Code review and self-code review for bearer auth

Author: SergeyRyabinin

aws-cpp-sdk-core-tests/aws/client/AWSClientTest.cpp

@@ -718,7 +718,7 @@ TEST_F(AWSConfigTestSuite, TestClientConfigurationSetsRegionToProfile)
 {
     // create a config file with profile named Dijkstra
     Aws::OFStream configFileNew(m_configFileName.c_str(), Aws::OFStream::out | Aws::OFStream::trunc);
-    configFileNew << "[Dijkstra]" << std::endl;
+    configFileNew << "[profile Dijkstra]" << std::endl;  // profile keyword is mandatory per specification
     configFileNew << "region = " << Aws::Region::US_WEST_2 << std::endl;
 
     configFileNew.flush();

aws-cpp-sdk-core-tests/aws/config/AWSConfigFileProfileConfigLoaderTest.cpp

@@ -221,7 +221,7 @@ TEST(AWSConfigFileProfileConfigLoaderTest, TestConfigWithSSOParsing)
     ASSERT_TRUE(configFile.good());
     static const Aws::String SSO_AWS_PROFILE = "AwsSdkBearerIntegrationTest-profile"; // arbitrary
     Aws::String profileFileName = configFile.GetFileName().find_last_of(R"(/\)") == std::string::npos ?
-                                  configFile.GetFileName() : configFile.GetFileName().substr(configFile.GetFileName().find_last_of(R"(/\)"));
+                                  configFile.GetFileName() : configFile.GetFileName().substr(configFile.GetFileName().find_last_of(R"(/\)") + 1);
     static const Aws::String SSO_SESSION_NAME = profileFileName + "-sso-session"; // arbitrary
     ASSERT_TRUE(WriteConfigFileWithSSO(configFile, SSO_AWS_PROFILE, SSO_SESSION_NAME));
 
@@ -264,7 +264,7 @@ TEST(AWSConfigFileProfileConfigLoaderTest, TestProfileDumping)
     ASSERT_TRUE(configFile.good());
     static const Aws::String SSO_AWS_PROFILE = "AwsSdkBearerIntegrationTest-profile"; // arbitrary
     Aws::String profileFileName = configFile.GetFileName().find_last_of(R"(/\)") == std::string::npos ?
-                                  configFile.GetFileName() : configFile.GetFileName().substr(configFile.GetFileName().find_last_of(R"(/\)"));
+                                  configFile.GetFileName() : configFile.GetFileName().substr(configFile.GetFileName().find_last_of(R"(/\)") + 1);
     static const Aws::String SSO_SESSION_NAME = profileFileName + "-sso-session"; // arbitrary
     ASSERT_TRUE(WriteConfigFileWithSSO(configFile, SSO_AWS_PROFILE, SSO_SESSION_NAME));
 

aws-cpp-sdk-core/CMakeLists.txt

@@ -45,7 +45,7 @@ file(GLOB AWS_HEADERS "include/aws/core/*.h")
 file(GLOB AWS_AUTH_HEADERS "include/aws/core/auth/*.h")
 file(GLOB AWS_AUTH_SIGNER_HEADERS "include/aws/core/auth/signer/*.h")
 file(GLOB AWS_AUTH_SIGNER_PROVIDER_HEADERS "include/aws/core/auth/signer-provider/*.h")
-file(GLOB AWS_AUTH_BEARER_TOKEN_PROVIDER_HEADERS "include/aws/core/auth/bearer-token-provider*.h")
+file(GLOB AWS_AUTH_BEARER_TOKEN_PROVIDER_HEADERS "include/aws/core/auth/bearer-token-provider/*.h")
 file(GLOB AWS_CLIENT_HEADERS "include/aws/core/client/*.h")
 file(GLOB AWS_INTERNAL_HEADERS "include/aws/core/internal/*.h")
 file(GLOB NET_HEADERS "include/aws/core/net/*.h")

aws-cpp-sdk-core/include/aws/core/auth/AWSAuthSignerProvider.h

@@ -8,6 +8,5 @@
 
 #include <aws/core/auth/signer-provider/AWSAuthSignerProviderBase.h>
 #include <aws/core/auth/signer-provider/DefaultAuthSignerProvider.h>
-#include <aws/core/auth/signer-provider/BearerTokenAuthSignerProvider.h>
 
