Added boto/ to depot_tools/third_party

third_party/boto/sts/connection.py

+# Copyright (c) 2011 Mitch Garnaat http://garnaat.org/
+# Copyright (c) 2011, Eucalyptus Systems, Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish, dis-
+# tribute, sublicense, and/or sell copies of the Software, and to permit
+# persons to whom the Software is furnished to do so, subject to the fol-
+# lowing conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL-
+# ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
+# SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+from boto.connection import AWSQueryConnection
+from boto.regioninfo import RegionInfo
+from credentials import Credentials, FederationToken, AssumedRole
+import boto
+import boto.utils
+import datetime
+import threading
+
+_session_token_cache = {}
+
+
+class STSConnection(AWSQueryConnection):
+
+    DefaultRegionName = 'us-east-1'
+    DefaultRegionEndpoint = 'sts.amazonaws.com'
+    APIVersion = '2011-06-15'
+
+    def __init__(self, aws_access_key_id=None, aws_secret_access_key=None,
+                 is_secure=True, port=None, proxy=None, proxy_port=None,
+                 proxy_user=None, proxy_pass=None, debug=0,
+                 https_connection_factory=None, region=None, path='/',
+                 converter=None, validate_certs=True):
+        if not region:
+            region = RegionInfo(self, self.DefaultRegionName,
+                                self.DefaultRegionEndpoint,
+                                connection_cls=STSConnection)
+        self.region = region
+        self._mutex = threading.Semaphore()
+        AWSQueryConnection.__init__(self, aws_access_key_id,
+                                    aws_secret_access_key,
+                                    is_secure, port, proxy, proxy_port,
+                                    proxy_user, proxy_pass,
+                                    self.region.endpoint, debug,
+                                    https_connection_factory, path,
+                                    validate_certs=validate_certs)
+
+    def _required_auth_capability(self):
+        return ['sign-v2']
+
+    def _check_token_cache(self, token_key, duration=None, window_seconds=60):
+        token = _session_token_cache.get(token_key, None)
+        if token:
+            now = datetime.datetime.utcnow()
+            expires = boto.utils.parse_ts(token.expiration)
+            delta = expires - now
+            if delta < datetime.timedelta(seconds=window_seconds):
+                msg = 'Cached session token %s is expired' % token_key
+                boto.log.debug(msg)
+                token = None
+        return token
+
+    def _get_session_token(self, duration=None,
+                           mfa_serial_number=None, mfa_token=None):
+        params = {}
+        if duration:
+            params['DurationSeconds'] = duration
+        if mfa_serial_number:
+            params['SerialNumber'] = mfa_serial_number
+        if mfa_token:
+            params['TokenCode'] = mfa_token
+        return self.get_object('GetSessionToken', params,
+                                Credentials, verb='POST')
+
+    def get_session_token(self, duration=None, force_new=False,
+                          mfa_serial_number=None, mfa_token=None):
+        """
+        Return a valid session token.  Because retrieving new tokens
+        from the Secure Token Service is a fairly heavyweight operation
+        this module caches previously retrieved tokens and returns
+        them when appropriate.  Each token is cached with a key
+        consisting of the region name of the STS endpoint
+        concatenated with the requesting user's access id.  If there
+        is a token in the cache meeting with this key, the session
+        expiration is checked to make sure it is still valid and if
+        so, the cached token is returned.  Otherwise, a new session
+        token is requested from STS and it is placed into the cache
+        and returned.
+
+        :type duration: int
+        :param duration: The number of seconds the credentials should
+            remain valid.
+
+        :type force_new: bool
+        :param force_new: If this parameter is True, a new session token
+            will be retrieved from the Secure Token Service regardless
+            of whether there is a valid cached token or not.
+
+        :type mfa_serial_number: str
+        :param mfa_serial_number: The serial number of an MFA device.
+            If this is provided and if the mfa_passcode provided is
+            valid, the temporary session token will be authorized with
+            to perform operations requiring the MFA device authentication.
+
+        :type mfa_token: str
+        :param mfa_token: The 6 digit token associated with the
+            MFA device.
+        """
+        token_key = '%s:%s' % (self.region.name, self.provider.access_key)
+        token = self._check_token_cache(token_key, duration)
+        if force_new or not token:
+            boto.log.debug('fetching a new token for %s' % token_key)
+            try:
+                self._mutex.acquire()
+                token = self._get_session_token(duration,
+                                                mfa_serial_number,
+                                                mfa_token)
+                _session_token_cache[token_key] = token
+            finally:
+                self._mutex.release()
+        return token
+
+    def get_federation_token(self, name, duration=None, policy=None):
+        """
+        :type name: str
+        :param name: The name of the Federated user associated with
+                     the credentials.
+
+        :type duration: int
+        :param duration: The number of seconds the credentials should
+                         remain valid.
+
+        :type policy: str
+        :param policy: A JSON policy to associate with these credentials.
+
+        """
+        params = {'Name': name}
+        if duration:
+            params['DurationSeconds'] = duration
+        if policy:
+            params['Policy'] = policy
+        return self.get_object('GetFederationToken', params,
+                                FederationToken, verb='POST')
+
+    def assume_role(self, role_arn, role_session_name, policy=None,
+                    duration_seconds=None, external_id=None):
+        """
+        Returns a set of temporary credentials that the caller can use to
+        access resources that are allowed by the temporary credentials.  The
+        credentials are valid for the duration that the caller specified, which
+        can be from 15 minutes (900 seconds) to 1 hour (3600 seconds)
+
+        :type role_arn: str
+        :param role_arn: The Amazon Resource Name (ARN) of the role that the
+            caller is assuming.
+
+        :type role_session_name: str
+        :param role_session_name: The session name of the temporary security
+            credentials. The session name is part of the AssumedRoleUser.
+
+        :type policy: str
+        :param policy: A supplemental policy that can be associated with the
+            temporary security credentials. The caller can limit the
+            permissions that are available on the role's temporary security
+            credentials to maintain the least amount of privileges.  When a
+            service call is made with the temporary security credentials, both
+            policies (the role policy and supplemental policy) are checked.
+
+
+        :type duration_seconds: int
+        :param duration_seconds: he duration, in seconds, of the role session.
+            The value can range from 900 seconds (15 minutes) to 3600 seconds
+            (1 hour).  By default, the value is set to 3600 seconds.
+
+        :type external_id: str
+        :param external_id: A unique identifier that is used by
+            third-party services to ensure that they are assuming a role that
+            corresponds to the correct users. For third-party services that
+            have access to resources across multiple AWS accounts, the unique
+            client ID helps third-party services simplify access control
+            verification.
+
+        :return: An instance of :class:`boto.sts.credentials.AssumedRole`
+
+        """
+        params = {
+            'RoleArn': role_arn,
+            'RoleSessionName': role_session_name
+        }
+        if policy is not None:
+            params['Policy'] = policy
+        if duration_seconds is not None:
+            params['DurationSeconds'] = duration_seconds
+        if external_id is not None:
+            params['ExternalId'] = external_id
+        return self.get_object('AssumeRole', params, AssumedRole, verb='POST')