{-# LANGUAGE OverloadedStrings #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Network.AWS.STS.Types
-- Copyright   : (c) 2013-2015 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
--
module Network.AWS.STS.Types
    (
    -- * Service Configuration
      sTS

    -- * Errors
    , _MalformedPolicyDocumentException
    , _InvalidAuthorizationMessageException
    , _PackedPolicyTooLargeException
    , _IdPCommunicationErrorException
    , _InvalidIdentityTokenException
    , _ExpiredTokenException
    , _IdPRejectedClaimException

    -- * AssumedRoleUser
    , AssumedRoleUser
    , assumedRoleUser
    , aruAssumedRoleId
    , aruARN

    -- * Credentials
    -- NOTE(review): the accessors below expose the secret access key and the
    -- session token. How 'Credentials' renders them (Show, logging) is decided
    -- in "Network.AWS.STS.Types.Product", outside this file -- confirm there.
    , Credentials
    , credentials
    , cAccessKeyId
    , cSecretAccessKey
    , cSessionToken
    , cExpiration

    -- * FederatedUser
    , FederatedUser
    , federatedUser
    , fuFederatedUserId
    , fuARN
    ) where

import Network.AWS.Prelude
import Network.AWS.Sign.V4
import Network.AWS.STS.Types.Product
import Network.AWS.STS.Types.Sum

-- | Service configuration for the Amazon Security Token Service (STS),
-- API version @2011-06-15@.
--
-- Requests are signed with 'v4', responses are accepted via 'statusSuccess'
-- and error bodies are decoded with 'parseXMLError'.
--
-- The retry policy is exponential (base 0.05, growth 2, 5 attempts). Only
-- throttling responses and HTTP 500, 503 and 509 produce a retry label; every
-- other error falls through to 'Nothing'. That includes the identity-token and
-- policy errors matched by the prisms exported from this module.
-- NOTE(review): 'Nothing' presumably means "do not retry"; the consumer of
-- '_retryCheck' is outside this file -- confirm.
sTS :: Service
sTS =
    Service
        { _svcAbbrev   = "STS"
        , _svcSigner   = v4
        , _svcPrefix   = "sts"
        , _svcVersion  = "2011-06-15"
          -- Self-reference: the endpoint is computed from this same value.
        , _svcEndpoint = defaultEndpoint sTS
          -- Unit is not visible in this file (presumably seconds) -- confirm.
        , _svcTimeout  = Just 70
        , _svcCheck    = statusSuccess
        , _svcError    = parseXMLError
        , _svcRetry    = backoff
        }
  where
    -- Exponential back-off parameters handed to the service's retry field.
    backoff =
        Exponential
            { _retryBase     = 0.05
            , _retryGrowth   = 2
            , _retryAttempts = 5
            , _retryCheck    = retryLabel
            }

    -- Map an error to the label under which it is retried, trying the
    -- throttling codes first and the bare status codes afterwards.
    retryLabel e
        | matches (hasCode "ThrottlingException" . hasStatus 400) =
            Just "throttling_exception"
        | matches (hasCode "Throttling" . hasStatus 400) =
            Just "throttling"
        | matches (hasStatus 503) = Just "service_unavailable"
        | matches (hasStatus 500) = Just "general_server_error"
        | matches (hasStatus 509) = Just "limit_exceeded"
        | otherwise               = Nothing
      where
        matches optic = has optic e

-- | The request was rejected because the policy document was malformed. The
-- error message describes the specific error.
--
-- Matches a 'ServiceError' with HTTP status 400 and error code
-- @MalformedPolicyDocument@.
_MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError
_MalformedPolicyDocumentException = _ServiceError . matching
  where
    matching = hasStatus 400 . hasCode "MalformedPolicyDocument"

-- | The message passed to @DecodeAuthorizationMessage@ was invalid. This can
-- happen if the token contains invalid characters, such as linebreaks.
--
-- Matches a 'ServiceError' with HTTP status 400 and error code
-- @InvalidAuthorizationMessageException@.
_InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError
_InvalidAuthorizationMessageException = _ServiceError . matching
  where
    matching = hasStatus 400 . hasCode "InvalidAuthorizationMessageException"

-- | The request was rejected because the policy document was too large. The
-- error message describes how big the policy document is, in packed form,
-- as a percentage of what the API allows.
--
-- Matches a 'ServiceError' with HTTP status 400 and error code
-- @PackedPolicyTooLarge@.
_PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError
_PackedPolicyTooLargeException = _ServiceError . matching
  where
    matching = hasStatus 400 . hasCode "PackedPolicyTooLarge"

-- | The request could not be fulfilled because the non-AWS identity provider
-- (IDP) that was asked to verify the incoming identity token could not be
-- reached. This is often a transient error caused by network conditions.
-- Retry the request a limited number of times so that you do not exceed the
-- request rate. If the error persists, the non-AWS identity provider might
-- be down or not responding.
--
-- Matches a 'ServiceError' with HTTP status 400 and error code
-- @IDPCommunicationError@. The retry check in 'sTS' does not list this code,
-- so the bounded retry described above appears to be left to the caller.
-- NOTE(review): confirm against the code that consumes the retry check.
_IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError
_IdPCommunicationErrorException = _ServiceError . matching
  where
    matching = hasStatus 400 . hasCode "IDPCommunicationError"

-- | The web identity token that was passed could not be validated by AWS.
-- Get a new identity token from the identity provider and then retry the
-- request.
--
-- Matches a 'ServiceError' with HTTP status 400 and error code
-- @InvalidIdentityToken@.
_InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError
_InvalidIdentityTokenException = _ServiceError . matching
  where
    matching = hasStatus 400 . hasCode "InvalidIdentityToken"

-- | The web identity token that was passed is expired or is not valid.
-- Get a new identity token from the identity provider and then retry the
-- request.
--
-- Matches a 'ServiceError' with HTTP status 400 and error code
-- @ExpiredTokenException@.
_ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError
_ExpiredTokenException = _ServiceError . matching
  where
    matching = hasStatus 400 . hasCode "ExpiredTokenException"

-- | The identity provider (IdP) reported that authentication failed. This
-- might be because the claim is invalid.
--
-- If this error is returned for the @AssumeRoleWithWebIdentity@ operation,
-- it can also mean that the claim has expired or has been explicitly
-- revoked.
--
-- Matches a 'ServiceError' with HTTP status 403 and error code
-- @IDPRejectedClaim@. It is the only matcher in this module keyed on 403
-- rather than 400, so code that groups STS failures by status needs a
-- separate case for it.
_IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError
_IdPRejectedClaimException = _ServiceError . matching
  where
    matching = hasStatus 403 . hasCode "IDPRejectedClaim"