refactor common crt creds impl, add aws login provider

Author: sbiscigl

crt/aws-crt-cpp

@@ -3,21 +3,21 @@
 # SPDX-License-Identifier: Apache-2.0.
 
 CRT_URI_PREFIX=https://codeload.github.com/awslabs
-CRT_URI=${CRT_URI_PREFIX}/aws-crt-cpp/zip/35dad3a8131dc9d761a2ccfc24808308d5ce4680  # v0.35.2
+CRT_URI=${CRT_URI_PREFIX}/aws-crt-cpp/zip/2deaa9120dc23c03ab6feb903dd1d584d6cf7025  # v0.35.3
 
-AWS_C_AUTH_URI=${CRT_URI_PREFIX}/aws-c-auth/zip/ab03bdd996437d9097953ebb9495de71b6adc537  # v0.9.1
-AWS_C_CAL_URI=${CRT_URI_PREFIX}/aws-c-cal/zip/1b56db8ada9840e0e1036997ff4f247e155e51a5  # v0.9.8
-AWS_C_COMMON_URI=${CRT_URI_PREFIX}/aws-c-common/zip/31578beb2309330fece3fb3a66035a568a2641e7  # v0.12.5
+AWS_C_AUTH_URI=${CRT_URI_PREFIX}/aws-c-auth/zip/672feed19bb91bc389876f49aaa7c538dc879be5  # v0.9.2
+AWS_C_CAL_URI=${CRT_URI_PREFIX}/aws-c-cal/zip/de3b28840a59339f24012f25348f2c70a7ea45d6  # v0.9.11
+AWS_C_COMMON_URI=${CRT_URI_PREFIX}/aws-c-common/zip/95515a8b1ff40d5bb14f965ca4cbbe99ad1843df  # v0.12.6
 AWS_C_COMPRESSION_URI=${CRT_URI_PREFIX}/aws-c-compression/zip/f951ab2b819fc6993b6e5e6cfef64b1a1554bfc8  # v0.3.1
 AWS_C_EVENT_STREAM_URI=${CRT_URI_PREFIX}/aws-c-event-stream/zip/31a44ff9108840a8f3fec54006218f4bc6c505e1  # v0.5.7
-AWS_C_HTTP_URI=${CRT_URI_PREFIX}/aws-c-http/zip/bbfc5a7bcf1a6c238205abcac62d5d14dd0da7ef  # v0.10.5
-AWS_C_IO_URI=${CRT_URI_PREFIX}/aws-c-io/zip/1af325b54bba2e95a640a5be5ffe0b27e4ead79c  # v0.23.2
+AWS_C_HTTP_URI=${CRT_URI_PREFIX}/aws-c-http/zip/07302aa4a2892adbbf95ee6d458db3bb240030d3  # v0.10.7
+AWS_C_IO_URI=${CRT_URI_PREFIX}/aws-c-io/zip/9cf142c08c28d5b1195aae09d2c05a6d17502e09  # v0.23.3
 AWS_C_MQTT_URI=${CRT_URI_PREFIX}/aws-c-mqtt/zip/1d512d92709f60b74e2cafa018e69a2e647f28e9  # v0.13.3
 AWS_C_S3_URI=${CRT_URI_PREFIX}/aws-c-s3/zip/332dd22c47a7ed139eee71e7f219b764ef8cdf4c  # v0.9.2
 AWS_C_SDKUTILS_URI=${CRT_URI_PREFIX}/aws-c-sdkutils/zip/f678bda9e21f7217e4bbf35e0d1ea59540687933  # v0.2.4
 AWS_CHECKSUMS_URI=${CRT_URI_PREFIX}/aws-checksums/zip/9978ba2c33a7a259c1a6bd0f62abe26827d03b85  # v0.2.6
-AWS_LC_URI=${CRT_URI_PREFIX}/aws-lc/zip/5a9df2190d9ecab090a62030f94a6ada6789a436  # v1.62.0
-S2N_URI=${CRT_URI_PREFIX}/s2n/zip/30f40f2345a89570ed3c4cee2274942f1ebf85fa  # v1.5.27
+AWS_LC_URI=${CRT_URI_PREFIX}/aws-lc/zip/7187ab572ddcdae4fa408e932d3e878c9941137b  # v1.64.0
+S2N_URI=${CRT_URI_PREFIX}/s2n/zip/6aefe741f17489211f6c28e837c1a65ee66a1ef2  # v1.6.0
 
