| 1 |
efrain |
1 |
<?php
|
|
|
2 |
namespace Aws\Sts;
|
|
|
3 |
|
| 1441 |
ariadna |
4 |
use Aws\Arn\ArnParser;
|
| 1 |
efrain |
5 |
use Aws\AwsClient;
|
|
|
6 |
use Aws\CacheInterface;
|
|
|
7 |
use Aws\Credentials\Credentials;
|
|
|
8 |
use Aws\Result;
|
|
|
9 |
use Aws\Sts\RegionalEndpoints\ConfigurationProvider;
|
|
|
10 |
|
|
|
11 |
/**
|
|
|
12 |
* This client is used to interact with the **AWS Security Token Service (AWS STS)**.
|
|
|
13 |
*
|
|
|
14 |
* @method \Aws\Result assumeRole(array $args = [])
|
|
|
15 |
* @method \GuzzleHttp\Promise\Promise assumeRoleAsync(array $args = [])
|
|
|
16 |
* @method \Aws\Result assumeRoleWithSAML(array $args = [])
|
|
|
17 |
* @method \GuzzleHttp\Promise\Promise assumeRoleWithSAMLAsync(array $args = [])
|
|
|
18 |
* @method \Aws\Result assumeRoleWithWebIdentity(array $args = [])
|
|
|
19 |
* @method \GuzzleHttp\Promise\Promise assumeRoleWithWebIdentityAsync(array $args = [])
|
| 1441 |
ariadna |
20 |
* @method \Aws\Result assumeRoot(array $args = [])
|
|
|
21 |
* @method \GuzzleHttp\Promise\Promise assumeRootAsync(array $args = [])
|
| 1 |
efrain |
22 |
* @method \Aws\Result decodeAuthorizationMessage(array $args = [])
|
|
|
23 |
* @method \GuzzleHttp\Promise\Promise decodeAuthorizationMessageAsync(array $args = [])
|
|
|
24 |
* @method \Aws\Result getAccessKeyInfo(array $args = [])
|
|
|
25 |
* @method \GuzzleHttp\Promise\Promise getAccessKeyInfoAsync(array $args = [])
|
|
|
26 |
* @method \Aws\Result getCallerIdentity(array $args = [])
|
|
|
27 |
* @method \GuzzleHttp\Promise\Promise getCallerIdentityAsync(array $args = [])
|
|
|
28 |
* @method \Aws\Result getFederationToken(array $args = [])
|
|
|
29 |
* @method \GuzzleHttp\Promise\Promise getFederationTokenAsync(array $args = [])
|
|
|
30 |
* @method \Aws\Result getSessionToken(array $args = [])
|
|
|
31 |
* @method \GuzzleHttp\Promise\Promise getSessionTokenAsync(array $args = [])
|
|
|
32 |
*/
|
|
|
33 |
class StsClient extends AwsClient
|
|
|
34 |
{
|
|
|
35 |
|
|
|
36 |
/**
|
|
|
37 |
* {@inheritdoc}
|
|
|
38 |
*
|
|
|
39 |
* In addition to the options available to
|
|
|
40 |
* {@see \Aws\AwsClient::__construct}, StsClient accepts the following
|
|
|
41 |
* options:
|
|
|
42 |
*
|
|
|
43 |
* - sts_regional_endpoints:
|
|
|
44 |
* (Aws\Sts\RegionalEndpoints\ConfigurationInterface|Aws\CacheInterface\|callable|string|array)
|
|
|
45 |
* Specifies whether to use regional or legacy endpoints for legacy regions.
