ホーム エクスプローラ ヘルプ
登録 サインイン
Kirin
/
shenying
1
0
フォーク 0
ファイル 課題 0 プルリクエスト 0 Wiki
ツリー: 052acc2e94
ブランチ タグ
shenying
/
vendor
/
async-aws
/
core
/
src
/
Credentials
/
InstanceProvider.php

InstanceProvider.php 5.1 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace AsyncAws\Core\Credentials;
    6. 

  6. 

  7. use AsyncAws\Core\Configuration;
    8. 

  8. use Psr\Log\LoggerInterface;
    9. 

  9. use Psr\Log\NullLogger;
    10. 

  10. use Symfony\Component\HttpClient\Exception\JsonException;
    11. 

  11. use Symfony\Component\HttpClient\Exception\TransportException;
    12. 

  12. use Symfony\Component\HttpClient\HttpClient;
    13. 

  13. use Symfony\Contracts\HttpClient\Exception\DecodingExceptionInterface;
    14. 

  14. use Symfony\Contracts\HttpClient\Exception\HttpExceptionInterface;
    15. 

  15. use Symfony\Contracts\HttpClient\Exception\TransportExceptionInterface;
    16. 

  16. use Symfony\Contracts\HttpClient\HttpClientInterface;
    17. 

  17. use Symfony\Contracts\HttpClient\ResponseInterface;
    18. 

  18. 

  19. /**
    20. 

  20.  * Provides Credentials from the running EC2 metadata server using the IMDSv1 and IMDSv2.
    21. 

  21.  *
    22. 

  22.  * @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
    23. 

  23.  *
    24. 

  24.  * @author Jérémy Derussé <jeremy@derusse.com>
    25. 

  25.  */
    26. 

  26. final class InstanceProvider implements CredentialProvider
    27. 

  27. {
    28. 

  28.     private const TOKEN_ENDPOINT = 'http://169.254.169.254/latest/api/token';
    29. 

  29.     private const METADATA_ENDPOINT = 'http://169.254.169.254/latest/meta-data/iam/security-credentials';
    30. 

  30. 

  31.     private $logger;
    32. 

  32. 

  33.     private $httpClient;
    34. 

  34. 

  35.     private $timeout;
    36. 

  36. 

  37.     private $tokenTtl;
    38. 

  38. 

  39.     public function __construct(?HttpClientInterface $httpClient = null, ?LoggerInterface $logger = null, float $timeout = 1.0, int $tokenTtl = 21600)
    40. 

  40.     {
    41. 

  41.         $this->logger = $logger ?? new NullLogger();
    42. 

  42.         $this->httpClient = $httpClient ?? HttpClient::create();
    43. 

  43.         $this->timeout = $timeout;
    44. 

  44.         $this->tokenTtl = $tokenTtl;
    45. 

  45.     }
    46. 

  46. 

  47.     public function getCredentials(Configuration $configuration): ?Credentials
    48. 

  48.     {
    49. 

  49.         $token = $this->getToken();
    50. 

  50.         $headers = [];
    51. 

  51. 

  52.         if (null !== $token) {
    53. 

  53.             $headers = ['X-aws-ec2-metadata-token' => $token];
    54. 

  54.         }
    55. 

  55. 

  56.         try {
    57. 

  57.             // Fetch current Profile
    58. 

  58.             $response = $this->httpClient->request('GET', self::METADATA_ENDPOINT, [
    59. 

  59.                 'timeout' => $this->timeout,
    60. 

  60.                 'headers' => $headers,
    61. 

  61.             ]);
    62. 

  62.             $profile = $response->getContent();
    63. 

  63. 

  64.             // Fetch credentials from profile
    65. 

  65.             $response = $this->httpClient->request('GET', self::METADATA_ENDPOINT . '/' . $profile, [
    66. 

  66.                 'timeout' => $this->timeout,
    67. 

  67.                 'headers' => $headers,
    68. 

  68.             ]);
    69. 

  69.             $result = $this->toArray($response);
    70. 

  70. 

  71.             if ('Success' !== $result['Code']) {
    72. 

