feat(rt): STS assume role and web identity credentials providers (#36)

kggilmer · web-flow · commit baaa2a086ed4 · 2021-10-20T11:43:05.000-07:00
diff --git a/src/common/src/aws/sdk/kotlin/crt/auth/credentials/StsAssumeRoleCredentialsProvider.kt b/src/common/src/aws/sdk/kotlin/crt/auth/credentials/StsAssumeRoleCredentialsProvider.kt
@@ -0,0 +1,57 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+package aws.sdk.kotlin.crt.auth.credentials
+
+import aws.sdk.kotlin.crt.io.ClientBootstrap
+import aws.sdk.kotlin.crt.io.TlsContext
+
+/**
+ * Provides credentials from STS by assuming a role
+ */
+public expect class StsAssumeRoleCredentialsProvider
+internal constructor(builder: StsAssumeRoleCredentialsProviderBuilder) : CredentialsProvider {
+    public companion object
+}
+
+public class StsAssumeRoleCredentialsProviderBuilder {
+    /**
+     * Connection bootstrap to use for any network connections made while sourcing credentials.
+     */
+    public var clientBootstrap: ClientBootstrap? = null
+
+    /**
+     * The tls context to use for any secure network connections made while sourcing credentials.
+     */
+    public var tlsContext: TlsContext? = null
+
+    /**
+     * The underlying Credentials Provider to use for source credentials.
+     */
+    public var credentialsProvider: CredentialsProvider? = null
+
+    /**
+     * The target role's ARN.
+     */
+    public var roleArn: String? = null
+
+    /**
+     * The name to associate with the session
+     */
+    public var sessionName: String? = null
+
+    /**
+     * The number of seconds from authentication that the session is valid for
+     */
+    public var durationSeconds: Int? = null
+
+    public fun build(): StsAssumeRoleCredentialsProvider = StsAssumeRoleCredentialsProvider(this)
+}
+
+/**
+ * Construct a new credentials provider using a builder.
+ */
+public fun StsAssumeRoleCredentialsProvider.Companion.build(block: StsAssumeRoleCredentialsProviderBuilder.() -> Unit):
+    StsAssumeRoleCredentialsProvider = StsAssumeRoleCredentialsProviderBuilder().apply(block).build()
diff --git a/src/common/src/aws/sdk/kotlin/crt/auth/credentials/StsWebIdentityCredentialsProvider.kt b/src/common/src/aws/sdk/kotlin/crt/auth/credentials/StsWebIdentityCredentialsProvider.kt
@@ -0,0 +1,38 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+package aws.sdk.kotlin.crt.auth.credentials
+
+import aws.sdk.kotlin.crt.io.ClientBootstrap
+import aws.sdk.kotlin.crt.io.TlsContext
+
+/**
+ * Sts with web identity credentials provider sources a set of temporary security credentials for users who have been
+ * authenticated in a mobile or web application with a web identity provider.
+ */
+public expect class StsWebIdentityCredentialsProvider
+internal constructor(builder: StsWebIdentityCredentialsProviderBuilder) : CredentialsProvider {
+    public companion object
+}
+
+public class StsWebIdentityCredentialsProviderBuilder {
+    /**
+     * Connection bootstrap to use for any network connections made while sourcing credentials.
+     */
+    public var clientBootstrap: ClientBootstrap? = null
+
+    /**
+     * The tls context to use for any secure network connections made while sourcing credentials.
+     */
+    public var tlsContext: TlsContext? = null
+
+    public fun build(): StsWebIdentityCredentialsProvider = StsWebIdentityCredentialsProvider(this)
+}
+
+/**
+ * Construct a new credentials provider using a builder.
