Diffstat (limited to 'vendor/github.com/aws/aws-sdk-go/aws/session/session.go')
-rw-r--r-- | vendor/github.com/aws/aws-sdk-go/aws/session/session.go | 226 |
1 files changed, 58 insertions, 168 deletions
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go index be4b5f0..3a28da5 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go | |||
@@ -8,19 +8,17 @@ import ( | |||
8 | "io/ioutil" | 8 | "io/ioutil" |
9 | "net/http" | 9 | "net/http" |
10 | "os" | 10 | "os" |
11 | "time" | ||
11 | 12 | ||
12 | "github.com/aws/aws-sdk-go/aws" | 13 | "github.com/aws/aws-sdk-go/aws" |
13 | "github.com/aws/aws-sdk-go/aws/awserr" | 14 | "github.com/aws/aws-sdk-go/aws/awserr" |
14 | "github.com/aws/aws-sdk-go/aws/client" | 15 | "github.com/aws/aws-sdk-go/aws/client" |
15 | "github.com/aws/aws-sdk-go/aws/corehandlers" | 16 | "github.com/aws/aws-sdk-go/aws/corehandlers" |
16 | "github.com/aws/aws-sdk-go/aws/credentials" | 17 | "github.com/aws/aws-sdk-go/aws/credentials" |
17 | "github.com/aws/aws-sdk-go/aws/credentials/processcreds" | ||
18 | "github.com/aws/aws-sdk-go/aws/credentials/stscreds" | ||
19 | "github.com/aws/aws-sdk-go/aws/csm" | 18 | "github.com/aws/aws-sdk-go/aws/csm" |
20 | "github.com/aws/aws-sdk-go/aws/defaults" | 19 | "github.com/aws/aws-sdk-go/aws/defaults" |
21 | "github.com/aws/aws-sdk-go/aws/endpoints" | 20 | "github.com/aws/aws-sdk-go/aws/endpoints" |
22 | "github.com/aws/aws-sdk-go/aws/request" | 21 | "github.com/aws/aws-sdk-go/aws/request" |
23 | "github.com/aws/aws-sdk-go/internal/shareddefaults" | ||
24 | ) | 22 | ) |
25 | 23 | ||
26 | const ( | 24 | const ( |
@@ -107,7 +105,15 @@ func New(cfgs ...*aws.Config) *Session { | |||
107 | 105 | ||
108 | s := deprecatedNewSession(cfgs...) | 106 | s := deprecatedNewSession(cfgs...) |
109 | if envCfg.CSMEnabled { | 107 | if envCfg.CSMEnabled { |
110 | enableCSM(&s.Handlers, envCfg.CSMClientID, envCfg.CSMPort, s.Config.Logger) | 108 | err := enableCSM(&s.Handlers, envCfg.CSMClientID, |
109 | envCfg.CSMHost, envCfg.CSMPort, s.Config.Logger) | ||
110 | if err != nil { | ||
111 | err = fmt.Errorf("failed to enable CSM, %v", err) | ||
112 | s.Config.Logger.Log("ERROR:", err.Error()) | ||
113 | s.Handlers.Validate.PushBack(func(r *request.Request) { | ||
114 | r.Error = err | ||
115 | }) | ||
116 | } | ||
111 | } | 117 | } |
112 | 118 | ||
113 | return s | 119 | return s |
@@ -210,6 +216,12 @@ type Options struct { | |||
210 | // the config enables assume role wit MFA via the mfa_serial field. | 216 | // the config enables assume role wit MFA via the mfa_serial field. |
211 | AssumeRoleTokenProvider func() (string, error) | 217 | AssumeRoleTokenProvider func() (string, error) |
212 | 218 | ||
219 | // When the SDK's shared config is configured to assume a role this option | ||
220 | // may be provided to set the expiry duration of the STS credentials. | ||
221 | // Defaults to 15 minutes if not set as documented in the | ||
222 | // stscreds.AssumeRoleProvider. | ||
223 | AssumeRoleDuration time.Duration | ||
224 | |||
213 | // Reader for a custom Credentials Authority (CA) bundle in PEM format that | 225 | // Reader for a custom Credentials Authority (CA) bundle in PEM format that |
