@distilled.cloud/aws 0.2.0-alpha → 0.2.3

package/src/credentials.ts

@@ -7,23 +7,19 @@ import {
   fromProcess as _fromProcess,
   fromTokenFile as _fromTokenFile,
 } from "@aws-sdk/credential-providers";
-import * as ini from "@smithy/shared-ini-file-loader";
+
 import {
   type AwsCredentialIdentity,
   type AwsCredentialIdentityProvider,
 } from "@smithy/types";
-import * as Console from "effect/Console";
 import * as Data from "effect/Data";
 import * as Effect from "effect/Effect";
-import * as FileSystem from "effect/FileSystem";
 import * as Layer from "effect/Layer";
-import * as Option from "effect/Option";
+import type { PlatformError } from "effect/PlatformError";
 import * as Redacted from "effect/Redacted";
 import * as ServiceMap from "effect/ServiceMap";
-import * as HttpClient from "effect/unstable/http/HttpClient";
-import { createHash } from "node:crypto";
-import * as path from "node:path";
-import { parseIni, parseSSOSessionData } from "./util/parse-ini.ts";
+import type { HttpClientError } from "effect/unstable/http/HttpClientError";
+import { Auth } from "./auth.ts";
 export * as AWSTypes from "@aws-sdk/types";
 
 export interface AwsCredentials {
@@ -32,31 +28,61 @@ export interface AwsCredentials {
   readonly sessionToken?: string;
 }
 
+/**
+ * Resolved credential values ready for request signing.
+ */
+export interface ResolvedCredentials {
+  readonly accessKeyId: Redacted.Redacted<string>;
+  readonly secretAccessKey: Redacted.Redacted<string>;
+  readonly sessionToken: Redacted.Redacted<string> | undefined;
+  readonly expiration?: number;
+}
+
+/**
+ * The requirements for resolving credentials (HttpClient for SSO, FileSystem for cache).
+ */
+
+/**
+ * Error types that can occur during credential resolution.
+ */
+export type CredentialsError =
+  | AwsCredentialProviderError
+  | ProfileNotFound
+  | InvalidSSOProfile
+  | InvalidSSOToken
+  | ExpiredSSOToken
+  | ConflictingSSORegion
+  | ConflictingSSOStartUrl
+  | HttpClientError
+  | PlatformError;
+
 export class Credentials extends ServiceMap.Service<
   Credentials,
-  {
-    accessKeyId: Redacted.Redacted<string>;
-    secretAccessKey: Redacted.Redacted<string>;
-    sessionToken: Redacted.Redacted<string> | undefined;
-    expiration?: number;
-  }
+  Effect.Effect<ResolvedCredentials, CredentialsError>
 >()("AWS::Credentials") {}
 
-export const mock = Layer.succeed(Credentials, {
-  accessKeyId: Redacted.make("test"),
-  secretAccessKey: Redacted.make("test"),
-  sessionToken: Redacted.make("test"),
-});
+export const mock = Layer.succeed(
+  Credentials,
+  Effect.succeed({
+    accessKeyId: Redacted.make("test"),
+    secretAccessKey: Redacted.make("test"),
+    sessionToken: Redacted.make("test"),
+  }),
+);
 
-export const fromAwsCredentialIdentity = (identity: AwsCredentialIdentity) =>
-  Credentials.of({
-    accessKeyId: Redacted.make(identity.accessKeyId),
-    secretAccessKey: Redacted.make(identity.secretAccessKey),
-    sessionToken: identity.sessionToken
-      ? Redacted.make(identity.sessionToken)
-      : undefined,
-    expiration: identity.expiration?.getTime(),
-  });
+/**
+ * Create resolved credentials from an AWS credential identity.
+ */
+export const fromAwsCredentialIdentity = (
+  identity: AwsCredentialIdentity,
+): ResolvedCredentials => ({
+  accessKeyId: Redacted.make(identity.accessKeyId),
+  secretAccessKey: Redacted.make(identity.secretAccessKey),
+  sessionToken: identity.sessionToken
+    ? Redacted.make(identity.sessionToken)
+    : undefined,
+  expiration: identity.expiration?.getTime(),
+});
 
 type ProviderName =
   | "env"
@@ -101,59 +127,96 @@ const providerHints = (
 
 export const _providerHints = providerHints;
 
