mirror of
https://github.com/fog/fog.git
synced 2022-11-09 13:51:43 -05:00
Add AssumeRoleWithSAML support for AWS
This commit is contained in:
parent
cf6baf5b53
commit
1016d992e4
3 changed files with 93 additions and 3 deletions
26
lib/fog/aws/parsers/sts/assume_role_with_saml.rb
Normal file
26
lib/fog/aws/parsers/sts/assume_role_with_saml.rb
Normal file
|
@ -0,0 +1,26 @@
|
|||
module Fog
|
||||
module Parsers
|
||||
module AWS
|
||||
module STS
|
||||
class AssumeRoleWithSAML < Fog::Parsers::Base
|
||||
def reset
|
||||
@response = {}
|
||||
end
|
||||
|
||||
def end_element(name)
|
||||
case name
|
||||
when 'SessionToken', 'SecretAccessKey', 'Expiration', 'AccessKeyId'
|
||||
@response[name] = @value.strip
|
||||
when 'Arn', 'AssumedRoleId'
|
||||
@response[name] = @value.strip
|
||||
when 'PackedPolicySize'
|
||||
@response[name] = @value
|
||||
when 'RequestId'
|
||||
@response[name] = @value
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
62
lib/fog/aws/requests/sts/assume_role_with_saml.rb
Normal file
62
lib/fog/aws/requests/sts/assume_role_with_saml.rb
Normal file
|
@ -0,0 +1,62 @@
|
|||
module Fog
|
||||
module AWS
|
||||
class STS
|
||||
class Real
|
||||
require 'fog/aws/parsers/sts/assume_role_with_saml'
|
||||
|
||||
# Assume Role with SAML
|
||||
#
|
||||
# ==== Parameters
|
||||
# * role_arn<~String> - The ARN of the role the caller is assuming.
|
||||
# * principal_arn<~String> - The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.
|
||||
# * saml_assertion<~String> - The base-64 encoded SAML authentication response provided by the IdP.
|
||||
# * policy<~String> - An optional JSON policy document
|
||||
# * duration<~Integer> - Duration (of seconds) for the assumed role credentials to be valid (default 3600)
|
||||
#
|
||||
# ==== Returns
|
||||
# * response<~Excon::Response>:
|
||||
# * body<~Hash>:
|
||||
# * 'Arn'<~String>: The ARN of the assumed role/user
|
||||
# * 'AccessKeyId'<~String>: The AWS access key of the temporary credentials for the assumed role
|
||||
# * 'SecretAccessKey'<~String>: The AWS secret key of the temporary credentials for the assumed role
|
||||
# * 'SessionToken'<~String>: The AWS session token of the temporary credentials for the assumed role
|
||||
# * 'Expiration'<~Time>: The expiration time of the temporary credentials for the assumed role
|
||||
#
|
||||
# ==== See Also
|
||||
# http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
|
||||
#
|
||||
|
||||
def assume_role_with_saml(role_arn, principalArn, saml_assertion, policy=nil, duration=3600)
|
||||
idempotent = true
|
||||
parser = Fog::Parsers::AWS::STS::AssumeRoleWithSAML.new
|
||||
headers = { 'Content-Type' => 'application/x-www-form-urlencoded', 'Host' => @host }
|
||||
params = {
|
||||
'Action' => 'AssumeRoleWithSAML',
|
||||
'RoleArn' => role_arn,
|
||||
'PrincipalArn' => principalArn,
|
||||
'SAMLAssertion' => saml_assertion,
|
||||
'Policy' => policy && Fog::JSON.encode(policy),
|
||||
'DurationSeconds' => duration,
|
||||
'Version' => '2011-06-15'
|
||||
}
|
||||
|
||||
body = ''
|
||||
for key in params.keys.sort
|
||||
unless (value = params[key]).nil?
|
||||
body << "#{key}=#{Fog::AWS.escape(value.to_s)}&"
|
||||
end
|
||||
end
|
||||
body.chop!
|
||||
|
||||
if @instrumentor
|
||||
@instrumentor.instrument("#{@instrumentor_name}.request", params) do
|
||||
_request(body, headers, idempotent, parser)
|
||||
end
|
||||
else
|
||||
_request(body, headers, idempotent, parser)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -8,13 +8,13 @@ module Fog
|
|||
class EntityAlreadyExists < Fog::AWS::STS::Error; end
|
||||
class ValidationError < Fog::AWS::STS::Error; end
|
||||
|
||||
requires :aws_access_key_id, :aws_secret_access_key
|
||||
recognizes :host, :path, :port, :scheme, :persistent, :aws_session_token, :use_iam_profile, :aws_credentials_expire_at, :instrumentor, :instrumentor_name
|
||||
recognizes :aws_access_key_id, :aws_secret_access_key, :host, :path, :port, :scheme, :persistent, :aws_session_token, :use_iam_profile, :aws_credentials_expire_at, :instrumentor, :instrumentor_name
|
||||
|
||||
request_path 'fog/aws/requests/sts'
|
||||
request :get_federation_token
|
||||
request :get_session_token
|
||||
request :assume_role
|
||||
request :assume_role_with_saml
|
||||
|
||||
class Mock
|
||||
def self.data
|
||||
|
@ -99,7 +99,9 @@ module Fog
|
|||
@aws_session_token = options[:aws_session_token]
|
||||
@aws_credentials_expire_at = options[:aws_credentials_expire_at]
|
||||
|
||||
@signer = Fog::AWS::SignatureV4.new(@aws_access_key_id, @aws_secret_access_key, 'us-east-1', 'sts')
|
||||
if (@aws_access_key_id && @aws_secret_access_key)
|
||||
@signer = Fog::AWS::SignatureV4.new(@aws_access_key_id, @aws_secret_access_key, 'us-east-1', 'sts')
|
||||
end
|
||||
end
|
||||
|
||||
def request(params)
|
||||
|
|
Loading…
Reference in a new issue