  72.                 $this->logger->info('Unexpected instance profile.', ['response_code' => $result['Code']]);
    73. 

  73. 

  74.                 return null;
    75. 

  75.             }
    76. 

  76.         } catch (DecodingExceptionInterface $e) {
    77. 

  77.             $this->logger->info('Failed to decode Credentials.', ['exception' => $e]);
    78. 

  78. 

  79.             return null;
    80. 

  80.         } catch (TransportExceptionInterface|HttpExceptionInterface $e) {
    81. 

  81.             $this->logger->info('Failed to fetch Profile from Instance Metadata.', ['exception' => $e]);
    82. 

  82. 

  83.             return null;
    84. 

  84.         }
    85. 

  85. 

  86.         if (null !== $date = $response->getHeaders(false)['date'][0] ?? null) {
    87. 

  87.             $date = new \DateTimeImmutable($date);
    88. 

  88.         }
    89. 

  89. 

  90.         return new Credentials(
    91. 

  91.             $result['AccessKeyId'],
    92. 

  92.             $result['SecretAccessKey'],
    93. 

  93.             $result['Token'],
    94. 

  94.             Credentials::adjustExpireDate(new \DateTimeImmutable($result['Expiration']), $date)
    95. 

  95.         );
    96. 

  96.     }
    97. 

  97. 

  98.     /**
    99. 

  99.      * Copy of Symfony\Component\HttpClient\Response::toArray without assertion on Content-Type header.
    100. 

  100.      */
    101. 

  101.     private function toArray(ResponseInterface $response): array
    102. 

  102.     {
    103. 

  103.         if ('' === $content = $response->getContent(true)) {
    104. 

  104.             throw new TransportException('Response body is empty.');
    105. 

  105.         }
    106. 

  106. 

  107.         try {
    108. 

  108.             $content = json_decode($content, true, 512, \JSON_BIGINT_AS_STRING | (\PHP_VERSION_ID >= 70300 ? \JSON_THROW_ON_ERROR : 0));
    109. 

  109.         } catch (\JsonException $e) {
    110. 

  110.             /** @psalm-suppress all */
    111. 

  111.             throw new JsonException(sprintf('%s for "%s".', $e->getMessage(), $response->getInfo('url')), $e->getCode());
    112. 

  112.         }
    113. 

  113. 

  114.         if (\PHP_VERSION_ID < 70300 && \JSON_ERROR_NONE !== json_last_error()) {
    115. 

  115.             /** @psalm-suppress InvalidArgument */
    116. 

  116.             throw new JsonException(sprintf('%s for "%s".', json_last_error_msg(), $response->getInfo('url')), json_last_error());
    117. 

  117.         }
    118. 

  118. 

  119.         if (!\is_array($content)) {
    120. 

  120.             /** @psalm-suppress InvalidArgument */
    121. 

  121.             throw new JsonException(sprintf('JSON content was expected to decode to an array, %s returned for "%s".', \gettype($content), $response->getInfo('url')));
    122. 

  122.         }
    123. 

  123. 

  124.         return $content;
    125. 

  125.     }
    126. 

  126. 

  127.     private function getToken(): ?string
    128. 

  128.     {
    129. 

  129.         try {
    130. 

  130.             $response = $this->httpClient->request('PUT', self::TOKEN_ENDPOINT,
    131. 

  131.                 [
    132. 

  132.                     'timeout' => $this->timeout,
    133. 

  133.                     'headers' => ['X-aws-ec2-metadata-token-ttl-seconds' => $this->tokenTtl],
    134. 

  134.                 ]
    135. 

  135.             );
    136. 

  136. 

  137.             return $response->getContent();
    138. 

  138.         } catch (TransportExceptionInterface|HttpExceptionInterface $e) {
    139. 

  139.             $this->logger->info('Failed to fetch metadata token for IMDSv2, fallback to IMDSv1.', ['exception' => $e]);
    140. 

  140. 

  141.             return null;
    142. 

  142.         }
    143. 

  143.     }
    144. 

  144. }
    145.