Auth API update (aws#115)

* Update auth implementation against updated signing interface

Author: bretambrose

aws-common-runtime/aws-c-auth

@@ -40,11 +40,12 @@ namespace Aws
             class AWS_CRT_CPP_API Credentials
             {
               public:
-                Credentials(aws_credentials *credentials, Allocator *allocator = g_allocator) noexcept;
+                Credentials(aws_credentials *credentials) noexcept;
                 Credentials(
                     ByteCursor access_key_id,
                     ByteCursor secret_access_key,
                     ByteCursor session_token,
+                    uint64_t expiration_timepoint_in_seconds,
                     Allocator *allocator = g_allocator) noexcept;
 
                 ~Credentials();
@@ -69,6 +70,11 @@ namespace Aws
                  */
                 ByteCursor GetSessionToken() const noexcept;
 
+                /**
+                 * Gets the expiration timestamp for the credentials, or UINT64_MAX if no expiration
+                 */
+                uint64_t GetExpirationTimepointInSeconds() const noexcept;
+
                 /**
                  * Validity check - returns true if the instance is valid, false otherwise
                  */
@@ -87,7 +93,7 @@ namespace Aws
              * Callback invoked by credentials providers when resolution succeeds (credentials will be non-null)
              * or fails (credentials will be null)
              */
-            using OnCredentialsResolved = std::function<void(std::shared_ptr<Credentials>)>;
+            using OnCredentialsResolved = std::function<void(std::shared_ptr<Credentials>, int errorCode)>;
 
             /**
              * Base interface for all credentials providers.  Credentials providers are objects that
@@ -325,7 +331,7 @@ namespace Aws
                     Allocator *allocator = g_allocator);
 
               private:
-                static void s_onCredentialsResolved(aws_credentials *credentials, void *user_data);
+                static void s_onCredentialsResolved(aws_credentials *credentials, int error_code, void *user_data);
 
                 Allocator *m_allocator;
                 aws_credentials_provider *m_provider;

aws-common-runtime/aws-c-common

@@ -20,7 +20,6 @@
 #include <aws/crt/Types.h>
 #include <aws/crt/auth/Signing.h>
 
-struct aws_signer;
 struct aws_signing_config_aws;
 
 namespace Aws
@@ -34,20 +33,33 @@ namespace Aws
 
             enum class SigningAlgorithm
             {
-                SigV4Header = AWS_SIGNING_ALGORITHM_SIG_V4_HEADER,
-                SigV4QueryParam = AWS_SIGNING_ALGORITHM_SIG_V4_QUERY_PARAM,
+                SigV4 = AWS_SIGNING_ALGORITHM_V4,
+            };
 
-                Count = AWS_SIGNING_ALGORITHM_COUNT
+            enum class SignatureType
+            {
+                HttpRequestViaHeaders = AWS_ST_HTTP_REQUEST_HEADERS,
+                HttpRequestViaQueryParams = AWS_ST_HTTP_REQUEST_QUERY_PARAMS,
+                HttpRequestChunk = AWS_ST_HTTP_REQUEST_CHUNK,
+                HttpRequestEvent = AWS_ST_HTTP_REQUEST_EVENT,
+            };
+
+            enum class SignedBodyValueType
+            {
+                Empty = AWS_SBVT_EMPTY,
+                Payload = AWS_SBVT_PAYLOAD,
+                UnsignedPayload = AWS_SBVT_UNSIGNED_PAYLOAD,
+                StreamingAws4HmacSha256Payload = AWS_SBVT_STREAMING_AWS4_HMAC_SHA256_PAYLOAD,
+                StreamingAws4HmacSha256Events = AWS_SBVT_STREAMING_AWS4_HMAC_SHA256_EVENTS,
             };
 
-            enum class BodySigningType
+            enum class SignedBodyHeaderType
             {
-                NoSigning = AWS_BODY_SIGNING_OFF,
-                SignBody = AWS_BODY_SIGNING_ON,
-                UnsignedPayload = AWS_BODY_SIGNING_UNSIGNED_PAYLOAD
+                None = AWS_SBHT_NONE,
+                XAmzContentSha256 = AWS_SBHT_X_AMZ_CONTENT_SHA256,
             };
 
-            using ShouldSignParameterCb = bool (*)(const Crt::ByteCursor *, void *);
+            using ShouldSignHeaderCb = bool (*)(const Crt::ByteCursor *, void *);
 
