Главная Обзор Помощь
Регистрация Вход
moonsflyer
/
yunjing_master
1
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Ветка: master
Ветки Метки
yunjing_master
/
sdk
/
aws
/
Aws
/
Credentials
/
CredentialProvider.php

CredentialProvider.php 32 KB
Постоянная ссылка История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876 
  1. <?php
    2. 

  2. namespace Aws\Credentials;
    3. 

  3. 

  4. use Aws;
    5. 

  5. use Aws\Api\DateTimeResult;
    6. 

  6. use Aws\CacheInterface;
    7. 

  7. use Aws\Exception\CredentialsException;
    8. 

  8. use Aws\Sts\StsClient;
    9. 

  9. use GuzzleHttp\Promise;
    10. 

  10. 

  11. /**
    12. 

  12.  * Credential providers are functions that accept no arguments and return a
    13. 

  13.  * promise that is fulfilled with an {@see \Aws\Credentials\CredentialsInterface}
    14. 

  14.  * or rejected with an {@see \Aws\Exception\CredentialsException}.
    15. 

  15.  *
    16. 

  16.  * <code>
    17. 

  17.  * use Aws\Credentials\CredentialProvider;
    18. 

  18.  * $provider = CredentialProvider::defaultProvider();
    19. 

  19.  * // Returns a CredentialsInterface or throws.
    20. 

  20.  * $creds = $provider()->wait();
    21. 

  21.  * </code>
    22. 

  22.  *
    23. 

  23.  * Credential providers can be composed to create credentials using conditional
    24. 

  24.  * logic that can create different credentials in different environments. You
    25. 

  25.  * can compose multiple providers into a single provider using
    26. 

  26.  * {@see Aws\Credentials\CredentialProvider::chain}. This function accepts
    27. 

  27.  * providers as variadic arguments and returns a new function that will invoke
    28. 

  28.  * each provider until a successful set of credentials is returned.
    29. 

  29.  *
    30. 

  30.  * <code>
    31. 

  31.  * // First try an INI file at this location.
    32. 

  32.  * $a = CredentialProvider::ini(null, '/path/to/file.ini');
    33. 

  33.  * // Then try an INI file at this location.
    34. 

  34.  * $b = CredentialProvider::ini(null, '/path/to/other-file.ini');
    35. 

  35.  * // Then try loading from environment variables.
    36. 

  36.  * $c = CredentialProvider::env();
    37. 

  37.  * // Combine the three providers together.
    38. 

  38.  * $composed = CredentialProvider::chain($a, $b, $c);
    39. 

  39.  * // Returns a promise that is fulfilled with credentials or throws.
    40. 

  40.  * $promise = $composed();
    41. 

  41.  * // Wait on the credentials to resolve.
    42. 

  42.  * $creds = $promise->wait();
    43. 

  43.  * </code>
    44. 

  44.  */
    45. 

  45. class CredentialProvider
    46. 

  46. {
    47. 

  47.     const ENV_ARN = 'AWS_ROLE_ARN';
    48. 

  48.     const ENV_KEY = 'AWS_ACCESS_KEY_ID';
    49. 

  49.     const ENV_PROFILE = 'AWS_PROFILE';
    50. 

  50.     const ENV_ROLE_SESSION_NAME = 'AWS_ROLE_SESSION_NAME';
    51. 

  51.     const ENV_SECRET = 'AWS_SECRET_ACCESS_KEY';
    52. 

  52.     const ENV_SESSION = 'AWS_SESSION_TOKEN';
    53. 

  53.     const ENV_TOKEN_FILE = 'AWS_WEB_IDENTITY_TOKEN_FILE';
    54. 

  54.     const ENV_SHARED_CREDENTIALS_FILE = 'AWS_SHARED_CREDENTIALS_FILE';
    55. 

  55. 

  56.     /**
    57. 

  57.      * Create a default credential provider that first checks for environment
    58. 

  58.      * variables, then checks for the "default" profile in ~/.aws/credentials,
    59. 

  59.      * then checks for "profile default" profile in ~/.aws/config (which is
    60. 

  60.      * the default profile of AWS CLI), then tries to make a GET Request to
    61. 

  61.      * fetch credentials if Ecs environment variable is presented, then checks
    62. 

  62.      * for credential_process in the "default" profile in ~/.aws/credentials,
    63. 

  63.      * then for credential_process in the "default profile" profile in
    64. 

  64.      * ~/.aws/config, and finally checks for EC2 instance profile credentials.
    65. 

  65.      *
    66. 

  66.      * This provider is automatically wrapped in a memoize function that caches
    67. 

  67.      * previously provided credentials.
    68. 

  68.      *
    69. 

  69.      * @param array $config Optional array of ecs/instance profile credentials
    70. 

  70.      *                      provider options.
    71. 

  71.      *
    72. 

  72.      * @return callable
    73. 

  73.      */
    74. 

  74.     public static function defaultProvider(array $config = [])
    75. 

  75.     {
    76. 

  76.         $cacheable = [
    77. 

  77.             'web_identity',
    78. 

  78.             'sso',
    79. 

  79.             'ecs',
    80. 

  80.             'process_credentials',
    81. 

  81.             'process_config',
    82. 

  82.             'instance'
    83. 

  83.         ];
    84. 

  84. 

  85.         $defaultChain = [
    86. 

  86.             'env' => self::env(),
    87. 

  87.             'web_identity' => self::assumeRoleWithWebIdentityCredentialProvider($config),
    88. 

  88.         ];
    89. 

  89.         if (
    90. 

  90.             !isset($config['use_aws_shared_config_files'])
    91. 

