auth.go (10280B)
1 // Code generated by smithy-go-codegen DO NOT EDIT. 2 3 package sts 4 5 import ( 6 "context" 7 "fmt" 8 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" 9 smithy "github.com/aws/smithy-go" 10 smithyauth "github.com/aws/smithy-go/auth" 11 "github.com/aws/smithy-go/metrics" 12 "github.com/aws/smithy-go/middleware" 13 "github.com/aws/smithy-go/tracing" 14 smithyhttp "github.com/aws/smithy-go/transport/http" 15 "slices" 16 "strings" 17 ) 18 19 func bindAuthParamsRegion(_ interface{}, params *AuthResolverParameters, _ interface{}, options Options) { 20 params.Region = options.Region 21 } 22 23 type setLegacyContextSigningOptionsMiddleware struct { 24 } 25 26 func (*setLegacyContextSigningOptionsMiddleware) ID() string { 27 return "setLegacyContextSigningOptions" 28 } 29 30 func (m *setLegacyContextSigningOptionsMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) ( 31 out middleware.FinalizeOutput, metadata middleware.Metadata, err error, 32 ) { 33 rscheme := getResolvedAuthScheme(ctx) 34 schemeID := rscheme.Scheme.SchemeID() 35 36 if sn := awsmiddleware.GetSigningName(ctx); sn != "" { 37 if schemeID == "aws.auth#sigv4" { 38 smithyhttp.SetSigV4SigningName(&rscheme.SignerProperties, sn) 39 } else if schemeID == "aws.auth#sigv4a" { 40 smithyhttp.SetSigV4ASigningName(&rscheme.SignerProperties, sn) 41 } 42 } 43 44 if sr := awsmiddleware.GetSigningRegion(ctx); sr != "" { 45 if schemeID == "aws.auth#sigv4" { 46 smithyhttp.SetSigV4SigningRegion(&rscheme.SignerProperties, sr) 47 } else if schemeID == "aws.auth#sigv4a" { 48 smithyhttp.SetSigV4ASigningRegions(&rscheme.SignerProperties, []string{sr}) 49 } 50 } 51 52 return next.HandleFinalize(ctx, in) 53 } 54 55 func addSetLegacyContextSigningOptionsMiddleware(stack *middleware.Stack) error { 56 return stack.Finalize.Insert(&setLegacyContextSigningOptionsMiddleware{}, "Signing", middleware.Before) 57 } 58 59 type withAnonymous struct { 60 resolver AuthSchemeResolver 61 } 62 63 var _ AuthSchemeResolver = (*withAnonymous)(nil) 64 65 func (v *withAnonymous) ResolveAuthSchemes(ctx context.Context, params *AuthResolverParameters) ([]*smithyauth.Option, error) { 66 opts, err := v.resolver.ResolveAuthSchemes(ctx, params) 67 if err != nil { 68 return nil, err 69 } 70 71 opts = append(opts, &smithyauth.Option{ 72 SchemeID: smithyauth.SchemeIDAnonymous, 73 }) 74 return opts, nil 75 } 76 77 func wrapWithAnonymousAuth(options *Options) { 78 if _, ok := options.AuthSchemeResolver.(*defaultAuthSchemeResolver); !ok { 79 return 80 } 81 82 options.AuthSchemeResolver = &withAnonymous{ 83 resolver: options.AuthSchemeResolver, 84 } 85 } 86 87 // AuthResolverParameters contains the set of inputs necessary for auth scheme 88 // resolution. 89 type AuthResolverParameters struct { 90 // The name of the operation being invoked. 91 Operation string 92 93 // The region in which the operation is being invoked. 94 Region string 95 } 96 97 func bindAuthResolverParams(ctx context.Context, operation string, input interface{}, options Options) *AuthResolverParameters { 98 params := &AuthResolverParameters{ 99 Operation: operation, 100 } 101 102 bindAuthParamsRegion(ctx, params, input, options) 103 104 return params 105 } 106 107 // AuthSchemeResolver returns a set of possible authentication options for an 108 // operation. 