365 lines
10 KiB
PHP
Executable File
365 lines
10 KiB
PHP
Executable File
<?php
|
|
namespace Aws\EndpointV2;
|
|
|
|
use Aws\Api\Operation;
|
|
use Aws\Api\Service;
|
|
use Aws\Auth\Exception\UnresolvedAuthSchemeException;
|
|
use Aws\CommandInterface;
|
|
use Closure;
|
|
use GuzzleHttp\Promise\Promise;
|
|
|
|
/**
|
|
* Handles endpoint rule evaluation and endpoint resolution.
|
|
*
|
|
* IMPORTANT: this middleware must be added to the "build" step.
|
|
* Specifically, it must precede the 'builder' step.
|
|
*
|
|
* @internal
|
|
*/
|
|
class EndpointV2Middleware
|
|
{
|
|
const ACCOUNT_ID_PARAM = 'AccountId';
|
|
const ACCOUNT_ID_ENDPOINT_MODE_PARAM = 'AccountIdEndpointMode';
|
|
private static $validAuthSchemes = [
|
|
'sigv4' => 'v4',
|
|
'sigv4a' => 'v4a',
|
|
'none' => 'anonymous',
|
|
'bearer' => 'bearer',
|
|
'sigv4-s3express' => 'v4-s3express'
|
|
];
|
|
|
|
/** @var callable */
|
|
private $nextHandler;
|
|
|
|
/** @var EndpointProviderV2 */
|
|
private $endpointProvider;
|
|
|
|
/** @var Service */
|
|
private $api;
|
|
|
|
/** @var array */
|
|
private $clientArgs;
|
|
|
|
/** @var Closure */
|
|
private $credentialProvider;
|
|
|
|
/**
|
|
* Create a middleware wrapper function
|
|
*
|
|
* @param EndpointProviderV2 $endpointProvider
|
|
* @param Service $api
|
|
* @param array $args
|
|
* @param callable $credentialProvider
|
|
*
|
|
* @return Closure
|
|
*/
|
|
public static function wrap(
|
|
EndpointProviderV2 $endpointProvider,
|
|
Service $api,
|
|
array $args,
|
|
callable $credentialProvider
|
|
) : Closure
|
|
{
|
|
return function (callable $handler) use ($endpointProvider, $api, $args, $credentialProvider) {
|
|
return new self($handler, $endpointProvider, $api, $args, $credentialProvider);
|
|
};
|
|
}
|
|
|
|
/**
|
|
* @param callable $nextHandler
|
|
* @param EndpointProviderV2 $endpointProvider
|
|
* @param Service $api
|
|
* @param array $args
|
|
*/
|
|
public function __construct(
|
|
callable $nextHandler,
|
|
EndpointProviderV2 $endpointProvider,
|
|
Service $api,
|
|
array $args,
|
|
callable $credentialProvider = null
|
|
)
|
|
{
|
|
$this->nextHandler = $nextHandler;
|
|
$this->endpointProvider = $endpointProvider;
|
|
$this->api = $api;
|
|
$this->clientArgs = $args;
|
|
$this->credentialProvider = $credentialProvider;
|
|
}
|
|
|
|
/**
|
|
* @param CommandInterface $command
|
|
*
|
|
* @return Promise
|
|
*/
|
|
public function __invoke(CommandInterface $command)
|
|
{
|
|
$nextHandler = $this->nextHandler;
|
|
$operation = $this->api->getOperation($command->getName());
|
|
$commandArgs = $command->toArray();
|
|
$providerArgs = $this->resolveArgs($commandArgs, $operation);
|
|
$endpoint = $this->endpointProvider->resolveEndpoint($providerArgs);
|
|
|
|
if (!empty($authSchemes = $endpoint->getProperty('authSchemes'))) {
|
|
$this->applyAuthScheme(
|
|
$authSchemes,
|
|
$command
|
|
);
|
|
}
|
|
|
|
return $nextHandler($command, $endpoint);
|
|
}
|
|
|
|
/**
|
|
* Resolves client, context params, static context params and endpoint provider
|
|
* arguments provided at the command level.
