@karmaniverous/get-dotenv 6.2.2 → 6.2.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/chunks/AwsRestJsonProtocol-Bq1HE-Ln.mjs +932 -0
- package/dist/chunks/createCli-BY6_cfZr.mjs +439 -0
- package/dist/chunks/externalDataInterceptor-CbsdEYa-.mjs +19 -0
- package/dist/chunks/getSSOTokenFromFile-hUSpR7Wf.mjs +22 -0
- package/dist/chunks/helpConfig-CGejgwWW.mjs +12 -0
- package/dist/chunks/index-B5JKTBOL.mjs +443 -0
- package/dist/chunks/index-BEJFiHMX.mjs +522 -0
- package/dist/chunks/index-BPYF6K_G.mjs +82 -0
- package/dist/chunks/index-Bc3h0a95.mjs +374 -0
- package/dist/chunks/index-BpCF5UKx.mjs +272 -0
- package/dist/chunks/index-C_wqbTwI.mjs +187 -0
- package/dist/chunks/index-CeCufHlm.mjs +9374 -0
- package/dist/chunks/index-Cu7rdyqN.mjs +102 -0
- package/dist/chunks/index-DWAtHEA-.mjs +379 -0
- package/dist/chunks/index-Dp1Ip6Ra.mjs +354 -0
- package/dist/chunks/index-DyU5pKKi.mjs +24 -0
- package/dist/chunks/index-c7zKtEuy.mjs +578 -0
- package/dist/chunks/index-cIunyiUQ.mjs +702 -0
- package/dist/chunks/invoke-DuRPU1oC.mjs +60 -0
- package/dist/chunks/loadModuleDefault-Dj8B3Stt.mjs +123 -0
- package/dist/chunks/loadSso-w1eTVg0O.mjs +412 -0
- package/dist/chunks/loader-DnhPeGfq.mjs +346 -0
- package/dist/chunks/overlayEnv-Bs2kVayG.mjs +234 -0
- package/dist/chunks/package-boo9EyYs.mjs +5 -0
- package/dist/chunks/parseKnownFiles-B9cDK21V.mjs +23 -0
- package/dist/chunks/readMergedOptions-Nt0TR7dX.mjs +1626 -0
- package/dist/chunks/resolveCliOptions-TFRzhB2c.mjs +138 -0
- package/dist/chunks/sdk-stream-mixin-BZoJ5jy9.mjs +167 -0
- package/dist/chunks/spawnEnv-CN8a7cNR.mjs +306 -0
- package/dist/chunks/types-DJ-BGABd.mjs +59 -0
- package/dist/chunks/validate-CDl0rE6k.mjs +61 -0
- package/dist/cli.mjs +39 -19307
- package/dist/cliHost.mjs +20 -2800
- package/dist/config.mjs +10 -509
- package/dist/env-overlay.mjs +6 -337
- package/dist/getdotenv.cli.mjs +39 -19305
- package/dist/index.mjs +39 -19396
- package/dist/plugins-aws.d.ts +1 -4
- package/dist/plugins-aws.mjs +65 -2568
- package/dist/plugins-batch.mjs +16 -2573
- package/dist/plugins-cmd.mjs +19 -3094
- package/dist/plugins-init.d.ts +8 -0
- package/dist/plugins-init.mjs +85 -2297
- package/dist/plugins.mjs +36 -18817
- package/package.json +1 -2
- package/dist/templates/cli/index.ts +0 -25
- package/dist/templates/cli/plugins/hello/defaultAction.ts +0 -27
- package/dist/templates/cli/plugins/hello/index.ts +0 -26
- package/dist/templates/cli/plugins/hello/options.ts +0 -31
- package/dist/templates/cli/plugins/hello/strangerAction.ts +0 -20
- package/dist/templates/cli/plugins/hello/types.ts +0 -13
- package/dist/templates/config/js/getdotenv.config.js +0 -20
- package/dist/templates/config/json/local/getdotenv.config.local.json +0 -7
- package/dist/templates/config/json/public/getdotenv.config.json +0 -9
- package/dist/templates/config/public/getdotenv.config.json +0 -8
- package/dist/templates/config/ts/getdotenv.config.ts +0 -28
- package/dist/templates/config/yaml/local/getdotenv.config.local.yaml +0 -7
- package/dist/templates/config/yaml/public/getdotenv.config.yaml +0 -7
- package/dist/templates/defaultAction.ts +0 -27
- package/dist/templates/getdotenv.config.js +0 -20
- package/dist/templates/getdotenv.config.json +0 -9
- package/dist/templates/getdotenv.config.local.json +0 -7
- package/dist/templates/getdotenv.config.local.yaml +0 -7
- package/dist/templates/getdotenv.config.ts +0 -28
- package/dist/templates/getdotenv.config.yaml +0 -7
- package/dist/templates/hello/defaultAction.ts +0 -27
- package/dist/templates/hello/index.ts +0 -26
- package/dist/templates/hello/options.ts +0 -31
- package/dist/templates/hello/strangerAction.ts +0 -20
- package/dist/templates/hello/types.ts +0 -13
- package/dist/templates/index.ts +0 -26
- package/dist/templates/js/getdotenv.config.js +0 -20
- package/dist/templates/json/local/getdotenv.config.local.json +0 -7
- package/dist/templates/json/public/getdotenv.config.json +0 -9
- package/dist/templates/local/getdotenv.config.local.json +0 -7
- package/dist/templates/local/getdotenv.config.local.yaml +0 -7
- package/dist/templates/options.ts +0 -31
- package/dist/templates/plugins/hello/defaultAction.ts +0 -27
- package/dist/templates/plugins/hello/index.ts +0 -26
