removed SSO checking for now

Author: kai-ion

src/aws-cpp-sdk-core/include/aws/core/client/UserAgent.h

@@ -33,6 +33,10 @@ enum class UserAgentFeature {
   RESOLVED_ACCOUNT_ID,
   GZIP_REQUEST_COMPRESSION,
   CREDENTIALS_ENV_VARS,
+  CREDENTIALS_PROFILE,
+  CREDENTIALS_PROCESS,
+  CREDENTIALS_IMDS,
+  CREDENTIALS_STS_ASSUME_ROLE,
 };
 
 class AWS_CORE_API UserAgent {

src/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp

@@ -201,7 +201,11 @@ AWSCredentials ProfileConfigFileAWSCredentialsProvider::GetAWSCredentials()
 
     if(credsFileProfileIter != profiles.end())
     {
-        return credsFileProfileIter->second.GetCredentials();
+        AWSCredentials credentials = credsFileProfileIter->second.GetCredentials();
+        if (!credentials.IsEmpty()) {
+            credentials.AddUserAgentFeature(UserAgentFeature::CREDENTIALS_PROFILE);
+        }
+        return credentials;
     }
 
     return AWSCredentials();
@@ -265,7 +269,11 @@ AWSCredentials InstanceProfileCredentialsProvider::GetAWSCredentials()
         auto profileIter = profiles.find(Aws::Config::INSTANCE_PROFILE_KEY);
 
         if (profileIter != profiles.end()) {
-            return profileIter->second.GetCredentials();
+            AWSCredentials credentials = profileIter->second.GetCredentials();
+            if (!credentials.IsEmpty()) {
+                credentials.AddUserAgentFeature(UserAgentFeature::CREDENTIALS_IMDS);
+            }
+            return credentials;
         }
     }
     else
@@ -357,6 +365,9 @@ void ProcessCredentialsProvider::Reload()
         return;
     }
     m_credentials = GetCredentialsFromProcess(command);
+    if (!m_credentials.IsEmpty()) {
+        m_credentials.AddUserAgentFeature(UserAgentFeature::CREDENTIALS_PROCESS);
+    }
 }
 
 void ProcessCredentialsProvider::RefreshIfExpired()

src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp

@@ -104,6 +104,11 @@ AWSCredentials STSAssumeRoleWebIdentityCredentialsProvider::GetAWSCredentials()
 
   std::unique_lock<std::mutex> lock{m_refreshMutex};
   m_refreshSignal.wait_for(lock, m_providerFuturesTimeoutMs, [&refreshDone]() -> bool { return refreshDone; });
+
+  if (!credentials.IsEmpty()) {
+    credentials.AddUserAgentFeature(Aws::Client::UserAgentFeature::CREDENTIALS_STS_ASSUME_ROLE);
+  }
+
   return credentials;
 }
 

src/aws-cpp-sdk-core/source/client/UserAgent.cpp

@@ -43,6 +43,10 @@ const std::pair<UserAgentFeature, const char*> BUSINESS_METRIC_MAPPING[] = {
     {UserAgentFeature::RESOLVED_ACCOUNT_ID, "T"},
     {UserAgentFeature::GZIP_REQUEST_COMPRESSION, "L"},
     {UserAgentFeature::CREDENTIALS_ENV_VARS, "g"},
+    {UserAgentFeature::CREDENTIALS_PROFILE, "n"},
+    {UserAgentFeature::CREDENTIALS_PROCESS, "w"},
+    {UserAgentFeature::CREDENTIALS_IMDS, "0"},
+    {UserAgentFeature::CREDENTIALS_STS_ASSUME_ROLE, "i"},
 };
 
