@karmaniverous/get-dotenv 7.0.7 → 7.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/chunks/{createCli-DRgcaM2D.mjs → createCli-CCxTLJ1j.mjs} +57 -10
- package/dist/chunks/index-Cay5Gzhu.mjs +111 -0
- package/dist/chunks/{index-BzoCat8h.mjs → index-xqvxTkr9.mjs} +6 -6
- package/dist/chunks/{loader-V1vbmtyw.mjs → loader-C3DtD6HB.mjs} +4 -2
- package/dist/chunks/{readDotenvCascade-Dgx4SC1p.mjs → readDotenvCascade-CfFPgLCp.mjs} +52 -21
- package/dist/chunks/{readMergedOptions-x80ltQO_.mjs → readMergedOptions-_hjyCNZ7.mjs} +54 -14
- package/dist/chunks/{resolveCliOptions-CR-BEUmS.mjs → resolveCliOptions-Dp7wPY1K.mjs} +1 -1
- package/dist/chunks/{spawnEnv-CKgnHGpr.mjs → spawnEnv-DvisqPiU.mjs} +28 -3
- package/dist/chunks/{types-poB1VAs_.mjs → types-zXDNhcST.mjs} +1 -1
- package/dist/cli.d.ts +9 -5
- package/dist/cli.mjs +10 -15
- package/dist/cliHost.d.ts +9 -5
- package/dist/cliHost.mjs +6 -6
- package/dist/config.d.ts +1 -1
- package/dist/config.mjs +1 -1
- package/dist/env-overlay.d.ts +13 -9
- package/dist/env-overlay.mjs +2 -2
- package/dist/getdotenv.cli.mjs +10 -15
- package/dist/index.d.ts +10 -6
- package/dist/index.mjs +30 -23
- package/dist/plugins-aws.d.ts +1 -1
- package/dist/plugins-aws.mjs +4 -4
- package/dist/plugins-batch.d.ts +17 -1
- package/dist/plugins-batch.mjs +202 -68
- package/dist/plugins-cmd.d.ts +1 -1
- package/dist/plugins-cmd.mjs +6 -6
- package/dist/plugins-init.d.ts +1 -1
- package/dist/plugins-init.mjs +3 -3
- package/dist/plugins.d.ts +3 -1
- package/dist/plugins.mjs +9 -14
- package/package.json +40 -40
- package/schema/getdotenv.config.schema.json +207 -0
- package/dist/chunks/AwsRestJsonProtocol-BWWvLZiw.mjs +0 -1026
- package/dist/chunks/externalDataInterceptor-Bbvq4sdd.mjs +0 -19
- package/dist/chunks/getSSOTokenFromFile-ClTzvS3i.mjs +0 -22
- package/dist/chunks/index-4kbkrHS9.mjs +0 -12529
- package/dist/chunks/index-B5GwHCSX.mjs +0 -669
- package/dist/chunks/index-Cl6wXPYD.mjs +0 -82
- package/dist/chunks/index-D7Lv-lxm.mjs +0 -349
- package/dist/chunks/index-DFNP_Nrx.mjs +0 -188
- package/dist/chunks/index-DO68RbZ8.mjs +0 -103
- package/dist/chunks/index-Db08BBL5.mjs +0 -519
- package/dist/chunks/index-De2jIOhi.mjs +0 -541
- package/dist/chunks/index-IOQ1o3w3.mjs +0 -290
- package/dist/chunks/index-Tm4WDj9R.mjs +0 -383
- package/dist/chunks/index-fNrNPp4e.mjs +0 -946
- package/dist/chunks/index-w8gK2SKP.mjs +0 -31
- package/dist/chunks/loadSso-Ce3ChPPj.mjs +0 -488
- package/dist/chunks/package-DbbYaehr.mjs +0 -5
- package/dist/chunks/parseKnownFiles-BCL0L7aP.mjs +0 -23
- package/dist/chunks/sdk-stream-mixin-B_ajKWho.mjs +0 -307
|
@@ -1,82 +0,0 @@
|
|
|
1
|
-
import { readFileSync } from 'node:fs';
|
|
2
|
-
import { e as CredentialsProviderError, aO as setCredentialFeature } from './index-4kbkrHS9.mjs';
|
|
3
|
-
import { e as externalDataInterceptor } from './externalDataInterceptor-Bbvq4sdd.mjs';
|
|
4
|
-
import './readMergedOptions-x80ltQO_.mjs';
|
|
5
|
-
import 'zod';
|
|
6
|
-
import '@commander-js/extra-typings';
|
|
7
|
-
import './readDotenvCascade-Dgx4SC1p.mjs';
|
|
8
|
-
import 'fs-extra';
|
|
9
|
-
import 'radash';
|
|
10
|
-
import 'node:buffer';
|
|
11
|
-
import 'node:path';
|
|
12
|
-
import './loadModuleDefault-Dj8B3Stt.mjs';
|
|
13
|
-
import 'crypto';
|
|
14
|
-
import 'path';
|
|
15
|
-
import 'url';
|
|
16
|
-
import 'dotenv';
|
|
17
|
-
import 'nanoid';
|
|
18
|
-
import './loader-V1vbmtyw.mjs';
|
|
19
|
-
import 'package-directory';
|
|
20
|
-
import 'yaml';
|
|
21
|
-
import 'execa';
|
|
22
|
-
import 'node:os';
|
|
23
|
-
import 'node:fs/promises';
|
|
24
|
-
import 'node:stream';
|
|
25
|
-
import 'node:crypto';
|
|
26
|
-
import 'node:https';
|
|
27
|
-
import 'node:process';
|
|
28
|
-
import './getSSOTokenFromFile-ClTzvS3i.mjs';
|
|
29
|
-
|
|
30
|
-
const fromWebToken = (init) => async (awsIdentityProperties) => {
|
|
31
|
-
init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromWebToken");
