ydb/contrib/restricted/aws/aws-c-auth/source/credentials_provider_cognito.c

/**
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 * SPDX-License-Identifier: Apache-2.0.
 */

#include <aws/auth/credentials.h>

#include <aws/auth/private/credentials_utils.h>
#include <aws/common/clock.h>
#include <aws/common/json.h>
#include <aws/common/string.h>
#include <aws/http/connection.h>
#include <aws/http/connection_manager.h>
#include <aws/http/request_response.h>
#include <aws/http/status_code.h>
#include <aws/io/channel_bootstrap.h>
#include <aws/io/retry_strategy.h>
#include <aws/io/socket.h>
#include <aws/io/stream.h>
#include <aws/io/tls_channel_handler.h>

#include <inttypes.h>

#define COGNITO_CONNECT_TIMEOUT_DEFAULT_IN_SECONDS 5
#define COGNITO_MAX_RETRIES 8
#define HTTP_REQUEST_BODY_INITIAL_SIZE 1024
#define HTTP_RESPONSE_BODY_INITIAL_SIZE 4096

static void s_on_connection_manager_shutdown(void *user_data);
static void s_on_connection_setup_fn(struct aws_http_connection *connection, int error_code, void *user_data);

struct aws_cognito_login {
    struct aws_byte_cursor identity_provider_name;
    struct aws_byte_cursor identity_provider_token;
    struct aws_byte_buf login_buffer;
};

static int s_aws_cognito_login_init(
    struct aws_cognito_login *login,
    struct aws_allocator *allocator,
    struct aws_byte_cursor identity_provider_name,
    struct aws_byte_cursor identity_provider_token) {
    AWS_ZERO_STRUCT(*login);

    login->identity_provider_name = identity_provider_name;
    login->identity_provider_token = identity_provider_token;

    return aws_byte_buf_init_cache_and_update_cursors(
        &login->login_buffer, allocator, &login->identity_provider_name, &login->identity_provider_token, NULL);
}

static void s_aws_cognito_login_clean_up(struct aws_cognito_login *login) {
    aws_byte_buf_clean_up(&login->login_buffer);

    AWS_ZERO_STRUCT(*login);
}

struct aws_credentials_provider_cognito_impl {
    struct aws_http_connection_manager *connection_manager;
    struct aws_retry_strategy *retry_strategy;
    const struct aws_auth_http_system_vtable *function_table;

    struct aws_string *endpoint;

    struct aws_string *identity;

    struct aws_array_list logins;

    struct aws_string *custom_role_arn;
};

struct cognito_user_data {
    struct aws_allocator *allocator;

    struct aws_credentials_provider *provider;

    aws_on_get_credentials_callback_fn *original_callback;
    void *original_user_data;

    struct aws_http_connection *connection;
    struct aws_http_message *get_credentials_request;
    struct aws_byte_buf request_body_buffer;
    struct aws_input_stream *request_body_stream;

    struct aws_retry_token *retry_token;
    struct aws_credentials *credentials;
    struct aws_byte_buf response_body;
};

static void s_user_data_reset(struct cognito_user_data *user_data) {
    aws_byte_buf_clean_up(&user_data->request_body_buffer);

    user_data->request_body_stream = aws_input_stream_release(user_data->request_body_stream);
    user_data->get_credentials_request = aws_http_message_release(user_data->get_credentials_request);

    struct aws_credentials_provider_cognito_impl *impl = user_data->provider->impl;
    if (user_data->connection != NULL) {
        impl->function_table->aws_http_connection_manager_release_connection(
            impl->connection_manager, user_data->connection);
        user_data->connection = NULL;
    }

    aws_byte_buf_reset(&user_data->response_body, false);
}

static void s_user_data_destroy(struct cognito_user_data *user_data) {
    if (user_data == NULL) {
        return;
    }

    s_user_data_reset(user_data);

    aws_byte_buf_clean_up(&user_data->response_body);
    aws_retry_token_release(user_data->retry_token);
    aws_credentials_provider_release(user_data->provider);
    aws_credentials_release(user_data->credentials);

    aws_mem_release(user_data->allocator, user_data);
}

static struct cognito_user_data *s_user_data_new(
    struct aws_credentials_provider *provider,
    aws_on_get_credentials_callback_fn callback,
    void *user_data) {

    struct aws_allocator *allocator = provider->allocator;
    struct cognito_user_data *cognito_user_data = aws_mem_calloc(allocator, 1, sizeof(struct cognito_user_data));
    cognito_user_data->allocator = allocator;

    aws_byte_buf_init(&cognito_user_data->response_body, cognito_user_data->allocator, HTTP_RESPONSE_BODY_INITIAL_SIZE);

    cognito_user_data->provider = aws_credentials_provider_acquire(provider);
    cognito_user_data->original_callback = callback;
    cognito_user_data->original_user_data = user_data;

    return cognito_user_data;
}

static void s_finalize_credentials_query(struct cognito_user_data *user_data, int error_code) {
    AWS_FATAL_ASSERT(user_data != NULL);

    if (user_data->credentials == NULL && error_code == AWS_ERROR_SUCCESS) {
        error_code = AWS_AUTH_CREDENTIALS_PROVIDER_COGNITO_SOURCE_FAILURE;
    }

