opal-security 4.1.0 → 5.0.1

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (--version)
-opal-security/4.1.0 darwin-arm64 node-v18.20.5
+opal-security/5.0.1 darwin-arm64 node-v22.21.1
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -68,7 +68,7 @@ USAGE
   $ opal autocomplete [SHELL] [-r]
 
 ARGUMENTS
-  SHELL  shell type
+  [SHELL]  shell type
 
 FLAGS
   -r, --refresh-cache  Refresh cache (ignores displaying instructions)
@@ -106,7 +106,7 @@ EXAMPLES
   $ opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/aws/identity.ts)_
 
 ## `opal clear-auth-config`
 
@@ -123,7 +123,7 @@ EXAMPLES
   $ opal clear-auth-config
 ```
 
-_See code: [src/commands/clear-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/clear-auth-config.ts)_
+_See code: [src/commands/clear-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/clear-auth-config.ts)_
 
 ## `opal curl-example`
 
@@ -140,7 +140,7 @@ DESCRIPTION
   Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.
 ```
 
-_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/curl-example.ts)_
+_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/curl-example.ts)_
 
 ## `opal groups get`
 
@@ -161,7 +161,7 @@ EXAMPLES
   $ opal groups:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/groups/get.ts)_
+_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/groups/get.ts)_
 
 ## `opal help [COMMANDS]`
 
@@ -172,7 +172,7 @@ USAGE
   $ opal help [COMMANDS...] [-n]
 
 ARGUMENTS
-  COMMANDS...  Command to show help for.
+  [COMMANDS...]  Command to show help for.
 
 FLAGS
   -n, --nested-commands  Include all nested commands in the output.
@@ -189,15 +189,12 @@ Starts a session to assume an IAM role.
 
 ```
 USAGE
-  $ opal iam-roles start [-h] [-i <value>] [-s <value>] [-r] [--profileName <value>]
+  $ opal iam-roles start [-h] [-i <value>] [--profileName <value>]
 
 FLAGS
   -h, --help                 Show CLI help.
   -i, --id=<value>           The Opal ID of the asset. You can find this from the URL, e.g.
                              https://opal.dev/resources/[ID]
-  -r, --refresh              Starts a new session even if one already exists. Useful if a session is about to expire.
-  -s, --sessionId=<value>    The Opal ID of the session to connect to. Uses an existing session that was created via the
-                             web flow.
       --profileName=<value>  Uses a custom AWS profile name for the IAM role. Default value is the role's name.
 
 DESCRIPTION
@@ -211,7 +208,7 @@ EXAMPLES
   $ opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles start`
 
@@ -219,17 +216,13 @@ Starts a session to assume a Kubernetes cluster IAM role.
 
 ```
 USAGE
-  $ opal kube-roles start [-h] [-i <value>] [-a <value>] [-s <value>] [-r]
+  $ opal kube-roles start [-h] [-i <value>] [-a <value>]
 
 FLAGS
   -a, --accessLevelRemoteId=<value>  The remote ID of the access level with which to access the resource.
   -h, --help                         Show CLI help.
   -i, --id=<value>                   The Opal ID of the asset. You can find this from the URL, e.g.
                                      https://opal.dev/resources/[ID]
-  -r, --refresh                      Starts a new session even if one already exists. Useful if a session is about to
-                                     expire.
-  -s, --sessionId=<value>            The Opal ID of the session to connect to. Uses an existing session that was created
-                                     via the web flow.
 
 DESCRIPTION
   Starts a session to assume a Kubernetes cluster IAM role.
@@ -242,7 +235,7 @@ EXAMPLES
   $ opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -265,7 +258,7 @@ EXAMPLES
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -285,7 +278,7 @@ EXAMPLES
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/logout.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/logout.ts)_
 
