-
Notifications
You must be signed in to change notification settings - Fork 279
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
7eca29d
commit 7eee705
Showing
11 changed files
with
469 additions
and
56 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,216 @@ | ||
import Http from 'http' | ||
import Https from 'https' | ||
import {makeDateLong, parseXml, toSha256} from "./helpers" | ||
import {signV4ByServiceName} from "./signing" | ||
import CredentialProvider from "./CredentialProvider" | ||
import Credentials from "./Credentials" | ||
|
||
class AssumeRoleProvider extends CredentialProvider { | ||
constructor({ | ||
stsEndpoint, | ||
accessKey, | ||
secretKey, | ||
durationSeconds = 900, | ||
sessionToken, | ||
policy, | ||
region = '', | ||
roleArn, | ||
roleSessionName, | ||
externalId, | ||
token, | ||
webIdentityToken, | ||
action = "AssumeRole" | ||
}) { | ||
super({}) | ||
|
||
this.stsEndpoint = stsEndpoint | ||
this.accessKey = accessKey | ||
this.secretKey = secretKey | ||
this.durationSeconds = durationSeconds | ||
this.policy = policy | ||
this.region = region | ||
this.roleArn = roleArn | ||
this.roleSessionName = roleSessionName | ||
this.externalId = externalId | ||
this.token = token | ||
this.webIdentityToken = webIdentityToken | ||
this.action = action | ||
this.sessionToken = sessionToken | ||
|
||
/** | ||
* Internal Tracking variables | ||
*/ | ||
this.credentials = null | ||
this.expirySeconds = null | ||
this.accessExpiresAt = null | ||
|
||
} | ||
|
||
|
||
getRequestConfig() { | ||
const url = new URL(this.stsEndpoint) | ||
const hostValue = url.hostname | ||
const portValue = url.port | ||
const isHttp = url.protocol.includes("http:") | ||
const qryParams = new URLSearchParams() | ||
qryParams.set("Action", this.action) | ||
qryParams.set("Version", "2011-06-15") | ||
|
||
const defaultExpiry = 900 | ||
let expirySeconds = parseInt(this.durationSeconds) | ||
if (expirySeconds < defaultExpiry) { | ||
expirySeconds = defaultExpiry | ||
} | ||
this.expirySeconds = expirySeconds // for calculating refresh of credentials. | ||
|
||
qryParams.set("DurationSeconds", this.expirySeconds) | ||
|
||
if (this.policy) { | ||
qryParams.set("Policy", this.policy) | ||
} | ||
if (this.roleArn) { | ||
qryParams.set("RoleArn", this.roleArn) | ||
} | ||
|
||
if (this.roleSessionName != null) { | ||
qryParams.set("RoleSessionName", this.roleSessionName) | ||
} | ||
if (this.token != null) { | ||
qryParams.set("Token", this.token) | ||
} | ||
|
||
if (this.webIdentityToken) { | ||
qryParams.set("WebIdentityToken", this.webIdentityToken) | ||
} | ||
|
||
if (this.externalId) { | ||
qryParams.set("ExternalId", this.externalId) | ||
} | ||
|
||
|
||
const urlParams = qryParams.toString() | ||
const contentSha256 = toSha256(urlParams) | ||
|
||
const date = new Date() | ||
|
||
/** | ||
* Nodejs's Request Configuration. | ||
*/ | ||
const requestOptions = { | ||
hostname: hostValue, | ||
port: portValue, | ||
path: "/", | ||
protocol: url.protocol, | ||
method: "POST", | ||
headers: { | ||
"Content-Type": "application/x-www-form-urlencoded", | ||
"content-length": urlParams.length, | ||
"host": hostValue, | ||
"x-amz-date": makeDateLong(date), | ||
'x-amz-content-sha256': contentSha256 | ||
} | ||
} | ||
|
||
const authorization = signV4ByServiceName(requestOptions, this.accessKey, this.secretKey, this.region, date, "sts") | ||
requestOptions.headers.authorization = authorization | ||
|
||
return { | ||
requestOptions, | ||
requestData: urlParams, | ||
isHttp: isHttp | ||
} | ||
} | ||
|
||
async performRequest() { | ||
const reqObj = this.getRequestConfig() | ||
const requestOptions = reqObj.requestOptions | ||
const requestData = reqObj.requestData | ||
|
||
const isHttp = reqObj.isHttp | ||
const Transport = isHttp ? Http : Https | ||
|
||
const promise = new Promise((resolve, reject) => { | ||
const requestObj = Transport.request(requestOptions, (resp) => { | ||
let resChunks = [] | ||
resp.on('data', rChunk => { | ||
