adds support for SSO credentials (#1519)

adds support for sso credentials

Author: smoench

CHANGELOG.md

@@ -7,6 +7,7 @@
 - Support for LocationService
 - Support for hostPrefix in requests
 - AWS api-change: API updates for the AWS Security Token Service
+- Support for SSO credentials
 
 ## 1.19.0
 

src/AwsClientFactory.php

@@ -44,6 +44,7 @@
 use AsyncAws\Sns\SnsClient;
 use AsyncAws\Sqs\SqsClient;
 use AsyncAws\Ssm\SsmClient;
+use AsyncAws\Sso\SsoClient;
 use AsyncAws\StepFunctions\StepFunctionsClient;
 use AsyncAws\TimestreamQuery\TimestreamQueryClient;
 use AsyncAws\TimestreamWrite\TimestreamWriteClient;
@@ -519,6 +520,15 @@ public function ssm(): SsmClient
         return $this->serviceCache[__METHOD__];
     }
 
+    public function sso(): SsoClient
+    {
+        if (!isset($this->serviceCache[__METHOD__])) {
+            $this->serviceCache[__METHOD__] = new SsoClient($this->configuration, $this->credentialProvider, $this->httpClient, $this->logger);
+        }
+
+        return $this->serviceCache[__METHOD__];
+    }
+
     public function sts(): StsClient
     {
         if (!isset($this->serviceCache[__METHOD__])) {

src/Credentials/IniFileLoader.php

@@ -23,6 +23,10 @@ final class IniFileLoader
     public const KEY_ROLE_SESSION_NAME = 'role_session_name';
     public const KEY_SOURCE_PROFILE = 'source_profile';
     public const KEY_WEB_IDENTITY_TOKEN_FILE = 'web_identity_token_file';
+    public const KEY_SSO_START_URL = 'sso_start_url';
+    public const KEY_SSO_REGION = 'sso_region';
+    public const KEY_SSO_ACCOUNT_ID = 'sso_account_id';
+    public const KEY_SSO_ROLE_NAME = 'sso_role_name';
 
     /**
      * @var LoggerInterface

src/Credentials/IniFileProvider.php

@@ -7,6 +7,7 @@
 use AsyncAws\Core\Configuration;
 use AsyncAws\Core\Exception\RuntimeException;
 use AsyncAws\Core\Sts\StsClient;
+use AsyncAws\Sso\SsoClient;
 use Psr\Log\LoggerInterface;
 use Psr\Log\NullLogger;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
@@ -92,6 +93,16 @@ private function getCredentialsFromProfile(array $profilesData, string $profile,
             return $this->getCredentialsFromRole($profilesData, $profileData, $profile, $circularCollector);
         }
 
+        if (isset($profileData[IniFileLoader::KEY_SSO_START_URL])) {
+            if (class_exists(SsoClient::class)) {
+                return $this->getCredentialsFromLegacySso($profileData, $profile);
+            }
+
+            $this->logger->warning('The profile "{profile}" contains SSO (legacy) config but the "async-aws/sso" package is not installed. Try running "composer require async-aws/sso".', ['profile' => $profile]);
+
+            return null;
+        }
+
         $this->logger->info('No credentials found for profile "{profile}".', ['profile' => $profile]);
 
