No Description

AWSCredentialsProvider.h 12KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263
  1. //
  2. // Copyright 2010-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
  3. //
  4. // Licensed under the Apache License, Version 2.0 (the "License").
  5. // You may not use this file except in compliance with the License.
  6. // A copy of the License is located at
  7. //
  8. // http://aws.amazon.com/apache2.0
  9. //
  10. // or in the "license" file accompanying this file. This file is distributed
  11. // on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
  12. // express or implied. See the License for the specific language governing
  13. // permissions and limitations under the License.
  14. //
  15. #import <Foundation/Foundation.h>
  16. #import "AWSServiceEnum.h"
  17. #import "AWSIdentityProvider.h"
  18. NS_ASSUME_NONNULL_BEGIN
  19. FOUNDATION_EXPORT NSString *const AWSCognitoCredentialsProviderErrorDomain;
  20. typedef NS_ENUM(NSInteger, AWSCognitoCredentialsProviderErrorType) {
  21. AWSCognitoCredentialsProviderErrorUnknown,
  22. AWSCognitoCredentialsProviderIdentityIdIsNil,
  23. AWSCognitoCredentialsProviderInvalidConfiguration,
  24. AWSCognitoCredentialsProviderInvalidCognitoIdentityToken,
  25. AWSCognitoCredentialsProviderCredentialsRefreshTimeout,
  26. };
  27. @class AWSTask<__covariant ResultType>;
  28. /**
  29. An AWS credentials container class.
  30. */
  31. @interface AWSCredentials : NSObject
  32. /**
  33. Access Key component of credentials.
  34. */
  35. @property (nonatomic, strong, readonly) NSString *accessKey;
  36. /**
  37. Secret Access Key component of credentials.
  38. */
  39. @property (nonatomic, strong, readonly) NSString *secretKey;
  40. /**
  41. Session Token component of credentials.
  42. */
  43. @property (nonatomic, strong, readonly, nullable) NSString *sessionKey;
  44. /**
  45. Date at which these credentials will expire.
  46. */
  47. @property (nonatomic, strong, readonly, nullable) NSDate *expiration;
  48. /**
  49. Initiates an AWS credentials object.
  50. @param accessKey An AWS Access key.
  51. @param secretKey An AWS Secret key.
  52. @param sessionKey An AWS Session key.
  53. @param expiration The expiration date of the temporary AWS credentials.
  54. @return An AWS credentials object.
  55. */
  56. - (instancetype)initWithAccessKey:(NSString *)accessKey
  57. secretKey:(NSString *)secretKey
  58. sessionKey:(nullable NSString *)sessionKey
  59. expiration:(nullable NSDate *)expiration;
  60. @end
  61. /**
  62. The AWS credentials provider protocol used to provide credentials to the SDK in order to make calls to the AWS services.
  63. */
  64. @protocol AWSCredentialsProvider <NSObject>
  65. /**
  66. Asynchronously returns a valid AWS credentials or an error object if it cannot retrieve valid credentials. It should cache valid credentials as much as possible and refresh them when they are invalid.
  67. @return A valid AWS credentials or an error object describing the error.
  68. */
  69. - (AWSTask<AWSCredentials *> *)credentials;
  70. /**
  71. Invalidates the cached temporary AWS credentials. If the credentials provider does not cache temporary credentials, this operation is a no-op.
  72. */
  73. - (void)invalidateCachedTemporaryCredentials;
  74. @end
  75. /**
  76. @warning This credentials provider is intended only for testing purposes.
  77. We strongly discourage embedding AWS credentials in your production apps because they can be easily extracted and abused. Consider using `AWSCognitoCredentialsProvider`.
  78. */
  79. @interface AWSStaticCredentialsProvider : NSObject <AWSCredentialsProvider>
  80. /**
  81. Instantiates a static credentials provider.
  82. @param accessKey An AWS Access key.
  83. @param secretKey An AWS Secret key.
  84. @return An AWS credentials object.
  85. */
  86. - (instancetype)initWithAccessKey:(NSString *)accessKey
  87. secretKey:(NSString *)secretKey;
  88. @end
  89. /**
  90. @warning This credentials provider is intended only for testing purposes.
