Cognito credential provider support

.builder/actions/crt-ci-prep-xcodebuild.py

@@ -0,0 +1,9 @@
+import Builder
+
+class CrtCiPrepXCodebuild(Builder.Action):
+    def run(self, env):
+        env.shell.setenv("TEST_RUNNER_AWS_TESTING_STS_ROLE_ARN", env.shell.get_secret("aws-c-auth-testing/sts-role-arn"))
+        actions = [
+            Builder.SetupCrossCICrtEnvironment(use_xcodebuild=True)
+        ]
+        return Builder.Script(actions, name='crt-ci-prep-xcodebuild')

.github/workflows/ci.yml

@@ -6,8 +6,8 @@ on:
       - 'main'
 
 env:
-  BUILDER_VERSION: v0.9.73
-  BUILDER_SOURCE: releases
+  BUILDER_VERSION: xcodebuild_setup
+  BUILDER_SOURCE: channels
   BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net
   PACKAGE_NAME: aws-crt-swift
   RUN: ${{ github.run_id }}-${{ github.run_number }}
@@ -100,6 +100,10 @@ jobs:
             xcode: Xcode_15.2
           - runner: macos-13
             xcode: Xcode_15.2
+          - runner: macos-13-xlarge
+            target: { os: ios, destination: 'iOS Simulator,OS=16.1,name=iPhone 14'}
+          - runner: macos-13
+            target: { os: ios, destination: 'iOS Simulator,OS=16.1,name=iPhone 14'}
           # Don't run new macOS with old Xcode
           - runner: macos-14-large
             xcode: Xcode_14.1

Package.swift

@@ -113,7 +113,6 @@ packageTargets.append(.target(
         .define("S2N_BUILD_RELEASE"),
         .define("_FORTIFY_SOURCE", to: "2"),
         .define("POSIX_C_SOURCE", to: "200809L"),
-
     ]
 ))
 #endif

Source/AwsCommonRuntimeKit/auth/credentials/CredentialsProvider.swift

@@ -10,6 +10,68 @@ public protocol CredentialsProviding {
     func getCredentials() async throws -> Credentials
 }
 
+/// A pair defining an identity provider and a valid login token sourced from it.
+public struct CognitoLoginPair: CStruct {
+    public var IdentityProviderName: String
+    public var IdentityProviderToken: String
+
+    public init(identityProviderName: String,
+                identityProviderToken: String) {
+        self.IdentityProviderName = identityProviderName
+        self.IdentityProviderToken = identityProviderToken
+    }
+
+    typealias RawType = aws_cognito_identity_provider_token_pair
+    func withCStruct<Result>(_ body: (aws_cognito_identity_provider_token_pair) -> Result) -> Result {
+        var token_pair = aws_cognito_identity_provider_token_pair()
+
+        return withByteCursorFromStrings(IdentityProviderName,
+                                         IdentityProviderToken) { identityProviderNameCursor, IdentityProviderTokenCursor in
+            token_pair.identity_provider_name = identityProviderNameCursor
+            token_pair.identity_provider_token = IdentityProviderTokenCursor
+            return body(token_pair)
+        }
+    }
+}
+
+extension Array where Element == CognitoLoginPair {
+    func withCCognitoLoginPair<Result>(_ body: (OpaquePointer) throws -> Result) rethrows -> Result {
+        let array_list: UnsafeMutablePointer<aws_array_list> = allocator.allocate(capacity: 1)
+        defer {
+            aws_array_list_clean_up(array_list)
+            allocator.release(array_list)
+        }
+        guard aws_array_list_init_dynamic(
+            array_list,
+            allocator.rawValue,
+            count,
+            MemoryLayout<aws_cognito_identity_provider_token_pair>.size) == AWS_OP_SUCCESS else {
+            fatalError("Unable to initialize array of user properties")
+        }
+        forEach {
+            $0.withCPointer {
+                // `aws_array_list_push_back` will do a memory copy of $0 into array_list
+                guard aws_array_list_push_back(array_list, $0) == AWS_OP_SUCCESS else {
+                    fatalError("Unable to add user property")
+                }
+            }
+        }
+        return try body(OpaquePointer(array_list.pointee.data))
+    }
+}
+
+/// Helper function to convert Swift [CognitoLoginPair]? into a native aws_cognito_identity_provider_token_pair pointer
+func withOptionalCognitoLoginPair<Result>(
+    of array: Array<CognitoLoginPair>?,
+    _ body: (OpaquePointer?) throws -> Result) rethrows -> Result {
+        guard let _array = array else {
+            return try body(nil)
+        }
+        return try _array.withCCognitoLoginPair { opaquePointer in
+            return try body(opaquePointer)
+        }
+    }
+
 public class CredentialsProvider: CredentialsProviding {
 
