@vizamodo/runtime-primitives 1.1.9 → 1.1.11
- package/dist/aws/console-login.d.ts +1 -2
- package/dist/aws/console-login.js +4 -16
- package/dist/aws/credentials.d.ts +16 -0
- package/dist/aws/credentials.js +24 -0
- package/dist/github/github-owner-token.d.ts +6 -1
- package/dist/github/github-owner-token.js +13 -1
- package/dist/github/put-secret.d.ts +1 -1
- package/dist/github/put-secret.js +7 -3
- package/dist/github/put-secrets.js +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/package.json +2 -2
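--- a/package/dist/aws/console-login.d.ts
+++ b/package/dist/aws/console-login.d.ts
@@ -7,8 +7,7 @@ export interface AwsConsoleLoginConfig {
 certBase64: string;
 privateKeyBase64: string;
 }
-export declare function
-export declare function createAwsFederatedLogin(params: AwsConsoleLoginConfig & {
+export declare function createAwsFederatedLoginWithRetry(params: AwsConsoleLoginConfig & {
 intent?: "console" | "billing" | "dynamodb" | "ssm";
 }): Promise<{
 loginUrl: string;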
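--- a/package/dist/aws/console-login.js
+++ b/package/dist/aws/console-login.js
@@ -1,21 +1,9 @@
-import {
+import { buildFederationLoginUrl, } from "@vizamodo/aws-runtime-core";
 import { retryOnce } from "../runtime/retry-once";
-
-
-return await retryOnce((ctx) => issueAwsCredentials({
-trustAnchorArn,
-roleArn,
-profileArn,
-region,
-certBase64,
-privateKeyPkcs8Base64: privateKeyBase64,
-profile,
-...ctx,
-}));
-}
-export async function createAwsFederatedLogin(params) {
+import { issueAwsCredentialsWithRetry } from "./credentials";
+export async function createAwsFederatedLoginWithRetry(params) {
 const { intent, ...config } = params;
-const creds = await
+const creds = await issueAwsCredentialsWithRetry(config);
 const { loginUrl, shortUrl } = await retryOnce((ctx) => buildFederationLoginUrl({
 accessKeyId: creds.accessKeyId,
 secretAccessKey: creds.secretAccessKey,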
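Review bot: The export `createAwsFederatedLogin` is removed and only `createAwsFederatedLoginWithRetry` is added, so every consumer of the old name breaks, while package.json only moves 1.1.9 → 1.1.11. Either keep a deprecated alias, `/** @deprecated use createAwsFederatedLoginWithRetry */ export const createAwsFederatedLogin = createAwsFederatedLoginWithRetry;`, or ship this as a major bump with a changelog entry. The body of `createAwsFederatedLoginWithRetry` continues past the hunk, so I cannot see how `loginUrl`/`shortUrl` are returned or handled; since a federation sign-in URL is itself a bearer credential (it embeds the session's sign-in token), please confirm nothing on that path logs it or the `creds` object.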
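--- /dev/null
+++ b/package/dist/aws/credentials.d.ts
@@ -0,0 +1,16 @@
+export interface AwsCredentialConfig {
+profile: string;
+region: string;
+trustAnchorArn: string;
+roleArn: string;
+profileArn: string;
+certBase64: string;
+privateKeyBase64: string;
+}
+/**
+* Primitive: Issue AWS credentials with a single retry.
+* - No console-specific logic
+* - No side effects beyond AWS call
+* - Deterministic input/output
+*/
+export declare function issueAwsCredentialsWithRetry(config: AwsCredentialConfig): Promise<import("@vizamodo/aws-runtime-core").AwsCredentialResult>;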
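Review bot: The doc comment on `issueAwsCredentialsWithRetry` says "Deterministic input/output", which is not true of a function that performs a retried network call and returns a freshly minted `AwsCredentialResult` (the trust-anchor/profile ARNs suggest IAM Roles Anywhere session credentials, which are time-limited and differ on every call). That bullet should be replaced with what a consumer actually needs to know, e.g. `* - Returns short-lived session credentials: do not cache past their expiry and never log them` and `* @throws Error when profile, region or any of the ARNs is missing`. The `certBase64`/`privateKeyBase64` fields are private key material; a one-line `* privateKeyBase64 is a PKCS#8 private key — treat the whole config as secret` on the interface would help callers handle it correctly.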
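--- /dev/null
+++ b/package/dist/aws/credentials.js
@@ -0,0 +1,24 @@
+import { issueAwsCredentials } from "@vizamodo/aws-runtime-core";
+import { retryOnce } from "../runtime/retry-once";
+/**
+* Primitive: Issue AWS credentials with a single retry.
+* - No console-specific logic
+* - No side effects beyond AWS call
+* - Deterministic input/output
+*/
+export async function issueAwsCredentialsWithRetry(config) {
+const { profile, region, trustAnchorArn, roleArn, profileArn, certBase64, privateKeyBase64, } = config;
+if (!profile || !region || !trustAnchorArn || !roleArn || !profileArn) {
+throw new Error("Missing required AWS credential parameters");
+}
+return await retryOnce((ctx) => issueAwsCredentials({
+trustAnchorArn,
+roleArn,
+profileArn,
+region,
+certBase64,
+privateKeyPkcs8Base64: privateKeyBase64,
+profile,
+...ctx,
+}));
+}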
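Review bot: The required-parameter guard checks the ARNs, profile and region but not `certBase64` and `privateKeyBase64`, so a missing certificate or key is passed on to `issueAwsCredentials` and fails there (twice, because of `retryOnce`) with whatever error the signing code produces instead of the clear message this guard exists for. Extend it to `if (!profile || !region || !trustAnchorArn || !roleArn || !profileArn || !certBase64 || !privateKeyBase64) {` and keep the message generic as it is now — it must never echo the key material. Separately, `...ctx` is spread last in the object passed to `issueAwsCredentials`, so any key that `retryOnce` happens to put in `ctx` silently overrides the explicit fields, including `privateKeyPkcs8Base64` and `roleArn`; `retryOnce` is outside this diff so I cannot tell what `ctx` carries, but if it is only retry metadata, spread it first (or pass it as a dedicated field) so the caller-supplied identity cannot be overridden.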
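--- a/package/dist/github/github-owner-token.d.ts
+++ b/package/dist/github/github-owner-token.d.ts
@@ -1,4 +1,9 @@
-
+/**
+* Use-case helper: get installation token with built-in retry.
+* - wraps getInstallationTokenCached
+* - avoids forcing consumers to compose retry manually
+*/
+export declare function getInstallationTokenWithRetry(params: {
 installationId: number;
 appPrivateKey: string;
 clientId: string;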
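--- a/package/dist/github/github-owner-token.js
+++ b/package/dist/github/github-owner-token.js
@@ -1,6 +1,7 @@
+import { retryOnce } from "../runtime/retry-once";
 import { getGithubInstallationToken } from "./github-app-token";
 import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
-
+async function getInstallationTokenCached(params) {
 const { installationId, appPrivateKey, clientId, forceRefresh } = params;
 const key = `gh-token:${clientId}:${installationId}`;
 const token = await getCachedOrFetch(key, async () => {
@@ -14,3 +15,14 @@ export async function getInstallationTokenCached(params) {
 );
 return token;
 }
+/**
+* Use-case helper: get installation token with built-in retry.
+* - wraps getInstallationTokenCached
+* - avoids forcing consumers to compose retry manually
+*/
+export async function getInstallationTokenWithRetry(params) {
+return await retryOnce((ctx) => getInstallationTokenCached({
+...params,
+...(ctx ?? {})
+}));
+}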
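Review bot: `getInstallationTokenWithRetry` retries `getInstallationTokenCached` with the same `params`, so both attempts read the same `gh-token:${clientId}:${installationId}` entry; the retry can only recover from a transient failure in `getGithubInstallationToken` or the cache backend, and a cached-but-revoked token is returned again unchanged unless `ctx` happens to set `forceRefresh`. `retryOnce` and the body of `getCachedOrFetch` are outside this diff, so I cannot confirm what `ctx` carries; the doc comment should state the contract either way, e.g. `* - retries re-use the cache key; a stale cached token is only refreshed when forceRefresh is set`. As in credentials.js, the `ctx` spread comes last and can override `installationId`, `clientId` or `appPrivateKey`; spread it first if it is only retry metadata. Minor: `...(ctx ?? {})` here versus `...ctx` in credentials.js — spreading `undefined` into an object literal is a no-op, so pick one form for consistency.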
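--- a/package/dist/github/put-secret.d.ts
+++ b/package/dist/github/put-secret.d.ts
@@ -1,6 +1,6 @@
 export declare function base64ToBytes(b64: string): Uint8Array;
 export declare function bytesToBase64(bytes: Uint8Array): string;
-export declare function encryptSecret(recipientPub: Uint8Array, secret: string): string
+export declare function encryptSecret(recipientPub: string | Uint8Array, secret: string): Promise<string>;
 export declare function getPublicKey(repo: string, environment: string, headers: Record<string, string>): Promise<{
 key_id: string;
 key: string;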
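--- a/package/dist/github/put-secret.js
+++ b/package/dist/github/put-secret.js
@@ -1,4 +1,4 @@
-import
+import sodium from "libsodium-wrappers";
 import { repoUrl } from "./github-env";
 // ─────────────────────────────────────────────
 // Crypto
@@ -18,9 +18,13 @@ export function bytesToBase64(bytes) {
 }
 return btoa(parts.join(""));
 }
-export function encryptSecret(recipientPub, secret) {
+export async function encryptSecret(recipientPub, secret) {
+await sodium.ready;
+// Chuyển đổi public key từ string (base64) sang Uint8Array nếu cần
+const bkey = typeof recipientPub === "string" ? base64ToBytes(recipientPub) : recipientPub;
 const messageBytes = new TextEncoder().encode(secret);
-
+// Thực hiện mã hóa
+const sealed = sodium.crypto_box_seal(messageBytes, bkey);
 return bytesToBase64(sealed);
 }
 // ─────────────────────────────────────────────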
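Review bot: The two new comments inside `encryptSecret` are in Vietnamese in a published package; please write them in English, e.g. `// Accept the repository public key as base64 (the form the GitHub API returns) or as raw bytes` and `// Seal with the repository public key: GitHub requires a libsodium sealed box for encrypted_value`. `crypto_box_seal` is the right primitive for GitHub Actions secrets, but a base64 string that decodes to the wrong length should fail early with a clear message — consider `if (bkey.length !== sodium.crypto_box_PUBLICKEYBYTES) throw new Error("Invalid repository public key length");` right after decoding rather than relying on whatever libsodium reports. Note also that the function went from returning a `string` to `Promise<string>`; TypeScript consumers get a compile error, but a JavaScript caller that was not updated will now pass a Promise object to the secrets API instead of ciphertext, which deserves a changelog entry given this ships as a patch bump.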
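--- a/package/dist/github/put-secrets.js
+++ b/package/dist/github/put-secrets.js
@@ -17,7 +17,7 @@ export async function putGithubSecretsParallel(repo, environment, secrets, heade
 for (let i = 0; i < entries.length; i += concurrency) {
 const batch = entries.slice(i, i + concurrency);
 await Promise.all(batch.map(async ([name, plaintext]) => {
-const encryptedValue = encryptSecret(recipientPub, plaintext);
+const encryptedValue = await encryptSecret(recipientPub, plaintext);
 await putSecret(repo, environment, name, encryptedValue, key_id, headers);
 }));
 }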
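--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -3,11 +3,11 @@
 * Organized by domain to keep imports explicit and tree-shake friendly
 */
 export * from "./aws/console-login";
+export * from "./aws/credentials";
 export * from "./aws/load-backup-from-ssm";
 export * from "./aws/resolve-config";
 export { buildSignedAwsRequest } from "@vizamodo/aws-runtime-core";
 export * from "./crypto/age";
-export * from "./github/github-app-token";
 export * from "./github/github-owner-token";
 export * from "./github/list-workflow-runs";
 export * from "./github/put-secret";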
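Review bot: Dropping `export * from "./github/github-app-token";` from the package entry point removes `getGithubInstallationToken` (still imported internally by github-owner-token.js, so the module itself remains) from the public API in what package.json presents as a patch release (1.1.9 → 1.1.11). If hiding direct App-JWT/installation-token issuance behind the cached, retried helper is intentional — a reasonable least-exposure move — call it out as a breaking change and bump the major version; otherwise restore the line. Either way, consumers that import it today will fail at build time with no hint from the version number.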
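--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -4,13 +4,13 @@
 */
 // AWS
 export * from "./aws/console-login";
+export * from "./aws/credentials";
 export * from "./aws/load-backup-from-ssm";
 export * from "./aws/resolve-config";
 export { buildSignedAwsRequest } from "@vizamodo/aws-runtime-core";
 // Crypto
 export * from "./crypto/age";
 // GitHub
-export * from "./github/github-app-token";
 export * from "./github/github-owner-token";
 export * from "./github/list-workflow-runs";
 export * from "./github/put-secret";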
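--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@vizamodo/runtime-primitives",
-"version": "1.1.
+"version": "1.1.11",
 "description": "Edge-compatible runtime primitives for AWS, GitHub, crypto, and caching used across Viza services",
 "type": "module",
 "main": "dist/index.js",
@@ -25,7 +25,7 @@
 "dependencies": {
 "@vizamodo/aws-runtime-core": "^0.4.38",
 "age-encryption": "^0.3.0",
-"
+"libsodium-wrappers": "^0.8.3"
 },
 "devDependencies": {
 "@types/node": "^25.6.0",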
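Review bot: The dependencies hunk replaces a dependency whose name is truncated in this view with `"libsodium-wrappers": "^0.8.3"`, i.e. a new cryptographic dependency under a caret range, for code that seals GitHub secrets. I would pin the exact version (or make sure a lockfile is published and checked in alongside) and record in the changelog which library it replaces, so downstream can audit the crypto change. The package describes itself as edge-compatible, and `libsodium-wrappers` loads a WebAssembly/asm.js build behind the `sodium.ready` promise that put-secret.js now awaits; I cannot tell from here whether that works on every runtime you target, so please confirm on the edge platform before release, since a failure there surfaces at runtime rather than at build time.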