diff --git a/packages/@aws-cdk/cli-plugin-contract/.eslintrc.js b/packages/@aws-cdk/cli-plugin-contract/.eslintrc.js new file mode 100644 index 0000000000000..b284f20df26e9 --- /dev/null +++ b/packages/@aws-cdk/cli-plugin-contract/.eslintrc.js @@ -0,0 +1,8 @@ +const baseConfig = require('@aws-cdk/cdk-build-tools/config/eslintrc'); +baseConfig.parserOptions.project = __dirname + '/tsconfig.json'; + +baseConfig.rules['import/no-extraneous-dependencies'] = ['error', { devDependencies: true, peerDependencies: true } ]; +baseConfig.rules['import/order'] = 'off'; +baseConfig.rules['@aws-cdk/invalid-cfn-imports'] = 'off'; + +module.exports = baseConfig; diff --git a/packages/@aws-cdk/cli-plugin-contract/.gitignore b/packages/@aws-cdk/cli-plugin-contract/.gitignore new file mode 100644 index 0000000000000..573a12d965554 --- /dev/null +++ b/packages/@aws-cdk/cli-plugin-contract/.gitignore @@ -0,0 +1,29 @@ +*.js +*.js.map +*.d.ts +*.gz +!lib/init-templates/**/javascript/**/* +node_modules +dist +.jsii +tsconfig.json + +# Generated by generate.sh +build-info.json + +.LAST_BUILD +.nyc_output +coverage +nyc.config.js +.LAST_PACKAGE +*.snk + +assets.json +npm-shrinkwrap.json +!.eslintrc.js +!jest.config.js + +junit.xml + +lib/**/*.wasm +lib/**/*.yaml diff --git a/packages/@aws-cdk/cli-plugin-contract/.npmignore b/packages/@aws-cdk/cli-plugin-contract/.npmignore new file mode 100644 index 0000000000000..5890f9a58f970 --- /dev/null +++ b/packages/@aws-cdk/cli-plugin-contract/.npmignore @@ -0,0 +1,23 @@ +# Don't include original .ts files when doing `npm pack` +*.ts +!*.d.ts +coverage +.nyc_output +*.tgz + +dist +.LAST_PACKAGE +.LAST_BUILD +*.snk + +*.tsbuildinfo + +tsconfig.json +.eslintrc.js +jest.config.js + +# exclude cdk artifacts +**/cdk.out +junit.xml +test/ +**/*.snapshot diff --git a/packages/@aws-cdk/cli-plugin-contract/LICENSE b/packages/@aws-cdk/cli-plugin-contract/LICENSE new file mode 100644 index 0000000000000..dcf28b52a83af --- /dev/null +++ b/packages/@aws-cdk/cli-plugin-contract/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2018-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/packages/@aws-cdk/cli-plugin-contract/NOTICE b/packages/@aws-cdk/cli-plugin-contract/NOTICE new file mode 100644 index 0000000000000..9d28b2500bc86 --- /dev/null +++ b/packages/@aws-cdk/cli-plugin-contract/NOTICE @@ -0,0 +1,16 @@ +AWS Cloud Development Kit (AWS CDK) +Copyright 2018-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +Third party attributions of this package can be found in the THIRD_PARTY_LICENSES file diff --git a/packages/@aws-cdk/cli-plugin-contract/README.md b/packages/@aws-cdk/cli-plugin-contract/README.md new file mode 100644 index 0000000000000..1df2892970abc --- /dev/null +++ b/packages/@aws-cdk/cli-plugin-contract/README.md @@ -0,0 +1,59 @@ +# AWS CDK CLI Library + + + +--- + +![cdk-constructs: Stable](https://img.shields.io/badge/cdk--constructs-stable-success.svg?style=for-the-badge) + +--- + + + +## Overview + +As any piece of software that interacts with an AWS account, the CDK CLI needs +AWS credentials for authentication and authorization. When it comes to choose +which sources to get credentials from, it has +the [same behavior as the AWS CLI][cli-auth]. But this basic behavior may result +in some failure scenarios: + +- The initial set of credentials to work with cannot be obtained. +- The account to which the initial credentials belong to cannot be obtained. +- The account associated to the credentials is different from the account on + which the CLI is trying to operate on. + +Since these failures may happen for valid use case reasons, the CDK CLI offers +an alternative mechanism for users to provide AWS credentials: credential +provider plugins. + +This package defines the types and the contract between the CLI and the plugins, +which plugin authors are expected to adhere to. + +The entrypoint is communicated to the CLI via the `--plugin` command line +argument. The value of this argument should be a JavaScript file that, when +`require`'d, will return an instance of the `Plugin` interface. + +Once the CLI gets an instance of a plugin, it first initializes plugin by +calling the `Plugin.init()` method, if one is defined. The CLI uses this method +to pass an instance of `IPluginHost` to the plugin. The +plugin, in turn, can use the repository to register one or more instances of +`CredentialProviderSource`, which is where the actual logic for providing +credentials is located. + +If, in the authentication process, the CLI decides to use plugins, it will try +each credential provider source in the order in which they were registered. For +each source, the first thing the CLI will check is whether the source is ready +to interact at all, by