|
|
32
|
-
const { roleArn, roleSessionName, webIdentityToken, providerId, policyArns, policy, durationSeconds } = init;
|
|
33
|
-
let { roleAssumerWithWebIdentity } = init;
|
|
34
|
-
if (!roleAssumerWithWebIdentity) {
|
|
35
|
-
const { getDefaultRoleAssumerWithWebIdentity } = await import('./index-fNrNPp4e.mjs');
|
|
36
|
-
roleAssumerWithWebIdentity = getDefaultRoleAssumerWithWebIdentity({
|
|
37
|
-
...init.clientConfig,
|
|
38
|
-
credentialProviderLogger: init.logger,
|
|
39
|
-
parentClientConfig: {
|
|
40
|
-
...awsIdentityProperties?.callerClientConfig,
|
|
41
|
-
...init.parentClientConfig,
|
|
42
|
-
},
|
|
43
|
-
}, init.clientPlugins);
|
|
44
|
-
}
|
|
45
|
-
return roleAssumerWithWebIdentity({
|
|
46
|
-
RoleArn: roleArn,
|
|
47
|
-
RoleSessionName: roleSessionName ?? `aws-sdk-js-session-${Date.now()}`,
|
|
48
|
-
WebIdentityToken: webIdentityToken,
|
|
49
|
-
ProviderId: providerId,
|
|
50
|
-
PolicyArns: policyArns,
|
|
51
|
-
Policy: policy,
|
|
52
|
-
DurationSeconds: durationSeconds,
|
|
53
|
-
});
|
|
54
|
-
};
|
|
55
|
-
|
|
56
|
-
const ENV_TOKEN_FILE = "AWS_WEB_IDENTITY_TOKEN_FILE";
|
|
57
|
-
const ENV_ROLE_ARN = "AWS_ROLE_ARN";
|
|
58
|
-
const ENV_ROLE_SESSION_NAME = "AWS_ROLE_SESSION_NAME";
|
|
59
|
-
const fromTokenFile = (init = {}) => async (awsIdentityProperties) => {
|
|
60
|
-
init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromTokenFile");
|
|
61
|
-
const webIdentityTokenFile = init?.webIdentityTokenFile ?? process.env[ENV_TOKEN_FILE];
|
|
62
|
-
const roleArn = init?.roleArn ?? process.env[ENV_ROLE_ARN];
|
|
63
|
-
const roleSessionName = init?.roleSessionName ?? process.env[ENV_ROLE_SESSION_NAME];
|
|
64
|
-
if (!webIdentityTokenFile || !roleArn) {
|
|
65
|
-
throw new CredentialsProviderError("Web identity configuration not specified", {
|
|
66
|
-
logger: init.logger,
|
|
67
|
-
});
|
|
68
|
-
}
|
|
69
|
-
const credentials = await fromWebToken({
|
|
70
|
-
...init,
|
|
71
|
-
webIdentityToken: externalDataInterceptor?.getTokenRecord?.()[webIdentityTokenFile] ??
|
|
72
|
-
readFileSync(webIdentityTokenFile, { encoding: "ascii" }),
|
|
73
|
-
roleArn,
|
|
74
|
-
roleSessionName,
|
|
75
|
-
})(awsIdentityProperties);
|
|
76
|
-
if (webIdentityTokenFile === process.env[ENV_TOKEN_FILE]) {
|
|
77
|
-
setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN", "h");
|
|
78
|
-
}
|
|
79
|
-
return credentials;
|
|
80
|
-
};
|
|
81
|
-
|
|
82
|
-
export { fromTokenFile, fromWebToken };
|
|
@@ -1,349 +0,0 @@
|
|
|
1
|
-
import { J as ProviderError, I as IniSectionType, C as CONFIG_PREFIX_SEPARATOR, aB as readFile, ab as getConfigFilepath, aw as parseIni, al as getProfileName, e as CredentialsProviderError, aO as setCredentialFeature } from './index-4kbkrHS9.mjs';
|
|
2
|
-
import { promises } from 'node:fs';
|
|
3
|
-
import { g as getSSOTokenFilepath, a as getSSOTokenFromFile } from './getSSOTokenFromFile-ClTzvS3i.mjs';
|
|
4
|
-
import { p as parseKnownFiles } from './parseKnownFiles-BCL0L7aP.mjs';
|
|
5
|
-
import './readMergedOptions-x80ltQO_.mjs';
|
|
6
|
-
import 'zod';
|
|
7
|
-
import '@commander-js/extra-typings';
|
|
8
|
-
import './readDotenvCascade-Dgx4SC1p.mjs';
|
|
9
|
-
import 'fs-extra';
|
|
10
|
-
import 'radash';
|
|
11
|
-
import 'node:buffer';
|
|
12
|
-
import 'node:path';
|
|
13
|
-
import './loadModuleDefault-Dj8B3Stt.mjs';
|
|
14
|
-
import 'crypto';
|
|
15
|
-
import 'path';
|
|
16
|
-
import 'url';
|
|
17
|
-
import 'dotenv';
|
|
18
|
-
import 'nanoid';
|
|
19
|
-
import './loader-V1vbmtyw.mjs';
|
|
20
|
-
import 'package-directory';
|
|
21
|
-
import 'yaml';
|
|
22
|
-
import 'execa';
|
|
23
|
-
import 'node:os';
|
|
24
|
-
import 'node:fs/promises';
|
|
25
|
-
import 'node:stream';
|
|
26
|
-
import 'node:crypto';
|
|
27
|
-
import 'node:https';
|
|
28
|
-
import 'node:process';
|
|
29
|
-
|
|
30
|
-
class TokenProviderError extends ProviderError {
