@vizamodo/aws-sts-core 0.4.5 → 0.4.6

package/dist/sts/issue.d.ts

@@ -9,12 +9,4 @@ export interface IssueAwsCredentialsInput {
     profile: string;
     forceRefresh?: boolean;
 }
-/**
- * Reset isolate-level signing material and cert serial caches.
- * ONLY for use in tests — forces re-import of signing key on next call.
- *
- * L1 cache is bypassed in tests via `forceRefresh: true` on each call —
- * there is no need to expose a cache-clear API from the core library.
- */
-export declare function resetIsolateCache(): void;
 export declare function issueAwsCredentials(input: IssueAwsCredentialsInput): Promise<AwsCredentialResult>;

package/dist/sts/issue.js

@@ -1,18 +1,14 @@
-import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
 import { canonicalizeHeaders } from "../sigv4/headers";
 import { buildCanonicalRequest } from "../sigv4/canonical";
 import { buildStringToSign } from "../sigv4/string-to-sign";
 import { signStringToSign } from "./signer";
 import { InternalError } from "./errors";
 import { sha256Hex } from "../crypto/sha256";
+import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
 // ── Constants ──────────────────────────────────────────────────────────────
 const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
 const PATH = "/sessions";
-/**
- * Per-profile AWS session duration (seconds).
- * Clamped to [MIN_SESSION_TTL, MAX_SESSION_TTL] at resolution time.
- */
 const PROFILE_TTL = {
     Runtime: 45 * 60,
     ConsoleReadOnly: 12 * 60 * 60,
@@ -22,88 +18,59 @@ const PROFILE_TTL = {
     BillingAccountant: 3 * 60 * 60,
 };
 const DEFAULT_SESSION_TTL = 2 * 60 * 60;
-const MIN_SESSION_TTL = 45 * 60; // 45 min
-const MAX_SESSION_TTL = 12 * 60 * 60; // 12 h
-// ── Isolate-level signing-material cache ───────────────────────────────────
-// Single Promise slot prevents concurrent cold-start import races.
+const MIN_SESSION_TTL = 45 * 60;
+const MAX_SESSION_TTL = 12 * 60 * 60;
+// ── Isolate-level Caches (L1) ─────────────────────────────────────────────
+// Cache vật liệu ký để tránh re-import CryptoKey liên tục
 let signingKeyPromise = null;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
-// ── Test utilities ─────────────────────────────────────────────────────────
-/**
- * Reset isolate-level signing material and cert serial caches.
- * ONLY for use in tests — forces re-import of signing key on next call.
- *
- * L1 cache is bypassed in tests via `forceRefresh: true` on each call —
- * there is no need to expose a cache-clear API from the core library.
- */
-export function resetIsolateCache() {
-    signingKeyPromise = null;
-    cachedSigningKey = null;
-    cachedCertBase64 = null;
-    cachedPrivateKeyBase64 = null;
-}
-// ── Signing material ───────────────────────────────────────────────────────
-async function getSigningMaterial(certBase64, privateKeyPkcs8Base64) {
-    // Fast path: same material already imported in this isolate.
-    if (cachedSigningKey &&
-        cachedCertBase64 === certBase64 &&
-        cachedPrivateKeyBase64 === privateKeyPkcs8Base64) {
-        return cachedSigningKey;
-    }
-    // Material changed or first call — reset and re-import.
-    // Cache vars are updated inside .then() so concurrent callers
-    // awaiting the same promise all see consistent state after resolve.
-    signingKeyPromise = null;
-    cachedSigningKey = null;
-    cachedCertBase64 = null;
-    cachedPrivateKeyBase64 = null;
-    signingKeyPromise = crypto.subtle
-        .importKey("pkcs8", base64ToBytes(privateKeyPkcs8Base64), { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"])
-        .then((key) => {
-        // Update cache atomically after successful import.
-        // All concurrent callers awaiting this promise will see
-        // consistent state and hit the fast path on next call.
