cdk-assets 2.0.0-rc.3 → 2.0.0-rc.30

package/README.md

@@ -42,7 +42,7 @@ itself in the following behaviors:
   image in the local Docker cache) already exists named after the asset's ID, it
   will not be packaged, but will be uploaded directly to the destination
   location.
-  
+
 For assets build by external utilities, the contract is such that cdk-assets
 expects the utility to manage dedupe detection as well as path/image tag generation.
 This means that cdk-assets will call the external utility every time generation
@@ -153,3 +153,36 @@ on the AWS SDK (through environment variables or `~/.aws/...` config files).
 * If `${AWS::Region}` is used, it will principally be replaced with the value
   in the `region` key. If the default region is intended, leave the `region`
   key out of the manifest at all.
+
+## Docker image credentials
+
+For Docker image asset publishing, `cdk-assets` will `docker login` with
+credentials from ECR GetAuthorizationToken prior to building and publishing, so
+that the Dockerfile can reference images in the account's ECR repo.
+
+`cdk-assets` can also be configured to read credentials from both ECR and
+SecretsManager prior to build by creating a credential configuration at
+'~/.cdk/cdk-docker-creds.json' (override this location by setting the
+CDK_DOCKER_CREDS_FILE environment variable). The credentials file has the
+following format:
+
+```json
+{
+  "version": "1.0",
+  "domainCredentials": {
+    "domain1.example.com": {
+      "secretsManagerSecretId": "mySecret", // Can be the secret ID or full ARN
+      "roleArn": "arn:aws:iam::0123456789012:role/my-role" // (Optional) role with permissions to the secret
+    },
+    "domain2.example.com": {
+      "ecrRepository": true,
+      "roleArn": "arn:aws:iam::0123456789012:role/my-role" // (Optional) role with permissions to the repo
+    }
+  }
+}
+```
+
+If the credentials file is present, `docker` will be configured to use the
+`docker-credential-cdk-assets` credential helper for each of the domains listed
+in the file. This helper will assume the role provided (if present), and then fetch
+the login credentials from either SecretsManager or ECR.

package/bin/docker-credential-cdk-assets

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require('./docker-credential-cdk-assets.js');

package/bin/docker-credential-cdk-assets.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Docker Credential Helper to retrieve credentials based on an external configuration file.
+ * Supports loading credentials from ECR repositories and from Secrets Manager,
+ * optionally via an assumed role.
+ *
+ * The only operation currently supported by this credential helper at this time is the `get`
+ * command, which receives a domain name as input on stdin and returns a Username/Secret in
+ * JSON format on stdout.
+ *
+ * IMPORTANT - The credential helper must not output anything else besides the final credentials
+ * in any success case; doing so breaks docker's parsing of the output and causes the login to fail.
+ */
+export {};

package/bin/docker-credential-cdk-assets.js

@@ -0,0 +1,43 @@
+"use strict";
+/**
+ * Docker Credential Helper to retrieve credentials based on an external configuration file.
+ * Supports loading credentials from ECR repositories and from Secrets Manager,
+ * optionally via an assumed role.
+ *
+ * The only operation currently supported by this credential helper at this time is the `get`
+ * command, which receives a domain name as input on stdin and returns a Username/Secret in
+ * JSON format on stdout.
+ *
+ * IMPORTANT - The credential helper must not output anything else besides the final credentials
+ * in any success case; doing so breaks docker's parsing of the output and causes the login to fail.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs = require("fs");
+const lib_1 = require("../lib");
+const docker_credentials_1 = require("../lib/private/docker-credentials");
+async function main() {
+    // Expected invocation is [node, docker-credential-cdk-assets, get] with input fed via STDIN
+    // For other valid docker commands (store, list, erase), we no-op.
+    if (process.argv.length !== 3 || process.argv[2] !== 'get') {
+        process.exit(0);
+    }
+    const config = docker_credentials_1.cdkCredentialsConfig();
+    if (!config) {
+        throw new Error(`unable to find CDK Docker credentials at: ${docker_credentials_1.cdkCredentialsConfigFile()}`);
+    }
+    // Read the domain to fetch from stdin
+    let rawDomain = fs.readFileSync(0, { encoding: 'utf-8' }).trim();
+    // Paranoid handling to ensure new URL() doesn't throw if the schema is missing.
+    // Not convinced docker will ever pass in a url like 'index.docker.io/v1', but just in case...
+    rawDomain = rawDomain.includes('://') ? rawDomain : `https://${rawDomain}`;
+    const domain = new URL(rawDomain).hostname;
+    const credentials = await docker_credentials_1.fetchDockerLoginCredentials(new lib_1.DefaultAwsClient(), config, domain);
+    // Write the credentials back to stdout
+    fs.writeFileSync(1, JSON.stringify(credentials));
+}
+main().catch(e => {
+    // eslint-disable-next-line no-console
+    console.error(e.stack);
+    process.exitCode = 1;
+});
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZG9ja2VyLWNyZWRlbnRpYWwtY2RrLWFzc2V0cy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbImRvY2tlci1jcmVkZW50aWFsLWNkay1hc3NldHMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBOzs7Ozs7Ozs7OztHQVdHOztBQUVILHlCQUF5QjtBQUN6QixnQ0FBMEM7QUFFMUMsMEVBQWdJO0FBRWhJLEtBQUssVUFBVSxJQUFJO0lBQ2pCLDRGQUE0RjtJQUM1RixrRUFBa0U7SUFDbEUsSUFBSSxPQUFPLENBQUMsSUFBSSxDQUFDLE1BQU0sS0FBSyxDQUFDLElBQUksT0FBTyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsS0FBSyxLQUFLLEVBQUU7UUFDMUQsT0FBTyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQztLQUNqQjtJQUVELE1BQU0sTUFBTSxHQUFHLHlDQUFvQixFQUFFLENBQUM7SUFDdEMsSUFBSSxDQUFDLE1BQU0sRUFBRTtRQUNYLE1BQU0sSUFBSSxLQUFLLENBQUMsNkNBQTZDLDZDQUF3QixFQUFFLEVBQUUsQ0FBQyxDQUFDO0tBQzVGO0lBRUQsc0NBQXNDO0lBQ3RDLElBQUksU0FBUyxHQUFHLEVBQUUsQ0FBQyxZQUFZLENBQUMsQ0FBQyxFQUFFLEVBQUUsUUFBUSxFQUFFLE9BQU8sRUFBRSxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUM7SUFDakUsZ0ZBQWdGO0lBQ2hGLDhGQUE4RjtJQUM5RixTQUFTLEdBQUcsU0FBUyxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxXQUFXLFNBQVMsRUFBRSxDQUFDO0lBQzNFLE1BQU0sTUFBTSxHQUFHLElBQUksR0FBRyxDQUFDLFNBQVMsQ0FBQyxDQUFDLFFBQVEsQ0FBQztJQUUzQyxNQUFNLFdBQVcsR0FBRyxNQUFNLGdEQUEyQixDQUFDLElBQUksc0JBQWdCLEVBQUUsRUFBRSxNQUFNLEVBQUUsTUFBTSxDQUFDLENBQUM7SUFFOUYsdUNBQXVDO0lBQ3ZDLEVBQUUsQ0FBQyxhQUFhLENBQUMsQ0FBQyxFQUFFLElBQUksQ0FBQyxTQUFTLENBQUMsV0FBVyxDQUFDLENBQUMsQ0FBQztBQUNuRCxDQUFDO0FBRUQsSUFBSSxFQUFFLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxFQUFFO0lBQ2Ysc0NBQXNDO0lBQ3RDLE9BQU8sQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQ3ZCLE9BQU8sQ0FBQyxRQUFRLEdBQUcsQ0FBQyxDQUFDO0FBQ3ZCLENBQUMsQ0FBQyxDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiLyoqXG4gKiBEb2NrZXIgQ3JlZGVudGlhbCBIZWxwZXIgdG8gcmV0cmlldmUgY3JlZGVudGlhbHMgYmFzZWQgb24gYW4gZXh0ZXJuYWwgY29uZmlndXJhdGlvbiBmaWxlLlxuICogU3VwcG9ydHMgbG9hZGluZyBjcmVkZW50aWFscyBmcm9tIEVDUiByZXBvc2l0b3JpZXMgYW5kIGZyb20gU2VjcmV0cyBNYW5hZ2VyLFxuICogb3B0aW9uYWxseSB2aWEgYW4gYXNzdW1lZCByb2xlLlxuICpcbiAqIFRoZSBvbmx5IG9wZXJhdGlvbiBjdXJyZW50bHkgc3VwcG9ydGVkIGJ5IHRoaXMgY3JlZGVudGlhbCBoZWxwZXIgYXQgdGhpcyB0aW1lIGlzIHRoZSBgZ2V0YFxuICogY29tbWFuZCwgd2hpY2ggcmVjZWl2ZXMgYSBkb21haW4gbmFtZSBhcyBpbnB1dCBvbiBzdGRpbiBhbmQgcmV0dXJucyBhIFVzZXJuYW1lL1NlY3JldCBpblxuICogSlNPTiBmb3JtYXQgb24gc3Rkb3V0LlxuICpcbiAqIElNUE9SVEFOVCAtIFRoZSBjcmVkZW50aWFsIGhlbHBlciBtdXN0IG5vdCBvdXRwdXQgYW55dGhpbmcgZWxzZSBiZXNpZGVzIHRoZSBmaW5hbCBjcmVkZW50aWFsc1xuICogaW4gYW55IHN1Y2Nlc3MgY2FzZTsgZG9pbmcgc28gYnJlYWtzIGRvY2tlcidzIHBhcnNpbmcgb2YgdGhlIG91dHB1dCBhbmQgY2F1c2VzIHRoZSBsb2dpbiB0byBmYWlsLlxuICovXG5cbmltcG9ydCAqIGFzIGZzIGZyb20gJ2ZzJztcbmltcG9ydCB7IERlZmF1bHRBd3NDbGllbnQgfSBmcm9tICcuLi9saWInO1xuXG5pbXBvcnQgeyBjZGtDcmVkZW50aWFsc0NvbmZpZywgY2RrQ3JlZGVudGlhbHNDb25maWdGaWxlLCBmZXRjaERvY2tlckxvZ2luQ3JlZGVudGlhbHMgfSBmcm9tICcuLi9saWIvcHJpdmF0ZS9kb2NrZXItY3JlZGVudGlhbHMnO1xuXG5hc3luYyBmdW5jdGlvbiBtYWluKCkge1xuICAvLyBFeHBlY3RlZCBpbnZvY2F0aW9uIGlzIFtub2RlLCBkb2NrZXItY3JlZGVudGlhbC1jZGstYXNzZXRzLCBnZXRdIHdpdGggaW5wdXQgZmVkIHZpYSBTVERJTlxuICAvLyBGb3Igb3RoZXIgdmFsaWQgZG9ja2VyIGNvbW1hbmRzIChzdG9yZSwgbGlzdCwgZXJhc2UpLCB3ZSBuby1vcC5cbiAgaWYgKHByb2Nlc3MuYXJndi5sZW5ndGggIT09IDMgfHwgcHJvY2Vzcy5hcmd2WzJdICE9PSAnZ2V0Jykge1xuICAgIHByb2Nlc3MuZXhpdCgwKTtcbiAgfVxuXG4gIGNvbnN0IGNvbmZpZyA9IGNka0NyZWRlbnRpYWxzQ29uZmlnKCk7XG4gIGlmICghY29uZmlnKSB7XG4gICAgdGhyb3cgbmV3IEVycm9yKGB1bmFibGUgdG8gZmluZCBDREsgRG9ja2VyIGNyZWRlbnRpYWxzIGF0OiAke2Nka0NyZWRlbnRpYWxzQ29uZmlnRmlsZSgpfWApO1xuICB9XG5cbiAgLy8gUmVhZCB0aGUgZG9tYWluIHRvIGZldGNoIGZyb20gc3RkaW5cbiAgbGV0IHJhd0RvbWFpbiA9IGZzLnJlYWRGaWxlU3luYygwLCB7IGVuY29kaW5nOiAndXRmLTgnIH0pLnRyaW0oKTtcbiAgLy8gUGFyYW5vaWQgaGFuZGxpbmcgdG8gZW5zdXJlIG5ldyBVUkwoKSBkb2Vzbid0IHRocm93IGlmIHRoZSBzY2hlbWEgaXMgbWlzc2luZy5cbiAgLy8gTm90IGNvbnZpbmNlZCBkb2NrZXIgd2lsbCBldmVyIHBhc3MgaW4gYSB1cmwgbGlrZSAnaW5kZXguZG9ja2VyLmlvL3YxJywgYnV0IGp1c3QgaW4gY2FzZS4uLlxuICByYXdEb21haW4gPSByYXdEb21haW4uaW5jbHVkZXMoJzovLycpID8gcmF3RG9tYWluIDogYGh0dHBzOi8vJHtyYXdEb21haW59YDtcbiAgY29uc3QgZG9tYWluID0gbmV3IFVSTChyYXdEb21haW4pLmhvc3RuYW1lO1xuXG4gIGNvbnN0IGNyZWRlbnRpYWxzID0gYXdhaXQgZmV0Y2hEb2NrZXJMb2dpbkNyZWRlbnRpYWxzKG5ldyBEZWZhdWx0QXdzQ2xpZW50KCksIGNvbmZpZywgZG9tYWluKTtcblxuICAvLyBXcml0ZSB0aGUgY3JlZGVudGlhbHMgYmFjayB0byBzdGRvdXRcbiAgZnMud3JpdGVGaWxlU3luYygxLCBKU09OLnN0cmluZ2lmeShjcmVkZW50aWFscykpO1xufVxuXG5tYWluKCkuY2F0Y2goZSA9PiB7XG4gIC8vIGVzbGludC1kaXNhYmxlLW5leHQtbGluZSBuby1jb25zb2xlXG4gIGNvbnNvbGUuZXJyb3IoZS5zdGFjayk7XG4gIHByb2Nlc3MuZXhpdENvZGUgPSAxO1xufSk7XG4iXX0=