|
|
31
|
-
name = "TokenProviderError";
|
|
32
|
-
constructor(message, options = true) {
|
|
33
|
-
super(message, options);
|
|
34
|
-
Object.setPrototypeOf(this, TokenProviderError.prototype);
|
|
35
|
-
}
|
|
36
|
-
}
|
|
37
|
-
|
|
38
|
-
const getSsoSessionData = (data) => Object.entries(data)
|
|
39
|
-
.filter(([key]) => key.startsWith(IniSectionType.SSO_SESSION + CONFIG_PREFIX_SEPARATOR))
|
|
40
|
-
.reduce((acc, [key, value]) => ({ ...acc, [key.substring(key.indexOf(CONFIG_PREFIX_SEPARATOR) + 1)]: value }), {});
|
|
41
|
-
|
|
42
|
-
const swallowError = () => ({});
|
|
43
|
-
const loadSsoSessionData = async (init = {}) => readFile(init.configFilepath ?? getConfigFilepath())
|
|
44
|
-
.then(parseIni)
|
|
45
|
-
.then(getSsoSessionData)
|
|
46
|
-
.catch(swallowError);
|
|
47
|
-
|
|
48
|
-
const isSsoProfile = (arg) => arg &&
|
|
49
|
-
(typeof arg.sso_start_url === "string" ||
|
|
50
|
-
typeof arg.sso_account_id === "string" ||
|
|
51
|
-
typeof arg.sso_session === "string" ||
|
|
52
|
-
typeof arg.sso_region === "string" ||
|
|
53
|
-
typeof arg.sso_role_name === "string");
|
|
54
|
-
|
|
55
|
-
const EXPIRE_WINDOW_MS = 5 * 60 * 1000;
|
|
56
|
-
const REFRESH_MESSAGE = `To refresh this SSO session run 'aws sso login' with the corresponding profile.`;
|
|
57
|
-
|
|
58
|
-
const getSsoOidcClient = async (ssoRegion, init = {}, callerClientConfig) => {
|
|
59
|
-
const { SSOOIDCClient } = await import('./index-B5GwHCSX.mjs');
|
|
60
|
-
const coalesce = (prop) => init.clientConfig?.[prop] ?? init.parentClientConfig?.[prop] ?? callerClientConfig?.[prop];
|
|
61
|
-
const ssoOidcClient = new SSOOIDCClient(Object.assign({}, init.clientConfig ?? {}, {
|
|
62
|
-
region: ssoRegion ?? init.clientConfig?.region,
|
|
63
|
-
logger: coalesce("logger"),
|
|
64
|
-
userAgentAppId: coalesce("userAgentAppId"),
|
|
65
|
-
}));
|
|
66
|
-
return ssoOidcClient;
|
|
67
|
-
};
|
|
68
|
-
|
|
69
|
-
const getNewSsoOidcToken = async (ssoToken, ssoRegion, init = {}, callerClientConfig) => {
|
|
70
|
-
const { CreateTokenCommand } = await import('./index-B5GwHCSX.mjs');
|
|
71
|
-
const ssoOidcClient = await getSsoOidcClient(ssoRegion, init, callerClientConfig);
|
|
72
|
-
return ssoOidcClient.send(new CreateTokenCommand({
|
|
73
|
-
clientId: ssoToken.clientId,
|
|
74
|
-
clientSecret: ssoToken.clientSecret,
|
|
75
|
-
refreshToken: ssoToken.refreshToken,
|
|
76
|
-
grantType: "refresh_token",
|
|
77
|
-
}));
|
|
78
|
-
};
|
|
79
|
-
|
|
80
|
-
const validateTokenExpiry = (token) => {
|
|
81
|
-
if (token.expiration && token.expiration.getTime() < Date.now()) {
|
|
82
|
-
throw new TokenProviderError(`Token is expired. ${REFRESH_MESSAGE}`, false);
|
|
83
|
-
}
|
|
84
|
-
};
|
|
85
|
-
|
|
86
|
-
const validateTokenKey = (key, value, forRefresh = false) => {
|
|
87
|
-
if (typeof value === "undefined") {
|
|
88
|
-
throw new TokenProviderError(`Value not present for '${key}' in SSO Token${forRefresh ? ". Cannot refresh" : ""}. ${REFRESH_MESSAGE}`, false);
|
|
89
|
-
}
|
|
90
|
-
};
|
|
91
|
-
|
|
92
|
-
const { writeFile } = promises;
|
|
93
|
-
const writeSSOTokenToFile = (id, ssoToken) => {
|
|
94
|
-
const tokenFilepath = getSSOTokenFilepath(id);
|
|
95
|
-
const tokenString = JSON.stringify(ssoToken, null, 2);
|
|
96
|
-
return writeFile(tokenFilepath, tokenString);
|
|
97
|
-
};
|
|
98
|
-
|
|
99
|
-
const lastRefreshAttemptTime = new Date(0);
|
|
100
|
-
const fromSso = (init = {}) => async ({ callerClientConfig } = {}) => {
|
|
101
|
-
init.logger?.debug("@aws-sdk/token-providers - fromSso");
|
|
102
|
-
const profiles = await parseKnownFiles(init);
|
|
103
|
-
const profileName = getProfileName({
|
|
104
|
-
profile: init.profile ?? callerClientConfig?.profile,
|
|
105
|
-
});
|
|
106
|
-
const profile = profiles[profileName];
|
|
107
|
-
if (!profile) {
|
|
108
|
-
