1 /*
2  * Copyright 2023 Google LLC
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions are
6  * met:
7  *
8  *    * Redistributions of source code must retain the above copyright
9  * notice, this list of conditions and the following disclaimer.
10  *    * Redistributions in binary form must reproduce the above
11  * copyright notice, this list of conditions and the following disclaimer
12  * in the documentation and/or other materials provided with the
13  * distribution.
14  *
15  *    * Neither the name of Google LLC nor the names of its
16  * contributors may be used to endorse or promote products derived from
17  * this software without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30  */
31 
32 package com.google.auth.oauth2;
33 
34 import java.util.Map;
35 import java.util.regex.Matcher;
36 import java.util.regex.Pattern;
37 
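/**
 * The AWS credential source. Stores data required to retrieve the AWS credential.
 *
 * <p>All values are read from the credential source map supplied to the constructor and are held
 * in final fields.
 */
public class AwsCredentialSource extends ExternalAccountCredentials.CredentialSource {

  static final String IMDSV2_SESSION_TOKEN_URL_FIELD_NAME = "imdsv2_session_token_url";
  static final long serialVersionUID = -4180558200808134436L;

  // Environment version is prefixed by "aws", e.g. "aws1". Compiled once rather than on every
  // construction; Pattern instances are immutable and safe to share.
  private static final Pattern ENVIRONMENT_ID_PATTERN = Pattern.compile("(aws)([\\d]+)");

  final String regionUrl;
  final String url;
  final String regionalCredentialVerificationUrl;
  final String imdsv2SessionTokenUrl;

  /**
   * The source of the AWS credential. The credential source map must contain the
   * {@code regional_cred_verification_url} field and a supported {@code environment_id}.
   *
   * <p>The {@code regional_cred_verification_url} is the regional GetCallerIdentity action URL,
   * used to determine the account ID and its roles.
   *
   * <p>The {@code environment_id} is the environment identifier, in the format
   * {@code aws${version}}. This indicates whether breaking changes were introduced to the
   * underlying AWS implementation. Only version 1 is accepted.
   *
   * <p>The {@code region_url} identifies the targeted region. Optional.
   *
   * <p>The {@code url} locates the metadata server used to retrieve the AWS credentials. Optional.
   *
   * <p>The {@code imdsv2_session_token_url} is stored when present, otherwise the field is
   * {@code null}. Optional.
   *
   * <p>NOTE(review): every URL is copied from the map as-is; this constructor performs no scheme
   * or host validation. If a credential configuration can originate from an untrusted party,
   * confirm that the code which later sends requests to these URLs restricts them to the expected
   * metadata-server and AWS STS endpoints.
   *
   * @param credentialSourceMap the {@code credential_source} section of the configuration
   * @throws IllegalArgumentException if {@code regional_cred_verification_url} is absent, or if
   *     {@code environment_id} is missing, malformed, or names an unsupported version
   * @throws ClassCastException if one of the fields read here is present but is not a String
   */
  public AwsCredentialSource(Map<String, Object> credentialSourceMap) {
    super(credentialSourceMap);
    if (!credentialSourceMap.containsKey("regional_cred_verification_url")) {
      throw new IllegalArgumentException(
          "A regional_cred_verification_url representing the"
              + " GetCallerIdentity action URL must be specified.");
    }

    String environmentId = (String) credentialSourceMap.get("environment_id");

    // A missing environment_id used to surface as a NullPointerException from Pattern.matcher;
    // report it as the same configuration error as a malformed value.
    if (environmentId == null) {
      throw new IllegalArgumentException("Invalid AWS environment ID.");
    }

    Matcher matcher = ENVIRONMENT_ID_PATTERN.matcher(environmentId);
    if (!matcher.matches()) {
      throw new IllegalArgumentException("Invalid AWS environment ID.");
    }

    String versionDigits = matcher.group(2);
    int environmentVersion;
    try {
      environmentVersion = Integer.parseInt(versionDigits);
    } catch (NumberFormatException e) {
      // The pattern admits digit runs of any length, so parsing can only fail on int overflow.
      // Such a value cannot be version 1; report it with the regular "unsupported" message.
      throw new IllegalArgumentException(
          String.format("AWS version %s is not supported in the current build.", versionDigits),
          e);
    }
    if (environmentVersion != 1) {
      throw new IllegalArgumentException(
          String.format(
              "AWS version %s is not supported in the current build.", environmentVersion));
    }

    this.regionUrl = (String) credentialSourceMap.get("region_url");
    this.url = (String) credentialSourceMap.get("url");
    this.regionalCredentialVerificationUrl =
        (String) credentialSourceMap.get("regional_cred_verification_url");

    // Map.get already yields null for an absent key, so no containsKey branch is needed.
    this.imdsv2SessionTokenUrl =
        (String) credentialSourceMap.get(IMDSV2_SESSION_TOKEN_URL_FIELD_NAME);
  }
}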