private static AWSCredentials GetAWSCredentials(string profileName, ICredentialProfileSource profileSource,
CredentialProfileOptions options, RegionEndpoint stsRegion, bool nonCallbackOnly)
{
var profileType = CredentialProfileTypeDetector.DetectProfileType(options);
if (nonCallbackOnly && profileType.HasValue && IsCallbackRequired(profileType.Value))
{
if (profileType == CredentialProfileType.AssumeRoleExternalMFA ||
profileType == CredentialProfileType.AssumeRoleMFA)
{
var mfaMessage = profileName == null
? "The credential options represent AssumeRoleAWSCredentials that require an MFA. This is not allowed here. " +
"Please use credential options for AssumeRoleAWSCredentials that don't require an MFA, or a different type of credentials."
: String.Format(CultureInfo.InvariantCulture,
"The profile [{0}] is an assume role profile that requires an MFA. This type of profile is not allowed here. " +
"Please use an assume role profile that doesn't require an MFA, or a different type of profile.", profileName);
throw new InvalidOperationException(mfaMessage);
}
#if BCL
else if (profileType == CredentialProfileType.SAMLRoleUserIdentity)
{
var samlMessage = profileName == null
? "The credential options represent FederatedAWSCredentials that specify a user identity. This is not allowed here. " +
"Please use credential options for FederatedAWSCredentials without an explicit user identity, or a different type of credentials."
: String.Format(CultureInfo.InvariantCulture,
"The profile [{0}] is a SAML role profile that specifies a user identity. This type of profile is not allowed here. " +
"Please use a SAML role profile without an explicit user identity, or a different type of profile.", profileName);
throw new InvalidOperationException(samlMessage);
}
#endif
}
return(GetAWSCredentialsInternal(profileName, profileType, options, stsRegion, profileSource, true));
}
/// <summary>
/// Return the credentials for the profile if valid credentials can created.
/// </summary>
/// <param name="options">The options to get AWSCredentials for.</param>
/// <param name="profileSource">The profile source, for profiles that reference other profiles.</param>
/// <param name="credentials">The credentials for the profile.</param>
/// <returns>True if credentials can be created from the profile, false otherwise.</returns>
public static bool TryGetAWSCredentials(CredentialProfileOptions options, ICredentialProfileSource profileSource, out AWSCredentials credentials)
{
var profileType = CredentialProfileTypeDetector.DetectProfileType(options);
credentials = GetAWSCredentialsInternal(null, profileType, options, null, profileSource, false);
return(credentials != null);
}
/// <summary>
/// Construct a new CredentialProfile.
/// </summary>
/// <param name="name"></param>
/// <param name="profileOptions"></param>
public CredentialProfile(string name, CredentialProfileOptions profileOptions)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentException("Name must not be null or empty.");
}
if (profileOptions == null)
{
throw new ArgumentNullException("profileOptions");
}
Name = name;
Options = profileOptions;
}
/// <summary>
/// Gets the AWSCredentials for this profile if CanCreateAWSCredentials is true
/// and AWSCredentials can be created. Throws an exception otherwise.
///
/// See <see cref="CredentialProfileOptions"/> for a list of AWSCredentials returned by this method.
/// </summary>
/// <param name="options">The options to get AWSCredentials for.</param>
/// <param name="profileSource">The profile source, for options that reference other profiles.</param>
/// <param name="nonCallbackOnly">If true, throw a descriptive exception for any credentials that would not operate as-is.
/// In other words, any credentials that require programmatic callbacks at runtime.</param>
/// <returns>AWSCredentials for the options given.</returns>
public static AWSCredentials GetAWSCredentials(CredentialProfileOptions options, ICredentialProfileSource profileSource, bool nonCallbackOnly)
{
return(GetAWSCredentials(null, profileSource, options, null, nonCallbackOnly));
}
/// <summary>
/// Gets the AWSCredentials for this profile if CanCreateAWSCredentials is true
/// and AWSCredentials can be created. Throws an exception otherwise.
///
/// See <see cref="CredentialProfileOptions"/> for a list of AWSCredentials returned by this method.
