Add new Identity interfaces (#3773)

* Add new Identity interfaces

* Move Impl classes to own files

* Add missing @immutable

* Address feedback - interface override and javadoc edits

* Mark the new interfaces @threadsafe

* Remove static create methods in AwsCredentialsIdentity and impls

* Add japicmp excludes for methods moved to parent interface

Was getting these errors otherwise:
```
[ERROR] Failed to execute goal com.github.siom79.japicmp:japicmp-maven-plugin:0.15.6:cmp (default) on project auth: There is at least one incompatibility: software.amazon.awssdk.auth.credentials.AwsCredentials.accessKeyId():METHOD_REMOVED,software.amazon.awssdk.auth.credentials.AwsCredentials.secretAccessKey():METHOD_REMOVED,software.amazon.awssdk.auth.token.credentials.SdkToken.expirationTime():METHOD_REMOVED,software.amazon.awssdk.auth.token.credentials.SdkToken.token():METHOD_REMOVED -> [Help 1]
```

Author: gosar

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AwsCredentials.java

@@ -16,27 +16,18 @@
 package software.amazon.awssdk.auth.credentials;
 
 import software.amazon.awssdk.annotations.SdkPublicApi;
+import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
 
 /**
- * Provides access to the AWS credentials used for accessing AWS services: AWS access key ID and secret access key. These
- * credentials are used to securely sign requests to AWS services.
+ * Provides access to the AWS credentials used for accessing services: AWS access key ID and secret access key. These
+ * credentials are used to securely sign requests to services (e.g., AWS services) that use them for authentication.
  *
  * <p>For more details on AWS access keys, see:
- * <a href="http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#AccessKeys">
- * http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#AccessKeys</a></p>
+ * <a href="https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys">
+ * https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys</a></p>
  *
  * @see AwsCredentialsProvider
  */
 @SdkPublicApi
-public interface AwsCredentials {
-
-    /**
-     * Retrieve the AWS access key, used to identify the user interacting with AWS.
-     */
-    String accessKeyId();
-
-    /**
-     * Retrieve the AWS secret access key, used to authenticate the user interacting with AWS.
-     */
-    String secretAccessKey();
+public interface AwsCredentials extends AwsCredentialsIdentity {
 }

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AwsCredentialsProvider.java

@@ -15,7 +15,11 @@
 
 package software.amazon.awssdk.auth.credentials;
 
+import java.util.concurrent.CompletableFuture;
 import software.amazon.awssdk.annotations.SdkPublicApi;
+import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
+import software.amazon.awssdk.identity.spi.IdentityProvider;
+import software.amazon.awssdk.identity.spi.ResolveIdentityRequest;
 
 /**
  * Interface for loading {@link AwsCredentials} that are used for authentication.
@@ -27,7 +31,7 @@
  */
 @FunctionalInterface
 @SdkPublicApi
-public interface AwsCredentialsProvider {
+public interface AwsCredentialsProvider extends IdentityProvider<AwsCredentialsIdentity> {
     /**
      * Returns {@link AwsCredentials} that can be used to authorize an AWS request. Each implementation of AWSCredentialsProvider
      * can choose its own strategy for loading credentials. For example, an implementation might load credentials from an existing
@@ -39,4 +43,14 @@ public interface AwsCredentialsProvider {
      * @return AwsCredentials which the caller can use to authorize an AWS request.
      */
     AwsCredentials resolveCredentials();
+
+    @Override
+    default Class<AwsCredentialsIdentity> identityType() {
+        return AwsCredentialsIdentity.class;
+    }
+
+    @Override
+    default CompletableFuture<AwsCredentialsIdentity> resolveIdentity(ResolveIdentityRequest request) {
+        return CompletableFuture.completedFuture(resolveCredentials());
+    }
 }

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AwsSessionCredentials.java

@@ -18,6 +18,7 @@
 import java.util.Objects;
 import software.amazon.awssdk.annotations.Immutable;
 import software.amazon.awssdk.annotations.SdkPublicApi;
+import software.amazon.awssdk.identity.spi.AwsSessionCredentialsIdentity;
 import software.amazon.awssdk.utils.ToString;
 import software.amazon.awssdk.utils.Validate;
 
