Reapply "Track credential providers via User-Agent Feature ids" (#3017)

* Reapply "Track credential providers via User-Agent Feature ids (#3008)"This reverts commit 402370d. (#3015)

Author: Madrigal

.changelog/4a11ffade7aa4ac8839139164bcdbd9f.json

@@ -172,6 +172,17 @@ func (p *CredentialsCache) getCreds() (Credentials, bool) {
 	return *c, true
 }
 
+// ProviderSources returns a list of where the underlying credential provider
+// has been sourced, if available. Returns empty if the provider doesn't implement
+// the interface
+func (p *CredentialsCache) ProviderSources() []CredentialSource {
+	asSource, ok := p.provider.(CredentialProviderSource)
+	if !ok {
+		return []CredentialSource{}
+	}
+	return asSource.ProviderSources()
+}
+
 // Invalidate will invalidate the cached credentials. The next call to Retrieve
 // will cause the provider's Retrieve method to be called.
 func (p *CredentialsCache) Invalidate() {

aws/credential_cache.go

@@ -70,6 +70,56 @@ func (AnonymousCredentials) Retrieve(context.Context) (Credentials, error) {
 		fmt.Errorf("the AnonymousCredentials is not a valid credential provider, and cannot be used to sign AWS requests with")
 }
 
+// CredentialSource is the source of the credential provider.
+// A provider can have multiple credential sources: For example, a provider that reads a profile, calls ECS to
+// get credentials and then assumes a role using STS will have all these as part of its provider chain.
+type CredentialSource int
+
+const (
+	// CredentialSourceUndefined is the sentinel zero value
+	CredentialSourceUndefined CredentialSource = iota
+	// CredentialSourceCode credentials resolved from code, cli parameters, session object, or client instance
+	CredentialSourceCode
+	// CredentialSourceEnvVars credentials resolved from environment variables
+	CredentialSourceEnvVars
+	// CredentialSourceEnvVarsSTSWebIDToken credentials resolved from environment variables for assuming a role with STS using a web identity token
+	CredentialSourceEnvVarsSTSWebIDToken
+	// CredentialSourceSTSAssumeRole credentials resolved from STS using AssumeRole
+	CredentialSourceSTSAssumeRole
+	// CredentialSourceSTSAssumeRoleSaml credentials resolved from STS using assume role with SAML
+	CredentialSourceSTSAssumeRoleSaml
+	// CredentialSourceSTSAssumeRoleWebID credentials resolved from STS using assume role with web identity
+	CredentialSourceSTSAssumeRoleWebID
+	// CredentialSourceSTSFederationToken credentials resolved from STS using a federation token
+	CredentialSourceSTSFederationToken
+	// CredentialSourceSTSSessionToken credentials resolved from STS using a session token 	S
+	CredentialSourceSTSSessionToken
+	// CredentialSourceProfile  credentials resolved from a config file(s) profile with static credentials
+	CredentialSourceProfile
+	// CredentialSourceProfileSourceProfile credentials resolved from a source profile in a config file(s) profile
+	CredentialSourceProfileSourceProfile
+	// CredentialSourceProfileNamedProvider credentials resolved from a named provider in a config file(s) profile (like EcsContainer)
+	CredentialSourceProfileNamedProvider
+	// CredentialSourceProfileSTSWebIDToken  credentials resolved from configuration for assuming a role with STS using web identity token in a config file(s) profile
+	CredentialSourceProfileSTSWebIDToken
+	// CredentialSourceProfileSSO credentials resolved from an SSO session in a config file(s) profile
+	CredentialSourceProfileSSO
+	// CredentialSourceSSO credentials resolved from an SSO session
+	CredentialSourceSSO
+	// CredentialSourceProfileSSOLegacy credentials resolved from an SSO session in a config file(s) profile using legacy format
+	CredentialSourceProfileSSOLegacy
+	// CredentialSourceSSOLegacy credentials resolved from an SSO session using legacy format
+	CredentialSourceSSOLegacy
+	// CredentialSourceProfileProcess credentials resolved from a process in a config file(s) profile
+	CredentialSourceProfileProcess
+	// CredentialSourceProcess credentials resolved from a process
+	CredentialSourceProcess
+	// CredentialSourceHTTP credentials resolved from an HTTP endpoint
+	CredentialSourceHTTP
+	// CredentialSourceIMDS credentials resolved from the instance metadata service (IMDS)
+	CredentialSourceIMDS
+)
+
 // A Credentials is the AWS credentials value for individual credential fields.
 type Credentials struct {
 	// AWS Access key ID
@@ -125,6 +175,13 @@ type CredentialsProvider interface {
 	Retrieve(ctx context.Context) (Credentials, error)
 }
 