109 type AuthSchemeResolver interface { 110 ResolveAuthSchemes(context.Context, *AuthResolverParameters) ([]*smithyauth.Option, error) 111 } 112 113 type defaultAuthSchemeResolver struct{} 114 115 var _ AuthSchemeResolver = (*defaultAuthSchemeResolver)(nil) 116 117 func (*defaultAuthSchemeResolver) ResolveAuthSchemes(ctx context.Context, params *AuthResolverParameters) ([]*smithyauth.Option, error) { 118 if overrides, ok := operationAuthOptions[params.Operation]; ok { 119 return overrides(params), nil 120 } 121 return serviceAuthOptions(params), nil 122 } 123 124 var operationAuthOptions = map[string]func(*AuthResolverParameters) []*smithyauth.Option{ 125 "AssumeRoleWithSAML": func(params *AuthResolverParameters) []*smithyauth.Option { 126 return []*smithyauth.Option{ 127 {SchemeID: smithyauth.SchemeIDAnonymous}, 128 } 129 }, 130 131 "AssumeRoleWithWebIdentity": func(params *AuthResolverParameters) []*smithyauth.Option { 132 return []*smithyauth.Option{ 133 {SchemeID: smithyauth.SchemeIDAnonymous}, 134 } 135 }, 136 } 137 138 func serviceAuthOptions(params *AuthResolverParameters) []*smithyauth.Option { 139 return []*smithyauth.Option{ 140 { 141 SchemeID: smithyauth.SchemeIDSigV4, 142 SignerProperties: func() smithy.Properties { 143 var props smithy.Properties 144 smithyhttp.SetSigV4SigningName(&props, "sts") 145 smithyhttp.SetSigV4SigningRegion(&props, params.Region) 146 return props 147 }(), 148 }, 149 } 150 } 151 152 type resolveAuthSchemeMiddleware struct { 153 operation string 154 options Options 155 } 156 157 func (*resolveAuthSchemeMiddleware) ID() string { 158 return "ResolveAuthScheme" 159 } 160 161 func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) ( 162 out middleware.FinalizeOutput, metadata middleware.Metadata, err error, 163 ) { 164 _, span := tracing.StartSpan(ctx, "ResolveAuthScheme") 165 defer span.End() 166 167 params := bindAuthResolverParams(ctx, m.operation, getOperationInput(ctx), m.options) 168 options, err := m.options.AuthSchemeResolver.ResolveAuthSchemes(ctx, params) 169 if err != nil { 170 return out, metadata, fmt.Errorf("resolve auth scheme: %w", err) 171 } 172 173 scheme, ok := m.selectScheme(options) 174 if !ok { 175 return out, metadata, fmt.Errorf("could not select an auth scheme") 176 } 177 178 ctx = setResolvedAuthScheme(ctx, scheme) 179 180 span.SetProperty("auth.scheme_id", scheme.Scheme.SchemeID()) 181 span.End() 182 return next.HandleFinalize(ctx, in) 183 } 184 185 func (m *resolveAuthSchemeMiddleware) selectScheme(options []*smithyauth.Option) (*resolvedAuthScheme, bool) { 186 sorted := sortAuthOptions(options, m.options.AuthSchemePreference) 187 for _, option := range sorted { 188 if option.SchemeID == smithyauth.SchemeIDAnonymous { 189 return newResolvedAuthScheme(smithyhttp.NewAnonymousScheme(), option), true 190 } 191 192 for _, scheme := range m.options.AuthSchemes { 193 if scheme.SchemeID() != option.SchemeID { 194 continue 195 } 196 197 if scheme.IdentityResolver(m.options) != nil { 198 return newResolvedAuthScheme(scheme, option), true 199 } 200 } 201 } 202 203 return nil, false 204 } 205 206 func sortAuthOptions(options []*smithyauth.Option, preferred []string) []*smithyauth.Option { 207 byPriority := make([]*smithyauth.Option, 0, len(options)) 208 for _, prefName := range preferred { 209 for _, option := range options { 210 optName := option.SchemeID 211 if parts := strings.Split(option.SchemeID, "#"); len(parts) == 2 { 212 optName = parts[1] 213 } 214 if prefName == optName { 215 byPriority = append(byPriority, option) 216 } 217 } 218 } 219 for _, option := range options { 220 if !slices.ContainsFunc(byPriority, func(o *smithyauth.Option) bool { 221 return o.SchemeID == option.SchemeID 222 }) { 223 byPriority = append(byPriority, option) 224 } 225 } 226 return byPriority 227 } 228 229 type resolvedAuthSchemeKey struct{} 230 231 type resolvedAuthScheme struct { 232 Scheme smithyhttp.AuthScheme 233 IdentityProperties smithy.Properties 234 