@sebspark/gcp-iam 3.0.16 → 3.0.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.mjs +1 -3
- package/dist/index.mjs.map +1 -1
- package/package.json +2 -2
package/dist/index.mjs
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
import { IAMCredentialsClient } from "@google-cloud/iam-credentials";
|
|
2
2
|
import { getLogger } from "@sebspark/otel";
|
|
3
3
|
import { GoogleAuth } from "google-auth-library";
|
|
4
|
-
|
|
5
4
|
//#region src/lruCache.ts
|
|
6
5
|
var LruCache = class {
|
|
7
6
|
values = /* @__PURE__ */ new Map();
|
|
@@ -38,7 +37,6 @@ var LruCache = class {
|
|
|
38
37
|
this.values.delete(key);
|
|
39
38
|
}
|
|
40
39
|
};
|
|
41
|
-
|
|
42
40
|
//#endregion
|
|
43
41
|
//#region src/apiGatewayToken.ts
|
|
44
42
|
const expInSeconds = 3600;
|
|
@@ -146,7 +144,7 @@ const getApiGatewayTokenByClientId = async (clientId) => {
|
|
|
146
144
|
generate: () => generateTokenByClientId(clientId)
|
|
147
145
|
});
|
|
148
146
|
};
|
|
149
|
-
|
|
150
147
|
//#endregion
|
|
151
148
|
export { clearCache, getApiGatewayTokenByClientId, getApiGatewayTokenByUrl };
|
|
149
|
+
|
|
152
150
|
//# sourceMappingURL=index.mjs.map
|
package/dist/index.mjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.mjs","names":[],"sources":["../src/lruCache.ts","../src/apiGatewayToken.ts"],"sourcesContent":["export class LruCache<T> {\n private values: Map<string, { timestamp: number; data: T; ttl: number }> =\n new Map<string, { timestamp: number; data: T; ttl: number }>()\n private readonly maxEntries: number = 10000\n private readonly defaultTTL: number = 1000 * 10 // 10 seconds\n\n constructor(props?: { ttl?: number; maxEntries?: number }) {\n this.defaultTTL = props?.ttl ?? this.defaultTTL\n this.maxEntries = props?.maxEntries ?? this.maxEntries\n }\n\n public get(key: string): T | undefined {\n const hasKey = this.values.has(key)\n\n if (hasKey) {\n // peek the entry, re-insert for LRU strategy\n const entry = this.values.get(key) as {\n timestamp: number\n data: T\n ttl: number\n }\n if (Date.now() - entry.timestamp > entry.ttl) {\n this.values.delete(key)\n return undefined\n }\n this.values.delete(key)\n this.values.set(key, entry)\n return entry.data\n }\n }\n\n public put(key: string, value: T, ttl?: number) {\n if (this.values.size >= this.maxEntries) {\n // least-recently used cache eviction strategy\n const keyToDelete = this.values.keys().next().value as string\n this.values.delete(keyToDelete)\n }\n\n this.values.set(key, {\n data: value,\n timestamp: Date.now(),\n ttl: ttl || this.defaultTTL,\n })\n }\n\n public clear(key: string) {\n this.values.delete(key)\n }\n}\n","import { IAMCredentialsClient } from '@google-cloud/iam-credentials'\nimport { getLogger } from '@sebspark/otel'\nimport { GoogleAuth } from 'google-auth-library'\nimport { LruCache } from './lruCache'\n\nconst expInSeconds = 60 * 60\n// TODO: Make ttl changeable from getApiGatewayToken function\nconst apiGatewayJwtCache = new LruCache<Promise<string>>()\n\nconst logger = getLogger('gcp-iam')\n\nconst generateTokenByUrl = async ({\n apiURL,\n key,\n}: {\n apiURL: string\n key?: string\n}) => {\n try {\n const iamClient = new IAMCredentialsClient()\n const auth = new GoogleAuth()\n const cred = await auth.getCredentials()\n const serviceAccountEmail = cred.client_email\n\n if (!serviceAccountEmail) {\n throw new Error('No service account e-mail could be found.')