/*
* Copyright 2010-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package com.amazonaws.tvm.identity;
import com.amazonaws.AmazonClientException;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest;
import com.amazonaws.tvm.Utilities;
import com.amazonaws.tvm.Configuration;
import com.amazonaws.tvm.identity.exception.DataAccessException;
/**
* This class retrieves temporary federation token, i.e. session credentials,
* from Amazon Security Token Service.
*/
public class TemporaryCredentialManagement {
private final AWSSecurityTokenServiceClient sts;
public TemporaryCredentialManagement() {
BasicAWSCredentials creds = new BasicAWSCredentials(Configuration.AWS_ACCESS_KEY_ID,
Configuration.AWS_SECRET_KEY);
sts = new AWSSecurityTokenServiceClient(creds);
}
/**
* Retrieves temporary credentials for the given user.
*
* @param username
* a given user name
* @return temporary AWS credentials
* @throws DataAccessException
* When it fails to get federation token from STS
*/
public Credentials getTemporaryCredentials(String username) throws DataAccessException {
GetFederationTokenRequest getFederationTokenRequest = new GetFederationTokenRequest();
getFederationTokenRequest.setName(username);
getFederationTokenRequest.setPolicy(getPolicyObject(username));
getFederationTokenRequest.setDurationSeconds(new Integer(Configuration.SESSION_DURATION));
try {
return sts.getFederationToken(getFederationTokenRequest).getCredentials();
} catch (AmazonClientException e) {
throw new DataAccessException("Failed to get federation token for user: " + username, e);
}
}
protected String getPolicyObject(String username) {
// Ensure the username is valid to prevent injection attacks.
if (!Utilities.isValidUsername(username)) {
throw new IllegalArgumentException("Invalid Username");
}
return Utilities.getRawPolicyFile( "/IdentityTokenVendingMachinePolicy.json" ).replaceAll("__USERNAME__", username)
.replaceAll("__REGION__", Configuration.DYNAMODB_REGION)
.replaceAll("__ACCOUNT_ID__", Configuration.AWS_ACCOUNT_ID)
.replaceAll("__USERS_TABLE__", Configuration.USERS_TABLE)
.replaceAll("__DEVICE_TABLE__", Configuration.DEVICE_TABLE);
}
}