@itwin/object-storage-s3
Object storage implementation base for S3 compatible providers
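"use strict";
// Flag this file as transpiled ES-module output so CommonJS interop code can recognise it.
Object.defineProperty(exports, "__esModule", { value: true });
// Declare the export name before any require() runs; the class is assigned at the end of the file.
exports.S3TransferConfigProvider = void 0;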
/*---------------------------------------------------------------------------------------------
* Copyright (c) Bentley Systems, Incorporated. All rights reserved.
* See LICENSE.md in the project root for license terms and full copyright notice.
*--------------------------------------------------------------------------------------------*/
const client_sts_1 = require("@aws-sdk/client-sts");
const internal_1 = require("@itwin/object-storage-core/lib/common/internal");
const internal_2 = require("@itwin/object-storage-core/lib/server/internal");
const common_1 = require("../common");
const internal_3 = require("./internal");
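/**
 * Hands out temporary, directory-scoped S3 credentials.
 *
 * Each public method calls STS AssumeRole on the configured role and attaches an
 * inline session policy. The credentials STS returns are limited to what both
 * the role's own policies and that session policy allow, so the role is the
 * outer bound and the session policy narrows it to one directory.
 *
 * Security notes:
 * - The returned objects contain a secret key and session token. Treat them as
 *   secrets: do not log them or keep them past `expiration`.
 * - NOTE(review): IAM treats `*` and `?` inside a Resource ARN as wildcards. If
 *   `directory` can be influenced by a caller, confirm that
 *   `buildObjectDirectoryString` rejects or cannot produce those characters;
 *   otherwise the session policy can match keys outside the intended prefix.
 * - NOTE(review): the session name comes from `getRandomString()`, so audit
 *   records for these sessions presumably cannot be tied to the requesting
 *   caller by name alone; correlate through application logs if needed.
 */
class S3TransferConfigProvider {
  _config;
  _client;

  /**
   * @param client wrapper whose `client.send(command)` dispatches STS commands.
   * @param config settings read here: `bucket`, `roleArn`, `baseUrl`, `region`.
   */
  constructor(client, config) {
    this._config = config;
    this._client = client;
  }

  /**
   * Issues credentials restricted to `s3:GetObject` on objects under `directory`.
   *
   * @param directory directory descriptor passed to `buildObjectDirectoryString`.
   * @param options passed to `getExpiresInSeconds` to pick the credential lifetime.
   * @returns transfer configuration with temporary credentials.
   * @throws Error when STS returns no credentials; STS/client errors propagate.
   */
  async getDownloadConfig(directory, options) {
    return this._issueTransferConfig(
      ["s3:GetObject"],
      [this._directoryObjectsArn(directory)],
      options,
    );
  }

  /**
   * Issues credentials restricted to `s3:PutObject` on objects under `directory`.
   *
   * @param directory directory descriptor passed to `buildObjectDirectoryString`.
   * @param options passed to `getExpiresInSeconds` to pick the credential lifetime.
   * @returns transfer configuration with temporary credentials.
   * @throws Error when STS returns no credentials; STS/client errors propagate.
   */
  async getUploadConfig(directory, options) {
    return this._issueTransferConfig(
      ["s3:PutObject"],
      [this._directoryObjectsArn(directory)],
      options,
    );
  }

  /**
   * Issues credentials carrying the actions from `getActions()` on the objects
   * under `directory` and on the bucket itself.
   *
   * NOTE(review): the bare bucket ARN is granted without an `s3:prefix`
   * condition. If `getActions()` includes a bucket-level action such as
   * `s3:ListBucket`, these credentials can enumerate keys in every directory of
   * the bucket, not only this one. Confirm against `getActions()` and, if so,
   * move the bucket-level actions into their own statement with a prefix
   * condition.
   *
   * @param directory directory descriptor passed to `buildObjectDirectoryString`.
   * @param options passed to `getExpiresInSeconds` to pick the credential lifetime.
   * @returns transfer configuration with temporary credentials.
   * @throws Error when STS returns no credentials; STS/client errors propagate.
   */
  async getDirectoryAccessConfig(directory, options) {
    const actions = (0, internal_3.getActions)();
    return this._issueTransferConfig(
      actions,
      [
        this._directoryObjectsArn(directory),
        `arn:aws:s3:::${this._config.bucket}`,
      ],
      options,
    );
  }

  /** Builds the ARN pattern matching every object under `directory` in the configured bucket. */
  _directoryObjectsArn(directory) {
    return `arn:aws:s3:::${this._config.bucket}/${(0, internal_1.buildObjectDirectoryString)(directory)}/*`;
  }

  /** Assumes the configured role with a single-statement Allow session policy and shapes the result. */
  async _issueTransferConfig(actions, resources, options) {
    /* eslint-disable @typescript-eslint/naming-convention */
    const policy = {
      Version: "2012-10-17",
      Statement: [
        {
          Effect: "Allow",
          Action: actions,
          Resource: resources,
        },
      ],
    };
    const { Credentials } = await this._client.client.send(
      new client_sts_1.AssumeRoleCommand({
        DurationSeconds: (0, internal_3.getExpiresInSeconds)(options),
        Policy: JSON.stringify(policy),
        RoleArn: this._config.roleArn,
        RoleSessionName: (0, internal_2.getRandomString)(),
      }),
    );
    /* eslint-enable @typescript-eslint/naming-convention */

    // Fail with a clear message instead of an opaque TypeError on the property
    // reads below when the response carries no Credentials member.
    if (!Credentials) {
      throw new Error("STS AssumeRole response did not include credentials.");
    }

    return {
      authentication: {
        accessKey: Credentials.AccessKeyId,
        secretKey: Credentials.SecretAccessKey,
        sessionToken: Credentials.SessionToken,
      },
      expiration: Credentials.Expiration,
      baseUrl: this._config.baseUrl,
      region: this._config.region,
      bucket: this._config.bucket,
      storageType: common_1.Constants.storageType,
    };
  }
}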
// Publish the class under its own name on the CommonJS exports object.
exports.S3TransferConfigProvider = S3TransferConfigProvider;
//# sourceMappingURL=S3TransferConfigProvider.js.map