@liflig/cdk-cloudfront-auth 1.0.0

package/dist/sign-out/index.js.LICENSE.txt

@@ -0,0 +1,17 @@
+/*!
+ * cookie
+ * Copyright(c) 2012-2014 Roman Shtylman
+ * Copyright(c) 2015 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+/*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */
+
+/**
+ * @license
+ * Lodash <https://lodash.com/>
+ * Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
+ * Released under MIT license <https://lodash.com/license>
+ * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>
+ * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors
+ */

package/lib/client-secret.d.ts

@@ -0,0 +1,10 @@
+import * as cognito from "aws-cdk-lib/aws-cognito";
+import { Construct } from "constructs";
+export interface RetrieveClientSecretProps {
+    client: cognito.IUserPoolClient;
+    userPool: cognito.IUserPool;
+}
+export declare class RetrieveClientSecret extends Construct {
+    clientSecretValue: string;
+    constructor(scope: Construct, id: string, props: RetrieveClientSecretProps);
+}

package/lib/client-secret.js

@@ -0,0 +1,54 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RetrieveClientSecret = void 0;
+const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+const cr = __importStar(require("aws-cdk-lib/custom-resources"));
+const constructs_1 = require("constructs");
+class RetrieveClientSecret extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const clientSecret = new cr.AwsCustomResource(this, "Resource", {
+            onUpdate: {
+                service: "CognitoIdentityServiceProvider",
+                action: "describeUserPoolClient",
+                parameters: {
+                    UserPoolId: props.userPool.userPoolId,
+                    ClientId: props.client.userPoolClientId,
+                },
+                physicalResourceId: cr.PhysicalResourceId.of(`${props.userPool.userPoolId}-${props.client.userPoolClientId}`),
+            },
+            policy: cr.AwsCustomResourcePolicy.fromStatements([
+                new iam.PolicyStatement({
+                    actions: ["cognito-idp:DescribeUserPoolClient"],
+                    resources: [props.userPool.userPoolArn],
+                }),
+            ]),
+        });
+        this.clientSecretValue = clientSecret.getResponseField("UserPoolClient.ClientSecret");
+    }
+}
+exports.RetrieveClientSecret = RetrieveClientSecret;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xpZW50LXNlY3JldC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3NyYy9jbGllbnQtc2VjcmV0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBQ0EseURBQTBDO0FBQzFDLGlFQUFrRDtBQUNsRCwyQ0FBc0M7QUFPdEMsTUFBYSxvQkFBcUIsU0FBUSxzQkFBUztJQUdqRCxZQUFZLEtBQWdCLEVBQUUsRUFBVSxFQUFFLEtBQWdDO1FBQ3hFLEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUE7UUFFaEIsTUFBTSxZQUFZLEdBQUcsSUFBSSxFQUFFLENBQUMsaUJBQWlCLENBQUMsSUFBSSxFQUFFLFVBQVUsRUFBRTtZQUM5RCxRQUFRLEVBQUU7Z0JBQ1IsT0FBTyxFQUFFLGdDQUFnQztnQkFDekMsTUFBTSxFQUFFLHdCQUF3QjtnQkFDaEMsVUFBVSxFQUFFO29CQUNWLFVBQVUsRUFBRSxLQUFLLENBQUMsUUFBUSxDQUFDLFVBQVU7b0JBQ3JDLFFBQVEsRUFBRSxLQUFLLENBQUMsTUFBTSxDQUFDLGdCQUFnQjtpQkFDeEM7Z0JBQ0Qsa0JBQWtCLEVBQUUsRUFBRSxDQUFDLGtCQUFrQixDQUFDLEVBQUUsQ0FDMUMsR0FBRyxLQUFLLENBQUMsUUFBUSxDQUFDLFVBQVUsSUFBSSxLQUFLLENBQUMsTUFBTSxDQUFDLGdCQUFnQixFQUFFLENBQ2hFO2FBQ0Y7WUFDRCxNQUFNLEVBQUUsRUFBRSxDQUFDLHVCQUF1QixDQUFDLGNBQWMsQ0FBQztnQkFDaEQsSUFBSSxHQUFHLENBQUMsZUFBZSxDQUFDO29CQUN0QixPQUFPLEVBQUUsQ0FBQyxvQ0FBb0MsQ0FBQztvQkFDL0MsU0FBUyxFQUFFLENBQUMsS0FBSyxDQUFDLFFBQVEsQ0FBQyxXQUFXLENBQUM7aUJBQ3hDLENBQUM7YUFDSCxDQUFDO1NBQ0gsQ0FBQyxDQUFBO1FBRUYsSUFBSSxDQUFDLGlCQUFpQixHQUFHLFlBQVksQ0FBQyxnQkFBZ0IsQ0FDcEQsNkJBQTZCLENBQzlCLENBQUE7SUFDSCxDQUFDO0NBQ0Y7QUE5QkQsb0RBOEJDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0ICogYXMgY29nbml0byBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWNvZ25pdG9cIlxuaW1wb3J0ICogYXMgaWFtIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtaWFtXCJcbmltcG9ydCAqIGFzIGNyIGZyb20gXCJhd3MtY2RrLWxpYi9jdXN0b20tcmVzb3VyY2VzXCJcbmltcG9ydCB7IENvbnN0cnVjdCB9IGZyb20gXCJjb25zdHJ1Y3RzXCJcblxuZXhwb3J0IGludGVyZmFjZSBSZXRyaWV2ZUNsaWVudFNlY3JldFByb3BzIHtcbiAgY2xpZW50OiBjb2duaXRvLklVc2VyUG9vbENsaWVudFxuICB1c2VyUG9vbDogY29nbml0by5JVXNlclBvb2xcbn1cblxuZXhwb3J0IGNsYXNzIFJldHJpZXZlQ2xpZW50U2VjcmV0IGV4dGVuZHMgQ29uc3RydWN0IHtcbiAgcHVibGljIGNsaWVudFNlY3JldFZhbHVlOiBzdHJpbmdcblxuICBjb25zdHJ1Y3RvcihzY29wZTogQ29uc3RydWN0LCBpZDogc3RyaW5nLCBwcm9wczogUmV0cmlldmVDbGllbnRTZWNyZXRQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZClcblxuICAgIGNvbnN0IGNsaWVudFNlY3JldCA9IG5ldyBjci5Bd3NDdXN0b21SZXNvdXJjZSh0aGlzLCBcIlJlc291cmNlXCIsIHtcbiAgICAgIG9uVXBkYXRlOiB7XG4gICAgICAgIHNlcnZpY2U6IFwiQ29nbml0b0lkZW50aXR5U2VydmljZVByb3ZpZGVyXCIsXG4gICAgICAgIGFjdGlvbjogXCJkZXNjcmliZVVzZXJQb29sQ2xpZW50XCIsXG4gICAgICAgIHBhcmFtZXRlcnM6IHtcbiAgICAgICAgICBVc2VyUG9vbElkOiBwcm9wcy51c2VyUG9vbC51c2VyUG9vbElkLFxuICAgICAgICAgIENsaWVudElkOiBwcm9wcy5jbGllbnQudXNlclBvb2xDbGllbnRJZCxcbiAgICAgICAgfSxcbiAgICAgICAgcGh5c2ljYWxSZXNvdXJjZUlkOiBjci5QaHlzaWNhbFJlc291cmNlSWQub2YoXG4gICAgICAgICAgYCR7cHJvcHMudXNlclBvb2wudXNlclBvb2xJZH0tJHtwcm9wcy5jbGllbnQudXNlclBvb2xDbGllbnRJZH1gLFxuICAgICAgICApLFxuICAgICAgfSxcbiAgICAgIHBvbGljeTogY3IuQXdzQ3VzdG9tUmVzb3VyY2VQb2xpY3kuZnJvbVN0YXRlbWVudHMoW1xuICAgICAgICBuZXcgaWFtLlBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgICAgYWN0aW9uczogW1wiY29nbml0by1pZHA6RGVzY3JpYmVVc2VyUG9vbENsaWVudFwiXSxcbiAgICAgICAgICByZXNvdXJjZXM6IFtwcm9wcy51c2VyUG9vbC51c2VyUG9vbEFybl0sXG4gICAgICAgIH0pLFxuICAgICAgXSksXG4gICAgfSlcblxuICAgIHRoaXMuY2xpZW50U2VjcmV0VmFsdWUgPSBjbGllbnRTZWNyZXQuZ2V0UmVzcG9uc2VGaWVsZChcbiAgICAgIFwiVXNlclBvb2xDbGllbnQuQ2xpZW50U2VjcmV0XCIsXG4gICAgKVxuICB9XG59XG4iXX0=

package/lib/client-update.d.ts

@@ -0,0 +1,14 @@
+import * as cognito from "aws-cdk-lib/aws-cognito";
+import { Construct } from "constructs";
+interface ClientUpdateProps {
+    oauthScopes: string[];
+    client: cognito.IUserPoolClient;
+    userPool: cognito.IUserPool;
+    callbackUrl: string;
+    signOutUrl: string;
+    identityProviders: string[];
+}
+export declare class ClientUpdate extends Construct {
+    constructor(scope: Construct, id: string, props: ClientUpdateProps);
+}
+export {};

