npm - @cdk8s/awscdk-resolver - Versions diffs - 0.0.42 → 0.0.44 - Mend

@cdk8s/awscdk-resolver 0.0.42 → 0.0.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (204) hide show

package/node_modules/@aws-sdk/core/src/httpAuthSchemes/aws-sdk/resolveAWSSDKSigV4Config.ts ADDED Viewed

@@ -0,0 +1,216 @@
+import {
+  doesIdentityRequireRefresh,
+  isIdentityExpired,
+  memoizeIdentityProvider,
+  normalizeProvider,
+} from "@smithy/core";
+import { SignatureV4, SignatureV4CryptoInit, SignatureV4Init } from "@smithy/signature-v4";
+import {
+  AuthScheme,
+  AwsCredentialIdentity,
+  AwsCredentialIdentityProvider,
+  ChecksumConstructor,
+  HashConstructor,
+  MemoizedProvider,
+  Provider,
+  RegionInfo,
+  RegionInfoProvider,
+  RequestSigner,
+} from "@smithy/types";
+/**
+ * @internal
+ */
+export interface AWSSDKSigV4AuthInputConfig {
+  /**
+   * The credentials used to sign requests.
+   */
+  credentials?: AwsCredentialIdentity | AwsCredentialIdentityProvider;
+  /**
+   * The signer to use when signing requests.
+   */
+  signer?: RequestSigner | ((authScheme?: AuthScheme) => Promise<RequestSigner>);
+  /**
+   * Whether to escape request path when signing the request.
+   */
+  signingEscapePath?: boolean;
+  /**
+   * An offset value in milliseconds to apply to all signing times.
+   */
+  systemClockOffset?: number;
+  /**
+   * The region where you want to sign your request against. This
+   * can be different to the region in the endpoint.
+   */
+  signingRegion?: string;
+  /**
+   * The injectable SigV4-compatible signer class constructor. If not supplied,
+   * regular SignatureV4 constructor will be used.
+   *
+   * @internal
+   */
+  signerConstructor?: new (options: SignatureV4Init & SignatureV4CryptoInit) => RequestSigner;
+}
+/**
+ * @internal
+ */
+export interface AWSSDKSigV4PreviouslyResolved {
+  credentialDefaultProvider?: (input: any) => MemoizedProvider<AwsCredentialIdentity>;
+  region: string | Provider<string>;
+  sha256: ChecksumConstructor | HashConstructor;
+  signingName?: string;
+  regionInfoProvider?: RegionInfoProvider;
+  defaultSigningName?: string;
+  serviceId: string;
+  useFipsEndpoint: Provider<boolean>;
+  useDualstackEndpoint: Provider<boolean>;
+}
+/**
+ * @internal
+ */
+export interface AWSSDKSigV4AuthResolvedConfig {
+  /**
+   * Resolved value for input config {@link AWSSDKSigV4AuthInputConfig.credentials}
+   * This provider MAY memoize the loaded credentials for certain period.
+   * See {@link MemoizedProvider} for more information.
+   */
+  credentials: AwsCredentialIdentityProvider;
+  /**
+   * Resolved value for input config {@link AWSSDKSigV4AuthInputConfig.signer}
+   */
+  signer: (authScheme?: AuthScheme) => Promise<RequestSigner>;
+  /**
+   * Resolved value for input config {@link AWSSDKSigV4AuthInputConfig.signingEscapePath}
+   */
+  signingEscapePath: boolean;
+  /**
+   * Resolved value for input config {@link AWSSDKSigV4AuthInputConfig.systemClockOffset}
+   */
+  systemClockOffset: number;
+}
+/**
+ * @internal
+ */
+export const resolveAWSSDKSigV4Config = <T>(
+  config: T & AWSSDKSigV4AuthInputConfig & AWSSDKSigV4PreviouslyResolved
+): T & AWSSDKSigV4AuthResolvedConfig => {
+  // Normalize credentials
+  let normalizedCreds: AwsCredentialIdentityProvider | undefined;
+  if (config.credentials) {
+    normalizedCreds = memoizeIdentityProvider(config.credentials, isIdentityExpired, doesIdentityRequireRefresh);
+  }
+  if (!normalizedCreds) {
+    // credentialDefaultProvider should always be populated, but in case
+    // it isn't, set a default identity provider that throws an error
+    if (config.credentialDefaultProvider) {
+      normalizedCreds = normalizeProvider(config.credentialDefaultProvider(config as any));
+    } else {
+      normalizedCreds = async () => { throw new Error("`credentials` is missing") };
+    }
+  }
+  // Populate sigv4 arguments
+  const {
+    // Default for signingEscapePath
+    signingEscapePath = true,
+    // Default for systemClockOffset
+    systemClockOffset = config.systemClockOffset || 0,
+    // No default for sha256 since it is platform dependent
+    sha256,
+  } = config;
+  // Resolve signer
+  let signer: (authScheme?: AuthScheme) => Promise<RequestSigner>;
+  if (config.signer) {
+    // if signer is supplied by user, normalize it to a function returning a promise for signer.
+    signer = normalizeProvider(config.signer);
+  } else if (config.regionInfoProvider) {
+    // This branch is for endpoints V1.
+    // construct a provider inferring signing from region.
+    signer = () =>
+      normalizeProvider(config.region)()
+        .then(
+          async (region) =>
+            [
+              (await config.regionInfoProvider!(region, {
+                useFipsEndpoint: await config.useFipsEndpoint(),
+                useDualstackEndpoint: await config.useDualstackEndpoint(),
+              })) || {},
+              region,
+            ] as [RegionInfo, string]
+        )
+        .then(([regionInfo, region]) => {
+          const { signingRegion, signingService } = regionInfo;
+          // update client's singing region and signing service config if they are resolved.
+          // signing region resolving order: user supplied signingRegion -> endpoints.json inferred region -> client region
+          config.signingRegion = config.signingRegion || signingRegion || region;
+          // signing name resolving order:
+          // user supplied signingName -> endpoints.json inferred (credential scope -> model arnNamespace) -> model service id
+          config.signingName = config.signingName || signingService || config.serviceId;
+          const params: SignatureV4Init & SignatureV4CryptoInit = {
+            ...config,
+            credentials: normalizedCreds!,
+            region: config.signingRegion,
+            service: config.signingName,
+            sha256,
+            uriEscapePath: signingEscapePath,
+          };
+          const SignerCtor = config.signerConstructor || SignatureV4;
+          return new SignerCtor(params);
+        });
+  } else {
+    // This branch is for endpoints V2.
+    // Handle endpoints v2 that resolved per-command
+    // TODO: need total refactor for reference auth architecture.
+    signer = async (authScheme?: AuthScheme) => {
+      authScheme = Object.assign(
+        {},
+        {
+          name: "sigv4",
+          signingName: config.signingName || config.defaultSigningName!,
+          signingRegion: await normalizeProvider(config.region)(),
+          properties: {},
+        },
+        authScheme
+      );
+      const signingRegion = authScheme.signingRegion;
+      const signingService = authScheme.signingName;
+      // update client's singing region and signing service config if they are resolved.
+      // signing region resolving order: user supplied signingRegion -> endpoints.json inferred region -> client region
+      config.signingRegion = config.signingRegion || signingRegion;
+      // signing name resolving order:
+      // user supplied signingName -> endpoints.json inferred (credential scope -> model arnNamespace) -> model service id
+      config.signingName = config.signingName || signingService || config.serviceId;
+      const params: SignatureV4Init & SignatureV4CryptoInit = {
+        ...config,
+        credentials: normalizedCreds!,
+        region: config.signingRegion,
+        service: config.signingName,
+        sha256,
+        uriEscapePath: signingEscapePath,
+      };
+      const SignerCtor = config.signerConstructor || SignatureV4;
+      return new SignerCtor(params);
+    };
+  }
+  return {
+    ...config,
+    systemClockOffset,
+    signingEscapePath,
+    credentials: normalizedCreds!,
+    signer,
+  };
+};