package/bin/publish.js

@@ -1,7 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.publish = void 0;
-const os = require("os");
 const lib_1 = require("../lib");
 const logging_1 = require("./logging");
 async function publish(args) {
@@ -13,7 +12,7 @@ async function publish(args) {
         logging_1.log('verbose', `Applied selection: ${manifest.entries.length} assets selected.`);
     }
     const pub = new lib_1.AssetPublishing(manifest, {
-        aws: new DefaultAwsClient(args.profile),
+        aws: new lib_1.DefaultAwsClient(args.profile),
         progressListener: new ConsoleProgress(),
         throwOnError: false,
     });
@@ -43,93 +42,4 @@ class ConsoleProgress {
         logging_1.log(EVENT_TO_LEVEL[type], `[${event.percentComplete}%] ${type}: ${event.message}`);
     }
 }
-/**
- * AWS client using the AWS SDK for JS with no special configuration
- */
-class DefaultAwsClient {
-    constructor(profile) {
-        // Force AWS SDK to look in ~/.aws/credentials and potentially use the configured profile.
-        process.env.AWS_SDK_LOAD_CONFIG = '1';
-        process.env.AWS_STS_REGIONAL_ENDPOINTS = 'regional';
-        process.env.AWS_NODEJS_CONNECTION_REUSE_ENABLED = '1';
-        if (profile) {
-            process.env.AWS_PROFILE = profile;
-        }
-        // We need to set the environment before we load this library for the first time.
-        // eslint-disable-next-line @typescript-eslint/no-require-imports
-        this.AWS = require('aws-sdk');
-    }
-    async s3Client(options) {
-        return new this.AWS.S3(await this.awsOptions(options));
-    }
-    async ecrClient(options) {
-        return new this.AWS.ECR(await this.awsOptions(options));
-    }
-    async discoverPartition() {
-        return (await this.discoverCurrentAccount()).partition;
-    }
-    async discoverDefaultRegion() {
-        return this.AWS.config.region || 'us-east-1';
-    }
-    async discoverCurrentAccount() {
-        if (this.account === undefined) {
-            const sts = new this.AWS.STS();
-            const response = await sts.getCallerIdentity().promise();
-            if (!response.Account || !response.Arn) {
-                logging_1.log('error', `Unrecognized reponse from STS: '${JSON.stringify(response)}'`);
-                throw new Error('Unrecognized reponse from STS');
-            }
-            this.account = {
-                accountId: response.Account,
-                partition: response.Arn.split(':')[1],
-            };
-        }
-        return this.account;
-    }
-    async awsOptions(options) {
-        let credentials;
-        if (options.assumeRoleArn) {
-            credentials = await this.assumeRole(options.region, options.assumeRoleArn, options.assumeRoleExternalId);
-        }
-        return {
-            region: options.region,
-            customUserAgent: `cdk-assets/${logging_1.VERSION}`,
-            credentials,
-        };
-    }
-    /**
-     * Explicit manual AssumeRole call
-     *
-     * Necessary since I can't seem to get the built-in support for ChainableTemporaryCredentials to work.
-     *
-     * It needs an explicit configuration of `masterCredentials`, we need to put
-     * a `DefaultCredentialProverChain()` in there but that is not possible.
-     */
-    async assumeRole(region, roleArn, externalId) {
-        const msg = [
-            `Assume ${roleArn}`,
-            ...externalId ? [`(ExternalId ${externalId})`] : [],
-        ];
-        logging_1.log('verbose', msg.join(' '));
-        return new this.AWS.ChainableTemporaryCredentials({
-            params: {
-                RoleArn: roleArn,
-                ExternalId: externalId,
-                RoleSessionName: `cdk-assets-${safeUsername()}`,
-            },
-            stsConfig: {
-                region,
-                customUserAgent: `cdk-assets/${logging_1.VERSION}`,
-            },
-        });
-    }
-}
-/**
- * Return the username with characters invalid for a RoleSessionName removed
- *
- * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters
- */
-function safeUsername() {
-    return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@');
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicHVibGlzaC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbInB1Ymxpc2gudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEseUJBQXlCO0FBQ3pCLGdDQUdnQjtBQUVoQix1Q0FBbUQ7QUFFNUMsS0FBSyxVQUFVLE9BQU8sQ0FBQyxJQUk3QjtJQUVDLElBQUksUUFBUSxHQUFHLG1CQUFhLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUNqRCxhQUFHLENBQUMsU0FBUyxFQUFFLHdCQUF3QixJQUFJLENBQUMsSUFBSSxLQUFLLFFBQVEsQ0FBQyxPQUFPLENBQUMsTUFBTSxlQUFlLENBQUMsQ0FBQztJQUU3RixJQUFJLElBQUksQ0FBQyxNQUFNLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxNQUFNLEdBQUcsQ0FBQyxFQUFFO1FBQ3pDLE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsd0JBQWtCLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDcEUsUUFBUSxHQUFHLFFBQVEsQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDdEMsYUFBRyxDQUFDLFNBQVMsRUFBRSxzQkFBc0IsUUFBUSxDQUFDLE9BQU8sQ0FBQyxNQUFNLG1CQUFtQixDQUFDLENBQUM7S0FDbEY7SUFFRCxNQUFNLEdBQUcsR0FBRyxJQUFJLHFCQUFlLENBQUMsUUFBUSxFQUFFO1FBQ3hDLEdBQUcsRUFBRSxJQUFJLGdCQUFnQixDQUFDLElBQUksQ0FBQyxPQUFPLENBQUM7UUFDdkMsZ0JBQWdCLEVBQUUsSUFBSSxlQUFlLEVBQUU7UUFDdkMsWUFBWSxFQUFFLEtBQUs7S0FDcEIsQ0FBQyxDQUFDO0lBRUgsTUFBTSxHQUFHLENBQUMsT0FBTyxFQUFFLENBQUM7SUFFcEIsSUFBSSxHQUFHLENBQUMsV0FBVyxFQUFFO1FBQ25CLEtBQUssTUFBTSxPQUFPLElBQUksR0FBRyxDQUFDLFFBQVEsRUFBRTtZQUNsQyxzQ0FBc0M7WUFDdEMsT0FBTyxDQUFDLEtBQUssQ0FBQyxVQUFVLEVBQUUsT0FBTyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsQ0FBQztTQUNoRDtRQUVELE9BQU8sQ0FBQyxRQUFRLEdBQUcsQ0FBQyxDQUFDO0tBQ3RCO0FBQ0gsQ0FBQztBQS9CRCwwQkErQkM7QUFFRCxNQUFNLGNBQWMsR0FBZ0M7SUFDbEQsS0FBSyxFQUFFLFNBQVM7SUFDaEIsTUFBTSxFQUFFLFNBQVM7SUFDakIsS0FBSyxFQUFFLFNBQVM7SUFDaEIsS0FBSyxFQUFFLFNBQVM7SUFDaEIsSUFBSSxFQUFFLE9BQU87SUFDYixLQUFLLEVBQUUsU0FBUztJQUNoQixLQUFLLEVBQUUsTUFBTTtJQUNiLE9BQU8sRUFBRSxNQUFNO0lBQ2YsTUFBTSxFQUFFLFNBQVM7Q0FDbEIsQ0FBQztBQUVGLE1BQU0sZUFBZTtJQUNaLGNBQWMsQ0FBQyxJQUFlLEVBQUUsS0FBdUI7UUFDNUQsYUFBRyxDQUFDLGNBQWMsQ0FBQyxJQUFJLENBQUMsRUFBRSxJQUFJLEtBQUssQ0FBQyxlQUFlLE1BQU0sSUFBSSxLQUFLLEtBQUssQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO0lBQ3JGLENBQUM7Q0FDRjtBQUVEOztHQUVHO0FBQ0gsTUFBTSxnQkFBZ0I7SUFJcEIsWUFBWSxPQUFnQjtRQUMxQiwwRkFBMEY7UUFDMUYsT0FBTyxDQUFDLEdBQUcsQ0FBQyxtQkFBbUIsR0FBRyxHQUFHLENBQUM7UUFDdEMsT0FBTyxDQUFDLEdBQUcsQ0FBQywwQkFBMEIsR0FBRyxVQUFVLENBQUM7UUFDcEQsT0FBTyxDQUFDLEdBQUcsQ0FBQyxtQ0FBbUMsR0FBRyxHQUFHLENBQUM7UUFDdEQsSUFBSSxPQUFPLEVBQUU7WUFDWCxPQUFPLENBQUMsR0FBRyxDQUFDLFdBQVcsR0FBRyxPQUFPLENBQUM7U0FDbkM7UUFFRCxpRkFBaUY7UUFDakYsaUVBQWlFO1FBQ2pFLElBQUksQ0FBQyxHQUFHLEdBQUcsT0FBTyxDQUFDLFNBQVMsQ0FBQyxDQUFDO0lBQ2hDLENBQUM7SUFFTSxLQUFLLENBQUMsUUFBUSxDQUFDLE9BQXNCO1FBQzFDLE9BQU8sSUFBSSxJQUFJLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxNQUFNLElBQUksQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQztJQUN6RCxDQUFDO0lBRU0sS0FBSyxDQUFDLFNBQVMsQ0FBQyxPQUFzQjtRQUMzQyxPQUFPLElBQUksSUFBSSxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUMsTUFBTSxJQUFJLENBQUMsVUFBVSxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUM7SUFDMUQsQ0FBQztJQUVNLEtBQUssQ0FBQyxpQkFBaUI7UUFDNUIsT0FBTyxDQUFDLE1BQU0sSUFBSSxDQUFDLHNCQUFzQixFQUFFLENBQUMsQ0FBQyxTQUFTLENBQUM7SUFDekQsQ0FBQztJQUVNLEtBQUssQ0FBQyxxQkFBcUI7UUFDaEMsT0FBTyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxNQUFNLElBQUksV0FBVyxDQUFDO0lBQy9DLENBQUM7SUFFTSxLQUFLLENBQUMsc0JBQXNCO1FBQ2pDLElBQUksSUFBSSxDQUFDLE9BQU8sS0FBSyxTQUFTLEVBQUU7WUFDOUIsTUFBTSxHQUFHLEdBQUcsSUFBSSxJQUFJLENBQUMsR0FBRyxDQUFDLEdBQUcsRUFBRSxDQUFDO1lBQy9CLE1BQU0sUUFBUSxHQUFHLE1BQU0sR0FBRyxDQUFDLGlCQUFpQixFQUFFLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDekQsSUFBSSxDQUFDLFFBQVEsQ0FBQyxPQUFPLElBQUksQ0FBQyxRQUFRLENBQUMsR0FBRyxFQUFFO2dCQUN0QyxhQUFHLENBQUMsT0FBTyxFQUFFLG1DQUFtQyxJQUFJLENBQUMsU0FBUyxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQztnQkFDN0UsTUFBTSxJQUFJLEtBQUssQ0FBQywrQkFBK0IsQ0FBQyxDQUFDO2FBQ2xEO1lBQ0QsSUFBSSxDQUFDLE9BQU8sR0FBRztnQkFDYixTQUFTLEVBQUUsUUFBUSxDQUFDLE9BQVE7Z0JBQzVCLFNBQVMsRUFBRSxRQUFRLENBQUMsR0FBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUM7YUFDdkMsQ0FBQztTQUNIO1FBRUQsT0FBTyxJQUFJLENBQUMsT0FBTyxDQUFDO0lBQ3RCLENBQUM7SUFFTyxLQUFLLENBQUMsVUFBVSxDQUFDLE9BQXNCO1FBQzdDLElBQUksV0FBVyxDQUFDO1FBRWhCLElBQUksT0FBTyxDQUFDLGFBQWEsRUFBRTtZQUN6QixXQUFXLEdBQUcsTUFBTSxJQUFJLENBQUMsVUFBVSxDQUFDLE9BQU8sQ0FBQyxNQUFNLEVBQUUsT0FBTyxDQUFDLGFBQWEsRUFBRSxPQUFPLENBQUMsb0JBQW9CLENBQUMsQ0FBQztTQUMxRztRQUVELE9BQU87WUFDTCxNQUFNLEVBQUUsT0FBTyxDQUFDLE1BQU07WUFDdEIsZUFBZSxFQUFFLGNBQWMsaUJBQU8sRUFBRTtZQUN4QyxXQUFXO1NBQ1osQ0FBQztJQUNKLENBQUM7SUFFRDs7Ozs7OztPQU9HO0lBQ0ssS0FBSyxDQUFDLFVBQVUsQ0FBQyxNQUEwQixFQUFFLE9BQWUsRUFBRSxVQUFtQjtRQUN2RixNQUFNLEdBQUcsR0FBRztZQUNWLFVBQVUsT0FBTyxFQUFFO1lBQ25CLEdBQUcsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLGVBQWUsVUFBVSxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsRUFBRTtTQUNwRCxDQUFDO1FBQ0YsYUFBRyxDQUFDLFNBQVMsRUFBRSxHQUFHLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7UUFFOUIsT0FBTyxJQUFJLElBQUksQ0FBQyxHQUFHLENBQUMsNkJBQTZCLENBQUM7WUFDaEQsTUFBTSxFQUFFO2dCQUNOLE9BQU8sRUFBRSxPQUFPO2dCQUNoQixVQUFVLEVBQUUsVUFBVTtnQkFDdEIsZUFBZSxFQUFFLGNBQWMsWUFBWSxFQUFFLEVBQUU7YUFDaEQ7WUFDRCxTQUFTLEVBQUU7Z0JBQ1QsTUFBTTtnQkFDTixlQUFlLEVBQUUsY0FBYyxpQkFBTyxFQUFFO2FBQ3pDO1NBQ0YsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztDQUNGO0FBRUQ7Ozs7R0FJRztBQUNILFNBQVMsWUFBWTtJQUNuQixPQUFPLEVBQUUsQ0FBQyxRQUFRLEVBQUUsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLGNBQWMsRUFBRSxHQUFHLENBQUMsQ0FBQztBQUM3RCxDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0ICogYXMgb3MgZnJvbSAnb3MnO1xuaW1wb3J0IHtcbiAgQXNzZXRNYW5pZmVzdCwgQXNzZXRQdWJsaXNoaW5nLCBDbGllbnRPcHRpb25zLCBEZXN0aW5hdGlvblBhdHRlcm4sIEV2ZW50VHlwZSwgSUF3cyxcbiAgSVB1Ymxpc2hQcm9ncmVzcywgSVB1Ymxpc2hQcm9ncmVzc0xpc3RlbmVyLFxufSBmcm9tICcuLi9saWInO1xuaW1wb3J0IHsgQWNjb3VudCB9IGZyb20gJy4uL2xpYi9hd3MnO1xuaW1wb3J0IHsgbG9nLCBMb2dMZXZlbCwgVkVSU0lPTiB9IGZyb20gJy4vbG9nZ2luZyc7XG5cbmV4cG9ydCBhc3luYyBmdW5jdGlvbiBwdWJsaXNoKGFyZ3M6IHtcbiAgcGF0aDogc3RyaW5nO1xuICBhc3NldHM/OiBzdHJpbmdbXTtcbiAgcHJvZmlsZT86IHN0cmluZztcbn0pIHtcblxuICBsZXQgbWFuaWZlc3QgPSBBc3NldE1hbmlmZXN0LmZyb21QYXRoKGFyZ3MucGF0aCk7XG4gIGxvZygndmVyYm9zZScsIGBMb2FkZWQgbWFuaWZlc3QgZnJvbSAke2FyZ3MucGF0aH06ICR7bWFuaWZlc3QuZW50cmllcy5sZW5ndGh9IGFzc2V0cyBmb3VuZGApO1xuXG4gIGlmIChhcmdzLmFzc2V0cyAmJiBhcmdzLmFzc2V0cy5sZW5ndGggPiAwKSB7XG4gICAgY29uc3Qgc2VsZWN0aW9uID0gYXJncy5hc3NldHMubWFwKGEgPT4gRGVzdGluYXRpb25QYXR0ZXJuLnBhcnNlKGEpKTtcbiAgICBtYW5pZmVzdCA9IG1hbmlmZXN0LnNlbGVjdChzZWxlY3Rpb24pO1xuICAgIGxvZygndmVyYm9zZScsIGBBcHBsaWVkIHNlbGVjdGlvbjogJHttYW5pZmVzdC5lbnRyaWVzLmxlbmd0aH0gYXNzZXRzIHNlbGVjdGVkLmApO1xuICB9XG5cbiAgY29uc3QgcHViID0gbmV3IEFzc2V0UHVibGlzaGluZyhtYW5pZmVzdCwge1xuICAgIGF3czogbmV3IERlZmF1bHRBd3NDbGllbnQoYXJncy5wcm9maWxlKSxcbiAgICBwcm9ncmVzc0xpc3RlbmVyOiBuZXcgQ29uc29sZVByb2dyZXNzKCksXG4gICAgdGhyb3dPbkVycm9yOiBmYWxzZSxcbiAgfSk7XG5cbiAgYXdhaXQgcHViLnB1Ymxpc2goKTtcblxuICBpZiAocHViLmhhc0ZhaWx1cmVzKSB7XG4gICAgZm9yIChjb25zdCBmYWlsdXJlIG9mIHB1Yi5mYWlsdXJlcykge1xuICAgICAgLy8gZXNsaW50LWRpc2FibGUtbmV4dC1saW5lIG5vLWNvbnNvbGVcbiAgICAgIGNvbnNvbGUuZXJyb3IoJ0ZhaWx1cmU6JywgZmFpbHVyZS5lcnJvci5zdGFjayk7XG4gICAgfVxuXG4gICAgcHJvY2Vzcy5leGl0Q29kZSA9IDE7XG4gIH1cbn1cblxuY29uc3QgRVZFTlRfVE9fTEVWRUw6IFJlY29yZDxFdmVudFR5cGUsIExvZ0xldmVsPiA9IHtcbiAgYnVpbGQ6ICd2ZXJib3NlJyxcbiAgY2FjaGVkOiAndmVyYm9zZScsXG4gIGNoZWNrOiAndmVyYm9zZScsXG4gIGRlYnVnOiAndmVyYm9zZScsXG4gIGZhaWw6ICdlcnJvcicsXG4gIGZvdW5kOiAndmVyYm9zZScsXG4gIHN0YXJ0OiAnaW5mbycsXG4gIHN1Y2Nlc3M6ICdpbmZvJyxcbiAgdXBsb2FkOiAndmVyYm9zZScsXG59O1xuXG5jbGFzcyBDb25zb2xlUHJvZ3Jlc3MgaW1wbGVtZW50cyBJUHVibGlzaFByb2dyZXNzTGlzdGVuZXIge1xuICBwdWJsaWMgb25QdWJsaXNoRXZlbnQodHlwZTogRXZlbnRUeXBlLCBldmVudDogSVB1Ymxpc2hQcm9ncmVzcyk6IHZvaWQge1xuICAgIGxvZyhFVkVOVF9UT19MRVZFTFt0eXBlXSwgYFske2V2ZW50LnBlcmNlbnRDb21wbGV0ZX0lXSAke3R5cGV9OiAke2V2ZW50Lm1lc3NhZ2V9YCk7XG4gIH1cbn1cblxuLyoqXG4gKiBBV1MgY2xpZW50IHVzaW5nIHRoZSBBV1MgU0RLIGZvciBKUyB3aXRoIG5vIHNwZWNpYWwgY29uZmlndXJhdGlvblxuICovXG5jbGFzcyBEZWZhdWx0QXdzQ2xpZW50IGltcGxlbWVudHMgSUF3cyB7XG4gIHByaXZhdGUgcmVhZG9ubHkgQVdTOiB0eXBlb2YgaW1wb3J0KCdhd3Mtc2RrJyk7XG4gIHByaXZhdGUgYWNjb3VudD86IEFjY291bnQ7XG5cbiAgY29uc3RydWN0b3IocHJvZmlsZT86IHN0cmluZykge1xuICAgIC8vIEZvcmNlIEFXUyBTREsgdG8gbG9vayBpbiB+Ly5hd3MvY3JlZGVudGlhbHMgYW5kIHBvdGVudGlhbGx5IHVzZSB0aGUgY29uZmlndXJlZCBwcm9maWxlLlxuICAgIHByb2Nlc3MuZW52LkFXU19TREtfTE9BRF9DT05GSUcgPSAnMSc7XG4gICAgcHJvY2Vzcy5lbnYuQVdTX1NUU19SRUdJT05BTF9FTkRQT0lOVFMgPSAncmVnaW9uYWwnO1xuICAgIHByb2Nlc3MuZW52LkFXU19OT0RFSlNfQ09OTkVDVElPTl9SRVVTRV9FTkFCTEVEID0gJzEnO1xuICAgIGlmIChwcm9maWxlKSB7XG4gICAgICBwcm9jZXNzLmVudi5BV1NfUFJPRklMRSA9IHByb2ZpbGU7XG4gICAgfVxuXG4gICAgLy8gV2UgbmVlZCB0byBzZXQgdGhlIGVudmlyb25tZW50IGJlZm9yZSB3ZSBsb2FkIHRoaXMgbGlicmFyeSBmb3IgdGhlIGZpcnN0IHRpbWUuXG4gICAgLy8gZXNsaW50LWRpc2FibGUtbmV4dC1saW5lIEB0eXBlc2NyaXB0LWVzbGludC9uby1yZXF1aXJlLWltcG9ydHNcbiAgICB0aGlzLkFXUyA9IHJlcXVpcmUoJ2F3cy1zZGsnKTtcbiAgfVxuXG4gIHB1YmxpYyBhc3luYyBzM0NsaWVudChvcHRpb25zOiBDbGllbnRPcHRpb25zKSB7XG4gICAgcmV0dXJuIG5ldyB0aGlzLkFXUy5TMyhhd2FpdCB0aGlzLmF3c09wdGlvbnMob3B0aW9ucykpO1xuICB9XG5cbiAgcHVibGljIGFzeW5jIGVjckNsaWVudChvcHRpb25zOiBDbGllbnRPcHRpb25zKSB7XG4gICAgcmV0dXJuIG5ldyB0aGlzLkFXUy5FQ1IoYXdhaXQgdGhpcy5hd3NPcHRpb25zKG9wdGlvbnMpKTtcbiAgfVxuXG4gIHB1YmxpYyBhc3luYyBkaXNjb3ZlclBhcnRpdGlvbigpOiBQcm9taXNlPHN0cmluZz4ge1xuICAgIHJldHVybiAoYXdhaXQgdGhpcy5kaXNjb3ZlckN1cnJlbnRBY2NvdW50KCkpLnBhcnRpdGlvbjtcbiAgfVxuXG4gIHB1YmxpYyBhc3luYyBkaXNjb3ZlckRlZmF1bHRSZWdpb24oKTogUHJvbWlzZTxzdHJpbmc+IHtcbiAgICByZXR1cm4gdGhpcy5BV1MuY29uZmlnLnJlZ2lvbiB8fCAndXMtZWFzdC0xJztcbiAgfVxuXG4gIHB1YmxpYyBhc3luYyBkaXNjb3ZlckN1cnJlbnRBY2NvdW50KCk6IFByb21pc2U8QWNjb3VudD4ge1xuICAgIGlmICh0aGlzLmFjY291bnQgPT09IHVuZGVmaW5lZCkge1xuICAgICAgY29uc3Qgc3RzID0gbmV3IHRoaXMuQVdTLlNUUygpO1xuICAgICAgY29uc3QgcmVzcG9uc2UgPSBhd2FpdCBzdHMuZ2V0Q2FsbGVySWRlbnRpdHkoKS5wcm9taXNlKCk7XG4gICAgICBpZiAoIXJlc3BvbnNlLkFjY291bnQgfHwgIXJlc3BvbnNlLkFybikge1xuICAgICAgICBsb2coJ2Vycm9yJywgYFVucmVjb2duaXplZCByZXBvbnNlIGZyb20gU1RTOiAnJHtKU09OLnN0cmluZ2lmeShyZXNwb25zZSl9J2ApO1xuICAgICAgICB0aHJvdyBuZXcgRXJyb3IoJ1VucmVjb2duaXplZCByZXBvbnNlIGZyb20gU1RTJyk7XG4gICAgICB9XG4gICAgICB0aGlzLmFjY291bnQgPSB7XG4gICAgICAgIGFjY291bnRJZDogcmVzcG9uc2UuQWNjb3VudCEsXG4gICAgICAgIHBhcnRpdGlvbjogcmVzcG9uc2UuQXJuIS5zcGxpdCgnOicpWzFdLFxuICAgICAgfTtcbiAgICB9XG5cbiAgICByZXR1cm4gdGhpcy5hY2NvdW50O1xuICB9XG5cbiAgcHJpdmF0ZSBhc3luYyBhd3NPcHRpb25zKG9wdGlvbnM6IENsaWVudE9wdGlvbnMpIHtcbiAgICBsZXQgY3JlZGVudGlhbHM7XG5cbiAgICBpZiAob3B0aW9ucy5hc3N1bWVSb2xlQXJuKSB7XG4gICAgICBjcmVkZW50aWFscyA9IGF3YWl0IHRoaXMuYXNzdW1lUm9sZShvcHRpb25zLnJlZ2lvbiwgb3B0aW9ucy5hc3N1bWVSb2xlQXJuLCBvcHRpb25zLmFzc3VtZVJvbGVFeHRlcm5hbElkKTtcbiAgICB9XG5cbiAgICByZXR1cm4ge1xuICAgICAgcmVnaW9uOiBvcHRpb25zLnJlZ2lvbixcbiAgICAgIGN1c3RvbVVzZXJBZ2VudDogYGNkay1hc3NldHMvJHtWRVJTSU9OfWAsXG4gICAgICBjcmVkZW50aWFscyxcbiAgICB9O1xuICB9XG5cbiAgLyoqXG4gICAqIEV4cGxpY2l0IG1hbnVhbCBBc3N1bWVSb2xlIGNhbGxcbiAgICpcbiAgICogTmVjZXNzYXJ5IHNpbmNlIEkgY2FuJ3Qgc2VlbSB0byBnZXQgdGhlIGJ1aWx0LWluIHN1cHBvcnQgZm9yIENoYWluYWJsZVRlbXBvcmFyeUNyZWRlbnRpYWxzIHRvIHdvcmsuXG4gICAqXG4gICAqIEl0IG5lZWRzIGFuIGV4cGxpY2l0IGNvbmZpZ3VyYXRpb24gb2YgYG1hc3RlckNyZWRlbnRpYWxzYCwgd2UgbmVlZCB0byBwdXRcbiAgICogYSBgRGVmYXVsdENyZWRlbnRpYWxQcm92ZXJDaGFpbigpYCBpbiB0aGVyZSBidXQgdGhhdCBpcyBub3QgcG9zc2libGUuXG4gICAqL1xuICBwcml2YXRlIGFzeW5jIGFzc3VtZVJvbGUocmVnaW9uOiBzdHJpbmcgfCB1bmRlZmluZWQsIHJvbGVBcm46IHN0cmluZywgZXh0ZXJuYWxJZD86IHN0cmluZyk6IFByb21pc2U8QVdTLkNyZWRlbnRpYWxzPiB7XG4gICAgY29uc3QgbXNnID0gW1xuICAgICAgYEFzc3VtZSAke3JvbGVBcm59YCxcbiAgICAgIC4uLmV4dGVybmFsSWQgPyBbYChFeHRlcm5hbElkICR7ZXh0ZXJuYWxJZH0pYF0gOiBbXSxcbiAgICBdO1xuICAgIGxvZygndmVyYm9zZScsIG1zZy5qb2luKCcgJykpO1xuXG4gICAgcmV0dXJuIG5ldyB0aGlzLkFXUy5DaGFpbmFibGVUZW1wb3JhcnlDcmVkZW50aWFscyh7XG4gICAgICBwYXJhbXM6IHtcbiAgICAgICAgUm9sZUFybjogcm9sZUFybixcbiAgICAgICAgRXh0ZXJuYWxJZDogZXh0ZXJuYWxJZCxcbiAgICAgICAgUm9sZVNlc3Npb25OYW1lOiBgY2RrLWFzc2V0cy0ke3NhZmVVc2VybmFtZSgpfWAsXG4gICAgICB9LFxuICAgICAgc3RzQ29uZmlnOiB7XG4gICAgICAgIHJlZ2lvbixcbiAgICAgICAgY3VzdG9tVXNlckFnZW50OiBgY2RrLWFzc2V0cy8ke1ZFUlNJT059YCxcbiAgICAgIH0sXG4gICAgfSk7XG4gIH1cbn1cblxuLyoqXG4gKiBSZXR1cm4gdGhlIHVzZXJuYW1lIHdpdGggY2hhcmFjdGVycyBpbnZhbGlkIGZvciBhIFJvbGVTZXNzaW9uTmFtZSByZW1vdmVkXG4gKlxuICogQHNlZSBodHRwczovL2RvY3MuYXdzLmFtYXpvbi5jb20vU1RTL2xhdGVzdC9BUElSZWZlcmVuY2UvQVBJX0Fzc3VtZVJvbGUuaHRtbCNBUElfQXNzdW1lUm9sZV9SZXF1ZXN0UGFyYW1ldGVyc1xuICovXG5mdW5jdGlvbiBzYWZlVXNlcm5hbWUoKSB7XG4gIHJldHVybiBvcy51c2VySW5mbygpLnVzZXJuYW1lLnJlcGxhY2UoL1teXFx3Kz0sLkAtXS9nLCAnQCcpO1xufSJdfQ==
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicHVibGlzaC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbInB1Ymxpc2gudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsZ0NBR2dCO0FBQ2hCLHVDQUEwQztBQUVuQyxLQUFLLFVBQVUsT0FBTyxDQUFDLElBSTdCO0lBRUMsSUFBSSxRQUFRLEdBQUcsbUJBQWEsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFDO0lBQ2pELGFBQUcsQ0FBQyxTQUFTLEVBQUUsd0JBQXdCLElBQUksQ0FBQyxJQUFJLEtBQUssUUFBUSxDQUFDLE9BQU8sQ0FBQyxNQUFNLGVBQWUsQ0FBQyxDQUFDO0lBRTdGLElBQUksSUFBSSxDQUFDLE1BQU0sSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUU7UUFDekMsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyx3QkFBa0IsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNwRSxRQUFRLEdBQUcsUUFBUSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUN0QyxhQUFHLENBQUMsU0FBUyxFQUFFLHNCQUFzQixRQUFRLENBQUMsT0FBTyxDQUFDLE1BQU0sbUJBQW1CLENBQUMsQ0FBQztLQUNsRjtJQUVELE1BQU0sR0FBRyxHQUFHLElBQUkscUJBQWUsQ0FBQyxRQUFRLEVBQUU7UUFDeEMsR0FBRyxFQUFFLElBQUksc0JBQWdCLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQztRQUN2QyxnQkFBZ0IsRUFBRSxJQUFJLGVBQWUsRUFBRTtRQUN2QyxZQUFZLEVBQUUsS0FBSztLQUNwQixDQUFDLENBQUM7SUFFSCxNQUFNLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQztJQUVwQixJQUFJLEdBQUcsQ0FBQyxXQUFXLEVBQUU7UUFDbkIsS0FBSyxNQUFNLE9BQU8sSUFBSSxHQUFHLENBQUMsUUFBUSxFQUFFO1lBQ2xDLHNDQUFzQztZQUN0QyxPQUFPLENBQUMsS0FBSyxDQUFDLFVBQVUsRUFBRSxPQUFPLENBQUMsS0FBSyxDQUFDLEtBQUssQ0FBQyxDQUFDO1NBQ2hEO1FBRUQsT0FBTyxDQUFDLFFBQVEsR0FBRyxDQUFDLENBQUM7S0FDdEI7QUFDSCxDQUFDO0FBL0JELDBCQStCQztBQUVELE1BQU0sY0FBYyxHQUFnQztJQUNsRCxLQUFLLEVBQUUsU0FBUztJQUNoQixNQUFNLEVBQUUsU0FBUztJQUNqQixLQUFLLEVBQUUsU0FBUztJQUNoQixLQUFLLEVBQUUsU0FBUztJQUNoQixJQUFJLEVBQUUsT0FBTztJQUNiLEtBQUssRUFBRSxTQUFTO0lBQ2hCLEtBQUssRUFBRSxNQUFNO0lBQ2IsT0FBTyxFQUFFLE1BQU07SUFDZixNQUFNLEVBQUUsU0FBUztDQUNsQixDQUFDO0FBRUYsTUFBTSxlQUFlO0lBQ1osY0FBYyxDQUFDLElBQWUsRUFBRSxLQUF1QjtRQUM1RCxhQUFHLENBQUMsY0FBYyxDQUFDLElBQUksQ0FBQyxFQUFFLElBQUksS0FBSyxDQUFDLGVBQWUsTUFBTSxJQUFJLEtBQUssS0FBSyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7SUFDckYsQ0FBQztDQUNGIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHtcbiAgQXNzZXRNYW5pZmVzdCwgQXNzZXRQdWJsaXNoaW5nLCBEZWZhdWx0QXdzQ2xpZW50LCBEZXN0aW5hdGlvblBhdHRlcm4sIEV2ZW50VHlwZSxcbiAgSVB1Ymxpc2hQcm9ncmVzcywgSVB1Ymxpc2hQcm9ncmVzc0xpc3RlbmVyLFxufSBmcm9tICcuLi9saWInO1xuaW1wb3J0IHsgbG9nLCBMb2dMZXZlbCB9IGZyb20gJy4vbG9nZ2luZyc7XG5cbmV4cG9ydCBhc3luYyBmdW5jdGlvbiBwdWJsaXNoKGFyZ3M6IHtcbiAgcGF0aDogc3RyaW5nO1xuICBhc3NldHM/OiBzdHJpbmdbXTtcbiAgcHJvZmlsZT86IHN0cmluZztcbn0pIHtcblxuICBsZXQgbWFuaWZlc3QgPSBBc3NldE1hbmlmZXN0LmZyb21QYXRoKGFyZ3MucGF0aCk7XG4gIGxvZygndmVyYm9zZScsIGBMb2FkZWQgbWFuaWZlc3QgZnJvbSAke2FyZ3MucGF0aH06ICR7bWFuaWZlc3QuZW50cmllcy5sZW5ndGh9IGFzc2V0cyBmb3VuZGApO1xuXG4gIGlmIChhcmdzLmFzc2V0cyAmJiBhcmdzLmFzc2V0cy5sZW5ndGggPiAwKSB7XG4gICAgY29uc3Qgc2VsZWN0aW9uID0gYXJncy5hc3NldHMubWFwKGEgPT4gRGVzdGluYXRpb25QYXR0ZXJuLnBhcnNlKGEpKTtcbiAgICBtYW5pZmVzdCA9IG1hbmlmZXN0LnNlbGVjdChzZWxlY3Rpb24pO1xuICAgIGxvZygndmVyYm9zZScsIGBBcHBsaWVkIHNlbGVjdGlvbjogJHttYW5pZmVzdC5lbnRyaWVzLmxlbmd0aH0gYXNzZXRzIHNlbGVjdGVkLmApO1xuICB9XG5cbiAgY29uc3QgcHViID0gbmV3IEFzc2V0UHVibGlzaGluZyhtYW5pZmVzdCwge1xuICAgIGF3czogbmV3IERlZmF1bHRBd3NDbGllbnQoYXJncy5wcm9maWxlKSxcbiAgICBwcm9ncmVzc0xpc3RlbmVyOiBuZXcgQ29uc29sZVByb2dyZXNzKCksXG4gICAgdGhyb3dPbkVycm9yOiBmYWxzZSxcbiAgfSk7XG5cbiAgYXdhaXQgcHViLnB1Ymxpc2goKTtcblxuICBpZiAocHViLmhhc0ZhaWx1cmVzKSB7XG4gICAgZm9yIChjb25zdCBmYWlsdXJlIG9mIHB1Yi5mYWlsdXJlcykge1xuICAgICAgLy8gZXNsaW50LWRpc2FibGUtbmV4dC1saW5lIG5vLWNvbnNvbGVcbiAgICAgIGNvbnNvbGUuZXJyb3IoJ0ZhaWx1cmU6JywgZmFpbHVyZS5lcnJvci5zdGFjayk7XG4gICAgfVxuXG4gICAgcHJvY2Vzcy5leGl0Q29kZSA9IDE7XG4gIH1cbn1cblxuY29uc3QgRVZFTlRfVE9fTEVWRUw6IFJlY29yZDxFdmVudFR5cGUsIExvZ0xldmVsPiA9IHtcbiAgYnVpbGQ6ICd2ZXJib3NlJyxcbiAgY2FjaGVkOiAndmVyYm9zZScsXG4gIGNoZWNrOiAndmVyYm9zZScsXG4gIGRlYnVnOiAndmVyYm9zZScsXG4gIGZhaWw6ICdlcnJvcicsXG4gIGZvdW5kOiAndmVyYm9zZScsXG4gIHN0YXJ0OiAnaW5mbycsXG4gIHN1Y2Nlc3M6ICdpbmZvJyxcbiAgdXBsb2FkOiAndmVyYm9zZScsXG59O1xuXG5jbGFzcyBDb25zb2xlUHJvZ3Jlc3MgaW1wbGVtZW50cyBJUHVibGlzaFByb2dyZXNzTGlzdGVuZXIge1xuICBwdWJsaWMgb25QdWJsaXNoRXZlbnQodHlwZTogRXZlbnRUeXBlLCBldmVudDogSVB1Ymxpc2hQcm9ncmVzcyk6IHZvaWQge1xuICAgIGxvZyhFVkVOVF9UT19MRVZFTFt0eXBlXSwgYFske2V2ZW50LnBlcmNlbnRDb21wbGV0ZX0lXSAke3R5cGV9OiAke2V2ZW50Lm1lc3NhZ2V9YCk7XG4gIH1cbn1cbiJdfQ==

