npm - @vizamodo/aws-sts-core - Versions diffs - 0.4.6 → 0.4.9 - Mend

@vizamodo/aws-sts-core 0.4.6 → 0.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/sts/issue.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import type { AwsCredentialResult } from "../types";
-export interface IssueAwsCredentialsInput {
+export declare function issueAwsCredentials(input: {
     roleArn: string;
     profileArn: string;
     trustAnchorArn: string;
@@ -8,5 +8,4 @@ export interface IssueAwsCredentialsInput {
     privateKeyPkcs8Base64: string;
     profile: string;
     forceRefresh?: boolean;
-}
-export declare function issueAwsCredentials(input: IssueAwsCredentialsInput): Promise<AwsCredentialResult>;
+}): Promise<AwsCredentialResult>;

package/dist/sts/issue.js CHANGED Viewed

@@ -1,11 +1,11 @@
+import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
 import { canonicalizeHeaders } from "../sigv4/headers";
 import { buildCanonicalRequest } from "../sigv4/canonical";
 import { buildStringToSign } from "../sigv4/string-to-sign";
 import { signStringToSign } from "./signer";
 import { InternalError } from "./errors";
 import { sha256Hex } from "../crypto/sha256";
-import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
-// ── Constants ──────────────────────────────────────────────────────────────
+// ---- constants ----
 const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
 const PATH = "/sessions";
@@ -17,60 +17,89 @@ const PROFILE_TTL = {
     BillingAdmin: 3 * 60 * 60,
     BillingAccountant: 3 * 60 * 60,
 };
-const DEFAULT_SESSION_TTL = 2 * 60 * 60;
-const MIN_SESSION_TTL = 45 * 60;
-const MAX_SESSION_TTL = 12 * 60 * 60;
-// ── Isolate-level Caches (L1) ─────────────────────────────────────────────
-// Cache vật liệu ký để tránh re-import CryptoKey liên tục
+const DEFAULT_TTL = 2 * 60 * 60;
+const MIN_PROFILE_TTL = 45 * 60; // 45 min — lower guard
+const MAX_PROFILE_TTL = 12 * 60 * 60; // 12 h  — upper guard
+// ---- isolate-level signing material cache ----
+// Single Promise-based slot avoids concurrent cold-start races.
 let signingKeyPromise = null;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
-// Cache Serial Number để tránh redundant DER walks (CPU-bound)
+// ---- certificate serial cache (DER walk is CPU-bound, cert rarely rotates) ----
 let cachedCertSerialDec = null;
 let cachedCertSerialSource = null;
-// ── Main Export ────────────────────────────────────────────────────────────
+// ---------------------------------------------------------------------------
+// Signing material
+// ---------------------------------------------------------------------------
+async function getSigningMaterial(input) {
+    // Fast path: same material already imported.
+    if (cachedSigningKey &&
+        cachedCertBase64 === input.certBase64 &&
+        cachedPrivateKeyBase64 === input.privateKeyPkcs8Base64) {
+        return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
+    }
+    // Material rotated — discard the stale resolved key so we re-import.
