ceph-csi/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go

package aws

import (
	"context"
	"fmt"
	"time"

	"github.com/aws/aws-sdk-go-v2/internal/sdk"
)

// AnonymousCredentials provides a sentinel CredentialsProvider that should be
// used to instruct the SDK's signing middleware to not sign the request.
//
// Using `nil` credentials when configuring an API client will achieve the same
// result. The AnonymousCredentials type allows you to configure the SDK's
// external config loading to not attempt to source credentials from the shared
// config or environment.
//
// For example you can use this CredentialsProvider with an API client's
// Options to instruct the client not to sign a request for accessing public
// S3 bucket objects.
//
// The following example demonstrates using the AnonymousCredentials to prevent
// SDK's external config loading attempt to resolve credentials.
//
//     cfg, err := config.LoadDefaultConfig(context.TODO(),
//          config.WithCredentialsProvider(aws.AnonymousCredentials{}),
//     )
//     if err != nil {
//          log.Fatalf("failed to load config, %v", err)
//     }
//
//     client := s3.NewFromConfig(cfg)
//
// Alternatively you can leave the API client Option's `Credential` member to
// nil. If using the `NewFromConfig` constructor you'll need to explicitly set
// the `Credentials` member to nil, if the external config resolved a
// credential provider.
//
//     client := s3.New(s3.Options{
//          // Credentials defaults to a nil value.
//     })
//
// This can also be configured for specific operations calls too.
//
//     cfg, err := config.LoadDefaultConfig(context.TODO())
//     if err != nil {
//          log.Fatalf("failed to load config, %v", err)
//     }
//
//     client := s3.NewFromConfig(config)
//
//     result, err := client.GetObject(context.TODO(), s3.GetObject{
//          Bucket: aws.String("example-bucket"),
//          Key: aws.String("example-key"),
//     }, func(o *s3.Options) {
//          o.Credentials = nil
//          // Or
//          o.Credentials = aws.AnonymousCredentials{}
//     })
type AnonymousCredentials struct{}

// Retrieve implements the CredentialsProvider interface, but will always
// return error, and cannot be used to sign a request. The AnonymousCredentials
// type is used as a sentinel type instructing the AWS request signing
// middleware to not sign a request.
func (AnonymousCredentials) Retrieve(context.Context) (Credentials, error) {
	return Credentials{Source: "AnonymousCredentials"},
		fmt.Errorf("the AnonymousCredentials is not a valid credential provider, and cannot be used to sign AWS requests with")
}

// A Credentials is the AWS credentials value for individual credential fields.
type Credentials struct {
	// AWS Access key ID
	AccessKeyID string

	// AWS Secret Access Key
	SecretAccessKey string

	// AWS Session Token
	SessionToken string

	// Source of the credentials
	Source string

	// Time the credentials will expire.
	CanExpire bool
	Expires   time.Time
}

// Expired returns if the credentials have expired.
func (v Credentials) Expired() bool {
	if v.CanExpire {
		// Calling Round(0) on the current time will truncate the monotonic reading only. Ensures credential expiry
		// time is always based on reported wall-clock time.
		return !v.Expires.After(sdk.NowTime().Round(0))
	}

	return false
}

// HasKeys returns if the credentials keys are set.
func (v Credentials) HasKeys() bool {
	return len(v.AccessKeyID) > 0 && len(v.SecretAccessKey) > 0
}

// A CredentialsProvider is the interface for any component which will provide
// credentials Credentials. A CredentialsProvider is required to manage its own
// Expired state, and what to be expired means.
//
// A credentials provider implementation can be wrapped with a CredentialCache
// to cache the credential value retrieved. Without the cache the SDK will
// attempt to retrieve the credentials for every request.
type CredentialsProvider interface {
	// Retrieve returns nil if it successfully retrieved the value.
	// Error is returned if the value were not obtainable, or empty.
	Retrieve(ctx context.Context) (Credentials, error)
}

// CredentialsProviderFunc provides a helper wrapping a function value to
// satisfy the CredentialsProvider interface.
type CredentialsProviderFunc func(context.Context) (Credentials, error)

// Retrieve delegates to the function value the CredentialsProviderFunc wraps.
func (fn CredentialsProviderFunc) Retrieve(ctx context.Context) (Credentials, error) {
	return fn(ctx)
}
rbd: add `aws-sts-metdata` encryption type With Amazon STS and kubernetes cluster is configured with OIDC identity provider, credentials to access Amazon KMS can be fetched using oidc-token(serviceaccount token). Each tenant/namespace needs to create a secret with aws region, role and CMK ARN. Ceph-CSI will assume the given role with oidc token and access aws KMS, with given CMK to encrypt/decrypt DEK which will stored in the image metdata. Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html Resolves: #2879 Signed-off-by: Rakshith R <rar@redhat.com> 2022-03-02 10:30:48 +00:00			`package aws`

