Malin
3248cbb029
Adds a new 'S3-Compatible Storage' provider that works with any
S3-API-compatible object storage service, including MinIO, Ceph,
Cloudflare R2, Backblaze B2, and others.
Changes:
- New provider class: classes/providers/storage/s3-compatible-provider.php
- Provider key: s3compatible
- Reads user-configured endpoint URL from settings
- Uses path-style URL access (required by most S3-compatible services)
- Supports credentials via AS3CF_S3COMPAT_ACCESS_KEY_ID /
AS3CF_S3COMPAT_SECRET_ACCESS_KEY wp-config.php constants
- Disables AWS-specific features (Block Public Access, Object Ownership)
- New provider SVG icons (s3compatible.svg, -link.svg, -round.svg)
- Registered provider in main plugin class with endpoint setting support
- Updated StorageProviderSubPage to show endpoint URL input for S3-compatible
- Built pro settings bundle with rollup (Svelte 4.2.19)
- Added package.json and updated rollup.config.mjs for pro-only builds
121 lines
5.6 KiB
PHP
121 lines
5.6 KiB
PHP
<?php
|
|
|
|
namespace DeliciousBrains\WP_Offload_Media\Aws3\Aws\Credentials;
|
|
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Exception\AwsException;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Exception\CredentialsException;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Result;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Sts\StsClient;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Promise;
|
|
/**
|
|
* Credential provider that provides credentials via assuming a role with a web identity
|
|
* More Information, see: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-sts-2011-06-15.html#assumerolewithwebidentity
|
|
*/
|
|
class AssumeRoleWithWebIdentityCredentialProvider
|
|
{
|
|
const ERROR_MSG = "Missing required 'AssumeRoleWithWebIdentityCredentialProvider' configuration option: ";
|
|
const ENV_RETRIES = 'AWS_METADATA_SERVICE_NUM_ATTEMPTS';
|
|
/** @var string */
|
|
private $tokenFile;
|
|
/** @var string */
|
|
private $arn;
|
|
/** @var string */
|
|
private $session;
|
|
/** @var StsClient */
|
|
private $client;
|
|
/** @var integer */
|
|
private $retries;
|
|
/** @var integer */
|
|
private $authenticationAttempts;
|
|
/** @var integer */
|
|
private $tokenFileReadAttempts;
|
|
/**
|
|
* The constructor attempts to load config from environment variables.
|
|
* If not set, the following config options are used:
|
|
* - WebIdentityTokenFile: full path of token filename
|
|
* - RoleArn: arn of role to be assumed
|
|
* - SessionName: (optional) set by SDK if not provided
|
|
*
|
|
* @param array $config Configuration options
|
|
* @throws \InvalidArgumentException
|
|
*/
|
|
public function __construct(array $config = [])
|
|
{
|
|
if (!isset($config['RoleArn'])) {
|
|
throw new \InvalidArgumentException(self::ERROR_MSG . "'RoleArn'.");
|
|
}
|
|
$this->arn = $config['RoleArn'];
|
|
if (!isset($config['WebIdentityTokenFile'])) {
|
|
throw new \InvalidArgumentException(self::ERROR_MSG . "'WebIdentityTokenFile'.");
|
|
}
|
|
$this->tokenFile = $config['WebIdentityTokenFile'];
|
|
if (!\preg_match("/^\\w\\:|^\\/|^\\\\/", $this->tokenFile)) {
|
|
throw new \InvalidArgumentException("'WebIdentityTokenFile' must be an absolute path.");
|
|
}
|
|
$this->retries = (int) \getenv(self::ENV_RETRIES) ?: (isset($config['retries']) ? $config['retries'] : 3);
|
|
$this->authenticationAttempts = 0;
|
|
$this->tokenFileReadAttempts = 0;
|
|
$this->session = isset($config['SessionName']) ? $config['SessionName'] : 'aws-sdk-php-' . \round(\microtime(\true) * 1000);
|
|
$region = isset($config['region']) ? $config['region'] : 'us-east-1';
|
|
if (isset($config['client'])) {
|
|
$this->client = $config['client'];
|
|
} else {
|
|
$this->client = new StsClient(['credentials' => \false, 'region' => $region, 'version' => 'latest']);
|
|
}
|
|
}
|
|
/**
|
|
* Loads assume role with web identity credentials.
|
|
*
|
|
* @return Promise\PromiseInterface
|
|
*/
|
|
public function __invoke()
|
|
{
|
|
return Promise\Coroutine::of(function () {
|
|
$client = $this->client;
|
|
$result = null;
|
|
while ($result == null) {
|
|
try {
|
|
$token = @\file_get_contents($this->tokenFile);
|
|
if (\false === $token) {
|
|
\clearstatcache(\true, \dirname($this->tokenFile) . "/" . \readlink($this->tokenFile));
|
|
\clearstatcache(\true, \dirname($this->tokenFile) . "/" . \dirname(\readlink($this->tokenFile)));
|
|
\clearstatcache(\true, $this->tokenFile);
|
|
if (!@\is_readable($this->tokenFile)) {
|
|
throw new CredentialsException("Unreadable tokenfile at location {$this->tokenFile}");
|
|
}
|
|
$token = @\file_get_contents($this->tokenFile);
|
|
}
|
|
if (empty($token)) {
|
|
if ($this->tokenFileReadAttempts < $this->retries) {
|
|
\sleep((int) \pow(1.2, $this->tokenFileReadAttempts));
|
|
$this->tokenFileReadAttempts++;
|
|
continue;
|
|
}
|
|
throw new CredentialsException("InvalidIdentityToken from file: {$this->tokenFile}");
|
|
}
|
|
} catch (\Exception $exception) {
|
|
throw new CredentialsException("Error reading WebIdentityTokenFile from " . $this->tokenFile, 0, $exception);
|
|
}
|
|
$assumeParams = ['RoleArn' => $this->arn, 'RoleSessionName' => $this->session, 'WebIdentityToken' => $token];
|
|
try {
|
|
$result = $client->assumeRoleWithWebIdentity($assumeParams);
|
|
} catch (AwsException $e) {
|
|
if ($e->getAwsErrorCode() == 'InvalidIdentityToken') {
|
|
if ($this->authenticationAttempts < $this->retries) {
|
|
\sleep((int) \pow(1.2, $this->authenticationAttempts));
|
|
} else {
|
|
throw new CredentialsException("InvalidIdentityToken, retries exhausted");
|
|
}
|
|
} else {
|
|
throw new CredentialsException("Error assuming role from web identity credentials", 0, $e);
|
|
}
|
|
} catch (\Exception $e) {
|
|
throw new CredentialsException("Error retrieving web identity credentials: " . $e->getMessage() . " (" . $e->getCode() . ")");
|
|
}
|
|
$this->authenticationAttempts++;
|
|
}
|
|
(yield $this->client->createCredentials($result));
|
|
});
|
|
}
|
|
}
|