 
 echo "Removing CRT"

prefetch_crt_dependency.sh

@@ -0,0 +1,58 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+#pragma once
+
+#include <aws/core/Core_EXPORTS.h>
+#include <aws/core/auth/AWSCredentialsProvider.h>
+
+#include <atomic>
+#include <memory>
+
+namespace Aws {
+namespace Crt {
+namespace Auth {
+class ICredentialsProvider;
+class Credentials;
+}  // namespace Auth
+}  // namespace Crt
+}  // namespace Aws
+
+namespace Aws {
+namespace Auth {
+/**
+ * A utility class for wrapping a cached crt credentials provider.
+ */
+class AWS_CORE_API CrtCredentialsProvider : public AWSCredentialsProvider {
+ public:
+  explicit CrtCredentialsProvider(const std::function<std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider>()>& credentialsProviderFactory,
+                                  std::chrono::milliseconds providerFuturesTimeoutMs, Aws::Client::UserAgentFeature userAgentFeature,
+                                  const Aws::String& providerName);
+  virtual ~CrtCredentialsProvider();
+
+  /**
+   * Retrieves the credentials if found, otherwise returns empty credential set.
+   */
+  AWSCredentials GetAWSCredentials() override;
+
+ private:
+  enum class STATE {
+    INITIALIZED,
+    NOT_INITIALIZED,
+  };
+
+  static AWSCredentials ExtractCredentialsFromCrt(const Aws::Crt::Auth::Credentials& crtCredentials);
+  void Reload() override;
+  void RefreshIfExpired();
+
+  std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> m_credentialsProvider;
+  AWSCredentials m_credentials;
+  std::chrono::milliseconds m_providerFuturesTimeoutMs;
+  Aws::Client::UserAgentFeature m_userAgentFeature;
+  Aws::String m_providerName;
+  STATE m_state{STATE::NOT_INITIALIZED};
+};
+}  // namespace Auth
+}  // namespace Aws

src/aws-cpp-sdk-core/include/aws/core/auth/CrtCredentialsProvider.h

@@ -0,0 +1,23 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#pragma once
+
+#include <aws/core/Core_EXPORTS.h>
+#include <aws/core/auth/CrtCredentialsProvider.h>
+
+namespace Aws {
+namespace Auth {
+/**
+ * To support retrieving credentials of STS AssumeRole with web identity.
+ * Note that STS accepts request with protocol of queryxml. Calling GetAWSCredentials() will trigger (if expired)
+ * a query request using AWSHttpResourceClient under the hood.
+ */
+class AWS_CORE_API LoginCredentialsProvider : public CrtCredentialsProvider {
+ public:
+  LoginCredentialsProvider(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& config);
+  ~LoginCredentialsProvider() override;
+};
+}  // namespace Auth
+}  // namespace Aws

src/aws-cpp-sdk-core/include/aws/core/auth/LoginCredentialsProvider.h

@@ -3,67 +3,24 @@
  * SPDX-License-Identifier: Apache-2.0.
  */
 
-
 #pragma once
 
 #include <aws/core/Core_EXPORTS.h>
 #include <aws/core/auth/AWSCredentialsProvider.h>
-
-#include <atomic>
-#include <memory>
+#include <aws/core/auth/CrtCredentialsProvider.h>
 
