Add token based authentication (#4192)

Co-authored-by: AllanZhengYP <[email protected]>

Author: trivikr

.changes/next-release/feature-Token-019f9710.json

@@ -0,0 +1,5 @@
+{
+  "type": "feature",
+  "category": "Token",
+  "description": "Read sso data from sso-session section in SSOTokenProvider"
+}

.changes/next-release/feature-Token-0ea345ef.json

@@ -0,0 +1,5 @@
+{
+  "type": "feature",
+  "category": "Token",
+  "description": "Set token from AWS.Signers.Bearer when specified by authtype/signatureVersion"
+}

.changes/next-release/feature-token-5f5ccf51.json

@@ -0,0 +1,5 @@
+{
+  "type": "feature",
+  "category": "token",
+  "description": "Add TokenProviderChain with Token/Static/SSO"
+}

lib/config-base.d.ts

@@ -3,13 +3,19 @@ import {Agent as httpsAgent} from 'https';
 import {AWSError} from './error';
 import {Credentials, CredentialsOptions} from './credentials';
 import {CredentialProviderChain} from './credentials/credential_provider_chain';
+import {Token} from './token';
+import {TokenProviderChain} from './token/token_provider_chain';
 
 export class ConfigBase extends ConfigurationOptions{
     constructor(options?: ConfigurationOptions);
     /**
      * Loads credentials from the configuration object.
      */
     getCredentials(callback: (err: AWSError|null, credentials: Credentials|CredentialsOptions|null) => void): void;
+    /**
+     * Loads token from the token object.
+     */
+    getToken(callback: (err: AWSError|null, token: Token|null) => void): void;
     /**
      * Loads configuration data from a JSON file into this config object.
      * Loading configuration will reset all existing configuration on the object.
@@ -149,6 +155,14 @@ export abstract class ConfigurationOptions {
      * The provider chain used to resolve credentials if no static credentials property is set.
      */
     credentialProvider?: CredentialProviderChain
+    /**
+     * The Token to authenticate requests with.
+     */
+    token?: Token|null
+    /**
+     * The provider chain used to resolve token if no static token property is set.
+     */
+    tokenProvider?: TokenProviderChain
     /**
      * AWS access key ID.
      *

lib/config.js

@@ -442,6 +442,82 @@ AWS.Config = AWS.util.inherit({
     }
   },
 
+  /**
+   * Loads token from the configuration object. This is used internally
+   * by the SDK to ensure that refreshable {Token} objects are properly
+   * refreshed and loaded when sending a request. If you want to ensure that
+   * your token is loaded prior to a request, you can use this method
+   * directly to provide accurate token data stored in the object.
+   *
+   * @note If you configure the SDK with static token, the token data should
+   *   already be present in {token} attribute. This method is primarily necessary
+   *   to load token from asynchronous sources, or sources that can refresh
+   *   token periodically.
+   * @example Getting your access token
+   *   AWS.config.getToken(function(err) {
+   *     if (err) console.log(err.stack); // token not loaded
+   *     else console.log("Token:", AWS.config.token.token);
+   *   })
+   * @callback callback function(err)
+   *   Called when the {token} have been properly set on the configuration object.
+   *
+   *   @param err [Error] if this is set, token was not successfully loaded and
+   *     this error provides information why.
+   * @see token
+   */
+  getToken: function getToken(callback) {
+    var self = this;
+
+    function finish(err) {
+      callback(err, err ? null : self.token);
+    }
+
+    function tokenError(msg, err) {
+      return new AWS.util.error(err || new Error(), {
+        code: 'TokenError',
+        message: msg,
+        name: 'TokenError'
+      });
+    }
+
+    function getAsyncToken() {
+      self.token.get(function(err) {
+        if (err) {
+          var msg = 'Could not load token from ' +
+            self.token.constructor.name;
+          err = tokenError(msg, err);
+        }
+        finish(err);
+      });
+    }
+
+    function getStaticToken() {
+      var err = null;
+      if (!self.token.token) {
+        err = tokenError('Missing token');
+      }
+      finish(err);
+    }
+
+    if (self.token) {
+      if (typeof self.token.get === 'function') {
+        getAsyncToken();
+      } else { // static token
+        getStaticToken();
+      }
+    } else if (self.tokenProvider) {
+      self.tokenProvider.resolve(function(err, token) {
+        if (err) {
+          err = tokenError('Could not load token from any providers', err);
+        }
+        self.token = token;
+        finish(err);
+      });
+    } else {
+      finish(tokenError('No token to load'));
+    }
+  },
+
   /**
    * @!group Loading and Setting Configuration Options
    */
@@ -575,7 +651,8 @@ AWS.Config = AWS.util.inherit({
     hostPrefixEnabled: true,
     stsRegionalEndpoints: 'legacy',
     useFipsEndpoint: false,
-    useDualstackEndpoint: false
+    useDualstackEndpoint: false,
+    token: null
   },
 
   /**

lib/event_listeners.js

@@ -255,37 +255,56 @@ AWS.EventListeners = {
       var authtype = operation ? operation.authtype : '';
       if (!service.api.signatureVersion && !authtype && !service.config.signatureVersion) return done(); // none
 
