Use the SSOTokenProvider in the SSOCredentialProvider (#3532)

* Use the SSOTokenProvider in the SSOCredentialProvider

* Use the SSOTokenProvider in the SSOCredentialProvider , Handled review comments

* Adding sso and auth-test in tests-coverage-reporting/pom.xml

* Added sso_start_url validation check such that profile and sso-session has same sso_start_url

* Updated the error message when common properties mismatch

Author: joviegas

.changes/next-release/feature-AWSSDKforJavav2-532ae2a.json

@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS SDK for Java v2",
+    "contributor": "",
+    "description": "The SSOCredentialProvider should resolve to SSO Token Provider if the profile has sso_session property defined in it."
+}

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/ProfileCredentialsProviderFactory.java

@@ -16,14 +16,13 @@
 package software.amazon.awssdk.auth.credentials;
 
 import software.amazon.awssdk.annotations.SdkProtectedApi;
-import software.amazon.awssdk.profiles.Profile;
 
 /**
- * A factory for {@link AwsCredentialsProvider}s, which can be used to create different credentials providers with
- * different Profile properties.
+ * A factory for {@link AwsCredentialsProvider}s, which can be used to create different credentials providers with different
+ * Provider specifications like profile properties.
  */
 @FunctionalInterface
 @SdkProtectedApi
 public interface ProfileCredentialsProviderFactory {
-    AwsCredentialsProvider create(Profile profile);
+    AwsCredentialsProvider create(ProfileProviderCredentialsContext profileProviderCredentialsContext);
 }

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/ProfileProviderCredentialsContext.java

@@ -0,0 +1,110 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.auth.credentials;
+
+
+import java.util.Objects;
+import software.amazon.awssdk.annotations.SdkProtectedApi;
+import software.amazon.awssdk.profiles.Profile;
+import software.amazon.awssdk.profiles.ProfileFile;
+
+/**
+ * Context class that defines the required properties for creation of a Credentials provider*
+ */
+@SdkProtectedApi
+public final class ProfileProviderCredentialsContext {
+
+    private final Profile profile;
+    private final ProfileFile profileFile;
+
+    private ProfileProviderCredentialsContext(Profile profile, ProfileFile profileFile) {
+        this.profile = profile;
+        this.profileFile = profileFile;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    /**
+     * Getter method for profile.
+     * @return The profile that should be used to load the configuration necessary to create the credential provider.
+     */
+    public Profile profile() {
+        return profile;
+    }
+
+    /**
+     * Getter for profileFile.
+     * @return ProfileFile that has the profile which is used to create the credential provider.
+     */
+    public ProfileFile profileFile() {
+        return profileFile;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+
+        ProfileProviderCredentialsContext that = (ProfileProviderCredentialsContext) o;
+        return Objects.equals(profile, that.profile) && Objects.equals(profileFile, that.profileFile);
+    }
+
+    @Override
+    public int hashCode() {
+        int result = profile != null ? profile.hashCode() : 0;
+        result = 31 * result + (profileFile != null ? profileFile.hashCode() : 0);
+        return result;
+    }
+
+    public static final class Builder {
+        private Profile profile;
+        private ProfileFile profileFile;
+
+        private Builder() {
+        }
+
+        /**
+         * Builder interface to set profile.
+         * @param profile The profile that should be used to load the configuration necessary to create the credential provider.
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
+        public Builder profile(Profile profile) {
+            this.profile = profile;
+            return this;
+        }
+
+        /**
+         * Builder interface to set ProfileFile.
+         * @param profileFile The ProfileFile that has the profile which is used to create the credential provider. This is *
+         *                    required to fetch the titles like sso-session defined in profile property* *
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
+        public Builder profileFile(ProfileFile profileFile) {
+            this.profileFile = profileFile;
+            return this;
+        }
+
+        public ProfileProviderCredentialsContext build() {
+            return new ProfileProviderCredentialsContext(profile, profileFile);
+        }
+    }
+}

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/ProfileCredentialsUtils.java