  91.             || $config['use_aws_shared_config_files'] !== false
    92. 

  92.         ) {
    93. 

  93.             $defaultChain['sso'] = self::sso(
    94. 

  94.                 'profile default',
    95. 

  95.                 self::getHomeDir() . '/.aws/config',
    96. 

  96.                 $config
    97. 

  97.             );
    98. 

  98.             $defaultChain['ini'] = self::ini();
    99. 

  99.             $defaultChain['ini_config'] = self::ini(
    100. 

  100.                 'profile default',
    101. 

  101.                 self::getHomeDir() . '/.aws/config'
    102. 

  102.             );
    103. 

  103.         }
    104. 

  104. 

  105.         if (!empty(getenv(EcsCredentialProvider::ENV_URI))) {
    106. 

  106.             $defaultChain['ecs'] = self::ecsCredentials($config);
    107. 

  107.         }
    108. 

  108.         $defaultChain['process_credentials'] = self::process();
    109. 

  109.         $defaultChain['process_config'] = self::process(
    110. 

  110.             'profile default',
    111. 

  111.             self::getHomeDir() . '/.aws/config'
    112. 

  112.         );
    113. 

  113.         $defaultChain['instance'] = self::instanceProfile($config);
    114. 

  114. 

  115.         if (isset($config['credentials'])
    116. 

  116.             && $config['credentials'] instanceof CacheInterface
    117. 

  117.         ) {
    118. 

  118.             foreach ($cacheable as $provider) {
    119. 

  119.                 if (isset($defaultChain[$provider])) {
    120. 

  120.                     $defaultChain[$provider] = self::cache(
    121. 

  121.                         $defaultChain[$provider],
    122. 

  122.                         $config['credentials'],
    123. 

  123.                         'aws_cached_' . $provider . '_credentials'
    124. 

  124.                     );
    125. 

  125.                 }
    126. 

  126.             }
    127. 

  127.         }
    128. 

  128. 

  129.         return self::memoize(
    130. 

  130.             call_user_func_array(
    131. 

  131.                 'self::chain',
    132. 

  132.                 array_values($defaultChain)
    133. 

  133.             )
    134. 

  134.         );
    135. 

  135.     }
    136. 

  136. 

  137.     /**
    138. 

  138.      * Create a credential provider function from a set of static credentials.
    139. 

  139.      *
    140. 

  140.      * @param CredentialsInterface $creds
    141. 

  141.      *
    142. 

  142.      * @return callable
    143. 

  143.      */
    144. 

  144.     public static function fromCredentials(CredentialsInterface $creds)
    145. 

  145.     {
    146. 

  146.         $promise = Promise\promise_for($creds);
    147. 

  147. 

  148.         return function () use ($promise) {
    149. 

  149.             return $promise;
    150. 

  150.         };
    151. 

  151.     }
    152. 

  152. 

  153.     /**
    154. 

  154.      * Creates an aggregate credentials provider that invokes the provided
    155. 

  155.      * variadic providers one after the other until a provider returns
    156. 

  156.      * credentials.
    157. 

  157.      *
    158. 

  158.      * @return callable
    159. 

  159.      */
    160. 

  160.     public static function chain()
    161. 

  161.     {
    162. 

  162.         $links = func_get_args();
    163. 

  163.         if (empty($links)) {
    164. 

  164.             throw new \InvalidArgumentException('No providers in chain');
    165. 

  165.         }
    166. 

  166. 

  167.         return function () use ($links) {
    168. 

  168.             /** @var callable $parent */
    169. 

  169.             $parent = array_shift($links);
    170. 

  170.             $promise = $parent();
    171. 

  171.             while ($next = array_shift($links)) {
    172. 

  172.                 $promise = $promise->otherwise($next);
    173. 

  173.             }
    174. 

  174.             return $promise;
    175. 

  175.         };
    176. 

  176.     }
    177. 

  177. 

  178.     /**
    179. 

  179.      * Wraps a credential provider and caches previously provided credentials.
    180. 

  180.      *
    181. 

  181.      * Ensures that cached credentials are refreshed when they expire.
    182. 

  182.      *
    183. 

  183.      * @param callable $provider Credentials provider function to wrap.
    184. 

  184.      *
    185. 

  185.      * @return callable
    186. 

  186.      */
    187. 

  187.     public static function memoize(callable $provider)
    188. 

  188.     {
    189. 

  189.         return function () use ($provider) {
    190. 

  190.             static $result;
    191. 

  191.             static $isConstant;
    192. 

  192. 

  193.             // Constant credentials will be returned constantly.
    194. 

  194.             if ($isConstant) {
    195. 

  195.                 return $result;
    196. 

  196.             }
    197. 

  197. 

  198.             // Create the initial promise that will be used as the cached value
    199. 

  199.             // until it expires.
    200. 

  200.             if (null === $result) {
    201. 

  201.                 $result = $provider();
    202. 

  202.             }
    203. 

  203. 

  204.             // Return credentials that could expire and refresh when needed.
    205. 

  205.             return $result
    206. 

  206.                 ->then(function (CredentialsInterface $creds) use ($provider, &$isConstant, &$result) {
    207. 

  207.                     // Determine if these are constant credentials.
    208. 

  208.                     if (!$creds->getExpiration()) {
    209. 

  209.                         $isConstant = true;
    210. 

  210.                         return $creds;
    211. 

  211.                     }
    212. 

  212. 

  213.                     // Refresh expired credentials.
    214. 

  214.                     if (!$creds->isExpired()) {
    215. 

  215.                         return $creds;
    216. 

  216.                     }
    217. 

