chore: import upstream snapshot with attribution
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled

This commit is contained in:
wehub-resource-sync
2026-07-13 13:20:55 +08:00
commit d25d482dc2
13754 changed files with 4996608 additions and 0 deletions
@@ -0,0 +1,55 @@
import { createLogger } from '@sim/logger'
import { toError } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { awsStsAssumeRoleWithSAMLContract } from '@/lib/api/contracts/tools/aws/sts-assume-role-with-saml'
import { parseToolRequest } from '@/lib/api/server'
import { checkInternalAuth } from '@/lib/auth/hybrid'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { assumeRoleWithSAML, createUnauthenticatedSTSClient } from '../utils'
const logger = createLogger('STSAssumeRoleWithSAMLAPI')
export const POST = withRouteHandler(async (request: NextRequest) => {
const auth = await checkInternalAuth(request)
if (!auth.success || !auth.userId) {
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
}
try {
const parsed = await parseToolRequest(awsStsAssumeRoleWithSAMLContract, request, {
errorFormat: 'details',
logger,
})
if (!parsed.success) return parsed.response
const params = parsed.data.body
logger.info(`Assuming role ${params.roleArn} with SAML`)
const client = createUnauthenticatedSTSClient(params.region)
try {
const result = await assumeRoleWithSAML(
client,
params.roleArn,
params.principalArn,
params.samlAssertion,
params.policyArns,
params.policy,
params.durationSeconds
)
logger.info('Role assumed successfully with SAML')
return NextResponse.json(result)
} finally {
client.destroy()
}
} catch (error) {
logger.error('Failed to assume role with SAML', { error: toError(error).message })
return NextResponse.json(
{ error: `Failed to assume role with SAML: ${toError(error).message}` },
{ status: 500 }
)
}
})
@@ -0,0 +1,56 @@
import { createLogger } from '@sim/logger'
import { toError } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { awsStsAssumeRoleWithWebIdentityContract } from '@/lib/api/contracts/tools/aws/sts-assume-role-with-web-identity'
import { parseToolRequest } from '@/lib/api/server'
import { checkInternalAuth } from '@/lib/auth/hybrid'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { assumeRoleWithWebIdentity, createUnauthenticatedSTSClient } from '../utils'
const logger = createLogger('STSAssumeRoleWithWebIdentityAPI')
export const POST = withRouteHandler(async (request: NextRequest) => {
const auth = await checkInternalAuth(request)
if (!auth.success || !auth.userId) {
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
}
try {
const parsed = await parseToolRequest(awsStsAssumeRoleWithWebIdentityContract, request, {
errorFormat: 'details',
logger,
})
if (!parsed.success) return parsed.response
const params = parsed.data.body
logger.info(`Assuming role ${params.roleArn} with web identity`)
const client = createUnauthenticatedSTSClient(params.region)
try {
const result = await assumeRoleWithWebIdentity(
client,
params.roleArn,
params.roleSessionName,
params.webIdentityToken,
params.providerId,
params.policyArns,
params.policy,
params.durationSeconds
)
logger.info('Role assumed successfully with web identity')
return NextResponse.json(result)
} finally {
client.destroy()
}
} catch (error) {
logger.error('Failed to assume role with web identity', { error: toError(error).message })
return NextResponse.json(
{ error: `Failed to assume role with web identity: ${toError(error).message}` },
{ status: 500 }
)
}
})
@@ -0,0 +1,63 @@
import { createLogger } from '@sim/logger'
import { toError } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { awsStsAssumeRoleContract } from '@/lib/api/contracts/tools/aws/sts-assume-role'
import { parseToolRequest } from '@/lib/api/server'
import { checkInternalAuth } from '@/lib/auth/hybrid'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { assumeRole, createSTSClient } from '../utils'
const logger = createLogger('STSAssumeRoleAPI')
export const POST = withRouteHandler(async (request: NextRequest) => {
const auth = await checkInternalAuth(request)
if (!auth.success || !auth.userId) {
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
}
try {