-const createLayer = (
+/**
+ * Time window (5 mins) to refresh credentials before they actually expire.
+ * This prevents using credentials that are about to expire.
+ */
+const CREDENTIAL_REFRESH_WINDOW_MS = 5 * 60 * 1000;
+
+/**
+ * Create a credentials effect with lazy resolution and expiration-aware caching.
+ * Uses Effect.cachedWithTTL where the TTL is computed from the credentials' expiration.
+ */
+const createCachedCredentialsEffect = <E, R>(
+  resolve: Effect.Effect<ResolvedCredentials, E, R>,
+): Effect.Effect<ResolvedCredentials, E, R> => {
+  let cachedCreds: ResolvedCredentials | undefined;
+  let expiresAt: number | undefined;
+
+  return Effect.suspend(() => {
+    const now = Date.now();
+    if (cachedCreds && expiresAt && now < expiresAt) {
+      return Effect.succeed(cachedCreds);
+    }
+    return Effect.map(resolve, (creds) => {
+      cachedCreds = creds;
+      expiresAt = creds.expiration
+        ? creds.expiration - CREDENTIAL_REFRESH_WINDOW_MS
+        : undefined;
+      return creds;
+    });
+  });
+};
+
+/**
+ * Create a lazy, cached credentials provider from an AWS SDK credential provider.
+ * Credentials are resolved on first access and cached based on their expiration time.
+ */
+const createLazyProvider = (
   provider: (config: {}) => AwsCredentialIdentityProvider,
   providerName: ProviderName,
-) =>
-  Layer.effect(
+): Layer.Layer<Credentials> => {
+  const resolve = Effect.gen(function* () {
+    const hints = providerHints(providerName);
+    const identity = yield* Effect.tryPromise({
+      try: () => provider({})(),
+      catch: (cause) =>
+        new AwsCredentialProviderError({
+          message: `Failed to resolve credentials from ${providerName}.`,
+          provider: providerName,
+          cause,
+          hints,
+        }),
+    });
+    return fromAwsCredentialIdentity(identity);
+  });
+
+  return Layer.succeed(Credentials, createCachedCredentialsEffect(resolve));
+};
+
+/**
+ * Create a credentials provider from static credentials.
+ * No lazy loading or caching needed since credentials are already available.
+ */
+export const fromCredentials = (
+  credentials: AwsCredentialIdentity,
+): Layer.Layer<Credentials> =>
+  Layer.succeed(
     Credentials,
-    Effect.gen(function* () {
-      const hints = providerHints(providerName);
-      const identity = yield* Effect.tryPromise({
-        try: () => provider({})(),
-        catch: (cause) =>
-          new AwsCredentialProviderError({
-            message: `Failed to resolve credentials from ${providerName}.`,
-            provider: providerName,
-            cause,
-            hints,
-          }),
-      });
-      return fromAwsCredentialIdentity(identity);
-    }),
+    Effect.succeed(fromAwsCredentialIdentity(credentials)),
   );
 
-export const fromCredentials = (credentials: AwsCredentialIdentity) =>
-  Layer.succeed(Credentials, fromAwsCredentialIdentity(credentials));
-
-export const fromEnv = () => createLayer(_fromEnv, "env");
+export const fromEnv = () => createLazyProvider(_fromEnv, "env");
 
 export const fromChain = () =>
-  createLayer(() => _fromNodeProviderChain(), "chain");
+  createLazyProvider(() => _fromNodeProviderChain(), "chain");
 
-// export const fromSSO = () => createLayer(_fromSSO);
+// export const fromSSO = () => createLazyProvider(_fromSSO);
 
