<?php
namespace Aws\Credentials;
use Aws\Exception\CredentialsException;
use GuzzleHttp\Exception\ConnectException;
use GuzzleHttp\Exception\GuzzleException;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Promise;
use GuzzleHttp\Promise\PromiseInterface;
use Psr\Http\Message\ResponseInterface;
/**
* Credential provider that fetches container credentials with GET request.
* container environment variables are used in constructing request URI.
*/
class EcsCredentialProvider
{
const SERVER_URI = 'http://169.254.170.2';
const ENV_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
const ENV_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
const ENV_AUTH_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
const ENV_AUTH_TOKEN_FILE = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE";
const ENV_TIMEOUT = 'AWS_METADATA_SERVICE_TIMEOUT';
const EKS_SERVER_HOST_IPV4 = '169.254.170.23';
const EKS_SERVER_HOST_IPV6 = 'fd00:ec2::23';
const ENV_RETRIES = 'AWS_METADATA_SERVICE_NUM_ATTEMPTS';
const DEFAULT_ENV_TIMEOUT = 1.0;
const DEFAULT_ENV_RETRIES = 3;
/** @var callable */
private $client;
/** @var float|mixed */
private $timeout;
/** @var int */
private $retries;
/** @var int */
private $attempts;
/**
* The constructor accepts following options:
* - timeout: (optional) Connection timeout, in seconds, default 1.0
* - retries: Optional number of retries to be attempted, default 3.
* - client: An EcsClient to make request from
*
* @param array $config Configuration options
*/
public function __construct(array $config = [])
{
$this->timeout = (float) isset($config['timeout'])
? $config['timeout']
: (getenv(self::ENV_TIMEOUT) ?: self::DEFAULT_ENV_TIMEOUT);
$this->retries = (int) isset($config['retries'])
? $config['retries']
: ((int) getenv(self::ENV_RETRIES) ?: self::DEFAULT_ENV_RETRIES);
$this->client = $config['client'] ?? \Aws\default_http_handler();
}
/**
* Load container credentials.
*
* @return PromiseInterface
* @throws GuzzleException
*/
public function __invoke()
{
$this->attempts = 0;
$uri = $this->getEcsUri();
if ($this->isCompatibleUri($uri)) {
return Promise\Coroutine::of(function () {
$client = $this->client;
$request = new Request('GET', $this->getEcsUri());
$headers = $this->getHeadersForAuthToken();
$credentials = null;
while ($credentials === null) {
$credentials = (yield $client(
$request,
[
'timeout' => $this->timeout,
'proxy' => '',
'headers' => $headers,
]
)->then(function (ResponseInterface $response) {
$result = $this->decodeResult((string)$response->getBody());
return new Credentials(
$result['AccessKeyId'],
$result['SecretAccessKey'],
$result['Token'],
strtotime($result['Expiration']),
$result['AccountId'] ?? null
);
})->otherwise(function ($reason) {
$reason = is_array($reason) ? $reason['exception'] : $reason;
$isRetryable = $reason instanceof ConnectException;
if ($isRetryable && ($this->attempts < $this->retries)) {
sleep((int)pow(1.2, $this->attempts));
} else {
$msg = $reason->getMessage();
throw new CredentialsException(
sprintf('Error retrieving credentials from container metadata after attempt %d/%d (%s)', $this->attempts, $this->retries, $msg)
);
}
}));
$this->attempts++;
}
yield $credentials;
});
}
throw new CredentialsException("Uri '{$uri}' contains an unsupported host.");
}
/**
* Returns the number of attempts that have been done.
*
* @return int
*/
public function getAttempts(): int
{
return $this->attempts;
}
/**
* Retrieves authorization token.
*
* @return array|false|string
*/
private function getEcsAuthToken()
{
if (!empty($path = getenv(self::ENV_AUTH_TOKEN_FILE))) {
$token = @file_get_contents($path);
if (false === $token) {
clearstatcache(true, dirname($path) . DIRECTORY_SEPARATOR . @readlink($path));
clearstatcache(true, dirname($path) . DIRECTORY_SEPARATOR . dirname(@readlink($path)));
clearstatcache(true, $path);
}
if (!is_readable($path)) {
throw new CredentialsException("Failed to read authorization token from '{$path}': no such file or directory.");
}
$token = @file_get_contents($path);
if (empty($token)) {
throw new CredentialsException("Invalid authorization token read from `$path`. Token file is empty!");
}
return $token;
}
return getenv(self::ENV_AUTH_TOKEN);
}
/**
* Provides headers for credential metadata request.
*
* @return array|array[]|string[]
*/
private function getHeadersForAuthToken()
{
$authToken = self::getEcsAuthToken();
$headers = [];
if (!empty($authToken))
$headers = ['Authorization' => $authToken];
return $headers;
}
/** @deprecated */
public function setHeaderForAuthToken()
{
$authToken = self::getEcsAuthToken();
$headers = [];
if (!empty($authToken))
$headers = ['Authorization' => $authToken];
return $headers;
}
/**
* Fetch container metadata URI from container environment variable.
*
* @return string Returns container metadata URI
*/
private function getEcsUri()
{
$credsUri = getenv(self::ENV_URI);
if ($credsUri === false) {
$credsUri = $_SERVER[self::ENV_URI] ?? '';
}
if (empty($credsUri)){
$credFullUri = getenv(self::ENV_FULL_URI);
if ($credFullUri === false){
$credFullUri = $_SERVER[self::ENV_FULL_URI] ?? '';
}
if (!empty($credFullUri))
return $credFullUri;
}
return self::SERVER_URI . $credsUri;
}
private function decodeResult($response)
{
$result = json_decode($response, true);
if (!isset($result['AccessKeyId'])) {
throw new CredentialsException('Unexpected container metadata credentials value');
}
return $result;
}
/**
* Determines whether or not a given request URI is a valid
* container credential request URI.
*
* @param $uri
*
* @return bool
*/
private function isCompatibleUri($uri)
{
$parsed = parse_url($uri);
if ($parsed['scheme'] !== 'https') {
$host = trim($parsed['host'], '[]');
$ecsHost = parse_url(self::SERVER_URI)['host'];
$eksHost = self::EKS_SERVER_HOST_IPV4;
if ($host !== $ecsHost
&& $host !== $eksHost
&& $host !== self::EKS_SERVER_HOST_IPV6
&& !CredentialsUtils::isLoopBackAddress(gethostbyname($host))
) {
return false;
}
}
return true;
}
}