opal-security 4.0.3 → 4.1.0

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (--version)
-opal-security/4.0.3 darwin-arm64 node-v24.5.0
+opal-security/4.1.0 darwin-arm64 node-v18.20.5
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -36,6 +36,7 @@ USAGE
 * [`opal autocomplete [SHELL]`](#opal-autocomplete-shell)
 * [`opal aws identity`](#opal-aws-identity)
 * [`opal clear-auth-config`](#opal-clear-auth-config)
+* [`opal curl-example`](#opal-curl-example)
 * [`opal groups get`](#opal-groups-get)
 * [`opal help [COMMANDS]`](#opal-help-commands)
 * [`opal iam-roles start`](#opal-iam-roles-start)
@@ -105,7 +106,7 @@ EXAMPLES
   $ opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/aws/identity.ts)_
 
 ## `opal clear-auth-config`
 
@@ -122,7 +123,24 @@ EXAMPLES
   $ opal clear-auth-config
 ```
 
-_See code: [src/commands/clear-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/clear-auth-config.ts)_
+_See code: [src/commands/clear-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/clear-auth-config.ts)_
+
+## `opal curl-example`
+
+Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.
+
+```
+USAGE
+  $ opal curl-example [-h]
+
+FLAGS
+  -h, --help  Show CLI help.
+
+DESCRIPTION
+  Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.
+```
+
+_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/curl-example.ts)_
 
 ## `opal groups get`
 
@@ -143,7 +161,7 @@ EXAMPLES
   $ opal groups:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/groups/get.ts)_
+_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/groups/get.ts)_
 
 ## `opal help [COMMANDS]`
 
@@ -193,7 +211,7 @@ EXAMPLES
   $ opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles start`
 
@@ -224,7 +242,7 @@ EXAMPLES
   $ opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -247,7 +265,7 @@ EXAMPLES
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -267,7 +285,7 @@ EXAMPLES
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/logout.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/logout.ts)_
 
 ## `opal postgres-instances start`
 
@@ -305,7 +323,7 @@ EXAMPLES
   $ opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/postgres-instances/start.ts)_
 
 ## `opal request create`
 
@@ -331,7 +349,7 @@ DESCRIPTION
   Creates an Opal access request via an interactive form
 ```
 
-_See code: [src/commands/request/create.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/request/create.ts)_
+_See code: [src/commands/request/create.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/request/create.ts)_
 
 ## `opal request get`
 
@@ -355,7 +373,7 @@ EXAMPLES
   $ opal request get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4 --verbose
 ```
 
-_See code: [src/commands/request/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/request/get.ts)_
+_See code: [src/commands/request/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/request/get.ts)_
 
 ## `opal request list`
 
@@ -387,7 +405,7 @@ EXAMPLES
   $ opal request list --n 5 --pending --verbose
 ```
 
-_See code: [src/commands/request/list.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/request/list.ts)_
+_See code: [src/commands/request/list.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/request/list.ts)_
 
 ## `opal request ls`
 
@@ -438,7 +456,7 @@ EXAMPLES
   $ opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/resources/get.ts)_
 
 ## `opal set-auth-config`
 
@@ -468,7 +486,7 @@ EXAMPLES
   $ opal set-auth-config --organizationID=org-456 --clientID=abc123 --issuerUrl=https://auth.example.com
 ```
 
-_See code: [src/commands/set-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/set-auth-config.ts)_
+_See code: [src/commands/set-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/set-auth-config.ts)_
 
 ## `opal set-custom-header`
 
@@ -489,7 +507,7 @@ EXAMPLES
   $ opal set-custom-header --header 'cf-access-token: $TOKEN'
 ```
 
-_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/set-custom-header.ts)_
+_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/set-custom-header.ts)_
 
 ## `opal set-token`
 
@@ -509,7 +527,7 @@ EXAMPLES
   $ opal set-token
 ```
 
-_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/set-token.ts)_
+_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/set-token.ts)_
 
 ## `opal set-url [URL]`
 
@@ -533,7 +551,7 @@ EXAMPLES
   $ opal set-url
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/set-url.ts)_
 
 ## `opal ssh copyFrom`
 
@@ -564,7 +582,7 @@ EXAMPLES
   $ opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh copyTo`
 
@@ -595,7 +613,7 @@ EXAMPLES
   $ opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh start`
 
@@ -622,7 +640,7 @@ EXAMPLES
   $ opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/ssh/start.ts)_
 
 ## `opal version`
 
@@ -659,5 +677,5 @@ DESCRIPTION
   Describes current url set, organization name, and logged in user if applicable.
 ```
 