214 | // the SDK will use instead of the default system's root CA bundle. Use this | 226 | // the SDK will use instead of the default system's root CA bundle. Use this |
215 | // only if you want to replace the CA bundle the SDK uses for TLS requests. | 227 | // only if you want to replace the CA bundle the SDK uses for TLS requests. |
@@ -224,6 +236,12 @@ type Options struct { | |||
224 | // to also enable this feature. CustomCABundle session option field has priority | 236 | // to also enable this feature. CustomCABundle session option field has priority |
225 | // over the AWS_CA_BUNDLE environment variable, and will be used if both are set. | 237 | // over the AWS_CA_BUNDLE environment variable, and will be used if both are set. |
226 | CustomCABundle io.Reader | 238 | CustomCABundle io.Reader |
239 | |||
240 | // The handlers that the session and all API clients will be created with. | ||
241 | // This must be a complete set of handlers. Use the defaults.Handlers() | ||
242 | // function to initialize this value before changing the handlers to be | ||
243 | // used by the SDK. | ||
244 | Handlers request.Handlers | ||
227 | } | 245 | } |
228 | 246 | ||
229 | // NewSessionWithOptions returns a new Session created from SDK defaults, config files, | 247 | // NewSessionWithOptions returns a new Session created from SDK defaults, config files, |
@@ -329,27 +347,36 @@ func deprecatedNewSession(cfgs ...*aws.Config) *Session { | |||
329 | return s | 347 | return s |
330 | } | 348 | } |
331 | 349 | ||
332 | func enableCSM(handlers *request.Handlers, clientID string, port string, logger aws.Logger) { | 350 | func enableCSM(handlers *request.Handlers, |
333 | logger.Log("Enabling CSM") | 351 | clientID, host, port string, |
334 | if len(port) == 0 { | 352 | logger aws.Logger, |
335 | port = csm.DefaultPort | 353 | ) error { |
354 | if logger != nil { | ||
355 | logger.Log("Enabling CSM") | ||
336 | } | 356 | } |
337 | 357 | ||
338 | r, err := csm.Start(clientID, "127.0.0.1:"+port) | 358 | r, err := csm.Start(clientID, csm.AddressWithDefaults(host, port)) |
339 | if err != nil { | 359 | if err != nil { |
340 | return | 360 | return err |
341 | } | 361 | } |
342 | r.InjectHandlers(handlers) | 362 | r.InjectHandlers(handlers) |
363 | |||
364 | return nil | ||
343 | } | 365 | } |
344 | 366 | ||
345 | func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session, error) { | 367 | func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session, error) { |
346 | cfg := defaults.Config() | 368 | cfg := defaults.Config() |
347 | handlers := defaults.Handlers() | 369 | |
370 | handlers := opts.Handlers | ||
371 | if handlers.IsEmpty() { | ||
372 | handlers = defaults.Handlers() | ||
373 | } | ||
348 | 374 | ||
349 | // Get a merged version of the user provided config to determine if | 375 | // Get a merged version of the user provided config to determine if |
350 | // credentials were. | 376 | // credentials were. |
351 | userCfg := &aws.Config{} | 377 | userCfg := &aws.Config{} |
352 | userCfg.MergeIn(cfgs...) | 378 | userCfg.MergeIn(cfgs...) |
379 | cfg.MergeIn(userCfg) | ||
353 | 380 | ||
354 | // Ordered config files will be loaded in with later files overwriting | 381 | // Ordered config files will be loaded in with later files overwriting |
