opal-security 4.0.4 → 5.0.0

package/build/lib/sessions.js

@@ -1,11 +1,9 @@
-import { ux } from "@oclif/core";
-import inquirer from "inquirer";
 import moment from "moment";
-import open from "open";
-import { runMutation, runQueryDeprecated } from "../handler.js";
+import { OidcProviderType } from "../graphql/graphql.js";
+import { runMutation } from "../handler.js";
 import { handleError } from "./apollo.js";
-import { getOrCreateConfigData, urlKey } from "./config.js";
-import { sleep } from "./util.js";
+import { waitForMfa } from "./mfa.js";
+import { waitForValidOidcToken } from "./oidc.js";
 const CreateSessionDocument = `
 mutation CreateSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
   createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
@@ -16,9 +14,9 @@ mutation CreateSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!
         accessLevelRemoteId
         createdAt
         endTime
-        metadata {
-          METADATA_FRAGMENT
-        }
+      }
+      sessionMetadata {
+        METADATA_FRAGMENT
       }
     }
     ... on SessionNotFoundError {
@@ -39,113 +37,8 @@ mutation CreateSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!
   }
 }
 `;
-const ListSessionsDocument = `
-query ListSessions($id: ResourceId!) {
-  sessions(input: {resourceId: $id}) {
-    __typename
-    ... on SessionsResult {
-      sessions {
-        id
-        accessLevelRemoteId
-        createdAt
-        endTime
-        metadata {
-          METADATA_FRAGMENT
-        }
-      }
-    }
-  }
-}
-`;
-const getSession = async (command, resourceId, accessLevelRemoteId, sessionId, metadataFragment, minCreatedAt) => {
-    const { resp, error } = await runQueryDeprecated({
-        command: command,
-        query: ListSessionsDocument.replace("METADATA_FRAGMENT", metadataFragment),
-        variables: {
-            id: resourceId,
-        },
-    });
-    if (error) {
-        return handleError(command, error);
-    }
-    switch (resp === null || resp === void 0 ? void 0 : resp.data.sessions.__typename) {
-        case "SessionsResult": {
-            const sessions = resp.data.sessions.sessions;
-            // biome-ignore lint/suspicious/noImplicitAnyLet: please fix how we do queries in this cli
-            let selectedSession;
-            for (const session of sessions) {
-                if (sessionId && session.id !== sessionId) {
-                    continue;
-                }
-                if (session.accessLevelRemoteId !== accessLevelRemoteId) {
-                    continue;
-                }
-                if (minCreatedAt && moment(session.createdAt).diff(minCreatedAt) < 0) {
-                    // This lets us wait until we get a session that's newly created
-                    continue;
-                }
-                if (!selectedSession ||
-                    moment(session.endTime).diff(selectedSession.endTime) > 0) {
-                    // Select the session with the latest end time
-                    selectedSession = session;
-                }
-            }
-            return selectedSession;
-        }
-        default:
-            return handleError(command, error, resp);
-    }
-};
-const openBrowserAndPollForSession = async (command, authenticationType, resourceId, accessLevelRemoteId, sessionId, metadataFragment, wantNewSession) => {
-    let minCreatedAt;
-    if (wantNewSession) {
-        // Ensure we poll for a new session rather than get an existing one.