  217.                     // Refresh the result and forward the promise.
    218. 

  218.                     return $result = $provider();
    219. 

  219.                 })
    220. 

  220.                 ->otherwise(function($reason) use (&$result) {
    221. 

  221.                     // Cleanup rejected promise.
    222. 

  222.                     $result = null;
    223. 

  223.                     return new Promise\RejectedPromise($reason);
    224. 

  224.                 });
    225. 

  225.         };
    226. 

  226.     }
    227. 

  227. 

  228.     /**
    229. 

  229.      * Wraps a credential provider and saves provided credentials in an
    230. 

  230.      * instance of Aws\CacheInterface. Forwards calls when no credentials found
    231. 

  231.      * in cache and updates cache with the results.
    232. 

  232.      *
    233. 

  233.      * @param callable $provider Credentials provider function to wrap
    234. 

  234.      * @param CacheInterface $cache Cache to store credentials
    235. 

  235.      * @param string|null $cacheKey (optional) Cache key to use
    236. 

  236.      *
    237. 

  237.      * @return callable
    238. 

  238.      */
    239. 

  239.     public static function cache(
    240. 

  240.         callable $provider,
    241. 

  241.         CacheInterface $cache,
    242. 

  242.         $cacheKey = null
    243. 

  243.     ) {
    244. 

  244.         $cacheKey = $cacheKey ?: 'aws_cached_credentials';
    245. 

  245. 

  246.         return function () use ($provider, $cache, $cacheKey) {
    247. 

  247.             $found = $cache->get($cacheKey);
    248. 

  248.             if ($found instanceof CredentialsInterface && !$found->isExpired()) {
    249. 

  249.                 return Promise\promise_for($found);
    250. 

  250.             }
    251. 

  251. 

  252.             return $provider()
    253. 

  253.                 ->then(function (CredentialsInterface $creds) use (
    254. 

  254.                     $cache,
    255. 

  255.                     $cacheKey
    256. 

  256.                 ) {
    257. 

  257.                     $cache->set(
    258. 

  258.                         $cacheKey,
    259. 

  259.                         $creds,
    260. 

  260.                         null === $creds->getExpiration() ?
    261. 

  261.                             0 : $creds->getExpiration() - time()
    262. 

  262.                     );
    263. 

  263. 

  264.                     return $creds;
    265. 

  265.                 });
    266. 

  266.         };
    267. 

  267.     }
    268. 

  268. 

  269.     /**
    270. 

  270.      * Provider that creates credentials from environment variables
    271. 

  271.      * AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.
    272. 

  272.      *
    273. 

  273.      * @return callable
    274. 

  274.      */
    275. 

  275.     public static function env()
    276. 

  276.     {
    277. 

  277.         return function () {
    278. 

  278.             // Use credentials from environment variables, if available
    279. 

  279.             $key = getenv(self::ENV_KEY);
    280. 

  280.             $secret = getenv(self::ENV_SECRET);
    281. 

  281.             if ($key && $secret) {
    282. 

  282.                 return Promise\promise_for(
    283. 

  283.                     new Credentials($key, $secret, getenv(self::ENV_SESSION) ?: NULL)
    284. 

  284.                 );
    285. 

  285.             }
    286. 

  286. 

  287.             return self::reject('Could not find environment variable '
    288. 

  288.                 . 'credentials in ' . self::ENV_KEY . '/' . self::ENV_SECRET);
    289. 

  289.         };
    290. 

  290.     }
    291. 

  291. 

  292.     /**
    293. 

  293.      * Credential provider that creates credentials using instance profile
    294. 

  294.      * credentials.
    295. 

  295.      *
    296. 

  296.      * @param array $config Array of configuration data.
    297. 

  297.      *
    298. 

  298.      * @return InstanceProfileProvider
    299. 

  299.      * @see Aws\Credentials\InstanceProfileProvider for $config details.
    300. 

  300.      */
    301. 

  301.     public static function instanceProfile(array $config = [])
    302. 

  302.     {
    303. 

  303.         return new InstanceProfileProvider($config);
    304. 

  304.     }
    305. 

  305. 

  306.     /**
    307. 

  307.      * Credential provider that retrieves cached SSO credentials from the CLI
    308. 

  308.      *
    309. 

  309.      * @return callable
    310. 

  310.      */
    311. 

  311.     public static function sso($ssoProfileName, $filename = null, $config = [])
    312. 

  312.     {
    313. 

  313.         $filename = $filename ?: (self::getHomeDir() . '/.aws/config');
    314. 

  314. 

  315.         return function () use ($ssoProfileName, $filename, $config) {
    316. 

  316.             if (!is_readable($filename)) {
    317. 

  317.                 return self::reject("Cannot read credentials from $filename");
    318. 

  318.             }
    319. 

  319.             $data = self::loadProfiles($filename);
    320. 

  320.             if (empty($data[$ssoProfileName])) {
    321. 

  321.                 return self::reject("Profile {$ssoProfileName} does not exist in {$filename}.");
    322. 

  322.             }
    323. 

  323.             $ssoProfile = $data[$ssoProfileName];
    324. 

  324.             if (empty($ssoProfile['sso_start_url'])
    325. 

  325.                 || empty($ssoProfile['sso_region'])
    326. 

  326.                 || empty($ssoProfile['sso_account_id'])
    327. 

  327.                 || empty($ssoProfile['sso_role_name'])
    328. 

  328.             ) {
    329. 

  329.                 return self::reject(
    330. 

  330.                     "Profile {$ssoProfileName} in {$filename} must contain the following keys: "
    331. 

  331.                     . "sso_start_url, sso_region, sso_account_id, and sso_role_name."
    332. 