- package/dist/templates/plugins/hello/options.ts +0 -31
- package/dist/templates/plugins/hello/strangerAction.ts +0 -20
- package/dist/templates/plugins/hello/types.ts +0 -13
- package/dist/templates/public/getdotenv.config.json +0 -9
- package/dist/templates/public/getdotenv.config.yaml +0 -7
- package/dist/templates/strangerAction.ts +0 -20
- package/dist/templates/ts/getdotenv.config.ts +0 -28
- package/dist/templates/types.ts +0 -13
- package/dist/templates/yaml/local/getdotenv.config.local.yaml +0 -7
- package/dist/templates/yaml/public/getdotenv.config.yaml +0 -7
|
@@ -0,0 +1,522 @@
|
|
|
1
|
+
import { C as CredentialsProviderError, s as setCredentialFeature, u as chain, k as getProfileName, v as readFile, H as HttpRequest } from './index-CeCufHlm.mjs';
|
|
2
|
+
import { createHash, createPrivateKey, createPublicKey, sign } from 'node:crypto';
|
|
3
|
+
import { promises } from 'node:fs';
|
|
4
|
+
import { homedir } from 'node:os';
|
|
5
|
+
import { dirname, join } from 'node:path';
|
|
6
|
+
import { p as parseKnownFiles } from './parseKnownFiles-B9cDK21V.mjs';
|
|
7
|
+
import './readMergedOptions-Nt0TR7dX.mjs';
|
|
8
|
+
import 'zod';
|
|
9
|
+
import '@commander-js/extra-typings';
|
|
10
|
+
import './overlayEnv-Bs2kVayG.mjs';
|
|
11
|
+
import 'fs-extra';
|
|
12
|
+
import './loadModuleDefault-Dj8B3Stt.mjs';
|
|
13
|
+
import 'crypto';
|
|
14
|
+
import 'path';
|
|
15
|
+
import 'url';
|
|
16
|
+
import 'nanoid';
|
|
17
|
+
import 'dotenv';
|
|
18
|
+
import './loader-DnhPeGfq.mjs';
|
|
19
|
+
import 'package-directory';
|
|
20
|
+
import 'yaml';
|
|
21
|
+
import 'execa';
|
|
22
|
+
import 'buffer';
|
|
23
|
+
import 'os';
|
|
24
|
+
import 'node:fs/promises';
|
|
25
|
+
import 'http';
|
|
26
|
+
import 'https';
|
|
27
|
+
import 'stream';
|
|
28
|
+
import 'process';
|
|
29
|
+
|
|
30
|
+
const resolveCredentialSource = (credentialSource, profileName, logger) => {
|
|
31
|
+
const sourceProvidersMap = {
|
|
32
|
+
EcsContainer: async (options) => {
|
|
33
|
+
const { fromHttp } = await import('./index-C_wqbTwI.mjs');
|
|
34
|
+
const { fromContainerMetadata } = await import('./index-DWAtHEA-.mjs');
|
|
35
|
+
logger?.debug("@aws-sdk/credential-provider-ini - credential_source is EcsContainer");
|
|
36
|
+
return async () => chain(fromHttp(options ?? {}), fromContainerMetadata(options))().then(setNamedProvider);
|
|
37
|
+
},
|
|
38
|
+
Ec2InstanceMetadata: async (options) => {
|
|
39
|
+
logger?.debug("@aws-sdk/credential-provider-ini - credential_source is Ec2InstanceMetadata");
|
|
40
|
+
const { fromInstanceMetadata } = await import('./index-DWAtHEA-.mjs');
|
|
41
|
+
return async () => fromInstanceMetadata(options)().then(setNamedProvider);
|
|
42
|
+
},
|
|
43
|
+
Environment: async (options) => {
|
|
44
|
+
logger?.debug("@aws-sdk/credential-provider-ini - credential_source is Environment");
|
|
45
|
+
const { fromEnv } = await import('./index-DyU5pKKi.mjs');
|
|
46
|
+
return async () => fromEnv(options)().then(setNamedProvider);
|
|
47
|
+
},
|
|
48
|
+
};
|
|
49
|
+
if (credentialSource in sourceProvidersMap) {
|
|
50
|
+
return sourceProvidersMap[credentialSource];
|
|
51
|
+
}
|
|
52
|
+
else {
|
|
53
|
+
throw new CredentialsProviderError(`Unsupported credential source in profile ${profileName}. Got ${credentialSource}, ` +
|
|
54
|
+
`expected EcsContainer or Ec2InstanceMetadata or Environment.`, { logger });
|
|
55
|
+
}
|
|
56
|
+
};
|
|
57
|
+
const setNamedProvider = (creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_NAMED_PROVIDER", "p");
|
|
58
|
+
|
|
59
|
+
const isAssumeRoleProfile = (arg, { profile = "default", logger } = {}) => {
|
|
60
|
+
return (Boolean(arg) &&
|
|
61
|
+
typeof arg === "object" &&
|
|
62
|
+
typeof arg.role_arn === "string" &&
|
|
63
|
+
["undefined", "string"].indexOf(typeof arg.role_session_name) > -1 &&
|
|
64
|
+
["undefined", "string"].indexOf(typeof arg.external_id) > -1 &&
|
|
65
|
+
["undefined", "string"].indexOf(typeof arg.mfa_serial) > -1 &&
|
|
66
|
+
(isAssumeRoleWithSourceProfile(arg, { profile, logger }) || isCredentialSourceProfile(arg, { profile, logger })));
|
|
67
|
+
};
|
|
68
|
+
const isAssumeRoleWithSourceProfile = (arg, { profile, logger }) => {
|
|
69
|
+
