"use strict";
// TypeScript-emitted CommonJS interop helpers (the inlined `tslib` shims). Under the CommonJS wrapper
// `this` is `module.exports`, so a helper already present there wins; otherwise the fallback is used.
var __createBinding = (this && this.__createBinding) || (function () {
    // Re-exports `source[key]` as `target[alias]` through a live getter, unless the source already
    // exposes it as a non-writable, non-configurable data property or as an ES-module getter.
    function liveBinding(target, source, key, alias) {
        var name = alias === undefined ? key : alias;
        var descriptor = Object.getOwnPropertyDescriptor(source, key);
        var useGetter = !descriptor
            || ("get" in descriptor ? !source.__esModule : (descriptor.writable || descriptor.configurable));
        if (useGetter) {
            descriptor = { enumerable: true, get: function () { return source[key]; } };
        }
        Object.defineProperty(target, name, descriptor);
    }
    // Legacy engines without Object.create: copy by value.
    function copyBinding(target, source, key, alias) {
        target[alias === undefined ? key : alias] = source[key];
    }
    return Object.create ? liveBinding : copyBinding;
})();
var __setModuleDefault = (this && this.__setModuleDefault) || (function () {
    function defineDefault(target, value) {
        Object.defineProperty(target, "default", { enumerable: true, value: value });
    }
    function assignDefault(target, value) {
        target["default"] = value;
    }
    return Object.create ? defineDefault : assignDefault;
})();
// `import * as ns from 'x'` against a CommonJS module: ES modules pass straight through; anything
// else is wrapped in a namespace object whose `default` is the module itself.
var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var namespace = {};
    if (mod != null) {
        Object.keys(mod).forEach(function (key) {
            if (key !== "default") __createBinding(namespace, mod, key);
        });
    }
    __setModuleDefault(namespace, mod);
    return namespace;
};
// CommonJS module shape emitted by tsc: flag the module for ES-module interop and pre-declare the
// export, which is assigned once the class below has been defined.
Object.defineProperty(exports, "__esModule", { value: true });
exports.RsaPrivateKeySecret = void 0;
const path = __importStar(require("path"));
const aws_cdk_lib_1 = require("aws-cdk-lib");
const aws_ecr_assets_1 = require("aws-cdk-lib/aws-ecr-assets");
const constructs_1 = require("constructs");
const certificate_signing_request_1 = require("./certificate-signing-request");
const util_1 = require("../util");
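/**
 * An OpenSSL-generated RSA Private Key, produced by a custom-resource Lambda and stored in AWS Secrets
 * Manager. It can for example be used to obtain a Certificate signed by a Certificate Authority through the
 * use of the ``CertificateSigningRequest`` construct (or via the ``#newCertificateSigningRequest`` method).
 *
 * Security notes:
 * - The construct surfaces only the secret's ARN (``secretArn``) and the optional CMK (``masterKey``); read
 *   access to the key material is granted explicitly with ``grantGetSecretValue``.
 * - The handler's role is limited to creating/updating/deleting the one secret named by ``props.secretName``.
 * - When a customer-managed key is supplied, KMS use is restricted to calls made through Secrets Manager in
 *   this stack's region and to the encryption context of this secret.
 */
class RsaPrivateKeySecret extends constructs_1.Construct {
    /**
     * @param parent the parent construct.
     * @param id the ID of this construct in the construct tree.
     * @param props.secretName the Secrets Manager secret name the generated key is stored under.
     * @param props.keySize optional RSA modulus size in bits, forwarded to the handler.
     * @param props.description optional description forwarded to the handler.
     * @param props.secretEncryptionKey optional customer-managed KMS key used to encrypt the secret.
     * @param props.removalPolicy what happens to the secret when the resource is removed (default: RETAIN).
     *
     * @throws Error if ``props.keySize`` is given and is not a positive integer (unresolved CDK tokens are
     *   passed through untouched), or if a ``secretEncryptionKey`` is given but the handler function has no
     *   execution role to grant KMS access to.
     */
    constructor(parent, id, props) {
        super(parent, id);
        // Fail at synthesis time on an unusable key size instead of forwarding it to the handler. Tokens
        // cannot be inspected here and are passed through as-is.
        // NOTE(review): no minimum is enforced here; 2048 bits is the customary floor for RSA keys — confirm
        // the handler's default and minimum before relying on small explicit values.
        const { keySize } = props;
        if (keySize != null && !aws_cdk_lib_1.Token.isUnresolved(keySize)
            && (!Number.isInteger(keySize) || keySize <= 0)) {
            throw new Error(`RsaPrivateKeySecret: keySize must be a positive integer, got ${keySize}`);
        }
        const stack = aws_cdk_lib_1.Stack.of(this);
        // KMS use is only allowed when the call is made through Secrets Manager in this region.
        const viaSecretsManager = `secretsmanager.${stack.region}.amazonaws.com`;
        const codeLocation = path.resolve(__dirname, '..', 'custom-resource-handlers');
        // The "V2" construct ID and the UUID were changed to force replacement of the function: CloudFormation
        // does not allow changing a Lambda's package type in place.
        this.customResource = new aws_cdk_lib_1.aws_lambda.SingletonFunction(this, 'ResourceHandlerV2', {
            lambdaPurpose: 'RSAPrivate-Key',
            uuid: '517D342F-A590-447B-B525-5D06E403A406',
            description: 'Generates an RSA Private Key and stores it in AWS Secrets Manager',
            runtime: aws_cdk_lib_1.aws_lambda.Runtime.FROM_IMAGE,
            handler: aws_cdk_lib_1.aws_lambda.Handler.FROM_IMAGE,
            code: new aws_cdk_lib_1.aws_lambda.AssetImageCode(codeLocation, {
                file: 'Dockerfile',
                platform: aws_ecr_assets_1.Platform.LINUX_AMD64,
                buildArgs: {
                    FUN_SRC_DIR: 'private-key',
                },
                // Fold the build args into the asset hash so a different FUN_SRC_DIR yields a new image.
                invalidation: {
                    buildArgs: true,
                },
            }),
            timeout: aws_cdk_lib_1.Duration.seconds(300),
        });
        // Secrets Manager appends "-" plus 6 random characters to the secret name when forming the ARN, so
        // permissions are scoped with a wildcard ARN matching exactly that suffix.
        this.secretArnLike = stack.formatArn({
            service: 'secretsmanager',
            resource: 'secret',
            arnFormat: aws_cdk_lib_1.ArnFormat.COLON_RESOURCE_NAME,
            resourceName: `${props.secretName}-??????`,
        });
        // Least privilege for the handler: lifecycle of this single secret only (no GetSecretValue).
        this.customResource.addToRolePolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
            actions: [
                'secretsmanager:CreateSecret',
                'secretsmanager:DeleteSecret',
                'secretsmanager:UpdateSecret',
            ],
            resources: [this.secretArnLike],
        }));
        const handlerRole = this.customResource.role;
        if (props.secretEncryptionKey) {
            if (!handlerRole) {
                throw new Error('RsaPrivateKeySecret: cannot grant KMS access, the key-generation handler has no execution role');
            }
            // Key (resource) policy side of the grant: the handler may use the CMK only through Secrets Manager
            // and only for this secret's encryption context.
            // NOTE(review): the identity policy below additionally allows the 'RequestToValidateKeyAccess'
            // encryption context, this key-policy statement does not. If the CMK's key policy does not delegate
            // to IAM, the corresponding KMS call would be denied — confirm against the key policy in use.
            props.secretEncryptionKey.addToResourcePolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
                principals: [new aws_cdk_lib_1.aws_iam.ArnPrincipal(handlerRole.roleArn)],
                actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
                resources: ['*'],
                conditions: {
                    StringEquals: {
                        'kms:ViaService': viaSecretsManager,
                    },
                    ArnLike: {
                        'kms:EncryptionContext:SecretARN': this.secretArnLike,
                    },
                },
            }));
        }
        // The custom resource ID carries a "V2" suffix as well, so it is recreated together with the new
        // handler. ``resourceVersion`` changes whenever the handler sources change, which triggers an Update
        // of this resource; what the handler does on Update is defined in the handler, not here.
        const privateKey = new aws_cdk_lib_1.CustomResource(this, 'ResourceV2', {
            serviceToken: this.customResource.functionArn,
            resourceType: 'Custom::RsaPrivateKeySecret',
            pascalCaseProperties: true,
            properties: {
                resourceVersion: (0, util_1.hashFileOrDirectory)(codeLocation),
                description: props.description,
                keySize: props.keySize,
                secretName: props.secretName,
                kmsKeyId: props.secretEncryptionKey && props.secretEncryptionKey.keyArn,
            },
            // Default to RETAIN so removing the stack does not destroy the private key material.
            removalPolicy: props.removalPolicy || aws_cdk_lib_1.RemovalPolicy.RETAIN,
        });
        if (handlerRole) {
            // Make sure the role (and the policies attached to it) exist before the handler is invoked.
            privateKey.node.addDependency(handlerRole);
            if (props.secretEncryptionKey) {
                // Identity (IAM) policy side of the grant, modeled as a separate Policy to avoid a dependency
                // cycle (Role -> Key -> Role), since the key's resource policy already refers to the role.
                privateKey.node.addDependency(new aws_cdk_lib_1.aws_iam.Policy(this, 'GrantLambdaRoleKeyAccess', {
                    roles: [handlerRole],
                    statements: [
                        new aws_cdk_lib_1.aws_iam.PolicyStatement({
                            actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
                            resources: [props.secretEncryptionKey.keyArn],
                            conditions: {
                                StringEquals: {
                                    'kms:ViaService': viaSecretsManager,
                                },
                                // NOTE(review): 'RequestToValidateKeyAccess' appears to be the encryption context Secrets
                                // Manager uses to check CMK access when a secret is created — confirm against AWS docs.
                                StringLike: { 'kms:EncryptionContext:SecretARN': [this.secretArnLike, 'RequestToValidateKeyAccess'] },
                            },
                        }),
                    ],
                }));
            }
        }
        this.masterKey = props.secretEncryptionKey;
        // Only the secret's ARN is exposed; the key material itself stays in Secrets Manager.
        this.secretArn = privateKey.getAtt('SecretArn').toString();
    }
    /**
     * Creates a new CSR resource using this private key.
     *
     * @param id the ID of the construct in the construct tree.
     * @param dn the distinguished name to record on the CSR.
     * @param keyUsage the intended key usage (for example: "critical,digitalSignature")
     * @param extendedKeyUsage the intended extended key usage, if any (for example: "critical,codeSigning")
     *
     * @returns a new ``CertificateSigningRequest`` instance that can be used to access the actual CSR document.
     */
    newCertificateSigningRequest(id, dn, keyUsage, extendedKeyUsage) {
        return new certificate_signing_request_1.CertificateSigningRequest(this, id, {
            privateKey: this,
            dn,
            keyUsage,
            extendedKeyUsage,
        });
    }
    /**
     * Allows a given IAM principal to read the secret value and, when a customer-managed key is in use, to
     * decrypt it through Secrets Manager. The grant is written on both sides: the grantee's own policy and
     * the CMK's key policy, each scoped to this secret's encryption context.
     *
     * @param grantee the principal to which permissions should be granted (for example an IAM Role; it must
     *   support ``addToPrincipalPolicy`` and expose ``grantPrincipal``).
     */
    grantGetSecretValue(grantee) {
        grantee.addToPrincipalPolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
            actions: ['secretsmanager:GetSecretValue'],
            resources: [this.secretArn],
        }));
        if (!this.masterKey) {
            return;
        }
        const viaSecretsManager = `secretsmanager.${aws_cdk_lib_1.Stack.of(this).region}.amazonaws.com`;
        // Key policy side: the deployed secret ARN is not known at synthesis, so match the name-plus-suffix
        // pattern (ArnLike).
        this.masterKey.addToResourcePolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
            actions: ['kms:Decrypt'],
            resources: ['*'],
            principals: [grantee.grantPrincipal],
            conditions: {
                StringEquals: {
                    'kms:ViaService': viaSecretsManager,
                },
                ArnLike: {
                    'kms:EncryptionContext:SecretARN': this.secretArnLike,
                },
            },
        }));
        // Identity policy side: here the secret ARN token resolves at deploy time, so it can be pinned exactly.
        grantee.addToPrincipalPolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
            actions: ['kms:Decrypt'],
            resources: [this.masterKey.keyArn],
            conditions: {
                StringEquals: {
                    'kms:ViaService': viaSecretsManager,
                },
                ArnEquals: {
                    'kms:EncryptionContext:SecretARN': this.secretArn,
                },
            },
        }));
    }
}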
// Public export; the class is assigned here after its definition (the earlier `void 0` is the placeholder).
exports.RsaPrivateKeySecret = RsaPrivateKeySecret;
//# sourceMappingURL=data:application/json;base64,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