From 31a6994c549c055a7ae142a78d79f2f40167ec4f Mon Sep 17 00:00:00 2001 From: Fabian Joya Date: Wed, 16 Oct 2024 14:09:43 -0400 Subject: [PATCH 1/6] ENG-2884 Add multi-host support Adds multi-host support to the CLI by optionally looking up the CLI configuration, including the backend host from Firebase. This allows us to specify separate backend hosts for each tenant. - Adds an optional config to the /orgs/{orgId} document - Upon login, If the config is found, the config in stored locally - When executing a command, the local config is used, if found --- package.json | 1 + src/commands/login.ts | 21 ++++++++++-- src/drivers/api.ts | 5 ++- src/drivers/auth.ts | 30 +++++------------ src/drivers/config.ts | 58 ++++++++++++++++++++++++++++++++ src/drivers/env.ts | 2 +- src/drivers/firestore.ts | 66 ++++++++++++++++++++++++++++++------- src/plugins/google/login.ts | 8 ++--- src/types/org.ts | 4 +++ src/util.ts | 6 ++-- 10 files changed, 154 insertions(+), 47 deletions(-) create mode 100644 src/drivers/config.ts diff --git a/package.json b/package.json index 45516b4..eb7bd09 100644 --- a/package.json +++ b/package.json @@ -70,6 +70,7 @@ }, "scripts": { "build": "tsc && cp -r public dist/", + "test:unit": "NODE_ENV=unit jest --color", "clean": "rm -f tsconfig.tsbuildinfo && rm -rf dist/", "lint": "yarn prettier --check . && yarn run eslint --max-warnings 0 .", "p0": "node --no-deprecation ./p0", diff --git a/src/commands/login.ts b/src/commands/login.ts index 7c098c3..33e2ff7 100644 --- a/src/commands/login.ts +++ b/src/commands/login.ts @@ -11,9 +11,15 @@ You should have received a copy of the GNU General Public License along with @p0 import { IDENTITY_CACHE_PATH, IDENTITY_FILE_PATH, - authenticate, + loadCredentials, } from "../drivers/auth"; -import { doc, guard } from "../drivers/firestore"; +import { saveTenantConfig } from "../drivers/config"; +import { + authenticateToFirebase, + doc, + guard, + initializeFirebase, +} from "../drivers/firestore"; import { print2 } from "../drivers/stdio"; import { pluginLoginMap } from "../plugins/login"; import { TokenResponse } from "../types/oidc"; @@ -32,6 +38,8 @@ export const login = async ( args: { org: string }, options?: { skipAuthenticate?: boolean } ) => { + initializeFirebase({ useBootstrapConfig: true }); + const orgDoc = await getDoc(doc(`orgs/${args.org}`)); const orgData = orgDoc.data(); if (!orgData) throw "Could not find organization"; @@ -48,8 +56,15 @@ export const login = async ( await clearIdentityCache(); await writeIdentity(orgWithSlug, tokenResponse); + if (orgData.config) { + await saveTenantConfig(orgData.config); + } + // validate auth - if (!options?.skipAuthenticate) await authenticate({ noRefresh: true }); + if (!options?.skipAuthenticate) { + const identity = await loadCredentials({ noRefresh: true }); + await authenticateToFirebase(identity); + } print2(`You are now logged in, and can use the p0 CLI.`); }; diff --git a/src/drivers/api.ts b/src/drivers/api.ts index 7a14e21..bca3552 100644 --- a/src/drivers/api.ts +++ b/src/drivers/api.ts @@ -8,13 +8,12 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ -import { config } from "../drivers/env"; import { Authn } from "../types/identity"; +import { tenantConfig } from "./config"; import * as path from "node:path"; import yargs from "yargs"; -const tenantUrl = (tenant: string) => `${config.appUrl}/o/${tenant}`; - +const tenantUrl = (tenant: string) => `${tenantConfig.appUrl}/o/${tenant}`; const commandUrl = (tenant: string) => `${tenantUrl(tenant)}/command/`; export const fetchCommand = async ( diff --git a/src/drivers/auth.ts b/src/drivers/auth.ts index 9173d0c..74e2aac 100644 --- a/src/drivers/auth.ts +++ b/src/drivers/auth.ts @@ -11,13 +11,9 @@ You should have received a copy of the GNU General Public License along with @p0 import { login } from "../commands/login"; import { Authn, Identity } from "../types/identity"; import { P0_PATH } from "../util"; -import { auth } from "./firestore"; +import { loadTenantConfig } from "./config"; +import { authenticateToFirebase, initializeFirebase } from "./firestore"; import { print2 } from "./stdio"; -import { - OAuthProvider, - SignInMethod, - signInWithCredential, -} from "firebase/auth"; import * as fs from "fs/promises"; import * as path from "path"; @@ -97,23 +93,13 @@ export const authenticate = async (options?: { noRefresh?: boolean; }): Promise => { const identity = await loadCredentials(options); - const { credential } = identity; - // TODO: Move to map lookup - const provider = new OAuthProvider( - identity.org.ssoProvider === "google" - ? SignInMethod.GOOGLE - : identity.org.providerId - ); - const firebaseCredential = provider.credential({ - accessToken: credential.access_token, - idToken: credential.id_token, - }); - auth.tenantId = identity.org.tenantId; - const userCredential = await signInWithCredential(auth, firebaseCredential); - if (!userCredential?.user?.email) { - throw "Can not sign in: this user has previously signed in with a different identity provider.