X509 Credentials Provider Binding (aws#151)

* X509 Binding 
* Submodules

Author: bretambrose

aws-common-runtime/aws-c-http

@@ -6,6 +6,8 @@
 
 #include <aws/crt/Exports.h>
 #include <aws/crt/Types.h>
+#include <aws/crt/http/HttpConnection.h>
+#include <aws/crt/io/TlsOptions.h>
 
 #include <chrono>
 #include <functional>
@@ -22,6 +24,11 @@ namespace Aws
             class ClientBootstrap;
         }
 
+        namespace Http
+        {
+            class HttpClientConnectionProxyOptions;
+        }
+
         namespace Auth
         {
             /**
@@ -228,6 +235,45 @@ namespace Aws
                 Io::ClientBootstrap *Bootstrap;
             };
 
+            /**
+             * Configuration options for the X509 credentials provider
+             */
+            struct AWS_CRT_CPP_API CredentialsProviderX509Config
+            {
+                CredentialsProviderX509Config()
+                    : Bootstrap(nullptr), TlsOptions(), ThingName(), RoleAlias(), Endpoint(), ProxyOptions()
+                {
+                }
+
+                /**
+                 * Connection bootstrap to use to create the http connection required to
+                 * query credentials from the x509 provider
+                 */
+                Io::ClientBootstrap *Bootstrap;
+
+                /* TLS connection options that have been initialized with your x509 certificate and private key */
+                Io::TlsConnectionOptions TlsOptions;
+
+                /* IoT thing name you registered with AWS IOT for your device, it will be used in http request header */
+                String ThingName;
+
+                /* Iot role alias you created with AWS IoT for your IAM role, it will be used in http request path */
+                String RoleAlias;
+
+                /**
+                 * AWS account specific endpoint that can be acquired using AWS CLI following instructions from the demo
+                 * example: c2sakl5huz0afv.credentials.iot.us-east-1.amazonaws.com
+                 *
+                 * This a different endpoint than the IoT data mqtt broker endpoint.
+                 */
+                String Endpoint;
+
+                /**
+                 * (Optional) Http proxy configuration for the http request that fetches credentials
+                 */
+                Optional<Http::HttpClientConnectionProxyOptions> ProxyOptions;
+            };
+
             /**
              * Simple credentials provider implementation that wraps one of the internal C-based implementations.
              *
@@ -313,13 +359,21 @@ namespace Aws
                 /**
                  * Creates the SDK-standard default credentials provider which is a cache-fronted chain of:
                  *
-                 *   Environment -> Profile -> IMDS
+                 *   Environment -> Profile -> IMDS/ECS
                  *
                  */
                 static std::shared_ptr<ICredentialsProvider> CreateCredentialsProviderChainDefault(
                     const CredentialsProviderChainDefaultConfig &config,
                     Allocator *allocator = g_allocator);
 
+                /**
+                 * Creates a provider that sources credentials from the IoT X509 provider service
+                 *
+                 */
+                static std::shared_ptr<ICredentialsProvider> CreateCredentialsProviderX509(
+                    const CredentialsProviderX509Config &config,
+                    Allocator *allocator = g_allocator);
+
               private:
                 static void s_onCredentialsResolved(aws_credentials *credentials, int error_code, void *user_data);
 
@@ -328,4 +382,4 @@ namespace Aws
             };
         } // namespace Auth
     }     // namespace Crt
-} // namespace Aws
+} // namespace Aws

aws-common-runtime/aws-c-io

@@ -5,12 +5,14 @@
 
 #include <aws/crt/auth/Credentials.h>
 
+#include <aws/crt/http/HttpConnection.h>
 #include <aws/crt/io/Bootstrap.h>
 
 #include <aws/auth/credentials.h>
 #include <aws/common/string.h>
 
 #include <algorithm>
+#include <aws/http/connection.h>
 
 namespace Aws
 {
@@ -267,6 +269,45 @@ namespace Aws
                 return s_CreateWrappedProvider(
                     aws_credentials_provider_new_chain_default(allocator, &raw_config), allocator);
             }
+
+            std::shared_ptr<ICredentialsProvider> CredentialsProvider::CreateCredentialsProviderX509(
+                const CredentialsProviderX509Config &config,
+                Allocator *allocator)
+            {
+                struct aws_credentials_provider_x509_options raw_config;
+                AWS_ZERO_STRUCT(raw_config);
+
+                raw_config.bootstrap = config.Bootstrap->GetUnderlyingHandle();
+                raw_config.tls_connection_options = config.TlsOptions.GetUnderlyingHandle();
+                raw_config.thing_name = aws_byte_cursor_from_c_str(config.ThingName.c_str());
+                raw_config.role_alias = aws_byte_cursor_from_c_str(config.RoleAlias.c_str());
+                raw_config.endpoint = aws_byte_cursor_from_c_str(config.Endpoint.c_str());
+
+                struct aws_http_proxy_options proxy_options;
+                AWS_ZERO_STRUCT(proxy_options);
+                if (config.ProxyOptions.has_value())
+                {
+                    const Http::HttpClientConnectionProxyOptions &proxy_config = config.ProxyOptions.value();
+
+                    proxy_options.host = aws_byte_cursor_from_c_str(proxy_config.HostName.c_str());
+                    proxy_options.port = proxy_config.Port;
+                    proxy_options.tls_options = proxy_config.TlsOptions->GetUnderlyingHandle();
+                    proxy_options.auth_type = (enum aws_http_proxy_authentication_type)proxy_config.AuthType;
+                    proxy_options.auth_username = aws_byte_cursor_from_c_str(proxy_config.BasicAuthUsername.c_str());
+                    proxy_options.auth_password = aws_byte_cursor_from_c_str(proxy_config.BasicAuthPassword.c_str());
+
+                    raw_config.proxy_options = &proxy_options;
+                }
+
+                /**
+                 * Sets the TLS options for the proxy connection.
+                 * Optional.
+                 */
+                Optional<Io::TlsConnectionOptions> TlsOptions;
+
+                return s_CreateWrappedProvider(aws_credentials_provider_new_x509(allocator, &raw_config), allocator);
+            }
+
         } // namespace Auth
     }     // namespace Crt
-} // namespace Aws
+} // namespace Aws

include/aws/crt/auth/Credentials.h

@@ -236,7 +236,8 @@ namespace Aws
             return *this;
         }
 
-        MqttClientConnectionConfigBuilder &MqttClientConnectionConfigBuilder::WithMinimumTlsVersion(aws_tls_versions minimumTlsVersion) noexcept
+        MqttClientConnectionConfigBuilder &MqttClientConnectionConfigBuilder::WithMinimumTlsVersion(
+            aws_tls_versions minimumTlsVersion) noexcept
         {
             m_contextOptions.SetMinimumTlsVersion(minimumTlsVersion);
             return *this;