  332.                 );
    333. 

  333.             }
    334. 

  334. 

  335.             $tokenLocation = self::getHomeDir()
    336. 

  336.                 . '/.aws/sso/cache/'
    337. 

  337.                 . utf8_encode(sha1($ssoProfile['sso_start_url']))
    338. 

  338.                 . ".json";
    339. 

  339. 

  340.             if (!is_readable($tokenLocation)) {
    341. 

  341.                 return self::reject("Unable to read token file at $tokenLocation");
    342. 

  342.             }
    343. 

  343. 

  344.             $tokenData = json_decode(file_get_contents($tokenLocation), true);
    345. 

  345.             if (empty($tokenData['accessToken']) || empty($tokenData['expiresAt'])) {
    346. 

  346.                 return self::reject(
    347. 

  347.                     "Token file at {$tokenLocation} must contain an access token and an expiration"
    348. 

  348.                 );
    349. 

  349.             }
    350. 

  350.             try {
    351. 

  351.                 $expiration = (new DateTimeResult($tokenData['expiresAt']))->getTimestamp();
    352. 

  352.             } catch (\Exception $e) {
    353. 

  353.                 return self::reject("Cached SSO credentials returned an invalid expiration");
    354. 

  354.             }
    355. 

  355.             $now = time();
    356. 

  356.             if ($expiration < $now) {
    357. 

  357.                 return self::reject("Cached SSO credentials returned expired credentials");
    358. 

  358.             }
    359. 

  359. 

  360.             $ssoClient = null;
    361. 

  361.             if (empty($config['ssoClient'])) {
    362. 

  362.                 $ssoClient = new Aws\SSO\SSOClient([
    363. 

  363.                     'region' => $ssoProfile['sso_region'],
    364. 

  364.                     'version' => '2019-06-10',
    365. 

  365.                     'credentials' => false
    366. 

  366.                 ]);
    367. 

  367.             } else {
    368. 

  368.                 $ssoClient = $config['ssoClient'];
    369. 

  369.             }
    370. 

  370.             $ssoResponse = $ssoClient->getRoleCredentials([
    371. 

  371.                 'accessToken' => $tokenData['accessToken'],
    372. 

  372.                 'accountId' => $ssoProfile['sso_account_id'],
    373. 

  373.                 'roleName' => $ssoProfile['sso_role_name']
    374. 

  374.             ]);
    375. 

  375. 

  376.             $ssoCredentials = $ssoResponse['roleCredentials'];
    377. 

  377.             return Promise\promise_for(
    378. 

  378.                 new Credentials(
    379. 

  379.                     $ssoCredentials['accessKeyId'],
    380. 

  380.                     $ssoCredentials['secretAccessKey'],
    381. 

  381.                     $ssoCredentials['sessionToken'],
    382. 

  382.                     $expiration
    383. 

  383.                 )
    384. 

  384.             );
    385. 

  385.         };
    386. 

  386.     }
    387. 

  387. 

  388.     /**
    389. 

  389.      * Credential provider that creates credentials using
    390. 

  390.      * ecs credentials by a GET request, whose uri is specified
    391. 

  391.      * by environment variable
    392. 

  392.      *
    393. 

  393.      * @param array $config Array of configuration data.
    394. 

  394.      *
    395. 

  395.      * @return EcsCredentialProvider
    396. 

  396.      * @see Aws\Credentials\EcsCredentialProvider for $config details.
    397. 

  397.      */
    398. 

  398.     public static function ecsCredentials(array $config = [])
    399. 

  399.     {
    400. 

  400.         return new EcsCredentialProvider($config);
    401. 

  401.     }
    402. 

  402. 

  403.     /**
    404. 

  404.      * Credential provider that creates credentials using assume role
    405. 

  405.      *
    406. 

  406.      * @param array $config Array of configuration data
    407. 

  407.      * @return callable
    408. 

  408.      * @see Aws\Credentials\AssumeRoleCredentialProvider for $config details.
    409. 

  409.      */
    410. 

  410.     public static function assumeRole(array $config=[])
    411. 

  411.     {
    412. 

  412.         return new AssumeRoleCredentialProvider($config);
    413. 

  413.     }
    414. 

  414. 

  415.     /**
    416. 

  416.      * Credential provider that creates credentials by assuming role from a
    417. 

  417.      * Web Identity Token
    418. 

  418.      *
    419. 

  419.      * @param array $config Array of configuration data
    420. 

  420.      * @return callable
    421. 

  421.      * @see Aws\Credentials\AssumeRoleWithWebIdentityCredentialProvider for
    422. 

  422.      * $config details.
    423. 

  423.      */
    424. 

  424.     public static function assumeRoleWithWebIdentityCredentialProvider(array $config = [])
    425. 

  425.     {
    426. 

  426.         return function () use ($config) {
    427. 

  427.             $arnFromEnv = getenv(self::ENV_ARN);
    428. 

  428.             $tokenFromEnv = getenv(self::ENV_TOKEN_FILE);
    429. 

  429.             $stsClient = isset($config['stsClient'])
    430. 

  430.                 ? $config['stsClient']
    431. 

  431.                 : null;
    432. 

  432.             $region = isset($config['region'])
    433. 

  433.                 ? $config['region']
    434. 

  434.                 : null;
    435. 

  435. 

  436.             if ($tokenFromEnv && $arnFromEnv) {
    437. 

  437.                 $sessionName = getenv(self::ENV_ROLE_SESSION_NAME)
    438. 

  438.                     ? getenv(self::ENV_ROLE_SESSION_NAME)
    439. 