const parsed = await parseToolRequest(awsStsAssumeRoleContract, request, {
errorFormat: 'details',
logger,
})
if (!parsed.success) return parsed.response
const params = parsed.data.body
logger.info(`Assuming role ${params.roleArn}`)
const client = createSTSClient({
region: params.region,
accessKeyId: params.accessKeyId,
secretAccessKey: params.secretAccessKey,
})
try {
const result = await assumeRole(
client,
params.roleArn,
params.roleSessionName,
params.durationSeconds,
params.policy,
params.externalId,
params.serialNumber,
params.tokenCode,
params.policyArns,
params.tags,
params.transitiveTagKeys
)
logger.info('Role assumed successfully')
return NextResponse.json(result)
} finally {
client.destroy()
}
} catch (error) {
logger.error('Failed to assume role', { error: toError(error).message })
return NextResponse.json(
{ error: `Failed to assume role: ${toError(error).message}` },
{ status: 500 }
)
}
})
@@ -0,0 +1,51 @@
import { createLogger } from '@sim/logger'
import { toError } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { awsStsGetAccessKeyInfoContract } from '@/lib/api/contracts/tools/aws/sts-get-access-key-info'
import { parseToolRequest } from '@/lib/api/server'
import { checkInternalAuth } from '@/lib/auth/hybrid'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { createSTSClient, getAccessKeyInfo } from '../utils'
const logger = createLogger('STSGetAccessKeyInfoAPI')
export const POST = withRouteHandler(async (request: NextRequest) => {
const auth = await checkInternalAuth(request)
if (!auth.success || !auth.userId) {
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
}
try {
const parsed = await parseToolRequest(awsStsGetAccessKeyInfoContract, request, {
errorFormat: 'details',
logger,
})
if (!parsed.success) return parsed.response
const params = parsed.data.body
logger.info(`Getting access key info for ${params.targetAccessKeyId}`)
const client = createSTSClient({
region: params.region,
accessKeyId: params.accessKeyId,
secretAccessKey: params.secretAccessKey,
})
try {
const result = await getAccessKeyInfo(client, params.targetAccessKeyId)
logger.info('Access key info retrieved successfully')
return NextResponse.json(result)
} finally {
client.destroy()
}
} catch (error) {
logger.error('Failed to get access key info', { error: toError(error).message })
return NextResponse.json(
{ error: `Failed to get access key info: ${toError(error).message}` },
{ status: 500 }
)
}
})
@@ -0,0 +1,51 @@
import { createLogger } from '@sim/logger'
import { toError } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { awsStsGetCallerIdentityContract } from '@/lib/api/contracts/tools/aws/sts-get-caller-identity'
import { parseToolRequest } from '@/lib/api/server'
import { checkInternalAuth } from '@/lib/auth/hybrid'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { createSTSClient, getCallerIdentity } from '../utils'
const logger = createLogger('STSGetCallerIdentityAPI')
export const POST = withRouteHandler(async (request: NextRequest) => {
const auth = await checkInternalAuth(request)
if (!auth.success || !auth.userId) {
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
}
try {
const parsed = await parseToolRequest(awsStsGetCallerIdentityContract, request, {
errorFormat: 'details',
logger,
})
if (!parsed.success) return parsed.response
const params = parsed.data.body
logger.info('Getting caller identity')
const client = createSTSClient({
region: params.region,
accessKeyId: params.accessKeyId,
secretAccessKey: params.secretAccessKey,
})
try {
const result = await getCallerIdentity(client)
logger.info('Caller identity retrieved successfully')
return NextResponse.json(result)
} finally {
client.destroy()
}
} catch (error) {
logger.error('Failed to get caller identity', { error: toError(error).message })
return NextResponse.json(
{ error: `Failed to get caller identity: ${toError(error).message}` },
{ status: 500 }
)
}
})
@@ -0,0 +1,56 @@
import { createLogger } from '@sim/logger'
import { toError } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { awsStsGetSessionTokenContract } from '@/lib/api/contracts/tools/aws/sts-get-session-token'
import { parseToolRequest } from '@/lib/api/server'
