Malin
3248cbb029
Adds a new 'S3-Compatible Storage' provider that works with any
S3-API-compatible object storage service, including MinIO, Ceph,
Cloudflare R2, Backblaze B2, and others.
Changes:
- New provider class: classes/providers/storage/s3-compatible-provider.php
- Provider key: s3compatible
- Reads user-configured endpoint URL from settings
- Uses path-style URL access (required by most S3-compatible services)
- Supports credentials via AS3CF_S3COMPAT_ACCESS_KEY_ID /
AS3CF_S3COMPAT_SECRET_ACCESS_KEY wp-config.php constants
- Disables AWS-specific features (Block Public Access, Object Ownership)
- New provider SVG icons (s3compatible.svg, -link.svg, -round.svg)
- Registered provider in main plugin class with endpoint setting support
- Updated StorageProviderSubPage to show endpoint URL input for S3-compatible
- Built pro settings bundle with rollup (Svelte 4.2.19)
- Added package.json and updated rollup.config.mjs for pro-only builds
198 lines
7.7 KiB
PHP
198 lines
7.7 KiB
PHP
<?php
|
|
|
|
namespace DeliciousBrains\WP_Offload_Media\Aws3\Aws\Credentials;
|
|
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Exception\CredentialsException;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Exception\ConnectException;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Exception\GuzzleException;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Psr7\Request;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Promise;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Promise\PromiseInterface;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\Psr\Http\Message\ResponseInterface;
|
|
/**
|
|
* Credential provider that fetches container credentials with GET request.
|
|
* container environment variables are used in constructing request URI.
|
|
*/
|
|
class EcsCredentialProvider
|
|
{
|
|
const SERVER_URI = 'http://169.254.170.2';
|
|
const ENV_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
|
|
const ENV_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
|
|
const ENV_AUTH_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
|
|
const ENV_AUTH_TOKEN_FILE = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE";
|
|
const ENV_TIMEOUT = 'AWS_METADATA_SERVICE_TIMEOUT';
|
|
const EKS_SERVER_HOST_IPV4 = '169.254.170.23';
|
|
const EKS_SERVER_HOST_IPV6 = 'fd00:ec2::23';
|
|
const ENV_RETRIES = 'AWS_METADATA_SERVICE_NUM_ATTEMPTS';
|
|
const DEFAULT_ENV_TIMEOUT = 1.0;
|
|
const DEFAULT_ENV_RETRIES = 3;
|
|
/** @var callable */
|
|
private $client;
|
|
/** @var float|mixed */
|
|
private $timeout;
|
|
/** @var int */
|
|
private $retries;
|
|
/** @var int */
|
|
private $attempts;
|
|
/**
|
|
* The constructor accepts following options:
|
|
* - timeout: (optional) Connection timeout, in seconds, default 1.0
|
|
* - retries: Optional number of retries to be attempted, default 3.
|
|
* - client: An EcsClient to make request from
|
|
*
|
|
* @param array $config Configuration options
|
|
*/
|
|
public function __construct(array $config = [])
|
|
{
|
|
$this->timeout = (float) isset($config['timeout']) ? $config['timeout'] : (\getenv(self::ENV_TIMEOUT) ?: self::DEFAULT_ENV_TIMEOUT);
|
|
$this->retries = (int) isset($config['retries']) ? $config['retries'] : ((int) \getenv(self::ENV_RETRIES) ?: self::DEFAULT_ENV_RETRIES);
|
|
$this->client = $config['client'] ?? \DeliciousBrains\WP_Offload_Media\Aws3\Aws\default_http_handler();
|
|
}
|
|
/**
|
|
* Load container credentials.
|
|
*
|
|
* @return PromiseInterface
|
|
* @throws GuzzleException
|
|
*/
|
|
public function __invoke()
|
|
{
|
|
$this->attempts = 0;
|
|
$uri = $this->getEcsUri();
|
|
if ($this->isCompatibleUri($uri)) {
|
|
return Promise\Coroutine::of(function () {
|
|
$client = $this->client;
|
|
$request = new Request('GET', $this->getEcsUri());
|
|
$headers = $this->getHeadersForAuthToken();
|
|
$credentials = null;
|
|
while ($credentials === null) {
|
|
$credentials = (yield $client($request, ['timeout' => $this->timeout, 'proxy' => '', 'headers' => $headers])->then(function (ResponseInterface $response) {
|
|
$result = $this->decodeResult((string) $response->getBody());
|
|
return new Credentials($result['AccessKeyId'], $result['SecretAccessKey'], $result['Token'], \strtotime($result['Expiration']), $result['AccountId'] ?? null);
|
|
})->otherwise(function ($reason) {
|
|
$reason = \is_array($reason) ? $reason['exception'] : $reason;
|
|
$isRetryable = $reason instanceof ConnectException;
|
|
if ($isRetryable && $this->attempts < $this->retries) {
|
|
\sleep((int) \pow(1.2, $this->attempts));
|
|
} else {
|
|
$msg = $reason->getMessage();
|
|
throw new CredentialsException(\sprintf('Error retrieving credentials from container metadata after attempt %d/%d (%s)', $this->attempts, $this->retries, $msg));
|
|
}
|
|
}));
|
|
$this->attempts++;
|
|
}
|
|
(yield $credentials);
|
|
});
|
|
}
|
|
throw new CredentialsException("Uri '{$uri}' contains an unsupported host.");
|
|
}
|
|
/**
|
|
* Returns the number of attempts that have been done.