+ */
+public fun StsWebIdentityCredentialsProvider.Companion.build(block: StsWebIdentityCredentialsProviderBuilder.() -> Unit):
+    StsWebIdentityCredentialsProvider = StsWebIdentityCredentialsProviderBuilder().apply(block).build()
diff --git a/src/jvm/src/aws/sdk/kotlin/crt/auth/credentials/StsAssumeRoleCredentialsProviderJVM.kt b/src/jvm/src/aws/sdk/kotlin/crt/auth/credentials/StsAssumeRoleCredentialsProviderJVM.kt
@@ -0,0 +1,74 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+package aws.sdk.kotlin.crt.auth.credentials
+
+import kotlinx.coroutines.*
+import kotlinx.coroutines.CoroutineStart
+import kotlinx.coroutines.future.asCompletableFuture
+import kotlinx.coroutines.runBlocking
+import java.util.concurrent.CompletableFuture
+import software.amazon.awssdk.crt.auth.credentials.Credentials as CredentialsJni
+import software.amazon.awssdk.crt.auth.credentials.CredentialsProvider as CredentialsProviderJni
+import software.amazon.awssdk.crt.auth.credentials.StsCredentialsProvider as StsCredentialsProviderJni
+
+// Based from the Java SDK default
+// https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/sts/model/AssumeRoleRequest.html#durationSeconds
+private const val DEFAULT_DURATION_SECONDS = 3600
+
+public actual class StsAssumeRoleCredentialsProvider
+internal actual constructor(builder: StsAssumeRoleCredentialsProviderBuilder) :
+    CredentialsProvider, JniCredentialsProvider() {
+    public actual companion object {}
+
+    override val jniCredentials: CredentialsProviderJni =
+        StsCredentialsProviderJni
+            .builder()
+            .withClientBootstrap(builder.clientBootstrap?.jniBootstrap)
+            .withTlsContext(builder.tlsContext?.jniCtx)
+            .withCredsProvider(adapt(builder.credentialsProvider))
+            .withDurationSeconds(builder.durationSeconds ?: DEFAULT_DURATION_SECONDS)
+            .withRoleArn(builder.roleArn)
+            .withSessionName(builder.sessionName)
+            .build()
+}
+
+// Convert the SDK version of CredentialsProvider type to the CRT version
+internal fun adapt(credentialsProvider: CredentialsProvider?): CredentialsProviderJni? {
+    return if (credentialsProvider == null) {
+        null
+    } else {
+        toCrtCredentialsProvider(credentialsProvider)
+    }
+}
+
+private fun toCrtCredentialsProvider(sdkCredentialsProvider: CredentialsProvider): CredentialsProviderJni {
+    return object : CredentialsProviderJni() {
+
+        override fun getCredentials(): CompletableFuture<CredentialsJni> = runBlocking {
+            val deferred = async(start = CoroutineStart.UNDISPATCHED) {
+                toCrtCredentials(sdkCredentialsProvider.getCredentials())
+            }
+
+            deferred.asCompletableFuture()
+        }
+    }
+}
+
+private fun toCrtCredentials(sdkCredentials: Credentials): CredentialsJni {
+    return object : CredentialsJni() {
+        override fun getAccessKeyId(): ByteArray {
+            return sdkCredentials.accessKeyId.encodeToByteArray()
+        }
+
+        override fun getSecretAccessKey(): ByteArray {
+            return sdkCredentials.secretAccessKey.encodeToByteArray()
+        }
+
+        override fun getSessionToken(): ByteArray {
+            return sdkCredentials.sessionToken?.encodeToByteArray() ?: ByteArray(0)
+        }
+    }
+}
diff --git a/src/jvm/src/aws/sdk/kotlin/crt/auth/credentials/StsWebIdentityCredentialsProviderJVM.kt b/src/jvm/src/aws/sdk/kotlin/crt/auth/credentials/StsWebIdentityCredentialsProviderJVM.kt
@@ -0,0 +1,22 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+package aws.sdk.kotlin.crt.auth.credentials
+
+import software.amazon.awssdk.crt.auth.credentials.CredentialsProvider as CredentialsProviderJni
+import software.amazon.awssdk.crt.auth.credentials.StsWebIdentityCredentialsProvider as StsWebIdentityCredentialsProviderJni
+
+public actual class StsWebIdentityCredentialsProvider
+internal actual constructor(builder: StsWebIdentityCredentialsProviderBuilder) :
+    CredentialsProvider, JniCredentialsProvider() {
+    public actual companion object {}
+
+    override val jniCredentials: CredentialsProviderJni =
+        StsWebIdentityCredentialsProviderJni
+            .builder()
+            .withClientBootstrap(builder.clientBootstrap?.jniBootstrap)
+            .withTlsContext(builder.tlsContext?.jniCtx)
+            .build()
+}
diff --git a/src/jvm/test/aws/sdk/kotlin/crt/auth/credentials/StsAssumeRoleCredentialsProviderJVMTest.kt b/src/jvm/test/aws/sdk/kotlin/crt/auth/credentials/StsAssumeRoleCredentialsProviderJVMTest.kt
@@ -0,0 +1,37 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+package aws.sdk.kotlin.crt.auth.credentials
+
+import kotlin.test.Test
+import kotlin.test.assertContentEquals
+import kotlin.test.assertNotNull
+
+private val ACCESS_KEY = "ACCESS_KEY".encodeToByteArray()
+private val SECRET_ACCESS_KEY = "SECRET_ACCESS_KEY".encodeToByteArray()
+private val SESSION_TOKEN = "SESSION_TOKEN".encodeToByteArray()
+
+class StsAssumeRoleCredentialsProviderJVMTest {
+
+    @Test
+    fun itAdaptsSdkToCrtCredentialsProviderTypes() {
+        val sdkCredentialsProvider = object : CredentialsProvider {
+            override suspend fun getCredentials(): Credentials =
+                Credentials(ACCESS_KEY, SECRET_ACCESS_KEY, SESSION_TOKEN)
+
+            override fun close() {}
+            override suspend fun waitForShutdown() {}
+        }
+
+        val adapted = adapt(sdkCredentialsProvider)
+
+        assertNotNull(adapted)
+
+        val adaptedCreds = adapted.credentials.get()
+
+        assertContentEquals(adaptedCreds.accessKeyId, ACCESS_KEY)
+        assertContentEquals(adaptedCreds.secretAccessKey, SECRET_ACCESS_KEY)
+        assertContentEquals(adaptedCreds.sessionToken, SESSION_TOKEN)
+    }
+}