import { checkInternalAuth } from '@/lib/auth/hybrid'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { createSTSClient, getSessionToken } from '../utils'
const logger = createLogger('STSGetSessionTokenAPI')
export const POST = withRouteHandler(async (request: NextRequest) => {
const auth = await checkInternalAuth(request)
if (!auth.success || !auth.userId) {
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
}
try {
const parsed = await parseToolRequest(awsStsGetSessionTokenContract, request, {
errorFormat: 'details',
logger,
})
if (!parsed.success) return parsed.response
const params = parsed.data.body
logger.info('Getting session token')
const client = createSTSClient({
region: params.region,
accessKeyId: params.accessKeyId,
secretAccessKey: params.secretAccessKey,
})
try {
const result = await getSessionToken(
client,
params.durationSeconds,
params.serialNumber,
params.tokenCode
)
logger.info('Session token retrieved successfully')
return NextResponse.json(result)
} finally {
client.destroy()
}
} catch (error) {
logger.error('Failed to get session token', { error: toError(error).message })
return NextResponse.json(
{ error: `Failed to get session token: ${toError(error).message}` },
{ status: 500 }
)
}
})
+242
View File
@@ -0,0 +1,242 @@
import {
AssumeRoleCommand,
AssumeRoleWithSAMLCommand,
AssumeRoleWithWebIdentityCommand,
GetAccessKeyInfoCommand,
GetCallerIdentityCommand,
GetSessionTokenCommand,
type PolicyDescriptorType,
STSClient,
type Tag,
} from '@aws-sdk/client-sts'
import type { STSConnectionConfig } from '@/tools/sts/types'
export function createSTSClient(config: STSConnectionConfig): STSClient {
return new STSClient({
region: config.region,
credentials: {
accessKeyId: config.accessKeyId,
secretAccessKey: config.secretAccessKey,
},
})
}
/**
* Creates an STS client for AssumeRoleWithWebIdentity / AssumeRoleWithSAML,
* which authenticate the caller via the supplied token/assertion rather than
* an IAM access key — AWS does not check the request signature for these two
* operations. The SDK's signing middleware still requires a `credentials`
* value to be resolvable, though, so static placeholder credentials are
* supplied explicitly to skip the default credential provider chain (env
* vars, shared config, container/IMDS role). Without this, the client would
* throw a CredentialsProviderError before the request is even sent in
* environments with no ambient AWS identity, even though a real IAM identity
* was never required.
*/
export function createUnauthenticatedSTSClient(region: string): STSClient {
return new STSClient({
region,
credentials: { accessKeyId: 'anonymous', secretAccessKey: 'anonymous' },
})
}
function parsePolicyArns(policyArns?: string | null): PolicyDescriptorType[] | undefined {
if (!policyArns) return undefined
const arns = policyArns
.split(',')
.map((arn) => arn.trim())
.filter((arn) => arn.length > 0)
return arns.length > 0 ? arns.map((arn) => ({ arn })) : undefined
}
function parseTags(tags?: string | null): Tag[] | undefined {
if (!tags) return undefined
const parsed = JSON.parse(tags) as Record<string, string>
const entries = Object.entries(parsed)
return entries.length > 0
? entries.map(([Key, Value]) => ({ Key, Value: String(Value) }))
: undefined
}
function parseTransitiveTagKeys(transitiveTagKeys?: string | null): string[] | undefined {
if (!transitiveTagKeys) return undefined
const keys = transitiveTagKeys
.split(',')
.map((key) => key.trim())
.filter((key) => key.length > 0)
return keys.length > 0 ? keys : undefined
}
export async function assumeRole(
client: STSClient,
roleArn: string,
roleSessionName: string,
durationSeconds?: number | null,
policy?: string | null,
externalId?: string | null,
serialNumber?: string | null,
tokenCode?: string | null,
policyArns?: string | null,
tags?: string | null,
transitiveTagKeys?: string | null
) {
const command = new AssumeRoleCommand({
RoleArn: roleArn,
RoleSessionName: roleSessionName,
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
...(policy ? { Policy: policy } : {}),
...(externalId ? { ExternalId: externalId } : {}),
...(serialNumber ? { SerialNumber: serialNumber } : {}),