+    if (cachedSigningKey) {
+        signingKeyPromise = null;
+        cachedSigningKey = null;
+    }
+    if (!signingKeyPromise) {
+        try {
+            const keyBuffer = base64ToBytes(input.privateKeyPkcs8Base64);
+            signingKeyPromise = crypto.subtle.importKey("pkcs8", keyBuffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
+        }
+        catch {
+            throw new InternalError("invalid_signing_material");
+        }
+    }
+    try {
+        cachedSigningKey = await signingKeyPromise;
+        cachedCertBase64 = input.certBase64;
+        cachedPrivateKeyBase64 = input.privateKeyPkcs8Base64;
+        return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
+    }
+    catch {
+        signingKeyPromise = null; // allow retry on next call
+        throw new InternalError("invalid_signing_material");
+    }
+}
+// ---------------------------------------------------------------------------
+// Profile TTL resolution
+// ---------------------------------------------------------------------------
+function resolveSessionTtlByProfile(profile) {
+    const ttl = PROFILE_TTL[profile] ?? DEFAULT_TTL;
+    return Math.min(Math.max(ttl, MIN_PROFILE_TTL), MAX_PROFILE_TTL);
+}
+// ---------------------------------------------------------------------------
+// Main export
+// ---------------------------------------------------------------------------
 export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, forceRefresh, } = input;
-    const sessionTtl = resolveSessionTtl(profile);
+    const sessionTtl = resolveSessionTtlByProfile(profile);
     const normalizedCert = normalizeCert(certBase64);
-    const certSerialDec = getCertSerialDec(normalizedCert);
-    // Cache Key duy nhất dựa trên định danh của Role và Certificate
-    const cacheKey = `aws|${region}|${roleArn}|${certSerialDec}`;
-    return getCachedOrFetch(cacheKey, async () => {
-        return fetchAwsCredentials({
-            roleArn, profileArn, trustAnchorArn,
-            region, normalizedCert, privateKeyPkcs8Base64,
-            sessionTtl,
-            certSerialDec
-        });
-    }, {
-        // Cache L2 (Edge) sẽ được refresh khi còn 1/3 thời gian hiệu lực
-        // hoặc cưỡng bức refresh qua forceRefresh
-        ttlSec: 60,
-        forceRefresh
+    // ---- DER serial extraction (with isolate-level cache) ----
+    let certSerialDec;
+    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
+        certSerialDec = cachedCertSerialDec;
+    }
+    else {
+        certSerialDec = parseCertSerialDec(normalizedCert); // throws InternalError on bad DER
+        cachedCertSerialDec = certSerialDec;
+        cachedCertSerialSource = normalizedCert;
+    }
+    const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
+    // ---- Build SigV4 request ----
+    const { signingKey } = await getSigningMaterial({
+        certBase64: normalizedCert,
+        privateKeyPkcs8Base64,
     });
-}
-// ── Core Logic ─────────────────────────────────────────────────────────────
-async function fetchAwsCredentials(params) {
-    const { roleArn, profileArn, trustAnchorArn, region, normalizedCert, privateKeyPkcs8Base64, sessionTtl, certSerialDec } = params;
-    // 1. Chuẩn bị Signing Material (Isolate-cached)
-    const signingKey = await getSigningMaterial(normalizedCert, privateKeyPkcs8Base64);
-    // 2. AWS SigV4 Metadata
     const host = `${SERVICE}.${region}.amazonaws.com`;
-    const now = new Date();
-    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, ""); // e.g. 20260318T220520Z
-    const dateStamp = amzDate.slice(0, 8);
-    const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
-    // 3. Request Body & Payload Hash
-    const body = JSON.stringify({
-        trustAnchorArn,
-        profileArn,
-        roleArn,
-        durationSeconds: sessionTtl
-    });
+    const iso = new Date().toISOString();
+    const amzDate = isoToAmzDate(iso);
+    const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
+    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
     const payloadHash = await sha256Hex(body);
-    // 4. Canonical Request & StringToSign
     const baseHeaders = {
         "content-type": "application/json",
         "host": host,
@@ -78,6 +107,7 @@ async function fetchAwsCredentials(params) {
         "x-amz-x509": normalizedCert,
     };
     const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
+    const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
     const canonicalRequest = buildCanonicalRequest({
         method: "POST",
         canonicalUri: PATH,
@@ -86,128 +116,143 @@ async function fetchAwsCredentials(params) {
         signedHeaders,
         payloadHash,
     });
+    const canonicalRequestHash = await sha256Hex(canonicalRequest);
     const stringToSign = buildStringToSign({
         algorithm: ALGORITHM,
         amzDate,
         credentialScope,
-        canonicalRequestHash: await sha256Hex(canonicalRequest),
+        canonicalRequestHash,
     });
-    // 5. Signature
     const signatureHex = await signStringToSign(stringToSign, signingKey);
-    // 6. Execution
