Updates for General HTTP Credentials provider (aka TaskRole credentia…

…ls provider)

src/aws-cpp-sdk-core/include/aws/core/auth/AWSCredentialsProvider.h

@@ -5,6 +5,8 @@
 
 
 #pragma once
+#if !defined(AWS_CREDENTIALS_PROVIDER)
+#define AWS_CREDENTIALS_PROVIDER
 
 #include <aws/core/Core_EXPORTS.h>
 #include <aws/core/utils/UnreferencedParam.h>
@@ -24,6 +26,8 @@ namespace Aws
     {
         constexpr int REFRESH_THRESHOLD = 1000 * 60 * 5;
 
+        constexpr int AWS_CREDENTIAL_PROVIDER_EXPIRATION_GRACE_PERIOD = 5 * 1000;
+
         /**
          * Returns the full path of the config file.
          */
@@ -224,54 +228,6 @@ namespace Aws
             long m_loadFrequencyMs;
         };
 
-        /**
-        * ECS credentials provider implementation that loads credentials from the Amazon
-        * ECS metadata service or an arbitrary endpoint.
-        */
-        class AWS_CORE_API TaskRoleCredentialsProvider : public AWSCredentialsProvider
-        {
-        public:
-            /**
-             * Initializes the provider to retrieve credentials from the ECS metadata service every 5 minutes,
-             * or before it expires.
-             * @param resourcePath A path appended to the metadata service endpoint.
-             * @param refreshRateMs The number of milliseconds after which the credentials will be fetched again.
-             */
-            TaskRoleCredentialsProvider(const char* resourcePath, long refreshRateMs = REFRESH_THRESHOLD);
-
-            /**
-             * Initializes the provider to retrieve credentials from a provided endpoint every 5 minutes or before it
-             * expires.
-             * @param endpoint The full URI to resolve to get credentials.
-             * @param token An optional authorization token passed to the URI via the 'Authorization' HTTP header.
-             * @param refreshRateMs The number of milliseconds after which the credentials will be fetched again.
-             */
-            TaskRoleCredentialsProvider(const char* endpoint, const char* token, long refreshRateMs = REFRESH_THRESHOLD);
-
-            /**
-             * Initializes the provider to retrieve credentials using the provided client.
-             * @param client The ECSCredentialsClient instance to use when retrieving credentials.
-             * @param refreshRateMs The number of milliseconds after which the credentials will be fetched again.
-             */
-            TaskRoleCredentialsProvider(const std::shared_ptr<Aws::Internal::ECSCredentialsClient>& client,
-                    long refreshRateMs = REFRESH_THRESHOLD);
-            /**
-            * Retrieves the credentials if found, otherwise returns empty credential set.
-            */
-            AWSCredentials GetAWSCredentials() override;
-
-        protected:
-            void Reload() override;
-        private:
-            bool ExpiresSoon() const;
-            void RefreshIfExpired();
-
-        private:
-            std::shared_ptr<Aws::Internal::ECSCredentialsClient> m_ecsCredentialsClient;
-            long m_loadFrequencyMs;
-            Aws::Auth::AWSCredentials m_credentials;
-        };
-
         /**
          * Process credentials provider that loads credentials by running another command (or program) configured in config file
          * The configuration format is as following:
@@ -315,3 +271,7 @@ namespace Aws
         };
     } // namespace Auth
 } // namespace Aws
+
+// TODO: remove on a next minor API bump from 1.11.x
+#endif // !defined(AWS_CLIENT_H)
+#include <aws/core/auth/GeneralHTTPCredentialsProvider.h>