package/lib/aws.d.ts

@@ -1,4 +1,3 @@
-import * as AWS from 'aws-sdk';
 /**
  * AWS SDK operations required by Asset Publishing
  */
@@ -8,6 +7,7 @@ export interface IAws {
     discoverCurrentAccount(): Promise<Account>;
     s3Client(options: ClientOptions): Promise<AWS.S3>;
     ecrClient(options: ClientOptions): Promise<AWS.ECR>;
+    secretsManagerClient(options: ClientOptions): Promise<AWS.SecretsManager>;
 }
 export interface ClientOptions {
     region?: string;
@@ -30,3 +30,27 @@ export interface Account {
      */
     readonly partition: string;
 }
+/**
+ * AWS client using the AWS SDK for JS with no special configuration
+ */
+export declare class DefaultAwsClient implements IAws {
+    private readonly AWS;
+    private account?;
+    constructor(profile?: string);
+    s3Client(options: ClientOptions): Promise<import("aws-sdk/clients/s3")>;
+    ecrClient(options: ClientOptions): Promise<import("aws-sdk/clients/ecr")>;
+    secretsManagerClient(options: ClientOptions): Promise<import("aws-sdk/clients/secretsmanager")>;
+    discoverPartition(): Promise<string>;
+    discoverDefaultRegion(): Promise<string>;
+    discoverCurrentAccount(): Promise<Account>;
+    private awsOptions;
+    /**
+     * Explicit manual AssumeRole call
+     *
+     * Necessary since I can't seem to get the built-in support for ChainableTemporaryCredentials to work.
+     *
+     * It needs an explicit configuration of `masterCredentials`, we need to put
+     * a `DefaultCredentialProverChain()` in there but that is not possible.
+     */
+    private assumeRole;
+}