const withSourceProfile = typeof arg.source_profile === "string" && typeof arg.credential_source === "undefined";
|
|
70
|
+
if (withSourceProfile) {
|
|
71
|
+
logger?.debug?.(` ${profile} isAssumeRoleWithSourceProfile source_profile=${arg.source_profile}`);
|
|
72
|
+
}
|
|
73
|
+
return withSourceProfile;
|
|
74
|
+
};
|
|
75
|
+
const isCredentialSourceProfile = (arg, { profile, logger }) => {
|
|
76
|
+
const withProviderProfile = typeof arg.credential_source === "string" && typeof arg.source_profile === "undefined";
|
|
77
|
+
if (withProviderProfile) {
|
|
78
|
+
logger?.debug?.(` ${profile} isCredentialSourceProfile credential_source=${arg.credential_source}`);
|
|
79
|
+
}
|
|
80
|
+
return withProviderProfile;
|
|
81
|
+
};
|
|
82
|
+
const resolveAssumeRoleCredentials = async (profileName, profiles, options, visitedProfiles = {}, resolveProfileData) => {
|
|
83
|
+
options.logger?.debug("@aws-sdk/credential-provider-ini - resolveAssumeRoleCredentials (STS)");
|
|
84
|
+
const profileData = profiles[profileName];
|
|
85
|
+
const { source_profile, region } = profileData;
|
|
86
|
+
if (!options.roleAssumer) {
|
|
87
|
+
const { getDefaultRoleAssumer } = await import('./index-cIunyiUQ.mjs');
|
|
88
|
+
options.roleAssumer = getDefaultRoleAssumer({
|
|
89
|
+
...options.clientConfig,
|
|
90
|
+
credentialProviderLogger: options.logger,
|
|
91
|
+
parentClientConfig: {
|
|
92
|
+
...options?.parentClientConfig,
|
|
93
|
+
region: region ?? options?.parentClientConfig?.region,
|
|
94
|
+
},
|
|
95
|
+
}, options.clientPlugins);
|
|
96
|
+
}
|
|
97
|
+
if (source_profile && source_profile in visitedProfiles) {
|
|
98
|
+
throw new CredentialsProviderError(`Detected a cycle attempting to resolve credentials for profile` +
|
|
99
|
+
` ${getProfileName(options)}. Profiles visited: ` +
|
|
100
|
+
Object.keys(visitedProfiles).join(", "), { logger: options.logger });
|
|
101
|
+
}
|
|
102
|
+
options.logger?.debug(`@aws-sdk/credential-provider-ini - finding credential resolver using ${source_profile ? `source_profile=[${source_profile}]` : `profile=[${profileName}]`}`);
|
|
103
|
+
const sourceCredsProvider = source_profile
|
|
104
|
+
? resolveProfileData(source_profile, profiles, options, {
|
|
105
|
+
...visitedProfiles,
|
|
106
|
+
[source_profile]: true,
|
|
107
|
+
}, isCredentialSourceWithoutRoleArn(profiles[source_profile] ?? {}))
|
|
108
|
+
: (await resolveCredentialSource(profileData.credential_source, profileName, options.logger)(options))();
|
|
109
|
+
if (isCredentialSourceWithoutRoleArn(profileData)) {
|
|
110
|
+
return sourceCredsProvider.then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_SOURCE_PROFILE", "o"));
|
|
111
|
+
}
|
|
112
|
+
else {
|
|
113
|
+
const params = {
|
|
114
|
+
RoleArn: profileData.role_arn,
|
|
115
|
+
RoleSessionName: profileData.role_session_name || `aws-sdk-js-${Date.now()}`,
|
|
116
|
+
ExternalId: profileData.external_id,
|
|
117
|
+
DurationSeconds: parseInt(profileData.duration_seconds || "3600", 10),
|
|
118
|
+
};
|
|
119
|
+
const { mfa_serial } = profileData;
|
|
120
|
+
if (mfa_serial) {
|
|
121
|
+
if (!options.mfaCodeProvider) {
|
|
122
|
+
throw new CredentialsProviderError(`Profile ${profileName} requires multi-factor authentication, but no MFA code callback was provided.`, { logger: options.logger, tryNextLink: false });
|
|
123
|
+
}
|
|
124
|
+
params.SerialNumber = mfa_serial;
|
|
125
|
+
params.TokenCode = await options.mfaCodeProvider(mfa_serial);
|
|
126
|
+
}
|
|
127
|
+
const sourceCreds = await sourceCredsProvider;
|
|
128
|
+
return options.roleAssumer(sourceCreds, params).then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_SOURCE_PROFILE", "o"));
|
|
129
|
+
}
|
|
130
|
+
};
|
|
131
|
+
const isCredentialSourceWithoutRoleArn = (section) => {
|
|
132
|
+
return !section.role_arn && !!section.credential_source;
|
|
133
|
+
};
|
|
134
|
+
|
|
135
|
+
class LoginCredentialsFetcher {
|
|
136
|
+
profileData;
|
|
137
|
+
init;
|
|
138
|
+
callerClientConfig;
|
|
139
|
+
static REFRESH_THRESHOLD = 5 * 60 * 1000;
|
|
140
|
+
constructor(profileData, init, callerClientConfig) {
|
|
141
|
+
this.profileData = profileData;
|
|
142
|
+
this.init = init;
|
|
143
|
+
this.callerClientConfig = callerClientConfig;
|
|
144
|
+
}
|
|
