Malin
3248cbb029
Adds a new 'S3-Compatible Storage' provider that works with any
S3-API-compatible object storage service, including MinIO, Ceph,
Cloudflare R2, Backblaze B2, and others.
Changes:
- New provider class: classes/providers/storage/s3-compatible-provider.php
- Provider key: s3compatible
- Reads user-configured endpoint URL from settings
- Uses path-style URL access (required by most S3-compatible services)
- Supports credentials via AS3CF_S3COMPAT_ACCESS_KEY_ID /
AS3CF_S3COMPAT_SECRET_ACCESS_KEY wp-config.php constants
- Disables AWS-specific features (Block Public Access, Object Ownership)
- New provider SVG icons (s3compatible.svg, -link.svg, -round.svg)
- Registered provider in main plugin class with endpoint setting support
- Updated StorageProviderSubPage to show endpoint URL input for S3-compatible
- Built pro settings bundle with rollup (Svelte 4.2.19)
- Added package.json and updated rollup.config.mjs for pro-only builds
325 lines
15 KiB
PHP
325 lines
15 KiB
PHP
<?php
|
|
|
|
namespace DeliciousBrains\WP_Offload_Media\Aws3\Aws\Credentials;
|
|
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Configuration\ConfigurationResolver;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Exception\CredentialsException;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Exception\InvalidJsonException;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Sdk;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Exception\TransferException;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Promise;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Psr7\Request;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Promise\PromiseInterface;
|
|
use DeliciousBrains\WP_Offload_Media\Aws3\Psr\Http\Message\ResponseInterface;
|
|
/**
|
|
* Credential provider that provides credentials from the EC2 metadata service.
|
|
*/
|
|
class InstanceProfileProvider
|
|
{
|
|
const CRED_PATH = 'meta-data/iam/security-credentials/';
|
|
const TOKEN_PATH = 'api/token';
|
|
const ENV_DISABLE = 'AWS_EC2_METADATA_DISABLED';
|
|
const ENV_TIMEOUT = 'AWS_METADATA_SERVICE_TIMEOUT';
|
|
const ENV_RETRIES = 'AWS_METADATA_SERVICE_NUM_ATTEMPTS';
|
|
const CFG_EC2_METADATA_V1_DISABLED = 'ec2_metadata_v1_disabled';
|
|
const CFG_EC2_METADATA_SERVICE_ENDPOINT = 'ec2_metadata_service_endpoint';
|
|
const CFG_EC2_METADATA_SERVICE_ENDPOINT_MODE = 'ec2_metadata_service_endpoint_mode';
|
|
const DEFAULT_TIMEOUT = 1.0;
|
|
const DEFAULT_RETRIES = 3;
|
|
const DEFAULT_TOKEN_TTL_SECONDS = 21600;
|
|
const DEFAULT_AWS_EC2_METADATA_V1_DISABLED = \false;
|
|
const ENDPOINT_MODE_IPv4 = 'IPv4';
|
|
const ENDPOINT_MODE_IPv6 = 'IPv6';
|
|
const DEFAULT_METADATA_SERVICE_IPv4_ENDPOINT = 'http://169.254.169.254';
|
|
const DEFAULT_METADATA_SERVICE_IPv6_ENDPOINT = 'http://[fd00:ec2::254]';
|
|
/** @var string */
|
|
private $profile;
|
|
/** @var callable */
|
|
private $client;
|
|
/** @var int */
|
|
private $retries;
|
|
/** @var int */
|
|
private $attempts;
|
|
/** @var float|mixed */
|
|
private $timeout;
|
|
/** @var bool */
|
|
private $secureMode = \true;
|
|
/** @var bool|null */
|
|
private $ec2MetadataV1Disabled;
|
|
/** @var string */
|
|
private $endpoint;
|
|
/** @var string */
|
|
private $endpointMode;
|
|
/** @var array */
|
|
private $config;
|
|
/**
|
|
* The constructor accepts the following options:
|
|
*
|
|
* - timeout: Connection timeout, in seconds.
|
|
* - profile: Optional EC2 profile name, if known.
|
|
* - retries: Optional number of retries to be attempted.
|
|
* - ec2_metadata_v1_disabled: Optional for disabling the fallback to IMDSv1.
|
|
* - endpoint: Optional for overriding the default endpoint to be used for fetching credentials.
|
|
* The value must contain a valid URI scheme. If the URI scheme is not https, it must
|
|
* resolve to a loopback address.
|
|
* - endpoint_mode: Optional for overriding the default endpoint mode (IPv4|IPv6) to be used for
|
|
* resolving the default endpoint.