/// </summary>
/// <param name="options">The options to get AWSCredentials for.</param>
/// <param name="profileSource">The profile source, for options that reference other profiles.</param>
/// <returns>AWSCredentials for the options given.</returns>
public static AWSCredentials GetAWSCredentials(CredentialProfileOptions options, ICredentialProfileSource profileSource)
{
return(GetAWSCredentials(null, profileSource, options, null, false));
}
private static AWSCredentials GetAWSCredentialsInternal(string profileName, CredentialProfileType?profileType,
CredentialProfileOptions options, RegionEndpoint stsRegion, ICredentialProfileSource profileSource, bool throwIfInvalid)
{
if (profileType.HasValue)
{
switch (profileType)
{
case CredentialProfileType.Basic:
return(new BasicAWSCredentials(options.AccessKey, options.SecretKey));
case CredentialProfileType.Session:
return(new SessionAWSCredentials(options.AccessKey, options.SecretKey, options.Token));
case CredentialProfileType.AssumeRole:
case CredentialProfileType.AssumeRoleExternal:
case CredentialProfileType.AssumeRoleMFA:
case CredentialProfileType.AssumeRoleExternalMFA:
AWSCredentials sourceCredentials;
// get basic or session credentials from profileSource
try
{
sourceCredentials = GetSourceAWSCredentials(options.SourceProfile, profileSource, throwIfInvalid);
}
catch (InvalidDataException e)
{
var sourceMessage = profileName == null
? string.Format(CultureInfo.InvariantCulture,
"Error reading source profile [{0}] for the credential options provided.", options.SourceProfile)
: string.Format(CultureInfo.InvariantCulture,
"Error reading source profile [{0}] for profile [{1}].", options.SourceProfile, profileName);
return(ThrowOrReturnNull(sourceMessage, e, throwIfInvalid));
}
#pragma warning disable CS0612 // Type or member is obsolete
var roleSessionName = RoleSessionNamePrefix + AWSSDKUtils.CorrectedUtcNow.Ticks;
#pragma warning restore CS0612 // Type or member is obsolete
var assumeRoleOptions = new AssumeRoleAWSCredentialsOptions()
{
ExternalId = options.ExternalID,
MfaSerialNumber = options.MfaSerial
};
return(new AssumeRoleAWSCredentials(sourceCredentials, options.RoleArn, roleSessionName, assumeRoleOptions));
case CredentialProfileType.AssumeRoleCredentialSource:
// get credentials specified by credentialSource
try
{
sourceCredentials = GetCredentialSourceAWSCredentials(options.CredentialSource, throwIfInvalid);
}
catch (InvalidDataException e)
{
var sourceMessage = profileName == null
? string.Format(CultureInfo.InvariantCulture,
"Error reading credential source [{0}] for the credential options provided.", options.CredentialSource)
: string.Format(CultureInfo.InvariantCulture,
"Error reading credential source [{0}] for profile [{1}].", options.CredentialSource, profileName);
return(ThrowOrReturnNull(sourceMessage, e, throwIfInvalid));
}
#pragma warning disable CS0612 // Type or member is obsolete
roleSessionName = RoleSessionNamePrefix + AWSSDKUtils.CorrectedUtcNow.Ticks;
#pragma warning restore CS0612 // Type or member is obsolete
assumeRoleOptions = new AssumeRoleAWSCredentialsOptions();
return(new AssumeRoleAWSCredentials(sourceCredentials, options.RoleArn, roleSessionName, assumeRoleOptions));
#if BCL
case CredentialProfileType.SAMLRole:
case CredentialProfileType.SAMLRoleUserIdentity:
if (UserCrypto.IsUserCryptAvailable)
{
var federatedOptions = new FederatedAWSCredentialsOptions()
{
STSRegion = stsRegion,
UserIdentity = options.UserIdentity,
ProfileName = profileName
};
return(new FederatedAWSCredentials(new SAMLEndpointManager().GetEndpoint(options.EndpointName),
options.RoleArn, federatedOptions));
}
else
{
return(ThrowOrReturnNull("Federated credentials are not available on this platform.", null, throwIfInvalid));
}
#endif
default:
var defaultMessage = profileName == null
? string.Format(CultureInfo.InvariantCulture,
"Invalid ProfileType {0} for the credential options provided.", profileType)
: string.Format(CultureInfo.InvariantCulture,
"Invalid ProfileType {0} for credential profile [{1}].", profileType, profileName);
return(ThrowOrReturnNull(defaultMessage, null, throwIfInvalid));
}
}
else
{
return(ThrowInvalidOrReturnNull(profileName, throwIfInvalid));
}
}
private static AWSCredentials GetAWSCredentialsInternal(
string profileName,
CredentialProfileType?profileType,
CredentialProfileOptions options,
RegionEndpoint stsRegion,
ICredentialProfileSource profileSource,
bool throwIfInvalid,
HashSet <string> profileLoopAvoidance = null)
{
if (profileType.HasValue)
{
switch (profileType)
{
case CredentialProfileType.Basic:
return(new BasicAWSCredentials(options.AccessKey, options.SecretKey));
case CredentialProfileType.Session:
