npm - @vizamodo/aws-sts-core - Versions diffs - 0.1.43 → 0.1.47 - Mend

@vizamodo/aws-sts-core 0.1.43 → 0.1.47

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/sts/issue.d.ts CHANGED Viewed

@@ -1,9 +1,6 @@
 import type { AwsCredentialResult } from "../types";
 /**
  * Issue short-lived AWS credentials via Roles Anywhere.
- * Preserve:
- *  - TTL per profile
- *  - isolate-level signing material cache
  */
 export declare function issueAwsCredentials(input: {
     roleArn: string;

package/dist/sts/issue.js CHANGED Viewed

@@ -23,7 +23,7 @@ async function getSigningMaterial(input) {
 function resolveSessionTtlByProfile(profile) {
     switch (profile) {
         case "HubConsoleReadOnly":
-            return 1 * 60 * 60; // 12h
+            return 1 * 60 * 60; // 1h
         case "HubBillingReadonly":
         case "HubBillingAdmin":
             return 2 * 60 * 60; // 2h
@@ -36,14 +36,10 @@ function resolveSessionTtlByProfile(profile) {
 }
 /**
  * Issue short-lived AWS credentials via Roles Anywhere.
- * Preserve:
- *  - TTL per profile
- *  - isolate-level signing material cache
  */
 export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, } = input;
     // 1. Kiểm tra đầu vào & Fix TTL an toàn
-    // AWS mặc định chỉ cho phép 3600s, hãy fix cứng 1h để loại trừ lỗi IAM
     const sessionTtl = Math.min(resolveSessionTtlByProfile(profile), 3600);
     const { signingKey } = await getSigningMaterial({ certBase64, privateKeyPkcs8Base64 });
     // 2. Setup constants
@@ -53,12 +49,46 @@ export async function issueAwsCredentials(input) {
     const amzDate = now.toISOString().replace(/\.\d{3}Z$/, "Z").replace(/[:-]/g, "");
     const dateStamp = amzDate.slice(0, 8);
     const service = "rolesanywhere";
-    // 3. Chuẩn bị Body & Cert (base64-encoded DER, không marker, không xuống dòng)
+    // 3. Chuẩn bị Body & Cert
     const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
     const payloadHash = await sha256Hex(body);
-    // AWS Roles Anywhere requires base64-encoded DER (NO PEM markers, NO newlines)
-    const normalizedCert = certBase64.replace(/\s+/g, "");
-    // 4. Tính toán Signature (CẦN Host trong Canonical Request)
+    // --- REFACTOR: Làm sạch chứng chỉ chặt chẽ ---
+    const normalizedCert = certBase64
+        .replace(/-----BEGIN CERTIFICATE-----/g, "")
+        .replace(/-----END CERTIFICATE-----/g, "")
+        .replace(/\s+/g, "");
+    // --- REFACTOR: Parser ASN.1 an toàn để lấy Serial Number (DECIMAL) ---
+    let certSerialDec;
+    try {
+        const certDer = base64ToArrayBuffer(normalizedCert);
+        const derBytes = new Uint8Array(certDer);
+        let offset = 0;
+        // X509v3 structure check
+        if (derBytes[offset++] !== 0x30)
+            throw new Error("Not a sequence");
+        offset += derBytes[offset] & 0x80 ? (derBytes[offset] & 0x7f) + 1 : 1;
+        if (derBytes[offset++] !== 0x30)
+            throw new Error("Not a sequence");
+        offset += derBytes[offset] & 0x80 ? (derBytes[offset] & 0x7f) + 1 : 1;
+        // INTEGER (Serial Number)
+        if (derBytes[offset++] !== 0x02)
+            throw new Error("Not an integer");
+        const serialLength = derBytes[offset++];
+        // Bounds check
+        if (offset + serialLength > derBytes.length)
+            throw new Error("Bounds error");
+        const serialBytes = derBytes.slice(offset, offset + serialLength);
+        // Convert to Decimal string
+        certSerialDec = BigInt("0x" + Array.from(serialBytes)
+            .map((b) => b.toString(16).padStart(2, "0"))
+            .join(""))
+            .toString();
+    }
+    catch (e) {
+        console.error("[issueAwsCredentials] Failed to parse cert serial", e);
+        throw new InternalError("invalid_cert_der");
+    }
+    // 4. Tính toán Signature
     const baseHeaders = {
         "content-type": "application/json",
         "host": host,
@@ -82,14 +112,14 @@ export async function issueAwsCredentials(input) {
         canonicalRequestHash: await sha256Hex(canonicalRequest),
     });
     const signatureHex = await signStringToSign(stringToSign, signingKey);
-    // 5. Build Headers gửi đi (KHÔNG gửi Host header thủ công trong fetch)
+    // 5. Build Authorization Header với số Serial (DECIMAL)
     const finalHeaders = new Headers({
         "Content-Type": "application/json",
         "X-Amz-Date": amzDate,
         "X-Amz-X509": normalizedCert,
-        "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${profileArn}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
+        "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
     });
-    // 6. Execution (fetch)
+    // 6. Execution
     try {
         const res = await fetch(`https://${host}${path}`, {
             method: "POST",
@@ -98,51 +128,11 @@ export async function issueAwsCredentials(input) {
         });
         if (!res.ok) {
             const errorBody = await res.text();
-            // ---- Local curl debug command (FULL MATERIAL - ROTATE AFTER DEBUG) ----
-            const localCurlCommand = [
-                `curl -X POST "https://${host}${path}" \\`,
-                `  -H "Content-Type: application/json" \\`,
-                `  -H "X-Amz-Date: ${amzDate}" \\`,
-                `  -H "X-Amz-X509: ${normalizedCert}" \\`,
-                `  -H "Authorization: AWS4-X509-ECDSA-SHA256 Credential=${profileArn}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}" \\`,
-                `  -d '${body}'`
-            ].join("\n");
-            console.error("[aws-rejected][LOCAL-CURL-COMMAND]", localCurlCommand);
-            console.error("[aws-rejected][RAW-SIGNING-MATERIAL]", {
-                certBase64,
-                privateKeyPkcs8Base64
-            });
-            console.error("[aws-rejected][FULL-REQUEST-DUMP]", {
+            // Debug logs
+            console.error("[aws-rejected] Request details", {
                 status: res.status,
-                statusText: res.statusText,
-                awsResponse: errorBody,
-                // ---- Input parameters ----
-                roleArn,
-                profileArn,
-                trustAnchorArn,
-                region,
-                profile,
-                // ---- Derived signing values ----
-                host,
-                path,
-                amzDate,
-                dateStamp,
-                credentialScope,
-                signedHeaders,
-                signatureHex,
-                // ---- Body & payload ----
-                requestBody: body,
-                payloadHash,
-                // ---- Canonical ----
-                canonicalRequest,
-                stringToSign,
-                // ---- Headers actually sent ----
-                sentHeaders: {
-                    "Content-Type": "application/json",
-                    "X-Amz-Date": amzDate,
-                    "X-Amz-X509": normalizedCert,
-                    "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${profileArn}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
-                }
+                response: errorBody,
+                serial: certSerialDec
             });
             throw new InternalError("aws_rejected");
         }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.1.43",
+  "version": "0.1.47",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",