160 lines
5.0 KiB
PHP
160 lines
5.0 KiB
PHP
<?php
|
|
namespace Aws\Auth;
|
|
|
|
use Aws\Api\Service;
|
|
use Aws\Auth\Exception\UnresolvedAuthSchemeException;
|
|
use Aws\CommandInterface;
|
|
use Closure;
|
|
use GuzzleHttp\Promise\Promise;
|
|
|
|
/**
|
|
* Handles auth scheme resolution. If a service models and auth scheme using
|
|
* the `auth` trait and the operation or metadata levels, this middleware will
|
|
* attempt to select the first compatible auth scheme it encounters and apply its
|
|
* signature version to the command's `@context` property bag.
|
|
*
|
|
* IMPORTANT: this middleware must be added to the "build" step.
|
|
*
|
|
* @internal
|
|
*/
|
|
class AuthSelectionMiddleware
|
|
{
|
|
/** @var callable */
|
|
private $nextHandler;
|
|
|
|
/** @var AuthSchemeResolverInterface */
|
|
private $authResolver;
|
|
|
|
/** @var Service */
|
|
private $api;
|
|
|
|
/** @var array|null */
|
|
private ?array $configuredAuthSchemes;
|
|
|
|
/**
|
|
* Create a middleware wrapper function
|
|
*
|
|
* @param AuthSchemeResolverInterface $authResolver
|
|
* @param Service $api
|
|
* @param array|null $configuredAuthSchemes
|
|
*
|
|
* @return Closure
|
|
*/
|
|
public static function wrap(
|
|
AuthSchemeResolverInterface $authResolver,
|
|
Service $api,
|
|
?array $configuredAuthSchemes
|
|
): Closure
|
|
{
|
|
return function (callable $handler) use (
|
|
$authResolver,
|
|
$api,
|
|
$configuredAuthSchemes
|
|
) {
|
|
return new self($handler, $authResolver, $api, $configuredAuthSchemes);
|
|
};
|
|
}
|
|
|
|
/**
|
|
* @param callable $nextHandler
|
|
* @param AuthSchemeResolverInterface $authResolver
|
|
* @param Service $api
|
|
* @param array|null $configuredAuthSchemes
|
|
*/
|
|
public function __construct(
|
|
callable $nextHandler,
|
|
AuthSchemeResolverInterface $authResolver,
|
|
Service $api,
|
|
?array $configuredAuthSchemes = null
|
|
)
|
|
{
|
|
$this->nextHandler = $nextHandler;
|
|
$this->authResolver = $authResolver;
|
|
$this->api = $api;
|
|
$this->configuredAuthSchemes = $configuredAuthSchemes;
|
|
}
|
|
|
|
/**
|
|
* @param CommandInterface $command
|
|
*
|
|
* @return Promise
|
|
*/
|
|
public function __invoke(CommandInterface $command)
|
|
{
|
|
$nextHandler = $this->nextHandler;
|
|
$serviceAuth = $this->api->getMetadata('auth') ?: [];
|
|
$operation = $this->api->getOperation($command->getName());
|
|
$operationAuth = $operation['auth'] ?? [];
|
|
$unsignedPayload = $operation['unsignedpayload'] ?? false;
|
|
$resolvableAuth = $operationAuth ?: $serviceAuth;
|
|
|
|
if (!empty($resolvableAuth)) {
|
|
if (isset($command['@context']['auth_scheme_resolver'])
|
|
&& $command['@context']['auth_scheme_resolver'] instanceof AuthSchemeResolverInterface
|
|
){
|
|
$resolver = $command['@context']['auth_scheme_resolver'];
|
|
} else {
|
|
$resolver = $this->authResolver;
|
|
}
|
|
|
|
try {
|
|
$authSchemeList = $this->buildAuthSchemeList(
|
|
$resolvableAuth,
|
|
$command['@context']['auth_scheme_preference']
|
|
?? null,
|
|
);
|
|
$selectedAuthScheme = $resolver->selectAuthScheme(
|
|
$authSchemeList,
|
|
['unsigned_payload' => $unsignedPayload]
|
|
);
|
|
|
|
if (!empty($selectedAuthScheme)) {
|
|
$command['@context']['signature_version'] = $selectedAuthScheme;
|
|
}
|
|
} catch (UnresolvedAuthSchemeException $ignored) {
|
|
// There was an error resolving auth
|
|
// The signature version will fall back to the modeled `signatureVersion`
|
|
// or auth schemes resolved during endpoint resolution
|
|
}
|
|
}
|
|
|
|
return $nextHandler($command);
|
|
}
|
|
|
|
/**
|
|
* Prioritizes auth schemes according to user preference order.
|
|
* User-preferred schemes that are available will be placed first,
|
|
* followed by remaining available schemes.
|
|
*
|
|
* @param array $resolvableAuthSchemeList Available auth schemes
|
|
* @param array|null $commandConfiguredAuthSchemes Command-level preferences (overrides config)
|
|
*
|
|
* @return array Reordered auth schemes with user preferences first
|
|
*/
|
|
private function buildAuthSchemeList(
|
|
array $resolvableAuthSchemeList,
|
|
?array $commandConfiguredAuthSchemes,
|
|
): array
|
|
{
|
|
$userConfiguredAuthSchemes = $commandConfiguredAuthSchemes
|
|
?? $this->configuredAuthSchemes;
|
|
|
|
if (empty($userConfiguredAuthSchemes)) {
|
|
return $resolvableAuthSchemeList;
|
|
}
|
|
|
|
$prioritizedAuthSchemes = array_intersect(
|
|
$userConfiguredAuthSchemes,
|
|
$resolvableAuthSchemeList
|
|
);
|
|
|
|
// Get remaining schemes not in user preferences
|
|
$remainingAuthSchemes = array_diff(
|
|
$resolvableAuthSchemeList,
|
|
$prioritizedAuthSchemes
|
|
);
|
|
|
|
return array_merge($prioritizedAuthSchemes, $remainingAuthSchemes);
|
|
}
|
|
}
|