145
|
+
async loadCredentials() {
|
|
146
|
+
const token = await this.loadToken();
|
|
147
|
+
if (!token) {
|
|
148
|
+
throw new CredentialsProviderError(`Failed to load a token for session ${this.loginSession}, please re-authenticate using aws login`, { tryNextLink: false, logger: this.logger });
|
|
149
|
+
}
|
|
150
|
+
const accessToken = token.accessToken;
|
|
151
|
+
const now = Date.now();
|
|
152
|
+
const expiryTime = new Date(accessToken.expiresAt).getTime();
|
|
153
|
+
const timeUntilExpiry = expiryTime - now;
|
|
154
|
+
if (timeUntilExpiry <= LoginCredentialsFetcher.REFRESH_THRESHOLD) {
|
|
155
|
+
return this.refresh(token);
|
|
156
|
+
}
|
|
157
|
+
return {
|
|
158
|
+
accessKeyId: accessToken.accessKeyId,
|
|
159
|
+
secretAccessKey: accessToken.secretAccessKey,
|
|
160
|
+
sessionToken: accessToken.sessionToken,
|
|
161
|
+
accountId: accessToken.accountId,
|
|
162
|
+
expiration: new Date(accessToken.expiresAt),
|
|
163
|
+
};
|
|
164
|
+
}
|
|
165
|
+
get logger() {
|
|
166
|
+
return this.init?.logger;
|
|
167
|
+
}
|
|
168
|
+
get loginSession() {
|
|
169
|
+
return this.profileData.login_session;
|
|
170
|
+
}
|
|
171
|
+
async refresh(token) {
|
|
172
|
+
const { SigninClient, CreateOAuth2TokenCommand } = await import('./index-B5JKTBOL.mjs');
|
|
173
|
+
const { logger, userAgentAppId } = this.callerClientConfig ?? {};
|
|
174
|
+
const isH2 = (requestHandler) => {
|
|
175
|
+
return requestHandler?.metadata?.handlerProtocol === "h2";
|
|
176
|
+
};
|
|
177
|
+
const requestHandler = isH2(this.callerClientConfig?.requestHandler)
|
|
178
|
+
? undefined
|
|
179
|
+
: this.callerClientConfig?.requestHandler;
|
|
180
|
+
const region = this.profileData.region ?? (await this.callerClientConfig?.region?.()) ?? process.env.AWS_REGION;
|
|
181
|
+
const client = new SigninClient({
|
|
182
|
+
credentials: {
|
|
183
|
+
accessKeyId: "",
|
|
184
|
+
secretAccessKey: "",
|
|
185
|
+
},
|
|
186
|
+
region,
|
|
187
|
+
requestHandler,
|
|
188
|
+
logger,
|
|
189
|
+
userAgentAppId,
|
|
190
|
+
...this.init?.clientConfig,
|
|
191
|
+
});
|
|
192
|
+
this.createDPoPInterceptor(client.middlewareStack);
|
|
193
|
+
const commandInput = {
|
|
194
|
+
tokenInput: {
|
|
195
|
+
clientId: token.clientId,
|
|
196
|
+
refreshToken: token.refreshToken,
|
|
197
|
+
grantType: "refresh_token",
|
|
198
|
+
},
|
|
199
|
+
};
|
|
200
|
+
try {
|
|
201
|
+
const response = await client.send(new CreateOAuth2TokenCommand(commandInput));
|
|
202
|
+
const { accessKeyId, secretAccessKey, sessionToken } = response.tokenOutput?.accessToken ?? {};
|
|
203
|
+
const { refreshToken, expiresIn } = response.tokenOutput ?? {};
|
|
204
|
+
if (!accessKeyId || !secretAccessKey || !sessionToken || !refreshToken) {
|
|
205
|
+
throw new CredentialsProviderError("Token refresh response missing required fields", {
|
|
206
|
+
logger: this.logger,
|
|
207
|
+
tryNextLink: false,
|
|
208
|
+
});
|
|
209
|
+
}
|
|
210
|
+
const expiresInMs = (expiresIn ?? 900) * 1000;
|
|
211
|
+
const expiration = new Date(Date.now() + expiresInMs);
|
|
212
|
+
const updatedToken = {
|
|
213
|
+
...token,
|
|
214
|
+
accessToken: {
|
|
215
|
+
...token.accessToken,
|
|
216
|
+
accessKeyId: accessKeyId,
|
|
217
|
+
secretAccessKey: secretAccessKey,
|
|
218
|
+
sessionToken: sessionToken,
|
|
219
|
+
expiresAt: expiration.toISOString(),
|
|
220
|
+
},
|
|
221
|
+
refreshToken: refreshToken,
|
|
222
|
+
};
|
|
223
|
+
await this.saveToken(updatedToken);
|
|
224
|
+
const newAccessToken = updatedToken.accessToken;
|
|
225
|
+
return {
|
|
226
|
+
accessKeyId: newAccessToken.accessKeyId,
|
|
227
|
+
secretAccessKey: newAccessToken.secretAccessKey,
|
|
228
|
+
sessionToken: newAccessToken.sessionToken,
|
|
229
|
+
accountId: newAccessToken.accountId,
|
|
230
|
+
expiration,
|
|
231
|
+
};
|
|
232
|
+
}
|
|
233
|
+
catch (error) {
|
|
234
|
+
if (error.name === "AccessDeniedException") {
|
|
235
|
+
const errorType = error.error;
|
|
236
|
+
let message;
|
|
237
|
+
switch (errorType) {
|
|
238
|
+
case "TOKEN_EXPIRED":
|
|
239
|
+
message = "Your session has expired. Please reauthenticate.";
|
|
240
|
+
break;
|
|
241
|
+
case "USER_CREDENTIALS_CHANGED":
|
|
242
|
+
message =
|
|
243
|
+