\nPlease contact support@p0.dev to enable this user."; - } + await loadTenantConfig(); + + // Re-initialize Firebase with the loaded config + initializeFirebase(); + + const userCredential = await authenticateToFirebase(identity); return { userCredential, identity }; }; diff --git a/src/drivers/config.ts b/src/drivers/config.ts new file mode 100644 index 0000000..11a484b --- /dev/null +++ b/src/drivers/config.ts @@ -0,0 +1,58 @@ +/** Copyright © 2024-present P0 Security + +This file is part of @p0security/cli + +@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License. + +@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + +You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . +**/ +import { Config } from "../types/org"; +import { P0_PATH } from "../util"; +import { bootstrapConfig } from "./env"; +import { print2 } from "./stdio"; +import fs from "fs/promises"; +import path from "path"; + +export const CONFIG_FILE_PATH = path.join(P0_PATH, "config.json"); + +export let tenantConfig = bootstrapConfig; + +/** + * Configures the CLI to use a tenant-specific configuration instead of the bootstrap configuration. + * The tenant-specific config is also written to the local filesystem for future use. + * + * @param config the tenant-specific config to use + */ +export const saveTenantConfig = async (config: Config) => { + tenantConfig = config; + await writeConfigToFile(config); +}; + +/** + * Configures the CLI to use a tenant-specific configuration, if present. + * + * Loads the tenant-specific config from the local filesystem, if present. + * If not present, it will keep using the bootstrap config. + */ +export const loadTenantConfig = async () => { + const config = await loadConfigFromFile(); + if (config) { + tenantConfig = config; + } +}; + +const loadConfigFromFile = async (): Promise => { + print2(`Loading config from ${CONFIG_FILE_PATH}.`); + const buffer = await fs.readFile(CONFIG_FILE_PATH); + const config: Config = JSON.parse(buffer.toString()); + return config; +}; + +const writeConfigToFile = async (config: Config) => { + print2(`Saving config to ${CONFIG_FILE_PATH}.`); + const dir = path.dirname(CONFIG_FILE_PATH); + await fs.mkdir(dir, { recursive: true }); + await fs.writeFile(CONFIG_FILE_PATH, JSON.stringify(config), { mode: "600" }); +}; diff --git a/src/drivers/env.ts b/src/drivers/env.ts index 84bf4e9..442056e 100644 --- a/src/drivers/env.ts +++ b/src/drivers/env.ts @@ -14,7 +14,7 @@ dotenv.config(); const { env } = process; -export const config = { +export const bootstrapConfig = { fs: { // Falls back to public production Firestore credentials apiKey: env.P0_FS_API_KEY ?? "AIzaSyCaL-Ik_l_5tdmgNUNZ4Nv6NuR4o5_PPfs", diff --git a/src/drivers/firestore.ts b/src/drivers/firestore.ts index 714aaf8..956a340 100644 --- a/src/drivers/firestore.ts +++ b/src/drivers/firestore.ts @@ -8,9 +8,17 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ -import { config } from "./env"; -import { initializeApp } from "firebase/app"; -import { getAuth } from "firebase/auth"; +import { Identity } from "../types/identity"; +import { tenantConfig } from "./config"; +import { bootstrapConfig } from "./env"; +import { FirebaseOptions, initializeApp } from "firebase/app"; +import { + Auth, + getAuth, + OAuthProvider, + SignInMethod, + signInWithCredential, +} from "firebase/auth"; import { collection as fsCollection, CollectionReference, @@ -18,25 +26,59 @@ import { DocumentReference, getFirestore, terminate, + Firestore, } from "firebase/firestore"; -// Your web app's Firebase configuration -const firebaseConfig = config.fs; +let firestore: Firestore; +let auth: Auth; + +export function initializeFirebase(options?: { useBootstrapConfig: boolean }) { + const config: FirebaseOptions = options?.useBootstrapConfig + ? bootstrapConfig.fs + : tenantConfig.fs; + const app = initializeApp(config); + + firestore = getFirestore(app); + auth = getAuth(); +} + +export async function authenticateToFirebase(identity: Identity) { + const { credential } = identity; + const tenantId = identity.org.tenantId; + + // TODO: Move to map lookup + const provider = new OAuthProvider( + identity.org.ssoProvider === "google" + ? SignInMethod.GOOGLE + : identity.org.providerId + ); -// Initialize Firebase -const app = initializeApp(firebaseConfig); -export const FIRESTORE = getFirestore(app); -export const auth = getAuth(); + const firebaseCredential = provider.credential({ + accessToken: credential.access_token, + idToken: credential.id_token, + }); + + auth.tenantId = tenantId; + + const userCredential = await signInWithCredential(auth, firebaseCredential); + + if (!userCredential?.user?.email) { + throw "Can not sign in: this user has previously signed in with a different identity provider.