feat: Implement Cognito Credentials Provider

Author: dayaffe

AWSSDKSwiftCLI/Sources/AWSSDKSwiftCLI/Models/PackageManifestBuilder.swift

@@ -111,6 +111,7 @@ struct PackageManifestBuilder {
             buildInternalAWSSTSDependencies(),
             buildInternalAWSSSODependencies(),
             buildInternalAWSSSOOIDCDependencies(),
+            buildInternalAWSCognitoIdentityDependencies(),
             "",
         ]
         return contents.joined(separator: .newline)
@@ -170,6 +171,10 @@ struct PackageManifestBuilder {
         buildInternalClientDependencies(name: "AWSSSOOIDC")
     }
 
+    private func buildInternalAWSCognitoIdentityDependencies() -> String {
+        buildInternalClientDependencies(name: "AWSCognitoIdentity")
+    }
+
     private func buildInternalClientDependencies(name: String) -> String {
         let jsonFilePath = "Sources/Core/AWSSDKIdentity/InternalClients/Internal\(name)/Dependencies.json"
         let service = Service(name: name)

AWSSDKSwiftCLI/Sources/AWSSDKSwiftCLI/Resources/Package.Base.txt

@@ -185,6 +185,7 @@ private var runtimeTargets: [Target] {
                 "InternalAWSSTS",
                 "InternalAWSSSO",
                 "InternalAWSSSOOIDC",
+                "InternalAWSCognitoIdentity",
             ],
             path: "Sources/Core/AWSSDKIdentity/Sources/AWSSDKIdentity"
         ),
@@ -203,6 +204,11 @@ private var runtimeTargets: [Target] {
             dependencies: internalAWSSSOOIDCDependencies,
             path: "Sources/Core/AWSSDKIdentity/InternalClients/InternalAWSSSOOIDC/Sources/InternalAWSSSOOIDC"
         ),
+        .target(
+            name: "InternalAWSCognitoIdentity",
+            dependencies: internalAWSCognitoIdentityDependencies,
+            path: "Sources/Core/AWSSDKIdentity/InternalClients/InternalAWSCognitoIdentity/Sources/InternalAWSCognitoIdentity"
+        ),
         .target(
             name: "AWSSDKChecksums",
             dependencies: [

AWSSDKSwiftCLI/Tests/AWSSDKSwiftCLITests/Models/PackageManifestBuilderTests.swift

@@ -33,6 +33,7 @@ class PackageManifestBuilderTests: XCTestCase {
         let internalAWSSTSDependencies: [Target.Dependency] = []
         let internalAWSSSODependencies: [Target.Dependency] = []
         let internalAWSSSOOIDCDependencies: [Target.Dependency] = []
+        let internalAWSCognitoIdentityDependencies: [Target.Dependency] = []
 
         <contents of base package>
         """
@@ -75,6 +76,7 @@ class PackageManifestBuilderTests: XCTestCase {
         let internalAWSSTSDependencies: [Target.Dependency] = []
         let internalAWSSSODependencies: [Target.Dependency] = []
         let internalAWSSSOOIDCDependencies: [Target.Dependency] = []
+        let internalAWSCognitoIdentityDependencies: [Target.Dependency] = []
 
         <contents of base package>
         """

IntegrationTests/Package.swift

@@ -94,7 +94,7 @@ private func integrationTestTarget(_ name: String) -> Target {
     case "AWSSTS":
         additionalDependencies = ["AWSIAM", "AWSCognitoIdentity"]
     case "AWSCognitoIdentity":
-        additionalDependencies = ["AWSSTS"]
+        additionalDependencies = ["AWSSTS", "AWSIAM"]
     default:
         break
     }

IntegrationTests/Services/AWSCognitoIdentityIntegrationTests/CognitoAWSCredentialIdentityResolverTests.swift