throw new TokenProviderError(`Profile '${profileName}' could not be found in shared credentials file.`, false);
|
|
109
|
-
}
|
|
110
|
-
else if (!profile["sso_session"]) {
|
|
111
|
-
throw new TokenProviderError(`Profile '${profileName}' is missing required property 'sso_session'.`);
|
|
112
|
-
}
|
|
113
|
-
const ssoSessionName = profile["sso_session"];
|
|
114
|
-
const ssoSessions = await loadSsoSessionData(init);
|
|
115
|
-
const ssoSession = ssoSessions[ssoSessionName];
|
|
116
|
-
if (!ssoSession) {
|
|
117
|
-
throw new TokenProviderError(`Sso session '${ssoSessionName}' could not be found in shared credentials file.`, false);
|
|
118
|
-
}
|
|
119
|
-
for (const ssoSessionRequiredKey of ["sso_start_url", "sso_region"]) {
|
|
120
|
-
if (!ssoSession[ssoSessionRequiredKey]) {
|
|
121
|
-
throw new TokenProviderError(`Sso session '${ssoSessionName}' is missing required property '${ssoSessionRequiredKey}'.`, false);
|
|
122
|
-
}
|
|
123
|
-
}
|
|
124
|
-
ssoSession["sso_start_url"];
|
|
125
|
-
const ssoRegion = ssoSession["sso_region"];
|
|
126
|
-
let ssoToken;
|
|
127
|
-
try {
|
|
128
|
-
ssoToken = await getSSOTokenFromFile(ssoSessionName);
|
|
129
|
-
}
|
|
130
|
-
catch (e) {
|
|
131
|
-
throw new TokenProviderError(`The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`, false);
|
|
132
|
-
}
|
|
133
|
-
validateTokenKey("accessToken", ssoToken.accessToken);
|
|
134
|
-
validateTokenKey("expiresAt", ssoToken.expiresAt);
|
|
135
|
-
const { accessToken, expiresAt } = ssoToken;
|
|
136
|
-
const existingToken = { token: accessToken, expiration: new Date(expiresAt) };
|
|
137
|
-
if (existingToken.expiration.getTime() - Date.now() > EXPIRE_WINDOW_MS) {
|
|
138
|
-
return existingToken;
|
|
139
|
-
}
|
|
140
|
-
if (Date.now() - lastRefreshAttemptTime.getTime() < 30 * 1000) {
|
|
141
|
-
validateTokenExpiry(existingToken);
|
|
142
|
-
return existingToken;
|
|
143
|
-
}
|
|
144
|
-
validateTokenKey("clientId", ssoToken.clientId, true);
|
|
145
|
-
validateTokenKey("clientSecret", ssoToken.clientSecret, true);
|
|
146
|
-
validateTokenKey("refreshToken", ssoToken.refreshToken, true);
|
|
147
|
-
try {
|
|
148
|
-
lastRefreshAttemptTime.setTime(Date.now());
|
|
149
|
-
const newSsoOidcToken = await getNewSsoOidcToken(ssoToken, ssoRegion, init, callerClientConfig);
|
|
150
|
-
validateTokenKey("accessToken", newSsoOidcToken.accessToken);
|
|
151
|
-
validateTokenKey("expiresIn", newSsoOidcToken.expiresIn);
|
|
152
|
-
const newTokenExpiration = new Date(Date.now() + newSsoOidcToken.expiresIn * 1000);
|
|
153
|
-
try {
|
|
154
|
-
await writeSSOTokenToFile(ssoSessionName, {
|
|
155
|
-
...ssoToken,
|
|
156
|
-
accessToken: newSsoOidcToken.accessToken,
|
|
157
|
-
expiresAt: newTokenExpiration.toISOString(),
|
|
158
|
-
refreshToken: newSsoOidcToken.refreshToken,
|
|
159
|
-
});
|
|
160
|
-
}
|
|
161
|
-
catch (error) {
|
|
162
|
-
}
|
|
163
|
-
return {
|
|
164
|
-
token: newSsoOidcToken.accessToken,
|
|
165
|
-
expiration: newTokenExpiration,
|
|
166
|
-
};
|
|
167
|
-
}
|
|
168
|
-
catch (error) {
|
|
169
|
-
validateTokenExpiry(existingToken);
|
|
170
|
-
return existingToken;
|
|
171
|
-
}
|
|
172
|
-
};
|
|
173
|
-
|
|
174
|
-
const SHOULD_FAIL_CREDENTIAL_CHAIN = false;
|
|
175
|
-
const resolveSSOCredentials = async ({ ssoStartUrl, ssoSession, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, clientConfig, parentClientConfig, callerClientConfig, profile, filepath, configFilepath, ignoreCache, logger, }) => {
|
|
176
|
-
let token;
|
|
177
|
-
const refreshMessage = `To refresh this SSO session run aws sso login with the corresponding profile.`;
|
|
178
|
-
if (ssoSession) {
|
|
179
|
-
try {
|
|
180
|
-
const _token = await fromSso({
|
|
181
|
-
profile,
|
|
182
|
-
filepath,
|
|
183
|
-
configFilepath,
|
|
184
|
-
ignoreCache,
|
|
185
|
-
})();
|
|
186
|
-
token = {
|
|
187
|
-
accessToken: _token.token,
|
|
188
|
-
expiresAt: new Date(_token.expiration).toISOString(),