src/aws-cpp-sdk-core/include/aws/core/auth/GeneralHTTPCredentialsProvider.h

@@ -0,0 +1,120 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+
+#pragma once
+
+#include <aws/core/auth/AWSCredentialsProvider.h>
+
+namespace Aws
+{
+    namespace Auth
+    {
+        /**
+        * General HTTP Credentials Provider (previously known as ECS credentials provider)
+        * implementation that loads credentials from an arbitrary HTTP(S) endpoint specified by the environment
+        * or loop back / Amazon ECS / Amazon EKS container host metadata services by default.
+        */
+        class AWS_CORE_API GeneralHTTPCredentialsProvider : public AWSCredentialsProvider
+        {
+        private:
+            static bool ShouldCreateGeneralHTTPProvider(const Aws::String& relativeUri, const Aws::String& absoluteUri, const Aws::String authToken);
+        public:
+            using ShouldCreateFunc = std::function<bool(const Aws::String& relativeUri, const Aws::String& absoluteUri, const Aws::String authToken)>;
+
+            /**
+             * Initializes the provider to retrieve credentials from a general http provided endpoint every 5 minutes or before it
+             * expires.
+             * @param relativeUri A path appended to the metadata service endpoint. OR
+             * @param absoluteUri The full URI to resolve to get credentials.
+             * @param authTokenFilePath A path to a file with optional authorization token passed to the URI via the 'Authorization' HTTP header.
+             * @param authToken An optional authorization token passed to the URI via the 'Authorization' HTTP header.
+             * @param refreshRateMs The number of milliseconds after which the credentials will be fetched again.
+             * @param ShouldCreateFunc
+             */
+            GeneralHTTPCredentialsProvider(const Aws::String& relativeUri,
+                                           const Aws::String& absoluteUri,
+                                           const Aws::String& authTokenFilePath = "",
+                                           const Aws::String& authToken = "",
+                                           long refreshRateMs = REFRESH_THRESHOLD,
+                                           ShouldCreateFunc shouldCreateFunc = ShouldCreateGeneralHTTPProvider);
+
+            /**
+             * Check if GeneralHTTPCredentialsProvider was initialized with allowed configuration
+             * @return true if provider configuration is valid
+             */
+            bool IsValid() const
+            {
+                if (!m_ecsCredentialsClient)
+                    return false;
+                if (!m_authTokenFilePath.empty())
+                    return !LoadTokenFromFile().empty();
+                return true;
+            }
+
+            /**
+             * Initializes the provider to retrieve credentials from the ECS metadata service every 5 minutes,
+             * or before it expires.
+             * @param resourcePath A path appended to the metadata service endpoint.
+             * @param refreshRateMs The number of milliseconds after which the credentials will be fetched again.
+             */
+            // TODO: 1.12: AWS_DEPRECATED("This c-tor is deprecated, please use one above.")
+            GeneralHTTPCredentialsProvider(const char* resourcePath, long refreshRateMs = REFRESH_THRESHOLD)
+              : GeneralHTTPCredentialsProvider(resourcePath, "", "", "", refreshRateMs)
+            {}
+
+            /**
+             * Initializes the provider to retrieve credentials from a provided endpoint every 5 minutes or before it
+             * expires.
+             * @param endpoint The full URI to resolve to get credentials.
+             * @param token An optional authorization token passed to the URI via the 'Authorization' HTTP header.
+             * @param refreshRateMs The number of milliseconds after which the credentials will be fetched again.
+             */
+            // TODO: 1.12: AWS_DEPRECATED("This c-tor is deprecated, please use one above.")
+            GeneralHTTPCredentialsProvider(const char* endpoint, const char* token, long refreshRateMs = REFRESH_THRESHOLD)
+              : GeneralHTTPCredentialsProvider("", endpoint, token, "", refreshRateMs)
+            {}
+
+            /**
+             * Initializes the provider to retrieve credentials using the provided client.
+             * @param client The ECSCredentialsClient instance to use when retrieving credentials.
+             * @param refreshRateMs The number of milliseconds after which the credentials will be fetched again.
+             */
+            GeneralHTTPCredentialsProvider(const std::shared_ptr<Aws::Internal::ECSCredentialsClient>& client,
+                    long refreshRateMs = REFRESH_THRESHOLD);
+            /**
+            * Retrieves the credentials if found, otherwise returns empty credential set.
+            */
+            AWSCredentials GetAWSCredentials() override;
+
+            static const char AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE[];
+            static const char AWS_CONTAINER_CREDENTIALS_RELATIVE_URI[];
+            static const char AWS_CONTAINER_CREDENTIALS_FULL_URI[];
+            static const char AWS_CONTAINER_AUTHORIZATION_TOKEN[];
+
+            static const char AWS_ECS_CONTAINER_HOST[];
+            static const char AWS_EKS_CONTAINER_HOST[];
+            static const char AWS_EKS_CONTAINER_HOST_IPV6[];
+
+        protected:
+            void Reload() override;
+
+        private:
+            bool ExpiresSoon() const;
+            void RefreshIfExpired();
+
+            Aws::String LoadTokenFromFile() const;
+
+            std::shared_ptr<Aws::Internal::ECSCredentialsClient> m_ecsCredentialsClient;
+            Aws::String m_authTokenFilePath;
+
+            long m_loadFrequencyMs = REFRESH_THRESHOLD;
+            Aws::Auth::AWSCredentials m_credentials;
+        };
+
+        // GeneralHTTPCredentialsProvider was previously known as TaskRoleCredentialsProvider or "ECS credentials provider"
+        using TaskRoleCredentialsProvider = GeneralHTTPCredentialsProvider;
+    } // namespace Auth
+} // namespace Aws