package/lib/aws.js

@@ -1,3 +1,92 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXdzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiYXdzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiIiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgKiBhcyBBV1MgZnJvbSAnYXdzLXNkayc7XG5cbi8qKlxuICogQVdTIFNESyBvcGVyYXRpb25zIHJlcXVpcmVkIGJ5IEFzc2V0IFB1Ymxpc2hpbmdcbiAqL1xuZXhwb3J0IGludGVyZmFjZSBJQXdzIHtcbiAgZGlzY292ZXJQYXJ0aXRpb24oKTogUHJvbWlzZTxzdHJpbmc+O1xuICBkaXNjb3ZlckRlZmF1bHRSZWdpb24oKTogUHJvbWlzZTxzdHJpbmc+O1xuICBkaXNjb3ZlckN1cnJlbnRBY2NvdW50KCk6IFByb21pc2U8QWNjb3VudD47XG5cbiAgczNDbGllbnQob3B0aW9uczogQ2xpZW50T3B0aW9ucyk6IFByb21pc2U8QVdTLlMzPjtcbiAgZWNyQ2xpZW50KG9wdGlvbnM6IENsaWVudE9wdGlvbnMpOiBQcm9taXNlPEFXUy5FQ1I+O1xufVxuXG5leHBvcnQgaW50ZXJmYWNlIENsaWVudE9wdGlvbnMge1xuICByZWdpb24/OiBzdHJpbmc7XG4gIGFzc3VtZVJvbGVBcm4/OiBzdHJpbmc7XG4gIGFzc3VtZVJvbGVFeHRlcm5hbElkPzogc3RyaW5nO1xufVxuXG4vKipcbiAqIEFuIEFXUyBhY2NvdW50XG4gKlxuICogQW4gQVdTIGFjY291bnQgYWx3YXlzIGV4aXN0cyBpbiBvbmx5IG9uZSBwYXJ0aXRpb24uIFVzdWFsbHkgd2UgZG9uJ3QgY2FyZSBhYm91dFxuICogdGhlIHBhcnRpdGlvbiwgYnV0IHdoZW4gd2UgbmVlZCB0byBmb3JtIEFSTnMgd2UgZG8uXG4gKi9cbmV4cG9ydCBpbnRlcmZhY2UgQWNjb3VudCB7XG4gIC8qKlxuICAgKiBUaGUgYWNjb3VudCBudW1iZXJcbiAgICovXG4gIHJlYWRvbmx5IGFjY291bnRJZDogc3RyaW5nO1xuXG4gIC8qKlxuICAgKiBUaGUgcGFydGl0aW9uICgnYXdzJyBvciAnYXdzLWNuJyBvciBvdGhlcndpc2UpXG4gICAqL1xuICByZWFkb25seSBwYXJ0aXRpb246IHN0cmluZztcbn1cbiJdfQ==
+exports.DefaultAwsClient = void 0;
+const os = require("os");
+/**
+ * AWS client using the AWS SDK for JS with no special configuration
+ */
+class DefaultAwsClient {
+    constructor(profile) {
+        // Force AWS SDK to look in ~/.aws/credentials and potentially use the configured profile.
+        process.env.AWS_SDK_LOAD_CONFIG = '1';
+        process.env.AWS_STS_REGIONAL_ENDPOINTS = 'regional';
+        process.env.AWS_NODEJS_CONNECTION_REUSE_ENABLED = '1';
+        if (profile) {
+            process.env.AWS_PROFILE = profile;
+        }
+        // We need to set the environment before we load this library for the first time.
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        this.AWS = require('aws-sdk');
+    }
+    async s3Client(options) {
+        return new this.AWS.S3(await this.awsOptions(options));
+    }
+    async ecrClient(options) {
+        return new this.AWS.ECR(await this.awsOptions(options));
+    }
+    async secretsManagerClient(options) {
+        return new this.AWS.SecretsManager(await this.awsOptions(options));
+    }
+    async discoverPartition() {
+        return (await this.discoverCurrentAccount()).partition;
+    }
+    async discoverDefaultRegion() {
+        return this.AWS.config.region || 'us-east-1';
+    }
+    async discoverCurrentAccount() {
+        if (this.account === undefined) {
+            const sts = new this.AWS.STS();
+            const response = await sts.getCallerIdentity().promise();
+            if (!response.Account || !response.Arn) {
+                throw new Error(`Unrecognized reponse from STS: '${JSON.stringify(response)}'`);
+            }
+            this.account = {
+                accountId: response.Account,
+                partition: response.Arn.split(':')[1],
+            };
+        }
+        return this.account;
+    }
+    async awsOptions(options) {
+        let credentials;
+        if (options.assumeRoleArn) {
+            credentials = await this.assumeRole(options.region, options.assumeRoleArn, options.assumeRoleExternalId);
+        }
+        return {
+            region: options.region,
+            customUserAgent: 'cdk-assets',
+            credentials,
+        };
+    }
+    /**
+     * Explicit manual AssumeRole call
+     *
+     * Necessary since I can't seem to get the built-in support for ChainableTemporaryCredentials to work.
+     *
+     * It needs an explicit configuration of `masterCredentials`, we need to put
+     * a `DefaultCredentialProverChain()` in there but that is not possible.
+     */
+    async assumeRole(region, roleArn, externalId) {
+        return new this.AWS.ChainableTemporaryCredentials({
+            params: {
+                RoleArn: roleArn,
+                ExternalId: externalId,
+                RoleSessionName: `cdk-assets-${safeUsername()}`,
+            },
+            stsConfig: {
+                region,
+                customUserAgent: 'cdk-assets',
+            },
+        });
+    }
+}
+exports.DefaultAwsClient = DefaultAwsClient;
+/**
+ * Return the username with characters invalid for a RoleSessionName removed
+ *
+ * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters
+ */
+function safeUsername() {
+    return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@');
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXdzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiYXdzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLHlCQUF5QjtBQXVDekI7O0dBRUc7QUFDSCxNQUFhLGdCQUFnQjtJQUkzQixZQUFZLE9BQWdCO1FBQzFCLDBGQUEwRjtRQUMxRixPQUFPLENBQUMsR0FBRyxDQUFDLG1CQUFtQixHQUFHLEdBQUcsQ0FBQztRQUN0QyxPQUFPLENBQUMsR0FBRyxDQUFDLDBCQUEwQixHQUFHLFVBQVUsQ0FBQztRQUNwRCxPQUFPLENBQUMsR0FBRyxDQUFDLG1DQUFtQyxHQUFHLEdBQUcsQ0FBQztRQUN0RCxJQUFJLE9BQU8sRUFBRTtZQUNYLE9BQU8sQ0FBQyxHQUFHLENBQUMsV0FBVyxHQUFHLE9BQU8sQ0FBQztTQUNuQztRQUVELGlGQUFpRjtRQUNqRixpRUFBaUU7UUFDakUsSUFBSSxDQUFDLEdBQUcsR0FBRyxPQUFPLENBQUMsU0FBUyxDQUFDLENBQUM7SUFDaEMsQ0FBQztJQUVNLEtBQUssQ0FBQyxRQUFRLENBQUMsT0FBc0I7UUFDMUMsT0FBTyxJQUFJLElBQUksQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLE1BQU0sSUFBSSxDQUFDLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDO0lBQ3pELENBQUM7SUFFTSxLQUFLLENBQUMsU0FBUyxDQUFDLE9BQXNCO1FBQzNDLE9BQU8sSUFBSSxJQUFJLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxNQUFNLElBQUksQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQztJQUMxRCxDQUFDO0lBRU0sS0FBSyxDQUFDLG9CQUFvQixDQUFDLE9BQXNCO1FBQ3RELE9BQU8sSUFBSSxJQUFJLENBQUMsR0FBRyxDQUFDLGNBQWMsQ0FBQyxNQUFNLElBQUksQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQztJQUNyRSxDQUFDO0lBRU0sS0FBSyxDQUFDLGlCQUFpQjtRQUM1QixPQUFPLENBQUMsTUFBTSxJQUFJLENBQUMsc0JBQXNCLEVBQUUsQ0FBQyxDQUFDLFNBQVMsQ0FBQztJQUN6RCxDQUFDO0lBRU0sS0FBSyxDQUFDLHFCQUFxQjtRQUNoQyxPQUFPLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLE1BQU0sSUFBSSxXQUFXLENBQUM7SUFDL0MsQ0FBQztJQUVNLEtBQUssQ0FBQyxzQkFBc0I7UUFDakMsSUFBSSxJQUFJLENBQUMsT0FBTyxLQUFLLFNBQVMsRUFBRTtZQUM5QixNQUFNLEdBQUcsR0FBRyxJQUFJLElBQUksQ0FBQyxHQUFHLENBQUMsR0FBRyxFQUFFLENBQUM7WUFDL0IsTUFBTSxRQUFRLEdBQUcsTUFBTSxHQUFHLENBQUMsaUJBQWlCLEVBQUUsQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUN6RCxJQUFJLENBQUMsUUFBUSxDQUFDLE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLEVBQUU7Z0JBQ3RDLE1BQU0sSUFBSSxLQUFLLENBQUMsbUNBQW1DLElBQUksQ0FBQyxTQUFTLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDO2FBQ2pGO1lBQ0QsSUFBSSxDQUFDLE9BQU8sR0FBRztnQkFDYixTQUFTLEVBQUUsUUFBUSxDQUFDLE9BQVE7Z0JBQzVCLFNBQVMsRUFBRSxRQUFRLENBQUMsR0FBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUM7YUFDdkMsQ0FBQztTQUNIO1FBRUQsT0FBTyxJQUFJLENBQUMsT0FBTyxDQUFDO0lBQ3RCLENBQUM7SUFFTyxLQUFLLENBQUMsVUFBVSxDQUFDLE9BQXNCO1FBQzdDLElBQUksV0FBVyxDQUFDO1FBRWhCLElBQUksT0FBTyxDQUFDLGFBQWEsRUFBRTtZQUN6QixXQUFXLEdBQUcsTUFBTSxJQUFJLENBQUMsVUFBVSxDQUFDLE9BQU8sQ0FBQyxNQUFNLEVBQUUsT0FBTyxDQUFDLGFBQWEsRUFBRSxPQUFPLENBQUMsb0JBQW9CLENBQUMsQ0FBQztTQUMxRztRQUVELE9BQU87WUFDTCxNQUFNLEVBQUUsT0FBTyxDQUFDLE1BQU07WUFDdEIsZUFBZSxFQUFFLFlBQVk7WUFDN0IsV0FBVztTQUNaLENBQUM7SUFDSixDQUFDO0lBRUQ7Ozs7Ozs7T0FPRztJQUNLLEtBQUssQ0FBQyxVQUFVLENBQUMsTUFBMEIsRUFBRSxPQUFlLEVBQUUsVUFBbUI7UUFDdkYsT0FBTyxJQUFJLElBQUksQ0FBQyxHQUFHLENBQUMsNkJBQTZCLENBQUM7WUFDaEQsTUFBTSxFQUFFO2dCQUNOLE9BQU8sRUFBRSxPQUFPO2dCQUNoQixVQUFVLEVBQUUsVUFBVTtnQkFDdEIsZUFBZSxFQUFFLGNBQWMsWUFBWSxFQUFFLEVBQUU7YUFDaEQ7WUFDRCxTQUFTLEVBQUU7Z0JBQ1QsTUFBTTtnQkFDTixlQUFlLEVBQUUsWUFBWTthQUM5QjtTQUNGLENBQUMsQ0FBQztJQUNMLENBQUM7Q0FDRjtBQXpGRCw0Q0F5RkM7QUFFRDs7OztHQUlHO0FBQ0gsU0FBUyxZQUFZO0lBQ25CLE9BQU8sRUFBRSxDQUFDLFFBQVEsRUFBRSxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsY0FBYyxFQUFFLEdBQUcsQ0FBQyxDQUFDO0FBQzdELENBQUMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgKiBhcyBvcyBmcm9tICdvcyc7XG5cbi8qKlxuICogQVdTIFNESyBvcGVyYXRpb25zIHJlcXVpcmVkIGJ5IEFzc2V0IFB1Ymxpc2hpbmdcbiAqL1xuZXhwb3J0IGludGVyZmFjZSBJQXdzIHtcbiAgZGlzY292ZXJQYXJ0aXRpb24oKTogUHJvbWlzZTxzdHJpbmc+O1xuICBkaXNjb3ZlckRlZmF1bHRSZWdpb24oKTogUHJvbWlzZTxzdHJpbmc+O1xuICBkaXNjb3ZlckN1cnJlbnRBY2NvdW50KCk6IFByb21pc2U8QWNjb3VudD47XG5cbiAgczNDbGllbnQob3B0aW9uczogQ2xpZW50T3B0aW9ucyk6IFByb21pc2U8QVdTLlMzPjtcbiAgZWNyQ2xpZW50KG9wdGlvbnM6IENsaWVudE9wdGlvbnMpOiBQcm9taXNlPEFXUy5FQ1I+O1xuICBzZWNyZXRzTWFuYWdlckNsaWVudChvcHRpb25zOiBDbGllbnRPcHRpb25zKTogUHJvbWlzZTxBV1MuU2VjcmV0c01hbmFnZXI+O1xufVxuXG5leHBvcnQgaW50ZXJmYWNlIENsaWVudE9wdGlvbnMge1xuICByZWdpb24/OiBzdHJpbmc7XG4gIGFzc3VtZVJvbGVBcm4/OiBzdHJpbmc7XG4gIGFzc3VtZVJvbGVFeHRlcm5hbElkPzogc3RyaW5nO1xufVxuXG4vKipcbiAqIEFuIEFXUyBhY2NvdW50XG4gKlxuICogQW4gQVdTIGFjY291bnQgYWx3YXlzIGV4aXN0cyBpbiBvbmx5IG9uZSBwYXJ0aXRpb24uIFVzdWFsbHkgd2UgZG9uJ3QgY2FyZSBhYm91dFxuICogdGhlIHBhcnRpdGlvbiwgYnV0IHdoZW4gd2UgbmVlZCB0byBmb3JtIEFSTnMgd2UgZG8uXG4gKi9cbmV4cG9ydCBpbnRlcmZhY2UgQWNjb3VudCB7XG4gIC8qKlxuICAgKiBUaGUgYWNjb3VudCBudW1iZXJcbiAgICovXG4gIHJlYWRvbmx5IGFjY291bnRJZDogc3RyaW5nO1xuXG4gIC8qKlxuICAgKiBUaGUgcGFydGl0aW9uICgnYXdzJyBvciAnYXdzLWNuJyBvciBvdGhlcndpc2UpXG4gICAqL1xuICByZWFkb25seSBwYXJ0aXRpb246IHN0cmluZztcbn1cblxuLyoqXG4gKiBBV1MgY2xpZW50IHVzaW5nIHRoZSBBV1MgU0RLIGZvciBKUyB3aXRoIG5vIHNwZWNpYWwgY29uZmlndXJhdGlvblxuICovXG5leHBvcnQgY2xhc3MgRGVmYXVsdEF3c0NsaWVudCBpbXBsZW1lbnRzIElBd3Mge1xuICBwcml2YXRlIHJlYWRvbmx5IEFXUzogdHlwZW9mIGltcG9ydCgnYXdzLXNkaycpO1xuICBwcml2YXRlIGFjY291bnQ/OiBBY2NvdW50O1xuXG4gIGNvbnN0cnVjdG9yKHByb2ZpbGU/OiBzdHJpbmcpIHtcbiAgICAvLyBGb3JjZSBBV1MgU0RLIHRvIGxvb2sgaW4gfi8uYXdzL2NyZWRlbnRpYWxzIGFuZCBwb3RlbnRpYWxseSB1c2UgdGhlIGNvbmZpZ3VyZWQgcHJvZmlsZS5cbiAgICBwcm9jZXNzLmVudi5BV1NfU0RLX0xPQURfQ09ORklHID0gJzEnO1xuICAgIHByb2Nlc3MuZW52LkFXU19TVFNfUkVHSU9OQUxfRU5EUE9JTlRTID0gJ3JlZ2lvbmFsJztcbiAgICBwcm9jZXNzLmVudi5BV1NfTk9ERUpTX0NPTk5FQ1RJT05fUkVVU0VfRU5BQkxFRCA9ICcxJztcbiAgICBpZiAocHJvZmlsZSkge1xuICAgICAgcHJvY2Vzcy5lbnYuQVdTX1BST0ZJTEUgPSBwcm9maWxlO1xuICAgIH1cblxuICAgIC8vIFdlIG5lZWQgdG8gc2V0IHRoZSBlbnZpcm9ubWVudCBiZWZvcmUgd2UgbG9hZCB0aGlzIGxpYnJhcnkgZm9yIHRoZSBmaXJzdCB0aW1lLlxuICAgIC8vIGVzbGludC1kaXNhYmxlLW5leHQtbGluZSBAdHlwZXNjcmlwdC1lc2xpbnQvbm8tcmVxdWlyZS1pbXBvcnRzXG4gICAgdGhpcy5BV1MgPSByZXF1aXJlKCdhd3Mtc2RrJyk7XG4gIH1cblxuICBwdWJsaWMgYXN5bmMgczNDbGllbnQob3B0aW9uczogQ2xpZW50T3B0aW9ucykge1xuICAgIHJldHVybiBuZXcgdGhpcy5BV1MuUzMoYXdhaXQgdGhpcy5hd3NPcHRpb25zKG9wdGlvbnMpKTtcbiAgfVxuXG4gIHB1YmxpYyBhc3luYyBlY3JDbGllbnQob3B0aW9uczogQ2xpZW50T3B0aW9ucykge1xuICAgIHJldHVybiBuZXcgdGhpcy5BV1MuRUNSKGF3YWl0IHRoaXMuYXdzT3B0aW9ucyhvcHRpb25zKSk7XG4gIH1cblxuICBwdWJsaWMgYXN5bmMgc2VjcmV0c01hbmFnZXJDbGllbnQob3B0aW9uczogQ2xpZW50T3B0aW9ucykge1xuICAgIHJldHVybiBuZXcgdGhpcy5BV1MuU2VjcmV0c01hbmFnZXIoYXdhaXQgdGhpcy5hd3NPcHRpb25zKG9wdGlvbnMpKTtcbiAgfVxuXG4gIHB1YmxpYyBhc3luYyBkaXNjb3ZlclBhcnRpdGlvbigpOiBQcm9taXNlPHN0cmluZz4ge1xuICAgIHJldHVybiAoYXdhaXQgdGhpcy5kaXNjb3ZlckN1cnJlbnRBY2NvdW50KCkpLnBhcnRpdGlvbjtcbiAgfVxuXG4gIHB1YmxpYyBhc3luYyBkaXNjb3ZlckRlZmF1bHRSZWdpb24oKTogUHJvbWlzZTxzdHJpbmc+IHtcbiAgICByZXR1cm4gdGhpcy5BV1MuY29uZmlnLnJlZ2lvbiB8fCAndXMtZWFzdC0xJztcbiAgfVxuXG4gIHB1YmxpYyBhc3luYyBkaXNjb3ZlckN1cnJlbnRBY2NvdW50KCk6IFByb21pc2U8QWNjb3VudD4ge1xuICAgIGlmICh0aGlzLmFjY291bnQgPT09IHVuZGVmaW5lZCkge1xuICAgICAgY29uc3Qgc3RzID0gbmV3IHRoaXMuQVdTLlNUUygpO1xuICAgICAgY29uc3QgcmVzcG9uc2UgPSBhd2FpdCBzdHMuZ2V0Q2FsbGVySWRlbnRpdHkoKS5wcm9taXNlKCk7XG4gICAgICBpZiAoIXJlc3BvbnNlLkFjY291bnQgfHwgIXJlc3BvbnNlLkFybikge1xuICAgICAgICB0aHJvdyBuZXcgRXJyb3IoYFVucmVjb2duaXplZCByZXBvbnNlIGZyb20gU1RTOiAnJHtKU09OLnN0cmluZ2lmeShyZXNwb25zZSl9J2ApO1xuICAgICAgfVxuICAgICAgdGhpcy5hY2NvdW50ID0ge1xuICAgICAgICBhY2NvdW50SWQ6IHJlc3BvbnNlLkFjY291bnQhLFxuICAgICAgICBwYXJ0aXRpb246IHJlc3BvbnNlLkFybiEuc3BsaXQoJzonKVsxXSxcbiAgICAgIH07XG4gICAgfVxuXG4gICAgcmV0dXJuIHRoaXMuYWNjb3VudDtcbiAgfVxuXG4gIHByaXZhdGUgYXN5bmMgYXdzT3B0aW9ucyhvcHRpb25zOiBDbGllbnRPcHRpb25zKSB7XG4gICAgbGV0IGNyZWRlbnRpYWxzO1xuXG4gICAgaWYgKG9wdGlvbnMuYXNzdW1lUm9sZUFybikge1xuICAgICAgY3JlZGVudGlhbHMgPSBhd2FpdCB0aGlzLmFzc3VtZVJvbGUob3B0aW9ucy5yZWdpb24sIG9wdGlvbnMuYXNzdW1lUm9sZUFybiwgb3B0aW9ucy5hc3N1bWVSb2xlRXh0ZXJuYWxJZCk7XG4gICAgfVxuXG4gICAgcmV0dXJuIHtcbiAgICAgIHJlZ2lvbjogb3B0aW9ucy5yZWdpb24sXG4gICAgICBjdXN0b21Vc2VyQWdlbnQ6ICdjZGstYXNzZXRzJyxcbiAgICAgIGNyZWRlbnRpYWxzLFxuICAgIH07XG4gIH1cblxuICAvKipcbiAgICogRXhwbGljaXQgbWFudWFsIEFzc3VtZVJvbGUgY2FsbFxuICAgKlxuICAgKiBOZWNlc3Nhcnkgc2luY2UgSSBjYW4ndCBzZWVtIHRvIGdldCB0aGUgYnVpbHQtaW4gc3VwcG9ydCBmb3IgQ2hhaW5hYmxlVGVtcG9yYXJ5Q3JlZGVudGlhbHMgdG8gd29yay5cbiAgICpcbiAgICogSXQgbmVlZHMgYW4gZXhwbGljaXQgY29uZmlndXJhdGlvbiBvZiBgbWFzdGVyQ3JlZGVudGlhbHNgLCB3ZSBuZWVkIHRvIHB1dFxuICAgKiBhIGBEZWZhdWx0Q3JlZGVudGlhbFByb3ZlckNoYWluKClgIGluIHRoZXJlIGJ1dCB0aGF0IGlzIG5vdCBwb3NzaWJsZS5cbiAgICovXG4gIHByaXZhdGUgYXN5bmMgYXNzdW1lUm9sZShyZWdpb246IHN0cmluZyB8IHVuZGVmaW5lZCwgcm9sZUFybjogc3RyaW5nLCBleHRlcm5hbElkPzogc3RyaW5nKTogUHJvbWlzZTxBV1MuQ3JlZGVudGlhbHM+IHtcbiAgICByZXR1cm4gbmV3IHRoaXMuQVdTLkNoYWluYWJsZVRlbXBvcmFyeUNyZWRlbnRpYWxzKHtcbiAgICAgIHBhcmFtczoge1xuICAgICAgICBSb2xlQXJuOiByb2xlQXJuLFxuICAgICAgICBFeHRlcm5hbElkOiBleHRlcm5hbElkLFxuICAgICAgICBSb2xlU2Vzc2lvbk5hbWU6IGBjZGstYXNzZXRzLSR7c2FmZVVzZXJuYW1lKCl9YCxcbiAgICAgIH0sXG4gICAgICBzdHNDb25maWc6IHtcbiAgICAgICAgcmVnaW9uLFxuICAgICAgICBjdXN0b21Vc2VyQWdlbnQ6ICdjZGstYXNzZXRzJyxcbiAgICAgIH0sXG4gICAgfSk7XG4gIH1cbn1cblxuLyoqXG4gKiBSZXR1cm4gdGhlIHVzZXJuYW1lIHdpdGggY2hhcmFjdGVycyBpbnZhbGlkIGZvciBhIFJvbGVTZXNzaW9uTmFtZSByZW1vdmVkXG4gKlxuICogQHNlZSBodHRwczovL2RvY3MuYXdzLmFtYXpvbi5jb20vU1RTL2xhdGVzdC9BUElSZWZlcmVuY2UvQVBJX0Fzc3VtZVJvbGUuaHRtbCNBUElfQXNzdW1lUm9sZV9SZXF1ZXN0UGFyYW1ldGVyc1xuICovXG5mdW5jdGlvbiBzYWZlVXNlcm5hbWUoKSB7XG4gIHJldHVybiBvcy51c2VySW5mbygpLnVzZXJuYW1lLnJlcGxhY2UoL1teXFx3Kz0sLkAtXS9nLCAnQCcpO1xufVxuXG4iXX0=