SignerProperties smithy.Properties 235 } 236 237 func newResolvedAuthScheme(scheme smithyhttp.AuthScheme, option *smithyauth.Option) *resolvedAuthScheme { 238 return &resolvedAuthScheme{ 239 Scheme: scheme, 240 IdentityProperties: option.IdentityProperties, 241 SignerProperties: option.SignerProperties, 242 } 243 } 244 245 func setResolvedAuthScheme(ctx context.Context, scheme *resolvedAuthScheme) context.Context { 246 return middleware.WithStackValue(ctx, resolvedAuthSchemeKey{}, scheme) 247 } 248 249 func getResolvedAuthScheme(ctx context.Context) *resolvedAuthScheme { 250 v, _ := middleware.GetStackValue(ctx, resolvedAuthSchemeKey{}).(*resolvedAuthScheme) 251 return v 252 } 253 254 type getIdentityMiddleware struct { 255 options Options 256 } 257 258 func (*getIdentityMiddleware) ID() string { 259 return "GetIdentity" 260 } 261 262 func (m *getIdentityMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) ( 263 out middleware.FinalizeOutput, metadata middleware.Metadata, err error, 264 ) { 265 innerCtx, span := tracing.StartSpan(ctx, "GetIdentity") 266 defer span.End() 267 268 rscheme := getResolvedAuthScheme(innerCtx) 269 if rscheme == nil { 270 return out, metadata, fmt.Errorf("no resolved auth scheme") 271 } 272 273 resolver := rscheme.Scheme.IdentityResolver(m.options) 274 if resolver == nil { 275 return out, metadata, fmt.Errorf("no identity resolver") 276 } 277 278 identity, err := timeOperationMetric(ctx, "client.call.resolve_identity_duration", 279 func() (smithyauth.Identity, error) { 280 return resolver.GetIdentity(innerCtx, rscheme.IdentityProperties) 281 }, 282 func(o *metrics.RecordMetricOptions) { 283 o.Properties.Set("auth.scheme_id", rscheme.Scheme.SchemeID()) 284 }) 285 if err != nil { 286 return out, metadata, fmt.Errorf("get identity: %w", err) 287 } 288 289 ctx = setIdentity(ctx, identity) 290 291 span.End() 292 return next.HandleFinalize(ctx, in) 293 } 294 295 type identityKey struct{} 296 297 func setIdentity(ctx context.Context, identity smithyauth.Identity) context.Context { 298 return middleware.WithStackValue(ctx, identityKey{}, identity) 299 } 300 301 func getIdentity(ctx context.Context) smithyauth.Identity { 302 v, _ := middleware.GetStackValue(ctx, identityKey{}).(smithyauth.Identity) 303 return v 304 } 305 306 type signRequestMiddleware struct { 307 options Options 308 } 309 310 func (*signRequestMiddleware) ID() string { 311 return "Signing" 312 } 313 314 func (m *signRequestMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) ( 315 out middleware.FinalizeOutput, metadata middleware.Metadata, err error, 316 ) { 317 _, span := tracing.StartSpan(ctx, "SignRequest") 318 defer span.End() 319 320 req, ok := in.Request.(*smithyhttp.Request) 321 if !ok { 322 return out, metadata, fmt.Errorf("unexpected transport type %T", in.Request) 323 } 324 325 rscheme := getResolvedAuthScheme(ctx) 326 if rscheme == nil { 327 return out, metadata, fmt.Errorf("no resolved auth scheme") 328 } 329 330 identity := getIdentity(ctx) 331 if identity == nil { 332 return out, metadata, fmt.Errorf("no identity") 333 } 334 335 signer := rscheme.Scheme.Signer() 336 if signer == nil { 337 return out, metadata, fmt.Errorf("no signer") 338 } 339 340 _, err = timeOperationMetric(ctx, "client.call.signing_duration", func() (any, error) { 341 return nil, signer.SignRequest(ctx, req, identity, rscheme.SignerProperties) 342 }, func(o *metrics.RecordMetricOptions) { 343 o.Properties.Set("auth.scheme_id", rscheme.Scheme.SchemeID()) 344 }) 345 if err != nil { 346 return out, metadata, fmt.Errorf("sign request: %w", err) 347 } 348 349 span.End() 350 return next.HandleFinalize(ctx, in) 351 }