calling the `isAvailable()` +method. If it is available, the next check is whether it can provide credentials +for the specific account the CLI is targeting at that moment. This is the +`canProvideCredentials()` method. + +If both checks pass, the CLI asks the source for credentials by calling +`getProvider()`. In addition to the account ID, this method also receives the +`Mode` of operation, which can be `ForReading` or `ForWriting`. This information +may be useful to tailor the credentials for the use case. For example, if the +CLI needs the credentials only for reading, the plugin may return credentials +with more restricted permissions. + +[cli-auth]: (https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-authentication.html) diff --git a/packages/@aws-cdk/cli-plugin-contract/jest.config.js b/packages/@aws-cdk/cli-plugin-contract/jest.config.js new file mode 100644 index 0000000000000..d052cbb29f05d --- /dev/null +++ b/packages/@aws-cdk/cli-plugin-contract/jest.config.js @@ -0,0 +1,10 @@ +const baseConfig = require('@aws-cdk/cdk-build-tools/config/jest.config'); +module.exports = { + ...baseConfig, + coverageThreshold: { + global: { + ...baseConfig.coverageThreshold.global, + branches: 60, + }, + }, +}; diff --git a/packages/@aws-cdk/cli-plugin-contract/lib/index.ts b/packages/@aws-cdk/cli-plugin-contract/lib/index.ts new file mode 100644 index 0000000000000..a29ade62add15 --- /dev/null +++ b/packages/@aws-cdk/cli-plugin-contract/lib/index.ts @@ -0,0 +1,222 @@ +/** + * The basic contract for plug-ins to adhere to:: + * + * ```ts + * import { CustomCredentialProviderSource, IPluginHost, Plugin } from '@aws-cdk/cli-plugin-contract'; + * + * export default class FooCDKPlugIn implements Plugin { + * public readonly version = '1'; + * + * public init(host: IPluginHost) { + * host.registerCredentialProviderSource(new CustomCredentialProviderSource()); + * } + * } + * ``` + */ +export interface Plugin { + /** + * The version of the plug-in interface used by the plug-in. This will be used by + * the plug-in host to handle version changes. + */ + version: '1'; + + /** + * When defined, this function is invoked right after the plug-in has been loaded, + * so that the plug-in is able to initialize itself. It may call methods of the + * `CredentialProviderSourceRepository` instance it receives to register new + * `CredentialProviderSource` instances. + */ + init?: (host: IPluginHost) => void; +} + +/** + * Indicates that we want to query read-only credentials + * + * This type definition replaces the legacy `Mode.ForReading` enum value. We + * don't want to use that enum definition anymore, because it requires run-time + * code and we want this library to be a types-only package with no runtime + * implications. + * + * By all rights this should have been a string (`'for-reading'`), but due to + * legacy reasons this is now an integer value. + * + * Use as follows: + * + * ```ts + * 0 satisfies ForReading + * ``` + * + * If this bothers you a lot, you can copy/paste the following into your own + * plugin codebase: + * + * ```ts + * enum Mode { + * ForReading = 0, + * ForWriting = 1, + * } + * ``` + */ +export type ForReading = 0; + +/** + * Indicates that we want to query for read-write credentials + * + * This type definition replaces the legacy `Mode.ForWriting` enum value. We + * don't want to use that enum definition anymore, because it requires run-time + * code and we want this library to be a types-only package with no runtime + * implications. + * + * By all rights this should have been a string (`'for-writing'`), but due to + * legacy reasons this is now an integer value. + * + * Use as follows: + * + * ```ts + * 1 satisfies ForWriting + * ``` + * + * If this bothers you a lot, you can copy/paste the following into your own + * plugin codebase: + * + * ```ts + * enum Mode { + * ForReading = 0, + * ForWriting = 1, + * } + * ``` + */ +export type ForWriting = 1; + +/** + */ +export interface CredentialProviderSource { + name: string; + + /** + * Whether the credential provider is even online + * + * Guaranteed to be called before any of the other functions are called. + */ + isAvailable(): Promise; + + /** + * Whether the credential provider can provide credentials for the given account. + */ + canProvideCredentials(accountId: string): Promise; + + /** + * Construct a credential provider for the given account and the given access mode + * + * Guaranteed to be called only if canProvideCredentails() returned true at some point. + * + * While it is possible for the plugin to return a static set of credentials, it is + * recommended to return a provider. + */ + getProvider(accountId: string, mode: ForReading | ForWriting, options?: PluginProviderOptions): Promise; +} + +/** + * A