validation-bugsnag-email
This commit is contained in:
RafficMohammed
@@ -95,7 +95,7 @@ class CredentialProvider
|
||||
|| $config['use_aws_shared_config_files'] !== false
|
||||
) {
|
||||
$defaultChain['sso'] = self::sso(
|
||||
'profile '. $profileName,
|
||||
$profileName,
|
||||
self::getHomeDir() . '/.aws/config',
|
||||
$config
|
||||
);
|
||||
@@ -321,8 +321,10 @@ class CredentialProvider
|
||||
*
|
||||
* @return callable
|
||||
*/
|
||||
public static function sso($ssoProfileName, $filename = null, $config = [])
|
||||
{
|
||||
public static function sso($ssoProfileName = 'default',
|
||||
$filename = null,
|
||||
$config = []
|
||||
) {
|
||||
$filename = $filename ?: (self::getHomeDir() . '/.aws/config');
|
||||
|
||||
return function () use ($ssoProfileName, $filename, $config) {
|
||||
@@ -330,69 +332,87 @@ class CredentialProvider
|
||||
return self::reject("Cannot read credentials from $filename");
|
||||
}
|
||||
$profiles = self::loadProfiles($filename);
|
||||
if (!isset($profiles[$ssoProfileName])) {
|
||||
|
||||
if (isset($profiles[$ssoProfileName])) {
|
||||
$ssoProfile = $profiles[$ssoProfileName];
|
||||
} elseif (isset($profiles['profile ' . $ssoProfileName])) {
|
||||
$ssoProfileName = 'profile ' . $ssoProfileName;
|
||||
$ssoProfile = $profiles[$ssoProfileName];
|
||||
} else {
|
||||
return self::reject("Profile {$ssoProfileName} does not exist in {$filename}.");
|
||||
}
|
||||
$ssoProfile = $profiles[$ssoProfileName];
|
||||
|
||||
if (!empty($ssoProfile['sso_session'])) {
|
||||
return self::reject(
|
||||
"Profile {$ssoProfileName} contains an sso_session and will rely on"
|
||||
. " the token provider instead of the legacy sso credential provider."
|
||||
if (empty($config['ssoOidcClient'])) {
|
||||
$sessionName = $ssoProfile['sso_session'];
|
||||
if (empty($profiles['sso-session ' . $sessionName])) {
|
||||
return self::reject(
|
||||
"Could not find sso-session {$sessionName} in {$filename}"
|
||||
);
|
||||
}
|
||||
$ssoSession = $profiles['sso-session ' . $ssoProfile['sso_session']];
|
||||
$ssoOidcClient = new Aws\SSOOIDC\SSOOIDCClient([
|
||||
'region' => $ssoSession['sso_region'],
|
||||
'version' => '2019-06-10',
|
||||
'credentials' => false
|
||||
]);
|
||||
} else {
|
||||
$ssoOidcClient = $config['ssoClient'];
|
||||
}
|
||||
|
||||
$tokenPromise = new Aws\Token\SsoTokenProvider(
|
||||
$ssoProfileName,
|
||||
$filename,
|
||||
$ssoOidcClient
|
||||
);
|
||||
}
|
||||
if (empty($ssoProfile['sso_start_url'])
|
||||
|| empty($ssoProfile['sso_region'])
|
||||
|| empty($ssoProfile['sso_account_id'])
|
||||
|| empty($ssoProfile['sso_role_name'])
|
||||
) {
|
||||
return self::reject(
|
||||
"Profile {$ssoProfileName} in {$filename} must contain the following keys: "
|
||||
. "sso_start_url, sso_region, sso_account_id, and sso_role_name."