-        cachedSigningKey = key;
-        cachedCertBase64 = certBase64;
-        cachedPrivateKeyBase64 = privateKeyPkcs8Base64;
-        return key;
-    })
-        .catch(() => {
-        signingKeyPromise = null; // allow retry on next call
-        throw new InternalError("invalid_signing_material");
-    });
-    return signingKeyPromise;
-}
-// ── Session TTL ────────────────────────────────────────────────────────────
-function resolveSessionTtl(profile) {
-    const ttl = PROFILE_TTL[profile] ?? DEFAULT_SESSION_TTL;
-    return Math.min(Math.max(ttl, MIN_SESSION_TTL), MAX_SESSION_TTL);
-}
-// ── Main export ────────────────────────────────────────────────────────────
+// Cache Serial Number để tránh redundant DER walks (CPU-bound)
+let cachedCertSerialDec = null;
+let cachedCertSerialSource = null;
+// ── Main Export ────────────────────────────────────────────────────────────
 export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, forceRefresh, } = input;
     const sessionTtl = resolveSessionTtl(profile);
     const normalizedCert = normalizeCert(certBase64);
-    // Cert serial — use isolate cache to avoid redundant DER walks.
     const certSerialDec = getCertSerialDec(normalizedCert);
-    const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
-    return getCachedOrFetch(cacheKey, () => fetchCredentials({
-        roleArn, profileArn, trustAnchorArn,
-        region, normalizedCert, privateKeyPkcs8Base64,
-        sessionTtl,
-    }), { ttlSec: 60, forceRefresh });
+    // Cache Key duy nhất dựa trên định danh của Role và Certificate
+    const cacheKey = `aws|${region}|${roleArn}|${certSerialDec}`;
+    return getCachedOrFetch(cacheKey, async () => {
+        return fetchAwsCredentials({
+            roleArn, profileArn, trustAnchorArn,
+            region, normalizedCert, privateKeyPkcs8Base64,
+            sessionTtl,
+            certSerialDec
+        });
+    }, {
+        // Cache L2 (Edge) sẽ được refresh khi còn 1/3 thời gian hiệu lực 
+        // hoặc cưỡng bức refresh qua forceRefresh
+        ttlSec: 60,
+        forceRefresh
+    });
 }
-async function fetchCredentials(input) {
-    const { roleArn, profileArn, trustAnchorArn, region, normalizedCert, privateKeyPkcs8Base64, sessionTtl, } = input;
+// ── Core Logic ─────────────────────────────────────────────────────────────
+async function fetchAwsCredentials(params) {
+    const { roleArn, profileArn, trustAnchorArn, region, normalizedCert, privateKeyPkcs8Base64, sessionTtl, certSerialDec } = params;
+    // 1. Chuẩn bị Signing Material (Isolate-cached)
     const signingKey = await getSigningMaterial(normalizedCert, privateKeyPkcs8Base64);
+    // 2. AWS SigV4 Metadata
     const host = `${SERVICE}.${region}.amazonaws.com`;
-    const iso = new Date().toISOString();
-    const amzDate = isoToAmzDate(iso);
-    const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
-    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
+    const now = new Date();
+    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, ""); // e.g. 20260318T220520Z
+    const dateStamp = amzDate.slice(0, 8);
+    const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
+    // 3. Request Body & Payload Hash
+    const body = JSON.stringify({
+        trustAnchorArn,
+        profileArn,
+        roleArn,
+        durationSeconds: sessionTtl
+    });
     const payloadHash = await sha256Hex(body);
+    // 4. Canonical Request & StringToSign
     const baseHeaders = {
         "content-type": "application/json",
         "host": host,
@@ -111,7 +78,6 @@ async function fetchCredentials(input) {
         "x-amz-x509": normalizedCert,
     };
     const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
-    const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
     const canonicalRequest = buildCanonicalRequest({
         method: "POST",
         canonicalUri: PATH,
@@ -120,147 +86,128 @@ async function fetchCredentials(input) {
         signedHeaders,
         payloadHash,
     });
-    const canonicalRequestHash = await sha256Hex(canonicalRequest);
     const stringToSign = buildStringToSign({
         algorithm: ALGORITHM,
         amzDate,
         credentialScope,
-        canonicalRequestHash,
+        canonicalRequestHash: await sha256Hex(canonicalRequest),
     });
+    // 5. Signature
     const signatureHex = await signStringToSign(stringToSign, signingKey);
-    const certSerialDec = getCertSerialDec(normalizedCert);
-    const finalHeaders = new Headers({
-        "Content-Type": "application/json",