 ## `opal postgres-instances start`
 
@@ -293,17 +286,13 @@ Starts a session to connect to a Postgres database.
 
 ```
 USAGE
-  $ opal postgres-instances start [-h] [-i <value>] [-a <value>] [-s <value>] [-r] [--action open|psql|view]
+  $ opal postgres-instances start [-h] [-i <value>] [-a <value>] [--action open|psql|view]
 
 FLAGS
   -a, --accessLevelRemoteId=<value>  The remote ID of the access level with which to access the resource.
   -h, --help                         Show CLI help.
   -i, --id=<value>                   The Opal ID of the asset. You can find this from the URL, e.g.
                                      https://opal.dev/resources/[ID]
-  -r, --refresh                      Starts a new session even if one already exists. Useful if a session is about to
-                                     expire.
-  -s, --sessionId=<value>            The Opal ID of the session to connect to. Uses an existing session that was created
-                                     via the web flow.
       --action=<option>              Method of connecting to the database.
                                      - open: Open external database app
                                      - psql: Start psql session in shell
@@ -323,7 +312,7 @@ EXAMPLES
   $ opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/postgres-instances/start.ts)_
 
 ## `opal request create`
 
@@ -349,7 +338,7 @@ DESCRIPTION
   Creates an Opal access request via an interactive form
 ```
 
-_See code: [src/commands/request/create.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/request/create.ts)_
+_See code: [src/commands/request/create.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/request/create.ts)_
 
 ## `opal request get`
 
@@ -373,7 +362,7 @@ EXAMPLES
   $ opal request get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4 --verbose
 ```
 
-_See code: [src/commands/request/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/request/get.ts)_
+_See code: [src/commands/request/get.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/request/get.ts)_
 
 ## `opal request list`
 
@@ -405,7 +394,7 @@ EXAMPLES
   $ opal request list --n 5 --pending --verbose
 ```
 
-_See code: [src/commands/request/list.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/request/list.ts)_
+_See code: [src/commands/request/list.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/request/list.ts)_
 
 ## `opal request ls`
 
@@ -456,7 +445,7 @@ EXAMPLES
   $ opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/resources/get.ts)_
 
 ## `opal set-auth-config`
 
@@ -486,7 +475,7 @@ EXAMPLES
   $ opal set-auth-config --organizationID=org-456 --clientID=abc123 --issuerUrl=https://auth.example.com
 ```
 
-_See code: [src/commands/set-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/set-auth-config.ts)_
+_See code: [src/commands/set-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/set-auth-config.ts)_
 
 ## `opal set-custom-header`
 
@@ -507,7 +496,7 @@ EXAMPLES
   $ opal set-custom-header --header 'cf-access-token: $TOKEN'
 ```
 
-_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/set-custom-header.ts)_
+_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/set-custom-header.ts)_
 
 ## `opal set-token`
 
@@ -527,7 +516,7 @@ EXAMPLES
   $ opal set-token
 ```
 
-_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/set-token.ts)_
+_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/set-token.ts)_
 
 ## `opal set-url [URL]`
 
@@ -538,7 +527,7 @@ USAGE
   $ opal set-url [URL] [-h] [--allowSelfSignedCerts]
 
 ARGUMENTS
-  URL  URL of the Opal server to use. If unspecified, defaults to https://app.opal.dev
+  [URL]  URL of the Opal server to use. If unspecified, defaults to https://app.opal.dev
 
 FLAGS
   -h, --help                  Show CLI help.
@@ -551,7 +540,7 @@ EXAMPLES
   $ opal set-url
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/set-url.ts)_
 
 ## `opal ssh copyFrom`
 
@@ -559,19 +548,16 @@ Use SCP to copy files from a compute instance.
 
 ```
 USAGE
-  $ opal ssh copyFrom --src <value> [-h] [--dest <value>] [--user <value>] [-i <value>] [-s <value>]
+  $ opal ssh copyFrom --src <value> [-h] [--dest <value>] [--user <value>] [-i <value>]
 
 FLAGS
-  -h, --help               Show CLI help.
-  -i, --id=<value>         The Opal ID of the asset. You can find this from the URL, e.g.
-                           https://opal.dev/resources/[ID]
-  -s, --sessionId=<value>  The Opal ID of the session to connect to. Uses an existing session that was created via the
-                           web flow.
-      --dest=<value>       [default: .] The directory you want your files to be copied to.
-      --src=<value>        (required) The directory or file you would like to copy over SCP. Note we only support one
-                           file or directory at a time.
-      --user=<value>       [default: ssm-user] The user you want to run SCP over. Keep in mind not all users will have
-                           access to each other's home directory.
+  -h, --help          Show CLI help.
+  -i, --id=<value>    The Opal ID of the asset. You can find this from the URL, e.g. https://opal.dev/resources/[ID]
+      --dest=<value>  [default: .] The directory you want your files to be copied to.
+      --src=<value>   (required) The directory or file you would like to copy over SCP. Note we only support one file or
+                      directory at a time.
+      --user=<value>  [default: ssm-user] The user you want to run SCP over. Keep in mind not all users will have access
+                      to each other's home directory.
 