  439.                     : null;
    440. 

  440.                 $provider = new AssumeRoleWithWebIdentityCredentialProvider([
    441. 

  441.                     'RoleArn' => $arnFromEnv,
    442. 

  442.                     'WebIdentityTokenFile' => $tokenFromEnv,
    443. 

  443.                     'SessionName' => $sessionName,
    444. 

  444.                     'client' => $stsClient,
    445. 

  445.                     'region' => $region
    446. 

  446.                 ]);
    447. 

  447. 

  448.                 return $provider();
    449. 

  449.             }
    450. 

  450. 

  451.             $profileName = getenv(self::ENV_PROFILE) ?: 'default';
    452. 

  452.             if (isset($config['filename'])) {
    453. 

  453.                 $profiles = self::loadProfiles($config['filename']);
    454. 

  454.             } else {
    455. 

  455.                 $profiles = self::loadDefaultProfiles();
    456. 

  456.             }
    457. 

  457. 

  458.             if (isset($profiles[$profileName])) {
    459. 

  459.                 $profile = $profiles[$profileName];
    460. 

  460.                 if (isset($profile['region'])) {
    461. 

  461.                     $region = $profile['region'];
    462. 

  462.                 }
    463. 

  463.                 if (isset($profile['web_identity_token_file'])
    464. 

  464.                     && isset($profile['role_arn'])
    465. 

  465.                 ) {
    466. 

  466.                     $sessionName = isset($profile['role_session_name'])
    467. 

  467.                         ? $profile['role_session_name']
    468. 

  468.                         : null;
    469. 

  469.                     $provider = new AssumeRoleWithWebIdentityCredentialProvider([
    470. 

  470.                         'RoleArn' => $profile['role_arn'],
    471. 

  471.                         'WebIdentityTokenFile' => $profile['web_identity_token_file'],
    472. 

  472.                         'SessionName' => $sessionName,
    473. 

  473.                         'client' => $stsClient,
    474. 

  474.                         'region' => $region
    475. 

  475.                     ]);
    476. 

  476. 

  477.                     return $provider();
    478. 

  478.                 }
    479. 

  479.             } else {
    480. 

  480.                 return self::reject("Unknown profile: $profileName");
    481. 

  481.             }
    482. 

  482.             return self::reject("No RoleArn or WebIdentityTokenFile specified");
    483. 

  483.         };
    484. 

  484.     }
    485. 

  485. 

  486.     /**
    487. 

  487.      * Credentials provider that creates credentials using an ini file stored
    488. 

  488.      * in the current user's home directory.  A source can be provided
    489. 

  489.      * in this file for assuming a role using the credential_source config option.
    490. 

  490.      *
    491. 

  491.      * @param string|null $profile  Profile to use. If not specified will use
    492. 

  492.      *                              the "default" profile in "~/.aws/credentials".
    493. 

  493.      * @param string|null $filename If provided, uses a custom filename rather
    494. 

  494.      *                              than looking in the home directory.
    495. 

  495.      * @param array|null $config If provided, may contain the following:
    496. 

  496.      *                           preferStaticCredentials: If true, prefer static
    497. 

  497.      *                           credentials to role_arn if both are present
    498. 

  498.      *                           disableAssumeRole: If true, disable support for
    499. 

  499.      *                           roles that assume an IAM role. If true and role profile
    500. 

  500.      *                           is selected, an error is raised.
    501. 

  501.      *                           stsClient: StsClient used to assume role specified in profile
    502. 

  502.      *
    503. 

  503.      * @return callable
    504. 

  504.      */
    505. 

  505.     public static function ini($profile = null, $filename = null, array $config = [])
    506. 

  506.     {
    507. 

  507.         $filename = self::getFileName($filename);
    508. 

  508.         $profile = $profile ?: (getenv(self::ENV_PROFILE) ?: 'default');
    509. 

  509. 

  510.         return function () use ($profile, $filename, $config) {
    511. 

  511.             $preferStaticCredentials = isset($config['preferStaticCredentials'])
    512. 

  512.                 ? $config['preferStaticCredentials']
    513. 

  513.                 : false;
    514. 

  514.             $disableAssumeRole = isset($config['disableAssumeRole'])
    515. 

  515.                 ? $config['disableAssumeRole']
    516. 

  516.                 : false;
    517. 

  517.             $stsClient = isset($config['stsClient']) ? $config['stsClient'] : null;
    518. 

  518. 

  519.             if (!is_readable($filename)) {
    520. 

  520.                 return self::reject("Cannot read credentials from $filename");
    521. 

  521.             }
    522. 

  522.             $data = self::loadProfiles($filename);
    523. 

  523.             if ($data === false) {
    524. 

  524.                 return self::reject("Invalid credentials file: $filename");
    525. 

  525.             }
    526. 

  526.             if (!isset($data[$profile])) {
    527. 

  527.                 return self::reject("'$profile' not found in credentials file");
    528. 

  528.             }
    529. 

  529. 

  530.             /*
    531. 

  531.             In the CLI, the presence of both a role_arn and static credentials have
    532. 

  532.             different meanings depending on how many profiles have been visited. For
    533. 

  533.             the first profile processed, role_arn takes precedence over any static
    534. 

  534.             credentials, but for all subsequent profiles, static credentials are
    535. 

  535.             used if present, and only in their absence will the profile's
    536. 

  536.             source_profile and role_arn keys be used to load another set of
    537. 

  537.             credentials. This bool is intended to yield compatible behaviour in this
    538. 

  538.             sdk.
    539. 

  539.             */
    540. 

  540.             $preferStaticCredentialsToRoleArn = ($preferStaticCredentials
    541. 

