Merge branch 'main' into komal/readme-examples

Author: komal-dhull

COPYING.md renamed to LICENSE.md

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

copyright.js

@@ -25,21 +25,25 @@
     "dotenv": "^16.4.1",
     "express": "^4.18.2",
     "firebase": "^10.7.2",
+    "inquirer": "^9.2.15",
     "jsdom": "^24.0.0",
     "lodash": "^4.17.21",
     "open": "^8.4.0",
     "pkce-challenge": "^4.1.0",
     "pluralize": "^8.0.0",
     "typescript": "^4.8.4",
+    "which": "^4.0.0",
     "yargs": "^17.6.0"
   },
   "devDependencies": {
     "@trivago/prettier-plugin-sort-imports": "^4.3.0",
     "@types/express": "^4.17.21",
+    "@types/inquirer": "^9.0.7",
     "@types/jest": "^29.5.12",
     "@types/jsdom": "^21.1.6",
     "@types/lodash": "^4.14.202",
     "@types/node": "^18.11.7",
+    "@types/which": "^3.0.3",
     "@types/yargs": "^17.0.13",
     "@typescript-eslint/eslint-plugin": "^6.4.0",
     "@typescript-eslint/parser": "^6.0.0",

package.json

@@ -16,21 +16,31 @@ Unknown argument: foo",
 }
 `;
 
-exports[`ls when valid ls command should print list response 1`] = `
+exports[`ls when valid ls command should print friendly message if no items: stderr 1`] = `
 [
   [
-    "instance-1",
+    "No destinations",
   ],
+]
+`;
+
+exports[`ls when valid ls command should print friendly message if no items: stdout 1`] = `[]`;
+
+exports[`ls when valid ls command should print list response: stderr 1`] = `
+[
   [
-    "instance-2",
+    "Showing destinations:",
   ],
 ]
 `;
 
-exports[`ls when valid ls command should print list response 2`] = `
+exports[`ls when valid ls command should print list response: stdout 1`] = `
 [
   [
-    "Showing destinations:",
+    "instance-1",
+  ],
+  [
+    "instance-2",
   ],
 ]
 `;

src/commands/__tests__/__snapshots__/ls.test.ts.snap

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/commands/__tests__/login.test.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 
@@ -23,22 +23,31 @@ const mockPrint1 = print1 as jest.Mock;
 const mockPrint2 = print2 as jest.Mock;
 
 describe("ls", () => {
+  beforeEach(() => jest.clearAllMocks());
+
   describe("when valid ls command", () => {
     const command = "ls ssh destination";
 
-    beforeAll(() => {
+    const mockItems = (items: string[]) =>
       mockFetchCommand.mockResolvedValue({
         ok: true,
         term: "",
         arg: "destination",
-        items: ["instance-1", "instance-2"],
+        items,
       });
-    });
 
     it("should print list response", async () => {
+      mockItems(["instance-1", "instance-2"]);
+      await lsCommand(yargs()).parse(command);
+      expect(mockPrint1.mock.calls).toMatchSnapshot("stdout");
+      expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
+    });
+
+    it("should print friendly message if no items", async () => {
+      mockItems([]);
       await lsCommand(yargs()).parse(command);
-      expect(mockPrint1.mock.calls).toMatchSnapshot();
-      expect(mockPrint2.mock.calls).toMatchSnapshot();
+      expect(mockPrint1.mock.calls).toMatchSnapshot("stdout");
+      expect(mockPrint2.mock.calls).toMatchSnapshot("stderr");
     });
   });
 

src/commands/__tests__/ls.test.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/commands/__tests__/request.test.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/commands/__tests__/ssh.test.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/commands/aws/__tests__/__input__/saml-response.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/commands/aws/__tests__/__input__/sts-response.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/commands/aws/__tests__/role.test.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/commands/aws/index.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/commands/aws/role.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/commands/index.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/commands/login.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 
@@ -52,10 +52,15 @@ const ls = async (
   ]);
 
   if (data && "ok" in data && data.ok) {
+    const label = pluralize(data.arg);
+    if (data.items.length === 0) {
+      print2(`No ${label}`);
+      return;
+    }
     print2(
       `Showing${
         data.isTruncated ? ` the first ${data.items.length}` : ""
-      } ${pluralize(data.arg)}${data.term ? ` matching '${data.term}'` : ""}:`
+      } ${label}${data.term ? ` matching '${data.term}'` : ""}:`
     );
     for (const item of data.items) {
       print1(item);

src/commands/ls.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 
@@ -40,6 +40,7 @@ const isCompletedStatus = (
 const requestArgs = <T>(yargs: yargs.Argv<T>) =>
   yargs
     .parserConfiguration({ "unknown-options-as-args": true })
+    .help(false) // Turn off help in order to forward the --help command to the backend so P0 can provide the available requestable resources
     .option("wait", {
       alias: "w",
       boolean: true,

src/commands/request.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 
@@ -27,20 +27,55 @@ import { getDoc, onSnapshot } from "firebase/firestore";
 import { pick } from "lodash";
 import yargs from "yargs";
 
