@vizamodo/aws-sts-core 0.3.50 → 0.4.2
- package/dist/sts/issue.js +51 -18
- package/package.json +1 -1
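--- a/package/dist/sts/issue.js
+++ b/package/dist/sts/issue.js
@@ -1,10 +1,10 @@
-import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
 import { canonicalizeHeaders } from "../sigv4/headers";
 import { buildCanonicalRequest } from "../sigv4/canonical";
 import { buildStringToSign } from "../sigv4/string-to-sign";
 import { signStringToSign } from "./signer";
 import { InternalError } from "./errors";
 import { sha256Hex } from "../crypto/sha256";
+import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
 // ── Constants ──────────────────────────────────────────────────────────────
 const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
@@ -58,21 +58,29 @@ async function getSigningMaterial(certBase64, privateKeyPkcs8Base64) {
 cachedPrivateKeyBase64 === privateKeyPkcs8Base64) {
 return cachedSigningKey;
 }
-// Material
+// Material changed or first call — reset and re-import.
+// Cache vars are updated inside .then() so concurrent callers
+// awaiting the same promise all see consistent state after resolve.
 signingKeyPromise = null;
 cachedSigningKey = null;
-
-
-
-
-
-
-
-
-
-
-
-
+cachedCertBase64 = null;
+cachedPrivateKeyBase64 = null;
+signingKeyPromise = crypto.subtle
+.importKey("pkcs8", base64ToBytes(privateKeyPkcs8Base64), { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"])
+.then((key) => {
+// Update cache atomically after successful import.
+// All concurrent callers awaiting this promise will see
+// consistent state and hit the fast path on next call.
+cachedSigningKey = key;
+cachedCertBase64 = certBase64;
+cachedPrivateKeyBase64 = privateKeyPkcs8Base64;
+return key;
+})
+.catch(() => {
+signingKeyPromise = null; // allow retry on next call
+throw new InternalError("invalid_signing_material");
+});
+return signingKeyPromise;
 }
 // ── Session TTL ────────────────────────────────────────────────────────────
 function resolveSessionTtl(profile) {
@@ -127,16 +135,41 @@ async function fetchCredentials(input) {
 });
 const signatureHex = await signStringToSign(stringToSign, signingKey);
 const certSerialDec = getCertSerialDec(normalizedCert);
+// 🔍 Deep debug helper (compare with working version)
+function debugAwsSigning() {
+try {
+console.debug("[aws-debug][input]", {
+roleArn,
+profileArn,
+trustAnchorArn,
+region,
+sessionTtl,
+});
+console.debug("[aws-debug][cert]", {
+length: normalizedCert.length,
+preview: normalizedCert.slice(0, 30),
+});
+console.debug("[aws-debug][serial]", {
+serialDec: certSerialDec,
+serialHex: BigInt(certSerialDec).toString(16),
+});
+console.debug("[aws-debug][headers]", baseHeaders);
+console.debug("[aws-debug][signedHeaders]", signedHeaders);
+console.debug("[aws-debug][canonicalRequest]", canonicalRequest);
+console.debug("[aws-debug][stringToSign]", stringToSign);
+console.debug("[aws-debug][signatureHex]", signatureHex);
+}
+catch (e) {
+console.warn("[aws-debug][error]", e);
+}
+}
+debugAwsSigning();
 const finalHeaders = new Headers({
 "Content-Type": "application/json",
 "X-Amz-Date": amzDate,
 "X-Amz-X509": normalizedCert,
 "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
 });
-// 🔍 DEBUG signing output (temporary)
-console.debug("[aws-debug] canonicalRequest", canonicalRequest);
-console.debug("[aws-debug] stringToSign", stringToSign);
-console.debug("[aws-debug] authorization", finalHeaders.get("Authorization"));
 let res;
 try {
 res = await fetch(`https://${host}${PATH}`, {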
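Review bot: The new `debugAwsSigning()` helper in the third hunk writes `stringToSign`, `signatureHex`, `canonicalRequest` and the full `baseHeaders` to `console.debug` on every credential request, and because this is the published dist of the package those values go to whatever log sink the host runtime forwards console output to. A valid signature together with the exact string that was signed (which carries the X-Amz-Date) is enough to replay the RolesAnywhere request for as long as the service still accepts that timestamp, so this is session-credential material leaking into logs rather than harmless diagnostics; the "compare with working version" comment and the emoji suggest it was meant to be temporary, but 0.4.2 ships it unconditionally, and the block it replaces had the same problem with the Authorization header. Delete the helper and the `debugAwsSigning();` call before the next release, or if a diagnostic mode is genuinely needed, gate the call behind an explicit opt-in passed by the caller and drop the `[stringToSign]`, `[signatureHex]` and `[headers]` lines so only non-secret inputs (ARNs, region, TTL, certificate length and serial) can ever be logged. The enclosing `fetchCredentials` starts before this hunk and its body continues past the `fetch` call at the hunk's end.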