list of credential provider sources + */ +export interface IPluginHost { + + /** + * Registers a credential provider source. If, in the authentication process, + * the CLI decides to try credentials from the plugins, it will go through the + * sources registered in this way, in the same order as they were registered. + */ + registerCredentialProviderSource(source: CredentialProviderSource): void; +} + +/** + * Options for the `getProvider()` function of a CredentialProviderSource + */ +export interface PluginProviderOptions { + /** + * Whether or not this implementation of the CLI will recognize the `SDKv3CompatibleCredentialProvider` return variant + * + * Unless otherwise indicated, the CLI version will only support SDKv3 + * credentials, not SDKv3 providers. You should avoid returning types that the + * consuming CLI will not understand, because it will most likely crash. + * + * @default false + */ + readonly supportsV3Providers?: boolean; +} + +export type PluginProviderResult = SDKv2CompatibleCredentials | SDKv3CompatibleCredentialProvider | SDKv3CompatibleCredentials; + +/** + * SDKv2-compatible credential provider. + * + * Based on the `Credentials` class in SDKv2. This object is a set of credentials + * and a credential provider in one (it is a set of credentials that remember + * where they came from and can refresh themselves). + */ +export interface SDKv2CompatibleCredentials { + /** + * AWS access key ID. + */ + accessKeyId: string; + + /** + * Time when credentials should be considered expired. + * Used in conjunction with expired. + */ + expireTime?: Date | null; + + /** + * AWS secret access key. + */ + secretAccessKey: string; + + /** + * AWS session token. + */ + sessionToken?: string; + + /** + * Gets the existing credentials, refreshing them if necessary, and returns + * a promise that will be fulfilled immediately (if no refresh is necessary) + * or when the refresh has completed. + */ + getPromise(): Promise; +} + +/** + * Provider for credentials + * + * Based on the `AwsCredentialIdentityProvider` type from SDKv3. This type + * is only a credential factory. It may or may not be cached; that is, + * calling the provider twice may do 2 API requests, or it may do one + * if the result from the first call can be reused. + */ +export type SDKv3CompatibleCredentialProvider = (identityProperties?: Record) => Promise; + +/** + * Based on the `AwsCredentialIdentity` type from SDKv3. + * + * This is a static set of credentials. + */ +export interface SDKv3CompatibleCredentials { + /** + * AWS access key ID + */ + readonly accessKeyId: string; + + /** + * AWS secret access key + */ + readonly secretAccessKey: string; + + /** + * A security or session token to use with these credentials. Usually + * present for temporary credentials. + */ + readonly sessionToken?: string; + + /** + * A `Date` when the identity or credential will no longer be accepted. + */ + readonly expiration?: Date; +} diff --git a/packages/@aws-cdk/cli-plugin-contract/package.json b/packages/@aws-cdk/cli-plugin-contract/package.json new file mode 100644 index 0000000000000..860ea3a2597a8 --- /dev/null +++ b/packages/@aws-cdk/cli-plugin-contract/package.json @@ -0,0 +1,57 @@ +{ + "name": "@aws-cdk/cli-plugin-contract", + "description": "Contract between the CLI and authentication plugins, for the exchange of AWS credentials", + "version": "0.0.0", + "types": "lib/index.d.ts", + "main": "lib/index.js", + "scripts": { + "build": "cdk-build", + "lint": "cdk-lint", + "pkglint": "pkglint -f", + "watch": "cdk-watch", + "build+test": "yarn build && yarn test", + "build+extract": "yarn build", + "build+test+package": "yarn build+test && yarn package", + "build+test+extract": "yarn build+test", + "package": "cdk-package", + "test": "cdk-test" + }, + "ubergen": { + "exclude": true + }, + "author": { + "name": "Amazon Web Services", + "url": "https://aws.amazon.com", + "organization": true + }, + "license": "Apache-2.0", + "devDependencies": { + "@aws-cdk/cdk-build-tools": "0.0.0", + "@aws-cdk/pkglint": "0.0.0", + "ts-node": "^10.9.2" + }, + "repository": { + "url": "https://github.com/aws/aws-cdk.git", + "type": "git", + "directory": "packages/@aws-cdk/cli-plugin-contract" + }, + "keywords": [ + "aws", + "cdk" + ], + "homepage": "https://github.com/aws/aws-cdk", + "separate-module": true, + "engines": { + "node": ">= 14.15.0" + }, + "stability": "stable", + "maturity": "stable", + "publishConfig": { + "tag": "latest" + }, + "awscdkio": { + "announce": false + }, + "dependencies": {}, + "peerDependencies": {} +} diff --git a/packages/@aws-cdk/cli-plugin-contract/tsconfig.json b/packages/@aws-cdk/cli-plugin-contract/tsconfig.json new file mode 100644 index 