npm - @vizamodo/aws-sts-core - Versions diffs - 0.1.45 → 0.1.49 - Mend

@vizamodo/aws-sts-core 0.1.45 → 0.1.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/sts/issue.d.ts CHANGED Viewed

@@ -1,9 +1,6 @@
 import type { AwsCredentialResult } from "../types";
 /**
  * Issue short-lived AWS credentials via Roles Anywhere.
- * Preserve:
- *  - TTL per profile
- *  - isolate-level signing material cache
  */
 export declare function issueAwsCredentials(input: {
     roleArn: string;

package/dist/sts/issue.js CHANGED Viewed

@@ -23,7 +23,7 @@ async function getSigningMaterial(input) {
 function resolveSessionTtlByProfile(profile) {
     switch (profile) {
         case "HubConsoleReadOnly":
-            return 1 * 60 * 60; // 12h
+            return 1 * 60 * 60; // 1h
         case "HubBillingReadonly":
         case "HubBillingAdmin":
             return 2 * 60 * 60; // 2h
@@ -36,14 +36,10 @@ function resolveSessionTtlByProfile(profile) {
 }
 /**
  * Issue short-lived AWS credentials via Roles Anywhere.
- * Preserve:
- *  - TTL per profile
- *  - isolate-level signing material cache
  */
 export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, } = input;
     // 1. Kiểm tra đầu vào & Fix TTL an toàn
-    // AWS mặc định chỉ cho phép 3600s, hãy fix cứng 1h để loại trừ lỗi IAM
     const sessionTtl = Math.min(resolveSessionTtlByProfile(profile), 3600);
     const { signingKey } = await getSigningMaterial({ certBase64, privateKeyPkcs8Base64 });
     // 2. Setup constants
@@ -53,33 +49,61 @@ export async function issueAwsCredentials(input) {
     const amzDate = now.toISOString().replace(/\.\d{3}Z$/, "Z").replace(/[:-]/g, "");
     const dateStamp = amzDate.slice(0, 8);
     const service = "rolesanywhere";
-    // 3. Chuẩn bị Body & Cert (base64-encoded DER, không marker, không xuống dòng)
+    // 3. Chuẩn bị Body & Cert
     const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
     const payloadHash = await sha256Hex(body);
-    // AWS Roles Anywhere requires base64-encoded DER (NO PEM markers, NO newlines)
-    const normalizedCert = certBase64.replace(/\s+/g, "");
-    // Extract certificate serial number (hex, uppercase) for Credential field
-    const certDer = base64ToArrayBuffer(normalizedCert);
-    // Extract certificate serial number from DER (ASN.1)
-    const derBytes = new Uint8Array(certDer);
-    // Very small ASN.1 parser: find first INTEGER after TBSCertificate
-    // Assumes standard X.509 v3 structure (safe for our controlled certs)
-    let offset = 0;
-    if (derBytes[offset++] !== 0x30)
-        throw new InternalError("invalid_cert_der");
-    offset += derBytes[offset] & 0x80 ? (derBytes[offset] & 0x7f) + 1 : 1;
-    if (derBytes[offset++] !== 0x30)
-        throw new InternalError("invalid_cert_der");
-    offset += derBytes[offset] & 0x80 ? (derBytes[offset] & 0x7f) + 1 : 1;
-    if (derBytes[offset++] !== 0x02)
+    // --- REFACTOR: Làm sạch chứng chỉ chặt chẽ ---
+    const normalizedCert = certBase64
+        .replace(/-----BEGIN CERTIFICATE-----/g, "")
+        .replace(/-----END CERTIFICATE-----/g, "")
+        .replace(/\s+/g, "");
+    // --- REFACTOR: Parser ASN.1 an toàn để lấy Serial Number (DECIMAL) ---
+    // --- MINIMAL DER WALK: extract serial number ---
+    let certSerialDec;
+    try {
+        const der = new Uint8Array(base64ToArrayBuffer(normalizedCert));
+        let offset = 0;
+        // helper: read DER length (short + long form)
+        function readLen() {
+            const b = der[offset++];
+            if ((b & 0x80) === 0)
+                return b;
+            const n = b & 0x7f;
+            let len = 0;
+            for (let i = 0; i < n; i++) {
+                len = (len << 8) | der[offset++];
+            }
+            return len;
+        }
+        // Certificate SEQUENCE
+        if (der[offset++] !== 0x30)
+            throw new Error("bad cert");
+        readLen();
+        // TBSCertificate SEQUENCE
+        if (der[offset++] !== 0x30)
+            throw new Error("bad tbs");
+        readLen();
+        // Optional version [0] EXPLICIT (0xa0)
+        if (der[offset] === 0xa0) {
+            offset++; // tag
+            const vLen = readLen(); // length
+            offset += vLen; // skip full version block
+        }
+        // SerialNumber INTEGER
+        if (der[offset++] !== 0x02)