"Unable to refresh credentials because of a change in your password. Please reauthenticate with your new password.";
|
|
244
|
+
break;
|
|
245
|
+
case "INSUFFICIENT_PERMISSIONS":
|
|
246
|
+
message =
|
|
247
|
+
"Unable to refresh credentials due to insufficient permissions. You may be missing permission for the 'CreateOAuth2Token' action.";
|
|
248
|
+
break;
|
|
249
|
+
default:
|
|
250
|
+
message = `Failed to refresh token: ${String(error)}. Please re-authenticate using \`aws login\``;
|
|
251
|
+
}
|
|
252
|
+
throw new CredentialsProviderError(message, { logger: this.logger, tryNextLink: false });
|
|
253
|
+
}
|
|
254
|
+
throw new CredentialsProviderError(`Failed to refresh token: ${String(error)}. Please re-authenticate using aws login`, { logger: this.logger });
|
|
255
|
+
}
|
|
256
|
+
}
|
|
257
|
+
async loadToken() {
|
|
258
|
+
const tokenFilePath = this.getTokenFilePath();
|
|
259
|
+
try {
|
|
260
|
+
let tokenData;
|
|
261
|
+
try {
|
|
262
|
+
tokenData = await readFile(tokenFilePath, { ignoreCache: this.init?.ignoreCache });
|
|
263
|
+
}
|
|
264
|
+
catch {
|
|
265
|
+
tokenData = await promises.readFile(tokenFilePath, "utf8");
|
|
266
|
+
}
|
|
267
|
+
const token = JSON.parse(tokenData);
|
|
268
|
+
const missingFields = ["accessToken", "clientId", "refreshToken", "dpopKey"].filter((k) => !token[k]);
|
|
269
|
+
if (!token.accessToken?.accountId) {
|
|
270
|
+
missingFields.push("accountId");
|
|
271
|
+
}
|
|
272
|
+
if (missingFields.length > 0) {
|
|
273
|
+
throw new CredentialsProviderError(`Token validation failed, missing fields: ${missingFields.join(", ")}`, {
|
|
274
|
+
logger: this.logger,
|
|
275
|
+
tryNextLink: false,
|
|
276
|
+
});
|
|
277
|
+
}
|
|
278
|
+
return token;
|
|
279
|
+
}
|
|
280
|
+
catch (error) {
|
|
281
|
+
throw new CredentialsProviderError(`Failed to load token from ${tokenFilePath}: ${String(error)}`, {
|
|
282
|
+
logger: this.logger,
|
|
283
|
+
tryNextLink: false,
|
|
284
|
+
});
|
|
285
|
+
}
|
|
286
|
+
}
|
|
287
|
+
async saveToken(token) {
|
|
288
|
+
const tokenFilePath = this.getTokenFilePath();
|
|
289
|
+
const directory = dirname(tokenFilePath);
|
|
290
|
+
try {
|
|
291
|
+
await promises.mkdir(directory, { recursive: true });
|
|
292
|
+
}
|
|
293
|
+
catch (error) {
|
|
294
|
+
}
|
|
295
|
+
await promises.writeFile(tokenFilePath, JSON.stringify(token, null, 2), "utf8");
|
|
296
|
+
}
|
|
297
|
+
getTokenFilePath() {
|
|
298
|
+
const directory = process.env.AWS_LOGIN_CACHE_DIRECTORY ?? join(homedir(), ".aws", "login", "cache");
|
|
299
|
+
const loginSessionBytes = Buffer.from(this.loginSession, "utf8");
|
|
300
|
+
const loginSessionSha256 = createHash("sha256").update(loginSessionBytes).digest("hex");
|
|
301
|
+
return join(directory, `${loginSessionSha256}.json`);
|
|
302
|
+
}
|
|
303
|
+
derToRawSignature(derSignature) {
|
|
304
|
+
let offset = 2;
|
|
305
|
+
if (derSignature[offset] !== 0x02) {
|
|
306
|
+
throw new Error("Invalid DER signature");
|
|
307
|
+
}
|
|
308
|
+
offset++;
|
|
309
|
+
const rLength = derSignature[offset++];
|
|
310
|
+
let r = derSignature.subarray(offset, offset + rLength);
|
|
311
|
+
offset += rLength;
|
|
312
|
+
if (derSignature[offset] !== 0x02) {
|
|
313
|
+
throw new Error("Invalid DER signature");
|
|
314
|
+
}
|
|
315
|
+
offset++;
|
|
316
|
+
const sLength = derSignature[offset++];
|
|
317
|
+
let s = derSignature.subarray(offset, offset + sLength);
|
|
318
|
+
r = r[0] === 0x00 ? r.subarray(1) : r;
|
|
319
|
+
s = s[0] === 0x00 ? s.subarray(1) : s;
|
|
320
|
+
const rPadded = Buffer.concat([Buffer.alloc(32 - r.length), r]);
|
|
321
|
+
const sPadded = Buffer.concat([Buffer.alloc(32 - s.length), s]);
|
|
322
|
+
return Buffer.concat([rPadded, sPadded]);
|
|
323
|
+
}
|
|
324
|
+
createDPoPInterceptor(middlewareStack) {
|
|
325
|
+
middlewareStack.add((next) => async (args) => {
|
|
326
|
+
if (HttpRequest.isInstance(args.request)) {
|
|
327
|
+
const request = args.request;
|
|
328
|
+
const actualEndpoint = `${request.protocol}//${request.hostname}${request.port ? `:${request.port}` : ""}${request.path}`;
|
|
329
|
+
const dpop = await this.generateDpop(request.method, actualEndpoint);
|
|
330
|
+
request.headers = {
|
|
331
|
+
...request.headers,
|
|
332
|
+
DPoP: dpop,
|
|
333
|
+
