170 lines
5.0 KiB
PHP
Executable File
170 lines
5.0 KiB
PHP
Executable File
<?php
|
|
|
|
namespace Aws\Auth;
|
|
|
|
use Aws\Auth\Exception\UnresolvedAuthSchemeException;
|
|
use Aws\Identity\AwsCredentialIdentity;
|
|
use Aws\Identity\BearerTokenIdentity;
|
|
use GuzzleHttp\Promise\PromiseInterface;
|
|
|
|
/**
|
|
* Houses logic for selecting an auth scheme modeled in a service's `auth` trait.
|
|
* The `auth` trait can be modeled either in a service's metadata, or at the operation level.
|
|
*/
|
|
class AuthSchemeResolver implements AuthSchemeResolverInterface
|
|
{
|
|
const UNSIGNED_BODY = '-unsigned-body';
|
|
|
|
/**
|
|
* @var string[] Default mapping of modeled auth trait auth schemes
|
|
* to the SDK's supported signature versions.
|
|
*/
|
|
private static $defaultAuthSchemeMap = [
|
|
'aws.auth#sigv4' => 'v4',
|
|
'aws.auth#sigv4a' => 'v4a',
|
|
'smithy.api#httpBearerAuth' => 'bearer',
|
|
'smithy.api#noAuth' => 'anonymous'
|
|
];
|
|
|
|
/**
|
|
* @var array Mapping of auth schemes to signature versions used in
|
|
* resolving a signature version.
|
|
*/
|
|
private $authSchemeMap;
|
|
private $tokenProvider;
|
|
private $credentialProvider;
|
|
|
|
|
|
public function __construct(
|
|
callable $credentialProvider,
|
|
callable $tokenProvider = null,
|
|
array $authSchemeMap = []
|
|
){
|
|
$this->credentialProvider = $credentialProvider;
|
|
$this->tokenProvider = $tokenProvider;
|
|
$this->authSchemeMap = empty($authSchemeMap)
|
|
? self::$defaultAuthSchemeMap
|
|
: $authSchemeMap;
|
|
}
|
|
|
|
/**
|
|
* Accepts a priority-ordered list of auth schemes and an Identity
|
|
* and selects the first compatible auth schemes, returning a normalized
|
|
* signature version. For example, based on the default auth scheme mapping,
|
|
* if `aws.auth#sigv4` is selected, `v4` will be returned.
|
|
*
|
|
* @param array $authSchemes
|
|
* @param $identity
|
|
*
|
|
* @return string
|
|
* @throws UnresolvedAuthSchemeException
|
|
*/
|
|
public function selectAuthScheme(
|
|
array $authSchemes,
|
|
array $args = []
|
|
): string
|
|
{
|
|
$failureReasons = [];
|
|
|
|
foreach($authSchemes as $authScheme) {
|
|
$normalizedAuthScheme = $this->authSchemeMap[$authScheme] ?? $authScheme;
|
|
|
|
if ($this->isCompatibleAuthScheme($normalizedAuthScheme)) {
|
|
if ($normalizedAuthScheme === 'v4' && !empty($args['unsigned_payload'])) {
|
|
return $normalizedAuthScheme . self::UNSIGNED_BODY;
|
|
}
|
|
|
|
return $normalizedAuthScheme;
|
|
} else {
|
|
$failureReasons[] = $this->getIncompatibilityMessage($normalizedAuthScheme);
|
|
}
|
|
}
|
|
|
|
throw new UnresolvedAuthSchemeException(
|
|
'Could not resolve an authentication scheme: '
|
|
. implode('; ', $failureReasons)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Determines compatibility based on either Identity or the availability
|
|
* of the CRT extension.
|
|
*
|
|
* @param $authScheme
|
|
*
|
|
* @return bool
|
|
*/
|
|
private function isCompatibleAuthScheme($authScheme): bool
|
|
{
|
|
switch ($authScheme) {
|
|
case 'v4':
|
|
case 'anonymous':
|
|
return $this->hasAwsCredentialIdentity();
|
|
case 'v4a':
|
|
return extension_loaded('awscrt') && $this->hasAwsCredentialIdentity();
|
|
case 'bearer':
|
|
return $this->hasBearerTokenIdentity();
|
|
default:
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Provides incompatibility messages in the event an incompatible auth scheme
|
|
* is encountered.
|
|
*
|
|
* @param $authScheme
|
|
*
|
|
* @return string
|
|
*/
|
|
private function getIncompatibilityMessage($authScheme): string
|
|
{
|
|
switch ($authScheme) {
|
|
case 'v4':
|
|
return 'Signature V4 requires AWS credentials for request signing';
|
|
case 'anonymous':
|
|
return 'Anonymous signatures require AWS credentials for request signing';
|
|
case 'v4a':
|
|
return 'The aws-crt-php extension and AWS credentials are required to use Signature V4A';
|
|
case 'bearer':
|
|
return 'Bearer token credentials must be provided to use Bearer authentication';
|
|
default:
|
|
return "The service does not support `{$authScheme}` authentication.";
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @return bool
|
|
*/
|
|
private function hasAwsCredentialIdentity(): bool
|
|
{
|
|
$fn = $this->credentialProvider;
|
|
$result = $fn();
|
|
|
|
if ($result instanceof PromiseInterface) {
|
|
return $result->wait() instanceof AwsCredentialIdentity;
|
|
}
|
|
|
|
return $result instanceof AwsCredentialIdentity;
|
|
}
|
|
|
|
/**
|
|
* @return bool
|
|
*/
|
|
private function hasBearerTokenIdentity(): bool
|
|
{
|
|
if ($this->tokenProvider) {
|
|
$fn = $this->tokenProvider;
|
|
$result = $fn();
|
|
|
|
if ($result instanceof PromiseInterface) {
|
|
return $result->wait() instanceof BearerTokenIdentity;
|
|
}
|
|
|
|
return $result instanceof BearerTokenIdentity;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
}
|