Bearer token auth

Author: SergeyRyabinin

aws-cpp-sdk-core-tests/aws/config/AWSProfileConfigLoaderTest.cpp renamed to aws-cpp-sdk-core-tests/aws/config/AWSConfigFileProfileConfigLoaderTest.cpp

@@ -6,7 +6,6 @@
 #include <aws/core/config/AWSProfileConfigLoader.h>
 #include <aws/core/utils/FileSystemUtils.h>
 #include <aws/core/utils/memory/stl/AWSStreamFwd.h>
-#include <aws/testing/mocks/aws/auth/MockAWSHttpResourceClient.h>
 #include <fstream>
 
 using namespace Aws::Utils;
@@ -167,44 +166,137 @@ TEST(AWSConfigFileProfileConfigLoaderTest, TestCredentialsFileCorrupted)
     ASSERT_EQ(0u, loader.GetProfiles().size());
 }
 
-static const char* const ALLOCATION_TAG = "EC2InstanceProfileConfigLoaderTest";
+bool WriteConfigFileWithSSO(Aws::OStream& stream, const Aws::String& profileName, const Aws::String& ssoSessionName) {
+    const Aws::String configFileContent =
+            R"([ default]
+  aws_access_key_id = ACCESS_KEY_0
+aws_secret_access_key = SECRET_KEY_0
 
-TEST(EC2InstanceProfileConfigLoaderTest, TestSuccesfullyHitsService)
+
+[profile custom-profile    ]
+aws_access_key_id = ACCESS_KEY_1
+aws_secret_access_key = SECRET_KEY_1
+[profile )" + profileName + R"(]
+sso_session = )" + ssoSessionName + R"(
+
+[sso-session )" + ssoSessionName + R"(]
+sso_region = us-east-1
+sso_start_url = https://d-abc123.awsapps.com/start)";
+
+    stream << configFileContent;
+    stream.flush();
+
+    return stream.good();
+}
+
+TEST(AWSConfigFileProfileConfigLoaderTest, TestConfigWithSSOParsing)
 {
-    std::shared_ptr<MockEC2MetadataClient> mockClient = Aws::MakeShared<MockEC2MetadataClient>(ALLOCATION_TAG);
-    mockClient->SetCurrentRegionValue("us-east-1");
-    mockClient->SetMockedCredentialsValue("{ \"AccessKeyId\": \"goodAccessKey\", \"SecretAccessKey\": \"goodSecretKey\", \"Token\": \"goodToken\" }");
+    TempFile configFile(std::ios_base::out | std::ios_base::trunc);
 
