All files aws-codecommit-git-credentials-manager.ts

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
1x
1x
1x
 
 
1x
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1x
 
 
 
 
 
 
4x
4x
1x
 
 
 
 
 
 
 
 
 
 
2x
 
2x
 
 
 
 
 
 
 
 
1x
1x
1x
 
 
 
 
 
 
 
 
4x
4x
4x
4x
4x
 
4x
 
 
 
 
 
 
 
 
 
 
 
 
4x
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
4x
 
4x
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
4x
4x
4x
4x
4x
 
 
 
 
 
 
 
 
4x
1x
 
 
 
1x
 
 
 
 
 
3x
 
3x
 
 
 
 
 
import { DateTimeHelper } from "./date-time-helper";
import { createHash, createHmac } from 'node:crypto';
import {
    fromNodeProviderChain,
  } from '@aws-sdk/credential-providers';
import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
import { AwsCredentialIdentityProvider } from "@smithy/types";
 
/**
 * @typedef AwsCodeCommitGitCredentials
 * @typedef AwsCredentialIdentity
 */
 
export interface AwsCodeCommitGitCredentials {
    username:string;
    password:string;
}
 
/** 
 * A class to request temporary git credentials to be used with the default GIT Protocol 
 */
export class AwsCodeCommitGitCredentialsManager {
    private _stsClient?:STSClient;
    /**
     * Create an AwsCodeCommitGitCredentialsManager for a specific region
     * @param {string} region - The region to which the AwsCodeCommitGitCredentialsManager applies
     * @param {string?} assumeRoleArn - optional arn of the role to assume for retrieving the GIT credentials from AWS
     */
    constructor(readonly region:string,readonly assumeRoleArn?:string) {
        if(assumeRoleArn) {
            this._stsClient = new STSClient()
        }
    }
 
    /**
     * Get the git url that can be used for running for example 'git clone'-commands.
     * The url itself will contain the generated credentials for GIT authentication.
     * @param {string} repositoryName - The name of the git repository for which we want a url
     * @return {string} Git url including git credentials
     */
    public async GetGitUrlWithCredentials(repositoryName:string):Promise<string> {
        const credentials:AwsCodeCommitGitCredentials = await this.GetCredentials(repositoryName);
 
        return 'https://'+encodeURIComponent(credentials.username)+':'+encodeURIComponent(credentials.password)+`@git-codecommit.${this.region}.amazonaws.com/v1/repos/${repositoryName}`;
    }
 
    /**
     * Get the http authorization header that can be used for 'git'-commands.
     * @param {string} repositoryName - The name of the git repository for which we want the authorization header
     * @return {string} Authorization header in the format `Authorization: Basic <base64-credentialstring>`
     */
    public async GetAuthorizationHeader(repositoryName:string):Promise<string> {
        const creds:AwsCodeCommitGitCredentials = await this.GetCredentials(repositoryName);
        const authString = `${creds.username}:${creds.password}`;
        return `Authorization: Basic ${Buffer.from(authString).toString('base64')}`;
    }
 
    /**
     * Get the credentials (username,password) to use to authenticate to GIT.
     * @param {string} repositoryName - The name of the git repository for which we want the credentials
     * @return {AwsCodeCommitGitCredentials} The credentials to use to authenticate to GIT 
     */
    public async GetCredentials(repositoryName:string):Promise<AwsCodeCommitGitCredentials> {          
        const date = new Date();
        const canonicalRequest = this.getCanonicalRequest(repositoryName);
        const stringToSign = this.getStringToSign(canonicalRequest,date);
        const awsCredentials = await this.getAwsCredentials();
        const signature = this.getSignature(stringToSign,awsCredentials.secretAccessKey,date)
 
        return {
            username: `${awsCredentials.accessKeyId}%${awsCredentials.sessionToken}`,
            password: `${DateTimeHelper.GetTimestampString(date)}Z${signature}`
        }
    }
 
    /**
     * Get the canonical request to generate the GIT credentials
     * @param {string} repositoryName - The name of the git repository for which we want the credentials
     * @return {string} The canonical request
     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html#create-canonical-request
     */
    private getCanonicalRequest(repositoryName:string):string {
        return [
            `GIT`,
            `/v1/repos/${repositoryName}`,
            ``,
            `host:git-codecommit.${this.region}.amazonaws.com`,
            ``,
            `host`,
            ``
        ].join("\n");
    }
 
    /**
     * Get the "stringToSign" to generate the GIT credentials
     * @param {string} canonicalRequest - The canonical request to use to create the "stringToSign"
     * @param {Date} date - The date to use to create the "stringToSign"
     * @return {string} The stringToSign value
     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html#create-string-to-sign
     */
    private getStringToSign(canonicalRequest:string,date:Date):string {
        const hashString = createHash('sha256').update(canonicalRequest).digest('hex');
 
        return [
            `AWS4-HMAC-SHA256`,
            DateTimeHelper.GetTimestampString(date),
            `${DateTimeHelper.GetDateString(date)}/${this.region}/codecommit/aws4_request`,
            hashString
        ].join("\n");
    }
 
    /**
     * Get the signature to generate the GIT credentials
     * @param {string} stringToSign - The "stringToSign" value to create the signature
     * @param {string} secretAccessKey - The AWS secret key that is required to calculate the signature
     * @param {Date} date - The date to use to create the "stringToSign"
     * @return {string} The signature
     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html#calculate-signature
     * @private
     */
    private getSignature(stringToSign:string, secretAccessKey:string, date:Date):string {
        const hmacDate = createHmac('sha256', "AWS4"+secretAccessKey).update(DateTimeHelper.GetDateString(date)).digest()
        const hmacRegion = createHmac('sha256', hmacDate).update(this.region).digest()
        const hmacService = createHmac('sha256', hmacRegion).update("codecommit").digest()
        const hmacSigning  = createHmac('sha256', hmacService).update("aws4_request").digest()
        return createHmac('sha256', hmacSigning).update(stringToSign).digest("hex")
    }
 
    /**
     * Retrieve the AWS credentials from the default AWS provider chain
     * @return {AwsCredentialIdentity} The AWS credential provider
     * @private
     */
    private async getAwsCredentials():Promise<{secretAccessKey:string,accessKeyId:string,sessionToken?:string}> {
        if(this.assumeRoleArn && this._stsClient) {
            const response = await this._stsClient.send(new AssumeRoleCommand({
                RoleArn: this.assumeRoleArn,
                RoleSessionName: `git-credential-manager`
            }));
            return {
                accessKeyId: response.Credentials!.AccessKeyId!,
                secretAccessKey: response.Credentials!.SecretAccessKey!,
                sessionToken: response.Credentials!.SessionToken
            };
        } else {
            const defaultProvider: AwsCredentialIdentityProvider = fromNodeProviderChain();
 
            return {
                ...(await defaultProvider())
            };
        }
    }
}