+export type SshCommandArgs = {
+  instance: string;
+  command?: string;
+  L?: string; // port forwarding option
+  arguments: string[];
+};
+
+// Matches strings with the pattern "digits:digits" (e.g. 1234:5678)
+const LOCAL_PORT_FORWARD_PATTERN = /^\d+:\d+$/;
+
 /** Maximum amount of time to wait after access is approved to wait for access
  *  to be configured
  */
 const GRANT_TIMEOUT_MILLIS = 60e3;
 
 export const sshCommand = (yargs: yargs.Argv) =>
-  yargs.command<{ instance: string }>(
-    "ssh <instance>",
+  yargs.command<SshCommandArgs>(
+    "ssh <instance> [command [arguments..]]",
     "SSH into a virtual machine",
     (yargs) =>
-      yargs.positional("instance", {
-        type: "string",
-        demandOption: true,
-      }),
+      yargs
+        .positional("instance", {
+          type: "string",
+          demandOption: true,
+        })
+        .positional("command", {
+          type: "string",
+          describe: "Pass command to the shell",
+        })
+        .positional("arguments", {
+          describe: "Command arguments",
+          array: true,
+          string: true,
+          default: [] as string[],
+        })
+        .check((argv: yargs.ArgumentsCamelCase<SshCommandArgs>) => {
+          if (argv.L == null) return true;
+
+          return (
+            argv.L.match(LOCAL_PORT_FORWARD_PATTERN) ||
+            "Local port forward should be in the format `local_port:remote_port`"
+          );
+        })
+        .option("L", {
+          type: "string",
+          describe:
+            // the order of the sockets in the address matches the ssh man page
+            "Forward a local port to the remote host; `local_socket:remote_socket`",
+        }),
     guard(ssh)
   );
 
@@ -107,8 +142,7 @@ const waitForProvisioning = async <P extends PluginRequest>(
  * Supported SSH mechanisms:
  * - AWS EC2 via SSM with Okta SAML
  */
-const ssh = async (args: yargs.ArgumentsCamelCase<{ instance: string }>) => {
-  // Prefix is required because the backend uses it to determine that this is an AWS request
+const ssh = async (args: yargs.ArgumentsCamelCase<SshCommandArgs>) => {
   const authn = await authenticate();
   await validateSshInstall(authn);
   const response = await request(
@@ -126,6 +160,9 @@ const ssh = async (args: yargs.ArgumentsCamelCase<{ instance: string }>) => {
   }
   const { id, isPreexisting } = response;
   if (!isPreexisting) print2("Waiting for access to be provisioned");
+
   const requestData = await waitForProvisioning<AwsSsh>(authn, id);
-  await ssm(authn, { ...requestData, id });
+  const requestWithId = { ...requestData, id };
+
+  await ssm(authn, requestWithId, args);
 };

src/commands/ssh.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/common/auth/oidc.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/common/auth/server.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/common/fetch.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/common/mime.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/common/xml.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/drivers/__mocks__/auth.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/drivers/api.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 
@@ -32,11 +32,13 @@ export const cached = async <T>(
   loader: () => Promise<T>,
   options: { duration: number }
 ): Promise<T> => {
-  const loc = path.join(
-    path.dirname(IDENTITY_FILE_PATH),
-    "cache",
-    `${name}.json`
-  );
+  const cachePath = path.join(path.dirname(IDENTITY_FILE_PATH), "cache");
+  // Following lines sanitize input
+  // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
+  const loc = path.resolve(path.join(cachePath, `${name}.json`));
+  if (!loc.startsWith(cachePath)) {
+    throw new Error("Illegal path traversal");
+  }
 
   const loadCache = async () => {
     const data = await loader();

src/drivers/auth.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/drivers/env.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/drivers/firestore.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/drivers/stdio.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli
 

src/index.ts

@@ -1,4 +1,4 @@
-/** Copyright © 2024-present P0 Security 
+/** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/p0cli