@@ -0,0 +1,113 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import XCTest
+import AWSSTS
+import AWSCognitoIdentity
+import AWSSDKIdentity
+import ClientRuntime
+import AWSIAM
+
+/// Tests CognitoAWSCredentialIdentityResolver using STS::getCallerIdentity.
+class CognitoAWSCredentialIdentityResolverTests: XCTestCase {
+    private let region = "us-west-2"
+
+    private var cognitoIdentityClient: CognitoIdentityClient!
+    private var iamClient: IAMClient!
+    
+    private let identityPoolName = "aws-cognito-integration-test-\(UUID().uuidString.split(separator: "-").first!.lowercased())"
+    private var identityPoolId: String!
+    private var roleName: String!
+
+    override func setUp() async throws {
+        try await super.setUp()
+
+        // CognitoIdentity client for creating & deleting identity pool
+        cognitoIdentityClient = try CognitoIdentityClient(region: region)
+        iamClient = try IAMClient(region: "us-east-1")
+
+        // Create identity pool that allows unauthenticated identities
+        identityPoolId = try await cognitoIdentityClient.createIdentityPool(
+            input: CreateIdentityPoolInput(
+                allowUnauthenticatedIdentities: true,
+                identityPoolName: identityPoolName
+            )
+        ).identityPoolId
+        
+        // Create an IAM role for unauthenticated users
+        roleName = "CognitoUnauth_\(identityPoolName)"
+        let trustPolicy = """
+        {
+            "Version": "2012-10-17",
+            "Statement": [{
+                "Effect": "Allow",
+                "Principal": {"Federated": "cognito-identity.amazonaws.com"},
+                "Action": "sts:AssumeRoleWithWebIdentity",
+                "Condition": {
+                    "StringEquals": {"cognito-identity.amazonaws.com:aud": "\(identityPoolId!)"},
+                    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"}
+                }
+            }]
+        }
+        """
+        
+        let createRoleInput = CreateRoleInput(
+            assumeRolePolicyDocument: trustPolicy,
+            roleName: roleName
+        )
+        let createRoleResponse = try await iamClient.createRole(input: createRoleInput)
+
+        try await Task.sleep(nanoseconds: 10_000_000_000) // 10 seconds
+
+        // Assign the role to the identity pool
+        _ = try await cognitoIdentityClient.setIdentityPoolRoles(
+            input: SetIdentityPoolRolesInput(
+                identityPoolId: identityPoolId,
+                roles: ["unauthenticated": createRoleResponse.role!.arn!]
+            )
+        )
+    }
+
+    override func tearDown() async throws {
+        _ = try? await cognitoIdentityClient.deleteIdentityPool(
+            input: DeleteIdentityPoolInput(identityPoolId: identityPoolId)
+        )
+        
+        _ = try? await iamClient.deleteRole(
+            input: DeleteRoleInput(roleName: roleName)
+        )
+
+        try await super.tearDown()
+    }
+
+    /// Confirm CognitoAWSCredentialIdentityResolver works by calling STS getCallerIdentity
+    func testGetCallerIdentityWithCognitoCredentials() async throws {
+        // Create CognitoAWSCredentialIdentityResolver
+        let cognitoCredentialResolver = try CognitoAWSCredentialIdentityResolver(
+            identityPoolId: identityPoolId,
+            cognitoPoolRegion: region // us-west-2
+        )
+
+        // Configure STS client with Cognito credentials
+        let cognitoStsConfig = try await STSClient.STSClientConfiguration(
+            awsCredentialIdentityResolver: cognitoCredentialResolver,
+            region: "us-east-1" // different from cognito pool region
+        )
+        let cognitoStsClient = STSClient(config: cognitoStsConfig)
+        let response = try await cognitoStsClient.getCallerIdentity(
+            input: GetCallerIdentityInput()
+        )
+
+        let account = try XCTUnwrap(response.account)
+        let userId = try XCTUnwrap(response.userId)
+        let arn = try XCTUnwrap(response.arn)
+
+        XCTAssertNotEqual(account, "")
+        XCTAssertNotEqual(userId, "")
+        XCTAssertTrue(arn.contains(roleName))
+    }
+}

Package.swift

@@ -441,6 +441,7 @@ let serviceTargets: [String: [Target.Dependency]] = [
 let internalAWSSTSDependencies: [Target.Dependency] = [.AWSClientRuntime, .AWSSDKChecksums, .AWSSDKHTTPAuth, .ClientRuntime, .Smithy, .SmithyFormURL, .SmithyHTTPAPI, .SmithyHTTPAuthAPI, .SmithyIdentity, .SmithyReadWrite, .SmithyRetries, .SmithyRetriesAPI, .SmithyTimestamps, .SmithyXML]
 let internalAWSSSODependencies: [Target.Dependency] = [.AWSClientRuntime, .AWSSDKChecksums, .AWSSDKHTTPAuth, .ClientRuntime, .Smithy, .SmithyHTTPAPI, .SmithyHTTPAuthAPI, .SmithyIdentity, .SmithyJSON, .SmithyReadWrite, .SmithyRetries, .SmithyRetriesAPI]
 let internalAWSSSOOIDCDependencies: [Target.Dependency] = [.AWSClientRuntime, .AWSSDKChecksums, .AWSSDKHTTPAuth, .ClientRuntime, .Smithy, .SmithyHTTPAPI, .SmithyHTTPAuthAPI, .SmithyIdentity, .SmithyJSON, .SmithyReadWrite, .SmithyRetries, .SmithyRetriesAPI]
+let internalAWSCognitoIdentityDependencies: [Target.Dependency] = [.AWSClientRuntime, .AWSSDKChecksums, .AWSSDKHTTPAuth, .ClientRuntime, .Smithy, .SmithyHTTPAPI, .SmithyHTTPAuthAPI, .SmithyIdentity, .SmithyJSON, .SmithyReadWrite, .SmithyRetries, .SmithyRetriesAPI, .SmithyTimestamps]
 
