feat(rt)!: add sso credential provider; make all providers kmp compatible (#469)

Refactor credential providers to remove CRT dependency and make them KMP compatible. Added SSO provider to default chain. Lots of misc cleanup and improvements.


* feat(rt): standalone sso credentials provider (#462)
* refactor(rt)!: generated sts and sts web identity credential providers (#470)
* refactor(rt)!: implement kmp ecs provider (#475)
* feat(rt)!: implement kmp profile credentials provider (#478)
* feat(rt)!: kmp default credentials provider chain (#491)
* fix: work around machine-specific Gradle bug with aws-config variants (#496)
* fix: credentials provider ownership (#498)

Co-authored-by: Ian Botsford <[email protected]>

Author: aajtodd

.github/workflows/continuous-integration.yml

@@ -4,7 +4,9 @@ on:
   push:
     branches: [ main ]
   pull_request:
-    branches: [ main ]
+    branches:
+      - main
+      - 'feat-*'
   workflow_dispatch:
 
 env:

aws-runtime/aws-config/build.gradle.kts

@@ -2,22 +2,25 @@
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0.
  */
+import aws.sdk.kotlin.gradle.codegen.dsl.smithyKotlinPlugin
+
+plugins {
+    id("aws.sdk.kotlin.codegen")
+}
 
 description = "Support for AWS configuration"
 extra["moduleName"] = "aws.sdk.kotlin.runtime.config"
 
-val coroutinesVersion: String by project
-val crtKotlinVersion: String by project
-val kotestVersion: String by project
 val smithyKotlinVersion: String by project
+val kotestVersion: String by project
+val coroutinesVersion: String by project
 
 kotlin {
     sourceSets {
         commonMain {
             dependencies {
                 api(project(":aws-runtime:aws-core"))
                 api(project(":aws-runtime:aws-types"))
-
                 implementation("aws.smithy.kotlin:logging:$smithyKotlinVersion")
                 implementation("aws.smithy.kotlin:http:$smithyKotlinVersion")
                 implementation("aws.smithy.kotlin:utils:$smithyKotlinVersion")
@@ -27,9 +30,16 @@ kotlin {
                 // parsing common JSON credentials responses
                 implementation("aws.smithy.kotlin:serde-json:$smithyKotlinVersion")
 
-                // credential providers
-                implementation("aws.sdk.kotlin.crt:aws-crt-kotlin:$crtKotlinVersion")
-                implementation(project(":aws-runtime:crt-util"))
+
+                // additional dependencies required by generated sts provider
+                implementation("aws.smithy.kotlin:serde-form-url:$smithyKotlinVersion")
+                implementation("aws.smithy.kotlin:serde-xml:$smithyKotlinVersion")
+                implementation(project(":aws-runtime:protocols:aws-xml-protocols"))
+                implementation(project(":aws-runtime:aws-endpoint"))
+                implementation(project(":aws-runtime:aws-signing"))
+
+                // additional dependencies required by generated sso provider
+                implementation(project(":aws-runtime:protocols:aws-json-protocols"))
             }
         }
         commonTest {
@@ -55,3 +65,123 @@ kotlin {
         }
     }
 }
+
+fun awsModelFile(name: String): String =
+    rootProject.file("codegen/sdk/aws-models/$name").absolutePath
+
+codegen {
+    val basePackage = "aws.sdk.kotlin.runtime.auth.credentials.internal"
+
+    projections {
+
+        // generate an sts client
+        create("sts-credentials-provider") {
+            imports = listOf(
+                awsModelFile("sts.2011-06-15.json")
+            )
+
+            smithyKotlinPlugin {
+                serviceShapeId = "com.amazonaws.sts#AWSSecurityTokenServiceV20110615"
+                packageName = "${basePackage}.sts"
+                packageVersion = project.version.toString()
+                packageDescription = "Internal STS credentials provider"
+                sdkId = "STS"
+                buildSettings {
+                    generateDefaultBuildFiles = false
+                    generateFullProject = false
+                }
+            }
+
+            // TODO - could we add a trait such that we change visibility to `internal` or a build setting...?
+            transforms = listOf(
+                """
+            {
+                "name": "awsSdkKotlinIncludeOperations",
+                "args": {
+                    "operations": [
+                        "com.amazonaws.sts#AssumeRole",
+                        "com.amazonaws.sts#AssumeRoleWithWebIdentity"
+                    ]
+                }
+            }
+            """
+            )
+        }
+
+        // generate an sso client
+        create("sso-credentials-provider") {
+            imports = listOf(
+                awsModelFile("sso.2019-06-10.json")
+            )
+
+            val serviceShape = "com.amazonaws.sso#SWBPortalService"
+            smithyKotlinPlugin {
+                serviceShapeId = serviceShape
+                packageName = "${basePackage}.sso"
+                packageVersion = project.version.toString()
+                packageDescription = "Internal SSO credentials provider"
+                sdkId = "SSO"
+                buildSettings {
+                    generateDefaultBuildFiles = false
+                    generateFullProject = false
+                }
+            }
+
+            transforms = listOf(
+            """
+            {
+                "name": "awsSdkKotlinIncludeOperations",
+                "args": {
+                    "operations": [
+                        "com.amazonaws.sso#GetRoleCredentials"
+                    ]
+                }
+            }
+            """
+            )
+        }
+    }
+}
+
+/*
+NOTE: We need the following tasks to depend on codegen for gradle caching/up-to-date checks to work correctly:
+
+* `compileKotlinJvm` (Type=KotlinCompile)
+* `compileKotlinMetadata` (Type=KotlinCompileCommon)
+* `sourcesJar` and `jvmSourcesJar` (Type=org.gradle.jvm.tasks.Jar)
+*/
+val codegenTask = tasks.named("generateSmithyProjections")
+tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile> {
+    dependsOn(codegenTask)
+
+    // generated sts/sso credential providers have quite a few warnings
+    kotlinOptions.allWarningsAsErrors = false
+}
+
+tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompileCommon> {
+    dependsOn(codegenTask)
+}
+
+tasks.withType<org.gradle.jvm.tasks.Jar> {
+    dependsOn(codegenTask)
+}
+
+codegen.projections.all {
+    // add this projected source dir to the common sourceSet
+    // NOTE - build.gradle.kts is still being generated, it's NOT used though
+    // TODO - we should probably either have a postProcessing spec or a plugin setting to not generate it to avoid confusion
+    val projectedSrcDir = projectionRootDir.resolve("src/main/kotlin")
+    kotlin.sourceSets.commonMain {
+        println("added $projectedSrcDir to common sourceSet")
+        kotlin.srcDir(projectedSrcDir)
+    }
+}
+
+// Necessary to avoid Gradle problems identifying correct variant of aws-config. This stems from the smithy-gradle
+// plugin (used by codegen plugin) applying the Java plugin which creates these configurations.
+listOf("apiElements", "runtimeElements").forEach {
+    configurations.named(it) {
+        isCanBeConsumed = false
+    }
+}
+