-    EC2InstanceProfileConfigLoader loader(mockClient);
+    ASSERT_TRUE(configFile.good());
+    static const Aws::String SSO_AWS_PROFILE = "AwsSdkBearerIntegrationTest-profile"; // arbitrary
+    Aws::String profileFileName = configFile.GetFileName().find_last_of(R"(/\)") == std::string::npos ?
+                                  configFile.GetFileName() : configFile.GetFileName().substr(configFile.GetFileName().find_last_of(R"(/\)"));
+    static const Aws::String SSO_SESSION_NAME = profileFileName + "-sso-session"; // arbitrary
+    ASSERT_TRUE(WriteConfigFileWithSSO(configFile, SSO_AWS_PROFILE, SSO_SESSION_NAME));
+
+    AWSConfigFileProfileConfigLoader loader(configFile.GetFileName());
     ASSERT_TRUE(loader.Load());
-    ASSERT_EQ(1u, loader.GetProfiles().size());
     auto profiles = loader.GetProfiles();
-    ASSERT_NE(profiles.end(), profiles.find(Aws::Config::INSTANCE_PROFILE_KEY));
-    auto creds = profiles[Aws::Config::INSTANCE_PROFILE_KEY].GetCredentials();
-    ASSERT_STREQ("goodAccessKey", creds.GetAWSAccessKeyId().c_str());
-    ASSERT_STREQ("goodSecretKey", creds.GetAWSSecretKey().c_str());
-    ASSERT_STREQ("goodToken", creds.GetSessionToken().c_str());
-    ASSERT_STREQ("us-east-1", profiles[Aws::Config::INSTANCE_PROFILE_KEY].GetRegion().c_str());
+
+    ASSERT_EQ(3u, profiles.size());
+    ASSERT_NE(profiles.end(), profiles.find("default"));
+    ASSERT_NE(profiles.end(), profiles.find("custom-profile"));
+    ASSERT_NE(profiles.end(), profiles.find(SSO_AWS_PROFILE));
+
+    const auto ssoProfile = profiles.at(SSO_AWS_PROFILE);
+    ASSERT_EQ(SSO_AWS_PROFILE, ssoProfile.GetName());
+    ASSERT_TRUE(ssoProfile.GetRegion().empty());
+    ASSERT_TRUE(ssoProfile.GetCredentials().GetAWSSecretKey().empty() &&
+                ssoProfile.GetCredentials().GetAWSAccessKeyId().empty() &&
+                ssoProfile.GetCredentials().GetSessionToken().empty());
+    ASSERT_TRUE(ssoProfile.GetSourceProfile().empty());
+    ASSERT_TRUE(ssoProfile.GetCredentialProcess().empty());
+
+    // Important: sso_session pointing to a sso-session section is a different entity than sso_* properties under [profile] section
+    ASSERT_TRUE(ssoProfile.GetSsoStartUrl().empty() &&
+                ssoProfile.GetSsoRegion().empty() &&
+                ssoProfile.GetSsoAccountId().empty() &&
+                ssoProfile.GetSsoRoleName().empty());
+
+    ASSERT_TRUE(ssoProfile.GetDefaultsMode().empty());
+
+    // here is [sso-session] section name that is linked by [profile] by a property "sso_session=<SSO_SESSION_NAME>" under [profile]
+    ASSERT_EQ(SSO_SESSION_NAME, ssoProfile.GetSsoSession().GetName());
+    ASSERT_EQ("us-east-1", ssoProfile.GetSsoSession().GetSsoRegion());
+    ASSERT_EQ("https://d-abc123.awsapps.com/start", ssoProfile.GetSsoSession().GetSsoStartUrl());
 }
 
-TEST(EC2InstanceProfileConfigLoaderTest, TestFailsToHitService)
+TEST(AWSConfigFileProfileConfigLoaderTest, TestProfileDumping)
 {
-    std::shared_ptr<MockEC2MetadataClient> mockClient = Aws::MakeShared<MockEC2MetadataClient>(ALLOCATION_TAG);
-    mockClient->SetCurrentRegionValue("");
-    mockClient->SetMockedCredentialsValue("");
+    TempFile configFile(std::ios_base::out | std::ios_base::trunc);
 
-    EC2InstanceProfileConfigLoader loader(mockClient);
-    ASSERT_FALSE(loader.Load());
-    ASSERT_EQ(0u, loader.GetProfiles().size());
-}
+    ASSERT_TRUE(configFile.good());
+    static const Aws::String SSO_AWS_PROFILE = "AwsSdkBearerIntegrationTest-profile"; // arbitrary
+    Aws::String profileFileName = configFile.GetFileName().find_last_of(R"(/\)") == std::string::npos ?
+                                  configFile.GetFileName() : configFile.GetFileName().substr(configFile.GetFileName().find_last_of(R"(/\)"));
+    static const Aws::String SSO_SESSION_NAME = profileFileName + "-sso-session"; // arbitrary
+    ASSERT_TRUE(WriteConfigFileWithSSO(configFile, SSO_AWS_PROFILE, SSO_SESSION_NAME));
+
+    class TEST_HELPER_AWSConfigFileProfileConfigLoader : public AWSConfigFileProfileConfigLoader
+    {
+    public:
+        TEST_HELPER_AWSConfigFileProfileConfigLoader(const Aws::String& fileName)
+            : AWSConfigFileProfileConfigLoader(fileName, /*useProfilePrefix*/true)
+        {}
+
+        bool Public_PersistInternal(const Aws::Map<Aws::String, Aws::Config::Profile>& profiles)
+        {
+            return this->PersistInternal(profiles);
+        }
+    };
+
+    // Parse static test profile config
+    AWSConfigFileProfileConfigLoader loader(configFile.GetFileName());
+    ASSERT_TRUE(loader.Load());
+    auto initiallyReadProfiles = loader.GetProfiles();
 