 // This is a header that represents old legacy all-in-one header to maintain backward compatibility

aws-cpp-sdk-core/include/aws/core/auth/AWSBearerToken.h

@@ -48,7 +48,7 @@ namespace Aws
             }
 
             /**
-             * If token has not been initialized or been initialized to emtpy value.
+             * If token has not been initialized or been initialized to empty value.
              * Expiration date does not affect the result of this function.
              */
             inline bool IsEmpty() const { return m_token.empty(); }

aws-cpp-sdk-core/include/aws/core/auth/AWSCredentials.h

@@ -68,7 +68,7 @@ namespace Aws
             }
 
             /**
-             * If credentials haven't been initialized or been initialized to emtpy values.
+             * If credentials haven't been initialized or been initialized to empty values.
              * Expiration date does not affect the result of this function.
              */
             inline bool IsEmpty() const { return m_accessKeyId.empty() && m_secretKey.empty(); }

aws-cpp-sdk-core/include/aws/core/auth/bearer-token-provider/DefaultBearerTokenProviderChain.h

@@ -14,8 +14,8 @@ namespace Aws
 {
     namespace Auth
     {
-        class AWSBearerTokenProvider;
         /**
+         * Default built-in AWSBearerTokenProviderChainBase implementation that includes Aws::Auth::SSOBearerTokenProvider in the chain.
          */
         class AWS_CORE_API DefaultBearerTokenProviderChain : public AWSBearerTokenProviderChainBase
         {
@@ -24,6 +24,7 @@ namespace Aws
             virtual ~DefaultBearerTokenProviderChain() = default;
 
             /**
+             * Return bearer token, implementation of a base class interface
              */
             virtual AWSBearerToken GetAWSBearerToken() override;
 

aws-cpp-sdk-core/include/aws/core/auth/signer-provider/BearerTokenAuthSignerProvider.h

@@ -3,11 +3,9 @@
  * SPDX-License-Identifier: Apache-2.0.
  */
 
-
 #pragma once
 
 #include <aws/core/auth/signer-provider/AWSAuthSignerProviderBase.h>
-
 #include <aws/core/utils/memory/stl/AWSSet.h>
 #include <aws/core/auth/signer/AWSAuthBearerSigner.h>
 

aws-cpp-sdk-core/include/aws/core/auth/signer/AWSAuthBearerSigner.h

@@ -36,7 +36,7 @@ namespace Aws
 
         public:
             /**
-             *
+             * An implementation of a signer interface that uses bearer token auth signature.
              */
             AWSAuthBearerSigner(const std::shared_ptr<Aws::Auth::AWSBearerTokenProviderBase> bearerTokenProvider)
               : m_bearerTokenProvider(bearerTokenProvider)
@@ -45,46 +45,53 @@ namespace Aws
             virtual ~AWSAuthBearerSigner() {};
 
             /**
-             *
+             * Return the signer's name
              */
             const char* GetName() const override
             {
                 return Aws::Auth::BEARER_SIGNER;
             }
 
             /**
-             *
+             * Sign request with a bearer auth token
+             * @return true if success, false if fail to sign
              */
             bool SignRequest(Aws::Http::HttpRequest& ) const override;
 
             /**
-             *
+             * Dummy function to satisfy the interface requirements of a base Signer interface
+             *   additional arguments are not used.
+             * @return true if success, false if fail to sign
              */
             bool SignRequest(Aws::Http::HttpRequest& ioRequest, const char* /*region*/, const char* /*serviceName*/, bool /*signBody*/) const override
             {
                 return SignRequest(ioRequest);
             }
 
-
             /**
-             *
-            */
+             * Dummy function to satisfy the interface requirements of a base Signer interface
+             * @return true if success, false if fail to sign
+             */
             bool PresignRequest(Aws::Http::HttpRequest& ioRequest, long long /*expirationInSeconds = 0*/) const override
             {
                 return SignRequest(ioRequest);
             }
 
