@aws-cdk/toolkit-lib 0.3.2 → 0.3.4

package/lib/api/aws-auth/account-cache.js

@@ -0,0 +1,108 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccountAccessKeyCache = void 0;
+const path = require("path");
+const fs = require("fs-extra");
+const util_1 = require("../../util");
+/**
+ * Disk cache which maps access key IDs to account IDs.
+ * Usage:
+ *   cache.get(accessKey) => accountId | undefined
+ *   cache.put(accessKey, accountId)
+ */
+class AccountAccessKeyCache {
+    /**
+     * Max number of entries in the cache, after which the cache will be reset.
+     */
+    static MAX_ENTRIES = 1000;
+    /**
+     * The default path used for the accounts access key cache
+     */
+    static get DEFAULT_PATH() {
+        // needs to be a getter because cdkCacheDir can be set via env variable and might change
+        return path.join((0, util_1.cdkCacheDir)(), 'accounts_partitions.json');
+    }
+    cacheFile;
+    debug;
+    /**
+     * @param filePath Path to the cache file
+     */
+    constructor(filePath = AccountAccessKeyCache.DEFAULT_PATH, debugFn) {
+        this.cacheFile = filePath;
+        this.debug = debugFn;
+    }
+    /**
+     * Tries to fetch the account ID from cache. If it's not in the cache, invokes
+     * the resolver function which should retrieve the account ID and return it.
+     * Then, it will be stored into disk cache returned.
+     *
+     * Example:
+     *
+     *    const accountId = cache.fetch(accessKey, async () => {
+     *      return await fetchAccountIdFromSomewhere(accessKey);
+     *    });
+     */
+    async fetch(accessKeyId, resolver) {
+        // try to get account ID based on this access key ID from disk.
+        const cached = await this.get(accessKeyId);
+        if (cached) {
+            await this.debug(`Retrieved account ID ${cached.accountId} from disk cache`);
+            return cached;
+        }
+        // if it's not in the cache, resolve and put in cache.
+        const account = await resolver();
+        if (account) {
+            await this.put(accessKeyId, account);
+        }
+        return account;
+    }
+    /** Get the account ID from an access key or undefined if not in cache */
+    async get(accessKeyId) {
+        const map = await this.loadMap();
+        return map[accessKeyId];
+    }
+    /** Put a mapping between access key and account ID */
+    async put(accessKeyId, account) {
+        let map = await this.loadMap();
+        // nuke cache if it's too big.
+        if (Object.keys(map).length >= AccountAccessKeyCache.MAX_ENTRIES) {
+            map = {};
+        }
+        map[accessKeyId] = account;
+        await this.saveMap(map);
+    }
+    async loadMap() {
+        try {
+            return await fs.readJson(this.cacheFile);
+        }
+        catch (e) {
+            // File doesn't exist or is not readable. This is a cache,
+            // pretend we successfully loaded an empty map.
+            if (e.code === 'ENOENT' || e.code === 'EACCES') {
+                return {};
+            }
+            // File is not JSON, could be corrupted because of concurrent writes.
+            // Again, an empty cache is fine.
+            if (e instanceof SyntaxError) {
+                return {};
+            }
+            throw e;
+        }
+    }
+    async saveMap(map) {
+        try {
+            await fs.ensureFile(this.cacheFile);
+            await fs.writeJson(this.cacheFile, map, { spaces: 2 });
+        }
+        catch (e) {
+            // File doesn't exist or file/dir isn't writable. This is a cache,
+            // if we can't write it then too bad.
+            if (e.code === 'ENOENT' || e.code === 'EACCES' || e.code === 'EROFS') {
+                return;
+            }
+            throw e;
+        }
+    }
+}
+exports.AccountAccessKeyCache = AccountAccessKeyCache;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNjb3VudC1jYWNoZS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbImFjY291bnQtY2FjaGUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsNkJBQTZCO0FBQzdCLCtCQUErQjtBQUUvQixxQ0FBeUM7QUFFekM7Ozs7O0dBS0c7QUFDSCxNQUFhLHFCQUFxQjtJQUNoQzs7T0FFRztJQUNJLE1BQU0sQ0FBVSxXQUFXLEdBQUcsSUFBSSxDQUFDO0lBRTFDOztPQUVHO0lBQ0ksTUFBTSxLQUFLLFlBQVk7UUFDNUIsd0ZBQXdGO1FBQ3hGLE9BQU8sSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFBLGtCQUFXLEdBQUUsRUFBRSwwQkFBMEIsQ0FBQyxDQUFDO0lBQzlELENBQUM7SUFFZ0IsU0FBUyxDQUFTO0lBRWxCLEtBQUssQ0FBaUM7SUFFdkQ7O09BRUc7SUFDSCxZQUFZLFdBQW1CLHFCQUFxQixDQUFDLFlBQVksRUFBRSxPQUF1QztRQUN4RyxJQUFJLENBQUMsU0FBUyxHQUFHLFFBQVEsQ0FBQztRQUMxQixJQUFJLENBQUMsS0FBSyxHQUFHLE9BQU8sQ0FBQztJQUN2QixDQUFDO0lBRUQ7Ozs7Ozs7Ozs7T0FVRztJQUNJLEtBQUssQ0FBQyxLQUFLLENBQW9CLFdBQW1CLEVBQUUsUUFBMEI7UUFDbkYsK0RBQStEO1FBQy9ELE1BQU0sTUFBTSxHQUFHLE1BQU0sSUFBSSxDQUFDLEdBQUcsQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUMzQyxJQUFJLE1BQU0sRUFBRSxDQUFDO1lBQ1gsTUFBTSxJQUFJLENBQUMsS0FBSyxDQUFDLHdCQUF3QixNQUFNLENBQUMsU0FBUyxrQkFBa0IsQ0FBQyxDQUFDO1lBQzdFLE9BQU8sTUFBTSxDQUFDO1FBQ2hCLENBQUM7UUFFRCxzREFBc0Q7UUFDdEQsTUFBTSxPQUFPLEdBQUcsTUFBTSxRQUFRLEVBQUUsQ0FBQztRQUNqQyxJQUFJLE9BQU8sRUFBRSxDQUFDO1lBQ1osTUFBTSxJQUFJLENBQUMsR0FBRyxDQUFDLFdBQVcsRUFBRSxPQUFPLENBQUMsQ0FBQztRQUN2QyxDQUFDO1FBRUQsT0FBTyxPQUFPLENBQUM7SUFDakIsQ0FBQztJQUVELHlFQUF5RTtJQUNsRSxLQUFLLENBQUMsR0FBRyxDQUFDLFdBQW1CO1FBQ2xDLE1BQU0sR0FBRyxHQUFHLE1BQU0sSUFBSSxDQUFDLE9BQU8sRUFBRSxDQUFDO1FBQ2pDLE9BQU8sR0FBRyxDQUFDLFdBQVcsQ0FBQyxDQUFDO0lBQzFCLENBQUM7SUFFRCxzREFBc0Q7SUFDL0MsS0FBSyxDQUFDLEdBQUcsQ0FBQyxXQUFtQixFQUFFLE9BQWdCO1FBQ3BELElBQUksR0FBRyxHQUFHLE1BQU0sSUFBSSxDQUFDLE9BQU8sRUFBRSxDQUFDO1FBRS9CLDhCQUE4QjtRQUM5QixJQUFJLE1BQU0sQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsTUFBTSxJQUFJLHFCQUFxQixDQUFDLFdBQVcsRUFBRSxDQUFDO1lBQ2pFLEdBQUcsR0FBRyxFQUFFLENBQUM7UUFDWCxDQUFDO1FBRUQsR0FBRyxDQUFDLFdBQVcsQ0FBQyxHQUFHLE9BQU8sQ0FBQztRQUMzQixNQUFNLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDMUIsQ0FBQztJQUVPLEtBQUssQ0FBQyxPQUFPO1FBQ25CLElBQUksQ0FBQztZQUNILE9BQU8sTUFBTSxFQUFFLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUMzQyxDQUFDO1FBQUMsT0FBTyxDQUFNLEVBQUUsQ0FBQztZQUNoQiwwREFBMEQ7WUFDMUQsK0NBQStDO1lBQy9DLElBQUksQ0FBQyxDQUFDLElBQUksS0FBSyxRQUFRLElBQUksQ0FBQyxDQUFDLElBQUksS0FBSyxRQUFRLEVBQUUsQ0FBQztnQkFDL0MsT0FBTyxFQUFFLENBQUM7WUFDWixDQUFDO1lBQ0QscUVBQXFFO1lBQ3JFLGlDQUFpQztZQUNqQyxJQUFJLENBQUMsWUFBWSxXQUFXLEVBQUUsQ0FBQztnQkFDN0IsT0FBTyxFQUFFLENBQUM7WUFDWixDQUFDO1lBQ0QsTUFBTSxDQUFDLENBQUM7UUFDVixDQUFDO0lBQ0gsQ0FBQztJQUVPLEtBQUssQ0FBQyxPQUFPLENBQUMsR0FBdUM7UUFDM0QsSUFBSSxDQUFDO1lBQ0gsTUFBTSxFQUFFLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsQ0FBQztZQUNwQyxNQUFNLEVBQUUsQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLFNBQVMsRUFBRSxHQUFHLEVBQUUsRUFBRSxNQUFNLEVBQUUsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUN6RCxDQUFDO1FBQUMsT0FBTyxDQUFNLEVBQUUsQ0FBQztZQUNoQixrRUFBa0U7WUFDbEUscUNBQXFDO1lBQ3JDLElBQUksQ0FBQyxDQUFDLElBQUksS0FBSyxRQUFRLElBQUksQ0FBQyxDQUFDLElBQUksS0FBSyxRQUFRLElBQUksQ0FBQyxDQUFDLElBQUksS0FBSyxPQUFPLEVBQUUsQ0FBQztnQkFDckUsT0FBTztZQUNULENBQUM7WUFDRCxNQUFNLENBQUMsQ0FBQztRQUNWLENBQUM7SUFDSCxDQUFDOztBQXZHSCxzREF3R0MiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgKiBhcyBwYXRoIGZyb20gJ3BhdGgnO1xuaW1wb3J0ICogYXMgZnMgZnJvbSAnZnMtZXh0cmEnO1xuaW1wb3J0IHR5cGUgeyBBY2NvdW50IH0gZnJvbSAnLi9zZGstcHJvdmlkZXInO1xuaW1wb3J0IHsgY2RrQ2FjaGVEaXIgfSBmcm9tICcuLi8uLi91dGlsJztcblxuLyoqXG4gKiBEaXNrIGNhY2hlIHdoaWNoIG1hcHMgYWNjZXNzIGtleSBJRHMgdG8gYWNjb3VudCBJRHMuXG4gKiBVc2FnZTpcbiAqICAgY2FjaGUuZ2V0KGFjY2Vzc0tleSkgPT4gYWNjb3VudElkIHwgdW5kZWZpbmVkXG4gKiAgIGNhY2hlLnB1dChhY2Nlc3NLZXksIGFjY291bnRJZClcbiAqL1xuZXhwb3J0IGNsYXNzIEFjY291bnRBY2Nlc3NLZXlDYWNoZSB7XG4gIC8qKlxuICAgKiBNYXggbnVtYmVyIG9mIGVudHJpZXMgaW4gdGhlIGNhY2hlLCBhZnRlciB3aGljaCB0aGUgY2FjaGUgd2lsbCBiZSByZXNldC5cbiAgICovXG4gIHB1YmxpYyBzdGF0aWMgcmVhZG9ubHkgTUFYX0VOVFJJRVMgPSAxMDAwO1xuXG4gIC8qKlxuICAgKiBUaGUgZGVmYXVsdCBwYXRoIHVzZWQgZm9yIHRoZSBhY2NvdW50cyBhY2Nlc3Mga2V5IGNhY2hlXG4gICAqL1xuICBwdWJsaWMgc3RhdGljIGdldCBERUZBVUxUX1BBVEgoKTogc3RyaW5nIHtcbiAgICAvLyBuZWVkcyB0byBiZSBhIGdldHRlciBiZWNhdXNlIGNka0NhY2hlRGlyIGNhbiBiZSBzZXQgdmlhIGVudiB2YXJpYWJsZSBhbmQgbWlnaHQgY2hhbmdlXG4gICAgcmV0dXJuIHBhdGguam9pbihjZGtDYWNoZURpcigpLCAnYWNjb3VudHNfcGFydGl0aW9ucy5qc29uJyk7XG4gIH1cblxuICBwcml2YXRlIHJlYWRvbmx5IGNhY2hlRmlsZTogc3RyaW5nO1xuXG4gIHByaXZhdGUgcmVhZG9ubHkgZGVidWc6IChtc2c6IHN0cmluZykgPT4gUHJvbWlzZTx2b2lkPjtcblxuICAvKipcbiAgICogQHBhcmFtIGZpbGVQYXRoIFBhdGggdG8gdGhlIGNhY2hlIGZpbGVcbiAgICovXG4gIGNvbnN0cnVjdG9yKGZpbGVQYXRoOiBzdHJpbmcgPSBBY2NvdW50QWNjZXNzS2V5Q2FjaGUuREVGQVVMVF9QQVRILCBkZWJ1Z0ZuOiAobXNnOiBzdHJpbmcpID0+IFByb21pc2U8dm9pZD4pIHtcbiAgICB0aGlzLmNhY2hlRmlsZSA9IGZpbGVQYXRoO1xuICAgIHRoaXMuZGVidWcgPSBkZWJ1Z0ZuO1xuICB9XG5cbiAgLyoqXG4gICAqIFRyaWVzIHRvIGZldGNoIHRoZSBhY2NvdW50IElEIGZyb20gY2FjaGUuIElmIGl0J3Mgbm90IGluIHRoZSBjYWNoZSwgaW52b2tlc1xuICAgKiB0aGUgcmVzb2x2ZXIgZnVuY3Rpb24gd2hpY2ggc2hvdWxkIHJldHJpZXZlIHRoZSBhY2NvdW50IElEIGFuZCByZXR1cm4gaXQuXG4gICAqIFRoZW4sIGl0IHdpbGwgYmUgc3RvcmVkIGludG8gZGlzayBjYWNoZSByZXR1cm5lZC5cbiAgICpcbiAgICogRXhhbXBsZTpcbiAgICpcbiAgICogICAgY29uc3QgYWNjb3VudElkID0gY2FjaGUuZmV0Y2goYWNjZXNzS2V5LCBhc3luYyAoKSA9PiB7XG4gICAqICAgICAgcmV0dXJuIGF3YWl0IGZldGNoQWNjb3VudElkRnJvbVNvbWV3aGVyZShhY2Nlc3NLZXkpO1xuICAgKiAgICB9KTtcbiAgICovXG4gIHB1YmxpYyBhc3luYyBmZXRjaDxBIGV4dGVuZHMgQWNjb3VudD4oYWNjZXNzS2V5SWQ6IHN0cmluZywgcmVzb2x2ZXI6ICgpID0+IFByb21pc2U8QT4pIHtcbiAgICAvLyB0cnkgdG8gZ2V0IGFjY291bnQgSUQgYmFzZWQgb24gdGhpcyBhY2Nlc3Mga2V5IElEIGZyb20gZGlzay5cbiAgICBjb25zdCBjYWNoZWQgPSBhd2FpdCB0aGlzLmdldChhY2Nlc3NLZXlJZCk7XG4gICAgaWYgKGNhY2hlZCkge1xuICAgICAgYXdhaXQgdGhpcy5kZWJ1ZyhgUmV0cmlldmVkIGFjY291bnQgSUQgJHtjYWNoZWQuYWNjb3VudElkfSBmcm9tIGRpc2sgY2FjaGVgKTtcbiAgICAgIHJldHVybiBjYWNoZWQ7XG4gICAgfVxuXG4gICAgLy8gaWYgaXQncyBub3QgaW4gdGhlIGNhY2hlLCByZXNvbHZlIGFuZCBwdXQgaW4gY2FjaGUuXG4gICAgY29uc3QgYWNjb3VudCA9IGF3YWl0IHJlc29sdmVyKCk7XG4gICAgaWYgKGFjY291bnQpIHtcbiAgICAgIGF3YWl0IHRoaXMucHV0KGFjY2Vzc0tleUlkLCBhY2NvdW50KTtcbiAgICB9XG5cbiAgICByZXR1cm4gYWNjb3VudDtcbiAgfVxuXG4gIC8qKiBHZXQgdGhlIGFjY291bnQgSUQgZnJvbSBhbiBhY2Nlc3Mga2V5IG9yIHVuZGVmaW5lZCBpZiBub3QgaW4gY2FjaGUgKi9cbiAgcHVibGljIGFzeW5jIGdldChhY2Nlc3NLZXlJZDogc3RyaW5nKTogUHJvbWlzZTxBY2NvdW50IHwgdW5kZWZpbmVkPiB7XG4gICAgY29uc3QgbWFwID0gYXdhaXQgdGhpcy5sb2FkTWFwKCk7XG4gICAgcmV0dXJuIG1hcFthY2Nlc3NLZXlJZF07XG4gIH1cblxuICAvKiogUHV0IGEgbWFwcGluZyBiZXR3ZWVuIGFjY2VzcyBrZXkgYW5kIGFjY291bnQgSUQgKi9cbiAgcHVibGljIGFzeW5jIHB1dChhY2Nlc3NLZXlJZDogc3RyaW5nLCBhY2NvdW50OiBBY2NvdW50KSB7XG4gICAgbGV0IG1hcCA9IGF3YWl0IHRoaXMubG9hZE1hcCgpO1xuXG4gICAgLy8gbnVrZSBjYWNoZSBpZiBpdCdzIHRvbyBiaWcuXG4gICAgaWYgKE9iamVjdC5rZXlzKG1hcCkubGVuZ3RoID49IEFjY291bnRBY2Nlc3NLZXlDYWNoZS5NQVhfRU5UUklFUykge1xuICAgICAgbWFwID0ge307XG4gICAgfVxuXG4gICAgbWFwW2FjY2Vzc0tleUlkXSA9IGFjY291bnQ7XG4gICAgYXdhaXQgdGhpcy5zYXZlTWFwKG1hcCk7XG4gIH1cblxuICBwcml2YXRlIGFzeW5jIGxvYWRNYXAoKTogUHJvbWlzZTx7IFthY2Nlc3NLZXlJZDogc3RyaW5nXTogQWNjb3VudCB9PiB7XG4gICAgdHJ5IHtcbiAgICAgIHJldHVybiBhd2FpdCBmcy5yZWFkSnNvbih0aGlzLmNhY2hlRmlsZSk7XG4gICAgfSBjYXRjaCAoZTogYW55KSB7XG4gICAgICAvLyBGaWxlIGRvZXNuJ3QgZXhpc3Qgb3IgaXMgbm90IHJlYWRhYmxlLiBUaGlzIGlzIGEgY2FjaGUsXG4gICAgICAvLyBwcmV0ZW5kIHdlIHN1Y2Nlc3NmdWxseSBsb2FkZWQgYW4gZW1wdHkgbWFwLlxuICAgICAgaWYgKGUuY29kZSA9PT0gJ0VOT0VOVCcgfHwgZS5jb2RlID09PSAnRUFDQ0VTJykge1xuICAgICAgICByZXR1cm4ge307XG4gICAgICB9XG4gICAgICAvLyBGaWxlIGlzIG5vdCBKU09OLCBjb3VsZCBiZSBjb3JydXB0ZWQgYmVjYXVzZSBvZiBjb25jdXJyZW50IHdyaXRlcy5cbiAgICAgIC8vIEFnYWluLCBhbiBlbXB0eSBjYWNoZSBpcyBmaW5lLlxuICAgICAgaWYgKGUgaW5zdGFuY2VvZiBTeW50YXhFcnJvcikge1xuICAgICAgICByZXR1cm4ge307XG4gICAgICB9XG4gICAgICB0aHJvdyBlO1xuICAgIH1cbiAgfVxuXG4gIHByaXZhdGUgYXN5bmMgc2F2ZU1hcChtYXA6IHsgW2FjY2Vzc0tleUlkOiBzdHJpbmddOiBBY2NvdW50IH0pIHtcbiAgICB0cnkge1xuICAgICAgYXdhaXQgZnMuZW5zdXJlRmlsZSh0aGlzLmNhY2hlRmlsZSk7XG4gICAgICBhd2FpdCBmcy53cml0ZUpzb24odGhpcy5jYWNoZUZpbGUsIG1hcCwgeyBzcGFjZXM6IDIgfSk7XG4gICAgfSBjYXRjaCAoZTogYW55KSB7XG4gICAgICAvLyBGaWxlIGRvZXNuJ3QgZXhpc3Qgb3IgZmlsZS9kaXIgaXNuJ3Qgd3JpdGFibGUuIFRoaXMgaXMgYSBjYWNoZSxcbiAgICAgIC8vIGlmIHdlIGNhbid0IHdyaXRlIGl0IHRoZW4gdG9vIGJhZC5cbiAgICAgIGlmIChlLmNvZGUgPT09ICdFTk9FTlQnIHx8IGUuY29kZSA9PT0gJ0VBQ0NFUycgfHwgZS5jb2RlID09PSAnRVJPRlMnKSB7XG4gICAgICAgIHJldHVybjtcbiAgICAgIH1cbiAgICAgIHRocm93IGU7XG4gICAgfVxuICB9XG59XG4iXX0=

package/lib/api/aws-auth/awscli-compatible.d.ts

@@ -0,0 +1,70 @@
+import type { NodeHttpHandlerOptions } from '@smithy/node-http-handler';
+import type { AwsCredentialIdentityProvider, Logger } from '@smithy/types';
+import type { SdkHttpOptions } from './types';
+import { type IoHelper } from '../io/private';
+/**
+ * Behaviors to match AWS CLI
+ *
+ * See these links:
+ *
+ * https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
+ * https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+ */
+export declare class AwsCliCompatible {
+    private readonly ioHelper;
+    private readonly requestHandler;
+    private readonly logger?;
+    constructor(ioHelper: IoHelper, requestHandler: NodeHttpHandlerOptions, logger?: Logger);
+    baseConfig(profile?: string): Promise<{
+        credentialProvider: AwsCredentialIdentityProvider;
+        defaultRegion: string;
+    }>;
+    /**
+     * Build an AWS CLI-compatible credential chain provider
+     *
+     * The credential chain returned by this function is always caching.