\nPlease contact support@p0.dev to enable this user."; + } + + return userCredential; +} export const collection = (path: string, ...pathSegments: string[]) => { return fsCollection( - FIRESTORE, + firestore, path, ...pathSegments ) as CollectionReference; }; + export const doc = (path: string) => { - return fsDoc(FIRESTORE, path) as DocumentReference; + return fsDoc(firestore, path) as DocumentReference; }; /** Ensures that Firestore is shutdown at command termination @@ -49,6 +91,6 @@ export const guard = try { await cb(args); } finally { - void terminate(FIRESTORE); + void terminate(firestore); } }; diff --git a/src/plugins/google/login.ts b/src/plugins/google/login.ts index 089654a..1c7c71a 100644 --- a/src/plugins/google/login.ts +++ b/src/plugins/google/login.ts @@ -11,7 +11,7 @@ You should have received a copy of the GNU General Public License along with @p0 import { OIDC_HEADERS } from "../../common/auth/oidc"; import { withRedirectServer } from "../../common/auth/server"; import { urlEncode, validateResponse } from "../../common/fetch"; -import { config } from "../../drivers/env"; +import { tenantConfig } from "../../drivers/config"; import { print2 } from "../../drivers/stdio"; import { AuthorizeRequest, TokenResponse } from "../../types/oidc"; import open from "open"; @@ -31,7 +31,7 @@ const requestAuth = async () => { const pkceChallenge = (await import("pkce-challenge")).default as any; const pkce = await pkceChallenge(PKCE_LENGTH); const authBody: AuthorizeRequest = { - client_id: config.google.clientId, + client_id: tenantConfig.google.clientId, code_challenge: pkce.code_challenge, code_challenge_method: "S256", redirect_uri: GOOGLE_OIDC_REDIRECT_URL, @@ -52,8 +52,8 @@ const requestToken = async ( pkce: { code_challenge: string; code_verifier: string } ) => { const body = { - client_id: config.google.clientId, - client_secret: config.google.clientSecret, + client_id: tenantConfig.google.clientId, + client_secret: tenantConfig.google.clientSecret, code, code_verifier: pkce.code_verifier, grant_type: "authorization_code", diff --git a/src/types/org.ts b/src/types/org.ts index 02868a2..86481db 100644 --- a/src/types/org.ts +++ b/src/types/org.ts @@ -8,6 +8,9 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ +import { bootstrapConfig } from "../drivers/env"; + +export type Config = typeof bootstrapConfig; type BaseOrgData = { clientId: string; @@ -21,6 +24,7 @@ type BaseOrgData = { | "oidc-pkce" | "okta"; tenantId: string; + config: Config; }; /** Publicly readable organization data */ diff --git a/src/util.ts b/src/util.ts index 68dfd3e..3b4f51c 100644 --- a/src/util.ts +++ b/src/util.ts @@ -8,14 +8,16 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ -import { config } from "./drivers/env"; +import { bootstrapConfig } from "./drivers/env"; import child_process from "node:child_process"; import os from "node:os"; import path from "node:path"; export const P0_PATH = path.join( os.homedir(), - config.environment === "production" ? ".p0" : `.p0-${config.environment}` + bootstrapConfig.environment === "production" + ? ".p0" + : `.p0-${bootstrapConfig.environment}` ); /** Waits the specified delay (in ms) From 6b3de7b374efde9745e0c4a4056cf5c858db0d2e Mon Sep 17 00:00:00 2001 From: Fabian Joya Date: Thu, 17 Oct 2024 10:48:36 -0400 Subject: [PATCH 2/6] Address review comments. * Add publicDoc() function to read from bootstrap firestore * Ensure updated config is set before authentication * Move auth from global to local scope * Rename guard function to fsShutdownGuard for clarity --- .../__snapshots__/login.test.ts.snap | 9 +++- src/commands/__tests__/login.test.ts | 2 +- src/commands/allow.ts | 4 +- src/commands/aws/role.ts | 6 +-- src/commands/grant.ts | 4 +- src/commands/kubeconfig.ts | 4 +- src/commands/login.ts | 22 +++++----- src/commands/ls.ts | 4 +- src/commands/request.ts | 4 +- src/commands/scp.ts | 4 +- src/commands/ssh.ts | 4 +- src/drivers/auth.ts | 9 ++-- src/drivers/config.ts | 43 ++++--------------- src/drivers/firestore.ts | 25 ++++++----- 14 files changed, 61 insertions(+), 83 deletions(-) diff --git a/src/commands/__tests__/__snapshots__/login.test.ts.snap b/src/commands/__tests__/__snapshots__/login.test.ts.snap index 8475ae4..f715943 100644 --- a/src/commands/__tests__/__snapshots__/login.test.ts.snap +++ b/src/commands/__tests__/__snapshots__/login.test.ts.snap @@ -1,7 +1,14 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP -exports[`login organization exists should write the user's identity to the file system 1`] = ` +exports[`login organization exists should write the user's identity & config to the file system 1`] = ` [ + [ + "/Users/fabianjoya/.p0/config.json", + "{"fs":{"apiKey":"AIzaSyC9A5VXSwDDS-Vp4WH_UIanEqJvv_7XdlQ","authDomain":"p0-gcp-project.firebaseapp.com","projectId":"p0-gcp-project","storageBucket":"p0-gcp-project.appspot.com","messagingSenderId":"398809717501","appId":"1:398809717501:web:6dd1cab893b2faeb06fc94"},"google":{"clientId":"398809717501-j4j8ldjicsspidl4ecj6nj1oomo9eda1.apps.googleusercontent.com","clientSecret":"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"},"appUrl":"http://localhost:8088","environment":"production"}", + { + "mode": "600", + }, + ], [ "/path/to/home/.p0", "{ diff --git a/src/commands/__tests__/login.test.ts b/src/commands/__tests__/login.test.ts index 481a689..a0fe372 100644 --- a/src/commands/__tests__/login.test.ts +++ b/src/commands/__tests__/login.test.ts @@ -73,7 +73,7 @@ describe("login", () => { await login({ org: "test-org" }); expect(pluginLoginMap.google).toHaveBeenCalled(); }); - it("should write the user's identity to the file system", async () => { + it("should write the user's identity & config to the file system", async () => { await login({ org: "test-org" }); expect(mockWriteFile.mock.calls).toMatchSnapshot(); }); diff --git a/src/commands/allow.ts b/src/commands/allow.ts index c1aa03b..fc98e9e 100644 --- a/src/commands/allow.ts +++ b/src/commands/allow.ts @@ -10,7 +10,7 @@ You should have received a copy of the GNU General Public License along with @p0 **/ import { fetchCommand } from "../drivers/api"; import { authenticate } from "../drivers/auth"; -import { guard } from "../drivers/firestore"; +import { fsShutdownGuard } from "../drivers/firestore"; import { print2 } from "../drivers/stdio"; import { AllowResponse } from "../types/allow"; import { Authn } from "../types/identity"; @@ -37,7 +37,7 @@ export const allowCommand = (yargs: yargs.Argv) => "allow [arguments..]", "Create standing access for a resource", allowArgs, - guard(allow) + fsShutdownGuard(allow) ); export const allow = async ( diff --git a/src/commands/aws/role.ts b/src/commands/aws/role.ts index 3a44f00..54e8a89 100644 --- a/src/commands/aws/role.ts +++ b/src/commands/aws/role.ts @@ -10,7 +10,7 @@ You should have received a copy of the GNU General Public License along with @p0 **/ import { parseXml } from "../../common/xml"; import { authenticate } from "../../drivers/auth"; -import { guard } from "../../drivers/firestore"; +import { fsShutdownGuard } from "../../drivers/firestore"; import { print1, print2 } from "../../drivers/stdio"; import { getAwsConfig } from "../../plugins/aws/config"; import { AwsFederatedLogin, AwsItem } from "../../plugins/aws/types"; @@ -29,7 +29,7 @@ export const role = (yargs: yargs.Argv<{ account: string | undefined }>) => "List available AWS roles", identity, // TODO: select based on uidLocation - guard(oktaAwsListRoles) + fsShutdownGuard(oktaAwsListRoles) ) .command( "assume ", @@ -41,7 +41,7 @@ export const role = (yargs: yargs.Argv<{ account: string | undefined }>) => describe: "An AWS role name", }), // TODO: select based on uidLocation - guard(oktaAwsAssumeRole) + fsShutdownGuard(oktaAwsAssumeRole) ) .demandCommand(1) ); diff --git a/src/commands/grant.ts b/src/commands/grant.ts index 5b77f9b..3eea0fa 100644 --- a/src/commands/grant.ts +++ b/src/commands/grant.ts @@ -8,7 +8,7 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ -import { guard } from "../drivers/firestore"; +import { fsShutdownGuard } from "../drivers/firestore"; import { request, requestArgs } from "./shared/request"; import yargs from "yargs"; @@ -17,5 +17,5 @@ export const grantCommand = (yargs: yargs.Argv) => "grant [arguments..]", "Grant access to another identity", requestArgs, - guard(request("grant")) + fsShutdownGuard(request("grant")) ); diff --git a/src/commands/kubeconfig.ts b/src/commands/kubeconfig.ts index e00eb22..8e59c6f 100644 --- a/src/commands/kubeconfig.ts +++ b/src/commands/kubeconfig.ts @@ -11,7 +11,7 @@ You should have received a copy of the GNU General Public License along with @p0 import { retryWithSleep } from "../common/retry"; import { AnsiSgr } from "../drivers/ansi"; import { authenticate } from "../drivers/auth"; -import { guard } from "../drivers/firestore"; +import { fsShutdownGuard } from "../drivers/firestore"; import { print2, spinUntil } from "../drivers/stdio"; import { parseArn } from "../plugins/aws/utils"; import { @@ -65,7 +65,7 @@ export const kubeconfigCommand = (yargs: yargs.Argv) => describe: "Requested duration for access (format like '10 minutes', '2 hours', '5 days', or '1 week')", }), - guard(kubeconfigAction) + fsShutdownGuard(kubeconfigAction) ); const kubeconfigAction = async ( diff --git a/src/commands/login.ts b/src/commands/login.ts index 33e2ff7..ac43977 100644 --- a/src/commands/login.ts +++ b/src/commands/login.ts @@ -13,12 +13,12 @@ import { IDENTITY_FILE_PATH, loadCredentials, } from "../drivers/auth"; -import { saveTenantConfig } from "../drivers/config"; +import { saveConfig } from "../drivers/config"; +import { bootstrapConfig } from "../drivers/env"; import { authenticateToFirebase, - doc, - guard, - initializeFirebase, + fsShutdownGuard, + publicDoc, } from "../drivers/firestore"; import { print2 } from "../drivers/stdio"; import { pluginLoginMap } from "../plugins/login"; @@ -38,12 +38,14 @@ export const login = async ( args: { org: string }, options?: { skipAuthenticate?: boolean } ) => { - initializeFirebase({ useBootstrapConfig: true }); - - const orgDoc = await getDoc(doc(`orgs/${args.org}`)); + const orgDoc = await