Add Login Credentials to Credential Provider Chain

Author: alextwoods

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/ProfileCredentialsUtils.java

@@ -35,6 +35,7 @@
 import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.ProcessCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.ProfileCredentialsProviderFactory;
 import software.amazon.awssdk.auth.credentials.ProfileProviderCredentialsContext;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
@@ -57,6 +58,8 @@ public final class ProfileCredentialsUtils {
         "software.amazon.awssdk.services.sts.internal.StsProfileCredentialsProviderFactory";
     private static final String SSO_PROFILE_CREDENTIALS_PROVIDER_FACTORY =
         "software.amazon.awssdk.services.sso.auth.SsoProfileCredentialsProviderFactory";
+    private static final String LOGIN_PROFILE_CREDENTIALS_PROVIDER_FACTORY =
+        "software.amazon.awssdk.services.signin.auth.LoginProfileCredentialsProviderFactory";
 
     /**
      * The profile file containing {@code profile}.
@@ -144,6 +147,10 @@ private Optional<CredentialsWithFeatureId> credentialsProviderWithFeatureID(Set<
             }
         }
 
+        if (properties.containsKey(ProfileProperty.LOGIN_SESSION)) {
+            return Optional.of(loginProfileCredentialsProvider());
+        }
+
         if (properties.containsKey(ProfileProperty.CREDENTIAL_PROCESS)) {
             return Optional.of(credentialProcessCredentialsProvider());
         }
@@ -243,6 +250,20 @@ private boolean isLegacySsoConfiguration() {
         return !properties.containsKey(ProfileSection.SSO_SESSION.getPropertyKeyName());
     }
 
+    /**
+     * Create the SSO credentials provider based on the related profile properties.
+     */
+    private CredentialsWithFeatureId loginProfileCredentialsProvider() {
+        AwsCredentialsProvider provider = loginCredentialsProviderFactory().create(
+            ProfileProviderCredentialsContext.builder()
+                                             .profile(profile)
+                                             .profileFile(profileFile)
+                                             .sourceChain(BusinessMetricFeatureId.CREDENTIALS_PROFILE_LOGIN.value())
+                                             .build());
+
+        return new CredentialsWithFeatureId(provider, BusinessMetricFeatureId.CREDENTIALS_PROFILE_LOGIN.value());
+    }
+
     private CredentialsWithFeatureId roleAndWebIdentityTokenProfileCredentialsProvider() {
         requireProperties(ProfileProperty.ROLE_ARN, ProfileProperty.WEB_IDENTITY_TOKEN_FILE);
 
@@ -418,4 +439,17 @@ private ProfileCredentialsProviderFactory ssoCredentialsProviderFactory() {
             throw new IllegalStateException("Failed to create the '" + name + "' profile credentials provider.", e);
         }
     }
+
+    private ProfileCredentialsProviderFactory loginCredentialsProviderFactory() {
+        try {
+            Class<?> loginProfileCredentialsProviderFactory =
+                ClassLoaderHelper.loadClass(LOGIN_PROFILE_CREDENTIALS_PROVIDER_FACTORY, getClass());
+            return (ProfileCredentialsProviderFactory) loginProfileCredentialsProviderFactory.getConstructor().newInstance();
+        } catch (ClassNotFoundException e) {
+            throw new IllegalStateException("To use login_session property in the '" + name + "' profile, the 'signin' service "
+                                            + "module must be on the class path.", e);
+        } catch (NoSuchMethodException | InvocationTargetException | InstantiationException | IllegalAccessException e) {
+            throw new IllegalStateException("Failed to create the '" + name + "' profile credentials provider.", e);
+        }
+    }
 }

core/profiles/src/main/java/software/amazon/awssdk/profiles/ProfileProperty.java

@@ -201,6 +201,11 @@ public final class ProfileProperty {
      */
     public static final String SIGV4A_SIGNING_REGION_SET = "sigv4a_signing_region_set";
 