 // MARK: - Static Content
 
@@ -629,6 +630,7 @@ private var runtimeTargets: [Target] {
                 "InternalAWSSTS",
                 "InternalAWSSSO",
                 "InternalAWSSSOOIDC",
+                "InternalAWSCognitoIdentity",
             ],
             path: "Sources/Core/AWSSDKIdentity/Sources/AWSSDKIdentity"
         ),
@@ -647,6 +649,11 @@ private var runtimeTargets: [Target] {
             dependencies: internalAWSSSOOIDCDependencies,
             path: "Sources/Core/AWSSDKIdentity/InternalClients/InternalAWSSSOOIDC/Sources/InternalAWSSSOOIDC"
         ),
+        .target(
+            name: "InternalAWSCognitoIdentity",
+            dependencies: internalAWSCognitoIdentityDependencies,
+            path: "Sources/Core/AWSSDKIdentity/InternalClients/InternalAWSCognitoIdentity/Sources/InternalAWSCognitoIdentity"
+        ),
         .target(
             name: "AWSSDKChecksums",
             dependencies: [

Sources/Core/AWSSDKIdentity/InternalClients/InternalAWSCognitoIdentity/Dependencies.json

@@ -0,0 +1,16 @@
+[
+    "AWSClientRuntime",
+    "AWSSDKChecksums",
+    "AWSSDKHTTPAuth",
+    "ClientRuntime",
+    "Smithy",
+    "SmithyHTTPAPI",
+    "SmithyHTTPAuthAPI",
+    "SmithyIdentity",
+    "SmithyJSON",
+    "SmithyReadWrite",
+    "SmithyRetries",
+    "SmithyRetriesAPI",
+    "SmithyTestUtil",
+    "SmithyTimestamps"
+]

Sources/Core/AWSSDKIdentity/InternalClients/InternalAWSCognitoIdentity/Sources/InternalAWSCognitoIdentity/AuthSchemeResolver.swift

@@ -0,0 +1,62 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+// Code generated by smithy-swift-codegen. DO NOT EDIT!
+
+import class Smithy.Context
+import enum Smithy.ClientError
+import enum SmithyHTTPAuthAPI.SigningPropertyKeys
+import protocol SmithyHTTPAuthAPI.AuthSchemeResolver
+import protocol SmithyHTTPAuthAPI.AuthSchemeResolverParameters
+import struct SmithyHTTPAuthAPI.AuthOption
+
+package struct CognitoIdentityAuthSchemeResolverParameters: SmithyHTTPAuthAPI.AuthSchemeResolverParameters {
+    public let authSchemePreference: [String]?
+    public let operation: Swift.String
+    // Region is used for SigV4 auth scheme
+    public let region: Swift.String?
+}
+
+package protocol CognitoIdentityAuthSchemeResolver: SmithyHTTPAuthAPI.AuthSchemeResolver {
+    // Intentionally empty.
+    // This is the parent protocol that all auth scheme resolver implementations of
+    // the service CognitoIdentity must conform to.
+}
+
+package struct DefaultCognitoIdentityAuthSchemeResolver: CognitoIdentityAuthSchemeResolver {
+
+    public func resolveAuthScheme(params: SmithyHTTPAuthAPI.AuthSchemeResolverParameters) throws -> [SmithyHTTPAuthAPI.AuthOption] {
+        var validAuthOptions = [SmithyHTTPAuthAPI.AuthOption]()
+        guard let serviceParams = params as? CognitoIdentityAuthSchemeResolverParameters else {
+            throw Smithy.ClientError.authError("Service specific auth scheme parameters type must be passed to auth scheme resolver.")
+        }
+        switch serviceParams.operation {
+            case "getCredentialsForIdentity":
+                validAuthOptions.append(SmithyHTTPAuthAPI.AuthOption(schemeID: "smithy.api#noAuth"))
+            case "getId":
+                validAuthOptions.append(SmithyHTTPAuthAPI.AuthOption(schemeID: "smithy.api#noAuth"))
+            default:
+                var sigv4Option = SmithyHTTPAuthAPI.AuthOption(schemeID: "aws.auth#sigv4")
+                sigv4Option.signingProperties.set(key: SmithyHTTPAuthAPI.SigningPropertyKeys.signingName, value: "cognito-identity")
+                guard let region = serviceParams.region else {
+                    throw Smithy.ClientError.authError("Missing region in auth scheme parameters for SigV4 auth scheme.")
+                }
+                sigv4Option.signingProperties.set(key: SmithyHTTPAuthAPI.SigningPropertyKeys.signingRegion, value: region)
+                validAuthOptions.append(sigv4Option)
+        }
+        return self.reprioritizeAuthOptions(authSchemePreference: serviceParams.authSchemePreference, authOptions: validAuthOptions)
+    }
+
+    public func constructParameters(context: Smithy.Context) throws -> SmithyHTTPAuthAPI.AuthSchemeResolverParameters {
+        guard let opName = context.getOperation() else {
+            throw Smithy.ClientError.dataNotFound("Operation name not configured in middleware context for auth scheme resolver params construction.")
+        }
+        let authSchemePreference = context.getAuthSchemePreference()
+        let opRegion = context.getRegion()
+        return CognitoIdentityAuthSchemeResolverParameters(authSchemePreference: authSchemePreference, operation: opName, region: opRegion)
+    }
+}