
   $ opal request get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4 --verbose
 ```
 
-_See code: [src/commands/request/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/request/get.ts)_
+_See code: [src/commands/request/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/request/get.ts)_
 
 ## `opal request list`
 
@@ -403,7 +406,7 @@ EXAMPLES
   $ opal request list --n 5 --pending --verbose
 ```
 
-_See code: [src/commands/request/list.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/request/list.ts)_
+_See code: [src/commands/request/list.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/request/list.ts)_
 
 ## `opal request ls`
 
@@ -454,7 +457,7 @@ EXAMPLES
   $ opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/resources/get.ts)_
 
 ## `opal set-auth-provider`
 
@@ -480,7 +483,7 @@ EXAMPLES
   $ opal set-auth-provider --clientID 1234asdf --issuerUrl https://auth.example.com
 ```
 
-_See code: [src/commands/set-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/set-auth-provider.ts)_
+_See code: [src/commands/set-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/set-auth-provider.ts)_
 
 ## `opal set-custom-header`
 
@@ -501,7 +504,7 @@ EXAMPLES
   $ opal set-custom-header --header 'cf-access-token: $TOKEN'
 ```
 
-_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/set-custom-header.ts)_
+_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/set-custom-header.ts)_
 
 ## `opal set-token`
 
@@ -521,7 +524,7 @@ EXAMPLES
   $ opal set-token
 ```
 
-_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/set-token.ts)_
+_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/set-token.ts)_
 
 ## `opal set-url [URL]`
 
@@ -545,7 +548,7 @@ EXAMPLES
   $ opal set-url
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/set-url.ts)_
 
 ## `opal ssh copyFrom`
 
@@ -576,7 +579,7 @@ EXAMPLES
   $ opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh copyTo`
 
@@ -607,7 +610,7 @@ EXAMPLES
   $ opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh start`
 
@@ -634,7 +637,7 @@ EXAMPLES
   $ opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/ssh/start.ts)_
 
 ## `opal version`
 
@@ -671,5 +674,5 @@ DESCRIPTION
   Describes current url set, organization name, and logged in user if applicable.
 ```
 
-_See code: [src/commands/whoami.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.1/src/commands/whoami.ts)_
+_See code: [src/commands/whoami.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.2/src/commands/whoami.ts)_
 <!-- commandsstop -->

package/lib/commands/login.js

@@ -218,12 +218,19 @@ class Login extends core_1.Command {
                 token_endpoint_auth_method: "none",
                 application_type: "native",
             });
+            // Add the mfa:skip scope to the scopes according to appropriate org settings
+            // This scope is evaluated in Auth0 "MFA Rule" Action to skip or enabled MFA
+            let scopes = "openid email profile";
+            if (!(signInResp === null || signInResp === void 0 ? void 0 : signInResp.data.signIn.forceExtraStep)) {
+                scopes += " mfa:skip";
+            }
             const handle = await client.deviceAuthorization({
                 audience: "https://opal.dev",
-                scope: "openid email profile",
+                scope: scopes,
             });
             this.log("\nYou are being redirected to your browser to authenticate.\n");
             this.log(`      User Code: ${handle.user_code}\n`);
+            this.log("If your browser doesn't open, go to:", handle.verification_uri_complete, "\n");
             // Wait before opening the browser window to ensure the user has time to
             // see the User Code.
             await (0, util_1.sleep)(1000);

package/lib/commands/request/create.d.ts

@@ -6,6 +6,8 @@ export default class RequestCreate extends Command {
         assets: import("@oclif/core/lib/interfaces").OptionFlag<string[] | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
         reason: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
         duration: import("@oclif/core/lib/interfaces").OptionFlag<number | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        template: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        bundle: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
     };
     run(): Promise<void>;
 }