         return null;
@@ -146,4 +157,68 @@ private function getCredentialsFromRole(array $profilesData, array $profileData,
             Credentials::adjustExpireDate($credentials->getExpiration(), $this->getDateFromResult($result))
         );
     }
+
+    /**
+     * @param array<string, string> $profileData
+     */
+    private function getCredentialsFromLegacySso(array $profileData, string $profile): ?Credentials
+    {
+        if (!isset(
+            $profileData[IniFileLoader::KEY_SSO_START_URL],
+            $profileData[IniFileLoader::KEY_SSO_REGION],
+            $profileData[IniFileLoader::KEY_SSO_ACCOUNT_ID],
+            $profileData[IniFileLoader::KEY_SSO_ROLE_NAME]
+        )) {
+            $this->logger->warning('Profile "{profile}" does not contains required legacy SSO config.', ['profile' => $profile]);
+
+            return null;
+        }
+
+        $ssoCacheFileLoader = new SsoCacheFileLoader($this->logger);
+        $tokenData = $ssoCacheFileLoader->loadSsoCacheFile($profileData[IniFileLoader::KEY_SSO_START_URL]);
+
+        if ([] === $tokenData) {
+            return null;
+        }
+
+        $ssoClient = new SsoClient(
+            ['region' => $profileData[IniFileLoader::KEY_SSO_REGION]],
+            new NullProvider(), // no credentials required as we provide an access token via the role credentials request
+            $this->httpClient
+        );
+        $result = $ssoClient->getRoleCredentials([
+            'accessToken' => $tokenData[SsoCacheFileLoader::KEY_ACCESS_TOKEN],
+            'accountId' => $profileData[IniFileLoader::KEY_SSO_ACCOUNT_ID],
+            'roleName' => $profileData[IniFileLoader::KEY_SSO_ROLE_NAME],
+        ]);
+
+        try {
+            if (null === $credentials = $result->getRoleCredentials()) {
+                throw new RuntimeException('The RoleCredentials response does not contains credentials');
+            }
+            if (null === $accessKeyId = $credentials->getAccessKeyId()) {
+                throw new RuntimeException('The RoleCredentials response does not contain an accessKeyId');
+            }
+            if (null === $secretAccessKey = $credentials->getSecretAccessKey()) {
+                throw new RuntimeException('The RoleCredentials response does not contain a secretAccessKey');
+            }
+            if (null === $sessionToken = $credentials->getSessionToken()) {
+                throw new RuntimeException('The RoleCredentials response does not contain a sessionToken');
+            }
+            if (null === $expiration = $credentials->getExpiration()) {
+                throw new RuntimeException('The RoleCredentials response does not contain an expiration');
+            }
+        } catch (\Exception $e) {
+            $this->logger->warning('Failed to get credentials from role credentials in profile "{profile}: {exception}".', ['profile' => $profile, 'exception' => $e]);
+
+            return null;
+        }
+
+        return new Credentials(
+            $accessKeyId,
+            $secretAccessKey,
+            $sessionToken,
+            (new \DateTimeImmutable())->setTimestamp($expiration)
+        );
+    }
 }

src/Credentials/SsoCacheFileLoader.php

@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace AsyncAws\Core\Credentials;
+
+use AsyncAws\Core\EnvVar;
+use Psr\Log\LoggerInterface;
+use Psr\Log\NullLogger;
+
+/**
+ * Load and parse AWS SSO cache file.
+ */
+final class SsoCacheFileLoader
+{
+    public const KEY_ACCESS_TOKEN = 'accessToken';
+    public const KEY_EXPIRES_AT = 'expiresAt';
+
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
+    public function __construct(?LoggerInterface $logger = null)
+    {
+        $this->logger = $logger ?? new NullLogger();
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    public function loadSsoCacheFile(string $ssoStartUrl): array
+    {
+        $filepath = sprintf('%s/.aws/sso/cache/%s.json', $this->getHomeDir(), sha1($ssoStartUrl));
+
+        if (false === ($contents = @file_get_contents($filepath))) {
+            $this->logger->warning('The sso cache file {path} is not readable.', ['path' => $filepath]);
+
+            return [];
+        }
+
+        $tokenData = json_decode($contents, true);
+        if (!isset($tokenData[self::KEY_ACCESS_TOKEN], $tokenData[self::KEY_EXPIRES_AT])) {
+            $this->logger->warning('Token file at {path} must contain an accessToken and an expiresAt.', ['path' => $filepath]);
+
+            return [];
+        }
+
+        try {
+            $expiration = (new \DateTimeImmutable($tokenData[self::KEY_EXPIRES_AT]));
+        } catch (\Exception $e) {
+            $this->logger->warning('Cached SSO credentials returned an invalid expiresAt value.');
+
+            return [];
+        }
+
+        if ($expiration < new \DateTimeImmutable()) {
+            $this->logger->warning('Cached SSO credentials returned an invalid expiresAt value.');
+
+            return [];
+        }
+
+        return $tokenData;
+    }
+
+    private function getHomeDir(): string
+    {
+        // On Linux/Unix-like systems, use the HOME environment variable
+        if (null !== $homeDir = EnvVar::get('HOME')) {
+            return $homeDir;
+        }
+
+        // Get the HOMEDRIVE and HOMEPATH values for Windows hosts
+        $homeDrive = EnvVar::get('HOMEDRIVE');
+        $homePath = EnvVar::get('HOMEPATH');
+
+        return ($homeDrive && $homePath) ? $homeDrive . $homePath : '/';
+    }
+}