             /**
-             *
-            */
+             * Dummy function to satisfy the interface requirements of a base Signer interface
+             *   additional arguments are not used.
+             * @return true if success, false if fail to sign
+             */
             bool PresignRequest(Aws::Http::HttpRequest& ioRequest, const char* /*region*/, long long expirationInSeconds = 0) const override
             {
                 return PresignRequest(ioRequest, expirationInSeconds);
             }
 
             /**
-             *
-            */
+             * Dummy function to satisfy the interface requirements of a base Signer interface
+             *   additional arguments are not used.
+             * @return true if success, false if fail to sign
+             */
             bool PresignRequest(Aws::Http::HttpRequest& ioRequest, const char* /*region*/, const char* /*serviceName*/, long long expirationInSeconds = 0) const override
             {
                 return PresignRequest(ioRequest, expirationInSeconds);

aws-cpp-sdk-core/source/auth/bearer-token-provider/DefaultBearerTokenProviderChain.cpp

@@ -6,13 +6,20 @@
 #include <aws/core/auth/bearer-token-provider/DefaultBearerTokenProviderChain.h>
 #include <aws/core/auth/AWSBearerToken.h>
 #include <aws/core/auth/bearer-token-provider/SSOBearerTokenProvider.h>
+#include <aws/core/utils/logging/LogMacros.h>
+
 
 static const char SSO_DEFAULT_BEARER_TOKEN_PROVIDER_CHAIN_LOG_TAG[] = "SSOBearerTokenProvider";
 
 Aws::Auth::AWSBearerToken Aws::Auth::DefaultBearerTokenProviderChain::GetAWSBearerToken()
 {
     for (auto&& bearerTokenProvider : m_providerChain)
     {
+        if(!bearerTokenProvider) {
+            AWS_LOGSTREAM_FATAL(SSO_DEFAULT_BEARER_TOKEN_PROVIDER_CHAIN_LOG_TAG,
+                                "Unexpected nullptr in DefaultBearerTokenProviderChain::m_providerChain");
+            break;
+        }
         AWSBearerToken bearerToken = bearerTokenProvider->GetAWSBearerToken();
         if(!bearerToken.IsExpiredOrEmpty())
         {
@@ -25,4 +32,4 @@ Aws::Auth::AWSBearerToken Aws::Auth::DefaultBearerTokenProviderChain::GetAWSBear
 Aws::Auth::DefaultBearerTokenProviderChain::DefaultBearerTokenProviderChain()
 {
     AddProvider(Aws::MakeShared<Aws::Auth::SSOBearerTokenProvider>(SSO_DEFAULT_BEARER_TOKEN_PROVIDER_CHAIN_LOG_TAG));
-}
+}

aws-cpp-sdk-core/source/auth/bearer-token-provider/SSOBearerTokenProvider.cpp

@@ -64,7 +64,7 @@ AWSBearerToken SSOBearerTokenProvider::GetAWSBearerToken()
         /* If a loaded token has expired and has insufficient metadata to perform a refresh the SSO token
          provider must raise an exception that the token has expired and cannot be refreshed.
          Error logging and returning an empty object instead because of disabled exceptions and poor legacy API design. */
-        AWS_LOGSTREAM_ERROR(SSO_BEARER_TOKEN_PROVIDER_LOG_TAG, "SSOBearerTokenProvider is unable to provide a token!");
+        AWS_LOGSTREAM_ERROR(SSO_BEARER_TOKEN_PROVIDER_LOG_TAG, "SSOBearerTokenProvider is unable to provide a token");
         return Aws::Auth::AWSBearerToken("", Aws::Utils::DateTime(0.0));
     }
     return m_token;
@@ -109,6 +109,10 @@ void SSOBearerTokenProvider::RefreshFromSso()
     ssoCreateTokenRequest.grantType = SSO_GRANT_TYPE;
     ssoCreateTokenRequest.refreshToken = cachedSsoToken.refreshToken;
 