-    const res = await fetch(`https://${host}${PATH}`, {
-        method: "POST",
-        headers: {
-            "Content-Type": "application/json",
-            "X-Amz-Date": amzDate,
-            "X-Amz-X509": normalizedCert,
-            "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
-        },
-        body,
+    const finalHeaders = new Headers({
+        "Content-Type": "application/json",
+        "X-Amz-Date": amzDate,
+        "X-Amz-X509": normalizedCert,
+        "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
+    });
+    const issuedAt = Date.now(); // snapshot before the network round-trip
+    return getCachedOrFetch(cacheKey, async () => {
+        const res = await fetch(`https://${host}${PATH}`, {
+            method: "POST",
+            headers: finalHeaders,
+            body,
+        });
+        if (!res.ok) {
+            console.warn("[aws-rejected]", { status: res.status, region, profile });
+            throw new InternalError("aws_rejected");
+        }
+        const json = await res.json();
+        const creds = json?.credentialSet?.[0]?.credentials;
+        if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
+            console.warn("[issueAwsCredentials] malformed AWS credential response");
+            throw new InternalError("aws_malformed_credentials");
+        }
+        const value = {
+            accessKeyId: creds.accessKeyId,
+            secretAccessKey: creds.secretAccessKey,
+            sessionToken: creds.sessionToken,
+            expiration: creds.expiration,
+        };
+        // derive TTL = 1/3 lifetime
+        const expiresAtMs = Date.parse(creds.expiration);
+        const credLifetimeSec = Math.floor((expiresAtMs - issuedAt) / 1000);
+        if (Number.isFinite(expiresAtMs) && credLifetimeSec > 0) {
+            const edgeCacheTtlSec = Math.floor(credLifetimeSec / 3);
+            const edgeCacheExpiry = new Date(issuedAt + edgeCacheTtlSec * 1000).toISOString();
+            return wrapResult(value, edgeCacheExpiry);
+        }
+        return value;
+    }, {
+        ttlSec: 60,
+        ...(forceRefresh !== undefined ? { forceRefresh } : {})
     });
-    if (!res.ok) {
-        const errorText = await res.text().catch(() => "unknown");
-        console.error("[aws-rejected]", { status: res.status, body: errorText });
-        throw new InternalError("aws_rejected");
-    }
-    const data = await res.json();
-    const creds = data?.credentialSet?.[0]?.credentials;
-    if (!creds?.accessKeyId) {
-        throw new InternalError("aws_malformed_credentials");
-    }
-    const result = {
-        accessKeyId: creds.accessKeyId,
-        secretAccessKey: creds.secretAccessKey,
-        sessionToken: creds.sessionToken,
-        expiration: creds.expiration,
-    };
-    // 7. Cache Control (L2 Edge Cache)
-    // Chiến thuật: Cache trong 1/3 thời gian hiệu lực của AWS Credential
-    const expiresAtMs = Date.parse(creds.expiration);
-    const credLifetimeSec = Math.floor((expiresAtMs - Date.now()) / 1000);
-    if (credLifetimeSec > 300) { // Chỉ cache nếu còn hiệu lực trên 5 phút
-        const cacheTtlSec = Math.floor(credLifetimeSec / 3);
-        const cacheExpiry = new Date(Date.now() + cacheTtlSec * 1000).toISOString();
-        return wrapResult(result, cacheExpiry);
-    }
-    return result;
-}
-// ── Helpers ────────────────────────────────────────────────────────────────
-function resolveSessionTtl(profile) {
-    const ttl = PROFILE_TTL[profile] ?? DEFAULT_SESSION_TTL;
-    return Math.min(Math.max(ttl, MIN_SESSION_TTL), MAX_SESSION_TTL);
 }
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Strip whitespace and reject PEM-wrapped input. */
 function normalizeCert(raw) {
-    if (raw.includes("BEGIN CERTIFICATE"))
+    if (raw.includes("BEGIN CERTIFICATE")) {
         throw new InternalError("pem_not_allowed");
+    }
     return raw.replace(/\s+/g, "");
 }
-function getCertSerialDec(normalizedCert) {
-    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
-        return cachedCertSerialDec;
+/**
+ * Minimal DER walk to extract the certificate serial number as a decimal string.
+ * Throws InternalError("invalid_cert_der") on any parse failure.
+ */
+function parseCertSerialDec(normalizedCertBase64) {
+    try {
+        const der = base64ToBytes(normalizedCertBase64);
+        let offset = 0;
+        function readLen() {
+            if (offset >= der.length)
+                throw new Error("DER overflow");
+            const b = der[offset++];
+            if ((b & 0x80) === 0)
+                return b;
+            const n = b & 0x7f;
+            let len = 0;
+            if (offset + n > der.length)
+                throw new Error("DER overflow");
+            for (let i = 0; i < n; i++)
+                len = (len << 8) | der[offset++];
+            return len;
+        }
+        if (der[offset++] !== 0x30)
+            throw new Error("bad cert");
+        readLen();
+        if (der[offset++] !== 0x30)
+            throw new Error("bad tbs");
+        readLen();
+        // Skip optional [0] EXPLICIT version field.