 DESCRIPTION
   Use SCP to copy files from a compute instance.
@@ -582,7 +568,7 @@ EXAMPLES
   $ opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh copyTo`
 
@@ -590,19 +576,16 @@ Use SCP to copy files to a compute instance.
 
 ```
 USAGE
-  $ opal ssh copyTo --src <value> [-h] [--dest <value>] [--user <value>] [-i <value>] [-s <value>]
+  $ opal ssh copyTo --src <value> [-h] [--dest <value>] [--user <value>] [-i <value>]
 
 FLAGS
-  -h, --help               Show CLI help.
-  -i, --id=<value>         The Opal ID of the asset. You can find this from the URL, e.g.
-                           https://opal.dev/resources/[ID]
-  -s, --sessionId=<value>  The Opal ID of the session to connect to. Uses an existing session that was created via the
-                           web flow.
-      --dest=<value>       [default: .] The directory you want your files to be copied to.
-      --src=<value>        (required) The directory or file you would like to copy over SCP. Note we only support one
-                           file or directory at a time.
-      --user=<value>       [default: ssm-user] The user you want to run SCP over. Keep in mind not all users will have
-                           access to each other's home directory.
+  -h, --help          Show CLI help.
+  -i, --id=<value>    The Opal ID of the asset. You can find this from the URL, e.g. https://opal.dev/resources/[ID]
+      --dest=<value>  [default: .] The directory you want your files to be copied to.
+      --src=<value>   (required) The directory or file you would like to copy over SCP. Note we only support one file or
+                      directory at a time.
+      --user=<value>  [default: ssm-user] The user you want to run SCP over. Keep in mind not all users will have access
+                      to each other's home directory.
 
 DESCRIPTION
   Use SCP to copy files to a compute instance.
@@ -613,7 +596,7 @@ EXAMPLES
   $ opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh start`
 
@@ -621,15 +604,11 @@ Starts an SSH session to access a compute instance.
 
 ```
 USAGE
-  $ opal ssh start [-h] [-i <value>] [-s <value>] [-r]
+  $ opal ssh start [-h] [-i <value>]
 
 FLAGS
-  -h, --help               Show CLI help.
-  -i, --id=<value>         The Opal ID of the asset. You can find this from the URL, e.g.
-                           https://opal.dev/resources/[ID]
-  -r, --refresh            Starts a new session even if one already exists. Useful if a session is about to expire.
-  -s, --sessionId=<value>  The Opal ID of the session to connect to. Uses an existing session that was created via the
-                           web flow.
+  -h, --help        Show CLI help.
+  -i, --id=<value>  The Opal ID of the asset. You can find this from the URL, e.g. https://opal.dev/resources/[ID]
 
 DESCRIPTION
   Starts an SSH session to access a compute instance.
@@ -640,7 +619,7 @@ EXAMPLES
   $ opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/ssh/start.ts)_
 
