Merge branch 'master' into s3-tranfermaster

Author: zoewangg

.changes/next-release/bugfix-AWSSDKforJavav2-bbc8ecb.json

@@ -0,0 +1,5 @@
+{
+    "category": "AWS SDK for Java v2", 
+    "type": "bugfix", 
+    "description": "Fix the issue where the `content-length` set on the request is not honored for streaming operations."
+}

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/WebIdentityTokenCredentialsProviderFactory.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.auth.credentials;
+
+import software.amazon.awssdk.annotations.SdkProtectedApi;
+import software.amazon.awssdk.auth.credentials.internal.WebIdentityTokenCredentialProperties;
+import software.amazon.awssdk.profiles.Profile;
+
+/**
+ * A factory for {@link AwsCredentialsProvider}s that are derived from web identity tokens.
+ *
+ * Currently this is used to allow a {@link Profile} or environment variable configured with a role that should be assumed with
+ * a web identity token to create a credentials provider via the
+ * 'software.amazon.awssdk.services.sts.internal.StsWebIdentityCredentialsProviderFactory', assuming STS is on the classpath.
+ */
+@FunctionalInterface
+@SdkProtectedApi
+public interface WebIdentityTokenCredentialsProviderFactory {
+    AwsCredentialsProvider create(WebIdentityTokenCredentialProperties credentialProperties);
+}

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/WebIdentityTokenFileCredentialsProvider.java

@@ -0,0 +1,168 @@
+/*
+ * Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.auth.credentials;
+
+import static software.amazon.awssdk.utils.StringUtils.trim;
+
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.Optional;
+import software.amazon.awssdk.annotations.SdkPublicApi;
+import software.amazon.awssdk.auth.credentials.internal.WebIdentityCredentialsUtils;
+import software.amazon.awssdk.auth.credentials.internal.WebIdentityTokenCredentialProperties;
+import software.amazon.awssdk.core.SdkSystemSetting;
+import software.amazon.awssdk.utils.ToString;
+
+/**
+ * A credential provider that will read web identity token file path, aws role arn
+ * and aws session name from system properties or environment variables for using
+ * web identity token credentials with STS. Use of this credentials provider requires
+ * the 'sts' module to be on the classpath.
+ */
+@SdkPublicApi
+public class WebIdentityTokenFileCredentialsProvider implements AwsCredentialsProvider {
+
+    private final AwsCredentialsProvider credentialsProvider;
+    private final RuntimeException loadException;
+
+    private WebIdentityTokenFileCredentialsProvider(BuilderImpl builder) {
+        AwsCredentialsProvider credentialsProvider = null;
+        RuntimeException loadException = null;
+
+        try {
+            Path webIdentityTokenFile =
+                builder.webIdentityTokenFile != null ? builder.webIdentityTokenFile
+                                                     : Paths.get(trim(SdkSystemSetting.AWS_WEB_IDENTITY_TOKEN_FILE
+                                                                          .getStringValueOrThrow()));
+
+            String roleArn = builder.roleArn != null ? builder.roleArn
+                                                     : trim(SdkSystemSetting.AWS_ROLE_ARN.getStringValueOrThrow());
+
+            Optional<String> roleSessionName =
+                builder.roleSessionName != null ? Optional.of(builder.roleSessionName)
+                                                : SdkSystemSetting.AWS_ROLE_SESSION_NAME.getStringValue();
+
+            WebIdentityTokenCredentialProperties credentialProperties =
+                WebIdentityTokenCredentialProperties.builder()
+                                                    .roleArn(roleArn)
+                                                    .roleSessionName(roleSessionName.orElse(null))
+                                                    .webIdentityTokenFile(webIdentityTokenFile)
+                                                    .build();
+
+            credentialsProvider = WebIdentityCredentialsUtils.factory().create(credentialProperties);
+        } catch (RuntimeException e) {
+            // If we couldn't load the credentials provider for some reason, save an exception describing why. This exception
+            // will only be raised on calls to getCredentials. We don't want to raise an exception here because it may be
+            // expected (eg. in the default credential chain).
+            loadException = e;
+        }
+
+        this.loadException = loadException;
+        this.credentialsProvider = credentialsProvider;
+    }
+
+    public static WebIdentityTokenFileCredentialsProvider create() {
+
+        return WebIdentityTokenFileCredentialsProvider.builder().build();
+    }
+
+    @Override
+    public AwsCredentials resolveCredentials() {
+        if (loadException != null) {
+            throw loadException;
+        }
+        return credentialsProvider.resolveCredentials();
+    }
+
+    public static Builder builder() {
+        return new BuilderImpl();
+    }
+
+    @Override
+    public String toString() {
+        return ToString.create("WebIdentityTokenCredentialsProvider");
+    }
+
+    /**
+     * A builder for creating a custom {@link WebIdentityTokenFileCredentialsProvider}.
+     */
+    public interface Builder {
+
+        /**
+         * Define the role arn that should be used by this credentials provider.
+         */
+        Builder roleArn(String roleArn);
+
+        /**
+         * Define the role session name that should be used by this credentials provider.
+         */
+        Builder roleSessionName(String roleSessionName);
+
+        /**
+         * Define the absolute path to the web identity token file that should be used by this credentials provider.
+         */
+        Builder webIdentityTokenFile(Path webIdentityTokenFile);
+
+        /**
+         * Create a {@link WebIdentityTokenFileCredentialsProvider} using the configuration applied to this builder.
+         */
+        WebIdentityTokenFileCredentialsProvider build();
+    }
+
+    static final class BuilderImpl implements Builder {
+        private String roleArn;
+        private String roleSessionName;
+        private Path webIdentityTokenFile;
+
+        BuilderImpl() {
+        }
+
+        @Override
+        public Builder roleArn(String roleArn) {
+            this.roleArn = roleArn;
+            return this;
+        }
+
+        public void setRoleArn(String roleArn) {
+            roleArn(roleArn);
+        }
+
+        @Override
+        public Builder roleSessionName(String roleSessionName) {
+            this.roleSessionName = roleSessionName;
+            return this;
+        }
+
+        public void setRoleSessionName(String roleSessionName) {
+            roleSessionName(roleSessionName);
+        }
+
+        @Override
+        public Builder webIdentityTokenFile(Path webIdentityTokenFile) {
+            this.webIdentityTokenFile = webIdentityTokenFile;
+            return this;
+        }
+
+        public void setwebIdentityTokenFile(Path webIdentityTokenFile) {
+            webIdentityTokenFile(webIdentityTokenFile);
+        }
+
+        @Override
+        public WebIdentityTokenFileCredentialsProvider build() {
+            return new WebIdentityTokenFileCredentialsProvider(this);
+        }
+    }
+}