-TEST(EC2InstanceProfileConfigLoaderTest, TestBadJsonInResponse)
-{
-    std::shared_ptr<MockEC2MetadataClient> mockClient = Aws::MakeShared<MockEC2MetadataClient>(ALLOCATION_TAG);
-    mockClient->SetCurrentRegionValue("us-east-1");
-    mockClient->SetMockedCredentialsValue("{ \"AccessKeyId\": \"goodAccessKey\",");
+    // Dump parsed test profile config
+    TempFile dumpedConfigFile(std::ios_base::out | std::ios_base::trunc);
+    ASSERT_TRUE(dumpedConfigFile.good());
+    TEST_HELPER_AWSConfigFileProfileConfigLoader dumper(dumpedConfigFile.GetFileName());
+    dumper.Public_PersistInternal(initiallyReadProfiles);
 
-    EC2InstanceProfileConfigLoader loader(mockClient);
-    ASSERT_FALSE(loader.Load());
-    ASSERT_EQ(0u, loader.GetProfiles().size());
+    // Parse dumped test profile config
+    AWSConfigFileProfileConfigLoader loaderOfDumped(dumpedConfigFile.GetFileName());
+    ASSERT_TRUE(loaderOfDumped.Load());
+    auto profiles = loaderOfDumped.GetProfiles();
+
+    // Repeat validation from a previous test
+    ASSERT_EQ(3u, profiles.size());
+    ASSERT_NE(profiles.end(), profiles.find("default"));
+    ASSERT_NE(profiles.end(), profiles.find("custom-profile"));
+    ASSERT_NE(profiles.end(), profiles.find(SSO_AWS_PROFILE));
+
+    const auto ssoProfile = profiles.at(SSO_AWS_PROFILE);
+    ASSERT_EQ(SSO_AWS_PROFILE, ssoProfile.GetName());
+    ASSERT_TRUE(ssoProfile.GetRegion().empty());
+    ASSERT_TRUE(ssoProfile.GetCredentials().GetAWSSecretKey().empty() &&
+                ssoProfile.GetCredentials().GetAWSAccessKeyId().empty() &&
+                ssoProfile.GetCredentials().GetSessionToken().empty());
+    ASSERT_TRUE(ssoProfile.GetSourceProfile().empty());
+    ASSERT_TRUE(ssoProfile.GetCredentialProcess().empty());
+
+    // Important: sso_session pointing to a sso-session section is a different entity than sso_* properties under [profile] section
+    ASSERT_TRUE(ssoProfile.GetSsoStartUrl().empty() &&
+                ssoProfile.GetSsoRegion().empty() &&
+                ssoProfile.GetSsoAccountId().empty() &&
+                ssoProfile.GetSsoRoleName().empty());
+
+    ASSERT_TRUE(ssoProfile.GetDefaultsMode().empty());
+
+    // here is [sso-session] section name that is linked by [profile] by a property "sso_session=<SSO_SESSION_NAME>" under [profile]
+    ASSERT_EQ(SSO_SESSION_NAME, ssoProfile.GetSsoSession().GetName());
+    ASSERT_EQ("us-east-1", ssoProfile.GetSsoSession().GetSsoRegion());
+    ASSERT_EQ("https://d-abc123.awsapps.com/start", ssoProfile.GetSsoSession().GetSsoStartUrl());
 }