+            throw new Error("bad serial tag");
+        const serialLen = readLen();
+        const serial = der.slice(offset, offset + serialLen);
+        certSerialDec = BigInt("0x" +
+            Array.from(serial)
+                .map(b => b.toString(16).padStart(2, "0"))
+                .join("")).toString();
+    }
+    catch (e) {
+        console.error("[issueAwsCredentials] Failed to parse cert serial", e);
         throw new InternalError("invalid_cert_der");
-    const serialLength = derBytes[offset++];
-    const serialBytes = derBytes.slice(offset, offset + serialLength);
-    const certSerialHex = Array.from(serialBytes)
-        .map((b) => b.toString(16).padStart(2, "0"))
-        .join("")
-        .toUpperCase();
-    // 4. Tính toán Signature (CẦN Host trong Canonical Request)
+    }
+    // 4. Tính toán Signature
     const baseHeaders = {
         "content-type": "application/json",
         "host": host,
@@ -103,14 +127,14 @@ export async function issueAwsCredentials(input) {
         canonicalRequestHash: await sha256Hex(canonicalRequest),
     });
     const signatureHex = await signStringToSign(stringToSign, signingKey);
-    // 5. Build Headers gửi đi (KHÔNG gửi Host header thủ công trong fetch)
+    // 5. Build Authorization Header với số Serial (DECIMAL)
     const finalHeaders = new Headers({
         "Content-Type": "application/json",
         "X-Amz-Date": amzDate,
         "X-Amz-X509": normalizedCert,
-        "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialHex}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
+        "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
     });
-    // 6. Execution (fetch)
+    // 6. Execution
     try {
         const res = await fetch(`https://${host}${path}`, {
             method: "POST",
@@ -119,51 +143,11 @@ export async function issueAwsCredentials(input) {
         });
         if (!res.ok) {
             const errorBody = await res.text();
-            // ---- Local curl debug command (FULL MATERIAL - ROTATE AFTER DEBUG) ----
-            const localCurlCommand = [
-                `curl -X POST "https://${host}${path}" \\`,
-                `  -H "Content-Type: application/json" \\`,
-                `  -H "X-Amz-Date: ${amzDate}" \\`,
-                `  -H "X-Amz-X509: ${normalizedCert}" \\`,
-                `  -H "Authorization: AWS4-X509-ECDSA-SHA256 Credential=${certSerialHex}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}" \\`,
-                `  -d '${body}'`
-            ].join("\n");
-            console.error("[aws-rejected][LOCAL-CURL-COMMAND]", localCurlCommand);
-            console.error("[aws-rejected][RAW-SIGNING-MATERIAL]", {
-                certBase64,
-                privateKeyPkcs8Base64
-            });
-            console.error("[aws-rejected][FULL-REQUEST-DUMP]", {
+            // Debug logs
+            console.error("[aws-rejected] Request details", {
                 status: res.status,
-                statusText: res.statusText,
-                awsResponse: errorBody,
-                // ---- Input parameters ----
-                roleArn,
-                profileArn,
-                trustAnchorArn,
-                region,
-                profile,
-                // ---- Derived signing values ----
-                host,
-                path,
-                amzDate,
-                dateStamp,
-                credentialScope,
-                signedHeaders,
-                signatureHex,
-                // ---- Body & payload ----
-                requestBody: body,
-                payloadHash,
-                // ---- Canonical ----
-                canonicalRequest,
-                stringToSign,
-                // ---- Headers actually sent ----
-                sentHeaders: {
-                    "Content-Type": "application/json",
-                    "X-Amz-Date": amzDate,
-                    "X-Amz-X509": normalizedCert,
-                    "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialHex}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
-                }
+                response: errorBody,
+                serial: certSerialDec
             });
             throw new InternalError("aws_rejected");
         }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.1.45",
+  "version": "0.1.49",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",