1 | "use strict";
/**
 * Compiler-emitted helper that reads a private class member.
 *
 * @param {object|Function} receiver - Object (or class, for statics) the member is read from.
 * @param {WeakMap|WeakSet|Function} state - Brand store: a collection holding the instances
 *   that declared the member, or the class constructor itself for static members.
 * @param {string} kind - "m" for a method, "a" for an accessor, anything else for a field.
 * @param {Function|{value: *}} [f] - The method, the getter, or the static field's holder object.
 * @returns {*} The method itself, the getter's result, or the field value.
 * @throws {TypeError} If an accessor has no getter, or `receiver` fails the brand check.
 */
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
    const isAccessor = kind === "a";
    if (isAccessor && !f) {
        throw new TypeError("Private accessor was defined without a getter");
    }
    // Brand check: a static member needs the class itself as receiver (and a holder);
    // an instance member needs the receiver to be registered in the collection.
    let declared;
    if (typeof state === "function") {
        declared = receiver === state && Boolean(f);
    }
    else {
        declared = state.has(receiver);
    }
    if (!declared) {
        throw new TypeError("Cannot read private member from an object whose class did not declare it");
    }
    if (kind === "m") {
        return f;
    }
    if (isAccessor) {
        return f.call(receiver);
    }
    return f ? f.value : state.get(receiver);
};
|
// `_a` is bound to the AwsClient constructor once the class is defined; the second
// variable holds the `{ value }` box for the class's private static default
// verification URL. Both are assigned at the bottom of this file.
var _a, _AwsClient_DEFAULT_AWS_REGIONAL_CREDENTIAL_VERIFICATION_URL;
Object.defineProperty(exports, "__esModule", { value: true });
// Placeholder export, set before the require() calls that follow; the real class
// is assigned to exports.AwsClient after its definition.
exports.AwsClient = void 0;
|
23 | const awsrequestsigner_1 = require("./awsrequestsigner");
|
24 | const baseexternalclient_1 = require("./baseexternalclient");
|
25 | const defaultawssecuritycredentialssupplier_1 = require("./defaultawssecuritycredentialssupplier");
|
26 | const util_1 = require("../util");
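/**
 * External-account client for AWS workloads.
 *
 * It obtains an AWS region and AWS security credentials from a supplier, asks
 * AwsRequestSigner for the options of a POST to the regional credential
 * verification URL, and serializes that request as the subject token.
 *
 * Trust boundary: the URLs read from `credential_source` (`region_url`, `url`,
 * `imdsv2_session_token_url`, `regional_cred_verification_url`) are used as
 * given. Nothing in this class checks their scheme or host, so a credential
 * configuration accepted from an untrusted party decides where this process
 * sends requests. Validate such configurations before constructing the client.
 * NOTE(review): confirm whether the supplier or the base class adds checks.
 */
class AwsClient extends baseexternalclient_1.BaseExternalAccountClient {
    /**
     * @param {object} options - External-account options, in original or camelCase
     *   key form. Must carry exactly one of `credential_source` and
     *   `aws_security_credentials_supplier`.
     * @param {object} [additionalOptions] - Passed through to the base class unchanged.
     * @throws {Error} If neither or both credential inputs are given, or if the
     *   `credential_source` fails validateEnvironmentId().
     */
    constructor(options, additionalOptions) {
        super(options, additionalOptions);
        const opts = (0, util_1.originalOrCamelOptions)(options);
        const credentialSource = opts.get('credential_source');
        const awsSecurityCredentialsSupplier = opts.get('aws_security_credentials_supplier');
        // Exactly one of the two credential inputs is accepted.
        if (!credentialSource && !awsSecurityCredentialsSupplier) {
            throw new Error('A credential source or AWS security credentials supplier must be specified.');
        }
        if (credentialSource && awsSecurityCredentialsSupplier) {
            throw new Error('Only one of credential source or AWS security credentials supplier can be specified.');
        }
        if (awsSecurityCredentialsSupplier) {
            // Caller-supplied supplier: the verification URL is the class's private
            // static default, not something the caller's options can set.
            this.awsSecurityCredentialsSupplier = awsSecurityCredentialsSupplier;
            this.regionalCredVerificationUrl =
                __classPrivateFieldGet(_a, _a, "f", _AwsClient_DEFAULT_AWS_REGIONAL_CREDENTIAL_VERIFICATION_URL);
            this.credentialSourceType = 'programmatic';
        }
        else {
            const credentialSourceOpts = (0, util_1.originalOrCamelOptions)(credentialSource);
            this.environmentId = credentialSourceOpts.get('environment_id');
            // These three URLs come straight from the configuration and are
            // forwarded to the default supplier without validation in this class.
            const regionUrl = credentialSourceOpts.get('region_url');
            const securityCredentialsUrl = credentialSourceOpts.get('url');
            const imdsV2SessionTokenUrl = credentialSourceOpts.get('imdsv2_session_token_url');
            this.awsSecurityCredentialsSupplier =
                new defaultawssecuritycredentialssupplier_1.DefaultAwsSecurityCredentialsSupplier({
                    regionUrl,
                    securityCredentialsUrl,
                    imdsV2SessionTokenUrl,
                });
            // Also configuration-controlled: this is the URL the signed request targets.
            this.regionalCredVerificationUrl = credentialSourceOpts.get('regional_cred_verification_url');
            this.credentialSourceType = 'aws';
            this.validateEnvironmentId();
        }
        // Signer and region are created lazily on the first retrieveSubjectToken() call.
        this.awsRequestSigner = null;
        this.region = '';
    }
    /**
     * Checks the `credential_source` fields this class depends on.
     *
     * `environment_id` must have the form `aws<digits>`, the verification URL
     * must be set, and the numeric version must be 1.
     *
     * @throws {Error} If the environment id or verification URL is missing or
     *   malformed, or if the version is not 1.
     */
    validateEnvironmentId() {
        const environmentId = this.environmentId;
        const match = environmentId === null || environmentId === undefined
            ? undefined
            : environmentId.match(/^(aws)(\d+)$/);
        if (!match || !this.regionalCredVerificationUrl) {
            throw new Error('No valid AWS "credential_source" provided');
        }
        const version = match[2];
        if (Number.parseInt(version, 10) !== 1) {
            throw new Error(`aws version "${version}" is not supported in the current build.`);
        }
    }
    /**
     * Builds the subject token: a URL-encoded JSON document describing the
     * request to the regional credential verification URL.
     *
     * The returned string carries every header the signer produced, presumably
     * including the AWS signature and session token, so handle it as a
     * credential and keep it out of logs and error messages.
     *
     * @returns {Promise<string>} `encodeURIComponent` of a JSON object with
     *   `url`, `method` and `headers` (an array of `{ key, value }` pairs).
     */
    async retrieveSubjectToken() {
        // First call only: resolve the region and build the signer, then reuse both.
        if (!this.awsRequestSigner) {
            this.region = await this.awsSecurityCredentialsSupplier.getAwsRegion(this.supplierContext);
            this.awsRequestSigner = new awsrequestsigner_1.AwsRequestSigner(async () => {
                return this.awsSecurityCredentialsSupplier.getAwsSecurityCredentials(this.supplierContext);
            }, this.region);
        }
        // The region returned by the supplier is substituted into the URL as-is;
        // this method does not check that it looks like an AWS region name.
        const options = await this.awsRequestSigner.getRequestOptions({
            ..._a.RETRY_CONFIG,
            url: this.regionalCredVerificationUrl.replace('{region}', this.region),
            method: 'POST',
        });
        // The audience header is merged in after getRequestOptions() returns, so it
        // was not among the options handed to the signer; a header of the same
        // name in options.headers overrides it.
        const extendedHeaders = Object.assign({
            'x-goog-cloud-target-resource': this.audience,
        }, options.headers);
        // Own properties only: an enumerable property inherited from a polluted
        // Object.prototype must not be serialized into the token as a header.
        const reformattedHeader = Object.entries(extendedHeaders).map(([key, value]) => ({ key, value }));
        return encodeURIComponent(JSON.stringify({
            url: options.url,
            method: options.method,
            headers: reformattedHeader,
        }));
    }
}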
|
exports.AwsClient = AwsClient;
// `_a` is the alias the class body uses to reach its own statics.
_a = AwsClient;
// Private static default verification URL, used when the caller provides its own
// credentials supplier. `{region}` is replaced in retrieveSubjectToken().
_AwsClient_DEFAULT_AWS_REGIONAL_CREDENTIAL_VERIFICATION_URL = { value: 'https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15' };
// Link-local IPv4 address of the EC2 instance metadata service.
// NOTE(review): not referenced in the visible part of this file; presumably kept
// for callers that compare a configured metadata URL's host against it. Confirm.
AwsClient.AWS_EC2_METADATA_IPV4_ADDRESS = '169.254.169.254';
// IPv6 address of the EC2 instance metadata service (same caveat as above).
AwsClient.AWS_EC2_METADATA_IPV6_ADDRESS = 'fd00:ec2::254';
|