  91. We strongly discourage embedding AWS credentials in your production apps because they can be easily extracted and abused. Consider using `AWSCognitoCredentialsProvider`.
  92. Simple session credentials with keys and session token.
  93. */
  94. @interface AWSBasicSessionCredentialsProvider: NSObject <AWSCredentialsProvider>
  95. /**
  96. Instantiates a static credentials provider.
  97. @param accessKey An AWS Access key.
  98. @param secretKey An AWS Secret key.
  99. @param sessionToken The session token for this session.
  100. @return An AWS credentials object.
  101. */
  102. - (instancetype)initWithAccessKey:(NSString *)accessKey
  103. secretKey:(NSString *)secretKey
  104. sessionToken:(NSString *)sessionToken;
  105. @end
  106. @interface AWSAnonymousCredentialsProvider : NSObject <AWSCredentialsProvider>
  107. @end
  108. /**
  109. A credentials provider that uses AWS STS web identity federation.
  110. */
  111. @interface AWSWebIdentityCredentialsProvider : NSObject <AWSCredentialsProvider>
  112. @property (nonatomic, strong) NSString *webIdentityToken;
  113. @property (nonatomic, strong) NSString *roleArn;
  114. @property (nonatomic, strong) NSString *roleSessionName;
  115. @property (nonatomic, strong) NSString *providerId;
  116. - (instancetype)initWithRegionType:(AWSRegionType)regionType
  117. providerId:(nullable NSString *)providerId
  118. roleArn:(NSString *)roleArn
  119. roleSessionName:(NSString *)roleSessionName
  120. webIdentityToken:(NSString *)webIdentityToken;
  121. @end
  122. /**
  123. An AWSCredentialsProvider that uses Amazon Cognito to fetch temporary credentials tied to an identity.
  124. To learn more about Amazon Cognito, please visit <a href="https://aws.amazon.com/cognito">https://aws.amazon.com/cognito</a>.
  125. There are 3 different flows supported by this credentials provider, see factory and init methods for choosing the right one for your use case:
  126. 1. Enhanced flow: Uses Cognito for all operations and only requires an identity pool id to initialize.
  127. 2. Basic flow: Uses Cognito + STS and requires identity pool plus IAM roles
  128. 3. Developer authenticated identities: Uses your own AWSCognitoCredentialsProviderHelper to establish identity +
  129. Cognito (and optionally STS) to establish credentials.
  130. */
  131. @interface AWSCognitoCredentialsProvider : NSObject <AWSCredentialsProvider>
  132. /**
  133. The identityProvider which is responsible for establishing the identity id and (optionally) the open id token for use in the Amazon Cognito authflow.
  134. */
  135. @property (nonatomic, strong, readonly) id<AWSCognitoCredentialsProviderHelper> identityProvider;
  136. /**
  137. The identity id associated with this provider. This value will be fetched from the keychain at startup. If you do not want to reuse the existing identity id, you must call the clearKeychain method.
  138. */
  139. @property (nonatomic, strong, readonly, nullable) NSString *identityId;
  140. /**
  141. The identity pool id associated with this provider. Also used to create a namedspaced keychain area to store identity id and credentials.
  142. */
  143. @property (nonatomic, strong, readonly) NSString *identityPoolId;
  144. /**
  145. Initializer for credentials provider with enhanced authentication flow. This is the recommended constructor for first time Amazon Cognito developers. Will create an instance of `AWSEnhancedCognitoIdentityProvider`.
  146. @param regionType The region in which your identity pool exists.
  147. @param identityPoolId The identity pool id for this provider. Value is used to communicate with Amazon Cognito as well as namespace values stored in the keychain.
  148. */
  149. - (instancetype)initWithRegionType:(AWSRegionType)regionType
  150. identityPoolId:(NSString *)identityPoolId;
  151. /**
  152. Initializer for credentials provider with enhanced authentication flow. This is the recommended method for first time Amazon Cognito developers. Will create an instance of `AWSEnhancedCognitoIdentityProvider`.
  153. @param regionType The region in which your identity pool exists.
  154. @param identityPoolId The identity pool id for this provider. Value is used to communicate with Amazon Cognito as well as namespace values stored in the keychain.
  155. @param identityProviderManager An object that conforms to the `AWSIdentityProviderManager` protocol. It should return a valid `login` dictionary when requested. Can be nil if identity is unauthenticated.