package/lib/private/docker-credentials.d.ts

@@ -0,0 +1,31 @@
+import { IAws } from '../aws';
+import { Logger } from './shell';
+export interface DockerCredentials {
+    readonly Username: string;
+    readonly Secret: string;
+}
+export interface DockerCredentialsConfig {
+    readonly version: string;
+    readonly domainCredentials: Record<string, DockerDomainCredentialSource>;
+}
+export interface DockerDomainCredentialSource {
+    readonly secretsManagerSecretId?: string;
+    readonly secretsUsernameField?: string;
+    readonly secretsPasswordField?: string;
+    readonly ecrRepository?: boolean;
+    readonly assumeRoleArn?: string;
+}
+/** Returns the presumed location of the CDK Docker credentials config file */
+export declare function cdkCredentialsConfigFile(): string;
+/** Loads and parses the CDK Docker credentials configuration, if it exists. */
+export declare function cdkCredentialsConfig(): DockerCredentialsConfig | undefined;
+/** Fetches login credentials from the configured source (e.g., SecretsManager, ECR) */
+export declare function fetchDockerLoginCredentials(aws: IAws, config: DockerCredentialsConfig, domain: string): Promise<{
+    Username: any;
+    Secret: any;
+}>;
+export declare function obtainEcrCredentials(ecr: AWS.ECR, logger?: Logger): Promise<{
+    username: string;
+    password: string;
+    endpoint: string;
+}>;