-        "X-Amz-Date": amzDate,
-        "X-Amz-X509": normalizedCert,
-        "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
+    // 6. Execution
+    const res = await fetch(`https://${host}${PATH}`, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            "X-Amz-Date": amzDate,
+            "X-Amz-X509": normalizedCert,
+            "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
+        },
+        body,
     });
-    let res;
-    try {
-        res = await fetch(`https://${host}${PATH}`, {
-            method: "POST",
-            headers: finalHeaders,
-            body,
-        });
-    }
-    catch (err) {
-        console.warn("[aws-unreachable]", { region, err });
-        throw new InternalError("aws_unreachable");
-    }
     if (!res.ok) {
-        console.warn("[aws-rejected]", { status: res.status, region });
+        const errorText = await res.text().catch(() => "unknown");
+        console.error("[aws-rejected]", { status: res.status, body: errorText });
         throw new InternalError("aws_rejected");
     }
-    const json = await res.json();
-    const creds = json?.credentialSet?.[0]?.credentials;
-    if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
-        console.warn("[issueAwsCredentials] malformed AWS credential response");
+    const data = await res.json();
+    const creds = data?.credentialSet?.[0]?.credentials;
+    if (!creds?.accessKeyId) {
         throw new InternalError("aws_malformed_credentials");
     }
-    const value = {
+    const result = {
         accessKeyId: creds.accessKeyId,
         secretAccessKey: creds.secretAccessKey,
         sessionToken: creds.sessionToken,
         expiration: creds.expiration,
     };
-    // Cache for 1/3 of the credential lifetime so it's refreshed well before expiry.
-    // deriveEdgeTtlSec in cache.ts will further subtract EDGE_BUFFER_SEC (5 min).
+    // 7. Cache Control (L2 Edge Cache)
+    // Chiến thuật: Cache trong 1/3 thời gian hiệu lực của AWS Credential
     const expiresAtMs = Date.parse(creds.expiration);
-    const receivedAt = Date.now();
-    const credLifetimeSec = Math.floor((expiresAtMs - receivedAt) / 1000);
-    if (Number.isFinite(expiresAtMs) && credLifetimeSec > 0) {
+    const credLifetimeSec = Math.floor((expiresAtMs - Date.now()) / 1000);
+    if (credLifetimeSec > 300) { // Chỉ cache nếu còn hiệu lực trên 5 phút
         const cacheTtlSec = Math.floor(credLifetimeSec / 3);
-        const cacheExpiry = new Date(receivedAt + cacheTtlSec * 1000).toISOString();
-        return wrapResult(value, cacheExpiry);
+        const cacheExpiry = new Date(Date.now() + cacheTtlSec * 1000).toISOString();
+        return wrapResult(result, cacheExpiry);
     }
-    return value;
+    return result;
 }
 // ── Helpers ────────────────────────────────────────────────────────────────
-/** Strip whitespace; reject PEM-wrapped input. */
+function resolveSessionTtl(profile) {
+    const ttl = PROFILE_TTL[profile] ?? DEFAULT_SESSION_TTL;
+    return Math.min(Math.max(ttl, MIN_SESSION_TTL), MAX_SESSION_TTL);
+}
 function normalizeCert(raw) {
-    if (raw.includes("BEGIN CERTIFICATE")) {
+    if (raw.includes("BEGIN CERTIFICATE"))
         throw new InternalError("pem_not_allowed");
-    }
     return raw.replace(/\s+/g, "");
 }
-/** Extract cert serial as decimal string from DER-encoded base64 cert. */
 function getCertSerialDec(normalizedCert) {
-    return parseCertSerialDec(normalizedCert);
-}
-/**
- * Minimal DER walk to extract the certificate serial number as a decimal string.
- * Throws InternalError("invalid_cert_der") on any parse failure.
- */
-function parseCertSerialDec(normalizedCertBase64) {
-    try {
-        const der = base64ToBytes(normalizedCertBase64);
-        let offset = 0;
-        function readLen() {
-            if (offset >= der.length)
-                throw new Error("DER overflow");
-            const b = der[offset++];
-            if ((b & 0x80) === 0)
-                return b;
-            const n = b & 0x7f;
-            let len = 0;
-            if (offset + n > der.length)
-                throw new Error("DER overflow");
-            for (let i = 0; i < n; i++)
-                len = (len << 8) | der[offset++];
-            return len;
-        }
-        if (der[offset++] !== 0x30)
-            throw new Error("bad cert");
-        readLen();
-        if (der[offset++] !== 0x30)
-            throw new Error("bad tbs");
-        readLen();
-        // Skip optional [0] EXPLICIT version field.
