2023-11-20 20:28:57 +00:00
|
|
|
// Code generated by smithy-go-codegen DO NOT EDIT.
|
|
|
|
|
|
|
|
package sts
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
|
|
|
awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
|
|
|
|
smithy "github.com/aws/smithy-go"
|
|
|
|
smithyauth "github.com/aws/smithy-go/auth"
|
2024-09-23 20:18:36 +00:00
|
|
|
"github.com/aws/smithy-go/metrics"
|
2023-11-20 20:28:57 +00:00
|
|
|
"github.com/aws/smithy-go/middleware"
|
2024-09-23 20:18:36 +00:00
|
|
|
"github.com/aws/smithy-go/tracing"
|
2023-11-20 20:28:57 +00:00
|
|
|
smithyhttp "github.com/aws/smithy-go/transport/http"
|
|
|
|
)
|
|
|
|
|
2024-06-24 20:58:34 +00:00
|
|
|
func bindAuthParamsRegion(_ interface{}, params *AuthResolverParameters, _ interface{}, options Options) {
|
2023-11-20 20:28:57 +00:00
|
|
|
params.Region = options.Region
|
|
|
|
}
|
|
|
|
|
|
|
|
type setLegacyContextSigningOptionsMiddleware struct {
|
|
|
|
}
|
|
|
|
|
|
|
|
func (*setLegacyContextSigningOptionsMiddleware) ID() string {
|
|
|
|
return "setLegacyContextSigningOptions"
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m *setLegacyContextSigningOptionsMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
|
|
|
|
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
|
|
|
|
) {
|
|
|
|
rscheme := getResolvedAuthScheme(ctx)
|
|
|
|
schemeID := rscheme.Scheme.SchemeID()
|
|
|
|
|
|
|
|
if sn := awsmiddleware.GetSigningName(ctx); sn != "" {
|
|
|
|
if schemeID == "aws.auth#sigv4" {
|
|
|
|
smithyhttp.SetSigV4SigningName(&rscheme.SignerProperties, sn)
|
|
|
|
} else if schemeID == "aws.auth#sigv4a" {
|
|
|
|
smithyhttp.SetSigV4ASigningName(&rscheme.SignerProperties, sn)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if sr := awsmiddleware.GetSigningRegion(ctx); sr != "" {
|
|
|
|
if schemeID == "aws.auth#sigv4" {
|
|
|
|
smithyhttp.SetSigV4SigningRegion(&rscheme.SignerProperties, sr)
|
|
|
|
} else if schemeID == "aws.auth#sigv4a" {
|
|
|
|
smithyhttp.SetSigV4ASigningRegions(&rscheme.SignerProperties, []string{sr})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return next.HandleFinalize(ctx, in)
|
|
|
|
}
|
|
|
|
|
|
|
|
func addSetLegacyContextSigningOptionsMiddleware(stack *middleware.Stack) error {
|
|
|
|
return stack.Finalize.Insert(&setLegacyContextSigningOptionsMiddleware{}, "Signing", middleware.Before)
|
|
|
|
}
|
|
|
|
|
2023-12-11 20:58:34 +00:00
|
|
|
type withAnonymous struct {
|
|
|
|
resolver AuthSchemeResolver
|
|
|
|
}
|
|
|
|
|
|
|
|
var _ AuthSchemeResolver = (*withAnonymous)(nil)
|
|
|
|
|
|
|
|
func (v *withAnonymous) ResolveAuthSchemes(ctx context.Context, params *AuthResolverParameters) ([]*smithyauth.Option, error) {
|
|
|
|
opts, err := v.resolver.ResolveAuthSchemes(ctx, params)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
opts = append(opts, &smithyauth.Option{
|
|
|
|
SchemeID: smithyauth.SchemeIDAnonymous,
|
|
|
|
})
|
|
|
|
return opts, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func wrapWithAnonymousAuth(options *Options) {
|
|
|
|
if _, ok := options.AuthSchemeResolver.(*defaultAuthSchemeResolver); !ok {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
options.AuthSchemeResolver = &withAnonymous{
|
|
|
|
resolver: options.AuthSchemeResolver,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-11-20 20:28:57 +00:00
|
|
|
// AuthResolverParameters contains the set of inputs necessary for auth scheme
|
|
|
|
// resolution.
