fix(client-sts): disable auth for public assumeRole commands (#1706)
trivikr authored Nov 24, 2020
1 parent e932876 commit 891eae2
Showing 8 changed files with 27 additions and 8 deletions.
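--- a/clients/client-sts/STSClient.ts
+++ b/clients/client-sts/STSClient.ts
@@ -30,12 +30,7 @@ import {
 } from "@aws-sdk/middleware-host-header";
 import { getLoggerPlugin } from "@aws-sdk/middleware-logger";
 import { RetryInputConfig, RetryResolvedConfig, getRetryPlugin, resolveRetryConfig } from "@aws-sdk/middleware-retry";
-import {
-AwsAuthInputConfig,
-AwsAuthResolvedConfig,
-getAwsAuthPlugin,
-resolveAwsAuthConfig,
-} from "@aws-sdk/middleware-signing";
+import { AwsAuthInputConfig, AwsAuthResolvedConfig, resolveAwsAuthConfig } from "@aws-sdk/middleware-signing";
 import {
 UserAgentInputConfig,
 UserAgentResolvedConfig,
@@ -221,7 +216,6 @@ export class STSClient extends __Client<
 let _config_6 = resolveHostHeaderConfig(_config_5);
 super(_config_6);
 this.config = _config_6;
-this.middlewareStack.use(getAwsAuthPlugin(this.config));
 this.middlewareStack.use(getRetryPlugin(this.config));
 this.middlewareStack.use(getUserAgentPlugin(this.config));
 this.middlewareStack.use(getContentLengthPlugin(this.config));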
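--- a/clients/client-sts/commands/AssumeRoleCommand.ts
+++ b/clients/client-sts/commands/AssumeRoleCommand.ts
@@ -2,6 +2,7 @@ import { STSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "
 import { AssumeRoleRequest, AssumeRoleResponse } from "../models/models_0";
 import { deserializeAws_queryAssumeRoleCommand, serializeAws_queryAssumeRoleCommand } from "../protocols/Aws_query";
 import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
 import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
 import { Command as $Command } from "@aws-sdk/smithy-client";
 import {
@@ -151,6 +152,7 @@ export class AssumeRoleCommand extends $Command<
 options?: __HttpHandlerOptions
 ): Handler<AssumeRoleCommandInput, AssumeRoleCommandOutput> {
 this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+this.middlewareStack.use(getAwsAuthPlugin(configuration));
 
 const stack = clientStack.concat(this.middlewareStack);
 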
Expand Up @@ -5,6 +5,7 @@ import {
serializeAws_queryDecodeAuthorizationMessageCommand,
} from "../protocols/Aws_query";
import { getSerdePlugin } from "@aws-sdk/middleware-serde";
import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
import { Command as $Command } from "@aws-sdk/smithy-client";
import {
Expand Down Expand Up @@ -81,6 +82,7 @@ export class DecodeAuthorizationMessageCommand extends $Command<
options?: __HttpHandlerOptions
): Handler<DecodeAuthorizationMessageCommandInput, DecodeAuthorizationMessageCommandOutput> {
this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
this.middlewareStack.use(getAwsAuthPlugin(configuration));

const stack = clientStack.concat(this.middlewareStack);

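--- a/clients/client-sts/commands/GetAccessKeyInfoCommand.ts
+++ b/clients/client-sts/commands/GetAccessKeyInfoCommand.ts
@@ -5,6 +5,7 @@ import {
 serializeAws_queryGetAccessKeyInfoCommand,
 } from "../protocols/Aws_query";
 import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
 import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
 import { Command as $Command } from "@aws-sdk/smithy-client";
 import {
@@ -63,6 +64,7 @@ export class GetAccessKeyInfoCommand extends $Command<
 options?: __HttpHandlerOptions
 ): Handler<GetAccessKeyInfoCommandInput, GetAccessKeyInfoCommandOutput> {
 this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+this.middlewareStack.use(getAwsAuthPlugin(configuration));
 
 const stack = clientStack.concat(this.middlewareStack);
 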
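--- a/clients/client-sts/commands/GetCallerIdentityCommand.ts
+++ b/clients/client-sts/commands/GetCallerIdentityCommand.ts
@@ -5,6 +5,7 @@ import {
 serializeAws_queryGetCallerIdentityCommand,
 } from "../protocols/Aws_query";
 import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
 import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
 import { Command as $Command } from "@aws-sdk/smithy-client";
 import {
@@ -55,6 +56,7 @@ export class GetCallerIdentityCommand extends $Command<
 options?: __HttpHandlerOptions
 ): Handler<GetCallerIdentityCommandInput, GetCallerIdentityCommandOutput> {
 this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+this.middlewareStack.use(getAwsAuthPlugin(configuration));
 
 const stack = clientStack.concat(this.middlewareStack);
 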
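--- a/clients/client-sts/commands/GetFederationTokenCommand.ts
+++ b/clients/client-sts/commands/GetFederationTokenCommand.ts
@@ -5,6 +5,7 @@ import {
 serializeAws_queryGetFederationTokenCommand,
 } from "../protocols/Aws_query";
 import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
 import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
 import { Command as $Command } from "@aws-sdk/smithy-client";
 import {
@@ -124,6 +125,7 @@ export class GetFederationTokenCommand extends $Command<
 options?: __HttpHandlerOptions
 ): Handler<GetFederationTokenCommandInput, GetFederationTokenCommandOutput> {
 this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+this.middlewareStack.use(getAwsAuthPlugin(configuration));
 
 const stack = clientStack.concat(this.middlewareStack);
 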
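--- a/clients/client-sts/commands/GetSessionTokenCommand.ts
+++ b/clients/client-sts/commands/GetSessionTokenCommand.ts
@@ -5,6 +5,7 @@ import {
 serializeAws_queryGetSessionTokenCommand,
 } from "../protocols/Aws_query";
 import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
 import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
 import { Command as $Command } from "@aws-sdk/smithy-client";
 import {
@@ -97,6 +98,7 @@ export class GetSessionTokenCommand extends $Command<
 options?: __HttpHandlerOptions
 ): Handler<GetSessionTokenCommandInput, GetSessionTokenCommandOutput> {
 this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+this.middlewareStack.use(getAwsAuthPlugin(configuration));
 
 const stack = clientStack.concat(this.middlewareStack);
 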
Expand Up @@ -67,7 +67,10 @@ public List<RuntimeClientPlugin> getClientPlugins() {
.withConventions(AwsDependency.MIDDLEWARE_SIGNING.dependency, "AwsAuth", HAS_MIDDLEWARE)
// See operationUsesAwsAuth() below for AwsAuth Middleware customizations.
.servicePredicate(
(m, s) -> !testServiceId(s, "Cognito Identity") && !hasOptionalAuthOperation(m, s)
(m, s) ->
!testServiceId(s, "Cognito Identity") &&
!testServiceId(s, "STS") &&
!hasOptionalAuthOperation(m, s)
).build(),
RuntimeClientPlugin.builder()
.withConventions(TypeScriptDependency.MIDDLEWARE_RETRY.dependency, "Retry")
Expand Down Expand Up @@ -174,6 +177,16 @@ private static boolean operationUsesAwsAuth(Model model, ServiceShape service, O
.contains(operation.getId().getName());
return !isUnsignedCommand;
}

// STS doesn't need auth for AssumeRoleWithWebIdentity, AssumeRoleWithSAML.
// Remove when optionalAuth model update is published in 0533102932.
if (testServiceId(service, "STS")) {
Boolean isUnsignedCommand = SetUtils
.of("AssumeRoleWithWebIdentity", "AssumeRoleWithSAML")
.contains(operation.getId().getName());
return !isUnsignedCommand;
}

// optionalAuth trait doesn't require authentication.
if (hasOptionalAuthOperation(model, service)) {
return !operation.getTrait(OptionalAuthTrait.class).isPresent();
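Review bot: The STS block added to operationUsesAwsAuth() copies the Cognito Identity block directly above it, down to the boxed `Boolean` local, and hard-codes the unsigned operation names inline; it would read better as a `private static final Set<String> STS_UNSIGNED_OPERATIONS = SetUtils.of("AssumeRoleWithWebIdentity", "AssumeRoleWithSAML");` constant with `boolean isUnsignedCommand = STS_UNSIGNED_OPERATIONS.contains(operation.getId().getName());` in the method. Expressing the exception as a set of unsigned operations is the right default for a signer: any STS operation not listed, including ones added later, still receives the AwsAuth middleware, and since the generated STSClient.ts no longer registers the signer at the client level a mistake here would surface as an unsigned request rather than a double-signed one. The servicePredicate in the first hunk carries no hint that its new `!testServiceId(s, "STS")` clause is temporary; a comment such as `// Temporary until the optionalAuth model update ships; remove together with the STS block in operationUsesAwsAuth().` would keep the two sites in step. Both enclosing methods, getClientPlugins() and operationUsesAwsAuth(), start outside their hunks.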