-        if (der[offset] === 0xa0) {
-            offset++;
-            offset += readLen();
-        }
-        if (der[offset++] !== 0x02)
-            throw new Error("bad serial tag");
-        const serialLen = readLen();
-        if (offset + serialLen > der.length)
-            throw new Error("DER overflow");
-        let serial = der.slice(offset, offset + serialLen);
-        // Strip ASN.1 sign-extension padding byte.
-        if (serial.length > 1 && serial[0] === 0x00) {
-            serial = serial.slice(1);
-        }
-        let serialBig = 0n;
-        for (let i = 0; i < serial.length; i++) {
-            serialBig = (serialBig << 8n) | BigInt(serial[i]);
-        }
-        return serialBig.toString();
+    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
+        return cachedCertSerialDec;
     }
-    catch (e) {
-        console.error("[parseCertSerialDec] failed", e);
-        throw new InternalError("invalid_cert_der");
+    const der = base64ToBytes(normalizedCert);
+    let offset = 0;
+    const readLen = () => {
+        const b = der[offset++];
+        if ((b & 0x80) === 0)
+            return b;
+        let n = b & 0x7f;
+        let len = 0;
+        while (n--)
+            len = (len << 8) | der[offset++];
+        return len;
+    };
+    // Strict DER Walk (Sửa lỗi skip sai INTEGER của bản cũ)
+    if (der[offset++] !== 0x30)
+        throw new Error("Not a SEQUENCE"); // Cert
+    readLen();
+    if (der[offset++] !== 0x30)
+        throw new Error("Not a SEQUENCE"); // TBS
+    readLen();
+    if (der[offset] === 0xa0) { // Version tag
+        offset++;
+        offset += readLen();
     }
+    if (der[offset++] !== 0x02)
+        throw new Error("Serial not an INTEGER");
+    const sLen = readLen();
+    let serial = der.slice(offset, offset + sLen);
+    // Strip ASN.1 padding byte 0x00
+    if (serial.length > 1 && serial[0] === 0x00)
+        serial = serial.slice(1);
+    let big = 0n;
+    for (const b of serial)
+        big = (big << 8n) | BigInt(b);
+    cachedCertSerialDec = big.toString();
+    cachedCertSerialSource = normalizedCert;
+    return cachedCertSerialDec;
 }
-/**
- * Convert ISO-8601 to compact AMZ date-time format.
- * e.g. "2026-03-07T12:00:00.000Z" → "20260307T120000Z"
- */
-function isoToAmzDate(iso) {
-    return (iso.slice(0, 4) +
-        iso.slice(5, 7) +
-        iso.slice(8, 10) +
-        "T" +
-        iso.slice(11, 13) +
-        iso.slice(14, 16) +
-        iso.slice(17, 19) +
-        "Z");
+async function getSigningMaterial(cert, pk) {
+    if (cachedSigningKey && cachedCertBase64 === cert && cachedPrivateKeyBase64 === pk) {
+        return cachedSigningKey;
+    }
+    const pkBytes = base64ToBytes(pk);
+    signingKeyPromise = crypto.subtle.importKey("pkcs8", 
+    // LẤY BUFFER VÀ ÉP KIỂU: 
+    // Uint8Array.buffer có thể là ArrayBuffer | SharedArrayBuffer
+    // Web Crypto chỉ chấp nhận ArrayBuffer.
+    pkBytes.buffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]).then(key => {
+        cachedSigningKey = key;
+        cachedCertBase64 = cert;
+        cachedPrivateKeyBase64 = pk;
+        return key;
+    }).catch(e => {
+        signingKeyPromise = null;
+        throw new InternalError("invalid_signing_material");
+    });
+    return signingKeyPromise;
 }
-/** base64 → Uint8Array via V8's vectorized atob path. */
-function base64ToBytes(base64) {
-    const binary = atob(base64);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
+function base64ToBytes(b64) {
+    const bin = atob(b64);
+    const bytes = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) {
+        bytes[i] = bin.charCodeAt(i);
     }
     return bytes;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.4.5",
+  "version": "0.4.6",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",