			`import (`
			`"context"`
			`"fmt"`
			`"time"`

			`"github.com/aws/aws-sdk-go-v2/internal/sdk"`
			`)`

			`// AnonymousCredentials provides a sentinel CredentialsProvider that should be`
			`// used to instruct the SDK's signing middleware to not sign the request.`
			`//`
			// Using `nil` credentials when configuring an API client will achieve the same
			`// result. The AnonymousCredentials type allows you to configure the SDK's`
			`// external config loading to not attempt to source credentials from the shared`
			`// config or environment.`
			`//`
			`// For example you can use this CredentialsProvider with an API client's`
			`// Options to instruct the client not to sign a request for accessing public`
			`// S3 bucket objects.`
			`//`
			`// The following example demonstrates using the AnonymousCredentials to prevent`
			`// SDK's external config loading attempt to resolve credentials.`
			`//`
			`// cfg, err := config.LoadDefaultConfig(context.TODO(),`
			`// config.WithCredentialsProvider(aws.AnonymousCredentials{}),`
			`// )`
			`// if err != nil {`
			`// log.Fatalf("failed to load config, %v", err)`
			`// }`
			`//`
			`// client := s3.NewFromConfig(cfg)`
			`//`
			// Alternatively you can leave the API client Option's `Credential` member to
			// nil. If using the `NewFromConfig` constructor you'll need to explicitly set
			// the `Credentials` member to nil, if the external config resolved a
			`// credential provider.`
			`//`
			`// client := s3.New(s3.Options{`
			`// // Credentials defaults to a nil value.`
			`// })`
			`//`
			`// This can also be configured for specific operations calls too.`
			`//`
			`// cfg, err := config.LoadDefaultConfig(context.TODO())`
			`// if err != nil {`
			`// log.Fatalf("failed to load config, %v", err)`
			`// }`
			`//`
			`// client := s3.NewFromConfig(config)`
			`//`
			`// result, err := client.GetObject(context.TODO(), s3.GetObject{`
			`// Bucket: aws.String("example-bucket"),`
			`// Key: aws.String("example-key"),`
			`// }, func(o *s3.Options) {`
			`// o.Credentials = nil`
			`// // Or`
			`// o.Credentials = aws.AnonymousCredentials{}`
			`// })`
			`type AnonymousCredentials struct{}`

			`// Retrieve implements the CredentialsProvider interface, but will always`
			`// return error, and cannot be used to sign a request. The AnonymousCredentials`
			`// type is used as a sentinel type instructing the AWS request signing`
			`// middleware to not sign a request.`
			`func (AnonymousCredentials) Retrieve(context.Context) (Credentials, error) {`
			`return Credentials{Source: "AnonymousCredentials"},`
			`fmt.Errorf("the AnonymousCredentials is not a valid credential provider, and cannot be used to sign AWS requests with")`
			`}`

			`// A Credentials is the AWS credentials value for individual credential fields.`
			`type Credentials struct {`
			`// AWS Access key ID`
			`AccessKeyID string`

			`// AWS Secret Access Key`
			`SecretAccessKey string`

			`// AWS Session Token`
			`SessionToken string`

			`// Source of the credentials`
			`Source string`

			`// Time the credentials will expire.`
			`CanExpire bool`
			`Expires time.Time`
			`}`

			`// Expired returns if the credentials have expired.`
			`func (v Credentials) Expired() bool {`
			`if v.CanExpire {`
			`// Calling Round(0) on the current time will truncate the monotonic reading only. Ensures credential expiry`
			`// time is always based on reported wall-clock time.`
			`return !v.Expires.After(sdk.NowTime().Round(0))`
			`}`

			`return false`
			`}`

			`// HasKeys returns if the credentials keys are set.`
			`func (v Credentials) HasKeys() bool {`
			`return len(v.AccessKeyID) > 0 && len(v.SecretAccessKey) > 0`
			`}`

			`// A CredentialsProvider is the interface for any component which will provide`
			`// credentials Credentials. A CredentialsProvider is required to manage its own`
			`// Expired state, and what to be expired means.`
			`//`
			`// A credentials provider implementation can be wrapped with a CredentialCache`
			`// to cache the credential value retrieved. Without the cache the SDK will`
			`// attempt to retrieve the credentials for every request.`
			`type CredentialsProvider interface {`
			`// Retrieve returns nil if it successfully retrieved the value.`
			`// Error is returned if the value were not obtainable, or empty.`
			`Retrieve(ctx context.Context) (Credentials, error)`
			`}`

			`// CredentialsProviderFunc provides a helper wrapping a function value to`
			`// satisfy the CredentialsProvider interface.`
			`type CredentialsProviderFunc func(context.Context) (Credentials, error)`

			`// Retrieve delegates to the function value the CredentialsProviderFunc wraps.`
			`func (fn CredentialsProviderFunc) Retrieve(ctx context.Context) (Credentials, error) {`
			`return fn(ctx)`
			`}`