+    /**
+     * Property  name for login session used with AWS Login/Sign-In Credentials.
+     */
+    public static final String LOGIN_SESSION = "login_session";
+
     private ProfileProperty() {
     }
 }

services/signin/pom.xml

@@ -56,5 +56,11 @@
             <artifactId>http-auth-aws</artifactId>
             <version>${awsjavasdk.version}</version>
         </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>profiles</artifactId>
+            <version>${awsjavasdk.version}</version>
+            <scope>compile</scope>
+        </dependency>
     </dependencies>
 </project>

services/signin/src/main/java/software/amazon/awssdk/services/signin/auth/LoginProfileCredentialsProviderFactory.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.services.signin.auth;
+
+import software.amazon.awssdk.annotations.SdkProtectedApi;
+import software.amazon.awssdk.auth.credentials.AwsCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.ProfileCredentialsProviderFactory;
+import software.amazon.awssdk.auth.credentials.ProfileProviderCredentialsContext;
+import software.amazon.awssdk.profiles.Profile;
+import software.amazon.awssdk.profiles.ProfileProperty;
+import software.amazon.awssdk.services.signin.SigninClient;
+import software.amazon.awssdk.utils.IoUtils;
+import software.amazon.awssdk.utils.SdkAutoCloseable;
+
+/**
+ * An implementation of {@link ProfileCredentialsProviderFactory} that allows users to get login credentials using the
+ * login_session specified in a {@link Profile}.
+ */
+@SdkProtectedApi
+public class LoginProfileCredentialsProviderFactory implements ProfileCredentialsProviderFactory {
+
+    /**
+     * Default method to create the {@link LoginProfileCredentialsProviderFactory} object created
+     * with the login_session from {@link Profile}  in the {@link ProfileProviderCredentialsContext}.
+     */
+    @Override
+    public AwsCredentialsProvider create(ProfileProviderCredentialsContext profileProviderCredentialsContext) {
+        return new LoginProfileCredentialsProvider(profileProviderCredentialsContext);
+    }
+
+    private static class LoginProfileCredentialsProvider implements AwsCredentialsProvider, SdkAutoCloseable {
+        private final LoginCredentialsProvider credentialsProvider;
+        private final SigninClient signinClient;
+
+        private LoginProfileCredentialsProvider(ProfileProviderCredentialsContext credentialsContext) {
+            Profile profile = credentialsContext.profile();
+            String loginSession = profile.property(ProfileProperty.LOGIN_SESSION)
+                                         .orElseThrow(() -> new IllegalArgumentException("login_session property is required"));
+
+            this.signinClient = SigninClient.create();
+            this.credentialsProvider = LoginCredentialsProvider
+                .builder()
+                .loginSession(loginSession)
+                .signinClient(signinClient)
+                .sourceChain(credentialsContext.sourceChain())
+                .build();
+
+        }
+
+        @Override
+        public AwsCredentials resolveCredentials() {
+            return this.credentialsProvider.resolveCredentials();
+        }
+
+        @Override
+        public void close() {
+            IoUtils.closeQuietly(credentialsProvider, null);
+            IoUtils.closeQuietly(signinClient, null);
+        }
+
+    }
+}

services/signin/src/test/java/software/amazon/awssdk/services/signin/auth/LoginProfileCredentialsProviderFactoryTest.java