|
|
|
|
type AuthResolverParameters struct {
|
|
|
|
// The name of the operation being invoked.
|
|
|
|
Operation string
|
|
|
|
|
|
|
|
// The region in which the operation is being invoked.
|
|
|
|
Region string
|
|
|
|
}
|
|
|
|
|
2024-06-24 20:58:34 +00:00
|
|
|
func bindAuthResolverParams(ctx context.Context, operation string, input interface{}, options Options) *AuthResolverParameters {
|
2023-11-20 20:28:57 +00:00
|
|
|
params := &AuthResolverParameters{
|
|
|
|
Operation: operation,
|
|
|
|
}
|
|
|
|
|
2024-06-24 20:58:34 +00:00
|
|
|
bindAuthParamsRegion(ctx, params, input, options)
|
2023-11-20 20:28:57 +00:00
|
|
|
|
|
|
|
return params
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthSchemeResolver returns a set of possible authentication options for an
|
|
|
|
// operation.
|
|
|
|
type AuthSchemeResolver interface {
|
|
|
|
ResolveAuthSchemes(context.Context, *AuthResolverParameters) ([]*smithyauth.Option, error)
|
|
|
|
}
|
|
|
|
|
|
|
|
type defaultAuthSchemeResolver struct{}
|
|
|
|
|
|
|
|
var _ AuthSchemeResolver = (*defaultAuthSchemeResolver)(nil)
|
|
|
|
|
|
|
|
func (*defaultAuthSchemeResolver) ResolveAuthSchemes(ctx context.Context, params *AuthResolverParameters) ([]*smithyauth.Option, error) {
|
|
|
|
if overrides, ok := operationAuthOptions[params.Operation]; ok {
|
|
|
|
return overrides(params), nil
|
|
|
|
}
|
|
|
|
return serviceAuthOptions(params), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
var operationAuthOptions = map[string]func(*AuthResolverParameters) []*smithyauth.Option{
|
|
|
|
"AssumeRoleWithSAML": func(params *AuthResolverParameters) []*smithyauth.Option {
|
|
|
|
return []*smithyauth.Option{
|
|
|
|
{SchemeID: smithyauth.SchemeIDAnonymous},
|
|
|
|
}
|
|
|
|
},
|
|
|
|
|
|
|
|
"AssumeRoleWithWebIdentity": func(params *AuthResolverParameters) []*smithyauth.Option {
|
|
|
|
return []*smithyauth.Option{
|
|
|
|
{SchemeID: smithyauth.SchemeIDAnonymous},
|
|
|
|
}
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
func serviceAuthOptions(params *AuthResolverParameters) []*smithyauth.Option {
|
|
|
|
return []*smithyauth.Option{
|
|
|
|
{
|
|
|
|
SchemeID: smithyauth.SchemeIDSigV4,
|
|
|
|
SignerProperties: func() smithy.Properties {
|
|
|
|
var props smithy.Properties
|
|
|
|
smithyhttp.SetSigV4SigningName(&props, "sts")
|
|
|
|
smithyhttp.SetSigV4SigningRegion(&props, params.Region)
|
|
|
|
return props
|
|
|
|
}(),
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
type resolveAuthSchemeMiddleware struct {
|
|
|
|
operation string
|
|
|
|
options Options
|
|
|
|
}
|
|
|
|
|
|
|
|
func (*resolveAuthSchemeMiddleware) ID() string {
|
|
|
|
return "ResolveAuthScheme"
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
|
|
|
|
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
|
|
|
|
) {
|
2024-09-23 20:18:36 +00:00
|
|
|
_, span := tracing.StartSpan(ctx, "ResolveAuthScheme")
|
|
|
|
defer span.End()
|
|
|
|
|
2024-06-24 20:58:34 +00:00
|
|
|
params := bindAuthResolverParams(ctx, m.operation, getOperationInput(ctx), m.options)
|
2023-11-20 20:28:57 +00:00
|
|
|