return(new SessionAWSCredentials(options.AccessKey, options.SecretKey, options.Token));
case CredentialProfileType.AssumeRole:
case CredentialProfileType.AssumeRoleExternal:
case CredentialProfileType.AssumeRoleMFA:
case CredentialProfileType.AssumeRoleExternalMFA:
case CredentialProfileType.AssumeRoleSessionName:
case CredentialProfileType.AssumeRoleExternalSessionName:
case CredentialProfileType.AssumeRoleMFASessionName:
case CredentialProfileType.AssumeRoleExternalMFASessionName:
if (profileName != null)
{
if (profileLoopAvoidance == null)
{
profileLoopAvoidance = new HashSet <string>();
}
else if (profileLoopAvoidance.Contains(profileName))
{
var sourceMessage = string.Format(CultureInfo.InvariantCulture,
"Error reading profile [{0}]: the source profile definition is cyclical.", profileName);
return(ThrowOrReturnNull(sourceMessage, null, throwIfInvalid));
}
profileLoopAvoidance.Add(profileName);
}
AWSCredentials sourceCredentials;
try
{
sourceCredentials = GetSourceAWSCredentials(options.SourceProfile, profileSource, throwIfInvalid, profileLoopAvoidance);
}
catch (InvalidDataException e)
{
var sourceMessage = profileName == null
? string.Format(CultureInfo.InvariantCulture,
"Error reading source profile [{0}] for the credential options provided.", options.SourceProfile)
: string.Format(CultureInfo.InvariantCulture,
"Error reading source profile [{0}] for profile [{1}].", options.SourceProfile, profileName);
return(ThrowOrReturnNull(sourceMessage, e, throwIfInvalid));
}
#pragma warning disable CS0612 // Type or member is obsolete
var roleSessionName = options.RoleSessionName ?? RoleSessionNamePrefix + AWSSDKUtils.CorrectedUtcNow.Ticks;
#pragma warning restore CS0612 // Type or member is obsolete
var assumeRoleOptions = new AssumeRoleAWSCredentialsOptions()
{
ExternalId = options.ExternalID,
MfaSerialNumber = options.MfaSerial
};
return(new AssumeRoleAWSCredentials(sourceCredentials, options.RoleArn, roleSessionName, assumeRoleOptions));
case CredentialProfileType.AssumeRoleCredentialSource:
case CredentialProfileType.AssumeRoleCredentialSourceSessionName:
// get credentials specified by credentialSource
try
{
sourceCredentials = GetCredentialSourceAWSCredentials(options.CredentialSource, throwIfInvalid);
}
catch (InvalidDataException e)
{
var sourceMessage = profileName == null
? string.Format(CultureInfo.InvariantCulture,
"Error reading credential source [{0}] for the credential options provided.", options.CredentialSource)
: string.Format(CultureInfo.InvariantCulture,
"Error reading credential source [{0}] for profile [{1}].", options.CredentialSource, profileName);
return(ThrowOrReturnNull(sourceMessage, e, throwIfInvalid));
}
#pragma warning disable CS0612 // Type or member is obsolete
roleSessionName = options.RoleSessionName ?? RoleSessionNamePrefix + AWSSDKUtils.CorrectedUtcNow.Ticks;
#pragma warning restore CS0612 // Type or member is obsolete
assumeRoleOptions = new AssumeRoleAWSCredentialsOptions();
return(new AssumeRoleAWSCredentials(sourceCredentials, options.RoleArn, roleSessionName, assumeRoleOptions));
case CredentialProfileType.AssumeRoleWithWebIdentity:
case CredentialProfileType.AssumeRoleWithWebIdentitySessionName:
return(new AssumeRoleWithWebIdentityCredentials(options.WebIdentityTokenFile, options.RoleArn, options.RoleSessionName));
#if !BCL35
case CredentialProfileType.SSO:
{
var ssoCredentialsOptions = new SSOAWSCredentialsOptions();
return(new SSOAWSCredentials(
options.SsoAccountId, options.SsoRegion,
options.SsoRoleName, options.SsoStartUrl,
ssoCredentialsOptions
));
}
#endif
case CredentialProfileType.SAMLRole:
case CredentialProfileType.SAMLRoleUserIdentity:
if (UserCrypto.IsUserCryptAvailable)
{
var federatedOptions = new FederatedAWSCredentialsOptions()
{
STSRegion = stsRegion,
UserIdentity = options.UserIdentity,
ProfileName = profileName
};
return(new FederatedAWSCredentials(new SAMLEndpointManager().GetEndpoint(options.EndpointName),
options.RoleArn, federatedOptions));
}
else
{
return(ThrowOrReturnNull("Federated credentials are not available on this platform.", null, throwIfInvalid));
}
case CredentialProfileType.CredentialProcess:
return(new ProcessAWSCredentials(options.CredentialProcess));
default:
var defaultMessage = profileName == null
? string.Format(CultureInfo.InvariantCulture,
"Invalid ProfileType {0} for the credential options provided.", profileType)
: string.Format(CultureInfo.InvariantCulture,
"Invalid ProfileType {0} for credential profile [{1}].", profileType, profileName);
return(ThrowOrReturnNull(defaultMessage, null, throwIfInvalid));
}
}
else
{
return(ThrowInvalidOrReturnNull(profileName, throwIfInvalid));
}
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
// Enable CORS.
