Skip to content

Add new Identity interfaces #3773

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Mar 4, 2023
Merged

Add new Identity interfaces #3773

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
7a8f551
Add new Identity interfaces
gosar Feb 15, 2023
04fd713
Move Impl classes to own files
gosar Feb 17, 2023
b2a44e8
Add missing @Immutable
gosar Feb 17, 2023
444848d
Address feedback - interface override and javadoc edits
gosar Mar 1, 2023
f03400a
Mark the new interfaces @ThreadSafe
gosar Mar 2, 2023
acbd8bf
Remove static create methods in AwsCredentialsIdentity and impls
gosar Mar 2, 2023
c6f4a58
Add japicmp excludes for methods moved to parent interface
gosar Mar 2, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 8 additions & 11 deletions core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AwsCredentials.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,27 +16,24 @@
package software.amazon.awssdk.auth.credentials;

import software.amazon.awssdk.annotations.SdkPublicApi;
import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;

/**
* Provides access to the AWS credentials used for accessing AWS services: AWS access key ID and secret access key. These
* credentials are used to securely sign requests to AWS services.
* Provides access to the AWS credentials used for accessing services: AWS access key ID and secret access key. These
* credentials are used to securely sign requests to services (e.g., AWS services) that use them for authentication.
*
* <p>For more details on AWS access keys, see:
* <a href="http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#AccessKeys">
* http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#AccessKeys</a></p>
* <a href="https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys">
* https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys</a></p>
*
* @see AwsCredentialsProvider
*/
@SdkPublicApi
public interface AwsCredentials {
public interface AwsCredentials extends AwsCredentialsIdentity {

/**
* Retrieve the AWS access key, used to identify the user interacting with AWS.
*/
@Override
String accessKeyId();

/**
* Retrieve the AWS secret access key, used to authenticate the user interacting with AWS.
*/
@Override
String secretAccessKey();
}
16 changes: 15 additions & 1 deletion core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AwsCredentialsProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,11 @@

package software.amazon.awssdk.auth.credentials;

import java.util.concurrent.CompletableFuture;
import software.amazon.awssdk.annotations.SdkPublicApi;
import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
import software.amazon.awssdk.identity.spi.IdentityProvider;
import software.amazon.awssdk.identity.spi.ResolveIdentityRequest;

/**
* Interface for loading {@link AwsCredentials} that are used for authentication.
Expand All @@ -27,7 +31,7 @@
*/
@FunctionalInterface
@SdkPublicApi
public interface AwsCredentialsProvider {
public interface AwsCredentialsProvider extends IdentityProvider<AwsCredentialsIdentity> {
/**
* Returns {@link AwsCredentials} that can be used to authorize an AWS request. Each implementation of AWSCredentialsProvider
* can choose its own strategy for loading credentials. For example, an implementation might load credentials from an existing
Expand All @@ -39,4 +43,14 @@ public interface AwsCredentialsProvider {
* @return AwsCredentials which the caller can use to authorize an AWS request.
*/
AwsCredentials resolveCredentials();

@Override
default Class<AwsCredentialsIdentity> identityType() {
return AwsCredentialsIdentity.class;
}

@Override
default CompletableFuture<AwsCredentialsIdentity> resolveIdentity(ResolveIdentityRequest request) {
return CompletableFuture.completedFuture(resolveCredentials());
}
}
14 changes: 3 additions & 11 deletions core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AwsSessionCredentials.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
import java.util.Objects;
import software.amazon.awssdk.annotations.Immutable;
import software.amazon.awssdk.annotations.SdkPublicApi;
import software.amazon.awssdk.identity.spi.AwsSessionCredentialsIdentity;
import software.amazon.awssdk.utils.ToString;
import software.amazon.awssdk.utils.Validate;