0000000000000..4ff0e9d59a3ad --- /dev/null +++ b/packages/@aws-cdk/cli-plugin-contract/tsconfig.json @@ -0,0 +1,24 @@ +{ + "compilerOptions": { + "target":"ES2020", + "module": "commonjs", + "lib": ["es2020", "dom"], + "declaration": true, + "composite": true, + "strict": true, + "noImplicitAny": true, + "strictNullChecks": true, + "noImplicitThis": true, + "alwaysStrict": true, + "noUnusedLocals": true, + "noUnusedParameters": true, + "noImplicitReturns": true, + "noFallthroughCasesInSwitch": false, + "strictPropertyInitialization":false, + "inlineSourceMap": true, + "inlineSources": true, + "experimentalDecorators": true + }, + "include": ["**/*.ts" ], + "exclude": ["node_modules"] +} diff --git a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts index 1c9e214eca067..8d7541f42287f 100644 --- a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts +++ b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts @@ -1,9 +1,11 @@ import { inspect } from 'util'; +import type { CredentialProviderSource, ForReading, ForWriting, PluginProviderResult, SDKv2CompatibleCredentials, SDKv3CompatibleCredentialProvider, SDKv3CompatibleCredentials } from '@aws-cdk/cli-plugin-contract'; import type { AwsCredentialIdentity, AwsCredentialIdentityProvider } from '@smithy/types'; -import { debug, warning } from '../../logging'; -import { CredentialProviderSource, PluginProviderResult, Mode, PluginHost, SDKv2CompatibleCredentials, SDKv3CompatibleCredentialProvider, SDKv3CompatibleCredentials } from '../plugin'; import { credentialsAboutToExpire, makeCachingProvider } from './provider-caching'; +import { debug, warning } from '../../logging'; import { AuthenticationError } from '../../toolkit/error'; +import { Mode } from '../plugin/mode'; +import { PluginHost } from '../plugin/plugin'; /** * Cache for credential providers. @@ -69,7 +71,7 @@ export class CredentialPlugins { debug(`Using ${source.name} credentials for account ${awsAccountId}`); return { - credentials: await v3ProviderFromPlugin(() => source.getProvider(awsAccountId, mode, { + credentials: await v3ProviderFromPlugin(() => source.getProvider(awsAccountId, mode as ForReading | ForWriting, { supportsV3Providers: true, })), pluginName: source.name, @@ -141,7 +143,7 @@ function v3ProviderFromV2Credentials(x: SDKv2CompatibleCredentials): AwsCredenti accessKeyId: x.accessKeyId, secretAccessKey: x.secretAccessKey, sessionToken: x.sessionToken, - expiration: x.expireTime, + expiration: x.expireTime ?? undefined, }; }; } diff --git a/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts b/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts index 22e4b357e191d..f4461a7f706b2 100644 --- a/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts +++ b/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts @@ -20,5 +20,6 @@ export function makeCachingProvider(provider: AwsCredentialIdentityProvider): Aw export function credentialsAboutToExpire(token: AwsCredentialIdentity) { const expiryMarginSecs = 5; + // token.expiration is sometimes null return !!token.expiration && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000; } diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts index 69fc1923e1dd7..0618cd3503acb 100644 --- a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts +++ b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts @@ -8,12 +8,12 @@ import { AwsCredentialIdentityProvider, Logger } from '@smithy/types'; import { AwsCliCompatible } from './awscli-compatible'; import { cached } from './cached'; import { CredentialPlugins } from './credential-plugins'; +import { makeCachingProvider } from './provider-caching'; import { SDK } from './sdk'; import { debug, warning } from '../../logging'; -import { traceMethods } from '../../util/tracing'; -import { Mode } from '../plugin'; -import { makeCachingProvider } from './provider-caching'; import { AuthenticationError } from '../../toolkit/error'; +import { traceMethods } from '../../util/tracing'; +import { Mode } from '../plugin/mode'; export type AssumeRoleAdditionalOptions = Partial>; diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts b/packages/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts index bb221c6f52869..ad0acf18bf477 100644 --- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts +++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts @@ -10,7 +10,7 @@ import { ToolkitError } from '../../toolkit/error'; import { rootDir } from '../../util/directories'; import type { SDK, SdkProvider } from '../aws-auth'; import type { SuccessfulDeployStackResult } from '../deploy-stack'; -import { Mode } from '../plugin'; +import { Mode } from '../plugin/mode'; export type BootstrapSource = { source: 'legacy' } | { source: 'default' } | { source: 