+     */
+    credentialChainBuilder(options?: CredentialChainOptions): Promise<AwsCredentialIdentityProvider>;
+    /**
+     * Attempts to get the region from a number of sources and falls back to us-east-1 if no region can be found,
+     * as is done in the AWS CLI.
+     *
+     * The order of priority is the following:
+     *
+     * 1. Environment variables specifying region, with both an AWS prefix and AMAZON prefix
+     *    to maintain backwards compatibility, and without `DEFAULT` in the name because
+     *    Lambda and CodeBuild set the $AWS_REGION variable.
+     * 2. Regions listed in the Shared Ini Files - First checking for the profile provided
+     *    and then checking for the default profile.
+     * 3. IMDS instance identity region from the Metadata Service.
+     * 4. us-east-1
+     */
+    region(maybeProfile?: string): Promise<string>;
+    /**
+     * The MetadataService class will attempt to fetch the instance identity document from
+     * IMDSv2 first, and then will attempt v1 as a fallback.
+     *
+     * If this fails, we will use us-east-1 as the region so no error should be thrown.
+     * @returns The region for the instance identity
+     */
+    private regionFromMetadataService;
+    /**
+     * Looks up the region of the provided profile. If no region is present,
+     * it will attempt to lookup the default region.
+     * @param profile The profile to use to lookup the region
+     * @returns The region for the profile or default profile, if present. Otherwise returns undefined.
+     */
+    private getRegionFromIni;
+    private getRegionFromIniFile;
+    /**
+     * Ask user for MFA token for given serial
+     *
+     * Result is send to callback function for SDK to authorize the request
+     */
+    private tokenCodeFn;
+}
+export interface CredentialChainOptions {
+    readonly profile?: string;
+    readonly logger?: Logger;
+}
+export declare function makeRequestHandler(ioHelper: IoHelper, options?: SdkHttpOptions): Promise<NodeHttpHandlerOptions>;

package/lib/api/aws-auth/awscli-compatible.js

@@ -0,0 +1,250 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AwsCliCompatible = void 0;
+exports.makeRequestHandler = makeRequestHandler;
+const node_util_1 = require("node:util");
+const credential_providers_1 = require("@aws-sdk/credential-providers");
+const ec2_metadata_service_1 = require("@aws-sdk/ec2-metadata-service");
+const shared_ini_file_loader_1 = require("@smithy/shared-ini-file-loader");
+const promptly = require("promptly");
+const provider_caching_1 = require("./provider-caching");
+const proxy_agent_1 = require("./proxy-agent");
+const toolkit_error_1 = require("../../toolkit/toolkit-error");
+const private_1 = require("../io/private");
+const DEFAULT_CONNECTION_TIMEOUT = 10000;
+const DEFAULT_TIMEOUT = 300000;
+/**
+ * Behaviors to match AWS CLI
+ *
+ * See these links:
+ *
+ * https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
+ * https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+ */
+class AwsCliCompatible {
+    ioHelper;
+    requestHandler;
+    logger;
+    constructor(ioHelper, requestHandler, logger) {
+        this.ioHelper = ioHelper;
+        this.requestHandler = requestHandler;
+        this.logger = logger;
+    }
+    async baseConfig(profile) {
+        const credentialProvider = await this.credentialChainBuilder({
+            profile,
+            logger: this.logger,
+        });
+        const defaultRegion = await this.region(profile);
+        return { credentialProvider, defaultRegion };
+    }
+    /**
+     * Build an AWS CLI-compatible credential chain provider
+     *
+     * The credential chain returned by this function is always caching.
+     */
+    async credentialChainBuilder(options = {}) {
+        const clientConfig = {
+            requestHandler: this.requestHandler,
+            customUserAgent: 'aws-cdk',
+            logger: options.logger,
+        };
+        // Super hacky solution to https://github.com/aws/aws-cdk/issues/32510, proposed by the SDK team.
+        //
+        // Summary of the problem: we were reading the region from the config file and passing it to
+        // the credential providers. However, in the case of SSO, this makes the credential provider
+        // use that region to do the SSO flow, which is incorrect. The region that should be used for
+        // that is the one set in the sso_session section of the config file.
+        //
+        // The idea here: the "clientConfig" is for configuring the inner auth client directly,
+        // and has the highest priority, whereas "parentClientConfig" is the upper data client
+        // and has lower priority than the sso_region but still higher priority than STS global region.
+        const parentClientConfig = {
+            region: await this.region(options.profile),
+        };
+        /**
+         * The previous implementation matched AWS CLI behavior:
+         *
+         * If a profile is explicitly set using `--profile`,
+         * we use that to the exclusion of everything else.
+         *
+         * Note: this does not apply to AWS_PROFILE,
+         * environment credentials still take precedence over AWS_PROFILE
+         */
+        if (options.profile) {
+            return (0, provider_caching_1.makeCachingProvider)((0, credential_providers_1.fromIni)({
+                profile: options.profile,
+                ignoreCache: true,
+                mfaCodeProvider: this.tokenCodeFn.bind(this),
+                clientConfig,
+                parentClientConfig,
+                logger: options.logger,
+            }));
+        }
+        const envProfile = process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE;
+        /**
+         * Env AWS - EnvironmentCredentials with string AWS
+         * Env Amazon - EnvironmentCredentials with string AMAZON
+         * Profile Credentials - PatchedSharedIniFileCredentials with implicit profile, credentials file, http options, and token fn
+         *    SSO with implicit profile only
+         *    SharedIniFileCredentials with implicit profile and preferStaticCredentials true (profile with source_profile)
+         *    Shared Credential file that points to Environment Credentials with AWS prefix
+         *    Shared Credential file that points to EC2 Metadata
+         *    Shared Credential file that points to ECS Credentials
+         * SSO Credentials - SsoCredentials with implicit profile and http options
+         * ProcessCredentials with implicit profile
+         * ECS Credentials - ECSCredentials with no input OR Web Identity - TokenFileWebIdentityCredentials with no input OR EC2 Metadata - EC2MetadataCredentials with no input
+         *
+         * These translate to:
+         * fromEnv()
+         * fromSSO()/fromIni()
+         * fromProcess()
+         * fromContainerMetadata()
+         * fromTokenFile()
+         * fromInstanceMetadata()
+         *
+         * The NodeProviderChain is already cached.
+         */
+        const nodeProviderChain = (0, credential_providers_1.fromNodeProviderChain)({
+            profile: envProfile,
+            clientConfig,
+            parentClientConfig,
+            logger: options.logger,
+            mfaCodeProvider: this.tokenCodeFn.bind(this),
+            ignoreCache: true,
+        });
+        return shouldPrioritizeEnv()
+            ? (0, credential_providers_1.createCredentialChain)((0, credential_providers_1.fromEnv)(), nodeProviderChain).expireAfter(60 * 60_000)
+            : nodeProviderChain;
+    }
+    /**
+     * Attempts to get the region from a number of sources and falls back to us-east-1 if no region can be found,
+     * as is done in the AWS CLI.
+     *
+     * The order of priority is the following:
+     *
+     * 1. Environment variables specifying region, with both an AWS prefix and AMAZON prefix
+     *    to maintain backwards compatibility, and without `DEFAULT` in the name because
+     *    Lambda and CodeBuild set the $AWS_REGION variable.
+     * 2. Regions listed in the Shared Ini Files - First checking for the profile provided
+     *    and then checking for the default profile.
+     * 3. IMDS instance identity region from the Metadata Service.
+     * 4. us-east-1
+     */
+    async region(maybeProfile) {
+        const defaultRegion = 'us-east-1';
+        const profile = maybeProfile || process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || 'default';
+        const region = process.env.AWS_REGION ||
+            process.env.AMAZON_REGION ||
+            process.env.AWS_DEFAULT_REGION ||
+            process.env.AMAZON_DEFAULT_REGION ||
+            (await this.getRegionFromIni(profile)) ||
+            (await this.regionFromMetadataService());
+        if (!region) {
+            const usedProfile = !profile ? '' : ` (profile: "${profile}")`;
+            await this.ioHelper.notify(private_1.IO.DEFAULT_SDK_DEBUG.msg(`Unable to determine AWS region from environment or AWS configuration${usedProfile}, defaulting to '${defaultRegion}'`));
+            return defaultRegion;
+        }
+        return region;
+    }
+    /**
+     * The MetadataService class will attempt to fetch the instance identity document from
+     * IMDSv2 first, and then will attempt v1 as a fallback.
+     *
+     * If this fails, we will use us-east-1 as the region so no error should be thrown.
+     * @returns The region for the instance identity
+     */
+    async regionFromMetadataService() {
+        await this.ioHelper.notify(private_1.IO.DEFAULT_SDK_DEBUG.msg('Looking up AWS region in the EC2 Instance Metadata Service (IMDS).'));
+        try {
+            const metadataService = new ec2_metadata_service_1.MetadataService({
+                httpOptions: {
+                    timeout: 1000,
+                },
+            });
+            await metadataService.fetchMetadataToken();
+            const document = await metadataService.request('/latest/dynamic/instance-identity/document', {});
+            return JSON.parse(document).region;
+        }
+        catch (e) {
+            await this.ioHelper.notify(private_1.IO.DEFAULT_SDK_DEBUG.msg(`Unable to retrieve AWS region from IMDS: ${e}`));
+        }
+    }
+    /**
+     * Looks up the region of the provided profile. If no region is present,
+     * it will attempt to lookup the default region.
+     * @param profile The profile to use to lookup the region
+     * @returns The region for the profile or default profile, if present. Otherwise returns undefined.
+     */
+    async getRegionFromIni(profile) {
+        const sharedFiles = await (0, shared_ini_file_loader_1.loadSharedConfigFiles)({ ignoreCache: true });
+        // Priority:
+        //
+        // credentials come before config because aws-cli v1 behaves like that.
+        //
+        // 1. profile-region-in-credentials
+        // 2. profile-region-in-config
+        // 3. default-region-in-credentials
+        // 4. default-region-in-config
+        return this.getRegionFromIniFile(profile, sharedFiles.credentialsFile)
+            ?? this.getRegionFromIniFile(profile, sharedFiles.configFile)
+            ?? this.getRegionFromIniFile('default', sharedFiles.credentialsFile)
+            ?? this.getRegionFromIniFile('default', sharedFiles.configFile);
+    }
+    getRegionFromIniFile(profile, data) {
+        return data?.[profile]?.region;
+    }
+    /**
+     * Ask user for MFA token for given serial
+     *
+     * Result is send to callback function for SDK to authorize the request
+     */
+    async tokenCodeFn(serialArn) {
+        const debugFn = (msg, ...args) => this.ioHelper.notify(private_1.IO.DEFAULT_SDK_DEBUG.msg((0, node_util_1.format)(msg, ...args)));
+        await debugFn('Require MFA token for serial ARN', serialArn);
+        try {
+            const token = await promptly.prompt(`MFA token for ${serialArn}: `, {
+                trim: true,
+                default: '',
+            });
+            await debugFn('Successfully got MFA token from user');
+            return token;
+        }
+        catch (err) {
+            await debugFn('Failed to get MFA token', err);
+            const e = new toolkit_error_1.AuthenticationError(`Error fetching MFA token: ${err.message ?? err}`);
+            e.name = 'SharedIniFileCredentialsProviderFailure';
+            throw e;
+        }
+    }
+}
+exports.AwsCliCompatible = AwsCliCompatible;
+/**
+ * We used to support both AWS and AMAZON prefixes for these environment variables.
