profile credential provider binding (#214)

- Profile credential provider
- Process credential provider
- Environment credential provider
- Chain credential provider

Co-authored-by: Dengke Tang <dengket@amazon.com>
Co-authored-by: Michael Graeb <graebm@amazon.com>

Author: TingDaoK

awscrt/auth.py

@@ -117,6 +117,9 @@ def new_default_chain(cls, client_bootstrap):
         3.  (conditional, off by default) ECS
         4.  (conditional, on by default) EC2 Instance Metadata
 
+        Args:
+            client_bootstrap (ClientBootstrap): Client bootstrap to use when initiating socket connection.
+
         Returns:
             AwsCredentialsProvider:
         """
@@ -130,6 +133,11 @@ def new_static(cls, access_key_id, secret_access_key, session_token=None):
         """
         Create a simple provider that just returns a fixed set of credentials.
 
+        Args:
+            access_key_id (str): Access key ID
+            secret_access_key (str): Secret access key
+            session_token (Optional[str]): Optional session token
+
         Returns:
             AwsCredentialsProvider:
         """
@@ -140,6 +148,113 @@ def new_static(cls, access_key_id, secret_access_key, session_token=None):
         binding = _awscrt.credentials_provider_new_static(access_key_id, secret_access_key, session_token)
         return cls(binding)
 
+    @classmethod
+    def new_profile(
+            cls,
+            client_bootstrap,
+            profile_name=None,
+            config_filepath=None,
+            credentials_filepath=None):
+        """
+        Creates a provider that sources credentials from key-value profiles
+        loaded from the aws credentials file.
+
+        Args:
+            client_bootstrap: Client bootstrap to use when initiating socket connection.
+
+            profile_name (Optional[str]): Name of profile to use.
+                If not set, uses value from AWS_PROFILE environment variable.
+                If that is not set, uses value of "default"
+
+            config_filepath (Optional[str]): Path to profile config file.
+                If not set, uses value from AWS_CONFIG_FILE environment variable.
+                If that is not set, uses value of "~/.aws/config"
+
+            credentials_filepath (Optional[str]): Path to profile credentials file.
+                If not set, uses value from AWS_SHARED_CREDENTIALS_FILE environment variable.
+                If that is not set, uses value of "~/.aws/credentials"
+
+        Returns:
+            AwsCredentialsProvider:
+        """
+        assert isinstance(client_bootstrap, ClientBootstrap)
+        assert isinstance(profile_name, str) or profile_name is None
+        assert isinstance(config_filepath, str) or config_filepath is None
+        assert isinstance(credentials_filepath, str) or credentials_filepath is None
+
+        binding = _awscrt.credentials_provider_new_profile(
+            client_bootstrap, profile_name, config_filepath, credentials_filepath)
+        return cls(binding)
+
+    @classmethod
+    def new_process(cls, profile_to_use=None):
+        """
+        Creates a provider that sources credentials from running an external command or process.
+
+        The command to run is sourced from a profile in the AWS config file, using the standard
+        profile selection rules. The profile key the command is read from is "credential_process."
+        E.g.:
+         [default]
+         credential_process=/opt/amazon/bin/my-credential-fetcher --argsA=abc
+        On successfully running the command, the output should be a json data with the following
+        format:
+        {
+           "Version": 1,
+           "AccessKeyId": "accesskey",
+           "SecretAccessKey": "secretAccessKey"
+           "SessionToken": "....",
+           "Expiration": "2019-05-29T00:21:43Z"
+        }
+        Version here identifies the command output format version.
+        This provider is not part of the default provider chain.
+
+        Args:
+            profile_to_use (Optional[str]): Name of profile in which to look for credential_process.
+                If not set, uses value from AWS_PROFILE environment variable.
+                If that is not set, uses value of "default"
+
+        Returns:
+            AwsCredentialsProvider:
+        """
+
+        binding = _awscrt.credentials_provider_new_process(profile_to_use)
+        return cls(binding)
+
+    @classmethod
+    def new_environment(cls):
+        """
+        Creates a provider that returns credentials sourced from environment variables.
+
+        * AWS_ACCESS_KEY_ID
+        * AWS_SECRET_ACCESS_KEY
+        * AWS_SESSION_TOKEN
+
+        Returns:
+            AwsCredentialsProvider:
+        """
+
+        binding = _awscrt.credentials_provider_new_environment()
+        return cls(binding)
+
+    @classmethod
+    def new_chain(cls, providers):
+        """
+        Creates a provider that sources credentials from an ordered sequence of providers.
+
+        This provider uses the first set of credentials successfully queried.
+        Providers are queried one at a time; a provider is not queried until the
+        preceding provider has failed to source credentials.
+
+        Args:
+            providers (List[AwsCredentialsProvider]): List of credentials providers.
+
+        Returns:
+            AwsCredentialsProvider:
+        """
+
+        binding = _awscrt.credentials_provider_new_chain(providers)
+        return cls(binding)
+
     def get_credentials(self):
         future = Future()
 