options, err := m.options.AuthSchemeResolver.ResolveAuthSchemes(ctx, params)
|
|
|
|
if err != nil {
|
2023-12-04 20:53:57 +00:00
|
|
|
return out, metadata, fmt.Errorf("resolve auth scheme: %w", err)
|
2023-11-20 20:28:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
scheme, ok := m.selectScheme(options)
|
|
|
|
if !ok {
|
|
|
|
return out, metadata, fmt.Errorf("could not select an auth scheme")
|
|
|
|
}
|
|
|
|
|
|
|
|
ctx = setResolvedAuthScheme(ctx, scheme)
|
2024-09-23 20:18:36 +00:00
|
|
|
|
|
|
|
span.SetProperty("auth.scheme_id", scheme.Scheme.SchemeID())
|
|
|
|
span.End()
|
2023-11-20 20:28:57 +00:00
|
|
|
return next.HandleFinalize(ctx, in)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m *resolveAuthSchemeMiddleware) selectScheme(options []*smithyauth.Option) (*resolvedAuthScheme, bool) {
|
|
|
|
for _, option := range options {
|
|
|
|
if option.SchemeID == smithyauth.SchemeIDAnonymous {
|
|
|
|
return newResolvedAuthScheme(smithyhttp.NewAnonymousScheme(), option), true
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, scheme := range m.options.AuthSchemes {
|
|
|
|
if scheme.SchemeID() != option.SchemeID {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if scheme.IdentityResolver(m.options) != nil {
|
|
|
|
return newResolvedAuthScheme(scheme, option), true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil, false
|
|
|
|
}
|
|
|
|
|
|
|
|
type resolvedAuthSchemeKey struct{}
|
|
|
|
|
|
|
|
type resolvedAuthScheme struct {
|
|
|
|
Scheme smithyhttp.AuthScheme
|
|
|
|
IdentityProperties smithy.Properties
|
|
|
|
SignerProperties smithy.Properties
|
|
|
|
}
|
|
|
|
|
|
|
|
func newResolvedAuthScheme(scheme smithyhttp.AuthScheme, option *smithyauth.Option) *resolvedAuthScheme {
|
|
|
|
return &resolvedAuthScheme{
|
|
|
|
Scheme: scheme,
|
|
|
|
IdentityProperties: option.IdentityProperties,
|
|
|
|
SignerProperties: option.SignerProperties,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func setResolvedAuthScheme(ctx context.Context, scheme *resolvedAuthScheme) context.Context {
|
|
|
|
return middleware.WithStackValue(ctx, resolvedAuthSchemeKey{}, scheme)
|
|
|
|
}
|
|
|
|
|
|
|
|
func getResolvedAuthScheme(ctx context.Context) *resolvedAuthScheme {
|
|
|
|
v, _ := middleware.GetStackValue(ctx, resolvedAuthSchemeKey{}).(*resolvedAuthScheme)
|
|
|
|
return v
|
|
|
|
}
|
|
|
|
|
|
|
|
type getIdentityMiddleware struct {
|
|
|
|
options Options
|
|
|
|
}
|
|
|
|
|
|
|
|
func (*getIdentityMiddleware) ID() string {
|
|
|
|
return "GetIdentity"
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m *getIdentityMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
|
|
|
|
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
|
|
|
|
) {
|
2024-09-23 20:18:36 +00:00
|
|
|
innerCtx, span := tracing.StartSpan(ctx, "GetIdentity")
|
|
|
|
defer span.End()
|
|
|
|
|
|
|
|
rscheme := getResolvedAuthScheme(innerCtx)
|
2023-11-20 20:28:57 +00:00
|
|
|
if rscheme == nil {
|
|
|
|
return out, metadata, fmt.Errorf("no resolved auth scheme")
|
|
|
|
}
|
|
|
|
|
|
|
|
resolver := rscheme.Scheme.IdentityResolver(m.options)
|
|
|
|