aws-cpp-sdk-core-tests/aws/config/EC2InstanceProfileConfigLoaderTest.cpp

@@ -0,0 +1,53 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#include <gtest/gtest.h>
+#include <aws/core/config/AWSProfileConfigLoader.h>
+#include <aws/testing/mocks/aws/auth/MockAWSHttpResourceClient.h>
+#include <fstream>
+
+using namespace Aws::Utils;
+using namespace Aws::Config;
+
+static const char* const ALLOCATION_TAG = "EC2InstanceProfileConfigLoaderTest";
+
+TEST(EC2InstanceProfileConfigLoaderTest, TestSuccesfullyHitsService)
+{
+    std::shared_ptr<MockEC2MetadataClient> mockClient = Aws::MakeShared<MockEC2MetadataClient>(ALLOCATION_TAG);
+    mockClient->SetCurrentRegionValue("us-east-1");
+    mockClient->SetMockedCredentialsValue("{ \"AccessKeyId\": \"goodAccessKey\", \"SecretAccessKey\": \"goodSecretKey\", \"Token\": \"goodToken\" }");
+
+    EC2InstanceProfileConfigLoader loader(mockClient);
+    ASSERT_TRUE(loader.Load());
+    ASSERT_EQ(1u, loader.GetProfiles().size());
+    auto profiles = loader.GetProfiles();
+    ASSERT_NE(profiles.end(), profiles.find(Aws::Config::INSTANCE_PROFILE_KEY));
+    auto creds = profiles[Aws::Config::INSTANCE_PROFILE_KEY].GetCredentials();
+    ASSERT_STREQ("goodAccessKey", creds.GetAWSAccessKeyId().c_str());
+    ASSERT_STREQ("goodSecretKey", creds.GetAWSSecretKey().c_str());
+    ASSERT_STREQ("goodToken", creds.GetSessionToken().c_str());
+    ASSERT_STREQ("us-east-1", profiles[Aws::Config::INSTANCE_PROFILE_KEY].GetRegion().c_str());
+}
+
+TEST(EC2InstanceProfileConfigLoaderTest, TestFailsToHitService)
+{
+    std::shared_ptr<MockEC2MetadataClient> mockClient = Aws::MakeShared<MockEC2MetadataClient>(ALLOCATION_TAG);
+    mockClient->SetCurrentRegionValue("");
+    mockClient->SetMockedCredentialsValue("");
+
+    EC2InstanceProfileConfigLoader loader(mockClient);
+    ASSERT_FALSE(loader.Load());
+    ASSERT_EQ(0u, loader.GetProfiles().size());
+}
+
+TEST(EC2InstanceProfileConfigLoaderTest, TestBadJsonInResponse)
+{
+    std::shared_ptr<MockEC2MetadataClient> mockClient = Aws::MakeShared<MockEC2MetadataClient>(ALLOCATION_TAG);
+    mockClient->SetCurrentRegionValue("us-east-1");
+    mockClient->SetMockedCredentialsValue("{ \"AccessKeyId\": \"goodAccessKey\",");
+
+    EC2InstanceProfileConfigLoader loader(mockClient);
+    ASSERT_FALSE(loader.Load());
+    ASSERT_EQ(0u, loader.GetProfiles().size());
+}