 ## `opal version`
 
@@ -677,5 +656,5 @@ DESCRIPTION
   Describes current url set, organization name, and logged in user if applicable.
 ```
 
-_See code: [src/commands/whoami.ts](https://github.com/opalsecurity/opal-cli/blob/v4.1.0/src/commands/whoami.ts)_
+_See code: [src/commands/whoami.ts](https://github.com/opalsecurity/opal-cli/blob/v5.0.1/src/commands/whoami.ts)_
 <!-- commandsstop -->

package/build/commands/iam-roles/start.d.ts

@@ -5,8 +5,6 @@ export default class StartIAMRoleSession extends Command {
     static flags: {
         help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
         id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
         profileName: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
     };
     run(): Promise<void>;

package/build/commands/iam-roles/start.js

@@ -6,7 +6,7 @@ import { getAwsConfigUpdateCmd, getAwsEnvVarMessage } from "../../lib/aws.js";
 import { runCommandExec, setMostRecentCommand } from "../../lib/cmd.js";
 import { SHARED_FLAGS } from "../../lib/flags.js";
 import { DEFAULT_ACCESS_LEVEL, promptUserForResource, } from "../../lib/resources.js";
-import { getOrCreateSession, getSessionExpirationMessage, } from "../../lib/sessions.js";
+import { createSession, getSessionExpirationMessage } from "../../lib/sessions.js";
 const IamSessionMetadataFragment = `
 ... on AwsIamFederatedRoleSession {
   awsAccessKeyId
@@ -52,22 +52,22 @@ class StartIAMRoleSession extends Command {
         if (flags.profileName && flags.profileName !== "") {
             roleName = flags.profileName;
         }
-        const session = await getOrCreateSession(this, roleId, DEFAULT_ACCESS_LEVEL, sessionId, IamSessionMetadataFragment, flags.refresh);
+        const session = await createSession(this, roleId, DEFAULT_ACCESS_LEVEL, sessionId, IamSessionMetadataFragment);
         if (!session) {
             return;
         }
-        const metadata = session.metadata;
+        const metadata = session.sessionMetadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
             case "AwsIamFederatedRoleSession": {
                 const updateAwsConfigCommand = getAwsConfigUpdateCmd(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
                 const startSessionCmd = `${updateAwsConfigCommand}`;
                 const roleText = roleName ? `"${roleName}" role` : "role";
-                const expirationMessage = getSessionExpirationMessage(session);
+                const expirationMessage = getSessionExpirationMessage(session.session);
                 runCommandExec(startSessionCmd, `Now set to use ${roleText}. (session expires in ${expirationMessage})${getAwsEnvVarMessage()}`, `Failed to use ${roleText}.`);
                 break;
             }
             default:
-                return handleError(this, undefined, session);
+                return handleError(this, undefined);
         }
     }
 }
@@ -80,8 +80,6 @@ StartIAMRoleSession.examples = [
 StartIAMRoleSession.flags = {
     help: SHARED_FLAGS.help,
     id: SHARED_FLAGS.id,
-    sessionId: SHARED_FLAGS.sessionId,
-    refresh: SHARED_FLAGS.refresh,
     profileName: Flags.string({
         multiple: false,
         description: "Uses a custom AWS profile name for the IAM role. Default value is the role's name.",

package/build/commands/kube-roles/start.d.ts

@@ -6,8 +6,6 @@ export default class StartKubeIAMRoleSession extends Command {
         help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
         id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
         accessLevelRemoteId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
     };
     run(): Promise<void>;
 }

package/build/commands/kube-roles/start.js

@@ -4,7 +4,7 @@ import { getAwsConfigUpdateCmd, getAwsEnvVarMessage } from "../../lib/aws.js";
 import { runCommandExec, setMostRecentCommand } from "../../lib/cmd.js";
 import { SHARED_FLAGS } from "../../lib/flags.js";
 import { promptUserForAccessLevels, promptUserForResource, } from "../../lib/resources.js";
-import { getOrCreateSession, getSessionExpirationMessage, } from "../../lib/sessions.js";
+import { createSession, getSessionExpirationMessage } from "../../lib/sessions.js";
 const EksSessionMetadataFragment = `
 ... on AwsIamFederatedEksSession {
   awsAccessKeyId
@@ -34,11 +34,11 @@ class StartKubeIAMRoleSession extends Command {
         if (!accessLevel) {
             return;
         }
-        const session = await getOrCreateSession(this, clusterId, accessLevel, sessionId, EksSessionMetadataFragment, flags.refresh);