package/lib/client-update.js

@@ -0,0 +1,59 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClientUpdate = void 0;
+const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+const cr = __importStar(require("aws-cdk-lib/custom-resources"));
+const constructs_1 = require("constructs");
+class ClientUpdate extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        new cr.AwsCustomResource(this, "Resource", {
+            onUpdate: {
+                service: "CognitoIdentityServiceProvider",
+                action: "updateUserPoolClient",
+                parameters: {
+                    AllowedOAuthFlows: ["code"],
+                    AllowedOAuthFlowsUserPoolClient: true,
+                    SupportedIdentityProviders: props.identityProviders,
+                    AllowedOAuthScopes: props.oauthScopes,
+                    ClientId: props.client.userPoolClientId,
+                    CallbackURLs: [props.callbackUrl],
+                    LogoutURLs: [props.signOutUrl],
+                    UserPoolId: props.userPool.userPoolId,
+                },
+                physicalResourceId: cr.PhysicalResourceId.of(`${props.userPool.userPoolId}-${props.client.userPoolClientId}`),
+            },
+            policy: cr.AwsCustomResourcePolicy.fromStatements([
+                new iam.PolicyStatement({
+                    actions: ["cognito-idp:UpdateUserPoolClient"],
+                    resources: [props.userPool.userPoolArn],
+                }),
+            ]),
+        });
+    }
+}
+exports.ClientUpdate = ClientUpdate;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xpZW50LXVwZGF0ZS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3NyYy9jbGllbnQtdXBkYXRlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBQ0EseURBQTBDO0FBQzFDLGlFQUFrRDtBQUNsRCwyQ0FBc0M7QUFXdEMsTUFBYSxZQUFhLFNBQVEsc0JBQVM7SUFDekMsWUFBWSxLQUFnQixFQUFFLEVBQVUsRUFBRSxLQUF3QjtRQUNoRSxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFBO1FBRWhCLElBQUksRUFBRSxDQUFDLGlCQUFpQixDQUFDLElBQUksRUFBRSxVQUFVLEVBQUU7WUFDekMsUUFBUSxFQUFFO2dCQUNSLE9BQU8sRUFBRSxnQ0FBZ0M7Z0JBQ3pDLE1BQU0sRUFBRSxzQkFBc0I7Z0JBQzlCLFVBQVUsRUFBRTtvQkFDVixpQkFBaUIsRUFBRSxDQUFDLE1BQU0sQ0FBQztvQkFDM0IsK0JBQStCLEVBQUUsSUFBSTtvQkFDckMsMEJBQTBCLEVBQUUsS0FBSyxDQUFDLGlCQUFpQjtvQkFDbkQsa0JBQWtCLEVBQUUsS0FBSyxDQUFDLFdBQVc7b0JBQ3JDLFFBQVEsRUFBRSxLQUFLLENBQUMsTUFBTSxDQUFDLGdCQUFnQjtvQkFDdkMsWUFBWSxFQUFFLENBQUMsS0FBSyxDQUFDLFdBQVcsQ0FBQztvQkFDakMsVUFBVSxFQUFFLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQztvQkFDOUIsVUFBVSxFQUFFLEtBQUssQ0FBQyxRQUFRLENBQUMsVUFBVTtpQkFDdEM7Z0JBQ0Qsa0JBQWtCLEVBQUUsRUFBRSxDQUFDLGtCQUFrQixDQUFDLEVBQUUsQ0FDMUMsR0FBRyxLQUFLLENBQUMsUUFBUSxDQUFDLFVBQVUsSUFBSSxLQUFLLENBQUMsTUFBTSxDQUFDLGdCQUFnQixFQUFFLENBQ2hFO2FBQ0Y7WUFDRCxNQUFNLEVBQUUsRUFBRSxDQUFDLHVCQUF1QixDQUFDLGNBQWMsQ0FBQztnQkFDaEQsSUFBSSxHQUFHLENBQUMsZUFBZSxDQUFDO29CQUN0QixPQUFPLEVBQUUsQ0FBQyxrQ0FBa0MsQ0FBQztvQkFDN0MsU0FBUyxFQUFFLENBQUMsS0FBSyxDQUFDLFFBQVEsQ0FBQyxXQUFXLENBQUM7aUJBQ3hDLENBQUM7YUFDSCxDQUFDO1NBQ0gsQ0FBQyxDQUFBO0lBQ0osQ0FBQztDQUNGO0FBOUJELG9DQThCQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCAqIGFzIGNvZ25pdG8gZnJvbSBcImF3cy1jZGstbGliL2F3cy1jb2duaXRvXCJcbmltcG9ydCAqIGFzIGlhbSBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWlhbVwiXG5pbXBvcnQgKiBhcyBjciBmcm9tIFwiYXdzLWNkay1saWIvY3VzdG9tLXJlc291cmNlc1wiXG5pbXBvcnQgeyBDb25zdHJ1Y3QgfSBmcm9tIFwiY29uc3RydWN0c1wiXG5cbmludGVyZmFjZSBDbGllbnRVcGRhdGVQcm9wcyB7XG4gIG9hdXRoU2NvcGVzOiBzdHJpbmdbXVxuICBjbGllbnQ6IGNvZ25pdG8uSVVzZXJQb29sQ2xpZW50XG4gIHVzZXJQb29sOiBjb2duaXRvLklVc2VyUG9vbFxuICBjYWxsYmFja1VybDogc3RyaW5nXG4gIHNpZ25PdXRVcmw6IHN0cmluZ1xuICBpZGVudGl0eVByb3ZpZGVyczogc3RyaW5nW11cbn1cblxuZXhwb3J0IGNsYXNzIENsaWVudFVwZGF0ZSBleHRlbmRzIENvbnN0cnVjdCB7XG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBDb25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzOiBDbGllbnRVcGRhdGVQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZClcblxuICAgIG5ldyBjci5Bd3NDdXN0b21SZXNvdXJjZSh0aGlzLCBcIlJlc291cmNlXCIsIHtcbiAgICAgIG9uVXBkYXRlOiB7XG4gICAgICAgIHNlcnZpY2U6IFwiQ29nbml0b0lkZW50aXR5U2VydmljZVByb3ZpZGVyXCIsXG4gICAgICAgIGFjdGlvbjogXCJ1cGRhdGVVc2VyUG9vbENsaWVudFwiLFxuICAgICAgICBwYXJhbWV0ZXJzOiB7XG4gICAgICAgICAgQWxsb3dlZE9BdXRoRmxvd3M6IFtcImNvZGVcIl0sXG4gICAgICAgICAgQWxsb3dlZE9BdXRoRmxvd3NVc2VyUG9vbENsaWVudDogdHJ1ZSxcbiAgICAgICAgICBTdXBwb3J0ZWRJZGVudGl0eVByb3ZpZGVyczogcHJvcHMuaWRlbnRpdHlQcm92aWRlcnMsXG4gICAgICAgICAgQWxsb3dlZE9BdXRoU2NvcGVzOiBwcm9wcy5vYXV0aFNjb3BlcyxcbiAgICAgICAgICBDbGllbnRJZDogcHJvcHMuY2xpZW50LnVzZXJQb29sQ2xpZW50SWQsXG4gICAgICAgICAgQ2FsbGJhY2tVUkxzOiBbcHJvcHMuY2FsbGJhY2tVcmxdLFxuICAgICAgICAgIExvZ291dFVSTHM6IFtwcm9wcy5zaWduT3V0VXJsXSxcbiAgICAgICAgICBVc2VyUG9vbElkOiBwcm9wcy51c2VyUG9vbC51c2VyUG9vbElkLFxuICAgICAgICB9LFxuICAgICAgICBwaHlzaWNhbFJlc291cmNlSWQ6IGNyLlBoeXNpY2FsUmVzb3VyY2VJZC5vZihcbiAgICAgICAgICBgJHtwcm9wcy51c2VyUG9vbC51c2VyUG9vbElkfS0ke3Byb3BzLmNsaWVudC51c2VyUG9vbENsaWVudElkfWAsXG4gICAgICAgICksXG4gICAgICB9LFxuICAgICAgcG9saWN5OiBjci5Bd3NDdXN0b21SZXNvdXJjZVBvbGljeS5mcm9tU3RhdGVtZW50cyhbXG4gICAgICAgIG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbXCJjb2duaXRvLWlkcDpVcGRhdGVVc2VyUG9vbENsaWVudFwiXSxcbiAgICAgICAgICByZXNvdXJjZXM6IFtwcm9wcy51c2VyUG9vbC51c2VyUG9vbEFybl0sXG4gICAgICAgIH0pLFxuICAgICAgXSksXG4gICAgfSlcbiAgfVxufVxuIl19

package/lib/cloudfront-auth.d.ts

@@ -0,0 +1,132 @@
+import * as cloudfront from "aws-cdk-lib/aws-cloudfront";
+import { AddBehaviorOptions, BehaviorOptions, IOrigin } from "aws-cdk-lib/aws-cloudfront";
+import * as cognito from "aws-cdk-lib/aws-cognito";
+import { ClientUpdate } from "./client-update";
+import { AuthLambdas } from "./lambdas";
+import { Construct } from "constructs";
+export interface CloudFrontAuthProps {
+    /**
+     * Cognito Client that will be used to authenticate the user.
+     *
+     * If a custom client is provided, the updateClient method cannot
+     * be used since we cannot know which parameters was set.
+     *
+     * @default - a new client will be generated
+     */
+    client?: cognito.UserPoolClient;
+    userPool: cognito.IUserPool;
+    /**
+     * The domain that is used for Cognito Auth.
+     *
+     * If not using custom domains this will be a name under amazoncognito.com.
+     *
+     * @example `${domain.domainName}.auth.${region}.amazoncognito.com`
+     */
+    cognitoAuthDomain: string;
+    authLambdas: AuthLambdas;
+    /**
+     * @default /auth/callback
+     */
+    callbackPath?: string;
+    /**
+     * @default /
+     */
+    signOutRedirectTo?: string;
+    /**
+     * @default /auth/sign-out
+     */
+    signOutPath?: string;
+    /**
+     * @default /auth/refresh
+     */
+    refreshAuthPath?: string;
+    /**
+     * Log level.
+     *
+     * A log level of debug will log secrets and should only be used in
+     * a development environment.
+     *
+     * @default warn
+     */
+    logLevel?: "none" | "error" | "warn" | "info" | "debug";
+    /**
+     * Require the user to be part of a specific Cognito group to
+     * access any resource.
+     */
+    requireGroupAnyOf?: string[];
+}
+export interface UpdateClientProps {
+    signOutUrl: string;
+    callbackUrl: string;
+    /**
+     * List of identity providers used for the client.
+     *
+     * @default - COGNITO and identity providers registered in the UserPool construct
+     */
+    identityProviders?: string[];
+}
+/**
+ * Configure previously deployed lambda functions, Cognito client
+ * and CloudFront distribution.
+ */
+export declare class CloudFrontAuth extends Construct {
+    readonly callbackPath: string;
+    readonly signOutRedirectTo: string;
+    readonly signOutPath: string;
+    readonly refreshAuthPath: string;
+    private readonly userPool;
+    private readonly clientCreated;
+    readonly client: cognito.UserPoolClient;
+    private readonly checkAuthFn;
+    private readonly httpHeadersFn;
+    private readonly parseAuthFn;
+    private readonly refreshAuthFn;
+    private readonly signOutFn;
+    private readonly oauthScopes;
+    constructor(scope: Construct, id: string, props: CloudFrontAuthProps);
+    private createPathLambda;
+    /**
+     * Create behaviors for authentication pages:
+     *
+     * - callback page
+     * - refresh page
+     * - sign out page
+     *
+     * This is to be used with CloudFrontWebDistribution. See
+     * createAuthPagesBehaviors if using Distribution.
+     */
+    get authPages(): cloudfront.Behavior[];
+    /**
+     * Create behaviors for authentication pages.
+     *
+     * - callback page
+     * - refresh page
+     * - sign out page
+     *
+     * This is to be used with Distribution.
+     */
+    createAuthPagesBehaviors(origin: IOrigin, options?: AddBehaviorOptions): Record<string, BehaviorOptions>;
+    /**
+     * Create lambda function association for viewer request to check
+     * authentication and original response to add headers.
+     *
+     * This is to be used with CloudFrontWebDistribution. See
+     * createProtectedBehavior if using Distribution.
+     */
+    get authFilters(): cloudfront.LambdaFunctionAssociation[];
+    /**
+     * Create behavior that includes authorization check.
+     *
+     * This is to be used with Distribution.
+     */
+    createProtectedBehavior(origin: IOrigin, options?: AddBehaviorOptions): BehaviorOptions;
+    /**
+     * Update Cognito client to use the proper URLs and OAuth scopes.
+     *
+     * TODO: In case the client configuration changes and is updated
+     *  by CloudFormation, this will not be reapplied causing the client
+     *  to not be correctly configured.
+     *  How can we avoid this scenario?
+     */
+    updateClient(id: string, props: UpdateClientProps): ClientUpdate;
+}