source/auth.h

@@ -16,6 +16,10 @@ PyObject *aws_py_credentials_session_token(PyObject *self, PyObject *args);
 PyObject *aws_py_credentials_provider_get_credentials(PyObject *self, PyObject *args);
 PyObject *aws_py_credentials_provider_new_chain_default(PyObject *self, PyObject *args);
 PyObject *aws_py_credentials_provider_new_static(PyObject *self, PyObject *args);
+PyObject *aws_py_credentials_provider_new_profile(PyObject *self, PyObject *args);
+PyObject *aws_py_credentials_provider_new_process(PyObject *self, PyObject *args);
+PyObject *aws_py_credentials_provider_new_environment(PyObject *self, PyObject *args);
+PyObject *aws_py_credentials_provider_new_chain(PyObject *self, PyObject *args);
 
 PyObject *aws_py_signing_config_new(PyObject *self, PyObject *args);
 PyObject *aws_py_signing_config_get_algorithm(PyObject *self, PyObject *args);

source/auth_credentials.c

@@ -120,15 +120,10 @@ PyObject *aws_py_credentials_session_token(PyObject *self, PyObject *args) {
  */
 struct credentials_provider_binding {
     struct aws_credentials_provider *native;
-
-    /* Dependencies that must outlive this.
-     * Note that different types of providers have different dependencies */
-    PyObject *bootstrap;
 };
 
 /* Finally clean up binding (after capsule destructor runs and credentials provider shutdown completes) */
 static void s_credentials_provider_binding_clean_up(struct credentials_provider_binding *binding) {
-    Py_XDECREF(binding->bootstrap);
     aws_mem_release(aws_py_get_allocator(), binding);
 }
 
@@ -273,9 +268,6 @@ PyObject *aws_py_credentials_provider_new_chain_default(PyObject *self, PyObject
     /* From hereon, we need to clean up if errors occur.
      * Fortunately, the capsule destructor will clean up anything stored inside the binding */
 
