1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0
*/
use crate::box_error::BoxError;
use crate::client::runtime_components::sealed::ValidateConfig;
use crate::client::runtime_components::{RuntimeComponents, RuntimeComponentsBuilder};
use crate::impl_shared_conversions;
use aws_smithy_types::config_bag::ConfigBag;
use std::any::Any;
use std::fmt;
use std::fmt::Debug;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
use std::time::SystemTime;
#[cfg(feature = "http-auth")]
pub mod http;
new_type_future! {
#[doc = "Future for [`IdentityResolver::resolve_identity`]."]
pub struct IdentityFuture<'a, Identity, BoxError>;
}
static NEXT_CACHE_PARTITION: AtomicUsize = AtomicUsize::new(0);
/// Cache partition key for identity caching.
///
/// Identities need cache partitioning because a single identity cache is used across
/// multiple identity providers across multiple auth schemes. In addition, a single auth scheme
/// may have many different identity providers due to operation-level config overrides.
///
/// This partition _must_ be respected when retrieving from the identity cache and _should_
/// be part of the cache key.
///
/// Calling [`IdentityCachePartition::new`] will create a new globally unique cache partition key,
/// and the [`SharedIdentityResolver`] will automatically create and store a partion on construction.
/// Thus, every configured identity resolver will be assigned a unique partition.
#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash, Ord, PartialOrd)]
pub struct IdentityCachePartition(usize);
impl IdentityCachePartition {
/// Create a new globally unique cache partition key.
pub fn new() -> Self {
Self(NEXT_CACHE_PARTITION.fetch_add(1, Ordering::Relaxed))
}
/// Helper for unit tests to create an identity cache partition with a known value.
#[cfg(feature = "test-util")]
pub fn new_for_tests(value: usize) -> IdentityCachePartition {
Self(value)
}
}
/// Caching resolver for identities.
pub trait ResolveCachedIdentity: fmt::Debug + Send + Sync {
/// Returns a cached identity, or resolves an identity and caches it if its not already cached.
fn resolve_cached_identity<'a>(
&'a self,
resolver: SharedIdentityResolver,
runtime_components: &'a RuntimeComponents,
config_bag: &'a ConfigBag,
) -> IdentityFuture<'a>;
#[doc = include_str!("../../rustdoc/validate_base_client_config.md")]
fn validate_base_client_config(
&self,
runtime_components: &RuntimeComponentsBuilder,
cfg: &ConfigBag,
) -> Result<(), BoxError> {
let _ = (runtime_components, cfg);
Ok(())
}
#[doc = include_str!("../../rustdoc/validate_final_config.md")]
fn validate_final_config(
&self,
runtime_components: &RuntimeComponents,
cfg: &ConfigBag,
) -> Result<(), BoxError> {
let _ = (runtime_components, cfg);
Ok(())
}
}
/// Shared identity cache.
#[derive(Clone, Debug)]
pub struct SharedIdentityCache(Arc<dyn ResolveCachedIdentity>);
impl SharedIdentityCache {
/// Creates a new [`SharedIdentityCache`] from the given cache implementation.
pub fn new(cache: impl ResolveCachedIdentity + 'static) -> Self {
Self(Arc::new(cache))
}
}
impl ResolveCachedIdentity for SharedIdentityCache {
fn resolve_cached_identity<'a>(
&'a self,
resolver: SharedIdentityResolver,
runtime_components: &'a RuntimeComponents,
config_bag: &'a ConfigBag,
) -> IdentityFuture<'a> {
self.0
.resolve_cached_identity(resolver, runtime_components, config_bag)
}
}
impl ValidateConfig for SharedIdentityResolver {}
impl ValidateConfig for SharedIdentityCache {
fn validate_base_client_config(
&self,
runtime_components: &RuntimeComponentsBuilder,
cfg: &ConfigBag,
) -> Result<(), BoxError> {
self.0.validate_base_client_config(runtime_components, cfg)
}
fn validate_final_config(
&self,
runtime_components: &RuntimeComponents,
cfg: &ConfigBag,
) -> Result<(), BoxError> {
self.0.validate_final_config(runtime_components, cfg)
}
}
impl_shared_conversions!(convert SharedIdentityCache from ResolveCachedIdentity using SharedIdentityCache::new);
/// Resolver for identities.
///
/// Every [`AuthScheme`](crate::client::auth::AuthScheme) has one or more compatible
/// identity resolvers, which are selected from runtime components by the auth scheme
/// implementation itself.
///
/// The identity resolver must return an [`IdentityFuture`] with the resolved identity, or an error
/// if resolution failed. There is no optionality for identity resolvers. The identity either
/// resolves successfully, or it fails. The orchestrator will choose exactly one auth scheme
/// to use, and thus, its chosen identity resolver is the only identity resolver that runs.
/// There is no fallback to other auth schemes in the absence of an identity.
pub trait ResolveIdentity: Send + Sync + Debug {
/// Asynchronously resolves an identity for a request using the given config.
fn resolve_identity<'a>(
&'a self,
runtime_components: &'a RuntimeComponents,
config_bag: &'a ConfigBag,
) -> IdentityFuture<'a>;
/// Returns a fallback identity.
///
/// This method should be used as a fallback plan, i.e., when a call to `resolve_identity`
/// is interrupted by a timeout and its future fails to complete.
