aws-delivlib
A fabulous library for defining continuous pipelines for building, testing and releasing code libraries.
"use strict";
/**
 * TypeScript-emitted interop helper. Exposes property `key` of `source` on
 * `target`, under `alias` when one is given and under `key` otherwise.
 *
 * An already-installed `this.__createBinding` is reused when present.
 * With `Object.create` available the property is installed through a
 * descriptor: a live getter that reads `source[key]` on every access, unless
 * `source` already offers an accessor on an `__esModule` module or a data
 * property that is neither writable nor configurable, in which case the
 * existing descriptor is copied as-is. Without `Object.create` the current
 * value is copied with a plain assignment.
 */
var __createBinding = (this && this.__createBinding) || (Object.create
  ? function (target, source, key, alias) {
      const exposedAs = alias === undefined ? key : alias;
      let descriptor = Object.getOwnPropertyDescriptor(source, key);
      // Accessor descriptors carry "get"; data descriptors carry writable/configurable.
      const replaceWithGetter = !descriptor ||
        ("get" in descriptor ? !source.__esModule : descriptor.writable || descriptor.configurable);
      if (replaceWithGetter) {
        descriptor = {
          enumerable: true,
          get() {
            return source[key];
          },
        };
      }
      Object.defineProperty(target, exposedAs, descriptor);
    }
  : function (target, source, key, alias) {
      target[alias === undefined ? key : alias] = source[key];
    });
/**
 * TypeScript-emitted interop helper. Stores `original` as the `default`
 * property of `namespace`.
 *
 * An already-installed `this.__setModuleDefault` is reused when present.
 * With `Object.create` available the property is defined as enumerable (and,
 * because no other flags are given, non-writable and non-configurable);
 * otherwise it is set with a plain assignment.
 */
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create
  ? function (namespace, original) {
      const defaultDescriptor = { enumerable: true, value: original };
      Object.defineProperty(namespace, "default", defaultDescriptor);
    }
  : function (namespace, original) {
      namespace["default"] = original;
    });
/**
 * TypeScript-emitted interop helper behind `import * as x from "..."`.
 *
 * A module already flagged `__esModule` is returned untouched. Anything else
 * is wrapped in a fresh namespace object: every own enumerable key except
 * "default" is bound onto it through `__createBinding`, and the original
 * module itself becomes the namespace's `default` via `__setModuleDefault`.
 * An already-installed `this.__importStar` is reused when present.
 */
var __importStar = (this && this.__importStar) || function (mod) {
  if (mod && mod.__esModule) {
    return mod;
  }
  const namespace = {};
  if (mod != null) {
    for (const key in mod) {
      // Skip "default" (set below) and anything inherited through the prototype chain.
      if (key === "default" || !Object.prototype.hasOwnProperty.call(mod, key)) {
        continue;
      }
      __createBinding(namespace, mod, key);
    }
  }
  __setModuleDefault(namespace, mod);
  return namespace;
};
// Flag this CommonJS module as transpiled from ES-module syntax.
Object.defineProperty(exports, "__esModule", { value: true });
// Pre-declare the public names as undefined; the real values are assigned
// further down once the enum and the class have been defined.
exports.OpenPGPKeyPairRemovalPolicy = undefined;
exports.OpenPGPKeyPair = undefined;
const path = __importStar(require("path"));
const aws_cdk_lib_1 = require("aws-cdk-lib");
const aws_ecr_assets_1 = require("aws-cdk-lib/aws-ecr-assets");
const constructs_1 = require("constructs");
const util_1 = require("./util");
/**
 * Values accepted by {@link OpenPGPKeyPairProps.removalPolicy}: what happens
 * to the stored secret when the resource is deleted from the stack.
 *
 * Compiled from a TypeScript numeric enum, so the object maps both ways
 * (name -> number and number -> name).
 */
var OpenPGPKeyPairRemovalPolicy = exports.OpenPGPKeyPairRemovalPolicy || (exports.OpenPGPKeyPairRemovalPolicy = {});
/**
 * Keep the secret when this resource is deleted from the stack.
 * This is the default setting.
 */
OpenPGPKeyPairRemovalPolicy.RETAIN = 0;
OpenPGPKeyPairRemovalPolicy[0] = "RETAIN";
/**
 * Remove the secret when this resource is deleted from the stack,
 * but leave a grace period of a few days that allows you to cancel the
 * deletion from the AWS Console.
 */
OpenPGPKeyPairRemovalPolicy.DESTROY_SAFELY = 1;
OpenPGPKeyPairRemovalPolicy[1] = "DESTROY_SAFELY";
/**
 * Remove the secret immediately when this resource is deleted from the stack.
 * Without a backup of the key elsewhere it is gone for good, so anything that
 * still has to be signed or decrypted with it can no longer be.
 */
OpenPGPKeyPairRemovalPolicy.DESTROY_IMMEDIATELY = 2;
OpenPGPKeyPairRemovalPolicy[2] = "DESTROY_IMMEDIATELY";
/**
 * An OpenPGP key pair whose private half is stored in AWS Secrets Manager and
 * whose public half is published as an SSM string parameter.
 *
 * The Secrets Manager secret is retained by default when the resource is
 * deleted; set the `removalPolicy` property to change that.
 *
 * The secret value is a JSON document of the form
 *
 *   { "PrivateKey": "... ASCII repr of key...", "Passphrase": "passphrase of the key" }
 *
 * Security note: the passphrase is stored in the same secret as the private
 * key, so any principal that may read the secret value obtains both. What
 * protects the key is access control on the secret (and on the KMS key, when
 * one is supplied), not the passphrase.
 */
class OpenPGPKeyPair extends constructs_1.Construct {
  /**
   * Wires up the key-generating Lambda, its IAM permissions, the custom
   * resource that invokes it, and the two handles exposed on the instance:
   * `credential` (the secret) and `principal` (the public-key parameter).
   *
   * @param parent - construct scope
   * @param name - construct id inside `parent`
   * @param props - settings; this constructor reads `secretName`,
   *   `pubKeyParameterName`, `encryptionKey`, `identity`, `email`, `expiry`,
   *   `keySizeBits`, `version`, `description` and `removalPolicy`
   */
  constructor(parent, name, props) {
    super(parent, name);

    const handlerDir = path.resolve(__dirname, 'custom-resource-handlers');

    // The handler is deployed as a container image built from the Dockerfile in handlerDir.
    const handlerImage = new aws_cdk_lib_1.aws_lambda.AssetImageCode(handlerDir, {
      file: 'Dockerfile',
      platform: aws_ecr_assets_1.Platform.LINUX_AMD64,
      buildArgs: {
        FUN_SRC_DIR: 'pgp-secret',
      },
      invalidation: {
        buildArgs: true,
      },
    });
    const keyGenerator = new aws_cdk_lib_1.aws_lambda.SingletonFunction(this, 'Lambda', {
      // Change the uuid to force deletion of the existing function and creation of a new one,
      // because changing the package type in place is not allowed.
      uuid: '2422BDC2-DBB0-47C1-B701-5599E0849C54',
      description: 'Generates an OpenPGP Key and stores the private key in Secrets Manager and the public key in an SSM Parameter',
      code: handlerImage,
      handler: aws_cdk_lib_1.aws_lambda.Handler.FROM_IMAGE,
      timeout: aws_cdk_lib_1.Duration.seconds(300),
      runtime: aws_cdk_lib_1.aws_lambda.Runtime.FROM_IMAGE,
    });

    // Secrets Manager ARNs end in "-" plus six generated characters, so the
    // "-??????" suffix confines the handler to secrets named props.secretName.
    const managedSecretArn = aws_cdk_lib_1.Stack.of(this).formatArn({
      service: 'secretsmanager',
      resource: 'secret',
      arnFormat: aws_cdk_lib_1.ArnFormat.COLON_RESOURCE_NAME,
      resourceName: `${props.secretName}-??????`,
    });
    const manageSecret = new aws_cdk_lib_1.aws_iam.PolicyStatement({
      actions: [
        'secretsmanager:CreateSecret',
        'secretsmanager:GetSecretValue',
        'secretsmanager:UpdateSecret',
        'secretsmanager:DeleteSecret',
      ],
      resources: [managedSecretArn],
    });
    keyGenerator.addToRolePolicy(manageSecret);

    // Eases migration from the version that handled the SSM parameter inside the custom resource.
    // NOTE(review): this allows ssm:DeleteParameter on every parameter ('*'),
    // not only the one holding this key's public part. Once it is confirmed
    // which parameter(s) the handler removes, scope the statement to them or
    // drop it when the migration is over.
    const deleteLegacyParameter = new aws_cdk_lib_1.aws_iam.PolicyStatement({
      actions: ['ssm:DeleteParameter'],
      resources: ['*'],
    });
    keyGenerator.addToRolePolicy(deleteLegacyParameter);

    if (props.encryptionKey) {
      // Key (resource) policy: here '*' designates the key the policy is
      // attached to. The kms:ViaService condition limits the handler role to
      // requests that reach KMS through Secrets Manager in this stack's region.
      const viaSecretsManager = `secretsmanager.${aws_cdk_lib_1.Stack.of(this).region}.amazonaws.com`;
      props.encryptionKey.addToResourcePolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
        actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
        resources: ['*'],
        principals: [keyGenerator.role.grantPrincipal],
        conditions: {
          StringEquals: {
            'kms:ViaService': viaSecretsManager,
          },
        },
      }));
    }

    // Called detached from util_1, as in the transpiled original.
    const { hashFileOrDirectory } = util_1;
    const keyArn = props.encryptionKey && props.encryptionKey.keyArn;
    const deleteImmediately = props.removalPolicy === OpenPGPKeyPairRemovalPolicy.DESTROY_IMMEDIATELY;
    // Change the custom resource id to force a new resource to be created when
    // the underlying Lambda function changes.
    const keyResource = new aws_cdk_lib_1.CustomResource(this, 'ResourceV2', {
      serviceToken: keyGenerator.functionArn,
      pascalCaseProperties: true,
      properties: {
        // Hash of the handler sources, passed to the handler as a property.
        resourceVersion: hashFileOrDirectory(handlerDir),
        identity: props.identity,
        email: props.email,
        expiry: props.expiry,
        keySizeBits: props.keySizeBits,
        secretName: props.secretName,
        keyArn,
        version: props.version,
        description: props.description,
        deleteImmediately,
      },
      removalPolicy: openPgpKeyPairRemovalPolicyToCoreRemovalPolicy(props.removalPolicy),
    });
    keyResource.node.addDependency(keyGenerator);

    // Only the secret's ARN and the public key are read back from the custom
    // resource; the private key is not one of the attributes used here.
    this.credential = aws_cdk_lib_1.aws_secretsmanager.Secret.fromSecretAttributes(this, 'Credential', {
      encryptionKey: props.encryptionKey,
      secretCompleteArn: keyResource.getAtt('SecretArn').toString(),
    });
    this.principal = new aws_cdk_lib_1.aws_ssm.StringParameter(this, 'Principal', {
      description: `The public part of the OpenPGP key in ${this.credential.secretArn}`,
      parameterName: props.pubKeyParameterName,
      stringValue: keyResource.getAtt('PublicKey').toString(),
    });
  }

  /**
   * Lets `grantee` read the private key: an identity policy on the secret
   * and, when the secret is encrypted with a customer KMS key, `kms:Decrypt`
   * in both the grantee's identity policy and the key's resource policy.
   *
   * @param grantee - must offer `addToPrincipalPolicy` and `grantPrincipal`
   */
  grantRead(grantee) {
    const { credential } = this;

    // Secret grant, identity-based only.
    // NOTE(review): secretsmanager:ListSecrets does not, as far as IAM
    // documents it, support resource-level scoping, so listing it against a
    // single secret ARN probably grants nothing. Confirm and drop it if so.
    const readSecret = new aws_cdk_lib_1.aws_iam.PolicyStatement({
      resources: [credential.secretArn],
      actions: ['secretsmanager:ListSecrets', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue'],
    });
    grantee.addToPrincipalPolicy(readSecret);

    const { encryptionKey } = credential;
    if (!encryptionKey) {
      return;
    }

    // Key grant: identity side first, then the key's own resource policy.
    grantee.addToPrincipalPolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
      resources: [encryptionKey.keyArn],
      actions: ['kms:Decrypt'],
    }));
    // NOTE(review): unlike the statement added for the handler role in the
    // constructor, this one carries no kms:ViaService condition, so the
    // grantee may call kms:Decrypt on this key directly and not only through
    // Secrets Manager. Add the condition if that is broader than intended.
    encryptionKey.addToResourcePolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
      resources: ['*'],
      principals: [grantee.grantPrincipal],
      actions: ['kms:Decrypt'],
    }));
  }
}
exports.OpenPGPKeyPair = OpenPGPKeyPair;
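/**
 * Translates an {@link OpenPGPKeyPairRemovalPolicy} into the CloudFormation
 * removal policy applied to the custom resource.
 *
 * Fail-safe default: an unspecified policy (`undefined` or `null`) maps to
 * RETAIN, matching the documented default. Previously only `undefined` did,
 * so a `null` coming from an untyped caller fell through to DESTROY and
 * could delete the key.
 *
 * @param removalPolicy - one of the OpenPGPKeyPairRemovalPolicy values, or nothing
 * @returns `RemovalPolicy.RETAIN` for RETAIN / unspecified, `RemovalPolicy.DESTROY` otherwise
 */
function openPgpKeyPairRemovalPolicyToCoreRemovalPolicy(removalPolicy) {
  // `== null` matches both undefined and null.
  if (removalPolicy == null || removalPolicy === OpenPGPKeyPairRemovalPolicy.RETAIN) {
    return aws_cdk_lib_1.RemovalPolicy.RETAIN;
  }
  // DESTROY_SAFELY and DESTROY_IMMEDIATELY both delete the resource at the stack level.
  return aws_cdk_lib_1.RemovalPolicy.DESTROY;
}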
//# sourceMappingURL=data:application/json;base64,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