/*
* Copyright 2011-2013 Amazon Technologies, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://aws.amazon.com/apache2.0
*
* This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
* OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and
* limitations under the License.
*/
package com.amazonaws.auth;
import java.util.Date;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;
import com.amazonaws.services.securitytoken.model.GetSessionTokenResult;
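/**
 * Session credentials periodically refreshed by AWS SecurityTokenService.
 * <p>
 * Calls to {@link STSSessionCredentials#getAWSAccessKeyId()},
 * {@link STSSessionCredentials#getAWSSecretKey()}, and
 * {@link STSSessionCredentials#getSessionToken()} should be synchronized on
 * this object to prevent races on the boundary of session expiration: each
 * getter may start a new session, so three separate calls can return values
 * that belong to different sessions. Alternately, clients can call
 * {@link STSSessionCredentials#getImmutableCredentials()} to ensure a
 * consistent set of access key, secret key, and token.
 * <p>
 * The most recently issued access key, secret key, and session token are held
 * in memory by this object for as long as it is reachable.
 * <p>
 * This class is deprecated and should not be used anymore.
 * Instead, use {@link STSSessionCredentialsProvider}.
 */
@Deprecated
public class STSSessionCredentials implements AWSRefreshableSessionCredentials {

    /** Session duration, in seconds, used when the caller does not supply one. */
    public static final int DEFAULT_DURATION_SECONDS = 3600;

    /**
     * A session with less than this much time left (in milliseconds) is
     * replaced before its credentials are handed out.
     */
    private static final long REFRESH_THRESHOLD_MILLIS = 60L * 1000L;

    private final AWSSecurityTokenService securityTokenService;
    private final int sessionDurationSeconds;

    /** Credentials of the current session; {@code null} until the first refresh. */
    private Credentials sessionCredentials;

    /**
     * Create a new credentials object that will periodically and automatically
     * obtain a session from STS.
     *
     * @param credentials
     *            Primary AWS account credentials.
     */
    public STSSessionCredentials(AWSCredentials credentials) {
        this(credentials, DEFAULT_DURATION_SECONDS);
    }

    /**
     * Create a new credentials object that will periodically and automatically
     * obtain a session from STS.
     *
     * @param credentials
     *            Primary AWS account credentials.
     * @param sessionDurationSeconds
     *            The duration, in seconds, for each session to last. This
     *            class performs no range check on the value; it is passed to
     *            STS as given.
     */
    public STSSessionCredentials(AWSCredentials credentials, int sessionDurationSeconds) {
        this(new AWSSecurityTokenServiceClient(credentials), sessionDurationSeconds);
    }

    /**
     * Create a new credentials object that will periodically and automatically
     * obtain a session from STS, using a preconfigured STS client.
     *
     * @param stsClient
     *            A pre-configured STS client from which to get credentials.
     */
    public STSSessionCredentials(AWSSecurityTokenService stsClient) {
        this(stsClient, DEFAULT_DURATION_SECONDS);
    }

    /**
     * Create a new credentials object that will periodically and automatically
     * obtain a session from STS, using a preconfigured STS client.
     *
     * @param stsClient
     *            A pre-configured STS client from which to get credentials.
     * @param sessionDurationSeconds
     *            The duration, in seconds, for each session to last. This
     *            class performs no range check on the value; it is passed to
     *            STS as given.
     */
    public STSSessionCredentials(AWSSecurityTokenService stsClient, int sessionDurationSeconds) {
        this.securityTokenService = stsClient;
        this.sessionDurationSeconds = sessionDurationSeconds;
    }

    /**
     * Returns the AWS access key for the current STS session, beginning a new
     * one if necessary.
     * <p>
     * Clients are encouraged to call the atomic
     * {@link #getImmutableCredentials()} instead of combining this method with
     * the other getters.
     */
    @Override
    public synchronized String getAWSAccessKeyId() {
        return getSessionCredentials().getAccessKeyId();
    }

    /**
     * Returns the AWS secret key for the current STS session, beginning a new
     * one if necessary.
     * <p>
     * Clients are encouraged to call the atomic
     * {@link #getImmutableCredentials()} instead of combining this method with
     * the other getters.
     */
    @Override
    public synchronized String getAWSSecretKey() {
        return getSessionCredentials().getSecretAccessKey();
    }

    /**
     * Returns the session token for the current STS session, beginning a new
     * one if necessary.
     * <p>
     * Clients are encouraged to call the atomic
     * {@link #getImmutableCredentials()} instead of combining this method with
     * the other getters.
     */
    @Override
    public synchronized String getSessionToken() {
        return getSessionCredentials().getSessionToken();
    }

    /**
     * Returns immutable session credentials for this session, beginning a new one if necessary.
     * <p>
     * All three values are read from the same session under one lock, so the
     * returned object is a consistent snapshot. It is not refreshed afterwards.
     *
     * @return a snapshot of the current access key, secret key, and session token
     */
    public synchronized AWSSessionCredentials getImmutableCredentials() {
        Credentials current = getSessionCredentials();
        return new BasicSessionCredentials(
                current.getAccessKeyId(),
                current.getSecretAccessKey(),
                current.getSessionToken());
    }

    /**
     * Refreshes the session credentials from STS.
     * <p>
     * Requests a new session token with the configured duration and replaces
     * the cached credentials with the ones in the response.
     */
    @Override
    public synchronized void refreshCredentials() {
        GetSessionTokenRequest request =
                new GetSessionTokenRequest().withDurationSeconds(sessionDurationSeconds);
        GetSessionTokenResult result = securityTokenService.getSessionToken(request);
        // NOTE(review): the credentials from the result are stored without a
        // null check; the getters dereference them directly.
        sessionCredentials = result.getCredentials();
    }

    /**
     * Gets a current session credentials object, reinitializing if necessary.
     */
    private synchronized Credentials getSessionCredentials() {
        if (needsNewSession()) {
            refreshCredentials();
        }
        return sessionCredentials;
    }

    /**
     * Decides whether a new session must be requested before credentials are
     * returned.
     * <p>
     * Only called from {@link #getSessionCredentials()}, which holds the lock.
     * The remaining lifetime is computed against the local
     * {@link System#currentTimeMillis()}, so the result depends on the local
     * clock being accurate.
     *
     * @return {@code true} if there is no session yet or the current one has
     *         less than {@link #REFRESH_THRESHOLD_MILLIS} left
     */
    private boolean needsNewSession() {
        if (sessionCredentials == null) {
            return true;
        }
        Date expiration = sessionCredentials.getExpiration();
        long timeRemaining = expiration.getTime() - System.currentTimeMillis();
        return timeRemaining < REFRESH_THRESHOLD_MILLIS;
    }
}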