package/lib/cloudfront-auth.js

@@ -0,0 +1,267 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CloudFrontAuth = void 0;
+const cloudfront = __importStar(require("aws-cdk-lib/aws-cloudfront"));
+const aws_cloudfront_1 = require("aws-cdk-lib/aws-cloudfront");
+const cdk_lambda_config_1 = require("@liflig/cdk-lambda-config");
+const client_secret_1 = require("./client-secret");
+const client_update_1 = require("./client-update");
+const generate_secret_1 = require("./generate-secret");
+const constructs_1 = require("constructs");
+/**
+ * Configure previously deployed lambda functions, Cognito client
+ * and CloudFront distribution.
+ */
+class CloudFrontAuth extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        var _a, _b, _c, _d, _e, _f;
+        super(scope, id);
+        this.callbackPath = (_a = props.callbackPath) !== null && _a !== void 0 ? _a : "/auth/callback";
+        this.signOutRedirectTo = (_b = props.signOutRedirectTo) !== null && _b !== void 0 ? _b : "/";
+        this.signOutPath = (_c = props.signOutPath) !== null && _c !== void 0 ? _c : "/auth/sign-out";
+        this.refreshAuthPath = (_d = props.refreshAuthPath) !== null && _d !== void 0 ? _d : "/auth/refresh";
+        this.oauthScopes = [
+            "phone",
+            "email",
+            "profile",
+            "openid",
+            "aws.cognito.signin.user.admin",
+        ];
+        this.userPool = props.userPool;
+        this.clientCreated = !props.client;
+        this.client =
+            (_e = props.client) !== null && _e !== void 0 ? _e : props.userPool.addClient("UserPoolClient", {
+                // Note: The following must be kept in sync with the API
+                // call performed in ClientUpdate.
+                authFlows: {
+                    userPassword: true,
+                    userSrp: true,
+                },
+                oAuth: {
+                    flows: {
+                        authorizationCodeGrant: true,
+                    },
+                },
+                preventUserExistenceErrors: true,
+                generateSecret: true,
+            });
+        const nonceSigningSecret = new generate_secret_1.GenerateSecret(this, "NonceSigningSecret")
+            .value;
+        const { clientSecretValue } = new client_secret_1.RetrieveClientSecret(this, "ClientSecret", {
+            client: this.client,
+            userPool: this.userPool,
+        });
+        const config = {
+            httpHeaders: {
+                "Content-Security-Policy": "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; connect-src 'self'",
+                "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
+                "Referrer-Policy": "same-origin",
+                "X-XSS-Protection": "1; mode=block",
+                "X-Frame-Options": "DENY",
+                "X-Content-Type-Options": "nosniff",
+                "Cache-Control": "no-cache",
+            },
+            logLevel: (_f = props.logLevel) !== null && _f !== void 0 ? _f : "warn",
+            userPoolId: this.userPool.userPoolId,
+            clientId: this.client.userPoolClientId,
+            clientSecret: clientSecretValue,
+            oauthScopes: this.oauthScopes,
+            cognitoAuthDomain: props.cognitoAuthDomain,
+            callbackPath: this.callbackPath,
+            signOutRedirectTo: this.signOutRedirectTo,
+            signOutPath: this.signOutPath,
+            refreshAuthPath: this.refreshAuthPath,
+            requireGroupAnyOf: props.requireGroupAnyOf,
+            cookieSettings: {
+                /*
+                spaMode - consider if this should be supported
+                idToken: "Path=/; Secure; SameSite=Lax",
+                accessToken: "Path=/; Secure; SameSite=Lax",
+                refreshToken: "Path=/; Secure; SameSite=Lax",
+                nonce: "Path=/; Secure; HttpOnly; SameSite=Lax",
+                */
+                idToken: "Path=/; Secure; HttpOnly; SameSite=Lax",
+                accessToken: "Path=/; Secure; HttpOnly; SameSite=Lax",
+                refreshToken: "Path=/; Secure; HttpOnly; SameSite=Lax",
+                nonce: "Path=/; Secure; HttpOnly; SameSite=Lax",
+            },
+            nonceSigningSecret,
+        };
+        this.checkAuthFn = new cdk_lambda_config_1.LambdaConfig(this, "CheckAuthFn", {
+            function: props.authLambdas.checkAuthFn.get(this, "CheckAuthFnImport"),
+            config,
+        }).version;
+        this.httpHeadersFn = new cdk_lambda_config_1.LambdaConfig(this, "HttpHeadersFn", {
+            function: props.authLambdas.httpHeadersFn.get(this, "HttpHeadersFnImport"),
+            config,
+        }).version;
+        this.parseAuthFn = new cdk_lambda_config_1.LambdaConfig(this, "ParseAuthFn", {
+            function: props.authLambdas.parseAuthFn.get(this, "ParseAuthFnImport"),
+            config,
+        }).version;
+        this.refreshAuthFn = new cdk_lambda_config_1.LambdaConfig(this, "RefreshAuthFn", {
+            function: props.authLambdas.refreshAuthFn.get(this, "RefreshAuthFnImport"),
+            config,
+        }).version;
+        this.signOutFn = new cdk_lambda_config_1.LambdaConfig(this, "SignOutFn", {
+            function: props.authLambdas.signOutFn.get(this, "SignOutFnImport"),
+            config,
+        }).version;
+    }
+    createPathLambda(path, fn) {
+        return {
+            pathPattern: path,
+            forwardedValues: {
+                queryString: true,
+            },
+            lambdaFunctionAssociations: [
