-
Notifications
You must be signed in to change notification settings - Fork 879
/
AWSCredentialsProvider.h
275 lines (216 loc) · 12.8 KB
/
AWSCredentialsProvider.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
//
// Copyright 2010-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License").
// You may not use this file except in compliance with the License.
// A copy of the License is located at
//
// http://aws.amazon.com/apache2.0
//
// or in the "license" file accompanying this file. This file is distributed
// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
// express or implied. See the License for the specific language governing
// permissions and limitations under the License.
//
#import <Foundation/Foundation.h>
#import "AWSServiceEnum.h"
#import "AWSIdentityProvider.h"
NS_ASSUME_NONNULL_BEGIN
FOUNDATION_EXPORT NSString *const AWSCognitoCredentialsProviderErrorDomain;
typedef NS_ENUM(NSInteger, AWSCognitoCredentialsProviderErrorType) {
AWSCognitoCredentialsProviderErrorUnknown,
AWSCognitoCredentialsProviderIdentityIdIsNil,
AWSCognitoCredentialsProviderInvalidConfiguration,
AWSCognitoCredentialsProviderInvalidCognitoIdentityToken,
AWSCognitoCredentialsProviderCredentialsRefreshTimeout,
};
@class AWSTask<__covariant ResultType>;
@class AWSCancellationTokenSource;
/**
An AWS credentials container class.
*/
@interface AWSCredentials : NSObject <NSCopying>
/**
Access Key component of credentials.
*/
@property (nonatomic, strong, readonly) NSString *accessKey;
/**
Secret Access Key component of credentials.
*/
@property (nonatomic, strong, readonly) NSString *secretKey;
/**
Session Token component of credentials.
*/
@property (nonatomic, strong, readonly, nullable) NSString *sessionKey;
/**
Date at which these credentials will expire.
*/
@property (nonatomic, strong, readonly, nullable) NSDate *expiration;
/**
Initiates an AWS credentials object.
@param accessKey An AWS Access key.
@param secretKey An AWS Secret key.
@param sessionKey An AWS Session key.
@param expiration The expiration date of the temporary AWS credentials.
@return An AWS credentials object.
*/
- (instancetype)initWithAccessKey:(NSString *)accessKey
secretKey:(NSString *)secretKey
sessionKey:(nullable NSString *)sessionKey
expiration:(nullable NSDate *)expiration;
@end
/**
The AWS credentials provider protocol used to provide credentials to the SDK in order to make calls to the AWS services.
*/
@protocol AWSCredentialsProvider <NSObject>
/**
Asynchronously returns a valid AWS credentials or an error object if it cannot retrieve valid credentials. It should cache valid credentials as much as possible and refresh them when they are invalid.
@return A valid AWS credentials or an error object describing the error.
*/
- (AWSTask<AWSCredentials *> *)credentials;
/**
Invalidates the cached temporary AWS credentials. If the credentials provider does not cache temporary credentials, this operation is a no-op.
*/
- (void)invalidateCachedTemporaryCredentials;
@end
/**
@warning This credentials provider is intended only for testing purposes.
We strongly discourage embedding AWS credentials in your production apps because they can be easily extracted and abused. Consider using `AWSCognitoCredentialsProvider`.
*/
@interface AWSStaticCredentialsProvider : NSObject <AWSCredentialsProvider>
/**
Instantiates a static credentials provider.
@param accessKey An AWS Access key.
@param secretKey An AWS Secret key.
@return An AWS credentials object.
*/
- (instancetype)initWithAccessKey:(NSString *)accessKey
secretKey:(NSString *)secretKey;
@end
/**
@warning This credentials provider is intended only for testing purposes.
We strongly discourage embedding AWS credentials in your production apps because they can be easily extracted and abused. Consider using `AWSCognitoCredentialsProvider`.
Simple session credentials with keys and session token.
*/
@interface AWSBasicSessionCredentialsProvider: NSObject <AWSCredentialsProvider>
/**
Instantiates a static credentials provider.