-      service.config.getCredentials(function (err, credentials) {
-        if (err) {
-          req.response.error = err;
-          return done();
-        }
+      if (authtype === 'bearer' || service.config.signatureVersion === 'bearer') {
+        service.config.getToken(function (err, token) {
+          if (err) {
+            req.response.error = err;
+            return done();
+          }
 
-        try {
-          var date = service.getSkewCorrectedDate();
-          var SignerClass = service.getSignerClass(req);
-          var signer = new SignerClass(req.httpRequest,
-            service.getSigningName(req),
-            {
-              signatureCache: service.config.signatureCache,
-              operation: operation,
-              signatureVersion: service.api.signatureVersion
-            });
-          signer.setServiceClientId(service._clientId);
-
-          // clear old authorization headers
-          delete req.httpRequest.headers['Authorization'];
-          delete req.httpRequest.headers['Date'];
-          delete req.httpRequest.headers['X-Amz-Date'];
-
-          // add new authorization
-          signer.addAuthorization(credentials, date);
-          req.signedAt = date;
-        } catch (e) {
-          req.response.error = e;
-        }
-        done();
-      });
+          try {
+            var SignerClass = service.getSignerClass(req);
+            var signer = new SignerClass(req.httpRequest);
+            signer.addAuthorization(token);
+          } catch (e) {
+            req.response.error = e;
+          }
+          done();
+        });
+      } else {
+        service.config.getCredentials(function (err, credentials) {
+          if (err) {
+            req.response.error = err;
+            return done();
+          }
+
+          try {
+            var date = service.getSkewCorrectedDate();
+            var SignerClass = service.getSignerClass(req);
+            var signer = new SignerClass(req.httpRequest,
+              service.getSigningName(req),
+              {
+                signatureCache: service.config.signatureCache,
+                operation: operation,
+                signatureVersion: service.api.signatureVersion
+              });
+            signer.setServiceClientId(service._clientId);
+
+            // clear old authorization headers
+            delete req.httpRequest.headers['Authorization'];
+            delete req.httpRequest.headers['Date'];
+            delete req.httpRequest.headers['X-Amz-Date'];
+
+            // add new authorization
+            signer.addAuthorization(credentials, date);
+            req.signedAt = date;
+          } catch (e) {
+            req.response.error = e;
+          }
+          done();
+        });
+
+      }
     });
 
     add('VALIDATE_RESPONSE', 'validateResponse', function VALIDATE_RESPONSE(resp) {

lib/node_loader.js

@@ -87,7 +87,7 @@ require('./credentials/shared_ini_file_credentials');
 require('./credentials/process_credentials');
 require('./credentials/sso_credentials');
 
-// Setup default chain providers
+// Setup default providers for credentials chain
 // If this changes, please update documentation for
 // AWS.CredentialProviderChain.defaultProviders in
 // credentials/credential_provider_chain.js
@@ -102,6 +102,19 @@ AWS.CredentialProviderChain.defaultProviders = [
   function () { return new AWS.EC2MetadataCredentials(); }
 ];
 
+// Load custom token providers
+require('./token');
+require('./token/token_provider_chain');
+require('./token/sso_token_provider');
+
+// Setup default providers for token chain
+// If this changes, please update documentation for
+// AWS.TokenProviderChain.defaultProviders in
+// token/token_provider_chain.js
+AWS.TokenProviderChain.defaultProviders = [
+  function () { return new AWS.SSOTokenProvider(); },
+];
+
 var getRegion = function() {
   var env = process.env;
   var region = env.AWS_REGION || env.AMAZON_REGION;
@@ -173,6 +186,9 @@ AWS.util.update(AWS.Config.prototype.keys, {
     var region = getRegion();
     return region ? getRealRegion(region): undefined;
   },
+  tokenProvider: function() {
+    return new AWS.TokenProviderChain();
+  },
   useFipsEndpoint: function() {
     var region = getRegion();
     return isFipsRegion(region)

lib/service.js

@@ -499,6 +499,8 @@ AWS.Service = inherit({
       version = this.config.signatureVersion;
     } else if (authtype === 'v4' || authtype === 'v4-unsigned-body') {
       version = 'v4';
+    } else if (authtype === 'bearer') {
+      version = 'bearer';
     } else {
       version = this.api.signatureVersion;
     }

lib/shared-ini/ini-loader.d.ts

@@ -27,15 +27,4 @@ export class IniLoader{
  * @returns {object} object of all profile information in the file
  */
   loadFrom(options: LoadFileOptions): IniFileContent;
-}
-
-/**
- * Read specified file and return parsed config object. This method will always
- * read from disk and won't update cache. This is a lower level function of 
- * loadFrom().
- * @param filename [string] valid readable file path containing aws credentials
- * or aws configs
- * @param isConfig [boolean] true if specified file is an aws config file; false
- * if the file is an aws credentials file
- */
-export function parseFile(filename: string, isConfig: boolean): IniFileContent;
+}