'custom'; templateFile: string }; diff --git a/packages/aws-cdk/lib/api/bootstrap/deploy-bootstrap.ts b/packages/aws-cdk/lib/api/bootstrap/deploy-bootstrap.ts index 00ef3be686798..ad6ac4516c95c 100644 --- a/packages/aws-cdk/lib/api/bootstrap/deploy-bootstrap.ts +++ b/packages/aws-cdk/lib/api/bootstrap/deploy-bootstrap.ts @@ -14,7 +14,7 @@ import * as logging from '../../logging'; import type { SDK, SdkProvider } from '../aws-auth'; import { assertIsSuccessfulDeployStackResult, deployStack, SuccessfulDeployStackResult } from '../deploy-stack'; import { NoBootstrapStackEnvironmentResources } from '../environment-resources'; -import { Mode } from '../plugin'; +import { Mode } from '../plugin/mode'; import { DEFAULT_TOOLKIT_STACK_NAME, ToolkitInfo } from '../toolkit-info'; /** diff --git a/packages/aws-cdk/lib/api/environment-access.ts b/packages/aws-cdk/lib/api/environment-access.ts index 1985801c2151e..64494322dfd2f 100644 --- a/packages/aws-cdk/lib/api/environment-access.ts +++ b/packages/aws-cdk/lib/api/environment-access.ts @@ -3,7 +3,7 @@ import { SDK } from './aws-auth'; import { warning } from '../logging'; import { CredentialsOptions, SdkForEnvironment, SdkProvider } from './aws-auth/sdk-provider'; import { EnvironmentResources, EnvironmentResourcesRegistry } from './environment-resources'; -import { Mode } from './plugin'; +import { Mode } from './plugin/mode'; import { replaceEnvPlaceholders, StringWithoutPlaceholders } from './util/placeholders'; /** diff --git a/packages/aws-cdk/lib/api/garbage-collection/garbage-collector.ts b/packages/aws-cdk/lib/api/garbage-collection/garbage-collector.ts index 19441be95f788..ba22174ebeaf1 100644 --- a/packages/aws-cdk/lib/api/garbage-collection/garbage-collector.ts +++ b/packages/aws-cdk/lib/api/garbage-collection/garbage-collector.ts @@ -9,7 +9,7 @@ import { DEFAULT_TOOLKIT_STACK_NAME, ToolkitInfo } from '../toolkit-info'; import { ProgressPrinter } from './progress-printer'; import { ActiveAssetCache, BackgroundStackRefresh, refreshStacks } from './stack-refresh'; import { ToolkitError } from '../../toolkit/error'; -import { Mode } from '../plugin'; +import { Mode } from '../plugin/mode'; // Must use a require() otherwise esbuild complains // eslint-disable-next-line @typescript-eslint/no-require-imports diff --git a/packages/aws-cdk/lib/api/hotswap-deployments.ts b/packages/aws-cdk/lib/api/hotswap-deployments.ts index 3bfb3cd04c07c..8ff3103df3fb9 100644 --- a/packages/aws-cdk/lib/api/hotswap-deployments.ts +++ b/packages/aws-cdk/lib/api/hotswap-deployments.ts @@ -27,7 +27,7 @@ import { } from './hotswap/s3-bucket-deployments'; import { isHotswappableStateMachineChange } from './hotswap/stepfunctions-state-machines'; import { NestedStackTemplates, loadCurrentTemplateWithNestedStacks } from './nested-stack-helpers'; -import { Mode } from './plugin'; +import { Mode } from './plugin/mode'; import { CloudFormationStack } from './util/cloudformation'; // Must use a require() otherwise esbuild complains about calling a namespace diff --git a/packages/aws-cdk/lib/api/logs/find-cloudwatch-logs.ts b/packages/aws-cdk/lib/api/logs/find-cloudwatch-logs.ts index 760f63ad0f4c1..ea757c953ff73 100644 --- a/packages/aws-cdk/lib/api/logs/find-cloudwatch-logs.ts +++ b/packages/aws-cdk/lib/api/logs/find-cloudwatch-logs.ts @@ -4,7 +4,7 @@ import { debug } from '../../logging'; import type { SDK, SdkProvider } from '../aws-auth'; import { EnvironmentAccess } from '../environment-access'; import { EvaluateCloudFormationTemplate, LazyListStackResources } from '../evaluate-cloudformation-template'; -import { Mode } from '../plugin'; +import { Mode } from '../plugin/mode'; import { DEFAULT_TOOLKIT_STACK_NAME } from '../toolkit-info'; // resource types that have associated CloudWatch Log Groups that should _not_ be monitored diff --git a/packages/aws-cdk/lib/api/plugin/credential-provider-source.ts b/packages/aws-cdk/lib/api/plugin/credential-provider-source.ts deleted file mode 100644 index 208090675cb2d..0000000000000 --- a/packages/aws-cdk/lib/api/plugin/credential-provider-source.ts +++ /dev/null @@ -1,124 +0,0 @@ -export enum Mode { - ForReading, - ForWriting, -} - -/** - */ -export interface CredentialProviderSource { - name: string; - - /** - * Whether the credential provider is even online - * - * Guaranteed to be called before any of the other functions are called. - */ - isAvailable(): Promise; - - /** - * Whether the credential provider can provide credentials for the given account. - */ - canProvideCredentials(accountId: string): Promise; - - /** - * Construct a credential provider for the given account and the given access mode - * - * Guaranteed to be called only if canProvideCredentails() returned true at some point. - * - * While