@aws-cdk/toolkit-lib 0.3.1 → 0.3.3

package/lib/api/aws-auth/awscli-compatible.js

@@ -0,0 +1,250 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AwsCliCompatible = void 0;
+exports.makeRequestHandler = makeRequestHandler;
+const node_util_1 = require("node:util");
+const credential_providers_1 = require("@aws-sdk/credential-providers");
+const ec2_metadata_service_1 = require("@aws-sdk/ec2-metadata-service");
+const shared_ini_file_loader_1 = require("@smithy/shared-ini-file-loader");
+const promptly = require("promptly");
+const provider_caching_1 = require("./provider-caching");
+const proxy_agent_1 = require("./proxy-agent");
+const private_1 = require("../io/private");
+const toolkit_error_1 = require("../toolkit-error");
+const DEFAULT_CONNECTION_TIMEOUT = 10000;
+const DEFAULT_TIMEOUT = 300000;
+/**
+ * Behaviors to match AWS CLI
+ *
+ * See these links:
+ *
+ * https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
+ * https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+ */
+class AwsCliCompatible {
+    ioHelper;
+    requestHandler;
+    logger;
+    constructor(ioHelper, requestHandler, logger) {
+        this.ioHelper = ioHelper;
+        this.requestHandler = requestHandler;
+        this.logger = logger;
+    }
+    async baseConfig(profile) {
+        const credentialProvider = await this.credentialChainBuilder({
+            profile,
+            logger: this.logger,
+        });
+        const defaultRegion = await this.region(profile);
+        return { credentialProvider, defaultRegion };
+    }
+    /**
+     * Build an AWS CLI-compatible credential chain provider
+     *
+     * The credential chain returned by this function is always caching.
+     */
+    async credentialChainBuilder(options = {}) {
+        const clientConfig = {
+            requestHandler: this.requestHandler,
+            customUserAgent: 'aws-cdk',
+            logger: options.logger,
+        };
+        // Super hacky solution to https://github.com/aws/aws-cdk/issues/32510, proposed by the SDK team.
+        //
+        // Summary of the problem: we were reading the region from the config file and passing it to
+        // the credential providers. However, in the case of SSO, this makes the credential provider
+        // use that region to do the SSO flow, which is incorrect. The region that should be used for
+        // that is the one set in the sso_session section of the config file.
+        //
+        // The idea here: the "clientConfig" is for configuring the inner auth client directly,
+        // and has the highest priority, whereas "parentClientConfig" is the upper data client
+        // and has lower priority than the sso_region but still higher priority than STS global region.
+        const parentClientConfig = {
+            region: await this.region(options.profile),
+        };
+        /**
+         * The previous implementation matched AWS CLI behavior:
+         *
+         * If a profile is explicitly set using `--profile`,
+         * we use that to the exclusion of everything else.
+         *
+         * Note: this does not apply to AWS_PROFILE,
+         * environment credentials still take precedence over AWS_PROFILE
+         */
+        if (options.profile) {
+            return (0, provider_caching_1.makeCachingProvider)((0, credential_providers_1.fromIni)({
+                profile: options.profile,
+                ignoreCache: true,
+                mfaCodeProvider: this.tokenCodeFn.bind(this),
+                clientConfig,
+                parentClientConfig,
+                logger: options.logger,
+            }));
+        }
+        const envProfile = process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE;
+        /**
+         * Env AWS - EnvironmentCredentials with string AWS
+         * Env Amazon - EnvironmentCredentials with string AMAZON
+         * Profile Credentials - PatchedSharedIniFileCredentials with implicit profile, credentials file, http options, and token fn
+         *    SSO with implicit profile only
+         *    SharedIniFileCredentials with implicit profile and preferStaticCredentials true (profile with source_profile)
+         *    Shared Credential file that points to Environment Credentials with AWS prefix
+         *    Shared Credential file that points to EC2 Metadata
+         *    Shared Credential file that points to ECS Credentials
+         * SSO Credentials - SsoCredentials with implicit profile and http options
+         * ProcessCredentials with implicit profile
+         * ECS Credentials - ECSCredentials with no input OR Web Identity - TokenFileWebIdentityCredentials with no input OR EC2 Metadata - EC2MetadataCredentials with no input
+         *
+         * These translate to:
+         * fromEnv()
+         * fromSSO()/fromIni()
+         * fromProcess()
+         * fromContainerMetadata()
+         * fromTokenFile()
+         * fromInstanceMetadata()
+         *
+         * The NodeProviderChain is already cached.
+         */
+        const nodeProviderChain = (0, credential_providers_1.fromNodeProviderChain)({
+            profile: envProfile,
+            clientConfig,
+            parentClientConfig,
+            logger: options.logger,
+            mfaCodeProvider: this.tokenCodeFn.bind(this),
+            ignoreCache: true,
+        });
+        return shouldPrioritizeEnv()
+            ? (0, credential_providers_1.createCredentialChain)((0, credential_providers_1.fromEnv)(), nodeProviderChain).expireAfter(60 * 60_000)
+            : nodeProviderChain;
+    }
+    /**
+     * Attempts to get the region from a number of sources and falls back to us-east-1 if no region can be found,
+     * as is done in the AWS CLI.
+     *
+     * The order of priority is the following:
+     *
+     * 1. Environment variables specifying region, with both an AWS prefix and AMAZON prefix
+     *    to maintain backwards compatibility, and without `DEFAULT` in the name because
+     *    Lambda and CodeBuild set the $AWS_REGION variable.
+     * 2. Regions listed in the Shared Ini Files - First checking for the profile provided
+     *    and then checking for the default profile.
+     * 3. IMDS instance identity region from the Metadata Service.
+     * 4. us-east-1
+     */
+    async region(maybeProfile) {
+        const defaultRegion = 'us-east-1';
+        const profile = maybeProfile || process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || 'default';
+        const region = process.env.AWS_REGION ||
+            process.env.AMAZON_REGION ||
+            process.env.AWS_DEFAULT_REGION ||
+            process.env.AMAZON_DEFAULT_REGION ||
+            (await this.getRegionFromIni(profile)) ||
+            (await this.regionFromMetadataService());
+        if (!region) {
+            const usedProfile = !profile ? '' : ` (profile: "${profile}")`;
+            await this.ioHelper.notify(private_1.IO.DEFAULT_SDK_DEBUG.msg(`Unable to determine AWS region from environment or AWS configuration${usedProfile}, defaulting to '${defaultRegion}'`));
+            return defaultRegion;
+        }
+        return region;
+    }
+    /**
+     * The MetadataService class will attempt to fetch the instance identity document from
+     * IMDSv2 first, and then will attempt v1 as a fallback.
+     *
+     * If this fails, we will use us-east-1 as the region so no error should be thrown.
+     * @returns The region for the instance identity
+     */
+    async regionFromMetadataService() {
+        await this.ioHelper.notify(private_1.IO.DEFAULT_SDK_DEBUG.msg('Looking up AWS region in the EC2 Instance Metadata Service (IMDS).'));
+        try {
+            const metadataService = new ec2_metadata_service_1.MetadataService({
+                httpOptions: {
+                    timeout: 1000,
+                },
+            });
+            await metadataService.fetchMetadataToken();
+            const document = await metadataService.request('/latest/dynamic/instance-identity/document', {});
+            return JSON.parse(document).region;
+        }
+        catch (e) {
+            await this.ioHelper.notify(private_1.IO.DEFAULT_SDK_DEBUG.msg(`Unable to retrieve AWS region from IMDS: ${e}`));
+        }
+    }
+    /**
+     * Looks up the region of the provided profile. If no region is present,
+     * it will attempt to lookup the default region.
+     * @param profile The profile to use to lookup the region
+     * @returns The region for the profile or default profile, if present. Otherwise returns undefined.
+     */
+    async getRegionFromIni(profile) {
+        const sharedFiles = await (0, shared_ini_file_loader_1.loadSharedConfigFiles)({ ignoreCache: true });
+        // Priority:
+        //
+        // credentials come before config because aws-cli v1 behaves like that.
+        //
+        // 1. profile-region-in-credentials
+        // 2. profile-region-in-config
+        // 3. default-region-in-credentials
+        // 4. default-region-in-config
+        return this.getRegionFromIniFile(profile, sharedFiles.credentialsFile)
+            ?? this.getRegionFromIniFile(profile, sharedFiles.configFile)
+            ?? this.getRegionFromIniFile('default', sharedFiles.credentialsFile)
+            ?? this.getRegionFromIniFile('default', sharedFiles.configFile);
+    }
+    getRegionFromIniFile(profile, data) {
+        return data?.[profile]?.region;
+    }
+    /**
+     * Ask user for MFA token for given serial
+     *
+     * Result is send to callback function for SDK to authorize the request
+     */
+    async tokenCodeFn(serialArn) {
+        const debugFn = (msg, ...args) => this.ioHelper.notify(private_1.IO.DEFAULT_SDK_DEBUG.msg((0, node_util_1.format)(msg, ...args)));
+        await debugFn('Require MFA token for serial ARN', serialArn);
+        try {
+            const token = await promptly.prompt(`MFA token for ${serialArn}: `, {
+                trim: true,
+                default: '',
+            });
+            await debugFn('Successfully got MFA token from user');
+            return token;
+        }
+        catch (err) {
+            await debugFn('Failed to get MFA token', err);
+            const e = new toolkit_error_1.AuthenticationError(`Error fetching MFA token: ${err.message ?? err}`);
+            e.name = 'SharedIniFileCredentialsProviderFailure';
+            throw e;
+        }
+    }
+}
+exports.AwsCliCompatible = AwsCliCompatible;
+/**
+ * We used to support both AWS and AMAZON prefixes for these environment variables.
+ *
+ * Adding this for backward compatibility.