355 | // previous config file values. | 382 | // previous config file values. |
@@ -366,9 +393,11 @@ func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session, | |||
366 | } | 393 | } |
367 | 394 | ||
368 | // Load additional config from file(s) | 395 | // Load additional config from file(s) |
369 | sharedCfg, err := loadSharedConfig(envCfg.Profile, cfgFiles) | 396 | sharedCfg, err := loadSharedConfig(envCfg.Profile, cfgFiles, envCfg.EnableSharedConfig) |
370 | if err != nil { | 397 | if err != nil { |
371 | return nil, err | 398 | if _, ok := err.(SharedConfigProfileNotExistsError); !ok { |
399 | return nil, err | ||
400 | } | ||
372 | } | 401 | } |
373 | 402 | ||
374 | if err := mergeConfigSrcs(cfg, userCfg, envCfg, sharedCfg, handlers, opts); err != nil { | 403 | if err := mergeConfigSrcs(cfg, userCfg, envCfg, sharedCfg, handlers, opts); err != nil { |
@@ -382,7 +411,11 @@ func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session, | |||
382 | 411 | ||
383 | initHandlers(s) | 412 | initHandlers(s) |
384 | if envCfg.CSMEnabled { | 413 | if envCfg.CSMEnabled { |
385 | enableCSM(&s.Handlers, envCfg.CSMClientID, envCfg.CSMPort, s.Config.Logger) | 414 | err := enableCSM(&s.Handlers, envCfg.CSMClientID, |
415 | envCfg.CSMHost, envCfg.CSMPort, s.Config.Logger) | ||
416 | if err != nil { | ||
417 | return nil, err | ||
418 | } | ||
386 | } | 419 | } |
387 | 420 | ||
388 | // Setup HTTP client with custom cert bundle if enabled | 421 | // Setup HTTP client with custom cert bundle if enabled |
@@ -443,9 +476,11 @@ func loadCertPool(r io.Reader) (*x509.CertPool, error) { | |||
443 | return p, nil | 476 | return p, nil |
444 | } | 477 | } |
445 | 478 | ||
446 | func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg sharedConfig, handlers request.Handlers, sessOpts Options) error { | 479 | func mergeConfigSrcs(cfg, userCfg *aws.Config, |
447 | // Merge in user provided configuration | 480 | envCfg envConfig, sharedCfg sharedConfig, |
448 | cfg.MergeIn(userCfg) | 481 | handlers request.Handlers, |
482 | sessOpts Options, | ||
483 | ) error { | ||
449 | 484 | ||
450 | // Region if not already set by user | 485 | // Region if not already set by user |
451 | if len(aws.StringValue(cfg.Region)) == 0 { | 486 | if len(aws.StringValue(cfg.Region)) == 0 { |
@@ -464,164 +499,19 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg share | |||
464 | } | 499 | } |
465 | } | 500 | } |
466 | 501 | ||
467 | // Configure credentials if not already set | 502 | // Configure credentials if not already set by the user when creating the |
503 | // Session. | ||
468 | if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil { | 504 | if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil { |
469 | 505 | creds, err := resolveCredentials(cfg, envCfg, sharedCfg, handlers, sessOpts) | |
470 | // inspect the profile to see if a credential source has been specified. | 506 | if err != nil { |
471 | if envCfg.EnableSharedConfig && len(sharedCfg.AssumeRole.CredentialSource) > 0 { | 507 | return err |
472 | |||
473 | // if both credential_source and source_profile have been set, return an error | ||
474 | // as this is undefined behavior. | ||
475 | if len(sharedCfg.AssumeRole.SourceProfile) > 0 { | ||
476 | return ErrSharedConfigSourceCollision | ||