it is possible for the plugin to return a static set of credentials, it is - * recommended to return a provider. - */ - getProvider(accountId: string, mode: Mode, options?: PluginProviderOptions): Promise; -} - -/** - * Options for the `getProvider()` function of a CredentialProviderSource - */ -export interface PluginProviderOptions { - /** - * Whether or not this implementation of the CLI will recognize the `SDKv3CompatibleCredentialProvider` return variant - * - * Unless otherwise indicated, the CLI version will only support SDKv3 - * credentials, not SDKv3 providers. You should avoid returning types that the - * consuming CLI will not understand, because it will most likely crash. - * - * @default false - */ - readonly supportsV3Providers?: boolean; -} - -export type PluginProviderResult = SDKv2CompatibleCredentials | SDKv3CompatibleCredentialProvider | SDKv3CompatibleCredentials; - -/** - * SDKv2-compatible credential provider. - * - * Based on the `Credentials` class in SDKv2. This object is a set of credentials - * and a credential provider in one (it is a set of credentials that remember - * where they came from and can refresh themselves). - */ -export interface SDKv2CompatibleCredentials { - /** - * AWS access key ID. - */ - accessKeyId: string; - /** - * Whether the credentials have been expired and require a refresh. - * Used in conjunction with expireTime. - */ - expired: boolean; - /** - * Time when credentials should be considered expired. - * Used in conjunction with expired. - */ - expireTime: Date; - /** - * AWS secret access key. - */ - secretAccessKey: string; - /** - * AWS session token. - */ - sessionToken: string; - - /** - * Gets the existing credentials, refreshing them if necessary, and returns - * a promise that will be fulfilled immediately (if no refresh is necessary) - * or when the refresh has completed. - */ - getPromise(): Promise; -} - -/** - * Provider for credentials - * - * Based on the `AwsCredentialIdentityProvider` type from SDKv3. This type - * is only a credential factory. It may or may not be cached; that is, - * calling the provider twice may do 2 API requests, or it may do one - * if the result from the first call can be reused. - */ -export type SDKv3CompatibleCredentialProvider = (identityProperties?: Record) => Promise; - -/** - * Based on the `AwsCredentialIdentity` type from SDKv3. - * - * This is a static set of credentials. - */ -export interface SDKv3CompatibleCredentials { - /** - * AWS access key ID - */ - readonly accessKeyId: string; - /** - * AWS secret access key - */ - readonly secretAccessKey: string; - /** - * A security or session token to use with these credentials. Usually - * present for temporary credentials. - */ - readonly sessionToken?: string; - /** - * A `Date` when the identity or credential will no longer be accepted. - */ - readonly expiration?: Date; -} diff --git a/packages/aws-cdk/lib/api/plugin/index.ts b/packages/aws-cdk/lib/api/plugin/index.ts index 5309a2ff7eba4..f759fe0f59d8a 100644 --- a/packages/aws-cdk/lib/api/plugin/index.ts +++ b/packages/aws-cdk/lib/api/plugin/index.ts @@ -1,3 +1,2 @@ export * from './plugin'; export * from './context-provider-plugin'; -export * from './credential-provider-source'; diff --git a/packages/aws-cdk/lib/api/plugin/mode.ts b/packages/aws-cdk/lib/api/plugin/mode.ts new file mode 100644 index 0000000000000..5ed9d115ad75b --- /dev/null +++ b/packages/aws-cdk/lib/api/plugin/mode.ts @@ -0,0 +1,6 @@ +import type { ForReading as PluginForReading, ForWriting as PluginForWriting } from '@aws-cdk/cli-plugin-contract'; + +export enum Mode { + ForReading = 0 satisfies PluginForReading, + ForWriting = 1 satisfies PluginForWriting, +} diff --git a/packages/aws-cdk/lib/api/plugin/plugin.ts b/packages/aws-cdk/lib/api/plugin/plugin.ts index 270c8343be404..484dd9fa2ec8c 100644 --- a/packages/aws-cdk/lib/api/plugin/plugin.ts +++ b/packages/aws-cdk/lib/api/plugin/plugin.ts @@ -1,8 +1,8 @@ import { inspect } from 'util'; +import type { CredentialProviderSource, IPluginHost, Plugin } from '@aws-cdk/cli-plugin-contract'; import * as chalk from 'chalk'; import { type ContextProviderPlugin, isContextProviderPlugin } from './context-provider-plugin'; -import type { CredentialProviderSource } from './credential-provider-source'; import { error } from '../../logging'; import { ToolkitError } from '../../toolkit/error'; @@ -12,42 +12,11 @@ export function markTesting() { TESTING = true; } -/** - * The basic contract for plug-ins to adhere to:: - * - * import { Plugin, PluginHost } from 'aws-cdk'; - * import { CustomCredentialProviderSource } from './custom-credential-provider-source'; - * - * export default class FooCDKPlugIn implements PluginHost { - * public