     let rawValue: UnsafeMutablePointer<aws_credentials_provider>
@@ -561,6 +623,66 @@ extension CredentialsProvider.Source {
             return provider
         }
     }
+
+    /// Credential Provider that sources credentials from Cognito Identity service
+    ///  - Parameters:
+    ///    - bootstrap: Connection bootstrap to use for any network connections made while sourcing credentials
+    ///    - tlsContext: TLS configuration for secure socket connections.
+    ///    - endpoint: Cognito service regional endpoint to source credentials from.
+    ///    - identity: Cognito identity to fetch credentials relative to.
+    ///    - logins: (Optional) set of identity provider token pairs to allow for authenticated identity access.
+    ///    - customRoleArn: (Optional) ARN of the role to be assumed when multiple roles were received in the token from the identity provider.
+    ///    - proxyOptions: (Optional) Http proxy configuration for the http request that fetches credentials
+    ///   - shutdownCallback:  (Optional) shutdown callback
+    /// - Returns: `CredentialsProvider`
+    /// - Throws: CommonRuntimeError.crtError
+    public static func `cognito`(bootstrap: ClientBootstrap,
+                                 tlsContext: TLSContext,
+                                 endpoint: String,
+                                 identity: String,
+                                 logins: [CognitoLoginPair]? = nil,
+                                 customRoleArn: String? = nil,
+                                 proxyOptions: HTTPProxyOptions? = nil,
+                                 shutdownCallback: ShutdownCallback? = nil) -> Self {
+        Self {
+            var cognitoOptions = aws_credentials_provider_cognito_options()
+            cognitoOptions.bootstrap = bootstrap.rawValue
+            cognitoOptions.tls_ctx = tlsContext.rawValue
+            let shutdownCallbackCore = ShutdownCallbackCore(shutdownCallback)
+            cognitoOptions.shutdown_options = shutdownCallbackCore.getRetainedCredentialProviderShutdownOptions()
+
+            guard let provider: UnsafeMutablePointer<aws_credentials_provider> = (withByteCursorFromStrings(
+                endpoint,
+                identity) { endpointCursor, identityCursor in
+
+                    cognitoOptions.endpoint = endpointCursor
+                    cognitoOptions.identity = identityCursor
+
+                    return withOptionalCStructPointer(to: proxyOptions) { proxyOptionsPointer in
+                        cognitoOptions.http_proxy_options = proxyOptionsPointer
+
+                        return withOptionalCognitoLoginPair(of: logins, { loginArrayPointer in
+                            if let loginArrayPointer, let loginCount = logins?.count {
+                                cognitoOptions.logins = UnsafeMutablePointer<aws_cognito_identity_provider_token_pair>(loginArrayPointer)
+                                cognitoOptions.login_count = loginCount
+                            }
+
+                            return withOptionalByteCursorPointerFromString(customRoleArn, { customRoleArnCursor in
+                                if let customRoleArnCursor {
+                                    cognitoOptions.custom_role_arn = UnsafeMutablePointer<aws_byte_cursor>(mutating: customRoleArnCursor)
+                                }
+                                return aws_credentials_provider_new_cognito_caching(allocator.rawValue, &cognitoOptions)
+                            })
+                        })
+                    }
+                })
+            else {
+                shutdownCallbackCore.release()
+                throw CommonRunTimeError.crtError(CRTError.makeFromLastError())
+            }
+            return provider
+        }
+    }
 }
 
 private func onGetCredentials(credentials: OpaquePointer?,

Source/AwsCommonRuntimeKit/mqtt/Mqtt5Client.swift

@@ -537,7 +537,7 @@ internal func MqttClientWebsocketTransform(
         }
         let httpRequest = HTTPRequest(nativeHttpMessage: request)
         @Sendable func signerTransform(request: HTTPRequestBase, errorCode: Int32) {
-            complete_fn?(request.rawValue, errorCode, complete_ctx)
+                complete_fn?(request.rawValue, errorCode, complete_ctx)
         }
 
         if clientCore.onWebsocketInterceptor != nil {

Source/AwsCommonRuntimeKit/mqtt/Mqtt5Options.swift

@@ -3,7 +3,6 @@
 
 import Foundation
 import AwsCMqtt
-import LibNative
 
 /// Configuration for all client topic aliasing behavior.
 public class TopicAliasingOptions: CStruct {
@@ -152,11 +151,11 @@
             _willDelayIntervalSec,
             self.receiveMaximum,
             self.maximumPacketSize) { sessionExpiryIntervalSecPointer,
                                       requestResponseInformationPointer,
                                       requestProblemInformationPointer,
                                       willDelayIntervalSecPointer,
                                       receiveMaximumPointer,
                                       maximumPacketSizePointer in
 
                 raw_connect_options.session_expiry_interval_seconds = sessionExpiryIntervalSecPointer
                 raw_connect_options.request_response_information = requestResponseInformationPointer
@@ -449,7 +448,7 @@
             self.httpProxyOptions,
             self.topicAliasingOptions,
             connnectOptions) { socketOptionsCPointer,
                                tlsOptionsCPointer,
                                httpProxyOptionsCPointer,
                                topicAliasingOptionsCPointer,
                                connectOptionsCPointer in