+ *
+ * Adding this for backward compatibility.
+ */
+function shouldPrioritizeEnv() {
+    const id = process.env.AWS_ACCESS_KEY_ID || process.env.AMAZON_ACCESS_KEY_ID;
+    const key = process.env.AWS_SECRET_ACCESS_KEY || process.env.AMAZON_SECRET_ACCESS_KEY;
+    if (!!id && !!key) {
+        process.env.AWS_ACCESS_KEY_ID = id;
+        process.env.AWS_SECRET_ACCESS_KEY = key;
+        const sessionToken = process.env.AWS_SESSION_TOKEN ?? process.env.AMAZON_SESSION_TOKEN;
+        if (sessionToken) {
+            process.env.AWS_SESSION_TOKEN = sessionToken;
+        }
+        return true;
+    }
+    return false;
+}
+async function makeRequestHandler(ioHelper, options = {}) {
+    const agent = await new proxy_agent_1.ProxyAgentProvider(ioHelper).create(options);
+    return {
+        connectionTimeout: DEFAULT_CONNECTION_TIMEOUT,
+        requestTimeout: DEFAULT_TIMEOUT,
+        httpsAgent: agent,
+        httpAgent: agent,
+    };
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXdzY2xpLWNvbXBhdGlibGUuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJhd3NjbGktY29tcGF0aWJsZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFnUkEsZ0RBU0M7QUF6UkQseUNBQW1DO0FBQ25DLHdFQUErRztBQUMvRyx3RUFBZ0U7QUFFaEUsMkVBQXVFO0FBRXZFLHFDQUFxQztBQUNyQyx5REFBeUQ7QUFDekQsK0NBQW1EO0FBRW5ELCtEQUFrRTtBQUNsRSwyQ0FBa0Q7QUFFbEQsTUFBTSwwQkFBMEIsR0FBRyxLQUFLLENBQUM7QUFDekMsTUFBTSxlQUFlLEdBQUcsTUFBTSxDQUFDO0FBRS9COzs7Ozs7O0dBT0c7QUFDSCxNQUFhLGdCQUFnQjtJQUNWLFFBQVEsQ0FBVztJQUNuQixjQUFjLENBQXlCO0lBQ3ZDLE1BQU0sQ0FBVTtJQUVqQyxZQUFtQixRQUFrQixFQUFFLGNBQXNDLEVBQUUsTUFBZTtRQUM1RixJQUFJLENBQUMsUUFBUSxHQUFHLFFBQVEsQ0FBQztRQUN6QixJQUFJLENBQUMsY0FBYyxHQUFHLGNBQWMsQ0FBQztRQUNyQyxJQUFJLENBQUMsTUFBTSxHQUFHLE1BQU0sQ0FBQztJQUN2QixDQUFDO0lBRU0sS0FBSyxDQUFDLFVBQVUsQ0FBQyxPQUFnQjtRQUN0QyxNQUFNLGtCQUFrQixHQUFHLE1BQU0sSUFBSSxDQUFDLHNCQUFzQixDQUFDO1lBQzNELE9BQU87WUFDUCxNQUFNLEVBQUUsSUFBSSxDQUFDLE1BQU07U0FDcEIsQ0FBQyxDQUFDO1FBQ0gsTUFBTSxhQUFhLEdBQUcsTUFBTSxJQUFJLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQ2pELE9BQU8sRUFBRSxrQkFBa0IsRUFBRSxhQUFhLEVBQUUsQ0FBQztJQUMvQyxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLEtBQUssQ0FBQyxzQkFBc0IsQ0FDakMsVUFBa0MsRUFBRTtRQUVwQyxNQUFNLFlBQVksR0FBRztZQUNuQixjQUFjLEVBQUUsSUFBSSxDQUFDLGNBQWM7WUFDbkMsZUFBZSxFQUFFLFNBQVM7WUFDMUIsTUFBTSxFQUFFLE9BQU8sQ0FBQyxNQUFNO1NBQ3ZCLENBQUM7UUFFRixpR0FBaUc7UUFDakcsRUFBRTtRQUNGLDRGQUE0RjtRQUM1Riw0RkFBNEY7UUFDNUYsNkZBQTZGO1FBQzdGLHFFQUFxRTtRQUNyRSxFQUFFO1FBQ0YsdUZBQXVGO1FBQ3ZGLHNGQUFzRjtRQUN0RiwrRkFBK0Y7UUFDL0YsTUFBTSxrQkFBa0IsR0FBRztZQUN6QixNQUFNLEVBQUUsTUFBTSxJQUFJLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUM7U0FDM0MsQ0FBQztRQUNGOzs7Ozs7OztXQVFHO1FBQ0gsSUFBSSxPQUFPLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDcEIsT0FBTyxJQUFBLHNDQUFtQixFQUFDLElBQUEsOEJBQU8sRUFBQztnQkFDakMsT0FBTyxFQUFFLE9BQU8sQ0FBQyxPQUFPO2dCQUN4QixXQUFXLEVBQUUsSUFBSTtnQkFDakIsZUFBZSxFQUFFLElBQUksQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQztnQkFDNUMsWUFBWTtnQkFDWixrQkFBa0I7Z0JBQ2xCLE1BQU0sRUFBRSxPQUFPLENBQUMsTUFBTTthQUN2QixDQUFDLENBQUMsQ0FBQztRQUNOLENBQUM7UUFFRCxNQUFNLFVBQVUsR0FBRyxPQUFPLENBQUMsR0FBRyxDQUFDLFdBQVcsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLG1CQUFtQixDQUFDO1FBRTlFOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O1dBc0JHO1FBQ0gsTUFBTSxpQkFBaUIsR0FBRyxJQUFBLDRDQUFxQixFQUFDO1lBQzlDLE9BQU8sRUFBRSxVQUFVO1lBQ25CLFlBQVk7WUFDWixrQkFBa0I7WUFDbEIsTUFBTSxFQUFFLE9BQU8sQ0FBQyxNQUFNO1lBQ3RCLGVBQWUsRUFBRSxJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUM7WUFDNUMsV0FBVyxFQUFFLElBQUk7U0FDbEIsQ0FBQyxDQUFDO1FBRUgsT0FBTyxtQkFBbUIsRUFBRTtZQUMxQixDQUFDLENBQUMsSUFBQSw0Q0FBcUIsRUFBQyxJQUFBLDhCQUFPLEdBQUUsRUFBRSxpQkFBaUIsQ0FBQyxDQUFDLFdBQVcsQ0FBQyxFQUFFLEdBQUcsTUFBTSxDQUFDO1lBQzlFLENBQUMsQ0FBQyxpQkFBaUIsQ0FBQztJQUN4QixDQUFDO0lBRUQ7Ozs7Ozs7Ozs7Ozs7T0FhRztJQUNJLEtBQUssQ0FBQyxNQUFNLENBQUMsWUFBcUI7UUFDdkMsTUFBTSxhQUFhLEdBQUcsV0FBVyxDQUFDO1FBQ2xDLE1BQU0sT0FBTyxHQUFHLFlBQVksSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLFdBQVcsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLG1CQUFtQixJQUFJLFNBQVMsQ0FBQztRQUV4RyxNQUFNLE1BQU0sR0FDVixPQUFPLENBQUMsR0FBRyxDQUFDLFVBQVU7WUFDdEIsT0FBTyxDQUFDLEdBQUcsQ0FBQyxhQUFhO1lBQ3pCLE9BQU8sQ0FBQyxHQUFHLENBQUMsa0JBQWtCO1lBQzlCLE9BQU8sQ0FBQyxHQUFHLENBQUMscUJBQXFCO1lBQ2pDLENBQUMsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLENBQUM7WUFDdEMsQ0FBQyxNQUFNLElBQUksQ0FBQyx5QkFBeUIsRUFBRSxDQUFDLENBQUM7UUFFM0MsSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ1osTUFBTSxXQUFXLEdBQUcsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsZUFBZSxPQUFPLElBQUksQ0FBQztZQUMvRCxNQUFNLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLFlBQUUsQ0FBQyxpQkFBaUIsQ0FBQyxHQUFHLENBQ2pELHVFQUF1RSxXQUFXLG9CQUFvQixhQUFhLEdBQUcsQ0FDdkgsQ0FBQyxDQUFDO1lBQ0gsT0FBTyxhQUFhLENBQUM7UUFDdkIsQ0FBQztRQUVELE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSyxLQUFLLENBQUMseUJBQXlCO1FBQ3JDLE1BQU0sSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsWUFBRSxDQUFDLGlCQUFpQixDQUFDLEdBQUcsQ0FBQyxvRUFBb0UsQ0FBQyxDQUFDLENBQUM7UUFDM0gsSUFBSSxDQUFDO1lBQ0gsTUFBTSxlQUFlLEdBQUcsSUFBSSxzQ0FBZSxDQUFDO2dCQUMxQyxXQUFXLEVBQUU7b0JBQ1gsT0FBTyxFQUFFLElBQUk7aUJBQ2Q7YUFDRixDQUFDLENBQUM7WUFFSCxNQUFNLGVBQWUsQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1lBQzNDLE1BQU0sUUFBUSxHQUFHLE1BQU0sZUFBZSxDQUFDLE9BQU8sQ0FBQyw0Q0FBNEMsRUFBRSxFQUFFLENBQUMsQ0FBQztZQUNqRyxPQUFPLElBQUksQ0FBQyxLQUFLLENBQUMsUUFBUSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ3JDLENBQUM7UUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1lBQ1gsTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxZQUFFLENBQUMsaUJBQWlCLENBQUMsR0FBRyxDQUFDLDRDQUE0QyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7UUFDeEcsQ0FBQztJQUNILENBQUM7SUFFRDs7Ozs7T0FLRztJQUNLLEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFlO1FBQzVDLE1BQU0sV0FBVyxHQUFHLE1BQU0sSUFBQSw4Q0FBcUIsRUFBQyxFQUFFLFdBQVcsRUFBRSxJQUFJLEVBQUUsQ0FBQyxDQUFDO1FBRXZFLFlBQVk7UUFDWixFQUFFO1FBQ0YsdUVBQXVFO1FBQ3ZFLEVBQUU7UUFDRixtQ0FBbUM7UUFDbkMsOEJBQThCO1FBQzlCLG1DQUFtQztRQUNuQyw4QkFBOEI7UUFFOUIsT0FBTyxJQUFJLENBQUMsb0JBQW9CLENBQUMsT0FBTyxFQUFFLFdBQVcsQ0FBQyxlQUFlLENBQUM7ZUFDbkUsSUFBSSxDQUFDLG9CQUFvQixDQUFDLE9BQU8sRUFBRSxXQUFXLENBQUMsVUFBVSxDQUFDO2VBQzFELElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxTQUFTLEVBQUUsV0FBVyxDQUFDLGVBQWUsQ0FBQztlQUNqRSxJQUFJLENBQUMsb0JBQW9CLENBQUMsU0FBUyxFQUFFLFdBQVcsQ0FBQyxVQUFVLENBQUMsQ0FBQztJQUNsRSxDQUFDO0lBRU8sb0JBQW9CLENBQUMsT0FBZSxFQUFFLElBQVU7UUFDdEQsT0FBTyxJQUFJLEVBQUUsQ0FBQyxPQUFPLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDakMsQ0FBQztJQUVEOzs7O09BSUc7SUFDSyxLQUFLLENBQUMsV0FBVyxDQUFDLFNBQWlCO1FBQ3pDLE1BQU0sT0FBTyxHQUFHLENBQUMsR0FBVyxFQUFFLEdBQUcsSUFBVyxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxZQUFFLENBQUMsaUJBQWlCLENBQUMsR0FBRyxDQUFDLElBQUEsa0JBQU0sRUFBQyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDdEgsTUFBTSxPQUFPLENBQUMsa0NBQWtDLEVBQUUsU0FBUyxDQUFDLENBQUM7UUFDN0QsSUFBSSxDQUFDO1lBQ0gsTUFBTSxLQUFLLEdBQVcsTUFBTSxRQUFRLENBQUMsTUFBTSxDQUFDLGlCQUFpQixTQUFTLElBQUksRUFBRTtnQkFDMUUsSUFBSSxFQUFFLElBQUk7Z0JBQ1YsT0FBTyxFQUFFLEVBQUU7YUFDWixDQUFDLENBQUM7WUFDSCxNQUFNLE9BQU8sQ0FBQyxzQ0FBc0MsQ0FBQyxDQUFDO1lBQ3RELE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztRQUFDLE9BQU8sR0FBUSxFQUFFLENBQUM7WUFDbEIsTUFBTSxPQUFPLENBQUMseUJBQXlCLEVBQUUsR0FBRyxDQUFDLENBQUM7WUFDOUMsTUFBTSxDQUFDLEdBQUcsSUFBSSxtQ0FBbUIsQ0FBQyw2QkFBNkIsR0FBRyxDQUFDLE9BQU8sSUFBSSxHQUFHLEVBQUUsQ0FBQyxDQUFDO1lBQ3JGLENBQUMsQ0FBQyxJQUFJLEdBQUcseUNBQXlDLENBQUM7WUFDbkQsTUFBTSxDQUFDLENBQUM7UUFDVixDQUFDO0lBQ0gsQ0FBQztDQUNGO0FBek5ELDRDQXlOQztBQUVEOzs7O0dBSUc7QUFDSCxTQUFTLG1CQUFtQjtJQUMxQixNQUFNLEVBQUUsR0FBRyxPQUFPLENBQUMsR0FBRyxDQUFDLGlCQUFpQixJQUFJLE9BQU8sQ0FBQyxHQUFHLENBQUMsb0JBQW9CLENBQUM7SUFDN0UsTUFBTSxHQUFHLEdBQUcsT0FBTyxDQUFDLEdBQUcsQ0FBQyxxQkFBcUIsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLHdCQUF3QixDQUFDO0lBRXRGLElBQUksQ0FBQyxDQUFDLEVBQUUsSUFBSSxDQUFDLENBQUMsR0FBRyxFQUFFLENBQUM7UUFDbEIsT0FBTyxDQUFDLEdBQUcsQ0FBQyxpQkFBaUIsR0FBRyxFQUFFLENBQUM7UUFDbkMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxxQkFBcUIsR0FBRyxHQUFHLENBQUM7UUFFeEMsTUFBTSxZQUFZLEdBQUcsT0FBTyxDQUFDLEdBQUcsQ0FBQyxpQkFBaUIsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLG9CQUFvQixDQUFDO1FBQ3ZGLElBQUksWUFBWSxFQUFFLENBQUM7WUFDakIsT0FBTyxDQUFDLEdBQUcsQ0FBQyxpQkFBaUIsR0FBRyxZQUFZLENBQUM7UUFDL0MsQ0FBQztRQUVELE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUVELE9BQU8sS0FBSyxDQUFDO0FBQ2YsQ0FBQztBQU9NLEtBQUssVUFBVSxrQkFBa0IsQ0FBQyxRQUFrQixFQUFFLFVBQTBCLEVBQUU7SUFDdkYsTUFBTSxLQUFLLEdBQUcsTUFBTSxJQUFJLGdDQUFrQixDQUFDLFFBQVEsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUVyRSxPQUFPO1FBQ0wsaUJBQWlCLEVBQUUsMEJBQTBCO1FBQzdDLGNBQWMsRUFBRSxlQUFlO1FBQy9CLFVBQVUsRUFBRSxLQUFLO1FBQ2pCLFNBQVMsRUFBRSxLQUFLO0tBQ2pCLENBQUM7QUFDSixDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgZm9ybWF0IH0gZnJvbSAnbm9kZTp1dGlsJztcbmltcG9ydCB7IGNyZWF0ZUNyZWRlbnRpYWxDaGFpbiwgZnJvbUVudiwgZnJvbUluaSwgZnJvbU5vZGVQcm92aWRlckNoYWluIH0gZnJvbSAnQGF3cy1zZGsvY3JlZGVudGlhbC1wcm92aWRlcnMnO1xuaW1wb3J0IHsgTWV0YWRhdGFTZXJ2aWNlIH0gZnJvbSAnQGF3cy1zZGsvZWMyLW1ldGFkYXRhLXNlcnZpY2UnO1xuaW1wb3J0IHR5cGUgeyBOb2RlSHR0cEhhbmRsZXJPcHRpb25zIH0gZnJvbSAnQHNtaXRoeS9ub2RlLWh0dHAtaGFuZGxlcic7XG5pbXBvcnQgeyBsb2FkU2hhcmVkQ29uZmlnRmlsZXMgfSBmcm9tICdAc21pdGh5L3NoYXJlZC1pbmktZmlsZS1sb2FkZXInO1xuaW1wb3J0IHR5cGUgeyBBd3NDcmVkZW50aWFsSWRlbnRpdHlQcm92aWRlciwgTG9nZ2VyIH0gZnJvbSAnQHNtaXRoeS90eXBlcyc7XG5pbXBvcnQgKiBhcyBwcm9tcHRseSBmcm9tICdwcm9tcHRseSc7XG5pbXBvcnQgeyBtYWtlQ2FjaGluZ1Byb3ZpZGVyIH0gZnJvbSAnLi9wcm92aWRlci1jYWNoaW5nJztcbmltcG9ydCB7IFByb3h5QWdlbnRQcm92aWRlciB9IGZyb20gJy4vcHJveHktYWdlbnQnO1xuaW1wb3J0IHR5cGUgeyBTZGtIdHRwT3B0aW9ucyB9IGZyb20gJy4vdHlwZXMnO1xuaW1wb3J0IHsgQXV0aGVudGljYXRpb25FcnJvciB9IGZyb20gJy4uLy4uL3Rvb2xraXQvdG9vbGtpdC1lcnJvcic7XG5pbXBvcnQgeyBJTywgdHlwZSBJb0hlbHBlciB9IGZyb20gJy4uL2lvL3ByaXZhdGUnO1xuXG5jb25zdCBERUZBVUxUX0NPTk5FQ1RJT05fVElNRU9VVCA9IDEwMDAwO1xuY29uc3QgREVGQVVMVF9USU1FT1VUID0gMzAwMDAwO1xuXG4vKipcbiAqIEJlaGF2aW9ycyB0byBtYXRjaCBBV1MgQ0xJXG4gKlxuICogU2VlIHRoZXNlIGxpbmtzOlxuICpcbiAqIGh0dHBzOi8vZG9jcy5hd3MuYW1hem9uLmNvbS9jbGkvbGF0ZXN0L3RvcGljL2NvbmZpZy12YXJzLmh0bWxcbiAqIGh0dHBzOi8vZG9jcy5hd3MuYW1hem9uLmNvbS9jbGkvbGF0ZXN0L3VzZXJndWlkZS9jbGktY29uZmlndXJlLWVudnZhcnMuaHRtbFxuICovXG5leHBvcnQgY2xhc3MgQXdzQ2xpQ29tcGF0aWJsZSB7XG4gIHByaXZhdGUgcmVhZG9ubHkgaW9IZWxwZXI6IElvSGVscGVyO1xuICBwcml2YXRlIHJlYWRvbmx5IHJlcXVlc3RIYW5kbGVyOiBOb2RlSHR0cEhhbmRsZXJPcHRpb25zO1xuICBwcml2YXRlIHJlYWRvbmx5IGxvZ2dlcj86IExvZ2dlcjtcblxuICBwdWJsaWMgY29uc3RydWN0b3IoaW9IZWxwZXI6IElvSGVscGVyLCByZXF1ZXN0SGFuZGxlcjogTm9kZUh0dHBIYW5kbGVyT3B0aW9ucywgbG9nZ2VyPzogTG9nZ2VyKSB7XG4gICAgdGhpcy5pb0hlbHBlciA9IGlvSGVscGVyO1xuICAgIHRoaXMucmVxdWVzdEhhbmRsZXIgPSByZXF1ZXN0SGFuZGxlcjtcbiAgICB0aGlzLmxvZ2dlciA9IGxvZ2dlcjtcbiAgfVxuXG4gIHB1YmxpYyBhc3luYyBiYXNlQ29uZmlnKHByb2ZpbGU/OiBzdHJpbmcpOiBQcm9taXNlPHsgY3JlZGVudGlhbFByb3ZpZGVyOiBBd3NDcmVkZW50aWFsSWRlbnRpdHlQcm92aWRlcjsgZGVmYXVsdFJlZ2lvbjogc3RyaW5nIH0+IHtcbiAgICBjb25zdCBjcmVkZW50aWFsUHJvdmlkZXIgPSBhd2FpdCB0aGlzLmNyZWRlbnRpYWxDaGFpbkJ1aWxkZXIoe1xuICAgICAgcHJvZmlsZSxcbiAgICAgIGxvZ2dlcjogdGhpcy5sb2dnZXIsXG4gICAgfSk7XG4gICAgY29uc3QgZGVmYXVsdFJlZ2lvbiA9IGF3YWl0IHRoaXMucmVnaW9uKHByb2ZpbGUpO1xuICAgIHJldHVybiB7IGNyZWRlbnRpYWxQcm92aWRlciwgZGVmYXVsdFJlZ2lvbiB9O1xuICB9XG5cbiAgLyoqXG4gICAqIEJ1aWxkIGFuIEFXUyBDTEktY29tcGF0aWJsZSBjcmVkZW50