Imds region provider (#715)

- User agent construction is now `const fn` (#701)

- Update event stream `Receiver`s to be `Send` (#702, #aws-sdk-rust#224)

- Add `sts::AssumeRoleProvider` to `aws-config` (#703, aws-sdk-rust#3)

- Add IMDS region provider to `aws-config` (#715)

- Add query param signing to the `aws-sigv4` crate (#707)

v0.23 (September 14th, 2021)

**New This Week**

- Add IMDS client to `aws-config`

- Add IMDS credential provider to `aws-config` (smithy-rs#709)

- Add IMDS region provider to `aws-config` (smithy-rs#715, #97)

- Update event stream `Receiver`s to be `Send` (aws-sdk-rust#224)

- Add `sts::AssumeRoleProvider` to `aws-config` (#703, aws-sdk-rust#3)

- Add `sts::AssumeRoleProvider` to `aws-config`. This enables customers to invoke STS directly, instead of using it via `~/.aws/config`. (#703, aws-sdk-rust#3)

- :bug: Fix panic when signing non-ASCII header values (smithy-rs#708, aws-sdk-rust#226)

v0.0.18-alpha (September 14th, 2021)

=======================

- :tada: Add support for `OpenSearch` service & bring in other model updates (#todo)

    use crate::environment::region::EnvironmentVariableRegionProvider;

    use crate::meta::region::{ProvideRegion, RegionProviderChain};

    use crate::profile;

    use crate::{imds, profile};

    use crate::provider_config::ProviderConfig;

    pub struct Builder {

        env_provider: EnvironmentVariableRegionProvider,

        profile_file: profile::region::Builder,

        imds: imds::region::Builder,

    }

    impl Builder {

            self.env_provider =

                EnvironmentVariableRegionProvider::new_with_env(configuration.env());

            self.profile_file = self.profile_file.configure(configuration);

            self.imds = self.imds.configure(configuration);

            self

        }

        pub fn build(self) -> DefaultRegionChain {

            DefaultRegionChain(

                RegionProviderChain::first_try(self.env_provider)

                    .or_else(self.profile_file.build()),

                    .or_else(self.profile_file.build())

                    .or_else(self.imds.build()),

            )

        }

    }

use crate::profile::ProfileParseError;

use crate::provider_config::ProviderConfig;

use crate::{profile, PKG_VERSION};

use tokio::sync::OnceCell;

const USER_AGENT: AwsUserAgent =

    AwsUserAgent::new_from_environment(ApiMetadata::new("imds", PKG_VERSION));

    inner: smithy_client::Client<DynConnector, ImdsMiddleware>,

}

/// Client where build is sync, but usage is async

///

/// Building an imds::Client is actually an async operation, however, for credentials and region

/// providers, we want build to always be a synchronous operation. This allows building to be deferred

/// and cached until request time.

#[derive(Debug)]

pub(super) struct LazyClient {

    client: OnceCell<Result<Client, BuildError>>,

    builder: Builder,

}

impl LazyClient {

    pub fn from_ready_client(client: Client) -> Self {

        Self {

            client: OnceCell::from(Ok(client)),

            // the builder will never be used in this case

            builder: Builder::default(),

        }

    }

    pub(super) async fn client(&self) -> Result<&Client, &BuildError> {

        let builder = &self.builder;

        self.client

            // the clone will only happen once when we actually construct it for the first time,

            // after that, we will use the cache.

            .get_or_init(|| async {

                let client = builder.clone().build().await;

                if let Err(err) = &client {

                    tracing::warn!(err = % err, "failed to create IMDS client")

                }

                client

            })

            .await

            .as_ref()

    }

}

impl Client {

    /// IMDS client builder

    pub fn builder() -> Builder {

/// IMDS can be accessed in two ways:

/// 1. Via the IpV4 endpoint: `http://169.254.169.254`

/// 2. Via the Ipv6 endpoint: `http://[fd00:ec2::254]`

#[derive(Debug)]

#[derive(Debug, Clone)]

#[non_exhaustive]

pub enum EndpointMode {

    /// IpV4 mode: `http://169.254.169.254`

}

/// IMDSv2 Client Builder

#[derive(Default, Debug)]

#[derive(Default, Debug, Clone)]

pub struct Builder {

    num_retries: Option<u32>,

    endpoint: Option<EndpointSource>,

        self

    }*/

    pub(super) fn build_lazy(self) -> LazyClient {

        LazyClient {

            client: OnceCell::new(),

            builder: self,

        }

    }

    /// Build an IMDSv2 Client

    pub async fn build(self) -> Result<Client, BuildError> {

        let config = self.config.unwrap_or_default();

}

/// Endpoint Configuration Abstraction

#[derive(Debug)]