|
|
*
|
|
* @param array $commandArgs
|
|
* @param Operation $operation
|
|
*
|
|
* @return array
|
|
*/
|
|
private function resolveArgs(array $commandArgs, Operation $operation): array
|
|
{
|
|
$rulesetParams = $this->endpointProvider->getRuleset()->getParameters();
|
|
|
|
if (isset($rulesetParams[self::ACCOUNT_ID_PARAM])
|
|
&& isset($rulesetParams[self::ACCOUNT_ID_ENDPOINT_MODE_PARAM])) {
|
|
$this->clientArgs[self::ACCOUNT_ID_PARAM] = $this->resolveAccountId();
|
|
}
|
|
|
|
$endpointCommandArgs = $this->filterEndpointCommandArgs(
|
|
$rulesetParams,
|
|
$commandArgs
|
|
);
|
|
$staticContextParams = $this->bindStaticContextParams(
|
|
$operation->getStaticContextParams()
|
|
);
|
|
$contextParams = $this->bindContextParams(
|
|
$commandArgs, $operation->getContextParams()
|
|
);
|
|
|
|
return array_merge(
|
|
$this->clientArgs,
|
|
$contextParams,
|
|
$staticContextParams,
|
|
$endpointCommandArgs
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Compares Ruleset parameters against Command arguments
|
|
* to create a mapping of arguments to pass into the
|
|
* endpoint provider for endpoint resolution.
|
|
*
|
|
* @param array $rulesetParams
|
|
* @param array $commandArgs
|
|
* @return array
|
|
*/
|
|
private function filterEndpointCommandArgs(
|
|
array $rulesetParams,
|
|
array $commandArgs
|
|
): array
|
|
{
|
|
$endpointMiddlewareOpts = [
|
|
'@use_dual_stack_endpoint' => 'UseDualStack',
|
|
'@use_accelerate_endpoint' => 'Accelerate',
|
|
'@use_path_style_endpoint' => 'ForcePathStyle'
|
|
];
|
|
|
|
$filteredArgs = [];
|
|
|
|
foreach($rulesetParams as $name => $value) {
|
|
if (isset($commandArgs[$name])) {
|
|
if (!empty($value->getBuiltIn())) {
|
|
continue;
|
|
}
|
|
$filteredArgs[$name] = $commandArgs[$name];
|
|
}
|
|
}
|
|
|
|
if ($this->api->getServiceName() === 's3') {
|
|
foreach($endpointMiddlewareOpts as $optionName => $newValue) {
|
|
if (isset($commandArgs[$optionName])) {
|
|
$filteredArgs[$newValue] = $commandArgs[$optionName];
|
|
}
|
|
}
|
|
}
|
|
|
|
return $filteredArgs;
|
|
}
|
|
|
|
/**
|
|
* Binds static context params to their corresponding values.
|
|
*
|
|
* @param $staticContextParams
|
|
*
|
|
* @return array
|
|
*/
|
|
private function bindStaticContextParams($staticContextParams): array
|
|
{
|
|
$scopedParams = [];
|
|
|
|
forEach($staticContextParams as $paramName => $paramValue) {
|
|
$scopedParams[$paramName] = $paramValue['value'];
|
|
}
|
|
|
|
return $scopedParams;
|
|
}
|
|
|
|
/**
|
|
* Binds context params to their corresponding values found in
|
|
* command arguments.
|
|
*
|
|
* @param array $commandArgs
|
|
* @param array $contextParams
|
|
*
|
|
* @return array
|
|
*/
|
|
private function bindContextParams(
|
|
array $commandArgs,
|
|
array $contextParams
|
|
): array
|
|
{
|
|
$scopedParams = [];
|
|
|
|
foreach($contextParams as $name => $spec) {
|
|
if (isset($commandArgs[$spec['shape']])) {
|
|
$scopedParams[$name] = $commandArgs[$spec['shape']];
|
|
}
|
|
}
|
|
|
|
return $scopedParams;
|
|
}
|
|
|
|
/**
|
|
* Applies resolved auth schemes to the command object.
|
|
*
|
|
* @param $authSchemes
|
|
* @param $command
|
|
*
|
|
* @return void
|
|
*/
|
|
private function applyAuthScheme(
|
|
array $authSchemes,
|
|
CommandInterface $command
|
|
): void
|
|
{
|
|
$authScheme = $this->resolveAuthScheme($authSchemes);
|
|
|
|
$command['@context']['signature_version'] = $authScheme['version'];
|
|
|
|
if (isset($authScheme['name'])) {
|
|
$command['@context']['signing_service'] = $authScheme['name'];
|
|
}
|
|
|
|
if (isset($authScheme['region'])) {
|
|
$command['@context']['signing_region'] = $authScheme['region'];
|
|
} elseif (isset($authScheme['signingRegionSet'])) {
|
|
$command['@context']['signing_region_set'] = $authScheme['signingRegionSet'];
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Returns the first compatible auth scheme in an endpoint object's
|
|
* auth schemes.
