vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go

   1 // Package credentials provides credential retrieval and management
   2 //
   3 // The Credentials is the primary method of getting access to and managing
   4 // credentials Values. Using dependency injection retrieval of the credential
   5 // values is handled by a object which satisfies the Provider interface.
   6 //
   7 // By default the Credentials.Get() will cache the successful result of a
   8 // Provider's Retrieve() until Provider.IsExpired() returns true. At which
   9 // point Credentials will call Provider's Retrieve() to get new credential Value.
  10 //
  11 // The Provider is responsible for determining when credentials Value have expired.
  12 // It is also important to note that Credentials will always call Retrieve the
  13 // first time Credentials.Get() is called.
  14 //
  15 // Example of using the environment variable credentials.
  16 //
  17 //     creds := credentials.NewEnvCredentials()
  18 //
  19 //     // Retrieve the credentials value
  20 //     credValue, err := creds.Get()
  21 //     if err != nil {
  22 //         // handle error
  23 //     }
  24 //
  25 // Example of forcing credentials to expire and be refreshed on the next Get().
  26 // This may be helpful to proactively expire credentials and refresh them sooner
  27 // than they would naturally expire on their own.
  28 //
  29 //     creds := credentials.NewCredentials(&ec2rolecreds.EC2RoleProvider{})
  30 //     creds.Expire()
  31 //     credsValue, err := creds.Get()
  32 //     // New credentials will be retrieved instead of from cache.
  33 //
  34 //
  35 // Custom Provider
  36 //
  37 // Each Provider built into this package also provides a helper method to generate
  38 // a Credentials pointer setup with the provider. To use a custom Provider just
  39 // create a type which satisfies the Provider interface and pass it to the
  40 // NewCredentials method.
  41 //
  42 //     type MyProvider struct{}
  43 //     func (m *MyProvider) Retrieve() (Value, error) {...}
  44 //     func (m *MyProvider) IsExpired() bool {...}
  45 //
  46 //     creds := credentials.NewCredentials(&MyProvider{})
  47 //     credValue, err := creds.Get()
  48 //
  49 package credentials
  50
  51 import (
  52         "sync"
  53         "time"
  54 )
  55
  56 // AnonymousCredentials is an empty Credential object that can be used as
  57 // dummy placeholder credentials for requests that do not need signed.
  58 //
  59 // This Credentials can be used to configure a service to not sign requests
  60 // when making service API calls. For example, when accessing public
  61 // s3 buckets.
  62 //
  63 //     svc := s3.New(session.Must(session.NewSession(&aws.Config{
  64 //       Credentials: credentials.AnonymousCredentials,
  65 //     })))
  66 //     // Access public S3 buckets.
  67 //
  68 // @readonly
  69 var AnonymousCredentials = NewStaticCredentials("", "", "")
  70
  71 // A Value is the AWS credentials value for individual credential fields.
  72 type Value struct {
  73         // AWS Access key ID
  74         AccessKeyID string
  75
  76         // AWS Secret Access Key
  77         SecretAccessKey string
  78
  79         // AWS Session Token
  80         SessionToken string
  81
  82         // Provider used to get credentials
  83         ProviderName string
  84 }
  85
  86 // A Provider is the interface for any component which will provide credentials
  87 // Value. A provider is required to manage its own Expired state, and what to
  88 // be expired means.
  89 //
  90 // The Provider should not need to implement its own mutexes, because
  91 // that will be managed by Credentials.
  92 type Provider interface {
  93         // Retrieve returns nil if it successfully retrieved the value.
  94         // Error is returned if the value were not obtainable, or empty.
  95         Retrieve() (Value, error)
  96
  97         // IsExpired returns if the credentials are no longer valid, and need
  98         // to be retrieved.
  99         IsExpired() bool
 100 }
 101
 102 // An ErrorProvider is a stub credentials provider that always returns an error
 103 // this is used by the SDK when construction a known provider is not possible
 104 // due to an error.
 105 type ErrorProvider struct {
 106         // The error to be returned from Retrieve
 107         Err error
 108
 109         // The provider name to set on the Retrieved returned Value
 110         ProviderName string
 111 }
 112
 113 // Retrieve will always return the error that the ErrorProvider was created with.
 114 func (p ErrorProvider) Retrieve() (Value, error) {
 115         return Value{ProviderName: p.ProviderName}, p.Err
 116 }
 117
 118 // IsExpired will always return not expired.