\n }\n\n // Remove when verified\n logger.info(`Service account e-mail being used: ${serviceAccountEmail}`)\n\n /**\n * JWT Header.\n */\n\n const header = {\n alg: 'RS256',\n typ: 'JWT',\n }\n const headerBase64 = Buffer.from(JSON.stringify(header)).toString('base64')\n\n /**\n * JWT Payload.\n */\n\n const now = Math.floor(Date.now() / 1000)\n const payload = {\n iss: serviceAccountEmail,\n sub: serviceAccountEmail,\n aud: apiURL,\n iat: now,\n exp: now + expInSeconds,\n }\n\n const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString(\n 'base64'\n )\n\n /**\n * JWT Signature.\n */\n\n const unsignedJWT = `${headerBase64}.${payloadBase64}`\n const [response] = await iamClient.signBlob({\n delegates: [serviceAccountEmail],\n name: `projects/-/serviceAccounts/${serviceAccountEmail}`,\n payload: new Uint8Array(Buffer.from(unsignedJWT)),\n })\n\n if (!response.signedBlob) {\n throw new Error(\n 'signBlob(...) returned an empty response. Cannot sign JWT.'\n )\n }\n\n // Debug.\n logger.debug(\n `New JWT for ${key || apiURL} created. Signed with ${response.keyId}.`\n )\n\n // Encode the binary signature to Base64.\n const signature = Buffer.from(response.signedBlob).toString('base64')\n\n // Combine into the final JWT.\n const signedJWT = `${unsignedJWT}.${signature}`\n\n return signedJWT\n } catch (error) {\n if (process.env.GCP_IAM_SOFT_FAIL === 'true') {\n logger.info('Soft fail enabled, returning empty JWT')\n return ''\n }\n\n logger.error('Error generating system JWT', error as Error)\n\n throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`)\n }\n}\n\n/**\n * Generate a system token for the API Gateway.\n * This is intended to be run under the context of the service account signing the JWT.\n * @param apiUrl The URL of the API Gateway including the path of the specific API to be accessed using the token.\n * @param serviceAccountEmail The email of the service account to be used.\n * @param logger An optional logger to use for logging.\n * @returns A JWT.\n */\nexport const getApiGatewayTokenByUrl = async ({\n apiURL,\n key,\n}: {\n apiURL: string\n key?: string\n}): Promise<string> => {\n return checkCache({\n cacheKey: key || apiURL,\n generate: () => generateTokenByUrl({ apiURL, key }),\n })\n}\n\n/**\n *\n * @param key Clears a cached JWT by key.\n */\nexport const clearCache = async (key: string) => {\n apiGatewayJwtCache.clear(key)\n}\n\nconst checkCache = ({\n cacheKey,\n generate,\n}: {\n cacheKey: string\n generate: () => Promise<string>\n}) => {\n /**\n * Check if there is a cached JWT\n */\n\n const cachedJwt = apiGatewayJwtCache.get(cacheKey)\n if (cachedJwt) {\n logger.debug(`JWT for ${cacheKey} found in cache.`)\n return cachedJwt\n }\n\n const jwtPromise = generate()\n\n // cache generated jwt\n apiGatewayJwtCache.put(cacheKey, jwtPromise, (expInSeconds / 2) * 1000)\n\n return jwtPromise\n}\n\nconst generateTokenByClientId = async (clientId: string) => {\n try {\n const auth = new GoogleAuth({\n scopes: 'https://www.googleapis.com/auth/cloud-platform',\n })\n const client = await auth.getIdTokenClient(clientId)\n\n return await client.idTokenProvider.fetchIdToken(clientId)\n } catch (error) {\n if (process.env.GCP_IAM_SOFT_FAIL === 'true') {\n logger.info('Soft fail enabled, returning empty JWT.')