getDoc( + publicDoc(`orgs/${args.org}`) + ); const orgData = orgDoc.data(); if (!orgData) throw "Could not find organization"; + await saveConfig(orgData.config ?? bootstrapConfig); + const orgWithSlug: OrgData = { ...orgData, slug: args.org }; const plugin = orgWithSlug?.ssoProvider; @@ -56,10 +58,6 @@ export const login = async ( await clearIdentityCache(); await writeIdentity(orgWithSlug, tokenResponse); - if (orgData.config) { - await saveTenantConfig(orgData.config); - } - // validate auth if (!options?.skipAuthenticate) { const identity = await loadCredentials({ noRefresh: true }); @@ -110,5 +108,5 @@ export const loginCommand = (yargs: yargs.Argv) => type: "string", describe: "Your P0 organization ID", }), - guard(login) + fsShutdownGuard(login) ); diff --git a/src/commands/ls.ts b/src/commands/ls.ts index e548856..42da519 100644 --- a/src/commands/ls.ts +++ b/src/commands/ls.ts @@ -11,7 +11,7 @@ You should have received a copy of the GNU General Public License along with @p0 import { AnsiSgr } from "../drivers/ansi"; import { fetchCommand } from "../drivers/api"; import { authenticate } from "../drivers/auth"; -import { guard } from "../drivers/firestore"; +import { fsShutdownGuard } from "../drivers/firestore"; import { print2, print1, spinUntil } from "../drivers/stdio"; import { max, orderBy } from "lodash"; import pluralize from "pluralize"; @@ -45,7 +45,7 @@ export const lsCommand = (yargs: yargs.Argv) => "ls [arguments..]", "List request-command arguments", lsArgs, - guard(ls) + fsShutdownGuard(ls) ); const ls = async ( diff --git a/src/commands/request.ts b/src/commands/request.ts index a9d5f4c..8458cd8 100644 --- a/src/commands/request.ts +++ b/src/commands/request.ts @@ -8,7 +8,7 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ -import { guard } from "../drivers/firestore"; +import { fsShutdownGuard } from "../drivers/firestore"; import { request, requestArgs } from "./shared/request"; import yargs from "yargs"; @@ -17,5 +17,5 @@ export const requestCommand = (yargs: yargs.Argv) => "request [arguments..]", "Manually request permissions on a resource", requestArgs, - guard(request("request")) + fsShutdownGuard(request("request")) ); diff --git a/src/commands/scp.ts b/src/commands/scp.ts index e3fb44f..b067061 100644 --- a/src/commands/scp.ts +++ b/src/commands/scp.ts @@ -9,7 +9,7 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ import { authenticate } from "../drivers/auth"; -import { guard } from "../drivers/firestore"; +import { fsShutdownGuard } from "../drivers/firestore"; import { sshOrScp } from "../plugins/ssh"; import { SshRequest, SupportedSshProviders } from "../types/ssh"; import { prepareRequest, ScpCommandArgs } from "./shared/ssh"; @@ -69,7 +69,7 @@ export const scpCommand = (yargs: yargs.Argv) => The '--' argument must be specified between P0-specific args on the left and SCP_ARGS on the right.` ), - guard(scpAction) + fsShutdownGuard(scpAction) ); /** Transfers files between a local and remote hosts using SSH. diff --git a/src/commands/ssh.ts b/src/commands/ssh.ts index b2d4555..e643be1 100644 --- a/src/commands/ssh.ts +++ b/src/commands/ssh.ts @@ -9,7 +9,7 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ import { authenticate } from "../drivers/auth"; -import { guard } from "../drivers/firestore"; +import { fsShutdownGuard } from "../drivers/firestore"; import { sshOrScp } from "../plugins/ssh"; import { SshCommandArgs, prepareRequest } from "./shared/ssh"; import yargs from "yargs"; @@ -69,7 +69,7 @@ export const sshCommand = (yargs: yargs.Argv) => $ p0 ssh example-instance --provider gcloud -- -NR '*:8080:localhost:8088' -o 'GatewayPorts yes'` ), - guard(sshAction) + fsShutdownGuard(sshAction) ); /** Connect to an SSH backend diff --git a/src/drivers/auth.ts b/src/drivers/auth.ts index 74e2aac..0e40b21 100644 --- a/src/drivers/auth.ts +++ b/src/drivers/auth.ts @@ -11,7 +11,7 @@ You should have received a copy of the GNU General Public License along with @p0 import { login } from "../commands/login"; import { Authn, Identity } from "../types/identity"; import { P0_PATH } from "../util"; -import { loadTenantConfig } from "./config"; +import { loadConfig } from "./config"; import { authenticateToFirebase, initializeFirebase } from "./firestore"; import { print2 } from "./stdio"; import * as fs from "fs/promises"; @@ -92,13 +92,10 @@ export const loadCredentials = async (options?: { export const authenticate = async (options?: { noRefresh?: boolean; }): Promise => { - const identity = await loadCredentials(options); - - await loadTenantConfig(); - - // Re-initialize Firebase with the loaded config + await loadConfig(); initializeFirebase(); + const identity = await loadCredentials(options); const userCredential = await authenticateToFirebase(identity); return { userCredential, identity }; diff --git a/src/drivers/config.ts b/src/drivers/config.ts index 11a484b..e600509 100644 --- a/src/drivers/config.ts +++ b/src/drivers/config.ts @@ -10,49 +10,22 @@ You should have received a