package/lib/commands/request/create.js

@@ -4,60 +4,73 @@ const core_1 = require("@oclif/core");
 const apollo_1 = require("../../lib/apollo");
 const cmd_1 = require("../../lib/cmd");
 const flags_1 = require("../../lib/flags");
-const requests_1 = require("../../lib/requests");
-const displays_1 = require("../../utils/displays");
+const displays_1 = require("../../lib/request/displays");
+const prompts_1 = require("../../lib/request/prompts");
+const request_utils_1 = require("../../lib/request/request-utils");
 class RequestCreate extends core_1.Command {
     async run() {
+        var _a;
         (0, cmd_1.setMostRecentCommand)(this);
         await (0, apollo_1.initClient)(this, true);
         const client = await (0, apollo_1.getClient)(this, true);
         const { flags } = await this.parse(RequestCreate);
-        const metadata = (0, requests_1.initEmptyRequestMetadata)();
+        const metadata = (0, request_utils_1.initEmptyRequestMetadata)();
+        if (flags.template) {
+            await (0, request_utils_1.duplicateRequestTemplate)(this, client, flags.template, metadata);
+        }
+        if (flags.bundle) {
+            await (0, request_utils_1.copyBundleAssets)(this, client, flags.bundle, metadata.requestMap);
+        }
         if (flags.assets) {
             // if IDs are provided, bypass the interactive selection process
-            await (0, requests_1.bypassRequestSelection)(this, client, flags.assets, metadata);
+            await (0, request_utils_1.bypassRequestSelection)(this, client, flags.assets, metadata);
         }
-        else {
+        else if (!flags.template && !flags.bundle) {
             (0, displays_1.headerMessage)(this);
             let shouldProceed = false;
             while (!shouldProceed) {
                 // Step 1: Select first round of assets from an app
-                await (0, requests_1.selectRequestableItems)(this, client, metadata.requestMap);
+                await (0, prompts_1.selectRequestableItems)(this, client, metadata.requestMap);
                 // Step 2: Display the selected items in a tree format
                 (0, displays_1.headerMessage)(this);
                 (0, displays_1.treeifyRequestMap)(this, metadata.requestMap);
                 // Step 3: Prompt to add more items, repeat 1-3 if needed
-                shouldProceed = await (0, requests_1.doneSelectingAssets)();
+                shouldProceed = await (0, prompts_1.doneSelectingAssets)();
             }
         }
         // Step 4: Set Request Defaults
-        await (0, requests_1.setRequestDefaults)(this, client, metadata);
-        // Step 4: Prompt for request reason
+        await (0, request_utils_1.setRequestDefaults)(this, client, metadata);
+        // Step 5: Prompt for request reason
         if (flags.reason) {
             metadata.reason = flags.reason;
         }
         else if (!(metadata.requestDefaults.reasonOptional &&
             flags.assets &&
-            flags.duration)) {
-            await (0, requests_1.promptForReason)(metadata);
+            flags.duration) &&
+            !flags.template) {
+            await (0, prompts_1.promptForReason)(metadata);
         }
-        // Step 5: Prompt for expiration
+        // Step 6: Prompt for expiration
         if (flags.duration !== undefined) {
-            (0, requests_1.bypassDuration)(this, flags.duration, metadata);
+            (0, request_utils_1.bypassDuration)(this, flags.duration, metadata);
+        }
+        else if (!flags.template) {
+            await (0, prompts_1.promptForDuration)(metadata);
         }
         else {
-            await (0, requests_1.promptForExpiration)(metadata);
+            (0, request_utils_1.bypassDuration)(this, (_a = metadata.durationInMinutes) !== null && _a !== void 0 ? _a : 0, metadata);
         }
-        // Step 6: Display final summary of request
+        // Step 7: Display final summary of request
         let canSubmit = true;
-        if (!(flags.assets &&
+        if (!((flags.assets || flags.bundle) &&
             flags.duration !== undefined &&
-            (metadata.requestDefaults.reasonOptional || flags.reason))) {
-            canSubmit = await (0, requests_1.promptRequestSubmission)(this, metadata);
+            (metadata.requestDefaults.reasonOptional || flags.reason)) &&
+            !flags.template) {
+            canSubmit = await (0, prompts_1.promptRequestSubmission)(this, metadata);
         }
-        // Step 7: Prompt for final submission
+        // Step 8: Prompt for final submission
         if (canSubmit)
-            await (0, requests_1.submitFinalRequest)(this, client, metadata);
+            await (0, request_utils_1.submitFinalRequest)(this, client, metadata);
     }
 }
 RequestCreate.description = "Creates an Opal access request via an interactive form";
@@ -77,5 +90,13 @@ RequestCreate.flags = {
         char: "d",
         description: "The duration of access for the request in minutes. Pass in a 0 value for permanent access. If not provided, you will be prompted.",
     }),
+    template: core_1.Flags.string({
+        char: "t",
+        description: "A request ID of a previously finished request (cancelled/denied/approved) to create a new request based on the completed request.",
+    }),
+    bundle: core_1.Flags.string({
+        char: "b",
+        description: "A bundle ID to create a new request based on the assets in the bundle.",
+    }),
 };
 exports.default = RequestCreate;

