UNPKG

serverless-spy

Version:

CDK-based library for writing elegant integration tests on AWS serverless architecture and an additional web console to monitor events in real time.

serverlessspy.com

ServerlessLife/serverless-spy

94 lines (93 loc) • 5.12 kB

JavaScript

import { setCredentialFeature } from "@aws-sdk/core/client"; import { AssumeRoleCommand } from "./commands/AssumeRoleCommand"; import { AssumeRoleWithWebIdentityCommand, } from "./commands/AssumeRoleWithWebIdentityCommand"; const ASSUME_ROLE_DEFAULT_REGION = "us-east-1"; const getAccountIdFromAssumedRoleUser = (assumedRoleUser) => { if (typeof assumedRoleUser?.Arn === "string") { const arnComponents = assumedRoleUser.Arn.split(":"); if (arnComponents.length > 4 && arnComponents[4] !== "") { return arnComponents[4]; } } return undefined; }; const resolveRegion = async (_region, _parentRegion, credentialProviderLogger) => { const region = typeof _region === "function" ? await _region() : _region; const parentRegion = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion; credentialProviderLogger?.debug?.("@aws-sdk/client-sts::resolveRegion", "accepting first of:", `${region} (provider)`, `${parentRegion} (parent client)`, `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`); return region ?? parentRegion ?? ASSUME_ROLE_DEFAULT_REGION; }; export const getDefaultRoleAssumer = (stsOptions, stsClientCtor) => { let stsClient; let closureSourceCreds; return async (sourceCreds, params) => { closureSourceCreds = sourceCreds; if (!stsClient) { const { logger = stsOptions?.parentClientConfig?.logger, region, requestHandler = stsOptions?.parentClientConfig?.requestHandler, credentialProviderLogger, } = stsOptions; const resolvedRegion = await resolveRegion(region, stsOptions?.parentClientConfig?.region, credentialProviderLogger); const isCompatibleRequestHandler = !isH2(requestHandler); stsClient = new stsClientCtor({ credentialDefaultProvider: () => async () => closureSourceCreds, region: resolvedRegion, requestHandler: isCompatibleRequestHandler ? requestHandler : undefined, logger: logger, }); } const { Credentials, AssumedRoleUser } = await stsClient.send(new AssumeRoleCommand(params)); if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) { throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`); } const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser); const credentials = { accessKeyId: Credentials.AccessKeyId, secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken, expiration: Credentials.Expiration, ...(Credentials.CredentialScope && { credentialScope: Credentials.CredentialScope }), ...(accountId && { accountId }), }; setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE", "i"); return credentials; }; }; export const getDefaultRoleAssumerWithWebIdentity = (stsOptions, stsClientCtor) => { let stsClient; return async (params) => { if (!stsClient) { const { logger = stsOptions?.parentClientConfig?.logger, region, requestHandler = stsOptions?.parentClientConfig?.requestHandler, credentialProviderLogger, } = stsOptions; const resolvedRegion = await resolveRegion(region, stsOptions?.parentClientConfig?.region, credentialProviderLogger); const isCompatibleRequestHandler = !isH2(requestHandler); stsClient = new stsClientCtor({ region: resolvedRegion, requestHandler: isCompatibleRequestHandler ? requestHandler : undefined, logger: logger, }); } const { Credentials, AssumedRoleUser } = await stsClient.send(new AssumeRoleWithWebIdentityCommand(params)); if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) { throw new Error(`Invalid response from STS.assumeRoleWithWebIdentity call with role ${params.RoleArn}`); } const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser); const credentials = { accessKeyId: Credentials.AccessKeyId, secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken, expiration: Credentials.Expiration, ...(Credentials.CredentialScope && { credentialScope: Credentials.CredentialScope }), ...(accountId && { accountId }), }; if (accountId) { setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T"); } setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID", "k"); return credentials; }; }; export const decorateDefaultCredentialProvider = (provider) => (input) => provider({ roleAssumer: getDefaultRoleAssumer(input, input.stsClientCtor), roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(input, input.stsClientCtor), ...input, }); const isH2 = (requestHandler) => { return requestHandler?.metadata?.handlerProtocol === "h2"; };