-    binding->bootstrap = bootstrap_py;
-    Py_INCREF(binding->bootstrap);
-
     struct aws_credentials_provider_chain_default_options options = {
         .bootstrap = bootstrap,
         .shutdown_options = {s_credentials_provider_shutdown_complete, binding},
@@ -340,3 +332,215 @@ PyObject *aws_py_credentials_provider_new_static(PyObject *self, PyObject *args)
     Py_DECREF(capsule);
     return NULL;
 }
+
+PyObject *aws_py_credentials_provider_new_profile(PyObject *self, PyObject *args) {
+    (void)self;
+    struct aws_allocator *allocator = aws_py_get_allocator();
+
+    PyObject *bootstrap_py;
+    struct aws_byte_cursor profile_name;
+    struct aws_byte_cursor config_file_name;
+    struct aws_byte_cursor credentials_file_name;
+
+    if (!PyArg_ParseTuple(
+            args,
+            "Oz#z#z#",
+            &bootstrap_py,
+            &profile_name.ptr,
+            &profile_name.len,
+            &config_file_name.ptr,
+            &config_file_name.len,
+            &credentials_file_name.ptr,
+            &credentials_file_name.len)) {
+        return NULL;
+    }
+
+    struct aws_client_bootstrap *bootstrap = aws_py_get_client_bootstrap(bootstrap_py);
+    if (!bootstrap) {
+        return NULL;
+    }
+
+    struct credentials_provider_binding *binding;
+    PyObject *capsule = s_new_credentials_provider_binding_and_capsule(&binding);
+    if (!capsule) {
+        return NULL;
+    }
+
+    /* From hereon, we need to clean up if errors occur.
+     * Fortunately, the capsule destructor will clean up anything stored inside the binding */
+
+    struct aws_credentials_provider_profile_options options = {
+        .bootstrap = bootstrap,
+        .profile_name_override = profile_name,
+        .config_file_name_override = config_file_name,
+        .credentials_file_name_override = credentials_file_name,
+        .shutdown_options =
+            {
+                .shutdown_callback = s_credentials_provider_shutdown_complete,
+                .shutdown_user_data = binding,
+            },
+    };
+
+    binding->native = aws_credentials_provider_new_profile(allocator, &options);
+    if (!binding->native) {
+        PyErr_SetAwsLastError();
+        goto error;
+    }
+
+    return capsule;
+error:
+    Py_DECREF(capsule);
+    return NULL;
+}
+
+PyObject *aws_py_credentials_provider_new_process(PyObject *self, PyObject *args) {
+    (void)self;
+    struct aws_allocator *allocator = aws_py_get_allocator();
+
+    struct aws_byte_cursor profile_to_use;
+
+    if (!PyArg_ParseTuple(args, "z#", &profile_to_use.ptr, &profile_to_use.len)) {
+        return NULL;
+    }
+
+    struct credentials_provider_binding *binding;
+    PyObject *capsule = s_new_credentials_provider_binding_and_capsule(&binding);
+    if (!capsule) {
+        return NULL;
+    }
+
+    /* From hereon, we need to clean up if errors occur.
+     * Fortunately, the capsule destructor will clean up anything stored inside the binding */
+
+    struct aws_credentials_provider_process_options options = {
+        .profile_to_use = profile_to_use,
+        .shutdown_options =
+            {
+                .shutdown_callback = s_credentials_provider_shutdown_complete,
+                .shutdown_user_data = binding,
+            },
+    };
+
+    binding->native = aws_credentials_provider_new_process(allocator, &options);
+    if (!binding->native) {
+        PyErr_SetAwsLastError();
+        goto error;
+    }
+
+    return capsule;
+error:
+    Py_DECREF(capsule);
+    return NULL;
+}
+
+PyObject *aws_py_credentials_provider_new_environment(PyObject *self, PyObject *args) {
+    (void)self;
+    (void)args;
+    struct aws_allocator *allocator = aws_py_get_allocator();
+
+    struct credentials_provider_binding *binding;
+    PyObject *capsule = s_new_credentials_provider_binding_and_capsule(&binding);
+    if (!capsule) {
+        return NULL;
+    }
+
+    /* From hereon, we need to clean up if errors occur.
+     * Fortunately, the capsule destructor will clean up anything stored inside the binding */
+
+    struct aws_credentials_provider_environment_options options = {
+        .shutdown_options =
+            {
+                .shutdown_callback = s_credentials_provider_shutdown_complete,
+                .shutdown_user_data = binding,
+            },
+    };
+
+    binding->native = aws_credentials_provider_new_environment(allocator, &options);
+    if (!binding->native) {
+        PyErr_SetAwsLastError();
+        goto error;
+    }
+
+    return capsule;
+error:
+    Py_DECREF(capsule);
+    return NULL;
+}
+
+PyObject *aws_py_credentials_provider_new_chain(PyObject *self, PyObject *args) {
+    (void)self;
+    struct aws_allocator *allocator = aws_py_get_allocator();
+
+    PyObject *providers_arg;
+
+    if (!PyArg_ParseTuple(args, "O", &providers_arg)) {
+        return NULL;
+    }
+
+    /* From hereon, we need to clean up if errors occur.
+     * Fortunately, the capsule destructor will clean up anything stored inside the binding */
+    bool success = false;
+    PyObject *providers_pyseq = NULL;
+    struct aws_credentials_provider **providers_carray = NULL;
+    PyObject *capsule = NULL;
+
+    /* Need temporary C-array of pointers to underlying aws_credentials_provider structs */
+    providers_pyseq = PySequence_Fast(providers_arg, "Expected sequence of AwsCredentialsProviders");
+    if (!providers_pyseq) {
+        goto done;
+    }
+    size_t provider_count = (size_t)PySequence_Fast_GET_SIZE(providers_pyseq);
+    if (provider_count == 0) {
+        PyErr_SetString(PyExc_ValueError, "Must supply at least one AwsCredentialsProvider.");
+        goto done;
+    }
+
+    providers_carray = aws_mem_calloc(allocator, provider_count, sizeof(void *));
+    if (!providers_carray) {
+        PyErr_SetAwsLastError();
+        goto done;
+    }
+
+    for (size_t i = 0; i < provider_count; ++i) {
+        PyObject *provider_py = PySequence_Fast_GET_ITEM(providers_pyseq, i);
+        providers_carray[i] = aws_py_get_credentials_provider(provider_py);
+        if (!providers_carray[i]) {
+            goto done;
+        }
+    }
+
+    struct credentials_provider_binding *binding;
+    capsule = s_new_credentials_provider_binding_and_capsule(&binding);
+    if (!capsule) {
+        goto done;
+    }
+
+    struct aws_credentials_provider_chain_options options = {
+        .provider_count = provider_count,
+        .providers = providers_carray,
+        .shutdown_options =
+            {
+                .shutdown_callback = s_credentials_provider_shutdown_complete,
+                .shutdown_user_data = binding,
+            },
+    };
+
+    binding->native = aws_credentials_provider_new_chain(allocator, &options);
+    if (!binding->native) {
+        PyErr_SetAwsLastError();
+        goto done;
+    }
+
+    success = true;
+
+done:
+    Py_XDECREF(providers_pyseq);
+    aws_mem_release(allocator, providers_carray);
+
+    if (success) {
+        return capsule;
+    }
+
+    Py_XDECREF(capsule);
+    return NULL;
+}