npm - @vizamodo/aws-sts-core - Versions diffs - 0.3.2 → 0.3.5 - Mend

@vizamodo/aws-sts-core 0.3.2 → 0.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/sts/issue.js +100 -62
package/package.json +1 -1

package/dist/sts/issue.js CHANGED Viewed

@@ -8,7 +8,7 @@ const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
 const PATH = "/sessions";
 const PROFILE_TTL = {
-    Runtime: 90 * 60,
+    Runtime: 30 * 60,
     ConsoleReadOnly: 12 * 60 * 60,
     ConsoleViewOnlyProd: 12 * 60 * 60,
     BillingReadOnly: 2 * 60 * 60,
@@ -25,6 +25,7 @@ let cachedPrivateKeyBase64 = null;
 // ---- cached certificate serial (DER parse is expensive, cert rarely changes) ----
 let cachedCertSerialDec = null;
 let cachedCertSerialSource = null;
+const stsCredentialCache = new Map();
 // ---- shared encoder ----
 const textEncoder = new TextEncoder();
 // Precomputed hex table for fast byte→hex conversion (no per-byte toString alloc)
@@ -78,22 +79,7 @@ export async function issueAwsCredentials(input) {
     // Normalize certificate once so every subsystem (cache, DER parse, headers)
     // uses the exact same canonical string
     const normalizedCert = normalizeCert(certBase64);
-    const { signingKey } = await getSigningMaterial({
-        certBase64: normalizedCert,
-        privateKeyPkcs8Base64,
-    });
-    // 2. Setup constants
-    const host = `${SERVICE}.${region}.amazonaws.com`;
-    const path = PATH;
-    const now = new Date();
-    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
-    const dateStamp = amzDate.slice(0, 8);
-    const service = SERVICE;
-    // 3. Chuẩn bị Body & Cert
-    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
-    const payloadHash = await getPayloadHash(body);
-    // --- REFACTOR: Làm sạch chứng chỉ chặt chẽ ---
-    // const normalizedCert = normalizeCert(certBase64);
+    let cacheKey = "";
     // --- REFACTOR: Parser ASN.1 an toàn để lấy Serial Number (DECIMAL) ---
     // --- MINIMAL DER WALK: extract serial number ---
     let certSerialDec;
@@ -105,11 +91,15 @@ export async function issueAwsCredentials(input) {
             const der = base64ToBytes(normalizedCert);
             let offset = 0;
             function readLen() {
+                if (offset >= der.length)
+                    throw new Error("DER overflow");
                 const b = der[offset++];
                 if ((b & 0x80) === 0)
                     return b;
                 const n = b & 0x7f;
                 let len = 0;
+                if (offset + n > der.length)
+                    throw new Error("DER overflow");
                 for (let i = 0; i < n; i++) {
                     len = (len << 8) | der[offset++];
                 }
@@ -129,15 +119,18 @@ export async function issueAwsCredentials(input) {
             if (der[offset++] !== 0x02)
                 throw new Error("bad serial tag");
             const serialLen = readLen();
+            if (offset + serialLen > der.length)
+                throw new Error("DER overflow");
             let serial = der.slice(offset, offset + serialLen);
             if (serial.length > 1 && serial[0] === 0x00) {
                 serial = serial.slice(1);
             }
-            let hex = "";
+            // Build BigInt directly from bytes (avoids hex string allocation)
+            let serialBig = 0n;
             for (let i = 0; i < serial.length; i++) {
-                hex += HEX_TABLE[serial[i]];
+                serialBig = (serialBig << 8n) | BigInt(serial[i]);
             }
-            certSerialDec = BigInt("0x" + hex).toString();
+            certSerialDec = serialBig.toString();
             cachedCertSerialDec = certSerialDec;
             cachedCertSerialSource = normalizedCert;
         }
@@ -146,6 +139,37 @@ export async function issueAwsCredentials(input) {
             throw new InternalError("invalid_cert_der");
         }
     }
+    // ---- STS credential cache lookup (using certificate serial) ----
+    cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
+    const cachedEntry = stsCredentialCache.get(cacheKey);
+    // Only reuse cached credentials if they still have >10p remaining
+    const MIN_REMAINING_MS = 5 * 60 * 1000;
+    if (cachedEntry) {
+        // If refresh already in-flight → await the same promise
+        if (cachedEntry.expiresAt === 0) {
+            return cachedEntry.promise;
+        }
+        // If credentials still valid with safe remaining window → reuse
+        if (cachedEntry.expiresAt > Date.now() + MIN_REMAINING_MS) {
+            return cachedEntry.promise;
+        }
+    }
+    const { signingKey } = await getSigningMaterial({
+        certBase64: normalizedCert,
+        privateKeyPkcs8Base64,
+    });
+    // 2. Setup constants
+    const host = `${SERVICE}.${region}.amazonaws.com`;
+    const path = PATH;
+    const iso = new Date().toISOString(); // e.g. 2026-03-07T12:00:00.000Z
+    const amzDate = `${iso.slice(0, 4)}${iso.slice(5, 7)}${iso.slice(8, 10)}T${iso.slice(11, 13)}${iso.slice(14, 16)}${iso.slice(17, 19)}Z`;
+    const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
+    const service = SERVICE;
+    // 3. Chuẩn bị Body & Cert
+    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
