WebSVN – Moodle – Diff – /lib/aws-sdk/src/Token/SsoTokenProvider.php

 <?php
 namespace Aws\Token;
+use Aws\Exception\TokenException;
-use Aws\Exception\TokenException;
+use Aws\SSOOIDC\SSOOIDCClient;
 use GuzzleHttp\Promise;
 /**
  * Token that comes from the SSO provider
  */
 class SsoTokenProvider implements RefreshableTokenProviderInterface
+{
+    use ParsesIniTrait;
+    const ENV_PROFILE = 'AWS_PROFILE';
-    use ParsesIniTrait;
+    const REFRESH_WINDOW_IN_SECS = 300;
+    const REFRESH_ATTEMPT_WINDOW_IN_SECS = 30;
+    /** @var string $profileName */
+    private $profileName;
-    const ENV_PROFILE = 'AWS_PROFILE';
+    /** @var string $configFilePath */
+    private $configFilePath;
+    /** @var SSOOIDCClient $ssoOidcClient */
     private $ssoOidcClient;
     private $ssoProfileName;
-    private $filename;
+    /** @var string $ssoSessionName */
-    private $ssoOidcClient;
+    private $ssoSessionName;
     /**
-    /**
+     * Constructs a new SsoTokenProvider object, which will fetch a token from an authenticated SSO profile
-     * Constructs a new SsoTokenProvider object, which will fetch a token from an authenticated SSO profile
+     * @param string $profileName The name of the profile that contains the sso_session key
-     * @param string $ssoProfileName The name of the profile that contains the sso_session key
+     * @param string|null $configFilePath Name of the config file to sso profile from
-     * @param int    $filename Name of the config file to sso profile from
+     * @param SSOOIDCClient|null $ssoOidcClient The sso client for generating a new token
+     */
-     */
+    public function __construct(
-    public function __construct($ssoProfileName, $filename = null, $ssoOidcClient = null) {
+        $profileName,
-        $profileName = getenv(self::ENV_PROFILE) ?: 'default';
+        $configFilePath = null,
-        $this->ssoProfileName = !empty($ssoProfileName) ? $ssoProfileName : $profileName;
+        ?SSOOIDCClient $ssoOidcClient = null
+    ) {
+        $this->profileName = $this->resolveProfileName($profileName);
+        $this->configFilePath =  $this->resolveConfigFile($configFilePath);
+        $this->ssoOidcClient = $ssoOidcClient;
+    }
+    /**
+     * This method resolves the profile name to be used. The
+     * profile provided as instantiation argument takes precedence,
+     * followed by AWS_PROFILE env variable, otherwise `default` is
+     * used.
+     *
+     * @param string|null $argProfileName The profile provided as argument.
+     *
+     * @return string
+     */
+    private function resolveProfileName($argProfileName): string
+    {
+        if (empty($argProfileName)) {
+            return getenv(self::ENV_PROFILE) ?: 'default';
+        } else {
+            return $argProfileName;
+        }
+    }
+    /**
+     * This method resolves the config file from where the profiles
+     * are going to be loaded from. If $argFileName is not empty then,
+     * it takes precedence over the default config file location.
+     *
+     * @param string|null $argConfigFilePath The config path provided as argument.
+     *
+     * @return string
+     */
+    private function resolveConfigFile($argConfigFilePath): string
+    {
+        if (empty($argConfigFilePath)) {
-        $this->filename =  !empty($filename)
+            return self::getHomeDir() . '/.aws/config';
-            ? $filename :
+        } else{
-            self::getHomeDir() . '/.aws/config';
+            return $argConfigFilePath;
-        $this->ssoOidcClient = $ssoOidcClient;
+        }
+    }
-    /*
+    /**
-     * Loads cached sso credentials
+     *  Loads cached sso credentials.
      *
-     * @return PromiseInterface
+     * @return Promise\PromiseInterface
      */
+    public function __invoke()
-    public function __invoke()
+    {
-    {
+        return Promise\Coroutine::of(function () {
-        return Promise\Coroutine::of(function () {
+            if (empty($this->configFilePath) || !is_readable($this->configFilePath)) {
-            if (!@is_readable($this->filename)) {
-                throw new TokenException("Cannot read profiles from $this->filename");
-            }
-            $profiles = self::loadProfiles($this->filename);
-            if (!isset($profiles[$this->ssoProfileName])) {
-                throw new TokenException("Profile {$this->ssoProfileName} does not exist in {$this->filename}.");
                 throw new TokenException("Cannot read profiles from {$this->configFilePath}");
-            $ssoProfile = $profiles[$this->ssoProfileName];
+            }
-            if (empty($ssoProfile['sso_session'])) {
-                throw new TokenException(
+            $profiles = self::loadProfiles($this->configFilePath);
-                    "Profile {$this->ssoProfileName} in {$this->filename} must contain an sso_session."