+// CredentialProviderSource allows any credential provider to track
+// all providers where a credential provider were sourced. For example, if the credentials came from a
+// call to a role specified in the profile, this method will give the whole breadcrumb trail
+type CredentialProviderSource interface {
+	ProviderSources() []CredentialSource
+}
+
 // CredentialsProviderFunc provides a helper wrapping a function value to
 // satisfy the CredentialsProvider interface.
 type CredentialsProviderFunc func(context.Context) (Credentials, error)

aws/credentials.go

@@ -109,8 +109,57 @@ const (
 	UserAgentFeatureRequestChecksumWhenRequired   = "a"
 	UserAgentFeatureResponseChecksumWhenSupported = "b"
 	UserAgentFeatureResponseChecksumWhenRequired  = "c"
+
+	UserAgentFeatureDynamoDBUserAgent = "d" // not yet implemented
+
+	UserAgentFeatureCredentialsCode                 = "e"
+	UserAgentFeatureCredentialsJvmSystemProperties  = "f" // n/a (this is not a JVM sdk)
+	UserAgentFeatureCredentialsEnvVars              = "g"
+	UserAgentFeatureCredentialsEnvVarsStsWebIDToken = "h"
+	UserAgentFeatureCredentialsStsAssumeRole        = "i"
+	UserAgentFeatureCredentialsStsAssumeRoleSaml    = "j" // not yet implemented
+	UserAgentFeatureCredentialsStsAssumeRoleWebID   = "k"
+	UserAgentFeatureCredentialsStsFederationToken   = "l" // not yet implemented
+	UserAgentFeatureCredentialsStsSessionToken      = "m" // not yet implemented
+	UserAgentFeatureCredentialsProfile              = "n"
+	UserAgentFeatureCredentialsProfileSourceProfile = "o"
+	UserAgentFeatureCredentialsProfileNamedProvider = "p"
+	UserAgentFeatureCredentialsProfileStsWebIDToken = "q"
+	UserAgentFeatureCredentialsProfileSso           = "r"
+	UserAgentFeatureCredentialsSso                  = "s"
+	UserAgentFeatureCredentialsProfileSsoLegacy     = "t"
+	UserAgentFeatureCredentialsSsoLegacy            = "u"
+	UserAgentFeatureCredentialsProfileProcess       = "v"
+	UserAgentFeatureCredentialsProcess              = "w"
+	UserAgentFeatureCredentialsBoto2ConfigFile      = "x" // n/a (this is not boto/Python)
+	UserAgentFeatureCredentialsAwsSdkStore          = "y" // n/a (this is used by .NET based sdk)
+	UserAgentFeatureCredentialsHTTP                 = "z"
+	UserAgentFeatureCredentialsIMDS                 = "0"
 )
 
+var credentialSourceToFeature = map[aws.CredentialSource]UserAgentFeature{
+	aws.CredentialSourceCode:                 UserAgentFeatureCredentialsCode,
+	aws.CredentialSourceEnvVars:              UserAgentFeatureCredentialsEnvVars,
+	aws.CredentialSourceEnvVarsSTSWebIDToken: UserAgentFeatureCredentialsEnvVarsStsWebIDToken,
+	aws.CredentialSourceSTSAssumeRole:        UserAgentFeatureCredentialsStsAssumeRole,
+	aws.CredentialSourceSTSAssumeRoleSaml:    UserAgentFeatureCredentialsStsAssumeRoleSaml,
+	aws.CredentialSourceSTSAssumeRoleWebID:   UserAgentFeatureCredentialsStsAssumeRoleWebID,
+	aws.CredentialSourceSTSFederationToken:   UserAgentFeatureCredentialsStsFederationToken,
+	aws.CredentialSourceSTSSessionToken:      UserAgentFeatureCredentialsStsSessionToken,
+	aws.CredentialSourceProfile:              UserAgentFeatureCredentialsProfile,
+	aws.CredentialSourceProfileSourceProfile: UserAgentFeatureCredentialsProfileSourceProfile,
+	aws.CredentialSourceProfileNamedProvider: UserAgentFeatureCredentialsProfileNamedProvider,
+	aws.CredentialSourceProfileSTSWebIDToken: UserAgentFeatureCredentialsProfileStsWebIDToken,
+	aws.CredentialSourceProfileSSO:           UserAgentFeatureCredentialsProfileSso,
+	aws.CredentialSourceSSO:                  UserAgentFeatureCredentialsSso,
+	aws.CredentialSourceProfileSSOLegacy:     UserAgentFeatureCredentialsProfileSsoLegacy,
+	aws.CredentialSourceSSOLegacy:            UserAgentFeatureCredentialsSsoLegacy,
+	aws.CredentialSourceProfileProcess:       UserAgentFeatureCredentialsProfileProcess,
+	aws.CredentialSourceProcess:              UserAgentFeatureCredentialsProcess,
+	aws.CredentialSourceHTTP:                 UserAgentFeatureCredentialsHTTP,
+	aws.CredentialSourceIMDS:                 UserAgentFeatureCredentialsIMDS,
+}
+
 // RequestUserAgent is a build middleware that set the User-Agent for the request.
 type RequestUserAgent struct {
 	sdkAgent, userAgent *smithyhttp.UserAgentBuilder
@@ -263,6 +312,14 @@ func (u *RequestUserAgent) AddSDKAgentKeyValue(keyType SDKAgentKeyType, key, val
 	u.userAgent.AddKeyValue(keyType.string(), strings.Map(rules, key)+"#"+strings.Map(rules, value))
 }
 