#[derive(Debug, Clone)]

enum EndpointSource {

    Explicit(Uri),

    Env(Env, Fs),

#[derive(Clone)]

struct ImdsErrorPolicy;

impl ImdsErrorPolicy {

    fn classify(response: &operation::Response) -> RetryKind {

        let status = response.http().status();

}

#[cfg(test)]

mod test {

pub(crate) mod test {

    use std::collections::HashMap;

    use std::error::Error;

    use std::time::{Duration, UNIX_EPOCH};

    const TOKEN_A: &str = "AQAEAFTNrA4eEGx0AQgJ1arIq_Cc-t4tWt3fB0Hd8RKhXlKc5ccvhg==";

    const TOKEN_B: &str = "alternatetoken==";

    fn token_request(base: &str, ttl: u32) -> http::Request<SdkBody> {

    pub(crate) fn token_request(base: &str, ttl: u32) -> http::Request<SdkBody> {

        http::Request::builder()

            .uri(format!("{}/latest/api/token", base))

            .header("x-aws-ec2-metadata-token-ttl-seconds", ttl)

            .unwrap()

    }

    fn token_response(ttl: u32, token: &'static str) -> http::Response<&'static str> {

    pub(crate) fn token_response(ttl: u32, token: &'static str) -> http::Response<&'static str> {

        http::Response::builder()

            .status(200)

            .header("X-aws-ec2-metadata-token-ttl-seconds", ttl)

            .unwrap()

    }

    fn imds_request(path: &'static str, token: &str) -> http::Request<SdkBody> {

    pub(crate) fn imds_request(path: &'static str, token: &str) -> http::Request<SdkBody> {

        http::Request::builder()

            .uri(Uri::from_static(path))

            .method("GET")

            .unwrap()

    }

    fn imds_response(body: &'static str) -> http::Response<&'static str> {

    pub(crate) fn imds_response(body: &'static str) -> http::Response<&'static str> {

        http::Response::builder().status(200).body(body).unwrap()

    }

//! This credential provider will NOT fallback to IMDSv1. Ensure that IMDSv2 is enabled on your instances.

use crate::imds;

use crate::imds::client::ImdsError;

use crate::imds::client::{ImdsError, LazyClient};

use crate::provider_config::ProviderConfig;

use aws_types::credentials::{future, CredentialsError, ProvideCredentials};

use aws_types::os_shim_internal::Env;

use aws_types::{credentials, Credentials};

use smithy_client::SdkError;

use smithy_json::deserialize::token::skip_value;

use std::time::SystemTime;

use tokio::sync::OnceCell;

mod env {

    pub(super) const EC2_METADATA_DISABLED: &str = "AWS_EC2_METADATA_DISABLED";

}

/// IMDSv2 Credentials Provider

///

/// **Note**: This credentials provider will NOT fallback to the IMDSv1 flow.

#[derive(Debug)]

pub struct ImdsCredentialsProvider {

    client: OnceCell<Result<imds::Client, imds::client::BuildError>>,

    client: LazyClient,

    env: Env,

    profile: OnceCell<String>,

    provider_config: ProviderConfig,

}

/// Builder for [`ImdsCredentialsProvider`]

    /// Create an [`ImdsCredentialsProvider`] from this builder.

    pub fn build(self) -> ImdsCredentialsProvider {

        let provider_config = self.provider_config.unwrap_or_default();

        let client = if let Some(client) = self.imds_override {

            OnceCell::from(Ok(client))

        } else {

            OnceCell::new()

        };

        let env = provider_config.env();

        let client = self

            .imds_override

            .map(LazyClient::from_ready_client)

            .unwrap_or_else(|| {

                imds::Client::builder()

                    .configure(&provider_config)

                    .build_lazy()

            });

        let profile = OnceCell::new_with(self.profile_override);

        ImdsCredentialsProvider {

            client,

            env,

            profile,

            provider_config,

        }

    }

}

    }

    fn imds_disabled(&self) -> bool {

        match self.provider_config.env().get(env::EC2_METADATA_DISABLED) {

        match self.env.get(super::env::EC2_METADATA_DISABLED) {

            Ok(value) => value.eq_ignore_ascii_case("true"),

            _ => false,

        }

    /// Load an inner IMDS client from the OnceCell

    async fn client(&self) -> Result<&imds::Client, CredentialsError> {

        let provider_config = &self.provider_config;

        self.client

            .get_or_init(|| async {

                imds::Client::builder()

                    .configure(provider_config)

                    .build()

                    .await

            })

            .await

            .as_ref()

            .map_err(|build_error| {

        self.client.client().await.map_err(|build_error| {

            CredentialsError::InvalidConfiguration(format!("{}", build_error).into())

        })

    }