+            if (!isset($profiles[$this->profileName])) {
-                );
+                throw new TokenException("Profile `{$this->profileName}` does not exist in {$this->configFilePath}.");
+            }
-            $sessionProfileName = 'sso-session ' . $ssoProfile['sso_session'];
+            $profile = $profiles[$this->profileName];
-            if (empty($profiles[$sessionProfileName])) {
+            if (empty($profile['sso_session'])) {
                 throw new TokenException(
-                    "Profile {$this->ssoProfileName} does not exist in {$this->filename}"
+                    "Profile `{$this->profileName}` in {$this->configFilePath} must contain an sso_session."
                 );
-            }
+            }
             $sessionProfileData = $profiles[$sessionProfileName];
-            if (empty($sessionProfileData['sso_start_url'])
+            $ssoSessionName = $profile['sso_session'];
+            $this->ssoSessionName = $ssoSessionName;
+            $profileSsoSession = 'sso-session ' . $ssoSessionName;
-                || empty($sessionProfileData['sso_region'])
+            if (empty($profiles[$profileSsoSession])) {
-            ) {
+                throw new TokenException(
+                    "Sso session `{$ssoSessionName}` does not exist in {$this->configFilePath}"
+                );
                 throw new TokenException(
-                    "Profile {$this->ssoProfileName} in {$this->filename} must contain the following keys: "
+            $sessionProfileData = $profiles[$profileSsoSession];
+            foreach (['sso_start_url', 'sso_region'] as $requiredProp) {
-                    . "sso_start_url and sso_region."
+                if (empty($sessionProfileData[$requiredProp])) {
-                );
+                    throw new TokenException(
-            }
+                        "Sso session `{$ssoSessionName}` in {$this->configFilePath} is missing the required property `{$requiredProp}`"
+                    );
-            $tokenLocation = self::getTokenLocation($ssoProfile['sso_session']);
-            if (!@is_readable($tokenLocation)) {
-                throw new TokenException("Unable to read token file at $tokenLocation");
+                }
-            }
-            $tokenData = $this->getTokenData($tokenLocation);
-            $this->validateTokenData($tokenLocation, $tokenData);
-            yield new SsoToken(
+            }
+            $tokenData = $this->refresh();
-                $tokenData['accessToken'],
+            $tokenLocation = self::getTokenLocation($ssoSessionName);
-                $tokenData['expiresAt'],
+            $this->validateTokenData($tokenLocation, $tokenData);
-                isset($tokenData['refreshToken']) ? $tokenData['refreshToken'] : null,
+            $ssoToken = SsoToken::fromTokenData($tokenData);
+            // To make sure the token is not expired
+            if ($ssoToken->isExpired()) {
-                isset($tokenData['clientId']) ? $tokenData['clientId'] : null,
+                throw new TokenException("Cached SSO token returned an expired token.");
+            }
-                isset($tokenData['clientSecret']) ? $tokenData['clientSecret'] : null,
+            yield $ssoToken;
-                isset($tokenData['registrationExpiresAt']) ? $tokenData['registrationExpiresAt'] : null,
+        });
-                isset($tokenData['region']) ? $tokenData['region'] : null,
+    }
-                isset($tokenData['startUrl']) ? $tokenData['startUrl'] : null
-            );
-        });
+    /**
-    }
+     * This method attempt to refresh when possible.
-    /**
+     * If a refresh is not possible then it just returns
-     * Refreshes the token
-     * @return mixed|null
+     * the current token data as it is.
-     */
+     *
+     * @return array
-    public function refresh() {
+     * @throws TokenException
-        try {
+     */
-            //try to reload from disk
+    public function refresh(): array
-            $token = $this();
+    {
-            if (
+        $tokenLocation = self::getTokenLocation($this->ssoSessionName);
+        $tokenData = $this->getTokenData($tokenLocation);
-                $token instanceof SsoToken
+        if (!$this->shouldAttemptRefresh()) {
-                && !$token->shouldAttemptRefresh()
+            return $tokenData;
-            ) {
                 return $token;
-            }
-        } finally {
-            //if reload from disk fails, try refreshing
+        if (null === $this->ssoOidcClient) {
-            $tokenLocation = self::getTokenLocation($this->ssoProfileName);
+            throw new TokenException(
-            $tokenData = $this->getTokenData($tokenLocation);
-            if (
-                empty($this->ssoOidcClient)
-                || empty($tokenData['startUrl'])
-            ) {
-                throw new TokenException(
+                "Cannot refresh this token without an 'ssooidcClient' "
-                    "Cannot refresh this token without an 'ssooidcClient' "
-                    . "and a 'start_url'"
-                );
-            }
-            $response = $this->ssoOidcClient->createToken([
-                'clientId' => $tokenData['clientId'],
-                'clientSecret' => $tokenData['clientSecret'],
-                'grantType' => 'refresh_token', // REQUIRED
-                'refreshToken' => $tokenData['refreshToken'],
-            ]);
-            if ($response['@metadata']['statusCode'] == 200) {