 const std::pair<const char*, UserAgentFeature> RETRY_FEATURE_MAPPING[] = {

tests/aws-cpp-sdk-core-tests/aws/auth/CredentialTrackingTest.cpp

@@ -7,18 +7,33 @@
 #include <aws/testing/AwsTestHelpers.h>
 #include <aws/testing/mocks/aws/client/MockAWSClient.h>
 #include <aws/testing/mocks/http/MockHttpClient.h>
+#include <aws/testing/mocks/aws/auth/MockAWSHttpResourceClient.h>
 #include <aws/testing/platform/PlatformTesting.h>
 #include <aws/core/auth/AWSCredentialsProvider.h>
 #include <aws/core/auth/AWSCredentialsProviderChain.h>
 #include <aws/core/client/AWSClient.h>
 #include <aws/core/utils/StringUtils.h>
+#include <aws/core/utils/HashingUtils.h>
+#include <aws/core/platform/FileSystem.h>
+#include <aws/core/utils/FileSystemUtils.h>
+#include <fstream>
+#include <sys/stat.h>
 
 using namespace Aws::Client;
 using namespace Aws::Auth;
 using namespace Aws::Http;
 
 static const char ALLOCATION_TAG[] = "CredentialTrackingTest";
 
+static Aws::String WrapEchoStringWithSingleQuoteForUnixShell(Aws::String str)
+{
+#ifndef _WIN32
+  str.insert(0, 1, '\'');
+  str.append(1, '\'');
+#endif
+  return str;
+}
+
 // Custom client that uses default credential provider for testing
 class CredentialTestingClient : public Aws::Client::AWSClient
 {
@@ -32,6 +47,17 @@ class CredentialTestingClient : public Aws::Client::AWSClient
     {
     }
 
+    // Constructor with custom credential provider for IMDS test
+    explicit CredentialTestingClient(const Aws::Client::ClientConfiguration& configuration,
+                                   std::shared_ptr<AWSCredentialsProvider> credentialsProvider)
+        : AWSClient(configuration,
+                   Aws::MakeShared<Aws::Client::AWSAuthV4Signer>(ALLOCATION_TAG,
+                       credentialsProvider,
+                       "service", configuration.region),
+                   Aws::MakeShared<MockAWSErrorMarshaller>(ALLOCATION_TAG))
+    {
+    }
+
     Aws::Client::HttpResponseOutcome MakeRequest(const Aws::AmazonWebServiceRequest& request)
     {
         auto uri = Aws::Http::URI("https://test.com");
@@ -127,3 +153,194 @@ TEST_F(CredentialTrackingTest, TestEnvironmentCredentialsTracking)
 