             /**
              * Wrapper around the configuration structure specific to the AWS
@@ -71,6 +83,16 @@ namespace Aws
                  */
                 void SetSigningAlgorithm(SigningAlgorithm algorithm) noexcept;
 
+                /**
+                 * Gets the type of signature we want to calculate
+                 */
+                SignatureType GetSignatureType() const noexcept;
+
+                /**
+                 * Sets the type of signature we want to calculate
+                 */
+                void SetSignatureType(SignatureType signatureType) noexcept;
+
                 /**
                  * Gets the AWS region to sign against
                  */
@@ -129,45 +151,91 @@ namespace Aws
                  */
                 void SetShouldNormalizeUriPath(bool shouldNormalizeUriPath) noexcept;
 
+                /**
+                 * Gets whether or not to omit the session token during signing.  Only set to true when performing
+                 * a websocket handshake with IoT Core.
+                 */
+                bool GetOmitSessionToken() const noexcept;
+
+                /**
+                 * Sets whether or not to omit the session token during signing.  Only set to true when performing
+                 * a websocket handshake with IoT Core.
+                 */
+                void SetOmitSessionToken(bool omitSessionToken) noexcept;
+
                 /**
                  * Gets the ShouldSignHeadersCb from the underlying config.
                  */
-                ShouldSignParameterCb GetShouldSignParameterCallback() const noexcept;
+                ShouldSignHeaderCb GetShouldSignHeaderCallback() const noexcept;
 
                 /**
                  * Sets a callback invoked during the signing process for white-listing headers that can be signed.
                  * If you do not set this, all headers will be signed.
                  */
-                void SetShouldSignHeadersCallback(ShouldSignParameterCb shouldSignParameterCb) noexcept;
+                void SetShouldSignHeaderCallback(ShouldSignHeaderCb shouldSignHeaderCb) noexcept;
+
+                /**
+                 * Gets the value to use for the canonical request's payload
+                 */
+                SignedBodyValueType GetSignedBodyValue() const noexcept;
+
+                /**
+                 * Sets the value to use for the canonical request's payload
+                 */
+                void SetSignedBodyValue(SignedBodyValueType signedBodyValue) noexcept;
+
+                /**
+                 * Gets the name of the header to add that stores the signed body value
+                 */
+                SignedBodyHeaderType GetSignedBodyHeader() const noexcept;
 
                 /**
-                 * Gets whether or not the signer should add the x-amz-content-sha256 header (with appropriate value) to
-                 * the canonical request.
+                 * Sets the name of the header to add that stores the signed body value
                  */
-                BodySigningType GetBodySigningType() const noexcept;
+                void SetSignedBodyHeader(SignedBodyHeaderType signedBodyHeader) noexcept;
 
                 /**
-                 * Sets whether or not the signer should add the x-amz-content-sha256 header (with appropriate value) to
-                 * the canonical request.
+                 * (Query param signing only) Gets the amount of time, in seconds, the (pre)signed URI will be good for
+                 */
+                uint64_t GetExpirationInSeconds() const noexcept;
+
+                /**
+                 * (Query param signing only) Sets the amount of time, in seconds, the (pre)signed URI will be good for
+                 */
+                void SetExpirationInSeconds(uint64_t expirationInSeconds) noexcept;
+
+                /*
+                 * For Sigv4 signing, either the credentials provider or the credentials must be set.
+                 * Credentials, if set, takes precedence over the provider.
                  */
-                void SetBodySigningType(BodySigningType bodysigningType) noexcept;
 
                 /**
                  *  Get the credentials provider to use for signing.
                  */
                 const std::shared_ptr<ICredentialsProvider> &GetCredentialsProvider() const noexcept;
 
                 /**
-                 *  Set the credentials provider to use for signing, this is mandatory for sigv4.
+                 *  Set the credentials provider to use for signing.
                  */
                 void SetCredentialsProvider(const std::shared_ptr<ICredentialsProvider> &credsProvider) noexcept;
 
