refactor: move aws session token resolution to configuration and inject into aws clients

Author: carlalexander

src/CloudProvider/Aws/AbstractClient.php

@@ -58,13 +58,13 @@ abstract class AbstractClient
     /**
      * Constructor.
      */
-    public function __construct(ClientInterface $client, string $key, string $region, string $secret)
+    public function __construct(ClientInterface $client, string $key, string $region, string $secret, string $securityToken = '')
     {
         $this->client = $client;
         $this->key = $key;
         $this->region = $region;
         $this->secret = $secret;
-        $this->securityToken = getenv('AWS_SESSION_TOKEN') ?: '';
+        $this->securityToken = $securityToken;
     }
 
     /**

src/CloudProvider/Aws/CloudFrontClient.php

@@ -39,9 +39,9 @@ class CloudFrontClient extends AbstractClient implements ContentDeliveryNetworkP
     /**
      * {@inheritdoc}
      */
-    public function __construct(ClientInterface $client, string $distributionId, string $key, string $secret)
+    public function __construct(ClientInterface $client, string $distributionId, string $key, string $secret, string $securityToken = '')
     {
-        parent::__construct($client, $key, 'us-east-1', $secret);
+        parent::__construct($client, $key, 'us-east-1', $secret, $securityToken);
 
         $this->distributionId = $distributionId;
         $this->invalidationPaths = [];

src/CloudProvider/Aws/LambdaClient.php

@@ -39,9 +39,9 @@ class LambdaClient extends AbstractClient implements ConsoleClientInterface
     /**
      * {@inheritdoc}
      */
-    public function __construct(ClientInterface $client, string $functionName, string $key, string $region, string $secret, string $siteUrl)
+    public function __construct(ClientInterface $client, string $functionName, string $key, string $region, string $secret, string $siteUrl, string $securityToken = '')
     {
-        parent::__construct($client, $key, $region, $secret);
+        parent::__construct($client, $key, $region, $secret, $securityToken);
 
         $this->functionName = $functionName;
         $this->siteUrl = $siteUrl;

src/CloudProvider/Aws/S3Client.php

@@ -31,9 +31,9 @@ class S3Client extends AbstractClient implements CloudStorageClientInterface
     /**
      * Constructor.
      */
-    public function __construct(ClientInterface $client, string $bucket, string $key, string $region, string $secret)
+    public function __construct(ClientInterface $client, string $bucket, string $key, string $region, string $secret, string $securityToken = '')
     {
-        parent::__construct($client, $key, $region, $secret);
+        parent::__construct($client, $key, $region, $secret, $securityToken);
 
         $this->bucket = $bucket;
     }

src/Configuration/CloudProviderConfiguration.php

@@ -46,6 +46,9 @@ public function modify(Container $container)
         $container['cloud_provider_secret'] = $container->service(function () {
             return getenv('AWS_SECRET_ACCESS_KEY') ?: (defined('YMIR_CLOUD_PROVIDER_SECRET') ? YMIR_CLOUD_PROVIDER_SECRET : '');
         });
+        $container['cloud_provider_security_token'] = $container->service(function () {
+            return getenv('AWS_SESSION_TOKEN') ?: '';
+        });
         $container['cloud_provider_private_store'] = $container->service(function () {
             return getenv('YMIR_PRIVATE_STORE') ?: (defined('YMIR_CLOUD_PROVIDER_PRIVATE_STORE') ? YMIR_CLOUD_PROVIDER_PRIVATE_STORE : '');
         });

src/Configuration/CloudStorageConfiguration.php

@@ -30,11 +30,11 @@ class CloudStorageConfiguration implements ContainerConfigurationInterface
     public function modify(Container $container)
     {
         $container['private_cloud_storage_client'] = $container->service(function (Container $container) {
-            return new S3Client($container['ymir_http_client'], $container['cloud_provider_private_store'], $container['cloud_provider_key'], $container['cloud_provider_region'], $container['cloud_provider_secret']);
+            return new S3Client($container['ymir_http_client'], $container['cloud_provider_private_store'], $container['cloud_provider_key'], $container['cloud_provider_region'], $container['cloud_provider_secret'], $container['cloud_provider_security_token']);
         });
         $container['private_cloud_storage_protocol'] = PrivateCloudStorageStreamWrapper::getProtocol().'://';
         $container['public_cloud_storage_client'] = $container->service(function (Container $container) {
-            return new S3Client($container['ymir_http_client'], $container['cloud_provider_public_store'], $container['cloud_provider_key'], $container['cloud_provider_region'], $container['cloud_provider_secret']);
+            return new S3Client($container['ymir_http_client'], $container['cloud_provider_public_store'], $container['cloud_provider_key'], $container['cloud_provider_region'], $container['cloud_provider_secret'], $container['cloud_provider_security_token']);
         });
         $container['public_cloud_storage_protocol'] = PublicCloudStorageStreamWrapper::getProtocol().'://';
     }