+// AddCredentialsSource adds the credential source as a feature on the User-Agent string
+func (u *RequestUserAgent) AddCredentialsSource(source aws.CredentialSource) {
+	x, ok := credentialSourceToFeature[source]
+	if ok {
+		u.AddUserAgentFeature(x)
+	}
+}
+
 // ID the name of the middleware.
 func (u *RequestUserAgent) ID() string {
 	return "UserAgent"

aws/middleware/user_agent.go

@@ -0,0 +1,85 @@
+package software.amazon.smithy.aws.go.codegen;
+
+import software.amazon.smithy.go.codegen.SmithyGoDependency;
+import software.amazon.smithy.go.codegen.integration.GoIntegration;
+import software.amazon.smithy.go.codegen.integration.MiddlewareRegistrar;
+import software.amazon.smithy.go.codegen.integration.RuntimeClientPlugin;
+import software.amazon.smithy.go.codegen.GoCodegenContext;
+
+import java.util.List;
+import java.util.Map;
+
+import static software.amazon.smithy.go.codegen.GoWriter.goTemplate;
+import static software.amazon.smithy.go.codegen.SymbolUtils.buildPackageSymbol;
+
+/**
+ * Generates code to track which credential provider was used on
+ * the User Agent
+ */
+public class CredentialSourceFeatureTrackerGenerator implements GoIntegration {
+
+    private static final MiddlewareRegistrar MIDDLEWARE = MiddlewareRegistrar.builder()
+            .resolvedFunction(buildPackageSymbol("addCredentialSource"))
+            .useClientOptions()
+            .build();
+
+    @Override
+    public List<RuntimeClientPlugin> getClientPlugins() {
+        return List.of(
+                RuntimeClientPlugin.builder()
+                        .registerMiddleware(MIDDLEWARE)
+                        .servicePredicate(AwsSignatureVersion4::hasSigV4X)
+                        .build()
+        );
+    }
+
+    @Override
+    public void writeAdditionalFiles(GoCodegenContext ctx) {
+        if (!AwsSignatureVersion4.hasSigV4X(ctx.model(), ctx.settings().getService(ctx.model()))) {
+            return;
+        }
+
+        ctx.writerDelegator().useFileWriter("api_client.go", ctx.settings().getModuleName(), goTemplate("""
+                $aws:D $awsMiddleware:D
+
+                type setCredentialSourceMiddleware struct {
+                       ua *awsmiddleware.RequestUserAgent
+                       options Options
+                }
+
+                func (m setCredentialSourceMiddleware) ID() string { return "SetCredentialSourceMiddleware" }
+
+                func (m setCredentialSourceMiddleware) HandleBuild(ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler) (
+                       out middleware.BuildOutput, metadata middleware.Metadata, err error,
+                ) {
+                       asProviderSource, ok := m.options.Credentials.(aws.CredentialProviderSource)
+                       if !ok {
+                               return next.HandleBuild(ctx, in)
+                       }
+                       providerSources := asProviderSource.ProviderSources()
+                       for _, source := range providerSources {
+                               m.ua.AddCredentialsSource(source)
+                       }
+                       return next.HandleBuild(ctx, in)
+                }
+
+                func addCredentialSource(stack *middleware.Stack, options Options) error {
+                       ua, err := getOrAddRequestUserAgent(stack)
+                       if err != nil {
+                               return err
+                       }
+
+                       mw := setCredentialSourceMiddleware{ua: ua, options: options}
+                       return stack.Build.Insert(&mw, "UserAgent", middleware.Before)
+                }
+                """,
+                Map.of(
+                        "aws", AwsGoDependency.AWS_CORE,
+                        "awsMiddleware", AwsGoDependency.AWS_MIDDLEWARE,
+                        "stack", SmithyGoDependency.SMITHY_MIDDLEWARE.struct("Stack")
+                )));
+    }
+
+
+
+}

codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/CredentialSourceFeatureTrackerGenerator.java

@@ -89,3 +89,4 @@ software.amazon.smithy.aws.go.codegen.customization.DeprecateService
 software.amazon.smithy.aws.go.codegen.customization.BasicUserAgentFeatures
 software.amazon.smithy.aws.go.codegen.customization.ChecksumMetricsTracking
 software.amazon.smithy.aws.go.codegen.customization.AccountIdEndpointModeUserAgent
+software.amazon.smithy.aws.go.codegen.CredentialSourceFeatureTrackerGenerator