@param accessKey An AWS Access key.
@param secretKey An AWS Secret key.
@param sessionToken The session token for this session.
@return An AWS credentials object.
*/
- (instancetype)initWithAccessKey:(NSString *)accessKey
secretKey:(NSString *)secretKey
sessionToken:(NSString *)sessionToken;
@end
@interface AWSAnonymousCredentialsProvider : NSObject <AWSCredentialsProvider>
@end
/**
A credentials provider that uses AWS STS web identity federation.
*/
@interface AWSWebIdentityCredentialsProvider : NSObject <AWSCredentialsProvider>
@property (nonatomic, strong) NSString *webIdentityToken;
@property (nonatomic, strong) NSString *roleArn;
@property (nonatomic, strong) NSString *roleSessionName;
@property (nonatomic, strong) NSString *providerId;
- (instancetype)initWithRegionType:(AWSRegionType)regionType
providerId:(nullable NSString *)providerId
roleArn:(NSString *)roleArn
roleSessionName:(NSString *)roleSessionName
webIdentityToken:(NSString *)webIdentityToken;
@end
/**
An AWSCredentialsProvider that uses Amazon Cognito to fetch temporary credentials tied to an identity.
To learn more about Amazon Cognito, please visit <a href="https://aws.amazon.com/cognito">https://aws.amazon.com/cognito</a>.
There are 3 different flows supported by this credentials provider, see factory and init methods for choosing the right one for your use case:
1. Enhanced flow: Uses Cognito for all operations and only requires an identity pool id to initialize.
2. Basic flow: Uses Cognito + STS and requires identity pool plus IAM roles
3. Developer authenticated identities: Uses your own AWSCognitoCredentialsProviderHelper to establish identity +
Cognito (and optionally STS) to establish credentials.
*/
@interface AWSCognitoCredentialsProvider : NSObject <AWSCredentialsProvider>
/**
The identityProvider which is responsible for establishing the identity id and (optionally) the open id token for use in the Amazon Cognito authflow.
*/
@property (nonatomic, strong, readonly) id<AWSCognitoCredentialsProviderHelper> identityProvider;
/**
The identity id associated with this provider. This value will be fetched from the keychain at startup. If you do not want to reuse the existing identity id, you must call the clearKeychain method.
*/
@property (atomic, strong, readonly, nullable) NSString *identityId;
/**
The identity pool id associated with this provider. Also used to create a namedspaced keychain area to store identity id and credentials.
*/
@property (nonatomic, strong, readonly) NSString *identityPoolId;
/**
Initializer for credentials provider with enhanced authentication flow. This is the recommended constructor for first time Amazon Cognito developers. Will create an instance of `AWSEnhancedCognitoIdentityProvider`.
@param regionType The region in which your identity pool exists.
@param identityPoolId The identity pool id for this provider. Value is used to communicate with Amazon Cognito as well as namespace values stored in the keychain.
*/
- (instancetype)initWithRegionType:(AWSRegionType)regionType
identityPoolId:(NSString *)identityPoolId;
/**
Initializer for credentials provider with enhanced authentication flow. This is the recommended constructor for first time Amazon Cognito developers. Will create an instance of `AWSEnhancedCognitoIdentityProvider`.
@param regionType The region in which your identity pool exists.
@param identityPoolId The identity pool id for this provider. Value is used to communicate with Amazon Cognito as well as namespace values stored in the keychain.
@param configuration Configuration to be used while creating service client for Identity Pool
*/
- (instancetype)initWithRegionType:(AWSRegionType)regionType
identityPoolId:(NSString *)identityPoolId
identityPoolConfiguration:(AWSServiceConfiguration *)configuration;
/**
Initializer for credentials provider with enhanced authentication flow. This is the recommended method for first time Amazon Cognito developers. Will create an instance of `AWSEnhancedCognitoIdentityProvider`.
@param regionType The region in which your identity pool exists.
@param identityPoolId The identity pool id for this provider. Value is used to communicate with Amazon Cognito as well as namespace values stored in the keychain.