src/aws-cpp-sdk-core/include/aws/core/internal/AWSHttpResourceClient.h

@@ -189,7 +189,14 @@ namespace Aws
              */
             virtual Aws::String GetECSCredentials() const
             {
-                return GetResource(m_endpoint.c_str(), m_resourcePath.c_str(), m_token.c_str());
+                return GetResource(m_endpoint.c_str(),
+                                   m_resourcePath.c_str(),
+                                   m_token.empty() ? nullptr : m_token.c_str());
+            }
+
+            inline void SetToken(Aws::String token)
+            {
+                m_token = std::move(token);
             }
 
         private:

src/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp

@@ -48,8 +48,6 @@ static const char DEFAULT_CREDENTIALS_FILE[] = "credentials";
 extern const char DEFAULT_CONFIG_FILE[] = "config";
 
 
-static const int AWS_CREDENTIAL_PROVIDER_EXPIRATION_GRACE_PERIOD = 5 * 1000;
-
 void AWSCredentialsProvider::Reload()
 {
     m_lastLoadedMs = DateTime::Now().Millis();
@@ -307,94 +305,6 @@ void InstanceProfileCredentialsProvider::RefreshIfExpired()
     Reload();
 }
 
-static const char TASK_ROLE_LOG_TAG[] = "TaskRoleCredentialsProvider";
-
-TaskRoleCredentialsProvider::TaskRoleCredentialsProvider(const char* URI, long refreshRateMs) :
-    m_ecsCredentialsClient(Aws::MakeShared<Aws::Internal::ECSCredentialsClient>(TASK_ROLE_LOG_TAG, URI)),
-    m_loadFrequencyMs(refreshRateMs)
-{
-    AWS_LOGSTREAM_INFO(TASK_ROLE_LOG_TAG, "Creating TaskRole with default ECSCredentialsClient and refresh rate " << refreshRateMs);
-}
-
-TaskRoleCredentialsProvider::TaskRoleCredentialsProvider(const char* endpoint, const char* token, long refreshRateMs) :
-    m_ecsCredentialsClient(Aws::MakeShared<Aws::Internal::ECSCredentialsClient>(TASK_ROLE_LOG_TAG, ""/*resourcePath*/, endpoint, token)),
-    m_loadFrequencyMs(refreshRateMs)
-{
-    AWS_LOGSTREAM_INFO(TASK_ROLE_LOG_TAG, "Creating TaskRole with default ECSCredentialsClient and refresh rate " << refreshRateMs);
-}
-
-TaskRoleCredentialsProvider::TaskRoleCredentialsProvider(
-        const std::shared_ptr<Aws::Internal::ECSCredentialsClient>& client, long refreshRateMs) :
-    m_ecsCredentialsClient(client),
-    m_loadFrequencyMs(refreshRateMs)
-{
-    AWS_LOGSTREAM_INFO(TASK_ROLE_LOG_TAG, "Creating TaskRole with default ECSCredentialsClient and refresh rate " << refreshRateMs);
-}
-
-AWSCredentials TaskRoleCredentialsProvider::GetAWSCredentials()
-{
-    RefreshIfExpired();
-    ReaderLockGuard guard(m_reloadLock);
-    return m_credentials;
-}
-
-bool TaskRoleCredentialsProvider::ExpiresSoon() const
-{
-    return ((m_credentials.GetExpiration() - Aws::Utils::DateTime::Now()).count() < AWS_CREDENTIAL_PROVIDER_EXPIRATION_GRACE_PERIOD);
-}
-
-void TaskRoleCredentialsProvider::Reload()
-{
-    AWS_LOGSTREAM_INFO(TASK_ROLE_LOG_TAG, "Credentials have expired or will expire, attempting to re-pull from ECS IAM Service.");