copy of the GNU General Public License along with @p0 **/ import { Config } from "../types/org"; import { P0_PATH } from "../util"; -import { bootstrapConfig } from "./env"; import { print2 } from "./stdio"; import fs from "fs/promises"; import path from "path"; export const CONFIG_FILE_PATH = path.join(P0_PATH, "config.json"); -export let tenantConfig = bootstrapConfig; - -/** - * Configures the CLI to use a tenant-specific configuration instead of the bootstrap configuration. - * The tenant-specific config is also written to the local filesystem for future use. - * - * @param config the tenant-specific config to use - */ -export const saveTenantConfig = async (config: Config) => { - tenantConfig = config; - await writeConfigToFile(config); -}; - -/** - * Configures the CLI to use a tenant-specific configuration, if present. - * - * Loads the tenant-specific config from the local filesystem, if present. - * If not present, it will keep using the bootstrap config. - */ -export const loadTenantConfig = async () => { - const config = await loadConfigFromFile(); - if (config) { - tenantConfig = config; - } -}; - -const loadConfigFromFile = async (): Promise => { - print2(`Loading config from ${CONFIG_FILE_PATH}.`); - const buffer = await fs.readFile(CONFIG_FILE_PATH); - const config: Config = JSON.parse(buffer.toString()); - return config; -}; +export let tenantConfig: Config; -const writeConfigToFile = async (config: Config) => { +export async function saveConfig(config: Config) { print2(`Saving config to ${CONFIG_FILE_PATH}.`); const dir = path.dirname(CONFIG_FILE_PATH); await fs.mkdir(dir, { recursive: true }); await fs.writeFile(CONFIG_FILE_PATH, JSON.stringify(config), { mode: "600" }); -}; +} + +export async function loadConfig() { + const buffer = await fs.readFile(CONFIG_FILE_PATH); + tenantConfig = JSON.parse(buffer.toString()); +} diff --git a/src/drivers/firestore.ts b/src/drivers/firestore.ts index 956a340..447f67d 100644 --- a/src/drivers/firestore.ts +++ b/src/drivers/firestore.ts @@ -11,9 +11,8 @@ You should have received a copy of the GNU General Public License along with @p0 import { Identity } from "../types/identity"; import { tenantConfig } from "./config"; import { bootstrapConfig } from "./env"; -import { FirebaseOptions, initializeApp } from "firebase/app"; +import { FirebaseApp, initializeApp } from "firebase/app"; import { - Auth, getAuth, OAuthProvider, SignInMethod, @@ -29,17 +28,15 @@ import { Firestore, } from "firebase/firestore"; -let firestore: Firestore; -let auth: Auth; +const bootstrapApp = initializeApp(bootstrapConfig.fs, "bootstrapApp"); +const bootstrapFirestore = getFirestore(bootstrapApp); -export function initializeFirebase(options?: { useBootstrapConfig: boolean }) { - const config: FirebaseOptions = options?.useBootstrapConfig - ? bootstrapConfig.fs - : tenantConfig.fs; - const app = initializeApp(config); +let app: FirebaseApp; +let firestore: Firestore; +export function initializeFirebase() { + app = initializeApp(tenantConfig.fs, "authFirebase"); firestore = getFirestore(app); - auth = getAuth(); } export async function authenticateToFirebase(identity: Identity) { @@ -58,6 +55,7 @@ export async function authenticateToFirebase(identity: Identity) { idToken: credential.id_token, }); + const auth = getAuth(app); auth.tenantId = tenantId; const userCredential = await signInWithCredential(auth, firebaseCredential); @@ -81,16 +79,21 @@ export const doc = (path: string) => { return fsDoc(firestore, path) as DocumentReference; }; +export const publicDoc = (path: string) => { + return fsDoc(bootstrapFirestore, path) as DocumentReference; +}; + /** Ensures that Firestore is shutdown at command termination * * This prevents Firestore from holding the command on execution completion or failure. */ -export const guard = +export const fsShutdownGuard = (cb: (args: P) => Promise) => async (args: P) => { try { await cb(args); } finally { + void terminate(bootstrapFirestore); void terminate(firestore); } }; From 7ae96f6de824e34360db7d44c95fa1655139a112 Mon Sep 17 00:00:00 2001 From: Fabian Joya Date: Thu, 17 Oct 2024 11:01:47 -0400 Subject: [PATCH 3/6] Changed tenantConfig from module to file scope and introduced a getter. --- src/drivers/api.ts | 4 ++-- src/drivers/config.ts | 6 +++++- src/drivers/firestore.ts | 3 ++- src/plugins/google/login.ts | 4 +++- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/drivers/api.ts b/src/drivers/api.ts index bca3552..64976d6 100644 --- a/src/drivers/api.ts +++ b/src/drivers/api.ts @@ -9,11 +9,11 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ import { Authn } from "../types/identity"; -import { tenantConfig } from "./config"; +import { getTenantConfig } from "./config"; import * as path from "node:path"; import yargs from "yargs"; -const tenantUrl = (tenant: string) => `${tenantConfig.appUrl}/o/${tenant}`; +const tenantUrl = (tenant: string) => `${getTenantConfig().appUrl}/o/${tenant}`; const commandUrl = (tenant: string) => `${tenantUrl(tenant)}/command/`; export const fetchCommand = async ( diff --git a/src/drivers/config.ts b/src/drivers/config.ts index e600509..55d652a 100644 --- a/src/drivers/config.ts +++ b/src/drivers/config.ts @@ -16,7 +16,11 @@ import path from "path"; export const CONFIG_FILE_PATH = path.join(P0_PATH, "config.json"); -export let tenantConfig: Config; +let tenantConfig: Config; + +export function getTenantConfig(): Config { + return tenantConfig; +} export async function saveConfig(config: Config) { print2(`Saving config to ${CONFIG_FILE_PATH}.