     EXPECT_TRUE(businessMetrics != userAgentParsed.end());
 }
+
+TEST_F(CredentialTrackingTest, TestProfileCredentialsTracking)
+{
+    // Create temporary credentials file
+    Aws::Utils::TempFile credentialsFile(std::ios_base::out | std::ios_base::trunc);
+    ASSERT_TRUE(credentialsFile.good());
+    credentialsFile << "[default]" << std::endl;
+    credentialsFile << "aws_access_key_id = test-profile-access-key" << std::endl;
+    credentialsFile << "aws_secret_access_key = test-profile-secret-key" << std::endl;
+    credentialsFile.close();
+
+    // Set environment to use our test credentials file
+    Aws::Environment::EnvironmentRAII testEnvironment{{
+        {"AWS_SHARED_CREDENTIALS_FILE", credentialsFile.GetFileName().c_str()},
+    }};
+    Aws::Config::ReloadCachedCredentialsFile();
+
+    // Setup mock response
+    std::shared_ptr<HttpRequest> requestTmp =
+        CreateHttpRequest(Aws::Http::URI("dummy"), Aws::Http::HttpMethod::HTTP_POST,
+                        Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
+    auto successResponse = Aws::MakeShared<Standard::StandardHttpResponse>(ALLOCATION_TAG, requestTmp);
+    successResponse->SetResponseCode(HttpResponseCode::OK);
+    successResponse->GetResponseBody() << "{}";
+    mockHttpClient->AddResponseToReturn(successResponse);
+
+    // Create client configuration
+    Aws::Client::ClientConfigurationInitValues cfgInit;
+    cfgInit.shouldDisableIMDS = true;
+    Aws::Client::ClientConfiguration clientConfig(cfgInit);
+    clientConfig.region = Aws::Region::US_EAST_1;
+
+    // Create credential testing client that uses default provider chain
+    CredentialTestingClient client(clientConfig);
+
+    // Create mock request
+    AmazonWebServiceRequestMock mockRequest;
+
+    // Make request
+    auto outcome = client.MakeRequest(mockRequest);
+    ASSERT_TRUE(outcome.IsSuccess());
+
+    // Verify User-Agent contains profile credentials tracking
+    auto lastRequest = mockHttpClient->GetMostRecentHttpRequest();
+    EXPECT_TRUE(lastRequest.HasHeader(Aws::Http::USER_AGENT_HEADER));
+    const auto& userAgent = lastRequest.GetHeaderValue(Aws::Http::USER_AGENT_HEADER);
+    EXPECT_FALSE(userAgent.empty());
+
+    const auto userAgentParsed = Aws::Utils::StringUtils::Split(userAgent, ' ');
+
+    // Verify there's only one m/ section (no duplicate m/ sections)
+    int mSectionCount = 0;
+    for (const auto& part : userAgentParsed) {
+        if (part.find("m/") != Aws::String::npos) {
+            mSectionCount++;
+        }
+    }
+    EXPECT_EQ(1, mSectionCount);
+
+    // Check for profile credentials business metric (n) in user agent
+    auto businessMetrics = std::find_if(userAgentParsed.begin(), userAgentParsed.end(),
+        [](const Aws::String& value) { return value.find("m/") != Aws::String::npos && value.find("n") != Aws::String::npos; });
+
+    EXPECT_TRUE(businessMetrics != userAgentParsed.end());
+}
+
+TEST_F(CredentialTrackingTest, TestProcessCredentialsTracking)
+{
+    // Create temporary config file with credential_process
+    Aws::Utils::TempFile configFile(std::ios_base::out | std::ios_base::trunc);
+    ASSERT_TRUE(configFile.good());
+    configFile << "[default]" << std::endl;
+    configFile << "credential_process = echo " << WrapEchoStringWithSingleQuoteForUnixShell("{\"Version\": 1, \"AccessKeyId\": \"test-process-key\", \"SecretAccessKey\": \"test-process-secret\"}") << std::endl;
+    configFile.close();
+
+    // Set environment to use our test config file
+    Aws::Environment::EnvironmentRAII testEnvironment{{
+        {"AWS_CONFIG_FILE", configFile.GetFileName().c_str()},
+    }};
+
+    // Force reload config file after setting environment variable
+    Aws::Config::ReloadCachedConfigFile();
+
+    // Setup mock response
+    std::shared_ptr<HttpRequest> requestTmp =
+        CreateHttpRequest(Aws::Http::URI("dummy"), Aws::Http::HttpMethod::HTTP_POST,
+                        Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
+    auto successResponse = Aws::MakeShared<Standard::StandardHttpResponse>(ALLOCATION_TAG, requestTmp);
+    successResponse->SetResponseCode(HttpResponseCode::OK);
+    successResponse->GetResponseBody() << "{}";
+    mockHttpClient->AddResponseToReturn(successResponse);
+
+    // Create client configuration
+    Aws::Client::ClientConfigurationInitValues cfgInit;
+    cfgInit.shouldDisableIMDS = true;