|
|
* - use_aws_shared_config_files: Decides whether the shared config file should be considered when
|
|
* using the ConfigurationResolver::resolve method.
|
|
*
|
|
* @param array $config Configuration options.
|
|
*/
|
|
public function __construct(array $config = [])
|
|
{
|
|
$this->timeout = (float) \getenv(self::ENV_TIMEOUT) ?: $config['timeout'] ?? self::DEFAULT_TIMEOUT;
|
|
$this->profile = $config['profile'] ?? null;
|
|
$this->retries = (int) \getenv(self::ENV_RETRIES) ?: $config['retries'] ?? self::DEFAULT_RETRIES;
|
|
$this->client = $config['client'] ?? \DeliciousBrains\WP_Offload_Media\Aws3\Aws\default_http_handler();
|
|
$this->ec2MetadataV1Disabled = $config[self::CFG_EC2_METADATA_V1_DISABLED] ?? null;
|
|
$this->endpoint = $config[self::CFG_EC2_METADATA_SERVICE_ENDPOINT] ?? null;
|
|
if (!empty($this->endpoint) && !$this->isValidEndpoint($this->endpoint)) {
|
|
throw new \InvalidArgumentException('The provided URI "' . $this->endpoint . '" is invalid, or contains an unsupported host');
|
|
}
|
|
$this->endpointMode = $config[self::CFG_EC2_METADATA_SERVICE_ENDPOINT_MODE] ?? null;
|
|
$this->config = $config;
|
|
}
|
|
/**
|
|
* Loads instance profile credentials.
|
|
*
|
|
* @return PromiseInterface
|
|
*/
|
|
public function __invoke($previousCredentials = null)
|
|
{
|
|
$this->attempts = 0;
|
|
return Promise\Coroutine::of(function () use($previousCredentials) {
|
|
// Retrieve token or switch out of secure mode
|
|
$token = null;
|
|
while ($this->secureMode && \is_null($token)) {
|
|
try {
|
|
$token = (yield $this->request(self::TOKEN_PATH, 'PUT', ['x-aws-ec2-metadata-token-ttl-seconds' => self::DEFAULT_TOKEN_TTL_SECONDS]));
|
|
} catch (TransferException $e) {
|
|
if ($this->getExceptionStatusCode($e) === 500 && $previousCredentials instanceof Credentials) {
|
|
goto generateCredentials;
|
|
} elseif ($this->shouldFallbackToIMDSv1() && (!\method_exists($e, 'getResponse') || empty($e->getResponse()) || !\in_array($e->getResponse()->getStatusCode(), [400, 500, 502, 503, 504]))) {
|
|
$this->secureMode = \false;
|
|
} else {
|
|
$this->handleRetryableException($e, [], $this->createErrorMessage('Error retrieving metadata token'));
|
|
}
|
|
}
|
|
$this->attempts++;
|
|
}
|
|
// Set token header only for secure mode
|
|
$headers = [];
|
|
if ($this->secureMode) {
|
|
$headers = ['x-aws-ec2-metadata-token' => $token];
|
|
}
|
|
// Retrieve profile
|
|
while (!$this->profile) {
|
|
try {
|
|
$this->profile = (yield $this->request(self::CRED_PATH, 'GET', $headers));
|
|
} catch (TransferException $e) {
|
|
// 401 indicates insecure flow not supported, switch to
|
|
// attempting secure mode for subsequent calls
|
|
if (!empty($this->getExceptionStatusCode($e)) && $this->getExceptionStatusCode($e) === 401) {
|
|
$this->secureMode = \true;
|
|
}
|
|
$this->handleRetryableException($e, ['blacklist' => [401, 403]], $this->createErrorMessage($e->getMessage()));
|
|
}
|
|
$this->attempts++;
|
|
}
|
|
// Retrieve credentials
|
|
$result = null;
|
|
while ($result == null) {
|
|
try {
|
|
$json = (yield $this->request(self::CRED_PATH . $this->profile, 'GET', $headers));
|
|
$result = $this->decodeResult($json);
|
|
} catch (InvalidJsonException $e) {
|
|
$this->handleRetryableException($e, ['blacklist' => [401, 403]], $this->createErrorMessage('Invalid JSON response, retries exhausted'));
|
|
} catch (TransferException $e) {
|
|
// 401 indicates insecure flow not supported, switch to
|
|
// attempting secure mode for subsequent calls
|
|
if (($this->getExceptionStatusCode($e) === 500 || \strpos($e->getMessage(), "cURL error 28") !== \false) && $previousCredentials instanceof Credentials) {
|
|
goto generateCredentials;
|
|
} elseif (!empty($this->getExceptionStatusCode($e)) && $this->getExceptionStatusCode($e) === 401) {
|
|
$this->secureMode = \true;
|
|
}
|
|
$this->handleRetryableException($e, ['blacklist' => [401, 403]], $this->createErrorMessage($e->getMessage()));
|
|
}
|
|
$this->attempts++;
|
|
}
|
|
generateCredentials:
|
|
if (!isset($result)) {
|
|
$credentials = $previousCredentials;
|
|
} else {
|
|
$credentials = new Credentials($result['AccessKeyId'], $result['SecretAccessKey'], $result['Token'], \strtotime($result['Expiration']), $result['AccountId'] ?? null);
|
|
}
|
|
if ($credentials->isExpired()) {
|
|
$credentials->extendExpiration();
|
|
}
|
|
(yield $credentials);
|
|
});
|
|
}
|
|
/**
|
|
* @param string $url
|
|
* @param string $method
|
|
* @param array $headers
|
|
* @return PromiseInterface Returns a promise that is fulfilled with the
|
|
* body of the response as a string.