 119 func (p ErrorProvider) IsExpired() bool {
 120         return false
 121 }
 122
 123 // A Expiry provides shared expiration logic to be used by credentials
 124 // providers to implement expiry functionality.
 125 //
 126 // The best method to use this struct is as an anonymous field within the
 127 // provider's struct.
 128 //
 129 // Example:
 130 //     type EC2RoleProvider struct {
 131 //         Expiry
 132 //         ...
 133 //     }
 134 type Expiry struct {
 135         // The date/time when to expire on
 136         expiration time.Time
 137
 138         // If set will be used by IsExpired to determine the current time.
 139         // Defaults to time.Now if CurrentTime is not set.  Available for testing
 140         // to be able to mock out the current time.
 141         CurrentTime func() time.Time
 142 }
 143
 144 // SetExpiration sets the expiration IsExpired will check when called.
 145 //
 146 // If window is greater than 0 the expiration time will be reduced by the
 147 // window value.
 148 //
 149 // Using a window is helpful to trigger credentials to expire sooner than
 150 // the expiration time given to ensure no requests are made with expired
 151 // tokens.
 152 func (e *Expiry) SetExpiration(expiration time.Time, window time.Duration) {
 153         e.expiration = expiration
 154         if window > 0 {
 155                 e.expiration = e.expiration.Add(-window)
 156         }
 157 }
 158
 159 // IsExpired returns if the credentials are expired.
 160 func (e *Expiry) IsExpired() bool {
 161         if e.CurrentTime == nil {
 162                 e.CurrentTime = time.Now
 163         }
 164         return e.expiration.Before(e.CurrentTime())
 165 }
 166
 167 // A Credentials provides synchronous safe retrieval of AWS credentials Value.
 168 // Credentials will cache the credentials value until they expire. Once the value
 169 // expires the next Get will attempt to retrieve valid credentials.
 170 //
 171 // Credentials is safe to use across multiple goroutines and will manage the
 172 // synchronous state so the Providers do not need to implement their own
 173 // synchronization.
 174 //
 175 // The first Credentials.Get() will always call Provider.Retrieve() to get the
 176 // first instance of the credentials Value. All calls to Get() after that
 177 // will return the cached credentials Value until IsExpired() returns true.
 178 type Credentials struct {
 179         creds        Value
 180         forceRefresh bool
 181         m            sync.Mutex
 182
 183         provider Provider
 184 }
 185
 186 // NewCredentials returns a pointer to a new Credentials with the provider set.
 187 func NewCredentials(provider Provider) *Credentials {
 188         return &Credentials{
 189                 provider:     provider,
 190                 forceRefresh: true,
 191         }
 192 }
 193
 194 // Get returns the credentials value, or error if the credentials Value failed
 195 // to be retrieved.
 196 //
 197 // Will return the cached credentials Value if it has not expired. If the
 198 // credentials Value has expired the Provider's Retrieve() will be called
 199 // to refresh the credentials.
 200 //
 201 // If Credentials.Expire() was called the credentials Value will be force
 202 // expired, and the next call to Get() will cause them to be refreshed.
 203 func (c *Credentials) Get() (Value, error) {
 204         c.m.Lock()
 205         defer c.m.Unlock()
 206
 207         if c.isExpired() {
 208                 creds, err := c.provider.Retrieve()
 209                 if err != nil {
 210                         return Value{}, err
 211                 }
 212                 c.creds = creds
 213                 c.forceRefresh = false
 214         }
 215
 216         return c.creds, nil
 217 }
 218
 219 // Expire expires the credentials and forces them to be retrieved on the
 220 // next call to Get().
 221 //
 222 // This will override the Provider's expired state, and force Credentials
 223 // to call the Provider's Retrieve().
 224 func (c *Credentials) Expire() {
 225         c.m.Lock()
 226         defer c.m.Unlock()
 227
 228         c.forceRefresh = true
 229 }
 230
 231 // IsExpired returns if the credentials are no longer valid, and need
 232 // to be retrieved.
 233 //
 234 // If the Credentials were forced to be expired with Expire() this will
 235 // reflect that override.
 236 func (c *Credentials) IsExpired() bool {
 237         c.m.Lock()
 238         defer c.m.Unlock()
 239
 240         return c.isExpired()
 241 }
 242
 243 // isExpired helper method wrapping the definition of expired credentials.
 244 func (c *Credentials) isExpired() bool {
 245         return c.forceRefresh || c.provider.IsExpired()
 246 }