credentials.js
9.56 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
var AWS = require('./core');
/**
* Represents your AWS security credentials, specifically the
* {accessKeyId}, {secretAccessKey}, and optional {sessionToken}.
* Creating a `Credentials` object allows you to pass around your
* security information to configuration and service objects.
*
* Note that this class typically does not need to be constructed manually,
* as the {AWS.Config} and {AWS.Service} classes both accept simple
* options hashes with the three keys. These structures will be converted
* into Credentials objects automatically.
*
* ## Expiring and Refreshing Credentials
*
* Occasionally credentials can expire in the middle of a long-running
* application. In this case, the SDK will automatically attempt to
* refresh the credentials from the storage location if the Credentials
* class implements the {refresh} method.
*
* If you are implementing a credential storage location, you
* will want to create a subclass of the `Credentials` class and
* override the {refresh} method. This method allows credentials to be
* retrieved from the backing store, be it a file system, database, or
* some network storage. The method should reset the credential attributes
* on the object.
*
* @!attribute expired
* @return [Boolean] whether the credentials have been expired and
* require a refresh. Used in conjunction with {expireTime}.
* @!attribute expireTime
* @return [Date] a time when credentials should be considered expired. Used
* in conjunction with {expired}.
* @!attribute accessKeyId
* @return [String] the AWS access key ID
* @!attribute secretAccessKey
* @return [String] the AWS secret access key
* @!attribute sessionToken
* @return [String] an optional AWS session token
*/
AWS.Credentials = AWS.util.inherit({
/**
* A credentials object can be created using positional arguments or an options
* hash.
*
* @overload AWS.Credentials(accessKeyId, secretAccessKey, sessionToken=null)
* Creates a Credentials object with a given set of credential information
* as positional arguments.
* @param accessKeyId [String] the AWS access key ID
* @param secretAccessKey [String] the AWS secret access key
* @param sessionToken [String] the optional AWS session token
* @example Create a credentials object with AWS credentials
* var creds = new AWS.Credentials('akid', 'secret', 'session');
* @overload AWS.Credentials(options)
* Creates a Credentials object with a given set of credential information
* as an options hash.
* @option options accessKeyId [String] the AWS access key ID
* @option options secretAccessKey [String] the AWS secret access key
* @option options sessionToken [String] the optional AWS session token
* @example Create a credentials object with AWS credentials
* var creds = new AWS.Credentials({
* accessKeyId: 'akid', secretAccessKey: 'secret', sessionToken: 'session'
* });
*/
constructor: function Credentials() {
// hide secretAccessKey from being displayed with util.inspect
AWS.util.hideProperties(this, ['secretAccessKey']);
this.expired = false;
this.expireTime = null;
this.refreshCallbacks = [];
if (arguments.length === 1 && typeof arguments[0] === 'object') {
var creds = arguments[0].credentials || arguments[0];
this.accessKeyId = creds.accessKeyId;
this.secretAccessKey = creds.secretAccessKey;
this.sessionToken = creds.sessionToken;
} else {
this.accessKeyId = arguments[0];
this.secretAccessKey = arguments[1];
this.sessionToken = arguments[2];
}
},
/**
* @return [Integer] the number of seconds before {expireTime} during which
* the credentials will be considered expired.
*/
expiryWindow: 15,
/**
* @return [Boolean] whether the credentials object should call {refresh}
* @note Subclasses should override this method to provide custom refresh
* logic.
*/
needsRefresh: function needsRefresh() {
var currentTime = AWS.util.date.getDate().getTime();
var adjustedTime = new Date(currentTime + this.expiryWindow * 1000);
if (this.expireTime && adjustedTime > this.expireTime) {
return true;
} else {
return this.expired || !this.accessKeyId || !this.secretAccessKey;
}
},
/**
* Gets the existing credentials, refreshing them if they are not yet loaded
* or have expired. Users should call this method before using {refresh},
* as this will not attempt to reload credentials when they are already
* loaded into the object.
*
* @callback callback function(err)
* When this callback is called with no error, it means either credentials
* do not need to be refreshed or refreshed credentials information has
* been loaded into the object (as the `accessKeyId`, `secretAccessKey`,
* and `sessionToken` properties).