@@ -36,12 +36,14 @@
 import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.ProcessCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.ProfileCredentialsProviderFactory;
+import software.amazon.awssdk.auth.credentials.ProfileProviderCredentialsContext;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.SystemPropertyCredentialsProvider;
 import software.amazon.awssdk.core.internal.util.ClassLoaderHelper;
 import software.amazon.awssdk.profiles.Profile;
 import software.amazon.awssdk.profiles.ProfileFile;
 import software.amazon.awssdk.profiles.ProfileProperty;
+import software.amazon.awssdk.profiles.internal.ProfileSection;
 import software.amazon.awssdk.utils.SdkAutoCloseable;
 import software.amazon.awssdk.utils.Validate;
 
@@ -110,8 +112,11 @@ private Optional<AwsCredentialsProvider> credentialsProvider(Set<String> childre
             return Optional.ofNullable(roleAndWebIdentityTokenProfileCredentialsProvider());
         }
 
-        if (properties.containsKey(ProfileProperty.SSO_ROLE_NAME) || properties.containsKey(ProfileProperty.SSO_ACCOUNT_ID)
-            || properties.containsKey(ProfileProperty.SSO_REGION) || properties.containsKey(ProfileProperty.SSO_START_URL)) {
+        if (properties.containsKey(ProfileProperty.SSO_ROLE_NAME)
+            || properties.containsKey(ProfileProperty.SSO_ACCOUNT_ID)
+            || properties.containsKey(ProfileProperty.SSO_REGION)
+            || properties.containsKey(ProfileProperty.SSO_START_URL)
+            || properties.containsKey(ProfileSection.SSO_SESSION.getPropertyKeyName())) {
             return Optional.ofNullable(ssoProfileCredentialsProvider());
         }
 
@@ -182,11 +187,21 @@ private AwsCredentialsProvider credentialProcessCredentialsProvider() {
      * Create the SSO credentials provider based on the related profile properties.
      */
     private AwsCredentialsProvider ssoProfileCredentialsProvider() {
+        validateRequiredPropertiesForSsoCredentialsProvider();
+        return ssoCredentialsProviderFactory().create(
+            ProfileProviderCredentialsContext.builder()
+                                             .profile(profile)
+                                             .profileFile(profileFile)
+                                             .build());
+    }
+
+    private void validateRequiredPropertiesForSsoCredentialsProvider() {
         requireProperties(ProfileProperty.SSO_ACCOUNT_ID,
-                          ProfileProperty.SSO_REGION,
-                          ProfileProperty.SSO_ROLE_NAME,
-                          ProfileProperty.SSO_START_URL);
-        return ssoCredentialsProviderFactory().create(profile);
+                          ProfileProperty.SSO_ROLE_NAME);
+
+        if (!properties.containsKey(ProfileSection.SSO_SESSION.getPropertyKeyName())) {
+            requireProperties(ProfileProperty.SSO_REGION, ProfileProperty.SSO_START_URL);
+        }
     }
 
     private AwsCredentialsProvider roleAndWebIdentityTokenProfileCredentialsProvider() {

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/internal/ProfileCredentialsUtilsTest.java

@@ -19,15 +19,22 @@
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 import java.io.File;
+import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.List;
 import java.util.function.Consumer;
+import java.util.stream.Stream;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
 import software.amazon.awssdk.auth.credentials.ProcessCredentialsProviderTest;
+import software.amazon.awssdk.core.checksums.Algorithm;
+import software.amazon.awssdk.core.checksums.SdkChecksum;
 import software.amazon.awssdk.profiles.ProfileFile;
 import software.amazon.awssdk.profiles.ProfileProperty;
 import software.amazon.awssdk.utils.StringInputStream;
@@ -205,6 +212,60 @@ public void profileFileWithCircularDependencyThrowsExceptionWhenResolvingCredent
                   .hasMessageContaining("Invalid profile file: Circular relationship detected with profiles");
     }
 