-    if (!m_ecsCredentialsClient)
-    {
-        AWS_LOGSTREAM_ERROR(INSTANCE_LOG_TAG, "ECS Credentials client is a nullptr");
-        return;
-    }
-
-    auto credentialsStr = m_ecsCredentialsClient->GetECSCredentials();
-    if (credentialsStr.empty()) return;
-
-    Json::JsonValue credentialsDoc(credentialsStr);
-    if (!credentialsDoc.WasParseSuccessful())
-    {
-        AWS_LOGSTREAM_ERROR(TASK_ROLE_LOG_TAG, "Failed to parse output from ECSCredentialService.");
-        return;
-    }
-
-    Aws::String accessKey, secretKey, token;
-    Utils::Json::JsonView credentialsView(credentialsDoc);
-    accessKey = credentialsView.GetString("AccessKeyId");
-    secretKey = credentialsView.GetString("SecretAccessKey");
-    token = credentialsView.GetString("Token");
-    AWS_LOGSTREAM_DEBUG(TASK_ROLE_LOG_TAG, "Successfully pulled credentials from metadata service with access key " << accessKey);
-
-    m_credentials.SetAWSAccessKeyId(accessKey);
-    m_credentials.SetAWSSecretKey(secretKey);
-    m_credentials.SetSessionToken(token);
-    m_credentials.SetExpiration(Aws::Utils::DateTime(credentialsView.GetString("Expiration"), DateFormat::ISO_8601));
-    AWSCredentialsProvider::Reload();
-}
-
-void TaskRoleCredentialsProvider::RefreshIfExpired()
-{
-    AWS_LOGSTREAM_DEBUG(TASK_ROLE_LOG_TAG, "Checking if latest credential pull has expired.");
-    ReaderLockGuard guard(m_reloadLock);
-    if (!m_credentials.IsEmpty() && !IsTimeToRefresh(m_loadFrequencyMs) && !ExpiresSoon())
-    {
-        return;
-    }
-
-    guard.UpgradeToWriterLock();
-
-    if (!m_credentials.IsEmpty() && !IsTimeToRefresh(m_loadFrequencyMs) && !ExpiresSoon())
-    {
-        return;
-    }
-
-    Reload();
-}
-
 static const char PROCESS_LOG_TAG[] = "ProcessCredentialsProvider";
 ProcessCredentialsProvider::ProcessCredentialsProvider() :
     m_profileToUse(Aws::Auth::GetConfigProfileName())

src/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp

@@ -14,9 +14,6 @@
 using namespace Aws::Auth;
 using namespace Aws::Utils::Threading;
 
-static const char AWS_ECS_CONTAINER_CREDENTIALS_RELATIVE_URI[] = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
-static const char AWS_ECS_CONTAINER_CREDENTIALS_FULL_URI[] = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
-static const char AWS_ECS_CONTAINER_AUTHORIZATION_TOKEN[] = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
 static const char AWS_EC2_METADATA_DISABLED[] = "AWS_EC2_METADATA_DISABLED";
 static const char DefaultCredentialsProviderChainTag[] = "DefaultAWSCredentialsProviderChain";
 
@@ -51,35 +48,35 @@ DefaultAWSCredentialsProviderChain::DefaultAWSCredentialsProviderChain() : AWSCr
     AddProvider(Aws::MakeShared<STSAssumeRoleWebIdentityCredentialsProvider>(DefaultCredentialsProviderChainTag));
     AddProvider(Aws::MakeShared<SSOCredentialsProvider>(DefaultCredentialsProviderChainTag));
 
