/**
* Created by CCristi on 11/21/16.
*/
"use strict";

// Transpiler ESM-interop preamble: flag this CommonJS module as a compiled ES module
// and pre-declare the named export; the real value is assigned once the class exists.
Object.defineProperty(exports, "__esModule", { value: true });
exports.CredentialsManager = undefined;
/**
 * Transpiler class helper. Installs `protoProps` on `Constructor.prototype` and
 * `staticProps` on `Constructor` itself, then returns `Constructor`.
 * Each entry is a property descriptor carrying an extra `key` field; members are
 * made non-enumerable (unless the descriptor asks otherwise) and configurable, and
 * data descriptors (those with a `value`) are additionally made writable.
 */
const _createClass = (function () {
  function install(target, descriptors) {
    for (const descriptor of descriptors) {
      // class members stay hidden from enumeration unless explicitly requested
      descriptor.enumerable = descriptor.enumerable || false;
      descriptor.configurable = true;
      if ("value" in descriptor) {
        descriptor.writable = true;
      }
      Object.defineProperty(target, descriptor.key, descriptor);
    }
  }

  return function (Constructor, protoProps, staticProps) {
    if (protoProps) {
      install(Constructor.prototype, protoProps);
    }
    if (staticProps) {
      install(Constructor, staticProps);
    }
    return Constructor;
  };
})();
var _TokenManager = require('./TokenManager');
var _awsSdk = require('aws-sdk');
var _awsSdk2 = _interopRequireDefault(_awsSdk);
var _IdentityProviderTokenExpiredException = require('./Exception/IdentityProviderTokenExpiredException');
var _AuthException = require('./Exception/AuthException');
/**
 * Transpiler interop helper: a compiled ES module (truthy `__esModule`) is returned
 * as-is, anything else (a plain CommonJS export, null, undefined) is wrapped so that
 * `.default` yields it.
 * @param {*} obj - result of `require()`
 * @returns {Object} `obj` itself, or `{ default: obj }`
 */
function _interopRequireDefault(obj) {
  if (obj && obj.__esModule) {
    return obj;
  }
  return { default: obj };
}
/**
 * Transpiler class helper: enforces that a constructor was invoked with `new`.
 * @param {*} instance - the `this` seen by the constructor
 * @param {Function} Constructor - the class being constructed
 * @throws {TypeError} when `instance` is not an instance of `Constructor`
 */
function _classCallCheck(instance, Constructor) {
  if (instance instanceof Constructor) {
    return;
  }
  throw new TypeError("Cannot call a class as a function");
}
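/**
 * Caches and refreshes the AWS credentials that a Token obtains through a Cognito
 * identity pool: one "system" set (no role) plus one set per assumed IAM role,
 * keyed by `roleSessionKey(role)`.
 *
 * Security notes for maintainers:
 *  - Credentials created here get a `toJSON` that serialises the secret access key
 *    and the session token. Anything that JSON-encodes a credentials object — a
 *    persistence layer, but also a stray `console.log`/`JSON.stringify` — emits
 *    live AWS secrets. Never log these objects.
 *  - The `systemCredentials` setter (and `overwriteAWSCredentials`) mutates the
 *    process-wide `AWS.config.credentials` unless the token reports a Lambda
 *    context. NOTE(review): in a long-running server handling several users that
 *    global would be shared between them — confirm this class is only used
 *    per-process/per-user.
 */
class CredentialsManager {
  /**
   * @param {Token} token - supplies the identity pool id, the identity provider
   *   and the `lambdaContext` flag; its `_sts`/`_tokenManager` internals are
   *   touched by overwriteAWSCredentials.
   */
  constructor(token) {
    this._token = token;
    this._systemCredentials = null;
    // roleSessionKey(role) -> AWS.CognitoIdentityCredentials
    this._rolesCredentials = {};
  }

  /**
   * Whether `credentials` exist and their `expireTime` lies in the future.
   * @param {Object} credentials
   * @returns {boolean}
   */
  validCredentials(credentials) {
    // Boolean(): a missing object yields `false` rather than leaking null/undefined
    // to callers that compare the documented boolean strictly.
    return Boolean(credentials && this.getCredentialsExpireDateTime(credentials) > new Date());
  }

  /**
   * @param {Object} credentials
   * @returns {Date|null} `credentials.expireTime` as a Date, or null when the
   *   object is missing or has no own `expireTime` property
   */
  getCredentialsExpireDateTime(credentials) {
    if (!credentials || !Object.prototype.hasOwnProperty.call(credentials, 'expireTime')) {
      return null;
    }
    const { expireTime } = credentials;
    // AWS.Credentials initialises expireTime to null; new Date(null) is the epoch,
    // which validCredentials() correctly treats as expired.
    return expireTime instanceof Date ? expireTime : new Date(expireTime);
  }

  /**
   * Resolve credentials for `role` (or the system credentials when `role` is null).
   * Missing or expired credentials are rebuilt and refreshed — after the identity
   * provider token itself has been refreshed if needed — unless `refreshOnExpired`
   * is false, in which case whatever is cached (or a fresh, unrefreshed object) is
   * returned as-is.
   *
   * @param {Object|null} role - role descriptor with `Id` and `IamRole.Arn`
   * @param {Boolean} refreshOnExpired
   * @returns {Promise<AWS.CognitoIdentityCredentials|AWS.Credentials>}
   */
  getCredentials(role = null, refreshOnExpired = true) {
    const cached = role
      ? this._rolesCredentials[this.roleSessionKey(role)]
      : this._systemCredentials;
    const credentials = cached || this._createCognitoIdentityCredentials(role);

    if (this.validCredentials(credentials) || !refreshOnExpired) {
      return Promise.resolve(credentials);
    }

    return this.refreshIdentityProviderIfNeeded().then(() => {
      const fresh = this._createCognitoIdentityCredentials(role);
      if (role) {
        this._rolesCredentials[this.roleSessionKey(role)] = fresh;
      } else {
        // setter: outside Lambda this also installs them as AWS.config.credentials
        this.systemCredentials = fresh;
      }
      return this._refreshCredentials(fresh);
    });
  }

  /**
   * Refresh the identity provider's token when a provider is configured and its
   * token is no longer valid; otherwise resolve immediately.
   * @returns {Promise}
   */
  refreshIdentityProviderIfNeeded() {
    const provider = this.identityProvider;
    if (provider && !provider.isTokenValid()) {
      return provider.refresh();
    }
    return Promise.resolve();
  }

  /**
   * Ask AWS for fresh keys for `credentials`.
   * @param {AWS.CognitoIdentityCredentials|AWS.Credentials} credentials
   * @returns {Promise<AWS.CognitoIdentityCredentials|AWS.Credentials>} resolves
   *   with the same (now refreshed) object; rejects with AuthException for a
   *   foreign object or a failed refresh, and with
   *   IdentityProviderTokenExpiredException when the provider token is stale
   * @private
   */
  _refreshCredentials(credentials) {
    const AWS = _awsSdk2.default;
    if (!(credentials instanceof AWS.CognitoIdentityCredentials || credentials instanceof AWS.Credentials)) {
      // message now matches the check: plain AWS.Credentials are accepted too
      return Promise.reject(new _AuthException.AuthException(
        'Invalid credentials instance. Passed credentials must be an instance of AWS.CognitoIdentityCredentials or AWS.Credentials.'
      ));
    }

    const provider = this.identityProvider;
    if (provider && !provider.isTokenValid()) {
      // do not attempt a refresh with a stale provider token; report it as a typed error
      return Promise.reject(new _IdentityProviderTokenExpiredException.IdentityProviderTokenExpiredException(
        provider.domain,
        provider.tokenExpirationTime
      ));
    }

    return new Promise((resolve, reject) => {
      credentials.refresh(error => {
        if (error) {
          reject(new _AuthException.AuthException(error));
          return;
        }
        resolve(credentials);
      });
    });
  }

  /**
   * Cache key and Cognito RoleSessionName for `role`:
   * `<TokenManager.RECORD_NAME>-<role.Id>`, or `<RECORD_NAME>-default` without a role.
   * @param {Object|null} role
   * @returns {string}
   */
  roleSessionKey(role) {
    const suffix = role ? role.Id : 'default';
    return `${_TokenManager.TokenManager.RECORD_NAME}-${suffix}`;
  }

  /**
   * Build (but do not refresh) Cognito credentials for the token's identity pool.
   * With an identity provider present its user token is passed as the pool login
   * and, when `role` is given, the role's ARN is requested from the pool.
   *
   * @param {Object|null} role - role descriptor with `Id` and `IamRole.Arn`
   * @returns {AWS.CognitoIdentityCredentials}
   * @private
   */
  _createCognitoIdentityCredentials(role = null) {
    const cognitoParams = { IdentityPoolId: this.identityPoolId };
    const provider = this.identityProvider;
    if (provider) {
      cognitoParams.Logins = { [provider.domain]: provider.userToken };
      cognitoParams.LoginId = provider.userId;
      if (role) {
        cognitoParams.RoleArn = role.IamRole.Arn;
        cognitoParams.RoleSessionName = this.roleSessionKey(role);
      }
    }

    const credentials = new _awsSdk2.default.CognitoIdentityCredentials(cognitoParams);

    // SECURITY: this serialisation includes the secret access key and session token.
    // Presumably it exists so the library can persist/restore credentials — verify
    // the consumer. Anything else that JSON-encodes a credentials object (logging!)
    // leaks live AWS secrets.
    // Must stay a regular function: `this` is the credentials instance, not the manager.
    credentials.toJSON = function () {
      return {
        expired: this.expired,
        expireTime: this.expireTime,
        accessKeyId: this.accessKeyId,
        secretAccessKey: this.secretAccessKey,
        sessionToken: this.sessionToken
      };
    };
    return credentials;
  }

  /**
   * Drop the cached Cognito identity id of the system credentials and of every
   * cached role credentials object.
   * Side effect: when the system credentials are not Cognito credentials (e.g. a
   * plain AWS.Credentials) they are REPLACED by fresh Cognito credentials first,
   * and — outside Lambda — that replacement is also installed as
   * AWS.config.credentials via the setter.
   * @returns {CredentialsManager} this
   */
  clearCache() {
    const { CognitoIdentityCredentials } = _awsSdk2.default;

    if (!(this._systemCredentials instanceof CognitoIdentityCredentials)) {
      // cognitoSyncManager fails to wipe data if credentials are an instance of AWS.Credentials
      this.systemCredentials = this._createCognitoIdentityCredentials();
    }
    this._systemCredentials.clearCachedId();

    for (const key of Object.keys(this._rolesCredentials)) {
      const roleCredentials = this._rolesCredentials[key];
      if (roleCredentials instanceof CognitoIdentityCredentials) {
        roleCredentials.clearCachedId();
      }
    }
    return this;
  }

  /**
   * Install `credentials` as the process-wide AWS.config.credentials and on the
   * token's STS client, and drop the token manager's CognitoSync client so it is
   * rebuilt with the new credentials.
   * NOTE(review): `AWS.config.credentials` is global to the process; see the class
   * doc for the multi-user caveat.
   * @param {AWS.CognitoIdentityCredentials|AWS.Credentials|*} credentials
   * @returns {CredentialsManager} this
   */
  overwriteAWSCredentials(credentials) {
    _awsSdk2.default.config.credentials = credentials;

    if (this._token) {
      // reaches into Token/TokenManager internals (`_sts`, `_tokenManager`)
      this._token._sts.credentials = credentials;
      if (this._token._tokenManager) {
        // tokenManager will create a new instance of CognitoSyncClient
        this._token._tokenManager._cognitoSyncClient = null;
      }
    }
    return this;
  }

  /** @returns {Token} */
  get token() {
    return this._token;
  }

  /** @returns {String} identity pool id read from the token (Cognito IdentityPoolId) */
  get identityPoolId() {
    return this.token._identityPoolId;
  }

  /** @returns {IdentityProvider} the token's identity provider, if any */
  get identityProvider() {
    return this.token.identityProvider;
  }

  /** @returns {Object} role credentials keyed by roleSessionKey(role) */
  get rolesCredentials() {
    return this._rolesCredentials;
  }

  /** @param {Object} rolesCredentials - replacement cache, keyed by roleSessionKey(role) */
  set rolesCredentials(rolesCredentials) {
    this._rolesCredentials = rolesCredentials;
  }

  /**
   * Stores the system credentials and, unless the token runs in a Lambda context
   * (presumably to leave the runtime's own credentials untouched), installs them
   * globally via overwriteAWSCredentials.
   * @param {AWS.CognitoIdentityCredentials|AWS.Credentials|*} systemCredentials
   */
  set systemCredentials(systemCredentials) {
    this._systemCredentials = systemCredentials;
    if (!this.token.lambdaContext) {
      this.overwriteAWSCredentials(systemCredentials);
    }
  }

  /** @returns {AWS.CognitoIdentityCredentials|AWS.Credentials|*} */
  get systemCredentials() {
    return this._systemCredentials;
  }
}

exports.CredentialsManager = CredentialsManager;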