  156. */
  157. - (instancetype)initWithRegionType:(AWSRegionType)regionType
  158. identityPoolId:(NSString *)identityPoolId
  159. identityProviderManager:(nullable id<AWSIdentityProviderManager>)identityProviderManager;
  160. /**
  161. Initializer for credentials provider with pre-created `AWSCognitoCredentialsProviderHelper`. Use this method when using developer authenticated identities.
  162. @param regionType The region in which your identity pool exists.
  163. @param identityProvider Implementation of AWSCognitoCredentialsProviderHelper which is responsible for acquiring identity id and (optionally) OpenId Connect token.
  164. */
  165. - (instancetype)initWithRegionType:(AWSRegionType)regionType
  166. identityProvider:(id<AWSCognitoCredentialsProviderHelper>)identityProvider;
  167. /**
  168. Initializer for credentials provider with pre-created `AWSCognitoCredentialsProviderHelper`. Only use this method if you need to set your IAM roles client side and use developer authenticated identities
  169. @param regionType The region in which your identity pool exists.
  170. @param unauthRoleArn The role ARN to use when getting credentials for unauthenticated identities. Provider will check the `isAuthenticated` property of the identity provider to determine which role to use. Can be nil if unauthenticated identities are not supported or if using enhanced authentication flow.
  171. @param authRoleArn The role ARN to use when getting credentials for authenticated identities. Provider will check the `isAuthenticated` property of the identity provider to determine which role to use. Can be nil if authenticated identities are not supported or if using enhanced authentication flow.
  172. @param identityProvider Implementation of AWSCognitoCredentialsProviderHelper which is responsible for acquiring identity id and (optionally) OpenId Connect token.
  173. */
  174. - (instancetype)initWithRegionType:(AWSRegionType)regionType
  175. unauthRoleArn:(nullable NSString *)unauthRoleArn
  176. authRoleArn:(nullable NSString *)authRoleArn
  177. identityProvider:(id<AWSCognitoCredentialsProviderHelper>)identityProvider;
  178. /**
  179. Initializer for credentials provider with basic auth flow. Only use this method if you still need to set your IAM roles client side. This method will create an instance of `AWSBasicCognitoIdentityProvider`.
  180. @param regionType The region in which your identity pool exists.
  181. @param identityPoolId The identity pool id for this provider. Value is used to communicate with Amazon Cognito as well as namespace values stored in the keychain.
  182. @param unauthRoleArn The role ARN to use when getting credentials for unauthenticated identities. Provider will check the `isAuthenticated` property of the identity provider to determine which role to use. Can be nil if unauthenticated identities are not supported.
  183. @param authRoleArn The role ARN to use when getting credentials for authenticated identities. Provider will check the `isAuthenticated` property of the identity provider to determine which role to use. Can be nil if authenticated identities are not supported.
  184. @param identityProviderManager An object that conforms to the `AWSIdentityProviderManager` protocol. It should return a valid `login` dictionary when requested. Can be nil if identity is unauthenticated.
  185. */
  186. - (instancetype)initWithRegionType:(AWSRegionType)regionType
  187. identityPoolId:(NSString *)identityPoolId
  188. unauthRoleArn:(nullable NSString *)unauthRoleArn
  189. authRoleArn:(nullable NSString *)authRoleArn
  190. identityProviderManager:(nullable id<AWSIdentityProviderManager>)identityProviderManager;
  191. /**
  192. Get/retrieve the identity id for this provider. If an identity id is already set on this provider, no remote call is made and the identity will be returned as a result of the AWSTask (the identityId is also available as a property). If no identityId is set on this provider, one will be retrieved from the service.
  193. @return AWSTask
  194. */
  195. - (AWSTask<NSString *> *)getIdentityId;
  196. /**
  197. Clear ALL saved values for this provider (identityId, credentials, logins).
  198. */
  199. - (void)clearKeychain;
  200. /**
  201. Clear the cached AWS credentials for this provider.
  202. */
  203. - (void)clearCredentials;
  204. - (void)setIdentityProviderManagerOnce:(id<AWSIdentityProviderManager>)identityProviderManager;
  205. @end
  206. NS_ASSUME_NONNULL_END