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/CachedCredentialsProvider.kt

@@ -5,12 +5,23 @@
 
 package aws.sdk.kotlin.runtime.auth.credentials
 
-import aws.sdk.kotlin.crt.auth.credentials.build
+import aws.sdk.kotlin.runtime.config.CachedValue
+import aws.sdk.kotlin.runtime.config.ExpiringValue
+import aws.smithy.kotlin.runtime.io.Closeable
+import aws.smithy.kotlin.runtime.logging.Logger
+import aws.smithy.kotlin.runtime.time.Clock
 import kotlin.time.Duration
-import aws.sdk.kotlin.crt.auth.credentials.CachedCredentialsProvider as CachedCredentialsProviderCrt
+import kotlin.time.Duration.Companion.seconds
 
+private const val DEFAULT_CREDENTIALS_REFRESH_BUFFER_SECONDS = 10
 /**
- * Creates a provider that functions as a caching decorating of another provider.
+ * The amount of time credentials are valid for before being refreshed when an explicit value
+ * is not given to/from a provider
+ */
+public const val DEFAULT_CREDENTIALS_REFRESH_SECONDS: Int = 60 * 15
+
+/**
+ * Creates a provider that functions as a caching decorator of another provider.
  *
  * Credentials sourced through this provider will be cached within it until their expiration time.
  * When the cached credentials expire, new credentials will be fetched when next queried.
@@ -19,41 +30,40 @@ import aws.sdk.kotlin.crt.auth.credentials.CachedCredentialsProvider as CachedCr
  *
  * CachedProvider -> ProviderChain(EnvironmentProvider -> ProfileProvider -> ECS/EC2IMD etc...)
  *
+ * @param source the provider to cache credentials results from
+ * @param expireCredentialsAfter the default expiration time period for sourced credentials. For a given set of
+ * cached credentials, the refresh time period will be the minimum of this time and any expiration timestamp on
+ * the credentials themselves.
+ * @param refreshBufferWindow amount of time before the actual credential expiration time when credentials are
+ * considered expired. For example, if credentials are expiring in 15 minutes, and the buffer time is 10 seconds,
+ * then any requests made after 14 minutes and 50 seconds will load new credentials. Defaults to 10 seconds.
+ * @param clock the source of time for this provider
+ *
  * @return the newly-constructed credentials provider
  */
-public class CachedCredentialsProvider private constructor(builder: Builder) : CrtCredentialsProvider {
-
-    override val crtProvider: CachedCredentialsProviderCrt = CachedCredentialsProviderCrt.build {
-        refreshTimeInMilliseconds = builder.refreshTime.inWholeMilliseconds
+public class CachedCredentialsProvider(
+    private val source: CredentialsProvider,
+    private val expireCredentialsAfter: Duration = DEFAULT_CREDENTIALS_REFRESH_SECONDS.seconds,
+    refreshBufferWindow: Duration = DEFAULT_CREDENTIALS_REFRESH_BUFFER_SECONDS.seconds,
+    private val clock: Clock = Clock.System
+) : CredentialsProvider, Closeable {
 