-        minCreatedAt = moment();
-    }
-    const configData = getOrCreateConfigData(command.config.configDir);
-    const urlPrefix = configData[urlKey];
-    const url = `${urlPrefix}/resources/${resourceId}?showModal=true&refresh=true`;
-    command.log(`
-🔐 ${authenticationType} Required
-
-To continue, authenicate in your browser:
-
-⚠️  Security Check:
-  • Verify the URL is exactly: ${url}
-  • Never enter this code on any other website
-`);
-    await inquirer.prompt([
-        {
-            type: "input",
-            name: "continue",
-            message: "Press Enter to open your browser and continue",
-        },
-    ]);
-    open(url);
-    ux.action.start("Waiting for session approval");
-    const timeoutMs = 5 * 60 * 1000; // 5 minutes
-    const startTime = Date.now();
-    // biome-ignore lint/suspicious/noImplicitAnyLet: please fix typing for queries
-    let session;
-    try {
-        while (!session) {
-            if (Date.now() - startTime > timeoutMs) {
-                ux.action.stop("✗ Timed out");
-                throw new Error(`Timed out waiting for session after ${timeoutMs / 1000} seconds. Please ensure you've approved the access request in your browser.`);
-            }
-            await sleep(2000);
-            session = await getSession(command, resourceId, accessLevelRemoteId, sessionId, metadataFragment, minCreatedAt);
-        }
-        ux.action.stop("✓ Session approved");
-    }
-    catch (error) {
-        ux.action.stop("✗ Failed");
-        throw error;
-    }
-    return session;
-};
-const createSession = async (command, resourceId, accessLevel, sessionId, metadataFragment, wantNewSession) => {
-    var _a, _b, _c, _d;
+export const createSession = async (command, resourceId, accessLevel, sessionId, metadataFragment) => {
+    var _a, _b, _c;
     const { resp, error } = await runMutation({
         command: command,
         query: CreateSessionDocument.replace("METADATA_FRAGMENT", metadataFragment),
@@ -160,32 +53,20 @@ const createSession = async (command, resourceId, accessLevel, sessionId, metada
     }
     switch ((_b = (_a = resp === null || resp === void 0 ? void 0 : resp.data) === null || _a === void 0 ? void 0 : _a.createSession) === null || _b === void 0 ? void 0 : _b.__typename) {
         case "CreateSessionResult": {
-            return (_d = (_c = resp.data) === null || _c === void 0 ? void 0 : _c.createSession) === null || _d === void 0 ? void 0 : _d.session;
+            return (_c = resp.data) === null || _c === void 0 ? void 0 : _c.createSession;
         }
         case "MfaInvalidError": {
-            return openBrowserAndPollForSession(command, "MFA Validation", resourceId, accessLevel.accessLevelRemoteId, sessionId, metadataFragment, wantNewSession);
+            await waitForMfa(command);
+            return createSession(command, resourceId, accessLevel, sessionId, metadataFragment);
         }
         case "OidcIDTokenNotFoundError": {
-            return openBrowserAndPollForSession(command, "OIDC Authenication", resourceId, accessLevel.accessLevelRemoteId, sessionId, metadataFragment, wantNewSession);
+            await waitForValidOidcToken(command, OidcProviderType.AwsSession);
+            return createSession(command, resourceId, accessLevel, sessionId, metadataFragment);
         }
         default:
             return handleError(command, error, resp);
     }
 };
-export const getOrCreateSession = async (command, resourceId, accessLevel, sessionId, metadataFragment, wantNewSession) => {
-    if (!wantNewSession) {
-        // Use existing session if it exists
-        const existingSession = await getSession(command, resourceId, accessLevel.accessLevelRemoteId, sessionId, metadataFragment);
-        if (existingSession) {
-            return existingSession;
-        }
-    }
-    if (sessionId) {
-        return handleError(command, `Session not found for given id: ${sessionId}`);
-    }
-    // Create new session
-    return createSession(command, resourceId, accessLevel, sessionId, metadataFragment, wantNewSession);
-};
 export const getSessionExpirationMessage = (session) => {
     const diff = moment(session.endTime).diff(moment(), "minutes");
     const hours = Math.floor(diff / 60);

package/oclif.manifest.json

@@ -23,6 +23,34 @@
         "clear-auth-config.js"
       ]
     },
+    "curl-example": {
+      "aliases": [],
+      "args": {},
+      "description": "Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.",
+      "flags": {
+        "help": {
+          "char": "h",
+          "description": "Show CLI help.",
+          "name": "help",
+          "allowNo": false,
+          "type": "boolean"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "curl-example",
+      "pluginAlias": "opal-security",