};
|
|
334
|
+
}
|
|
335
|
+
return next(args);
|
|
336
|
+
}, {
|
|
337
|
+
step: "finalizeRequest",
|
|
338
|
+
name: "dpopInterceptor",
|
|
339
|
+
override: true,
|
|
340
|
+
});
|
|
341
|
+
}
|
|
342
|
+
async generateDpop(method = "POST", endpoint) {
|
|
343
|
+
const token = await this.loadToken();
|
|
344
|
+
try {
|
|
345
|
+
const privateKey = createPrivateKey({
|
|
346
|
+
key: token.dpopKey,
|
|
347
|
+
format: "pem",
|
|
348
|
+
type: "sec1",
|
|
349
|
+
});
|
|
350
|
+
const publicKey = createPublicKey(privateKey);
|
|
351
|
+
const publicDer = publicKey.export({ format: "der", type: "spki" });
|
|
352
|
+
let pointStart = -1;
|
|
353
|
+
for (let i = 0; i < publicDer.length; i++) {
|
|
354
|
+
if (publicDer[i] === 0x04) {
|
|
355
|
+
pointStart = i;
|
|
356
|
+
break;
|
|
357
|
+
}
|
|
358
|
+
}
|
|
359
|
+
const x = publicDer.slice(pointStart + 1, pointStart + 33);
|
|
360
|
+
const y = publicDer.slice(pointStart + 33, pointStart + 65);
|
|
361
|
+
const header = {
|
|
362
|
+
alg: "ES256",
|
|
363
|
+
typ: "dpop+jwt",
|
|
364
|
+
jwk: {
|
|
365
|
+
kty: "EC",
|
|
366
|
+
crv: "P-256",
|
|
367
|
+
x: x.toString("base64url"),
|
|
368
|
+
y: y.toString("base64url"),
|
|
369
|
+
},
|
|
370
|
+
};
|
|
371
|
+
const payload = {
|
|
372
|
+
jti: crypto.randomUUID(),
|
|
373
|
+
htm: method,
|
|
374
|
+
htu: endpoint,
|
|
375
|
+
iat: Math.floor(Date.now() / 1000),
|
|
376
|
+
};
|
|
377
|
+
const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
|
|
378
|
+
const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
|
|
379
|
+
const message = `${headerB64}.${payloadB64}`;
|
|
380
|
+
const asn1Signature = sign("sha256", Buffer.from(message), privateKey);
|
|
381
|
+
const rawSignature = this.derToRawSignature(asn1Signature);
|
|
382
|
+
const signatureB64 = rawSignature.toString("base64url");
|
|
383
|
+
return `${message}.${signatureB64}`;
|
|
384
|
+
}
|
|
385
|
+
catch (error) {
|
|
386
|
+
throw new CredentialsProviderError(`Failed to generate Dpop proof: ${error instanceof Error ? error.message : String(error)}`, { logger: this.logger, tryNextLink: false });
|
|
387
|
+
}
|
|
388
|
+
}
|
|
389
|
+
}
|
|
390
|
+
|
|
391
|
+
const fromLoginCredentials = (init) => async ({ callerClientConfig } = {}) => {
|
|
392
|
+
init?.logger?.debug?.("@aws-sdk/credential-providers - fromLoginCredentials");
|
|
393
|
+
const profiles = await parseKnownFiles(init || {});
|
|
394
|
+
const profileName = getProfileName({
|
|
395
|
+
profile: init?.profile ?? callerClientConfig?.profile,
|
|
396
|
+
});
|
|
397
|
+
const profile = profiles[profileName];
|
|
398
|
+
if (!profile?.login_session) {
|
|
399
|
+
throw new CredentialsProviderError(`Profile ${profileName} does not contain login_session.`, {
|
|
400
|
+
tryNextLink: true,
|
|
401
|
+
logger: init?.logger,
|
|
402
|
+
});
|
|
403
|
+
}
|
|
404
|
+
const fetcher = new LoginCredentialsFetcher(profile, init, callerClientConfig);
|
|
405
|
+
const credentials = await fetcher.loadCredentials();
|
|
406
|
+
return setCredentialFeature(credentials, "CREDENTIALS_LOGIN", "AD");
|
|
407
|
+
};
|
|
408
|
+
|
|
409
|
+
const isLoginProfile = (data) => {
|
|
410
|
+
return Boolean(data && data.login_session);
|
|
411
|
+
};
|
|
412
|
+
const resolveLoginCredentials = async (profileName, options) => {
|
|
413
|
+
const credentials = await fromLoginCredentials({
|
|
414
|
+
...options,
|
|
415
|
+
profile: profileName,
|
|
416
|
+
})();
|
|
417
|
+
return setCredentialFeature(credentials, "CREDENTIALS_PROFILE_LOGIN", "AC");
|
|
418
|
+
};
|
|
419
|
+
|
|
420
|
+
const isProcessProfile = (arg) => Boolean(arg) && typeof arg === "object" && typeof arg.credential_process === "string";
|
|
421
|
+
const resolveProcessCredentials = async (options, profile) => import('./index-Cu7rdyqN.mjs').then(({ fromProcess }) => fromProcess({
|
|
422
|
+
...options,
|
|
423
|
+
profile,
|
|
424
|
+
})().then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_PROCESS", "v")));
|
|
425
|
+
|
|
426
|
+
const resolveSsoCredentials = async (profile, profileData, options = {}) => {
|
|
427
|
+
const { fromSSO } = await import('./index-Dp1Ip6Ra.mjs');
|
|
428
|
+
return fromSSO({
|
|
429
|
+
profile,
|
|
430
|
+
logger: options.logger,
|
|
431
|
+