 namespace Aws {
-namespace Crt {
 namespace Auth {
-class ICredentialsProvider;
-class Credentials;
-}
-}
-}
-
-namespace Aws
-{
-    namespace Auth
-    {
-        /**
-         * To support retrieving credentials of STS AssumeRole with web identity.
-         * Note that STS accepts request with protocol of queryxml. Calling GetAWSCredentials() will trigger (if expired)
-         * a query request using AWSHttpResourceClient under the hood.
-         */
-        class AWS_CORE_API STSAssumeRoleWebIdentityCredentialsProvider : public AWSCredentialsProvider
-        {
-        public:
-            STSAssumeRoleWebIdentityCredentialsProvider();
-            STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration::CredentialProviderConfiguration config);
-            virtual ~STSAssumeRoleWebIdentityCredentialsProvider();
-
-            /**
-             * Retrieves the credentials if found, otherwise returns empty credential set.
-             */
-            AWSCredentials GetAWSCredentials() override;
-
-        protected:
-            void Reload() override;
-
-        private:
-            enum class STATE {
-              INITIALIZED,
-              SHUT_DOWN,
-            } m_state{STATE::SHUT_DOWN};
-            mutable std::mutex m_refreshMutex;
-            mutable std::condition_variable m_refreshSignal;
-            std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> m_credentialsProvider;
-            std::chrono::milliseconds m_providerFuturesTimeoutMs;
-
-            // Thread-safe credential fetch coordination
-            mutable std::atomic<bool> m_refreshInProgress{false};
-            mutable std::atomic<bool> m_refreshDone{false};
-            mutable std::shared_ptr<AWSCredentials> m_pendingCredentials;
-
-            // Helper methods for credential retrieval
-            AWSCredentials waitForSharedCredentials() const;
-            AWSCredentials extractCredentialsFromCrt(const Aws::Crt::Auth::Credentials& crtCredentials) const;
-            AWSCredentials fetchCredentialsAsync();
-        };
-    } // namespace Auth
-} // namespace Aws
+/**
+ * To support retrieving credentials of STS AssumeRole with web identity.
+ * Note that STS accepts request with protocol of queryxml. Calling GetAWSCredentials() will trigger (if expired)
+ * a query request using AWSHttpResourceClient under the hood.
+ */
+class AWS_CORE_API STSAssumeRoleWebIdentityCredentialsProvider : public CrtCredentialsProvider {
+ public:
+  STSAssumeRoleWebIdentityCredentialsProvider();
+  STSAssumeRoleWebIdentityCredentialsProvider(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& config);
+  ~STSAssumeRoleWebIdentityCredentialsProvider() override;
+};
+}  // namespace Auth
+}  // namespace Aws

src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h

@@ -562,6 +562,23 @@ namespace Aws
                */
               std::chrono::milliseconds credentialCacheCacheTTL = std::chrono::minutes(50);
             } stsCredentialsProviderConfig;
+            struct LoginProviderConfig {
+              /**
+               * ARN for AWS login session.
+               */
+              Aws::String loginSession{};
+
+              /**
+               * Overrides the login cache directory. by default the cache directory
+               * is located at `~/.aws/login/cache`.
+               */
+              Aws::String loginCacheOverride{};
+
+              /**
+               * Time out for the credentials future call.
+               */
+              std::chrono::milliseconds retrieveCredentialsFutureTimeout = std::chrono::seconds(10);
+            } loginCredentialProviderConfig;
           } credentialProviderConfig;
         };
 

src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h

@@ -42,6 +42,7 @@ enum class UserAgentFeature {
   CREDENTIALS_SSO,
   CREDENTIALS_SSO_LEGACY,
   CREDENTIALS_PROFILE_SOURCE_PROFILE,
+  CREDENTIALS_LOGIN,
   PROTOCOL_RPC_V2_CBOR,
 };
 

src/aws-cpp-sdk-core/include/aws/core/client/UserAgent.h

@@ -4,13 +4,14 @@
  */
 
 #include <aws/core/auth/AWSCredentialsProviderChain.h>
-#include <aws/core/auth/STSCredentialsProvider.h>
+#include <aws/core/auth/LoginCredentialsProvider.h>
 #include <aws/core/auth/SSOCredentialsProvider.h>
+#include <aws/core/auth/STSCredentialsProvider.h>
 #include <aws/core/client/ClientConfiguration.h>
 #include <aws/core/platform/Environment.h>
-#include <aws/core/utils/memory/AWSMemory.h>
 #include <aws/core/utils/StringUtils.h>
 #include <aws/core/utils/logging/LogMacros.h>
+#include <aws/core/utils/memory/AWSMemory.h>
 