@@ -28,7 +29,7 @@
  */
 @Immutable
 @SdkPublicApi
-public final class AwsSessionCredentials implements AwsCredentials {
+public final class AwsSessionCredentials implements AwsCredentials, AwsSessionCredentialsIdentity {
 
     private final String accessKeyId;
     private final String secretAccessKey;
@@ -52,26 +53,17 @@ public static AwsSessionCredentials create(String accessKey, String secretKey, S
         return new AwsSessionCredentials(accessKey, secretKey, sessionToken);
     }
 
-    /**
-     * Retrieve the AWS access key, used to identify the user interacting with AWS.
-     */
     @Override
     public String accessKeyId() {
         return accessKeyId;
     }
 
-    /**
-     * Retrieve the AWS secret access key, used to authenticate the user interacting with AWS.
-     */
     @Override
     public String secretAccessKey() {
         return secretAccessKey;
     }
 
-    /**
-     * Retrieve the AWS session token. This token is retrieved from an AWS token service, and is used for authenticating that this
-     * user has received temporary permission to access some resource.
-     */
+    @Override
     public String sessionToken() {
         return sessionToken;
     }

core/auth/src/main/java/software/amazon/awssdk/auth/token/credentials/SdkToken.java

@@ -15,34 +15,18 @@
 
 package software.amazon.awssdk.auth.token.credentials;
 
-import java.time.Instant;
-import java.util.Optional;
 import software.amazon.awssdk.annotations.SdkPublicApi;
+import software.amazon.awssdk.identity.spi.TokenIdentity;
 
 /**
- * Provides token which is used to securely authorize requests to AWS services.
- * A token is a string that the OAuth client uses to make requests to the resource server.
+ * Provides token which is used to securely authorize requests to services that use token based auth, e.g., OAuth.
  *
- * <p>For more details on tokens, see:
+ * <p>For more details on OAuth tokens, see:
  * <a href="https://oauth.net/2/access-tokens">
  * https://oauth.net/2/access-tokens</a></p>
  *
  * @see SdkTokenProvider
  */
-
 @SdkPublicApi
-public interface SdkToken {
-
-
-    /**
-     * Retrieves string field representing the literal token string.
-     * A token is a string that the OAuth client uses to make requests to the resource server.
-     */
-    String token();
-
-
-    /**
-     * Retrieves the time at which the token expires.
-     */
-    Optional<Instant> expirationTime();
+public interface SdkToken extends TokenIdentity {
 }

core/auth/src/main/java/software/amazon/awssdk/auth/token/credentials/SdkTokenProvider.java

@@ -15,16 +15,19 @@
 
 package software.amazon.awssdk.auth.token.credentials;
 
+import java.util.concurrent.CompletableFuture;
 import software.amazon.awssdk.annotations.SdkPublicApi;
-import software.amazon.awssdk.auth.token.credentials.SdkToken;
+import software.amazon.awssdk.identity.spi.IdentityProvider;
+import software.amazon.awssdk.identity.spi.ResolveIdentityRequest;
+import software.amazon.awssdk.identity.spi.TokenIdentity;
 
 /**
  * Interface for loading {@link SdkToken} that are used for authentication.
  *
  */
 @FunctionalInterface
 @SdkPublicApi
-public interface SdkTokenProvider {
+public interface SdkTokenProvider extends IdentityProvider<TokenIdentity> {
     /**
      * Returns an {@link SdkToken} that can be used to authorize a request. Each implementation of SdkTokenProvider
      * can choose its own strategy for loading token. For example, an implementation might load token from an existing
@@ -34,4 +37,14 @@ public interface SdkTokenProvider {
      * @return AwsToken which the caller can use to authorize an AWS request using token authorization for a request.
      */
     SdkToken resolveToken();
+
+    @Override
+    default Class<TokenIdentity> identityType() {
+        return TokenIdentity.class;
+    }
+
+    @Override
+    default CompletableFuture<TokenIdentity> resolveIdentity(ResolveIdentityRequest request) {
+        return CompletableFuture.completedFuture(resolveToken());
+    }
 }