+    if(!m_client) {
+        AWS_LOGSTREAM_FATAL(SSO_BEARER_TOKEN_PROVIDER_LOG_TAG, "Unexpected nullptr in SSOBearerTokenProvider::m_client");
+        return;
+    }
     Aws::Internal::SSOCredentialsClient::SSOCreateTokenResult result = m_client->CreateToken(ssoCreateTokenRequest);
     if(!result.accessToken.empty())
     {
@@ -136,7 +140,7 @@ SSOBearerTokenProvider::CachedSsoToken SSOBearerTokenProvider::LoadAccessTokenFi
 
     const Aws::Config::Profile& profile = Aws::Config::GetCachedConfigProfile(m_profileToUse);
     if(!profile.IsSsoSessionSet()) {
-        AWS_LOGSTREAM_ERROR(SSO_BEARER_TOKEN_PROVIDER_LOG_TAG, "SSOBearerTokenProvider set to use a profile " << m_profileToUse << " without a sso_session. Unable to load cached token");
+        AWS_LOGSTREAM_ERROR(SSO_BEARER_TOKEN_PROVIDER_LOG_TAG, "SSOBearerTokenProvider set to use a profile " << m_profileToUse << " without a sso_session. Unable to load cached token.");
         return retValue;
     }
 
@@ -183,7 +187,8 @@ bool SSOBearerTokenProvider::WriteAccessTokenFile(const CachedSsoToken& token) c
 {
     const Aws::Config::Profile& profile = Aws::Config::GetCachedConfigProfile(m_profileToUse);
     if(!profile.IsSsoSessionSet()) {
-        AWS_LOGSTREAM_ERROR(SSO_BEARER_TOKEN_PROVIDER_LOG_TAG, "SSOBearerTokenProvider set to use a profile " << m_profileToUse << " without a sso_session. Unable to write cached token");
+        AWS_LOGSTREAM_ERROR(SSO_BEARER_TOKEN_PROVIDER_LOG_TAG, "SSOBearerTokenProvider set to use a profile "
+                        << m_profileToUse << " without a sso_session. Unable to write a cached token.");
         return false;
     }
 

aws-cpp-sdk-core/source/auth/signer-provider/BearerTokenAuthSignerProvider.cpp

@@ -11,35 +11,30 @@
 #include <aws/core/auth/AWSCredentialsProvider.h>
 #include <aws/core/utils/memory/stl/AWSAllocator.h>
 
-const char BTASP_ALLOC_TAG[] = "BearerTokenAuthSignerProvider";
+const char BEARER_TOKEN_AUTH_SIGNER_PROVIDER_ALLOC_TAG[] = "BearerTokenAuthSignerProvider";
 
 using namespace Aws::Auth;
 
 BearerTokenAuthSignerProvider::BearerTokenAuthSignerProvider(const std::shared_ptr<Aws::Auth::AWSBearerTokenProviderBase> bearerTokenProvider)
 {
-    m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSAuthBearerSigner>(BTASP_ALLOC_TAG, bearerTokenProvider));
-    m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSNullSigner>(BTASP_ALLOC_TAG));
+    m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSAuthBearerSigner>(BEARER_TOKEN_AUTH_SIGNER_PROVIDER_ALLOC_TAG, bearerTokenProvider));
+    m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSNullSigner>(BEARER_TOKEN_AUTH_SIGNER_PROVIDER_ALLOC_TAG));
 }
 
-//BearerTokenAuthSignerProvider::BearerTokenAuthSignerProvider(const std::shared_ptr<Aws::Client::AWSAuthSigner>& signer)
-//{
-//    m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSNullSigner>(CLASS_TAG));
-//    if(signer)
-//    {
-//        m_signers.emplace_back(signer);
-//    }
-//}
-
 std::shared_ptr<Aws::Client::AWSAuthSigner> BearerTokenAuthSignerProvider::GetSigner(const Aws::String& signerName) const
 {
     for(const auto& signer : m_signers)
     {
+        if(!signer) {
+            AWS_LOGSTREAM_FATAL(BEARER_TOKEN_AUTH_SIGNER_PROVIDER_ALLOC_TAG, "Unexpected nullptr in BearerTokenAuthSignerProvider::m_signers");
+            break;
+        }
         if(signer->GetName() == signerName)
         {
             return signer;
         }
     }
-    AWS_LOGSTREAM_ERROR(BTASP_ALLOC_TAG, "Request's signer: '" << signerName << "' is not found in the signer's map.");
+    AWS_LOGSTREAM_ERROR(BEARER_TOKEN_AUTH_SIGNER_PROVIDER_ALLOC_TAG, "Request's signer: '" << signerName << "' is not found in the signer's map.");
     assert(false);
     return nullptr;
 }

