@m1a0rz/agent-identity 0.4.2 → 0.4.4
- package/README-cn.md +28 -16
- package/README.md +28 -16
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +3 -1
- package/dist/src/actions/identity-actions.d.ts.map +1 -1
- package/dist/src/actions/identity-actions.js +9 -2
- package/dist/src/preflight/plugin-preflight.d.ts +1 -1
- package/dist/src/preflight/plugin-preflight.d.ts.map +1 -1
- package/dist/src/preflight/plugin-preflight.js +19 -0
- package/dist/src/services/identity-client.d.ts +27 -4
- package/dist/src/services/identity-client.d.ts.map +1 -1
- package/dist/src/services/identity-client.js +61 -28
- package/dist/src/types.d.ts +6 -0
- package/dist/src/types.d.ts.map +1 -1
- package/dist/src/utils/resolve-identity-endpoint.d.ts +26 -0
- package/dist/src/utils/resolve-identity-endpoint.d.ts.map +1 -0
- package/dist/src/utils/resolve-identity-endpoint.js +90 -0
- package/openclaw.plugin.json +5 -1
- package/package.json +1 -1
- package/skills/SKILL.md +9 -9
- package/dist/scripts/demo-get-session.d.ts +0 -15
- package/dist/scripts/demo-get-session.d.ts.map +0 -1
- package/dist/scripts/demo-get-session.js +0 -58
package/README-cn.md
CHANGED
|
@@ -39,6 +39,8 @@ UserPool OIDC 登录、TIP (Trusted Identity Provider) 令牌(通过 Identity
|
|
|
39
39
|
| `list-tips` | 列出所有有效 TIP 令牌及其委托链、过期时间和环境变量绑定。 |
|
|
40
40
|
| `config` | 显示 identity 插件配置(敏感信息脱敏)。 |
|
|
41
41
|
| `list-credentials` 或 `list [page]` | 分页列出控制台 provider 及已绑定的凭据。使用 `list 2` 加载更多。 |
|
|
42
|
+
| `list-roles` | 列出 STS 角色类凭据提供方(非 OAuth/API key)。可选按名称前缀过滤。 |
|
|
43
|
+
| `get-role <provider> [--use-tip] [--show-secrets]` | 获取某角色提供方的 STS 临时凭据(默认脱敏)。 |
|
|
42
44
|
| `fetch <provider> [--flow=...]` | 添加凭据。flow 根据 provider 类型自动推断;可用 `--flow` 覆盖。 |
|
|
43
45
|
| `set <provider> <envVar>` | 将凭据绑定到环境变量供工具注入。无凭据时从 `process.env[envVar]` 导入。 |
|
|
44
46
|
| `unset <provider>` | 移除 provider 的环境变量绑定。 |
|
|
@@ -104,7 +106,8 @@ openclaw plugins install --link .
|
|
|
104
106
|
|
|
105
107
|
**A. 平台侧访问配置(Identity)**:用于获取 TIP Token、拉取/托管凭据、做权限校验(可选)。
|
|
106
108
|
|
|
107
|
-
- `endpoint
|
|
109
|
+
- `endpoint`(可选):Identity API 根地址(例如 `https://id.cn-beijing.volcengineapi.com`)。**优先级最高**。
|
|
110
|
+
- `regionMetadataUrl`(可选):返回 **纯文本 region id**(如 `cn-beijing`)的 HTTP(S) URL。仅当 **未配置 `endpoint`** 时使用:客户端拼接 `https://id.{region}.volcengineapi.com`。单次请求约 10s 超时;失败或正文无效(如 `unknown`)时回退到 `https://id.cn-beijing.volcengineapi.com`。示例:`http://100.96.0.96/latest/region_id`(需网关能访问)。
|
|
108
111
|
- `accessKeyId` / `secretAccessKey`:用于访问 Identity API。**可选**,可使用环境变量或凭据文件(见下)。
|
|
109
112
|
- `workloadPoolName` / `workloadName`:用于签发 TIP Token。默认:`default`、`openclaw-agent`。
|
|
110
113
|
- `audience` / `durationSeconds`:可选,令牌受众与有效期。
|
|
@@ -113,6 +116,10 @@ openclaw plugins install --link .
|
|
|
113
116
|
- `roleTrn`:STS AssumeRole 的 Role TRN。设置后(且未设置 `workloadName`)不传 workload name,后端使用 roleName。优先级:`workloadName` > `roleTrn` > params。与 `credentialsMetadataUrl` 配合时用于 AssumeRole,或与显式 AK/SK 配合。
|
|
114
117
|
- `sessionToken`:STS 会话令牌(或使用 `VOLCENGINE_SESSION_TOKEN` 环境变量)。
|
|
115
118
|
|
|
119
|
+
**Identity API 地址解析**:已配置 `endpoint` → 否则用 `regionMetadataUrl` 拉取 region 拼接 URL → 否则 `https://id.cn-beijing.volcengineapi.com`。**SigV4 签名用 region** 从解析后的主机名匹配 `id.{region}.volcengineapi.com` 推断;否则为 `cn-beijing`。
|
|
120
|
+
|
|
121
|
+
**工作负载池(凭据 / STS)**:`workloadPoolName`(默认 `default`)用于限定 `ListCredentialProviders`、`ListRoleCredentialProviders` 以及 `GetResourceOauth2Token`、`GetResourceApiKey`、`GetUserCredential`、`GetRoleCredentials` 等接口的 `PoolName`。若配置了 `userpool.userPoolName`,角色提供方列表还会在客户端按用户池再过滤。
|
|
122
|
+
|
|
116
123
|
**凭据解析顺序**(AK/SK):1)显式 config → 2)环境变量(`VOLCENGINE_ACCESS_KEY`、`VOLCENGINE_SECRET_KEY`、`VOLCENGINE_SESSION_TOKEN`)→ 3)远程元数据(`credentialsMetadataUrl` + `roleTrn`,从完整 URL 拉取后做 AssumeRole;404 时回退)→ 4)凭据文件(config 的 `credentialsFile`,或 `VOLCENGINE_CREDENTIALS_FILE` 环境变量,或 `/var/run/secrets/iam/credential`)。凭据文件格式(VeFaaS):`access_key_id`、`secret_access_key`、`session_token`(可选)、`role_trn`(可选,用于 AssumeRole)。`RUNTIME_IAM_ROLE_TRN` 环境变量可在从文件加载时提供 role TRN。
|
|
117
124
|
|
|
118
125
|
**B. 用户登录配置(UserPool / OIDC)**:用于 `/identity login` 的用户登录与会话建立。
|
|
@@ -121,6 +128,8 @@ openclaw plugins install --link .
|
|
|
121
128
|
- `clientId` / `clientSecret`(动态模式下可自动解析)
|
|
122
129
|
- `callbackUrl`:OpenClaw 网关对外可访问的回调地址,例如 `http://127.0.0.1:18789/identity/oauth/callback`
|
|
123
130
|
- `scope`:一般包含 `openid profile email`
|
|
131
|
+
- `identityProvider`(可选):授权 URL 中 `identity_provider` 对应的 IdP 名称;不填则使用 `ListIdentityProviders` 返回的第一条。
|
|
132
|
+
- `useRelayCallback`(可选):经 UserPool relay / `redirect_relay_uri` 的 OIDC 回调流程。默认 false。
|
|
124
133
|
|
|
125
134
|
**C. 权限校验与风险审批(AuthZ,可选)**:用于 TIP + CheckPermission + 风险评估与用户审批。各开关独立,无统一 `enable`。
|
|
126
135
|
|
|
@@ -182,7 +191,8 @@ openclaw plugins install --link .
|
|
|
182
191
|
|
|
183
192
|
| 参数 | 类型 | 必填 | 含义 |
|
|
184
193
|
|------|------|------|------|
|
|
185
|
-
| `endpoint` | string |
|
|
194
|
+
| `endpoint` | string | 否 | Identity API 根地址。不填则通过 `regionMetadataUrl` 或默认 `https://id.cn-beijing.volcengineapi.com` |
|
|
195
|
+
| `regionMetadataUrl` | string | 否 | 返回纯文本 region 的 URL;在未配置 `endpoint` 时拼接 `https://id.{region}.volcengineapi.com` |
|
|
186
196
|
| `accessKeyId` | string | 否* | 火山引擎 Access Key。不填时从 `VOLCENGINE_ACCESS_KEY` 或 `credentialsFile` 读取 |
|
|
187
197
|
| `secretAccessKey` | string | 否* | 火山引擎 Secret Key。不填时从 `VOLCENGINE_SECRET_KEY` 或 `credentialsFile` 读取 |
|
|
188
198
|
| `workloadPoolName` | string | 否 | 工作负载池名称,默认 `default` |
|
|
@@ -275,20 +285,22 @@ TIP token 通过 `GetWorkloadAccessTokenForJWT` 获取。工作负载行为:
|
|
|
275
285
|
|
|
276
286
|
## 工具
|
|
277
287
|
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
- **
|
|
281
|
-
- **
|
|
282
|
-
- **
|
|
283
|
-
- **
|
|
284
|
-
- **
|
|
285
|
-
- **
|
|
286
|
-
- **
|
|
287
|
-
- **
|
|
288
|
-
- **
|
|
289
|
-
- **
|
|
290
|
-
- **
|
|
291
|
-
- **identity_list_risk_patterns**
|
|
288
|
+
面向 Agent 的用法见 [`skills/SKILL.md`](skills/SKILL.md)。本插件注册的工具有:
|
|
289
|
+
|
|
290
|
+
- **identity_whoami** — 会话身份(sub、TIP)
|
|
291
|
+
- **identity_status** — 登录、TIP、凭据、绑定
|
|
292
|
+
- **identity_login** / **identity_logout** — OIDC 登录或刷新 TIP;清除会话
|
|
293
|
+
- **identity_list_credentials** — OAuth/API key 类 provider 与已存凭据(支持 `page`、`name`、`flow`、`type` 过滤)
|
|
294
|
+
- **identity_list_roles** — STS 角色类凭据提供方(`name` 前缀过滤)
|
|
295
|
+
- **identity_fetch** — 添加凭据(`provider`、`flow`、`redirectUrl`、`scopes`、`returnValue`)
|
|
296
|
+
- **identity_get_role_credentials** — 某角色提供方的 STS 临时凭据(`providerName`、`useTip`)
|
|
297
|
+
- **identity_get_tip_token** / **identity_get_session_token** — 原始 TIP JWT 或会话 user token(进阶场景)
|
|
298
|
+
- **identity_config** — 当前生效配置(脱敏)
|
|
299
|
+
- **identity_config_suggest** — 可合并的配置片段(`intent`、`lang`)
|
|
300
|
+
- **identity_set_binding** / **identity_unset_binding** — 工具注入用的环境变量绑定
|
|
301
|
+
- **identity_risk_check** / **identity_list_risk_patterns** — 风险评估(可选插件能力)
|
|
302
|
+
- **identity_approve_tool** — 可选;**仅供人工审批** — 推荐 `/identity approve <id>`(模型不得自批)
|
|
303
|
+
- **identity_list_tips** — 所有有效 TIP 与绑定(运维 / 多会话排查)
|
|
292
304
|
|
|
293
305
|
## 钩子
|
|
294
306
|
|
package/README.md
CHANGED
|
@@ -39,6 +39,8 @@ Single command `/identity` (alias `/id`) with subcommands. Default with no args:
|
|
|
39
39
|
| `list-tips` | List all valid TIP tokens with delegation chain, expiry, and env bindings. |
|
|
40
40
|
| `config` | Show identity plugin config (sensitive values redacted). |
|
|
41
41
|
| `list-credentials` or `list [page]` | List providers from control plane (paginated) and your credentials with bound env. Use `list 2` to load more. |
|
|
42
|
+
| `list-roles` | List STS role credential providers (not OAuth/API key). Optional name prefix filter. |
|
|
43
|
+
| `get-role <provider> [--use-tip] [--show-secrets]` | Get temporary STS credentials for a role provider (masked by default). |
|
|
42
44
|
| `fetch <provider> [--flow=...]` | Add credential. Flow auto-inferred from provider type (api_key/oauth2/m2m); override with `--flow`. |
|
|
43
45
|
| `set <provider> <envVar>` | Bind credential to env var for tool injection. If no credential, import from `process.env[envVar]`. |
|
|
44
46
|
| `unset <provider>` | Remove env binding for provider. |
|
|
@@ -104,7 +106,8 @@ The plugin typically needs three types of config:
|
|
|
104
106
|
|
|
105
107
|
**A. Platform access (Identity)**: For TIP Token, credential fetch/hosting, and optional permission checks.
|
|
106
108
|
|
|
107
|
-
- `endpoint
|
|
109
|
+
- `endpoint` (optional): Full Identity API base URL (e.g. `https://id.cn-beijing.volcengineapi.com`). **Highest priority** for the API host.
|
|
110
|
+
- `regionMetadataUrl` (optional): HTTP(S) URL that returns a **plain-text region id** (e.g. `cn-beijing`). Used only when `endpoint` is **unset**: the client builds `https://id.{region}.volcengineapi.com`. Request timeout ~10s; on failure or invalid body (e.g. `unknown`), falls back to `https://id.cn-beijing.volcengineapi.com`. Example metadata URL: `http://100.96.0.96/latest/region_id` (must be reachable from the gateway).
|
|
108
111
|
- `accessKeyId` / `secretAccessKey`: For Identity API access. **Optional** when using env vars or credential file (see below).
|
|
109
112
|
- `workloadPoolName` / `workloadName`: For issuing TIP Token. Defaults: `default`, `openclaw-agent`.
|
|
110
113
|
- `audience` / `durationSeconds`: Optional, token audience and validity.
|
|
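Review bot: The `regionMetadataUrl` bullet does not say what counts as a valid region body before it is interpolated into `https://id.{region}.volcengineapi.com`; `unknown` is the only invalid value it names. Because the resolved host is where the signed Identity API requests are sent, document the accepted format (for instance lowercase letters, digits and hyphens only) and point out that the example metadata URL is plain `http://`, so the answer from that address is trusted to select the API host. A sentence recommending an explicit `endpoint` where the metadata service is not trusted would cover it.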
@@ -113,6 +116,10 @@ The plugin typically needs three types of config:
|
|
|
113
116
|
- `roleTrn`: Role TRN for STS AssumeRole. When set (and `workloadName` not set), workload name is omitted; backend uses roleName. Priority: `workloadName` > `roleTrn` > params. Used with `credentialsMetadataUrl` (AssumeRole after fetch) or explicit AK/SK.
|
|
114
117
|
- `sessionToken`: STS session token (or use `VOLCENGINE_SESSION_TOKEN` env).
|
|
115
118
|
|
|
119
|
+
**Identity API host resolution**: `endpoint` if set → else region from `regionMetadataUrl` → else `https://id.cn-beijing.volcengineapi.com`. **SigV4 signing region** is inferred from the resolved host when it matches `id.{region}.volcengineapi.com`; otherwise `cn-beijing`.
|
|
120
|
+
|
|
121
|
+
**Workload pool (credentials / STS)**: `workloadPoolName` (default `default`) scopes `ListCredentialProviders`, `ListRoleCredentialProviders`, and control-plane calls such as `GetResourceOauth2Token`, `GetResourceApiKey`, `GetUserCredential`, and `GetRoleCredentials` via `PoolName`. Role provider listing also filters by `userpool.userPoolName` when configured.
|
|
122
|
+
|
|
116
123
|
**Credential resolution order** (AK/SK): 1) Explicit config → 2) Env vars (`VOLCENGINE_ACCESS_KEY`, `VOLCENGINE_SECRET_KEY`, `VOLCENGINE_SESSION_TOKEN`) → 3) Remote metadata (`credentialsMetadataUrl` + `roleTrn`, fetches from full URL then AssumeRole; 404 falls through) → 4) Credential file (`credentialsFile` config, or `VOLCENGINE_CREDENTIALS_FILE` env, or `/var/run/secrets/iam/credential`). Credential file format (VeFaaS): `access_key_id`, `secret_access_key`, `session_token` (optional), `role_trn` (optional for AssumeRole). `RUNTIME_IAM_ROLE_TRN` env can supply role TRN when loading from file.
|
|
117
124
|
|
|
118
125
|
**B. User login (UserPool / OIDC)**: For `/identity login` and session setup.
|
|
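Review bot: The host-resolution paragraph says the signing region falls back to `cn-beijing` whenever the resolved host does not match `id.{region}.volcengineapi.com`, but it never mentions the `region` override that `IdentityClientConfig` declares, so a custom `endpoint` in another region would be signed for `cn-beijing` with no hint of how to correct it. Name the override in this paragraph.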
@@ -121,6 +128,8 @@ The plugin typically needs three types of config:
|
|
|
121
128
|
- `clientId` / `clientSecret` (auto-resolved in dynamic mode)
|
|
122
129
|
- `callbackUrl`: Public callback URL for OpenClaw gateway, e.g. `http://127.0.0.1:18789/identity/oauth/callback`
|
|
123
130
|
- `scope`: Typically `openid profile email`
|
|
131
|
+
- `identityProvider` (optional): IdP name for the `identity_provider` authorize param. When omitted, the first entry from `ListIdentityProviders` is used.
|
|
132
|
+
- `useRelayCallback` (optional): UserPool relay / `redirect_relay_uri` flow for OIDC callback. Default false.
|
|
124
133
|
|
|
125
134
|
**C. AuthZ and risk approval (optional)**: For TIP + CheckPermission + risk evaluation. Each flag is independent; no single "enable" switch.
|
|
126
135
|
|
|
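Review bot: On the `identityProvider` bullet, falling back to the first entry from `ListIdentityProviders` makes the login IdP depend on list order, which the README does not define. State whether that order is stable and recommend setting `identityProvider` explicitly when more than one IdP is configured. The `useRelayCallback` bullet should also say what the default of false means for installs that used the relay callback before this release.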
@@ -182,7 +191,8 @@ Add to `openclaw.json` under `plugins.entries.agent-identity.config`:
|
|
|
182
191
|
|
|
183
192
|
| Param | Type | Required | Description |
|
|
184
193
|
|-------|------|----------|--------------|
|
|
185
|
-
| `endpoint` | string |
|
|
194
|
+
| `endpoint` | string | No | Identity API base URL. Omit to use `regionMetadataUrl` or default `https://id.cn-beijing.volcengineapi.com` |
|
|
195
|
+
| `regionMetadataUrl` | string | No | Plain-text region id URL; builds `https://id.{region}.volcengineapi.com` when `endpoint` unset |
|
|
186
196
|
| `accessKeyId` | string | No* | Volcengine Access Key. Omit to load from `VOLCENGINE_ACCESS_KEY` or `credentialsFile` |
|
|
187
197
|
| `secretAccessKey` | string | No* | Volcengine Secret Key. Omit to load from `VOLCENGINE_SECRET_KEY` or `credentialsFile` |
|
|
188
198
|
| `workloadPoolName` | string | No | Workload pool name, default `default` |
|
|
@@ -275,20 +285,22 @@ Follow-up messages (login success, credential fetch done) are not delivered when
|
|
|
275
285
|
|
|
276
286
|
## Tools
|
|
277
287
|
|
|
278
|
-
-
|
|
279
|
-
|
|
280
|
-
- **
|
|
281
|
-
- **
|
|
282
|
-
- **
|
|
283
|
-
- **
|
|
284
|
-
- **
|
|
285
|
-
- **
|
|
286
|
-
- **
|
|
287
|
-
- **
|
|
288
|
-
- **
|
|
289
|
-
- **
|
|
290
|
-
- **
|
|
291
|
-
- **
|
|
288
|
+
Agent-facing behavior is summarized in [`skills/SKILL.md`](skills/SKILL.md). Registered tools:
|
|
289
|
+
|
|
290
|
+
- **identity_whoami** — Session identity (sub, TIP)
|
|
291
|
+
- **identity_status** — Login, TIP, credentials, bindings
|
|
292
|
+
- **identity_login** / **identity_logout** — OIDC login or refresh TIP; clear session
|
|
293
|
+
- **identity_list_credentials** — OAuth/API key providers and stored credentials (`page`, `name`, `flow`, `type` filters)
|
|
294
|
+
- **identity_list_roles** — STS role credential providers (`name` prefix filter)
|
|
295
|
+
- **identity_fetch** — Add credential (`provider`, `flow`, `redirectUrl`, `scopes`, `returnValue`)
|
|
296
|
+
- **identity_get_role_credentials** — STS credentials for a role provider (`providerName`, `useTip`)
|
|
297
|
+
- **identity_get_tip_token** / **identity_get_session_token** — Raw TIP JWT or session user token (advanced)
|
|
298
|
+
- **identity_config** — Effective plugin config (redacted)
|
|
299
|
+
- **identity_config_suggest** — Config merge snippets (`intent`, `lang`)
|
|
300
|
+
- **identity_set_binding** / **identity_unset_binding** — Env var bindings for tool injection
|
|
301
|
+
- **identity_risk_check** / **identity_list_risk_patterns** — Risk evaluation (optional plugin)
|
|
302
|
+
- **identity_approve_tool** — Optional; **human approval only** — prefer `/identity approve <id>` (agents must not self-approve)
|
|
303
|
+
- **identity_list_tips** — All valid TIP tokens and bindings (ops / multi-session debug)
|
|
292
304
|
|
|
293
305
|
## Hooks
|
|
294
306
|
|
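Review bot: The `identity_approve_tool` entry says "human approval only" and "agents must not self-approve" while listing it among the tools registered with the agent; the README should say what enforces that rule, because a prohibition in documentation does not stop a model from calling a registered tool. The same list exposes `identity_get_tip_token`, `identity_get_session_token` and `identity_get_role_credentials`, so state whether their return values are masked in tool output by default, as the `get-role` command is.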
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAmF7D,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,QA+etD"}
|
package/dist/index.js
CHANGED
|
@@ -61,6 +61,7 @@ function hasAnyIdentityConfig(identity) {
|
|
|
61
61
|
if (!identity)
|
|
62
62
|
return false;
|
|
63
63
|
return Boolean(identity.endpoint ||
|
|
64
|
+
identity.regionMetadataUrl ||
|
|
64
65
|
identity.accessKeyId ||
|
|
65
66
|
identity.secretAccessKey ||
|
|
66
67
|
identity.sessionToken ||
|
|
@@ -85,7 +86,8 @@ export default function register(api) {
|
|
|
85
86
|
const userpool = pluginConfig.userpool;
|
|
86
87
|
const identityClient = hasIdentity
|
|
87
88
|
? new IdentityClient({
|
|
88
|
-
endpoint: identityCfg?.endpoint
|
|
89
|
+
endpoint: identityCfg?.endpoint,
|
|
90
|
+
regionMetadataUrl: identityCfg?.regionMetadataUrl,
|
|
89
91
|
accessKeyId: identityCfg?.accessKeyId,
|
|
90
92
|
secretAccessKey: identityCfg?.secretAccessKey,
|
|
91
93
|
sessionToken: identityCfg?.sessionToken,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAEV,uBAAuB,EAExB,MAAM,gCAAgC,CAAC;AACxC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAgB/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAWtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,GAAG,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"identity-actions.d.ts","sourceRoot":"","sources":["../../../src/actions/identity-actions.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAEV,uBAAuB,EAExB,MAAM,gCAAgC,CAAC;AACxC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAgB/E,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,8BAA8B,CAAC;AAWtC,MAAM,MAAM,oBAAoB,GAAG;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACnD,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC9D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,qBAAqB,CAAC,EAAE,CACtB,kBAAkB,EAAE,wBAAwB,GAAG,MAAM,EACrD,IAAI,EAAE,MAAM,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,GAAG,MAAM,CAAC;AAmHzE,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC,CAAC;AAEF,wB
AAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CA4BvB;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,mBAAmB,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC1C;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,cAAc,CAAC;IAAC,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAA;CAAE,GACtF,OAAO,CAAC,WAAW,CAAC,CAyDtB;AAED,MAAM,MAAM,YAAY,GAAG;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC;AAE3C,wBAAsB,SAAS,CAC7B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CASvB;AAID,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,WAAW,EAAE,CAAC;IACzB,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAU,EAChB,MAAM,CAAC,EAAE,qBAAqB,GAC7B,OAAO,CAAC,qBAAqB,CAAC,CA6DhC;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GACzB,OAAO,CAAC,yBAAyB,CAAC,CA2CpC;AAED,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,KAAK,CAAC;QACV,UAAU,EAAE,MAAM,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,oDAAoD;IACpD,iBAAiB,EAAE,MAAM,CAAC,MAAM,
EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAC3D,CAAC;AAEF,wBAAsB,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,cAAc,CAAC,CAsBpF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF,wBAAsB,SAAS,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA6ChF;AAED,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,wBAAwB,GAAG,IAAI,CAAC;IACjD,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,kFAAkF;IAClF,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B,GACA,OAAO,CAAC,WAAW,CAAC,CAqKtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,wBAAsB,aAAa,CACjC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3C,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,MAAM,MAAM,kBAAkB,GAAG;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAW7B;AAED,MAAM,MAAM,8BAA8B,GACtC;IACA,IAAI,EAAE,SAAS,CAAC;IAChB,WAAW,EAAE;QACX,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,GACC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE;IACN,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAA
O,qBAAqB,EAAE,cAAc,CAAC;CACvD,GACA,OAAO,CAAC,8BAA8B,CAAC,CAsDzC;AAED,MAAM,MAAM,iBAAiB,GACzB;IACA,IAAI,EAAE,SAAS,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB,GACC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC;;GAEG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,cAAc,GACtB,OAAO,CAAC,iBAAiB,CAAC,CAgB5B;AAED,MAAM,MAAM,qBAAqB,GAC7B;IACA,IAAI,EAAE,SAAS,CAAC;IAChB,4CAA4C;IAC5C,cAAc,EAAE,MAAM,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GACC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,qBAAqB,CAAC,CAoBhC"}
|
|
@@ -67,7 +67,7 @@ function sleep(ms) {
|
|
|
67
67
|
}
|
|
68
68
|
/** Poll GetResourceOauth2Token until accessToken or timeout; store credential and notify. */
|
|
69
69
|
async function pollOAuthAndNotify(params) {
|
|
70
|
-
const { identityClient, provider, identityToken, flow, redirectUrl, scopes, sessionKey, storeDir, deliveryTarget, sendCredentialMessage, logger, } = params;
|
|
70
|
+
const { identityClient, provider, identityToken, flow, redirectUrl, scopes, poolName, sessionKey, storeDir, deliveryTarget, sendCredentialMessage, logger, } = params;
|
|
71
71
|
const start = Date.now();
|
|
72
72
|
while (Date.now() - start < OAUTH_POLL_TIMEOUT_MS) {
|
|
73
73
|
await sleep(OAUTH_POLL_INTERVAL_MS);
|
|
@@ -78,6 +78,7 @@ async function pollOAuthAndNotify(params) {
|
|
|
78
78
|
flow,
|
|
79
79
|
redirectUrl,
|
|
80
80
|
scopes: scopes?.length ? scopes : undefined,
|
|
81
|
+
poolName,
|
|
81
82
|
});
|
|
82
83
|
if (result.accessToken) {
|
|
83
84
|
await setCredential(storeDir, sessionKey, provider, {
|
|
@@ -161,7 +162,7 @@ export async function runLogin(deps, sessionKey, options) {
|
|
|
161
162
|
codeChallenge,
|
|
162
163
|
codeChallengeMethod: "S256",
|
|
163
164
|
nonce,
|
|
164
|
-
redirectRelayUri: oidcConfig.callbackUrl,
|
|
165
|
+
redirectRelayUri: deps.pluginConfig?.userpool?.useRelayCallback ? oidcConfig.callbackUrl : undefined,
|
|
165
166
|
identityProvider,
|
|
166
167
|
});
|
|
167
168
|
logInfo(logger, `login returning IdP URL for sessionKey=${sessionKey.slice(0, 24)}...`);
|
|
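Review bot: `redirectRelayUri` is now gated on a truthiness test of `deps.pluginConfig?.userpool?.useRelayCallback`, so a config value such as the string `"false"` would enable the relay flow. Compare against `true` explicitly, or validate the type when the config is loaded. The removed line passed `oidcConfig.callbackUrl` unconditionally, so with the default of false this is a behaviour change for existing installs and deserves a changelog entry.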
@@ -313,6 +314,7 @@ export async function runConfig(deps) {
|
|
|
313
314
|
if (cfg.identity) {
|
|
314
315
|
out.identity = {
|
|
315
316
|
endpoint: cfg.identity.endpoint,
|
|
317
|
+
regionMetadataUrl: cfg.identity.regionMetadataUrl ? "***" : undefined,
|
|
316
318
|
accessKeyId: cfg.identity.accessKeyId ? "***" : undefined,
|
|
317
319
|
secretAccessKey: cfg.identity.secretAccessKey ? "***" : undefined,
|
|
318
320
|
credentialsFile: cfg.identity.credentialsFile,
|
|
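Review bot: `regionMetadataUrl` is replaced by `"***"` while `endpoint` and `credentialsFile` are printed as-is, and when `endpoint` is unset the output gives no indication of which Identity host was resolved. The metadata URL decides where signed requests go, so an operator auditing the config needs to see it; print the URL (or at least its origin) and consider adding the resolved endpoint to `out.identity`.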
@@ -382,6 +384,7 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
382
384
|
const result = await identityClient.getResourceApiKey({
|
|
383
385
|
providerName: provider,
|
|
384
386
|
identityToken: tip.token,
|
|
387
|
+
poolName: deps.workloadPoolName,
|
|
385
388
|
});
|
|
386
389
|
await setCredential(storeDir, sessionKey, provider, {
|
|
387
390
|
type: "api_key",
|
|
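Review bot: `poolName: deps.workloadPoolName` is passed through with no fallback here and at the other `runFetch` and `pollOAuthAndNotify` call sites, so if `deps.workloadPoolName` is undefined the request scope depends on how the client treats a missing `PoolName`. The README gives the default as `default`; apply that default in one place (where `deps` is built, or inside the client) rather than relying on each call site.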
@@ -394,6 +397,7 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
394
397
|
const result = await identityClient.getUserCredential({
|
|
395
398
|
credentialId: provider,
|
|
396
399
|
identityToken: tip.token,
|
|
400
|
+
poolName: deps.workloadPoolName,
|
|
397
401
|
});
|
|
398
402
|
await setCredential(storeDir, sessionKey, provider, {
|
|
399
403
|
type: "user",
|
|
@@ -409,6 +413,7 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
409
413
|
flow: oauth2Flow,
|
|
410
414
|
redirectUrl: redirectUrl,
|
|
411
415
|
scopes: scopes?.length ? scopes : undefined,
|
|
416
|
+
poolName: deps.workloadPoolName,
|
|
412
417
|
});
|
|
413
418
|
if (oauthResult.accessToken) {
|
|
414
419
|
await setCredential(storeDir, sessionKey, provider, {
|
|
@@ -431,6 +436,7 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
431
436
|
flow: oauth2Flow,
|
|
432
437
|
redirectUrl,
|
|
433
438
|
scopes: scopes?.length ? scopes : undefined,
|
|
439
|
+
poolName: deps.workloadPoolName,
|
|
434
440
|
});
|
|
435
441
|
if (retry.accessToken) {
|
|
436
442
|
await setCredential(storeDir, sessionKey, provider, {
|
|
@@ -466,6 +472,7 @@ export async function runFetch(deps, sessionKey, params) {
|
|
|
466
472
|
flow: oauth2Flow,
|
|
467
473
|
redirectUrl,
|
|
468
474
|
scopes,
|
|
475
|
+
poolName: deps.workloadPoolName,
|
|
469
476
|
sessionKey,
|
|
470
477
|
storeDir,
|
|
471
478
|
deliveryTarget: deliveryTarget ?? null,
|
|
@@ -10,7 +10,7 @@
|
|
|
10
10
|
* 3. workloadPool — GetWorkloadAccessTokenForJWT returns a pool-level error (not just missing token)
|
|
11
11
|
* 4. namespace — CheckPermission with dummy principal; only namespace-not-found is fatal
|
|
12
12
|
*/
|
|
13
|
-
import type
|
|
13
|
+
import { type IdentityClientInterface } from "../services/identity-client.js";
|
|
14
14
|
import type { IdentityService } from "../services/identity-service.js";
|
|
15
15
|
import type { PreflightFailure } from "./plugin-state.js";
|
|
16
16
|
export type PreflightResult = {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"plugin-preflight.d.ts","sourceRoot":"","sources":["../../../src/preflight/plugin-preflight.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,
|
|
1
|
+
{"version":3,"file":"plugin-preflight.d.ts","sourceRoot":"","sources":["../../../src/preflight/plugin-preflight.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;;GAWG;AAEH,OAAO,EAA2B,KAAK,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AACvG,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAGvE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAI1D,MAAM,MAAM,eAAe,GAAG;IAC5B,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,EAAE,gBAAgB,EAAE,CAAC;CAC9B,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,+CAA+C;IAC/C,cAAc,EAAE,uBAAuB,CAAC;IACxC,eAAe,EAAE,eAAe,CAAC;IACjC,8DAA8D;IAC9D,WAAW,EAAE,OAAO,CAAC;IACrB,uDAAuD;IACvD,gBAAgB,CAAC,EAAE;QACjB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,sBAAsB,CAAC,EAAE,MAAM,CAAC;QAChC,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,0CAA0C;IAC1C,QAAQ,CAAC,EAAE;QACT,IAAI,EAAE,SAAS,GAAG,UAAU,CAAC;QAC7B,mBAAmB;QACnB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,oBAAoB;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,0DAA0D;IAC1D,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,8CAA8C;IAC9C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;CACzE,CAAC;AA6MF,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,eAAe,CAAC,CA6BtF"}
|
|
@@ -13,6 +13,19 @@
|
|
|
13
13
|
* See the License for the specific language governing permissions and
|
|
14
14
|
* limitations under the License.
|
|
15
15
|
*/
|
|
16
|
+
/**
|
|
17
|
+
* Plugin preflight checks.
|
|
18
|
+
*
|
|
19
|
+
* Runs once at plugin startup (non-blocking — register() fires-and-forgets).
|
|
20
|
+
* Any failure sets pluginState.degraded = true so hooks skip all interception.
|
|
21
|
+
*
|
|
22
|
+
* Checks (all run concurrently, each with a 5 s timeout):
|
|
23
|
+
* 1. credentials — AK/SK resolvable from config/env/file/metadata
|
|
24
|
+
* 2. userpool — UserPool + Client reachable (dynamic: listUserPools; explicit: OIDC discovery)
|
|
25
|
+
* 3. workloadPool — GetWorkloadAccessTokenForJWT returns a pool-level error (not just missing token)
|
|
26
|
+
* 4. namespace — CheckPermission with dummy principal; only namespace-not-found is fatal
|
|
27
|
+
*/
|
|
28
|
+
import { isWorkloadNotFoundError } from "../services/identity-client.js";
|
|
16
29
|
import { loadIdentityCredentials } from "../services/identity-credentials.js";
|
|
17
30
|
import { fetchOIDCDiscovery } from "../services/oidc-client.js";
|
|
18
31
|
const PREFLIGHT_TIMEOUT_MS = 30_000;
|
|
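Review bot: The new header comment says each check runs "with a 5 s timeout", but the unchanged constant just below the imports is `PREFLIGHT_TIMEOUT_MS = 30_000`. One of the two is stale; update the comment or the constant so they agree. The comment also states that any failure sets pluginState.degraded = true and hooks then skip all interception, so it should say whether a timeout counts as a failure, given that checkWorkloadPool treats timeouts as non-fatal.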
@@ -144,6 +157,12 @@ async function checkWorkloadPool(deps) {
|
|
|
144
157
|
reason: `WorkloadPool '${poolName}' not found: ${msg}`,
|
|
145
158
|
};
|
|
146
159
|
}
|
|
160
|
+
else if (isWorkloadNotFoundError(result)) {
|
|
161
|
+
return {
|
|
162
|
+
check: "workloadPool",
|
|
163
|
+
reason: `WorkloadPool '${poolName}' not found: ${msg}`,
|
|
164
|
+
};
|
|
165
|
+
}
|
|
147
166
|
// Timeout or other transient error — not fatal for preflight
|
|
148
167
|
return null;
|
|
149
168
|
}
|
|
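Review bot: The added `else if (isWorkloadNotFoundError(result))` branch tests `result` but reports `msg`, and its return body is a copy of the branch above it. isWorkloadNotFoundError reads `err.message` only for Error instances and otherwise falls back to `String(err)`, so if `result` is a plain object the test runs against "[object Object]" and never matches. Test the same value that produced `msg`, and fold the condition into the existing branch instead of duplicating the return.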
@@ -22,8 +22,18 @@ export type GetWorkloadAccessTokenForJWTResult = {
|
|
|
22
22
|
workloadAccessToken: string;
|
|
23
23
|
expiresAt: string;
|
|
24
24
|
};
|
|
25
|
+
export declare function isWorkloadNotFoundError(err: unknown): boolean;
|
|
25
26
|
export type IdentityClientConfig = {
|
|
26
|
-
|
|
27
|
+
/**
|
|
28
|
+
* Identity API base URL. Highest priority.
|
|
29
|
+
* When omitted, derived from regionMetadataUrl or cn-beijing default.
|
|
30
|
+
*/
|
|
31
|
+
endpoint?: string;
|
|
32
|
+
/**
|
|
33
|
+
* Plain-text region id from this URL (e.g. http://100.96.0.96/latest/region_id).
|
|
34
|
+
* Builds https://id.{region}.volcengineapi.com when endpoint is unset.
|
|
35
|
+
*/
|
|
36
|
+
regionMetadataUrl?: string;
|
|
27
37
|
/** Explicit AK/SK. When absent, loaded from env or credentialsFile. */
|
|
28
38
|
accessKeyId?: string;
|
|
29
39
|
secretAccessKey?: string;
|
|
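Review bot: The doc for regionMetadataUrl says the plain-text response is placed into https://id.{region}.volcengineapi.com, and the example URL is plain http, but nothing here states that the returned region id is validated. That string decides which host receives the signed requests, so the comment should state the accepted format (for example lowercase letters, digits and hyphens only) and that anything else is rejected rather than interpolated. Also document what happens when the metadata URL is unreachable, since endpoint is now optional.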
@@ -41,6 +51,7 @@ export type IdentityClientConfig = {
|
|
|
41
51
|
serviceCode?: string;
|
|
42
52
|
/** API version. Default: 2025-10-30. */
|
|
43
53
|
version?: string;
|
|
54
|
+
/** Signing region override. When unset, parsed from id.{region}.volcengineapi.com host when possible. */
|
|
44
55
|
region?: string;
|
|
45
56
|
};
|
|
46
57
|
export type GetResourceOauth2TokenParams = {
|
|
@@ -68,6 +79,8 @@ export type Oauth2CallbackResult = {
|
|
|
68
79
|
export type GetResourceApiKeyParams = {
|
|
69
80
|
providerName: string;
|
|
70
81
|
identityToken: string;
|
|
82
|
+
/** Workload pool; sent as PoolName. */
|
|
83
|
+
poolName?: string;
|
|
71
84
|
};
|
|
72
85
|
export type GetResourceApiKeyResult = {
|
|
73
86
|
apiKey: string;
|
|
@@ -76,6 +89,8 @@ export type GetResourceApiKeyResult = {
|
|
|
76
89
|
export type GetUserCredentialParams = {
|
|
77
90
|
credentialId: string;
|
|
78
91
|
identityToken: string;
|
|
92
|
+
/** Workload pool; sent as PoolName. */
|
|
93
|
+
poolName?: string;
|
|
79
94
|
};
|
|
80
95
|
export type GetUserCredentialResult = {
|
|
81
96
|
credentialId: string;
|
|
@@ -139,8 +154,13 @@ export type RoleCredentialProvider = {
|
|
|
139
154
|
export type ListRoleCredentialProvidersParams = {
|
|
140
155
|
PageNumber?: number;
|
|
141
156
|
PageSize?: number;
|
|
142
|
-
/** Workload pool name.
|
|
157
|
+
/** Workload pool name. Sent as top-level PoolName and Filter.PoolName. */
|
|
143
158
|
PoolName?: string;
|
|
159
|
+
/** Optional API filter fields (PoolName is merged from PoolName when set). */
|
|
160
|
+
Filter?: {
|
|
161
|
+
PoolName?: string;
|
|
162
|
+
Name?: string;
|
|
163
|
+
};
|
|
144
164
|
/** Filter by user pool ID (match IdentityPool.UserPool.PoolId). */
|
|
145
165
|
UserPoolId?: string;
|
|
146
166
|
/** Filter by user pool name (match IdentityPool.UserPool.PoolName). */
|
|
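Review bot: The comment on Filter, "PoolName is merged from PoolName when set", does not say which value wins when a caller sets both the top-level PoolName and Filter.PoolName to different pools. Since PoolName scopes which role credential providers are listed, state the precedence explicitly (or reject conflicting values) and reword the comment to name both fields, e.g. "Filter.PoolName defaults to the top-level PoolName".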
@@ -425,7 +445,10 @@ export interface IdentityClientInterface {
|
|
|
425
445
|
*/
|
|
426
446
|
export declare class IdentityClient implements IdentityClientInterface {
|
|
427
447
|
private readonly config;
|
|
448
|
+
private lazyResolvedEndpoint;
|
|
428
449
|
constructor(config: IdentityClientConfig);
|
|
450
|
+
private getResolvedEndpoint;
|
|
451
|
+
private resolveSigningRegion;
|
|
429
452
|
private resolveCredentials;
|
|
430
453
|
getWorkloadAccessTokenForJWT(params: GetWorkloadAccessTokenForJWTParams): Promise<GetWorkloadAccessTokenForJWTResult>;
|
|
431
454
|
private createWorkloadIdentity;
|
|
@@ -463,8 +486,8 @@ export type ResolveOIDCConfigParams = {
|
|
|
463
486
|
/**
|
|
464
487
|
* Resolve OIDC config from UserPool and Client names (from_veidentity style).
|
|
465
488
|
* If pool/client not found and autoCreate=true, creates them.
|
|
466
|
-
* Also fetches the first identity provider from ListIdentityProviders and
|
|
467
|
-
*
|
|
489
|
+
* Also fetches the first identity provider from ListIdentityProviders and caches poolUid —
|
|
490
|
+
* callers should cache the result to avoid repeated API calls.
|
|
468
491
|
*/
|
|
469
492
|
export declare function resolveOIDCConfig(client: IdentityClientInterface, params: ResolveOIDCConfigParams): Promise<ResolvedOIDCConfig>;
|
|
470
493
|
//# sourceMappingURL=identity-client.d.ts.map
|
|
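Review bot: The reworded sentence now reads as if resolveOIDCConfig itself "caches poolUid", while the next line tells callers to cache the result. Say which one holds: if the function only returns poolUid in ResolvedOIDCConfig, write "returns poolUid" so callers do not assume an internal cache and call it repeatedly.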
@@ -15,8 +15,9 @@
|
|
|
15
15
|
*/
|
|
16
16
|
import { loadIdentityCredentials } from "./identity-credentials.js";
|
|
17
17
|
import { canonicalQueryString, signRequest } from "../utils/sts-signer.js";
|
|
18
|
+
import { resolveIdentityApiEndpoint, signingRegionFromIdentityEndpoint, } from "../utils/resolve-identity-endpoint.js";
|
|
18
19
|
export { loadIdentityCredentials } from "./identity-credentials.js";
|
|
19
|
-
function isWorkloadNotFoundError(err) {
|
|
20
|
+
export function isWorkloadNotFoundError(err) {
|
|
20
21
|
const msg = err instanceof Error ? err.message : String(err);
|
|
21
22
|
return /404|NotFound/i.test(msg);
|
|
22
23
|
}
|
|
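Review bot: Exporting isWorkloadNotFoundError makes its `/404|NotFound/i` test on the message text a shared contract, and preflight now uses it to declare the workload pool missing. Any message that happens to contain "404" or "NotFound" (a request id, a different resource that was not found) will match, which by the preflight header comment marks the plugin degraded. Prefer matching on a structured status or error code if signedPost exposes one, and add a doc comment describing what the predicate accepts.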
@@ -95,9 +96,25 @@ function toUserPoolClientResult(r) {
|
|
|
95
96
|
*/
|
|
96
97
|
export class IdentityClient {
|
|
97
98
|
config;
|
|
99
|
+
lazyResolvedEndpoint = null;
|
|
98
100
|
constructor(config) {
|
|
99
101
|
this.config = config;
|
|
100
102
|
}
|
|
103
|
+
getResolvedEndpoint() {
|
|
104
|
+
if (!this.lazyResolvedEndpoint) {
|
|
105
|
+
this.lazyResolvedEndpoint = resolveIdentityApiEndpoint({
|
|
106
|
+
endpoint: this.config.endpoint,
|
|
107
|
+
regionMetadataUrl: this.config.regionMetadataUrl,
|
|
108
|
+
});
|
|
109
|
+
}
|
|
110
|
+
return this.lazyResolvedEndpoint;
|
|
111
|
+
}
|
|
112
|
+
async resolveSigningRegion(baseUrl) {
|
|
113
|
+
const explicit = this.config.region?.trim();
|
|
114
|
+
if (explicit)
|
|
115
|
+
return explicit;
|
|
116
|
+
return signingRegionFromIdentityEndpoint(baseUrl) ?? "cn-beijing";
|
|
117
|
+
}
|
|
101
118
|
async resolveCredentials() {
|
|
102
119
|
if (this.config.credentialsGetter) {
|
|
103
120
|
return this.config.credentialsGetter();
|
|
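Review bot: `getResolvedEndpoint()` keeps the first result of `resolveIdentityApiEndpoint` for the lifetime of the client, fallback included, so a single slow or failed metadata lookup pins every later request to the default endpoint. Cache only a successful region resolution, or allow a retry. Also, `resolveSigningRegion` signs with "cn-beijing" whenever an explicit `endpoint` host does not match `id.{region}.volcengineapi.com` and `region` is unset; raising a clear configuration error there would be easier to diagnose than a signature mismatch from the service.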
@@ -129,7 +146,7 @@ export class IdentityClient {
|
|
|
129
146
|
body.Name = params.name;
|
|
130
147
|
if (params.audience?.length)
|
|
131
148
|
body.Audience = params.audience;
|
|
132
|
-
const result = (await this.signedPost(
|
|
149
|
+
const result = (await this.signedPost("GetWorkloadAccessTokenForJWT", body, "2025-10-30"));
|
|
133
150
|
if (!result?.WorkloadAccessToken) {
|
|
134
151
|
throw new Error("Identity API: missing WorkloadAccessToken in response");
|
|
135
152
|
}
|
|
@@ -164,7 +181,7 @@ export class IdentityClient {
|
|
|
164
181
|
if (params.description)
|
|
165
182
|
body.Description = params.description;
|
|
166
183
|
try {
|
|
167
|
-
await this.signedPost(
|
|
184
|
+
await this.signedPost("CreateWorkloadIdentity", body, "2025-10-30");
|
|
168
185
|
}
|
|
169
186
|
catch (err) {
|
|
170
187
|
// Duplicated (409): workload already exists, e.g. race with another process. Retry will succeed.
|
|
@@ -178,12 +195,13 @@ export class IdentityClient {
|
|
|
178
195
|
* Signed POST using sts-signer (same encoding as volcengine-nodejs-sdk).
|
|
179
196
|
* Service: id (Identity API), method: POST.
|
|
180
197
|
*/
|
|
181
|
-
async signedPost(
|
|
198
|
+
async signedPost(action, body, versionOverride) {
|
|
199
|
+
const baseUrl = await this.getResolvedEndpoint();
|
|
182
200
|
const creds = await this.resolveCredentials();
|
|
183
201
|
const { accessKeyId, secretAccessKey, sessionToken } = creds;
|
|
184
202
|
const serviceCode = this.config.serviceCode ?? "id";
|
|
185
203
|
const version = versionOverride ?? this.config.version ?? "2025-10-30";
|
|
186
|
-
const region = this.
|
|
204
|
+
const region = await this.resolveSigningRegion(baseUrl);
|
|
187
205
|
const url = new URL(baseUrl);
|
|
188
206
|
const pathname = url.pathname || "/";
|
|
189
207
|
const host = url.host;
|
|
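Review bot: In `signedPost`, `baseUrl` now comes from `getResolvedEndpoint()` and goes straight into `new URL(baseUrl)` with no scheme check in the lines shown, while the same function holds `secretAccessKey` and `sessionToken`. The resolver returns an explicit `endpoint` untouched, so reject any value whose `url.protocol` is not `https:` before signing; otherwise a misconfigured endpoint can carry the session token over cleartext.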
@@ -236,9 +254,10 @@ export class IdentityClient {
|
|
|
236
254
|
body.RedirectUrl = params.redirectUrl;
|
|
237
255
|
if (params.forceAuthentication !== undefined)
|
|
238
256
|
body.ForceAuthentication = params.forceAuthentication ? 1 : 0;
|
|
239
|
-
if (params.poolName)
|
|
257
|
+
if (params.poolName) {
|
|
240
258
|
body.PoolName = params.poolName;
|
|
241
|
-
|
|
259
|
+
}
|
|
260
|
+
const result = (await this.signedPost("GetResourceOauth2Token", body));
|
|
242
261
|
return {
|
|
243
262
|
accessToken: result.AccessToken,
|
|
244
263
|
authorizationUrl: result.AuthorizationUrl,
|
|
@@ -252,7 +271,7 @@ export class IdentityClient {
|
|
|
252
271
|
};
|
|
253
272
|
if (params.error)
|
|
254
273
|
body.Error = params.error;
|
|
255
|
-
const result = (await this.signedPost(
|
|
274
|
+
const result = (await this.signedPost("Oauth2Callback", body));
|
|
256
275
|
if (!result.AccessToken) {
|
|
257
276
|
throw new Error("Identity Oauth2Callback: missing AccessToken");
|
|
258
277
|
}
|
|
@@ -263,7 +282,9 @@ export class IdentityClient {
|
|
|
263
282
|
ProviderName: params.providerName,
|
|
264
283
|
IdentityToken: params.identityToken,
|
|
265
284
|
};
|
|
266
|
-
|
|
285
|
+
if (params.poolName)
|
|
286
|
+
body.PoolName = params.poolName;
|
|
287
|
+
const result = (await this.signedPost("GetResourceApiKey", body));
|
|
267
288
|
if (!result.ApiKey) {
|
|
268
289
|
throw new Error("Identity GetResourceApiKey: missing ApiKey");
|
|
269
290
|
}
|
|
@@ -277,7 +298,9 @@ export class IdentityClient {
|
|
|
277
298
|
CredentialId: params.credentialId,
|
|
278
299
|
IdentityToken: params.identityToken,
|
|
279
300
|
};
|
|
280
|
-
|
|
301
|
+
if (params.poolName)
|
|
302
|
+
body.PoolName = params.poolName;
|
|
303
|
+
const result = (await this.signedPost("GetUserCredential", body));
|
|
281
304
|
if (!result.CredentialId) {
|
|
282
305
|
throw new Error("Identity GetUserCredential: missing CredentialId");
|
|
283
306
|
}
|
|
@@ -297,7 +320,7 @@ export class IdentityClient {
|
|
|
297
320
|
Resource: params.resource,
|
|
298
321
|
...(params.originalCallers?.length ? { OriginalCallers: params.originalCallers } : {}),
|
|
299
322
|
};
|
|
300
|
-
const result = (await this.signedPost(
|
|
323
|
+
const result = (await this.signedPost("CheckPermission", body));
|
|
301
324
|
return {
|
|
302
325
|
allowed: result.Allowed ?? false,
|
|
303
326
|
message: result.Message,
|
|
@@ -308,12 +331,15 @@ export class IdentityClient {
|
|
|
308
331
|
PageNumber: params.PageNumber ?? 1,
|
|
309
332
|
PageSize: params.PageSize ?? 20,
|
|
310
333
|
};
|
|
311
|
-
|
|
334
|
+
const mergedFilter = params.Filter ? { ...params.Filter } : {};
|
|
335
|
+
if (params.PoolName) {
|
|
312
336
|
body.PoolName = params.PoolName;
|
|
313
|
-
|
|
314
|
-
|
|
337
|
+
mergedFilter.PoolName = params.PoolName;
|
|
338
|
+
}
|
|
339
|
+
if (Object.keys(mergedFilter).length > 0) {
|
|
340
|
+
body.Filter = mergedFilter;
|
|
315
341
|
}
|
|
316
|
-
const r = (await this.signedPost(
|
|
342
|
+
const r = (await this.signedPost("ListCredentialProviders", body));
|
|
317
343
|
const providers = r.CredentialProviders ?? r.Data ?? [];
|
|
318
344
|
return {
|
|
319
345
|
CredentialProviders: providers,
|
|
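Review bot: In the `mergedFilter` block, `params.PoolName` overwrites any `PoolName` the caller already placed in `params.Filter`, and the same value is still sent as top-level `body.PoolName`. Document which of the two fields the service honors, and when a caller supplies both with different values, throw or log instead of silently preferring one.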
@@ -328,9 +354,15 @@ export class IdentityClient {
|
|
|
328
354
|
PageNumber: params.PageNumber ?? 1,
|
|
329
355
|
PageSize: params.PageSize ?? 20,
|
|
330
356
|
};
|
|
331
|
-
|
|
357
|
+
const mergedFilter = params.Filter ? { ...params.Filter } : {};
|
|
358
|
+
if (params.PoolName) {
|
|
332
359
|
body.PoolName = params.PoolName;
|
|
333
|
-
|
|
360
|
+
mergedFilter.PoolName = params.PoolName;
|
|
361
|
+
}
|
|
362
|
+
if (Object.keys(mergedFilter).length > 0) {
|
|
363
|
+
body.Filter = mergedFilter;
|
|
364
|
+
}
|
|
365
|
+
const raw = (await this.signedPost("ListRoleCredentialProviders", body));
|
|
334
366
|
const r = raw.Result ?? raw;
|
|
335
367
|
let providers = r.RoleCredentialProviders ?? [];
|
|
336
368
|
// Client-side filter by user pool when specified
|
|
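Review bot: The `mergedFilter` block here duplicates, line for line, the one added for `ListCredentialProviders`; move it into a small private helper so the two list calls cannot drift apart. The unchanged comment `// Client-side filter by user pool when specified` just below should also say whether that client-side pass is still needed now that `PoolName` is sent inside `Filter`.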
@@ -358,15 +390,16 @@ export class IdentityClient {
|
|
|
358
390
|
IdentityToken: params.IdentityToken,
|
|
359
391
|
ProviderName: params.ProviderName,
|
|
360
392
|
};
|
|
361
|
-
if (params.PoolName)
|
|
393
|
+
if (params.PoolName) {
|
|
362
394
|
body.PoolName = params.PoolName;
|
|
395
|
+
}
|
|
363
396
|
if (params.RoleSessionName)
|
|
364
397
|
body.RoleSessionName = params.RoleSessionName;
|
|
365
398
|
if (params.RequestedRoleTrn)
|
|
366
399
|
body.RequestedRoleTrn = params.RequestedRoleTrn;
|
|
367
400
|
if (params.WithOIDC !== undefined)
|
|
368
401
|
body.WithOIDC = params.WithOIDC;
|
|
369
|
-
const r = (await this.signedPost(
|
|
402
|
+
const r = (await this.signedPost("GetRoleCredentials", body));
|
|
370
403
|
const creds = r.VolcEngResponse?.Credentials ?? r.Credentials;
|
|
371
404
|
if (!creds?.AccessKeyId || !creds?.SecretAccessKey || !creds?.SessionToken) {
|
|
372
405
|
throw new Error("Identity GetRoleCredentials: missing Credentials in response");
|
|
@@ -383,7 +416,7 @@ export class IdentityClient {
|
|
|
383
416
|
}
|
|
384
417
|
async getUserPool(params) {
|
|
385
418
|
const body = { UserPoolUid: params.userPoolUid };
|
|
386
|
-
const r = (await this.signedPost(
|
|
419
|
+
const r = (await this.signedPost("GetUserPool", body));
|
|
387
420
|
return toUserPoolResult(r);
|
|
388
421
|
}
|
|
389
422
|
async listIdentityProviders(params) {
|
|
@@ -399,7 +432,7 @@ export class IdentityClient {
|
|
|
399
432
|
...(f.connectionType && { ConnectionType: f.connectionType }),
|
|
400
433
|
};
|
|
401
434
|
}
|
|
402
|
-
const r = (await this.signedPost(
|
|
435
|
+
const r = (await this.signedPost("ListIdentityProviders", body));
|
|
403
436
|
const data = (r.Data ?? []).map((d) => ({
|
|
404
437
|
uid: d.Uid ?? "",
|
|
405
438
|
name: d.Name ?? "",
|
|
@@ -440,7 +473,7 @@ export class IdentityClient {
|
|
|
440
473
|
}),
|
|
441
474
|
};
|
|
442
475
|
}
|
|
443
|
-
const r = (await this.signedPost(
|
|
476
|
+
const r = (await this.signedPost("ListUserPools", body));
|
|
444
477
|
const data = (r.Data ?? []).map((d) => {
|
|
445
478
|
const tags = d.Tags;
|
|
446
479
|
return {
|
|
@@ -480,7 +513,7 @@ export class IdentityClient {
|
|
|
480
513
|
Tags: params.tags?.map((t) => ({ Key: t.key, Value: t.value })),
|
|
481
514
|
Brand: params.brand ? { Name: params.brand.name, LogoUri: params.brand.logoUri } : undefined,
|
|
482
515
|
};
|
|
483
|
-
const r = (await this.signedPost(
|
|
516
|
+
const r = (await this.signedPost("CreateUserPool", body));
|
|
484
517
|
return toUserPoolResult(r);
|
|
485
518
|
}
|
|
486
519
|
async getUserPoolClient(params) {
|
|
@@ -488,7 +521,7 @@ export class IdentityClient {
|
|
|
488
521
|
UserPoolUid: params.userPoolUid,
|
|
489
522
|
ClientUid: params.clientUid,
|
|
490
523
|
};
|
|
491
|
-
const r = (await this.signedPost(
|
|
524
|
+
const r = (await this.signedPost("GetUserPoolClient", body));
|
|
492
525
|
return toUserPoolClientResult(r);
|
|
493
526
|
}
|
|
494
527
|
async listUserPoolClients(params) {
|
|
@@ -507,7 +540,7 @@ export class IdentityClient {
|
|
|
507
540
|
...(f.clientTypes && { ClientTypes: f.clientTypes }),
|
|
508
541
|
};
|
|
509
542
|
}
|
|
510
|
-
const r = (await this.signedPost(
|
|
543
|
+
const r = (await this.signedPost("ListUserPoolClients", body));
|
|
511
544
|
const data = (r.Data ?? []).map((d) => ({
|
|
512
545
|
uid: d.Uid ?? "",
|
|
513
546
|
name: d.Name ?? "",
|
|
@@ -536,15 +569,15 @@ export class IdentityClient {
|
|
|
536
569
|
AllowedCors: params.allowedCors,
|
|
537
570
|
SkipConsentEnabled: params.skipConsentEnabled ?? true,
|
|
538
571
|
};
|
|
539
|
-
const r = (await this.signedPost(
|
|
572
|
+
const r = (await this.signedPost("CreateUserPoolClient", body));
|
|
540
573
|
return toUserPoolClientResult(r);
|
|
541
574
|
}
|
|
542
575
|
}
|
|
543
576
|
/**
|
|
544
577
|
* Resolve OIDC config from UserPool and Client names (from_veidentity style).
|
|
545
578
|
* If pool/client not found and autoCreate=true, creates them.
|
|
546
|
-
* Also fetches the first identity provider from ListIdentityProviders and
|
|
547
|
-
*
|
|
579
|
+
* Also fetches the first identity provider from ListIdentityProviders and caches poolUid —
|
|
580
|
+
* callers should cache the result to avoid repeated API calls.
|
|
548
581
|
*/
|
|
549
582
|
export async function resolveOIDCConfig(client, params) {
|
|
550
583
|
const { userPoolName, userPoolUid, clientName, clientUid, redirectUri, scope = "openid profile email offline_access", autoCreate = true, clientType = "WEB_APPLICATION", } = params;
|
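Review bot: The rewritten doc comment on `resolveOIDCConfig` says the function "caches poolUid" and, on the next line, that "callers should cache the result", which leaves it unclear who owns the cache. State which layer holds the cached value and for how long, since the unchanged defaults visible here (`autoCreate = true`, `SkipConsentEnabled: params.skipConsentEnabled ?? true`) mean a cache miss can create a pool or client as a side effect.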
package/dist/src/types.d.ts
CHANGED
|
@@ -18,6 +18,12 @@ export type PluginToolContext = {
|
|
|
18
18
|
};
|
|
19
19
|
export type IdentityConfig = {
|
|
20
20
|
endpoint?: string;
|
|
21
|
+
/**
|
|
22
|
+
* Plain-text region id metadata URL (e.g. http://100.96.0.96/latest/region_id).
|
|
23
|
+
* When `endpoint` is unset, response body builds `https://id.{region}.volcengineapi.com`.
|
|
24
|
+
* Lower priority than `endpoint`.
|
|
25
|
+
*/
|
|
26
|
+
regionMetadataUrl?: string;
|
|
21
27
|
accessKeyId?: string;
|
|
22
28
|
secretAccessKey?: string;
|
|
23
29
|
sessionToken?: string;
|
package/dist/src/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,qGAAqG;IACrG,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,0GAA0G;IAC1G,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,iHAAiH;IACjH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,wCAAwC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6EAA6E;IAC7E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,kGAAkG;IAClG,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iEAAiE;IACjE,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4EAA4E;IAC5E,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,wEAAwE;IACxE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,2EAA2E;IAC3E,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,6CAA6C;IAC7C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,oFAAoF;IACpF,YAAY,CAAC,EAAE;QACb,iGAAiG;QACjG,QAAQ,EAAE,MAAM,CAAC;QACjB,6EAA6E;QAC7E,GAAG,CAAC,EAAE,QAAQ,GAAG,oBAAoB,CAAC;QACtC,8CAA8C;QAC9C,KAAK,EAAE,MAAM,CAAC;QACd,gEAAgE;QAChE,MAAM,CAAC,EAAE,MAAM,CAAC;QAC
hB,oCAAoC;QACpC,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,uFAAuF;QACvF,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,6CAA6C;IAC7C,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,cAAc,CAAC;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC"}
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAE1D;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,qGAAqG;IACrG,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,0GAA0G;IAC1G,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,iHAAiH;IACjH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,wCAAwC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6EAA6E;IAC7E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,kGAAkG;IAClG,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iEAAiE;IACjE,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4EAA4E;IAC5E,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,wEAAwE;IACxE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,2EAA2E;IAC3E,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,6CAA6C;IAC7C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,oFAAoF;IACpF,YAAY,CAAC,EAAE;QACb,iGAAiG;QACjG,QAAQ,EAAE,MAAM,CAAC;QACjB,6EAA6E;QAC7E,GAAG,CAAC,EAAE,QAAQ,GAAG,oBAAoB,CAAC;QACtC,8CAA8C;QAC9C,KAAK,EAAE,MAAM,CAAC;
QACd,gEAAgE;QAChE,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,oCAAoC;QACpC,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,uFAAuF;QACvF,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,6CAA6C;IAC7C,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,cAAc,CAAC;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC"}
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Resolve Volcengine Identity API base URL.
|
|
3
|
+
* Priority: explicit endpoint > region from regionMetadataUrl -> https://id.{region}.volcengineapi.com > cn-beijing default.
|
|
4
|
+
*/
|
|
5
|
+
export declare const DEFAULT_IDENTITY_ENDPOINT = "https://id.cn-beijing.volcengineapi.com";
|
|
6
|
+
/**
|
|
7
|
+
* GET metadata URL; expect plain-text region id (e.g. cn-beijing).
|
|
8
|
+
* Uses total request timeout (similar to curl --max-time 10).
|
|
9
|
+
*/
|
|
10
|
+
export declare function fetchRegionIdFromMetadata(metadataUrl: string, options?: {
|
|
11
|
+
totalTimeoutMs?: number;
|
|
12
|
+
}): Promise<string | null>;
|
|
13
|
+
export declare function identityEndpointFromRegion(region: string): string;
|
|
14
|
+
export type ResolveIdentityApiEndpointInput = {
|
|
15
|
+
endpoint?: string;
|
|
16
|
+
regionMetadataUrl?: string;
|
|
17
|
+
};
|
|
18
|
+
/**
|
|
19
|
+
* Resolve Identity control/data plane base URL for signing and requests.
|
|
20
|
+
*/
|
|
21
|
+
export declare function resolveIdentityApiEndpoint(input: ResolveIdentityApiEndpointInput): Promise<string>;
|
|
22
|
+
/**
|
|
23
|
+
* Derive Volcengine signing region from Identity endpoint host id.{region}.volcengineapi.com.
|
|
24
|
+
*/
|
|
25
|
+
export declare function signingRegionFromIdentityEndpoint(baseUrl: string): string | null;
|
|
26
|
+
//# sourceMappingURL=resolve-identity-endpoint.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resolve-identity-endpoint.d.ts","sourceRoot":"","sources":["../../../src/utils/resolve-identity-endpoint.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH,eAAO,MAAM,yBAAyB,4CAA4C,CAAC;AAUnF;;;GAGG;AACH,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;IAAE,cAAc,CAAC,EAAE,MAAM,CAAA;CAAE,GACpC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAuBxB;AAED,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEjE;AAED,MAAM,MAAM,+BAA+B,GAAG;IAC5C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF;;GAEG;AACH,wBAAsB,0BAA0B,CAC9C,KAAK,EAAE,+BAA+B,GACrC,OAAO,CAAC,MAAM,CAAC,CAYjB;AAED;;GAEG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQhF"}
|
|
@@ -0,0 +1,90 @@
|
|
|
1
|
+
/*
|
|
2
|
+
* Copyright (c) 2026 Beijing Volcano Engine Technology Co., Ltd. and/or its affiliates.
|
|
3
|
+
*
|
|
4
|
+
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
5
|
+
* you may not use this file except in compliance with the License.
|
|
6
|
+
* You may obtain a copy of the License at
|
|
7
|
+
*
|
|
8
|
+
* http://www.apache.org/licenses/LICENSE-2.0
|
|
9
|
+
*
|
|
10
|
+
* Unless required by applicable law or agreed to in writing, software
|
|
11
|
+
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
12
|
+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
13
|
+
* See the License for the specific language governing permissions and
|
|
14
|
+
* limitations under the License.
|
|
15
|
+
*/
|
|
16
|
+
/**
|
|
17
|
+
* Resolve Volcengine Identity API base URL.
|
|
18
|
+
* Priority: explicit endpoint > region from regionMetadataUrl -> https://id.{region}.volcengineapi.com > cn-beijing default.
|
|
19
|
+
*/
|
|
20
|
+
export const DEFAULT_IDENTITY_ENDPOINT = "https://id.cn-beijing.volcengineapi.com";
|
|
21
|
+
const DEFAULT_TOTAL_TIMEOUT_MS = 10_000;
|
|
22
|
+
/** Region values that must not be used to build an endpoint. */
|
|
23
|
+
function isInvalidRegionId(text) {
|
|
24
|
+
const t = text.trim().toLowerCase();
|
|
25
|
+
return t.length === 0 || t === "unknown";
|
|
26
|
+
}
|
|
27
|
+
/**
|
|
28
|
+
* GET metadata URL; expect plain-text region id (e.g. cn-beijing).
|
|
29
|
+
* Uses total request timeout (similar to curl --max-time 10).
|
|
30
|
+
*/
|
|
31
|
+
export async function fetchRegionIdFromMetadata(metadataUrl, options) {
|
|
32
|
+
const url = metadataUrl.trim();
|
|
33
|
+
if (!url)
|
|
34
|
+
return null;
|
|
35
|
+
const totalTimeoutMs = options?.totalTimeoutMs ?? DEFAULT_TOTAL_TIMEOUT_MS;
|
|
36
|
+
const controller = new AbortController();
|
|
37
|
+
const timer = setTimeout(() => controller.abort(), totalTimeoutMs);
|
|
38
|
+
try {
|
|
39
|
+
const res = await fetch(url, {
|
|
40
|
+
signal: controller.signal,
|
|
41
|
+
redirect: "follow",
|
|
42
|
+
});
|
|
43
|
+
if (!res.ok)
|
|
44
|
+
return null;
|
|
45
|
+
const text = (await res.text()).trim();
|
|
46
|
+
if (isInvalidRegionId(text))
|
|
47
|
+
return null;
|
|
48
|
+
if (!/^[a-z0-9-]+$/i.test(text))
|
|
49
|
+
return null;
|
|
50
|
+
return text;
|
|
51
|
+
}
|
|
52
|
+
catch {
|
|
53
|
+
return null;
|
|
54
|
+
}
|
|
55
|
+
finally {
|
|
56
|
+
clearTimeout(timer);
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
export function identityEndpointFromRegion(region) {
|
|
60
|
+
return `https://id.${region.trim()}.volcengineapi.com`;
|
|
61
|
+
}
|
|
62
|
+
/**
|
|
63
|
+
* Resolve Identity control/data plane base URL for signing and requests.
|
|
64
|
+
*/
|
|
65
|
+
export async function resolveIdentityApiEndpoint(input) {
|
|
66
|
+
const explicit = input.endpoint?.trim();
|
|
67
|
+
if (explicit)
|
|
68
|
+
return explicit;
|
|
69
|
+
const fallback = DEFAULT_IDENTITY_ENDPOINT;
|
|
70
|
+
const metaUrl = input.regionMetadataUrl?.trim();
|
|
71
|
+
if (metaUrl) {
|
|
72
|
+
const region = await fetchRegionIdFromMetadata(metaUrl);
|
|
73
|
+
if (region)
|
|
74
|
+
return identityEndpointFromRegion(region);
|
|
75
|
+
}
|
|
76
|
+
return fallback;
|
|
77
|
+
}
|
|
78
|
+
/**
|
|
79
|
+
* Derive Volcengine signing region from Identity endpoint host id.{region}.volcengineapi.com.
|
|
80
|
+
*/
|
|
81
|
+
export function signingRegionFromIdentityEndpoint(baseUrl) {
|
|
82
|
+
try {
|
|
83
|
+
const host = new URL(baseUrl).host;
|
|
84
|
+
const m = /^id\.([a-z0-9-]+)\.volcengineapi\.com$/i.exec(host);
|
|
85
|
+
return m ? m[1] : null;
|
|
86
|
+
}
|
|
87
|
+
catch {
|
|
88
|
+
return null;
|
|
89
|
+
}
|
|
90
|
+
}
|
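Review bot: `identityEndpointFromRegion` interpolates `region.trim()` into the host with no validation of its own; the `/^[a-z0-9-]+$/i` check lives only in `fetchRegionIdFromMetadata`, and the function is exported. Move the pattern check into `identityEndpointFromRegion` (or have it throw on a mismatch) so every caller gets it. Separately, `redirect: "follow"` lets the metadata host hand the lookup to another origin, where `redirect: "error"` would suit a fixed plain-text endpoint better, and `resolveIdentityApiEndpoint` returns an explicit `endpoint` without parsing it, so a malformed value only surfaces later in `new URL(baseUrl)`.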
package/openclaw.plugin.json
CHANGED
|
@@ -13,7 +13,11 @@
|
|
|
13
13
|
"properties": {
|
|
14
14
|
"endpoint": {
|
|
15
15
|
"type": "string",
|
|
16
|
-
"description": "Identity API endpoint, e.g. https://id.cn-beijing.volcengineapi.com"
|
|
16
|
+
"description": "Identity API endpoint, e.g. https://id.cn-beijing.volcengineapi.com. Highest priority; when set, regionMetadataUrl is ignored for the base URL."
|
|
17
|
+
},
|
|
18
|
+
"regionMetadataUrl": {
|
|
19
|
+
"type": "string",
|
|
20
|
+
"description": "GET this URL for plain-text region id (e.g. http://100.96.0.96/latest/region_id). When endpoint is unset, builds https://id.{region}.volcengineapi.com. Request timeout ~10s; on failure falls back to https://id.cn-beijing.volcengineapi.com"
|
|
17
21
|
},
|
|
18
22
|
"accessKeyId": {
|
|
19
23
|
"type": "string",
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@m1a0rz/agent-identity",
|
|
3
|
-
"version": "0.4.
|
|
3
|
+
"version": "0.4.4",
|
|
4
4
|
"description": "Agent Identity: UserPool (用户池) login, TIP token (工作负载令牌), credential hosting (凭据托管 OAuth2/API key), optional tool/skill permission control (CheckPermission) and risk approval. Integrates with Volcengine 智能体身份和权限管理平台.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|
package/skills/SKILL.md
CHANGED
|
@@ -74,6 +74,14 @@ When looking for a specific provider (e.g. before `identity_fetch`), prefer pass
|
|
|
74
74
|
|
|
75
75
|
Returns: `providers`, `storedOnly`, `page`, `hasMore`.
|
|
76
76
|
|
|
77
|
+
### identity_list_roles
|
|
78
|
+
|
|
79
|
+
Lists **STS role credential providers** (not OAuth/API key — use `identity_list_credentials` for those). **Call when:** "role credentials", "STS providers", "IAM role 凭据", "有哪些角色凭据". Requires login session.
|
|
80
|
+
|
|
81
|
+
Optional param: `name` — prefix filter on provider name.
|
|
82
|
+
|
|
83
|
+
Returns: `providers` (each may include `identitySource`). To obtain temporary keys for a provider, use `identity_get_role_credentials` with that provider name.
|
|
84
|
+
|
|
77
85
|
### identity_fetch
|
|
78
86
|
|
|
79
87
|
Adds a credential for a provider (OAuth2 or API key). **Call when the user wants to add, get, or configure credentials:**
|
|
@@ -142,17 +150,9 @@ Generates config snippets. **Call when:** "如何配置 identity 插件", "帮
|
|
|
142
150
|
|
|
143
151
|
Returns: `configPath`, `config` (JSON to merge), `instructions`, `nextSteps`.
|
|
144
152
|
|
|
145
|
-
### identity_list_tips
|
|
146
|
-
|
|
147
|
-
List valid TIP tokens and bindings. No params.
|
|
148
|
-
|
|
149
153
|
### identity_approve_tool
|
|
150
154
|
|
|
151
|
-
|
|
152
|
-
| ------------- | ------ | -------- | -------------------------------------------------------- |
|
|
153
|
-
| `approval_id` | string | Yes | ID from the approval prompt |
|
|
154
|
-
|
|
155
|
-
**Agent must NOT call this tool.** This is for human approval only — user runs `/identity approve <id>` or replies "approve" in chat.
|
|
155
|
+
**Do not call this tool as the agent.** High-risk approvals are for humans only. When the user must approve, relay the **approval ID** and timeout from the error; they complete approval via `/identity approve <id>` or the channel workflow your gateway uses — not via this tool from the model.
|
|
156
156
|
|
|
157
157
|
## Workflow: Adding a Credential
|
|
158
158
|
|
|
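Review bot: The replacement paragraph under `identity_approve_tool` relies on the model obeying "Do not call this tool as the agent", which is an instruction and not a control. Confirm that the tool handler itself refuses calls that do not come from a human channel, and say so in this section. The hunk also drops the `approval_id` parameter table and the whole `identity_list_tips` section; if those tools still exist, keep their reference entries so the skill text matches the registered tools.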
@@ -1,15 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Demo: read local sessions.json (with field-level decryption), resolve one sessionKey, print userToken.
|
|
3
|
-
*
|
|
4
|
-
* Same path as the plugin: initEncryptionKey(storeDir) then getSession(storeDir, sessionKey).
|
|
5
|
-
*
|
|
6
|
-
* Usage (after `pnpm build`):
|
|
7
|
-
* node dist/scripts/demo-get-session.js <sessionKey>
|
|
8
|
-
* node dist/scripts/demo-get-session.js <storeDir> <sessionKey>
|
|
9
|
-
* pnpm demo:get-session -- <sessionKey>
|
|
10
|
-
*
|
|
11
|
-
* Flags:
|
|
12
|
-
* --print-token Print full userToken (default: only prefix + length)
|
|
13
|
-
*/
|
|
14
|
-
export {};
|
|
15
|
-
//# sourceMappingURL=demo-get-session.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"demo-get-session.d.ts","sourceRoot":"","sources":["../../scripts/demo-get-session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG"}
|
|
@@ -1,58 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Demo: read local sessions.json (with field-level decryption), resolve one sessionKey, print userToken.
|
|
3
|
-
*
|
|
4
|
-
* Same path as the plugin: initEncryptionKey(storeDir) then getSession(storeDir, sessionKey).
|
|
5
|
-
*
|
|
6
|
-
* Usage (after `pnpm build`):
|
|
7
|
-
* node dist/scripts/demo-get-session.js <sessionKey>
|
|
8
|
-
* node dist/scripts/demo-get-session.js <storeDir> <sessionKey>
|
|
9
|
-
* pnpm demo:get-session -- <sessionKey>
|
|
10
|
-
*
|
|
11
|
-
* Flags:
|
|
12
|
-
* --print-token Print full userToken (default: only prefix + length)
|
|
13
|
-
*/
|
|
14
|
-
import path from "node:path";
|
|
15
|
-
import os from "node:os";
|
|
16
|
-
import { initEncryptionKey } from "../src/store/encryption.js";
|
|
17
|
-
import { getSession } from "../src/store/session-store.js";
|
|
18
|
-
function usage() {
|
|
19
|
-
console.error(`Usage: demo-get-session [--print-token] <sessionKey>
|
|
20
|
-
demo-get-session [--print-token] <storeDir> <sessionKey>
|
|
21
|
-
|
|
22
|
-
storeDir defaults to ~/.openclaw/plugins/identity`);
|
|
23
|
-
process.exit(1);
|
|
24
|
-
}
|
|
25
|
-
async function main() {
|
|
26
|
-
const printToken = process.argv.includes("--print-token");
|
|
27
|
-
const args = process.argv.slice(2).filter((a) => a !== "--print-token");
|
|
28
|
-
if (args.length < 1 || args.length > 2)
|
|
29
|
-
usage();
|
|
30
|
-
const storeDir = args.length === 2
|
|
31
|
-
? path.resolve(args[0])
|
|
32
|
-
: path.join(os.homedir(), ".openclaw", "plugins", "identity");
|
|
33
|
-
const sessionKey = args.length === 2 ? args[1] : args[0];
|
|
34
|
-
initEncryptionKey(storeDir);
|
|
35
|
-
const session = await getSession(storeDir, sessionKey);
|
|
36
|
-
if (!session) {
|
|
37
|
-
console.log(JSON.stringify({ ok: false, reason: "no session or expired", storeDir, sessionKey }, null, 2));
|
|
38
|
-
process.exit(2);
|
|
39
|
-
}
|
|
40
|
-
const tokenPreview = printToken
|
|
41
|
-
? session.userToken
|
|
42
|
-
: `${session.userToken.slice(0, 12)}… (${session.userToken.length} chars)`;
|
|
43
|
-
console.log(JSON.stringify({
|
|
44
|
-
ok: true,
|
|
45
|
-
storeDir,
|
|
46
|
-
sessionKey,
|
|
47
|
-
sub: session.sub,
|
|
48
|
-
loginAt: session.loginAt,
|
|
49
|
-
expiresAt: session.expiresAt ?? null,
|
|
50
|
-
hasRefreshToken: Boolean(session.refreshToken),
|
|
51
|
-
claims: session.claims ?? null,
|
|
52
|
-
userToken: tokenPreview,
|
|
53
|
-
}, null, 2));
|
|
54
|
-
}
|
|
55
|
-
main().catch((err) => {
|
|
56
|
-
console.error(err);
|
|
57
|
-
process.exit(1);
|
|
58
|
-
});
|
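Review bot: The deleted header comment documents `pnpm demo:get-session`, but the package.json hunk in this diff shows only the version change, so check that the matching script entry is gone as well and does not point at a file that no longer ships. The removed helper's `--print-token` flag wrote the full decrypted `userToken` to stdout, so the removal deserves a changelog line for anyone who scripted against it.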