package/node_modules/@aws-sdk/core/src/httpAuthSchemes/aws-sdk/throwAWSSDKSigningPropertyError.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * @internal
+ */
+export const throwAWSSDKSigningPropertyError = <T>(name: string, property: T | undefined): T | never => {
+  if (!property) {
+    throw new Error(`Property \`${name}\` is not resolved for AWS SDK SigV4Auth`);
+  }
+  return property;
+};

package/node_modules/@aws-sdk/core/src/httpAuthSchemes/index.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export * from "./aws-sdk";

package/node_modules/@aws-sdk/core/src/httpAuthSchemes/utils/getDateHeader.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { HttpResponse } from "@smithy/protocol-http";
+/**
+ * @internal
+ */
+export const getDateHeader = (response: unknown): string | undefined =>
+  HttpResponse.isInstance(response) ? response.headers?.date ?? response.headers?.Date : undefined;

package/node_modules/@aws-sdk/core/src/httpAuthSchemes/utils/getSkewCorrectedDate.spec.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { getSkewCorrectedDate } from "./getSkewCorrectedDate";
+describe(getSkewCorrectedDate.name, () => {
+  const mockDateNow = Date.now();
+  beforeEach(() => {
+    jest.spyOn(Date, "now").mockReturnValue(mockDateNow);
+  });
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+  it.each([-100000, -100, 0, 100, 100000])("systemClockOffset: %d", (systemClockOffset) => {
+    expect(getSkewCorrectedDate(systemClockOffset)).toStrictEqual(new Date(mockDateNow + systemClockOffset));
+  });
+});

package/node_modules/@aws-sdk/core/src/httpAuthSchemes/utils/getSkewCorrectedDate.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * @internal
+ *
+ * Returns a date that is corrected for clock skew.
+ *
+ * @param systemClockOffset The offset of the system clock in milliseconds.
+ */
+export const getSkewCorrectedDate = (systemClockOffset: number) => new Date(Date.now() + systemClockOffset);

package/node_modules/@aws-sdk/core/src/httpAuthSchemes/utils/getUpdatedSystemClockOffset.spec.ts ADDED Viewed

