@vizamodo/aws-sts-core 0.4.6 → 0.4.7

package/dist/sts/issue.d.ts

@@ -9,4 +9,12 @@ export interface IssueAwsCredentialsInput {
     profile: string;
     forceRefresh?: boolean;
 }
+/**
+ * Reset isolate-level signing material and cert serial caches.
+ * ONLY for use in tests — forces re-import of signing key on next call.
+ *
+ * L1 cache is bypassed in tests via `forceRefresh: true` on each call —
+ * there is no need to expose a cache-clear API from the core library.
+ */
+export declare function resetIsolateCache(): void;
 export declare function issueAwsCredentials(input: IssueAwsCredentialsInput): Promise<AwsCredentialResult>;

package/dist/sts/issue.js

@@ -9,6 +9,10 @@ import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
 const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
 const PATH = "/sessions";
+/**
+ * Per-profile AWS session duration (seconds).
+ * Clamped to [MIN_SESSION_TTL, MAX_SESSION_TTL] at resolution time.
+ */
 const PROFILE_TTL = {
     Runtime: 45 * 60,
     ConsoleReadOnly: 12 * 60 * 60,
@@ -18,59 +22,94 @@ const PROFILE_TTL = {
     BillingAccountant: 3 * 60 * 60,
 };
 const DEFAULT_SESSION_TTL = 2 * 60 * 60;
-const MIN_SESSION_TTL = 45 * 60;
-const MAX_SESSION_TTL = 12 * 60 * 60;
-// ── Isolate-level Caches (L1) ─────────────────────────────────────────────
-// Cache vật liệu ký để tránh re-import CryptoKey liên tục
+const MIN_SESSION_TTL = 45 * 60; // 45 min
+const MAX_SESSION_TTL = 12 * 60 * 60; // 12 h
+// ── Isolate-level signing-material cache ───────────────────────────────────
+// Single Promise slot prevents concurrent cold-start import races.
 let signingKeyPromise = null;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
-// Cache Serial Number để tránh redundant DER walks (CPU-bound)
+// ── Isolate-level cert-serial cache ───────────────────────────────────────
+// DER walk is CPU-bound; the cert rarely rotates within an isolate lifetime.
 let cachedCertSerialDec = null;
 let cachedCertSerialSource = null;
-// ── Main Export ────────────────────────────────────────────────────────────
+// ── Test utilities ─────────────────────────────────────────────────────────
+/**
+ * Reset isolate-level signing material and cert serial caches.
+ * ONLY for use in tests — forces re-import of signing key on next call.
+ *
+ * L1 cache is bypassed in tests via `forceRefresh: true` on each call —
+ * there is no need to expose a cache-clear API from the core library.
+ */
+export function resetIsolateCache() {
+    signingKeyPromise = null;
+    cachedSigningKey = null;
+    cachedCertBase64 = null;
+    cachedPrivateKeyBase64 = null;
+    cachedCertSerialDec = null;
+    cachedCertSerialSource = null;
+}
+// ── Signing material ───────────────────────────────────────────────────────
+async function getSigningMaterial(certBase64, privateKeyPkcs8Base64) {
+    // Fast path: same material already imported in this isolate.
+    if (cachedSigningKey &&
+        cachedCertBase64 === certBase64 &&
+        cachedPrivateKeyBase64 === privateKeyPkcs8Base64) {
+        return cachedSigningKey;
+    }
+    // Material changed or first call — reset and re-import.
+    // Cache vars are updated inside .then() so concurrent callers
+    // awaiting the same promise all see consistent state after resolve.
+    signingKeyPromise = null;
+    cachedSigningKey = null;
+    cachedCertBase64 = null;
+    cachedPrivateKeyBase64 = null;
+    signingKeyPromise = crypto.subtle
+        .importKey("pkcs8", base64ToBytes(privateKeyPkcs8Base64), { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"])
+        .then((key) => {
+        // Update cache atomically after successful import.
+        // All concurrent callers awaiting this promise will see
+        // consistent state and hit the fast path on next call.