|
|
*
|
|
* @return int
|
|
*/
|
|
public function getAttempts() : int
|
|
{
|
|
return $this->attempts;
|
|
}
|
|
/**
|
|
* Retrieves authorization token.
|
|
*
|
|
* @return array|false|string
|
|
*/
|
|
private function getEcsAuthToken()
|
|
{
|
|
if (!empty($path = \getenv(self::ENV_AUTH_TOKEN_FILE))) {
|
|
$token = @\file_get_contents($path);
|
|
if (\false === $token) {
|
|
\clearstatcache(\true, \dirname($path) . \DIRECTORY_SEPARATOR . @\readlink($path));
|
|
\clearstatcache(\true, \dirname($path) . \DIRECTORY_SEPARATOR . \dirname(@\readlink($path)));
|
|
\clearstatcache(\true, $path);
|
|
}
|
|
if (!\is_readable($path)) {
|
|
throw new CredentialsException("Failed to read authorization token from '{$path}': no such file or directory.");
|
|
}
|
|
$token = @\file_get_contents($path);
|
|
if (empty($token)) {
|
|
throw new CredentialsException("Invalid authorization token read from `{$path}`. Token file is empty!");
|
|
}
|
|
return $token;
|
|
}
|
|
return \getenv(self::ENV_AUTH_TOKEN);
|
|
}
|
|
/**
|
|
* Provides headers for credential metadata request.
|
|
*
|
|
* @return array|array[]|string[]
|
|
*/
|
|
private function getHeadersForAuthToken()
|
|
{
|
|
$authToken = self::getEcsAuthToken();
|
|
$headers = [];
|
|
if (!empty($authToken)) {
|
|
$headers = ['Authorization' => $authToken];
|
|
}
|
|
return $headers;
|
|
}
|
|
/** @deprecated */
|
|
public function setHeaderForAuthToken()
|
|
{
|
|
$authToken = self::getEcsAuthToken();
|
|
$headers = [];
|
|
if (!empty($authToken)) {
|
|
$headers = ['Authorization' => $authToken];
|
|
}
|
|
return $headers;
|
|
}
|
|
/**
|
|
* Fetch container metadata URI from container environment variable.
|
|
*
|
|
* @return string Returns container metadata URI
|
|
*/
|
|
private function getEcsUri()
|
|
{
|
|
$credsUri = \getenv(self::ENV_URI);
|
|
if ($credsUri === \false) {
|
|
$credsUri = $_SERVER[self::ENV_URI] ?? '';
|
|
}
|
|
if (empty($credsUri)) {
|
|
$credFullUri = \getenv(self::ENV_FULL_URI);
|
|
if ($credFullUri === \false) {
|
|
$credFullUri = $_SERVER[self::ENV_FULL_URI] ?? '';
|
|
}
|
|
if (!empty($credFullUri)) {
|
|
return $credFullUri;
|
|
}
|
|
}
|
|
return self::SERVER_URI . $credsUri;
|
|
}
|
|
private function decodeResult($response)
|
|
{
|
|
$result = \json_decode($response, \true);
|
|
if (!isset($result['AccessKeyId'])) {
|
|
throw new CredentialsException('Unexpected container metadata credentials value');
|
|
}
|
|
return $result;
|
|
}
|
|
/**
|
|
* Determines whether or not a given request URI is a valid
|
|
* container credential request URI.
|
|
*
|
|
* @param $uri
|
|
*
|
|
* @return bool
|
|
*/
|
|
private function isCompatibleUri($uri)
|
|
{
|
|
$parsed = \parse_url($uri);
|
|
if ($parsed['scheme'] !== 'https') {
|
|
$host = \trim($parsed['host'], '[]');
|
|
$ecsHost = \parse_url(self::SERVER_URI)['host'];
|
|
$eksHost = self::EKS_SERVER_HOST_IPV4;
|
|
if ($host !== $ecsHost && $host !== $eksHost && $host !== self::EKS_SERVER_HOST_IPV6 && !CredentialsUtils::isLoopBackAddress(\gethostbyname($host))) {
|
|
return \false;
|
|
}
|
|
}
|
|
return \true;
|
|
}
|
|
}
|