@vizamodo/aws-sts-core 0.3.1 → 0.3.3

package/dist/sts/issue.js

@@ -17,12 +17,15 @@ const PROFILE_TTL = {
 };
 const DEFAULT_TTL = 2 * 60 * 60;
 // ---- isolate-level cached signing material ----
+// Promise-based cache to avoid cold-start race during concurrent imports
+let signingKeyPromise = null;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
 // ---- cached certificate serial (DER parse is expensive, cert rarely changes) ----
 let cachedCertSerialDec = null;
 let cachedCertSerialSource = null;
+const stsCredentialCache = new Map();
 // ---- shared encoder ----
 const textEncoder = new TextEncoder();
 // Precomputed hex table for fast byte→hex conversion (no per-byte toString alloc)
@@ -34,18 +37,32 @@ async function getSigningMaterial(input) {
     if (cachedSigningKey &&
         cachedCertBase64 === input.certBase64 &&
         cachedPrivateKeyBase64 === input.privateKeyPkcs8Base64) {
-        console.debug("[sts-cache] signingKey HIT");
         return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
     }
-    console.debug("[sts-cache] signingKey MISS → importing key");
+    // Reset cache only after a signing key has been resolved and material actually changed
+    if (cachedSigningKey &&
+        (cachedCertBase64 !== input.certBase64 ||
+            cachedPrivateKeyBase64 !== input.privateKeyPkcs8Base64)) {
+        signingKeyPromise = null;
+        cachedSigningKey = null;
+    }
+    if (!signingKeyPromise) {
+        try {
+            const keyBuffer = base64ToBytes(input.privateKeyPkcs8Base64);
+            signingKeyPromise = crypto.subtle.importKey("pkcs8", keyBuffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
+        }
+        catch {
+            throw new InternalError("invalid_signing_material");
+        }
+    }
     try {
-        const keyBuffer = base64ToBytes(input.privateKeyPkcs8Base64);
-        cachedSigningKey = await crypto.subtle.importKey("pkcs8", keyBuffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
+        cachedSigningKey = await signingKeyPromise;
         cachedCertBase64 = input.certBase64;
         cachedPrivateKeyBase64 = input.privateKeyPkcs8Base64;
         return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
     }
     catch {
+        signingKeyPromise = null; // allow retry after failure
         throw new InternalError("invalid_signing_material");
     }
 }
@@ -62,31 +79,14 @@ export async function issueAwsCredentials(input) {
     // Normalize certificate once so every subsystem (cache, DER parse, headers)
     // uses the exact same canonical string
     const normalizedCert = normalizeCert(certBase64);
-    const { signingKey } = await getSigningMaterial({
-        certBase64: normalizedCert,
-        privateKeyPkcs8Base64,
-    });
-    // 2. Setup constants
-    const host = `${SERVICE}.${region}.amazonaws.com`;
-    const path = PATH;
-    const now = new Date();
-    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
-    const dateStamp = amzDate.slice(0, 8);
-    const service = SERVICE;
-    // 3. Chuẩn bị Body & Cert
-    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
-    const payloadHash = await getPayloadHash(body);
-    // --- REFACTOR: Làm sạch chứng chỉ chặt chẽ ---
-    // const normalizedCert = normalizeCert(certBase64);
+    let cacheKey = "";
     // --- REFACTOR: Parser ASN.1 an toàn để lấy Serial Number (DECIMAL) ---
     // --- MINIMAL DER WALK: extract serial number ---
     let certSerialDec;
     if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
-        console.debug("[sts-cache] certSerial HIT");
         certSerialDec = cachedCertSerialDec;
     }
     else {
-        console.debug("[sts-cache] certSerial MISS → parsing DER");
         try {
             const der = base64ToBytes(normalizedCert);
             let offset = 0;
@@ -119,11 +119,12 @@ export async function issueAwsCredentials(input) {
             if (serial.length > 1 && serial[0] === 0x00) {
                 serial = serial.slice(1);
             }
-            let hex = "";
+            // Build BigInt directly from bytes (avoids hex string allocation)
+            let serialBig = 0n;
             for (let i = 0; i < serial.length; i++) {
-                hex += HEX_TABLE[serial[i]];
+                serialBig = (serialBig << 8n) | BigInt(serial[i]);
             }
-            certSerialDec = BigInt("0x" + hex).toString();
+            certSerialDec = serialBig.toString();