|
|
189
|
-
};
|
|
190
|
-
}
|
|
191
|
-
catch (e) {
|
|
192
|
-
throw new CredentialsProviderError(e.message, {
|
|
193
|
-
tryNextLink: SHOULD_FAIL_CREDENTIAL_CHAIN,
|
|
194
|
-
logger,
|
|
195
|
-
});
|
|
196
|
-
}
|
|
197
|
-
}
|
|
198
|
-
else {
|
|
199
|
-
try {
|
|
200
|
-
token = await getSSOTokenFromFile(ssoStartUrl);
|
|
201
|
-
}
|
|
202
|
-
catch (e) {
|
|
203
|
-
throw new CredentialsProviderError(`The SSO session associated with this profile is invalid. ${refreshMessage}`, {
|
|
204
|
-
tryNextLink: SHOULD_FAIL_CREDENTIAL_CHAIN,
|
|
205
|
-
logger,
|
|
206
|
-
});
|
|
207
|
-
}
|
|
208
|
-
}
|
|
209
|
-
if (new Date(token.expiresAt).getTime() - Date.now() <= 0) {
|
|
210
|
-
throw new CredentialsProviderError(`The SSO session associated with this profile has expired. ${refreshMessage}`, {
|
|
211
|
-
tryNextLink: SHOULD_FAIL_CREDENTIAL_CHAIN,
|
|
212
|
-
logger,
|
|
213
|
-
});
|
|
214
|
-
}
|
|
215
|
-
const { accessToken } = token;
|
|
216
|
-
const { SSOClient, GetRoleCredentialsCommand } = await import('./loadSso-Ce3ChPPj.mjs');
|
|
217
|
-
const sso = ssoClient ||
|
|
218
|
-
new SSOClient(Object.assign({}, clientConfig ?? {}, {
|
|
219
|
-
logger: clientConfig?.logger ?? callerClientConfig?.logger ?? parentClientConfig?.logger,
|
|
220
|
-
region: clientConfig?.region ?? ssoRegion,
|
|
221
|
-
userAgentAppId: clientConfig?.userAgentAppId ?? callerClientConfig?.userAgentAppId ?? parentClientConfig?.userAgentAppId,
|
|
222
|
-
}));
|
|
223
|
-
let ssoResp;
|
|
224
|
-
try {
|
|
225
|
-
ssoResp = await sso.send(new GetRoleCredentialsCommand({
|
|
226
|
-
accountId: ssoAccountId,
|
|
227
|
-
roleName: ssoRoleName,
|
|
228
|
-
accessToken,
|
|
229
|
-
}));
|
|
230
|
-
}
|
|
231
|
-
catch (e) {
|
|
232
|
-
throw new CredentialsProviderError(e, {
|
|
233
|
-
tryNextLink: SHOULD_FAIL_CREDENTIAL_CHAIN,
|
|
234
|
-
logger,
|
|
235
|
-
});
|
|
236
|
-
}
|
|
237
|
-
const { roleCredentials: { accessKeyId, secretAccessKey, sessionToken, expiration, credentialScope, accountId } = {}, } = ssoResp;
|
|
238
|
-
if (!accessKeyId || !secretAccessKey || !sessionToken || !expiration) {
|
|
239
|
-
throw new CredentialsProviderError("SSO returns an invalid temporary credential.", {
|
|
240
|
-
tryNextLink: SHOULD_FAIL_CREDENTIAL_CHAIN,
|
|
241
|
-
logger,
|
|
242
|
-
});
|
|
243
|
-
}
|
|
244
|
-
const credentials = {
|
|
245
|
-
accessKeyId,
|
|
246
|
-
secretAccessKey,
|
|
247
|
-
sessionToken,
|
|
248
|
-
expiration: new Date(expiration),
|
|
249
|
-
...(credentialScope && { credentialScope }),
|
|
250
|
-
...(accountId && { accountId }),
|
|
251
|
-
};
|
|
252
|
-
if (ssoSession) {
|
|
253
|
-
setCredentialFeature(credentials, "CREDENTIALS_SSO", "s");
|
|
254
|
-
}
|
|
255
|
-
else {
|
|
256
|
-
setCredentialFeature(credentials, "CREDENTIALS_SSO_LEGACY", "u");
|
|
257
|
-
}
|
|
258
|
-
return credentials;
|
|
259
|
-
};
|
|
260
|
-
|
|
261
|
-
const validateSsoProfile = (profile, logger) => {
|
|
262
|
-
const { sso_start_url, sso_account_id, sso_region, sso_role_name } = profile;
|
|
263
|
-
if (!sso_start_url || !sso_account_id || !sso_region || !sso_role_name) {
|
|
264
|
-
throw new CredentialsProviderError(`Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", ` +
|
|
265
|
-
`"sso_region", "sso_role_name", "sso_start_url". Got ${Object.keys(profile).join(", ")}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`, { tryNextLink: false, logger });
|
|
266
|
-
}
|
|
267
|
-
return profile;
|
|
268
|
-
};
|
|
269
|
-
|
|
270
|
-
const fromSSO = (init = {}) => async ({ callerClientConfig } = {}) => {
|
|
271
|
-
init.logger?.debug("@aws-sdk/credential-provider-sso - fromSSO");
|
|
272
|
-
const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoSession } = init;
|
|
273
|
-
const { ssoClient } = init;
|
|
274
|
-
const profileName = getProfileName({
|
|
275
|
-
profile: init.profile ?? callerClientConfig?.profile,
|
|