* @param err [Error] if an error occurred, this value will be filled
*/
get: function get(callback) {
var self = this;
if (this.needsRefresh()) {
this.refresh(function(err) {
if (!err) self.expired = false; // reset expired flag
if (callback) callback(err);
});
} else if (callback) {
callback();
}
},
/**
* @!method getPromise()
* Returns a 'thenable' promise.
* Gets the existing credentials, refreshing them if they are not yet loaded
* or have expired. Users should call this method before using {refresh},
* as this will not attempt to reload credentials when they are already
* loaded into the object.
*
* Two callbacks can be provided to the `then` method on the returned promise.
* The first callback will be called if the promise is fulfilled, and the second
* callback will be called if the promise is rejected.
* @callback fulfilledCallback function()
* Called if the promise is fulfilled. When this callback is called, it
* means either credentials do not need to be refreshed or refreshed
* credentials information has been loaded into the object (as the
* `accessKeyId`, `secretAccessKey`, and `sessionToken` properties).
* @callback rejectedCallback function(err)
* Called if the promise is rejected.
* @param err [Error] if an error occurred, this value will be filled
* @return [Promise] A promise that represents the state of the `get` call.
* @example Calling the `getPromise` method.
* var promise = credProvider.getPromise();
* promise.then(function() { ... }, function(err) { ... });
*/
/**
* @!method refreshPromise()
* Returns a 'thenable' promise.
* Refreshes the credentials. Users should call {get} before attempting
* to forcibly refresh credentials.
*
* Two callbacks can be provided to the `then` method on the returned promise.
* The first callback will be called if the promise is fulfilled, and the second
* callback will be called if the promise is rejected.
* @callback fulfilledCallback function()
* Called if the promise is fulfilled. When this callback is called, it
* means refreshed credentials information has been loaded into the object
* (as the `accessKeyId`, `secretAccessKey`, and `sessionToken` properties).
* @callback rejectedCallback function(err)
* Called if the promise is rejected.
* @param err [Error] if an error occurred, this value will be filled
* @return [Promise] A promise that represents the state of the `refresh` call.
* @example Calling the `refreshPromise` method.
* var promise = credProvider.refreshPromise();
* promise.then(function() { ... }, function(err) { ... });
*/
/**
* Refreshes the credentials. Users should call {get} before attempting
* to forcibly refresh credentials.
*
* @callback callback function(err)
* When this callback is called with no error, it means refreshed
* credentials information has been loaded into the object (as the
* `accessKeyId`, `secretAccessKey`, and `sessionToken` properties).
* @param err [Error] if an error occurred, this value will be filled
* @note Subclasses should override this class to reset the
* {accessKeyId}, {secretAccessKey} and optional {sessionToken}
* on the credentials object and then call the callback with
* any error information.
* @see get
*/
refresh: function refresh(callback) {
this.expired = false;
callback();
},
/**
* @api private
* @param callback
*/
coalesceRefresh: function coalesceRefresh(callback, sync) {
var self = this;
if (self.refreshCallbacks.push(callback) === 1) {
self.load(function onLoad(err) {
AWS.util.arrayEach(self.refreshCallbacks, function(callback) {
if (sync) {
callback(err);
} else {
// callback could throw, so defer to ensure all callbacks are notified
AWS.util.defer(function () {
callback(err);
});
}
});
self.refreshCallbacks.length = 0;
});
}
},
/**
* @api private
* @param callback
*/
load: function load(callback) {
callback();
}
});
/**
* @api private
*/
AWS.Credentials.addPromisesToClass = function addPromisesToClass(PromiseDependency) {
this.prototype.getPromise = AWS.util.promisifyMethod('get', PromiseDependency);
this.prototype.refreshPromise = AWS.util.promisifyMethod('refresh', PromiseDependency);
};
/**
* @api private
*/
AWS.Credentials.deletePromisesFromClass = function deletePromisesFromClass() {
delete this.prototype.getPromise;
delete this.prototype.refreshPromise;
};
AWS.util.addPromises(AWS.Credentials);