             cachedCertSerialDec = certSerialDec;
             cachedCertSerialSource = normalizedCert;
         }
@@ -132,6 +133,37 @@ export async function issueAwsCredentials(input) {
             throw new InternalError("invalid_cert_der");
         }
     }
+    // ---- STS credential cache lookup (using certificate serial) ----
+    cacheKey = `${region}|${roleArn}|${profileArn}|${certSerialDec}`;
+    const cachedEntry = stsCredentialCache.get(cacheKey);
+    // Only reuse cached credentials if they still have >1h1m remaining
+    const MIN_REMAINING_MS = 61 * 60 * 1000;
+    if (cachedEntry) {
+        // If credentials already resolved and still valid → reuse
+        if (cachedEntry.expiresAt > Date.now() + MIN_REMAINING_MS) {
+            return cachedEntry.promise;
+        }
+        // If a refresh is already in-flight → await same promise
+        if (cachedEntry.expiresAt === 0) {
+            return cachedEntry.promise;
+        }
+    }
+    const { signingKey } = await getSigningMaterial({
+        certBase64: normalizedCert,
+        privateKeyPkcs8Base64,
+    });
+    // 2. Setup constants
+    const host = `${SERVICE}.${region}.amazonaws.com`;
+    const path = PATH;
+    const now = new Date();
+    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
+    const dateStamp = amzDate.slice(0, 8);
+    const service = SERVICE;
+    // 3. Chuẩn bị Body & Cert
+    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
+    const payloadHash = await getPayloadHash(body);
+    // --- REFACTOR: Làm sạch chứng chỉ chặt chẽ ---
+    // const normalizedCert = normalizeCert(certBase64);
     // 4. Tính toán Signature
     const baseHeaders = {
         "content-type": "application/json",
@@ -149,30 +181,14 @@ export async function issueAwsCredentials(input) {
         signedHeaders,
         payloadHash,
     });
-    console.debug("[sts-debug] canonicalRequest", {
-        amzDate,
-        signedHeaders,
-        payloadHash,
-        canonicalHeadersPreview: canonicalHeaders.slice(0, 120),
-        canonicalRequestPreview: canonicalRequest.slice(0, 200)
-    });
     const canonicalRequestHash = await getCanonicalRequestHash(canonicalRequest);
-    console.debug("[sts-debug] canonicalRequestHash", canonicalRequestHash);
     const stringToSign = buildStringToSign({
         algorithm: ALGORITHM,
         amzDate,
         credentialScope,
         canonicalRequestHash,
     });
-    console.debug("[sts-debug] stringToSign", {
-        credentialScope,
-        stringPreview: stringToSign.slice(0, 200)
-    });
     const signatureHex = await signStringToSign(stringToSign, signingKey);
-    console.debug("[sts-debug] signature", {
-        length: signatureHex.length,
-        prefix: signatureHex.slice(0, 32)
-    });
     // 5. Build Authorization Header với số Serial (DECIMAL)
     const finalHeaders = new Headers({
         "Content-Type": "application/json",
@@ -180,69 +196,58 @@ export async function issueAwsCredentials(input) {
         "X-Amz-X509": normalizedCert,
         "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
     });
-    console.debug("[sts-debug] requestHeaders", {
-        host,
-        amzDate,
-        signedHeaders,
-        certLen: normalizedCert.length
-    });
-    console.debug("[sts-request] issuing rolesanywhere session", {
-        region,
-        profile,
-        roleArn,
-        profileArn,
-        trustAnchorArn,
-        amzDate,
-        cacheState: {
-            hasSigningKey: !!cachedSigningKey,
-            cachedCertMatch: cachedCertBase64 === normalizedCert,
-        }
-    });
-    // 6. Execution
-    try {
-        const res = await fetch(`https://${host}${path}`, {
-            method: "POST",
-            headers: finalHeaders,
-            body,
-        });
-        if (!res.ok) {
-            const errorBody = await res.text();
-            // Debug logs
-            console.error("[aws-rejected] Request details", {
-                status: res.status,
-                response: errorBody,
-                region,
-                profile,
-                amzDate
+    const refreshPromise = (async () => {
+        try {
+            const res = await fetch(`https://${host}${path}`, {
+                method: "POST",
+                headers: finalHeaders,
+                body,
             });
-            throw new InternalError("aws_rejected");
+            if (!res.ok) {
