Malin/WPS3Media
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
WPS3Media/vendor/Aws3/Aws/Auth/AuthSchemeResolver.php

135 lines
5.1 KiB
PHP
Raw Permalink Normal View History

feat: add S3-compatible storage provider (MinIO, Ceph, R2, etc.) Adds a new 'S3-Compatible Storage' provider that works with any S3-API-compatible object storage service, including MinIO, Ceph, Cloudflare R2, Backblaze B2, and others. Changes: - New provider class: classes/providers/storage/s3-compatible-provider.php - Provider key: s3compatible - Reads user-configured endpoint URL from settings - Uses path-style URL access (required by most S3-compatible services) - Supports credentials via AS3CF_S3COMPAT_ACCESS_KEY_ID / AS3CF_S3COMPAT_SECRET_ACCESS_KEY wp-config.php constants - Disables AWS-specific features (Block Public Access, Object Ownership) - New provider SVG icons (s3compatible.svg, -link.svg, -round.svg) - Registered provider in main plugin class with endpoint setting support - Updated StorageProviderSubPage to show endpoint URL input for S3-compatible - Built pro settings bundle with rollup (Svelte 4.2.19) - Added package.json and updated rollup.config.mjs for pro-only builds
2026-03-03 12:30:18 +01:00
<?php
namespace DeliciousBrains\WP_Offload_Media\Aws3\Aws\Auth;
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Auth\Exception\UnresolvedAuthSchemeException;
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Identity\AwsCredentialIdentity;
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Identity\BearerTokenIdentity;
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Promise\PromiseInterface;
/**
* Houses logic for selecting an auth scheme modeled in a service's `auth` trait.
* The `auth` trait can be modeled either in a service's metadata, or at the operation level.
*/
class AuthSchemeResolver implements AuthSchemeResolverInterface
{
const UNSIGNED_BODY = '-unsigned-body';
/**
* @var string[] Default mapping of modeled auth trait auth schemes
* to the SDK's supported signature versions.
*/
private static $defaultAuthSchemeMap = ['aws.auth#sigv4' => 'v4', 'aws.auth#sigv4a' => 'v4a', 'smithy.api#httpBearerAuth' => 'bearer', 'smithy.api#noAuth' => 'anonymous'];
/**
* @var array Mapping of auth schemes to signature versions used in
* resolving a signature version.
*/
private $authSchemeMap;
private $tokenProvider;
private $credentialProvider;
public function __construct(callable $credentialProvider, callable $tokenProvider = null, array $authSchemeMap = [])
{
$this->credentialProvider = $credentialProvider;
$this->tokenProvider = $tokenProvider;
$this->authSchemeMap = empty($authSchemeMap) ? self::$defaultAuthSchemeMap : $authSchemeMap;
}
/**
* Accepts a priority-ordered list of auth schemes and an Identity
* and selects the first compatible auth schemes, returning a normalized
* signature version. For example, based on the default auth scheme mapping,
* if `aws.auth#sigv4` is selected, `v4` will be returned.
*
* @param array $authSchemes
* @param $identity
*
* @return string
* @throws UnresolvedAuthSchemeException
*/
public function selectAuthScheme(array $authSchemes, array $args = []) : string
{
$failureReasons = [];
foreach ($authSchemes as $authScheme) {
$normalizedAuthScheme = $this->authSchemeMap[$authScheme] ?? $authScheme;
if ($this->isCompatibleAuthScheme($normalizedAuthScheme)) {
if ($normalizedAuthScheme === 'v4' && !empty($args['unsigned_payload'])) {
return $normalizedAuthScheme . self::UNSIGNED_BODY;
}
return $normalizedAuthScheme;
} else {
$failureReasons[] = $this->getIncompatibilityMessage($normalizedAuthScheme);
}
}
throw new UnresolvedAuthSchemeException('Could not resolve an authentication scheme: ' . \implode('; ', $failureReasons));
}
/**
* Determines compatibility based on either Identity or the availability
* of the CRT extension.
*
* @param $authScheme
*
* @return bool
*/
private function isCompatibleAuthScheme($authScheme) : bool
{
switch ($authScheme) {
case 'v4':
case 'anonymous':
return $this->hasAwsCredentialIdentity();
case 'v4a':
return \extension_loaded('awscrt') && $this->hasAwsCredentialIdentity();
case 'bearer':
return $this->hasBearerTokenIdentity();
default:
return \false;
}
}
/**
* Provides incompatibility messages in the event an incompatible auth scheme
* is encountered.
*
* @param $authScheme
*
* @return string
*/
private function getIncompatibilityMessage($authScheme) : string
{
switch ($authScheme) {
case 'v4':
return 'Signature V4 requires AWS credentials for request signing';
case 'anonymous':
return 'Anonymous signatures require AWS credentials for request signing';
case 'v4a':
return 'The aws-crt-php extension and AWS credentials are required to use Signature V4A';
case 'bearer':
return 'Bearer token credentials must be provided to use Bearer authentication';
default:
return "The service does not support `{$authScheme}` authentication.";
}
}
/**
* @return bool
*/
private function hasAwsCredentialIdentity() : bool
{
$fn = $this->credentialProvider;
$result = $fn();
if ($result instanceof PromiseInterface) {
return $result->wait() instanceof AwsCredentialIdentity;
}
return $result instanceof AwsCredentialIdentity;
}
/**
* @return bool
*/
private function hasBearerTokenIdentity() : bool
{
if ($this->tokenProvider) {
$fn = $this->tokenProvider;
$result = $fn();
if ($result instanceof PromiseInterface) {
return $result->wait() instanceof BearerTokenIdentity;
}
return $result instanceof BearerTokenIdentity;
}
return \false;
}
}
Reference in New Issue Copy Permalink