WebSVN – Moodle – Diff – /lib/aws-sdk/src/Credentials/EcsCredentialProvider.php

 <?php
 namespace Aws\Credentials;
 use Aws\Arn\Arn;
+use Aws\Exception\CredentialsException;
+use GuzzleHttp\Exception\ConnectException;
-use Aws\Exception\CredentialsException;
+use GuzzleHttp\Exception\GuzzleException;
+use GuzzleHttp\Psr7\Request;
-use GuzzleHttp\Psr7\Request;
+use GuzzleHttp\Promise;
 use GuzzleHttp\Promise\PromiseInterface;
 use Psr\Http\Message\ResponseInterface;
 /**
- * Credential provider that fetches credentials with GET request.
+ * Credential provider that fetches container credentials with GET request.
- * ECS environment variable is used in constructing request URI.
+ * container environment variables are used in constructing request URI.
  */
 class EcsCredentialProvider
+{
     const SERVER_URI = 'http://169.254.170.2';
     const ENV_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
+    const ENV_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
-    const ENV_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
+    const ENV_AUTH_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
+    const ENV_AUTH_TOKEN_FILE = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE";
+    const ENV_TIMEOUT = 'AWS_METADATA_SERVICE_TIMEOUT';
+    const EKS_SERVER_HOST_IPV4 = '169.254.170.23';
+    const EKS_SERVER_HOST_IPV6 = 'fd00:ec2::23';
+    const ENV_RETRIES = 'AWS_METADATA_SERVICE_NUM_ATTEMPTS';
-    const ENV_AUTH_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
+    const DEFAULT_ENV_TIMEOUT = 1.0;
-    const ENV_TIMEOUT = 'AWS_METADATA_SERVICE_TIMEOUT';
+    const DEFAULT_ENV_RETRIES = 3;
     /** @var callable */
+    private $client;
+    /** @var float|mixed */
+    private $timeout;
+    /** @var int */
-    private $client;
+    private $retries;
-    /** @var float|mixed */
+    /** @var int */
+    private $attempts;
     private $timeout;
     /**
-    /**
+     *  The constructor accepts following options:
-     *  The constructor accepts following options:
+     *  - timeout: (optional) Connection timeout, in seconds, default 1.0
-     *  - timeout: (optional) Connection timeout, in seconds, default 1.0
+     *  - retries: Optional number of retries to be attempted, default 3.
      *  - client: An EcsClient to make request from
      *
+     * @param array $config Configuration options
+     */
+    public function __construct(array $config = [])
+    {
+        $this->timeout = (float) isset($config['timeout'])
-     * @param array $config Configuration options
-     */
-    public function __construct(array $config = [])
-    {
-        $timeout = getenv(self::ENV_TIMEOUT);
-        if (!$timeout) {
-            $timeout = isset($_SERVER[self::ENV_TIMEOUT])
-                ? $_SERVER[self::ENV_TIMEOUT]
-                : (isset($config['timeout']) ? $config['timeout'] : 1.0);
+            ? $config['timeout']
             : (getenv(self::ENV_TIMEOUT) ?: self::DEFAULT_ENV_TIMEOUT);
         $this->retries = (int) isset($config['retries'])
-        $this->timeout = (float) $timeout;
+            ? $config['retries']
-        $this->client = isset($config['client'])
+            : ((int) getenv(self::ENV_RETRIES) ?: self::DEFAULT_ENV_RETRIES);
             ? $config['client']
+        $this->client = $config['client'] ?? \Aws\default_http_handler();
             : \Aws\default_http_handler();
     /**
+     * Load container credentials.
+     *
+     * @return PromiseInterface
+     * @throws GuzzleException
-    /**
+     */
-     * Load ECS credentials
+    public function __invoke()
-     *
-     * @return PromiseInterface
+    {
-     */
+        $this->attempts = 0;
+        $uri = $this->getEcsUri();
+        if ($this->isCompatibleUri($uri)) {
-    public function __invoke()
+            return Promise\Coroutine::of(function () {
-    {
+                $client = $this->client;
-        $client = $this->client;
+                $request = new Request('GET', $this->getEcsUri());
-        $request = new Request('GET', self::getEcsUri());
+                $headers = $this->getHeadersForAuthToken();
+                $credentials = null;
-        $headers = $this->setHeaderForAuthToken();
+                while ($credentials === null) {
-        return $client(
+                    $credentials = (yield $client(
-            $request,
+                        $request,
+                        [
+                            'timeout' => $this->timeout,
+                            'proxy' => '',
+                            'headers' => $headers,
+                        ]
+                    )->then(function (ResponseInterface $response) {
+                        $result = $this->decodeResult((string)$response->getBody());
+                        if (!isset($result['AccountId']) && isset($result['RoleArn'])) {
+                            try {
-            [
+                                $parsedArn = new Arn($result['RoleArn']);
-                'timeout' => $this->timeout,
+                                $result['AccountId'] = $parsedArn->getAccountId();
-                'proxy' => '',
+                            } catch (\Exception $e) {
-                'headers' => $headers
+                                // AccountId will be null
-            ]
+                            }
+                        }
-        )->then(function (ResponseInterface $response) {
+                        return new Credentials(
-            $result = $this->decodeResult((string) $response->getBody());
+                            $result['AccessKeyId'],
-            return new Credentials(
+                            $result['SecretAccessKey'],