+    Aws::Client::ClientConfiguration clientConfig(cfgInit);
+    clientConfig.region = Aws::Region::US_EAST_1;
+
+    // Create credential testing client that uses default provider chain
+    CredentialTestingClient client(clientConfig);
+
+    // Create mock request
+    AmazonWebServiceRequestMock mockRequest;
+
+    // Make request
+    auto outcome = client.MakeRequest(mockRequest);
+    ASSERT_TRUE(outcome.IsSuccess());
+
+    // Verify User-Agent contains process credentials tracking
+    auto lastRequest = mockHttpClient->GetMostRecentHttpRequest();
+    EXPECT_TRUE(lastRequest.HasHeader(Aws::Http::USER_AGENT_HEADER));
+    const auto& userAgent = lastRequest.GetHeaderValue(Aws::Http::USER_AGENT_HEADER);
+    EXPECT_FALSE(userAgent.empty());
+
+    const auto userAgentParsed = Aws::Utils::StringUtils::Split(userAgent, ' ');
+
+    // Verify there's only one m/ section (no duplicate m/ sections)
+    int mSectionCount = 0;
+    for (const auto& part : userAgentParsed) {
+        if (part.find("m/") != Aws::String::npos) {
+            mSectionCount++;
+        }
+    }
+    EXPECT_EQ(1, mSectionCount);
+
+    // Check for process credentials business metric (w) in user agent
+    auto businessMetrics = std::find_if(userAgentParsed.begin(), userAgentParsed.end(),
+        [](const Aws::String& value) { return value.find("m/") != Aws::String::npos && value.find("w") != Aws::String::npos; });
+
+    EXPECT_TRUE(businessMetrics != userAgentParsed.end());
+}
+
+TEST_F(CredentialTrackingTest, TestInstanceProfileCredentialsTracking)
+{
+    // Create mock EC2 metadata client with valid credentials
+    auto mockClient = Aws::MakeShared<MockEC2MetadataClient>(ALLOCATION_TAG);
+    const char* validCredentials = R"({ "AccessKeyId": "test-imds-access-key", "SecretAccessKey": "test-imds-secret-key", "Token": "test-imds-token", "Code": "Success", "Expiration": "2037-04-19T00:00:00Z" })";
+    mockClient->SetMockedCredentialsValue(validCredentials);
+
+    // Create IMDS credential provider with mock client
+    auto imdsProvider = Aws::MakeShared<InstanceProfileCredentialsProvider>(ALLOCATION_TAG,
+        Aws::MakeShared<Aws::Config::EC2InstanceProfileConfigLoader>(ALLOCATION_TAG, mockClient), 1000 * 60 * 15);
+
+    // Setup mock response for service call
+    std::shared_ptr<HttpRequest> requestTmp =
+        CreateHttpRequest(Aws::Http::URI("dummy"), Aws::Http::HttpMethod::HTTP_POST,
+                        Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
+    auto successResponse = Aws::MakeShared<Standard::StandardHttpResponse>(ALLOCATION_TAG, requestTmp);
+    successResponse->SetResponseCode(HttpResponseCode::OK);
+    successResponse->GetResponseBody() << "{}";
+    mockHttpClient->AddResponseToReturn(successResponse);
+
+    // Create client configuration
+    Aws::Client::ClientConfigurationInitValues cfgInit;
+    cfgInit.shouldDisableIMDS = false;
+    Aws::Client::ClientConfiguration clientConfig(cfgInit);
+    clientConfig.region = Aws::Region::US_EAST_1;
+
+    // Create credential testing client with IMDS provider
+    CredentialTestingClient client(clientConfig, imdsProvider);
+
+    // Create mock request
+    AmazonWebServiceRequestMock mockRequest;
+
+    // Make request
+    auto outcome = client.MakeRequest(mockRequest);
+    ASSERT_TRUE(outcome.IsSuccess());
+
+    // Verify User-Agent contains IMDS credentials tracking
+    auto lastRequest = mockHttpClient->GetMostRecentHttpRequest();
+    EXPECT_TRUE(lastRequest.HasHeader(Aws::Http::USER_AGENT_HEADER));
+    const auto& userAgent = lastRequest.GetHeaderValue(Aws::Http::USER_AGENT_HEADER);
+    EXPECT_FALSE(userAgent.empty());
+
+    const auto userAgentParsed = Aws::Utils::StringUtils::Split(userAgent, ' ');
+
+    // Verify there's only one m/ section (no duplicate m/ sections)
+    int mSectionCount = 0;
+    for (const auto& part : userAgentParsed) {
+        if (part.find("m/") != Aws::String::npos) {
+            mSectionCount++;
+        }
+    }
+    EXPECT_EQ(1, mSectionCount);
+
+    // Check for IMDS credentials business metric (0) in user agent
+    auto businessMetrics = std::find_if(userAgentParsed.begin(), userAgentParsed.end(),
+        [](const Aws::String& value) { return value.find("m/") != Aws::String::npos && value.find("0") != Aws::String::npos; });
+
+    EXPECT_TRUE(businessMetrics != userAgentParsed.end());
+}