Initial

resources/app/node_modules/@aws-sdk/credential-provider-sso/dist-es/fromSSO.js

@@ -0,0 +1,61 @@
+import { CredentialsProviderError } from "@smithy/property-provider";
+import { getProfileName, loadSsoSessionData, parseKnownFiles } from "@smithy/shared-ini-file-loader";
+import { isSsoProfile } from "./isSsoProfile";
+import { resolveSSOCredentials } from "./resolveSSOCredentials";
+import { validateSsoProfile } from "./validateSsoProfile";
+export const fromSSO = (init = {}) => async () => {
+    init.logger?.debug("@aws-sdk/credential-provider-sso", "fromSSO");
+    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoSession } = init;
+    const { ssoClient } = init;
+    const profileName = getProfileName(init);
+    if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
+        const profiles = await parseKnownFiles(init);
+        const profile = profiles[profileName];
+        if (!profile) {
+            throw new CredentialsProviderError(`Profile ${profileName} was not found.`);
+        }
+        if (!isSsoProfile(profile)) {
+            throw new CredentialsProviderError(`Profile ${profileName} is not configured with SSO credentials.`);
+        }
+        if (profile?.sso_session) {
+            const ssoSessions = await loadSsoSessionData(init);
+            const session = ssoSessions[profile.sso_session];
+            const conflictMsg = ` configurations in profile ${profileName} and sso-session ${profile.sso_session}`;
+            if (ssoRegion && ssoRegion !== session.sso_region) {
+                throw new CredentialsProviderError(`Conflicting SSO region` + conflictMsg, false);
+            }
+            if (ssoStartUrl && ssoStartUrl !== session.sso_start_url) {
+                throw new CredentialsProviderError(`Conflicting SSO start_url` + conflictMsg, false);
+            }
+            profile.sso_region = session.sso_region;
+            profile.sso_start_url = session.sso_start_url;
+        }
+        const { sso_start_url, sso_account_id, sso_region, sso_role_name, sso_session } = validateSsoProfile(profile);
+        return resolveSSOCredentials({
+            ssoStartUrl: sso_start_url,
+            ssoSession: sso_session,
+            ssoAccountId: sso_account_id,
+            ssoRegion: sso_region,
+            ssoRoleName: sso_role_name,
+            ssoClient: ssoClient,
+            clientConfig: init.clientConfig,
+            profile: profileName,
+        });
+    }
+    else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
+        throw new CredentialsProviderError("Incomplete configuration. The fromSSO() argument hash must include " +
+            '"ssoStartUrl", "ssoAccountId", "ssoRegion", "ssoRoleName"');
+    }
+    else {
+        return resolveSSOCredentials({
+            ssoStartUrl,
+            ssoSession,
+            ssoAccountId,
+            ssoRegion,
+            ssoRoleName,
+            ssoClient,
+            clientConfig: init.clientConfig,
+            profile: profileName,
+        });
+    }
+};

resources/app/node_modules/@aws-sdk/credential-provider-sso/dist-es/index.js

@@ -0,0 +1,4 @@
+export * from "./fromSSO";
+export * from "./isSsoProfile";
+export * from "./types";
+export * from "./validateSsoProfile";

resources/app/node_modules/@aws-sdk/credential-provider-sso/dist-es/isSsoProfile.js

@@ -0,0 +1,6 @@
+export const isSsoProfile = (arg) => arg &&
+    (typeof arg.sso_start_url === "string" ||
+        typeof arg.sso_account_id === "string" ||
+        typeof arg.sso_session === "string" ||
+        typeof arg.sso_region === "string" ||
+        typeof arg.sso_role_name === "string");

resources/app/node_modules/@aws-sdk/credential-provider-sso/dist-es/loadSso.js

@@ -0,0 +1,2 @@
+import { GetRoleCredentialsCommand, SSOClient } from "@aws-sdk/client-sso";
+export { GetRoleCredentialsCommand, SSOClient };

resources/app/node_modules/@aws-sdk/credential-provider-sso/dist-es/resolveSSOCredentials.js

@@ -0,0 +1,53 @@
+import { fromSso as getSsoTokenProvider } from "@aws-sdk/token-providers";
+import { CredentialsProviderError } from "@smithy/property-provider";
+import { getSSOTokenFromFile } from "@smithy/shared-ini-file-loader";
+const SHOULD_FAIL_CREDENTIAL_CHAIN = false;
+export const resolveSSOCredentials = async ({ ssoStartUrl, ssoSession, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, clientConfig, profile, }) => {
+    let token;
+    const refreshMessage = `To refresh this SSO session run aws sso login with the corresponding profile.`;
+    if (ssoSession) {
+        try {
+            const _token = await getSsoTokenProvider({ profile })();
+            token = {
+                accessToken: _token.token,
+                expiresAt: new Date(_token.expiration).toISOString(),
+            };
+        }
+        catch (e) {
+            throw new CredentialsProviderError(e.message, SHOULD_FAIL_CREDENTIAL_CHAIN);
+        }
+    }
+    else {
+        try {
+            token = await getSSOTokenFromFile(ssoStartUrl);
+        }
+        catch (e) {
+            throw new CredentialsProviderError(`The SSO session associated with this profile is invalid. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN);
+        }
+    }
+    if (new Date(token.expiresAt).getTime() - Date.now() <= 0) {
+        throw new CredentialsProviderError(`The SSO session associated with this profile has expired. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN);
+    }
+    const { accessToken } = token;
+    const { SSOClient, GetRoleCredentialsCommand } = await import("./loadSso");
+    const sso = ssoClient ||
+        new SSOClient(Object.assign({}, clientConfig ?? {}, {
+            region: clientConfig?.region ?? ssoRegion,
+        }));
+    let ssoResp;
+    try {
+        ssoResp = await sso.send(new GetRoleCredentialsCommand({
+            accountId: ssoAccountId,
+            roleName: ssoRoleName,
+            accessToken,
+        }));
+    }
+    catch (e) {
+        throw CredentialsProviderError.from(e, SHOULD_FAIL_CREDENTIAL_CHAIN);
+    }
+    const { roleCredentials: { accessKeyId, secretAccessKey, sessionToken, expiration, credentialScope } = {} } = ssoResp;
+    if (!accessKeyId || !secretAccessKey || !sessionToken || !expiration) {
+        throw new CredentialsProviderError("SSO returns an invalid temporary credential.", SHOULD_FAIL_CREDENTIAL_CHAIN);
+    }
+    return { accessKeyId, secretAccessKey, sessionToken, expiration: new Date(expiration), credentialScope };
+};

resources/app/node_modules/@aws-sdk/credential-provider-sso/dist-es/types.js

@@ -0,0 +1 @@
+export {};

resources/app/node_modules/@aws-sdk/credential-provider-sso/dist-es/validateSsoProfile.js

@@ -0,0 +1,9 @@
+import { CredentialsProviderError } from "@smithy/property-provider";
+export const validateSsoProfile = (profile) => {
+    const { sso_start_url, sso_account_id, sso_region, sso_role_name } = profile;
+    if (!sso_start_url || !sso_account_id || !sso_region || !sso_role_name) {
+        throw new CredentialsProviderError(`Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", ` +
+            `"sso_region", "sso_role_name", "sso_start_url". Got ${Object.keys(profile).join(", ")}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`, false);
+    }
+    return profile;
+};