+ */
+function shouldPrioritizeEnv() {
+    const id = process.env.AWS_ACCESS_KEY_ID || process.env.AMAZON_ACCESS_KEY_ID;
+    const key = process.env.AWS_SECRET_ACCESS_KEY || process.env.AMAZON_SECRET_ACCESS_KEY;
+    if (!!id && !!key) {
+        process.env.AWS_ACCESS_KEY_ID = id;
+        process.env.AWS_SECRET_ACCESS_KEY = key;
+        const sessionToken = process.env.AWS_SESSION_TOKEN ?? process.env.AMAZON_SESSION_TOKEN;
+        if (sessionToken) {
+            process.env.AWS_SESSION_TOKEN = sessionToken;
+        }
+        return true;
+    }
+    return false;
+}
+async function makeRequestHandler(ioHelper, options = {}) {
+    const agent = await new proxy_agent_1.ProxyAgentProvider(ioHelper).create(options);
+    return {
+        connectionTimeout: DEFAULT_CONNECTION_TIMEOUT,
+        requestTimeout: DEFAULT_TIMEOUT,
+        httpsAgent: agent,
+        httpAgent: agent,
+    };
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXdzY2xpLWNvbXBhdGlibGUuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJhd3NjbGktY29tcGF0aWJsZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFnUkEsZ0RBU0M7QUF6UkQseUNBQW1DO0FBQ25DLHdFQUErRztBQUMvRyx3RUFBZ0U7QUFFaEUsMkVBQXVFO0FBRXZFLHFDQUFxQztBQUNyQyx5REFBeUQ7QUFDekQsK0NBQW1EO0FBRW5ELDJDQUFrRDtBQUNsRCxvREFBdUQ7QUFFdkQsTUFBTSwwQkFBMEIsR0FBRyxLQUFLLENBQUM7QUFDekMsTUFBTSxlQUFlLEdBQUcsTUFBTSxDQUFDO0FBRS9COzs7Ozs7O0dBT0c7QUFDSCxNQUFhLGdCQUFnQjtJQUNWLFFBQVEsQ0FBVztJQUNuQixjQUFjLENBQXlCO0lBQ3ZDLE1BQU0sQ0FBVTtJQUVqQyxZQUFtQixRQUFrQixFQUFFLGNBQXNDLEVBQUUsTUFBZTtRQUM1RixJQUFJLENBQUMsUUFBUSxHQUFHLFFBQVEsQ0FBQztRQUN6QixJQUFJLENBQUMsY0FBYyxHQUFHLGNBQWMsQ0FBQztRQUNyQyxJQUFJLENBQUMsTUFBTSxHQUFHLE1BQU0sQ0FBQztJQUN2QixDQUFDO0lBRU0sS0FBSyxDQUFDLFVBQVUsQ0FBQyxPQUFnQjtRQUN0QyxNQUFNLGtCQUFrQixHQUFHLE1BQU0sSUFBSSxDQUFDLHNCQUFzQixDQUFDO1lBQzNELE9BQU87WUFDUCxNQUFNLEVBQUUsSUFBSSxDQUFDLE1BQU07U0FDcEIsQ0FBQyxDQUFDO1FBQ0gsTUFBTSxhQUFhLEdBQUcsTUFBTSxJQUFJLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQ2pELE9BQU8sRUFBRSxrQkFBa0IsRUFBRSxhQUFhLEVBQUUsQ0FBQztJQUMvQyxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLEtBQUssQ0FBQyxzQkFBc0IsQ0FDakMsVUFBa0MsRUFBRTtRQUVwQyxNQUFNLFlBQVksR0FBRztZQUNuQixjQUFjLEVBQUUsSUFBSSxDQUFDLGNBQWM7WUFDbkMsZUFBZSxFQUFFLFNBQVM7WUFDMUIsTUFBTSxFQUFFLE9BQU8sQ0FBQyxNQUFNO1NBQ3ZCLENBQUM7UUFFRixpR0FBaUc7UUFDakcsRUFBRTtRQUNGLDRGQUE0RjtRQUM1Riw0RkFBNEY7UUFDNUYsNkZBQTZGO1FBQzdGLHFFQUFxRTtRQUNyRSxFQUFFO1FBQ0YsdUZBQXVGO1FBQ3ZGLHNGQUFzRjtRQUN0RiwrRkFBK0Y7UUFDL0YsTUFBTSxrQkFBa0IsR0FBRztZQUN6QixNQUFNLEVBQUUsTUFBTSxJQUFJLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUM7U0FDM0MsQ0FBQztRQUNGOzs7Ozs7OztXQVFHO1FBQ0gsSUFBSSxPQUFPLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDcEIsT0FBTyxJQUFBLHNDQUFtQixFQUFDLElBQUEsOEJBQU8sRUFBQztnQkFDakMsT0FBTyxFQUFFLE9BQU8sQ0FBQyxPQUFPO2dCQUN4QixXQUFXLEVBQUUsSUFBSTtnQkFDakIsZUFBZSxFQUFFLElBQUksQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQztnQkFDNUMsWUFBWTtnQkFDWixrQkFBa0I7Z0JBQ2xCLE1BQU0sRUFBRSxPQUFPLENBQUMsTUFBTTthQUN2QixDQUFDLENBQUMsQ0FBQztRQUNOLENBQUM7UUFFRCxNQUFNLFVBQVUsR0FBRyxPQUFPLENBQUMsR0FBRyxDQUFDLFdBQVcsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLG1CQUFtQixDQUFDO1FBRTlFOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O1dBc0JHO1FBQ0gsTUFBTSxpQkFBaUIsR0FBRyxJQUFBLDRDQUFxQixFQUFDO1lBQzlDLE9BQU8sRUFBRSxVQUFVO1lBQ25CLFlBQVk7WUFDWixrQkFBa0I7WUFDbEIsTUFBTSxFQUFFLE9BQU8sQ0FBQyxNQUFNO1lBQ3RCLGVBQWUsRUFBRSxJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUM7WUFDNUMsV0FBVyxFQUFFLElBQUk7U0FDbEIsQ0FBQyxDQUFDO1FBRUgsT0FBTyxtQkFBbUIsRUFBRTtZQUMxQixDQUFDLENBQUMsSUFBQSw0Q0FBcUIsRUFBQyxJQUFBLDhCQUFPLEdBQUUsRUFBRSxpQkFBaUIsQ0FBQyxDQUFDLFdBQVcsQ0FBQyxFQUFFLEdBQUcsTUFBTSxDQUFDO1lBQzlFLENBQUMsQ0FBQyxpQkFBaUIsQ0FBQztJQUN4QixDQUFDO0lBRUQ7Ozs7Ozs7Ozs7Ozs7T0FhRztJQUNJLEtBQUssQ0FBQyxNQUFNLENBQUMsWUFBcUI7UUFDdkMsTUFBTSxhQUFhLEdBQUcsV0FBVyxDQUFDO1FBQ2xDLE1BQU0sT0FBTyxHQUFHLFlBQVksSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLFdBQVcsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLG1CQUFtQixJQUFJLFNBQVMsQ0FBQztRQUV4RyxNQUFNLE1BQU0sR0FDVixPQUFPLENBQUMsR0FBRyxDQUFDLFVBQVU7WUFDdEIsT0FBTyxDQUFDLEdBQUcsQ0FBQyxhQUFhO1lBQ3pCLE9BQU8sQ0FBQyxHQUFHLENBQUMsa0JBQWtCO1lBQzlCLE9BQU8sQ0FBQyxHQUFHLENBQUMscUJBQXFCO1lBQ2pDLENBQUMsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLENBQUM7WUFDdEMsQ0FBQyxNQUFNLElBQUksQ0FBQyx5QkFBeUIsRUFBRSxDQUFDLENBQUM7UUFFM0MsSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ1osTUFBTSxXQUFXLEdBQUcsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsZUFBZSxPQUFPLElBQUksQ0FBQztZQUMvRCxNQUFNLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLFlBQUUsQ0FBQyxpQkFBaUIsQ0FBQyxHQUFHLENBQ2pELHVFQUF1RSxXQUFXLG9CQUFvQixhQUFhLEdBQUcsQ0FDdkgsQ0FBQyxDQUFDO1lBQ0gsT0FBTyxhQUFhLENBQUM7UUFDdkIsQ0FBQztRQUVELE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSyxLQUFLLENBQUMseUJBQXlCO1FBQ3JDLE1BQU0sSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsWUFBRSxDQUFDLGlCQUFpQixDQUFDLEdBQUcsQ0FBQyxvRUFBb0UsQ0FBQyxDQUFDLENBQUM7UUFDM0gsSUFBSSxDQUFDO1lBQ0gsTUFBTSxlQUFlLEdBQUcsSUFBSSxzQ0FBZSxDQUFDO2dCQUMxQyxXQUFXLEVBQUU7b0JBQ1gsT0FBTyxFQUFFLElBQUk7aUJBQ2Q7YUFDRixDQUFDLENBQUM7WUFFSCxNQUFNLGVBQWUsQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1lBQzNDLE1BQU0sUUFBUSxHQUFHLE1BQU0sZUFBZSxDQUFDLE9BQU8sQ0FBQyw0Q0FBNEMsRUFBRSxFQUFFLENBQUMsQ0FBQztZQUNqRyxPQUFPLElBQUksQ0FBQyxLQUFLLENBQUMsUUFBUSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ3JDLENBQUM7UUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1lBQ1gsTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxZQUFFLENBQUMsaUJBQWlCLENBQUMsR0FBRyxDQUFDLDRDQUE0QyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7UUFDeEcsQ0FBQztJQUNILENBQUM7SUFFRDs7Ozs7T0FLRztJQUNLLEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFlO1FBQzVDLE1BQU0sV0FBVyxHQUFHLE1BQU0sSUFBQSw4Q0FBcUIsRUFBQyxFQUFFLFdBQVcsRUFBRSxJQUFJLEVBQUUsQ0FBQyxDQUFDO1FBRXZFLFlBQVk7UUFDWixFQUFFO1FBQ0YsdUVBQXVFO1FBQ3ZFLEVBQUU7UUFDRixtQ0FBbUM7UUFDbkMsOEJBQThCO1FBQzlCLG1DQUFtQztRQUNuQyw4QkFBOEI7UUFFOUIsT0FBTyxJQUFJLENBQUMsb0JBQW9CLENBQUMsT0FBTyxFQUFFLFdBQVcsQ0FBQyxlQUFlLENBQUM7ZUFDbkUsSUFBSSxDQUFDLG9CQUFvQixDQUFDLE9BQU8sRUFBRSxXQUFXLENBQUMsVUFBVSxDQUFDO2VBQzFELElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxTQUFTLEVBQUUsV0FBVyxDQUFDLGVBQWUsQ0FBQztlQUNqRSxJQUFJLENBQUMsb0JBQW9CLENBQUMsU0FBUyxFQUFFLFdBQVcsQ0FBQyxVQUFVLENBQUMsQ0FBQztJQUNsRSxDQUFDO0lBRU8sb0JBQW9CLENBQUMsT0FBZSxFQUFFLElBQVU7UUFDdEQsT0FBTyxJQUFJLEVBQUUsQ0FBQyxPQUFPLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDakMsQ0FBQztJQUVEOzs7O09BSUc7SUFDSyxLQUFLLENBQUMsV0FBVyxDQUFDLFNBQWlCO1FBQ3pDLE1BQU0sT0FBTyxHQUFHLENBQUMsR0FBVyxFQUFFLEdBQUcsSUFBVyxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxZQUFFLENBQUMsaUJBQWlCLENBQUMsR0FBRyxDQUFDLElBQUEsa0JBQU0sRUFBQyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDdEgsTUFBTSxPQUFPLENBQUMsa0NBQWtDLEVBQUUsU0FBUyxDQUFDLENBQUM7UUFDN0QsSUFBSSxDQUFDO1lBQ0gsTUFBTSxLQUFLLEdBQVcsTUFBTSxRQUFRLENBQUMsTUFBTSxDQUFDLGlCQUFpQixTQUFTLElBQUksRUFBRTtnQkFDMUUsSUFBSSxFQUFFLElBQUk7Z0JBQ1YsT0FBTyxFQUFFLEVBQUU7YUFDWixDQUFDLENBQUM7WUFDSCxNQUFNLE9BQU8sQ0FBQyxzQ0FBc0MsQ0FBQyxDQUFDO1lBQ3RELE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztRQUFDLE9BQU8sR0FBUSxFQUFFLENBQUM7WUFDbEIsTUFBTSxPQUFPLENBQUMseUJBQXlCLEVBQUUsR0FBRyxDQUFDLENBQUM7WUFDOUMsTUFBTSxDQUFDLEdBQUcsSUFBSSxtQ0FBbUIsQ0FBQyw2QkFBNkIsR0FBRyxDQUFDLE9BQU8sSUFBSSxHQUFHLEVBQUUsQ0FBQyxDQUFDO1lBQ3JGLENBQUMsQ0FBQyxJQUFJLEdBQUcseUNBQXlDLENBQUM7WUFDbkQsTUFBTSxDQUFDLENBQUM7UUFDVixDQUFDO0lBQ0gsQ0FBQztDQUNGO0FBek5ELDRDQXlOQztBQUVEOzs7O0dBSUc7QUFDSCxTQUFTLG1CQUFtQjtJQUMxQixNQUFNLEVBQUUsR0FBRyxPQUFPLENBQUMsR0FBRyxDQUFDLGlCQUFpQixJQUFJLE9BQU8sQ0FBQyxHQUFHLENBQUMsb0JBQW9CLENBQUM7SUFDN0UsTUFBTSxHQUFHLEdBQUcsT0FBTyxDQUFDLEdBQUcsQ0FBQyxxQkFBcUIsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLHdCQUF3QixDQUFDO0lBRXRGLElBQUksQ0FBQyxDQUFDLEVBQUUsSUFBSSxDQUFDLENBQUMsR0FBRyxFQUFFLENBQUM7UUFDbEIsT0FBTyxDQUFDLEdBQUcsQ0FBQyxpQkFBaUIsR0FBRyxFQUFFLENBQUM7UUFDbkMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxxQkFBcUIsR0FBRyxHQUFHLENBQUM7UUFFeEMsTUFBTSxZQUFZLEdBQUcsT0FBTyxDQUFDLEdBQUcsQ0FBQyxpQkFBaUIsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLG9CQUFvQixDQUFDO1FBQ3ZGLElBQUksWUFBWSxFQUFFLENBQUM7WUFDakIsT0FBTyxDQUFDLEdBQUcsQ0FBQyxpQkFBaUIsR0FBRyxZQUFZLENBQUM7UUFDL0MsQ0FBQztRQUVELE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUVELE9BQU8sS0FBSyxDQUFDO0FBQ2YsQ0FBQztBQU9NLEtBQUssVUFBVSxrQkFBa0IsQ0FBQyxRQUFrQixFQUFFLFVBQTBCLEVBQUU7SUFDdkYsTUFBTSxLQUFLLEdBQUcsTUFBTSxJQUFJLGdDQUFrQixDQUFDLFFBQVEsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUVyRSxPQUFPO1FBQ0wsaUJBQWlCLEVBQUUsMEJBQTBCO1FBQzdDLGNBQWMsRUFBRSxlQUFlO1FBQy9CLFVBQVUsRUFBRSxLQUFLO1FBQ2pCLFNBQVMsRUFBRSxLQUFLO0tBQ2pCLENBQUM7QUFDSixDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgZm9ybWF0IH0gZnJvbSAnbm9kZTp1dGlsJztcbmltcG9ydCB7IGNyZWF0ZUNyZWRlbnRpYWxDaGFpbiwgZnJvbUVudiwgZnJvbUluaSwgZnJvbU5vZGVQcm92aWRlckNoYWluIH0gZnJvbSAnQGF3cy1zZGsvY3JlZGVudGlhbC1wcm92aWRlcnMnO1xuaW1wb3J0IHsgTWV0YWRhdGFTZXJ2aWNlIH0gZnJvbSAnQGF3cy1zZGsvZWMyLW1ldGFkYXRhLXNlcnZpY2UnO1xuaW1wb3J0IHR5cGUgeyBOb2RlSHR0cEhhbmRsZXJPcHRpb25zIH0gZnJvbSAnQHNtaXRoeS9ub2RlLWh0dHAtaGFuZGxlcic7XG5pbXBvcnQgeyBsb2FkU2hhcmVkQ29uZmlnRmlsZXMgfSBmcm9tICdAc21pdGh5L3NoYXJlZC1pbmktZmlsZS1sb2FkZXInO1xuaW1wb3J0IHR5cGUgeyBBd3NDcmVkZW50aWFsSWRlbnRpdHlQcm92aWRlciwgTG9nZ2VyIH0gZnJvbSAnQHNtaXRoeS90eXBlcyc7XG5pbXBvcnQgKiBhcyBwcm9tcHRseSBmcm9tICdwcm9tcHRseSc7XG5pbXBvcnQgeyBtYWtlQ2FjaGluZ1Byb3ZpZGVyIH0gZnJvbSAnLi9wcm92aWRlci1jYWNoaW5nJztcbmltcG9ydCB7IFByb3h5QWdlbnRQcm92aWRlciB9IGZyb20gJy4vcHJveHktYWdlbnQnO1xuaW1wb3J0IHR5cGUgeyBTZGtIdHRwT3B0aW9ucyB9IGZyb20gJy4vdHlwZXMnO1xuaW1wb3J0IHsgSU8sIHR5cGUgSW9IZWxwZXIgfSBmcm9tICcuLi9pby9wcml2YXRlJztcbmltcG9ydCB7IEF1dGhlbnRpY2F0aW9uRXJyb3IgfSBmcm9tICcuLi90b29sa2l0LWVycm9yJztcblxuY29uc3QgREVGQVVMVF9DT05ORUNUSU9OX1RJTUVPVVQgPSAxMDAwMDtcbmNvbnN0IERFRkFVTFRfVElNRU9VVCA9IDMwMDAwMDtcblxuLyoqXG4gKiBCZWhhdmlvcnMgdG8gbWF0Y2ggQVdTIENMSVxuICpcbiAqIFNlZSB0aGVzZSBsaW5rczpcbiAqXG4gKiBodHRwczovL2RvY3MuYXdzLmFtYXpvbi5jb20vY2xpL2xhdGVzdC90b3BpYy9jb25maWctdmFycy5odG1sXG4gKiBodHRwczovL2RvY3MuYXdzLmFtYXpvbi5jb20vY2xpL2xhdGVzdC91c2VyZ3VpZGUvY2xpLWNvbmZpZ3VyZS1lbnZ2YXJzLmh0bWxcbiAqL1xuZXhwb3J0IGNsYXNzIEF3c0NsaUNvbXBhdGlibGUge1xuICBwcml2YXRlIHJlYWRvbmx5IGlvSGVscGVyOiBJb0hlbHBlcjtcbiAgcHJpdmF0ZSByZWFkb25seSByZXF1ZXN0SGFuZGxlcjogTm9kZUh0dHBIYW5kbGVyT3B0aW9ucztcbiAgcHJpdmF0ZSByZWFkb25seSBsb2dnZXI/OiBMb2dnZXI7XG5cbiAgcHVibGljIGNvbnN0cnVjdG9yKGlvSGVscGVyOiBJb0hlbHBlciwgcmVxdWVzdEhhbmRsZXI6IE5vZGVIdHRwSGFuZGxlck9wdGlvbnMsIGxvZ2dlcj86IExvZ2dlcikge1xuICAgIHRoaXMuaW9IZWxwZXIgPSBpb0hlbHBlcjtcbiAgICB0aGlzLnJlcXVlc3RIYW5kbGVyID0gcmVxdWVzdEhhbmRsZXI7XG4gICAgdGhpcy5sb2dnZXIgPSBsb2dnZXI7XG4gIH1cblxuICBwdWJsaWMgYXN5bmMgYmFzZUNvbmZpZyhwcm9maWxlPzogc3RyaW5nKTogUHJvbWlzZTx7IGNyZWRlbnRpYWxQcm92aWRlcjogQXdzQ3JlZGVudGlhbElkZW50aXR5UHJvdmlkZXI7IGRlZmF1bHRSZWdpb246IHN0cmluZyB9PiB7XG4gICAgY29uc3QgY3JlZGVudGlhbFByb3ZpZGVyID0gYXdhaXQgdGhpcy5jcmVkZW50aWFsQ2hhaW5CdWlsZGVyKHtcbiAgICAgIHByb2ZpbGUsXG4gICAgICBsb2dnZXI6IHRoaXMubG9nZ2VyLFxuICAgIH0pO1xuICAgIGNvbnN0IGRlZmF1bHRSZWdpb24gPSBhd2FpdCB0aGlzLnJlZ2lvbihwcm9maWxlKTtcbiAgICByZXR1cm4geyBjcmVkZW50aWFsUHJvdmlkZXIsIGRlZmF1bHRSZWdpb24gfTtcbiAgfVxuXG4gIC8qKlxuICAgKiBCdWlsZCBhbiBBV1MgQ0xJLWNvbXBhdGlibGUgY3JlZGVudGlhbCBjaGFpbiBwcm92aWRlclxuICAgKlxuICAgKiBUaGUgY3JlZGVudGlhbCBjaGFpbiByZXR1cm5lZCBieSB0aGlzIGZ1bmN0aW9uIGlzIGFsd2F5cyBjYWNoaW5nLlxuICAgKi9cbiAgcHVibGljIGFzeW5jIGNyZWRlbnRpYWxDaGFpbkJ1aWxkZXIoXG4gICAgb3B0aW9uczogQ3JlZGVudGlhbENoYWluT3B0aW9ucyA9IHt9LFxuICApOiBQcm9taXNlPEF3c0NyZWRlbnRpYWxJZGVudGl0eVByb3ZpZGVyPiB7XG4gICAgY29uc3QgY2xpZW50Q29uZmlnID0ge1xuICAgICAgcmVxdWVzdEhhbmRsZXI6IHRoaXMucmVxdWVzdEhhbmRsZXIsXG4gICAgICBjdXN0b21Vc2VyQWdlbnQ6ICdhd3MtY2RrJyxcbiAgICAgIGxvZ2dlcjogb3B0aW9ucy5sb2dnZXIsXG4gICAgfTtcblxuICAgIC8vIFN1cGVyIGhhY2t5IHNvbHV0aW9uIHRvIGh0dHBzOi8vZ2l0aHViLmNvbS9hd3MvYXdzLWNkay9pc3N1ZXMvMzI1MTAsIHByb3Bvc2VkIGJ5IHRoZSBTREsgdGVhbS5cbiAgICAvL1xuICAgIC8vIFN1bW1hcnkgb2YgdGhlIHByb2JsZW06IHdlIHdlcmUgcmVhZGluZyB0aGUgcmVnaW9uIGZyb20gdGhlIGNvbmZpZyBmaWxlIGFuZCBwYXNzaW5nIGl0IHRvXG4gICAgLy8gdGhlIGNyZWRlbnRpYWwgcHJvdmlkZXJzLiBIb3dldmVyLCBpbiB0aGUgY2FzZSBvZiBTU08sIHRoaXMgbWFrZXMgdGhlIGNyZWRlbnRpYWwgcHJvdmlkZXJcbiAgICAvLyB1c2UgdGhhdCByZWdpb24gdG8gZG8gdGhlIFNTTyBmbG93LCB3aGljaCBpcyBpbmNvcnJlY3QuIFRoZSByZWdpb24gdGhhdCBzaG91bGQgYmUgdXNlZCBmb3JcbiAgICAvLyB0aGF0IGlzIHRoZSBvbmUgc2V0IGluIHRoZSBzc29fc2Vzc2lvbiBzZWN0aW9uIG9mIHRoZSBjb25maWcgZmlsZS5cbiAgICAvL1xuICAgIC8vIFRoZSBpZGVhIGhlcmU6IHRoZSBcImNsaWVudENvbmZpZ1wiIGlzIGZvciBjb25maWd1cmluZyB0aGUgaW5uZXIgYXV0aCBjbGllbnQgZGlyZWN0bHksXG4gICAgLy8gYW5kIGhhcyB0aGUgaGlnaGVzdCBwcmlvcml0eSwgd2hlcmVhcyBcInBhcmVudENsaWVudENvbmZpZ1wiIGlzIHRoZSB1cHBlciBkYXRhIGNsaWVudFxuICAgIC8vIGFuZCBoYXMgbG93ZXIgcHJpb3JpdHkgdGhhbiB0aGUgc3NvX3JlZ2lvbiBidXQgc3RpbGwgaGlnaGVyIHByaW9yaXR5IHRoYW4gU1RTIGdsb2JhbCByZWdpb24uXG4gICAgY29uc3QgcGFyZW50Q2xpZW50Q29uZmlnID0ge1xuICAgICAgcmVnaW9uOiBhd2FpdCB0aGlzLnJlZ2lvbihvcHRpb25zLnByb2ZpbGUpLFxuICAgIH07XG4gICAgLyoqXG4gICAgICogVGhlIHByZXZpb3VzIGltcGxlbWVudGF0aW9uIG1hdGNoZWQgQVdTIENMSSBiZWhhdmlvcjpcbiAgICAgKlxuICAgICAqIElmIGEgcHJvZmlsZSBpcyBleHBsaWNpdGx5IHNldCB1c2luZyBgLS1wcm9maWxlYCxcbiAgICAgKiB3ZSB1c2UgdGhhdCB0byB0aGUgZXhjbHVzaW9uIG9mIGV2ZXJ5dGhpbmcgZWxzZS5cbiAgICAgKlxuICAgICAqIE5vdGU6IHRoaXMgZG9lcyBub3QgYXBwbHkgdG8gQVdTX1BST0ZJTEUsXG4gICAgICogZW52aXJvbm1lbnQgY3JlZGVudGlhbHMgc3RpbGwgdGFrZSBwcmVjZWRlbmNlIG92ZXIgQVdTX1BST0ZJTEVcbiAgICAgKi9cbiAgICBpZiAob3B0aW9ucy5wcm9maWxlKSB7XG4gICAgICByZXR1cm4gbWFrZUNhY2hpbmdQcm92aWRlcihmcm9tSW5pKHtcbiAgICAgICAgcHJvZmlsZTogb3B0aW9ucy5wcm9maWxlLFxuICAgICAgICBpZ25vcmVDYWNoZTogdHJ1ZSxcbiAgICAgICAgbWZhQ29kZVByb3ZpZGVyOiB0aGlzLnRva2VuQ29kZUZuLmJpbmQodGhpcyksXG4gICAgICAgIGNsaWVudENvbmZpZyxcbiAgICAgICAgcGFyZW50Q2xpZW50Q29uZmlnLFxuICAgICAgICBsb2dnZXI6IG9wdGlvbnMubG9nZ2VyLFxuICAgICAgfSkpO1xuICAgIH1cblxuICAgIGNvbnN0IGVudlByb2ZpbGUgPSBwcm9jZXNzLmVudi5BV1NfUFJPRklMRSB8fCBwcm9jZXNzLmVudi5BV1NfREVGQVVMVF9QUk9GSUxFO1xuXG4gICAgLyoqXG4gICAgICogRW52IEFXUyAtIEVudmlyb25tZW50Q3JlZGVudGlhbHMgd2l0aCBzdHJpbmcgQVdTXG4gICAgICogRW52IEFtYXpvbiAtIEVudmlyb25tZW50Q3JlZGVudGlhbHMgd2l0aCBzdHJpbmcgQU1BWk9OXG4gICAgICogUHJvZmlsZSBDcmVkZW50aWFscyAtIFBhdGNoZWRTaGFyZWRJbmlGaWxlQ3JlZGVudGlhbHMgd2l0aCBpbXBsaWNpdCBwcm9maWxlLCBjcmVkZW50aWFscyBmaWxlLCBodHRwIG9wdGlvbnMsIGFuZCB0b2tlbiBmblxuICAgICAqICAgIFNTTyB3aXRoIGltcGxpY2l0IHByb2ZpbGUgb25seVxuICAgICAqICAgIFNoYXJlZEluaUZpbGVDcmVkZW50aWFscyB3aXRoIGltcGxpY2l0IHByb2ZpbGUgYW5kIHByZWZlclN0YXRpY0NyZWRlbnRpYWxzIHRydWUgKHByb2ZpbGUgd2l0aCBzb3VyY2VfcHJvZmlsZSlcbiAgICAgKiAgICBTaGFyZWQgQ3JlZGVudGlhbCBmaWxlIHRoYXQgcG9pbnRzIHRvIEVudmlyb25tZW50IENyZWRlbnRpYWxzIHdpdGggQVdTIHByZWZpeFxuICAgICAqICAgIFNoYXJlZCBDcmVkZW50aWFsIGZpbGUgdGhhdCBwb2ludHMgdG8gRUMyIE1ldGFkYXRhXG4gICAgICogICAgU2hhcmVkIENyZWRlbnRpYWwgZmlsZSB0aGF0IHBvaW50cyB0byBFQ1MgQ3JlZGVudGlhbHNcbiAgICAgKiBTU08gQ3JlZGVudGlhbHMgLSBTc29DcmVkZW50aWFscyB3aXRoIGltcGxpY2l0IHByb2ZpbGUgYW5kIGh0dHAgb3B0aW9uc1xuICAgICAqIFByb2Nlc3NDcmVkZW50aWFscyB3aXRoIGltcGxpY2l0IHByb2ZpbGVcbiAgICAgKiBFQ1MgQ3JlZGVudGlhbHMgLSBFQ1NDcmVkZW50aWFscyB3aXRoIG5vIGlucHV0IE9SIFdlYiBJZGVudGl0eSAtIFRva2VuRmlsZVdlYklkZW50aXR5Q3JlZGVudGlhbHMgd2l0aCBubyBpbnB1dCBPUiBFQzIgTWV0YWRhdGEgLSBFQzJNZXRhZGF0YUNyZWRlbnRpYWxzIHdpdGggbm8gaW5wdXRcbiAgICAgKlxuICAgICAqIFRoZXNlIHRyYW5zbGF0ZSB0bzpcbiAgICAgKiBmcm9tRW52KClcbiAgICAgKiBmcm9tU1NPKCkvZnJvbUluaSgpXG4gICAgICogZnJvbVByb2Nlc3MoKVxuICAgICAqIGZyb21Db250YWluZXJNZXRhZGF0YSgpXG4gICAgICogZnJvbVRva2VuRmlsZSgpXG4gICAgICogZnJvbUluc3RhbmNlTWV0YWRhdGEoKVxuICAgICAqXG4gICAgICogVGhlIE5vZGVQcm92aWRlckNoYWluIGlzIGFscmVhZHkgY2FjaGVkLlxuICAgICAqL1xuICAgIGNvbnN0IG5vZGVQcm92aWRlckNoYWluID0gZnJvbU5vZGVQcm92aWRlckNoYWluKHtcbiAgICAgIHByb2ZpbGU6IGVudlByb2ZpbGUsXG4gICAgICBjbGllbnRDb25maWcsXG4gICAgICBwYXJlbnRDbGllbnRDb25maWcsXG4gICAgICBsb2dnZXI6IG9wdGlvbnMubG9nZ2VyLFxuICAgICAgbWZhQ29kZVByb3ZpZGVyOiB0aGlzLnRva2VuQ29kZUZuLmJpbmQodGhpcyksXG4gICAgICBpZ25vcmVDYWNoZTogdHJ1ZSxcbiAgICB9KTtcblxuICAgIHJldHVybiBzaG91bGRQcmlvcml0aXplRW52KClcbiAgICAgID8gY3JlYXRlQ3JlZGVudGlhbENoYWluKGZyb21FbnYoKSwgbm9kZVByb3ZpZGVyQ2hhaW4pLmV4cGlyZUFmdGVyKDYwICogNjBfMDAwKVxuICAgICAgOiBub2RlUHJvdmlkZXJDaGFpbjtcbiAgfVxuXG4gIC8qKlxuICAgKiBBdHRlbXB0cyB0byBnZXQgdGhlIHJlZ2lvbiBmcm9tIGEgbnVtYmVyIG9mIHNvdXJjZXMgYW5kIGZhbGxzIGJhY2sgdG8gdXMtZWFzdC0xIGlmIG5vIHJlZ2lvbiBjYW4gYmUgZm91bmQsXG4gICAqIGFzIGlzIGRvbmUgaW4gdGhlIEFXUyBDTEkuXG4gICAqXG4gICAqIFRoZSBvcmRlciBvZiBwcmlvcml0eSBpcyB0aGUgZm9sbG93aW5nOlxuICAgKlxuICAgKiAxLiBFbnZpcm9ubWVudCB2YXJpYWJsZXMgc3BlY2lmeWluZyByZWdpb24sIHdpdGggYm90aCBhbiBBV1MgcHJlZml4IGFuZCBBTUFaT04gcHJlZml4XG4gICAqICAgIHRvIG1haW50YWluIGJhY2t3YXJkcyBjb21wYXRpYmlsaXR5LCBhbmQgd2l0aG91dCBgREVGQVVMVGAgaW4gdGhlIG5hbWUgYmVjYXVzZVxuICAgKiAgICBMYW1iZGEgYW5kIENvZGVCdWlsZCBzZXQgdGhlICRBV1NfUkVHSU9OIHZhcmlhYmxlLlxuICAgKiAyLiBSZWdpb25zIGxpc3RlZCBpbiB0aGUgU2hhcmVkIEluaSBGaWxlcyAtIEZpcnN0IGNoZWNraW5nIGZvciB0aGUgcHJvZmlsZSBwcm92aWRlZFxuICAgKiAgICBhbmQgdGhlbiBjaGVja2luZyBmb3IgdGhlIGRlZmF1bHQgcHJvZmlsZS5cbiAgICogMy4gSU1EUyBpbnN0YW5jZSBpZGVudGl0eSByZWdpb24gZnJvbSB0aGUgTWV0YWRhdGEgU2VydmljZS5cbiAgICogNC4gdXMtZWFzdC0xXG4gICAqL1xuICBwdWJsaWMgYXN5bmMgcmVnaW9uKG1heWJlUHJvZmlsZT86IHN0cmluZyk6IFByb21pc2U8c3RyaW5nPiB7XG4gICAgY29uc3QgZGVmYXVsdFJlZ2lvbiA9ICd1cy1lYXN0LTEnO1xuICAgIGNvbnN0IHByb2ZpbGUgPSBtYXliZVByb2ZpbGUgfHwgcHJvY2Vzcy5lbnYuQVdTX1BST0ZJTEUgfHwgcHJvY2Vzcy5lbnYuQVdTX0RFRkFVTFRfUFJPRklMRSB8fCAnZGVmYXVsdCc7XG5cbiAgICBjb25zdCByZWdpb24gPVxuICAgICAgcHJvY2Vzcy5lbnYuQVdTX1JFR0lPTiB8fFxuICAgICAgcHJvY2Vzcy5lbnYuQU1BWk9OX1JFR0lPTiB8fFxuICAgICAgcHJvY2Vzcy5lbnYuQVdTX0RFRkFVTFRfUkVHSU9OIHx8XG4gICAgICBwcm9jZXNzLmVudi5BTUFaT05fREVGQVVMVF9SRUdJT04gfHxcbiAgICAgIChhd2FpdCB0aGlzLmdldFJlZ2lvbkZyb21JbmkocHJvZmlsZSkpIHx8XG4gICAgICAoYXdhaXQgdGhpcy5yZWdpb25Gcm9tTWV0YWRhdGFTZXJ2aWNlKCkpO1xuXG4gICAgaWYgKCFyZWdpb24pIHtcbiAgICAgIGNvbnN0IHVzZWRQcm9maWxlID0gIXByb2ZpbGUgPyAnJyA6IGAgKHByb2ZpbGU6IFwiJHtwcm9maWxlfVwiKWA7XG4gICAgICBhd2FpdCB0aGlzLmlvSGVscGVyLm5vdGlmeShJTy5ERUZBVUxUX1NES19ERUJVRy5tc2coXG4gICAgICAgIGBVbmFibGUgdG8gZGV0ZXJtaW5lIEFXUyByZWdpb24gZnJvbSBlbnZpcm9ubWVudCBvciBBV1MgY29uZmlndXJhdGlvbiR7dXNlZFByb2ZpbGV9LCBkZWZhdWx0aW5nIHRvICcke2RlZmF1bHRSZWdpb259J2AsXG4gICAgICApKTtcbiAgICAgIHJldHVybiBkZWZhdWx0UmVnaW9uO1xuICAgIH1cblxuICAgIHJldHVybiByZWdpb247XG4gIH1cblxuICAvKipcbiAgICogVGhlIE1ldGFkYXRhU2VydmljZSBjbGFzcyB3aWxsIGF0dGVtcHQgdG8gZmV0Y2ggdGhlIGluc3RhbmNlIGlkZW50aXR5IGRvY3VtZW50IGZyb21cbiAgICogSU1EU3YyIGZpcnN0LCBhbmQgdGhlbiB3aWxsIGF0dGVtcHQgdjEgYXMgYSBmYWxsYmFjay5cbiAgICpcbiAgICogSWYgdGhpcyBmYWlscywgd2Ugd2lsbCB1c2UgdXMtZWFzdC0xIGFzIHRoZSByZWdpb24gc28gbm8gZXJyb3Igc2hvdWxkIGJlIHRocm93bi5cbiAgICogQHJldHVybnMgVGhlIHJlZ2lvbiBmb3IgdGhlIGluc3RhbmNlIGlkZW50aXR5XG4gICAqL1xuICBwcml2YXRlIGFzeW5jIHJlZ2lvbkZyb21NZXRhZGF0YVNlcnZpY2UoKSB7XG4gICAgYXdhaXQgdGhpcy5pb0hlbHBlci5ub3RpZnkoSU8uREVGQVVMVF9TREtfREVCVUcubXNnKCdMb29raW5nIHVwIEFXUyByZWdpb24gaW4gdGhlIEVDMiBJbnN0YW5jZSBNZXRhZGF0YSBTZXJ2aWNlIChJTURTKS4nKSk7XG4gICAgdHJ5IHtcbiAgICAgIGNvbnN0IG1ldGFkYXRhU2VydmljZSA9IG5ldyBNZXRhZGF0YVNlcnZpY2Uoe1xuICAgICAgICBodHRwT3B0aW9uczoge1xuICAgICAgICAgIHRpbWVvdXQ6IDEwMDAsXG4gICAgICAgIH0sXG4gICAgICB9KTtcblxuICAgICAgYXdhaXQgbWV0YWRhdGFTZXJ2aWNlLmZldGNoTWV0YWRhdGFUb2tlbigpO1xuICAgICAgY29uc3QgZG9jdW1lbnQgPSBhd2FpdCBtZXRhZGF0YVNlcnZpY2UucmVxdWVzdCgnL2xhdGVzdC9keW5hbWljL2luc3RhbmNlLWlkZW50aXR5L2RvY3VtZW50Jywge30pO1xuICAgICAgcmV0dXJuIEpTT04ucGFyc2UoZG9jdW1lbnQpLnJlZ2lvbjtcbiAgICB9IGNhdGNoIChlKSB7XG4gICAgICBhd2FpdCB0aGlzLmlvSGVscGVyLm5vdGlmeShJTy5ERUZBVUxUX1NES19ERUJVRy5tc2coYFVuYWJsZSB0byByZXRyaWV2ZSBBV1MgcmVnaW9uIGZyb20gSU1EUzogJHtlfWApKTtcbiAgICB9XG4gIH1cblxuICAvKipcbiAgICogTG9va3MgdXAgdGhlIHJlZ2lvbiBvZiB0aGUgcHJvdmlkZWQgcHJvZmlsZS4gSWYgbm8gcmVnaW9uIGlzIHByZXNlbnQsXG4gICAqIGl0IHdpbGwgYXR0ZW1wdCB0byBsb29rdXAgdGhlIGRlZmF1bHQgcmVnaW9uLlxuICAgKiBAcGFyYW0gcHJvZmlsZSBUaGUgcHJvZmlsZSB0byB1c2UgdG8gbG9va3VwIHRoZSByZWdpb25cbiAgICogQHJldHVybnMgVGhlIHJlZ2lvbiBmb3IgdGhlIHByb2ZpbGUgb3IgZGVmYXVsdCBwcm9maWxlLCBpZiBwcmVzZW50LiBPdGhlcndpc2UgcmV0dXJucyB1bmRlZmluZWQuXG4gICAqL1xuICBwcml2YXRlIGFzeW5jIGdldFJlZ2lvbkZyb21JbmkocHJvZmlsZTogc3RyaW5nKTogUHJvbWlzZTxzdHJpbmcgfCB1bmRlZmluZWQ+IHtcbiAgICBjb25zdCBzaGFyZWRGaWxlcyA9IGF3YWl0IGxvYWRTaGFyZWRDb25maWdGaWxlcyh7IGlnbm9yZUNhY2hlOiB0cnVlIH0pO1xuXG4gICAgLy8gUHJpb3JpdHk6XG4gICAgLy9cbiAgICAvLyBjcmVkZW50aWFscyBjb21lIGJlZm9yZSBjb25maWcgYmVjYXVzZSBhd3MtY2xpIHYxIGJlaGF2ZXMgbGlrZSB0aGF0LlxuICAgIC8vXG4gICAgLy8gMS4gcHJvZmlsZS1yZWdpb24taW4tY3JlZGVudGlhbHNcbiAgICAvLyAyLiBwcm9maWxlLXJlZ2lvbi1pbi1jb25maWdcbiAgICAvLyAzLiBkZWZhdWx0LXJlZ2lvbi1pbi1jcmVkZW50aWFsc1xuICAgIC8vIDQuIGRlZmF1bHQtcmVnaW9uLWluLWNvbmZpZ1xuXG4gICAgcmV0dXJuIHRoaXMuZ2V0UmVnaW9uRnJvbUluaUZpbGUocHJvZmlsZSwgc2hhcmVkRmlsZXMuY3JlZGVudGlhbHNGaWxlKVxuICAgID8/IHRoaXMuZ2V0UmVnaW9uRnJvbUluaUZpbGUocHJvZmlsZSwgc2hhcmVkRmlsZXMuY29uZmlnRmlsZSlcbiAgICA/PyB0aGlzLmdldFJlZ2lvbkZyb21JbmlGaWxlKCdkZWZhdWx0Jywgc2hhcmVkRmlsZXMuY3JlZGVudGlhbHNGaWxlKVxuICAgID8/IHRoaXMuZ2V0UmVnaW9uRnJvbUluaUZpbGUoJ2RlZmF1bHQnLCBzaGFyZWRGaWxlcy5jb25maWdGaWxlKTtcbiAgfVxuXG4gIHByaXZhdGUgZ2V0UmVnaW9uRnJvbUluaUZpbGUocHJvZmlsZTogc3RyaW5nLCBkYXRhPzogYW55KSB7XG4gICAgcmV0dXJuIGRhdGE/Lltwcm9maWxlXT8ucmVnaW9uO1xuICB9XG5cbiAgLyoqXG4gICAqIEFzayB1c2VyIGZvciBNRkEgdG9rZW4gZm9yIGdpdmVuIHNlcmlhbFxuICAgKlxuICAgKiBSZXN1bHQgaXMgc2VuZCB0byBjYWxsYmFjayBmdW5jdGlvbiBmb3IgU0RLIHRvIGF1dGhvcml6ZSB0aGUgcmVxdWVzdFxuICAgKi9cbiAgcHJpdmF0ZSBhc3luYyB0b2tlbkNvZGVGbihzZXJpYWxBcm46IHN0cmluZyk6IFByb21pc2U8c3RyaW5nPiB7XG4gICAgY29uc3QgZGVidWdGbiA9IChtc2c6IHN0cmluZywgLi4uYXJnczogYW55W10pID0+IHRoaXMuaW9IZWxwZXIubm90aWZ5KElPLkRFRkFVTFRfU0RLX0RFQlVHLm1zZyhmb3JtYXQobXNnLCAuLi5hcmdzKSkpO1xuICAgIGF3YWl0IGRlYnVnRm4oJ1JlcXVpcmUgTUZBIHRva2VuIGZvciBzZXJpYWwgQVJOJywgc2VyaWFsQXJuKTtcbiAgICB0cnkge1xuICAgICAgY29uc3QgdG9rZW46IHN0cmluZyA9IGF3YWl0IHByb21wdGx5LnByb21wdChgTUZBIHRva2VuIGZvciAke3NlcmlhbEFybn06IGAsIHtcbiAgICAgICAgdHJpbTogdHJ1ZSxcbiAgICAgICAgZGVmYXVsdDogJycsXG4gICAgICB9KTtcbiAgICAgIGF3YWl0IGRlYnVnRm4oJ1N1Y2Nlc3NmdWxseSBnb3QgTUZBIHRva2VuIGZyb20gdXNlcicpO1xuICAgICAgcmV0dXJuIHRva2VuO1xuICAgIH0gY2F0Y2ggKGVycjogYW55KSB7XG4gICAgICBhd2FpdCBkZWJ1Z0ZuKCdGYWlsZWQgdG8gZ2V0IE1GQSB0b2tlbicsIGVycik7XG4gICAgICBjb25zdCBlID0gbmV3IEF1dGhlbnRpY2F0aW9uRXJyb3IoYEVycm9yIGZldGNoaW5nIE1GQSB0b2tlbjogJHtlcnIubWVzc2FnZSA/PyBlcnJ9YCk7XG4gICAgICBlLm5hbWUgPSAnU2hhcmVkSW5pRmlsZUNyZWRlbnRpYWxzUHJvdmlkZXJGYWlsdXJlJztcbiAgICAgIHRocm93IGU7XG4gICAgfVxuICB9XG59XG5cbi8qKlxuICogV2UgdXNlZCB0byBzdXBwb3J0IGJvdGggQVdTIGFuZCBBTUFaT04gcHJlZml4ZXMgZm9yIHRoZXNlIGVudmlyb25tZW50IHZhcmlhYmxlcy5cbiAqXG4gKiBBZGRpbmcgdGhpcyBmb3IgYmFja3dhcmQgY29tcGF0aWJpbGl0eS5cbiAqL1xuZnVuY3Rpb24gc2hvdWxkUHJpb3JpdGl6ZUVudigpIHtcbiAgY29uc3QgaWQgPSBwcm9jZXNzLmVudi5BV1NfQUNDRVNTX0tFWV9JRCB8fCBwcm9jZXNzLmVudi5BTUFaT05fQUNDRVNTX0tFWV9JRDtcbiAgY29uc3Qga2V5ID0gcHJvY2Vzcy5lbnYuQVdTX1NFQ1JFVF9BQ0NFU1NfS0VZIHx8IHByb2Nlc3MuZW52LkFNQVpPTl9TRUNSRVRfQUNDRVNTX0tFWTtcblxuICBpZiAoISFpZCAmJiAhIWtleSkge1xuICAgIHByb2Nlc3MuZW52LkFXU19BQ0NFU1NfS0VZX0lEID0gaWQ7XG4gICAgcHJvY2Vzcy5lbnYuQVdTX1NFQ1JFVF9BQ0NFU1NfS0VZID0ga2V5O1xuXG4gICAgY29uc3Qgc2Vzc2lvblRva2VuID0gcHJvY2Vzcy5lbnYuQVdTX1NFU1NJT05fVE9LRU4gPz8gcHJvY2Vzcy5lbnYuQU1BWk9OX1NFU1NJT05fVE9LRU47XG4gICAgaWYgKHNlc3Npb25Ub2tlbikge1xuICAgICAgcHJvY2Vzcy5lbnYuQVdTX1NFU1NJT05fVE9LRU4gPSBzZXNzaW9uVG9rZW47XG4gICAgfVxuXG4gICAgcmV0dXJuIHRydWU7XG4gIH1cblxuICByZXR1cm4gZmFsc2U7XG59XG5cbmV4cG9ydCBpbnRlcmZhY2UgQ3JlZGVudGlhbENoYWluT3B0aW9ucyB7XG4gIHJlYWRvbmx5IHByb2ZpbGU/OiBzdHJpbmc7XG4gIHJlYWRvbmx5IGxvZ2dlcj86IExvZ2dlcjtcbn1cblxuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIG1ha2VSZXF1ZXN0SGFuZGxlcihpb0hlbHBlcjogSW9IZWxwZXIsIG9wdGlvbnM6IFNka0h0dHBPcHRpb25zID0ge30pOiBQcm9taXNlPE5vZGVIdHRwSGFuZGxlck9wdGlvbnM+IHtcbiAgY29uc3QgYWdlbnQgPSBhd2FpdCBuZXcgUHJveHlBZ2VudFByb3ZpZGVyKGlvSGVscGVyKS5jcmVhdGUob3B0aW9ucyk7XG5cbiAgcmV0dXJuIHtcbiAgICBjb25uZWN0aW9uVGltZW91dDogREVGQVVMVF9DT05ORUNUSU9OX1RJTUVPVVQsXG4gICAgcmVxdWVzdFRpbWVvdXQ6IERFRkFVTFRfVElNRU9VVCxcbiAgICBodHRwc0FnZW50OiBhZ2VudCxcbiAgICBodHRwQWdlbnQ6IGFnZW50LFxuICB9O1xufVxuIl19

package/lib/api/aws-auth/cached.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Cache the result of a function on an object
+ *
+ * We could have used @decorators to make this nicer but we don't use them anywhere yet,
+ * so let's keep it simple and readable.