|
|
*
|
|
* @param array $authSchemes
|
|
*
|
|
* @return array
|
|
*/
|
|
private function resolveAuthScheme(array $authSchemes): array
|
|
{
|
|
$invalidAuthSchemes = [];
|
|
|
|
foreach($authSchemes as $authScheme) {
|
|
if ($this->isValidAuthScheme($authScheme['name'])) {
|
|
return $this->normalizeAuthScheme($authScheme);
|
|
}
|
|
$invalidAuthSchemes[$authScheme['name']] = false;
|
|
}
|
|
|
|
$invalidAuthSchemesString = '`' . implode(
|
|
'`, `',
|
|
array_keys($invalidAuthSchemes))
|
|
. '`';
|
|
$validAuthSchemesString = '`'
|
|
. implode('`, `', array_keys(
|
|
array_diff_key(self::$validAuthSchemes, $invalidAuthSchemes))
|
|
)
|
|
. '`';
|
|
throw new UnresolvedAuthSchemeException(
|
|
"This operation requests {$invalidAuthSchemesString}"
|
|
. " auth schemes, but the client currently supports {$validAuthSchemesString}."
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Normalizes an auth scheme's name, signing region or signing region set
|
|
* to the auth keys recognized by the SDK.
|
|
*
|
|
* @param array $authScheme
|
|
* @return array
|
|
*/
|
|
private function normalizeAuthScheme(array $authScheme): array
|
|
{
|
|
/*
|
|
sigv4a will contain a regionSet property. which is guaranteed to be `*`
|
|
for now. The SigV4 class handles this automatically for now. It seems
|
|
complexity will be added here in the future.
|
|
*/
|
|
$normalizedAuthScheme = [];
|
|
|
|
if (isset($authScheme['disableDoubleEncoding'])
|
|
&& $authScheme['disableDoubleEncoding'] === true
|
|
&& $authScheme['name'] !== 'sigv4a'
|
|
&& $authScheme['name'] !== 'sigv4-s3express'
|
|
) {
|
|
$normalizedAuthScheme['version'] = 's3v4';
|
|
} else {
|
|
$normalizedAuthScheme['version'] = self::$validAuthSchemes[$authScheme['name']];
|
|
}
|
|
|
|
$normalizedAuthScheme['name'] = $authScheme['signingName'] ?? null;
|
|
$normalizedAuthScheme['region'] = $authScheme['signingRegion'] ?? null;
|
|
$normalizedAuthScheme['signingRegionSet'] = $authScheme['signingRegionSet'] ?? null;
|
|
|
|
return $normalizedAuthScheme;
|
|
}
|
|
|
|
private function isValidAuthScheme($signatureVersion): bool
|
|
{
|
|
if (isset(self::$validAuthSchemes[$signatureVersion])) {
|
|
if ($signatureVersion === 'sigv4a') {
|
|
return extension_loaded('awscrt');
|
|
}
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* This method tries to resolve an `AccountId` parameter from a resolved identity.
|
|
* We will just perform this operation if the parameter `AccountId` is part of the ruleset parameters and
|
|
* `AccountIdEndpointMode` is not disabled, otherwise, we will ignore it.
|
|
*
|
|
* @return null|string
|
|
*/
|
|
private function resolveAccountId(): ?string
|
|
{
|
|
if (isset($this->clientArgs[self::ACCOUNT_ID_ENDPOINT_MODE_PARAM])
|
|
&& $this->clientArgs[self::ACCOUNT_ID_ENDPOINT_MODE_PARAM] === 'disabled') {
|
|
return null;
|
|
}
|
|
|
|
if (is_null($this->credentialProvider)) {
|
|
return null;
|
|
}
|
|
|
|
$identityProviderFn = $this->credentialProvider;
|
|
$identity = $identityProviderFn()->wait();
|
|
|
|
return $identity->getAccountId();
|
|
}
|
|
}
|