|
|
|
46 |
* Provide an Aws\Sts\RegionalEndpoints\ConfigurationInterface object, an
|
|
|
47 |
* instance of Aws\CacheInterface, a callable configuration provider used
|
|
|
48 |
* to create endpoint configuration, a string value of `legacy` or
|
|
|
49 |
* `regional`, or an associative array with the following keys:
|
|
|
50 |
* endpoint_types (string) Set to `legacy` or `regional`, defaults to
|
|
|
51 |
* `legacy`
|
|
|
52 |
*
|
|
|
53 |
* @param array $args
|
|
|
54 |
*/
|
|
|
55 |
public function __construct(array $args)
|
|
|
56 |
{
|
|
|
57 |
if (
|
|
|
58 |
!isset($args['sts_regional_endpoints'])
|
|
|
59 |
|| $args['sts_regional_endpoints'] instanceof CacheInterface
|
|
|
60 |
) {
|
|
|
61 |
$args['sts_regional_endpoints'] = ConfigurationProvider::defaultProvider($args);
|
|
|
62 |
}
|
|
|
63 |
$this->addBuiltIns($args);
|
|
|
64 |
parent::__construct($args);
|
|
|
65 |
}
|
|
|
66 |
|
|
|
67 |
/**
|
|
|
68 |
* Creates credentials from the result of an STS operations
|
|
|
69 |
*
|
|
|
70 |
* @param Result $result Result of an STS operation
|
|
|
71 |
*
|
|
|
72 |
* @return Credentials
|
|
|
73 |
* @throws \InvalidArgumentException if the result contains no credentials
|
|
|
74 |
*/
|
| 1441 |
ariadna |
75 |
public function createCredentials(Result $result, $source=null)
|
| 1 |
efrain |
76 |
{
|
|
|
77 |
if (!$result->hasKey('Credentials')) {
|
|
|
78 |
throw new \InvalidArgumentException('Result contains no credentials');
|
|
|
79 |
}
|
|
|
80 |
|
| 1441 |
ariadna |
81 |
$accountId = null;
|
|
|
82 |
if ($result->hasKey('AssumedRoleUser')) {
|
|
|
83 |
$parsedArn = ArnParser::parse($result->get('AssumedRoleUser')['Arn']);
|
|
|
84 |
$accountId = $parsedArn->getAccountId();
|
|
|
85 |
} elseif ($result->hasKey('FederatedUser')) {
|
|
|
86 |
$parsedArn = ArnParser::parse($result->get('FederatedUser')['Arn']);
|
|
|
87 |
$accountId = $parsedArn->getAccountId();
|
|
|
88 |
}
|
| 1 |
efrain |
89 |
|
| 1441 |
ariadna |
90 |
$credentials = $result['Credentials'];
|
|
|
91 |
$expiration = isset($credentials['Expiration']) && $credentials['Expiration'] instanceof \DateTimeInterface
|
|
|
92 |
? (int) $credentials['Expiration']->format('U')
|
|
|
93 |
: null;
|
|
|
94 |
|
| 1 |
efrain |
95 |
return new Credentials(
|
| 1441 |
ariadna |
96 |
$credentials['AccessKeyId'],
|
|
|
97 |
$credentials['SecretAccessKey'],
|
|
|
98 |
isset($credentials['SessionToken']) ? $credentials['SessionToken'] : null,
|
|
|
99 |
$expiration,
|
|
|
100 |
$accountId,
|
|
|
101 |
$source
|
| 1 |
efrain |
102 |
);
|
|
|
103 |
}
|
|
|
104 |
|
|
|
105 |
/**
|
|
|
106 |
* Adds service-specific client built-in value
|
|
|
107 |
*
|
|
|
108 |
* @return void
|
|
|
109 |
*/
|
|
|
110 |
private function addBuiltIns($args)
|
|
|
111 |
{
|
|
|
112 |
$key = 'AWS::STS::UseGlobalEndpoint';
|
|
|
113 |
$result = $args['sts_regional_endpoints'] instanceof \Closure ?
|
|
|
114 |
$args['sts_regional_endpoints']()->wait() : $args['sts_regional_endpoints'];
|
|
|
115 |
|
|
|
116 |
if (is_string($result)) {
|
|
|
117 |
if ($result === 'regional') {
|
|
|
118 |
$value = false;
|
|
|
119 |
} else if ($result === 'legacy') {
|
|
|
120 |
$value = true;
|
|
|
121 |
} else {
|
|
|
122 |
return;
|
|
|
123 |
}
|
|
|
124 |
} else {
|
|
|
125 |
if ($result->getEndpointsType() === 'regional') {
|
|
|
126 |
$value = false;
|
|
|
127 |
} else {
|
|
|
128 |
$value = true;
|
|
|
129 |
}
|
|
|
130 |
}
|
|
|
131 |
|
|
|
132 |
$this->clientBuiltIns[$key] = $value;
|
|
|
133 |
}
|
|
|
134 |
}
|