@@ -0,0 +1,154 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.services.signin.auth;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertInstanceOf;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static software.amazon.awssdk.services.signin.auth.internal.DpopTestUtils.VALID_TEST_PEM;
+
+import java.nio.file.Path;
+import java.time.Instant;
+import java.util.Optional;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+import software.amazon.awssdk.auth.credentials.AwsCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
+import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.ProfileProviderCredentialsContext;
+import software.amazon.awssdk.auth.credentials.internal.ProfileCredentialsUtils;
+import software.amazon.awssdk.core.useragent.BusinessMetricFeatureId;
+import software.amazon.awssdk.profiles.ProfileFile;
+import software.amazon.awssdk.services.signin.internal.AccessTokenManager;
+import software.amazon.awssdk.services.signin.internal.LoginAccessToken;
+import software.amazon.awssdk.services.signin.internal.LoginCacheDirectorySystemSetting;
+import software.amazon.awssdk.services.signin.internal.OnDiskTokenManager;
+import software.amazon.awssdk.utils.StringInputStream;
+
+public class LoginProfileCredentialsProviderFactoryTest {
+    private static final String LOGIN_SESSION_ID = "loginSessionId";
+
+    @TempDir
+    Path tempDir;
+
+    private AccessTokenManager tokenManager;
+
+    @BeforeEach
+    public void setup() {
+        System.setProperty(new LoginCacheDirectorySystemSetting().property(), tempDir.toString());
+        tokenManager = OnDiskTokenManager.create(tempDir, LOGIN_SESSION_ID);
+    }
+
+    @AfterEach
+    public void teardown() {
+        System.clearProperty(new LoginCacheDirectorySystemSetting().property());
+    }
+
+    @Test
+    public void create_returnsLoginCredentialsFromProfile() {
+        AwsSessionCredentials creds = buildCredentials( Instant.now().plusSeconds(600));
+        LoginAccessToken token = buildAccessToken(creds);
+        tokenManager.storeToken(token);
+
+        ProfileFile profileFile = configFile("[profile foo]\n" +
+                                             "login_session=" + LOGIN_SESSION_ID + "\n");
+
+        AwsCredentialsProvider provider = new LoginProfileCredentialsProviderFactory().create(
+            ProfileProviderCredentialsContext
+                .builder()
+                .profile(profileFile.profile("foo").get())
+                .profileFile(profileFile)
+                .build()
+        );
+
+        // validate the creds are from cached token file stored above
+        AwsCredentials credentials = provider.resolveCredentials();
+        assertInstanceOf(AwsSessionCredentials.class, credentials);
+        AwsSessionCredentials resolvedCredentials = (AwsSessionCredentials) credentials;
+        assertEquals(creds.accessKeyId(), resolvedCredentials.accessKeyId());
+        assertEquals(creds.secretAccessKey(), resolvedCredentials.secretAccessKey());
+        assertEquals(creds.sessionToken(), resolvedCredentials.sessionToken());
+        assertEquals(creds.accountId(), resolvedCredentials.accountId());
+        assertEquals(BusinessMetricFeatureId.CREDENTIALS_LOGIN.value(), resolvedCredentials.providerName().get());
+    }
+
+    /**
+     * This test validates that the {@link ProfileCredentialsUtils} used in the {@link ProfileCredentialsProvider}
+     * correctly loads and configures login session credentials using the factory.
+     * This test exists in this module because it depends on having the `signin` module available.
+     */
+    @Test
+    public void profileCredentialsUtils_returnsLoginCredentialsFromProfile() {
+        AwsSessionCredentials creds = buildCredentials( Instant.now().plusSeconds(600));
+        LoginAccessToken token = buildAccessToken(creds);
+        tokenManager.storeToken(token);
+
+        ProfileFile profileFile = configFile("[profile foo]\n" +
+                                             "login_session=" + LOGIN_SESSION_ID + "\n");
+
+        ProfileCredentialsUtils profileCredentialsUtils = new ProfileCredentialsUtils(
+            profileFile, profileFile.profile("foo").get(), profileFile::profile
+        );
+
+        Optional<AwsCredentialsProvider> resolvedProvider = profileCredentialsUtils.credentialsProvider();
+        assertTrue(resolvedProvider.isPresent());
+
+        // validate the creds are from cached token file stored above
+        AwsCredentials credentials = resolvedProvider.get().resolveCredentials();
+        assertInstanceOf(AwsSessionCredentials.class, credentials);
+        AwsSessionCredentials resolvedCredentials = (AwsSessionCredentials) credentials;
+        assertEquals(creds.accessKeyId(), resolvedCredentials.accessKeyId());
+        assertEquals(creds.secretAccessKey(), resolvedCredentials.secretAccessKey());
+        assertEquals(creds.sessionToken(), resolvedCredentials.sessionToken());
+        assertEquals(creds.accountId(), resolvedCredentials.accountId());
+        String expectedCredSource = BusinessMetricFeatureId.CREDENTIALS_PROFILE_LOGIN.value() + ","
+                                    + BusinessMetricFeatureId.CREDENTIALS_LOGIN.value();
+        assertEquals(expectedCredSource, resolvedCredentials.providerName().get());
+    }
+
+    private static ProfileFile configFile(String configFile) {
+        return ProfileFile.builder()
+                          .content(new StringInputStream(configFile))
+                          .type(ProfileFile.Type.CONFIGURATION)
+                          .build();
+    }
+
+
+
+    private AwsSessionCredentials buildCredentials(Instant expirationTime) {
+        return AwsSessionCredentials.builder()
+                                    .accessKeyId("akid")
+                                    .secretAccessKey("skid")
+                                    .sessionToken("sessionToken")
+                                    .accountId("123456789012")
+                                    .expirationTime(expirationTime)
+                                    .build();
+    }
+
+    private LoginAccessToken buildAccessToken(AwsSessionCredentials credentials) {
+        return LoginAccessToken.builder()
+                               .accessToken(credentials)
+                               .clientId("client-123")
+                               .dpopKey(VALID_TEST_PEM)
+                               .refreshToken("refresh-token")
+                               .tokenType("aws_sigv4")
+                               .identityToken("id-token")
+                               .build();
+    }
+}