+ */
+export declare function cached<A extends object, B>(obj: A, sym: symbol, fn: () => B): B;
+/**
+ * Like 'cached', but async
+ */
+export declare function cachedAsync<A extends object, B>(obj: A, sym: symbol, fn: () => Promise<B>): Promise<B>;

package/lib/api/aws-auth/cached.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cached = cached;
+exports.cachedAsync = cachedAsync;
+/**
+ * Cache the result of a function on an object
+ *
+ * We could have used @decorators to make this nicer but we don't use them anywhere yet,
+ * so let's keep it simple and readable.
+ */
+function cached(obj, sym, fn) {
+    if (!(sym in obj)) {
+        obj[sym] = fn();
+    }
+    return obj[sym];
+}
+/**
+ * Like 'cached', but async
+ */
+async function cachedAsync(obj, sym, fn) {
+    if (!(sym in obj)) {
+        obj[sym] = await fn();
+    }
+    return obj[sym];
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2FjaGVkLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiY2FjaGVkLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBTUEsd0JBS0M7QUFLRCxrQ0FLQztBQXJCRDs7Ozs7R0FLRztBQUNILFNBQWdCLE1BQU0sQ0FBc0IsR0FBTSxFQUFFLEdBQVcsRUFBRSxFQUFXO0lBQzFFLElBQUksQ0FBQyxDQUFDLEdBQUcsSUFBSSxHQUFHLENBQUMsRUFBRSxDQUFDO1FBQ2pCLEdBQVcsQ0FBQyxHQUFHLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQztJQUMzQixDQUFDO0lBQ0QsT0FBUSxHQUFXLENBQUMsR0FBRyxDQUFDLENBQUM7QUFDM0IsQ0FBQztBQUVEOztHQUVHO0FBQ0ksS0FBSyxVQUFVLFdBQVcsQ0FBc0IsR0FBTSxFQUFFLEdBQVcsRUFBRSxFQUFvQjtJQUM5RixJQUFJLENBQUMsQ0FBQyxHQUFHLElBQUksR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUNqQixHQUFXLENBQUMsR0FBRyxDQUFDLEdBQUcsTUFBTSxFQUFFLEVBQUUsQ0FBQztJQUNqQyxDQUFDO0lBQ0QsT0FBUSxHQUFXLENBQUMsR0FBRyxDQUFDLENBQUM7QUFDM0IsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbIi8qKlxuICogQ2FjaGUgdGhlIHJlc3VsdCBvZiBhIGZ1bmN0aW9uIG9uIGFuIG9iamVjdFxuICpcbiAqIFdlIGNvdWxkIGhhdmUgdXNlZCBAZGVjb3JhdG9ycyB0byBtYWtlIHRoaXMgbmljZXIgYnV0IHdlIGRvbid0IHVzZSB0aGVtIGFueXdoZXJlIHlldCxcbiAqIHNvIGxldCdzIGtlZXAgaXQgc2ltcGxlIGFuZCByZWFkYWJsZS5cbiAqL1xuZXhwb3J0IGZ1bmN0aW9uIGNhY2hlZDxBIGV4dGVuZHMgb2JqZWN0LCBCPihvYmo6IEEsIHN5bTogc3ltYm9sLCBmbjogKCkgPT4gQik6IEIge1xuICBpZiAoIShzeW0gaW4gb2JqKSkge1xuICAgIChvYmogYXMgYW55KVtzeW1dID0gZm4oKTtcbiAgfVxuICByZXR1cm4gKG9iaiBhcyBhbnkpW3N5bV07XG59XG5cbi8qKlxuICogTGlrZSAnY2FjaGVkJywgYnV0IGFzeW5jXG4gKi9cbmV4cG9ydCBhc3luYyBmdW5jdGlvbiBjYWNoZWRBc3luYzxBIGV4dGVuZHMgb2JqZWN0LCBCPihvYmo6IEEsIHN5bTogc3ltYm9sLCBmbjogKCkgPT4gUHJvbWlzZTxCPik6IFByb21pc2U8Qj4ge1xuICBpZiAoIShzeW0gaW4gb2JqKSkge1xuICAgIChvYmogYXMgYW55KVtzeW1dID0gYXdhaXQgZm4oKTtcbiAgfVxuICByZXR1cm4gKG9iaiBhcyBhbnkpW3N5bV07XG59XG4iXX0=

package/lib/api/aws-auth/credential-plugins.d.ts

@@ -0,0 +1,38 @@
+import type { AwsCredentialIdentityProvider } from '@smithy/types';
+import { type IoHelper } from '../io/private';
+import type { PluginHost } from '../plugin';
+import type { Mode } from '../plugin/mode';
+/**
+ * Cache for credential providers.
+ *
+ * Given an account and an operating mode (read or write) will return an
+ * appropriate credential provider for credentials for the given account. The
+ * credential provider will be cached so that multiple AWS clients for the same
+ * environment will not make multiple network calls to obtain credentials.
+ *
+ * Will use default credentials if they are for the right account; otherwise,
+ * all loaded credential provider plugins will be tried to obtain credentials
+ * for the given account.
+ */
+export declare class CredentialPlugins {
+    private readonly host;
+    private readonly ioHelper;
+    private readonly cache;
+    constructor(host: PluginHost, ioHelper: IoHelper);
+    fetchCredentialsFor(awsAccountId: string, mode: Mode): Promise<PluginCredentialsFetchResult | undefined>;
+    get availablePluginNames(): string[];
+    private lookupCredentials;
+}
+/**
+ * Result from trying to fetch credentials from the Plugin host
+ */
+export interface PluginCredentialsFetchResult {
+    /**
+     * SDK-v3 compatible credential provider
+     */
+    readonly credentials: AwsCredentialIdentityProvider;
+    /**
+     * Name of plugin that successfully provided credentials
+     */
+    readonly pluginName: string;
+}

package/lib/api/aws-auth/credential-plugins.js

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CredentialPlugins = void 0;
+const util_1 = require("util");
+const provider_caching_1 = require("./provider-caching");
+const util_2 = require("../../util");
+const private_1 = require("../io/private");
+const toolkit_error_1 = require("../toolkit-error");
+/**
+ * Cache for credential providers.
+ *
+ * Given an account and an operating mode (read or write) will return an
+ * appropriate credential provider for credentials for the given account. The
+ * credential provider will be cached so that multiple AWS clients for the same
+ * environment will not make multiple network calls to obtain credentials.
+ *
+ * Will use default credentials if they are for the right account; otherwise,
+ * all loaded credential provider plugins will be tried to obtain credentials
+ * for the given account.
+ */
+class CredentialPlugins {
+    host;
+    ioHelper;
+    cache = {};
+    constructor(host, ioHelper) {
+        this.host = host;
+        this.ioHelper = ioHelper;
+    }
+    async fetchCredentialsFor(awsAccountId, mode) {
+        const key = `${awsAccountId}-${mode}`;
+        if (!(key in this.cache)) {
+            this.cache[key] = await this.lookupCredentials(awsAccountId, mode);
+        }
+        return this.cache[key];
+    }
+    get availablePluginNames() {
+        return this.host.credentialProviderSources.map((s) => s.name);
+    }
+    async lookupCredentials(awsAccountId, mode) {
+        const triedSources = [];
+        // Otherwise, inspect the various credential sources we have
+        for (const source of this.host.credentialProviderSources) {
+            let available;
+            try {
+                available = await source.isAvailable();
+            }
+            catch (e) {
+                // This shouldn't happen, but let's guard against it anyway
+                await this.ioHelper.notify(private_1.IO.CDK_TOOLKIT_W0100.msg(`Uncaught exception in ${source.name}: ${(0, util_2.formatErrorMessage)(e)}`));
+                available = false;
+            }
+            if (!available) {
+                await this.ioHelper.notify(private_1.IO.DEFAULT_TOOLKIT_DEBUG.msg(`Credentials source ${source.name} is not available, ignoring it.`));
+                continue;
+            }
+            triedSources.push(source);
+            let canProvide;
+            try {
+                canProvide = await source.canProvideCredentials(awsAccountId);
+            }
+            catch (e) {
+                // This shouldn't happen, but let's guard against it anyway
+                await this.ioHelper.notify(private_1.IO.CDK_TOOLKIT_W0100.msg(`Uncaught exception in ${source.name}: ${(0, util_2.formatErrorMessage)(e)}`));
+                canProvide = false;
+            }
+            if (!canProvide) {
+                continue;
+            }
+            await this.ioHelper.notify(private_1.IO.DEFAULT_TOOLKIT_DEBUG.msg(`Using ${source.name} credentials for account ${awsAccountId}`));
+            return {
+                credentials: await v3ProviderFromPlugin(() => source.getProvider(awsAccountId, mode, {
+                    supportsV3Providers: true,
+                })),
+                pluginName: source.name,
+            };
+        }
+        return undefined;
+    }
+}
+exports.CredentialPlugins = CredentialPlugins;
+/**
+ * Take a function that calls the plugin, and turn it into an SDKv3-compatible credential provider.
+ *
+ * What we will do is the following:
+ *
+ * - Query the plugin and see what kind of result it gives us.
+ * - If the result is self-refreshing or doesn't need refreshing, we turn it into an SDKv3 provider
+ *   and return it directly.