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/ProfileCredentialsUtils.java

@@ -16,6 +16,8 @@
 package software.amazon.awssdk.auth.credentials.internal;
 
 import java.lang.reflect.InvocationTargetException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Map;
@@ -95,10 +97,16 @@ private Optional<AwsCredentialsProvider> credentialsProvider(Set<String> childre
         if (properties.containsKey(ProfileProperty.ROLE_ARN)) {
             boolean hasSourceProfile = properties.containsKey(ProfileProperty.SOURCE_PROFILE);
             boolean hasCredentialSource = properties.containsKey(ProfileProperty.CREDENTIAL_SOURCE);
+            boolean hasWebIdentityTokenFile = properties.containsKey(ProfileProperty.WEB_IDENTITY_TOKEN_FILE);
+            boolean hasRoleArn = properties.containsKey(ProfileProperty.ROLE_ARN);
             Validate.validState(!(hasSourceProfile && hasCredentialSource),
                                 "Invalid profile file: profile has both %s and %s.",
                                 ProfileProperty.SOURCE_PROFILE, ProfileProperty.CREDENTIAL_SOURCE);
 
+            if (hasWebIdentityTokenFile && hasRoleArn) {
+                return Optional.ofNullable(roleAndWebIdentityTokenProfileCredentialsProvider());
+            }
+
             if (hasSourceProfile) {
                 return Optional.ofNullable(roleAndSourceProfileBasedProfileCredentialsProvider(children));
             }
@@ -155,6 +163,23 @@ private AwsCredentialsProvider credentialProcessCredentialsProvider() {
                                          .build();
     }
 