package/lib/commands/request/get.js

@@ -2,59 +2,12 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const core_1 = require("@oclif/core");
 const chalk_1 = require("chalk");
-const graphql_1 = require("../../graphql");
 const apollo_1 = require("../../lib/apollo");
 const cmd_1 = require("../../lib/cmd");
 const config_1 = require("../../lib/config");
 const flags_1 = require("../../lib/flags");
-const displays_1 = require("../../utils/displays");
-const GET_REQUEST = (0, graphql_1.graphql)(`
-  query GetRequest(
-  $id: RequestId!
-) {
-  request(input: {id: $id}) {
-    __typename
-    ... on RequestResult {
-      request {
-        id
-        createdAt
-        status
-        requester {
-          displayName
-        }
-        targetUser {
-          displayName
-        }
-        requestedResources {
-          resource {
-            displayName
-            id
-          }
-          accessLevel {
-            accessLevelName
-            accessLevelRemoteId
-          }
-        }
-        durationInMinutes
-        requestedGroups {
-          group {
-            id
-            name
-          }
-          accessLevel {
-            accessLevelName
-            accessLevelRemoteId
-          }
-        }
-        reason
-      }
-    }
-    ... on RequestNotFoundError {
-      message
-    }
-  }
-}
-`);
+const api_1 = require("../../lib/request/api");
+const displays_1 = require("../../lib/request/displays");
 class GetRequest extends core_1.Command {
     async run() {
         (0, cmd_1.setMostRecentCommand)(this);
@@ -67,13 +20,7 @@ class GetRequest extends core_1.Command {
             this.log("ex. opal request get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4");
             return;
         }
-        const resp = await client.query({
-            query: GET_REQUEST,
-            variables: {
-                id: flags.id,
-            },
-            fetchPolicy: "network-only", // to avoid caching
-        });
+        const resp = await (0, api_1.queryRequest)(client, flags.id);
         switch (resp.data.request.__typename) {
             case "RequestResult": {
                 if (flags.verbose) {
@@ -84,6 +31,7 @@ class GetRequest extends core_1.Command {
                 }
                 const url = `${configData[config_1.urlKey]}/requests/sent/${flags.id}`;
                 this.log(`\n💡Link to request details: ${chalk_1.default.underline(url)}`);
+                (0, displays_1.displayRequestAgain)(this, flags.id);
                 return;
             }
             case "RequestNotFoundError":
@@ -94,7 +42,7 @@ class GetRequest extends core_1.Command {
         }
     }
 }
-GetRequest.description = "Lists access requests";
+GetRequest.description = "Fetch details of an access request by request ID";
 GetRequest.flags = {
     help: flags_1.SHARED_FLAGS.help,
     id: flags_1.SHARED_FLAGS.id,

package/lib/commands/request/list.js

@@ -1,61 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const core_1 = require("@oclif/core");
-const graphql_1 = require("../../graphql");
 const apollo_1 = require("../../lib/apollo");
 const cmd_1 = require("../../lib/cmd");
 const flags_1 = require("../../lib/flags");
-const displays_1 = require("../../utils/displays");
-// Add date filters, search query,
-const GET_REQUESTS = (0, graphql_1.graphql)(`
-  query GetRequests($pageSize: Int, $showPendingOnly: Boolean!) {
-  requests(input: {
-    requestType: OUTGOING
-    maxNumEntries: $pageSize
-    filters: {
-      showPendingOnly: $showPendingOnly
-    }
-    }) {
-    __typename
-    ... on RequestsResult {
-      requestType
-      requests {
-        durationInMinutes
-        id
-        requester {
-          displayName
-        }
-        targetUser {
-          displayName
-        }
-        reason
-        requestedResources {
-          resource {
-            displayName
-            id
-          }
-          accessLevel {
-            accessLevelName
-            accessLevelRemoteId
-          }
-        }
-        requestedGroups {
-          group {
-            name
-            id
-          }
-          accessLevel {
-            accessLevelName
-            accessLevelRemoteId
-          }
-        }
-        status
-      }
-      
-    }
-  
-  }
-}`);
+const api_1 = require("../../lib/request/api");
+const displays_1 = require("../../lib/request/displays");
 class ListRequests extends core_1.Command {
     async run() {
         (0, cmd_1.setMostRecentCommand)(this);
@@ -69,14 +19,7 @@ class ListRequests extends core_1.Command {
         if (flags.showPendingOnly) {
             showPendingOnly = flags.showPendingOnly;
         }
-        const resp = await client.query({
-            query: GET_REQUESTS,
-            variables: {
-                pageSize: pageSize,
-                showPendingOnly: showPendingOnly,
-            },
-            fetchPolicy: "network-only", // to avoid caching
-        });
+        const resp = await (0, api_1.queryRequests)(client, pageSize, showPendingOnly);
         //TODO: Make this pretty
         if (flags.verbose) {
             (0, apollo_1.printResponse)(this, resp);