+        cachedSigningKey = key;
+        cachedCertBase64 = certBase64;
+        cachedPrivateKeyBase64 = privateKeyPkcs8Base64;
+        return key;
+    })
+        .catch(() => {
+        signingKeyPromise = null; // allow retry on next call
+        throw new InternalError("invalid_signing_material");
+    });
+    return signingKeyPromise;
+}
+// ── Session TTL ────────────────────────────────────────────────────────────
+function resolveSessionTtl(profile) {
+    const ttl = PROFILE_TTL[profile] ?? DEFAULT_SESSION_TTL;
+    return Math.min(Math.max(ttl, MIN_SESSION_TTL), MAX_SESSION_TTL);
+}
+// ── Main export ────────────────────────────────────────────────────────────
 export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, forceRefresh, } = input;
     const sessionTtl = resolveSessionTtl(profile);
     const normalizedCert = normalizeCert(certBase64);
+    // Cert serial — use isolate cache to avoid redundant DER walks.
     const certSerialDec = getCertSerialDec(normalizedCert);
-    // Cache Key duy nhất dựa trên định danh của Role và Certificate
-    const cacheKey = `aws|${region}|${roleArn}|${certSerialDec}`;
-    return getCachedOrFetch(cacheKey, async () => {
-        return fetchAwsCredentials({
-            roleArn, profileArn, trustAnchorArn,
-            region, normalizedCert, privateKeyPkcs8Base64,
-            sessionTtl,
-            certSerialDec
-        });
-    }, {
-        // Cache L2 (Edge) sẽ được refresh khi còn 1/3 thời gian hiệu lực 
-        // hoặc cưỡng bức refresh qua forceRefresh
-        ttlSec: 60,
-        forceRefresh
-    });
+    const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
+    return getCachedOrFetch(cacheKey, () => fetchCredentials({
+        roleArn, profileArn, trustAnchorArn,
+        region, normalizedCert, privateKeyPkcs8Base64,
+        sessionTtl,
+    }), { ttlSec: 60, forceRefresh });
 }
-// ── Core Logic ─────────────────────────────────────────────────────────────
-async function fetchAwsCredentials(params) {
-    const { roleArn, profileArn, trustAnchorArn, region, normalizedCert, privateKeyPkcs8Base64, sessionTtl, certSerialDec } = params;
-    // 1. Chuẩn bị Signing Material (Isolate-cached)
+async function fetchCredentials(input) {
+    const { roleArn, profileArn, trustAnchorArn, region, normalizedCert, privateKeyPkcs8Base64, sessionTtl, } = input;
     const signingKey = await getSigningMaterial(normalizedCert, privateKeyPkcs8Base64);
-    // 2. AWS SigV4 Metadata
     const host = `${SERVICE}.${region}.amazonaws.com`;
-    const now = new Date();
-    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, ""); // e.g. 20260318T220520Z
-    const dateStamp = amzDate.slice(0, 8);
-    const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
-    // 3. Request Body & Payload Hash
-    const body = JSON.stringify({
-        trustAnchorArn,
-        profileArn,
-        roleArn,
-        durationSeconds: sessionTtl
-    });
+    const iso = new Date().toISOString();
+    const amzDate = isoToAmzDate(iso);
+    const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
+    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
     const payloadHash = await sha256Hex(body);
-    // 4. Canonical Request & StringToSign
     const baseHeaders = {
         "content-type": "application/json",
         "host": host,
@@ -78,6 +117,7 @@ async function fetchAwsCredentials(params) {
         "x-amz-x509": normalizedCert,
     };
     const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
+    const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
     const canonicalRequest = buildCanonicalRequest({
         method: "POST",
         canonicalUri: PATH,
@@ -86,128 +126,190 @@ async function fetchAwsCredentials(params) {
         signedHeaders,
         payloadHash,
     });
+    const canonicalRequestHash = await sha256Hex(canonicalRequest);
     const stringToSign = buildStringToSign({
         algorithm: ALGORITHM,
         amzDate,
         credentialScope,
-        canonicalRequestHash: await sha256Hex(canonicalRequest),
+        canonicalRequestHash,
     });
-    // 5. Signature
     const signatureHex = await signStringToSign(stringToSign, signingKey);
-    // 6. Execution
-    const res = await fetch(`https://${host}${PATH}`, {
-        method: "POST",
-        headers: {
-            "Content-Type": "application/json",
-            "X-Amz-Date": amzDate,
-            "X-Amz-X509": normalizedCert,
-            "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
-        },
-        body,
+    const certSerialDec = getCertSerialDec(normalizedCert);
+    // 🔍 Deep debug helper (compare with working version)
+    function debugAwsSigning() {
+        try {
+            console.debug("[aws-debug][input]", {
+                roleArn,
+                profileArn,
+                trustAnchorArn,
+                region,
+                sessionTtl,
+            });
+            console.debug("[aws-debug][cert]", {
+                length: normalizedCert.length,
+                preview: normalizedCert.slice(0, 30),
+            });
+            console.debug("[aws-debug][serial]", {
+                serialDec: certSerialDec,
+                serialHex: BigInt(certSerialDec).toString(16),
+            });
+            console.debug("[aws-debug][headers]", baseHeaders);
+            console.debug("[aws-debug][signedHeaders]", signedHeaders);