Expand All @@ -28,7 +29,7 @@
*/
@Immutable
@SdkPublicApi
public final class AwsSessionCredentials implements AwsCredentials {
public final class AwsSessionCredentials implements AwsCredentials, AwsSessionCredentialsIdentity {

private final String accessKeyId;
private final String secretAccessKey;
Expand All @@ -52,26 +53,17 @@ public static AwsSessionCredentials create(String accessKey, String secretKey, S
return new AwsSessionCredentials(accessKey, secretKey, sessionToken);
}

/**
* Retrieve the AWS access key, used to identify the user interacting with AWS.
*/
@Override
public String accessKeyId() {
return accessKeyId;
}

/**
* Retrieve the AWS secret access key, used to authenticate the user interacting with AWS.
*/
@Override
public String secretAccessKey() {
return secretAccessKey;
}

/**
* Retrieve the AWS session token. This token is retrieved from an AWS token service, and is used for authenticating that this
* user has received temporary permission to access some resource.
*/
@Override
public String sessionToken() {
return sessionToken;
}
Expand Down
17 changes: 5 additions & 12 deletions core/auth/src/main/java/software/amazon/awssdk/auth/token/credentials/SdkToken.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,10 @@
import java.time.Instant;
import java.util.Optional;
import software.amazon.awssdk.annotations.SdkPublicApi;
import software.amazon.awssdk.identity.spi.TokenIdentity;

/**
* Provides token which is used to securely authorize requests to AWS services.
* Provides token which is used to securely authorize requests to services.
* A token is a string that the OAuth client uses to make requests to the resource server.
*
* <p>For more details on tokens, see:
Expand All @@ -29,20 +30,12 @@
*
* @see SdkTokenProvider
*/

@SdkPublicApi
public interface SdkToken {

public interface SdkToken extends TokenIdentity {

/**
* Retrieves string field representing the literal token string.
* A token is a string that the OAuth client uses to make requests to the resource server.
*/
@Override
String token();


/**
* Retrieves the time at which the token expires.
*/
@Override
Optional<Instant> expirationTime();
}
17 changes: 15 additions & 2 deletions core/auth/src/main/java/software/amazon/awssdk/auth/token/credentials/SdkTokenProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,16 +15,19 @@

package software.amazon.awssdk.auth.token.credentials;

import java.util.concurrent.CompletableFuture;
import software.amazon.awssdk.annotations.SdkPublicApi;
import software.amazon.awssdk.auth.token.credentials.SdkToken;
import software.amazon.awssdk.identity.spi.IdentityProvider;
import software.amazon.awssdk.identity.spi.ResolveIdentityRequest;
import software.amazon.awssdk.identity.spi.TokenIdentity;

/**
* Interface for loading {@link SdkToken} that are used for authentication.
*
*/
@FunctionalInterface
@SdkPublicApi
public interface SdkTokenProvider {
public interface SdkTokenProvider extends IdentityProvider<TokenIdentity> {
/**
* Returns an {@link SdkToken} that can be used to authorize a request. Each implementation of SdkTokenProvider
* can choose its own strategy for loading token. For example, an implementation might load token from an existing
Expand All @@ -34,4 +37,14 @@ public interface SdkTokenProvider {
* @return AwsToken which the caller can use to authorize an AWS request using token authorization for a request.
*/
SdkToken resolveToken();

@Override
default Class<TokenIdentity> identityType() {
return TokenIdentity.class;
}

@Override
default CompletableFuture<TokenIdentity> resolveIdentity(ResolveIdentityRequest request) {
return CompletableFuture.completedFuture(resolveToken());
}
}
51 changes: 51 additions & 0 deletions ...dentity-spi/src/main/java/software/amazon/awssdk/identity/spi/AwsCredentialsIdentity.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

package software.amazon.awssdk.identity.spi;

import software.amazon.awssdk.annotations.SdkPublicApi;