Source/AwsCommonRuntimeKit/mqtt/Mqtt5Packets.swift

@@ -4,7 +4,6 @@
 import Foundation
 import AwsCHttp
 import AwsCMqtt
-import LibNative
 
 /// Mqtt5 User Property
 public class UserProperty: CStruct {

Test/AwsCommonRuntimeKitTests/XCBaseTestCase.swift

@@ -68,6 +68,8 @@ extension XCTestCase {
     }
 
     func skipIfPlatformDoesntSupportTLS() throws {
+        // Skipped for secitem support as the unit tests requires enetitlement setup to have acces to
+        // the data protection keychain.
         try skipIfiOS()
         try skipIfwatchOS()
         try skipIftvOS()

Test/AwsCommonRuntimeKitTests/auth/CredentialsProviderTests.swift

@@ -218,6 +218,50 @@ class CredentialsProviderTests: XCBaseTestCase {
         wait(for: [shutdownWasCalled], timeout: 15)
     }
 
+
+    func testCreateDestroyCognitoCredsProviderWithoutHttpProxy() async throws {
+        let exceptionWasThrown = XCTestExpectation(description: "Exception was thrown")
+        do {
+            let cognitoEndpoint = try getEnvironmentVarOrSkipTest(environmentVarName: "AWS_TEST_MQTT5_COGNITO_ENDPOINT")
+            let cognitoIdentity = try getEnvironmentVarOrSkipTest(environmentVarName: "AWS_TEST_MQTT5_COGNITO_IDENTITY")
+
+
+            let provider = try CredentialsProvider(source: .cognito(bootstrap: getClientBootstrap(), tlsContext: getTlsContext(), endpoint: cognitoEndpoint, identity: cognitoIdentity, shutdownCallback: getShutdownCallback()))
+            let credentials = try await provider.getCredentials()
+            XCTAssertNotNil(credentials)
+        } catch is XCTSkip{ // skip the test as the environment var is not set
+            shutdownWasCalled.fulfill()
+        }catch {
+            exceptionWasThrown.fulfill()
+        }
+        wait(for: [shutdownWasCalled], timeout: 15)
+    }
+
+    // Http proxy related tests could only run behind vpc to access the proxy
+    func testCreateDestroyCognitoCredsProviderWithHttpProxy() async throws {
+        let exceptionWasThrown = XCTestExpectation(description: "Exception was thrown")
+        do {
+            let cognitoEndpoint = try getEnvironmentVarOrSkipTest(environmentVarName: "AWS_TEST_MQTT5_COGNITO_ENDPOINT")
+            let cognitoIdentity = try getEnvironmentVarOrSkipTest(environmentVarName: "AWS_TEST_MQTT5_COGNITO_IDENTITY")
+
+            let httpproxyHost = try getEnvironmentVarOrSkipTest(environmentVarName: "AWS_TEST_HTTP_PROXY_HOST")
+            let httpproxyPort = try getEnvironmentVarOrSkipTest(environmentVarName: "AWS_TEST_HTTP_PROXY_PORT")
+
+            let httpProxys = HTTPProxyOptions(hostName: httpproxyHost, port: UInt32(httpproxyPort)!, connectionType: .tunnel)
+
+            let provider = try CredentialsProvider(source: .cognito(bootstrap: getClientBootstrap(), tlsContext: getTlsContext(), endpoint: cognitoEndpoint, identity: cognitoIdentity, shutdownCallback: getShutdownCallback()))
+            let credentials = try await provider.getCredentials()
+            XCTAssertNotNil(credentials)
+        }
+        catch is XCTSkip{ // skip the test as the environment var is not set
+            shutdownWasCalled.fulfill()
+        }
+        catch {
+            exceptionWasThrown.fulfill()
+        }
+        wait(for: [shutdownWasCalled], timeout: 15)
+    }
+
     func testCreateDestroyStsWebIdentityInvalidEnv() async throws {
         XCTAssertThrowsError(try CredentialsProvider(source: .stsWebIdentity(
                 bootstrap: getClientBootstrap(),

Test/AwsCommonRuntimeKitTests/io/TLSContextTests.swift

@@ -42,6 +42,7 @@ class TLSContextTests: XCBaseTestCase {
 
 #if AWS_USE_SECITEM
     func testCreateTlsContextWithSecitemOptions() throws {
+        try skipIfPlatformDoesntSupportTLS()
         let certPath = try getEnvironmentVarOrSkipTest(environmentVarName: "AWS_TEST_MQTT311_IOT_CORE_X509_CERT")
         let privateKeyPath = try getEnvironmentVarOrSkipTest(environmentVarName: "AWS_TEST_MQTT311_IOT_CORE_X509_KEY")