aws-cpp-sdk-core/CMakeLists.txt

@@ -45,6 +45,7 @@ file(GLOB AWS_HEADERS "include/aws/core/*.h")
 file(GLOB AWS_AUTH_HEADERS "include/aws/core/auth/*.h")
 file(GLOB AWS_AUTH_SIGNER_HEADERS "include/aws/core/auth/signer/*.h")
 file(GLOB AWS_AUTH_SIGNER_PROVIDER_HEADERS "include/aws/core/auth/signer-provider/*.h")
+file(GLOB AWS_AUTH_BEARER_TOKEN_PROVIDER_HEADERS "include/aws/core/auth/bearer-token-provider*.h")
 file(GLOB AWS_CLIENT_HEADERS "include/aws/core/client/*.h")
 file(GLOB AWS_INTERNAL_HEADERS "include/aws/core/internal/*.h")
 file(GLOB NET_HEADERS "include/aws/core/net/*.h")
@@ -75,6 +76,7 @@ file(GLOB CJSON_SOURCE "${CMAKE_CURRENT_SOURCE_DIR}/source/external/cjson/*.cpp"
 file(GLOB AWS_AUTH_SOURCE "${CMAKE_CURRENT_SOURCE_DIR}/source/auth/*.cpp")
 file(GLOB AWS_AUTH_SIGNER_SOURCE "${CMAKE_CURRENT_SOURCE_DIR}/source/auth/signer/*.cpp")
 file(GLOB AWS_AUTH_SIGNER_PROVIDER_SOURCE "${CMAKE_CURRENT_SOURCE_DIR}/source/auth/signer-provider/*.cpp")
+file(GLOB AWS_AUTH_BEARER_TOKEN_PROVIDER_SOURCE "${CMAKE_CURRENT_SOURCE_DIR}/source/auth/bearer-token-provider/*.cpp")
 file(GLOB AWS_CLIENT_SOURCE "${CMAKE_CURRENT_SOURCE_DIR}/source/client/*.cpp")
 file(GLOB AWS_INTERNAL_SOURCE "${CMAKE_CURRENT_SOURCE_DIR}/source/internal/*.cpp")
 file(GLOB AWS_MODEL_SOURCE "${CMAKE_CURRENT_SOURCE_DIR}/source/aws/model/*.cpp")
@@ -219,6 +221,7 @@ file(GLOB AWS_NATIVE_SDK_COMMON_SRC
     ${AWS_AUTH_SOURCE}
     ${AWS_AUTH_SIGNER_SOURCE}
     ${AWS_AUTH_SIGNER_PROVIDER_SOURCE}
+    ${AWS_AUTH_BEARER_TOKEN_PROVIDER_SOURCE}
     ${AWS_CLIENT_SOURCE}
     ${HTTP_STANDARD_SOURCE}
     ${HTTP_CLIENT_SOURCE}
@@ -241,6 +244,7 @@ file(GLOB AWS_NATIVE_SDK_COMMON_HEADERS
   ${AWS_AUTH_HEADERS}
   ${AWS_AUTH_SIGNER_HEADERS}
   ${AWS_AUTH_SIGNER_PROVIDER_HEADERS}
+  ${AWS_AUTH_BEARER_TOKEN_PROVIDER_HEADERS}
   ${AWS_CLIENT_HEADERS}
   ${AWS_INTERNAL_HEADERS}
   ${NET_HEADERS}
@@ -355,6 +359,7 @@ if(MSVC)
     source_group("Header Files\\aws\\core\\auth" FILES ${AWS_AUTH_HEADERS})
     source_group("Header Files\\aws\\core\\auth\\signer" FILES ${AWS_AUTH_SIGNER_HEADERS})
     source_group("Header Files\\aws\\core\\auth\\signer-provider" FILES ${AWS_AUTH_SIGNER_PROVIDER_HEADERS})
+    source_group("Header Files\\aws\\core\\auth\\bearer-token-provider" FILES ${AWS_AUTH_BEARER_TOKEN_PROVIDER_HEADERS})
     source_group("Header Files\\aws\\core\\client" FILES ${AWS_CLIENT_HEADERS})
     source_group("Header Files\\aws\\core\\internal" FILES ${AWS_INTERNAL_HEADERS})
     source_group("Header Files\\aws\\core\\net" FILES ${NET_HEADERS})
@@ -402,6 +407,7 @@ if(MSVC)
     source_group("Source Files\\auth" FILES ${AWS_AUTH_SOURCE})
     source_group("Source Files\\auth\\signer" FILES ${AWS_AUTH_SIGNER_SOURCE})
     source_group("Source Files\\auth\\signer-provider" FILES ${AWS_AUTH_SIGNER_PROVIDER_SOURCE})
+    source_group("Source Files\\auth\\bearer-token-provider" FILES ${AWS_AUTH_BEARER_TOKEN_PROVIDER_SOURCE})
     source_group("Source Files\\client" FILES ${AWS_CLIENT_SOURCE})
     source_group("Source Files\\internal" FILES ${AWS_INTERNAL_SOURCE})
     source_group("Source Files\\net\\windows" FILES ${NET_SOURCE})
@@ -571,6 +577,7 @@ install (FILES ${AWS_HEADERS} DESTINATION ${INCLUDE_DIRECTORY}/aws/core)
 install (FILES ${AWS_AUTH_HEADERS} DESTINATION ${INCLUDE_DIRECTORY}/aws/core/auth)
 install (FILES ${AWS_AUTH_SIGNER_HEADERS} DESTINATION ${INCLUDE_DIRECTORY}/aws/core/auth/signer)
 install (FILES ${AWS_AUTH_SIGNER_PROVIDER_HEADERS} DESTINATION ${INCLUDE_DIRECTORY}/aws/core/auth/signer-provider)
+install (FILES ${AWS_AUTH_BEARER_TOKEN_PROVIDER_HEADERS} DESTINATION ${INCLUDE_DIRECTORY}/aws/core/auth/bearer-token-provider)
 install (FILES ${AWS_CLIENT_HEADERS} DESTINATION ${INCLUDE_DIRECTORY}/aws/core/client)
 install (FILES ${AWS_INTERNAL_HEADERS} DESTINATION ${INCLUDE_DIRECTORY}/aws/core/internal)
 install (FILES ${NET_HEADERS} DESTINATION ${INCLUDE_DIRECTORY}/aws/core/net)

aws-cpp-sdk-core/include/aws/core/auth/AWSAuthSignerProvider.h

@@ -8,5 +8,6 @@
 
 #include <aws/core/auth/signer-provider/AWSAuthSignerProviderBase.h>
 #include <aws/core/auth/signer-provider/DefaultAuthSignerProvider.h>
+#include <aws/core/auth/signer-provider/BearerTokenAuthSignerProvider.h>
 
 // This is a header that represents old legacy all-in-one header to maintain backward compatibility