1 files changed, 161 insertions, 17 deletions
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
index 3d52fc2..96c740d 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
@@ -1,7 +1,13 @@
 package session
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
@@ -52,7 +58,7 @@ func New(cfgs ...*aws.Config) *Session {
 	envCfg := loadEnvConfig()
 
 	if envCfg.EnableSharedConfig {
-		s, err := newSession(envCfg, cfgs...)
+		s, err := newSession(Options{}, envCfg, cfgs...)
 		if err != nil {
 			// Old session.New expected all errors to be discovered when
 			// a request is made, and would report the errors then. This
@@ -73,7 +79,7 @@ func New(cfgs ...*aws.Config) *Session {
 		return s
 	}
 
-	return oldNewSession(cfgs...)
+	return deprecatedNewSession(cfgs...)
 }
 
 // NewSession returns a new Session created from SDK defaults, config files,
@@ -92,9 +98,10 @@ func New(cfgs ...*aws.Config) *Session {
 // control through code how the Session will be created. Such as specifying the
 // config profile, and controlling if shared config is enabled or not.
 func NewSession(cfgs ...*aws.Config) (*Session, error) {
-	envCfg := loadEnvConfig()
+	opts := Options{}
+	opts.Config.MergeIn(cfgs...)
 
-	return newSession(envCfg, cfgs...)
+	return NewSessionWithOptions(opts)
 }
 
 // SharedConfigState provides the ability to optionally override the state
@@ -147,6 +154,41 @@ type Options struct {
 	// will allow you to override the AWS_SDK_LOAD_CONFIG environment variable
 	// and enable or disable the shared config functionality.
 	SharedConfigState SharedConfigState
+
+	// When the SDK's shared config is configured to assume a role with MFA
+	// this option is required in order to provide the mechanism that will
+	// retrieve the MFA token. There is no default value for this field. If
+	// it is not set an error will be returned when creating the session.
+	//
+	// This token provider will be called when ever the assumed role's
+	// credentials need to be refreshed. Within the context of service clients
+	// all sharing the same session the SDK will ensure calls to the token
+	// provider are atomic. When sharing a token provider across multiple
+	// sessions additional synchronization logic is needed to ensure the
+	// token providers do not introduce race conditions. It is recommend to
+	// share the session where possible.
+	//
+	// stscreds.StdinTokenProvider is a basic implementation that will prompt
+	// from stdin for the MFA token code.
+	//
+	// This field is only used if the shared configuration is enabled, and
+	// the config enables assume role wit MFA via the mfa_serial field.
+	AssumeRoleTokenProvider func() (string, error)
+
+	// Reader for a custom Credentials Authority (CA) bundle in PEM format that
+	// the SDK will use instead of the default system's root CA bundle. Use this
+	// only if you want to replace the CA bundle the SDK uses for TLS requests.
+	//
+	// Enabling this option will attempt to merge the Transport into the SDK's HTTP
+	// client. If the client's Transport is not a http.Transport an error will be
+	// returned. If the Transport's TLS config is set this option will cause the SDK
+	// to overwrite the Transport's TLS config's  RootCAs value. If the CA
+	// bundle reader contains multiple certificates all of them will be loaded.
+	//
+	// The Session option CustomCABundle is also available when creating sessions
+	// to also enable this feature. CustomCABundle session option field has priority
+	// over the AWS_CA_BUNDLE environment variable, and will be used if both are set.
+	CustomCABundle io.Reader
 }
 
 // NewSessionWithOptions returns a new Session created from SDK defaults, config files,
@@ -161,23 +203,23 @@ type Options struct {
 // to be built with retrieving credentials with AssumeRole set in the config.
 //
 //     // Equivalent to session.New
-//     sess, err := session.NewSessionWithOptions(session.Options{})
+//     sess := session.Must(session.NewSessionWithOptions(session.Options{}))
 //
 //     // Specify profile to load for the session's config
-//     sess, err := session.NewSessionWithOptions(session.Options{
+//     sess := session.Must(session.NewSessionWithOptions(session.Options{
 //          Profile: "profile_name",
-//     })
+//     }))
 //
 //     // Specify profile for config and region for requests
-//     sess, err := session.NewSessionWithOptions(session.Options{
+//     sess := session.Must(session.NewSessionWithOptions(session.Options{
 //          Config: aws.Config{Region: aws.String("us-east-1")},
 //          Profile: "profile_name",
-//     })
+//     }))
 //
 //     // Force enable Shared Config support
-//     sess, err := session.NewSessionWithOptions(session.Options{
+//     sess := session.Must(session.NewSessionWithOptions(session.Options{
 //         SharedConfigState: SharedConfigEnable,
-//     })
+//     }))
 func NewSessionWithOptions(opts Options) (*Session, error) {
 	var envCfg envConfig
 	if opts.SharedConfigState == SharedConfigEnable {
@@ -197,7 +239,18 @@ func NewSessionWithOptions(opts Options) (*Session, error) {
 		envCfg.EnableSharedConfig = true
 	}
 
-	return newSession(envCfg, &opts.Config)
+	// Only use AWS_CA_BUNDLE if session option is not provided.
+	if len(envCfg.CustomCABundle) != 0 && opts.CustomCABundle == nil {
+		f, err := os.Open(envCfg.CustomCABundle)
+		if err != nil {
+			return nil, awserr.New("LoadCustomCABundleError",
+				"failed to open custom CA bundle PEM file", err)
+		}
+		defer f.Close()
+		opts.CustomCABundle = f
+	}
+
+	return newSession(opts, envCfg, &opts.Config)
 }
 
