# Copyright 2011-2012 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You
# may not use this file except in compliance with the License. A copy of
# the License is located at
#
#     http://aws.amazon.com/apache2.0/
#
# or in the "license" file accompanying this file. This file is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
# ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.

require 'aws/core'
require 'aws/sts/config'

module AWS

  # This class is a starting point for working with the AWS Security
  # Token Service.  The AWS Security Token Service is a web service
  # that enables you to request temporary, limited-privilege
  # credentials for users that you authenticate (federated users), or
  # IAM users.
  #
  # @example Getting temporary credentials and using them to make an EC2 request
  #   sts = AWS::STS.new(:access_key_id => "LONG_TERM_KEY",
  #                      :secret_access_key => "LONG_TERM_SECRET")
  #   session = sts.new_session(:duration => 60*60)
  #   ec2 = AWS::EC2.new(session.credentials)
  #   ec2.instances.to_a
  #
  # @example Getting temporary credentials with restricted permissions
  #   policy = AWS::STS::Policy.new
  #   policy.allow(:actions => ["s3:*", "ec2:*"],
  #                :resources => :any)
  #   session = sts.new_federated_session("TemporaryUser", :policy => policy)
  #   ec2 = AWS::EC2.new(session.credentials)
  #   ec2.instances.to_a
  #
  class STS

    AWS.register_autoloads(self) do
      autoload :Client,           'client'
      autoload :Errors,           'errors'
      autoload :FederatedSession, 'federated_session'
      autoload :Policy,           'policy'
      autoload :Request,          'request'
      autoload :Session,          'session'
    end

    include Core::ServiceInterface

    # Returns a set of temporary credentials for an AWS account or IAM
    # User. The credentials consist of an Access Key ID, a Secret
    # Access Key, and a security token. These credentials are valid
    # for the specified duration only. The session duration for IAM
    # users can be between one and 36 hours, with a default of 12
    # hours. The session duration for AWS account owners is restricted
    # to one hour.
    #
    # @param [Hash] opts Options for getting temporary credentials.
    #
    # @option opts [Integer] :duration The duration, in seconds, that
    #   the session should last. Acceptable durations for IAM user
    #   sessions range from 3600s (one hour) to 129600s (36 hours),
    #   with 43200s (12 hours) as the default. Sessions for AWS
    #   account owners are restricted to a maximum of 3600s (one
    #   hour).
    #
    # @return [Session]
    def new_session(opts = {})
      get_session(:get_session_token, opts) do |resp, session_opts|
        Session.new(session_opts)
      end
    end

    # Returns a set of temporary credentials for a federated user with
    # the user name and policy specified in the request. The
    # credentials consist of an Access Key ID, a Secret Access Key,
    # and a security token. The credentials are valid for the
    # specified duration, between one and 36 hours.
    #
    # The federated user who holds these credentials has only those
    # permissions allowed by intersection of the specified policy and
    # any resource or user policies that apply to the caller of the
    # GetFederationToken API. For more information about how token
    # permissions work, see
    # {http://docs.amazonwebservices.com/IAM/latest/UserGuide/TokenPermissions.html
    # Controlling Token Permissions} in Using AWS Identity and Access
    # Management.
    #
    # @param [String] name The name of the federated user associated
    #   with the session.  Must be between 2 and 32 characters in
    #   length.
    #
    # @param [Hash] opts Options for getting temporary credentials.
    #
    # @option opts [Integer] :duration The duration, in seconds, that
    #   the session should last. Acceptable durations for federation
    #   sessions range from 3600s (one hour) to 129600s (36 hours),
    #   with one hour as the default.
    #
    # @option opts [String, AWS::STS::Policy] :policy A policy
    #   specifying the permissions to associate with the session. The
    #   caller can delegate their own permissions by specifying a
    #   policy for the session, and both policies will be checked when
    #   a service call is made. In other words, permissions of the
    #   session credentials are the intersection of the policy
    #   specified in the API and the policies associated with the user
    #   who issued the session.
    #
    # @return [FederatedSession]
    #
    def new_federated_session(name, opts = {})
      opts = opts.merge(:name => name)
      case
      when opts[:policy].kind_of?(String) || !opts[:policy]
        # leave it alone
      when opts[:policy].respond_to?(:to_json)
        opts[:policy] = opts[:policy].to_json
      end
      get_session(:get_federation_token, opts) do |resp, session_opts|
        session_opts.merge!(
          :user_id => resp[:federated_user][:federated_user_id],
          :user_arn => resp[:federated_user][:arn],
          :packed_policy_size => resp[:packed_policy_size]
        )
        FederatedSession.new(session_opts)
      end
    end

    # @private
    protected
    def get_session(method, opts = {})
      opts[:duration_seconds] = opts.delete(:duration) if
        opts[:duration]
      resp = client.send(method, opts)
      credentials = resp[:credentials].dup
      session_opts = {
        :credentials => credentials,
        :expires_at => credentials.delete(:expiration),
      }
      yield(resp, session_opts)
    end

  end

end