\n return ''\n }\n\n logger.error('Error generating system JWT', error as Error)\n\n throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`)\n }\n}\n\n/**\n * Generates a JWT for the API Gateway, using Client ID as audience.\n * @param clientId OAUTH Client ID.\n * @returns ID Token.\n */\nexport const getApiGatewayTokenByClientId = async (\n clientId: string\n): Promise<string> => {\n return checkCache({\n cacheKey: clientId,\n generate: () => generateTokenByClientId(clientId),\n })\n}\n"],"mappings":"
|
|
1
|
+
{"version":3,"file":"index.mjs","names":[],"sources":["../src/lruCache.ts","../src/apiGatewayToken.ts"],"sourcesContent":["export class LruCache<T> {\n private values: Map<string, { timestamp: number; data: T; ttl: number }> =\n new Map<string, { timestamp: number; data: T; ttl: number }>()\n private readonly maxEntries: number = 10000\n private readonly defaultTTL: number = 1000 * 10 // 10 seconds\n\n constructor(props?: { ttl?: number; maxEntries?: number }) {\n this.defaultTTL = props?.ttl ?? this.defaultTTL\n this.maxEntries = props?.maxEntries ?? this.maxEntries\n }\n\n public get(key: string): T | undefined {\n const hasKey = this.values.has(key)\n\n if (hasKey) {\n // peek the entry, re-insert for LRU strategy\n const entry = this.values.get(key) as {\n timestamp: number\n data: T\n ttl: number\n }\n if (Date.now() - entry.timestamp > entry.ttl) {\n this.values.delete(key)\n return undefined\n }\n this.values.delete(key)\n this.values.set(key, entry)\n return entry.data\n }\n }\n\n public put(key: string, value: T, ttl?: number) {\n if (this.values.size >= this.maxEntries) {\n // least-recently used cache eviction strategy\n const keyToDelete = this.values.keys().next().value as string\n this.values.delete(keyToDelete)\n }\n\n this.values.set(key, {\n data: value,\n timestamp: Date.now(),\n ttl: ttl || this.defaultTTL,\n })\n }\n\n public clear(key: string) {\n this.values.delete(key)\n }\n}\n","import { IAMCredentialsClient } from '@google-cloud/iam-credentials'\nimport { getLogger } from '@sebspark/otel'\nimport { GoogleAuth } from 'google-auth-library'\nimport { LruCache } from './lruCache'\n\nconst expInSeconds = 60 * 60\n// TODO: Make ttl changeable from getApiGatewayToken function\nconst apiGatewayJwtCache = new LruCache<Promise<string>>()\n\nconst logger = getLogger('gcp-iam')\n\nconst generateTokenByUrl = async ({\n apiURL,\n key,\n}: {\n apiURL: string\n key?: string\n}) => {\n try {\n const iamClient = new IAMCredentialsClient()\n const auth = new GoogleAuth()\n const cred = await auth.getCredentials()\n const serviceAccountEmail = cred.client_email\n\n if (!serviceAccountEmail) {\n throw new Error('No service account e-mail could be found.')\n }\n\n // Remove when verified\n logger.info(`Service account e-mail being used: ${serviceAccountEmail}`)\n\n /**\n * JWT Header.\n */\n\n const header = {\n alg: 'RS256',\n typ: 'JWT',\n }\n const headerBase64 = Buffer.from(JSON.stringify(header)).toString('base64')\n\n /**\n * JWT Payload.