-_See code: [src/commands/whoami.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/whoami.ts)_
+_See code: [src/commands/whoami.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/whoami.ts)_
 <!-- commandsstop -->

package/build/commands/curl-example.d.ts

@@ -0,0 +1,8 @@
+import { Command } from "@oclif/core";
+export default class CurlExample extends Command {
+    static description: string;
+    static flags: {
+        help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
+    };
+    run(): Promise<void>;
+}

package/build/commands/curl-example.js

@@ -0,0 +1,35 @@
+import { Command } from "@oclif/core";
+import chalk from "chalk";
+import { getOrCreateConfigData, urlKey } from "../lib/config.js";
+import { SecretType, getOpalCredentials } from "../lib/credentials/index.js";
+import { SHARED_FLAGS } from "../lib/flags.js";
+class CurlExample extends Command {
+    async run() {
+        const opalCreds = await getOpalCredentials(this);
+        const secret = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.secret;
+        const organizationID = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.organizationID;
+        const configData = getOrCreateConfigData(this.config.configDir);
+        const url = configData[urlKey];
+        let authStr = "";
+        if (opalCreds.secretType === SecretType.ApiToken) {
+            authStr = `Authorization: Bearer ${secret}`;
+        }
+        else {
+            authStr = `Cookie: ${secret}`;
+        }
+        this.log(chalk.yellow(`WARN: This command will be removed in a future version of the Opal CLI. \n\
+      Opal's GraphQL API is not intended for developer use, please use our REST API instead`));
+        this.log(`
+curl -v ${url}/query \\
+  --data-binary '{"query":"query ListSSHSessions {resources(input: {serviceType: SSH, onlyMine: true}) {... on ResourcesResult { resources { name } } } }"}' \\
+  --header "Content-Type: application/json" \\
+  --header "${authStr}" \\
+  --header "X-Opal-Organization-ID: ${organizationID}"
+`);
+    }
+}
+CurlExample.description = "Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.";
+CurlExample.flags = {
+    help: SHARED_FLAGS.help,
+};
+export default CurlExample;

package/build/commands/login.js

@@ -19,7 +19,6 @@ const ISSUER_PROD = "https://auth.opal.dev";
 const ISSUER_DEV = "https://authdev.opal.dev";
 const CLIENT_ID_PROD = "42rm6E5v7o67LBpRfjdT9KhnjrQHr9UF";
 const CLIENT_ID_DEV = "XYV8qoAvZG7dHnhRp2g5XMJ1zX9fBP6s";
-const REDIRECT_URI = "http://127.0.0.1:8080/callback";
 const CLISignInMethodDocumentLegacy = `
 query CLISignInMethod($input: SignInMethodInput!) {
   signInMethod(input: $input) {
@@ -251,7 +250,7 @@ Verify this code in your browser
                     {
                         type: "input",
                         name: "continue",
-                        message: "Press Enter to open your browser and continue",
+                        message: "Press Enter to open your browser and continue\n",
                     },
                 ]);
                 this.log(`
@@ -271,12 +270,12 @@ If your browser doesn't automatically, go to:
                 }
             }
             else {
-                const serverPromise = startLocalServer();
+                const { port, urlPromise } = await startLocalServer();
                 const code_verifier = client.randomPKCECodeVerifier();
                 const code_challenge = await client.calculatePKCECodeChallenge(code_verifier);
                 const clientState = client.randomState();
                 const parameters = {
-                    redirect_uri: REDIRECT_URI,
+                    redirect_uri: `http://127.0.0.1:${port}/callback`,
                     scope,
                     code_challenge,
                     code_challenge_method: "S256",
@@ -300,18 +299,18 @@ To continue, please authorize this application in your browser.
                     {
                         type: "input",
                         name: "continue",
-                        message: "Press Enter to open your browser and continue",
+                        message: "Press Enter to open your browser and continue\n",
                     },
                 ]);
                 this.log(`
-If your browser doesn't automatically, go to: 
-          
+If your browser doesn't automatically, go to:
+
 ${redirectTo}
 `);
                 ux.action.start("Waiting for authorization");
                 try {
                     await open(redirectTo.toString(), { wait: false });
-                    const url = await serverPromise;
+                    const url = await urlPromise;
                     tokens = await client.authorizationCodeGrant(config, new URL(url), {
                         pkceCodeVerifier: code_verifier,
                         expectedState: clientState,

package/build/lib/local-auth-server.d.ts

@@ -1,5 +1,9 @@
 /**
- * Starts a local HTTP server on port 8080 to handle OAuth callback.
- * Returns a promise that resolves with the full callback URL when authentication succeeds.
+ * Starts a local HTTP server to handle OAuth callback.
+ * Tries ports in order: 49152, 49153, 49154
+ * Returns a promise that resolves with the actual port and a promise for the callback URL.
  */
-export declare function startLocalServer(): Promise<string>;
+export declare function startLocalServer(): Promise<{
+    port: number;
+    urlPromise: Promise<string>;
+}>;