-    //ECS TaskRole Credentials only available when ENVIRONMENT VARIABLE is set
-    const auto relativeUri = Aws::Environment::GetEnv(AWS_ECS_CONTAINER_CREDENTIALS_RELATIVE_URI);
-    AWS_LOGSTREAM_DEBUG(DefaultCredentialsProviderChainTag, "The environment variable value " << AWS_ECS_CONTAINER_CREDENTIALS_RELATIVE_URI
+    // General HTTP Credentials (prev. known as ECS TaskRole credentials) only available when ENVIRONMENT VARIABLE is set
+    const auto relativeUri = Aws::Environment::GetEnv(GeneralHTTPCredentialsProvider::AWS_CONTAINER_CREDENTIALS_RELATIVE_URI);
+    AWS_LOGSTREAM_DEBUG(DefaultCredentialsProviderChainTag, "The environment variable value " << GeneralHTTPCredentialsProvider::AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
             << " is " << relativeUri);
 
-    const auto absoluteUri = Aws::Environment::GetEnv(AWS_ECS_CONTAINER_CREDENTIALS_FULL_URI);
-    AWS_LOGSTREAM_DEBUG(DefaultCredentialsProviderChainTag, "The environment variable value " << AWS_ECS_CONTAINER_CREDENTIALS_FULL_URI
+    const auto absoluteUri = Aws::Environment::GetEnv(GeneralHTTPCredentialsProvider::AWS_CONTAINER_CREDENTIALS_FULL_URI);
+    AWS_LOGSTREAM_DEBUG(DefaultCredentialsProviderChainTag, "The environment variable value " << GeneralHTTPCredentialsProvider::AWS_CONTAINER_CREDENTIALS_FULL_URI
             << " is " << absoluteUri);
 
     const auto ec2MetadataDisabled = Aws::Environment::GetEnv(AWS_EC2_METADATA_DISABLED);
     AWS_LOGSTREAM_DEBUG(DefaultCredentialsProviderChainTag, "The environment variable value " << AWS_EC2_METADATA_DISABLED
             << " is " << ec2MetadataDisabled);
 
-    if (!relativeUri.empty())
+    if (!relativeUri.empty() || !absoluteUri.empty())
     {
-        AddProvider(Aws::MakeShared<TaskRoleCredentialsProvider>(DefaultCredentialsProviderChainTag, relativeUri.c_str()));
-        AWS_LOGSTREAM_INFO(DefaultCredentialsProviderChainTag, "Added ECS metadata service credentials provider with relative path: ["
-                << relativeUri << "] to the provider chain.");
-    }
-    else if (!absoluteUri.empty())
-    {
-        const auto token = Aws::Environment::GetEnv(AWS_ECS_CONTAINER_AUTHORIZATION_TOKEN);
-        AddProvider(Aws::MakeShared<TaskRoleCredentialsProvider>(DefaultCredentialsProviderChainTag,
-                    absoluteUri.c_str(), token.c_str()));
+        const Aws::String token = Aws::Environment::GetEnv(GeneralHTTPCredentialsProvider::AWS_CONTAINER_AUTHORIZATION_TOKEN);
+        const Aws::String tokenPath = Aws::Environment::GetEnv(GeneralHTTPCredentialsProvider::AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE);
 
-        //DO NOT log the value of the authorization token for security purposes.
-        AWS_LOGSTREAM_INFO(DefaultCredentialsProviderChainTag, "Added ECS credentials provider with URI: ["
-                << absoluteUri << "] to the provider chain with a" << (token.empty() ? "n empty " : " non-empty ")
+        auto genProvider = Aws::MakeShared<GeneralHTTPCredentialsProvider>(DefaultCredentialsProviderChainTag,
+                                                                           relativeUri, absoluteUri, token, tokenPath);
+        if (genProvider && genProvider->IsValid()) {
+            AddProvider(std::move(genProvider));
+            auto& uri = !relativeUri.empty() ? relativeUri : absoluteUri;
+            AWS_LOGSTREAM_INFO(DefaultCredentialsProviderChainTag, "Added General HTTP / ECS credentials provider with ur: ["
+                << uri << "] to the provider chain with a" << ((token.empty() && tokenPath.empty()) ? "n empty " : " non-empty ")
                 << "authorization token.");
+        } else {
+            AWS_LOGSTREAM_ERROR(DefaultCredentialsProviderChainTag, "Unable to create GeneralHTTPCredentialsProvider");
+        }
     }
     else if (Aws::Utils::StringUtils::ToLower(ec2MetadataDisabled.c_str()) != "true")
     {