@@ -0,0 +1,37 @@
+import { getUpdatedSystemClockOffset } from "./getUpdatedSystemClockOffset";
+import { isClockSkewed } from "./isClockSkewed";
+jest.mock("./isClockSkewed");
+describe(getUpdatedSystemClockOffset.name, () => {
+  // Mock ServerTime is accurate to last second, to remove milliseconds information.
+  const mockClockTime = new Date(Math.floor(Date.now() / 1000) * 1000);
+  const mockSystemClockOffset = 100;
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+  it("returns passed systemClockOffset when clock is not skewed", () => {
+    (isClockSkewed as jest.Mock).mockReturnValue(false);
+    expect(getUpdatedSystemClockOffset(mockClockTime.toString(), mockSystemClockOffset)).toEqual(mockSystemClockOffset);
+  });
+  describe("returns difference between serverTime and current time when clock is skewed", () => {
+    const dateDotNowFn = Date.now;
+    beforeEach(() => {
+      (isClockSkewed as jest.Mock).mockReturnValue(true);
+      jest.spyOn(Date, "now").mockReturnValueOnce(mockClockTime.getTime());
+    });
+    afterEach(() => {
+      Date.now = dateDotNowFn;
+    });
+    it.each([1000, 100000])("difference: %d", (difference) => {
+      const updatedClockTime = new Date(mockClockTime.getTime() + difference);
+      expect(getUpdatedSystemClockOffset(updatedClockTime.toString(), mockSystemClockOffset)).toEqual(difference);
+    });
+  });
+});

package/node_modules/@aws-sdk/core/src/httpAuthSchemes/utils/getUpdatedSystemClockOffset.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { isClockSkewed } from "./isClockSkewed";
+/**
+ * @internal
+ *
+ * If clock is skewed, it returns the difference between serverTime and current time.
+ * If clock is not skewed, it returns currentSystemClockOffset.
+ *
+ * @param clockTime The string value of the server time.
+ * @param currentSystemClockOffset The current system clock offset.
+ */
+export const getUpdatedSystemClockOffset = (clockTime: string, currentSystemClockOffset: number): number => {
+  const clockTimeInMs = Date.parse(clockTime);
+  if (isClockSkewed(clockTimeInMs, currentSystemClockOffset)) {
+    return clockTimeInMs - Date.now();
+  }
+  return currentSystemClockOffset;
+};

package/node_modules/@aws-sdk/core/src/httpAuthSchemes/utils/index.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export * from "./getDateHeader";
+export * from "./getSkewCorrectedDate";
+export * from "./getUpdatedSystemClockOffset";

package/node_modules/@aws-sdk/core/src/httpAuthSchemes/utils/isClockSkewed.spec.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { getSkewCorrectedDate } from "./getSkewCorrectedDate";
+import { isClockSkewed } from "./isClockSkewed";
+jest.mock("./getSkewCorrectedDate");
+describe(isClockSkewed.name, () => {
+  const mockSystemClockOffset = 100;
+  const mockSkewCorrectedDate = new Date();
+  beforeEach(() => {
+    (getSkewCorrectedDate as jest.Mock).mockReturnValue(mockSkewCorrectedDate);
+  });
+  afterEach(() => {
+    expect(getSkewCorrectedDate).toHaveBeenCalledWith(mockSystemClockOffset);
+    jest.clearAllMocks();
+  });
+  describe("returns true for time difference >=300000", () => {
+    it.each([300000, 500000])("difference: %d", (difference) => {
+      expect(isClockSkewed(mockSkewCorrectedDate.getTime() + difference, mockSystemClockOffset)).toBe(true);
+      expect(isClockSkewed(mockSkewCorrectedDate.getTime() - difference, mockSystemClockOffset)).toBe(true);
+    });
+  });
+  describe("returns false for time difference <300000", () => {
+    it.each([299999, 100000, 0])("difference: %d", (difference) => {
+      expect(isClockSkewed(mockSkewCorrectedDate.getTime() + difference, mockSystemClockOffset)).toBe(false);
+      expect(isClockSkewed(mockSkewCorrectedDate.getTime() - difference, mockSystemClockOffset)).toBe(false);
+    });
+  });
+});

package/node_modules/@aws-sdk/core/src/httpAuthSchemes/utils/isClockSkewed.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { getSkewCorrectedDate } from "./getSkewCorrectedDate";
+/**
+ * @internal
+ *
+ * Checks if the provided date is within the skew window of 300000ms.
+ *
+ * @param clockTime - The time to check for skew in milliseconds.
+ * @param systemClockOffset - The offset of the system clock in milliseconds.
+ */
+export const isClockSkewed = (clockTime: number, systemClockOffset: number) =>
+  Math.abs(getSkewCorrectedDate(systemClockOffset).getTime() - clockTime) >= 300000;

package/node_modules/@aws-sdk/core/src/index.ts CHANGED Viewed

@@ -1,2 +1,3 @@
 export * from "./client/index";
+export * from "./httpAuthSchemes/index";
 export * from "./protocols/index";