-export const fromIni = () => createLayer(_fromIni, "ini");
+export const fromIni = () => createLazyProvider(_fromIni, "ini");
 
 export const fromContainerMetadata = () =>
-  createLayer(_fromContainerMetadata, "container");
+  createLazyProvider(_fromContainerMetadata, "container");
 
-export const fromHttp = () => createLayer(_fromHttp, "http");
+export const fromHttp = () => createLazyProvider(_fromHttp, "http");
 
-export const fromProcess = () => createLayer(_fromProcess, "process");
+export const fromProcess = () => createLazyProvider(_fromProcess, "process");
 
-export const fromTokenFile = () => createLayer(_fromTokenFile, "token-file");
+export const fromTokenFile = () =>
+  createLazyProvider(_fromTokenFile, "token-file");
 
 export const ssoRegion = (region: string) => Layer.succeed(SsoRegion, region);
 
-/**
- * The time window (5 mins) that SDK will treat the SSO token expires in before the defined expiration date in token.
- * This is needed because server side may have invalidated the token before the defined expiration date.
- */
-const EXPIRE_WINDOW_MS = 5 * 60 * 1000;
-
-const REFRESH_MESSAGE = `To refresh this SSO session run 'aws sso login' with the corresponding profile.`;
-
 export class SsoRegion extends ServiceMap.Service<SsoRegion, string>()(
   "AWS::SsoRegion",
 ) {}
@@ -161,13 +224,15 @@ export class SsoStartUrl extends ServiceMap.Service<SsoStartUrl, string>()(
   "AWS::SsoStartUrl",
 ) {}
 
-export class ProfileNotFound extends Data.TaggedError("AWS::ProfileNotFound")<{
+export class ProfileNotFound extends Data.TaggedError(
+  "Alchemy::AWS::ProfileNotFound",
+)<{
   message: string;
   profile: string;
 }> {}
 
 export class ConflictingSSORegion extends Data.TaggedError(
-  "AWS::ConflictingSSORegion",
+  "Alchemy::AWS::ConflictingSSORegion",
 )<{
   message: string;
   ssoRegion: string;
@@ -175,7 +240,7 @@ export class ConflictingSSORegion extends Data.TaggedError(
 }> {}
 
 export class ConflictingSSOStartUrl extends Data.TaggedError(
-  "AWS::ConflictingSSOStartUrl",
+  "Alchemy::AWS::ConflictingSSOStartUrl",
 )<{
   message: string;
   ssoStartUrl: string;
@@ -183,19 +248,23 @@ export class ConflictingSSOStartUrl extends Data.TaggedError(
 }> {}
 
 export class InvalidSSOProfile extends Data.TaggedError(
-  "AWS::InvalidSSOProfile",
+  "Alchemy::AWS::InvalidSSOProfile",
 )<{
   message: string;
   profile: string;
   missingFields: string[];
 }> {}
 
-export class InvalidSSOToken extends Data.TaggedError("AWS::InvalidSSOToken")<{
+export class InvalidSSOToken extends Data.TaggedError(
+  "Alchemy::AWS::InvalidSSOToken",
+)<{
   message: string;
   sso_session: string;
 }> {}
 
-export class ExpiredSSOToken extends Data.TaggedError("AWS::ExpiredSSOToken")<{
+export class ExpiredSSOToken extends Data.TaggedError(
+  "Alchemy::AWS::ExpiredSSOToken",
+)<{
   message: string;
   profile: string;
 }> {}
@@ -209,238 +278,17 @@ export class AwsCredentialProviderError extends Data.TaggedError(
   hints?: ReadonlyArray<string>;
 }> {}
 
