ag-awsauth 0.0.7 → 0.0.10

@@ -1,137 +1,143 @@
1
- "use strict";
2
- var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
3
- function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
4
- return new (P || (P = Promise))(function (resolve, reject) {
5
- function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
6
- function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
7
- function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
8
- step((generator = generator.apply(thisArg, _arguments || [])).next());
9
- });
10
- };
11
- var __importDefault = (this && this.__importDefault) || function (mod) {
12
- return (mod && mod.__esModule) ? mod : { "default": mod };
13
- };
14
- Object.defineProperty(exports, "__esModule", { value: true });
15
- exports.tryExistingCredentials = exports.getSamlAssertion = exports.appInstances = exports.getOIDCCredentialsFromAccessToken = exports.getAssumedRole = void 0;
16
- const client_sso_1 = require("@aws-sdk/client-sso");
17
- const log_1 = require("ag-common/dist/common/helpers/log");
18
- const string_1 = require("ag-common/dist/common/helpers/string");
19
- const node_fetch_1 = __importDefault(require("node-fetch"));
20
- const config_1 = require("../config");
21
- const awsconfig_1 = require("./awsconfig");
22
- const sts_1 = require("./sts");
23
- const getAssumedRole = (p) => __awaiter(void 0, void 0, void 0, function* () {
24
- var _a, _b, _c, _d;
25
- const sso = new client_sso_1.SSOClient({ region: config_1.identityCenterRegion });
26
- let accountId = p.accountId;
27
- if (!accountId) {
28
- const accounts = yield sso.send(new client_sso_1.ListAccountsCommand({ accessToken: p.accessToken }));
29
- accountId = (_b = (_a = accounts.accountList) === null || _a === void 0 ? void 0 : _a[0]) === null || _b === void 0 ? void 0 : _b.accountId;
30
- }
31
- if (!accountId) {
32
- throw new Error('no account id');
33
- }
34
- const rolesResult = yield sso.send(new client_sso_1.ListAccountRolesCommand({
35
- accessToken: p.accessToken,
36
- accountId,
37
- }));
38
- const roles = ((_d = (_c = rolesResult.roleList) === null || _c === void 0 ? void 0 : _c.map((r) => ({
39
- accountId: r.accountId || '',
40
- roleName: r.roleName || '',
41
- }))) === null || _d === void 0 ? void 0 : _d.filter((r) => r.accountId && r.roleName)) || [];
42
- if (roles.length === 0) {
43
- throw new Error('no roles can be assumed');
44
- }
45
- if (roles.length > 1) {
46
- throw new Error('too many roles' + JSON.stringify(roles, null, 2));
47
- }
48
- const role = roles[0];
49
- return role;
50
- });
51
- exports.getAssumedRole = getAssumedRole;
52
- const getOIDCCredentialsFromAccessToken = (p) => __awaiter(void 0, void 0, void 0, function* () {
53
- const sso = new client_sso_1.SSOClient({ region: config_1.identityCenterRegion });
54
- const role = yield (0, exports.getAssumedRole)({ accessToken: p.accessToken });
55
- const ssoResp = yield sso.send(new client_sso_1.GetRoleCredentialsCommand(Object.assign(Object.assign({}, role), { accessToken: p.accessToken })));
56
- const rc = ssoResp.roleCredentials;
57
- if (!(rc === null || rc === void 0 ? void 0 : rc.accessKeyId) ||
58
- !(rc === null || rc === void 0 ? void 0 : rc.expiration) ||
59
- !(rc === null || rc === void 0 ? void 0 : rc.secretAccessKey) ||
60
- !(rc === null || rc === void 0 ? void 0 : rc.sessionToken)) {
61
- throw new Error('role creds undefined:' + JSON.stringify(rc, null, 2));
62
- }
63
- return Object.assign(Object.assign({}, p), { accessKeyId: rc.accessKeyId, secretAccessKey: rc.secretAccessKey, sessionToken: rc.sessionToken, region: config_1.identityCenterRegion });
64
- });
65
- exports.getOIDCCredentialsFromAccessToken = getOIDCCredentialsFromAccessToken;
66
- function appInstances(p) {
67
- return __awaiter(this, void 0, void 0, function* () {
68
- const ai = (yield (yield (0, node_fetch_1.default)(`https://portal.sso.${config_1.identityCenterRegion}.amazonaws.com/instance/appinstances`, { headers: { 'x-amz-sso_bearer_token': p.ssoAuthn } })).json());
69
- if (!(ai === null || ai === void 0 ? void 0 : ai.result)) {
70
- throw new Error('appinstance error' + JSON.stringify(ai, null, 2));
71
- }
72
- return ai.result;
73
- });
74
- }
75
- exports.appInstances = appInstances;
76
- function getSamlAssertion(p, instance) {
77
- var _a, _b;
78
- return __awaiter(this, void 0, void 0, function* () {
79
- const det = (yield (yield (0, node_fetch_1.default)(`https://portal.sso.${config_1.identityCenterRegion}.amazonaws.com/instance/appinstance/${instance.id}/profiles`, { headers: { 'x-amz-sso_bearer_token': p.ssoAuthn } })).json());
80
- const asserturl = (_b = (_a = det === null || det === void 0 ? void 0 : det.result) === null || _a === void 0 ? void 0 : _a[0]) === null || _b === void 0 ? void 0 : _b.url;
81
- if (!asserturl) {
82
- throw new Error('assertion url cant be found');
83
- }
84
- const assertion = (yield (yield (0, node_fetch_1.default)(asserturl, {
85
- headers: { 'x-amz-sso_bearer_token': p.ssoAuthn },
86
- })).json());
87
- const decoded = (0, string_1.fromBase64)(assertion.encodedResponse);
88
- const res = new RegExp(/<saml2:AttributeValue xmlns:xsi="http:\/\/www.w3.org\/2001\/XMLSchema-instance" xsi:type="xsd:string">(arn.*?)</gim).exec(decoded);
89
- if (!(res === null || res === void 0 ? void 0 : res[1])) {
90
- throw new Error('bad saml');
91
- }
92
- const [providerArn, roleArn] = res[1].split(',');
93
- return { samlAssertion: assertion.encodedResponse, providerArn, roleArn };
94
- });
95
- }
96
- exports.getSamlAssertion = getSamlAssertion;
97
- const tryExistingCredentials = () => __awaiter(void 0, void 0, void 0, function* () {
98
- const credraw = yield (0, awsconfig_1.getAwsCredentials)();
99
- if (!credraw.default.aws_access_token) {
100
- return undefined;
101
- }
102
- let credentials = {
103
- accessKeyId: credraw.default.aws_access_key_id,
104
- secretAccessKey: credraw.default.aws_secret_access_key,
105
- sessionToken: credraw.default.aws_session_token,
106
- accessToken: credraw.default.aws_access_token,
107
- ssoAuthn: credraw.default.aws_sso_authn,
108
- region: config_1.identityCenterRegion,
109
- };
110
- const v = yield (0, sts_1.validateCredentials)(credentials);
111
- if (v) {
112
- return credentials;
113
- }
114
- if (credraw.default.aws_access_token && credraw.default.aws_sso_authn) {
115
- try {
116
- (0, log_1.info)('trying oidc refresh');
117
- credentials = yield (0, exports.getOIDCCredentialsFromAccessToken)({
118
- accessToken: credraw.default.aws_access_token,
119
- ssoAuthn: credraw.default.aws_sso_authn,
120
- });
121
- return credentials;
122
- }
123
- catch (e) {
124
- //
125
- (0, log_1.info)('access token or sso expired, need to wipe', e);
126
- }
127
- }
128
- return {
129
- accessToken: '',
130
- ssoAuthn: '',
131
- region: config_1.identityCenterRegion,
132
- accessKeyId: '',
133
- secretAccessKey: '',
134
- sessionToken: '',
135
- };
136
- });
137
- exports.tryExistingCredentials = tryExistingCredentials;
1
+ "use strict";
2
+ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
3
+ function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
4
+ return new (P || (P = Promise))(function (resolve, reject) {
5
+ function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
6
+ function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
7
+ function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
8
+ step((generator = generator.apply(thisArg, _arguments || [])).next());
9
+ });
10
+ };
11
+ var __importDefault = (this && this.__importDefault) || function (mod) {
12
+ return (mod && mod.__esModule) ? mod : { "default": mod };
13
+ };
14
+ Object.defineProperty(exports, "__esModule", { value: true });
15
+ exports.tryExistingCredentials = exports.getSamlAssertion = exports.appInstances = exports.getOIDCCredentialsFromAccessToken = exports.getAssumedRole = void 0;
16
+ const client_sso_1 = require("@aws-sdk/client-sso");
17
+ const log_1 = require("ag-common/dist/common/helpers/log");
18
+ const string_1 = require("ag-common/dist/common/helpers/string");
19
+ const node_fetch_1 = __importDefault(require("node-fetch"));
20
+ const config_1 = require("../config");
21
+ const awsconfig_1 = require("./awsconfig");
22
+ const sts_1 = require("./sts");
23
+ const getAssumedRole = (p) => __awaiter(void 0, void 0, void 0, function* () {
24
+ var _a, _b, _c, _d;
25
+ const sso = new client_sso_1.SSOClient({ region: config_1.identityCenterRegion });
26
+ let accountId = p.accountId;
27
+ if (!accountId) {
28
+ const accounts = yield sso.send(new client_sso_1.ListAccountsCommand({ accessToken: p.accessToken }));
29
+ accountId = (_b = (_a = accounts.accountList) === null || _a === void 0 ? void 0 : _a[0]) === null || _b === void 0 ? void 0 : _b.accountId;
30
+ }
31
+ if (!accountId) {
32
+ throw new Error('no account id');
33
+ }
34
+ const rolesResult = yield sso.send(new client_sso_1.ListAccountRolesCommand({
35
+ accessToken: p.accessToken,
36
+ accountId,
37
+ }));
38
+ const roles = ((_d = (_c = rolesResult.roleList) === null || _c === void 0 ? void 0 : _c.map((r) => ({
39
+ accountId: r.accountId || '',
40
+ roleName: r.roleName || '',
41
+ }))) === null || _d === void 0 ? void 0 : _d.filter((r) => r.accountId && r.roleName)) || [];
42
+ if (roles.length === 0) {
43
+ throw new Error('no roles can be assumed');
44
+ }
45
+ if (roles.length > 1) {
46
+ throw new Error('too many roles' + JSON.stringify(roles, null, 2));
47
+ }
48
+ const role = roles[0];
49
+ return role;
50
+ });
51
+ exports.getAssumedRole = getAssumedRole;
52
+ const getOIDCCredentialsFromAccessToken = (p) => __awaiter(void 0, void 0, void 0, function* () {
53
+ const sso = new client_sso_1.SSOClient({ region: config_1.identityCenterRegion });
54
+ const role = yield (0, exports.getAssumedRole)({ accessToken: p.accessToken });
55
+ const ssoResp = yield sso.send(new client_sso_1.GetRoleCredentialsCommand(Object.assign(Object.assign({}, role), { accessToken: p.accessToken })));
56
+ const rc = ssoResp.roleCredentials;
57
+ if (!(rc === null || rc === void 0 ? void 0 : rc.accessKeyId) ||
58
+ !(rc === null || rc === void 0 ? void 0 : rc.expiration) ||
59
+ !(rc === null || rc === void 0 ? void 0 : rc.secretAccessKey) ||
60
+ !(rc === null || rc === void 0 ? void 0 : rc.sessionToken)) {
61
+ throw new Error('role creds undefined:' + JSON.stringify(rc, null, 2));
62
+ }
63
+ return Object.assign(Object.assign({}, p), { accessKeyId: rc.accessKeyId, secretAccessKey: rc.secretAccessKey, sessionToken: rc.sessionToken, region: config_1.identityCenterRegion });
64
+ });
65
+ exports.getOIDCCredentialsFromAccessToken = getOIDCCredentialsFromAccessToken;
66
+ function appInstances(p) {
67
+ return __awaiter(this, void 0, void 0, function* () {
68
+ const ai = (yield (yield (0, node_fetch_1.default)(`https://portal.sso.${config_1.identityCenterRegion}.amazonaws.com/instance/appinstances`, { headers: { 'x-amz-sso_bearer_token': p.ssoAuthn } })).json());
69
+ if (!(ai === null || ai === void 0 ? void 0 : ai.result)) {
70
+ throw new Error('appinstance error' + JSON.stringify(ai, null, 2));
71
+ }
72
+ return ai.result;
73
+ });
74
+ }
75
+ exports.appInstances = appInstances;
76
+ function getSamlAssertion(p, instance) {
77
+ var _a, _b;
78
+ return __awaiter(this, void 0, void 0, function* () {
79
+ const det = (yield (yield (0, node_fetch_1.default)(`https://portal.sso.${config_1.identityCenterRegion}.amazonaws.com/instance/appinstance/${instance.id}/profiles`, { headers: { 'x-amz-sso_bearer_token': p.ssoAuthn } })).json());
80
+ const asserturl = (_b = (_a = det === null || det === void 0 ? void 0 : det.result) === null || _a === void 0 ? void 0 : _a[0]) === null || _b === void 0 ? void 0 : _b.url;
81
+ if (!asserturl) {
82
+ throw new Error('assertion url cant be found');
83
+ }
84
+ const assertion = (yield (yield (0, node_fetch_1.default)(asserturl, {
85
+ headers: { 'x-amz-sso_bearer_token': p.ssoAuthn },
86
+ })).json());
87
+ const decoded = (0, string_1.fromBase64)(assertion.encodedResponse);
88
+ const res = new RegExp(/<saml2:AttributeValue xmlns:xsi="http:\/\/www.w3.org\/2001\/XMLSchema-instance" xsi:type="xsd:string">(arn.*?)</gim).exec(decoded);
89
+ if (!(res === null || res === void 0 ? void 0 : res[1])) {
90
+ throw new Error('bad saml');
91
+ }
92
+ const [providerArn, roleArn] = res[1].split(',');
93
+ return { samlAssertion: assertion.encodedResponse, providerArn, roleArn };
94
+ });
95
+ }
96
+ exports.getSamlAssertion = getSamlAssertion;
97
+ const tryExistingCredentials = () => __awaiter(void 0, void 0, void 0, function* () {
98
+ const credraw = yield (0, awsconfig_1.getAwsCredentials)();
99
+ if (!credraw.default.aws_access_token) {
100
+ return undefined;
101
+ }
102
+ let credentials = {
103
+ accessKeyId: credraw.default.aws_access_key_id,
104
+ secretAccessKey: credraw.default.aws_secret_access_key,
105
+ sessionToken: credraw.default.aws_session_token,
106
+ accessToken: credraw.default.aws_access_token,
107
+ ssoAuthn: credraw.default.aws_sso_authn,
108
+ region: config_1.identityCenterRegion,
109
+ };
110
+ const v = yield (0, sts_1.validateCredentials)(credentials);
111
+ if (v) {
112
+ return credentials;
113
+ }
114
+ if (credraw.default.aws_access_token && credraw.default.aws_sso_authn) {
115
+ try {
116
+ (0, log_1.info)('trying oidc refresh');
117
+ credentials = yield (0, exports.getOIDCCredentialsFromAccessToken)({
118
+ accessToken: credraw.default.aws_access_token,
119
+ ssoAuthn: credraw.default.aws_sso_authn,
120
+ });
121
+ return credentials;
122
+ }
123
+ catch (e) {
124
+ //
125
+ const em = e.toString();
126
+ if (em.includes('is expired') || em.includes('or invalid')) {
127
+ (0, log_1.info)('access token or sso expired, need to wipe');
128
+ }
129
+ else {
130
+ (0, log_1.info)(e);
131
+ }
132
+ }
133
+ }
134
+ return {
135
+ accessToken: '',
136
+ ssoAuthn: '',
137
+ region: config_1.identityCenterRegion,
138
+ accessKeyId: '',
139
+ secretAccessKey: '',
140
+ sessionToken: '',
141
+ };
142
+ });
143
+ exports.tryExistingCredentials = tryExistingCredentials;
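Review bot: `const em = e.toString();` at the top of the new catch block in tryExistingCredentials throws a TypeError if a non-object value (`undefined`, `null`) is thrown, replacing the original failure with an unrelated one inside the fallback path; `const em = e instanceof Error ? e.message : String(e);` keeps the same substring checks without that hazard. Classifying the failure by the substrings `'is expired'` / `'or invalid'` ties the refresh logic to the current wording of the SDK's messages, which can change without notice; when the failure comes from the SDK, its error `name` is the stabler field to branch on, with the substring test kept only as a fallback. Both branches log at `info` level, so an expired SSO session and an unexpected error (network, throttling, missing permissions) look the same to an operator reading the log; the `else` branch should at least use `(0, log_1.warn)('oidc refresh failed', e);` so the context is searchable. The rest of the hunk appears to be a whole-file rewrite with identical content on both sides, so this catch block is the only functional change.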
@@ -1,24 +1,24 @@
1
- import { IAwsCreds, SearchMetadata } from '../types';
2
- export declare function validateCredentials(credentials: IAwsCreds): Promise<{
3
- accountId: string;
4
- principalArn: string;
5
- } | undefined>;
6
- export declare function getApplicationCreds(p: {
7
- originCreds: IAwsCreds;
8
- targetRegion: string;
9
- samlAssertion: string;
10
- providerArn: string;
11
- roleArn: string;
12
- }): Promise<IAwsCreds>;
13
- export declare function directStsAssume(p: {
14
- credentials: IAwsCreds;
15
- targetRegion: string;
16
- metadata: SearchMetadata;
17
- }): Promise<{
18
- region: string;
19
- accessKeyId: string;
20
- secretAccessKey: string;
21
- sessionToken: string;
22
- accessToken: string;
23
- ssoAuthn: string;
24
- }>;
1
+ import { IAwsCreds, SearchMetadata } from '../types';
2
+ export declare function validateCredentials(credentials: IAwsCreds): Promise<{
3
+ accountId: string;
4
+ principalArn: string;
5
+ } | undefined>;
6
+ export declare function getApplicationCreds(p: {
7
+ originCreds: IAwsCreds;
8
+ targetRegion: string;
9
+ samlAssertion: string;
10
+ providerArn: string;
11
+ roleArn: string;
12
+ }): Promise<IAwsCreds>;
13
+ export declare function directStsAssume(p: {
14
+ credentials: IAwsCreds;
15
+ targetRegion: string;
16
+ metadata: SearchMetadata;
17
+ }): Promise<{
18
+ region: string;
19
+ accessKeyId: string;
20
+ secretAccessKey: string;
21
+ sessionToken: string;
22
+ accessToken: string;
23
+ ssoAuthn: string;
24
+ }>;
@@ -1,98 +1,98 @@
1
- "use strict";
2
- var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
3
- function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
4
- return new (P || (P = Promise))(function (resolve, reject) {
5
- function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
6
- function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
7
- function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
8
- step((generator = generator.apply(thisArg, _arguments || [])).next());
9
- });
10
- };
11
- Object.defineProperty(exports, "__esModule", { value: true });
12
- exports.directStsAssume = exports.getApplicationCreds = exports.validateCredentials = void 0;
13
- const client_sts_1 = require("@aws-sdk/client-sts");
14
- const log_1 = require("ag-common/dist/common/helpers/log");
15
- const config_1 = require("../config");
16
- const sso_1 = require("./sso");
17
- function validateCredentials(credentials) {
18
- var _a, _b;
19
- return __awaiter(this, void 0, void 0, function* () {
20
- const sts = new client_sts_1.STS({
21
- credentials,
22
- region: credentials.region,
23
- });
24
- try {
25
- const stub = yield sts.getCallerIdentity({});
26
- yield (0, sso_1.appInstances)(credentials);
27
- if (((_b = (_a = stub === null || stub === void 0 ? void 0 : stub.$metadata) === null || _a === void 0 ? void 0 : _a.httpStatusCode) !== null && _b !== void 0 ? _b : 500) < 400 &&
28
- stub.Account &&
29
- stub.Arn) {
30
- (0, log_1.info)(`test cached credentials OK`);
31
- return { accountId: stub.Account, principalArn: stub.Arn };
32
- }
33
- }
34
- catch (e) {
35
- const es = e.toString();
36
- if (es.includes('expired')) {
37
- (0, log_1.warn)('creds have expired');
38
- }
39
- (0, log_1.warn)('other saml error:' + es);
40
- return undefined;
41
- }
42
- });
43
- }
44
- exports.validateCredentials = validateCredentials;
45
- function getApplicationCreds(p) {
46
- var _a, _b, _c, _d;
47
- return __awaiter(this, void 0, void 0, function* () {
48
- const sts = new client_sts_1.STS({
49
- credentials: p.originCreds,
50
- region: p.targetRegion,
51
- });
52
- const ret = yield sts.assumeRoleWithSAML({
53
- PrincipalArn: p.providerArn,
54
- RoleArn: p.roleArn,
55
- SAMLAssertion: p.samlAssertion,
56
- DurationSeconds: config_1.stsDurationSeconds,
57
- });
58
- if (((_a = ret.$metadata.httpStatusCode) !== null && _a !== void 0 ? _a : 500) >= 400) {
59
- (0, log_1.error)('bad assume saml role', ret);
60
- throw new Error('bad assume saml role');
61
- }
62
- if (!((_b = ret === null || ret === void 0 ? void 0 : ret.Credentials) === null || _b === void 0 ? void 0 : _b.AccessKeyId) ||
63
- !((_c = ret === null || ret === void 0 ? void 0 : ret.Credentials) === null || _c === void 0 ? void 0 : _c.SecretAccessKey) ||
64
- !((_d = ret === null || ret === void 0 ? void 0 : ret.Credentials) === null || _d === void 0 ? void 0 : _d.SessionToken)) {
65
- throw new Error('no creds');
66
- }
67
- return Object.assign(Object.assign({}, p.originCreds), { region: p.targetRegion, accessKeyId: ret.Credentials.AccessKeyId, secretAccessKey: ret.Credentials.SecretAccessKey, sessionToken: ret.Credentials.SessionToken });
68
- });
69
- }
70
- exports.getApplicationCreds = getApplicationCreds;
71
- function directStsAssume(p) {
72
- var _a, _b, _c, _d;
73
- return __awaiter(this, void 0, void 0, function* () {
74
- const role = yield (0, sso_1.getAssumedRole)({
75
- accessToken: p.credentials.accessToken,
76
- accountId: p.metadata.AccountId,
77
- });
78
- const sts = new client_sts_1.STS({
79
- credentials: p.credentials,
80
- region: p.targetRegion,
81
- });
82
- const ar = yield sts.assumeRole({
83
- RoleArn: `arn:aws:iam::${role.accountId}:role/${role.roleName}`,
84
- RoleSessionName: 'awsauth',
85
- DurationSeconds: config_1.nativeStsDurationSeconds,
86
- });
87
- if (((_a = ar.$metadata.httpStatusCode) !== null && _a !== void 0 ? _a : 500) >= 400) {
88
- throw new Error('assume role error' + JSON.stringify(ar, null, 2));
89
- }
90
- if (!((_b = ar === null || ar === void 0 ? void 0 : ar.Credentials) === null || _b === void 0 ? void 0 : _b.AccessKeyId) ||
91
- !((_c = ar === null || ar === void 0 ? void 0 : ar.Credentials) === null || _c === void 0 ? void 0 : _c.SecretAccessKey) ||
92
- !((_d = ar === null || ar === void 0 ? void 0 : ar.Credentials) === null || _d === void 0 ? void 0 : _d.SessionToken)) {
93
- throw new Error('no creds');
94
- }
95
- return Object.assign(Object.assign({}, p.credentials), { region: p.targetRegion, accessKeyId: ar.Credentials.AccessKeyId, secretAccessKey: ar.Credentials.SecretAccessKey, sessionToken: ar.Credentials.SessionToken });
96
- });
97
- }
98
- exports.directStsAssume = directStsAssume;
1
+ "use strict";
2
+ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
3
+ function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
4
+ return new (P || (P = Promise))(function (resolve, reject) {
5
+ function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
6
+ function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
7
+ function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
8
+ step((generator = generator.apply(thisArg, _arguments || [])).next());
9
+ });
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.directStsAssume = exports.getApplicationCreds = exports.validateCredentials = void 0;
13
+ const client_sts_1 = require("@aws-sdk/client-sts");
14
+ const log_1 = require("ag-common/dist/common/helpers/log");
15
+ const config_1 = require("../config");
16
+ const sso_1 = require("./sso");
17
+ function validateCredentials(credentials) {
18
+ var _a, _b;
19
+ return __awaiter(this, void 0, void 0, function* () {
20
+ const sts = new client_sts_1.STS({
21
+ credentials,
22
+ region: credentials.region,
23
+ });
24
+ try {
25
+ const stub = yield sts.getCallerIdentity({});
26
+ yield (0, sso_1.appInstances)(credentials);
27
+ if (((_b = (_a = stub === null || stub === void 0 ? void 0 : stub.$metadata) === null || _a === void 0 ? void 0 : _a.httpStatusCode) !== null && _b !== void 0 ? _b : 500) < 400 &&
28
+ stub.Account &&
29
+ stub.Arn) {
30
+ (0, log_1.info)(`test cached credentials OK`);
31
+ return { accountId: stub.Account, principalArn: stub.Arn };
32
+ }
33
+ }
34
+ catch (e) {
35
+ const es = e.toString();
36
+ if (es.includes('expired')) {
37
+ (0, log_1.warn)('creds have expired');
38
+ }
39
+ (0, log_1.warn)('other saml error:' + es);
40
+ return undefined;
41
+ }
42
+ });
43
+ }
44
+ exports.validateCredentials = validateCredentials;
45
+ function getApplicationCreds(p) {
46
+ var _a, _b, _c, _d;
47
+ return __awaiter(this, void 0, void 0, function* () {
48
+ const sts = new client_sts_1.STS({
49
+ credentials: p.originCreds,
50
+ region: p.targetRegion,
51
+ });
52
+ const ret = yield sts.assumeRoleWithSAML({
53
+ PrincipalArn: p.providerArn,
54
+ RoleArn: p.roleArn,
55
+ SAMLAssertion: p.samlAssertion,
56
+ DurationSeconds: config_1.stsDurationSeconds,
57
+ });
58
+ if (((_a = ret.$metadata.httpStatusCode) !== null && _a !== void 0 ? _a : 500) >= 400) {
59
+ (0, log_1.error)('bad assume saml role', ret);
60
+ throw new Error('bad assume saml role');
61
+ }
62
+ if (!((_b = ret === null || ret === void 0 ? void 0 : ret.Credentials) === null || _b === void 0 ? void 0 : _b.AccessKeyId) ||
63
+ !((_c = ret === null || ret === void 0 ? void 0 : ret.Credentials) === null || _c === void 0 ? void 0 : _c.SecretAccessKey) ||
64
+ !((_d = ret === null || ret === void 0 ? void 0 : ret.Credentials) === null || _d === void 0 ? void 0 : _d.SessionToken)) {
65
+ throw new Error('no creds');
66
+ }
67
+ return Object.assign(Object.assign({}, p.originCreds), { region: p.targetRegion, accessKeyId: ret.Credentials.AccessKeyId, secretAccessKey: ret.Credentials.SecretAccessKey, sessionToken: ret.Credentials.SessionToken });
68
+ });
69
+ }
70
+ exports.getApplicationCreds = getApplicationCreds;
71
+ function directStsAssume(p) {
72
+ var _a, _b, _c, _d;
73
+ return __awaiter(this, void 0, void 0, function* () {
74
+ const role = yield (0, sso_1.getAssumedRole)({
75
+ accessToken: p.credentials.accessToken,
76
+ accountId: p.metadata.AccountId,
77
+ });
78
+ const sts = new client_sts_1.STS({
79
+ credentials: p.credentials,
80
+ region: p.targetRegion,
81
+ });
82
+ const ar = yield sts.assumeRole({
83
+ RoleArn: `arn:aws:iam::${role.accountId}:role/${role.roleName}`,
84
+ RoleSessionName: 'awsauth',
85
+ DurationSeconds: config_1.nativeStsDurationSeconds,
86
+ });
87
+ if (((_a = ar.$metadata.httpStatusCode) !== null && _a !== void 0 ? _a : 500) >= 400) {
88
+ throw new Error('assume role error' + JSON.stringify(ar, null, 2));
89
+ }
90
+ if (!((_b = ar === null || ar === void 0 ? void 0 : ar.Credentials) === null || _b === void 0 ? void 0 : _b.AccessKeyId) ||
91
+ !((_c = ar === null || ar === void 0 ? void 0 : ar.Credentials) === null || _c === void 0 ? void 0 : _c.SecretAccessKey) ||
92
+ !((_d = ar === null || ar === void 0 ? void 0 : ar.Credentials) === null || _d === void 0 ? void 0 : _d.SessionToken)) {
93
+ throw new Error('no creds');
94
+ }
95
+ return Object.assign(Object.assign({}, p.credentials), { region: p.targetRegion, accessKeyId: ar.Credentials.AccessKeyId, secretAccessKey: ar.Credentials.SecretAccessKey, sessionToken: ar.Credentials.SessionToken });
96
+ });
97
+ }
98
+ exports.directStsAssume = directStsAssume;
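--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,4 +1,4 @@
-import { IApplicationArgs } from './types';
-export declare let globalargs: IApplicationArgs | undefined;
-export declare function main(args: IApplicationArgs): Promise<void>;
-export declare function run(): Promise<void>;
+import { IApplicationArgs } from './types';
+export declare let globalargs: IApplicationArgs | undefined;
+export declare function main(args: IApplicationArgs): Promise<void>;
+export declare function run(): Promise<void>;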