package/build/lib/local-auth-server.js

@@ -1,14 +1,29 @@
 import * as http from "node:http";
 import { authErrorHtml, authMissingCodeHtml, authSuccessHtml, } from "./auth-success-template.js";
 /**
- * Starts a local HTTP server on port 8080 to handle OAuth callback.
- * Returns a promise that resolves with the full callback URL when authentication succeeds.
+ * Starts a local HTTP server to handle OAuth callback.
+ * Tries ports in order: 49152, 49153, 49154
+ * Returns a promise that resolves with the actual port and a promise for the callback URL.
  */
 export function startLocalServer() {
-    return new Promise((resolve, reject) => {
+    const portsToTry = [49152, 49153, 49154];
+    return tryPorts(portsToTry, 0);
+}
+function tryPorts(ports, index) {
+    if (index >= ports.length) {
+        return Promise.reject(new Error(`Failed to start server: all ports (${ports.join(", ")}) are occupied`));
+    }
+    const port = ports[index];
+    return new Promise((resolveServer, rejectServer) => {
+        let resolveUrl;
+        let rejectUrl;
+        const urlPromise = new Promise((resolve, reject) => {
+            resolveUrl = resolve;
+            rejectUrl = reject;
+        });
         const server = http.createServer(async (req, res) => {
             try {
-                const url = new URL(req.url || "", "http://127.0.0.1:8080");
+                const url = new URL(req.url || "", `http://127.0.0.1:${port}`);
                 if (url.pathname === "/callback") {
                     const error = url.searchParams.get("error");
                     if (error) {
@@ -16,17 +31,17 @@ export function startLocalServer() {
                         res.end(authErrorHtml(error));
                         server.closeAllConnections();
                         server.close(() => {
-                            reject(new Error(`Authentication failed: ${error}`));
+                            rejectUrl(new Error(`Authentication failed: ${error}`));
                         });
                         return;
                     }
                     if (req.url) {
                         res.writeHead(200, { "Content-Type": "text/html" });
                         res.end(authSuccessHtml);
-                        const fullUrl = `http://127.0.0.1:8080${req.url}`;
+                        const fullUrl = `http://127.0.0.1:${port}${req.url}`;
                         server.closeAllConnections();
                         server.close(() => {
-                            resolve(fullUrl);
+                            resolveUrl(fullUrl);
                         });
                     }
                     else {
@@ -34,7 +49,7 @@ export function startLocalServer() {
                         res.end(authMissingCodeHtml);
                         server.closeAllConnections();
                         server.close(() => {
-                            reject(new Error("Missing authorization code"));
+                            rejectUrl(new Error("Missing authorization code"));
                         });
                     }
                 }
@@ -48,21 +63,31 @@ export function startLocalServer() {
                 res.end();
                 server.closeAllConnections();
                 server.close(() => {
-                    reject(err);
+                    rejectUrl(err);
                 });
             }
         });
-        server.listen(8080, "127.0.0.1", () => {
-            console.log("Local server started on http://127.0.0.1:8080");
+        server.listen(port, "127.0.0.1", () => {
+            console.log(`Local server started on http://127.0.0.1:${port}`);
+            // Server successfully bound to port, resolve with port and urlPromise
+            resolveServer({ port, urlPromise });
         });
         server.on("error", (err) => {
-            reject(err);
+            // If port is occupied, try the next one
+            if (err.code === "EADDRINUSE") {
+                tryPorts(ports, index + 1)
+                    .then(resolveServer)
+                    .catch(rejectServer);
+            }
+            else {
+                rejectServer(err);
+            }
         });
         // Timeout after 5 minutes
         setTimeout(() => {
             server.closeAllConnections();
             server.close(() => {
-                reject(new Error("Authentication timeout"));
+                rejectUrl(new Error("Authentication timeout"));
             });
         }, 5 * 60 * 1000);
     });

package/oclif.manifest.json

@@ -23,6 +23,34 @@
         "clear-auth-config.js"
       ]
     },
+    "curl-example": {
+      "aliases": [],
+      "args": {},
+      "description": "Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.",
+      "flags": {
+        "help": {
+          "char": "h",
+          "description": "Show CLI help.",
+          "name": "help",
+          "allowNo": false,
+          "type": "boolean"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "curl-example",
+      "pluginAlias": "opal-security",
+      "pluginName": "opal-security",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": false,
+      "isESM": true,
+      "relativePath": [
+        "build",
+        "commands",
+        "curl-example.js"
+      ]
+    },
     "login": {
       "aliases": [],
       "args": {},
@@ -1026,5 +1054,5 @@
       ]
     }
   },
-  "version": "4.0.3"
+  "version": "4.1.0"
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opal-security",
   "description": "Opal allows you to centrally manage access to all of your sensitive systems.",
-  "version": "4.0.3",
+  "version": "4.1.0",
   "type": "module",
   "author": "Opal Security",
   "bin": {
@@ -62,7 +62,7 @@
     "vitest": "^3.1.1"
   },
   "engines": {
-    "node": ">=24.0.0"
+    "node": ">=18.0.0"
   },
   "files": [
     "/bin",