|
|
*/
|
|
private function request($url, $method = 'GET', $headers = [])
|
|
{
|
|
$disabled = \getenv(self::ENV_DISABLE) ?: \false;
|
|
if (\strcasecmp($disabled, 'true') === 0) {
|
|
throw new CredentialsException($this->createErrorMessage('EC2 metadata service access disabled'));
|
|
}
|
|
$fn = $this->client;
|
|
$request = new Request($method, $this->resolveEndpoint() . $url);
|
|
$userAgent = 'aws-sdk-php/' . Sdk::VERSION;
|
|
if (\defined('DeliciousBrains\\WP_Offload_Media\\Aws3\\HHVM_VERSION')) {
|
|
$userAgent .= ' HHVM/' . HHVM_VERSION;
|
|
}
|
|
$userAgent .= ' ' . \DeliciousBrains\WP_Offload_Media\Aws3\Aws\default_user_agent();
|
|
$request = $request->withHeader('User-Agent', $userAgent);
|
|
foreach ($headers as $key => $value) {
|
|
$request = $request->withHeader($key, $value);
|
|
}
|
|
return $fn($request, ['timeout' => $this->timeout])->then(function (ResponseInterface $response) {
|
|
return (string) $response->getBody();
|
|
})->otherwise(function (array $reason) {
|
|
$reason = $reason['exception'];
|
|
if ($reason instanceof TransferException) {
|
|
throw $reason;
|
|
}
|
|
$msg = $reason->getMessage();
|
|
throw new CredentialsException($this->createErrorMessage($msg));
|
|
});
|
|
}
|
|
private function handleRetryableException(\Exception $e, $retryOptions, $message)
|
|
{
|
|
$isRetryable = \true;
|
|
if (!empty($status = $this->getExceptionStatusCode($e)) && isset($retryOptions['blacklist']) && \in_array($status, $retryOptions['blacklist'])) {
|
|
$isRetryable = \false;
|
|
}
|
|
if ($isRetryable && $this->attempts < $this->retries) {
|
|
\sleep((int) \pow(1.2, $this->attempts));
|
|
} else {
|
|
throw new CredentialsException($message);
|
|
}
|
|
}
|
|
private function getExceptionStatusCode(\Exception $e)
|
|
{
|
|
if (\method_exists($e, 'getResponse') && !empty($e->getResponse())) {
|
|
return $e->getResponse()->getStatusCode();
|
|
}
|
|
return null;
|
|
}
|
|
private function createErrorMessage($previous)
|
|
{
|
|
return "Error retrieving credentials from the instance profile " . "metadata service. ({$previous})";
|
|
}
|
|
private function decodeResult($response)
|
|
{
|
|
$result = \json_decode($response, \true);
|
|
if (\json_last_error() > 0) {
|
|
throw new InvalidJsonException();
|
|
}
|
|
if ($result['Code'] !== 'Success') {
|
|
throw new CredentialsException('Unexpected instance profile ' . 'response code: ' . $result['Code']);
|
|
}
|
|
return $result;
|
|
}
|
|
/**
|
|
* This functions checks for whether we should fall back to IMDSv1 or not.
|
|
* If $ec2MetadataV1Disabled is null then we will try to resolve this value from
|
|
* the following sources:
|
|
* - From environment: "AWS_EC2_METADATA_V1_DISABLED".