readonly version = '1'; - * - * public init(host: PluginHost) { - * host.registerCredentialProviderSource(new CustomCredentialProviderSource()); - * } - * } - * - */ -export interface Plugin { - /** - * The version of the plug-in interface used by the plug-in. This will be used by - * the plug-in host to handle version changes. - */ - version: '1'; - - /** - * When defined, this function is invoked right after the plug-in has been loaded, - * so that the plug-in is able to initialize itself. It may call methods of the - * ``PluginHost`` instance it receives to register new ``CredentialProviderSource`` - * instances. - */ - init?: (host: PluginHost) => void; -} - /** * A utility to manage plug-ins. * */ -export class PluginHost { +export class PluginHost implements IPluginHost { public static instance = new PluginHost(); /** diff --git a/packages/aws-cdk/lib/api/util/placeholders.ts b/packages/aws-cdk/lib/api/util/placeholders.ts index 2d38d05db531d..28814a31a2235 100644 --- a/packages/aws-cdk/lib/api/util/placeholders.ts +++ b/packages/aws-cdk/lib/api/util/placeholders.ts @@ -1,7 +1,7 @@ import { type Environment, EnvironmentPlaceholders } from '@aws-cdk/cx-api'; import { Branded } from '../../util/type-brands'; import type { SdkProvider } from '../aws-auth/sdk-provider'; -import { Mode } from '../plugin/credential-provider-source'; +import { Mode } from '../plugin/mode'; /** * Replace the {ACCOUNT} and {REGION} placeholders in all strings found in a complex object. diff --git a/packages/aws-cdk/lib/commands/migrate.ts b/packages/aws-cdk/lib/commands/migrate.ts index 15a9115efbdc0..a6da22715ddc5 100644 --- a/packages/aws-cdk/lib/commands/migrate.ts +++ b/packages/aws-cdk/lib/commands/migrate.ts @@ -2,6 +2,7 @@ /* eslint-disable @typescript-eslint/no-var-requires */ import * as fs from 'fs'; import * as path from 'path'; +import type { ForReading } from '@aws-cdk/cli-plugin-contract'; import { Environment, UNKNOWN_ACCOUNT, UNKNOWN_REGION } from '@aws-cdk/cx-api'; import type { DescribeGeneratedTemplateCommandOutput, @@ -20,7 +21,6 @@ import * as chalk from 'chalk'; import { cliInit } from '../../lib/init'; import { print } from '../../lib/logging'; import type { ICloudFormationClient, SdkProvider } from '../api/aws-auth'; -import { Mode } from '../api/plugin'; import { CloudFormationStack } from '../api/util/cloudformation'; import { zipDirectory } from '../util/archive'; const camelCase = require('camelcase'); @@ -141,7 +141,7 @@ export async function readFromStack( sdkProvider: SdkProvider, environment: Environment, ): Promise { - const cloudFormation = (await sdkProvider.forEnvironment(environment, Mode.ForReading)).sdk.cloudFormation(); + const cloudFormation = (await sdkProvider.forEnvironment(environment, 0 satisfies ForReading)).sdk.cloudFormation(); const stack = await CloudFormationStack.lookup(cloudFormation, stackName, true); if (stack.stackStatus.isDeploySuccess || stack.stackStatus.isRollbackSuccess) { @@ -603,7 +603,7 @@ export function buildGenertedTemplateOutput( * @returns A CloudFormation sdk client */ export async function buildCfnClient(sdkProvider: SdkProvider, environment: Environment) { - const sdk = (await sdkProvider.forEnvironment(environment, Mode.ForReading)).sdk; + const sdk = (await sdkProvider.forEnvironment(environment, 0 satisfies ForReading)).sdk; sdk.appendCustomUserAgent('cdk-migrate'); return sdk.cloudFormation(); } diff --git a/packages/aws-cdk/lib/util/asset-publishing.ts b/packages/aws-cdk/lib/util/asset-publishing.ts index bc89be1211af6..b35cedb3209d4 100644 --- a/packages/aws-cdk/lib/util/asset-publishing.ts +++ b/packages/aws-cdk/lib/util/asset-publishing.ts @@ -14,7 +14,7 @@ import { } from 'cdk-assets'; import type { SDK } from '../api'; import type { SdkProvider } from '../api/aws-auth/sdk-provider'; -import { Mode } from '../api/plugin'; +import { Mode } from '../api/plugin/mode'; import { debug, error, print } from '../logging'; export interface PublishAssetsOptions { diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json index 589a3563f1791..af41fbc6059c9 100644 --- a/packages/aws-cdk/package.json +++ b/packages/aws-cdk/package.json @@ -68,6 +68,7 @@ "license": "Apache-2.0", "devDependencies": { "@aws-cdk/cdk-build-tools": "0.0.0", + "@aws-cdk/cli-plugin-contract": "0.0.0", "@aws-cdk/pkglint": "0.0.0", "@aws-cdk/cli-args-gen": "0.0.0", "@octokit/rest": "^18.12.0", diff --git a/packages/aws-cdk/test/api/credential-plugins.test.ts b/packages/aws-cdk/test/api/credential-plugins.test.ts new file mode 100644 index 0000000000000..7f212f6f1a5cb --- /dev/null +++ b/packages/aws-cdk/test/api/credential-plugins.test.ts @@ -0,0 +1,41 @@ +import type { PluginProviderResult, SDKv2CompatibleCredentials } from '@aws-cdk/cli-plugin-contract'; +import { CredentialPlugins } from '../../lib/api/aws-auth/credential-plugins'; +import { PluginHost } from '../../lib/api/plugin'; +import { Mode } from '../../lib/api/plugin/mode'; + +test('returns credential from plugin', async () => { + // GIVEN + const creds = { + accessKeyId: 'aaa', + secretAccessKey: 'bbb', + getPromise: () => Promise.resolve(), + } satisfies SDKv2CompatibleCredentials; + const host = PluginHost.instance; + + host.registerCredentialProviderSource({ + name: 'Fake', + + canProvideCredentials(_accountId: string): Promise { + return Promise.resolve(true); + }, + + isAvailable(): Promise { + return Promise.resolve(true); + }, + + getProvider(_accountId: string, _mode: Mode): Promise { + return Promise.resolve(creds); + }, + }); + + const plugins = new CredentialPlugins(); + + // WHEN + const pluginCredentials = await plugins.fetchCredentialsFor('aaa', Mode.ForReading); + + // THEN + await expect(pluginCredentials?.credentials()).resolves.toEqual(expect.objectContaining({ + accessKeyId: 'aaa', + secretAccessKey: 'bbb', + })); +}); diff --git a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts index af5f6012ed09d..0db7916c00079 100644 --- a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts +++ b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts @@ -1,6 +1,7 @@ +import { CredentialProviderSource, SDKv3CompatibleCredentials } from '@aws-cdk/cli-plugin-contract'; import { CredentialPlugins } from '../../../lib/api/aws-auth/credential-plugins'; import { credentialsAboutToExpire } from '../../../lib/api/aws-auth/provider-caching'; -import { CredentialProviderSource, Mode, SDKv3CompatibleCredentials } from '../../../lib/api/plugin/credential-provider-source'; +import { Mode } from '../../../lib/api/plugin/mode'; import { PluginHost, markTesting } from '../../../lib/api/plugin/plugin'; markTesting(); diff --git a/packages/aws-cdk/test/api/plugin/plugin-host.test.ts b/packages/aws-cdk/test/api/plugin/plugin-host.test.ts index 593d96ae6c77f..7d5ee82eb502e 100644 --- a/packages/aws-cdk/test/api/plugin/plugin-host.test.ts +++ b/packages/aws-cdk/test/api/plugin/plugin-host.test.ts @@ -1,6 +1,5 @@ -import { ContextProviderPlugin } from '../../../lib/api/plugin/context-provider-plugin'; -import { CredentialProviderSource } from '../../../lib/api/plugin/credential-provider-source'; -import { PluginHost, markTesting } from '../../../lib/api/plugin/plugin'; +import type { CredentialProviderSource } from '@aws-cdk/cli-plugin-contract'; +import { ContextProviderPlugin, PluginHost, markTesting } from '../../../lib/api/plugin'; markTesting(); diff --git a/packages/aws-cdk/test/api/sdk-provider.test.ts b/packages/aws-cdk/test/api/sdk-provider.test.ts index 7afe99a376175..6d87e891a93ea 100644 --- a/packages/aws-cdk/test/api/sdk-provider.test.ts +++ b/packages/aws-cdk/test/api/sdk-provider.test.ts @@ -8,7 +8,8 @@ import { FakeSts, RegisterRoleOptions, RegisterUserOptions } from './fake-sts'; import { ConfigurationOptions, CredentialsOptions, SDK, SdkProvider } from '../../lib/api/aws-auth'; import { AwsCliCompatible } from '../../lib/api/aws-auth/awscli-compatible'; import { defaultCliUserAgent } from '../../lib/api/aws-auth/user-agent'; -import { Mode, PluginHost } from '../../lib/api/plugin'; +import { PluginHost } from '../../lib/api/plugin'; +import { Mode } from '../../lib/api/plugin/mode'; import * as logging from '../../lib/logging'; import { withMocked } from '../util'; import { mockSTSClient, restoreSdkMocksToDefault } from '../util/mock-sdk'; diff --git a/packages/aws-cdk/test/cdk-toolkit.test.ts b/packages/aws-cdk/test/cdk-toolkit.test.ts index 5e4081e66dcb5..8dad7142baea7 100644 --- a/packages/aws-cdk/test/cdk-toolkit.test.ts +++ b/packages/aws-cdk/test/cdk-toolkit.test.ts @@ -86,7 +86,7 @@ import { RollbackStackResult, } from '../lib/api/deployments'; import { HotswapMode } from '../lib/api/hotswap/common'; -import { Mode } from '../lib/api/plugin'; +import { Mode } from '../lib/api/plugin/mode'; import { Template } from '../lib/api/util/cloudformation'; import { CdkToolkit, markTesting, Tag } from '../lib/cdk-toolkit'; import { RequireApproval } from '../lib/diff'; diff --git a/tools/@aws-cdk/pkglint/lib/rules.ts b/tools/@aws-cdk/pkglint/lib/rules.ts index 849c17f4ce067..808911a78e36d 100644 --- a/tools/@aws-cdk/pkglint/lib/rules.ts +++ b/tools/@aws-cdk/pkglint/lib/rules.ts @@ -1663,6 +1663,7 @@ export class UbergenPackageVisibility extends ValidationRule { // The ONLY (non-alpha) packages that should be published for v2. // These include dependencies of the CDK CLI (aws-cdk). private readonly v2PublicPackages = [ + '@aws-cdk/cli-plugin-contract', '@aws-cdk/cloudformation-diff', '@aws-cdk/cx-api', '@aws-cdk/region-info',