+                            $result['Token'],
+                            strtotime($result['Expiration']),
+                            $result['AccountId'] ?? null,
+                            CredentialSources::ECS
+                        );
-                $result['AccessKeyId'],
+                    })->otherwise(function ($reason) {
-                $result['SecretAccessKey'],
+                        $reason = is_array($reason) ? $reason['exception'] : $reason;
+                        $isRetryable = $reason instanceof ConnectException;
+                        if ($isRetryable && ($this->attempts < $this->retries)) {
+                            sleep((int)pow(1.2, $this->attempts));
+                        } else {
+                            $msg = $reason->getMessage();
+                            throw new CredentialsException(
-                $result['Token'],
+                                sprintf('Error retrieving credentials from container metadata after attempt %d/%d (%s)', $this->attempts, $this->retries, $msg)
-                strtotime($result['Expiration'])
+                            );
-            );
+                        }
+                    }));
+                    $this->attempts++;
+                }
+                yield $credentials;
+            });
+        }
+        throw new CredentialsException("Uri '{$uri}' contains an unsupported host.");
+    }
+    /**
-        })->otherwise(function ($reason) {
+     * Returns the number of attempts that have been done.
-            $reason = is_array($reason) ? $reason['exception'] : $reason;
+     *
+     * @return int
+     */
+    public function getAttempts(): int
+    {
+        return $this->attempts;
             $msg = $reason->getMessage();
             throw new CredentialsException(
+    /**
+     * Retrieves authorization token.
+     *
+     * @return array|false|string
+     */
+    private function getEcsAuthToken()
+    {
+        if (!empty($path = getenv(self::ENV_AUTH_TOKEN_FILE))) {
+            $token =  @file_get_contents($path);
+            if (false === $token) {
+                clearstatcache(true, dirname($path) . DIRECTORY_SEPARATOR . @readlink($path));
+                clearstatcache(true, dirname($path) . DIRECTORY_SEPARATOR . dirname(@readlink($path)));
+                clearstatcache(true, $path);
+            }
+            if (!is_readable($path)) {
+                throw new CredentialsException("Failed to read authorization token from '{$path}': no such file or directory.");
+            }
+            $token = @file_get_contents($path);
-                "Error retrieving credential from ECS ($msg)"
+            if (empty($token)) {
-            );
+                throw new CredentialsException("Invalid authorization token read from `$path`. Token file is empty!");
+            }
+            return $token;
+        }
+        return getenv(self::ENV_AUTH_TOKEN);
+    }
+    /**
+     * Provides headers for credential metadata request.
+     *
+     * @return array|array[]|string[]
+     */
+    private function getHeadersForAuthToken()
+    {
+        $authToken = self::getEcsAuthToken();
+        $headers = [];
-        });
+        if (!empty($authToken))
             $headers = ['Authorization' => $authToken];
-    private function getEcsAuthToken()
+        return $headers;
+    }
         return getenv(self::ENV_AUTH_TOKEN);
     /** @deprecated */
     public function setHeaderForAuthToken()
-    public function setHeaderForAuthToken(){
+    {
         $authToken = self::getEcsAuthToken();
         $headers = [];
-        if(!empty($authToken))
+        if (!empty($authToken))
             $headers = ['Authorization' => $authToken];
         return $headers;
+    }
     /**
-     * Fetch credential URI from ECS environment variable
+     * Fetch container metadata URI from container environment variable.
+     *
-     * @return string Returns ECS URI
+     * @return string Returns container metadata URI
      */
     private function getEcsUri()
     {
         $credsUri = getenv(self::ENV_URI);
         if ($credsUri === false) {
-            $credsUri = isset($_SERVER[self::ENV_URI]) ? $_SERVER[self::ENV_URI] : '';
+            $credsUri = $_SERVER[self::ENV_URI] ?? '';
+        }
-        if(empty($credsUri)){
+        if (empty($credsUri)){
             $credFullUri = getenv(self::ENV_FULL_URI);
-            if($credFullUri === false){
+            if ($credFullUri === false){
-                $credFullUri = isset($_SERVER[self::ENV_FULL_URI]) ? $_SERVER[self::ENV_FULL_URI] : '';
+                $credFullUri = $_SERVER[self::ENV_FULL_URI] ?? '';
+            }
-            if(!empty($credFullUri))
+            if (!empty($credFullUri))
+                return $credFullUri;
+        }
+        return self::SERVER_URI . $credsUri;
+    }
+    private function decodeResult($response)
+    {
+        $result = json_decode($response, true);
+        if (!isset($result['AccessKeyId'])) {
+            throw new CredentialsException('Unexpected container metadata credentials value');
+        }
+        return $result;
+    }
+    /**
+     * Determines whether or not a given request URI is a valid
+     * container credential request URI.
+     *
+     * @param $uri
+     *
+     * @return bool
+     */
+    private function isCompatibleUri($uri)
+    {
+        $parsed = parse_url($uri);
+        if ($parsed['scheme'] !== 'https') {
-                return $credFullUri;
+            $host = trim($parsed['host'], '[]');

Proyectos de Subversion Moodle

(root)/lib/aws-sdk/src/Credentials/EcsCredentialProvider.php – Rev 1 → 1441