-        // FIXME - note this won't work until https://github.com/awslabs/aws-crt-java/issues/252 is resolved
-        source = builder.source?.let { CredentialsProviderCrtProxy(it) }
-    }
+    private val cachedCredentials = CachedValue<Credentials>(null, bufferTime = refreshBufferWindow, clock)
 
-    public companion object {
-        /**
-         * Construct a new [CachedCredentialsProvider] using the given [block]
-         */
-        public fun build(block: Builder.() -> Unit): CachedCredentialsProvider = Builder().apply(block).build()
+    override suspend fun getCredentials(): Credentials = cachedCredentials.getOrLoad {
+        val logger = Logger.getLogger<CachedCredentialsProvider>()
+        logger.trace { "refreshing credentials cache" }
+        val providerCreds = source.getCredentials()
+        if (providerCreds.expiration != null) {
+            ExpiringValue(providerCreds, providerCreds.expiration!!)
+        } else {
+            val expiration = clock.now() + expireCredentialsAfter
+            val creds = providerCreds.copy(expiration = expiration)
+            ExpiringValue(creds, expiration)
+        }
     }
 
-    public class Builder {
-        /**
-         * The provider to cache credentials query results from
-         */
-        public var source: CredentialsProvider? = null
-
-        /**
-         * An optional expiration time period for sourced credentials.  For a given set of cached credentials,
-         * the refresh time period will be the minimum of this time and any expiration timestamp on the credentials
-         * themselves.
-         */
-        public var refreshTime: Duration = Duration.ZERO
-
-        public fun build(): CachedCredentialsProvider {
-
-            requireNotNull(source) { "CachedCredentialsProvider requires a source provider to wrap" }
-            return CachedCredentialsProvider(this)
-        }
+    override fun close() {
+        (source as? Closeable)?.close()
     }
 }

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/CredentialsProviderChain.kt

@@ -0,0 +1,62 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+package aws.sdk.kotlin.runtime.auth.credentials
+
+import aws.smithy.kotlin.runtime.io.Closeable
+import aws.smithy.kotlin.runtime.logging.Logger
+
+// TODO - support caching the provider that actually resolved credentials such that future calls don't involve going through the full chain
+
+/**
+ * Composite [CredentialsProvider] that delegates to a chain of providers. When asked for credentials [providers]
+ * are consulted in the order given until one succeeds. If none of the providers in the chain can provide credentials
+ * then this class will throw an exception. The exception will include the providers tried in the message. Each
+ * individual exception is available as a suppressed exception.
+ *
+ * @param providers the list of providers to delegate to
+ */
+public open class CredentialsProviderChain(
+    protected vararg val providers: CredentialsProvider
+) : CredentialsProvider, Closeable {
+    private val logger = Logger.getLogger<CredentialsProviderChain>()
+
+    init {
+        require(providers.isNotEmpty()) { "at least one provider must be in the chain" }
+    }
+
+    override fun toString(): String =
+        (listOf(this) + providers).map { it::class.simpleName }.joinToString(" -> ")
+
+    override suspend fun getCredentials(): Credentials {
+        val chainException = lazy { CredentialsProviderException("No credentials could be loaded from the chain: $this") }
+        for (provider in providers) {
+            try {
+                return provider.getCredentials()
+            } catch (ex: Exception) {
+                logger.debug { "unable to load credentials from $provider: ${ex.message}" }
+                chainException.value.addSuppressed(ex)
+            }
+        }
+
+        throw chainException.value
+    }
+
+    override fun close() {
+        val exceptions = providers.mapNotNull {
+            try {
+                (it as? Closeable)?.close()
+                null
+            } catch (ex: Exception) {
+                ex
+            }
+        }
+        if (exceptions.isNotEmpty()) {
+            val ex = exceptions.first()
+            exceptions.drop(1).forEach(ex::addSuppressed)
+            throw ex
+        }
+    }
+}