///
/// The fallback identity should be set aside and ready to be returned
/// immediately. Therefore, a new identity should NOT be fetched
/// within this method, which might cause a long-running operation.
fn fallback_on_interrupt(&self) -> Option<Identity> {
None
}
/// Returns the location of an identity cache associated with this identity resolver.
///
/// By default, identity resolvers will use the identity cache stored in runtime components.
/// Implementing types can change the cache location if they want to. Refer to [`IdentityCacheLocation`]
/// explaining why a concrete identity resolver might want to change the cache location.
fn cache_location(&self) -> IdentityCacheLocation {
IdentityCacheLocation::RuntimeComponents
}
/// Returns the identity cache partition associated with this identity resolver.
///
/// By default this returns `None` and cache partitioning is left up to `SharedIdentityResolver`.
fn cache_partition(&self) -> Option<IdentityCachePartition> {
None
}
}
/// Cache location for identity caching.
///
/// Identities are usually cached in the identity cache owned by [`RuntimeComponents`]. However,
/// we do have identities whose caching mechanism is internally managed by their identity resolver,
/// in which case we want to avoid the `RuntimeComponents`-owned identity cache interfering with
/// the internal caching policy.
#[non_exhaustive]
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub enum IdentityCacheLocation {
/// Indicates the identity cache is owned by [`RuntimeComponents`].
RuntimeComponents,
/// Indicates the identity cache is internally managed by the identity resolver.
IdentityResolver,
}
/// Container for a shared identity resolver.
#[derive(Clone, Debug)]
pub struct SharedIdentityResolver {
inner: Arc<dyn ResolveIdentity>,
cache_partition: IdentityCachePartition,
}
impl SharedIdentityResolver {
/// Creates a new [`SharedIdentityResolver`] from the given resolver.
pub fn new(resolver: impl ResolveIdentity + 'static) -> Self {
// NOTE: `IdentityCachePartition` is globally unique by construction so even
// custom implementations of `ResolveIdentity::cache_partition()` are unique.
let partition = match resolver.cache_partition() {
Some(p) => p,
None => IdentityCachePartition::new(),
};
Self {
inner: Arc::new(resolver),
cache_partition: partition,
}
}
/// Returns the globally unique cache partition key for this identity resolver.
///
/// See the [`IdentityCachePartition`] docs for more information on what this is used for
/// and why.
pub fn cache_partition(&self) -> IdentityCachePartition {
self.cache_partition
}
}
impl ResolveIdentity for SharedIdentityResolver {
fn resolve_identity<'a>(
&'a self,
runtime_components: &'a RuntimeComponents,
config_bag: &'a ConfigBag,
) -> IdentityFuture<'a> {
self.inner.resolve_identity(runtime_components, config_bag)
}
fn cache_location(&self) -> IdentityCacheLocation {
self.inner.cache_location()
}
fn cache_partition(&self) -> Option<IdentityCachePartition> {
Some(self.cache_partition())
}
}
impl_shared_conversions!(convert SharedIdentityResolver from ResolveIdentity using SharedIdentityResolver::new);
/// An identity that can be used for authentication.
///
/// The [`Identity`] is a container for any arbitrary identity data that may be used
/// by a [`Sign`](crate::client::auth::Sign) implementation. Under the hood, it
/// has an `Arc<dyn Any>`, and it is the responsibility of the signer to downcast
/// to the appropriate data type using the `data()` function.
///
/// The `Identity` also holds an optional expiration time, which may duplicate
/// an expiration time on the identity data. This is because an `Arc<dyn Any>`
/// can't be downcast to any arbitrary trait, and expiring identities are
/// common enough to be built-in.
#[derive(Clone)]
pub struct Identity {
data: Arc<dyn Any + Send + Sync>,
#[allow(clippy::type_complexity)]
data_debug: Arc<dyn (Fn(&Arc<dyn Any + Send + Sync>) -> &dyn Debug) + Send + Sync>,
expiration: Option<SystemTime>,
}
impl Identity {
/// Creates a new identity with the given data and expiration time.
pub fn new<T>(data: T, expiration: Option<SystemTime>) -> Self
where
T: Any + Debug + Send + Sync,
{
Self {
data: Arc::new(data),
data_debug: Arc::new(|d| d.downcast_ref::<T>().expect("type-checked") as _),
expiration,
}
}
/// Returns the raw identity data.
pub fn data<T: Any + Debug + Send + Sync + 'static>(&self) -> Option<&T> {
self.data.downcast_ref()
}
/// Returns the expiration time for this identity, if any.
pub fn expiration(&self) -> Option<SystemTime> {
self.expiration
}
}
impl Debug for Identity {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("Identity")
.field("data", (self.data_debug)(&self.data))
.field("expiration", &self.expiration)
.finish()
}
}
#[cfg(test)]
mod tests {
use super::*;
use aws_smithy_async::time::{SystemTimeSource, TimeSource};
#[test]
fn check_send_sync() {
fn is_send_sync<T: Send + Sync>(_: T) {}
is_send_sync(Identity::new("foo", None));
}
#[test]
fn create_retrieve_identity() {
#[derive(Debug)]
struct MyIdentityData {
first: String,
last: String,
}
let ts = SystemTimeSource::new();
let expiration = ts.now();
let identity = Identity::new(
MyIdentityData {
first: "foo".into(),
last: "bar".into(),
},
Some(expiration),
);
assert_eq!("foo", identity.data::<MyIdentityData>().unwrap().first);
assert_eq!("bar", identity.data::<MyIdentityData>().unwrap().last);
assert_eq!(Some(expiration), identity.expiration());
}
}