+      "pluginName": "opal-security",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": false,
+      "isESM": true,
+      "relativePath": [
+        "build",
+        "commands",
+        "curl-example.js"
+      ]
+    },
     "login": {
       "aliases": [],
       "args": {},
@@ -420,21 +448,6 @@
           "multiple": false,
           "type": "option"
         },
-        "sessionId": {
-          "char": "s",
-          "description": "The Opal ID of the session to connect to. Uses an existing session that was created via the web flow.",
-          "name": "sessionId",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
-        },
-        "refresh": {
-          "char": "r",
-          "description": "Starts a new session even if one already exists. Useful if a session is about to expire.",
-          "name": "refresh",
-          "allowNo": false,
-          "type": "boolean"
-        },
         "profileName": {
           "description": "Uses a custom AWS profile name for the IAM role. Default value is the role's name.",
           "name": "profileName",
@@ -491,21 +504,6 @@
           "hasDynamicHelp": false,
           "multiple": false,
           "type": "option"
-        },
-        "sessionId": {
-          "char": "s",
-          "description": "The Opal ID of the session to connect to. Uses an existing session that was created via the web flow.",
-          "name": "sessionId",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
-        },
-        "refresh": {
-          "char": "r",
-          "description": "Starts a new session even if one already exists. Useful if a session is about to expire.",
-          "name": "refresh",
-          "allowNo": false,
-          "type": "boolean"
         }
       },
       "hasDynamicHelp": false,
@@ -558,21 +556,6 @@
           "multiple": false,
           "type": "option"
         },
-        "sessionId": {
-          "char": "s",
-          "description": "The Opal ID of the session to connect to. Uses an existing session that was created via the web flow.",
-          "name": "sessionId",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
-        },
-        "refresh": {
-          "char": "r",
-          "description": "Starts a new session even if one already exists. Useful if a session is about to expire.",
-          "name": "refresh",
-          "allowNo": false,
-          "type": "boolean"
-        },
         "action": {
           "description": "Method of connecting to the database.\n- open: Open external database app\n- psql: Start psql session in shell\n- view: View connection configuration details",
           "name": "action",
@@ -868,14 +851,6 @@
           "hasDynamicHelp": false,
           "multiple": false,
           "type": "option"
-        },
-        "sessionId": {
-          "char": "s",
-          "description": "The Opal ID of the session to connect to. Uses an existing session that was created via the web flow.",
-          "name": "sessionId",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
         }
       },
       "hasDynamicHelp": false,
@@ -943,14 +918,6 @@
           "hasDynamicHelp": false,
           "multiple": false,
           "type": "option"
-        },
-        "sessionId": {
-          "char": "s",
-          "description": "The Opal ID of the session to connect to. Uses an existing session that was created via the web flow.",
-          "name": "sessionId",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
         }
       },
       "hasDynamicHelp": false,
@@ -992,21 +959,6 @@
           "hasDynamicHelp": false,
           "multiple": false,
           "type": "option"
-        },
-        "sessionId": {
-          "char": "s",
-          "description": "The Opal ID of the session to connect to. Uses an existing session that was created via the web flow.",
-          "name": "sessionId",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
-        },
-        "refresh": {
-          "char": "r",
-          "description": "Starts a new session even if one already exists. Useful if a session is about to expire.",
-          "name": "refresh",
-          "allowNo": false,
-          "type": "boolean"
         }
       },
       "hasDynamicHelp": false,
@@ -1026,5 +978,5 @@
       ]
     }
   },
-  "version": "4.0.4"
+  "version": "5.0.0"
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opal-security",
   "description": "Opal allows you to centrally manage access to all of your sensitive systems.",
-  "version": "4.0.4",
+  "version": "5.0.0",
   "type": "module",
   "author": "Opal Security",
   "bin": {
@@ -72,7 +72,9 @@
     "/scripts"
   ],
   "homepage": "https://github.com/opalsecurity/opal-cli/",
-  "keywords": ["oclif"],
+  "keywords": [
+    "oclif"
+  ],
   "license": "MIT",
   "main": "build/index.js",
   "oclif": {