Proyectos de Subversion Moodle

<?php

namespace Aws\Token;

use Aws\Exception\TokenException;

use GuzzleHttp\Promise;

/**

 * Token that comes from the SSO provider

 */

class SsoTokenProvider implements RefreshableTokenProviderInterface

{

    use ParsesIniTrait;

    const ENV_PROFILE = 'AWS_PROFILE';

    private $ssoProfileName;

    private $filename;

    private $ssoOidcClient;

    /**

     * Constructs a new SsoTokenProvider object, which will fetch a token from an authenticated SSO profile

     * @param string $ssoProfileName The name of the profile that contains the sso_session key

     * @param int    $filename Name of the config file to sso profile from

     */

    public function __construct($ssoProfileName, $filename = null, $ssoOidcClient = null) {

        $profileName = getenv(self::ENV_PROFILE) ?: 'default';

        $this->ssoProfileName = !empty($ssoProfileName) ? $ssoProfileName : $profileName;

        $this->filename =  !empty($filename)

            ? $filename :

            self::getHomeDir() . '/.aws/config';

        $this->ssoOidcClient = $ssoOidcClient;

    }

    /*

     * Loads cached sso credentials

     *

     * @return PromiseInterface

     */

    public function __invoke()

    {

        return Promise\Coroutine::of(function () {

            if (!@is_readable($this->filename)) {

                throw new TokenException("Cannot read profiles from $this->filename");

            }

            $profiles = self::loadProfiles($this->filename);

            if (!isset($profiles[$this->ssoProfileName])) {

                throw new TokenException("Profile {$this->ssoProfileName} does not exist in {$this->filename}.");

            }

            $ssoProfile = $profiles[$this->ssoProfileName];

            if (empty($ssoProfile['sso_session'])) {

                throw new TokenException(

                    "Profile {$this->ssoProfileName} in {$this->filename} must contain an sso_session."

                );

            }

            $sessionProfileName = 'sso-session ' . $ssoProfile['sso_session'];

            if (empty($profiles[$sessionProfileName])) {

                throw new TokenException(

                    "Profile {$this->ssoProfileName} does not exist in {$this->filename}"

                );

            }

            $sessionProfileData = $profiles[$sessionProfileName];

            if (empty($sessionProfileData['sso_start_url'])

                || empty($sessionProfileData['sso_region'])

            ) {

                throw new TokenException(

                    "Profile {$this->ssoProfileName} in {$this->filename} must contain the following keys: "

                    . "sso_start_url and sso_region."

                );

            }

            $tokenLocation = self::getTokenLocation($ssoProfile['sso_session']);

            if (!@is_readable($tokenLocation)) {

                throw new TokenException("Unable to read token file at $tokenLocation");

            }

            $tokenData = $this->getTokenData($tokenLocation);

            $this->validateTokenData($tokenLocation, $tokenData);

            yield new SsoToken(

                $tokenData['accessToken'],

                $tokenData['expiresAt'],

                isset($tokenData['refreshToken']) ? $tokenData['refreshToken'] : null,

                isset($tokenData['clientId']) ? $tokenData['clientId'] : null,

                isset($tokenData['clientSecret']) ? $tokenData['clientSecret'] : null,

                isset($tokenData['registrationExpiresAt']) ? $tokenData['registrationExpiresAt'] : null,

                isset($tokenData['region']) ? $tokenData['region'] : null,

                isset($tokenData['startUrl']) ? $tokenData['startUrl'] : null

            );

        });

    }

    /**

     * Refreshes the token

     * @return mixed|null

     */

    public function refresh() {

        try {

            //try to reload from disk

            $token = $this();

            if (

                $token instanceof SsoToken

                && !$token->shouldAttemptRefresh()

            ) {

                return $token;

            }

        } finally {

            //if reload from disk fails, try refreshing

            $tokenLocation = self::getTokenLocation($this->ssoProfileName);

            $tokenData = $this->getTokenData($tokenLocation);

            if (

                empty($this->ssoOidcClient)

                || empty($tokenData['startUrl'])

            ) {

                throw new TokenException(

                    "Cannot refresh this token without an 'ssooidcClient' "

                    . "and a 'start_url'"

                );

            }

            $response = $this->ssoOidcClient->createToken([

                'clientId' => $tokenData['clientId'],

                'clientSecret' => $tokenData['clientSecret'],

                'grantType' => 'refresh_token', // REQUIRED

                'refreshToken' => $tokenData['refreshToken'],

            ]);

            if ($response['@metadata']['statusCode'] == 200) {

                $tokenData['accessToken'] = $response['accessToken'];

                $tokenData['expiresAt'] = time () + $response['expiresIn'];

                $tokenData['refreshToken'] = $response['refreshToken'];

                $token = new SsoToken(

                    $tokenData['accessToken'],

                    $tokenData['expiresAt'],

                    $tokenData['refreshToken'],

                    isset($tokenData['clientId']) ? $tokenData['clientId'] : null,

                    isset($tokenData['clientSecret']) ? $tokenData['clientSecret'] : null,

                    isset($tokenData['registrationExpiresAt']) ? $tokenData['registrationExpiresAt'] : null,

                    isset($tokenData['region']) ? $tokenData['region'] : null,

                    isset($tokenData['startUrl']) ? $tokenData['startUrl'] : null                );

                $this->writeNewTokenDataToDisk($tokenData, $tokenLocation);

                return $token;

            }

        }

    }

    public function shouldAttemptRefresh()

    {

        $tokenLocation = self::getTokenLocation($this->ssoProfileName);

        $tokenData = $this->getTokenData($tokenLocation);

        return strtotime("-10 minutes") >= strtotime($tokenData['expiresAt']);

    }

    /**

     * @param $sso_session

     * @return string

     */

    public static function getTokenLocation($sso_session)

    {

        return self::getHomeDir()

            . '/.aws/sso/cache/'

            . mb_convert_encoding(sha1($sso_session), "UTF-8")

            . ".json";

    }

    /**

     * @param $tokenLocation

     * @return array

     */

    function getTokenData($tokenLocation)

    {

        return json_decode(file_get_contents($tokenLocation), true);

    }

    /**

     * @param $tokenData

     * @param $tokenLocation

     * @return mixed

     */

    private function validateTokenData($tokenLocation, $tokenData)

    {

        if (empty($tokenData['accessToken']) || empty($tokenData['expiresAt'])) {

            throw new TokenException(

                "Token file at {$tokenLocation} must contain an access token and an expiration"

            );

        }

        $expiration = strtotime($tokenData['expiresAt']);

        if ($expiration === false) {

            throw new TokenException("Cached SSO token returned an invalid expiration");

        } elseif ($expiration < time()) {

            throw new TokenException("Cached SSO token returned an expired token");

        }

        return $tokenData;

    }

    /**

     * @param array $tokenData

     * @param string $tokenLocation

     * @return void

     */

    private function writeNewTokenDataToDisk(array $tokenData, $tokenLocation)

    {

        $tokenData['expiresAt'] = gmdate(

            'Y-m-d\TH:i:s\Z',

            $tokenData['expiresAt']

        );

        file_put_contents($tokenLocation, json_encode(array_filter($tokenData)));

    }

}