-                $tokenData['accessToken'] = $response['accessToken'];
-                $tokenData['expiresAt'] = time () + $response['expiresIn'];
-                $tokenData['refreshToken'] = $response['refreshToken'];
-                $token = new SsoToken(
+            );
-                    $tokenData['accessToken'],
+        }
+        foreach (['clientId', 'clientSecret', 'refreshToken'] as $requiredProp) {
+            if (empty($tokenData[$requiredProp])) {
-                    $tokenData['expiresAt'],
+                throw new TokenException(
+                    "Cannot refresh this token without `{$requiredProp}` being set"
+                );
                     $tokenData['refreshToken'],
+        }
+        $response = $this->ssoOidcClient->createToken([
+            'clientId' => $tokenData['clientId'],
+            'clientSecret' => $tokenData['clientSecret'],
+            'grantType' => 'refresh_token', // REQUIRED
-                    isset($tokenData['clientId']) ? $tokenData['clientId'] : null,
+            'refreshToken' => $tokenData['refreshToken'],
+        ]);
+        if ($response['@metadata']['statusCode'] !== 200) {
+            throw new TokenException('Unable to create a new sso token');
+        }
+        $tokenData['accessToken'] = $response['accessToken'];
+        $tokenData['expiresAt'] = time () + $response['expiresIn'];
+        $tokenData['refreshToken'] = $response['refreshToken'];
-                    isset($tokenData['clientSecret']) ? $tokenData['clientSecret'] : null,
-                    isset($tokenData['registrationExpiresAt']) ? $tokenData['registrationExpiresAt'] : null,
+        return $this->writeNewTokenDataToDisk($tokenData, $tokenLocation);
-                    isset($tokenData['region']) ? $tokenData['region'] : null,
+    }
                     isset($tokenData['startUrl']) ? $tokenData['startUrl'] : null                );
+    /**
+     * This method checks for whether a token refresh should happen.
+     * It will return true just if more than 30 seconds has happened
+     * since last refresh, and if the expiration is within a 5-minutes
+     * window from the current time.
+     *
+     * @return bool
+     */
+    public function shouldAttemptRefresh(): bool
+    {
+        $tokenLocation = self::getTokenLocation($this->ssoSessionName);
+        $tokenData = $this->getTokenData($tokenLocation);
+        if (empty($tokenData['expiresAt'])) {
+            throw new TokenException(
-                $this->writeNewTokenDataToDisk($tokenData, $tokenLocation);
+                "Token file at $tokenLocation must contain an expiration date"
             );
                 return $token;
         $tokenExpiresAt = strtotime($tokenData['expiresAt']);
-    }
+        $lastRefreshAt = filemtime($tokenLocation);
         $now = \time();
     public function shouldAttemptRefresh()
         // If last refresh happened after 30 seconds
-        $tokenLocation = self::getTokenLocation($this->ssoProfileName);
+        // and if the token expiration is in the 5 minutes window
-        $tokenData = $this->getTokenData($tokenLocation);
+        return ($now - $lastRefreshAt) > self::REFRESH_ATTEMPT_WINDOW_IN_SECS
     /**
      * @param $tokenLocation
      * @return array
      */
-    function getTokenData($tokenLocation)
+    function getTokenData($tokenLocation): array
+    {
+        if (empty($tokenLocation) || !is_readable($tokenLocation)) {
+            throw new TokenException("Unable to read token file at {$tokenLocation}");
+        }
         return json_decode(file_get_contents($tokenLocation), true);
+    }
     /**
      * @param $tokenData
      * @param $tokenLocation
      * @return mixed
      */
     private function validateTokenData($tokenLocation, $tokenData)
+    {
-    {
+        foreach (['accessToken', 'expiresAt'] as $requiredProp) {
-        if (empty($tokenData['accessToken']) || empty($tokenData['expiresAt'])) {
+            if (empty($tokenData[$requiredProp])) {
+                throw new TokenException(
-            throw new TokenException(
+                    "Token file at {$tokenLocation} must contain the required property `{$requiredProp}`"
-                "Token file at {$tokenLocation} must contain an access token and an expiration"
+                );
             );
+        }
         $expiration = strtotime($tokenData['expiresAt']);
         if ($expiration === false) {
             throw new TokenException("Cached SSO token returned an invalid expiration");
+        } elseif ($expiration < time()) {
-        } elseif ($expiration < time()) {
+            throw new TokenException("Cached SSO token returned an expired token");
             throw new TokenException("Cached SSO token returned an expired token");
         return $tokenData;
+    }
+    /**
-    /**
+     * @param array $tokenData
-     * @param array $tokenData
+     * @param string $tokenLocation
      * @param string $tokenLocation
-     * @return void
+     * @return array
      */
-    private function writeNewTokenDataToDisk(array $tokenData, $tokenLocation)
+    private function writeNewTokenDataToDisk(array $tokenData, $tokenLocation): array
+    {
         $tokenData['expiresAt'] = gmdate(
+            'Y-m-d\TH:i:s\Z',
+            $tokenData['expiresAt']
-            'Y-m-d\TH:i:s\Z',
+        );
-            $tokenData['expiresAt']
+        file_put_contents($tokenLocation, json_encode(array_filter($tokenData)));

Proyectos de Subversion Moodle

(root)/lib/aws-sdk/src/Token/SsoTokenProvider.php – Rev 1 → 1441