aWFsIGNoYWluIHByb3ZpZGVyXG4gICAqXG4gICAqIFRoZSBjcmVkZW50aWFsIGNoYWluIHJldHVybmVkIGJ5IHRoaXMgZnVuY3Rpb24gaXMgYWx3YXlzIGNhY2hpbmcuXG4gICAqL1xuICBwdWJsaWMgYXN5bmMgY3JlZGVudGlhbENoYWluQnVpbGRlcihcbiAgICBvcHRpb25zOiBDcmVkZW50aWFsQ2hhaW5PcHRpb25zID0ge30sXG4gICk6IFByb21pc2U8QXdzQ3JlZGVudGlhbElkZW50aXR5UHJvdmlkZXI+IHtcbiAgICBjb25zdCBjbGllbnRDb25maWcgPSB7XG4gICAgICByZXF1ZXN0SGFuZGxlcjogdGhpcy5yZXF1ZXN0SGFuZGxlcixcbiAgICAgIGN1c3RvbVVzZXJBZ2VudDogJ2F3cy1jZGsnLFxuICAgICAgbG9nZ2VyOiBvcHRpb25zLmxvZ2dlcixcbiAgICB9O1xuXG4gICAgLy8gU3VwZXIgaGFja3kgc29sdXRpb24gdG8gaHR0cHM6Ly9naXRodWIuY29tL2F3cy9hd3MtY2RrL2lzc3Vlcy8zMjUxMCwgcHJvcG9zZWQgYnkgdGhlIFNESyB0ZWFtLlxuICAgIC8vXG4gICAgLy8gU3VtbWFyeSBvZiB0aGUgcHJvYmxlbTogd2Ugd2VyZSByZWFkaW5nIHRoZSByZWdpb24gZnJvbSB0aGUgY29uZmlnIGZpbGUgYW5kIHBhc3NpbmcgaXQgdG9cbiAgICAvLyB0aGUgY3JlZGVudGlhbCBwcm92aWRlcnMuIEhvd2V2ZXIsIGluIHRoZSBjYXNlIG9mIFNTTywgdGhpcyBtYWtlcyB0aGUgY3JlZGVudGlhbCBwcm92aWRlclxuICAgIC8vIHVzZSB0aGF0IHJlZ2lvbiB0byBkbyB0aGUgU1NPIGZsb3csIHdoaWNoIGlzIGluY29ycmVjdC4gVGhlIHJlZ2lvbiB0aGF0IHNob3VsZCBiZSB1c2VkIGZvclxuICAgIC8vIHRoYXQgaXMgdGhlIG9uZSBzZXQgaW4gdGhlIHNzb19zZXNzaW9uIHNlY3Rpb24gb2YgdGhlIGNvbmZpZyBmaWxlLlxuICAgIC8vXG4gICAgLy8gVGhlIGlkZWEgaGVyZTogdGhlIFwiY2xpZW50Q29uZmlnXCIgaXMgZm9yIGNvbmZpZ3VyaW5nIHRoZSBpbm5lciBhdXRoIGNsaWVudCBkaXJlY3RseSxcbiAgICAvLyBhbmQgaGFzIHRoZSBoaWdoZXN0IHByaW9yaXR5LCB3aGVyZWFzIFwicGFyZW50Q2xpZW50Q29uZmlnXCIgaXMgdGhlIHVwcGVyIGRhdGEgY2xpZW50XG4gICAgLy8gYW5kIGhhcyBsb3dlciBwcmlvcml0eSB0aGFuIHRoZSBzc29fcmVnaW9uIGJ1dCBzdGlsbCBoaWdoZXIgcHJpb3JpdHkgdGhhbiBTVFMgZ2xvYmFsIHJlZ2lvbi5cbiAgICBjb25zdCBwYXJlbnRDbGllbnRDb25maWcgPSB7XG4gICAgICByZWdpb246IGF3YWl0IHRoaXMucmVnaW9uKG9wdGlvbnMucHJvZmlsZSksXG4gICAgfTtcbiAgICAvKipcbiAgICAgKiBUaGUgcHJldmlvdXMgaW1wbGVtZW50YXRpb24gbWF0Y2hlZCBBV1MgQ0xJIGJlaGF2aW9yOlxuICAgICAqXG4gICAgICogSWYgYSBwcm9maWxlIGlzIGV4cGxpY2l0bHkgc2V0IHVzaW5nIGAtLXByb2ZpbGVgLFxuICAgICAqIHdlIHVzZSB0aGF0IHRvIHRoZSBleGNsdXNpb24gb2YgZXZlcnl0aGluZyBlbHNlLlxuICAgICAqXG4gICAgICogTm90ZTogdGhpcyBkb2VzIG5vdCBhcHBseSB0byBBV1NfUFJPRklMRSxcbiAgICAgKiBlbnZpcm9ubWVudCBjcmVkZW50aWFscyBzdGlsbCB0YWtlIHByZWNlZGVuY2Ugb3ZlciBBV1NfUFJPRklMRVxuICAgICAqL1xuICAgIGlmIChvcHRpb25zLnByb2ZpbGUpIHtcbiAgICAgIHJldHVybiBtYWtlQ2FjaGluZ1Byb3ZpZGVyKGZyb21Jbmkoe1xuICAgICAgICBwcm9maWxlOiBvcHRpb25zLnByb2ZpbGUsXG4gICAgICAgIGlnbm9yZUNhY2hlOiB0cnVlLFxuICAgICAgICBtZmFDb2RlUHJvdmlkZXI6IHRoaXMudG9rZW5Db2RlRm4uYmluZCh0aGlzKSxcbiAgICAgICAgY2xpZW50Q29uZmlnLFxuICAgICAgICBwYXJlbnRDbGllbnRDb25maWcsXG4gICAgICAgIGxvZ2dlcjogb3B0aW9ucy5sb2dnZXIsXG4gICAgICB9KSk7XG4gICAgfVxuXG4gICAgY29uc3QgZW52UHJvZmlsZSA9IHByb2Nlc3MuZW52LkFXU19QUk9GSUxFIHx8IHByb2Nlc3MuZW52LkFXU19ERUZBVUxUX1BST0ZJTEU7XG5cbiAgICAvKipcbiAgICAgKiBFbnYgQVdTIC0gRW52aXJvbm1lbnRDcmVkZW50aWFscyB3aXRoIHN0cmluZyBBV1NcbiAgICAgKiBFbnYgQW1hem9uIC0gRW52aXJvbm1lbnRDcmVkZW50aWFscyB3aXRoIHN0cmluZyBBTUFaT05cbiAgICAgKiBQcm9maWxlIENyZWRlbnRpYWxzIC0gUGF0Y2hlZFNoYXJlZEluaUZpbGVDcmVkZW50aWFscyB3aXRoIGltcGxpY2l0IHByb2ZpbGUsIGNyZWRlbnRpYWxzIGZpbGUsIGh0dHAgb3B0aW9ucywgYW5kIHRva2VuIGZuXG4gICAgICogICAgU1NPIHdpdGggaW1wbGljaXQgcHJvZmlsZSBvbmx5XG4gICAgICogICAgU2hhcmVkSW5pRmlsZUNyZWRlbnRpYWxzIHdpdGggaW1wbGljaXQgcHJvZmlsZSBhbmQgcHJlZmVyU3RhdGljQ3JlZGVudGlhbHMgdHJ1ZSAocHJvZmlsZSB3aXRoIHNvdXJjZV9wcm9maWxlKVxuICAgICAqICAgIFNoYXJlZCBDcmVkZW50aWFsIGZpbGUgdGhhdCBwb2ludHMgdG8gRW52aXJvbm1lbnQgQ3JlZGVudGlhbHMgd2l0aCBBV1MgcHJlZml4XG4gICAgICogICAgU2hhcmVkIENyZWRlbnRpYWwgZmlsZSB0aGF0IHBvaW50cyB0byBFQzIgTWV0YWRhdGFcbiAgICAgKiAgICBTaGFyZWQgQ3JlZGVudGlhbCBmaWxlIHRoYXQgcG9pbnRzIHRvIEVDUyBDcmVkZW50aWFsc1xuICAgICAqIFNTTyBDcmVkZW50aWFscyAtIFNzb0NyZWRlbnRpYWxzIHdpdGggaW1wbGljaXQgcHJvZmlsZSBhbmQgaHR0cCBvcHRpb25zXG4gICAgICogUHJvY2Vzc0NyZWRlbnRpYWxzIHdpdGggaW1wbGljaXQgcHJvZmlsZVxuICAgICAqIEVDUyBDcmVkZW50aWFscyAtIEVDU0NyZWRlbnRpYWxzIHdpdGggbm8gaW5wdXQgT1IgV2ViIElkZW50aXR5IC0gVG9rZW5GaWxlV2ViSWRlbnRpdHlDcmVkZW50aWFscyB3aXRoIG5vIGlucHV0IE9SIEVDMiBNZXRhZGF0YSAtIEVDMk1ldGFkYXRhQ3JlZGVudGlhbHMgd2l0aCBubyBpbnB1dFxuICAgICAqXG4gICAgICogVGhlc2UgdHJhbnNsYXRlIHRvOlxuICAgICAqIGZyb21FbnYoKVxuICAgICAqIGZyb21TU08oKS9mcm9tSW5pKClcbiAgICAgKiBmcm9tUHJvY2VzcygpXG4gICAgICogZnJvbUNvbnRhaW5lck1ldGFkYXRhKClcbiAgICAgKiBmcm9tVG9rZW5GaWxlKClcbiAgICAgKiBmcm9tSW5zdGFuY2VNZXRhZGF0YSgpXG4gICAgICpcbiAgICAgKiBUaGUgTm9kZVByb3ZpZGVyQ2hhaW4gaXMgYWxyZWFkeSBjYWNoZWQuXG4gICAgICovXG4gICAgY29uc3Qgbm9kZVByb3ZpZGVyQ2hhaW4gPSBmcm9tTm9kZVByb3ZpZGVyQ2hhaW4oe1xuICAgICAgcHJvZmlsZTogZW52UHJvZmlsZSxcbiAgICAgIGNsaWVudENvbmZpZyxcbiAgICAgIHBhcmVudENsaWVudENvbmZpZyxcbiAgICAgIGxvZ2dlcjogb3B0aW9ucy5sb2dnZXIsXG4gICAgICBtZmFDb2RlUHJvdmlkZXI6IHRoaXMudG9rZW5Db2RlRm4uYmluZCh0aGlzKSxcbiAgICAgIGlnbm9yZUNhY2hlOiB0cnVlLFxuICAgIH0pO1xuXG4gICAgcmV0dXJuIHNob3VsZFByaW9yaXRpemVFbnYoKVxuICAgICAgPyBjcmVhdGVDcmVkZW50aWFsQ2hhaW4oZnJvbUVudigpLCBub2RlUHJvdmlkZXJDaGFpbikuZXhwaXJlQWZ0ZXIoNjAgKiA2MF8wMDApXG4gICAgICA6IG5vZGVQcm92aWRlckNoYWluO1xuICB9XG5cbiAgLyoqXG4gICAqIEF0dGVtcHRzIHRvIGdldCB0aGUgcmVnaW9uIGZyb20gYSBudW1iZXIgb2Ygc291cmNlcyBhbmQgZmFsbHMgYmFjayB0byB1cy1lYXN0LTEgaWYgbm8gcmVnaW9uIGNhbiBiZSBmb3VuZCxcbiAgICogYXMgaXMgZG9uZSBpbiB0aGUgQVdTIENMSS5cbiAgICpcbiAgICogVGhlIG9yZGVyIG9mIHByaW9yaXR5IGlzIHRoZSBmb2xsb3dpbmc6XG4gICAqXG4gICAqIDEuIEVudmlyb25tZW50IHZhcmlhYmxlcyBzcGVjaWZ5aW5nIHJlZ2lvbiwgd2l0aCBib3RoIGFuIEFXUyBwcmVmaXggYW5kIEFNQVpPTiBwcmVmaXhcbiAgICogICAgdG8gbWFpbnRhaW4gYmFja3dhcmRzIGNvbXBhdGliaWxpdHksIGFuZCB3aXRob3V0IGBERUZBVUxUYCBpbiB0aGUgbmFtZSBiZWNhdXNlXG4gICAqICAgIExhbWJkYSBhbmQgQ29kZUJ1aWxkIHNldCB0aGUgJEFXU19SRUdJT04gdmFyaWFibGUuXG4gICAqIDIuIFJlZ2lvbnMgbGlzdGVkIGluIHRoZSBTaGFyZWQgSW5pIEZpbGVzIC0gRmlyc3QgY2hlY2tpbmcgZm9yIHRoZSBwcm9maWxlIHByb3ZpZGVkXG4gICAqICAgIGFuZCB0aGVuIGNoZWNraW5nIGZvciB0aGUgZGVmYXVsdCBwcm9maWxlLlxuICAgKiAzLiBJTURTIGluc3RhbmNlIGlkZW50