  541.                 && isset($data[$profile]['aws_access_key_id'])
    542. 

  542.                 && isset($data[$profile]['aws_secret_access_key']));
    543. 

  543. 

  544.             if (isset($data[$profile]['role_arn'])
    545. 

  545.                 && !$preferStaticCredentialsToRoleArn
    546. 

  546.             ) {
    547. 

  547.                 if ($disableAssumeRole) {
    548. 

  548.                     return self::reject(
    549. 

  549.                         "Role assumption profiles are disabled. "
    550. 

  550.                         . "Failed to load profile " . $profile);
    551. 

  551.                 }
    552. 

  552.                 return self::loadRoleProfile(
    553. 

  553.                     $data,
    554. 

  554.                     $profile,
    555. 

  555.                     $filename,
    556. 

  556.                     $stsClient,
    557. 

  557.                     $config
    558. 

  558.                 );
    559. 

  559.             }
    560. 

  560. 

  561.             if (!isset($data[$profile]['aws_access_key_id'])
    562. 

  562.                 || !isset($data[$profile]['aws_secret_access_key'])
    563. 

  563.             ) {
    564. 

  564.                 return self::reject("No credentials present in INI profile "
    565. 

  565.                     . "'$profile' ($filename)");
    566. 

  566.             }
    567. 

  567. 

  568.             if (empty($data[$profile]['aws_session_token'])) {
    569. 

  569.                 $data[$profile]['aws_session_token']
    570. 

  570.                     = isset($data[$profile]['aws_security_token'])
    571. 

  571.                         ? $data[$profile]['aws_security_token']
    572. 

  572.                         : null;
    573. 

  573.             }
    574. 

  574. 

  575.             return Promise\promise_for(
    576. 

  576.                 new Credentials(
    577. 

  577.                     $data[$profile]['aws_access_key_id'],
    578. 

  578.                     $data[$profile]['aws_secret_access_key'],
    579. 

  579.                     $data[$profile]['aws_session_token']
    580. 

  580.                 )
    581. 

  581.             );
    582. 

  582.         };
    583. 

  583.     }
    584. 

  584. 

  585.     /**
    586. 

  586.      * Credentials provider that creates credentials using a process configured in
    587. 

  587.      * ini file stored in the current user's home directory.
    588. 

  588.      *
    589. 

  589.      * @param string|null $profile  Profile to use. If not specified will use
    590. 

  590.      *                              the "default" profile in "~/.aws/credentials".
    591. 

  591.      * @param string|null $filename If provided, uses a custom filename rather
    592. 

  592.      *                              than looking in the home directory.
    593. 

  593.      *
    594. 

  594.      * @return callable
    595. 

  595.      */
    596. 

  596.     public static function process($profile = null, $filename = null)
    597. 

  597.     {
    598. 

  598.         $filename = self::getFileName($filename);
    599. 

  599.         $profile = $profile ?: (getenv(self::ENV_PROFILE) ?: 'default');
    600. 

  600. 

  601.         return function () use ($profile, $filename) {
    602. 

  602.             if (!is_readable($filename)) {
    603. 

  603.                 return self::reject("Cannot read process credentials from $filename");
    604. 

  604.             }
    605. 

  605.             $data = \Aws\parse_ini_file($filename, true, INI_SCANNER_RAW);
    606. 

  606.             if ($data === false) {
    607. 

  607.                 return self::reject("Invalid credentials file: $filename");
    608. 

  608.             }
    609. 

  609.             if (!isset($data[$profile])) {
    610. 

  610.                 return self::reject("'$profile' not found in credentials file");
    611. 

  611.             }
    612. 

  612.             if (!isset($data[$profile]['credential_process'])) {
    613. 

  613.                 return self::reject("No credential_process present in INI profile "
    614. 

  614.                     . "'$profile' ($filename)");
    615. 

  615.             }
    616. 

  616. 

  617.             $credentialProcess = $data[$profile]['credential_process'];
    618. 

  618.             $json = shell_exec($credentialProcess);
    619. 

  619. 

  620.             $processData = json_decode($json, true);
    621. 

  621. 

  622.             // Only support version 1
    623. 

  623.             if (isset($processData['Version'])) {
    624. 

  624.                 if ($processData['Version'] !== 1) {
    625. 

  625.                     return self::reject("credential_process does not return Version == 1");
    626. 

  626.                 }
    627. 

  627.             }
    628. 

  628. 

  629.             if (!isset($processData['AccessKeyId'])
    630. 

  630.                 || !isset($processData['SecretAccessKey']))
    631. 

  631.             {
    632. 

  632.                 return self::reject("credential_process does not return valid credentials");
    633. 

  633.             }
    634. 

  634. 

  635.             if (isset($processData['Expiration'])) {
    636. 

  636.                 try {
    637. 

  637.                     $expiration = new DateTimeResult($processData['Expiration']);
    638. 

  638.                 } catch (\Exception $e) {
    639. 

  639.                     return self::reject("credential_process returned invalid expiration");
    640. 

  640.                 }
    641. 

  641.                 $now = new DateTimeResult();
    642. 

  642.                 if ($expiration < $now) {
    643. 

  643.                     return self::reject("credential_process returned expired credentials");
    644. 

  644.                 }
    645. 

  645.                 $expires = $expiration->getTimestamp();
    646. 

  646.             } else {
    647. 

  647.                 $expires = null;
    648. 

  648.             }
    649. 

  649. 

  650.             if (empty($processData['SessionToken'])) {
    651. 

  651.                 $processData['SessionToken'] = null;
    652. 

  652.             }
    653. 