276
|
-
});
|
|
277
|
-
if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
|
|
278
|
-
const profiles = await parseKnownFiles(init);
|
|
279
|
-
const profile = profiles[profileName];
|
|
280
|
-
if (!profile) {
|
|
281
|
-
throw new CredentialsProviderError(`Profile ${profileName} was not found.`, { logger: init.logger });
|
|
282
|
-
}
|
|
283
|
-
if (!isSsoProfile(profile)) {
|
|
284
|
-
throw new CredentialsProviderError(`Profile ${profileName} is not configured with SSO credentials.`, {
|
|
285
|
-
logger: init.logger,
|
|
286
|
-
});
|
|
287
|
-
}
|
|
288
|
-
if (profile?.sso_session) {
|
|
289
|
-
const ssoSessions = await loadSsoSessionData(init);
|
|
290
|
-
const session = ssoSessions[profile.sso_session];
|
|
291
|
-
const conflictMsg = ` configurations in profile ${profileName} and sso-session ${profile.sso_session}`;
|
|
292
|
-
if (ssoRegion && ssoRegion !== session.sso_region) {
|
|
293
|
-
throw new CredentialsProviderError(`Conflicting SSO region` + conflictMsg, {
|
|
294
|
-
tryNextLink: false,
|
|
295
|
-
logger: init.logger,
|
|
296
|
-
});
|
|
297
|
-
}
|
|
298
|
-
if (ssoStartUrl && ssoStartUrl !== session.sso_start_url) {
|
|
299
|
-
throw new CredentialsProviderError(`Conflicting SSO start_url` + conflictMsg, {
|
|
300
|
-
tryNextLink: false,
|
|
301
|
-
logger: init.logger,
|
|
302
|
-
});
|
|
303
|
-
}
|
|
304
|
-
profile.sso_region = session.sso_region;
|
|
305
|
-
profile.sso_start_url = session.sso_start_url;
|
|
306
|
-
}
|
|
307
|
-
const { sso_start_url, sso_account_id, sso_region, sso_role_name, sso_session } = validateSsoProfile(profile, init.logger);
|
|
308
|
-
return resolveSSOCredentials({
|
|
309
|
-
ssoStartUrl: sso_start_url,
|
|
310
|
-
ssoSession: sso_session,
|
|
311
|
-
ssoAccountId: sso_account_id,
|
|
312
|
-
ssoRegion: sso_region,
|
|
313
|
-
ssoRoleName: sso_role_name,
|
|
314
|
-
ssoClient: ssoClient,
|
|
315
|
-
clientConfig: init.clientConfig,
|
|
316
|
-
parentClientConfig: init.parentClientConfig,
|
|
317
|
-
callerClientConfig: init.callerClientConfig,
|
|
318
|
-
profile: profileName,
|
|
319
|
-
filepath: init.filepath,
|
|
320
|
-
configFilepath: init.configFilepath,
|
|
321
|
-
ignoreCache: init.ignoreCache,
|
|
322
|
-
logger: init.logger,
|
|
323
|
-
});
|
|
324
|
-
}
|
|
325
|
-
else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
|
|
326
|
-
throw new CredentialsProviderError("Incomplete configuration. The fromSSO() argument hash must include " +
|
|
327
|
-
'"ssoStartUrl", "ssoAccountId", "ssoRegion", "ssoRoleName"', { tryNextLink: false, logger: init.logger });
|
|
328
|
-
}
|
|
329
|
-
else {
|
|
330
|
-
return resolveSSOCredentials({
|
|
331
|
-
ssoStartUrl,
|
|
332
|
-
ssoSession,
|
|
333
|
-
ssoAccountId,
|
|
334
|
-
ssoRegion,
|
|
335
|
-
ssoRoleName,
|
|
336
|
-
ssoClient,
|
|
337
|
-
clientConfig: init.clientConfig,
|
|
338
|
-
parentClientConfig: init.parentClientConfig,
|
|
339
|
-
callerClientConfig: init.callerClientConfig,
|
|
340
|
-
profile: profileName,
|
|
341
|
-
filepath: init.filepath,
|
|
342
|
-
configFilepath: init.configFilepath,
|
|
343
|
-
ignoreCache: init.ignoreCache,
|
|
344
|
-
logger: init.logger,
|
|
345
|
-
});
|
|
346
|
-
}
|
|
347
|
-
};
|
|
348
|
-
|
|
349
|
-
export { fromSSO, isSsoProfile, validateSsoProfile };
|
|
@@ -1,188 +0,0 @@
|
|
|
1
|
-
import fs from 'node:fs/promises';
|
|
2
|
-
import { e as CredentialsProviderError, n as HttpRequest, ax as parseRfc3339DateTime, y as NodeHttpHandler, aO as setCredentialFeature } from './index-4kbkrHS9.mjs';
|
|
3
|
-
import { s as sdkStreamMixin } from './sdk-stream-mixin-B_ajKWho.mjs';
|
|
4
|
-
import './readMergedOptions-x80ltQO_.mjs';
|
|
5
|
-
import 'zod';
|
|
6
|
-
import '@commander-js/extra-typings';
|
|
7
|
-
import './readDotenvCascade-Dgx4SC1p.mjs';
|
|
8
|
-
import 'fs-extra';
|
|
9
|
-
import 'radash';
|
|
10
|
-
import 'node:buffer';
|
|
11
|
-
import 'node:path';
|