-export interface AwsProfileConfig {
-  sso_session?: string;
-  sso_account_id?: string;
-  sso_role_name?: string;
-  region?: string;
-  output?: string;
-  sso_start_url?: string;
-  sso_region?: string;
-}
-export interface SsoProfileConfig extends AwsProfileConfig {
-  sso_start_url: string;
-  sso_region: string;
-  sso_account_id: string;
-  sso_role_name: string;
-}
-
 /**
- * Cached SSO token retrieved from SSO login flow.
- * @public
+ * Create a lazy, cached SSO credentials provider.
+ * SSO credential resolution is deferred until the Effect is run,
+ * and credentials are cached until they expire.
  */
-export interface SSOToken {
-  accessToken: string;
-  expiresAt: string;
-  refreshToken?: string;
-  clientId?: string;
-  clientSecret?: string;
-  registrationExpiresAt?: string;
-  region?: string;
-  startUrl?: string;
-}
-
 export const fromSSO = (profileName: string = "default") =>
-  Layer.effect(Credentials, loadSSOCredentials(profileName));
-
-export const loadSSOCredentials = Effect.fn(function* (profileName: string) {
-  const client = yield* HttpClient.HttpClient;
-  const fs = yield* FileSystem.FileSystem;
-  const awsDir = path.join(ini.getHomeDir(), ".aws");
-  const cachePath = path.join(awsDir, "sso", "cache");
-
-  const profile = yield* loadProfile(profileName);
-
-  if (profile.sso_session) {
-    const hasher = createHash("sha1");
-    const cacheName = hasher.update(profile.sso_session).digest("hex");
-    const ssoTokenFilepath = path.join(cachePath, `${cacheName}.json`);
-    const cachedCredsFilePath = path.join(
-      cachePath,
-      `${cacheName}.credentials.json`,
-    );
-
-    const cachedCreds = yield* fs.readFileString(cachedCredsFilePath).pipe(
-      Effect.map((text) => JSON.parse(text)),
-      Effect.catch(() => Effect.void),
-    );
-
-    const isExpired = (expiry: number | string | undefined) => {
-      return (
-        expiry === undefined ||
-        new Date(expiry).getTime() - Date.now() <= EXPIRE_WINDOW_MS
-      );
-    };
-
-    if (cachedCreds && !isExpired(cachedCreds.expiry)) {
-      return Credentials.of({
-        accessKeyId: Redacted.make(cachedCreds.accessKeyId),
-        secretAccessKey: Redacted.make(cachedCreds.secretAccessKey),
-        sessionToken: cachedCreds.sessionToken
-          ? Redacted.make(cachedCreds.sessionToken)
-          : undefined,
-        expiration: cachedCreds.expiry,
-      });
-    }
-
-    const ssoToken = yield* fs.readFileString(ssoTokenFilepath).pipe(
-      Effect.map((text) => JSON.parse(text) as SSOToken),
-      Effect.catch(() =>
-        Effect.fail(
-          new InvalidSSOToken({
-            message: `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
-            sso_session: profile.sso_session!,
-          }),
-        ),
+  Layer.effect(
+    Credentials,
+    Auth.use((auth) =>
+      Effect.succeed(
+        createCachedCredentialsEffect(auth.loadProfileCredentials(profileName)),
       ),
-    );
-
-    if (isExpired(ssoToken.expiresAt)) {
-      yield* Console.log(
-        `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
-      );
-      yield* Effect.fail(
-        new ExpiredSSOToken({
-          message: `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
-          profile: profileName,
-        }),
-      );
-    }
-
-    const response = yield* client.get(
-      `https://portal.sso.${profile.sso_region}.amazonaws.com/federation/credentials?account_id=${profile.sso_account_id}&role_name=${profile.sso_role_name}`,
-      {
-        headers: {
-          "User-Agent": "alchemy.run",
-          "Content-Type": "application/json",
-          "x-amz-sso_bearer_token": ssoToken.accessToken,
-        },
-      },
-    );
-
-    const credentials = (
-      (yield* response.json) as {
-        roleCredentials: {
-          accessKeyId: string;