+    const payloadHash = await getPayloadHash(body);
+    // --- REFACTOR: Làm sạch chứng chỉ chặt chẽ ---
+    // const normalizedCert = normalizeCert(certBase64);
     // 4. Tính toán Signature
     const baseHeaders = {
         "content-type": "application/json",
@@ -178,60 +202,74 @@ export async function issueAwsCredentials(input) {
         "X-Amz-X509": normalizedCert,
         "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
     });
-    try {
-        const res = await fetch(`https://${host}${path}`, {
-            method: "POST",
-            headers: finalHeaders,
-            body,
-        });
-        if (!res.ok) {
-            const errorBody = await res.text();
-            // Debug logs
-            console.error("[aws-rejected] Request details", {
-                status: res.status,
-                response: errorBody,
-                region,
-                profile,
-                amzDate
+    const refreshPromise = (async () => {
+        try {
+            const res = await fetch(`https://${host}${path}`, {
+                method: "POST",
+                headers: finalHeaders,
+                body,
             });
-            throw new InternalError("aws_rejected");
+            if (!res.ok) {
+                console.warn("[aws-rejected]", {
+                    status: res.status,
+                    region,
+                    profile
+                });
+                throw new InternalError("aws_rejected");
+            }
+            const json = await res.json();
+            const creds = json?.credentialSet?.[0]?.credentials;
+            if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
+                console.warn("[issueAwsCredentials] malformed AWS credential response");
+                throw new InternalError("aws_malformed_credentials");
+            }
+            const result = {
+                accessKeyId: creds.accessKeyId,
+                secretAccessKey: creds.secretAccessKey,
+                sessionToken: creds.sessionToken,
+                expiration: creds.expiration,
+            };
+            // subtract small clock‑skew safety window (5s)
+            const exp = new Date(creds.expiration).getTime() - 5000;
+            // update cache expiration after success
+            const entry = stsCredentialCache.get(cacheKey);
+            if (entry) {
+                entry.expiresAt = exp;
+            }
+            return result;
         }
-        const json = await res.json();
-        const creds = json?.credentialSet?.[0]?.credentials;
-        if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
-            console.error("[issueAwsCredentials] malformed AWS credential response", { json });
-            throw new InternalError("aws_malformed_credentials");
+        catch (e) {
+            // remove broken cache entry so next call can retry
+            stsCredentialCache.delete(cacheKey);
+            if (e instanceof InternalError)
+                throw e;
+            throw new InternalError("aws_unreachable");
         }
-        return {
-            accessKeyId: creds.accessKeyId,
-            secretAccessKey: creds.secretAccessKey,
-            sessionToken: creds.sessionToken,
-            expiration: creds.expiration,
-        };
-    }
-    catch (e) {
-        if (e instanceof InternalError)
-            throw e;
-        throw new InternalError("aws_unreachable");
-    }
+    })();
+    // store promise immediately to deduplicate concurrent refresh
+    stsCredentialCache.set(cacheKey, {
+        promise: refreshPromise,
+        expiresAt: 0,
+    });
+    return refreshPromise;
 }
 // ---- helpers ----
 function normalizeCert(raw) {
     if (raw.includes("BEGIN CERTIFICATE")) {
         throw new InternalError("pem_not_allowed");
     }
-    return raw.trim();
+    // remove whitespace and newlines to ensure stable cache keys
+    return raw.replace(/\s+/g, "");
 }
 async function sha256Hex(input) {
-    const data = textEncoder.encode(input);
-    const hash = await crypto.subtle.digest("SHA-256", data);
+    // Tận dụng textEncoder có sẵn
+    const hash = await crypto.subtle.digest("SHA-256", textEncoder.encode(input));
     const bytes = new Uint8Array(hash);
-    // build hex string with minimal allocations
-    let out = "";
-    for (let i = 0; i < bytes.length; i++) {
-        out += HEX_TABLE[bytes[i]];
+    const hexParts = new Array(32); // SHA-256 luôn là 32 bytes
+    for (let i = 0; i < 32; i++) {
+        hexParts[i] = HEX_TABLE[bytes[i]];
     }
-    return out;
+    return hexParts.join("");
 }
 async function getCanonicalRequestHash(canonicalRequest) {
     return sha256Hex(canonicalRequest);
@@ -241,7 +279,7 @@ async function getPayloadHash(body) {
     // so caching adds complexity without measurable benefit.
     return sha256Hex(body);
 }
-// Faster base64 decode → Uint8Array (avoids extra ArrayBuffer wrapping)
+// Faster base64 decode → Uint8Array (V8 optimized path using built‑in vectorized conversion)
 function base64ToBytes(base64) {
     const binary = atob(base64);
     const len = binary.length;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.3.2",
+  "version": "0.3.5",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",