  653. 

  654.             return Promise\promise_for(
    655. 

  655.                 new Credentials(
    656. 

  656.                     $processData['AccessKeyId'],
    657. 

  657.                     $processData['SecretAccessKey'],
    658. 

  658.                     $processData['SessionToken'],
    659. 

  659.                     $expires
    660. 

  660.                 )
    661. 

  661.             );
    662. 

  662.         };
    663. 

  663.     }
    664. 

  664. 

  665.     /**
    666. 

  666.      * Assumes role for profile that includes role_arn
    667. 

  667.      *
    668. 

  668.      * @return callable
    669. 

  669.      */
    670. 

  670.     private static function loadRoleProfile(
    671. 

  671.         $profiles,
    672. 

  672.         $profileName,
    673. 

  673.         $filename,
    674. 

  674.         $stsClient,
    675. 

  675.         $config = []
    676. 

  676.     ) {
    677. 

  677.         $roleProfile = $profiles[$profileName];
    678. 

  678.         $roleArn = isset($roleProfile['role_arn']) ? $roleProfile['role_arn'] : '';
    679. 

  679.         $roleSessionName = isset($roleProfile['role_session_name'])
    680. 

  680.             ? $roleProfile['role_session_name']
    681. 

  681.             : 'aws-sdk-php-' . round(microtime(true) * 1000);
    682. 

  682. 

  683.         if (
    684. 

  684.             empty($roleProfile['source_profile'])
    685. 

  685.             == empty($roleProfile['credential_source'])
    686. 

  686.         ) {
    687. 

  687.             return self::reject("Either source_profile or credential_source must be set " .
    688. 

  688.                 "using profile " . $profileName . ", but not both."
    689. 

  689.             );
    690. 

  690.         }
    691. 

  691. 

  692.         $sourceProfileName = "";
    693. 

  693.         if (!empty($roleProfile['source_profile'])) {
    694. 

  694.             $sourceProfileName = $roleProfile['source_profile'];
    695. 

  695.             if (!isset($profiles[$sourceProfileName])) {
    696. 

  696.                 return self::reject("source_profile " . $sourceProfileName
    697. 

  697.                     . " using profile " . $profileName . " does not exist"
    698. 

  698.                 );
    699. 

  699.             }
    700. 

  700.             if (isset($config['visited_profiles']) &&
    701. 

  701.                 in_array($roleProfile['source_profile'], $config['visited_profiles'])
    702. 

  702.             ) {
    703. 

  703.                 return self::reject("Circular source_profile reference found.");
    704. 

  704.             }
    705. 

  705.             $config['visited_profiles'] [] = $roleProfile['source_profile'];
    706. 

  706.         } else {
    707. 

  707.             if (empty($roleArn)) {
    708. 

  708.                 return self::reject(
    709. 

  709.                     "A role_arn must be provided with credential_source in " .
    710. 

  710.                     "file {$filename} under profile {$profileName} "
    711. 

  711.                 );
    712. 

  712.             }
    713. 

  713.         }
    714. 

  714. 

  715.         if (empty($stsClient)) {
    716. 

  716.             $sourceRegion = isset($profiles[$sourceProfileName]['region'])
    717. 

  717.                 ? $profiles[$sourceProfileName]['region']
    718. 

  718.                 : 'us-east-1';
    719. 

  719.             $config['preferStaticCredentials'] = true;
    720. 

  720.             $sourceCredentials = null;
    721. 

  721.             if (!empty($roleProfile['source_profile'])){
    722. 

  722.                 $sourceCredentials = call_user_func(
    723. 

  723.                     CredentialProvider::ini($sourceProfileName, $filename, $config)
    724. 

  724.                 )->wait();
    725. 

  725.             } else {
    726. 

  726.                 $sourceCredentials = self::getCredentialsFromSource(
    727. 

  727.                     $profileName,
    728. 

  728.                     $filename
    729. 

  729.                 );
    730. 

  730.             }
    731. 

  731.             $stsClient = new StsClient([
    732. 

  732.                 'credentials' => $sourceCredentials,
    733. 

  733.                 'region' => $sourceRegion,
    734. 

  734.                 'version' => '2011-06-15',
    735. 

  735.             ]);
    736. 

  736.         }
    737. 

  737. 

  738.         $result = $stsClient->assumeRole([
    739. 

  739.             'RoleArn' => $roleArn,
    740. 

  740.             'RoleSessionName' => $roleSessionName
    741. 

  741.         ]);
    742. 

  742. 

  743.         $credentials = $stsClient->createCredentials($result);
    744. 

  744.         return Promise\promise_for($credentials);
    745. 

  745.     }
    746. 

  746. 

  747.     /**
    748. 

  748.      * Gets the environment's HOME directory if available.
    749. 

  749.      *
    750. 

  750.      * @return null|string
    751. 

  751.      */
    752. 

  752.     private static function getHomeDir()
    753. 

  753.     {
    754. 

  754.         // On Linux/Unix-like systems, use the HOME environment variable
    755. 

  755.         if ($homeDir = getenv('HOME')) {
    756. 

  756.             return $homeDir;
    757. 

  757.         }
    758. 

  758. 

  759.         // Get the HOMEDRIVE and HOMEPATH values for Windows hosts
    760. 

  760.         $homeDrive = getenv('HOMEDRIVE');
    761. 

  761.         $homePath = getenv('HOMEPATH');
    762. 

  762. 

  763.         return ($homeDrive && $homePath) ? $homeDrive . $homePath : null;
    764. 

  764.     }
    765. 

  765. 

  766.     /**
    767. 