aXR5IHJlZ2lvbiBmcm9tIHRoZSBNZXRhZGF0YSBTZXJ2aWNlLlxuICAgKiA0LiB1cy1lYXN0LTFcbiAgICovXG4gIHB1YmxpYyBhc3luYyByZWdpb24obWF5YmVQcm9maWxlPzogc3RyaW5nKTogUHJvbWlzZTxzdHJpbmc+IHtcbiAgICBjb25zdCBkZWZhdWx0UmVnaW9uID0gJ3VzLWVhc3QtMSc7XG4gICAgY29uc3QgcHJvZmlsZSA9IG1heWJlUHJvZmlsZSB8fCBwcm9jZXNzLmVudi5BV1NfUFJPRklMRSB8fCBwcm9jZXNzLmVudi5BV1NfREVGQVVMVF9QUk9GSUxFIHx8ICdkZWZhdWx0JztcblxuICAgIGNvbnN0IHJlZ2lvbiA9XG4gICAgICBwcm9jZXNzLmVudi5BV1NfUkVHSU9OIHx8XG4gICAgICBwcm9jZXNzLmVudi5BTUFaT05fUkVHSU9OIHx8XG4gICAgICBwcm9jZXNzLmVudi5BV1NfREVGQVVMVF9SRUdJT04gfHxcbiAgICAgIHByb2Nlc3MuZW52LkFNQVpPTl9ERUZBVUxUX1JFR0lPTiB8fFxuICAgICAgKGF3YWl0IHRoaXMuZ2V0UmVnaW9uRnJvbUluaShwcm9maWxlKSkgfHxcbiAgICAgIChhd2FpdCB0aGlzLnJlZ2lvbkZyb21NZXRhZGF0YVNlcnZpY2UoKSk7XG5cbiAgICBpZiAoIXJlZ2lvbikge1xuICAgICAgY29uc3QgdXNlZFByb2ZpbGUgPSAhcHJvZmlsZSA/ICcnIDogYCAocHJvZmlsZTogXCIke3Byb2ZpbGV9XCIpYDtcbiAgICAgIGF3YWl0IHRoaXMuaW9IZWxwZXIubm90aWZ5KElPLkRFRkFVTFRfU0RLX0RFQlVHLm1zZyhcbiAgICAgICAgYFVuYWJsZSB0byBkZXRlcm1pbmUgQVdTIHJlZ2lvbiBmcm9tIGVudmlyb25tZW50IG9yIEFXUyBjb25maWd1cmF0aW9uJHt1c2VkUHJvZmlsZX0sIGRlZmF1bHRpbmcgdG8gJyR7ZGVmYXVsdFJlZ2lvbn0nYCxcbiAgICAgICkpO1xuICAgICAgcmV0dXJuIGRlZmF1bHRSZWdpb247XG4gICAgfVxuXG4gICAgcmV0dXJuIHJlZ2lvbjtcbiAgfVxuXG4gIC8qKlxuICAgKiBUaGUgTWV0YWRhdGFTZXJ2aWNlIGNsYXNzIHdpbGwgYXR0ZW1wdCB0byBmZXRjaCB0aGUgaW5zdGFuY2UgaWRlbnRpdHkgZG9jdW1lbnQgZnJvbVxuICAgKiBJTURTdjIgZmlyc3QsIGFuZCB0aGVuIHdpbGwgYXR0ZW1wdCB2MSBhcyBhIGZhbGxiYWNrLlxuICAgKlxuICAgKiBJZiB0aGlzIGZhaWxzLCB3ZSB3aWxsIHVzZSB1cy1lYXN0LTEgYXMgdGhlIHJlZ2lvbiBzbyBubyBlcnJvciBzaG91bGQgYmUgdGhyb3duLlxuICAgKiBAcmV0dXJucyBUaGUgcmVnaW9uIGZvciB0aGUgaW5zdGFuY2UgaWRlbnRpdHlcbiAgICovXG4gIHByaXZhdGUgYXN5bmMgcmVnaW9uRnJvbU1ldGFkYXRhU2VydmljZSgpIHtcbiAgICBhd2FpdCB0aGlzLmlvSGVscGVyLm5vdGlmeShJTy5ERUZBVUxUX1NES19ERUJVRy5tc2coJ0xvb2tpbmcgdXAgQVdTIHJlZ2lvbiBpbiB0aGUgRUMyIEluc3RhbmNlIE1ldGFkYXRhIFNlcnZpY2UgKElNRFMpLicpKTtcbiAgICB0cnkge1xuICAgICAgY29uc3QgbWV0YWRhdGFTZXJ2aWNlID0gbmV3IE1ldGFkYXRhU2VydmljZSh7XG4gICAgICAgIGh0dHBPcHRpb25zOiB7XG4gICAgICAgICAgdGltZW91dDogMTAwMCxcbiAgICAgICAgfSxcbiAgICAgIH0pO1xuXG4gICAgICBhd2FpdCBtZXRhZGF0YVNlcnZpY2UuZmV0Y2hNZXRhZGF0YVRva2VuKCk7XG4gICAgICBjb25zdCBkb2N1bWVudCA9IGF3YWl0IG1ldGFkYXRhU2VydmljZS5yZXF1ZXN0KCcvbGF0ZXN0L2R5bmFtaWMvaW5zdGFuY2UtaWRlbnRpdHkvZG9jdW1lbnQnLCB7fSk7XG4gICAgICByZXR1cm4gSlNPTi5wYXJzZShkb2N1bWVudCkucmVnaW9uO1xuICAgIH0gY2F0Y2ggKGUpIHtcbiAgICAgIGF3YWl0IHRoaXMuaW9IZWxwZXIubm90aWZ5KElPLkRFRkFVTFRfU0RLX0RFQlVHLm1zZyhgVW5hYmxlIHRvIHJldHJpZXZlIEFXUyByZWdpb24gZnJvbSBJTURTOiAke2V9YCkpO1xuICAgIH1cbiAgfVxuXG4gIC8qKlxuICAgKiBMb29rcyB1cCB0aGUgcmVnaW9uIG9mIHRoZSBwcm92aWRlZCBwcm9maWxlLiBJZiBubyByZWdpb24gaXMgcHJlc2VudCxcbiAgICogaXQgd2lsbCBhdHRlbXB0IHRvIGxvb2t1cCB0aGUgZGVmYXVsdCByZWdpb24uXG4gICAqIEBwYXJhbSBwcm9maWxlIFRoZSBwcm9maWxlIHRvIHVzZSB0byBsb29rdXAgdGhlIHJlZ2lvblxuICAgKiBAcmV0dXJucyBUaGUgcmVnaW9uIGZvciB0aGUgcHJvZmlsZSBvciBkZWZhdWx0IHByb2ZpbGUsIGlmIHByZXNlbnQuIE90aGVyd2lzZSByZXR1cm5zIHVuZGVmaW5lZC5cbiAgICovXG4gIHByaXZhdGUgYXN5bmMgZ2V0UmVnaW9uRnJvbUluaShwcm9maWxlOiBzdHJpbmcpOiBQcm9taXNlPHN0cmluZyB8IHVuZGVmaW5lZD4ge1xuICAgIGNvbnN0IHNoYXJlZEZpbGVzID0gYXdhaXQgbG9hZFNoYXJlZENvbmZpZ0ZpbGVzKHsgaWdub3JlQ2FjaGU6IHRydWUgfSk7XG5cbiAgICAvLyBQcmlvcml0eTpcbiAgICAvL1xuICAgIC8vIGNyZWRlbnRpYWxzIGNvbWUgYmVmb3JlIGNvbmZpZyBiZWNhdXNlIGF3cy1jbGkgdjEgYmVoYXZlcyBsaWtlIHRoYXQuXG4gICAgLy9cbiAgICAvLyAxLiBwcm9maWxlLXJlZ2lvbi1pbi1jcmVkZW50aWFsc1xuICAgIC8vIDIuIHByb2ZpbGUtcmVnaW9uLWluLWNvbmZpZ1xuICAgIC8vIDMuIGRlZmF1bHQtcmVnaW9uLWluLWNyZWRlbnRpYWxzXG4gICAgLy8gNC4gZGVmYXVsdC1yZWdpb24taW4tY29uZmlnXG5cbiAgICByZXR1cm4gdGhpcy5nZXRSZWdpb25Gcm9tSW5pRmlsZShwcm9maWxlLCBzaGFyZWRGaWxlcy5jcmVkZW50aWFsc0ZpbGUpXG4gICAgPz8gdGhpcy5nZXRSZWdpb25Gcm9tSW5pRmlsZShwcm9maWxlLCBzaGFyZWRGaWxlcy5jb25maWdGaWxlKVxuICAgID8/IHRoaXMuZ2V0UmVnaW9uRnJvbUluaUZpbGUoJ2RlZmF1bHQnLCBzaGFyZWRGaWxlcy5jcmVkZW50aWFsc0ZpbGUpXG4gICAgPz8gdGhpcy5nZXRSZWdpb25Gcm9tSW5pRmlsZSgnZGVmYXVsdCcsIHNoYXJlZEZpbGVzLmNvbmZpZ0ZpbGUpO1xuICB9XG5cbiAgcHJpdmF0ZSBnZXRSZWdpb25Gcm9tSW5pRmlsZShwcm9maWxlOiBzdHJpbmcsIGRhdGE/OiBhbnkpIHtcbiAgICByZXR1cm4gZGF0YT8uW3Byb2ZpbGVdPy5yZWdpb247XG4gIH1cblxuICAvKipcbiAgICogQXNrIHVzZXIgZm9yIE1GQSB0b2tlbiBmb3IgZ2l2ZW4gc2VyaWFsXG4gICAqXG4gICAqIFJlc3VsdCBpcyBzZW5kIHRvIGNhbGxiYWNrIGZ1bmN0aW9uIGZvciBTREsgdG8gYXV0aG9yaXplIHRoZSByZXF1ZXN0XG4gICAqL1xuICBwcml2YXRlIGFzeW5jIHRva2VuQ29kZUZuKHNlcmlhbEFybjogc3RyaW5nKTogUHJvbWlzZTxzdHJpbmc+IHtcbiAgICBjb25zdCBkZWJ1Z0ZuID0gKG1zZzogc3RyaW5nLCAuLi5hcmdzOiBhbnlbXSkgPT4gdGhpcy5pb0hlbHBlci5ub3RpZnkoSU8uREVGQVVMVF9TREtfREVCVUcubXNnKGZvcm1hdChtc2csIC4uLmFyZ3MpKSk7XG4gICAgYXdhaXQgZGVidWdGbignUmVxdWlyZSBNRkEgdG9rZW4gZm9yIHNlcmlhbCBBUk4nLCBzZXJpYWxBcm4pO1xuICAgIHRyeSB7XG4gICAgICBjb25zdCB0b2tlbjogc3RyaW5nID0gYXdhaXQgcHJvbXB0bHkucHJvbXB0KGBNRkEgdG9rZW4gZm9yICR7c2VyaWFsQXJufTogYCwge1xuICAgICAgICB0cmltOiB0cnVlLFxuICAgICAgICBkZWZhdWx0OiAnJyxcbiAgICAgIH0pO1xuICAgICAgYXdhaXQgZGVidWdGbignU3VjY2Vzc2Z1bGx5IGdvdCBNRkEgdG9rZW4gZnJvbSB1c2VyJyk7XG4gICAgICByZXR1cm4gdG9rZW47XG4gICAgfSBjYXRjaCAoZXJyOiBhbnkpIHtcbiAgICAgIGF3YWl0IGRlYnVnRm4oJ0ZhaWxlZCB0byBnZXQgTUZBIHRva2VuJywgZXJyKTtcbiAgICAgIGNvbnN0IGUgPSBuZXcgQXV0aGVudGljYXRpb25FcnJvcihgRXJyb3IgZmV0Y2hpbmcgTUZBIHRva2VuOiAke2Vyci5tZXNzYWdlID8/IGVycn1gKTtcbiAgICAgIGUubmFtZSA9ICdTaGFyZWRJbmlGaWxlQ3JlZGVudGlhbHNQcm92aWRlckZhaWx1cmUnO1xuICAgICAgdGhyb3cgZTtcbiAgICB9XG4gIH1cbn1cblxuLyoqXG4gKiBXZSB1c2VkIHRvIHN1cHBvcnQgYm90aCBBV1MgYW5kIEFNQVpPTiBwcmVmaXhlcyBmb3IgdGhlc2UgZW52aXJvbm1lbnQgdmFyaWFibGVzLlxuICpcbiAqIEFkZGluZyB0aGlzIGZvciBiYWNrd2FyZCBjb21wYXRpYmlsaXR5LlxuICovXG5mdW5jdGlvbiBzaG91bGRQcmlvcml0aXplRW52KCkge1xuICBjb25zdCBpZCA9IHByb2Nlc3MuZW52LkFXU19BQ0NFU1NfS0VZX0lEIHx8IHByb2Nlc3MuZW52LkFNQVpPTl9BQ0NFU1NfS0VZX0lEO1xuICBjb25zdCBrZXkgPSBwcm9jZXNzLmVudi5BV1NfU0VDUkVUX0FDQ0VTU19LRVkgfHwgcHJvY2Vzcy5lbnYuQU1BWk9OX1NFQ1JFVF9BQ0NFU1NfS0VZO1xuXG4gIGlmICghIWlkICYmICEha2V5KSB7XG4gICAgcHJvY2Vzcy5lbnYuQVdTX0FDQ0VTU19LRVlfSUQgPSBpZDtcbiAgICBwcm9jZXNzLmVudi5BV1NfU0VDUkVUX0FDQ0VTU19LRVkgPSBrZXk7XG5cbiAgICBjb25zdCBzZXNzaW9uVG9rZW4gPSBwcm9jZXNzLmVudi5BV1NfU0VTU0lPTl9UT0tFTiA/PyBwcm9jZXNzLmVudi5BTUFaT05fU0VTU0lPTl9UT0tFTjtcbiAgICBpZiAoc2Vzc2lvblRva2VuKSB7XG4gICAgICBwcm9jZXNzLmVudi5BV1NfU0VTU0lPTl9UT0tFTiA9IHNlc3Npb25Ub2tlbjtcbiAgICB9XG5cbiAgICByZXR1cm4gdHJ1ZTtcbiAgfVxuXG4gIHJldHVybiBmYWxzZTtcbn1cblxuZXhwb3J0IGludGVyZmFjZSBDcmVkZW50aWFsQ2hhaW5PcHRpb25zIHtcbiAgcmVhZG9ubHkgcHJvZmlsZT86IHN0cmluZztcbiAgcmVhZG9ubHkgbG9nZ2VyPzogTG9nZ2VyO1xufVxuXG5leHBvcnQgYXN5bmMgZnVuY3Rpb24gbWFrZVJlcXVlc3RIYW5kbGVyKGlvSGVscGVyOiBJb0hlbHBlciwgb3B0aW9uczogU2RrSHR0cE9wdGlvbnMgPSB7fSk6IFByb21pc2U8Tm9kZUh0dHBIYW5kbGVyT3B0aW9ucz4ge1xuICBjb25zdCBhZ2VudCA9IGF3YWl0IG5ldyBQcm94eUFnZW50UHJvdmlkZXIoaW9IZWxwZXIpLmNyZWF0ZShvcHRpb25zKTtcblxuICByZXR1cm4ge1xuICAgIGNvbm5lY3Rpb25UaW1lb3V0OiBERUZBVUxUX0NPTk5FQ1RJT05fVElNRU9VVCxcbiAgICByZXF1ZXN0VGltZW91dDogREVGQVVMVF9USU1FT1VULFxuICAgIGh0dHBzQWdlbnQ6IGFnZW50LFxuICAgIGh0dHBBZ2VudDogYWdlbnQsXG4gIH07XG59XG4iXX0=

package/lib/api/aws-auth/cached.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Cache the result of a function on an object
+ *
+ * We could have used @decorators to make this nicer but we don't use them anywhere yet,
+ * so let's keep it simple and readable.
+ */
+export declare function cached<A extends object, B>(obj: A, sym: symbol, fn: () => B): B;
+/**
+ * Like 'cached', but async
+ */
+export declare function cachedAsync<A extends object, B>(obj: A, sym: symbol, fn: () => Promise<B>): Promise<B>;

package/lib/api/aws-auth/cached.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cached = cached;
+exports.cachedAsync = cachedAsync;
+/**
+ * Cache the result of a function on an object
+ *
+ * We could have used @decorators to make this nicer but we don't use them anywhere yet,
+ * so let's keep it simple and readable.
+ */
+function cached(obj, sym, fn) {
+    if (!(sym in obj)) {
+        obj[sym] = fn();
+    }
+    return obj[sym];
+}
+/**
+ * Like 'cached', but async
+ */
+async function cachedAsync(obj, sym, fn) {
+    if (!(sym in obj)) {
+        obj[sym] = await fn();
+    }
+    return obj[sym];
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2FjaGVkLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiY2FjaGVkLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBTUEsd0JBS0M7QUFLRCxrQ0FLQztBQXJCRDs7Ozs7R0FLRztBQUNILFNBQWdCLE1BQU0sQ0FBc0IsR0FBTSxFQUFFLEdBQVcsRUFBRSxFQUFXO0lBQzFFLElBQUksQ0FBQyxDQUFDLEdBQUcsSUFBSSxHQUFHLENBQUMsRUFBRSxDQUFDO1FBQ2pCLEdBQVcsQ0FBQyxHQUFHLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQztJQUMzQixDQUFDO0lBQ0QsT0FBUSxHQUFXLENBQUMsR0FBRyxDQUFDLENBQUM7QUFDM0IsQ0FBQztBQUVEOztHQUVHO0FBQ0ksS0FBSyxVQUFVLFdBQVcsQ0FBc0IsR0FBTSxFQUFFLEdBQVcsRUFBRSxFQUFvQjtJQUM5RixJQUFJLENBQUMsQ0FBQyxHQUFHLElBQUksR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUNqQixHQUFXLENBQUMsR0FBRyxDQUFDLEdBQUcsTUFBTSxFQUFFLEVBQUUsQ0FBQztJQUNqQyxDQUFDO0lBQ0QsT0FBUSxHQUFXLENBQUMsR0FBRyxDQUFDLENBQUM7QUFDM0IsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbIi8qKlxuICogQ2FjaGUgdGhlIHJlc3VsdCBvZiBhIGZ1bmN0aW9uIG9uIGFuIG9iamVjdFxuICpcbiAqIFdlIGNvdWxkIGhhdmUgdXNlZCBAZGVjb3JhdG9ycyB0byBtYWtlIHRoaXMgbmljZXIgYnV0IHdlIGRvbid0IHVzZSB0aGVtIGFueXdoZXJlIHlldCxcbiAqIHNvIGxldCdzIGtlZXAgaXQgc2ltcGxlIGFuZCByZWFkYWJsZS5cbiAqL1xuZXhwb3J0IGZ1bmN0aW9uIGNhY2hlZDxBIGV4dGVuZHMgb2JqZWN0LCBCPihvYmo6IEEsIHN5bTogc3ltYm9sLCBmbjogKCkgPT4gQik6IEIge1xuICBpZiAoIShzeW0gaW4gb2JqKSkge1xuICAgIChvYmogYXMgYW55KVtzeW1dID0gZm4oKTtcbiAgfVxuICByZXR1cm4gKG9iaiBhcyBhbnkpW3N5bV07XG59XG5cbi8qKlxuICogTGlrZSAnY2FjaGVkJywgYnV0IGFzeW5jXG4gKi9cbmV4cG9ydCBhc3luYyBmdW5jdGlvbiBjYWNoZWRBc3luYzxBIGV4dGVuZHMgb2JqZWN0LCBCPihvYmo6IEEsIHN5bTogc3ltYm9sLCBmbjogKCkgPT4gUHJvbWlzZTxCPik6IFByb21pc2U8Qj4ge1xuICBpZiAoIShzeW0gaW4gb2JqKSkge1xuICAgIChvYmogYXMgYW55KVtzeW1dID0gYXdhaXQgZm4oKTtcbiAgfVxuICByZXR1cm4gKG9iaiBhcyBhbnkpW3N5bV07XG59XG4iXX0=

package/lib/api/aws-auth/credential-plugins.d.ts

@@ -0,0 +1,38 @@
+import type { AwsCredentialIdentityProvider } from '@smithy/types';
+import { type IoHelper } from '../io/private';
+import type { PluginHost } from '../plugin';
+import type { Mode } from '../plugin/mode';
+/**
+ * Cache for credential providers.
+ *
+ * Given an account and an operating mode (read or write) will return an
+ * appropriate credential provider for credentials for the given account. The
+ * credential provider will be cached so that multiple AWS clients for the same
+ * environment will not make multiple network calls to obtain credentials.
+ *
+ * Will use default credentials if they are for the right account; otherwise,
+ * all loaded credential provider plugins will be tried to obtain credentials
+ * for the given account.
+ */
+export declare class CredentialPlugins {
+    private readonly host;
+    private readonly ioHelper;
+    private readonly cache;
+    constructor(host: PluginHost, ioHelper: IoHelper);
+    fetchCredentialsFor(awsAccountId: string, mode: Mode): Promise<PluginCredentialsFetchResult | undefined>;
+    get availablePluginNames(): string[];
+    private lookupCredentials;
+}
+/**
+ * Result from trying to fetch credentials from the Plugin host
+ */
+export interface PluginCredentialsFetchResult {
+    /**
+     * SDK-v3 compatible credential provider
+     */
+    readonly credentials: AwsCredentialIdentityProvider;
+    /**
+     * Name of plugin that successfully provided credentials
+     */
+    readonly pluginName: string;
+}