+                {
+                    eventType: cloudfront.LambdaEdgeEventType.VIEWER_REQUEST,
+                    lambdaFunction: fn,
+                },
+            ],
+        };
+    }
+    /**
+     * Create behaviors for authentication pages:
+     *
+     * - callback page
+     * - refresh page
+     * - sign out page
+     *
+     * This is to be used with CloudFrontWebDistribution. See
+     * createAuthPagesBehaviors if using Distribution.
+     */
+    get authPages() {
+        return [
+            this.createPathLambda(this.callbackPath, this.parseAuthFn),
+            this.createPathLambda(this.refreshAuthPath, this.refreshAuthFn),
+            this.createPathLambda(this.signOutPath, this.signOutFn),
+        ];
+    }
+    /**
+     * Create behaviors for authentication pages.
+     *
+     * - callback page
+     * - refresh page
+     * - sign out page
+     *
+     * This is to be used with Distribution.
+     */
+    createAuthPagesBehaviors(origin, options) {
+        function path(path, fn) {
+            return {
+                [path]: {
+                    origin,
+                    compress: true,
+                    viewerProtocolPolicy: aws_cloudfront_1.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+                    edgeLambdas: [
+                        {
+                            eventType: cloudfront.LambdaEdgeEventType.VIEWER_REQUEST,
+                            functionVersion: fn,
+                        },
+                    ],
+                    ...options,
+                },
+            };
+        }
+        return {
+            ...path(this.callbackPath, this.parseAuthFn),
+            ...path(this.refreshAuthPath, this.refreshAuthFn),
+            ...path(this.signOutPath, this.signOutFn),
+        };
+    }
+    /**
+     * Create lambda function association for viewer request to check
+     * authentication and original response to add headers.
+     *
+     * This is to be used with CloudFrontWebDistribution. See
+     * createProtectedBehavior if using Distribution.
+     */
+    get authFilters() {
+        return [
+            {
+                eventType: cloudfront.LambdaEdgeEventType.VIEWER_REQUEST,
+                lambdaFunction: this.checkAuthFn,
+            },
+            {
+                eventType: cloudfront.LambdaEdgeEventType.ORIGIN_RESPONSE,
+                lambdaFunction: this.httpHeadersFn,
+            },
+        ];
+    }
+    /**
+     * Create behavior that includes authorization check.
+     *
+     * This is to be used with Distribution.
+     */
+    createProtectedBehavior(origin, options) {
+        if ((options === null || options === void 0 ? void 0 : options.edgeLambdas) != null) {
+            throw Error("User-defined edgeLambdas is currently not supported");
+        }
+        return {
+            origin,
+            compress: true,
+            viewerProtocolPolicy: aws_cloudfront_1.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+            edgeLambdas: [
+                {
+                    eventType: cloudfront.LambdaEdgeEventType.VIEWER_REQUEST,
+                    functionVersion: this.checkAuthFn,
+                },
+                {
+                    eventType: cloudfront.LambdaEdgeEventType.ORIGIN_RESPONSE,
+                    functionVersion: this.httpHeadersFn,
+                },
+            ],
+            ...options,
+        };
+    }
+    /**
+     * Update Cognito client to use the proper URLs and OAuth scopes.
+     *
+     * TODO: In case the client configuration changes and is updated
+     *  by CloudFormation, this will not be reapplied causing the client
+     *  to not be correctly configured.
+     *  How can we avoid this scenario?
+     */
+    updateClient(id, props) {
+        var _a;
+        if (!this.clientCreated) {
+            throw new Error("You cannot use updateClient with a user-provided Cognito Client " +
+                "since it would override the user-provided settings");
+        }
+        return new client_update_1.ClientUpdate(this, id, {
+            client: this.client,
+            userPool: this.userPool,
+            signOutUrl: props.signOutUrl,
+            callbackUrl: props.callbackUrl,
+            oauthScopes: this.oauthScopes,
+            identityProviders: (_a = props.identityProviders) !== null && _a !== void 0 ? _a : ["COGNITO"].concat(this.userPool.identityProviders.map((it) => it.providerName)),
+        });
+    }
+}
+exports.CloudFrontAuth = CloudFrontAuth;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xvdWRmcm9udC1hdXRoLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vc3JjL2Nsb3VkZnJvbnQtYXV0aC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLHVFQUF3RDtBQUN4RCwrREFLbUM7QUFJbkMsaUVBQXdEO0FBQ3hELG1EQUFzRDtBQUN0RCxtREFBOEM7QUFDOUMsdURBQWtEO0FBR2xELDJDQUFzQztBQWlFdEM7OztHQUdHO0FBQ0gsTUFBYSxjQUFlLFNBQVEsc0JBQVM7SUFrQjNDLFlBQVksS0FBZ0IsRUFBRSxFQUFVLEVBQUUsS0FBMEI7O1FBQ2xFLEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUE7UUFFaEIsSUFBSSxDQUFDLFlBQVksR0FBRyxNQUFBLEtBQUssQ0FBQyxZQUFZLG1DQUFJLGdCQUFnQixDQUFBO1FBQzFELElBQUksQ0FBQyxpQkFBaUIsR0FBRyxNQUFBLEtBQUssQ0FBQyxpQkFBaUIsbUNBQUksR0FBRyxDQUFBO1FBQ3ZELElBQUksQ0FBQyxXQUFXLEdBQUcsTUFBQSxLQUFLLENBQUMsV0FBVyxtQ0FBSSxnQkFBZ0IsQ0FBQTtRQUN4RCxJQUFJLENBQUMsZUFBZSxHQUFHLE1BQUEsS0FBSyxDQUFDLGVBQWUsbUNBQUksZUFBZSxDQUFBO1FBRS9ELElBQUksQ0FBQyxXQUFXLEdBQUc7WUFDakIsT0FBTztZQUNQLE9BQU87WUFDUCxTQUFTO1lBQ1QsUUFBUTtZQUNSLCtCQUErQjtTQUNoQyxDQUFBO1FBRUQsSUFBSSxDQUFDLFFBQVEsR0FBRyxLQUFLLENBQUMsUUFBUSxDQUFBO1FBRTlCLElBQUksQ0FBQyxhQUFhLEdBQUcsQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFBO1FBQ2xDLElBQUksQ0FBQyxNQUFNO1lBQ1QsTUFBQSxLQUFLLENBQUMsTUFBTSxtQ0FDWixLQUFLLENBQUMsUUFBUSxDQUFDLFNBQVMsQ0FBQyxnQkFBZ0IsRUFBRTtnQkFDekMsd0RBQXdEO2dCQUN4RCxrQ0FBa0M7Z0JBQ2xDLFNBQVMsRUFBRTtvQkFDVCxZQUFZLEVBQUUsSUFBSTtvQkFDbEIsT0FBTyxFQUFFLElBQUk7aUJBQ2Q7Z0JBQ0QsS0FBSyxFQUFFO29CQUNMLEtBQUssRUFBRTt3QkFDTCxzQkFBc0IsRUFBRSxJQUFJO3FCQUM3QjtpQkFDRjtnQkFDRCwwQkFBMEIsRUFBRSxJQUFJO2dCQUNoQyxjQUFjLEVBQUUsSUFBSTthQUNyQixDQUFDLENBQUE7UUFFSixNQUFNLGtCQUFrQixHQUFHLElBQUksZ0NBQWMsQ0FBQyxJQUFJLEVBQUUsb0JBQW9CLENBQUM7YUFDdEUsS0FBSyxDQUFBO1FBRVIsTUFBTSxFQUFFLGlCQUFpQixFQUFFLEdBQUcsSUFBSSxvQ0FBb0IsQ0FDcEQsSUFBSSxFQUNKLGNBQWMsRUFDZDtZQUNFLE1BQU0sRUFBRSxJQUFJLENBQUMsTUFBTTtZQUNuQixRQUFRLEVBQUUsSUFBSSxDQUFDLFFBQVE7U0FDeEIsQ0FDRixDQUFBO1FBRUQsTUFBTSxNQUFNLEdBQWlCO1lBQzNCLFdBQVcsRUFBRTtnQkFDWCx5QkFBeUIsRUFDdkIsZ0lBQWdJO2dCQUNsSSwyQkFBMkIsRUFDekIsOENBQThDO2dCQUNoRCxpQkFBaUIsRUFBRSxhQUFhO2dCQUNoQyxrQkFBa0IsRUFBRSxlQUFlO2dCQUNuQyxpQkFBaUIsRUFBRSxNQUFNO2dCQUN6Qix3QkFBd0IsRUFBRSxTQUFTO2dCQUNuQyxlQUFlLEVBQUUsVUFBVTthQUM1QjtZQUNELFFBQVEsRUFBRSxNQUFBLEtBQUssQ0FBQyxRQUFRLG1DQUFJLE1BQU07WUFDbEMsVUFBVSxFQUFFLElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVTtZQUNwQyxRQUFRLEVBQUUsSUFBSSxDQUFDLE1BQU0sQ0FBQyxnQkFBZ0I7WUFDdEMsWUFBWSxFQUFFLGlCQUFpQjtZQUMvQixXQUFXLEVBQUUsSUFBSSxDQUFDLFdBQVc7WUFDN0IsaUJBQWlCLEVBQUUsS0FBSyxDQUFDLGlCQUFpQjtZQUMxQyxZQUFZLEVBQUUsSUFBSSxDQUFDLFlBQVk7WUFDL0IsaUJBQWlCLEVBQUUsSUFBSSxDQUFDLGlCQUFpQjtZQUN6QyxXQUFXLEVBQUUsSUFBSSxDQUFDLFdBQVc7WUFDN0IsZUFBZSxFQUFFLElBQUksQ0FBQyxlQUFlO1lBQ3JDLGlCQUFpQixFQUFFLEtBQUssQ0FBQyxpQkFBaUI7WUFDMUMsY0FBYyxFQUFFO2dCQUNkOzs7Ozs7a0JBTUU7Z0JBQ0YsT0FBTyxFQUFFLHdDQUF3QztnQkFDakQsV0FBVyxFQUFFLHdDQUF3QztnQkFDckQsWUFBWSxFQUFFLHdDQUF3QztnQkFDdEQsS0FBSyxFQUFFLHdDQUF3QzthQUNoRDtZQUNELGtCQUFrQjtTQUNuQixDQUFBO1FBRUQsSUFBSSxDQUFDLFdBQVcsR0FBRyxJQUFJLGdDQUFZLENBQUMsSUFBSSxFQUFFLGFBQWEsRUFBRTtZQUN2RCxRQUFRLEVBQUUsS0FBSyxDQUFDLFdBQVcsQ0FBQyxXQUFXLENBQUMsR0FBRyxDQUFDLElBQUksRUFBRSxtQkFBbUIsQ0FBQztZQUN0RSxNQUFNO1NBQ1AsQ0FBQyxDQUFDLE9BQU8sQ0FBQTtRQUVWLElBQUksQ0FBQyxhQUFhLEdBQUcsSUFBSSxnQ0FBWSxDQUFDLElBQUksRUFBRSxlQUFlLEVBQUU7WUFDM0QsUUFBUSxFQUFFLEtBQUssQ0FBQyxXQUFXLENBQUMsYUFBYSxDQUFDLEdBQUcsQ0FDM0MsSUFBSSxFQUNKLHFCQUFxQixDQUN0QjtZQUNELE1BQU07U0FDUCxDQUFDLENBQUMsT0FBTyxDQUFBO1FBRVYsSUFBSSxDQUFDLFdBQVcsR0FBRyxJQUFJLGdDQUFZLENBQUMsSUFBSSxFQUFFLGFBQWEsRUFBRTtZQUN2RCxRQUFRLEVBQUUsS0FBSyxDQUFDLFdBQVcsQ0FBQyxXQUFXLENBQUMsR0FBRyxDQUFDLElBQUksRUFBRSxtQkFBbUIsQ0FBQztZQUN0RSxNQUFNO1NBQ1AsQ0FBQyxDQUFDLE9BQU8sQ0FBQTtRQUVWLElBQUksQ0FBQyxhQUFhLEdBQUcsSUFBSSxnQ0FBWSxDQUFDLElBQUksRUFBRSxlQUFlLEVBQUU7WUFDM0QsUUFBUSxFQUFFLEtBQUssQ0FBQyxXQUFXLENBQUMsYUFBYSxDQUFDLEdBQUcsQ0FDM0MsSUFBSSxFQUNKLHFCQUFxQixDQUN0QjtZQUNELE1BQU07U0FDUCxDQUFDLENBQUMsT0FBTyxDQUFBO1FBRVYsSUFBSSxDQUFDLFNBQVMsR0FBRyxJQUFJLGdDQUFZLENBQUMsSUFBSSxFQUFFLFdBQVcsRUFBRTtZQUNuRCxRQUFRLEVBQUUsS0FBSyxDQUFDLFdBQVcsQ0FBQyxTQUFTLENBQUMsR0FBRyxDQUFDLElBQUksRUFBRSxpQkFBaUIsQ0FBQztZQUNsRSxNQUFNO1NBQ1AsQ0FBQyxDQUFDLE9BQU8sQ0FBQTtJQUNaLENBQUM7SUFFTyxnQkFBZ0IsQ0FDdEIsSUFBWSxFQUNaLEVBQW1CO1FBRW5CLE9BQU87WUFDTCxXQUFXLEVBQUUsSUFBSTtZQUNqQixlQUFlLEVBQUU7Z0JBQ2YsV0FBVyxFQUFFLElBQUk7YUFDbEI7WUFDRCwwQkFBMEIsRUFBRTtnQkFDMUI7b0JBQ0UsU0FBUyxFQUFFLFVBQVUsQ0FBQyxtQkFBbUIsQ0FBQyxjQUFjO29CQUN4RCxjQUFjLEVBQUUsRUFBRTtpQkFDbkI7YUFDRjtTQUNGLENBQUE7SUFDSCxDQUFDO0lBRUQ7Ozs7Ozs7OztPQVNHO0lBQ0gsSUFBVyxTQUFTO1FBQ2xCLE9BQU87WUFDTCxJQUFJLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLFlBQVksRUFBRSxJQUFJLENBQUMsV0FBVyxDQUFDO1lBQzFELElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsZUFBZSxFQUFFLElBQUksQ0FBQyxhQUFhLENBQUM7WUFDL0QsSUFBSSxDQUFDLGdCQUFnQixDQUFDLElBQUksQ0FBQyxXQUFXLEVBQUUsSUFBSSxDQUFDLFNBQVMsQ0FBQztTQUN4RCxDQUFBO0lBQ0gsQ0FBQztJQUVEOzs7Ozs7OztPQVFHO0lBQ0ksd0JBQXdCLENBQzdCLE1BQWUsRUFDZixPQUE0QjtRQUU1QixTQUFTLElBQUksQ0FBQyxJQUFZLEVBQUUsRUFBWTtZQUN0QyxPQUFPO2dCQUNMLENBQUMsSUFBSSxDQUFDLEVBQUU7b0JBQ04sTUFBTTtvQkFDTixRQUFRLEVBQUUsSUFBSTtvQkFDZCxvQkFBb0IsRUFBRSxxQ0FBb0IsQ0FBQyxpQkFBaUI7b0JBQzVELFdBQVcsRUFBRTt3QkFDWDs0QkFDRSxTQUFTLEVBQUUsVUFBVSxDQUFDLG1CQUFtQixDQUFDLGNBQWM7NEJBQ3hELGVBQWUsRUFBRSxFQUFFO3lCQUNwQjtxQkFDRjtvQkFDRCxHQUFHLE9BQU87aUJBQ1g7YUFDRixDQUFBO1FBQ0gsQ0FBQztRQUVELE9BQU87WUFDTCxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUMsWUFBWSxFQUFFLElBQUksQ0FBQyxXQUFXLENBQUM7WUFDNUMsR0FBRyxJQUFJLENBQUMsSUFBSSxDQUFDLGVBQWUsRUFBRSxJQUFJLENBQUMsYUFBYSxDQUFDO1lBQ2pELEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxXQUFXLEVBQUUsSUFBSSxDQUFDLFNBQVMsQ0FBQztTQUMxQyxDQUFBO0lBQ0gsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNILElBQVcsV0FBVztRQUNwQixPQUFPO1lBQ0w7Z0JBQ0UsU0FBUyxFQUFFLFVBQVUsQ0FBQyxtQkFBbUIsQ0FBQyxjQUFjO2dCQUN4RCxjQUFjLEVBQUUsSUFBSSxDQUFDLFdBQVc7YUFDakM7WUFDRDtnQkFDRSxTQUFTLEVBQUUsVUFBVSxDQUFDLG1CQUFtQixDQUFDLGVBQWU7Z0JBQ3pELGNBQWMsRUFBRSxJQUFJLENBQUMsYUFBYTthQUNuQztTQUNGLENBQUE7SUFDSCxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLHVCQUF1QixDQUM1QixNQUFlLEVBQ2YsT0FBNEI7UUFFNUIsSUFBSSxDQUFBLE9BQU8sYUFBUCxPQUFPLHVCQUFQLE9BQU8sQ0FBRSxXQUFXLEtBQUksSUFBSSxFQUFFO1lBQ2hDLE1BQU0sS0FBSyxDQUFDLHFEQUFxRCxDQUFDLENBQUE7U0FDbkU7UUFFRCxPQUFPO1lBQ0wsTUFBTTtZQUNOLFFBQVEsRUFBRSxJQUFJO1lBQ2Qsb0JBQW9CLEVBQUUscUNBQW9CLENBQUMsaUJBQWlCO1lBQzVELFdBQVcsRUFBRTtnQkFDWDtvQkFDRSxTQUFTLEVBQUUsVUFBVSxDQUFDLG1CQUFtQixDQUFDLGNBQWM7b0JBQ3hELGVBQWUsRUFBRSxJQUFJLENBQUMsV0FBVztpQkFDbEM7Z0JBQ0Q7b0JBQ0UsU0FBUyxFQUFFLFVBQVUsQ0FBQyxtQkFBbUIsQ0FBQyxlQUFlO29CQUN6RCxlQUFlLEVBQUUsSUFBSSxDQUFDLGFBQWE7aUJBQ3BDO2FBQ0Y7WUFDRCxHQUFHLE9BQU87U0FDWCxDQUFBO0lBQ0gsQ0FBQztJQUVEOzs7Ozs7O09BT0c7SUFDSSxZQUFZLENBQUMsRUFBVSxFQUFFLEtBQXdCOztRQUN0RCxJQUFJLENBQUMsSUFBSSxDQUFDLGFBQWEsRUFBRTtZQUN2QixNQUFNLElBQUksS0FBSyxDQUNiLGtFQUFrRTtnQkFDaEUsb0RBQW9ELENBQ3ZELENBQUE7U0FDRjtRQUVELE9BQU8sSUFBSSw0QkFBWSxDQUFDLElBQUksRUFBRSxFQUFFLEVBQUU7WUFDaEMsTUFBTSxFQUFFLElBQUksQ0FBQyxNQUFNO1lBQ25CLFFBQVEsRUFBRSxJQUFJLENBQUMsUUFBUTtZQUN2QixVQUFVLEVBQUUsS0FBSyxDQUFDLFVBQVU7WUFDNUIsV0FBVyxFQUFFLEtBQUssQ0FBQyxXQUFXO1lBQzlCLFdBQVcsRUFBRSxJQUFJLENBQUMsV0FBVztZQUM3QixpQkFBaUIsRUFDZixNQUFBLEtBQUssQ0FBQyxpQkFBaUIsbUNBQ3ZCLENBQUMsU0FBUyxDQUFDLENBQUMsTUFBTSxDQUNoQixJQUFJLENBQUMsUUFBUSxDQUFDLGlCQUFpQixDQUFDLEdBQUcsQ0FBQyxDQUFDLEVBQUUsRUFBRSxFQUFFLENBQUMsRUFBRSxDQUFDLFlBQVksQ0FBQyxDQUM3RDtTQUNKLENBQUMsQ0FBQTtJQUNKLENBQUM7Q0FDRjtBQW5TRCx3Q0FtU0MiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgKiBhcyBjbG91ZGZyb250IGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtY2xvdWRmcm9udFwiXG5pbXBvcnQge1xuICBBZGRCZWhhdmlvck9wdGlvbnMsXG4gIEJlaGF2aW9yT3B0aW9ucyxcbiAgSU9yaWdpbixcbiAgVmlld2VyUHJvdG9jb2xQb2xpY3ksXG59IGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtY2xvdWRmcm9udFwiXG5pbXBvcnQgKiBhcyBjb2duaXRvIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtY29nbml0b1wiXG5pbXBvcnQgKiBhcyBsYW1iZGEgZnJvbSBcImF3cy1jZGstbGliL2F3cy1sYW1iZGFcIlxuaW1wb3J0IHsgSVZlcnNpb24gfSBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWxhbWJkYVwiXG5pbXBvcnQgeyBMYW1iZGFDb25maWcgfSBmcm9tIFwiQGxpZmxpZy9jZGstbGFtYmRhLWNvbmZpZ1wiXG5pbXBvcnQgeyBSZXRyaWV2ZUNsaWVudFNlY3JldCB9IGZyb20gXCIuL2NsaWVudC1zZWNyZXRcIlxuaW1wb3J0IHsgQ2xpZW50VXBkYXRlIH0gZnJvbSBcIi4vY2xpZW50LXVwZGF0ZVwiXG5pbXBvcnQgeyBHZW5lcmF0ZVNlY3JldCB9IGZyb20gXCIuL2dlbmVyYXRlLXNlY3JldFwiXG5pbXBvcnQgeyBTdG9yZWRDb25maWcgfSBmcm9tIFwiLi9oYW5kbGVycy91dGlsL2NvbmZpZ1wiXG5pbXBvcnQgeyBBdXRoTGFtYmRhcyB9IGZyb20gXCIuL2xhbWJkYXNcIlxuaW1wb3J0IHsgQ29uc3RydWN0IH0gZnJvbSBcImNvbnN0cnVjdHNcIlxuXG5leHBvcnQgaW50ZXJmYWNlIENsb3VkRnJvbnRBdXRoUHJvcHMge1xuICAvKipcbiAgICogQ29nbml0byBDbGllbnQgdGhhdCB3aWxsIGJlIHVzZWQgdG8gYXV0aGVudGljYXRlIHRoZSB1c2VyLlxuICAgKlxuICAgKiBJZiBhIGN1c3RvbSBjbGllbnQgaXMgcHJvdmlkZWQsIHRoZSB1cGRhdGVDbGllbnQgbWV0aG9kIGNhbm5vdFxuICAgKiBiZSB1c2VkIHNpbmNlIHdlIGNhbm5vdCBrbm93IHdoaWNoIHBhcmFtZXRlcnMgd2FzIHNldC5cbiAgICpcbiAgICogQGRlZmF1bHQgLSBhIG5ldyBjbGllbnQgd2lsbCBiZSBnZW5lcmF0ZWRcbiAgICovXG4gIGNsaWVudD86IGNvZ25pdG8uVXNlclBvb2xDbGllbnRcbiAgdXNlclBvb2w6IGNvZ25pdG8uSVVzZXJQb29sXG4gIC8qKlxuICAgKiBUaGUgZG9tYWluIHRoYXQgaXMgdXNlZCBmb3IgQ29nbml0byBBdXRoLlxuICAgKlxuICAgKiBJZiBub3QgdXNpbmcgY3VzdG9tIGRvbWFpbnMgdGhpcyB3aWxsIGJlIGEgbmFtZSB1bmRlciBhbWF6b25jb2duaXRvLmNvbS5cbiAgICpcbiAgICogQGV4YW1wbGUgYCR7ZG9tYWluLmRvbWFpbk5hbWV9LmF1dGguJHtyZWdpb259LmFtYXpvbmNvZ25pdG8uY29tYFxuICAgKi9cbiAgY29nbml0b0F1dGhEb21haW46IHN0cmluZ1xuICBhdXRoTGFtYmRhczogQXV0aExhbWJkYXNcbiAgLyoqXG4gICAqIEBkZWZhdWx0IC9hdXRoL2NhbGxiYWNrXG4gICAqL1xuICBjYWxsYmFja1BhdGg/OiBzdHJpbmdcbiAgLyoqXG4gICAqIEBkZWZhdWx0IC9cbiAgICovXG4gIHNpZ25PdXRSZWRpcmVjdFRvPzogc3RyaW5nXG4gIC8qKlxuICAgKiBAZGVmYXVsdCAvYXV0aC9zaWduLW91dFxuICAgKi9cbiAgc2lnbk91dFBhdGg/OiBzdHJpbmdcbiAgLyoqXG4gICAqIEBkZWZhdWx0IC9hdXRoL3JlZnJlc2hcbiAgICovXG4gIHJlZnJlc2hBdXRoUGF0aD86IHN0cmluZ1xuICAvKipcbiAgICogTG9nIGxldmVsLlxuICAgKlxuICAgKiBBIGxvZyBsZXZlbCBvZiBkZWJ1ZyB3aWxsIGxvZyBzZWNyZXRzIGFuZCBzaG91bGQgb25seSBiZSB1c2VkIGluXG4gICAqIGEgZGV2ZWxvcG1lbnQgZW52aXJvbm1lbnQuXG4gICAqXG4gICAqIEBkZWZhdWx0IHdhcm5cbiAgICovXG4gIGxvZ0xldmVsPzogXCJub25lXCIgfCBcImVycm9yXCIgfCBcIndhcm5cIiB8IFwiaW5mb1wiIHwgXCJkZWJ1Z1wiXG4gIC8qKlxuICAgKiBSZXF1aXJlIHRoZSB1c2VyIHRvIGJlIHBhcnQgb2YgYSBzcGVjaWZpYyBDb2duaXRvIGdyb3VwIHRvXG4gICAqIGFjY2VzcyBhbnkgcmVzb3VyY2UuXG4gICAqL1xuICByZXF1aXJlR3JvdXBBbnlPZj86IHN0cmluZ1tdXG59XG5cbmV4cG9ydCBpbnRlcmZhY2UgVXBkYXRlQ2xpZW50UHJvcHMge1xuICBzaWduT3V0VXJsOiBzdHJpbmdcbiAgY2FsbGJhY2tVcmw6IHN0cmluZ1xuICAvKipcbiAgICogTGlzdCBvZiBpZGVudGl0eSBwcm92aWRlcnMgdXNlZCBmb3IgdGhlIGNsaWVudC5cbiAgICpcbiAgICogQGRlZmF1bHQgLSBDT0dOSVRPIGFuZCBpZGVudGl0eSBwcm92aWRlcnMgcmVnaXN0ZXJlZCBpbiB0aGUgVXNlclBvb2wgY29uc3RydWN0XG4gICAqL1xuICBpZGVudGl0eVByb3ZpZGVycz86IHN0cmluZ1tdXG59XG5cbi8qKlxuICogQ29uZmlndXJlIHByZXZpb3VzbHkgZGVwbG95ZWQgbGFtYmRhIGZ1bmN0aW9ucywgQ29nbml0byBjbGllbnRcbiAqIGFuZCBDbG91ZEZyb250IGRpc3RyaWJ1dGlvbi5cbiAqL1xuZXhwb3J0IGNsYXNzIENsb3VkRnJvbnRBdXRoIGV4dGVuZHMgQ29uc3RydWN0IHtcbiAgcHVibGljIHJlYWRvbmx5IGNhbGxiYWNrUGF0aDogc3RyaW5nXG4gIHB1YmxpYyByZWFkb25seSBzaWduT3V0UmVkaXJlY3RUbzogc3RyaW5nXG4gIHB1YmxpYyByZWFkb25seSBzaWduT3V0UGF0aDogc3RyaW5nXG4gIHB1YmxpYyByZWFkb25seSByZWZyZXNoQXV0aFBhdGg6IHN0cmluZ1xuXG4gIHByaXZhdGUgcmVhZG9ubHkgdXNlclBvb2w6IGNvZ25pdG8uSVVzZXJQb29sXG4gIHByaXZhdGUgcmVhZG9ubHkgY2xpZW50Q3JlYXRlZDogYm9vbGVhblxuICBwdWJsaWMgcmVhZG9ubHkgY2xpZW50OiBjb2duaXRvLlVzZXJQb29sQ2xpZW50XG5cbiAgcHJpdmF0ZSByZWFkb25seSBjaGVja0F1dGhGbjogbGFtYmRhLklWZXJzaW9uXG4gIHByaXZhdGUgcmVhZG9ubHkgaHR0cEhlYWRlcnNGbjogbGFtYmRhLklWZXJzaW9uXG4gIHByaXZhdGUgcmVhZG9ubHkgcGFyc2VBdXRoRm46IGxhbWJkYS5JVmVyc2lvblxuICBwcml2YXRlIHJlYWRvbmx5IHJlZnJlc2hBdXRoRm46IGxhbWJkYS5JVmVyc2lvblxuICBwcml2YXRlIHJlYWRvbmx5IHNpZ25PdXRGbjogbGFtYmRhLklWZXJzaW9uXG5cbiAgcHJpdmF0ZSByZWFkb25seSBvYXV0aFNjb3Blczogc3RyaW5nW11cblxuICBjb25zdHJ1Y3RvcihzY29wZTogQ29uc3RydWN0LCBpZDogc3RyaW5nLCBwcm9wczogQ2xvdWRGcm9udEF1dGhQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZClcblxuICAgIHRoaXMuY2FsbGJhY2tQYXRoID0gcHJvcHMuY2FsbGJhY2tQYXRoID8/IFwiL2F1dGgvY2FsbGJhY2tcIlxuICAgIHRoaXMuc2lnbk91dFJlZGlyZWN0VG8gPSBwcm9wcy5zaWduT3V0UmVkaXJlY3RUbyA/PyBcIi9cIlxuICAgIHRoaXMuc2lnbk91dFBhdGggPSBwcm9wcy5zaWduT3V0UGF0aCA/PyBcIi9hdXRoL3NpZ24tb3V0XCJcbiAgICB0aGlzLnJlZnJlc2hBdXRoUGF0aCA9IHByb3BzLnJlZnJlc2hBdXRoUGF0aCA/PyBcIi9hdXRoL3JlZnJlc2hcIlxuXG4gICAgdGhpcy5vYXV0aFNjb3BlcyA9IFtcbiAgICAgIFwicGhvbmVcIixcbiAgICAgIFwiZW1haWxcIixcbiAgICAgIFwicHJvZmlsZVwiLFxuICAgICAgXCJvcGVuaWRcIixcbiAgICAgIFwiYXdzLmNvZ25pdG8uc2lnbmluLnVzZXIuYWRtaW5cIixcbiAgICBdXG5cbiAgICB0aGlzLnVzZXJQb29sID0gcHJvcHMudXNlclBvb2xcblxuICAgIHRoaXMuY2xpZW50Q3JlYXRlZCA9ICFwcm9wcy5jbGllbnRcbiAgICB0aGlzLmNsaWVudCA9XG4gICAgICBwcm9wcy5jbGllbnQgPz9cbiAgICAgIHByb3BzLnVzZXJQb29sLmFkZENsaWVudChcIlVzZXJQb29sQ2xpZW50XCIsIHtcbiAgICAgICAgLy8gTm90ZTogVGhlIGZvbGxvd2luZyBtdXN0IGJlIGtlcHQgaW4gc3luYyB3aXRoIHRoZSBBUElcbiAgICAgICAgLy8gY2FsbCBwZXJmb3JtZWQgaW4gQ2xpZW50VXBkYXRlLlxuICAgICAgICBhdXRoRmxvd3M6IHtcbiAgICAgICAgICB1c2VyUGFzc3dvcmQ6IHRydWUsXG4gICAgICAgICAgdXNlclNycDogdHJ1ZSxcbiAgICAgICAgfSxcbiAgICAgICAgb0F1dGg6IHtcbiAgICAgICAgICBmbG93czoge1xuICAgICAgICAgICAgYXV0aG9yaXphdGlvbkNvZGVHcmFudDogdHJ1ZSxcbiAgICAgICAgICB9LFxuICAgICAgICB9LFxuICAgICAgICBwcmV2ZW50VXNlckV4aXN0ZW5jZUVycm9yczogdHJ1ZSxcbiAgICAgICAgZ2VuZXJhdGVTZWNyZXQ6IHRydWUsXG4gICAgICB9KVxuXG4gICAgY29uc3Qgbm9uY2VTaWduaW5nU2VjcmV0ID0gbmV3IEdlbmVyYXRlU2VjcmV0KHRoaXMsIFwiTm9uY2VTaWduaW5nU2VjcmV0XCIpXG4gICAgICAudmFsdWVcblxuICAgIGNvbnN0IHsgY2xpZW50U2VjcmV0VmFsdWUgfSA9IG5ldyBSZXRyaWV2ZUNsaWVudFNlY3JldChcbiAgICAgIHRoaXMsXG4gICAgICBcIkNsaWVudFNlY3JldFwiLFxuICAgICAge1xuICAgICAgICBjbGllbnQ6IHRoaXMuY2xpZW50LFxuICAgICAgICB1c2VyUG9vbDogdGhpcy51c2VyUG9vbCxcbiAgICAgIH0sXG4gICAgKVxuXG4gICAgY29uc3QgY29uZmlnOiBTdG9yZWRDb25maWcgPSB7XG4gICAgICBodHRwSGVhZGVyczoge1xuICAgICAgICBcIkNvbnRlbnQtU2VjdXJpdHktUG9saWN5XCI6XG4gICAgICAgICAgXCJkZWZhdWx0LXNyYyAnbm9uZSc7IGltZy1zcmMgJ3NlbGYnOyBzY3JpcHQtc3JjICdzZWxmJzsgc3R5bGUtc3JjICdzZWxmJyAndW5zYWZlLWlubGluZSc7IG9iamVjdC1zcmMgJ25vbmUnOyBjb25uZWN0LXNyYyAnc2VsZidcIixcbiAgICAgICAgXCJTdHJpY3QtVHJhbnNwb3J0LVNlY3VyaXR5XCI6XG4gICAgICAgICAgXCJtYXgtYWdlPTMxNTM2MDAwOyBpbmNsdWRlU3ViZG9tYWluczsgcHJlbG9hZFwiLFxuICAgICAgICBcIlJlZmVycmVyLVBvbGljeVwiOiBcInNhbWUtb3JpZ2luXCIsXG4gICAgICAgIFwiWC1YU1MtUHJvdGVjdGlvblwiOiBcIjE7IG1vZGU9YmxvY2tcIixcbiAgICAgICAgXCJYLUZyYW1lLU9wdGlvbnNcIjogXCJERU5ZXCIsXG4gICAgICAgIFwiWC1Db250ZW50LVR5cGUtT3B0aW9uc1wiOiBcIm5vc25pZmZcIixcbiAgICAgICAgXCJDYWNoZS1Db250cm9sXCI6IFwibm8tY2FjaGVcIixcbiAgICAgIH0sXG4gICAgICBsb2dMZXZlbDogcHJvcHMubG9nTGV2ZWwgPz8gXCJ3YXJuXCIsXG4gICAgICB1c2VyUG9vbElkOiB0aGlzLnVzZXJQb29sLnVzZXJQb29sSWQsXG4gICAgICBjbGllbnRJZDogdGhpcy5jbGllbnQudXNlclBvb2xDbGllbnRJZCxcbiAgICAgIGNsaWVudFNlY3JldDogY2xpZW50U2VjcmV0VmFsdWUsXG4gICAgICBvYXV0aFNjb3BlczogdGhpcy5vYXV0aFNjb3BlcyxcbiAgICAgIGNvZ25pdG9BdXRoRG9tYWluOiBwcm9wcy5jb2duaXRvQXV0aERvbWFpbixcbiAgICAgIGNhbGxiYWNrUGF0aDogdGhpcy5jYWxsYmFja1BhdGgsXG4gICAgICBzaWduT3V0UmVkaXJlY3RUbzogdGhpcy5zaWduT3V0UmVkaXJlY3RUbyxcbiAgICAgIHNpZ25PdXRQYXRoOiB0aGlzLnNpZ25PdXRQYXRoLFxuICAgICAgcmVmcmVzaEF1dGhQYXRoOiB0aGlzLnJlZnJlc2hBdXRoUGF0aCxcbiAgICAgIHJlcXVpcmVHcm91cEFueU9mOiBwcm9wcy5yZXF1aXJlR3JvdXBBbnlPZixcbiAgICAgIGNvb2tpZVNldHRpbmdzOiB7XG4gICAgICAgIC8qXG4gICAgICAgIHNwYU1vZGUgLSBjb25zaWRlciBpZiB0aGlzIHNob3VsZCBiZSBzdXBwb3J0ZWRcbiAgICAgICAgaWRUb2tlbjogXCJQYXRoPS87IFNlY3VyZTsgU2FtZVNpdGU9TGF4XCIsXG4gICAgICAgIGFjY2Vzc1Rva2VuOiBcIlBhdGg9LzsgU2VjdXJlOyBTYW1lU2l0ZT1MYXhcIixcbiAgICAgICAgcmVmcmVzaFRva2VuOiBcIlBhdGg9LzsgU2VjdXJlOyBTYW1lU2l0ZT1MYXhcIixcbiAgICAgICAgbm9uY2U6IFwiUGF0aD0vOyBTZWN1cmU7IEh0dHBPbmx5OyBTYW1lU2l0ZT1MYXhcIixcbiAgICAgICAgKi9cbiAgICAgICAgaWRUb2tlbjogXCJQYXRoPS87IFNlY3VyZTsgSHR0cE9ubHk7IFNhbWVTaXRlPUxheFwiLFxuICAgICAgICBhY2Nlc3NUb2tlbjogXCJQYXRoPS87IFNlY3VyZTsgSHR0cE9ubHk7IFNhbWVTaXRlPUxheFwiLFxuICAgICAgICByZWZyZXNoVG9rZW46IFwiUGF0aD0vOyBTZWN1cmU7IEh0dHBPbmx5OyBTYW1lU2l0ZT1MYXhcIixcbiAgICAgICAgbm9uY2U6IFwiUGF0aD0vOyBTZWN1cmU7IEh0dHBPbmx5OyBTYW1lU2l0ZT1MYXhcIixcbiAgICAgIH0sXG4gICAgICBub25jZVNpZ25pbmdTZWNyZXQsXG4gICAgfVxuXG4gICAgdGhpcy5jaGVja0F1dGhGbiA9IG5ldyBMYW1iZGFDb25maWcodGhpcywgXCJDaGVja0F1dGhGblwiLCB7XG4gICAgICBmdW5jdGlvbjogcHJvcHMuYXV0aExhbWJkYXMuY2hlY2tBdXRoRm4uZ2V0KHRoaXMsIFwiQ2hlY2tBdXRoRm5JbXBvcnRcIiksXG4gICAgICBjb25maWcsXG4gICAgfSkudmVyc2lvblxuXG4gICAgdGhpcy5odHRwSGVhZGVyc0ZuID0gbmV3IExhbWJkYUNvbmZpZyh0aGlzLCBcIkh0dHBIZWFkZXJzRm5cIiwge1xuICAgICAgZnVuY3Rpb246IHByb3BzLmF1dGhMYW1iZGFzLmh0dHBIZWFkZXJzRm4uZ2V0KFxuICAgICAgICB0aGlzLFxuICAgICAgICBcIkh0dHBIZWFkZXJzRm5JbXBvcnRcIixcbiAgICAgICksXG4gICAgICBjb25maWcsXG4gICAgfSkudmVyc2lvblxuXG4gICAgdGhpcy5wYXJzZUF1dGhGbiA9IG5ldyBMYW1iZGFDb25maWcodGhpcywgXCJQYXJzZUF1dGhGblwiLCB7XG4gICAgICBmdW5jdGlvbjogcHJvcHMuYXV0aExhbWJkYXMucGFyc2VBdXRoRm4uZ2V0KHRoaXMsIFwiUGFyc2VBdXRoRm5JbXBvcnRcIiksXG4gICAgICBjb25maWcsXG4gICAgfSkudmVyc2lvblxuXG4gICAgdGhpcy5yZWZyZXNoQXV0aEZuID0gbmV3IExhbWJkYUNvbmZpZyh0aGlzLCBcIlJlZnJlc2hBdXRoRm5cIiwge1xuICAgICAgZnVuY3Rpb246IHByb3BzLmF1dGhMYW1iZGFzLnJlZnJlc2hBdXRoRm4uZ2V0KFxuICAgICAgICB0aGlzLFxuICAgICAgICBcIlJlZnJlc2hBdXRoRm5JbXBvcnRcIixcbiAgICAgICksXG4gICAgICBjb25maWcsXG4gICAgfSkudmVyc2lvblxuXG4gICAgdGhpcy5zaWduT3V0Rm4gPSBuZXcgTGFtYmRhQ29uZmlnKHRoaXMsIFwiU2lnbk91dEZuXCIsIHtcbiAgICAgIGZ1bmN0aW9uOiBwcm9wcy5hdXRoTGFtYmRhcy5zaWduT3V0Rm4uZ2V0KHRoaXMsIFwiU2lnbk91dEZuSW1wb3J0XCIpLFxuICAgICAgY29uZmlnLFxuICAgIH0pLnZlcnNpb25cbiAgfVxuXG4gIHByaXZhdGUgY3JlYXRlUGF0aExhbWJkYShcbiAgICBwYXRoOiBzdHJpbmcsXG4gICAgZm46IGxhbWJkYS5JVmVyc2lvbixcbiAgKTogY2xvdWRmcm9udC5CZWhhdmlvciB7XG4gICAgcmV0dXJuIHtcbiAgICAgIHBhdGhQYXR0ZXJuOiBwYXRoLFxuICAgICAgZm9yd2FyZGVkVmFsdWVzOiB7XG4gICAgICAgIHF1ZXJ5U3RyaW5nOiB0cnVlLFxuICAgICAgfSxcbiAgICAgIGxhbWJkYUZ1bmN0aW9uQXNzb2NpYXRpb25zOiBbXG4gICAgICAgIHtcbiAgICAgICAgICBldmVudFR5cGU6IGNsb3VkZnJvbnQuTGFtYmRhRWRnZUV2ZW50VHlwZS5WSUVXRVJfUkVRVUVTVCxcbiAgICAgICAgICBsYW1iZGFGdW5jdGlvbjogZm4sXG4gICAgICAgIH0sXG4gICAgICBdLFxuICAgIH1cbiAgfVxuXG4gIC8qKlxuICAgKiBDcmVhdGUgYmVoYXZpb3JzIGZvciBhdXRoZW50aWNhdGlvbiBwYWdlczpcbiAgICpcbiAgICogLSBjYWxsYmFjayBwYWdlXG4gICAqIC0gcmVmcmVzaCBwYWdlXG4gICAqIC0gc2lnbiBvdXQgcGFnZVxuICAgKlxuICAgKiBUaGlzIGlzIHRvIGJlIHVzZWQgd2l0aCBDbG91ZEZyb250V2ViRGlzdHJpYnV0aW9uLiBTZWVcbiAgICogY3JlYXRlQXV0aFBhZ2VzQmVoYXZpb3JzIGlmIHVzaW5nIERpc3RyaWJ1dGlvbi5cbiAgICovXG4gIHB1YmxpYyBnZXQgYXV0aFBhZ2VzKCk6IGNsb3VkZnJvbnQuQmVoYXZpb3JbXSB7XG4gICAgcmV0dXJuIFtcbiAgICAgIHRoaXMuY3JlYXRlUGF0aExhbWJkYSh0aGlzLmNhbGxiYWNrUGF0aCwgdGhpcy5wYXJzZUF1dGhGbiksXG4gICAgICB0aGlzLmNyZWF0ZVBhdGhMYW1iZGEodGhpcy5yZWZyZXNoQXV0aFBhdGgsIHRoaXMucmVmcmVzaEF1dGhGbiksXG4gICAgICB0aGlzLmNyZWF0ZVBhdGhMYW1iZGEodGhpcy5zaWduT3V0UGF0aCwgdGhpcy5zaWduT3V0Rm4pLFxuICAgIF1cbiAgfVxuXG4gIC8qKlxuICAgKiBDcmVhdGUgYmVoYXZpb3JzIGZvciBhdXRoZW50aWNhdGlvbiBwYWdlcy5cbiAgICpcbiAgICogLSBjYWxsYmFjayBwYWdlXG4gICAqIC0gcmVmcmVzaCBwYWdlXG4gICAqIC0gc2lnbiBvdXQgcGFnZVxuICAgKlxuICAgKiBUaGlzIGlzIHRvIGJlIHVzZWQgd2l0aCBEaXN0cmlidXRpb24uXG4gICAqL1xuICBwdWJsaWMgY3JlYXRlQXV0aFBhZ2VzQmVoYXZpb3JzKFxuICAgIG9yaWdpbjogSU9yaWdpbixcbiAgICBvcHRpb25zPzogQWRkQmVoYXZpb3JPcHRpb25zLFxuICApOiBSZWNvcmQ8c3RyaW5nLCBCZWhhdmlvck9wdGlvbnM+IHtcbiAgICBmdW5jdGlvbiBwYXRoKHBhdGg6IHN0cmluZywgZm46IElWZXJzaW9uKTogUmVjb3JkPHN0cmluZywgQmVoYXZpb3JPcHRpb25zPiB7XG4gICAgICByZXR1cm4ge1xuICAgICAgICBbcGF0aF06IHtcbiAgICAgICAgICBvcmlnaW4sXG4gICAgICAgICAgY29tcHJlc3M6IHRydWUsXG4gICAgICAgICAgdmlld2VyUHJvdG9jb2xQb2xpY3k6IFZpZXdlclByb3RvY29sUG9saWN5LlJFRElSRUNUX1RPX0hUVFBTLFxuICAgICAgICAgIGVkZ2VMYW1iZGFzOiBbXG4gICAgICAgICAgICB7XG4gICAgICAgICAgICAgIGV2ZW50VHlwZTogY2xvdWRmcm9udC5MYW1iZGFFZGdlRXZlbnRUeXBlLlZJRVdFUl9SRVFVRVNULFxuICAgICAgICAgICAgICBmdW5jdGlvblZlcnNpb246IGZuLFxuICAgICAgICAgICAgfSxcbiAgICAgICAgICBdLFxuICAgICAgICAgIC4uLm9wdGlvbnMsXG4gICAgICAgIH0sXG4gICAgICB9XG4gICAgfVxuXG4gICAgcmV0dXJuIHtcbiAgICAgIC4uLnBhdGgodGhpcy5jYWxsYmFja1BhdGgsIHRoaXMucGFyc2VBdXRoRm4pLFxuICAgICAgLi4ucGF0aCh0aGlzLnJlZnJlc2hBdXRoUGF0aCwgdGhpcy5yZWZyZXNoQXV0aEZuKSxcbiAgICAgIC4uLnBhdGgodGhpcy5zaWduT3V0UGF0aCwgdGhpcy5zaWduT3V0Rm4pLFxuICAgIH1cbiAgfVxuXG4gIC8qKlxuICAgKiBDcmVhdGUgbGFtYmRhIGZ1bmN0aW9uIGFzc29jaWF0aW9uIGZvciB2aWV3ZXIgcmVxdWVzdCB0byBjaGVja1xuICAgKiBhdXRoZW50aWNhdGlvbiBhbmQgb3JpZ2luYWwgcmVzcG9uc2UgdG8gYWRkIGhlYWRlcnMuXG4gICAqXG4gICAqIFRoaXMgaXMgdG8gYmUgdXNlZCB3aXRoIENsb3VkRnJvbnRXZWJEaXN0cmlidXRpb24uIFNlZVxuICAgKiBjcmVhdGVQcm90ZWN0ZWRCZWhhdmlvciBpZiB1c2luZyBEaXN0cmlidXRpb24uXG4gICAqL1xuICBwdWJsaWMgZ2V0IGF1dGhGaWx0ZXJzKCk6IGNsb3VkZnJvbnQuTGFtYmRhRnVuY3Rpb25Bc3NvY2lhdGlvbltdIHtcbiAgICByZXR1cm4gW1xuICAgICAge1xuICAgICAgICBldmVudFR5cGU6IGNsb3VkZnJvbnQuTGFtYmRhRWRnZUV2ZW50VHlwZS5WSUVXRVJfUkVRVUVTVCxcbiAgICAgICAgbGFtYmRhRnVuY3Rpb246IHRoaXMuY2hlY2tBdXRoRm4sXG4gICAgICB9LFxuICAgICAge1xuICAgICAgICBldmVudFR5cGU6IGNsb3VkZnJvbnQuTGFtYmRhRWRnZUV2ZW50VHlwZS5PUklHSU5fUkVTUE9OU0UsXG4gICAgICAgIGxhbWJkYUZ1bmN0aW9uOiB0aGlzLmh0dHBIZWFkZXJzRm4sXG4gICAgICB9LFxuICAgIF1cbiAgfVxuXG4gIC8qKlxuICAgKiBDcmVhdGUgYmVoYXZpb3IgdGhhdCBpbmNsdWRlcyBhdXRob3JpemF0aW9uIGNoZWNrLlxuICAgKlxuICAgKiBUaGlzIGlzIHRvIGJlIHVzZWQgd2l0aCBEaXN0cmlidXRpb24uXG4gICAqL1xuICBwdWJsaWMgY3JlYXRlUHJvdGVjdGVkQmVoYXZpb3IoXG4gICAgb3JpZ2luOiBJT3JpZ2luLFxuICAgIG9wdGlvbnM/OiBBZGRCZWhhdmlvck9wdGlvbnMsXG4gICk6IEJlaGF2aW9yT3B0aW9ucyB7XG4gICAgaWYgKG9wdGlvbnM/LmVkZ2VMYW1iZGFzICE9IG51bGwpIHtcbiAgICAgIHRocm93IEVycm9yKFwiVXNlci1kZWZpbmVkIGVkZ2VMYW1iZGFzIGlzIGN1cnJlbnRseSBub3Qgc3VwcG9ydGVkXCIpXG4gICAgfVxuXG4gICAgcmV0dXJuIHtcbiAgICAgIG9yaWdpbixcbiAgICAgIGNvbXByZXNzOiB0cnVlLFxuICAgICAgdmlld2VyUHJvdG9jb2xQb2xpY3k6IFZpZXdlclByb3RvY29sUG9saWN5LlJFRElSRUNUX1RPX0hUVFBTLFxuICAgICAgZWRnZUxhbWJkYXM6IFtcbiAgICAgICAge1xuICAgICAgICAgIGV2ZW50VHlwZTogY2xvdWRmcm9udC5MYW1iZGFFZGdlRXZlbnRUeXBlLlZJRVdFUl9SRVFVRVNULFxuICAgICAgICAgIGZ1bmN0aW9uVmVyc2lvbjogdGhpcy5jaGVja0F1dGhGbixcbiAgICAgICAgfSxcbiAgICAgICAge1xuICAgICAgICAgIGV2ZW50VHlwZTogY2xvdWRmcm9udC5MYW1iZGFFZGdlRXZlbnRUeXBlLk9SSUdJTl9SRVNQT05TRSxcbiAgICAgICAgICBmdW5jdGlvblZlcnNpb246IHRoaXMuaHR0cEhlYWRlcnNGbixcbiAgICAgICAgfSxcbiAgICAgIF0sXG4gICAgICAuLi5vcHRpb25zLFxuICAgIH1cbiAgfVxuXG4gIC8qKlxuICAgKiBVcGRhdGUgQ29nbml0byBjbGllbnQgdG8gdXNlIHRoZSBwcm9wZXIgVVJMcyBhbmQgT0F1dGggc2NvcGVzLlxuICAgKlxuICAgKiBUT0RPOiBJbiBjYXNlIHRoZSBjbGllbnQgY29uZmlndXJhdGlvbiBjaGFuZ2VzIGFuZCBpcyB1cGRhdGVkXG4gICAqICBieSBDbG91ZEZvcm1hdGlvbiwgdGhpcyB3aWxsIG5vdCBiZSByZWFwcGxpZWQgY2F1c2luZyB0aGUgY2xpZW50XG4gICAqICB0byBub3QgYmUgY29ycmVjdGx5IGNvbmZpZ3VyZWQuXG4gICAqICBIb3cgY2FuIHdlIGF2b2lkIHRoaXMgc2NlbmFyaW8/XG4gICAqL1xuICBwdWJsaWMgdXBkYXRlQ2xpZW50KGlkOiBzdHJpbmcsIHByb3BzOiBVcGRhdGVDbGllbnRQcm9wcyk6IENsaWVudFVwZGF0ZSB7XG4gICAgaWYgKCF0aGlzLmNsaWVudENyZWF0ZWQpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcihcbiAgICAgICAgXCJZb3UgY2Fubm90IHVzZSB1cGRhdGVDbGllbnQgd2l0aCBhIHVzZXItcHJvdmlkZWQgQ29nbml0byBDbGllbnQgXCIgK1xuICAgICAgICAgIFwic2luY2UgaXQgd291bGQgb3ZlcnJpZGUgdGhlIHVzZXItcHJvdmlkZWQgc2V0dGluZ3NcIixcbiAgICAgIClcbiAgICB9XG5cbiAgICByZXR1cm4gbmV3IENsaWVudFVwZGF0ZSh0aGlzLCBpZCwge1xuICAgICAgY2xpZW50OiB0aGlzLmNsaWVudCxcbiAgICAgIHVzZXJQb29sOiB0aGlzLnVzZXJQb29sLFxuICAgICAgc2lnbk91dFVybDogcHJvcHMuc2lnbk91dFVybCxcbiAgICAgIGNhbGxiYWNrVXJsOiBwcm9wcy5jYWxsYmFja1VybCxcbiAgICAgIG9hdXRoU2NvcGVzOiB0aGlzLm9hdXRoU2NvcGVzLFxuICAgICAgaWRlbnRpdHlQcm92aWRlcnM6XG4gICAgICAgIHByb3BzLmlkZW50aXR5UHJvdmlkZXJzID8/XG4gICAgICAgIFtcIkNPR05JVE9cIl0uY29uY2F0KFxuICAgICAgICAgIHRoaXMudXNlclBvb2wuaWRlbnRpdHlQcm92aWRlcnMubWFwKChpdCkgPT4gaXQucHJvdmlkZXJOYW1lKSxcbiAgICAgICAgKSxcbiAgICB9KVxuICB9XG59XG4iXX0=

package/lib/generate-secret.d.ts

@@ -0,0 +1,15 @@
+import { Construct } from "constructs";
+interface GenerateSecretProps {
+    /**
+     * Nonce to force secret update.
+     */
+    nonce?: string;
+}
+/**
+ * Generate a secret to be used in other parts of the deployment.
+ */
+export declare class GenerateSecret extends Construct {
+    readonly value: string;
+    constructor(scope: Construct, id: string, props?: GenerateSecretProps);
+}
+export {};