parentClientConfig: options.parentClientConfig,
|
|
432
|
+
clientConfig: options.clientConfig,
|
|
433
|
+
})().then((creds) => {
|
|
434
|
+
if (profileData.sso_session) {
|
|
435
|
+
return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SSO", "r");
|
|
436
|
+
}
|
|
437
|
+
else {
|
|
438
|
+
return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SSO_LEGACY", "t");
|
|
439
|
+
}
|
|
440
|
+
});
|
|
441
|
+
};
|
|
442
|
+
const isSsoProfile = (arg) => arg &&
|
|
443
|
+
(typeof arg.sso_start_url === "string" ||
|
|
444
|
+
typeof arg.sso_account_id === "string" ||
|
|
445
|
+
typeof arg.sso_session === "string" ||
|
|
446
|
+
typeof arg.sso_region === "string" ||
|
|
447
|
+
typeof arg.sso_role_name === "string");
|
|
448
|
+
|
|
449
|
+
const isStaticCredsProfile = (arg) => Boolean(arg) &&
|
|
450
|
+
typeof arg === "object" &&
|
|
451
|
+
typeof arg.aws_access_key_id === "string" &&
|
|
452
|
+
typeof arg.aws_secret_access_key === "string" &&
|
|
453
|
+
["undefined", "string"].indexOf(typeof arg.aws_session_token) > -1 &&
|
|
454
|
+
["undefined", "string"].indexOf(typeof arg.aws_account_id) > -1;
|
|
455
|
+
const resolveStaticCredentials = async (profile, options) => {
|
|
456
|
+
options?.logger?.debug("@aws-sdk/credential-provider-ini - resolveStaticCredentials");
|
|
457
|
+
const credentials = {
|
|
458
|
+
accessKeyId: profile.aws_access_key_id,
|
|
459
|
+
secretAccessKey: profile.aws_secret_access_key,
|
|
460
|
+
sessionToken: profile.aws_session_token,
|
|
461
|
+
...(profile.aws_credential_scope && { credentialScope: profile.aws_credential_scope }),
|
|
462
|
+
...(profile.aws_account_id && { accountId: profile.aws_account_id }),
|
|
463
|
+
};
|
|
464
|
+
return setCredentialFeature(credentials, "CREDENTIALS_PROFILE", "n");
|
|
465
|
+
};
|
|
466
|
+
|
|
467
|
+
const isWebIdentityProfile = (arg) => Boolean(arg) &&
|
|
468
|
+
typeof arg === "object" &&
|
|
469
|
+
typeof arg.web_identity_token_file === "string" &&
|
|
470
|
+
typeof arg.role_arn === "string" &&
|
|
471
|
+
["undefined", "string"].indexOf(typeof arg.role_session_name) > -1;
|
|
472
|
+
const resolveWebIdentityCredentials = async (profile, options) => import('./index-BPYF6K_G.mjs').then(({ fromTokenFile }) => fromTokenFile({
|
|
473
|
+
webIdentityTokenFile: profile.web_identity_token_file,
|
|
474
|
+
roleArn: profile.role_arn,
|
|
475
|
+
roleSessionName: profile.role_session_name,
|
|
476
|
+
roleAssumerWithWebIdentity: options.roleAssumerWithWebIdentity,
|
|
477
|
+
logger: options.logger,
|
|
478
|
+
parentClientConfig: options.parentClientConfig,
|
|
479
|
+
})().then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN", "q")));
|
|
480
|
+
|
|
481
|
+
const resolveProfileData = async (profileName, profiles, options, visitedProfiles = {}, isAssumeRoleRecursiveCall = false) => {
|
|
482
|
+
const data = profiles[profileName];
|
|
483
|
+
if (Object.keys(visitedProfiles).length > 0 && isStaticCredsProfile(data)) {
|
|
484
|
+
return resolveStaticCredentials(data, options);
|
|
485
|
+
}
|
|
486
|
+
if (isAssumeRoleRecursiveCall || isAssumeRoleProfile(data, { profile: profileName, logger: options.logger })) {
|
|
487
|
+
return resolveAssumeRoleCredentials(profileName, profiles, options, visitedProfiles, resolveProfileData);
|
|
488
|
+
}
|
|
489
|
+
if (isStaticCredsProfile(data)) {
|
|
490
|
+
return resolveStaticCredentials(data, options);
|
|
491
|
+
}
|
|
492
|
+
if (isWebIdentityProfile(data)) {
|
|
493
|
+
return resolveWebIdentityCredentials(data, options);
|
|
494
|
+
}
|
|
495
|
+
if (isProcessProfile(data)) {
|
|
496
|
+
return resolveProcessCredentials(options, profileName);
|
|
497
|
+
}
|
|
498
|
+
if (isSsoProfile(data)) {
|
|
499
|
+
return await resolveSsoCredentials(profileName, data, options);
|
|
500
|
+
}
|
|
501
|
+
if (isLoginProfile(data)) {
|
|
502
|
+
return resolveLoginCredentials(profileName, options);
|
|
503
|
+
}
|
|
504
|
+
throw new CredentialsProviderError(`Could not resolve credentials using profile: [${profileName}] in configuration/credentials file(s).`, { logger: options.logger });
|
|
505
|
+
};
|
|
506
|
+
|
|
507
|
+
const fromIni = (_init = {}) => async ({ callerClientConfig } = {}) => {
|
|
508
|
+
const init = {
|
|
509
|
+
..._init,
|
|
510
|
+