...(tokenCode ? { TokenCode: tokenCode } : {}),
...(() => {
const arns = parsePolicyArns(policyArns)
return arns ? { PolicyArns: arns } : {}
})(),
...(() => {
const sessionTags = parseTags(tags)
return sessionTags ? { Tags: sessionTags } : {}
})(),
...(() => {
const keys = parseTransitiveTagKeys(transitiveTagKeys)
return keys ? { TransitiveTagKeys: keys } : {}
})(),
})
const response = await client.send(command)
return {
accessKeyId: response.Credentials?.AccessKeyId ?? '',
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
sessionToken: response.Credentials?.SessionToken ?? '',
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
packedPolicySize: response.PackedPolicySize ?? null,
sourceIdentity: response.SourceIdentity ?? null,
}
}
export async function assumeRoleWithWebIdentity(
client: STSClient,
roleArn: string,
roleSessionName: string,
webIdentityToken: string,
providerId?: string | null,
policyArns?: string | null,
policy?: string | null,
durationSeconds?: number | null
) {
const command = new AssumeRoleWithWebIdentityCommand({
RoleArn: roleArn,
RoleSessionName: roleSessionName,
WebIdentityToken: webIdentityToken,
...(providerId ? { ProviderId: providerId } : {}),
...(policy ? { Policy: policy } : {}),
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
...(() => {
const arns = parsePolicyArns(policyArns)
return arns ? { PolicyArns: arns } : {}
})(),
})
const response = await client.send(command)
return {
accessKeyId: response.Credentials?.AccessKeyId ?? '',
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
sessionToken: response.Credentials?.SessionToken ?? '',
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
subjectFromWebIdentityToken: response.SubjectFromWebIdentityToken ?? '',
audience: response.Audience ?? null,
provider: response.Provider ?? null,
packedPolicySize: response.PackedPolicySize ?? null,
sourceIdentity: response.SourceIdentity ?? null,
}
}
export async function assumeRoleWithSAML(
client: STSClient,
roleArn: string,
principalArn: string,
samlAssertion: string,
policyArns?: string | null,
policy?: string | null,
durationSeconds?: number | null
) {
const command = new AssumeRoleWithSAMLCommand({
RoleArn: roleArn,
PrincipalArn: principalArn,
SAMLAssertion: samlAssertion,
...(policy ? { Policy: policy } : {}),
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
...(() => {
const arns = parsePolicyArns(policyArns)
return arns ? { PolicyArns: arns } : {}
})(),
})
const response = await client.send(command)
return {
accessKeyId: response.Credentials?.AccessKeyId ?? '',
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
sessionToken: response.Credentials?.SessionToken ?? '',
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
subject: response.Subject ?? null,
subjectType: response.SubjectType ?? null,
issuer: response.Issuer ?? null,
audience: response.Audience ?? null,
nameQualifier: response.NameQualifier ?? null,
packedPolicySize: response.PackedPolicySize ?? null,
sourceIdentity: response.SourceIdentity ?? null,
}
}
export async function getCallerIdentity(client: STSClient) {
const command = new GetCallerIdentityCommand({})
const response = await client.send(command)
return {
account: response.Account ?? '',
arn: response.Arn ?? '',
userId: response.UserId ?? '',
}
}
export async function getSessionToken(
client: STSClient,
durationSeconds?: number | null,
serialNumber?: string | null,
tokenCode?: string | null
) {
const command = new GetSessionTokenCommand({
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
...(serialNumber ? { SerialNumber: serialNumber } : {}),
...(tokenCode ? { TokenCode: tokenCode } : {}),
})
const response = await client.send(command)
return {
accessKeyId: response.Credentials?.AccessKeyId ?? '',
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
sessionToken: response.Credentials?.SessionToken ?? '',
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
}
}
export async function getAccessKeyInfo(client: STSClient, accessKeyId: string) {
const command = new GetAccessKeyInfoCommand({
AccessKeyId: accessKeyId,
})
const response = await client.send(command)
return {
account: response.Account ?? '',
}
}