@m1a0rz/agent-identity 0.3.2 → 0.3.4
- package/README-cn.md +10 -8
- package/README.md +10 -8
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +7 -5
- package/dist/src/actions/identity-actions.d.ts.map +1 -1
- package/dist/src/actions/identity-actions.js +8 -2
- package/dist/src/commands/identity-commands.js +2 -2
- package/dist/src/hooks/before-agent-start.js +1 -1
- package/dist/src/hooks/before-tool-call.js +4 -4
- package/dist/src/hooks/llm-input.js +3 -3
- package/dist/src/hooks/sessions-send-propagation.js +1 -1
- package/dist/src/hooks/sessions-spawn-propagation.js +1 -1
- package/dist/src/hooks/subagent-ended-cleanup.js +1 -1
- package/dist/src/routes/oidc-login.d.ts.map +1 -1
- package/dist/src/routes/oidc-login.js +49 -7
- package/dist/src/services/identity-client.d.ts +2 -0
- package/dist/src/services/identity-client.d.ts.map +1 -1
- package/dist/src/services/identity-client.js +1 -0
- package/dist/src/services/identity-credentials.d.ts +4 -2
- package/dist/src/services/identity-credentials.d.ts.map +1 -1
- package/dist/src/services/identity-credentials.js +69 -3
- package/dist/src/services/identity-service.d.ts +3 -2
- package/dist/src/services/identity-service.d.ts.map +1 -1
- package/dist/src/services/identity-service.js +11 -7
- package/dist/src/services/oidc-client.d.ts +25 -8
- package/dist/src/services/oidc-client.d.ts.map +1 -1
- package/dist/src/services/oidc-client.js +55 -1
- package/dist/src/services/session-refresh.d.ts.map +1 -1
- package/dist/src/services/session-refresh.js +11 -2
- package/dist/src/store/oidc-state-store.d.ts +8 -1
- package/dist/src/store/oidc-state-store.d.ts.map +1 -1
- package/dist/src/store/oidc-state-store.js +3 -1
- package/dist/src/store/{group-sender-store.d.ts → sender-session-store.d.ts} +14 -7
- package/dist/src/store/sender-session-store.d.ts.map +1 -0
- package/dist/src/store/{group-sender-store.js → sender-session-store.js} +41 -12
- package/dist/src/tools/identity-approve-tool.js +1 -1
- package/dist/src/tools/identity-config-suggest.d.ts +2 -2
- package/dist/src/tools/identity-config-suggest.d.ts.map +1 -1
- package/dist/src/tools/identity-config-suggest.js +4 -3
- package/dist/src/tools/identity-fetch.js +1 -1
- package/dist/src/tools/identity-list-credentials.js +1 -1
- package/dist/src/tools/identity-login.js +1 -1
- package/dist/src/tools/identity-logout.js +1 -1
- package/dist/src/tools/identity-set-binding.js +1 -1
- package/dist/src/tools/identity-status.js +1 -1
- package/dist/src/tools/identity-unset-binding.js +1 -1
- package/dist/src/tools/identity-whoami.js +1 -1
- package/dist/src/types.d.ts +2 -0
- package/dist/src/types.d.ts.map +1 -1
- package/dist/src/utils/derive-session-key.d.ts +34 -4
- package/dist/src/utils/derive-session-key.d.ts.map +1 -1
- package/dist/src/utils/derive-session-key.js +50 -5
- package/openclaw.plugin.json +6 -2
- package/package.json +4 -3
- package/dist/src/store/group-sender-store.d.ts.map +0 -1
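--- a/package/README-cn.md
+++ b/package/README-cn.md
@@ -109,10 +109,11 @@ openclaw plugins install --link .
 - `workloadPoolName` / `workloadName`:用于签发 TIP Token。默认:`default`、`openclaw-agent`。
 - `audience` / `durationSeconds`:可选,令牌受众与有效期。
 - `credentialsFile`:凭据 JSON 文件路径。默认:`VOLCENGINE_CREDENTIALS_FILE` 环境变量或 `/var/run/secrets/iam/credential`。
-- `
+- `credentialsMetadataUrl`:远程 STS 凭据拉取的 base URL。与 `roleTrn` 同时配置时,从 `{url}/{roleName}` 拉取。响应格式:`AccessKeyId`、`SecretAccessKey`、`SessionToken`、`ExpiredTime`。404 时回退到凭据文件。按过期时间缓存并刷新。需显式配置。
+- `roleTrn`:STS AssumeRole 的 Role TRN。设置后(且未设置 `workloadName`)不传 workload name,后端使用 roleName。优先级:`workloadName` > `roleTrn` > params。与 `credentialsMetadataUrl` 配合时,从 TRN 解析 role 名(如 `role/openclaw-agent` → `openclaw-agent`)。
 - `sessionToken`:STS 会话令牌(或使用 `VOLCENGINE_SESSION_TOKEN` 环境变量)。
 
-**凭据解析顺序**(AK/SK):1)显式 config → 2)环境变量(`VOLCENGINE_ACCESS_KEY`、`VOLCENGINE_SECRET_KEY`、`VOLCENGINE_SESSION_TOKEN`)→ 3)凭据文件(config 的 `credentialsFile`,或 `VOLCENGINE_CREDENTIALS_FILE` 环境变量,或 `/var/run/secrets/iam/credential`)。凭据文件格式(VeFaaS):`access_key_id`、`secret_access_key`、`session_token`(可选)、`role_trn`(可选,用于 AssumeRole)。`RUNTIME_IAM_ROLE_TRN` 环境变量可在从文件加载时提供 role TRN。
+**凭据解析顺序**(AK/SK):1)显式 config → 2)环境变量(`VOLCENGINE_ACCESS_KEY`、`VOLCENGINE_SECRET_KEY`、`VOLCENGINE_SESSION_TOKEN`)→ 3)远程元数据(`credentialsMetadataUrl` + `roleTrn`,从 `{url}/{roleName}` 拉取;404 时回退)→ 4)凭据文件(config 的 `credentialsFile`,或 `VOLCENGINE_CREDENTIALS_FILE` 环境变量,或 `/var/run/secrets/iam/credential`)。凭据文件格式(VeFaaS):`access_key_id`、`secret_access_key`、`session_token`(可选)、`role_trn`(可选,用于 AssumeRole)。`RUNTIME_IAM_ROLE_TRN` 环境变量可在从文件加载时提供 role TRN。
 
 **B. 用户登录配置(UserPool / OIDC)**:用于 `/identity login` 的用户登录与会话建立。
 
@@ -183,14 +184,15 @@ openclaw plugins install --link .
 | `accessKeyId` | string | 否* | 火山引擎 Access Key。不填时从 `VOLCENGINE_ACCESS_KEY` 或 `credentialsFile` 读取 |
 | `secretAccessKey` | string | 否* | 火山引擎 Secret Key。不填时从 `VOLCENGINE_SECRET_KEY` 或 `credentialsFile` 读取 |
 | `workloadPoolName` | string | 否 | 工作负载池名称,默认 `default` |
-| `workloadName` | string | 否 |
+| `workloadName` | string | 否 | 工作负载名称。设置时优先于 roleTrn。两者都未设置时默认:agentId 或 `openclaw-agent` |
 | `audience` | string[] | 否 | TIP token 的 audience |
 | `durationSeconds` | number | 否 | TIP token 有效期(秒),默认 3600 |
-| `roleTrn` | string | 否 | STS AssumeRole 的 Role TRN
+| `roleTrn` | string | 否 | STS AssumeRole 的 Role TRN。设置后(且未设置 workloadName)不传 workload name,后端使用 roleName。优先级:workloadName > roleTrn > params |
 | `credentialsFile` | string | 否 | 凭证 JSON 文件路径。默认 `VOLCENGINE_CREDENTIALS_FILE` 或 `/var/run/secrets/iam/credential` |
+| `credentialsMetadataUrl` | string | 否 | 远程 STS 拉取的 base URL。与 `roleTrn` 同时配置时从 `{url}/{roleName}` 拉取。404 时回退到 `credentialsFile` |
 | `sessionToken` | string | 否 | STS 临时会话令牌(或 `VOLCENGINE_SESSION_TOKEN`) |
 
-\* AK/SK 至少通过 `accessKeyId`+`secretAccessKey
+\* AK/SK 至少通过 `accessKeyId`+`secretAccessKey`、环境变量、`credentialsMetadataUrl`+`roleTrn` 或 `credentialsFile` 之一提供。
 
 **环境变量**:`VOLCENGINE_ACCESS_KEY`、`VOLCENGINE_SECRET_KEY`、`VOLCENGINE_SESSION_TOKEN`、`VOLCENGINE_CREDENTIALS_FILE`、`RUNTIME_IAM_ROLE_TRN`(从文件加载时用于 AssumeRole)。
 
@@ -220,9 +222,9 @@ OAuth2 credential fetch 使用控制台配置的 redirect URL 和 scopes。可
 
 TIP token 通过 `GetWorkloadAccessTokenForJWT` 获取。工作负载行为:
 
-- **workloadName**(可选):发送给 API
-- **roleTrn
-- **自动创建工作负载**:当 `GetWorkloadAccessTokenForJWT` 返回 404(工作负载不存在)时,插件调用 `CreateWorkloadIdentity` 创建工作负载(Category: Agent),然后重试。仅在使用 workload name
+- **workloadName**(可选):发送给 API 的工作负载名称。优先级:config.workloadName > config.roleTrn > params(会话 agentId 或 `"openclaw-agent"`)。当 config.workloadName 设置时,优先于 roleTrn。
+- **roleTrn**(可选):设置后(且未设置 workloadName),插件**不**传递 workload name,后端使用 roleName。用于委托执行(如 VeFaaS、K8s IRSA)。
+- **自动创建工作负载**:当 `GetWorkloadAccessTokenForJWT` 返回 404(工作负载不存在)时,插件调用 `CreateWorkloadIdentity` 创建工作负载(Category: Agent),然后重试。仅在使用 workload name 时生效(设置了 workloadName 或两者都未设置)。并发创建产生的 Duplicated (409) 会被忽略。
 
 ### 飞书通知
 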
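--- a/package/README.md
+++ b/package/README.md
@@ -109,10 +109,11 @@ The plugin typically needs three types of config:
 - `workloadPoolName` / `workloadName`: For issuing TIP Token. Defaults: `default`, `openclaw-agent`.
 - `audience` / `durationSeconds`: Optional, token audience and validity.
 - `credentialsFile`: Path to credential JSON. Default: `VOLCENGINE_CREDENTIALS_FILE` env or `/var/run/secrets/iam/credential`.
-- `
+- `credentialsMetadataUrl`: Base URL for remote STS credential fetch. When set with `roleTrn`, fetches from `{url}/{roleName}`. Response format: `AccessKeyId`, `SecretAccessKey`, `SessionToken`, `ExpiredTime`. 404 falls through to credential file. Cached and refreshed by expiry. Must be explicitly configured.
+- `roleTrn`: Role TRN for STS AssumeRole. When set (and `workloadName` not set), workload name is omitted; backend uses roleName. Priority: `workloadName` > `roleTrn` > params. Also used with `credentialsMetadataUrl` (role name parsed from TRN, e.g. `role/openclaw-agent` → `openclaw-agent`).
 - `sessionToken`: STS session token (or use `VOLCENGINE_SESSION_TOKEN` env).
 
-**Credential resolution order** (AK/SK): 1) Explicit config → 2) Env vars (`VOLCENGINE_ACCESS_KEY`, `VOLCENGINE_SECRET_KEY`, `VOLCENGINE_SESSION_TOKEN`) → 3) Credential file (`credentialsFile` config, or `VOLCENGINE_CREDENTIALS_FILE` env, or `/var/run/secrets/iam/credential`). Credential file format (VeFaaS): `access_key_id`, `secret_access_key`, `session_token` (optional), `role_trn` (optional for AssumeRole). `RUNTIME_IAM_ROLE_TRN` env can supply role TRN when loading from file.
+**Credential resolution order** (AK/SK): 1) Explicit config → 2) Env vars (`VOLCENGINE_ACCESS_KEY`, `VOLCENGINE_SECRET_KEY`, `VOLCENGINE_SESSION_TOKEN`) → 3) Remote metadata (`credentialsMetadataUrl` + `roleTrn`, fetches from `{url}/{roleName}`; 404 falls through) → 4) Credential file (`credentialsFile` config, or `VOLCENGINE_CREDENTIALS_FILE` env, or `/var/run/secrets/iam/credential`). Credential file format (VeFaaS): `access_key_id`, `secret_access_key`, `session_token` (optional), `role_trn` (optional for AssumeRole). `RUNTIME_IAM_ROLE_TRN` env can supply role TRN when loading from file.
 
 **B. User login (UserPool / OIDC)**: For `/identity login` and session setup.
 
@@ -183,14 +184,15 @@ Add to `openclaw.json` under `plugins.entries.agent-identity.config`:
 | `accessKeyId` | string | No* | Volcengine Access Key. Omit to load from `VOLCENGINE_ACCESS_KEY` or `credentialsFile` |
 | `secretAccessKey` | string | No* | Volcengine Secret Key. Omit to load from `VOLCENGINE_SECRET_KEY` or `credentialsFile` |
 | `workloadPoolName` | string | No | Workload pool name, default `default` |
-| `workloadName` | string | No | Workload name. Default: agentId or `openclaw-agent` |
+| `workloadName` | string | No | Workload name for TIP. When set, takes precedence over roleTrn. Default when neither set: agentId or `openclaw-agent` |
 | `audience` | string[] | No | TIP token audience |
 | `durationSeconds` | number | No | TIP token TTL (seconds), default 3600 |
-| `roleTrn` | string | No | Role TRN for STS AssumeRole. When set, workload name is omitted; backend uses roleName |
+| `roleTrn` | string | No | Role TRN for STS AssumeRole. When set (and workloadName not set), workload name is omitted; backend uses roleName. Priority: workloadName > roleTrn > params |
 | `credentialsFile` | string | No | Path to credential JSON. Default: `VOLCENGINE_CREDENTIALS_FILE` or `/var/run/secrets/iam/credential` |
+| `credentialsMetadataUrl` | string | No | Base URL for remote STS fetch. When set with `roleTrn`, fetches from `{url}/{roleName}`. 404 falls through to `credentialsFile` |
 | `sessionToken` | string | No | STS session token (or `VOLCENGINE_SESSION_TOKEN`) |
 
-\* AK/SK must be provided via `accessKeyId`+`secretAccessKey`, environment variables, or `credentialsFile`.
+\* AK/SK must be provided via `accessKeyId`+`secretAccessKey`, environment variables, `credentialsMetadataUrl`+`roleTrn`, or `credentialsFile`.
 
 **Environment variables**: `VOLCENGINE_ACCESS_KEY`, `VOLCENGINE_SECRET_KEY`, `VOLCENGINE_SESSION_TOKEN`, `VOLCENGINE_CREDENTIALS_FILE`, `RUNTIME_IAM_ROLE_TRN` (for AssumeRole when loading from file).
 
@@ -220,9 +222,9 @@ OAuth2 credential fetch uses control-plane redirect URL and scopes. Override via
 
 TIP token is obtained via `GetWorkloadAccessTokenForJWT`. Workload behavior:
 
-- **workloadName** (optional): Workload name sent to the API.
-- **roleTrn** (optional): When set (
-- **Auto-create workload**: When `GetWorkloadAccessTokenForJWT` returns 404 (workload not found), the plugin calls `CreateWorkloadIdentity` to create the workload (Category: Agent), then retries. Only applies when a workload name is used (
+- **workloadName** (optional): Workload name sent to the API. Priority: config.workloadName > config.roleTrn > params (session agentId or `"openclaw-agent"`). When config.workloadName is set, it takes precedence over roleTrn.
+- **roleTrn** (optional): When set (and workloadName not set), the plugin does **not** pass workload name; the backend uses the role name. Use this for delegated execution (e.g. VeFaaS, K8s IRSA).
+- **Auto-create workload**: When `GetWorkloadAccessTokenForJWT` returns 404 (workload not found), the plugin calls `CreateWorkloadIdentity` to create the workload (Category: Agent), then retries. Only applies when a workload name is used (workloadName set or neither workloadName nor roleTrn set). Duplicated (409) from concurrent create is ignored.
 
 ### Feishu notifications
 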
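--- a/package/dist/index.d.ts.map
+++ b/package/dist/index.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAsE7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QA2YtD"}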
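--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -19,8 +19,8 @@ import { createLlmInputHandler } from "./src/hooks/llm-input.js";
 import { createSessionsSendPropagationHandler } from "./src/hooks/sessions-send-propagation.js";
 import { createSessionsSpawnPropagationHandler } from "./src/hooks/sessions-spawn-propagation.js";
 import { createSubagentEndedCleanupHandler } from "./src/hooks/subagent-ended-cleanup.js";
-import { setSender, clearSender } from "./src/store/
-import { deriveSessionKey,
+import { setSender, clearSender } from "./src/store/sender-session-store.js";
+import { deriveSessionKey, needsSenderIsolation, } from "./src/utils/derive-session-key.js";
 import { createBeforeToolCallHandler } from "./src/hooks/before-tool-call.js";
 import { createAfterToolCallHandler } from "./src/hooks/after-tool-call.js";
 import * as skillPathStore from "./src/store/skill-path-store.js";
@@ -43,7 +43,7 @@ import { createIdentityStatusTool } from "./src/tools/identity-status.js";
 import { createIdentityUnsetBindingTool } from "./src/tools/identity-unset-binding.js";
 import { createIdentityWhoamiTool } from "./src/tools/identity-whoami.js";
 import { parseSessionKeyToDeliveryTarget, } from "./src/utils/derive-session-key.js";
-import { logInfo, logWarn } from "./src/utils/logger.js";
+import { logDebug, logInfo, logWarn } from "./src/utils/logger.js";
 import { initEncryptionKey } from "./src/store/encryption.js";
 const PLUGIN_STORE_DIR = "~/.openclaw/plugins/identity";
 /**
@@ -57,6 +57,7 @@ function hasAnyIdentityConfig(identity) {
 identity.secretAccessKey ||
 identity.sessionToken ||
 identity.credentialsFile ||
+identity.credentialsMetadataUrl ||
 identity.roleTrn ||
 identity.workloadPoolName ||
 identity.workloadName ||
@@ -77,6 +78,7 @@ export default function register(api) {
 secretAccessKey: identityCfg?.secretAccessKey,
 sessionToken: identityCfg?.sessionToken,
 credentialsFile: identityCfg?.credentialsFile,
+credentialsMetadataUrl: identityCfg?.credentialsMetadataUrl,
 roleTrn: identityCfg?.roleTrn,
 serviceCode: "id",
 })
@@ -323,7 +325,7 @@ export default function register(api) {
 accountId: ctx.accountId,
 config: api.runtime.config.loadConfig(),
 });
-if (!sessionKey || !
+if (!sessionKey || !needsSenderIsolation(sessionKey))
 return;
 setSender(sessionKey, {
 senderId,
@@ -333,7 +335,7 @@ export default function register(api) {
 messageId: metadata?.messageId,
 capturedAt: Date.now(),
 });
-
+logDebug(api.logger, `sender captured session=${sessionKey} sender=${senderId}`);
 }, { priority: 200 });
 api.on("session_end", (_event, ctx) => {
 if (ctx.sessionKey)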
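Review bot: The new debug line at the end of the sender-capture handler logs the full session key and sender id, while identity-actions.js in this same release truncates keys before logging (`sessionKey.slice(0, 24)`), so this one line exposes more than the rest of the plugin chooses to. Session keys index the per-user session, credential and TIP-token stores here, so a complete key in shared log output is worth avoiding; I would log `session=${sessionKey.slice(0, 24)}...` in the template instead of the raw key. The handler containing this line starts outside the hunk, so I cannot tell which event it is registered on or how senderId is derived.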
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;
|
|
1
|
+
{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAgB/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAUtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,CAAC;AAgFhE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAsCvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC
;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CA0DtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CASvB;AAID,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClG,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,EAChB,MAAM,CAAC,EAAE,qBAAqB,GAC7B,OAAO,CAAC,qBAAqB,CAAC,CAqFhC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA4ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAA
E,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,kFAAkF;IAClF,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B,GACA,OAAO,CAAC,WAAW,CAAC,CA4JtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B"}
|
|
@@ -15,7 +15,7 @@
|
|
|
15
15
|
*/
|
|
16
16
|
import { logDebug, logInfo, logWarn } from "../utils/logger.js";
|
|
17
17
|
import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
|
|
18
|
-
import { fetchOIDCDiscovery, buildAuthorizationUrl, generateState, } from "../services/oidc-client.js";
|
|
18
|
+
import { fetchOIDCDiscovery, buildAuthorizationUrl, generateState, generatePKCE, generateNonce, } from "../services/oidc-client.js";
|
|
19
19
|
import { loadCredentialEnvBindings, loadAllCredentialEnvBindings, setCredentialEnvBinding, deleteCredentialEnvBinding, } from "../store/credential-env-bindings.js";
|
|
20
20
|
import { loadCredentials, setCredential, getCredential, deleteCredentialsForSession, } from "../store/credential-store.js";
|
|
21
21
|
import { getSession, deleteSession } from "../store/session-store.js";
|
|
@@ -134,13 +134,18 @@ export async function runLogin(deps, sessionKey, options) {
|
|
|
134
134
|
const oidcConfig = await getOidcConfig();
|
|
135
135
|
const discovery = await fetchOIDCDiscovery(oidcConfig.discoveryUrl);
|
|
136
136
|
const state = await generateState();
|
|
137
|
-
|
|
137
|
+
const { codeVerifier, codeChallenge } = await generatePKCE();
|
|
138
|
+
const nonce = await generateNonce();
|
|
139
|
+
await createState(storeDir, sessionKey, "", state, deliveryTarget, { codeVerifier, nonce });
|
|
138
140
|
const authUrl = buildAuthorizationUrl({
|
|
139
141
|
authorizationEndpoint: discovery.authorization_endpoint,
|
|
140
142
|
clientId: oidcConfig.clientId,
|
|
141
143
|
redirectUri: oidcConfig.callbackUrl,
|
|
142
144
|
scope: oidcConfig.scope ?? "openid profile email offline_access",
|
|
143
145
|
state,
|
|
146
|
+
codeChallenge,
|
|
147
|
+
codeChallengeMethod: "S256",
|
|
148
|
+
nonce,
|
|
144
149
|
});
|
|
145
150
|
logInfo(logger, `login returning IdP URL for sessionKey=${sessionKey.slice(0, 24)}...`);
|
|
146
151
|
return { kind: "auth_url", authUrl };
|
|
@@ -272,6 +277,7 @@ export async function runConfig(deps) {
|
|
|
272
277
|
accessKeyId: cfg.identity.accessKeyId ? "***" : undefined,
|
|
273
278
|
secretAccessKey: cfg.identity.secretAccessKey ? "***" : undefined,
|
|
274
279
|
credentialsFile: cfg.identity.credentialsFile,
|
|
280
|
+
credentialsMetadataUrl: cfg.identity.credentialsMetadataUrl ? "***" : undefined,
|
|
275
281
|
roleTrn: cfg.identity.roleTrn,
|
|
276
282
|
workloadPoolName: cfg.identity.workloadPoolName,
|
|
277
283
|
workloadName: cfg.identity.workloadName,
|
|
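Review bot: The bare `""` passed as the third argument in `await createState(storeDir, sessionKey, "", state, deliveryTarget, { codeVerifier, nonce });` in runLogin is opaque; a reader cannot tell which field of the state entry is deliberately left empty, so give it a name such as `const NO_CHANNEL = "";` or put a one-line comment above the call. The PKCE verifier persisted in that entry is as sensitive as the authorization code it protects, since anyone who reads it can complete the exchange; the plugin already initialises an encryption key for its stores, so confirm the OIDC state store uses it, or at least keeps entries short-lived and consumes them exactly once (createState is not visible here, so this is inferred). Adding PKCE and a nonce to the login side is the right move, but both only bite if the callback refuses to proceed when an entry lacks them, which this hunk cannot show.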
@@ -15,7 +15,7 @@
|
|
|
15
15
|
*/
|
|
16
16
|
import { runStatus, runLogin, runLogout, runListCredentials, runListTips, runConfig, runFetch, runSetBinding, runUnsetBinding, } from "../actions/identity-actions.js";
|
|
17
17
|
import { deriveSessionKey, deriveDeliveryTargetFromContext, } from "../utils/derive-session-key.js";
|
|
18
|
-
import { buildEffectiveSessionKey } from "../store/
|
|
18
|
+
import { buildEffectiveSessionKey } from "../store/sender-session-store.js";
|
|
19
19
|
import { logDebug } from "../utils/logger.js";
|
|
20
20
|
import { diagnoseRisk } from "../risk/diagnose-risk.js";
|
|
21
21
|
import { getRiskPatterns } from "../risk/classify-risk.js";
|
|
@@ -169,7 +169,7 @@ function createIdentityHandler(deps) {
|
|
|
169
169
|
config: ctx.config,
|
|
170
170
|
});
|
|
171
171
|
const sessionKey = baseSessionKey
|
|
172
|
-
? buildEffectiveSessionKey(baseSessionKey, ctx.senderId)
|
|
172
|
+
? buildEffectiveSessionKey(baseSessionKey, ctx.senderId, ctx.channel)
|
|
173
173
|
: null;
|
|
174
174
|
const needsSession = [
|
|
175
175
|
"login",
|
|
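Review bot: `buildEffectiveSessionKey(baseSessionKey, ctx.senderId, ctx.channel)` now feeds the channel into the per-sender key, so a sender whose isolated session was created under 0.3.2 will presumably derive a different key after upgrading and no longer find it, leaving the old entry on disk with live credentials and no owner. buildEffectiveSessionKey is not visible, so this is inferred from the new argument alone; if the derivation did change, the changelog should say so and startup should purge or migrate stale per-sender sessions. It is also worth checking inside that function that an undefined `ctx.channel` does not stringify into the key, since `String(undefined)` would otherwise collide with a channel literally named "undefined"; the function body is outside this hunk.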
@@ -16,7 +16,7 @@
|
|
|
16
16
|
import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
|
|
17
17
|
import { logDebug, logWarn } from "../utils/logger.js";
|
|
18
18
|
import { isSubagentSessionKey } from "../utils/derive-session-key.js";
|
|
19
|
-
import { resolveEffectiveSessionKey } from "../store/
|
|
19
|
+
import { resolveEffectiveSessionKey } from "../store/sender-session-store.js";
|
|
20
20
|
export function createBeforeAgentStartHandler(deps) {
|
|
21
21
|
const { storeDir, identityService, configWorkloadName, getOidcConfigForRefresh, logger } = deps;
|
|
22
22
|
const tipRefreshOptions = {
|
|
@@ -23,9 +23,9 @@ import { applyEnvSnapshot } from "../store/credential-env-snapshot.js";
|
|
|
23
23
|
import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
|
|
24
24
|
import { supportsSyncApproval } from "../utils/approval-channel.js";
|
|
25
25
|
import { extractDelegationChainFromJwt } from "../utils/auth.js";
|
|
26
|
-
import { isSubagentSessionKey,
|
|
26
|
+
import { isSubagentSessionKey, needsSenderIsolation } from "../utils/derive-session-key.js";
|
|
27
27
|
import { LOG_PREFIX, logDebug, logWarn } from "../utils/logger.js";
|
|
28
|
-
import { getSender, resolveEffectiveSessionKeyForRun } from "../store/
|
|
28
|
+
import { getSender, resolveEffectiveSessionKeyForRun } from "../store/sender-session-store.js";
|
|
29
29
|
// ─── Exempt tools (bypass session + authz entirely) ──────────────────
|
|
30
30
|
const IDENTITY_EXEMPT_TOOLS = new Set([
|
|
31
31
|
"identity_login",
|
|
@@ -98,8 +98,8 @@ export function createBeforeToolCallHandler(deps) {
|
|
|
98
98
|
if (!sessionKey)
|
|
99
99
|
return;
|
|
100
100
|
const effectiveKey = resolveEffectiveSessionKeyForRun(sessionKey, event.runId);
|
|
101
|
-
// Phase 1: group
|
|
102
|
-
if (
|
|
101
|
+
// Phase 1: sender context for shared sessions (group/channel and default main)
|
|
102
|
+
if (needsSenderIsolation(sessionKey)) {
|
|
103
103
|
const groupSender = getSender(sessionKey);
|
|
104
104
|
if (groupSender) {
|
|
105
105
|
params._enhancedContext = {
|
|
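Review bot: In the Phase 1 branch the sender context is read with `getSender(sessionKey)`, keyed on the raw shared session key, even though the line just above resolved a run-scoped `effectiveKey` via `resolveEffectiveSessionKeyForRun(sessionKey, event.runId)`. If getSender returns the most recently captured sender for that shared session, a tool call issued late in a long run is attributed to whoever posted in the group after the run began, and `_enhancedContext` then carries the wrong identity into the authorization that follows. I would have the lookup follow the frozen run, for example `const groupSender = getSenderForRun(sessionKey, event.runId);` or a lookup by `effectiveKey`, whichever the sender store supports. The store API is not visible and the handler continues past the hunk, so this is inferred from the names.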
@@ -20,15 +20,15 @@
|
|
|
20
20
|
*/
|
|
21
21
|
import { parseAvailableSkills } from "../utils/parse-available-skills.js";
|
|
22
22
|
import * as skillPathStore from "../store/skill-path-store.js";
|
|
23
|
-
import { freezeRun, resolveEffectiveSessionKey } from "../store/
|
|
24
|
-
import {
|
|
23
|
+
import { freezeRun, resolveEffectiveSessionKey } from "../store/sender-session-store.js";
|
|
24
|
+
import { needsSenderIsolation } from "../utils/derive-session-key.js";
|
|
25
25
|
import { logDebug } from "../utils/logger.js";
|
|
26
26
|
export function createLlmInputHandler(deps) {
|
|
27
27
|
const { enabled, logger } = deps;
|
|
28
28
|
return (event, ctx) => {
|
|
29
29
|
if (!ctx.sessionKey)
|
|
30
30
|
return;
|
|
31
|
-
if (event.runId &&
|
|
31
|
+
if (event.runId && needsSenderIsolation(ctx.sessionKey)) {
|
|
32
32
|
const effectiveKey = resolveEffectiveSessionKey(ctx.sessionKey);
|
|
33
33
|
if (effectiveKey !== ctx.sessionKey) {
|
|
34
34
|
freezeRun(event.runId, effectiveKey);
|
|
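Review bot: `freezeRun(event.runId, effectiveKey)` is only reached when the resolved key differs from `ctx.sessionKey`, so a run that starts before any sender has been captured for a shared session is never frozen; if a sender is captured while that run is in flight, later `resolveEffectiveSessionKeyForRun` calls for the same runId would presumably pick it up and the run changes identity partway through. Freezing unconditionally, `freezeRun(event.runId, effectiveKey);` with the `if (effectiveKey !== ctx.sessionKey)` guard removed, pins whatever key was in effect when the LLM input was built, which is the semantic the hook name implies. Whether clearFrozenRun is also invoked for non-subagent runs is outside this hunk, so confirm the extra entries are cleaned up before removing the guard.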
@@ -16,7 +16,7 @@
|
|
|
16
16
|
import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
|
|
17
17
|
import { propagateTIPToTarget } from "../services/tip-propagation.js";
|
|
18
18
|
import { logWarn } from "../utils/logger.js";
|
|
19
|
-
import { resolveEffectiveSessionKeyForRun } from "../store/
|
|
19
|
+
import { resolveEffectiveSessionKeyForRun } from "../store/sender-session-store.js";
|
|
20
20
|
export function createSessionsSendPropagationHandler(deps) {
|
|
21
21
|
const { storeDir, identityService, configWorkloadName, getOidcConfigForRefresh, subagentTipPropagation, logger, } = deps;
|
|
22
22
|
return async (event, ctx) => {
|
|
@@ -16,7 +16,7 @@
|
|
|
16
16
|
import { getOrRefreshTIPToken } from "../services/tip-with-refresh.js";
|
|
17
17
|
import { propagateTIPToTarget } from "../services/tip-propagation.js";
|
|
18
18
|
import { logWarn } from "../utils/logger.js";
|
|
19
|
-
import { resolveEffectiveSessionKeyForRun } from "../store/
|
|
19
|
+
import { resolveEffectiveSessionKeyForRun } from "../store/sender-session-store.js";
|
|
20
20
|
export function createSessionsSpawnPropagationHandler(deps) {
|
|
21
21
|
const { storeDir, identityService, configWorkloadName, getOidcConfigForRefresh, subagentTipPropagation, logger, } = deps;
|
|
22
22
|
return async (event, ctx) => {
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
*/
|
|
22
22
|
import { deleteSession } from "../store/session-store.js";
|
|
23
23
|
import { deleteTIPToken } from "../store/tip-store.js";
|
|
24
|
-
import { clearFrozenRun } from "../store/
|
|
24
|
+
import { clearFrozenRun } from "../store/sender-session-store.js";
|
|
25
25
|
import { logDebug, logWarn } from "../utils/logger.js";
|
|
26
26
|
export function createSubagentEndedCleanupHandler(deps) {
|
|
27
27
|
const { storeDir, logger } = deps;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oidc-login.d.ts","sourceRoot":"","sources":["../../../src/routes/oidc-login.ts"],"names":[],"mappings":"AAgBA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AACjE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;
|
|
1
|
+
{"version":3,"file":"oidc-login.d.ts","sourceRoot":"","sources":["../../../src/routes/oidc-login.ts"],"names":[],"mappings":"AAgBA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AACjE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AASvE,MAAM,MAAM,eAAe,GAAG;IAC5B,oGAAoG;IACpG,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kHAAkH;IAClH,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,eAAe,CAAC;IACxB,eAAe,EAAE,eAAe,CAAC;IACjC,oHAAoH;IACpH,cAAc,CAAC,EAAE,CACf,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,MAAM,EACX,cAAc,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,KACxE,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,gBAAgB,IAGhD,KAAK,eAAe,EAAE,KAAK,cAAc,KAAG,OAAO,CAAC,IAAI,CAAC,CAsGxE;AAED,MAAM,MAAM,mBAAmB,GAAG;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClD,eAAe,EAAE,eAAe,CAAC;IACjC,cAAc,CAAC,EAAE,CACf,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,MAAM,EACX,cAAc,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,KACxE,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,+FAA+F;AAC/F,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,oBAAoB,IAGxD,KAAK,eAAe,EAAE,KAAK,cAAc,KAAG,OAAO,CAAC,IAAI,CAAC,CAuGxE"}
|
|
@@ -13,7 +13,7 @@
|
|
|
13
13
|
* See the License for the specific language governing permissions and
|
|
14
14
|
* limitations under the License.
|
|
15
15
|
*/
|
|
16
|
-
import { fetchOIDCDiscovery, exchangeCodeForTokens } from "../services/oidc-client.js";
|
|
16
|
+
import { fetchOIDCDiscovery, exchangeCodeForTokens, verifyIdToken, } from "../services/oidc-client.js";
|
|
17
17
|
import { consumeState } from "../store/oidc-state-store.js";
|
|
18
18
|
import { setSession } from "../store/session-store.js";
|
|
19
19
|
export function createOIDCCallbackHandler(deps) {
|
|
@@ -56,10 +56,31 @@ export function createOIDCCallbackHandler(deps) {
|
|
|
56
56
|
clientSecret: config.clientSecret,
|
|
57
57
|
code,
|
|
58
58
|
redirectUri: config.callbackUrl,
|
|
59
|
+
codeVerifier: entry.codeVerifier,
|
|
59
60
|
});
|
|
60
|
-
const
|
|
61
|
-
|
|
62
|
-
|
|
61
|
+
const idToken = tokens.id_token;
|
|
62
|
+
if (!idToken) {
|
|
63
|
+
res.statusCode = 400;
|
|
64
|
+
res.setHeader("Content-Type", "application/json");
|
|
65
|
+
res.end(JSON.stringify({ error: "Token response missing id_token (required for OIDC)" }));
|
|
66
|
+
return;
|
|
67
|
+
}
|
|
68
|
+
if (!discovery.jwks_uri || !discovery.issuer) {
|
|
69
|
+
res.statusCode = 500;
|
|
70
|
+
res.setHeader("Content-Type", "application/json");
|
|
71
|
+
res.end(JSON.stringify({
|
|
72
|
+
error: "OIDC discovery missing jwks_uri or issuer; cannot verify id_token",
|
|
73
|
+
}));
|
|
74
|
+
return;
|
|
75
|
+
}
|
|
76
|
+
const { sub } = await verifyIdToken({
|
|
77
|
+
idToken,
|
|
78
|
+
jwksUri: discovery.jwks_uri,
|
|
79
|
+
issuer: discovery.issuer,
|
|
80
|
+
audience: config.clientId,
|
|
81
|
+
nonce: entry.nonce,
|
|
82
|
+
});
|
|
83
|
+
const userToken = idToken;
|
|
63
84
|
await setSession(storeDir, entry.sessionKey, {
|
|
64
85
|
userToken,
|
|
65
86
|
sub,
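Review bot: `await verifyIdToken(...)` runs with no local error handling, so a failed signature, issuer, audience or nonce check rejects the whole handler; whether that rejection is caught depends on code before line 56, outside this hunk, and if it is not, the response is never ended and the rejection surfaces as an unhandled one. Catch it here and answer 401 with a generic body, logging the verifier's reason server-side rather than echoing it, since the message tells a caller which check failed. The same block is duplicated verbatim in the `@@ -128,10 +149,31 @@` hunk of createOIDCCallbackHandlerLazy; a shared helper (for example `verifyCallbackIdToken(res, tokens, discovery, config, entry)` returning the verified `sub` or `null` after writing the error response) would keep both paths in step. createOIDCCallbackHandler's body starts and ends outside the hunk.
```javascript
    let sub;
    try {
        ({ sub } = await verifyIdToken({
            idToken,
            jwksUri: discovery.jwks_uri,
            issuer: discovery.issuer,
            audience: config.clientId,
            nonce: entry.nonce,
        }));
    }
    catch (err) {
        // Verification failure is a client-side problem (bad/expired/replayed token):
        // report it as 401 with a fixed message; the detailed reason stays in the log.
        logger?.warn?.(`id_token verification failed: ${err instanceof Error ? err.message : String(err)}`);
        res.statusCode = 401;
        res.setHeader("Content-Type", "application/json");
        res.end(JSON.stringify({ error: "id_token verification failed" }));
        return;
    }
    // … unchanged: userToken assignment and setSession …
```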
|
|
@@ -128,10 +149,31 @@ export function createOIDCCallbackHandlerLazy(deps) {
|
|
|
128
149
|
clientSecret: config.clientSecret,
|
|
129
150
|
code,
|
|
130
151
|
redirectUri: config.callbackUrl,
|
|
152
|
+
codeVerifier: entry.codeVerifier,
|
|
153
|
+
});
|
|
154
|
+
const idToken = tokens.id_token;
|
|
155
|
+
if (!idToken) {
|
|
156
|
+
res.statusCode = 400;
|
|
157
|
+
res.setHeader("Content-Type", "application/json");
|
|
158
|
+
res.end(JSON.stringify({ error: "Token response missing id_token (required for OIDC)" }));
|
|
159
|
+
return;
|
|
160
|
+
}
|
|
161
|
+
if (!discovery.jwks_uri || !discovery.issuer) {
|
|
162
|
+
res.statusCode = 500;
|
|
163
|
+
res.setHeader("Content-Type", "application/json");
|
|
164
|
+
res.end(JSON.stringify({
|
|
165
|
+
error: "OIDC discovery missing jwks_uri or issuer; cannot verify id_token",
|
|
166
|
+
}));
|
|
167
|
+
return;
|
|
168
|
+
}
|
|
169
|
+
const { sub } = await verifyIdToken({
|
|
170
|
+
idToken,
|
|
171
|
+
jwksUri: discovery.jwks_uri,
|
|
172
|
+
issuer: discovery.issuer,
|
|
173
|
+
audience: config.clientId,
|
|
174
|
+
nonce: entry.nonce,
|
|
131
175
|
});
|
|
132
|
-
const userToken =
|
|
133
|
-
const parsed = identityService.parseUserToken(userToken);
|
|
134
|
-
const sub = parsed.sub ?? "unknown";
|
|
176
|
+
const userToken = idToken;
|
|
135
177
|
await setSession(storeDir, entry.sessionKey, {
|
|
136
178
|
userToken,
|
|
137
179
|
sub,
|
|
@@ -31,6 +31,8 @@ export type IdentityClientConfig = {
|
|
|
31
31
|
sessionToken?: string;
|
|
32
32
|
/** Path to credential JSON file (VeFaaS style). Default: VOLCENGINE_CREDENTIALS_FILE or /var/run/secrets/iam/credential */
|
|
33
33
|
credentialsFile?: string;
|
|
34
|
+
/** Base URL for remote STS fetch. When set with roleTrn, fetches from {url}/{roleName}. */
|
|
35
|
+
credentialsMetadataUrl?: string;
|
|
34
36
|
/** Role TRN for STS AssumeRole when AK/SK present but no session token. */
|
|
35
37
|
roleTrn?: string;
|
|
36
38
|
/** Override credential resolution. When set, used instead of explicit/env/file. */
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-client.d.ts","sourceRoot":"","sources":["../../../src/services/identity-client.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAGrE,YAAY,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AAEpE,MAAM,MAAM,kCAAkC,GAAG;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,kCAAkC,GAAG;IAC/C,mBAAmB,EAAE,MAAM,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAOF,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,yEAAyE;IACzE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,2HAA2H;IAC3H,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,2EAA2E;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mFAAmF;IACnF,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACvD,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,4BAA4B,GAAG;IACzC,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,iBAAiB,GAAG,KAAK,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,4BAA4B,GAAG;IACzC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,GAAG,QAAQ,CAAC;IAC3B,IAAI,CAAC,EAAE,iBAAiB,GAAG,KAAK,CAAC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qB
AAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,6BAA6B,GAAG;IAC1C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAC9F,CAAC;AAEF,MAAM,MAAM,6BAA6B,GAAG;IAC1C,mBAAmB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAC/C,IAAI,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACrC,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACvC,+DAA+D;IAC/D,eAAe,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CAClD,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,wCAAwC;AACxC,MAAM,MAAM,QAAQ,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAEtD,iDAAiD;AACjD,MAAM,MAAM,aAAa,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEhE,oDAAoD;AACpD,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,EAAE,CAAC;CAClD,CAAC;AAEF,0DAA0D;AAC1D,MAAM,MAAM,iBAAiB,GAAG;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC
,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC,8BAA8B,CAAC,EAAE,OAAO,CAAC;IACzC,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,6BAA6B,CAAC,EAAE,OAAO,CAAC;IACxC,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC,yBAAyB,CAAC,EAAE,OAAO,CAAC;IACpC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,IAAI,CAAC,EAAE,QAAQ,EAAE,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,wDAAwD;AACxD,MAAM,MAAM,YAAY,GAAG;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB,CAAC;AAEF,2CAA2C;AAC3C,MAAM,MAAM,aAAa,GAAG;IAAE,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEzD,qDAAqD;AACrD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,CAAC;AAEF,4EAA4E;AAC5E,MAAM,MAAM,uBAAuB,GAAG;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,gDAAgD;AAChD,MAAM,MAAM,gBAAgB,GAAG;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,QAAQ,EAAE,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,oDAAoD;AACpD,MAAM,MAAM,sBAAsB,GAAG;IACnC,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CAC
rB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAAE,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC;AAExD,MAAM,MAAM,mBAAmB,GAAG;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,gBAAgB,EAAE,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,8BAA8B,CAAC,EAAE,OAAO,CAAC;IACzC,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,IAAI,CAAC,EAAE,QAAQ,EAAE,CAAC;IAClB,6BAA6B,CAAC,EAAE,OAAO,CAAC;IACxC,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC,yBAAyB,CAAC,EAAE,OAAO,CAAC;IACpC,KAAK,CAAC,EAAE,aAAa,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,sBAAsB,EAAE,CAAC;CAChC,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AA+EF,MAAM,WAAW,uBAAuB;IACtC,4BAA4B,CAC1B,MAAM,EAAE,kCAAk
C,GACzC,OAAO,CAAC,kCAAkC,CAAC,CAAC;IAC/C,sBAAsB,CACpB,MAAM,EAAE,4BAA4B,GACnC,OAAO,CAAC,4BAA4B,CAAC,CAAC;IACzC,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC5E,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACrF,eAAe,CAAC,MAAM,EAAE,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAC/E,uBAAuB,CACrB,MAAM,EAAE,6BAA6B,GACpC,OAAO,CAAC,6BAA6B,CAAC,CAAC;IAC1C,WAAW,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACnE,aAAa,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACzE,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACzE,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACrF,mBAAmB,CAAC,MAAM,EAAE,yBAAyB,GAAG,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAC3F,oBAAoB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;CAC5F;AAED;;;GAGG;AACH,qBAAa,cAAe,YAAW,uBAAuB;IAChD,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,oBAAoB;YAE3C,kBAAkB;IAoB1B,4BAA4B,CAChC,MAAM,EAAE,kCAAkC,GACzC,OAAO,CAAC,kCAAkC,CAAC;YA2ChC,sBAAsB;YA4BtB,SAAS;YAKT,UAAU;YAKV,aAAa;IAK3B,8EAA8E;IAC9E,OAAO,CAAC,mBAAmB;IAoB3B,yFAAyF;IACzF,OAAO,CAAC,WAAW;YAOL,UAAU;IA8FlB,sBAAsB,CAC1B,MAAM,EAAE,4BAA4B,GACnC,OAAO,CAAC,4BAA4B,CAAC;IAwBlC,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAiB3E,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAkBpF,eAAe,CAAC,MAAM,EAAE,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAkB9E,uBAAuB,CAC3B,MAAM,EAAE,6BAA6B,GACpC,OAAO,CAAC,6BAA6B,CAAC;IA0BnC,WAAW,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IASlE,aAAa,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAkDxE,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAyBxE,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAYpF,mBAAmB,CAAC,MAAM,EAAE,yBAAyB,GAAG,OAAO,CAAC,yBAAyB,CAAC;IAoC1F,oBAAoB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,uBAAuB,CAAC;CAkBjG;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,OAAO,CAAC
;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,uBAAuB,EAC/B,MAAM,EAAE,uBAAuB,GAC9B,OAAO,CAAC,kBAAkB,CAAC,CAgG7B"}
|
|
1
|
+
{"version":3,"file":"identity-client.d.ts","sourceRoot":"","sources":["../../../src/services/identity-client.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAGrE,YAAY,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AAEpE,MAAM,MAAM,kCAAkC,GAAG;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,kCAAkC,GAAG;IAC/C,mBAAmB,EAAE,MAAM,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAOF,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,yEAAyE;IACzE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,2HAA2H;IAC3H,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,2FAA2F;IAC3F,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,2EAA2E;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mFAAmF;IACnF,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACvD,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,4BAA4B,GAAG;IACzC,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,iBAAiB,GAAG,KAAK,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,4BAA4B,GAAG;IACzC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,GAAG,QAAQ,CAAC;IAC3B,IAAI,CAAC,EAAE,iBAAiB,GAAG,KAAK,CAAC;IACjC,QAAQ,CAAC,EAAE,MAA
M,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,6BAA6B,GAAG;IAC1C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAC9F,CAAC;AAEF,MAAM,MAAM,6BAA6B,GAAG;IAC1C,mBAAmB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAC/C,IAAI,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACrC,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACvC,+DAA+D;IAC/D,eAAe,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CAClD,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,wCAAwC;AACxC,MAAM,MAAM,QAAQ,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAEtD,iDAAiD;AACjD,MAAM,MAAM,aAAa,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEhE,oDAAoD;AACpD,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,EAAE,CAAC;CAClD,CAAC;AAEF,0DAA0D;AAC1D,MAAM,MAAM,iBAAiB,GAAG;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IA
ClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC,8BAA8B,CAAC,EAAE,OAAO,CAAC;IACzC,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,6BAA6B,CAAC,EAAE,OAAO,CAAC;IACxC,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC,yBAAyB,CAAC,EAAE,OAAO,CAAC;IACpC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,IAAI,CAAC,EAAE,QAAQ,EAAE,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,wDAAwD;AACxD,MAAM,MAAM,YAAY,GAAG;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB,CAAC;AAEF,2CAA2C;AAC3C,MAAM,MAAM,aAAa,GAAG;IAAE,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEzD,qDAAqD;AACrD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,CAAC;AAEF,4EAA4E;AAC5E,MAAM,MAAM,uBAAuB,GAAG;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,gDAAgD;AAChD,MAAM,MAAM,gBAAgB,GAAG;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,QAAQ,EAAE,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,oDAAoD;AACpD,MAAM,MAAM,sBAAsB,GAAG;IACnC,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAA
E,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAAE,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC;AAExD,MAAM,MAAM,mBAAmB,GAAG;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,gBAAgB,EAAE,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,8BAA8B,CAAC,EAAE,OAAO,CAAC;IACzC,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,IAAI,CAAC,EAAE,QAAQ,EAAE,CAAC;IAClB,6BAA6B,CAAC,EAAE,OAAO,CAAC;IACxC,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC,yBAAyB,CAAC,EAAE,OAAO,CAAC;IACpC,KAAK,CAAC,EAAE,aAAa,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,sBAAsB,EAAE,CAAC;CAChC,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AA+EF,MAAM,
WAAW,uBAAuB;IACtC,4BAA4B,CAC1B,MAAM,EAAE,kCAAkC,GACzC,OAAO,CAAC,kCAAkC,CAAC,CAAC;IAC/C,sBAAsB,CACpB,MAAM,EAAE,4BAA4B,GACnC,OAAO,CAAC,4BAA4B,CAAC,CAAC;IACzC,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC5E,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACrF,eAAe,CAAC,MAAM,EAAE,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAC/E,uBAAuB,CACrB,MAAM,EAAE,6BAA6B,GACpC,OAAO,CAAC,6BAA6B,CAAC,CAAC;IAC1C,WAAW,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACnE,aAAa,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACzE,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACzE,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACrF,mBAAmB,CAAC,MAAM,EAAE,yBAAyB,GAAG,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAC3F,oBAAoB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;CAC5F;AAED;;;GAGG;AACH,qBAAa,cAAe,YAAW,uBAAuB;IAChD,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,oBAAoB;YAE3C,kBAAkB;IAqB1B,4BAA4B,CAChC,MAAM,EAAE,kCAAkC,GACzC,OAAO,CAAC,kCAAkC,CAAC;YA2ChC,sBAAsB;YA4BtB,SAAS;YAKT,UAAU;YAKV,aAAa;IAK3B,8EAA8E;IAC9E,OAAO,CAAC,mBAAmB;IAoB3B,yFAAyF;IACzF,OAAO,CAAC,WAAW;YAOL,UAAU;IA8FlB,sBAAsB,CAC1B,MAAM,EAAE,4BAA4B,GACnC,OAAO,CAAC,4BAA4B,CAAC;IAwBlC,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAiB3E,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAkBpF,eAAe,CAAC,MAAM,EAAE,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAkB9E,uBAAuB,CAC3B,MAAM,EAAE,6BAA6B,GACpC,OAAO,CAAC,6BAA6B,CAAC;IA0BnC,WAAW,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IASlE,aAAa,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAkDxE,cAAc,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAyBxE,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAYpF,mBAAmB,CAAC,MAAM,EAAE,yBAAyB,GAAG,OAAO,CAAC,yBAAyB,CAAC;IAoC1F,oBAAoB,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,uBAAuB,CAAC;CAkBjG;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAA
C,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,uBAAuB,EAC/B,MAAM,EAAE,uBAAuB,GAC9B,OAAO,CAAC,kBAAkB,CAAC,CAgG7B"}
|
|
@@ -113,6 +113,7 @@ export class IdentityClient {
|
|
|
113
113
|
secretAccessKey: this.config.secretAccessKey,
|
|
114
114
|
sessionToken: this.config.sessionToken,
|
|
115
115
|
credentialsFile: this.config.credentialsFile,
|
|
116
|
+
credentialsMetadataUrl: this.config.credentialsMetadataUrl,
|
|
116
117
|
roleTrn: this.config.roleTrn,
|
|
117
118
|
});
|
|
118
119
|
}
|
|
@@ -8,12 +8,14 @@ export type LoadCredentialsOptions = {
|
|
|
8
8
|
secretAccessKey?: string;
|
|
9
9
|
sessionToken?: string;
|
|
10
10
|
credentialsFile?: string;
|
|
11
|
+
/** Base URL for remote STS fetch. When set with roleTrn, fetches from {url}/{roleName}. */
|
|
12
|
+
credentialsMetadataUrl?: string;
|
|
11
13
|
roleTrn?: string;
|
|
12
14
|
resolvePath?: (p: string) => string;
|
|
13
15
|
};
|
|
14
16
|
/**
|
|
15
|
-
* Load credentials from config, env, or file (veadk-style).
|
|
16
|
-
* Order: explicit > env > file.
|
|
17
|
+
* Load credentials from config, env, remote metadata, or file (veadk-style).
|
|
18
|
+
* Order: explicit > env > remote metadata (credentialsMetadataUrl + roleTrn) > file.
|
|
17
19
|
* Returns resolved credentials or throws if none found.
|
|
18
20
|
*/
|
|
19
21
|
export declare function loadIdentityCredentials(opts?: LoadCredentialsOptions): Promise<IdentityCredentials>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-credentials.d.ts","sourceRoot":"","sources":["../../../src/services/identity-credentials.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"identity-credentials.d.ts","sourceRoot":"","sources":["../../../src/services/identity-credentials.ts"],"names":[],"mappings":"AA8BA,MAAM,MAAM,mBAAmB,GAAG;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AASF,MAAM,MAAM,sBAAsB,GAAG;IACnC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,2FAA2F;IAC3F,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;CACrC,CAAC;AAyEF;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC,mBAAmB,CAAC,CAuD9B"}
|
|
@@ -18,7 +18,8 @@
|
|
|
18
18
|
* Loads AK/SK from:
|
|
19
19
|
* 1. Explicit config (accessKeyId, secretAccessKey, sessionToken)
|
|
20
20
|
* 2. Environment variables (VOLCENGINE_ACCESS_KEY, VOLCENGINE_SECRET_KEY, VOLCENGINE_SESSION_TOKEN)
|
|
21
|
-
* 3.
|
|
21
|
+
* 3. Remote metadata (credentialsMetadataUrl + roleTrn) - fetches STS from HTTP, caches by ExpiredTime
|
|
22
|
+
* 4. Credential file (VOLCENGINE_CREDENTIALS_FILE or /var/run/secrets/iam/credential)
|
|
22
23
|
* Supports STS session token. Optional AssumeRole via roleTrn.
|
|
23
24
|
*/
|
|
24
25
|
import { existsSync } from "node:fs";
|
|
@@ -31,8 +32,68 @@ const ENV_CRED_FILE = "VOLCENGINE_CREDENTIALS_FILE";
|
|
|
31
32
|
const DEFAULT_CRED_PATH = "/var/run/secrets/iam/credential";
|
|
32
33
|
const ENV_ROLE_TRN = "RUNTIME_IAM_ROLE_TRN";
|
|
33
34
|
/**
|
|
34
|
-
*
|
|
35
|
-
|
|
35
|
+
* Parse role name from role TRN. E.g. trn:iam::2000080000:role/openclaw-agent -> openclaw-agent.
|
|
36
|
+
*/
|
|
37
|
+
function parseRoleNameFromTrn(roleTrn) {
|
|
38
|
+
const m = roleTrn.match(/role\/([^/]+)$/);
|
|
39
|
+
return m ? m[1] : null;
|
|
40
|
+
}
|
|
41
|
+
const REMOTE_METADATA_REFRESH_BUFFER_SEC = 300;
|
|
42
|
+
const remoteMetadataCache = new Map();
|
|
43
|
+
/**
|
|
44
|
+
* Fetch credentials from remote metadata URL. Returns null on 404 or parse failure (fall through).
|
|
45
|
+
* Caches by ExpiredTime and refreshes when within refresh buffer.
|
|
46
|
+
*/
|
|
47
|
+
async function fetchRemoteMetadataCredentials(baseUrl, roleTrn) {
|
|
48
|
+
const roleName = parseRoleNameFromTrn(roleTrn);
|
|
49
|
+
if (!roleName)
|
|
50
|
+
return null;
|
|
51
|
+
const url = `${baseUrl.replace(/\/$/, "")}/${roleName}`;
|
|
52
|
+
const cacheKey = url;
|
|
53
|
+
const cached = remoteMetadataCache.get(cacheKey);
|
|
54
|
+
const nowSec = Math.floor(Date.now() / 1000);
|
|
55
|
+
if (cached && cached.expiresAt > nowSec + REMOTE_METADATA_REFRESH_BUFFER_SEC) {
|
|
56
|
+
return cached.cred;
|
|
57
|
+
}
|
|
58
|
+
let res;
|
|
59
|
+
try {
|
|
60
|
+
res = await fetch(url);
|
|
61
|
+
}
|
|
62
|
+
catch {
|
|
63
|
+
return null;
|
|
64
|
+
}
|
|
65
|
+
if (!res.ok)
|
|
66
|
+
return null;
|
|
67
|
+
let json;
|
|
68
|
+
try {
|
|
69
|
+
json = (await res.json());
|
|
70
|
+
}
|
|
71
|
+
catch {
|
|
72
|
+
return null;
|
|
73
|
+
}
|
|
74
|
+
const ak = json.AccessKeyId;
|
|
75
|
+
const sk = json.SecretAccessKey;
|
|
76
|
+
const token = json.SessionToken;
|
|
77
|
+
if (!ak || !sk || !token)
|
|
78
|
+
return null;
|
|
79
|
+
let expiresAt = nowSec + 3600;
|
|
80
|
+
const expiredTime = json.ExpiredTime;
|
|
81
|
+
if (expiredTime) {
|
|
82
|
+
const parsed = Date.parse(expiredTime);
|
|
83
|
+
if (!Number.isNaN(parsed))
|
|
84
|
+
expiresAt = Math.floor(parsed / 1000);
|
|
85
|
+
}
|
|
86
|
+
const cred = {
|
|
87
|
+
accessKeyId: ak.trim(),
|
|
88
|
+
secretAccessKey: sk.trim(),
|
|
89
|
+
sessionToken: token.trim(),
|
|
90
|
+
};
|
|
91
|
+
remoteMetadataCache.set(cacheKey, { cred, expiresAt });
|
|
92
|
+
return cred;
|
|
93
|
+
}
|
|
94
|
+
/**
|
|
95
|
+
* Load credentials from config, env, remote metadata, or file (veadk-style).
|
|
96
|
+
* Order: explicit > env > remote metadata (credentialsMetadataUrl + roleTrn) > file.
|
|
36
97
|
* Returns resolved credentials or throws if none found.
|
|
37
98
|
*/
|
|
38
99
|
export async function loadIdentityCredentials(opts = {}) {
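Review bot: The `.trim()` calls that build `cred` assume `AccessKeyId`, `SecretAccessKey` and `SessionToken` are strings, but the guard `if (!ak || !sk || !token)` only checks truthiness, so a non-string value (a numeric field, an object) throws a TypeError that escapes fetchRemoteMetadataCredentials — the two catch blocks only cover `fetch` and `res.json()`. Tighten the guard to `if (typeof ak !== "string" || typeof sk !== "string" || typeof token !== "string") return null;` so malformed responses fall through like every other failure. `res = await fetch(url)` also has no timeout, so a stalled metadata endpoint blocks credential loading indefinitely; `res = await fetch(url, { signal: AbortSignal.timeout(REMOTE_METADATA_TIMEOUT_MS) });` with a module constant bounds it, and the existing catch already turns the abort into `null`. The doc comment says null is returned "on 404 or parse failure", while the code returns null on any non-ok status, any network error and missing fields — widen it to `Returns null on any fetch error, non-2xx status, unparseable body or missing fields (fall through to the file path).` so callers read the fall-through correctly.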
|
|
@@ -62,6 +123,11 @@ export async function loadIdentityCredentials(opts = {}) {
|
|
|
62
123
|
};
|
|
63
124
|
}
|
|
64
125
|
}
|
|
126
|
+
if (opts.credentialsMetadataUrl && opts.roleTrn) {
|
|
127
|
+
const cred = await fetchRemoteMetadataCredentials(opts.credentialsMetadataUrl, opts.roleTrn);
|
|
128
|
+
if (cred)
|
|
129
|
+
return cred;
|
|
130
|
+
}
|
|
65
131
|
const credPath = opts.credentialsFile ?? process.env[ENV_CRED_FILE] ?? DEFAULT_CRED_PATH;
|
|
66
132
|
const resolvedPath = resolvePath(credPath);
|
|
67
133
|
if (existsSync(resolvedPath)) {
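Review bot: The remote branch is gated on `opts.roleTrn` alone, while the file defines `ENV_ROLE_TRN = "RUNTIME_IAM_ROLE_TRN"` a few lines above; if that env fallback is not applied to `opts.roleTrn` earlier in loadIdentityCredentials (its body starts outside this hunk), deployments that set only the env var never reach the metadata path and silently drop to the credential file. If so, resolve once before the check, `const roleTrn = opts.roleTrn ?? process.env[ENV_ROLE_TRN];`, and gate on `roleTrn`. A `null` return from fetchRemoteMetadataCredentials is also passed over without any log line, so an operator cannot tell why the file path was taken; a debug-level message naming the metadata URL (not the credentials) at this point would make the fall-through diagnosable.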
|
|
@@ -24,8 +24,9 @@ export declare class IdentityService {
|
|
|
24
24
|
sub?: string;
|
|
25
25
|
}): Promise<TIPTokenEntry>;
|
|
26
26
|
/**
|
|
27
|
-
*
|
|
28
|
-
*
|
|
27
|
+
* Lightweight expiry check for stored user tokens.
|
|
28
|
+
* Signature verification is performed at the trust boundary (OIDC callback and token refresh),
|
|
29
|
+
* so tokens stored in session are already verified. This method only checks format and expiry.
|
|
29
30
|
*/
|
|
30
31
|
parseUserToken(userToken: string): {
|
|
31
32
|
valid: boolean;
|