services.AddCors();
// Add MVC service.
services.AddMvc();
// Create AWS Profile options for basic profile.
var awsProfileOptions = new Amazon.Runtime.CredentialManagement.CredentialProfileOptions()
{
AccessKey = Configuration.GetValue <string>("Secrets:AWS:AccessKey"),
SecretKey = Configuration.GetValue <string>("Secrets:AWS:AccessKeySecret"),
};
// Creates basic profile with above options, then set AWS region.
var awsProfile = new Amazon.Runtime.CredentialManagement.CredentialProfile("basic-profile", awsProfileOptions);
awsProfile.Region = RegionEndpoint.APNortheast2;
// Registers AWS profile to AWS SDK's .NET SDK credentials file.
var sdkFile = new NetSDKCredentialsFile();
sdkFile.RegisterProfile(awsProfile);
// Add AWS options.
services.AddDefaultAWSOptions(new AWSOptions()
{
Region = RegionEndpoint.APNortheast2, Profile = awsProfile.Name
});
// Add DynamoDB service.
services.AddAWSService <IAmazonDynamoDB>();
// Add UserServices.
// If want to use classic user service, use `UserService`.
services.AddScoped <IUserService, DynamoDBUserService>();
// Configure JWT authentication.
services.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(x =>
{
x.RequireHttpsMetadata = false; // NOTE: This should be set to `true` on production.
x.SaveToken = true;
x.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(System.Text.Encoding.ASCII.GetBytes(Configuration.GetValue <string>("Secrets:JWT"))),
ValidateIssuer = false,
ValidateAudience = false
};
});
// In production, the React files will be served from this directory
// This code portion is not related to webpack_hmr.
services.AddSpaStaticFiles(configuration =>
{
configuration.RootPath = "wwwroot/dist";
});
}
private static AWSCredentials GetAWSCredentialsInternal(string profileName, CredentialProfileType?profileType,
CredentialProfileOptions options, RegionEndpoint stsRegion, ICredentialProfileSource profileSource, bool throwIfInvalid)
{
if (profileType.HasValue)
{
switch (profileType)
{
case CredentialProfileType.Basic:
return(new BasicAWSCredentials(options.AccessKey, options.SecretKey));
case CredentialProfileType.Session:
return(new SessionAWSCredentials(options.AccessKey, options.SecretKey, options.Token));
case CredentialProfileType.AssumeRole:
case CredentialProfileType.AssumeRoleExternal:
case CredentialProfileType.AssumeRoleMFA:
case CredentialProfileType.AssumeRoleExternalMFA:
BasicAWSCredentials sourceCredentials;
// get basic credentials from profileSource
try
{
sourceCredentials = GetSourceAWSCredentials(options.SourceProfile, profileSource, throwIfInvalid);
}
catch (InvalidDataException e)
{
var sourceMessage = profileName == null
? string.Format(CultureInfo.InvariantCulture,
"Error reading source profile [{0}] for the credential options provided.", options.SourceProfile)
: string.Format(CultureInfo.InvariantCulture,
"Error reading source profile [{0}] for profile [{1}].", options.SourceProfile, profileName);
return(ThrowOrReturnNull(sourceMessage, e, throwIfInvalid));
}
var roleSessionName = RoleSessionNamePrefix + DateTime.UtcNow.Ticks;
var assumeRoleOptions = new AssumeRoleAWSCredentialsOptions()
{
ExternalId = options.ExternalID,
MfaSerialNumber = options.MfaSerial
};
return(new AssumeRoleAWSCredentials(sourceCredentials, options.RoleArn, roleSessionName, assumeRoleOptions));
#if BCL
case CredentialProfileType.SAMLRole:
case CredentialProfileType.SAMLRoleUserIdentity:
var federatedOptions = new FederatedAWSCredentialsOptions()
{
STSRegion = stsRegion,
UserIdentity = options.UserIdentity,
ProfileName = profileName
};
return(new FederatedAWSCredentials(EndpointManager.GetEndpoint(options.EndpointName),
options.RoleArn, federatedOptions));
#endif
default:
var defaultMessage = profileName == null
? string.Format(CultureInfo.InvariantCulture,
"Invalid ProfileType {0} for the credential options provided.", profileType)
: string.Format(CultureInfo.InvariantCulture,
"Invalid ProfileType {0} for credential profile [{1}].", profileType, profileName);
return(ThrowOrReturnNull(defaultMessage, null, throwIfInvalid));
}
}
else
{
return(ThrowInvalidOrReturnNull(profileName, throwIfInvalid));
}
}