-          secretAccessKey: string;
-          sessionToken: string;
-          expiration: number;
-        };
-      }
-    ).roleCredentials;
-
-    yield* fs.writeFileString(
-      cachedCredsFilePath,
-      JSON.stringify({
-        accessKeyId: credentials.accessKeyId,
-        secretAccessKey: credentials.secretAccessKey,
-        sessionToken: credentials.sessionToken,
-        expiry: credentials.expiration,
-      }),
-    );
-
-    return Credentials.of({
-      accessKeyId: Redacted.make(credentials.accessKeyId),
-      secretAccessKey: Redacted.make(credentials.secretAccessKey),
-      sessionToken: Redacted.make(credentials.sessionToken),
-      expiration: credentials.expiration,
-    });
-  }
-
-  return yield* Effect.fail(
-    new ProfileNotFound({
-      message: `Profile ${profileName} not found`,
-      profile: profileName,
-    }),
-  );
-});
-
-export const loadProfile = Effect.fn(function* (profileName: string) {
-  const fs = yield* FileSystem.FileSystem;
-  const profiles: {
-    [profileName: string]: AwsProfileConfig;
-  } = yield* Effect.promise(() =>
-    ini.parseKnownFiles({ profile: profileName }),
+    ),
   );
-
-  const profile = profiles[profileName];
-
-  if (!profile) {
-    yield* Effect.fail(
-      new ProfileNotFound({
-        message: `Profile ${profileName} not found`,
-        profile: profileName,
-      }),
-    );
-  }
-
-  const awsDir = path.join(ini.getHomeDir(), ".aws");
-  const configPath = path.join(awsDir, "config");
-
-  if (profile.sso_session) {
-    const ssoRegion = Option.getOrUndefined(
-      yield* Effect.serviceOption(SsoRegion),
-    );
-    const ssoStartUrl = Option.getOrElse(
-      yield* Effect.serviceOption(SsoStartUrl),
-      () => profile.sso_start_url,
-    );
-
-    const ssoSessions = yield* fs.readFileString(configPath).pipe(
-      Effect.flatMap((config) => Effect.promise(async () => parseIni(config))),
-      Effect.map(parseSSOSessionData),
-    );
-    const session = ssoSessions[profile.sso_session];
-    if (ssoRegion && ssoRegion !== session.sso_region) {
-      yield* Effect.fail(
-        new ConflictingSSORegion({
-          message: `Conflicting SSO region`,
-          ssoRegion: ssoRegion,
-          profile: profile.sso_session,
-        }),
-      );
-    }
-    if (ssoStartUrl && ssoStartUrl !== session.sso_start_url) {
-      yield* Effect.fail(
-        new ConflictingSSOStartUrl({
-          message: `Conflicting SSO start url`,
-          ssoStartUrl: ssoStartUrl,
-          profile: profile.sso_session,
-        }),
-      );
-    }
-    profile.sso_region = session.sso_region;
-    profile.sso_start_url = session.sso_start_url;
-
-    const ssoFields = [
-      "sso_start_url",
-      "sso_account_id",
-      "sso_region",
-      "sso_role_name",
-    ] as const satisfies (keyof SsoProfileConfig)[];
-    const missingFields = ssoFields.filter((field) => !profile[field]);
-    if (missingFields.length > 0) {
-      yield* Effect.fail(
-        new InvalidSSOProfile({
-          profile: profileName,
-          missingFields,
-          message:
-            `Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", ` +
-            `"sso_region", "sso_role_name", "sso_start_url". Got ${Object.keys(
-              profile,
-            ).join(
-              ", ",
-            )}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,
-        }),
-      );
-    }
-    return profile;
-  }
-
-  return yield* Effect.fail(
-    new ProfileNotFound({
-      message: `Profile ${profileName} not found`,
-      profile: profileName,
-    }),
-  );
-});

package/src/index.ts

@@ -1,3 +1,10 @@
+/**
+ * AWS Authentication service for loading AWS profiles and credentials.
+ *
+ * @since 0.0.0
+ */
+export * as Auth from "./auth.ts";
+
 /**
  * AWS Credentials providers for obtaining temporary or long-lived credentials.
  *