 using namespace Aws::Auth;
 using namespace Aws::Utils::Threading;
@@ -93,6 +94,7 @@ DefaultAWSCredentialsProviderChain::DefaultAWSCredentialsProviderChain(const Aws
     AddProvider(Aws::MakeShared<ProcessCredentialsProvider>(DefaultCredentialsProviderChainTag,config.profile));
     AddProvider(Aws::MakeShared<STSAssumeRoleWebIdentityCredentialsProvider>(DefaultCredentialsProviderChainTag, config));
     AddProvider(Aws::MakeShared<SSOCredentialsProvider>(DefaultCredentialsProviderChainTag,config.profile));
+    AddProvider(Aws::MakeShared<LoginCredentialsProvider>(DefaultCredentialsProviderChainTag, config));
 
     // General HTTP Credentials (prev. known as ECS TaskRole credentials) only available when ENVIRONMENT VARIABLE is set
     const auto relativeUri = Aws::Environment::GetEnv(GeneralHTTPCredentialsProvider::AWS_CONTAINER_CREDENTIALS_RELATIVE_URI);

src/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp

@@ -0,0 +1,91 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#include <aws/core/auth/CrtCredentialsProvider.h>
+#include <aws/core/client/UserAgent.h>
+#include <aws/core/utils/threading/ReaderWriterLock.h>
+#include <aws/crt/auth/Credentials.h>
+
+using namespace Aws::Auth;
+using namespace Aws::Utils;
+using namespace Aws::Utils::Threading;
+
+namespace {
+const int FIVE_MINUTES_IN_MILLIS = 5 * 60 * 1000;
+}
+
+CrtCredentialsProvider::CrtCredentialsProvider(
+    const std::function<std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider>()>& credentialsProviderFactory,
+    std::chrono::milliseconds providerFuturesTimeoutMs, Aws::Client::UserAgentFeature userAgentFeature, const Aws::String& providerName)
+    : m_credentialsProvider{credentialsProviderFactory()},
+      m_providerFuturesTimeoutMs{providerFuturesTimeoutMs},
+      m_userAgentFeature{userAgentFeature},
+      m_providerName{providerName} {
+  if (m_credentialsProvider && m_credentialsProvider->IsValid()) {
+    m_state = STATE::INITIALIZED;
+  }
+}
+
+CrtCredentialsProvider::~CrtCredentialsProvider() = default;
+
+AWSCredentials CrtCredentialsProvider::GetAWSCredentials() {
+  if (m_state != STATE::INITIALIZED) {
+    return AWSCredentials{};
+  }
+  RefreshIfExpired();
+  const ReaderLockGuard guard(m_reloadLock);
+  return m_credentials;
+}
+
+void CrtCredentialsProvider::Reload() {
+  AWSCredentials credentials{};
+  std::mutex refresh_mutex{};
+  std::condition_variable refresh_condition;
+  bool refresh_complete{false};
+  m_credentialsProvider->GetCredentials([&credentials, &refresh_mutex, &refresh_complete, &refresh_condition](
+                                            const std::shared_ptr<Crt::Auth::Credentials>& crtCredentials, int errorCode) -> void {
+    {
+      const std::unique_lock<std::mutex> lock(refresh_mutex);
+      (void)errorCode;
+      credentials = ExtractCredentialsFromCrt(*crtCredentials);
+      refresh_complete = true;
+    }
+    refresh_condition.notify_all();
+  });
+
+  std::unique_lock<std::mutex> lock(refresh_mutex);
+  refresh_condition.wait_for(lock, m_providerFuturesTimeoutMs, [&refresh_complete]() -> bool { return refresh_complete; });
+  if (!credentials.IsEmpty()) {
+    credentials.AddUserAgentFeature(m_userAgentFeature);
+  }
+  m_credentials = credentials;
+}
+
+void CrtCredentialsProvider::RefreshIfExpired() {
+  ReaderLockGuard guard(m_reloadLock);
+  if (!m_credentials.IsEmpty() && !m_credentials.ExpiresSoon(FIVE_MINUTES_IN_MILLIS)) {
+    return;
+  }
+
+  guard.UpgradeToWriterLock();
+  // double-checked lock to avoid refreshing twice
+  if (!m_credentials.IsEmpty() && !m_credentials.ExpiresSoon(FIVE_MINUTES_IN_MILLIS)) {
+    return;
+  }
+
+  Reload();
+}
+
+AWSCredentials CrtCredentialsProvider::ExtractCredentialsFromCrt(const Aws::Crt::Auth::Credentials& crtCredentials) {
+  AWSCredentials credentials{};
+  const auto accountIdCursor = crtCredentials.GetAccessKeyId();
+  credentials.SetAWSAccessKeyId({reinterpret_cast<char*>(accountIdCursor.ptr), accountIdCursor.len});
+  const auto secretKeyCursor = crtCredentials.GetSecretAccessKey();
+  credentials.SetAWSSecretKey({reinterpret_cast<char*>(secretKeyCursor.ptr), secretKeyCursor.len});
+  const auto expiration = crtCredentials.GetExpirationTimepointInSeconds();
+  credentials.SetExpiration(DateTime{static_cast<double>(expiration)});
+  const auto sessionTokenCursor = crtCredentials.GetSessionToken();
+  credentials.SetSessionToken({reinterpret_cast<char*>(sessionTokenCursor.ptr), sessionTokenCursor.len});
+  return credentials;
+}