+            console.debug("[aws-debug][canonicalRequest]", canonicalRequest);
+            console.debug("[aws-debug][stringToSign]", stringToSign);
+            console.debug("[aws-debug][signatureHex]", signatureHex);
+        }
+        catch (e) {
+            console.warn("[aws-debug][error]", e);
+        }
+    }
+    debugAwsSigning();
+    const finalHeaders = new Headers({
+        "Content-Type": "application/json",
+        "X-Amz-Date": amzDate,
+        "X-Amz-X509": normalizedCert,
+        "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
     });
+    let res;
+    try {
+        res = await fetch(`https://${host}${PATH}`, {
+            method: "POST",
+            headers: finalHeaders,
+            body,
+        });
+    }
+    catch (err) {
+        console.warn("[aws-unreachable]", { region, err });
+        throw new InternalError("aws_unreachable");
+    }
     if (!res.ok) {
-        const errorText = await res.text().catch(() => "unknown");
-        console.error("[aws-rejected]", { status: res.status, body: errorText });
+        const text = await res.text().catch(() => "<no-body>");
+        console.error("[aws-rejected]", {
+            status: res.status,
+            body: text,
+            region,
+        });
         throw new InternalError("aws_rejected");
     }
-    const data = await res.json();
-    const creds = data?.credentialSet?.[0]?.credentials;
-    if (!creds?.accessKeyId) {
+    const json = await res.json();
+    const creds = json?.credentialSet?.[0]?.credentials;
+    if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
+        console.warn("[issueAwsCredentials] malformed AWS credential response");
         throw new InternalError("aws_malformed_credentials");
     }
-    const result = {
+    const value = {
         accessKeyId: creds.accessKeyId,
         secretAccessKey: creds.secretAccessKey,
         sessionToken: creds.sessionToken,
         expiration: creds.expiration,
     };
-    // 7. Cache Control (L2 Edge Cache)
-    // Chiến thuật: Cache trong 1/3 thời gian hiệu lực của AWS Credential
+    // Cache for 1/3 of the credential lifetime so it's refreshed well before expiry.
+    // deriveEdgeTtlSec in cache.ts will further subtract EDGE_BUFFER_SEC (5 min).
     const expiresAtMs = Date.parse(creds.expiration);
-    const credLifetimeSec = Math.floor((expiresAtMs - Date.now()) / 1000);
-    if (credLifetimeSec > 300) { // Chỉ cache nếu còn hiệu lực trên 5 phút
+    const receivedAt = Date.now();
+    const credLifetimeSec = Math.floor((expiresAtMs - receivedAt) / 1000);
+    if (Number.isFinite(expiresAtMs) && credLifetimeSec > 0) {
         const cacheTtlSec = Math.floor(credLifetimeSec / 3);
-        const cacheExpiry = new Date(Date.now() + cacheTtlSec * 1000).toISOString();
-        return wrapResult(result, cacheExpiry);
+        const cacheExpiry = new Date(receivedAt + cacheTtlSec * 1000).toISOString();
+        return wrapResult(value, cacheExpiry);
     }
-    return result;
+    return value;
 }
 // ── Helpers ────────────────────────────────────────────────────────────────
-function resolveSessionTtl(profile) {
-    const ttl = PROFILE_TTL[profile] ?? DEFAULT_SESSION_TTL;
-    return Math.min(Math.max(ttl, MIN_SESSION_TTL), MAX_SESSION_TTL);
-}
+/** Strip whitespace; reject PEM-wrapped input. */
 function normalizeCert(raw) {
-    if (raw.includes("BEGIN CERTIFICATE"))
+    if (raw.includes("BEGIN CERTIFICATE")) {
         throw new InternalError("pem_not_allowed");
+    }
     return raw.replace(/\s+/g, "");
 }
+/** Return cert serial as decimal string, using isolate-level cache. */
 function getCertSerialDec(normalizedCert) {
     if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
         return cachedCertSerialDec;
     }
-    const der = base64ToBytes(normalizedCert);
-    let offset = 0;
-    const readLen = () => {
-        const b = der[offset++];
-        if ((b & 0x80) === 0)
-            return b;
-        let n = b & 0x7f;
-        let len = 0;
-        while (n--)
-            len = (len << 8) | der[offset++];
-        return len;
-    };
-    // Strict DER Walk (Sửa lỗi skip sai INTEGER của bản cũ)
-    if (der[offset++] !== 0x30)
-        throw new Error("Not a SEQUENCE"); // Cert
-    readLen();
-    if (der[offset++] !== 0x30)
-        throw new Error("Not a SEQUENCE"); // TBS
-    readLen();
-    if (der[offset] === 0xa0) { // Version tag
-        offset++;
-        offset += readLen();
-    }
-    if (der[offset++] !== 0x02)
-        throw new Error("Serial not an INTEGER");
-    const sLen = readLen();
-    let serial = der.slice(offset, offset + sLen);
-    // Strip ASN.1 padding byte 0x00
-    if (serial.length > 1 && serial[0] === 0x00)
-        serial = serial.slice(1);
-    let big = 0n;
-    for (const b of serial)
-        big = (big << 8n) | BigInt(b);
-    cachedCertSerialDec = big.toString();
+    const serial = parseCertSerialDec(normalizedCert);
+    cachedCertSerialDec = serial;
     cachedCertSerialSource = normalizedCert;
-    return cachedCertSerialDec;
+    return serial;
 }
-async function getSigningMaterial(cert, pk) {
-    if (cachedSigningKey && cachedCertBase64 === cert && cachedPrivateKeyBase64 === pk) {
-        return cachedSigningKey;
+/**
+ * Minimal DER walk to extract the certificate serial number as a decimal string.