@param identityProviderManager An object that conforms to the `AWSIdentityProviderManager` protocol. It should return a valid `login` dictionary when requested. Can be nil if identity is unauthenticated.
*/
- (instancetype)initWithRegionType:(AWSRegionType)regionType
identityPoolId:(NSString *)identityPoolId
identityProviderManager:(nullable id<AWSIdentityProviderManager>)identityProviderManager;
/**
Initializer for credentials provider with pre-created `AWSCognitoCredentialsProviderHelper`. Use this method when using developer authenticated identities.
@param regionType The region in which your identity pool exists.
@param identityProvider Implementation of AWSCognitoCredentialsProviderHelper which is responsible for acquiring identity id and (optionally) OpenId Connect token.
*/
- (instancetype)initWithRegionType:(AWSRegionType)regionType
identityProvider:(id<AWSCognitoCredentialsProviderHelper>)identityProvider;
/**
Initializer for credentials provider with pre-created `AWSCognitoCredentialsProviderHelper`. Only use this method if you need to set your IAM roles client side and use developer authenticated identities
@param regionType The region in which your identity pool exists.
@param unauthRoleArn The role ARN to use when getting credentials for unauthenticated identities. Provider will check the `isAuthenticated` property of the identity provider to determine which role to use. Can be nil if unauthenticated identities are not supported or if using enhanced authentication flow.
@param authRoleArn The role ARN to use when getting credentials for authenticated identities. Provider will check the `isAuthenticated` property of the identity provider to determine which role to use. Can be nil if authenticated identities are not supported or if using enhanced authentication flow.
@param identityProvider Implementation of AWSCognitoCredentialsProviderHelper which is responsible for acquiring identity id and (optionally) OpenId Connect token.
*/
- (instancetype)initWithRegionType:(AWSRegionType)regionType
unauthRoleArn:(nullable NSString *)unauthRoleArn
authRoleArn:(nullable NSString *)authRoleArn
identityProvider:(id<AWSCognitoCredentialsProviderHelper>)identityProvider;
/**
Initializer for credentials provider with basic auth flow. Only use this method if you still need to set your IAM roles client side. This method will create an instance of `AWSBasicCognitoIdentityProvider`.
@param regionType The region in which your identity pool exists.
@param identityPoolId The identity pool id for this provider. Value is used to communicate with Amazon Cognito as well as namespace values stored in the keychain.
@param unauthRoleArn The role ARN to use when getting credentials for unauthenticated identities. Provider will check the `isAuthenticated` property of the identity provider to determine which role to use. Can be nil if unauthenticated identities are not supported.
@param authRoleArn The role ARN to use when getting credentials for authenticated identities. Provider will check the `isAuthenticated` property of the identity provider to determine which role to use. Can be nil if authenticated identities are not supported.
@param identityProviderManager An object that conforms to the `AWSIdentityProviderManager` protocol. It should return a valid `login` dictionary when requested. Can be nil if identity is unauthenticated.
*/
- (instancetype)initWithRegionType:(AWSRegionType)regionType
identityPoolId:(NSString *)identityPoolId
unauthRoleArn:(nullable NSString *)unauthRoleArn
authRoleArn:(nullable NSString *)authRoleArn
identityProviderManager:(nullable id<AWSIdentityProviderManager>)identityProviderManager;
/**
Get/retrieve the identity id for this provider. If an identity id is already set on this provider, no remote call is made and the identity will be returned as a result of the AWSTask (the identityId is also available as a property). If no identityId is set on this provider, one will be retrieved from the service.
@return AWSTask
*/
- (AWSTask<NSString *> *)getIdentityId;
/**
Clear ALL saved values for this provider (identityId, credentials, logins).
*/
- (void)clearKeychain;
/**
Clear the cached AWS credentials for this provider.
*/
- (void)clearCredentials;
- (void)setIdentityProviderManagerOnce:(id<AWSIdentityProviderManager>)identityProviderManager;
@end
NS_ASSUME_NONNULL_END