+                const errorBody = await res.text();
+                console.error("[aws-rejected] Request details", {
+                    status: res.status,
+                    response: errorBody,
+                    region,
+                    profile,
+                    amzDate
+                });
+                throw new InternalError("aws_rejected");
+            }
+            const json = await res.json();
+            const creds = json?.credentialSet?.[0]?.credentials;
+            if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
+                console.error("[issueAwsCredentials] malformed AWS credential response", { json });
+                throw new InternalError("aws_malformed_credentials");
+            }
+            const result = {
+                accessKeyId: creds.accessKeyId,
+                secretAccessKey: creds.secretAccessKey,
+                sessionToken: creds.sessionToken,
+                expiration: creds.expiration,
+            };
+            const exp = new Date(creds.expiration).getTime();
+            // update cache expiration after success
+            const entry = stsCredentialCache.get(cacheKey);
+            if (entry) {
+                entry.expiresAt = exp;
+            }
+            return result;
         }
-        const json = await res.json();
-        const creds = json?.credentialSet?.[0]?.credentials;
-        if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
-            console.error("[issueAwsCredentials] malformed AWS credential response", { json });
-            throw new InternalError("aws_malformed_credentials");
+        catch (e) {
+            // remove broken cache entry so next call can retry
+            stsCredentialCache.delete(cacheKey);
+            if (e instanceof InternalError)
+                throw e;
+            throw new InternalError("aws_unreachable");
         }
-        return {
-            accessKeyId: creds.accessKeyId,
-            secretAccessKey: creds.secretAccessKey,
-            sessionToken: creds.sessionToken,
-            expiration: creds.expiration,
-        };
-    }
-    catch (e) {
-        console.error("[sts-debug] fetch failure", {
-            error: String(e),
-            region,
-            roleArn,
-            profileArn,
-            trustAnchorArn,
-            amzDate
-        });
-        if (e instanceof InternalError)
-            throw e;
-        throw new InternalError("aws_unreachable");
-    }
+    })();
+    // store promise immediately to deduplicate concurrent refresh
+    stsCredentialCache.set(cacheKey, {
+        promise: refreshPromise,
+        expiresAt: 0,
+    });
+    return refreshPromise;
 }
 // ---- helpers ----
 function normalizeCert(raw) {
@@ -252,15 +257,14 @@ function normalizeCert(raw) {
     return raw.trim();
 }
 async function sha256Hex(input) {
-    const data = textEncoder.encode(input);
-    const hash = await crypto.subtle.digest("SHA-256", data);
+    // Tận dụng textEncoder có sẵn
+    const hash = await crypto.subtle.digest("SHA-256", textEncoder.encode(input));
     const bytes = new Uint8Array(hash);
-    // build hex string with minimal allocations
-    let out = "";
-    for (let i = 0; i < bytes.length; i++) {
-        out += HEX_TABLE[bytes[i]];
+    const hexParts = new Array(32); // SHA-256 luôn là 32 bytes
+    for (let i = 0; i < 32; i++) {
+        hexParts[i] = HEX_TABLE[bytes[i]];
     }
-    return out;
+    return hexParts.join("");
 }
 async function getCanonicalRequestHash(canonicalRequest) {
     return sha256Hex(canonicalRequest);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.3.1",
+  "version": "0.3.3",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",
@@ -13,6 +13,7 @@
   ],
   "scripts": {
     "build": "tsc",
+    "test": "vitest run",
     "clean": "rm -rf dist",
     "prepublishOnly": "npm run build",
     "dev": "ts-node bin/viza.ts",
@@ -20,6 +21,10 @@
     "release:full": "rm -rf dist && npx npm-check-updates -u && npm install && git add package.json package-lock.json && git commit -m 'chore(deps): auto update dependencies before release' || echo 'No changes' && node versioning.js && npm login && npm publish --tag latest --access public && git push"
   },
   "devDependencies": {
-    "typescript": "^5.9.3"
+    "@aws-crypto/sha256-js": "^5.2.0",
+    "@aws-sdk/signature-v4": "^3.374.0",
+    "@vitest/coverage-v8": "^4.0.18",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
   }
 }