|
||||
$token = $tokenPromise()->wait();
|
||||
$ssoCredentials = CredentialProvider::getCredentialsFromSsoService(
|
||||
$ssoProfile,
|
||||
$token->getToken(),
|
||||
$config
|
||||
);
|
||||
}
|
||||
$expiration = $ssoCredentials['expiration'];
|
||||
|
||||
$tokenLocation = self::getHomeDir()
|
||||
. '/.aws/sso/cache/'
|
||||
. sha1($ssoProfile['sso_start_url'])
|
||||
. ".json";
|
||||
|
||||
if (!@is_readable($tokenLocation)) {
|
||||
return self::reject("Unable to read token file at $tokenLocation");
|
||||
}
|
||||
|
||||
$tokenData = json_decode(file_get_contents($tokenLocation), true);
|
||||
if (empty($tokenData['accessToken']) || empty($tokenData['expiresAt'])) {
|
||||
return self::reject(
|
||||
"Token file at {$tokenLocation} must contain an access token and an expiration"
|
||||
);
|
||||
}
|
||||
try {
|
||||
$expiration = (new DateTimeResult($tokenData['expiresAt']))->getTimestamp();
|
||||
} catch (\Exception $e) {
|
||||
return self::reject("Cached SSO credentials returned an invalid expiration");
|
||||
}
|
||||
$now = time();
|
||||
if ($expiration < $now) {
|
||||
return self::reject("Cached SSO credentials returned expired credentials");
|
||||
}
|
||||
|
||||
$ssoClient = null;
|
||||
if (empty($config['ssoClient'])) {
|
||||
$ssoClient = new Aws\SSO\SSOClient([
|
||||
'region' => $ssoProfile['sso_region'],
|
||||
'version' => '2019-06-10',
|
||||
'credentials' => false
|
||||
]);
|
||||
} else {
|
||||
$ssoClient = $config['ssoClient'];
|
||||
}
|
||||
$ssoResponse = $ssoClient->getRoleCredentials([
|
||||
'accessToken' => $tokenData['accessToken'],
|
||||
'accountId' => $ssoProfile['sso_account_id'],
|
||||
'roleName' => $ssoProfile['sso_role_name']
|
||||
]);
|
||||
if (empty($ssoProfile['sso_start_url'])
|
||||
|| empty($ssoProfile['sso_region'])
|
||||
|| empty($ssoProfile['sso_account_id'])
|
||||
|| empty($ssoProfile['sso_role_name'])
|
||||
) {
|
||||
return self::reject(
|
||||
"Profile {$ssoProfileName} in {$filename} must contain the following keys: "
|
||||
. "sso_start_url, sso_region, sso_account_id, and sso_role_name."
|
||||
);
|
||||
}
|
||||
$tokenLocation = self::getHomeDir()
|
||||
. '/.aws/sso/cache/'
|
||||
. sha1($ssoProfile['sso_start_url'])
|
||||
. ".json";
|
||||
|
||||
$ssoCredentials = $ssoResponse['roleCredentials'];
|
||||
if (!@is_readable($tokenLocation)) {
|
||||
return self::reject("Unable to read token file at $tokenLocation");
|
||||
}
|
||||
$tokenData = json_decode(file_get_contents($tokenLocation), true);
|
||||
if (empty($tokenData['accessToken']) || empty($tokenData['expiresAt'])) {
|
||||
return self::reject(
|
||||
"Token file at {$tokenLocation} must contain an access token and an expiration"
|
||||
);
|
||||
}
|
||||
try {
|
||||
$expiration = (new DateTimeResult($tokenData['expiresAt']))->getTimestamp();
|
||||
} catch (\Exception $e) {
|
||||
return self::reject("Cached SSO credentials returned an invalid expiration");
|
||||
}
|
||||
$now = time();
|
||||
if ($expiration < $now) {
|
||||
return self::reject("Cached SSO credentials returned expired credentials");
|
||||
}
|
||||
$ssoCredentials = CredentialProvider::getCredentialsFromSsoService(
|
||||
$ssoProfile,
|
||||
$tokenData['accessToken'],
|
||||
$config
|
||||
);
|
||||
}
|
||||
return Promise\Create::promiseFor(
|
||||
new Credentials(
|
||||
$ssoCredentials['accessKeyId'],
|
||||
@@ -905,4 +925,31 @@ class CredentialProvider
|
||||
|| !empty(getenv(EcsCredentialProvider::ENV_FULL_URI))
|
||||
|| !empty($_SERVER[EcsCredentialProvider::ENV_FULL_URI]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array $ssoProfile
|
||||
* @param string $accessToken
|
||||
* @param array $config
|
||||
* @return array|null
|
||||
*/
|
||||
private static function getCredentialsFromSsoService($ssoProfile, $accessToken, $config)
|
||||
{
|
||||
if (empty($config['ssoClient'])) {
|
||||
$ssoClient = new Aws\SSO\SSOClient([
|
||||
'region' => $ssoProfile['sso_region'],
|
||||
'version' => '2019-06-10',
|
||||
'credentials' => false
|
||||
]);
|
||||
} else {
|
||||
$ssoClient = $config['ssoClient'];
|
||||
}
|
||||
$ssoResponse = $ssoClient->getRoleCredentials([
|
||||
'accessToken' => $accessToken,
|
||||
'accountId' => $ssoProfile['sso_account_id'],
|
||||
'roleName' => $ssoProfile['sso_role_name']
|
||||
]);
|
||||
|
||||
$ssoCredentials = $ssoResponse['roleCredentials'];
|
||||
return $ssoCredentials;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user