|
12
|
-
import './loadModuleDefault-Dj8B3Stt.mjs';
|
|
13
|
-
import 'crypto';
|
|
14
|
-
import 'path';
|
|
15
|
-
import 'url';
|
|
16
|
-
import 'dotenv';
|
|
17
|
-
import 'nanoid';
|
|
18
|
-
import './loader-V1vbmtyw.mjs';
|
|
19
|
-
import 'package-directory';
|
|
20
|
-
import 'yaml';
|
|
21
|
-
import 'execa';
|
|
22
|
-
import 'node:os';
|
|
23
|
-
import 'node:stream';
|
|
24
|
-
import 'node:crypto';
|
|
25
|
-
import 'node:fs';
|
|
26
|
-
import 'node:https';
|
|
27
|
-
import 'node:process';
|
|
28
|
-
|
|
29
|
-
const ECS_CONTAINER_HOST = "169.254.170.2";
|
|
30
|
-
const EKS_CONTAINER_HOST_IPv4 = "169.254.170.23";
|
|
31
|
-
const EKS_CONTAINER_HOST_IPv6 = "[fd00:ec2::23]";
|
|
32
|
-
const checkUrl = (url, logger) => {
|
|
33
|
-
if (url.protocol === "https:") {
|
|
34
|
-
return;
|
|
35
|
-
}
|
|
36
|
-
if (url.hostname === ECS_CONTAINER_HOST ||
|
|
37
|
-
url.hostname === EKS_CONTAINER_HOST_IPv4 ||
|
|
38
|
-
url.hostname === EKS_CONTAINER_HOST_IPv6) {
|
|
39
|
-
return;
|
|
40
|
-
}
|
|
41
|
-
if (url.hostname.includes("[")) {
|
|
42
|
-
if (url.hostname === "[::1]" || url.hostname === "[0000:0000:0000:0000:0000:0000:0000:0001]") {
|
|
43
|
-
return;
|
|
44
|
-
}
|
|
45
|
-
}
|
|
46
|
-
else {
|
|
47
|
-
if (url.hostname === "localhost") {
|
|
48
|
-
return;
|
|
49
|
-
}
|
|
50
|
-
const ipComponents = url.hostname.split(".");
|
|
51
|
-
const inRange = (component) => {
|
|
52
|
-
const num = parseInt(component, 10);
|
|
53
|
-
return 0 <= num && num <= 255;
|
|
54
|
-
};
|
|
55
|
-
if (ipComponents[0] === "127" &&
|
|
56
|
-
inRange(ipComponents[1]) &&
|
|
57
|
-
inRange(ipComponents[2]) &&
|
|
58
|
-
inRange(ipComponents[3]) &&
|
|
59
|
-
ipComponents.length === 4) {
|
|
60
|
-
return;
|
|
61
|
-
}
|
|
62
|
-
}
|
|
63
|
-
throw new CredentialsProviderError(`URL not accepted. It must either be HTTPS or match one of the following:
|
|
64
|
-
- loopback CIDR 127.0.0.0/8 or [::1/128]
|
|
65
|
-
- ECS container host 169.254.170.2
|
|
66
|
-
- EKS container host 169.254.170.23 or [fd00:ec2::23]`, { logger });
|
|
67
|
-
};
|
|
68
|
-
|
|
69
|
-
function createGetRequest(url) {
|
|
70
|
-
return new HttpRequest({
|
|
71
|
-
protocol: url.protocol,
|
|
72
|
-
hostname: url.hostname,
|
|
73
|
-
port: Number(url.port),
|
|
74
|
-
path: url.pathname,
|
|
75
|
-
query: Array.from(url.searchParams.entries()).reduce((acc, [k, v]) => {
|
|
76
|
-
acc[k] = v;
|
|
77
|
-
return acc;
|
|
78
|
-
}, {}),
|
|
79
|
-
fragment: url.hash,
|
|
80
|
-
});
|
|
81
|
-
}
|
|
82
|
-
async function getCredentials(response, logger) {
|
|
83
|
-
const stream = sdkStreamMixin(response.body);
|
|
84
|
-
const str = await stream.transformToString();
|
|
85
|
-
if (response.statusCode === 200) {
|
|
86
|
-
const parsed = JSON.parse(str);
|
|
87
|
-
if (typeof parsed.AccessKeyId !== "string" ||
|
|
88
|
-
typeof parsed.SecretAccessKey !== "string" ||
|
|
89
|
-
typeof parsed.Token !== "string" ||
|
|
90
|
-
typeof parsed.Expiration !== "string") {
|
|
91
|
-
throw new CredentialsProviderError("HTTP credential provider response not of the required format, an object matching: " +
|
|
92
|
-
"{ AccessKeyId: string, SecretAccessKey: string, Token: string, Expiration: string(rfc3339) }", { logger });
|
|
93
|
-
}
|
|
94
|
-
return {
|
|
95
|
-
accessKeyId: parsed.AccessKeyId,
|
|
96
|
-
secretAccessKey: parsed.SecretAccessKey,
|
|
97
|
-
sessionToken: parsed.Token,
|
|
98
|
-
expiration: parseRfc3339DateTime(parsed.Expiration),
|
|
99
|
-
};
|
|
100
|
-
}
|
|
101
|
-
if (response.statusCode >= 400 && response.statusCode < 500) {
|
|
102
|
-
let parsedBody = {};
|
|
103
|
-
try {
|
|
104
|
-
parsedBody = JSON.parse(str);
|
|
105
|
-
}
|
|
106
|
-
catch (e) { }
|
|
107
|
-
throw Object.assign(new CredentialsProviderError(`Server responded with status: ${response.statusCode}`, { logger }), {
|
|
108
|
-
Code: parsedBody.Code,
|
|
109
|
-
Message: parsedBody.Message,