core/identity-spi/src/main/java/software/amazon/awssdk/identity/spi/AwsCredentialsIdentity.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.identity.spi;
+
+import software.amazon.awssdk.annotations.SdkPublicApi;
+import software.amazon.awssdk.annotations.ThreadSafe;
+
+/**
+ * Provides access to the AWS credentials used for accessing services: AWS access key ID and secret access key. These
+ * credentials are used to securely sign requests to services (e.g., AWS services) that use them for authentication.
+ *
+ * <p>For more details on AWS access keys, see:
+ * <a href="https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys">
+ * https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys</a></p>
+ */
+@SdkPublicApi
+@ThreadSafe
+public interface AwsCredentialsIdentity extends Identity {
+
+    /**
+     * Retrieve the AWS access key, used to identify the user interacting with services.
+     */
+    String accessKeyId();
+
+    /**
+     * Retrieve the AWS secret access key, used to authenticate the user interacting with services.
+     */
+    String secretAccessKey();
+}

core/identity-spi/src/main/java/software/amazon/awssdk/identity/spi/AwsSessionCredentialsIdentity.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.identity.spi;
+
+import software.amazon.awssdk.annotations.SdkPublicApi;
+import software.amazon.awssdk.annotations.ThreadSafe;
+
+/**
+ * A special type of {@link AwsCredentialsIdentity} that provides a session token to be used in service authentication. Session
+ * tokens are typically provided by a token broker service, like AWS Security Token Service, and provide temporary access to an
+ * AWS service.
+ */
+@SdkPublicApi
+@ThreadSafe
+public interface AwsSessionCredentialsIdentity extends AwsCredentialsIdentity {
+
+    /**
+     * Retrieve the AWS session token. This token is retrieved from an AWS token service, and is used for authenticating that this
+     * user has received temporary permission to access some resource.
+     */
+    String sessionToken();
+}

core/identity-spi/src/main/java/software/amazon/awssdk/identity/spi/Identity.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.identity.spi;
+
+import java.time.Instant;
+import java.util.Optional;
+import software.amazon.awssdk.annotations.SdkPublicApi;
+import software.amazon.awssdk.annotations.ThreadSafe;
+
+/**
+ * Interface to represent <b>who</b> is using the SDK, i.e., the identity of the caller, used for authentication.
+ *
+ * <p>Examples include {@link AwsCredentialsIdentity} and {@link TokenIdentity}.</p>
+ *
+ * @see IdentityProvider
+ */
+@SdkPublicApi
+@ThreadSafe
+public interface Identity {
+    /**
+     * The time after which this identity will no longer be valid. If this is empty,
+     * an expiration time is not known (but the identity may still expire at some
+     * time in the future).
+     */
+    default Optional<Instant> expirationTime() {
+        return Optional.empty();
+    }
+}

core/identity-spi/src/main/java/software/amazon/awssdk/identity/spi/IdentityProperty.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.identity.spi;
+
+import java.util.Objects;
+import software.amazon.awssdk.annotations.Immutable;
+import software.amazon.awssdk.annotations.SdkProtectedApi;
+import software.amazon.awssdk.annotations.ThreadSafe;
+import software.amazon.awssdk.utils.ToString;
+import software.amazon.awssdk.utils.Validate;
+
+/**
+ * A strongly-typed property for input to an {@link IdentityProvider}.
+ * @param <T> The type of the attribute.
+ */
+@SdkProtectedApi
+@Immutable
+@ThreadSafe
+public final class IdentityProperty<T> {
+    private final Class<T> clazz;
+    private final String name;
+
+    private IdentityProperty(Class<T> clazz, String name) {
+        Validate.paramNotNull(clazz, "clazz");
+        Validate.paramNotBlank(name, "name");
+
+        this.clazz = clazz;
+        this.name = name;
+    }
+
+    public static <T> IdentityProperty<T> create(Class<T> clazz, String name) {
+        return new IdentityProperty<>(clazz, name);
+    }
+
+    @Override
+    public String toString() {
+        return ToString.builder("IdentityProperty")
+                       .add("clazz", clazz)
+                       .add("name", name)
+                       .build();
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+
+        IdentityProperty<?> that = (IdentityProperty<?>) o;
+
+        return Objects.equals(clazz, that.clazz) &&
+               Objects.equals(name, that.name);
+    }
+
+    @Override
+    public int hashCode() {
+        int hashCode = 1;
+        hashCode = 31 * hashCode + Objects.hashCode(clazz);
+        hashCode = 31 * hashCode + Objects.hashCode(name);
+        return hashCode;
+    }
+}