+        const session = await createSession(this, clusterId, accessLevel, sessionId, EksSessionMetadataFragment);
         if (!session) {
             return;
         }
-        const metadata = session.metadata;
+        const metadata = session.sessionMetadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
             case "AwsIamFederatedEksSession": {
                 const roleName = accessLevel.accessLevelName;
@@ -46,12 +46,12 @@ class StartKubeIAMRoleSession extends Command {
                 const updateKubeConfigCmd = `aws eks update-kubeconfig --name ${metadata.clusterName} --region ${metadata.clusterRegion} --alias ${metadata.clusterName} --profile opal`;
                 const startSessionCmd = `${updateAwsConfigCommand} && ${updateKubeConfigCmd}`;
                 const roleText = roleName ? `"${roleName}" role` : "role";
-                const expirationMessage = getSessionExpirationMessage(session);
+                const expirationMessage = getSessionExpirationMessage(session.session);
                 runCommandExec(startSessionCmd, `Now set to use ${roleText} with updated Kube config pointing to "${metadata.clusterName}" cluster. (session expires in ${expirationMessage})${getAwsEnvVarMessage()}`, `Failed to assume ${roleText} and update Kube config.`);
                 break;
             }
             default:
-                return handleError(this, undefined, session);
+                return handleError(this, undefined);
         }
     }
 }
@@ -65,7 +65,5 @@ StartKubeIAMRoleSession.flags = {
     help: SHARED_FLAGS.help,
     id: SHARED_FLAGS.id,
     accessLevelRemoteId: SHARED_FLAGS.accessLevelRemoteId,
-    sessionId: SHARED_FLAGS.sessionId,
-    refresh: SHARED_FLAGS.refresh,
 };
 export default StartKubeIAMRoleSession;

package/build/commands/login.js

@@ -11,6 +11,7 @@ if (!globalThis.crypto) {
 import chalk from "chalk";
 import { runMutation, runQueryDeprecated } from "../handler.js";
 import { cookieStr, handleError, initClient } from "../lib/apollo.js";
+import { clearPendingCommandAfterAuth, pendingCommandAfterAuth, } from "../lib/cmd.js";
 import { getOrCreateConfigData, isProduction, urlKey } from "../lib/config.js";
 import { SecretType, getOpalCredentials, removeAuthSecret, setOpalCredentials, } from "../lib/credentials/index.js";
 import { SHARED_FLAGS } from "../lib/flags.js";
@@ -83,7 +84,7 @@ mutation CLITokenExchange($input: CLITokenExchangeInput!) {
 `;
 class Login extends Command {
     async run() {
-        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o;
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p;
         try {
             await initClient(this, false);
             const { flags } = await this.parse(Login);
@@ -93,7 +94,7 @@ class Login extends Command {
             let email = flags.email;
             let organizationId = existingCreds.organizationID;
             let organizationName;
-            let clientIDCandidate = (_a = existingCreds.clientID) !== null && _a !== void 0 ? _a : configData.creds.clientIDCandidate; // configData.creds.clientIDCandidate is pre-4.0, load from here for backwards-compat
+            let clientIDCandidate = (_a = existingCreds.clientID) !== null && _a !== void 0 ? _a : (_b = configData === null || configData === void 0 ? void 0 : configData.creds) === null || _b === void 0 ? void 0 : _b.clientIDCandidate; // configData.creds.clientIDCandidate is pre-4.0, load from here for backwards-compat
             const useDeviceCodeFlow = flags["device-code"];
             // If user starts a new login, remove their existing auth cookie / API token
             await removeAuthSecret(this);
@@ -144,11 +145,11 @@ class Login extends Command {
                         return handleError(this, "Could not connect to Opal. Did you set the right URL? (`opal set-url --help`)");
                     }
                 }
-                const signInOrganizations = ((_c = (_b = signInOrganizationsResponse === null || signInOrganizationsResponse === void 0 ? void 0 : signInOrganizationsResponse.data) === null || _b === void 0 ? void 0 : _b.signInMethod) === null || _c === void 0 ? void 0 : _c.__typename) ===
+                const signInOrganizations = ((_d = (_c = signInOrganizationsResponse === null || signInOrganizationsResponse === void 0 ? void 0 : signInOrganizationsResponse.data) === null || _c === void 0 ? void 0 : _c.signInMethod) === null || _d === void 0 ? void 0 : _d.__typename) ===
                     "SignInMethodResult"