+                /**
+                 *  Get the credentials to use for signing.
+                 */
+                const std::shared_ptr<Credentials> &GetCredentials() const noexcept;
+
+                /**
+                 *  Set the credentials to use for signing.
+                 */
+                void SetCredentials(const std::shared_ptr<Credentials> &credentials) noexcept;
+
                 /// @private
                 const struct aws_signing_config_aws *GetUnderlyingHandle() const noexcept;
 
               private:
                 Allocator *m_allocator;
-                std::shared_ptr<ICredentialsProvider> m_credentials;
+                std::shared_ptr<ICredentialsProvider> m_credentialsProvider;
+                std::shared_ptr<Credentials> m_credentials;
                 struct aws_signing_config_aws m_config;
                 Crt::String m_signingRegion;
                 Crt::String m_serviceName;

aws-common-runtime/aws-c-mqtt

@@ -28,32 +28,40 @@ namespace Aws
     {
         namespace Auth
         {
-            Credentials::Credentials(aws_credentials *credentials, Allocator *allocator) noexcept
-                : m_credentials(aws_credentials_new_copy(allocator, credentials))
+            Credentials::Credentials(aws_credentials *credentials) noexcept : m_credentials(credentials)
             {
+                if (credentials != nullptr)
+                {
+                    aws_credentials_acquire(credentials);
+                }
             }
 
             Credentials::Credentials(
                 ByteCursor access_key_id,
                 ByteCursor secret_access_key,
                 ByteCursor session_token,
+                uint64_t expiration_timepoint_in_seconds,
                 Allocator *allocator) noexcept
-                : m_credentials(
-                      aws_credentials_new_from_cursors(allocator, &access_key_id, &secret_access_key, &session_token))
+                : m_credentials(aws_credentials_new(
+                      allocator,
+                      access_key_id,
+                      secret_access_key,
+                      session_token,
+                      expiration_timepoint_in_seconds))
             {
             }
 
             Credentials::~Credentials()
             {
-                aws_credentials_destroy(m_credentials);
+                aws_credentials_release(m_credentials);
                 m_credentials = nullptr;
             }
 
             ByteCursor Credentials::GetAccessKeyId() const noexcept
             {
                 if (m_credentials)
                 {
-                    return aws_byte_cursor_from_string(m_credentials->access_key_id);
+                    return aws_credentials_get_access_key_id(m_credentials);
                 }
                 else
                 {
@@ -65,7 +73,7 @@ namespace Aws
             {
                 if (m_credentials)
                 {
-                    return aws_byte_cursor_from_string(m_credentials->secret_access_key);
+                    return aws_credentials_get_secret_access_key(m_credentials);
                 }
                 else
                 {
@@ -77,14 +85,26 @@ namespace Aws
             {
                 if (m_credentials)
                 {
-                    return aws_byte_cursor_from_string(m_credentials->session_token);
+                    return aws_credentials_get_session_token(m_credentials);
                 }
                 else
                 {
                     return ByteCursor{0, nullptr};
                 }
             }
 
+            uint64_t Credentials::GetExpirationTimepointInSeconds() const noexcept
+            {
+                if (m_credentials)
+                {
+                    return aws_credentials_get_expiration_timepoint_seconds(m_credentials);
+                }
+                else
+                {
+                    return 0;
+                }
+            }
+
             Credentials::operator bool() const noexcept { return m_credentials != nullptr; }
 
             CredentialsProvider::CredentialsProvider(aws_credentials_provider *provider, Allocator *allocator) noexcept
@@ -109,14 +129,18 @@ namespace Aws
                 std::shared_ptr<const CredentialsProvider> m_provider;
             };
 
-            void CredentialsProvider::s_onCredentialsResolved(aws_credentials *credentials, void *user_data)
+            void CredentialsProvider::s_onCredentialsResolved(
+                aws_credentials *credentials,
+                int error_code,
+                void *user_data)
             {
                 CredentialsProviderCallbackArgs *callbackArgs =
                     static_cast<CredentialsProviderCallbackArgs *>(user_data);
 
-                auto credentialsPtr = std::make_shared<Credentials>(credentials, callbackArgs->m_provider->m_allocator);
+                auto credentialsPtr =
+                    Aws::Crt::MakeShared<Credentials>(callbackArgs->m_provider->m_allocator, credentials);
 
-                callbackArgs->m_onCredentialsResolved(credentialsPtr);
+                callbackArgs->m_onCredentialsResolved(credentialsPtr, error_code);
 
                 Aws::Crt::Delete(callbackArgs, callbackArgs->m_provider->m_allocator);
             }