+    private AwsCredentialsProvider roleAndWebIdentityTokenProfileCredentialsProvider() {
+        requireProperties(ProfileProperty.ROLE_ARN, ProfileProperty.WEB_IDENTITY_TOKEN_FILE);
+
+        String roleArn = properties.get(ProfileProperty.ROLE_ARN);
+        String roleSessionName = properties.get(ProfileProperty.ROLE_SESSION_NAME);
+        Path webIdentityTokenFile = Paths.get(properties.get(ProfileProperty.WEB_IDENTITY_TOKEN_FILE));
+
+        WebIdentityTokenCredentialProperties credentialProperties =
+            WebIdentityTokenCredentialProperties.builder()
+                                                .roleArn(roleArn)
+                                                .roleSessionName(roleSessionName)
+                                                .webIdentityTokenFile(webIdentityTokenFile)
+                                                .build();
+
+        return WebIdentityCredentialsUtils.factory().create(credentialProperties);
+    }
+
     /**
      * Load an assumed-role credentials provider that has been configured in this profile. This will attempt to locate the STS
      * module in order to generate the credentials provider. If it's not available, an illegal state exception will be raised.

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/WebIdentityCredentialsUtils.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.auth.credentials.internal;
+
+import java.lang.reflect.InvocationTargetException;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.auth.credentials.WebIdentityTokenCredentialsProviderFactory;
+
+/**
+ * Utility class used to configure credential providers based on JWT web identity tokens.
+ */
+@SdkInternalApi
+public final class WebIdentityCredentialsUtils {
+
+    private static final String STS_WEB_IDENTITY_CREDENTIALS_PROVIDER_FACTORY =
+        "software.amazon.awssdk.services.sts.internal.StsWebIdentityCredentialsProviderFactory";
+
+    private WebIdentityCredentialsUtils() {}
+
+    /**
+     * Resolves the StsWebIdentityCredentialsProviderFactory from the Sts module if on the classpath to allow
+     * JWT web identity tokens to be used as credentials.
+     *
+     * @return WebIdentityTokenCredentialsProviderFactory
+     */
+    public static WebIdentityTokenCredentialsProviderFactory factory() {
+        try {
+            Class<?> stsCredentialsProviderFactory = Class.forName(STS_WEB_IDENTITY_CREDENTIALS_PROVIDER_FACTORY, true,
+                                                                   Thread.currentThread().getContextClassLoader());
+            return (WebIdentityTokenCredentialsProviderFactory) stsCredentialsProviderFactory.getConstructor().newInstance();
+        } catch (ClassNotFoundException e) {
+            throw new IllegalStateException("To use web identity tokens, the 'sts' service module must be on the class path.", e);
+        } catch (NoSuchMethodException | InvocationTargetException | InstantiationException | IllegalAccessException e) {
+            throw new IllegalStateException("Failed to create a web identity token credentials provider.", e);
+        }
+    }
+}

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/WebIdentityTokenCredentialProperties.java

@@ -0,0 +1,77 @@
+/*
+ * Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.auth.credentials.internal;
+
+import java.nio.file.Path;
+import software.amazon.awssdk.annotations.SdkProtectedApi;
+
+/**
+ * A container for credential properties.
+ */
+@SdkProtectedApi
+public class WebIdentityTokenCredentialProperties {
+
+    private final String roleArn;
+    private final String roleSessionName;
+    private final Path webIdentityTokenFile;
+
+    private WebIdentityTokenCredentialProperties(Builder builder) {
+        this.roleArn = builder.roleArn;
+        this.roleSessionName = builder.roleSessionName;
+        this.webIdentityTokenFile = builder.webIdentityTokenFile;
+    }
+
+    public String roleArn() {
+        return roleArn;
+    }
+
+    public String roleSessionName() {
+        return roleSessionName;
+    }
+
+    public Path webIdentityTokenFile() {
+        return webIdentityTokenFile;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static final class Builder {
+        private String roleArn;
+        private String roleSessionName;
+        private Path webIdentityTokenFile;
+
+        public Builder roleArn(String roleArn) {
+            this.roleArn = roleArn;
+            return this;
+        }
+
+        public Builder roleSessionName(String roleSessionName) {
+            this.roleSessionName = roleSessionName;
+            return this;
+        }
+
+        public Builder webIdentityTokenFile(Path webIdentityTokenFile) {
+            this.webIdentityTokenFile = webIdentityTokenFile;
+            return this;
+        }
+
+        public WebIdentityTokenCredentialProperties build() {
+            return new WebIdentityTokenCredentialProperties(this);
+        }
+    }
+}