                     ? signInOrganizationsResponse.data.signInMethod.signInOrganizations
-                    : ((_e = (_d = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data) === null || _d === void 0 ? void 0 : _d.signInMethod) === null || _e === void 0 ? void 0 : _e.__typename) === "SignInMethodResult"
-                        ? (_f = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data.signInMethod) === null || _f === void 0 ? void 0 : _f.signInOrganizations
+                    : ((_f = (_e = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data) === null || _e === void 0 ? void 0 : _e.signInMethod) === null || _f === void 0 ? void 0 : _f.__typename) === "SignInMethodResult"
+                        ? (_g = signInOrganizationsLegacyResponse === null || signInOrganizationsLegacyResponse === void 0 ? void 0 : signInOrganizationsLegacyResponse.data.signInMethod) === null || _g === void 0 ? void 0 : _g.signInOrganizations
                         : undefined;
                 if (signInOrganizations && signInOrganizations.length > 0) {
                     if (signInOrganizations.length === 1) {
@@ -191,7 +192,7 @@ class Login extends Command {
                     input: { organizationId },
                 },
             });
-            const signInRespState = (_h = (_g = signInResp === null || signInResp === void 0 ? void 0 : signInResp.data) === null || _g === void 0 ? void 0 : _g.signIn) === null || _h === void 0 ? void 0 : _h.state;
+            const signInRespState = (_j = (_h = signInResp === null || signInResp === void 0 ? void 0 : signInResp.data) === null || _h === void 0 ? void 0 : _h.signIn) === null || _j === void 0 ? void 0 : _j.state;
             let server; // Authorization Server's Issuer Identifier
             let clientId; // Client identifier at the Authorization Server
             let isAuth0Issuer = true;
@@ -220,7 +221,7 @@ class Login extends Command {
             // This scope is evaluated in Auth0 "MFA Rule" Action to skip or enabled MFA
             let scope = "openid email profile";
             // This extra scope is only supported in Auth0, so if the user has a custom issuer, we omit it
-            if (!((_k = (_j = signInResp === null || signInResp === void 0 ? void 0 : signInResp.data) === null || _j === void 0 ? void 0 : _j.signIn) === null || _k === void 0 ? void 0 : _k.forceExtraStep) && isAuth0Issuer) {
+            if (!((_l = (_k = signInResp === null || signInResp === void 0 ? void 0 : signInResp.data) === null || _k === void 0 ? void 0 : _k.signIn) === null || _l === void 0 ? void 0 : _l.forceExtraStep) && isAuth0Issuer) {
                 scope += " mfa:skip";
             }
             let tokens;
@@ -347,12 +348,21 @@ ${redirectTo}
                 variables: {},
             });
             if (authCheckErr ||
-                !((_o = (_m = (_l = authCheckResp === null || authCheckResp === void 0 ? void 0 : authCheckResp.data) === null || _l === void 0 ? void 0 : _l.organizationSettings) === null || _m === void 0 ? void 0 : _m.settings) === null || _o === void 0 ? void 0 : _o.id)) {
+                !((_p = (_o = (_m = authCheckResp === null || authCheckResp === void 0 ? void 0 : authCheckResp.data) === null || _m === void 0 ? void 0 : _m.organizationSettings) === null || _o === void 0 ? void 0 : _o.settings) === null || _p === void 0 ? void 0 : _p.id)) {
                 this.log("Error verifying log in. Authenticated commands may fail. Please double check your URL and use `opal logout; opal login` to try again.\n");
                 await removeAuthSecret(this);
                 process.exit(1);
             }
             this.log("\n🎉 You have successfully authenticated with Opal! You can now run authenticated commands.\n");
+            // If authentication was triggered by another command, re-run that command
+            if (pendingCommandAfterAuth) {
+                const { commandId, args } = pendingCommandAfterAuth;
+                clearPendingCommandAfterAuth();
+                this.log(`Resuming command: ${commandId}\n`);
+                // Re-run the original command
+                const { run } = await import("@oclif/core");
+                await run([commandId, ...args], this.config);
+            }
             process.exit(0);
         }
         catch (error) {

package/build/commands/postgres-instances/start.d.ts

@@ -6,8 +6,6 @@ export default class StartPostgresInstanceSession extends Command {
         help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
         id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