if resolver == nil {
|
|
|
|
return out, metadata, fmt.Errorf("no identity resolver")
|
|
|
|
}
|
|
|
|
|
2024-09-23 20:18:36 +00:00
|
|
|
identity, err := timeOperationMetric(ctx, "client.call.resolve_identity_duration",
|
|
|
|
func() (smithyauth.Identity, error) {
|
|
|
|
return resolver.GetIdentity(innerCtx, rscheme.IdentityProperties)
|
|
|
|
},
|
|
|
|
func(o *metrics.RecordMetricOptions) {
|
|
|
|
o.Properties.Set("auth.scheme_id", rscheme.Scheme.SchemeID())
|
|
|
|
})
|
2023-11-20 20:28:57 +00:00
|
|
|
if err != nil {
|
2023-12-04 20:53:57 +00:00
|
|
|
return out, metadata, fmt.Errorf("get identity: %w", err)
|
2023-11-20 20:28:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
ctx = setIdentity(ctx, identity)
|
2024-09-23 20:18:36 +00:00
|
|
|
|
|
|
|
span.End()
|
2023-11-20 20:28:57 +00:00
|
|
|
return next.HandleFinalize(ctx, in)
|
|
|
|
}
|
|
|
|
|
|
|
|
type identityKey struct{}
|
|
|
|
|
|
|
|
func setIdentity(ctx context.Context, identity smithyauth.Identity) context.Context {
|
|
|
|
return middleware.WithStackValue(ctx, identityKey{}, identity)
|
|
|
|
}
|
|
|
|
|
|
|
|
func getIdentity(ctx context.Context) smithyauth.Identity {
|
|
|
|
v, _ := middleware.GetStackValue(ctx, identityKey{}).(smithyauth.Identity)
|
|
|
|
return v
|
|
|
|
}
|
|
|
|
|
|
|
|
type signRequestMiddleware struct {
|
2024-09-23 20:18:36 +00:00
|
|
|
options Options
|
2023-11-20 20:28:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (*signRequestMiddleware) ID() string {
|
|
|
|
return "Signing"
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m *signRequestMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
|
|
|
|
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
|
|
|
|
) {
|
2024-09-23 20:18:36 +00:00
|
|
|
_, span := tracing.StartSpan(ctx, "SignRequest")
|
|
|
|
defer span.End()
|
|
|
|
|
2023-11-20 20:28:57 +00:00
|
|
|
req, ok := in.Request.(*smithyhttp.Request)
|
|
|
|
if !ok {
|
|
|
|
return out, metadata, fmt.Errorf("unexpected transport type %T", in.Request)
|
|
|
|
}
|
|
|
|
|
|
|
|
rscheme := getResolvedAuthScheme(ctx)
|
|
|
|
if rscheme == nil {
|
|
|
|
return out, metadata, fmt.Errorf("no resolved auth scheme")
|
|
|
|
}
|
|
|
|
|
|
|
|
identity := getIdentity(ctx)
|
|
|
|
if identity == nil {
|
|
|
|
return out, metadata, fmt.Errorf("no identity")
|
|
|
|
}
|
|
|
|
|
|
|
|
signer := rscheme.Scheme.Signer()
|
|
|
|
if signer == nil {
|
|
|
|
return out, metadata, fmt.Errorf("no signer")
|
|
|
|
}
|
|
|
|
|
2024-09-23 20:18:36 +00:00
|
|
|
_, err = timeOperationMetric(ctx, "client.call.signing_duration", func() (any, error) {
|
|
|
|
return nil, signer.SignRequest(ctx, req, identity, rscheme.SignerProperties)
|
|
|
|
}, func(o *metrics.RecordMetricOptions) {
|
|
|
|
o.Properties.Set("auth.scheme_id", rscheme.Scheme.SchemeID())
|
|
|
|
})
|
|
|
|
if err != nil {
|
2023-12-04 20:53:57 +00:00
|
|
|
return out, metadata, fmt.Errorf("sign request: %w", err)
|
2023-11-20 20:28:57 +00:00
|
|
|
}
|
|
|
|
|
2024-09-23 20:18:36 +00:00
|
|
|
span.End()
|
2023-11-20 20:28:57 +00:00
|
|
|
return next.HandleFinalize(ctx, in)
|
|
|
|
}
|