aws-cpp-sdk-core/source/auth/signer/AWSAuthBearerSigner.cpp

@@ -33,7 +33,7 @@ namespace Aws
             }
             if(!m_bearerTokenProvider)
             {
-                AWS_LOGSTREAM_ERROR(LOGGING_TAG, "Unexpected nullptr AWSAuthBearerSigner::m_bearerTokenProvider");
+                AWS_LOGSTREAM_FATAL(LOGGING_TAG, "Unexpected nullptr AWSAuthBearerSigner::m_bearerTokenProvider");
                 return false;
             }
             const Aws::Auth::AWSBearerToken& token = m_bearerTokenProvider->GetAWSBearerToken();

aws-cpp-sdk-core/source/config/AWSConfigFileProfileConfigLoader.cpp

@@ -347,7 +347,7 @@ namespace Aws
                 } while(0); // end of goto in a form of "do { break; } while(0);"
 
                 ioSectionName.erase();
-                ioState = FAILURE;
+                ioState = UNKNOWN_SECTION_FOUND;
                 return;
             }
 

aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp

@@ -616,12 +616,13 @@ namespace Aws
         // An internal SSO CreateToken implementation to lightweight core package and not introduce a dependency on sso-oidc
         SSOCredentialsClient::SSOCreateTokenResult SSOCredentialsClient::CreateToken(const SSOCreateTokenRequest& request)
         {
-            Aws::StringStream ssUri;
-            ssUri << m_endpoint << SSO_GET_ROLE_RESOURCE;
-
             std::shared_ptr<HttpRequest> httpRequest(CreateHttpRequest(m_endpoint, HttpMethod::HTTP_GET,
                                                                        Aws::Utils::Stream::DefaultResponseStreamFactoryMethod));
-
+            SSOCreateTokenResult result;
+            if(!httpRequest) {
+                AWS_LOGSTREAM_FATAL(SSO_RESOURCE_CLIENT_LOG_TAG, "Failed to CreateHttpRequest: nullptr returned");
+                return result;
+            }
             httpRequest->SetUserAgent(ComputeUserAgentString());
 
             Json::JsonValue requestDoc;
@@ -639,6 +640,10 @@ namespace Aws
             }
 
             std::shared_ptr<Aws::IOStream> body = Aws::MakeShared<Aws::StringStream>("SSO_BEARER_TOKEN_CREATE_TOKEN");
+            if(!body) {
+                AWS_LOGSTREAM_FATAL(SSO_RESOURCE_CLIENT_LOG_TAG, "Failed to allocate body");  // exceptions disabled
+                return result;
+            }
             *body << requestDoc.View().WriteReadable();;
 
             httpRequest->AddContentBody(body);
@@ -653,7 +658,7 @@ namespace Aws
             Aws::String rawReply = GetResourceWithAWSWebServiceResult(httpRequest).GetPayload();
             Json::JsonValue refreshTokenDoc(rawReply);
             Utils::Json::JsonView jsonValue = refreshTokenDoc.View();
-            SSOCreateTokenResult result;
+
             if(jsonValue.ValueExists("accessToken")) {
                 result.accessToken = jsonValue.GetString("accessToken");
             }
@@ -664,10 +669,10 @@ namespace Aws
                 result.expiresIn = jsonValue.GetInteger("expiresIn");
             }
             if(jsonValue.ValueExists("idToken")) {
-                result.idToken = jsonValue.GetInteger("idToken");
+                result.idToken = jsonValue.GetString("idToken");
             }
             if(jsonValue.ValueExists("refreshToken")) {
-                result.refreshToken = jsonValue.GetInteger("refreshToken");
+                result.refreshToken = jsonValue.GetString("refreshToken");
             }
 
             return result;