
Accept and use the new AWS Credentials interfaces #3829

Expand Up @@ -363,9 +363,11 @@ protected MethodSpec.Builder operationBody(MethodSpec.Builder builder, Operation
builder.beginControlFlow("if (endpointDiscoveryEnabled)");

builder.addCode("$T key = $N.overrideConfiguration()", String.class, opModel.getInput().getVariableName())
.addCode(" .flatMap($T::credentialsProvider)", AwsRequestOverrideConfiguration.class)
.addCode(" .orElseGet(() -> clientConfiguration.option($T.CREDENTIALS_PROVIDER))", AwsClientOption.class)
.addCode(" .resolveCredentials().accessKeyId();");
.addCode(" .flatMap($T::credentialsIdentityProvider)", AwsRequestOverrideConfiguration.class)
.addCode(" .orElseGet(() -> clientConfiguration.option($T.CREDENTIALS_IDENTITY_PROVIDER))",
AwsClientOption.class)
// TODO: avoid join inside async
.addCode(" .resolveIdentity().join().accessKeyId();");

builder.addCode("$1T endpointDiscoveryRequest = $1T.builder()", EndpointDiscoveryRequest.class)
.addCode(" .required($L)", opModel.getInputShape().getEndpointDiscovery().isRequired())
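Review bot: The generated key lookup now ends in `.resolveIdentity().join()`, which blocks the calling thread inside an operation that returns a future; a slow identity provider (one that makes a network call to fetch credentials, say) would stall the caller before any future is handed back. A failure would also be thrown from `join()` rather than delivered through the returned future, unless generated code outside this hunk catches it. The `// TODO: avoid join inside async` comment records the first half only; I would widen it to `// TODO: join() blocks the caller and throws CompletionException here; chain on resolveIdentity() instead`, and do the chaining with a `thenCompose` stage ahead of the endpoint-discovery request. `operationBody` begins and ends outside the hunk.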
Expand Up @@ -244,9 +244,10 @@ private List<MethodSpec> operationMethodSpecs(OperationModel opModel) {
method.beginControlFlow("if (endpointDiscoveryEnabled)");

method.addCode("$T key = $N.overrideConfiguration()", String.class, opModel.getInput().getVariableName())
.addCode(" .flatMap($T::credentialsProvider)", AwsRequestOverrideConfiguration.class)
.addCode(" .orElseGet(() -> clientConfiguration.option($T.CREDENTIALS_PROVIDER))", AwsClientOption.class)
.addCode(" .resolveCredentials().accessKeyId();");
.addCode(" .flatMap($T::credentialsIdentityProvider)", AwsRequestOverrideConfiguration.class)
.addCode(" .orElseGet(() -> clientConfiguration.option($T.CREDENTIALS_IDENTITY_PROVIDER))",
AwsClientOption.class)
.addCode(" .resolveIdentity().join().accessKeyId();");

method.addCode("$1T endpointDiscoveryRequest = $1T.builder()", EndpointDiscoveryRequest.class)
.addCode(" .required($L)", opModel.getInputShape().getEndpointDiscovery().isRequired())
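Review bot: In the sync generator the key chain now ends in `.resolveIdentity().join()`, so a credential-resolution failure reaches the caller wrapped in `java.util.concurrent.CompletionException`, where the removed `resolveCredentials()` call threw the provider's exception directly (this assumes `resolveIdentity()` returns a `CompletableFuture`, which the `join()` call suggests). Callers that catch the SDK's own exception type around a request would stop matching on this path. The same wrapping applies to the lambda in `CredentialUtils.toCredentialsProvider`, where the commit leaves a TODO; here there is none, so at minimum add `// TODO: unwrap CompletionException from join() so sync callers see the original failure`. `operationMethodSpecs` continues outside the hunk.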
Expand Up @@ -174,9 +174,9 @@ public CompletableFuture<TestDiscoveryIdentifiersRequiredResponse> testDiscovery
URI cachedEndpoint = null;
if (endpointDiscoveryEnabled) {
String key = testDiscoveryIdentifiersRequiredRequest.overrideConfiguration()
.flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
.accessKeyId();
.flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
.resolveIdentity().join().accessKeyId();
EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(true)
.defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
.overrideConfiguration(testDiscoveryIdentifiersRequiredRequest.overrideConfiguration().orElse(null))
Expand Down Expand Up @@ -242,9 +242,9 @@ public CompletableFuture<TestDiscoveryOptionalResponse> testDiscoveryOptional(
URI cachedEndpoint = null;
if (endpointDiscoveryEnabled) {
String key = testDiscoveryOptionalRequest.overrideConfiguration()
.flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
.accessKeyId();
.flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
.resolveIdentity().join().accessKeyId();
EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(false)
.defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
.overrideConfiguration(testDiscoveryOptionalRequest.overrideConfiguration().orElse(null)).build();
Expand Down Expand Up @@ -317,9 +317,9 @@ public CompletableFuture<TestDiscoveryRequiredResponse> testDiscoveryRequired(
URI cachedEndpoint = null;
if (endpointDiscoveryEnabled) {
String key = testDiscoveryRequiredRequest.overrideConfiguration()
.flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
.accessKeyId();
.flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
.resolveIdentity().join().accessKeyId();
EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(true)
.defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
.overrideConfiguration(testDiscoveryRequiredRequest.overrideConfiguration().orElse(null)).build();
Expand Up @@ -151,9 +151,9 @@ public TestDiscoveryIdentifiersRequiredResponse testDiscoveryIdentifiersRequired
URI cachedEndpoint = null;
if (endpointDiscoveryEnabled) {
String key = testDiscoveryIdentifiersRequiredRequest.overrideConfiguration()
.flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
.accessKeyId();
.flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
.resolveIdentity().join().accessKeyId();
EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(true)
.defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
.overrideConfiguration(testDiscoveryIdentifiersRequiredRequest.overrideConfiguration().orElse(null)).build();
Expand Down Expand Up @@ -208,9 +208,9 @@ public TestDiscoveryOptionalResponse testDiscoveryOptional(TestDiscoveryOptional
URI cachedEndpoint = null;
if (endpointDiscoveryEnabled) {
String key = testDiscoveryOptionalRequest.overrideConfiguration()
.flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
.accessKeyId();
.flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
.resolveIdentity().join().accessKeyId();
EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(false)
.defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
.overrideConfiguration(testDiscoveryOptionalRequest.overrideConfiguration().orElse(null)).build();
Expand Down Expand Up @@ -272,9 +272,9 @@ public TestDiscoveryRequiredResponse testDiscoveryRequired(TestDiscoveryRequired
URI cachedEndpoint = null;
if (endpointDiscoveryEnabled) {
String key = testDiscoveryRequiredRequest.overrideConfiguration()
.flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
.accessKeyId();
.flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
.orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
.resolveIdentity().join().accessKeyId();
EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(true)
.defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
.overrideConfiguration(testDiscoveryRequiredRequest.overrideConfiguration().orElse(null)).build();
Expand Up @@ -16,6 +16,9 @@
package software.amazon.awssdk.auth.credentials;

import software.amazon.awssdk.annotations.SdkProtectedApi;
import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
import software.amazon.awssdk.identity.spi.AwsSessionCredentialsIdentity;
import software.amazon.awssdk.identity.spi.IdentityProvider;

@SdkProtectedApi
public final class CredentialUtils {
Expand All @@ -28,6 +31,76 @@ private CredentialUtils() {
* authenticate themselves.
*/
public static boolean isAnonymous(AwsCredentials credentials) {
return isAnonymous((AwsCredentialsIdentity) credentials);
}

/**
* Determine whether the provided credentials are anonymous credentials, indicating that the customer is not attempting to
* authenticate themselves.
*/
public static boolean isAnonymous(AwsCredentialsIdentity credentials) {
return credentials.secretAccessKey() == null && credentials.accessKeyId() == null;
}

/**
* Converts an {@link AwsCredentialsIdentity} to {@link AwsCredentials}.
*
* <p>Usage of the new AwsCredentialsIdentity type is preferred over AwsCredentials. But some places may need to still
* convert to the older AwsCredentials type to work with existing code.</p>
*
* <p>The conversion is only aware of {@link AwsCredentialsIdentity} and {@link AwsSessionCredentialsIdentity} types. If the
* input is another sub-type that has other properties, they are not carried over. i.e.,
* <ul>
* <li>AwsSessionCredentialsIdentity -> AwsSessionCredentials</li>
* <li>AwsCredentialsIdentity -> AwsBasicCredentials</li>
* </ul>
* </p>
*
* @param awsCredentialsIdentity The {@link AwsCredentialsIdentity} to convert
* @return The corresponding {@link AwsCredentials}
*/
public static AwsCredentials toCredentials(AwsCredentialsIdentity awsCredentialsIdentity) {
if (awsCredentialsIdentity == null) {
return null;
}
if (awsCredentialsIdentity instanceof AwsCredentials) {
return (AwsCredentials) awsCredentialsIdentity;
}

// identity-spi defines 2 known types - AwsCredentialsIdentity and a sub-type AwsSessionCredentialsIdentity
if (awsCredentialsIdentity instanceof AwsSessionCredentialsIdentity) {
AwsSessionCredentialsIdentity awsSessionCredentialsIdentity = (AwsSessionCredentialsIdentity) awsCredentialsIdentity;
return AwsSessionCredentials.create(awsSessionCredentialsIdentity.accessKeyId(),
awsSessionCredentialsIdentity.secretAccessKey(),
awsSessionCredentialsIdentity.sessionToken());
}
if (isAnonymous(awsCredentialsIdentity)) {
return AwsBasicCredentials.ANONYMOUS_CREDENTIALS;
}
return AwsBasicCredentials.create(awsCredentialsIdentity.accessKeyId(),
awsCredentialsIdentity.secretAccessKey());
}

/**
* Converts an {@link IdentityProvider<? extends AwsCredentialsIdentity>} to {@link AwsCredentialsProvider} based on
* {@link #toCredentials(AwsCredentialsIdentity)}.
*
* <p>Usage of the new IdentityProvider type is preferred over AwsCredentialsProvider. But some places may need to still
* convert to the older AwsCredentialsProvider type to work with existing code.
* </p>
*
* @param identityProvider The {@link IdentityProvider<? extends AwsCredentialsIdentity>} to convert
* @return The corresponding {@link AwsCredentialsProvider}
*/
public static AwsCredentialsProvider toCredentialsProvider(
IdentityProvider<? extends AwsCredentialsIdentity> identityProvider) {
if (identityProvider == null) {
return null;
}
return () -> {
// TODO: Exception handling for CompletionException thrown from join?
AwsCredentialsIdentity awsCredentialsIdentity = identityProvider.resolveIdentity().join();
return toCredentials(awsCredentialsIdentity);
};
}
}
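Review bot: `toCredentialsProvider` wraps every input in a new lambda, even one that is already an `AwsCredentialsProvider`, whereas `toCredentials` just above returns an existing `AwsCredentials` unchanged. The wrapper hides the original provider's type, so anything a caller relies on beyond `resolveCredentials()` (a `toString()` used in diagnostics, or closing the provider) would be lost. Assuming `AwsCredentialsProvider` is itself an `IdentityProvider`, add `if (identityProvider instanceof AwsCredentialsProvider) { return (AwsCredentialsProvider) identityProvider; }` after the null check. The `{@link IdentityProvider<? extends AwsCredentialsIdentity>}` tags in the new Javadoc carry generics, which `{@link}` does not accept; `{@link IdentityProvider}` is enough.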