|
|
* - From config file: aws_ec2_metadata_v1_disabled
|
|
* - Defaulted to false
|
|
*
|
|
* @return bool
|
|
*/
|
|
private function shouldFallbackToIMDSv1() : bool
|
|
{
|
|
$isImdsV1Disabled = \DeliciousBrains\WP_Offload_Media\Aws3\Aws\boolean_value($this->ec2MetadataV1Disabled) ?? \DeliciousBrains\WP_Offload_Media\Aws3\Aws\boolean_value(ConfigurationResolver::resolve(self::CFG_EC2_METADATA_V1_DISABLED, self::DEFAULT_AWS_EC2_METADATA_V1_DISABLED, 'bool', $this->config)) ?? self::DEFAULT_AWS_EC2_METADATA_V1_DISABLED;
|
|
return !$isImdsV1Disabled;
|
|
}
|
|
/**
|
|
* Resolves the metadata service endpoint. If the endpoint is not provided
|
|
* or configured then, the default endpoint, based on the endpoint mode resolved,
|
|
* will be used.
|
|
* Example: if endpoint_mode is resolved to be IPv4 and the endpoint is not provided
|
|
* then, the endpoint to be used will be http://169.254.169.254.
|
|
*
|
|
* @return string
|
|
*/
|
|
private function resolveEndpoint() : string
|
|
{
|
|
$endpoint = $this->endpoint;
|
|
if (\is_null($endpoint)) {
|
|
$endpoint = ConfigurationResolver::resolve(self::CFG_EC2_METADATA_SERVICE_ENDPOINT, $this->getDefaultEndpoint(), 'string', $this->config);
|
|
}
|
|
if (!$this->isValidEndpoint($endpoint)) {
|
|
throw new CredentialsException('The provided URI "' . $endpoint . '" is invalid, or contains an unsupported host');
|
|
}
|
|
if (\substr($endpoint, \strlen($endpoint) - 1) !== '/') {
|
|
$endpoint = $endpoint . '/';
|
|
}
|
|
return $endpoint . 'latest/';
|
|
}
|
|
/**
|
|
* Resolves the default metadata service endpoint.
|
|
* If endpoint_mode is resolved as IPv4 then:
|
|
* - endpoint = http://169.254.169.254
|
|
* If endpoint_mode is resolved as IPv6 then:
|
|
* - endpoint = http://[fd00:ec2::254]
|
|
*
|
|
* @return string
|
|
*/
|
|
private function getDefaultEndpoint() : string
|
|
{
|
|
$endpointMode = $this->resolveEndpointMode();
|
|
switch ($endpointMode) {
|
|
case self::ENDPOINT_MODE_IPv4:
|
|
return self::DEFAULT_METADATA_SERVICE_IPv4_ENDPOINT;
|
|
case self::ENDPOINT_MODE_IPv6:
|
|
return self::DEFAULT_METADATA_SERVICE_IPv6_ENDPOINT;
|
|
}
|
|
throw new CredentialsException("Invalid endpoint mode '{$endpointMode}' resolved");
|
|
}
|
|
/**
|
|
* Resolves the endpoint mode to be considered when resolving the default
|
|
* metadata service endpoint.
|
|
*
|
|
* @return string
|
|
*/
|
|
private function resolveEndpointMode() : string
|
|
{
|
|
$endpointMode = $this->endpointMode;
|
|
if (\is_null($endpointMode)) {
|
|
$endpointMode = ConfigurationResolver::resolve(self::CFG_EC2_METADATA_SERVICE_ENDPOINT_MODE, self::ENDPOINT_MODE_IPv4, 'string', $this->config);
|
|
}
|
|
return $endpointMode;
|
|
}
|
|
/**
|
|
* This method checks for whether a provide URI is valid.
|
|
* @param string $uri this parameter is the uri to do the validation against to.
|
|
*
|
|
* @return string|null
|
|
*/
|
|
private function isValidEndpoint($uri) : bool
|
|
{
|
|
// We make sure first the provided uri is a valid URL
|
|
$isValidURL = \filter_var($uri, \FILTER_VALIDATE_URL) !== \false;
|
|
if (!$isValidURL) {
|
|
return \false;
|
|
}
|
|
// We make sure that if is a no secure host then it must be a loop back address.
|
|
$parsedUri = \parse_url($uri);
|
|
if ($parsedUri['scheme'] !== 'https') {
|
|
$host = \trim($parsedUri['host'], '[]');
|
|
return CredentialsUtils::isLoopBackAddress(\gethostbyname($host)) || \in_array($uri, [self::DEFAULT_METADATA_SERVICE_IPv4_ENDPOINT, self::DEFAULT_METADATA_SERVICE_IPv6_ENDPOINT]);
|
|
}
|
|
return \true;
|
|
}
|
|
}
|