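"use strict";

// Lambda-backed custom resource handler for an IAM OpenID Connect provider
// (bundled aws-cdk-lib artifact, re-formatted from the minified output).
// The handler creates, updates and deletes the provider and, when no
// ThumbprintList is supplied, derives the thumbprint of the issuer's root CA
// from a live TLS handshake against the issuer URL.

const tls = require("tls");
const url = require("url");
const iamSdk = require("@aws-sdk/client-iam");

/**
 * Set-wise difference between two lists of strings (duplicates collapse).
 *
 * @param {string[]} oldValues - the values currently present
 * @param {string[]} newValues - the values that should be present
 * @returns {{ adds: string[], deletes: string[] }} values to add / remove to
 *   turn `oldValues` into `newValues`
 */
function arrayDiff(oldValues, newValues) {
  // Everything left in `deletes` after the loop was not found in `newValues`.
  const deletes = new Set(oldValues);
  const adds = new Set();
  for (const value of new Set(newValues)) {
    if (deletes.has(value)) {
      deletes.delete(value);
    } else {
      adds.add(value);
    }
  }
  return { adds: Array.from(adds), deletes: Array.from(deletes) };
}

let iamClient;

/**
 * Lazily constructed, process-wide IAM client.
 *
 * @returns {import("@aws-sdk/client-iam").IAM}
 */
function iam() {
  if (!iamClient) {
    iamClient = new iamSdk.IAM({});
  }
  return iamClient;
}

/**
 * Default logger; routed through `external` so it can be swapped out.
 *
 * @param {string} message
 * @param {...unknown} args
 */
function defaultLogger(message, ...args) {
  console.log(message, ...args);
}

/**
 * Connects to the issuer over TLS, walks the presented chain up to the root
 * certificate and returns that root's SHA-1 thumbprint (hex, no colons).
 *
 * @param {string} issuerUrl - the OIDC issuer URL (https://host[:port]/...)
 * @param {boolean} rejectUnauthorized - whether the TLS chain must verify;
 *   when false the thumbprint is pinned from an UNVERIFIED connection
 * @returns {Promise<string>} the root certificate thumbprint
 * @throws {Error} (as a rejection) when the host cannot be determined, no
 *   peer certificate is available, the root has already expired, or the
 *   socket reports an error
 */
async function downloadThumbprint(issuerUrl, rejectUnauthorized) {
  return new Promise((ok, ko) => {
    const purl = url.parse(issuerUrl);
    const port = purl.port ? parseInt(purl.port, 10) : 443;
    // `hostname` is the bare host. `host` would be "example.com:8443" for a
    // URL with an explicit port, which is neither a resolvable name nor a
    // valid SNI value.
    const hostname = purl.hostname;
    if (!hostname) {
      return ko(new Error(`unable to determine host from issuer url ${issuerUrl}`));
    }

    external.log(`Fetching x509 certificate chain from issuer ${issuerUrl}`);
    const socket = tls.connect(port, hostname, { rejectUnauthorized, servername: hostname });

    // Every failure path must both release the socket and reject the promise:
    // a `throw` inside an event listener would neither reject nor close the
    // socket, it would surface as an uncaught exception.
    const fail = (err) => {
      socket.destroy();
      ko(err);
    };
    socket.on("error", fail);

    socket.once("secureConnect", () => {
      try {
        let cert = socket.getPeerX509Certificate();
        if (!cert) {
          return fail(new Error(`Unable to retrieve X509 certificate from host ${hostname}`));
        }

        // Walk up to the root (the first certificate without an issuer
        // certificate), logging each intermediate on the way.
        while (cert.issuerCertificate) {
          printCertificate(cert);
          cert = cert.issuerCertificate;
        }

        const validTo = new Date(cert.validTo);
        const daysLeft = daysUntil(validTo);
        if (daysLeft < 0) {
          return fail(new Error(`The certificate has already expired on: ${validTo.toUTCString()}`));
        }
        if (daysLeft < 180) {
          console.warn(`The root certificate obtained would expire in ${daysLeft} days!`);
        }

        socket.end();
        const thumbprint = extractThumbprint(cert);
        external.log(`Certificate Authority thumbprint for ${issuerUrl} is ${thumbprint}`);
        ok(thumbprint);
      } catch (err) {
        fail(err);
      }
    });
  });
}

/**
 * Thumbprint as IAM expects it: the fingerprint with the colons removed.
 *
 * @param {import("crypto").X509Certificate} cert
 * @returns {string}
 */
function extractThumbprint(cert) {
  return cert.fingerprint.split(":").join("");
}

/**
 * Logs the identifying fields of one certificate in the chain.
 *
 * @param {import("crypto").X509Certificate} cert
 */
function printCertificate(cert) {
  external.log("-------------BEGIN CERT----------------");
  external.log(`Thumbprint: ${extractThumbprint(cert)}`);
  external.log(`Valid To: ${cert.validTo}`);
  if (cert.issuerCertificate) {
    external.log(`Issuer Thumbprint: ${extractThumbprint(cert.issuerCertificate)}`);
  }
  external.log(`Issuer: ${cert.issuer}`);
  external.log(`Subject: ${cert.subject}`);
  external.log("-------------END CERT------------------");
}

/**
 * Whole days from now until `date` (negative when `date` is in the past).
 *
 * @param {Date} date
 * @returns {number}
 */
function daysUntil(date) {
  const now = new Date();
  return Math.round((date.getTime() - now.getTime()) / 864e5);
}

// Indirection over everything with side effects, so the handlers can be
// exercised with stubs.
const external = {
  downloadThumbprint,
  log: defaultLogger,
  createOpenIDConnectProvider: (req) => iam().createOpenIDConnectProvider(req),
  deleteOpenIDConnectProvider: (req) => iam().deleteOpenIDConnectProvider(req),
  updateOpenIDConnectProviderThumbprint: (req) => iam().updateOpenIDConnectProviderThumbprint(req),
  addClientIDToOpenIDConnectProvider: (req) => iam().addClientIDToOpenIDConnectProvider(req),
  removeClientIDFromOpenIDConnectProvider: (req) => iam().removeClientIDFromOpenIDConnectProvider(req),
};

/**
 * CloudFormation custom resource entry point.
 *
 * @param {object} event - custom resource request; dispatches on
 *   `event.RequestType` ("Create" | "Update" | "Delete")
 * @returns {Promise<object|undefined>} the custom resource response fragment
 * @throws {Error} on an unknown request type
 */
async function handler(event) {
  if (event.RequestType === "Create") {
    return onCreate(event);
  }
  if (event.RequestType === "Update") {
    return onUpdate(event);
  }
  if (event.RequestType === "Delete") {
    return onDelete(event);
  }
  throw new Error("invalid request type");
}

/**
 * Reads the resource properties shared by Create and Update.
 * Lists are copied before sorting so the incoming event is not mutated.
 *
 * @param {object} event
 * @returns {{ issuerUrl: string, thumbprints: string[], clientIds: string[], rejectUnauthorized: boolean }}
 */
function readProperties(event) {
  const props = event.ResourceProperties;
  return {
    issuerUrl: props.Url,
    thumbprints: [...(props.ThumbprintList ?? [])].sort(),
    clientIds: [...(props.ClientIDList ?? [])].sort(),
    // Default is `false`: with RejectUnauthorized unset, the thumbprint that
    // the provider will trust is obtained over a TLS connection whose chain
    // is not validated. Deployments that can should set it explicitly.
    // NOTE(review): if the value ever arrives as the string "false" it is
    // truthy here — confirm the type the construct passes through.
    rejectUnauthorized: props.RejectUnauthorized ?? false,
  };
}

/**
 * Create: provisions the provider, fetching the root thumbprint from the
 * issuer when none was supplied.
 *
 * @param {object} event
 * @returns {Promise<{ PhysicalResourceId: string, Data: { Thumbprints: string } }>}
 */
async function onCreate(event) {
  const { issuerUrl, thumbprints, clientIds, rejectUnauthorized } = readProperties(event);

  if (thumbprints.length === 0) {
    thumbprints.push(await external.downloadThumbprint(issuerUrl, rejectUnauthorized));
  }

  const resp = await external.createOpenIDConnectProvider({
    Url: issuerUrl,
    ClientIDList: clientIds,
    ThumbprintList: thumbprints,
  });

  return {
    PhysicalResourceId: resp.OpenIDConnectProviderArn,
    Data: { Thumbprints: JSON.stringify(thumbprints) },
  };
}

/**
 * Update: a changed issuer URL is handled as a Create (new physical id);
 * otherwise the thumbprint list is replaced and client IDs are reconciled
 * one by one against the previous list.
 *
 * @param {object} event
 * @returns {Promise<object>}
 */
async function onUpdate(event) {
  const { issuerUrl, thumbprints, clientIds, rejectUnauthorized } = readProperties(event);

  // The IAM provider URL is immutable, so a different URL means replacement.
  if (event.OldResourceProperties.Url !== issuerUrl) {
    return onCreate({ ...event, RequestType: "Create" });
  }

  const providerArn = event.PhysicalResourceId;

  if (thumbprints.length === 0) {
    thumbprints.push(await external.downloadThumbprint(issuerUrl, rejectUnauthorized));
  }
  external.log("updating thumbprint to", thumbprints);
  await external.updateOpenIDConnectProviderThumbprint({
    OpenIDConnectProviderArn: providerArn,
    ThumbprintList: thumbprints,
  });

  const oldClientIds = [...(event.OldResourceProperties.ClientIDList ?? [])].sort();
  const diff = arrayDiff(oldClientIds, clientIds);
  external.log(`client ID diff: ${JSON.stringify(diff)}`);

  for (const id of diff.adds) {
    external.log(`adding client id "${id}" to provider ${providerArn}`);
    await external.addClientIDToOpenIDConnectProvider({ OpenIDConnectProviderArn: providerArn, ClientID: id });
  }
  for (const id of diff.deletes) {
    external.log(`removing client id "${id}" from provider ${providerArn}`);
    await external.removeClientIDFromOpenIDConnectProvider({ OpenIDConnectProviderArn: providerArn, ClientID: id });
  }

  return { Data: { Thumbprints: JSON.stringify(thumbprints) } };
}

/**
 * Delete: removes the provider identified by the physical resource id.
 *
 * @param {object} event
 * @returns {Promise<void>}
 */
async function onDelete(event) {
  await external.deleteOpenIDConnectProvider({ OpenIDConnectProviderArn: event.PhysicalResourceId });
}

Object.defineProperty(module.exports, "__esModule", { value: true });
module.exports.handler = handler;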