+    private static Stream<Arguments> roleProfileWithIncompleteSsoRoleNameSSOCredentialsProperties() {
+        return Stream.of(
+            // No sso_region
+            Arguments.of(configFile("[profile test]\n" +
+                                    "sso_account_id=accountId\n" +
+                                    "sso_role_name=roleName\n" +
+                                    "sso_start_url=https//d-abc123.awsapps.com/start"),
+                         "Profile property 'sso_region' was not configured for 'test'"),
+            // No sso_account_id
+            Arguments.of(configFile("[profile test]\n" +
+                                    "sso_region=region\n" +
+                                    "sso_role_name=roleName\n" +
+                                    "sso_start_url=https//d-abc123.awsapps.com/start"),
+                         "Profile property 'sso_account_id' was not configured for 'test'"),
+            // No sso_start_url
+            Arguments.of(configFile("[profile test]\n" +
+                                    "sso_account_id=accountId\n" +
+                                    "sso_region=region\n" +
+                                    "sso_role_name=roleName\n" +
+                                    "sso_region=region"),
+                         "Profile property 'sso_start_url' was not configured for 'test'"),
+            // No sso_role_name
+            Arguments.of(configFile("[profile test]\n" +
+                                    "sso_account_id=accountId\n" +
+                                    "sso_region=region\n" +
+                                    "sso_start_url=https//d-abc123.awsapps.com/start"),
+                         "Profile property 'sso_role_name' was not configured for 'test'"),
+            // sso_session with No sso_account_id
+            Arguments.of(configFile("[profile test]\n" +
+                                    "sso_session=session\n" +
+                                    "sso_role_name=roleName"),
+                         "Profile property 'sso_account_id' was not configured for 'test'"),
+            // sso_session with No sso_role_name
+            Arguments.of(configFile("[profile test]\n" +
+                                    "sso_session=session\n" +
+                                    "sso_account_id=accountId\n" +
+                                    "sso_start_url=https//d-abc123.awsapps.com/start"),
+                         "Profile property 'sso_role_name' was not configured for 'test'"),
+            Arguments.of(configFile("[profile test]\n" +
+                                    "sso_session=session"),
+                         "Profile property 'sso_account_id' was not configured for 'test'")
+        );
+    }
+
+    @ParameterizedTest
+    @MethodSource("roleProfileWithIncompleteSsoRoleNameSSOCredentialsProperties")
+    void validateCheckSumValues(ProfileFile profiles, String expectedValue) {
+        assertThat(profiles.profile("test")).hasValueSatisfying(profile -> {
+            ProfileCredentialsUtils profileCredentialsUtils = new ProfileCredentialsUtils(profiles, profile, profiles::profile);
+            assertThatThrownBy(profileCredentialsUtils::credentialsProvider)
+                .hasMessageContaining(expectedValue);
+        });
+    }
+
     @Test
     public void profileWithBothCredentialSourceAndSourceProfileThrowsException() {
         ProfileFile configFile = configFile("[profile test]\n" +
@@ -279,7 +340,7 @@ private ProfileFile allTypesProfile() {
                           "role_arn=arn:aws:iam::123456789012:role/testRole\n");
     }
 
-    private ProfileFile configFile(String configFile) {
+    private static ProfileFile configFile(String configFile) {
         return ProfileFile.builder()
                           .content(new StringInputStream(configFile))
                           .type(ProfileFile.Type.CONFIGURATION)

pom.xml

@@ -609,6 +609,7 @@
                             <exclude>software.amazon.awssdk.thirdparty.*</exclude>
                             <exclude>software.amazon.awssdk.regions.*</exclude>
                             <exclude>software.amazon.awssdk.core.signer.NoOpSigner</exclude>
+                            <exclude>software.amazon.awssdk.auth.credentials.ProfileCredentialsProviderFactory</exclude>
                         </excludes>
 
                         <ignoreMissingOldVersion>true</ignoreMissingOldVersion>

services/sso/pom.xml

@@ -79,5 +79,10 @@
             <artifactId>guava</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-junit-jupiter</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>