\n */\n\n const now = Math.floor(Date.now() / 1000)\n const payload = {\n iss: serviceAccountEmail,\n sub: serviceAccountEmail,\n aud: apiURL,\n iat: now,\n exp: now + expInSeconds,\n }\n\n const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString(\n 'base64'\n )\n\n /**\n * JWT Signature.\n */\n\n const unsignedJWT = `${headerBase64}.${payloadBase64}`\n const [response] = await iamClient.signBlob({\n delegates: [serviceAccountEmail],\n name: `projects/-/serviceAccounts/${serviceAccountEmail}`,\n payload: new Uint8Array(Buffer.from(unsignedJWT)),\n })\n\n if (!response.signedBlob) {\n throw new Error(\n 'signBlob(...) returned an empty response. Cannot sign JWT.'\n )\n }\n\n // Debug.\n logger.debug(\n `New JWT for ${key || apiURL} created. Signed with ${response.keyId}.`\n )\n\n // Encode the binary signature to Base64.\n const signature = Buffer.from(response.signedBlob).toString('base64')\n\n // Combine into the final JWT.\n const signedJWT = `${unsignedJWT}.${signature}`\n\n return signedJWT\n } catch (error) {\n if (process.env.GCP_IAM_SOFT_FAIL === 'true') {\n logger.info('Soft fail enabled, returning empty JWT')\n return ''\n }\n\n logger.error('Error generating system JWT', error as Error)\n\n throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`)\n }\n}\n\n/**\n * Generate a system token for the API Gateway.\n * This is intended to be run under the context of the service account signing the JWT.\n * @param apiUrl The URL of the API Gateway including the path of the specific API to be accessed using the token.\n * @param serviceAccountEmail The email of the service account to be used.\n * @param logger An optional logger to use for logging.\n * @returns A JWT.\n */\nexport const getApiGatewayTokenByUrl = async ({\n apiURL,\n key,\n}: {\n apiURL: string\n key?: string\n}): Promise<string> => {\n return checkCache({\n cacheKey: key || apiURL,\n generate: () => generateTokenByUrl({ apiURL, key }),\n })\n}\n\n/**\n *\n * @param key Clears a cached JWT by key.\n */\nexport const clearCache = async (key: string) => {\n apiGatewayJwtCache.clear(key)\n}\n\nconst checkCache = ({\n cacheKey,\n generate,\n}: {\n cacheKey: string\n generate: () => Promise<string>\n}) => {\n /**\n * Check if there is a cached JWT\n */\n\n const cachedJwt = apiGatewayJwtCache.get(cacheKey)\n if (cachedJwt) {\n logger.debug(`JWT for ${cacheKey} found in cache.`)\n return cachedJwt\n }\n\n const jwtPromise = generate()\n\n // cache generated jwt\n apiGatewayJwtCache.put(cacheKey, jwtPromise, (expInSeconds / 2) * 1000)\n\n return jwtPromise\n}\n\nconst generateTokenByClientId = async (clientId: string) => {\n try {\n const auth = new GoogleAuth({\n scopes: 'https://www.googleapis.com/auth/cloud-platform',\n })\n const client = await auth.getIdTokenClient(clientId)\n\n return await client.idTokenProvider.fetchIdToken(clientId)\n } catch (error) {\n if (process.env.GCP_IAM_SOFT_FAIL === 'true') {\n logger.info('Soft fail enabled, returning empty JWT.')\n return ''\n }\n\n logger.error('Error generating system JWT', error as Error)\n\n throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`)\n }\n}\n\n/**\n * Generates a JWT for the API Gateway, using Client ID as audience.\n * @param clientId OAUTH Client ID.