+ *   * If the underlying return value is a provider, we will make it a caching provider
+ *     (because we can't know if it will cache by itself or not).
+ *   * If the underlying return value is a static credential, caching isn't relevant.
+ *   * If the underlying return value is V2 credentials, those have caching built-in.
+ * - If the result is a static credential that expires, we will wrap it in an SDKv3 provider
+ *   that will query the plugin again when the credential expires.
+ */
+async function v3ProviderFromPlugin(producer) {
+    const initial = await producer();
+    if (isV3Provider(initial)) {
+        // Already a provider, make caching
+        return (0, provider_caching_1.makeCachingProvider)(initial);
+    }
+    else if (isV3Credentials(initial) && initial.expiration === undefined) {
+        // Static credentials that don't need refreshing nor caching
+        return () => Promise.resolve(initial);
+    }
+    else if (isV3Credentials(initial) && initial.expiration !== undefined) {
+        // Static credentials that do need refreshing and caching
+        return refreshFromPluginProvider(initial, producer);
+    }
+    else if (isV2Credentials(initial)) {
+        // V2 credentials that refresh and cache themselves
+        return v3ProviderFromV2Credentials(initial);
+    }
+    else {
+        throw new toolkit_error_1.AuthenticationError(`Plugin returned a value that doesn't resemble AWS credentials: ${(0, util_1.inspect)(initial)}`);
+    }
+}
+/**
+ * Converts a V2 credential into a V3-compatible provider
+ */
+function v3ProviderFromV2Credentials(x) {
+    return async () => {
+        // Get will fetch or refresh as necessary
+        await x.getPromise();
+        return {
+            accessKeyId: x.accessKeyId,
+            secretAccessKey: x.secretAccessKey,
+            sessionToken: x.sessionToken,
+            expiration: x.expireTime ?? undefined,
+        };
+    };
+}
+function refreshFromPluginProvider(current, producer) {
+    return async () => {
+        if ((0, provider_caching_1.credentialsAboutToExpire)(current)) {
+            const newCreds = await producer();
+            if (!isV3Credentials(newCreds)) {
+                throw new toolkit_error_1.AuthenticationError(`Plugin initially returned static V3 credentials but now returned something else: ${(0, util_1.inspect)(newCreds)}`);
+            }
+            current = newCreds;
+        }
+        return current;
+    };
+}
+function isV3Provider(x) {
+    return typeof x === 'function';
+}
+function isV2Credentials(x) {
+    return !!(x && typeof x === 'object' && x.getPromise);
+}
+function isV3Credentials(x) {
+    return !!(x && typeof x === 'object' && x.accessKeyId && !isV2Credentials(x));
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3JlZGVudGlhbC1wbHVnaW5zLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiY3JlZGVudGlhbC1wbHVnaW5zLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLCtCQUErQjtBQUcvQix5REFBbUY7QUFDbkYscUNBQWdEO0FBQ2hELDJDQUFrRDtBQUdsRCxvREFBdUQ7QUFFdkQ7Ozs7Ozs7Ozs7O0dBV0c7QUFDSCxNQUFhLGlCQUFpQjtJQUdDO0lBQW1DO0lBRi9DLEtBQUssR0FBZ0UsRUFBRSxDQUFDO0lBRXpGLFlBQTZCLElBQWdCLEVBQW1CLFFBQWtCO1FBQXJELFNBQUksR0FBSixJQUFJLENBQVk7UUFBbUIsYUFBUSxHQUFSLFFBQVEsQ0FBVTtJQUNsRixDQUFDO0lBRU0sS0FBSyxDQUFDLG1CQUFtQixDQUFDLFlBQW9CLEVBQUUsSUFBVTtRQUMvRCxNQUFNLEdBQUcsR0FBRyxHQUFHLFlBQVksSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUN0QyxJQUFJLENBQUMsQ0FBQyxHQUFHLElBQUksSUFBSSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDekIsSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsR0FBRyxNQUFNLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxZQUFZLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFDckUsQ0FBQztRQUNELE9BQU8sSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUN6QixDQUFDO0lBRUQsSUFBVyxvQkFBb0I7UUFDN0IsT0FBTyxJQUFJLENBQUMsSUFBSSxDQUFDLHlCQUF5QixDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDO0lBQ2hFLENBQUM7SUFFTyxLQUFLLENBQUMsaUJBQWlCLENBQUMsWUFBb0IsRUFBRSxJQUFVO1FBQzlELE1BQU0sWUFBWSxHQUErQixFQUFFLENBQUM7UUFDcEQsNERBQTREO1FBQzVELEtBQUssTUFBTSxNQUFNLElBQUksSUFBSSxDQUFDLElBQUksQ0FBQyx5QkFBeUIsRUFBRSxDQUFDO1lBQ3pELElBQUksU0FBa0IsQ0FBQztZQUN2QixJQUFJLENBQUM7Z0JBQ0gsU0FBUyxHQUFHLE1BQU0sTUFBTSxDQUFDLFdBQVcsRUFBRSxDQUFDO1lBQ3pDLENBQUM7WUFBQyxPQUFPLENBQU0sRUFBRSxDQUFDO2dCQUNoQiwyREFBMkQ7Z0JBQzNELE1BQU0sSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsWUFBRSxDQUFDLGlCQUFpQixDQUFDLEdBQUcsQ0FBQyx5QkFBeUIsTUFBTSxDQUFDLElBQUksS0FBSyxJQUFBLHlCQUFrQixFQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO2dCQUN2SCxTQUFTLEdBQUcsS0FBSyxDQUFDO1lBQ3BCLENBQUM7WUFFRCxJQUFJLENBQUMsU0FBUyxFQUFFLENBQUM7Z0JBQ2YsTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxZQUFFLENBQUMscUJBQXFCLENBQUMsR0FBRyxDQUFDLHNCQUFzQixNQUFNLENBQUMsSUFBSSxpQ0FBaUMsQ0FBQyxDQUFDLENBQUM7Z0JBQzdILFNBQVM7WUFDWCxDQUFDO1lBQ0QsWUFBWSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUMxQixJQUFJLFVBQW1CLENBQUM7WUFDeEIsSUFBSSxDQUFDO2dCQUNILFVBQVUsR0FBRyxNQUFNLE1BQU0sQ0FBQyxxQkFBcUIsQ0FBQyxZQUFZLENBQUMsQ0FBQztZQUNoRSxDQUFDO1lBQUMsT0FBTyxDQUFNLEVBQUUsQ0FBQztnQkFDaEIsMkRBQTJEO2dCQUMzRCxNQUFNLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLFlBQUUsQ0FBQyxpQkFBaUIsQ0FBQyxHQUFHLENBQUMseUJBQXlCLE1BQU0sQ0FBQyxJQUFJLEtBQUssSUFBQSx5QkFBa0IsRUFBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztnQkFDdkgsVUFBVSxHQUFHLEtBQUssQ0FBQztZQUNyQixDQUFDO1lBQ0QsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO2dCQUNoQixTQUFTO1lBQ1gsQ0FBQztZQUNELE1BQU0sSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsWUFBRSxDQUFDLHFCQUFxQixDQUFDLEdBQUcsQ0FBQyxTQUFTLE1BQU0sQ0FBQyxJQUFJLDRCQUE0QixZQUFZLEVBQUUsQ0FBQyxDQUFDLENBQUM7WUFFekgsT0FBTztnQkFDTCxXQUFXLEVBQUUsTUFBTSxvQkFBb0IsQ0FBQyxHQUFHLEVBQUUsQ0FBQyxNQUFNLENBQUMsV0FBVyxDQUFDLFlBQVksRUFBRSxJQUErQixFQUFFO29CQUM5RyxtQkFBbUIsRUFBRSxJQUFJO2lCQUMxQixDQUFDLENBQUM7Z0JBQ0gsVUFBVSxFQUFFLE1BQU0sQ0FBQyxJQUFJO2FBQ3hCLENBQUM7UUFDSixDQUFDO1FBQ0QsT0FBTyxTQUFTLENBQUM7SUFDbkIsQ0FBQztDQUNGO0FBMURELDhDQTBEQztBQWlCRDs7Ozs7Ozs7Ozs7Ozs7R0FjRztBQUNILEtBQUssVUFBVSxvQkFBb0IsQ0FBQyxRQUE2QztJQUMvRSxNQUFNLE9BQU8sR0FBRyxNQUFNLFFBQVEsRUFBRSxDQUFDO0lBRWpDLElBQUksWUFBWSxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7UUFDMUIsbUNBQW1DO1FBQ25DLE9BQU8sSUFBQSxzQ0FBbUIsRUFBQyxPQUFPLENBQUMsQ0FBQztJQUN0QyxDQUFDO1NBQU0sSUFBSSxlQUFlLENBQUMsT0FBTyxDQUFDLElBQUksT0FBTyxDQUFDLFVBQVUsS0FBSyxTQUFTLEVBQUUsQ0FBQztRQUN4RSw0REFBNEQ7UUFDNUQsT0FBTyxHQUFHLEVBQUUsQ0FBQyxPQUFPLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQ3hDLENBQUM7U0FBTSxJQUFJLGVBQWUsQ0FBQyxPQUFPLENBQUMsSUFBSSxPQUFPLENBQUMsVUFBVSxLQUFLLFNBQVMsRUFBRSxDQUFDO1FBQ3hFLHlEQUF5RDtRQUN6RCxPQUFPLHlCQUF5QixDQUFDLE9BQU8sRUFBRSxRQUFRLENBQUMsQ0FBQztJQUN0RCxDQUFDO1NBQU0sSUFBSSxlQUFlLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztRQUNwQyxtREFBbUQ7UUFDbkQsT0FBTywyQkFBMkIsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUM5QyxDQUFDO1NBQU0sQ0FBQztRQUNOLE1BQU0sSUFBSSxtQ0FBbUIsQ0FBQyxrRUFBa0UsSUFBQSxjQUFPLEVBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQyxDQUFDO0lBQ3RILENBQUM7QUFDSCxDQUFDO0FBRUQ7O0dBRUc7QUFDSCxTQUFTLDJCQUEyQixDQUFDLENBQTZCO0lBQ2hFLE9BQU8sS0FBSyxJQUFJLEVBQUU7UUFDaEIseUNBQXlDO1FBQ3pDLE1BQU0sQ0FBQyxDQUFDLFVBQVUsRUFBRSxDQUFDO1FBRXJCLE9BQU87WUFDTCxXQUFXLEVBQUUsQ0FBQyxDQUFDLFdBQVc7WUFDMUIsZUFBZSxFQUFFLENBQUMsQ0FBQyxlQUFlO1lBQ2xDLFlBQVksRUFBRSxDQUFDLENBQUMsWUFBWTtZQUM1QixVQUFVLEVBQUUsQ0FBQyxDQUFDLFVBQVUsSUFBSSxTQUFTO1NBQ3RDLENBQUM7SUFDSixDQUFDLENBQUM7QUFDSixDQUFDO0FBRUQsU0FBUyx5QkFBeUIsQ0FBQyxPQUE4QixFQUFFLFFBQTZDO0lBQzlHLE9BQU8sS0FBSyxJQUFJLEVBQUU7UUFDaEIsSUFBSSxJQUFBLDJDQUF3QixFQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDdEMsTUFBTSxRQUFRLEdBQUcsTUFBTSxRQUFRLEVBQUUsQ0FBQztZQUNsQyxJQUFJLENBQUMsZUFBZSxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUM7Z0JBQy9CLE1BQU0sSUFBSSxtQ0FBbUIsQ0FBQyxvRkFBb0YsSUFBQSxjQUFPLEVBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQyxDQUFDO1lBQ3pJLENBQUM7WUFDRCxPQUFPLEdBQUcsUUFBUSxDQUFDO1FBQ3JCLENBQUM7UUFDRCxPQUFPLE9BQU8sQ0FBQztJQUNqQixDQUFDLENBQUM7QUFDSixDQUFDO0FBRUQsU0FBUyxZQUFZLENBQUMsQ0FBdUI7SUFDM0MsT0FBTyxPQUFPLENBQUMsS0FBSyxVQUFVLENBQUM7QUFDakMsQ0FBQztBQUVELFNBQVMsZUFBZSxDQUFDLENBQXVCO0lBQzlDLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQyxJQUFJLE9BQU8sQ0FBQyxLQUFLLFFBQVEsSUFBSyxDQUFnQyxDQUFDLFVBQVUsQ0FBQyxDQUFDO0FBQ3hGLENBQUM7QUFFRCxTQUFTLGVBQWUsQ0FBQyxDQUF1QjtJQUM5QyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxPQUFPLENBQUMsS0FBSyxRQUFRLElBQUksQ0FBQyxDQUFDLFdBQVcsSUFBSSxDQUFDLGVBQWUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO0FBQ2hGLENBQUMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgeyBpbnNwZWN0IH0gZnJvbSAndXRpbCc7XG5pbXBvcnQgdHlwZSB7IENyZWRlbnRpYWxQcm92aWRlclNvdXJjZSwgRm9yUmVhZGluZywgRm9yV3JpdGluZywgUGx1Z2luUHJvdmlkZXJSZXN1bHQsIFNES3YyQ29tcGF0aWJsZUNyZWRlbnRpYWxzLCBTREt2M0NvbXBhdGlibGVDcmVkZW50aWFsUHJvdmlkZXIsIFNES3YzQ29tcGF0aWJsZUNyZWRlbnRpYWxzIH0gZnJvbSAnQGF3cy1jZGsvY2xpLXBsdWdpbi1jb250cmFjdCc7XG5pbXBvcnQgdHlwZSB7IEF3c0NyZWRlbnRpYWxJZGVudGl0eSwgQXdzQ3JlZGVudGlhbElkZW50aXR5UHJvdmlkZXIgfSBmcm9tICdAc21pdGh5L3R5cGVzJztcbmltcG9ydCB7IGNyZWRlbnRpYWxzQWJvdXRUb0V4cGlyZSwgbWFrZUNhY2hpbmdQcm92aWRlciB9IGZyb20gJy4vcHJvdmlkZXItY2FjaGluZyc7XG5pbXBvcnQgeyBmb3JtYXRFcnJvck1lc3NhZ2UgfSBmcm9tICcuLi8uLi91dGlsJztcbmltcG9ydCB7IElPLCB0eXBlIElvSGVscGVyIH0gZnJvbSAnLi4vaW8vcHJpdmF0ZSc7XG5pbXBvcnQgdHlwZSB7IFBsdWdpbkhvc3QgfSBmcm9tICcuLi9wbHVnaW4nO1xuaW1wb3J0IHR5cGUgeyBNb2RlIH0gZnJvbSAnLi4vcGx1Z2luL21vZGUnO1xuaW1wb3J0IHsgQXV0aGVudGljYXRpb25FcnJvciB9IGZyb20gJy4uL3Rvb2xraXQtZXJyb3InO1xuXG4vKipcbiAqIENhY2hlIGZvciBjcmVkZW50aWFsIHByb3ZpZGVycy5cbiAqXG4gKiBHaXZlbiBhbiBhY2NvdW50IGFuZCBhbiBvcGVyYXRpbmcgbW9kZSAocmVhZCBvciB3cml0ZSkgd2lsbCByZXR1cm4gYW5cbiAqIGFwcHJvcHJpYXRlIGNyZWRlbnRpYWwgcHJvdmlkZXIgZm9yIGNyZWRlbnRpYWxzIGZvciB0aGUgZ2l2ZW4gYWNjb3VudC4gVGhlXG4gKiBjcmVkZW50aWFsIHByb3ZpZGVyIHdpbGwgYmUgY2FjaGVkIHNvIHRoYXQgbXVsdGlwbGUgQVdTIGNsaWVudHMgZm9yIHRoZSBzYW1lXG4gKiBlbnZpcm9ubWVudCB3aWxsIG5vdCBtYWtlIG11bHRpcGxlIG5ldHdvcmsgY2FsbHMgdG8gb2J0YWluIGNyZWRlbnRpYWxzLlxuICpcbiAqIFdpbGwgdXNlIGRlZmF1bHQgY3JlZGVudGlhbHMgaWYgdGhleSBhcmUgZm9yIHRoZSByaWdodCBhY2NvdW50OyBvdGhlcndpc2UsXG4gKiBhbGwgbG9hZGVkIGNyZWRlbnRpYWwgcHJvdmlkZXIgcGx1Z2lucyB3aWxsIGJlIHRyaWVkIHRvIG9idGFpbiBjcmVkZW50aWFsc1xuICogZm9yIHRoZSBnaXZlbiBhY2NvdW50LlxuICovXG5leHBvcnQgY2xhc3MgQ3JlZGVudGlhbFBsdWdpbnMge1xuICBwcml2YXRlIHJlYWRvbmx5IGNhY2hlOiB7IFtrZXk6IHN0cmluZ106IFBsdWdpbkNyZWRlbnRpYWxzRmV0Y2hSZXN1bHQgfCB1bmRlZmluZWQgfSA9IHt9O1xuXG4gIGNvbnN0cnVjdG9yKHByaXZhdGUgcmVhZG9ubHkgaG9zdDogUGx1Z2luSG9zdCwgcHJpdmF0ZSByZWFkb25seSBpb0hlbHBlcjogSW9IZWxwZXIpIHtcbiAgfVxuXG4gIHB1YmxpYyBhc3luYyBmZXRjaENyZWRlbnRpYWxzRm9yKGF3c0FjY291bnRJZDogc3RyaW5nLCBtb2RlOiBNb2RlKTogUHJvbWlzZTxQbHVnaW5DcmVkZW50aWFsc0ZldGNoUmVzdWx0IHwgdW5kZWZpbmVkPiB7XG4gICAgY29uc3Qga2V5ID0gYCR7YXdzQWNjb3VudElkfS0ke21vZGV9YDtcbiAgICBpZiAoIShrZXkgaW4gdGhpcy5jYWNoZSkpIHtcbiAgICAgIHRoaXMuY2FjaGVba2V5XSA9IGF3YWl0IHRoaXMubG9va3VwQ3JlZGVudGlhbHMoYXdzQWNjb3VudElkLCBtb2RlKTtcbiAgICB9XG4gICAgcmV0dXJuIHRoaXMuY2FjaGVba2V5XTtcbiAgfVxuXG4gIHB1YmxpYyBnZXQgYXZhaWxhYmxlUGx1Z2luTmFtZXMoKTogc3RyaW5nW10ge1xuICAgIHJldHVybiB0aGlzLmhvc3QuY3JlZGVudGlhbFByb3ZpZGVyU291cmNlcy5tYXAoKHMpID0+IHMubmFtZSk7XG4gIH1cblxuICBwcml2YXRlIGFzeW5jIGxvb2t1cENyZWRlbnRpYWxzKGF3c0FjY291bnRJZDogc3RyaW5nLCBtb2RlOiBNb2RlKTogUHJvbWlzZTxQbHVnaW5DcmVkZW50aWFsc0ZldGNoUmVzdWx0IHwgdW5kZWZpbmVkPiB7XG4gICAgY29uc3QgdHJpZWRTb3VyY2VzOiBDcmVkZW50aWFsUHJvdmlkZXJTb3VyY2VbXSA9IFtdO1xuICAgIC8vIE90aGVyd2lzZSwgaW5zcGVjdCB0aGUgdmFyaW91cyBjcmVkZW50aWFsIHNvdXJjZXMgd2UgaGF2ZVxuICAgIGZvciAoY29uc3Qgc291cmNlIG9mIHRoaXMuaG9zdC5jcmVkZW50aWFsUHJvdmlkZXJTb3VyY2VzKSB7XG4gICAgICBsZXQgYXZhaWxhYmxlOiBib29sZWFuO1xuICAgICAgdHJ5IHtcbiAgICAgICAgYXZhaWxhYmxlID0gYXdhaXQgc291cmNlLmlzQXZhaWxhYmxlKCk7XG4gICAgICB9IGNhdGNoIChlOiBhbnkpIHtcbiAgICAgICAgLy8gVGhpcyBzaG91bGRuJ3QgaGFwcGVuLCBidXQgbGV0J3MgZ3VhcmQgYWdhaW5zdCBpdCBhbnl3YXlcbiAgICAgICAgYXdhaXQgdGhpcy5pb0hlbHBlci5ub3RpZnkoSU8uQ0RLX1RPT0xLSVRfVzAxMDAubXNnKGBVbmNhdWdodCBleGNlcHRpb24gaW4gJHtzb3VyY2UubmFtZX06ICR7Zm9ybWF0RXJyb3JNZXNzYWdlKGUpfWApKTtcbiAgICAgICAgYXZhaWxhYmxlID0gZmFsc2U7XG4gICAgICB9XG5cbiAgICAgIGlmICghYXZhaWxhYmxlKSB7XG4gICAgICAgIGF3YWl0IHRoaXMuaW9IZWxwZXIubm90aWZ5KElPLkRFRkFVTFRfVE9PTEtJVF9ERUJVRy5tc2coYENyZWRlbnRpYWxzIHNvdXJjZSAke3NvdXJjZS5uYW1lfSBpcyBub3QgYXZhaWxhYmxlLCBpZ25vcmluZyBpdC5gKSk7XG4gICAgICAgIGNvbnRpbnVlO1xuICAgICAgfVxuICAgICAgdHJpZWRTb3VyY2VzLnB1c2goc291cmNlKTtcbiAgICAgIGxldCBjYW5Qcm92aWRlOiBib29sZWFuO1xuICAgICAgdHJ5IHtcbiAgICAgICAgY2FuUHJvdmlkZSA9IGF3YWl0IHNvdXJjZS5jYW5Qcm92aWRlQ3JlZGVudGlhbHMoYXdzQWNjb3VudElkKTtcbiAgICAgIH0gY2F0Y2ggKGU6IGFueSkge1xuICAgICAgICAvLyBUaGlzIHNob3VsZG4ndCBoYXBwZW4sIGJ1dCBsZXQncyBndWFyZCBhZ2FpbnN0IGl0IGFueXdheVxuICAgICAgICBhd2FpdCB0aGlzLmlvSGVscGVyLm5vdGlmeShJTy5DREtfVE9PTEtJVF9XMDEwMC5tc2coYFVuY2F1Z2h0IGV4Y2VwdGlvbiBpbiAke3NvdXJjZS5uYW1lfTogJHtmb3JtYXRFcnJvck1lc3NhZ2UoZSl9YCkpO1xuICAgICAgICBjYW5Qcm92aWRlID0gZmFsc2U7XG4gICAgICB9XG4gICAgICBpZiAoIWNhblByb3ZpZGUpIHtcbiAgICAgICAgY29udGludWU7XG4gICAgICB9XG4gICAgICBhd2FpdCB0aGlzLmlvSGVscGVyLm5vdGlmeShJTy5ERUZBVUxUX1RPT0xLSVRfREVCVUcubXNnKGBVc2luZyAke3NvdXJjZS5uYW1lfSBjcmVkZW50aWFscyBmb3IgYWNjb3VudCAke2F3c0FjY291bnRJZH1gKSk7XG5cbiAgICAgIHJldHVybiB7XG4gICAgICAgIGNyZWRlbnRpYWxzOiBhd2FpdCB2M1Byb3ZpZGVyRnJvbVBsdWdpbigoKSA9PiBzb3VyY2UuZ2V0UHJvdmlkZXIoYXdzQWNjb3VudElkLCBtb2RlIGFzIEZvclJlYWRpbmcgfCBGb3JXcml0aW5nLCB7XG4gICAgICAgICAgc3VwcG9ydHNWM1Byb3ZpZGVyczogdHJ1ZSxcbiAgICAgICAgfSkpLFxuICAgICAgICBwbHVnaW5OYW1lOiBzb3VyY2UubmFtZSxcbiAgICAgIH07XG4gICAgfVxuICAgIHJldHVybiB1bmRlZmluZWQ7XG4gIH1cbn1cblxuLyoqXG4gKiBSZXN1bHQgZnJvbSB0cnlpbmcgdG8gZmV0Y2ggY3JlZGVudGlhbHMgZnJvbSB0aGUgUGx1Z2luIGhvc3RcbiAqL1xuZXhwb3J0IGludGVyZmFjZSBQbHVnaW5DcmVkZW50aWFsc0ZldGNoUmVzdWx0IHtcbiAgLyoqXG4gICAqIFNESy12MyBjb21wYXRpYmxlIGNyZWRlbnRpYWwgcHJvdmlkZXJcbiAgICovXG4gIHJlYWRvbmx5IGNyZWRlbnRpYWxzOiBBd3NDcmVkZW50aWFsSWRlbnRpdHlQcm92aWRlcjtcblxuICAvKipcbiAgICogTmFtZSBvZiBwbHVnaW4gdGhhdCBzdWNjZXNzZnVsbHkgcHJvdmlkZWQgY3JlZGVudGlhbHNcbiAgICovXG4gIHJlYWRvbmx5IHBsdWdpbk5hbWU6IHN0cmluZztcbn1cblxuLyoqXG4gKiBUYWtlIGEgZnVuY3Rpb24gdGhhdCBjYWxscyB0aGUgcGx1Z2luLCBhbmQgdHVybiBpdCBpbnRvIGFuIFNES3YzLWNvbXBhdGlibGUgY3JlZGVudGlhbCBwcm92aWRlci5cbiAqXG4gKiBXaGF0IHdlIHdpbGwgZG8gaXMgdGhlIGZvbGxvd2luZzpcbiAqXG4gKiAtIFF1ZXJ5IHRoZSBwbHVnaW4gYW5kIHNlZSB3aGF0IGtpbmQgb2YgcmVzdWx0IGl0IGdpdmVzIHVzLlxuICogLSBJZiB0aGUgcmVzdWx0IGlzIHNlbGYtcmVmcmVzaGluZyBvciBkb2Vzbid0IG5lZWQgcmVmcmVzaGluZywgd2UgdHVybiBpdCBpbnRvIGFuIFNES3YzIHByb3ZpZGVyXG4gKiAgIGFuZCByZXR1cm4gaXQgZGlyZWN0bHkuXG4gKiAgICogSWYgdGhlIHVuZGVybHlpbmcgcmV0dXJuIHZhbHVlIGlzIGEgcHJvdmlkZXIsIHdlIHdpbGwgbWFrZSBpdCBhIGNhY2hpbmcgcHJvdmlkZXJcbiAqICAgICAoYmVjYXVzZSB3ZSBjYW4ndCBrbm93IGlmIGl0IHdpbGwgY2FjaGUgYnkgaXRzZWxmIG9yIG5vdCkuXG4gKiAgICogSWYgdGhlIHVuZGVybHlpbmcgcmV0dXJuIHZhbHVlIGlzIGEgc3RhdGljIGNyZWRlbnRpYWwsIGNhY2hpbmcgaXNuJ3QgcmVsZXZhbnQuXG4gKiAgICogSWYgdGhlIHVuZGVybHlpbmcgcmV0dXJuIHZhbHVlIGlzIFYyIGNyZWRlbnRpYWxzLCB0aG9zZSBoYXZlIGNhY2hpbmcgYnVpbHQtaW4uXG4gKiAtIElmIHRoZSByZXN1bHQgaXMgYSBzdGF0aWMgY3JlZGVudGlhbCB0aGF0IGV4cGlyZXMsIHdlIHdpbGwgd3JhcCBpdCBpbiBhbiBTREt2MyBwcm92aWRlclxuICogICB0aGF0IHdpbGwgcXVlcnkgdGhlIHBsdWdpbiBhZ2FpbiB3aGVuIHRoZSBjcmVkZW50aWFsIGV4cGlyZXMuXG4gKi9cbmFzeW5jIGZ1bmN0aW9uIHYzUHJvdmlkZXJGcm9tUGx1Z2luKHByb2R1Y2VyOiAoKSA9PiBQcm9taXNlPFBsdWdpblByb3ZpZGVyUmVzdWx0Pik6IFByb21pc2U8QXdzQ3JlZGVudGlhbElkZW50aXR5UHJvdmlkZXI+IHtcbiAgY29uc3QgaW5pdGlhbCA9IGF3YWl0IHByb2R1Y2VyKCk7XG5cbiAgaWYgKGlzVjNQcm92aWRlcihpbml0aWFsKSkge1xuICAgIC8vIEFscmVhZHkgYSBwcm92aWRlciwgbWFrZSBjYWNoaW5nXG4gICAgcmV0dXJuIG1ha2VDYWNoaW5nUHJvdmlkZXIoaW5pdGlhbCk7XG4gIH0gZWxzZSBpZiAoaXNWM0NyZWRlbnRpYWxzKGluaXRpYWwpICYmIGluaXRpYWwuZXhwaXJhdGlvbiA9PT0gdW5kZWZpbmVkKSB7XG4gICAgLy8gU3RhdGljIGNyZWRlbnRpYWxzIHRoYXQgZG9uJ3QgbmVlZCByZWZyZXNoaW5nIG5vciBjYWNoaW5nXG4gICAgcmV0dXJuICgpID0+IFByb21pc2UucmVzb2x2ZShpbml0aWFsKTtcbiAgfSBlbHNlIGlmIChpc1YzQ3JlZGVudGlhbHMoaW5pdGlhbCkgJiYgaW5pdGlhbC5leHBpcmF0aW9uICE9PSB1bmRlZmluZWQpIHtcbiAgICAvLyBTdGF0aWMgY3JlZGVudGlhbHMgdGhhdCBkbyBuZWVkIHJlZnJlc2hpbmcgYW5kIGNhY2hpbmdcbiAgICByZXR1cm4gcmVmcmVzaEZyb21QbHVnaW5Qcm92aWRlcihpbml0aWFsLCBwcm9kdWNlcik7XG4gIH0gZWxzZSBpZiAoaXNWMkNyZWRlbnRpYWxzKGluaXRpYWwpKSB7XG4gICAgLy8gVjIgY3JlZGVudGlhbHMgdGhhdCByZWZyZXNoIGFuZCBjYWNoZSB0aGVtc2VsdmVzXG4gICAgcmV0dXJuIHYzUHJvdmlkZXJGcm9tVjJDcmVkZW50aWFscyhpbml0aWFsKTtcbiAgfSBlbHNlIHtcbiAgICB0aHJvdyBuZXcgQXV0aGVudGljYXRpb25FcnJvcihgUGx1Z2luIHJldHVybmVkIGEgdmFsdWUgdGhhdCBkb2Vzbid0IHJlc2VtYmxlIEFXUyBjcmVkZW50aWFsczogJHtpbnNwZWN0KGluaXRpYWwpfWApO1xuICB9XG59XG5cbi8qKlxuICogQ29udmVydHMgYSBWMiBjcmVkZW50aWFsIGludG8gYSBWMy1jb21wYXRpYmxlIHByb3ZpZGVyXG4gKi9cbmZ1bmN0aW9uIHYzUHJvdmlkZXJGcm9tVjJDcmVkZW50aWFscyh4OiBTREt2MkNvbXBhdGlibGVDcmVkZW50aWFscyk6IEF3c0NyZWRlbnRpYWxJZGVudGl0eVByb3ZpZGVyIHtcbiAgcmV0dXJuIGFzeW5jICgpID0+IHtcbiAgICAvLyBHZXQgd2lsbCBmZXRjaCBvciByZWZyZXNoIGFzIG5lY2Vzc2FyeVxuICAgIGF3YWl0IHguZ2V0UHJvbWlzZSgpO1xuXG4gICAgcmV0dXJuIHtcbiAgICAgIGFjY2Vzc0tleUlkOiB4LmFjY2Vzc0tleUlkLFxuICAgICAgc2VjcmV0QWNjZXNzS2V5OiB4LnNlY3JldEFjY2Vzc0tleSxcbiAgICAgIHNlc3Npb25Ub2tlbjogeC5zZXNzaW9uVG9rZW4sXG4gICAgICBleHBpcmF0aW9uOiB4LmV4cGlyZVRpbWUgPz8gdW5kZWZpbmVkLFxuICAgIH07XG4gIH07XG59XG5cbmZ1bmN0aW9uIHJlZnJlc2hGcm9tUGx1Z2luUHJvdmlkZXIoY3VycmVudDogQXdzQ3JlZGVudGlhbElkZW50aXR5LCBwcm9kdWNlcjogKCkgPT4gUHJvbWlzZTxQbHVnaW5Qcm92aWRlclJlc3VsdD4pOiBBd3NDcmVkZW50aWFsSWRlbnRpdHlQcm92aWRlciB7XG4gIHJldHVybiBhc3luYyAoKSA9PiB7XG4gICAgaWYgKGNyZWRlbnRpYWxzQWJvdXRUb0V4cGlyZShjdXJyZW50KSkge1xuICAgICAgY29uc3QgbmV3Q3JlZHMgPSBhd2FpdCBwcm9kdWNlcigpO1xuICAgICAgaWYgKCFpc1YzQ3JlZGVudGlhbHMobmV3Q3JlZHMpKSB7XG4gICAgICAgIHRocm93IG5ldyBBdXRoZW50aWNhdGlvbkVycm9yKGBQbHVnaW4gaW5pdGlhbGx5IHJldHVybmVkIHN0YXRpYyBWMyBjcmVkZW50aWFscyBidXQgbm93IHJldHVybmVkIHNvbWV0aGluZyBlbHNlOiAke2luc3BlY3QobmV3Q3JlZHMpfWApO1xuICAgICAgfVxuICAgICAgY3VycmVudCA9IG5ld0NyZWRzO1xuICAgIH1cbiAgICByZXR1cm4gY3VycmVudDtcbiAgfTtcbn1cblxuZnVuY3Rpb24gaXNWM1Byb3ZpZGVyKHg6IFBsdWdpblByb3ZpZGVyUmVzdWx0KTogeCBpcyBTREt2M0NvbXBhdGlibGVDcmVkZW50aWFsUHJvdmlkZXIge1xuICByZXR1cm4gdHlwZW9mIHggPT09ICdmdW5jdGlvbic7XG59XG5cbmZ1bmN0aW9uIGlzVjJDcmVkZW50aWFscyh4OiBQbHVnaW5Qcm92aWRlclJlc3VsdCk6IHggaXMgU0RLdjJDb21wYXRpYmxlQ3JlZGVudGlhbHMge1xuICByZXR1cm4gISEoeCAmJiB0eXBlb2YgeCA9PT0gJ29iamVjdCcgJiYgKHggYXMgU0RLdjJDb21wYXRpYmxlQ3JlZGVudGlhbHMpLmdldFByb21pc2UpO1xufVxuXG5mdW5jdGlvbiBpc1YzQ3JlZGVudGlhbHMoeDogUGx1Z2luUHJvdmlkZXJSZXN1bHQpOiB4IGlzIFNES3YzQ29tcGF0aWJsZUNyZWRlbnRpYWxzIHtcbiAgcmV0dXJuICEhKHggJiYgdHlwZW9mIHggPT09ICdvYmplY3QnICYmIHguYWNjZXNzS2V5SWQgJiYgIWlzVjJDcmVkZW50aWFscyh4KSk7XG59XG4iXX0=

package/lib/api/aws-auth/private/index.d.ts

@@ -0,0 +1,11 @@
+export * from '../proxy-agent';
+export * from '../sdk';
+export * from '../sdk-provider';
+export * from '../sdk-logger';
+export { AccountAccessKeyCache } from '../account-cache';
+export { cached } from '../cached';
+export { AwsCliCompatible } from '../awscli-compatible';
+export { setSdkTracing } from '../tracing';
+export { CredentialPlugins } from '../credential-plugins';
+export { credentialsAboutToExpire } from '../provider-caching';
+export { defaultCliUserAgent } from '../user-agent';

package/lib/api/aws-auth/private/index.js

@@ -0,0 +1,37 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultCliUserAgent = exports.credentialsAboutToExpire = exports.CredentialPlugins = exports.setSdkTracing = exports.AwsCliCompatible = exports.cached = exports.AccountAccessKeyCache = void 0;
+__exportStar(require("../proxy-agent"), exports);
+__exportStar(require("../sdk"), exports);
+__exportStar(require("../sdk-provider"), exports);
+__exportStar(require("../sdk-logger"), exports);
+// temporary testing exports
+var account_cache_1 = require("../account-cache");
+Object.defineProperty(exports, "AccountAccessKeyCache", { enumerable: true, get: function () { return account_cache_1.AccountAccessKeyCache; } });
+var cached_1 = require("../cached");
+Object.defineProperty(exports, "cached", { enumerable: true, get: function () { return cached_1.cached; } });
+var awscli_compatible_1 = require("../awscli-compatible");
+Object.defineProperty(exports, "AwsCliCompatible", { enumerable: true, get: function () { return awscli_compatible_1.AwsCliCompatible; } });
+var tracing_1 = require("../tracing");
+Object.defineProperty(exports, "setSdkTracing", { enumerable: true, get: function () { return tracing_1.setSdkTracing; } });
+var credential_plugins_1 = require("../credential-plugins");
+Object.defineProperty(exports, "CredentialPlugins", { enumerable: true, get: function () { return credential_plugins_1.CredentialPlugins; } });
+var provider_caching_1 = require("../provider-caching");
+Object.defineProperty(exports, "credentialsAboutToExpire", { enumerable: true, get: function () { return provider_caching_1.credentialsAboutToExpire; } });
+var user_agent_1 = require("../user-agent");
+Object.defineProperty(exports, "defaultCliUserAgent", { enumerable: true, get: function () { return user_agent_1.defaultCliUserAgent; } });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJpbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLGlEQUErQjtBQUMvQix5Q0FBdUI7QUFDdkIsa0RBQWdDO0FBQ2hDLGdEQUE4QjtBQUU5Qiw0QkFBNEI7QUFDNUIsa0RBQXlEO0FBQWhELHNIQUFBLHFCQUFxQixPQUFBO0FBQzlCLG9DQUFtQztBQUExQixnR0FBQSxNQUFNLE9BQUE7QUFDZiwwREFBd0Q7QUFBL0MscUhBQUEsZ0JBQWdCLE9BQUE7QUFDekIsc0NBQTJDO0FBQWxDLHdHQUFBLGFBQWEsT0FBQTtBQUN0Qiw0REFBMEQ7QUFBakQsdUhBQUEsaUJBQWlCLE9BQUE7QUFDMUIsd0RBQStEO0FBQXRELDRIQUFBLHdCQUF3QixPQUFBO0FBQ2pDLDRDQUFvRDtBQUEzQyxpSEFBQSxtQkFBbUIsT0FBQSIsInNvdXJjZXNDb250ZW50IjpbImV4cG9ydCAqIGZyb20gJy4uL3Byb3h5LWFnZW50JztcbmV4cG9ydCAqIGZyb20gJy4uL3Nkayc7XG5leHBvcnQgKiBmcm9tICcuLi9zZGstcHJvdmlkZXInO1xuZXhwb3J0ICogZnJvbSAnLi4vc2RrLWxvZ2dlcic7XG5cbi8vIHRlbXBvcmFyeSB0ZXN0aW5nIGV4cG9ydHNcbmV4cG9ydCB7IEFjY291bnRBY2Nlc3NLZXlDYWNoZSB9IGZyb20gJy4uL2FjY291bnQtY2FjaGUnO1xuZXhwb3J0IHsgY2FjaGVkIH0gZnJvbSAnLi4vY2FjaGVkJztcbmV4cG9ydCB7IEF3c0NsaUNvbXBhdGlibGUgfSBmcm9tICcuLi9hd3NjbGktY29tcGF0aWJsZSc7XG5leHBvcnQgeyBzZXRTZGtUcmFjaW5nIH0gZnJvbSAnLi4vdHJhY2luZyc7XG5leHBvcnQgeyBDcmVkZW50aWFsUGx1Z2lucyB9IGZyb20gJy4uL2NyZWRlbnRpYWwtcGx1Z2lucyc7XG5leHBvcnQgeyBjcmVkZW50aWFsc0Fib3V0VG9FeHBpcmUgfSBmcm9tICcuLi9wcm92aWRlci1jYWNoaW5nJztcbmV4cG9ydCB7IGRlZmF1bHRDbGlVc2VyQWdlbnQgfSBmcm9tICcuLi91c2VyLWFnZW50JztcbiJdfQ==

package/lib/api/aws-auth/provider-caching.d.ts

@@ -0,0 +1,13 @@
+import type { AwsCredentialIdentity, AwsCredentialIdentityProvider } from '@smithy/types';
+/**
+ * Wrap a credential provider in a cache
+ *
+ * Some credential providers in the SDKv3 are cached (the default Node
+ * chain, specifically) but most others are not.
+ *
+ * Since we want to avoid duplicate calls to `AssumeRole`, or duplicate
+ * MFA prompts or what have you, we are going to liberally wrap providers
+ * in caches which will return the cached value until it expires.
+ */
+export declare function makeCachingProvider(provider: AwsCredentialIdentityProvider): AwsCredentialIdentityProvider;
+export declare function credentialsAboutToExpire(token: AwsCredentialIdentity): boolean;