 // Must is a helper function to ensure the Session is valid and there was no
@@ -215,7 +268,7 @@ func Must(sess *Session, err error) *Session {
 	return sess
 }
 
-func oldNewSession(cfgs ...*aws.Config) *Session {
+func deprecatedNewSession(cfgs ...*aws.Config) *Session {
 	cfg := defaults.Config()
 	handlers := defaults.Handlers()
 
@@ -242,7 +295,7 @@ func oldNewSession(cfgs ...*aws.Config) *Session {
 	return s
 }
 
-func newSession(envCfg envConfig, cfgs ...*aws.Config) (*Session, error) {
+func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session, error) {
 	cfg := defaults.Config()
 	handlers := defaults.Handlers()
 
@@ -266,7 +319,9 @@ func newSession(envCfg envConfig, cfgs ...*aws.Config) (*Session, error) {
 		return nil, err
 	}
 
-	mergeConfigSrcs(cfg, userCfg, envCfg, sharedCfg, handlers)
+	if err := mergeConfigSrcs(cfg, userCfg, envCfg, sharedCfg, handlers, opts); err != nil {
+		return nil, err
+	}
 
 	s := &Session{
 		Config:   cfg,
@@ -275,10 +330,62 @@ func newSession(envCfg envConfig, cfgs ...*aws.Config) (*Session, error) {
 
 	initHandlers(s)
 
+	// Setup HTTP client with custom cert bundle if enabled
+	if opts.CustomCABundle != nil {
+		if err := loadCustomCABundle(s, opts.CustomCABundle); err != nil {
+			return nil, err
+		}
+	}
+
 	return s, nil
 }
 
-func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg sharedConfig, handlers request.Handlers) {
+func loadCustomCABundle(s *Session, bundle io.Reader) error {
+	var t *http.Transport
+	switch v := s.Config.HTTPClient.Transport.(type) {
+	case *http.Transport:
+		t = v
+	default:
+		if s.Config.HTTPClient.Transport != nil {
+			return awserr.New("LoadCustomCABundleError",
+				"unable to load custom CA bundle, HTTPClient's transport unsupported type", nil)
+		}
+	}
+	if t == nil {
+		t = &http.Transport{}
+	}
+
+	p, err := loadCertPool(bundle)
+	if err != nil {
+		return err
+	}
+	if t.TLSClientConfig == nil {
+		t.TLSClientConfig = &tls.Config{}
+	}
+	t.TLSClientConfig.RootCAs = p
+
+	s.Config.HTTPClient.Transport = t
+
+	return nil
+}
+
+func loadCertPool(r io.Reader) (*x509.CertPool, error) {
+	b, err := ioutil.ReadAll(r)
+	if err != nil {
+		return nil, awserr.New("LoadCustomCABundleError",
+			"failed to read custom CA bundle PEM file", err)
+	}
+
+	p := x509.NewCertPool()
+	if !p.AppendCertsFromPEM(b) {
+		return nil, awserr.New("LoadCustomCABundleError",
+			"failed to load custom CA bundle PEM file", err)
+	}
+
+	return p, nil
+}
+
+func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg sharedConfig, handlers request.Handlers, sessOpts Options) error {
 	// Merge in user provided configuration
 	cfg.MergeIn(userCfg)
 
@@ -302,6 +409,11 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg share
 			cfgCp.Credentials = credentials.NewStaticCredentialsFromCreds(
 				sharedCfg.AssumeRoleSource.Creds,
 			)
+			if len(sharedCfg.AssumeRole.MFASerial) > 0 && sessOpts.AssumeRoleTokenProvider == nil {
+				// AssumeRole Token provider is required if doing Assume Role
+				// with MFA.
+				return AssumeRoleTokenProviderNotSetError{}
+			}
 			cfg.Credentials = stscreds.NewCredentials(
 				&Session{
 					Config:   &cfgCp,
@@ -311,11 +423,16 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg share
 				func(opt *stscreds.AssumeRoleProvider) {
 					opt.RoleSessionName = sharedCfg.AssumeRole.RoleSessionName
 
+					// Assume role with external ID
 					if len(sharedCfg.AssumeRole.ExternalID) > 0 {
 						opt.ExternalID = aws.String(sharedCfg.AssumeRole.ExternalID)
 					}
 
-					// MFA not supported
+					// Assume role with MFA
+					if len(sharedCfg.AssumeRole.MFASerial) > 0 {
+						opt.SerialNumber = aws.String(sharedCfg.AssumeRole.MFASerial)
+						opt.TokenProvider = sessOpts.AssumeRoleTokenProvider
+					}
 				},
 			)
 		} else if len(sharedCfg.Creds.AccessKeyID) > 0 {
@@ -336,6 +453,33 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg share
 			})
 		}
 	}
+
+	return nil
+}
+
+// AssumeRoleTokenProviderNotSetError is an error returned when creating a session when the
+// MFAToken option is not set when shared config is configured load assume a
+// role with an MFA token.
+type AssumeRoleTokenProviderNotSetError struct{}
+
+// Code is the short id of the error.
+func (e AssumeRoleTokenProviderNotSetError) Code() string {
+	return "AssumeRoleTokenProviderNotSetError"
+}
+
+// Message is the description of the error
+func (e AssumeRoleTokenProviderNotSetError) Message() string {
+	return fmt.Sprintf("assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.")
+}
+
+// OrigErr is the underlying error that caused the failure.
+func (e AssumeRoleTokenProviderNotSetError) OrigErr() error {
+	return nil
+}
+
+// Error satisfies the error interface.
+func (e AssumeRoleTokenProviderNotSetError) Error() string {
+	return awserr.SprintError(e.Code(), e.Message(), "", nil)
 }
 
 type credProviderError struct {