+        if (der[offset] === 0xa0) {
+            offset++;
+            const vLen = readLen();
+            offset += vLen;
+        }
+        if (der[offset++] !== 0x02)
+            throw new Error("bad serial tag");
+        const serialLen = readLen();
+        if (offset + serialLen > der.length)
+            throw new Error("DER overflow");
+        let serial = der.slice(offset, offset + serialLen);
+        // Strip ASN.1 sign-extension padding byte.
+        if (serial.length > 1 && serial[0] === 0x00) {
+            serial = serial.slice(1);
+        }
+        // Accumulate directly to BigInt — avoids intermediate hex string allocation.
+        let serialBig = 0n;
+        for (let i = 0; i < serial.length; i++) {
+            serialBig = (serialBig << 8n) | BigInt(serial[i]);
+        }
+        return serialBig.toString();
     }
-    const der = base64ToBytes(normalizedCert);
-    let offset = 0;
-    const readLen = () => {
-        const b = der[offset++];
-        if ((b & 0x80) === 0)
-            return b;
-        let n = b & 0x7f;
-        let len = 0;
-        while (n--)
-            len = (len << 8) | der[offset++];
-        return len;
-    };
-    // Strict DER Walk (Sửa lỗi skip sai INTEGER của bản cũ)
-    if (der[offset++] !== 0x30)
-        throw new Error("Not a SEQUENCE"); // Cert
-    readLen();
-    if (der[offset++] !== 0x30)
-        throw new Error("Not a SEQUENCE"); // TBS
-    readLen();
-    if (der[offset] === 0xa0) { // Version tag
-        offset++;
-        offset += readLen();
+    catch (e) {
+        console.error("[parseCertSerialDec] failed", e);
+        throw new InternalError("invalid_cert_der");
     }
-    if (der[offset++] !== 0x02)
-        throw new Error("Serial not an INTEGER");
-    const sLen = readLen();
-    let serial = der.slice(offset, offset + sLen);
-    // Strip ASN.1 padding byte 0x00
-    if (serial.length > 1 && serial[0] === 0x00)
-        serial = serial.slice(1);
-    let big = 0n;
-    for (const b of serial)
-        big = (big << 8n) | BigInt(b);
-    cachedCertSerialDec = big.toString();
-    cachedCertSerialSource = normalizedCert;
-    return cachedCertSerialDec;
 }
-async function getSigningMaterial(cert, pk) {
-    if (cachedSigningKey && cachedCertBase64 === cert && cachedPrivateKeyBase64 === pk) {
-        return cachedSigningKey;
-    }
-    const pkBytes = base64ToBytes(pk);
-    signingKeyPromise = crypto.subtle.importKey("pkcs8",
-    // LẤY BUFFER VÀ ÉP KIỂU:
-    // Uint8Array.buffer có thể là ArrayBuffer | SharedArrayBuffer
-    // Web Crypto chỉ chấp nhận ArrayBuffer.
-    pkBytes.buffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]).then(key => {
-        cachedSigningKey = key;
-        cachedCertBase64 = cert;
-        cachedPrivateKeyBase64 = pk;
-        return key;
-    }).catch(e => {
-        signingKeyPromise = null;
-        throw new InternalError("invalid_signing_material");
-    });
-    return signingKeyPromise;
+/**
+ * Convert an ISO-8601 timestamp to the compact AMZ date-time format.
+ * e.g. "2026-03-07T12:00:00.000Z" → "20260307T120000Z"
+ */
+function isoToAmzDate(iso) {
+    return (iso.slice(0, 4) +
+        iso.slice(5, 7) +
+        iso.slice(8, 10) +
+        "T" +
+        iso.slice(11, 13) +
+        iso.slice(14, 16) +
+        iso.slice(17, 19) +
+        "Z");
 }
-function base64ToBytes(b64) {
-    const bin = atob(b64);
-    const bytes = new Uint8Array(bin.length);
-    for (let i = 0; i < bin.length; i++) {
-        bytes[i] = bin.charCodeAt(i);
+/** Faster base64 → Uint8Array using V8's vectorized atob path. */
+function base64ToBytes(base64) {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
     }
     return bytes;
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.4.6",
+  "version": "0.4.9",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",