resChunks.push(rChunk) | ||
}) | ||
resp.on('end', () => { | ||
let body = Buffer.concat(resChunks).toString() | ||
const xmlobj = parseXml(body) | ||
resolve(xmlobj) | ||
}) | ||
resp.on('error', (err) => { | ||
reject(err) | ||
}) | ||
}) | ||
requestObj.on('error', (e) => { | ||
reject(e) | ||
}) | ||
requestObj.write(requestData) | ||
requestObj.end() | ||
}) | ||
return promise | ||
|
||
} | ||
|
||
parseCredentials(respObj={}) { | ||
|
||
const { | ||
AssumeRoleResponse: { | ||
AssumeRoleResult: { | ||
Credentials: { | ||
AccessKeyId: accessKey, | ||
SecretAccessKey: secretKey, | ||
SessionToken: sessionToken, | ||
Expiration: expiresAt | ||
} = {} | ||
} = {} | ||
} = {} | ||
} = respObj | ||
|
||
|
||
this.accessExpiresAt = expiresAt | ||
|
||
const newCreds = new Credentials({ | ||
accessKey, | ||
secretKey, | ||
sessionToken | ||
}) | ||
|
||
this.setCredentials(newCreds) | ||
return this.credentials | ||
|
||
} | ||
|
||
|
||
async refreshCredentials() { | ||
try { | ||
const assumeRoleCredentials = await this.performRequest() | ||
this.credentials = this.parseCredentials(assumeRoleCredentials) | ||
} catch (err) { | ||
this.credentials = null | ||
throw new Error(`Error getting credentials:` + err) | ||
} | ||
return this.credentials | ||
} | ||
|
||
async getCredentials() { | ||
let credConfig | ||
if (!this.credentials || (this.credentials && this.isAboutToExpire())) { | ||
credConfig = await this.refreshCredentials() | ||
} else { | ||
credConfig = this.credentials | ||
} | ||
return credConfig | ||
} | ||
|
||
isAboutToExpire() { | ||
const expiresAt = new Date(this.accessExpiresAt) | ||
const provisionalExpiry = new Date(Date.now() + 1000 * 10)//check before 10 seconds. | ||
const isAboutToExpire = provisionalExpiry > expiresAt | ||
return isAboutToExpire | ||
} | ||
} | ||
|
||
export default AssumeRoleProvider |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
import Credentials from "./Credentials" | ||
|
||
class CredentialProvider { | ||
constructor({ | ||
accessKey, | ||
secretKey, | ||
sessionToken | ||
}) { | ||
this.credentials = new Credentials({ | ||
accessKey, | ||
secretKey, | ||
sessionToken | ||
}) | ||
} | ||
|
||
getCredentials() { | ||
return this.credentials.get() | ||
} | ||
|
||
setCredentials(credentials) { | ||
if (credentials instanceof Credentials) { | ||
this.credentials = credentials | ||
} else { | ||
throw new Error("Unable to set Credentials . it should be an instance of Credentials class") | ||
} | ||
} | ||
|
||
|
||
setAccessKey(accessKey) { | ||
this.credentials.setAccessKey(accessKey) | ||
} | ||
|
||
getAccessKey() { | ||
return this.credentials.getAccessKey() | ||
} | ||
|
||
setSecretKey(secretKey) { | ||
this.credentials.setSecretKey(secretKey) | ||
} | ||
|
||
getSecretKey() { | ||
return this.credentials.getSecretKey() | ||
} | ||
|
||
setSessionToken(sessionToken) { | ||
this.credentials.setSessionToken(sessionToken) | ||
} | ||
|
||
getSessionToken() { | ||
return this.credentials.getSessionToken() | ||
} | ||
|
||
|
||
} | ||
|
||
export default CredentialProvider |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
class Credentials{ | ||
constructor({ | ||
accessKey, | ||
secretKey, | ||
sessionToken | ||
}) { | ||
this.accessKey = accessKey | ||
this.secretKey = secretKey | ||
this.sessionToken=sessionToken | ||
} | ||
|
||
|
||
setAccessKey(accessKey){ | ||
this.accessKey = accessKey | ||
} | ||
getAccessKey(){ | ||
return this.accessKey | ||
} | ||
setSecretKey(secretKey){ | ||
this.secretKey=secretKey | ||
} | ||
getSecretKey(){ | ||
return this.secretKey | ||
} | ||
setSessionToken (sessionToken){ | ||
this.sessionToken = sessionToken | ||
} | ||
getSessionToken (){ | ||
return this.sessionToken | ||
} | ||
|
||
get(){ | ||
return { | ||
accessKey:this.accessKey, | ||
secretKey:this.secretKey, | ||
sessionToken:this.sessionToken | ||
} | ||
} | ||
|
||
} | ||
|
||
export default Credentials |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.