\n * @returns ID Token.\n */\nexport const getApiGatewayTokenByClientId = async (\n clientId: string\n): Promise<string> => {\n return checkCache({\n cacheKey: clientId,\n generate: () => generateTokenByClientId(clientId),\n })\n}\n"],"mappings":";;;;AAAA,IAAa,WAAb,MAAyB;CACvB,yBACE,IAAI,KAA0D;CAChE,aAAsC;CACtC,aAAsC,MAAO;CAE7C,YAAY,OAA+C;AACzD,OAAK,aAAa,OAAO,OAAO,KAAK;AACrC,OAAK,aAAa,OAAO,cAAc,KAAK;;CAG9C,IAAW,KAA4B;AAGrC,MAFe,KAAK,OAAO,IAAI,IAAI,EAEvB;GAEV,MAAM,QAAQ,KAAK,OAAO,IAAI,IAAI;AAKlC,OAAI,KAAK,KAAK,GAAG,MAAM,YAAY,MAAM,KAAK;AAC5C,SAAK,OAAO,OAAO,IAAI;AACvB;;AAEF,QAAK,OAAO,OAAO,IAAI;AACvB,QAAK,OAAO,IAAI,KAAK,MAAM;AAC3B,UAAO,MAAM;;;CAIjB,IAAW,KAAa,OAAU,KAAc;AAC9C,MAAI,KAAK,OAAO,QAAQ,KAAK,YAAY;GAEvC,MAAM,cAAc,KAAK,OAAO,MAAM,CAAC,MAAM,CAAC;AAC9C,QAAK,OAAO,OAAO,YAAY;;AAGjC,OAAK,OAAO,IAAI,KAAK;GACnB,MAAM;GACN,WAAW,KAAK,KAAK;GACrB,KAAK,OAAO,KAAK;GAClB,CAAC;;CAGJ,MAAa,KAAa;AACxB,OAAK,OAAO,OAAO,IAAI;;;;;ACzC3B,MAAM,eAAe;AAErB,MAAM,qBAAqB,IAAI,UAA2B;AAE1D,MAAM,SAAS,UAAU,UAAU;AAEnC,MAAM,qBAAqB,OAAO,EAChC,QACA,UAII;AACJ,KAAI;EACF,MAAM,YAAY,IAAI,sBAAsB;EAG5C,MAAM,uBADO,MADA,IAAI,YAAY,CACL,gBAAgB,EACP;AAEjC,MAAI,CAAC,oBACH,OAAM,IAAI,MAAM,4CAA4C;AAI9D,SAAO,KAAK,sCAAsC,sBAAsB;EAUxE,MAAM,eAAe,OAAO,KAAK,KAAK,UAJvB;GACb,KAAK;GACL,KAAK;GACN,CACsD,CAAC,CAAC,SAAS,SAAS;;;;EAM3E,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EACzC,MAAM,UAAU;GACd,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK,MAAM;GACZ;;;;EAUD,MAAM,cAAc,GAAG,aAAa,GARd,OAAO,KAAK,KAAK,UAAU,QAAQ,CAAC,CAAC,SACzD,SACD;EAOD,MAAM,CAAC,YAAY,MAAM,UAAU,SAAS;GAC1C,WAAW,CAAC,oBAAoB;GAChC,MAAM,8BAA8B;GACpC,SAAS,IAAI,WAAW,OAAO,KAAK,YAAY,CAAC;GAClD,CAAC;AAEF,MAAI,CAAC,SAAS,WACZ,OAAM,IAAI,MACR,6DACD;AAIH,SAAO,MACL,eAAe,OAAO,OAAO,wBAAwB,SAAS,MAAM,GACrE;AAQD,SAFkB,GAAG,YAAY,GAHf,OAAO,KAAK,SAAS,WAAW,CAAC,SAAS,SAAS;UAM9D,OAAO;AACd,MAAI,QAAQ,IAAI,sBAAsB,QAAQ;AAC5C,UAAO,KAAK,yCAAyC;AACrD,UAAO;;AAGT,SAAO,MAAM,+BAA+B,MAAe;AAE3D,QAAM,IAAI,MAAM,gCAAgC,KAAK,UAAU,MAAM,GAAG;;;;;;;;;;;AAY5E,MAAa,0BAA0B,OAAO,EAC5C,QACA,UAIqB;AACrB,QAAO,WAAW;EAChB,UAAU,OAAO;EACjB,gBAAgB,mBAAmB;GAAE;GAAQ;GAAK,CAAC;EACpD,CAAC;;;;;;AAOJ,MAAa,aAAa,OAAO,QAAgB;AAC/C,oBAAmB,MAAM,IAAI;;AAG/B,MAAM,cAAc,EAClB,UACA,eAII;;;;CAKJ,MAAM,YAAY,mBAAmB,IAAI,SAAS;AAClD,KAAI,WAAW;AACb,SAAO,MAAM,WAAW,SAAS,kBAAkB;AACnD,SAAO;;CAGT,MAAM,aAAa,UAAU;AAG7B,oBAAmB,IAAI,UAAU,YAAa,eAAe,IAAK,IAAK;AAEvE,QAAO;;AAGT,MAAM,0BAA0B,OAAO,aAAqB;AAC1D,KAAI;AAMF,SAAO,OAFQ,MAHF,IAAI,WAAW,EAC1B,QAAQ,kDACT,CAAC,CACwB,iBAAiB,SAAS,EAEhC,gBAAgB,aAAa,SAAS;UACnD,OAAO;AACd,MAAI,QAAQ,IAAI,sBAAsB,QAAQ;AAC5C,UAAO,KAAK,0CAA0C;AACtD,UAAO;;AAGT,SAAO,MAAM,+BAA+B,MAAe;AAE3D,QAAM,IAAI,MAAM,gCAAgC,KAAK,UAAU,MAAM,GAAG;;;;;;;;AAS5E,MAAa,+BAA+B,OAC1C,aACoB;AACpB,QAAO,WAAW;EAChB,UAAU;EACV,gBAAgB,wBAAwB,SAAS;EAClD,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@sebspark/gcp-iam",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.17",
|
|
4
4
|
"license": "Apache-2.0",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.mjs",
|
|
@@ -18,7 +18,7 @@
|
|
|
18
18
|
},
|
|
19
19
|
"dependencies": {
|
|
20
20
|
"@google-cloud/iam-credentials": "4.2.1",
|
|
21
|
-
"@sebspark/otel": "2.0.
|
|
21
|
+
"@sebspark/otel": "2.0.14",
|
|
22
22
|
"google-auth-library": "10.6.1"
|
|
23
23
|
},
|
|
24
24
|
"repository": {
|