`); diff --git a/src/drivers/firestore.ts b/src/drivers/firestore.ts index 447f67d..ae11035 100644 --- a/src/drivers/firestore.ts +++ b/src/drivers/firestore.ts @@ -9,7 +9,7 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ import { Identity } from "../types/identity"; -import { tenantConfig } from "./config"; +import { getTenantConfig } from "./config"; import { bootstrapConfig } from "./env"; import { FirebaseApp, initializeApp } from "firebase/app"; import { @@ -35,6 +35,7 @@ let app: FirebaseApp; let firestore: Firestore; export function initializeFirebase() { + const tenantConfig = getTenantConfig(); app = initializeApp(tenantConfig.fs, "authFirebase"); firestore = getFirestore(app); } diff --git a/src/plugins/google/login.ts b/src/plugins/google/login.ts index 1c7c71a..93c2c07 100644 --- a/src/plugins/google/login.ts +++ b/src/plugins/google/login.ts @@ -11,7 +11,7 @@ You should have received a copy of the GNU General Public License along with @p0 import { OIDC_HEADERS } from "../../common/auth/oidc"; import { withRedirectServer } from "../../common/auth/server"; import { urlEncode, validateResponse } from "../../common/fetch"; -import { tenantConfig } from "../../drivers/config"; +import { getTenantConfig } from "../../drivers/config"; import { print2 } from "../../drivers/stdio"; import { AuthorizeRequest, TokenResponse } from "../../types/oidc"; import open from "open"; @@ -28,6 +28,7 @@ const GOOGLE_OIDC_REDIRECT_URL = `http://127.0.0.1:${GOOGLE_OIDC_REDIRECT_PORT}` const PKCE_LENGTH = 128; const requestAuth = async () => { + const tenantConfig = getTenantConfig(); const pkceChallenge = (await import("pkce-challenge")).default as any; const pkce = await pkceChallenge(PKCE_LENGTH); const authBody: AuthorizeRequest = { @@ -51,6 +52,7 @@ const requestToken = async ( code: string, pkce: { code_challenge: string; code_verifier: string } ) => { + const tenantConfig = getTenantConfig(); const body = { client_id: tenantConfig.google.clientId, client_secret: tenantConfig.google.clientSecret, From d5481a8bd567f6d55a8bb2aa5c292773cf200f2d Mon Sep 17 00:00:00 2001 From: Fabian Joya Date: Thu, 17 Oct 2024 20:14:06 -0400 Subject: [PATCH 4/6] Fix failing test. --- src/commands/.DS_Store | Bin 0 -> 6148 bytes .../__tests__/__snapshots__/login.test.ts.snap | 9 +-------- src/commands/__tests__/login.test.ts | 14 +++++++++++++- 3 files changed, 14 insertions(+), 9 deletions(-) create mode 100644 src/commands/.DS_Store diff --git a/src/commands/.DS_Store b/src/commands/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..af692fade7af44202164b7f8c6460d49362514cc GIT binary patch literal 6148 zcmeHKJ5EDE474Fd5KT(Ty#hB_Md1WFKqwN?pdgV?{i>XcqcLM!QKAHlEW*c2^k(!g0sW_VAUhj>}Q??F6|GWPrK3NR3`(vfdf*9(Wlq?_09;q_#%3B}{-xW7fYc~4Z70#e{w zf&1Lf*#BSPKg|EvB<-Yt6!=#P_++tM%<)RqTSqU)UfbZWaMpamX;=pZA=)u8+A%h4 e$4^m|b&YGB_rf7D=*R~hsGkAqB9j7tt-v>Tp%sAu literal 0 HcmV?d00001 diff --git a/src/commands/__tests__/__snapshots__/login.test.ts.snap b/src/commands/__tests__/__snapshots__/login.test.ts.snap index f715943..1f4d31e 100644 --- a/src/commands/__tests__/__snapshots__/login.test.ts.snap +++ b/src/commands/__tests__/__snapshots__/login.test.ts.snap @@ -3,14 +3,7 @@ exports[`login organization exists should write the user's identity & config to the file system 1`] = ` [ [ - "/Users/fabianjoya/.p0/config.json", - "{"fs":{"apiKey":"AIzaSyC9A5VXSwDDS-Vp4WH_UIanEqJvv_7XdlQ","authDomain":"p0-gcp-project.firebaseapp.com","projectId":"p0-gcp-project","storageBucket":"p0-gcp-project.appspot.com","messagingSenderId":"398809717501","appId":"1:398809717501:web:6dd1cab893b2faeb06fc94"},"google":{"clientId":"398809717501-j4j8ldjicsspidl4ecj6nj1oomo9eda1.apps.googleusercontent.com","clientSecret":"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"},"appUrl":"http://localhost:8088","environment":"production"}", - { - "mode": "600", - }, - ], - [ - "/path/to/home/.p0", + "/dummy/identity/file/path", "{ "credential": { "access_token": "test-access-token", diff --git a/src/commands/__tests__/login.test.ts b/src/commands/__tests__/login.test.ts index a0fe372..60b07c0 100644 --- a/src/commands/__tests__/login.test.ts +++ b/src/commands/__tests__/login.test.ts @@ -18,7 +18,11 @@ jest.spyOn(Date, "now").mockReturnValue(1.6e12); jest.mock("fs/promises"); jest.mock("../../drivers/auth", () => ({ ...jest.requireActual("../../drivers/auth"), - IDENTITY_FILE_PATH: "/path/to/home/.p0", + IDENTITY_FILE_PATH: "/dummy/identity/file/path", +})); +jest.mock("../../drivers/config", () => ({ + ...jest.requireActual("../../drivers/config"), + saveConfig: jest.fn(), })); jest.mock("../../drivers/stdio"); jest.mock("../../plugins/login"); @@ -34,6 +38,7 @@ describe("login", () => { `"Could not find organization"` ); }); + it("should print a friendly error if unsupported login", async () => { mockGetDoc({ slug: "test-org", @@ -44,6 +49,7 @@ describe("login", () => { `"Unsupported login for your organization"` ); }); + describe("organization exists", () => { let credentialData: string = ""; mockReadFile.mockImplementation(async () => @@ -60,27 +66,33 @@ describe("login", () => { }, }) ); + beforeEach(() => { credentialData = ""; jest.clearAllMocks(); + mockGetDoc({ slug: "test-org", tenantId: "test-tenant", ssoProvider: "google", }); }); + it("should call the provider's login function", async () => { await login({ org: "test-org" }); expect(pluginLoginMap.google).toHaveBeenCalled(); }); + it("should write the user's identity & config to the file system", async () => { await login({ org: "test-org" }); expect(mockWriteFile.mock.calls).toMatchSnapshot(); }); + it("validates authentication", async () => { await login({ org: "test-org" }); expect((signInWithCredential as jest.Mock).mock.calls).toMatchSnapshot(); }); + it("returns an error message if firebase cannot determine the user's email", async () => { mockSignInWithCredential.mockResolvedValueOnce({ user: {}, From 52043b7dece5a8981962c9f5a9f127bf03c319df Mon Sep 17 00:00:00 2001 From: Fabian Joya Date: Fri, 18 Oct 2024 10:28:02 -0400 Subject: [PATCH 5/6] Fix a few minor bugs. --- src/commands/login.ts | 4 ++-- src/drivers/config.ts | 1 + src/drivers/firestore.ts | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/commands/login.ts b/src/commands/login.ts index ac43977..58cf055 100644 --- a/src/commands/login.ts +++ b/src/commands/login.ts @@ -9,6 +9,7 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ import { + authenticate, IDENTITY_CACHE_PATH, IDENTITY_FILE_PATH, loadCredentials, @@ -60,8 +61,7 @@ export const login = async ( // validate auth if (!options?.skipAuthenticate) { - const identity = await loadCredentials({ noRefresh: true }); - await authenticateToFirebase(identity); + await authenticate(); } print2(`You are now logged in, and can use the p0 CLI.`); diff --git a/src/drivers/config.ts b/src/drivers/config.ts index 55d652a..cd29159 100644 --- a/src/drivers/config.ts +++ b/src/drivers/config.ts @@ -27,6 +27,7 @@ export async function saveConfig(config: Config) { const dir = path.dirname(CONFIG_FILE_PATH); await fs.mkdir(dir, { recursive: true }); await fs.writeFile(CONFIG_FILE_PATH, JSON.stringify(config), { mode: "600" }); + tenantConfig = config; } export async function loadConfig() { diff --git a/src/drivers/firestore.ts b/src/drivers/firestore.ts index ae11035..f196738 100644 --- a/src/drivers/firestore.ts +++ b/src/drivers/firestore.ts @@ -94,7 +94,7 @@ export const fsShutdownGuard = try { await cb(args); } finally { - void terminate(bootstrapFirestore); - void terminate(firestore); + if (bootstrapFirestore) void terminate(bootstrapFirestore); + if (firestore) void terminate(firestore); } }; From 039f83971d1d4f613c25bf4c6747b26630956c7e Mon Sep 17 00:00:00 2001 From: Fabian Joya Date: Fri, 18 Oct 2024 10:47:52 -0400 Subject: [PATCH 6/6] Fix test, linting --- src/commands/__tests__/login.test.ts | 2 ++ src/commands/login.ts | 7 +------ 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/src/commands/__tests__/login.test.ts b/src/commands/__tests__/login.test.ts index 60b07c0..698f565 100644 --- a/src/commands/__tests__/login.test.ts +++ b/src/commands/__tests__/login.test.ts @@ -8,6 +8,7 @@ This file is part of @p0security/cli You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see . **/ +import { bootstrapConfig } from "../../drivers/env"; import { pluginLoginMap } from "../../plugins/login"; import { mockGetDoc } from "../../testing/firestore"; import { login } from "../login"; @@ -23,6 +24,7 @@ jest.mock("../../drivers/auth", () => ({ jest.mock("../../drivers/config", () => ({ ...jest.requireActual("../../drivers/config"), saveConfig: jest.fn(), + getTenantConfig: jest.fn(() => bootstrapConfig), })); jest.mock("../../drivers/stdio"); jest.mock("../../plugins/login"); diff --git a/src/commands/login.ts b/src/commands/login.ts index 58cf055..3f2db6f 100644 --- a/src/commands/login.ts +++ b/src/commands/login.ts @@ -12,15 +12,10 @@ import { authenticate, IDENTITY_CACHE_PATH, IDENTITY_FILE_PATH, - loadCredentials, } from "../drivers/auth"; import { saveConfig } from "../drivers/config"; import { bootstrapConfig } from "../drivers/env"; -import { - authenticateToFirebase, - fsShutdownGuard, - publicDoc, -} from "../drivers/firestore"; +import { fsShutdownGuard, publicDoc } from "../drivers/firestore"; import { print2 } from "../drivers/stdio"; import { pluginLoginMap } from "../plugins/login"; import { TokenResponse } from "../types/oidc";