  767.      * Gets profiles from specified $filename, or default ini files.
    768. 

  768.      */
    769. 

  769.     private static function loadProfiles($filename)
    770. 

  770.     {
    771. 

  771.         $profileData = \Aws\parse_ini_file($filename, true, INI_SCANNER_RAW);
    772. 

  772. 

  773.         // If loading .aws/credentials, also load .aws/config when AWS_SDK_LOAD_NONDEFAULT_CONFIG is set
    774. 

  774.         if ($filename === self::getHomeDir() . '/.aws/credentials'
    775. 

  775.             && getenv('AWS_SDK_LOAD_NONDEFAULT_CONFIG')
    776. 

  776.         ) {
    777. 

  777.             $configFilename = self::getHomeDir() . '/.aws/config';
    778. 

  778.             $configProfileData = \Aws\parse_ini_file($configFilename, true, INI_SCANNER_RAW);
    779. 

  779.             foreach ($configProfileData as $name => $profile) {
    780. 

  780.                 // standardize config profile names
    781. 

  781.                 $name = str_replace('profile ', '', $name);
    782. 

  782.                 if (!isset($profileData[$name])) {
    783. 

  783.                     $profileData[$name] = $profile;
    784. 

  784.                 }
    785. 

  785.             }
    786. 

  786.         }
    787. 

  787. 

  788.         return $profileData;
    789. 

  789.     }
    790. 

  790. 

  791.     /**
    792. 

  792.      * Gets profiles from ~/.aws/credentials and ~/.aws/config ini files
    793. 

  793.      */
    794. 

  794.     private static function loadDefaultProfiles() {
    795. 

  795.         $profiles = [];
    796. 

  796.         $credFile = self::getHomeDir() . '/.aws/credentials';
    797. 

  797.         $configFile = self::getHomeDir() . '/.aws/config';
    798. 

  798.         if (file_exists($credFile)) {
    799. 

  799.             $profiles = \Aws\parse_ini_file($credFile, true, INI_SCANNER_RAW);
    800. 

  800.         }
    801. 

  801. 

  802.         if (file_exists($configFile)) {
    803. 

  803.             $configProfileData = \Aws\parse_ini_file($configFile, true, INI_SCANNER_RAW);
    804. 

  804.             foreach ($configProfileData as $name => $profile) {
    805. 

  805.                 // standardize config profile names
    806. 

  806.                 $name = str_replace('profile ', '', $name);
    807. 

  807.                 if (!isset($profiles[$name])) {
    808. 

  808.                     $profiles[$name] = $profile;
    809. 

  809.                 }
    810. 

  810.             }
    811. 

  811.         }
    812. 

  812. 

  813.         return $profiles;
    814. 

  814.     }
    815. 

  815. 

  816.     public static function getCredentialsFromSource(
    817. 

  817.         $profileName = '',
    818. 

  818.         $filename = '',
    819. 

  819.         $config = []
    820. 

  820.     ) {
    821. 

  821.         $data = self::loadProfiles($filename);
    822. 

  822.         $credentialSource = !empty($data[$profileName]['credential_source'])
    823. 

  823.             ? $data[$profileName]['credential_source']
    824. 

  824.             : null;
    825. 

  825.         $credentialsPromise = null;
    826. 

  826. 

  827.         switch ($credentialSource) {
    828. 

  828.             case 'Environment':
    829. 

  829.                 $credentialsPromise = self::env();
    830. 

  830.                 break;
    831. 

  831.             case 'Ec2InstanceMetadata':
    832. 

  832.                 $credentialsPromise = self::instanceProfile($config);
    833. 

  833.                 break;
    834. 

  834.             case 'EcsContainer':
    835. 

  835.                 $credentialsPromise = self::ecsCredentials($config);
    836. 

  836.                 break;
    837. 

  837.             default:
    838. 

  838.                 throw new CredentialsException(
    839. 

  839.                     "Invalid credential_source found in config file: {$credentialSource}. Valid inputs "
    840. 

  840.                     . "include Environment, Ec2InstanceMetadata, and EcsContainer."
    841. 

  841.                 );
    842. 

  842.         }
    843. 

  843. 

  844.         $credentialsResult = null;
    845. 

  845.         try {
    846. 

  846.             $credentialsResult = $credentialsPromise()->wait();
    847. 

  847.         } catch (\Exception $reason) {
    848. 

  848.             return self::reject(
    849. 

  849.                 "Unable to successfully retrieve credentials from the source specified in the"
    850. 

  850.                 . " credentials file: {$credentialSource}; failure message was: "
    851. 

  851.                 . $reason->getMessage()
    852. 

  852.             );
    853. 

  853.         }
    854. 

  854.         return function () use ($credentialsResult) {
    855. 

  855.             return Promise\promise_for($credentialsResult);
    856. 

  856.         };
    857. 

  857.     }
    858. 

  858. 

  859.     private static function reject($msg)
    860. 

  860.     {
    861. 

  861.         return new Promise\RejectedPromise(new CredentialsException($msg));
    862. 

  862.     }
    863. 

  863. 

  864.     /**
    865. 

  865.      * @param $filename
    866. 

  866.      * @return string
    867. 

  867.      */
    868. 

  868.     private static function getFileName($filename)
    869. 

  869.     {
    870. 

  870.         if (!isset($filename)) {
    871. 

  871.             $filename = getenv(self::ENV_SHARED_CREDENTIALS_FILE) ?:
    872. 

  872.                 (self::getHomeDir() . '/.aws/credentials');
    873. 

  873.         }
    874. 

  874.         return $filename;
    875. 

  875.     }
    876. 

  876. }
    877.