         accessLevelRemoteId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
         action: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
     };
     run(): Promise<void>;

package/build/commands/postgres-instances/start.js

@@ -4,7 +4,7 @@ import { handleError } from "../../lib/apollo.js";
 import { runCommandExec, setMostRecentCommand, startInteractiveShell, } from "../../lib/cmd.js";
 import { SHARED_FLAGS } from "../../lib/flags.js";
 import { promptUserForAccessLevels, promptUserForResource, } from "../../lib/resources.js";
-import { getOrCreateSession } from "../../lib/sessions.js";
+import { createSession } from "../../lib/sessions.js";
 import { displayContent } from "../../lib/util.js";
 const RdsSessionMetadataFragment = `
 ... on AwsIamFederatedRdsSession {
@@ -53,11 +53,11 @@ class StartPostgresInstanceSession extends Command {
         if (!accessLevel) {
             return;
         }
-        const session = await getOrCreateSession(this, instanceId, accessLevel, sessionId, RdsSessionMetadataFragment, flags.refresh);
+        const session = await createSession(this, instanceId, accessLevel, sessionId, RdsSessionMetadataFragment);
         if (!session) {
             return;
         }
-        const metadata = session.metadata;
+        const metadata = session.sessionMetadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
             case "AwsIamFederatedRdsSession": {
                 // Don't inform the user about RDS session expiration time, since RDS works differently.
@@ -105,7 +105,7 @@ class StartPostgresInstanceSession extends Command {
                 break;
             }
             default:
-                return handleError(this, undefined, session);
+                return handleError(this, undefined);
         }
     }
 }
@@ -120,8 +120,6 @@ StartPostgresInstanceSession.flags = {
     help: SHARED_FLAGS.help,
     id: SHARED_FLAGS.id,
     accessLevelRemoteId: SHARED_FLAGS.accessLevelRemoteId,
-    sessionId: SHARED_FLAGS.sessionId,
-    refresh: SHARED_FLAGS.refresh,
     action: Flags.string({
         multiple: false,
         description: `Method of connecting to the database.\n${methodChoices.map((c) => `- ${c.value}: ${c.name}`).join("\n")}`,

package/build/commands/ssh/copyFrom.d.ts

@@ -8,7 +8,6 @@ export default class StartSCPSession extends Command {
         dest: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
         user: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
         id: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
-        sessionId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
     };
     run(): Promise<void>;
 }

package/build/commands/ssh/copyFrom.js

@@ -3,7 +3,7 @@ import { handleError } from "../../lib/apollo.js";
 import { runCommandSpawn, setMostRecentCommand } from "../../lib/cmd.js";
 import { SHARED_FLAGS } from "../../lib/flags.js";
 import { DEFAULT_ACCESS_LEVEL } from "../../lib/resources.js";
-import { getOrCreateSession } from "../../lib/sessions.js";
+import { createSession } from "../../lib/sessions.js";
 import { assertSessionManagerPluginExists, selectComputeInstance, } from "../../lib/ssh.js";
 import { Ec2SessionMetadataFragment } from "./start.js";
 class StartSCPSession extends Command {
@@ -25,11 +25,11 @@ class StartSCPSession extends Command {
             instanceId = selectedInstance.id;
             instanceName = selectedInstance.name;
         }
-        const session = await getOrCreateSession(this, instanceId, DEFAULT_ACCESS_LEVEL, sessionId, Ec2SessionMetadataFragment);
+        const session = await createSession(this, instanceId, DEFAULT_ACCESS_LEVEL, sessionId, Ec2SessionMetadataFragment);
         if (!session) {
             return;
         }
-        const metadata = session.metadata;
+        const metadata = session.sessionMetadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
             case "AwsIamFederatedSSMSession": {
                 const envVars = {
@@ -44,7 +44,7 @@ class StartSCPSession extends Command {
                 break;
             }
             default:
-                return handleError(this, undefined, session);
+                return handleError(this, undefined);
         }
     }
 }
@@ -73,6 +73,5 @@ StartSCPSession.flags = {
         description: "The user you want to run SCP over. Keep in mind not all users will have access to each other's home directory.",
     }),
     id: SHARED_FLAGS.id,
-    sessionId: SHARED_FLAGS.sessionId,
 };
 export default StartSCPSession;