477 | } | ||
478 | |||
479 | // valid credential source values | ||
480 | const ( | ||
481 | credSourceEc2Metadata = "Ec2InstanceMetadata" | ||
482 | credSourceEnvironment = "Environment" | ||
483 | credSourceECSContainer = "EcsContainer" | ||
484 | ) | ||
485 | |||
486 | switch sharedCfg.AssumeRole.CredentialSource { | ||
487 | case credSourceEc2Metadata: | ||
488 | cfgCp := *cfg | ||
489 | p := defaults.RemoteCredProvider(cfgCp, handlers) | ||
490 | cfgCp.Credentials = credentials.NewCredentials(p) | ||
491 | |||
492 | if len(sharedCfg.AssumeRole.MFASerial) > 0 && sessOpts.AssumeRoleTokenProvider == nil { | ||
493 | // AssumeRole Token provider is required if doing Assume Role | ||
494 | // with MFA. | ||
495 | return AssumeRoleTokenProviderNotSetError{} | ||
496 | } | ||
497 | |||
498 | cfg.Credentials = assumeRoleCredentials(cfgCp, handlers, sharedCfg, sessOpts) | ||
499 | case credSourceEnvironment: | ||
500 | cfg.Credentials = credentials.NewStaticCredentialsFromCreds( | ||
501 | envCfg.Creds, | ||
502 | ) | ||
503 | case credSourceECSContainer: | ||
504 | if len(os.Getenv(shareddefaults.ECSCredsProviderEnvVar)) == 0 { | ||
505 | return ErrSharedConfigECSContainerEnvVarEmpty | ||
506 | } | ||
507 | |||
508 | cfgCp := *cfg | ||
509 | p := defaults.RemoteCredProvider(cfgCp, handlers) | ||
510 | creds := credentials.NewCredentials(p) | ||
511 | |||
512 | cfg.Credentials = creds | ||
513 | default: | ||
514 | return ErrSharedConfigInvalidCredSource | ||
515 | } | ||
516 | |||
517 | return nil | ||
518 | } | ||
519 | |||
520 | if len(envCfg.Creds.AccessKeyID) > 0 { | ||
521 | cfg.Credentials = credentials.NewStaticCredentialsFromCreds( | ||
522 | envCfg.Creds, | ||
523 | ) | ||
524 | } else if envCfg.EnableSharedConfig && len(sharedCfg.AssumeRole.RoleARN) > 0 && sharedCfg.AssumeRoleSource != nil { | ||
525 | cfgCp := *cfg | ||
526 | cfgCp.Credentials = credentials.NewStaticCredentialsFromCreds( | ||
527 | sharedCfg.AssumeRoleSource.Creds, | ||
528 | ) | ||
529 | |||
530 | if len(sharedCfg.AssumeRole.MFASerial) > 0 && sessOpts.AssumeRoleTokenProvider == nil { | ||
531 | // AssumeRole Token provider is required if doing Assume Role | ||
532 | // with MFA. | ||
533 | return AssumeRoleTokenProviderNotSetError{} | ||
534 | } | ||
535 | |||
536 | cfg.Credentials = assumeRoleCredentials(cfgCp, handlers, sharedCfg, sessOpts) | ||
537 | } else if len(sharedCfg.Creds.AccessKeyID) > 0 { | ||
538 | cfg.Credentials = credentials.NewStaticCredentialsFromCreds( | ||
539 | sharedCfg.Creds, | ||
540 | ) | ||
541 | } else if len(sharedCfg.CredentialProcess) > 0 { | ||
542 | cfg.Credentials = processcreds.NewCredentials( | ||
543 | sharedCfg.CredentialProcess, | ||
544 | ) | ||
545 | } else { | ||
546 | // Fallback to default credentials provider, include mock errors | ||
547 | // for the credential chain so user can identify why credentials | ||
548 | // failed to be retrieved. | ||
549 | cfg.Credentials = credentials.NewCredentials(&credentials.ChainProvider{ | ||
550 | VerboseErrors: aws.BoolValue(cfg.CredentialsChainVerboseErrors), | ||
551 | Providers: []credentials.Provider{ | ||
552 | &credProviderError{Err: awserr.New("EnvAccessKeyNotFound", "failed to find credentials in the environment.", nil)}, | ||