+ * Throws InternalError("invalid_cert_der") on any parse failure.
+ */
+function parseCertSerialDec(normalizedCertBase64) {
+    try {
+        const der = base64ToBytes(normalizedCertBase64);
+        let offset = 0;
+        function readLen() {
+            if (offset >= der.length)
+                throw new Error("DER overflow");
+            const b = der[offset++];
+            if ((b & 0x80) === 0)
+                return b;
+            const n = b & 0x7f;
+            let len = 0;
+            if (offset + n > der.length)
+                throw new Error("DER overflow");
+            for (let i = 0; i < n; i++)
+                len = (len << 8) | der[offset++];
+            return len;
+        }
+        // Certificate ::= SEQUENCE
+        if (der[offset++] !== 0x30)
+            throw new Error("bad cert");
+        readLen();
+        // tbsCertificate ::= SEQUENCE
+        if (der[offset++] !== 0x30)
+            throw new Error("bad tbs");
+        readLen();
+        // Optional version [0] EXPLICIT
+        if (der[offset] === 0xa0) {
+            offset++; // tag
+            offset += readLen(); // skip content
+        }
+        // 👉 SERIAL MUST be the next INTEGER after optional version
+        if (der[offset++] !== 0x02)
+            throw new Error("bad serial tag");
+        const len = readLen();
+        if (offset + len > der.length)
+            throw new Error("DER overflow");
+        let serial = der.slice(offset, offset + len);
+        // Strip leading 0x00 only if it's padding for signed INTEGER
+        if (serial.length > 1 && serial[0] === 0x00) {
+            serial = serial.slice(1);
+        }
+        let serialBig = 0n;
+        for (let i = 0; i < serial.length; i++) {
+            serialBig = (serialBig << 8n) | BigInt(serial[i]);
+        }
+        return serialBig.toString();
     }
-    const pkBytes = base64ToBytes(pk);
-    signingKeyPromise = crypto.subtle.importKey("pkcs8", 
-    // LẤY BUFFER VÀ ÉP KIỂU: 
-    // Uint8Array.buffer có thể là ArrayBuffer | SharedArrayBuffer
-    // Web Crypto chỉ chấp nhận ArrayBuffer.
-    pkBytes.buffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]).then(key => {
-        cachedSigningKey = key;
-        cachedCertBase64 = cert;
-        cachedPrivateKeyBase64 = pk;
-        return key;
-    }).catch(e => {
-        signingKeyPromise = null;
-        throw new InternalError("invalid_signing_material");
-    });
-    return signingKeyPromise;
+    catch (e) {
+        console.error("[parseCertSerialDec] failed", e);
+        throw new InternalError("invalid_cert_der");
+    }
+}
+/**
+ * Convert ISO-8601 to compact AMZ date-time format.
+ * e.g. "2026-03-07T12:00:00.000Z" → "20260307T120000Z"
+ */
+function isoToAmzDate(iso) {
+    return (iso.slice(0, 4) +
+        iso.slice(5, 7) +
+        iso.slice(8, 10) +
+        "T" +
+        iso.slice(11, 13) +
+        iso.slice(14, 16) +
+        iso.slice(17, 19) +
+        "Z");
 }
-function base64ToBytes(b64) {
-    const bin = atob(b64);
-    const bytes = new Uint8Array(bin.length);
-    for (let i = 0; i < bin.length; i++) {
-        bytes[i] = bin.charCodeAt(i);
+/** base64 → Uint8Array via V8's vectorized atob path. */
+function base64ToBytes(base64) {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
     }
     return bytes;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.4.6",
+  "version": "0.4.7",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",