src/Configuration/ConsoleConfiguration.php

@@ -39,7 +39,7 @@ public function modify(Container $container)
             ];
         });
         $container['console_client'] = $container->service(function (Container $container) {
-            return new LambdaClient($container['ymir_http_client'], $container['cloud_provider_function_name'], $container['cloud_provider_key'], $container['cloud_provider_region'], $container['cloud_provider_secret'], $container['site_url']);
+            return new LambdaClient($container['ymir_http_client'], $container['cloud_provider_function_name'], $container['cloud_provider_key'], $container['cloud_provider_region'], $container['cloud_provider_secret'], $container['site_url'], $container['cloud_provider_security_token']);
         });
         $container['wp_cli'] = $container->service(function () {
             return new Console\WpCli();

src/Configuration/EmailConfiguration.php

@@ -29,7 +29,7 @@ class EmailConfiguration implements ContainerConfigurationInterface
     public function modify(Container $container)
     {
         $container['email_client'] = $container->service(function (Container $container) {
-            return new SesClient($container['ymir_http_client'], $container['cloud_provider_key'], $container['cloud_provider_region'], $container['cloud_provider_secret']);
+            return new SesClient($container['ymir_http_client'], $container['cloud_provider_key'], $container['cloud_provider_region'], $container['cloud_provider_secret'], $container['cloud_provider_security_token']);
         });
         $container['email'] = function (Container $container) {
             return new Email($container['event_manager'], $container['default_email_from'], $container['file_manager'], $container['phpmailer'], $container['blog_charset']);

src/Configuration/PageCacheConfiguration.php

@@ -28,7 +28,7 @@ class PageCacheConfiguration implements ContainerConfigurationInterface
     public function modify(Container $container)
     {
         $container['cloudfront_client'] = $container->service(function (Container $container) {
-            return new CloudFrontClient($container['ymir_http_client'], getenv('YMIR_DISTRIBUTION_ID'), $container['cloud_provider_key'], $container['cloud_provider_secret']);
+            return new CloudFrontClient($container['ymir_http_client'], getenv('YMIR_DISTRIBUTION_ID'), $container['cloud_provider_key'], $container['cloud_provider_secret'], $container['cloud_provider_security_token']);
         });
         $container['page_caching_invalidation_disabled'] = $container->service(function (Container $container) {
             if (false !== getenv('YMIR_DISABLE_PAGE_CACHING')) {

tests/Unit/CloudProvider/Aws/AbstractClientTest.php

@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of Ymir WordPress plugin.
+ *
+ * (c) Carl Alexander <support@ymirapp.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Ymir\Plugin\Tests\Unit\CloudProvider\Aws;
+
+use Ymir\Plugin\CloudProvider\Aws\S3Client;
+use Ymir\Plugin\Tests\Mock\FunctionMockTrait;
+use Ymir\Plugin\Tests\Mock\HttpClientMockTrait;
+use Ymir\Plugin\Tests\Unit\TestCase;
+
+class AbstractClientTest extends TestCase
+{
+    use FunctionMockTrait;
+    use HttpClientMockTrait;
+
+    public function testCreatePresignedRequestWithSecurityToken()
+    {
+        $gmdate = $this->getFunctionMock($this->getNamespace(S3Client::class), 'gmdate');
+        $gmdate->expects($this->exactly(5))
+               ->withConsecutive(
+                   [$this->identicalTo('Ymd')],
+                   [$this->identicalTo('Ymd\THis\Z')],
+                   [$this->identicalTo('Ymd\THis\Z')],
+                   [$this->identicalTo('Ymd')],
+                   [$this->identicalTo('Ymd')]
+               )
+               ->willReturnOnConsecutiveCalls('20200515', '20200515T181004Z', '20200515T181004Z', '20200515', '20200515');
+
+        $client = new S3Client($this->getHttpClientMock(), 'test-bucket', 'aws-key', 'us-east-1', 'aws-secret', 'security-token');
+        $createPresignedRequestMethod = new \ReflectionMethod(S3Client::class, 'createPresignedRequest');
+        $createPresignedRequestMethod->setAccessible(true);
+
+        $request = $createPresignedRequestMethod->invoke($client, '/object-key', 'put');
+
+        $this->assertIsString($request);
+
+        $query = parse_url($request, PHP_URL_QUERY);
+
+        $this->assertIsString($query);
+
+        parse_str($query, $parameters);
+
+        $this->assertSame('security-token', $parameters['X-Amz-Security-Token']);
+    }
+}