package/lib/private/docker-credentials.js

@@ -0,0 +1,77 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.obtainEcrCredentials = exports.fetchDockerLoginCredentials = exports.cdkCredentialsConfig = exports.cdkCredentialsConfigFile = void 0;
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+/** Returns the presumed location of the CDK Docker credentials config file */
+function cdkCredentialsConfigFile() {
+    var _a, _b;
+    return (_a = process.env.CDK_DOCKER_CREDS_FILE) !== null && _a !== void 0 ? _a : path.join(((_b = os.userInfo().homedir) !== null && _b !== void 0 ? _b : os.homedir()).trim() || '/', '.cdk', 'cdk-docker-creds.json');
+}
+exports.cdkCredentialsConfigFile = cdkCredentialsConfigFile;
+let _cdkCredentials;
+/** Loads and parses the CDK Docker credentials configuration, if it exists. */
+function cdkCredentialsConfig() {
+    if (!_cdkCredentials) {
+        try {
+            _cdkCredentials = JSON.parse(fs.readFileSync(cdkCredentialsConfigFile(), { encoding: 'utf-8' }));
+        }
+        catch (err) { }
+    }
+    return _cdkCredentials;
+}
+exports.cdkCredentialsConfig = cdkCredentialsConfig;
+/** Fetches login credentials from the configured source (e.g., SecretsManager, ECR) */
+async function fetchDockerLoginCredentials(aws, config, domain) {
+    var _a, _b;
+    if (!Object.keys(config.domainCredentials).includes(domain)) {
+        throw new Error(`unknown domain ${domain}`);
+    }
+    const domainConfig = config.domainCredentials[domain];
+    if (domainConfig.secretsManagerSecretId) {
+        const sm = await aws.secretsManagerClient({ assumeRoleArn: domainConfig.assumeRoleArn });
+        const secretValue = await sm.getSecretValue({ SecretId: domainConfig.secretsManagerSecretId }).promise();
+        if (!secretValue.SecretString) {
+            throw new Error(`unable to fetch SecretString from secret: ${domainConfig.secretsManagerSecretId}`);
+        }
+        ;
+        const secret = JSON.parse(secretValue.SecretString);
+        const usernameField = (_a = domainConfig.secretsUsernameField) !== null && _a !== void 0 ? _a : 'username';
+        const secretField = (_b = domainConfig.secretsPasswordField) !== null && _b !== void 0 ? _b : 'secret';
+        if (!secret[usernameField] || !secret[secretField]) {
+            throw new Error(`malformed secret string ("${usernameField}" or "${secretField}" field missing)`);
+        }
+        return { Username: secret[usernameField], Secret: secret[secretField] };
+    }
+    else if (domainConfig.ecrRepository) {
+        const ecr = await aws.ecrClient({ assumeRoleArn: domainConfig.assumeRoleArn });
+        const ecrAuthData = await obtainEcrCredentials(ecr);
+        return { Username: ecrAuthData.username, Secret: ecrAuthData.password };
+    }
+    else {
+        throw new Error('unknown credential type: no secret ID or ECR repo');
+    }
+}
+exports.fetchDockerLoginCredentials = fetchDockerLoginCredentials;
+async function obtainEcrCredentials(ecr, logger) {
+    if (logger) {
+        logger('Fetching ECR authorization token');
+    }
+    const authData = (await ecr.getAuthorizationToken({}).promise()).authorizationData || [];
+    if (authData.length === 0) {
+        throw new Error('No authorization data received from ECR');
+    }
+    const token = Buffer.from(authData[0].authorizationToken, 'base64').toString('ascii');
+    const [username, password] = token.split(':');
+    if (!username || !password) {
+        throw new Error('unexpected ECR authData format');
+    }
+    return {
+        username,
+        password,
+        endpoint: authData[0].proxyEndpoint,
+    };
+}
+exports.obtainEcrCredentials = obtainEcrCredentials;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZG9ja2VyLWNyZWRlbnRpYWxzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiZG9ja2VyLWNyZWRlbnRpYWxzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLHlCQUF5QjtBQUN6Qix5QkFBeUI7QUFDekIsNkJBQTZCO0FBc0I3Qiw4RUFBOEU7QUFDOUUsU0FBZ0Isd0JBQXdCOztJQUN0QyxhQUFPLE9BQU8sQ0FBQyxHQUFHLENBQUMscUJBQXFCLG1DQUFJLElBQUksQ0FBQyxJQUFJLENBQUMsT0FBQyxFQUFFLENBQUMsUUFBUSxFQUFFLENBQUMsT0FBTyxtQ0FBSSxFQUFFLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQyxJQUFJLEVBQUUsSUFBSSxHQUFHLEVBQUUsTUFBTSxFQUFFLHVCQUF1QixDQUFDLENBQUM7QUFDaEosQ0FBQztBQUZELDREQUVDO0FBRUQsSUFBSSxlQUFvRCxDQUFDO0FBQ3pELCtFQUErRTtBQUMvRSxTQUFnQixvQkFBb0I7SUFDbEMsSUFBSSxDQUFDLGVBQWUsRUFBRTtRQUNwQixJQUFJO1lBQ0YsZUFBZSxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLFlBQVksQ0FBQyx3QkFBd0IsRUFBRSxFQUFFLEVBQUUsUUFBUSxFQUFFLE9BQU8sRUFBRSxDQUFDLENBQTRCLENBQUM7U0FDN0g7UUFBQyxPQUFPLEdBQUcsRUFBRSxHQUFHO0tBQ2xCO0lBQ0QsT0FBTyxlQUFlLENBQUM7QUFDekIsQ0FBQztBQVBELG9EQU9DO0FBRUQsdUZBQXVGO0FBQ2hGLEtBQUssVUFBVSwyQkFBMkIsQ0FBQyxHQUFTLEVBQUUsTUFBK0IsRUFBRSxNQUFjOztJQUMxRyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsaUJBQWlCLENBQUMsQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLEVBQUU7UUFDM0QsTUFBTSxJQUFJLEtBQUssQ0FBQyxrQkFBa0IsTUFBTSxFQUFFLENBQUMsQ0FBQztLQUM3QztJQUVELE1BQU0sWUFBWSxHQUFHLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxNQUFNLENBQUMsQ0FBQztJQUV0RCxJQUFJLFlBQVksQ0FBQyxzQkFBc0IsRUFBRTtRQUN2QyxNQUFNLEVBQUUsR0FBRyxNQUFNLEdBQUcsQ0FBQyxvQkFBb0IsQ0FBQyxFQUFFLGFBQWEsRUFBRSxZQUFZLENBQUMsYUFBYSxFQUFFLENBQUMsQ0FBQztRQUN6RixNQUFNLFdBQVcsR0FBRyxNQUFNLEVBQUUsQ0FBQyxjQUFjLENBQUMsRUFBRSxRQUFRLEVBQUUsWUFBWSxDQUFDLHNCQUFzQixFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQztRQUN6RyxJQUFJLENBQUMsV0FBVyxDQUFDLFlBQVksRUFBRTtZQUFFLE1BQU0sSUFBSSxLQUFLLENBQUMsNkNBQTZDLFlBQVksQ0FBQyxzQkFBc0IsRUFBRSxDQUFDLENBQUM7U0FBRTtRQUFBLENBQUM7UUFFeEksTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQyxXQUFXLENBQUMsWUFBWSxDQUFDLENBQUM7UUFFcEQsTUFBTSxhQUFhLFNBQUcsWUFBWSxDQUFDLG9CQUFvQixtQ0FBSSxVQUFVLENBQUM7UUFDdEUsTUFBTSxXQUFXLFNBQUcsWUFBWSxDQUFDLG9CQUFvQixtQ0FBSSxRQUFRLENBQUM7UUFDbEUsSUFBSSxDQUFDLE1BQU0sQ0FBQyxhQUFhLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsRUFBRTtZQUNsRCxNQUFNLElBQUksS0FBSyxDQUFDLDZCQUE2QixhQUFhLFNBQVMsV0FBVyxrQkFBa0IsQ0FBQyxDQUFDO1NBQ25HO1FBRUQsT0FBTyxFQUFFLFFBQVEsRUFBRSxNQUFNLENBQUMsYUFBYSxDQUFDLEVBQUUsTUFBTSxFQUFFLE1BQU0sQ0FBQyxXQUFXLENBQUMsRUFBRSxDQUFDO0tBQ3pFO1NBQU0sSUFBSSxZQUFZLENBQUMsYUFBYSxFQUFFO1FBQ3JDLE1BQU0sR0FBRyxHQUFHLE1BQU0sR0FBRyxDQUFDLFNBQVMsQ0FBQyxFQUFFLGFBQWEsRUFBRSxZQUFZLENBQUMsYUFBYSxFQUFFLENBQUMsQ0FBQztRQUMvRSxNQUFNLFdBQVcsR0FBRyxNQUFNLG9CQUFvQixDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBRXBELE9BQU8sRUFBRSxRQUFRLEVBQUUsV0FBVyxDQUFDLFFBQVEsRUFBRSxNQUFNLEVBQUUsV0FBVyxDQUFDLFFBQVEsRUFBRSxDQUFDO0tBQ3pFO1NBQU07UUFDTCxNQUFNLElBQUksS0FBSyxDQUFDLG1EQUFtRCxDQUFDLENBQUM7S0FDdEU7QUFDSCxDQUFDO0FBN0JELGtFQTZCQztBQUVNLEtBQUssVUFBVSxvQkFBb0IsQ0FBQyxHQUFZLEVBQUUsTUFBZTtJQUN0RSxJQUFJLE1BQU0sRUFBRTtRQUFFLE1BQU0sQ0FBQyxrQ0FBa0MsQ0FBQyxDQUFDO0tBQUU7SUFDM0QsTUFBTSxRQUFRLEdBQUcsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxxQkFBcUIsQ0FBQyxFQUFHLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDLGlCQUFpQixJQUFJLEVBQUUsQ0FBQztJQUMxRixJQUFJLFFBQVEsQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFO1FBQ3pCLE1BQU0sSUFBSSxLQUFLLENBQUMseUNBQXlDLENBQUMsQ0FBQztLQUM1RDtJQUNELE1BQU0sS0FBSyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDLGtCQUFtQixFQUFFLFFBQVEsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUN2RixNQUFNLENBQUMsUUFBUSxFQUFFLFFBQVEsQ0FBQyxHQUFHLEtBQUssQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDOUMsSUFBSSxDQUFDLFFBQVEsSUFBSSxDQUFDLFFBQVEsRUFBRTtRQUFFLE1BQU0sSUFBSSxLQUFLLENBQUMsZ0NBQWdDLENBQUMsQ0FBQztLQUFFO0lBRWxGLE9BQU87UUFDTCxRQUFRO1FBQ1IsUUFBUTtRQUNSLFFBQVEsRUFBRSxRQUFRLENBQUMsQ0FBQyxDQUFDLENBQUMsYUFBYztLQUNyQyxDQUFDO0FBQ0osQ0FBQztBQWZELG9EQWVDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0ICogYXMgZnMgZnJvbSAnZnMnO1xuaW1wb3J0ICogYXMgb3MgZnJvbSAnb3MnO1xuaW1wb3J0ICogYXMgcGF0aCBmcm9tICdwYXRoJztcbmltcG9ydCB7IElBd3MgfSBmcm9tICcuLi9hd3MnO1xuaW1wb3J0IHsgTG9nZ2VyIH0gZnJvbSAnLi9zaGVsbCc7XG5cbmV4cG9ydCBpbnRlcmZhY2UgRG9ja2VyQ3JlZGVudGlhbHMge1xuICByZWFkb25seSBVc2VybmFtZTogc3RyaW5nO1xuICByZWFkb25seSBTZWNyZXQ6IHN0cmluZztcbn1cblxuZXhwb3J0IGludGVyZmFjZSBEb2NrZXJDcmVkZW50aWFsc0NvbmZpZyB7XG4gIHJlYWRvbmx5IHZlcnNpb246IHN0cmluZztcbiAgcmVhZG9ubHkgZG9tYWluQ3JlZGVudGlhbHM6IFJlY29yZDxzdHJpbmcsIERvY2tlckRvbWFpbkNyZWRlbnRpYWxTb3VyY2U+O1xufVxuXG5leHBvcnQgaW50ZXJmYWNlIERvY2tlckRvbWFpbkNyZWRlbnRpYWxTb3VyY2Uge1xuICByZWFkb25seSBzZWNyZXRzTWFuYWdlclNlY3JldElkPzogc3RyaW5nO1xuICByZWFkb25seSBzZWNyZXRzVXNlcm5hbWVGaWVsZD86IHN0cmluZztcbiAgcmVhZG9ubHkgc2VjcmV0c1Bhc3N3b3JkRmllbGQ/OiBzdHJpbmc7XG4gIHJlYWRvbmx5IGVjclJlcG9zaXRvcnk/OiBib29sZWFuO1xuICByZWFkb25seSBhc3N1bWVSb2xlQXJuPzogc3RyaW5nO1xufVxuXG4vKiogUmV0dXJucyB0aGUgcHJlc3VtZWQgbG9jYXRpb24gb2YgdGhlIENESyBEb2NrZXIgY3JlZGVudGlhbHMgY29uZmlnIGZpbGUgKi9cbmV4cG9ydCBmdW5jdGlvbiBjZGtDcmVkZW50aWFsc0NvbmZpZ0ZpbGUoKTogc3RyaW5nIHtcbiAgcmV0dXJuIHByb2Nlc3MuZW52LkNES19ET0NLRVJfQ1JFRFNfRklMRSA/PyBwYXRoLmpvaW4oKG9zLnVzZXJJbmZvKCkuaG9tZWRpciA/PyBvcy5ob21lZGlyKCkpLnRyaW0oKSB8fCAnLycsICcuY2RrJywgJ2Nkay1kb2NrZXItY3JlZHMuanNvbicpO1xufVxuXG5sZXQgX2Nka0NyZWRlbnRpYWxzOiBEb2NrZXJDcmVkZW50aWFsc0NvbmZpZyB8IHVuZGVmaW5lZDtcbi8qKiBMb2FkcyBhbmQgcGFyc2VzIHRoZSBDREsgRG9ja2VyIGNyZWRlbnRpYWxzIGNvbmZpZ3VyYXRpb24sIGlmIGl0IGV4aXN0cy4gKi9cbmV4cG9ydCBmdW5jdGlvbiBjZGtDcmVkZW50aWFsc0NvbmZpZygpOiBEb2NrZXJDcmVkZW50aWFsc0NvbmZpZyB8IHVuZGVmaW5lZCB7XG4gIGlmICghX2Nka0NyZWRlbnRpYWxzKSB7XG4gICAgdHJ5IHtcbiAgICAgIF9jZGtDcmVkZW50aWFscyA9IEpTT04ucGFyc2UoZnMucmVhZEZpbGVTeW5jKGNka0NyZWRlbnRpYWxzQ29uZmlnRmlsZSgpLCB7IGVuY29kaW5nOiAndXRmLTgnIH0pKSBhcyBEb2NrZXJDcmVkZW50aWFsc0NvbmZpZztcbiAgICB9IGNhdGNoIChlcnIpIHsgfVxuICB9XG4gIHJldHVybiBfY2RrQ3JlZGVudGlhbHM7XG59XG5cbi8qKiBGZXRjaGVzIGxvZ2luIGNyZWRlbnRpYWxzIGZyb20gdGhlIGNvbmZpZ3VyZWQgc291cmNlIChlLmcuLCBTZWNyZXRzTWFuYWdlciwgRUNSKSAqL1xuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIGZldGNoRG9ja2VyTG9naW5DcmVkZW50aWFscyhhd3M6IElBd3MsIGNvbmZpZzogRG9ja2VyQ3JlZGVudGlhbHNDb25maWcsIGRvbWFpbjogc3RyaW5nKSB7XG4gIGlmICghT2JqZWN0LmtleXMoY29uZmlnLmRvbWFpbkNyZWRlbnRpYWxzKS5pbmNsdWRlcyhkb21haW4pKSB7XG4gICAgdGhyb3cgbmV3IEVycm9yKGB1bmtub3duIGRvbWFpbiAke2RvbWFpbn1gKTtcbiAgfVxuXG4gIGNvbnN0IGRvbWFpbkNvbmZpZyA9IGNvbmZpZy5kb21haW5DcmVkZW50aWFsc1tkb21haW5dO1xuXG4gIGlmIChkb21haW5Db25maWcuc2VjcmV0c01hbmFnZXJTZWNyZXRJZCkge1xuICAgIGNvbnN0IHNtID0gYXdhaXQgYXdzLnNlY3JldHNNYW5hZ2VyQ2xpZW50KHsgYXNzdW1lUm9sZUFybjogZG9tYWluQ29uZmlnLmFzc3VtZVJvbGVBcm4gfSk7XG4gICAgY29uc3Qgc2VjcmV0VmFsdWUgPSBhd2FpdCBzbS5nZXRTZWNyZXRWYWx1ZSh7IFNlY3JldElkOiBkb21haW5Db25maWcuc2VjcmV0c01hbmFnZXJTZWNyZXRJZCB9KS5wcm9taXNlKCk7XG4gICAgaWYgKCFzZWNyZXRWYWx1ZS5TZWNyZXRTdHJpbmcpIHsgdGhyb3cgbmV3IEVycm9yKGB1bmFibGUgdG8gZmV0Y2ggU2VjcmV0U3RyaW5nIGZyb20gc2VjcmV0OiAke2RvbWFpbkNvbmZpZy5zZWNyZXRzTWFuYWdlclNlY3JldElkfWApOyB9O1xuXG4gICAgY29uc3Qgc2VjcmV0ID0gSlNPTi5wYXJzZShzZWNyZXRWYWx1ZS5TZWNyZXRTdHJpbmcpO1xuXG4gICAgY29uc3QgdXNlcm5hbWVGaWVsZCA9IGRvbWFpbkNvbmZpZy5zZWNyZXRzVXNlcm5hbWVGaWVsZCA/PyAndXNlcm5hbWUnO1xuICAgIGNvbnN0IHNlY3JldEZpZWxkID0gZG9tYWluQ29uZmlnLnNlY3JldHNQYXNzd29yZEZpZWxkID8/ICdzZWNyZXQnO1xuICAgIGlmICghc2VjcmV0W3VzZXJuYW1lRmllbGRdIHx8ICFzZWNyZXRbc2VjcmV0RmllbGRdKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoYG1hbGZvcm1lZCBzZWNyZXQgc3RyaW5nIChcIiR7dXNlcm5hbWVGaWVsZH1cIiBvciBcIiR7c2VjcmV0RmllbGR9XCIgZmllbGQgbWlzc2luZylgKTtcbiAgICB9XG5cbiAgICByZXR1cm4geyBVc2VybmFtZTogc2VjcmV0W3VzZXJuYW1lRmllbGRdLCBTZWNyZXQ6IHNlY3JldFtzZWNyZXRGaWVsZF0gfTtcbiAgfSBlbHNlIGlmIChkb21haW5Db25maWcuZWNyUmVwb3NpdG9yeSkge1xuICAgIGNvbnN0IGVjciA9IGF3YWl0IGF3cy5lY3JDbGllbnQoeyBhc3N1bWVSb2xlQXJuOiBkb21haW5Db25maWcuYXNzdW1lUm9sZUFybiB9KTtcbiAgICBjb25zdCBlY3JBdXRoRGF0YSA9IGF3YWl0IG9idGFpbkVjckNyZWRlbnRpYWxzKGVjcik7XG5cbiAgICByZXR1cm4geyBVc2VybmFtZTogZWNyQXV0aERhdGEudXNlcm5hbWUsIFNlY3JldDogZWNyQXV0aERhdGEucGFzc3dvcmQgfTtcbiAgfSBlbHNlIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoJ3Vua25vd24gY3JlZGVudGlhbCB0eXBlOiBubyBzZWNyZXQgSUQgb3IgRUNSIHJlcG8nKTtcbiAgfVxufVxuXG5leHBvcnQgYXN5bmMgZnVuY3Rpb24gb2J0YWluRWNyQ3JlZGVudGlhbHMoZWNyOiBBV1MuRUNSLCBsb2dnZXI/OiBMb2dnZXIpIHtcbiAgaWYgKGxvZ2dlcikgeyBsb2dnZXIoJ0ZldGNoaW5nIEVDUiBhdXRob3JpemF0aW9uIHRva2VuJyk7IH1cbiAgY29uc3QgYXV0aERhdGEgPSAoYXdhaXQgZWNyLmdldEF1dGhvcml6YXRpb25Ub2tlbih7IH0pLnByb21pc2UoKSkuYXV0aG9yaXphdGlvbkRhdGEgfHwgW107XG4gIGlmIChhdXRoRGF0YS5sZW5ndGggPT09IDApIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoJ05vIGF1dGhvcml6YXRpb24gZGF0YSByZWNlaXZlZCBmcm9tIEVDUicpO1xuICB9XG4gIGNvbnN0IHRva2VuID0gQnVmZmVyLmZyb20oYXV0aERhdGFbMF0uYXV0aG9yaXphdGlvblRva2VuISwgJ2Jhc2U2NCcpLnRvU3RyaW5nKCdhc2NpaScpO1xuICBjb25zdCBbdXNlcm5hbWUsIHBhc3N3b3JkXSA9IHRva2VuLnNwbGl0KCc6Jyk7XG4gIGlmICghdXNlcm5hbWUgfHwgIXBhc3N3b3JkKSB7IHRocm93IG5ldyBFcnJvcigndW5leHBlY3RlZCBFQ1IgYXV0aERhdGEgZm9ybWF0Jyk7IH1cblxuICByZXR1cm4ge1xuICAgIHVzZXJuYW1lLFxuICAgIHBhc3N3b3JkLFxuICAgIGVuZHBvaW50OiBhdXRoRGF0YVswXS5wcm94eUVuZHBvaW50ISxcbiAgfTtcbn1cbiJdfQ==

package/lib/private/docker.d.ts

@@ -9,8 +9,17 @@ interface BuildOptions {
     readonly file?: string;
     readonly buildArgs?: Record<string, string>;
 }
+export interface DockerCredentialsConfig {
+    readonly version: string;
+    readonly domainCredentials: Record<string, DockerDomainCredentials>;
+}
+export interface DockerDomainCredentials {
+    readonly secretsManagerSecretId?: string;
+    readonly ecrRepository?: string;
+}
 export declare class Docker {
     private readonly logger?;
+    private configDir;
     constructor(logger?: Logger | undefined);
     /**
      * Whether an image with the given tag exists
@@ -23,6 +32,23 @@ export declare class Docker {
     login(ecr: AWS.ECR): Promise<void>;
     tag(sourceTag: string, targetTag: string): Promise<void>;
     push(tag: string): Promise<void>;
+    /**
+     * If a CDK Docker Credentials file exists, creates a new Docker config directory.
+     * Sets up `docker-credential-cdk-assets` to be the credential helper for each domain in the CDK config.
+     * All future commands (e.g., `build`, `push`) will use this config.
+     *
+     * See https://docs.docker.com/engine/reference/commandline/login/#credential-helpers for more details on cred helpers.
+     *
+     * @returns true if CDK config was found and configured, false otherwise
+     */
+    configureCdkCredentials(): boolean;
+    /**
+     * Removes any configured Docker config directory.
+     * All future commands (e.g., `build`, `push`) will use the default config.
+     *
+     * This is useful after calling `configureCdkCredentials` to reset to default credentials.
+     */
+    resetAuthPlugins(): void;
     private execute;
 }
 export {};