/**
* Provides access to the AWS credentials used for accessing services: AWS access key ID and secret access key. These
* credentials are used to securely sign requests to services (e.g., AWS services) that use them for authentication.
*
* <p>For more details on AWS access keys, see:
* <a href="https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys">
* https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys</a></p>
*/
@SdkPublicApi
public interface AwsCredentialsIdentity extends Identity {

static AwsCredentialsIdentity create(String accessKeyId,
String secretAccessKey) {
return new AwsCredentialsIdentityImpl(accessKeyId, secretAccessKey);
}

static AwsSessionCredentialsIdentity create(String accessKeyId,
String secretAccessKey,
String sessionToken) {
return new AwsSessionCredentialsIdentityImpl(accessKeyId, secretAccessKey, sessionToken);
}

/**
* Retrieve the AWS access key, used to identify the user interacting with services.
*/
String accessKeyId();

/**
* Retrieve the AWS secret access key, used to authenticate the user interacting with services.
*/
String secretAccessKey();
}
73 changes: 73 additions & 0 deletions ...ity-spi/src/main/java/software/amazon/awssdk/identity/spi/AwsCredentialsIdentityImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

package software.amazon.awssdk.identity.spi;

import java.util.Objects;
import software.amazon.awssdk.annotations.Immutable;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.utils.ToString;
import software.amazon.awssdk.utils.Validate;

@Immutable
@SdkInternalApi
final class AwsCredentialsIdentityImpl implements AwsCredentialsIdentity {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't seen any mention in the design doc of a direct implementation of AwsCredentialsIdentity. Do we need this class?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is to support the static create methods in AwsCredentialsIdentity which are called out in the design doc. Cannot use the existing AwsBasicCredentials as that would be a circular dependency, so defined copies of them here as @SdkInternalApi and package-private.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're also discussing offline, but if we do decide to keep them they should be in an internal subpackage

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd vote for removing those classes. They are implementation details and we'd need to maintain two copies of the same implementations. We could consider creating a factory class in auth module that makes it easier for people to create static credentials.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 removed for now.


private final String accessKeyId;
private final String secretAccessKey;

AwsCredentialsIdentityImpl(String accessKeyId, String secretAccessKey) {
this.accessKeyId = Validate.paramNotNull(accessKeyId, "accessKeyId");
this.secretAccessKey = Validate.paramNotNull(secretAccessKey, "secretAccessKey");
}

@Override
public String accessKeyId() {
return accessKeyId;
}

@Override
public String secretAccessKey() {
return secretAccessKey;
}

@Override
public String toString() {
return ToString.builder("AwsCredentialsIdentityImpl")
.add("accessKeyId", accessKeyId)
.build();
}

@Override
public boolean equals(Object o) {
if (this == o) {
return true;
}
if (o == null || getClass() != o.getClass()) {
return false;
}
AwsCredentialsIdentityImpl that = (AwsCredentialsIdentityImpl) o;
return Objects.equals(accessKeyId, that.accessKeyId) &&
Objects.equals(secretAccessKey, that.secretAccessKey);
}

@Override
public int hashCode() {
int hashCode = 1;
hashCode = 31 * hashCode + Objects.hashCode(accessKeyId());
hashCode = 31 * hashCode + Objects.hashCode(secretAccessKey());
return hashCode;
}
}
33 changes: 33 additions & 0 deletions ...-spi/src/main/java/software/amazon/awssdk/identity/spi/AwsSessionCredentialsIdentity.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

package software.amazon.awssdk.identity.spi;

import software.amazon.awssdk.annotations.SdkPublicApi;

/**
* A special type of {@link AwsCredentialsIdentity} that provides a session token to be used in service authentication. Session
* tokens are typically provided by a token broker service, like AWS Security Token Service, and provide temporary access to an
* AWS service.
*/
@SdkPublicApi
public interface AwsSessionCredentialsIdentity extends AwsCredentialsIdentity {

/**
* Retrieve the AWS session token. This token is retrieved from an AWS token service, and is used for authenticating that this
* user has received temporary permission to access some resource.
*/
String sessionToken();
}
Loading