|
|
110
|
-
});
|
|
111
|
-
}
|
|
112
|
-
throw new CredentialsProviderError(`Server responded with status: ${response.statusCode}`, { logger });
|
|
113
|
-
}
|
|
114
|
-
|
|
115
|
-
const retryWrapper = (toRetry, maxRetries, delayMs) => {
|
|
116
|
-
return async () => {
|
|
117
|
-
for (let i = 0; i < maxRetries; ++i) {
|
|
118
|
-
try {
|
|
119
|
-
return await toRetry();
|
|
120
|
-
}
|
|
121
|
-
catch (e) {
|
|
122
|
-
await new Promise((resolve) => setTimeout(resolve, delayMs));
|
|
123
|
-
}
|
|
124
|
-
}
|
|
125
|
-
return await toRetry();
|
|
126
|
-
};
|
|
127
|
-
};
|
|
128
|
-
|
|
129
|
-
const AWS_CONTAINER_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
|
|
130
|
-
const DEFAULT_LINK_LOCAL_HOST = "http://169.254.170.2";
|
|
131
|
-
const AWS_CONTAINER_CREDENTIALS_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
|
|
132
|
-
const AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE";
|
|
133
|
-
const AWS_CONTAINER_AUTHORIZATION_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
|
|
134
|
-
const fromHttp = (options = {}) => {
|
|
135
|
-
options.logger?.debug("@aws-sdk/credential-provider-http - fromHttp");
|
|
136
|
-
let host;
|
|
137
|
-
const relative = options.awsContainerCredentialsRelativeUri ?? process.env[AWS_CONTAINER_CREDENTIALS_RELATIVE_URI];
|
|
138
|
-
const full = options.awsContainerCredentialsFullUri ?? process.env[AWS_CONTAINER_CREDENTIALS_FULL_URI];
|
|
139
|
-
const token = options.awsContainerAuthorizationToken ?? process.env[AWS_CONTAINER_AUTHORIZATION_TOKEN];
|
|
140
|
-
const tokenFile = options.awsContainerAuthorizationTokenFile ?? process.env[AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE];
|
|
141
|
-
const warn = options.logger?.constructor?.name === "NoOpLogger" || !options.logger?.warn
|
|
142
|
-
? console.warn
|
|
143
|
-
: options.logger.warn.bind(options.logger);
|
|
144
|
-
if (relative && full) {
|
|
145
|
-
warn("@aws-sdk/credential-provider-http: " +
|
|
146
|
-
"you have set both awsContainerCredentialsRelativeUri and awsContainerCredentialsFullUri.");
|
|
147
|
-
warn("awsContainerCredentialsFullUri will take precedence.");
|
|
148
|
-
}
|
|
149
|
-
if (token && tokenFile) {
|
|
150
|
-
warn("@aws-sdk/credential-provider-http: " +
|
|
151
|
-
"you have set both awsContainerAuthorizationToken and awsContainerAuthorizationTokenFile.");
|
|
152
|
-
warn("awsContainerAuthorizationToken will take precedence.");
|
|
153
|
-
}
|
|
154
|
-
if (full) {
|
|
155
|
-
host = full;
|
|
156
|
-
}
|
|
157
|
-
else if (relative) {
|
|
158
|
-
host = `${DEFAULT_LINK_LOCAL_HOST}${relative}`;
|
|
159
|
-
}
|
|
160
|
-
else {
|
|
161
|
-
throw new CredentialsProviderError(`No HTTP credential provider host provided.
|
|
162
|
-
Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.`, { logger: options.logger });
|
|
163
|
-
}
|
|
164
|
-
const url = new URL(host);
|
|
165
|
-
checkUrl(url, options.logger);
|
|
166
|
-
const requestHandler = NodeHttpHandler.create({
|
|
167
|
-
requestTimeout: options.timeout ?? 1000,
|
|
168
|
-
connectionTimeout: options.timeout ?? 1000,
|
|
169
|
-
});
|
|
170
|
-
return retryWrapper(async () => {
|
|
171
|
-
const request = createGetRequest(url);
|
|
172
|
-
if (token) {
|
|
173
|
-
request.headers.Authorization = token;
|
|
174
|
-
}
|
|
175
|
-
else if (tokenFile) {
|
|
176
|
-
request.headers.Authorization = (await fs.readFile(tokenFile)).toString();
|
|
177
|
-
}
|
|
178
|
-
try {
|
|
179
|
-
const result = await requestHandler.handle(request);
|
|
180
|
-
return getCredentials(result.response).then((creds) => setCredentialFeature(creds, "CREDENTIALS_HTTP", "z"));
|
|
181
|
-
}
|
|
182
|
-
catch (e) {
|
|
183
|
-
throw new CredentialsProviderError(String(e), { logger: options.logger });
|
|
184
|
-
}
|
|
185
|
-
}, options.maxRetries ?? 3, options.timeout ?? 1000);
|
|
186
|
-
};
|
|
187
|
-
|
|
188
|
-
export { fromHttp };
|