UNPKG

aws-delivlib

Version:

A fabulous library for defining continuous pipelines for building, testing and releasing code libraries.

github.com/cdklabs/aws-delivlib

cdklabs/aws-delivlib

81 lines (77 loc) 2.9 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
function string2ArrayBuffer(str) { const buf = new ArrayBuffer(str.length); const bufView = new Uint8Array(buf); for (let i = 0, strLen = str.length; i < strLen; i++) { bufView[i] = str.charCodeAt(i); } return buf; } function getDERfromPEM(pem) { const pemB64 = pem .trim() .split("\n") .slice(1, -1) // Remove the --- BEGIN / END PRIVATE KEY --- .join(""); const decoded = atob(pemB64); return string2ArrayBuffer(decoded); } function getEncodedMessage(header, payload) { return `${base64encodeJSON(header)}.${base64encodeJSON(payload)}`; } function base64encode(buffer) { var binary = ""; var bytes = new Uint8Array(buffer); var len = bytes.byteLength; for (var i = 0; i < len; i++) { binary += String.fromCharCode(bytes[i]); } return fromBase64(btoa(binary)); } function fromBase64(base64) { return base64.replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_"); } function base64encodeJSON(obj) { return fromBase64(btoa(JSON.stringify(obj))); } const getToken = async ({ privateKey, payload, }) => { // WebCrypto only supports PKCS#8, unfortunately if (/BEGIN RSA PRIVATE KEY/.test(privateKey)) { throw new Error("[universal-github-app-jwt] Private Key is in PKCS#1 format, but only PKCS#8 is supported. See https://github.com/gr2m/universal-github-app-jwt#readme"); } const algorithm = { name: "RSASSA-PKCS1-v1_5", hash: { name: "SHA-256" }, }; const header = { alg: "RS256", typ: "JWT" }; const privateKeyDER = getDERfromPEM(privateKey); const importedKey = await crypto.subtle.importKey("pkcs8", privateKeyDER, algorithm, false, ["sign"]); const encodedMessage = getEncodedMessage(header, payload); const encodedMessageArrBuf = string2ArrayBuffer(encodedMessage); const signatureArrBuf = await crypto.subtle.sign(algorithm.name, importedKey, encodedMessageArrBuf); const encodedSignature = base64encode(signatureArrBuf); return `${encodedMessage}.${encodedSignature}`; }; async function githubAppJwt({ id, privateKey, now = Math.floor(Date.now() / 1000), }) { // When creating a JSON Web Token, it sets the "issued at time" (iat) to 30s // in the past as we have seen people running situations where the GitHub API // claimed the iat would be in future. It turned out the clocks on the // different machine were not in sync. const nowWithSafetyMargin = now - 30; const expiration = nowWithSafetyMargin + 60 * 10; // JWT expiration time (10 minute maximum) const payload = { iat: nowWithSafetyMargin, exp: expiration, iss: id, }; const token = await getToken({ privateKey, payload, }); return { appId: id, expiration, token, }; } export { githubAppJwt }; //# sourceMappingURL=index.js.map