|
| 1 | +//===----------------------------------------------------------------------===// |
| 2 | +// |
| 3 | +// This source file is part of the Soto for AWS open source project |
| 4 | +// |
| 5 | +// Copyright (c) 2017-2026 the Soto project authors |
| 6 | +// Licensed under Apache License v2.0 |
| 7 | +// |
| 8 | +// See LICENSE.txt for license information |
| 9 | +// See CONTRIBUTORS.txt for the list of Soto project authors |
| 10 | +// |
| 11 | +// SPDX-License-Identifier: Apache-2.0 |
| 12 | +// |
| 13 | +//===----------------------------------------------------------------------===// |
| 14 | + |
| 15 | +#if os(macOS) || os(Linux) |
| 16 | + |
| 17 | +import Foundation |
| 18 | +import Logging |
| 19 | +import SotoSignerV4 |
| 20 | + |
| 21 | +/// Obtains AWS credentials by executing an external process specified via `credential_process`. |
| 22 | +/// |
| 23 | +/// The command is executed via `/bin/sh -c` and must output JSON to stdout matching the |
| 24 | +/// AWS credential_process specification: |
| 25 | +/// https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-sourcing-external.html |
| 26 | +public struct CredentialProcessProvider: CredentialProvider { |
| 27 | + let command: String |
| 28 | + |
| 29 | + public init(command: String) { |
| 30 | + self.command = command |
| 31 | + } |
| 32 | + |
| 33 | + public var description: String { "CredentialProcessProvider" } |
| 34 | + |
| 35 | + public func getCredential(logger: Logger) async throws -> Credential { |
| 36 | + guard !command.isEmpty else { |
| 37 | + throw CredentialProcessError.commandEmpty |
| 38 | + } |
| 39 | + |
| 40 | + logger.debug("Executing credential_process", metadata: ["command": .string(command)]) |
| 41 | + |
| 42 | + let output = try await self.executeProcess() |
| 43 | + |
| 44 | + guard !output.isEmpty else { |
| 45 | + throw CredentialProcessError.failedToDecodeOutput |
| 46 | + } |
| 47 | + |
| 48 | + let decoded: CredentialProcessOutput |
| 49 | + do { |
| 50 | + decoded = try JSONDecoder().decode(CredentialProcessOutput.self, from: output) |
| 51 | + } catch { |
| 52 | + throw CredentialProcessError.failedToDecodeOutput |
| 53 | + } |
| 54 | + |
| 55 | + guard decoded.version == 1 else { |
| 56 | + throw CredentialProcessError.invalidVersion(decoded.version) |
| 57 | + } |
| 58 | + |
| 59 | + if let expirationString = decoded.expiration { |
| 60 | + guard let date = parseISO8601Date(expirationString) else { |
| 61 | + throw CredentialProcessError.invalidExpiration |
| 62 | + } |
| 63 | + return RotatingCredential( |
| 64 | + accessKeyId: decoded.accessKeyId, |
| 65 | + secretAccessKey: decoded.secretAccessKey, |
| 66 | + sessionToken: decoded.sessionToken, |
| 67 | + expiration: date |
| 68 | + ) |
| 69 | + } else { |
| 70 | + return StaticCredential( |
| 71 | + accessKeyId: decoded.accessKeyId, |
| 72 | + secretAccessKey: decoded.secretAccessKey, |
| 73 | + sessionToken: decoded.sessionToken |
| 74 | + ) |
| 75 | + } |
| 76 | + } |
| 77 | + |
| 78 | + private func executeProcess() async throws -> Data { |
| 79 | + try await withCheckedThrowingContinuation { continuation in |
| 80 | + let process = Process() |
| 81 | + process.executableURL = URL(fileURLWithPath: "/bin/sh") |
| 82 | + process.arguments = ["-c", command] |
| 83 | + |
| 84 | + let pipe = Pipe() |
| 85 | + process.standardOutput = pipe |
| 86 | + process.standardError = nil |
| 87 | + |
| 88 | + do { |
| 89 | + try process.run() |
| 90 | + } catch { |
| 91 | + continuation.resume(throwing: CredentialProcessError.failedToDecodeOutput) |
| 92 | + return |
| 93 | + } |
| 94 | + |
| 95 | + process.waitUntilExit() |
| 96 | + |
| 97 | + let status = process.terminationStatus |
| 98 | + guard status == 0 else { |
| 99 | + continuation.resume(throwing: CredentialProcessError.processExitedWithError(status)) |
| 100 | + return |
| 101 | + } |
| 102 | + |
| 103 | + let data = pipe.fileHandleForReading.readDataToEndOfFile() |
| 104 | + continuation.resume(returning: data) |
| 105 | + } |
| 106 | + } |
| 107 | + |
| 108 | +} |
| 109 | + |
| 110 | +// MARK: - Supporting Types |
| 111 | + |
| 112 | +private struct CredentialProcessOutput: Decodable, Sendable { |
| 113 | + let version: Int |
| 114 | + let accessKeyId: String |
| 115 | + let secretAccessKey: String |
| 116 | + let sessionToken: String? |
| 117 | + let expiration: String? |
| 118 | + |
| 119 | + enum CodingKeys: String, CodingKey { |
| 120 | + case version = "Version" |
| 121 | + case accessKeyId = "AccessKeyId" |
| 122 | + case secretAccessKey = "SecretAccessKey" |
| 123 | + case sessionToken = "SessionToken" |
| 124 | + case expiration = "Expiration" |
| 125 | + } |
| 126 | +} |
| 127 | + |
| 128 | +public struct CredentialProcessError: Error, Equatable, CustomStringConvertible { |
| 129 | + enum Internal: Equatable { |
| 130 | + case commandEmpty |
| 131 | + case processExitedWithError(Int32) |
| 132 | + case invalidVersion(Int) |
| 133 | + case failedToDecodeOutput |
| 134 | + case invalidExpiration |
| 135 | + } |
| 136 | + |
| 137 | + let value: Internal |
| 138 | + |
| 139 | + public static var commandEmpty: Self { .init(value: .commandEmpty) } |
| 140 | + public static func processExitedWithError(_ code: Int32) -> Self { .init(value: .processExitedWithError(code)) } |
| 141 | + public static func invalidVersion(_ version: Int) -> Self { .init(value: .invalidVersion(version)) } |
| 142 | + public static var failedToDecodeOutput: Self { .init(value: .failedToDecodeOutput) } |
| 143 | + public static var invalidExpiration: Self { .init(value: .invalidExpiration) } |
| 144 | + |
| 145 | + public var description: String { |
| 146 | + switch value { |
| 147 | + case .commandEmpty: |
| 148 | + "credential_process command is empty" |
| 149 | + case .processExitedWithError(let code): |
| 150 | + "credential_process exited with code \(code)" |
| 151 | + case .invalidVersion(let v): |
| 152 | + "credential_process returned unsupported Version \(v) (expected 1)" |
| 153 | + case .failedToDecodeOutput: |
| 154 | + "credential_process output could not be decoded as JSON" |
| 155 | + case .invalidExpiration: |
| 156 | + "credential_process returned an invalid Expiration timestamp" |
| 157 | + } |
| 158 | + } |
| 159 | +} |
| 160 | + |
| 161 | +#endif |
0 commit comments