parentClientConfig: {
|
|
511
|
+
...callerClientConfig,
|
|
512
|
+
..._init.parentClientConfig,
|
|
513
|
+
},
|
|
514
|
+
};
|
|
515
|
+
init.logger?.debug("@aws-sdk/credential-provider-ini - fromIni");
|
|
516
|
+
const profiles = await parseKnownFiles(init);
|
|
517
|
+
return resolveProfileData(getProfileName({
|
|
518
|
+
profile: _init.profile ?? callerClientConfig?.profile,
|
|
519
|
+
}), profiles, init);
|
|
520
|
+
};
|
|
521
|
+
|
|
522
|
+
export { fromIni };
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
import { readFileSync } from 'fs';
|
|
2
|
+
import { e as externalDataInterceptor } from './externalDataInterceptor-CbsdEYa-.mjs';
|
|
3
|
+
import { C as CredentialsProviderError, s as setCredentialFeature } from './index-CeCufHlm.mjs';
|
|
4
|
+
import './getSSOTokenFromFile-hUSpR7Wf.mjs';
|
|
5
|
+
import 'fs/promises';
|
|
6
|
+
import 'crypto';
|
|
7
|
+
import 'path';
|
|
8
|
+
import './readMergedOptions-Nt0TR7dX.mjs';
|
|
9
|
+
import 'zod';
|
|
10
|
+
import '@commander-js/extra-typings';
|
|
11
|
+
import './overlayEnv-Bs2kVayG.mjs';
|
|
12
|
+
import 'fs-extra';
|
|
13
|
+
import './loadModuleDefault-Dj8B3Stt.mjs';
|
|
14
|
+
import 'url';
|
|
15
|
+
import 'nanoid';
|
|
16
|
+
import 'dotenv';
|
|
17
|
+
import './loader-DnhPeGfq.mjs';
|
|
18
|
+
import 'package-directory';
|
|
19
|
+
import 'yaml';
|
|
20
|
+
import 'execa';
|
|
21
|
+
import 'buffer';
|
|
22
|
+
import 'os';
|
|
23
|
+
import 'node:fs/promises';
|
|
24
|
+
import 'http';
|
|
25
|
+
import 'https';
|
|
26
|
+
import 'stream';
|
|
27
|
+
import 'process';
|
|
28
|
+
import 'node:fs';
|
|
29
|
+
|
|
30
|
+
const fromWebToken = (init) => async (awsIdentityProperties) => {
|
|
31
|
+
init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromWebToken");
|
|
32
|
+
const { roleArn, roleSessionName, webIdentityToken, providerId, policyArns, policy, durationSeconds } = init;
|
|
33
|
+
let { roleAssumerWithWebIdentity } = init;
|
|
34
|
+
if (!roleAssumerWithWebIdentity) {
|
|
35
|
+
const { getDefaultRoleAssumerWithWebIdentity } = await import('./index-cIunyiUQ.mjs');
|
|
36
|
+
roleAssumerWithWebIdentity = getDefaultRoleAssumerWithWebIdentity({
|
|
37
|
+
...init.clientConfig,
|
|
38
|
+
credentialProviderLogger: init.logger,
|
|
39
|
+
parentClientConfig: {
|
|
40
|
+
...awsIdentityProperties?.callerClientConfig,
|
|
41
|
+
...init.parentClientConfig,
|
|
42
|
+
},
|
|
43
|
+
}, init.clientPlugins);
|
|
44
|
+
}
|
|
45
|
+
return roleAssumerWithWebIdentity({
|
|
46
|
+
RoleArn: roleArn,
|
|
47
|
+
RoleSessionName: roleSessionName ?? `aws-sdk-js-session-${Date.now()}`,
|
|
48
|
+
WebIdentityToken: webIdentityToken,
|
|
49
|
+
ProviderId: providerId,
|
|
50
|
+
PolicyArns: policyArns,
|
|
51
|
+
Policy: policy,
|
|
52
|
+
DurationSeconds: durationSeconds,
|
|
53
|
+
});
|
|
54
|
+
};
|
|
55
|
+
|
|
56
|
+
const ENV_TOKEN_FILE = "AWS_WEB_IDENTITY_TOKEN_FILE";
|
|
57
|
+
const ENV_ROLE_ARN = "AWS_ROLE_ARN";
|
|
58
|
+
const ENV_ROLE_SESSION_NAME = "AWS_ROLE_SESSION_NAME";
|
|
59
|
+
const fromTokenFile = (init = {}) => async (awsIdentityProperties) => {
|
|
60
|
+
init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromTokenFile");
|
|
61
|
+
const webIdentityTokenFile = init?.webIdentityTokenFile ?? process.env[ENV_TOKEN_FILE];
|
|
62
|
+
const roleArn = init?.roleArn ?? process.env[ENV_ROLE_ARN];
|
|
63
|
+
const roleSessionName = init?.roleSessionName ?? process.env[ENV_ROLE_SESSION_NAME];
|
|
64
|
+
if (!webIdentityTokenFile || !roleArn) {
|
|
65
|
+
throw new CredentialsProviderError("Web identity configuration not specified", {
|
|
66
|
+
logger: init.logger,
|
|
67
|
+
});
|
|
68
|
+
}
|
|
69
|
+
const credentials = await fromWebToken({
|
|
70
|
+
...init,
|
|
71
|
+
webIdentityToken: externalDataInterceptor?.getTokenRecord?.()[webIdentityTokenFile] ??
|
|
72
|
+
readFileSync(webIdentityTokenFile, { encoding: "ascii" }),
|
|
73
|
+
roleArn,
|
|
74
|
+
roleSessionName,
|
|
75
|
+
})(awsIdentityProperties);
|
|
76
|
+
if (webIdentityTokenFile === process.env[ENV_TOKEN_FILE]) {
|
|
77
|
+
setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN", "h");
|
|
78
|
+
}
|
|
79
|
+
return credentials;
|
|
80
|
+
};
|
|
81
|
+
|
|
82
|
+
export { fromTokenFile, fromWebToken };
|