src/aws-cpp-sdk-core/source/auth/CrtCredentialsProvider.cpp

@@ -0,0 +1,41 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#include <aws/core/Globals.h>
+#include <aws/core/auth/LoginCredentialsProvider.h>
+#include <aws/core/client/ClientConfiguration.h>
+#include <aws/core/client/UserAgent.h>
+#include <aws/crt/auth/Credentials.h>
+
+using namespace Aws::Auth;
+using namespace Aws::Utils;
+
+namespace {
+std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> GetLoginCrtProvider(
+    const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialsConfig,
+    Aws::Crt::Io::ClientBootstrap* defaultClientBootstrap) {
+  Aws::Crt::Auth::CredentialsProviderLoginConfig loginConfig{};
+  loginConfig.Bootstrap = defaultClientBootstrap;
+  Aws::Crt::Io::TlsContextOptions tlsCtxOptions = Aws::Crt::Io::TlsContextOptions::InitDefaultClient();
+  const Aws::Crt::Io::TlsContext tlsContext(tlsCtxOptions, Aws::Crt::Io::TlsMode::CLIENT);
+  const auto tlsOptions = Aws::GetDefaultTlsConnectionOptions();
+  if (tlsOptions) {
+    loginConfig.TlsConnectionOptions = *tlsOptions;
+  }
+  loginConfig.LoginSession = credentialsConfig.loginCredentialProviderConfig.loginSession.c_str();
+  loginConfig.LoginCacheOverride = credentialsConfig.loginCredentialProviderConfig.loginCacheOverride.c_str();
+  loginConfig.LoginRegion = credentialsConfig.region.c_str();
+  return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderLogin(loginConfig);
+}
+}  // namespace
+
+LoginCredentialsProvider::LoginCredentialsProvider(
+    const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialsConfig)
+    : CrtCredentialsProvider{[&credentialsConfig]() -> std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> {
+                               return GetLoginCrtProvider(credentialsConfig, GetDefaultClientBootstrap());
+                             },
+                             credentialsConfig.loginCredentialProviderConfig.retrieveCredentialsFutureTimeout,
+                             Aws::Client::UserAgentFeature::CREDENTIALS_LOGIN, "LoginCredentialsProvider"} {}
+
+LoginCredentialsProvider::~LoginCredentialsProvider() = default;