553 | &credProviderError{Err: awserr.New("SharedCredsLoad", fmt.Sprintf("failed to load profile, %s.", envCfg.Profile), nil)}, | ||
554 | defaults.RemoteCredProvider(*cfg, handlers), | ||
555 | }, | ||
556 | }) | ||
557 | } | 508 | } |
509 | cfg.Credentials = creds | ||
558 | } | 510 | } |
559 | 511 | ||
560 | return nil | 512 | return nil |
561 | } | 513 | } |
562 | 514 | ||
563 | func assumeRoleCredentials(cfg aws.Config, handlers request.Handlers, sharedCfg sharedConfig, sessOpts Options) *credentials.Credentials { | ||
564 | return stscreds.NewCredentials( | ||
565 | &Session{ | ||
566 | Config: &cfg, | ||
567 | Handlers: handlers.Copy(), | ||
568 | }, | ||
569 | sharedCfg.AssumeRole.RoleARN, | ||
570 | func(opt *stscreds.AssumeRoleProvider) { | ||
571 | opt.RoleSessionName = sharedCfg.AssumeRole.RoleSessionName | ||
572 | |||
573 | // Assume role with external ID | ||
574 | if len(sharedCfg.AssumeRole.ExternalID) > 0 { | ||
575 | opt.ExternalID = aws.String(sharedCfg.AssumeRole.ExternalID) | ||
576 | } | ||
577 | |||
578 | // Assume role with MFA | ||
579 | if len(sharedCfg.AssumeRole.MFASerial) > 0 { | ||
580 | opt.SerialNumber = aws.String(sharedCfg.AssumeRole.MFASerial) | ||
581 | opt.TokenProvider = sessOpts.AssumeRoleTokenProvider | ||
582 | } | ||
583 | }, | ||
584 | ) | ||
585 | } | ||
586 | |||
587 | // AssumeRoleTokenProviderNotSetError is an error returned when creating a session when the | ||
588 | // MFAToken option is not set when shared config is configured load assume a | ||
589 | // role with an MFA token. | ||
590 | type AssumeRoleTokenProviderNotSetError struct{} | ||
591 | |||
592 | // Code is the short id of the error. | ||
593 | func (e AssumeRoleTokenProviderNotSetError) Code() string { | ||
594 | return "AssumeRoleTokenProviderNotSetError" | ||
595 | } | ||
596 | |||
597 | // Message is the description of the error | ||
598 | func (e AssumeRoleTokenProviderNotSetError) Message() string { | ||
599 | return fmt.Sprintf("assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.") | ||
600 | } | ||
601 | |||
602 | // OrigErr is the underlying error that caused the failure. | ||
603 | func (e AssumeRoleTokenProviderNotSetError) OrigErr() error { | ||
604 | return nil | ||
605 | } | ||
606 | |||
607 | // Error satisfies the error interface. | ||
608 | func (e AssumeRoleTokenProviderNotSetError) Error() string { | ||
609 | return awserr.SprintError(e.Code(), e.Message(), "", nil) | ||
610 | } | ||
611 | |||
612 | type credProviderError struct { | ||
613 | Err error | ||
614 | } | ||
615 | |||
616 | var emptyCreds = credentials.Value{} | ||
617 | |||
618 | func (c credProviderError) Retrieve() (credentials.Value, error) { | ||
619 | return credentials.Value{}, c.Err | ||
620 | } | ||
621 | func (c credProviderError) IsExpired() bool { | ||
622 | return true | ||
623 | } | ||
624 | |||
625 | func initHandlers(s *Session) { | 515 | func initHandlers(s *Session) { |
626 | // Add the Validate parameter handler if it is not disabled. | 516 | // Add the Validate parameter handler if it is not disabled. |
627 | s.Handlers.Validate.Remove(corehandlers.ValidateParametersHandler) | 517 | s.Handlers.Validate.Remove(corehandlers.ValidateParametersHandler) |