    (user_data->original_callback)(user_data->credentials, error_code, user_data->original_user_data);

    s_user_data_destroy(user_data);
}

/* Keys per Cognito-Identity service model */
AWS_STATIC_STRING_FROM_LITERAL(s_credentials_key, "Credentials");
AWS_STATIC_STRING_FROM_LITERAL(s_access_key_id_name, "AccessKeyId");
AWS_STATIC_STRING_FROM_LITERAL(s_secret_access_key_name, "SecretKey");
AWS_STATIC_STRING_FROM_LITERAL(s_session_token_name, "SessionToken");
AWS_STATIC_STRING_FROM_LITERAL(s_expiration_name, "Expiration");

static int s_parse_credentials_from_response(struct cognito_user_data *user_data) {

    int result = AWS_OP_ERR;

    struct aws_json_value *response_document =
        aws_json_value_new_from_string(user_data->allocator, aws_byte_cursor_from_buf(&user_data->response_body));
    if (response_document == NULL) {
        goto done;
    }

    struct aws_json_value *credentials_entry =
        aws_json_value_get_from_object(response_document, aws_byte_cursor_from_string(s_credentials_key));
    if (credentials_entry == NULL) {
        goto done;
    }

    struct aws_parse_credentials_from_json_doc_options credentials_parse_options = {
        .access_key_id_name = aws_string_c_str(s_access_key_id_name),
        .secret_access_key_name = aws_string_c_str(s_secret_access_key_name),
        .token_name = aws_string_c_str(s_session_token_name),
        .expiration_name = aws_string_c_str(s_expiration_name),
        .expiration_format = AWS_PCEF_NUMBER_UNIX_EPOCH,
        .token_required = true,
        .expiration_required = true,
    };

    user_data->credentials =
        aws_parse_credentials_from_aws_json_object(user_data->allocator, credentials_entry, &credentials_parse_options);
    if (user_data->credentials == NULL) {
        goto done;
    }

    result = AWS_OP_SUCCESS;

done:

    aws_json_value_destroy(response_document);

    if (result != AWS_OP_SUCCESS) {
        aws_raise_error(AWS_AUTH_PROVIDER_PARSER_UNEXPECTED_RESPONSE);
    }

    return result;
}

static void s_on_retry_ready(struct aws_retry_token *token, int error_code, void *user_data) {
    (void)token;
    struct cognito_user_data *provider_user_data = user_data;

    if (error_code != AWS_ERROR_SUCCESS) {
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider retry task failed: %s",
            (void *)provider_user_data->provider,
            aws_error_str(error_code));
        s_finalize_credentials_query(user_data, error_code);
        return;
    }

    s_user_data_reset(provider_user_data);

    struct aws_credentials_provider_cognito_impl *impl = provider_user_data->provider->impl;

    impl->function_table->aws_http_connection_manager_acquire_connection(
        impl->connection_manager, s_on_connection_setup_fn, provider_user_data);
}

static void s_on_stream_complete_fn(struct aws_http_stream *stream, int error_code, void *user_data) {

    struct cognito_user_data *provider_user_data = user_data;
    struct aws_credentials_provider_cognito_impl *impl = provider_user_data->provider->impl;

    int http_response_code = 0;
    impl->function_table->aws_http_stream_get_incoming_response_status(stream, &http_response_code);

    if (http_response_code != 200) {
        error_code = AWS_AUTH_CREDENTIALS_PROVIDER_HTTP_STATUS_FAILURE;
    }

    impl->function_table->aws_http_stream_release(stream);

    AWS_LOGF_DEBUG(
        AWS_LS_AUTH_CREDENTIALS_PROVIDER,
        "(id=%p): GetCredentialsForIdentity call completed with http status %d",
        (void *)provider_user_data->provider,
        http_response_code);

    if (http_response_code == AWS_HTTP_STATUS_CODE_200_OK) {
        aws_retry_token_record_success(provider_user_data->retry_token);

        if (s_parse_credentials_from_response(provider_user_data) == AWS_OP_SUCCESS) {
            s_finalize_credentials_query(user_data, AWS_ERROR_SUCCESS);
            return;
        }

        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider failed to parse GetCredentialsForIdentity response",
            (void *)provider_user_data->provider);

        error_code = AWS_AUTH_PROVIDER_PARSER_UNEXPECTED_RESPONSE;
    }

    /* Success path is done, error-only from here on out */

    /* Unsure if this should be unconditional or a function of status code. STS does this unconditionally. */
    impl->function_table->aws_http_connection_close(provider_user_data->connection);

    enum aws_retry_error_type error_type =
        aws_credentials_provider_compute_retry_error_type(http_response_code, error_code);
    bool can_retry = http_response_code == 0 || error_type != AWS_RETRY_ERROR_TYPE_CLIENT_ERROR;
    if (!can_retry) {
        s_finalize_credentials_query(user_data, error_code);
        return;
    }

    if (aws_retry_strategy_schedule_retry(
            provider_user_data->retry_token, error_type, s_on_retry_ready, provider_user_data)) {
        error_code = aws_last_error();
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider failed to schedule retry: %s",
            (void *)provider_user_data->provider,
            aws_error_str(error_code));
        s_finalize_credentials_query(user_data, error_code);
        return;
    }
}

static int s_on_incoming_body_fn(struct aws_http_stream *stream, const struct aws_byte_cursor *data, void *user_data) {
    (void)stream;

    struct cognito_user_data *provider_user_data = user_data;
    return aws_byte_buf_append_dynamic(&provider_user_data->response_body, data);
}

AWS_STATIC_STRING_FROM_LITERAL(s_identity_id_key, "IdentityId");
AWS_STATIC_STRING_FROM_LITERAL(s_custom_role_arn_key, "CustomRoleArn");
AWS_STATIC_STRING_FROM_LITERAL(s_logins_key, "Logins");

int s_create_get_credentials_for_identity_body_buffer(
    struct aws_byte_buf *buffer,
    struct cognito_user_data *provider_user_data) {
    struct aws_allocator *allocator = provider_user_data->allocator;
    struct aws_credentials_provider_cognito_impl *impl = provider_user_data->provider->impl;

    int result = AWS_OP_ERR;

    struct aws_json_value *json_body = aws_json_value_new_object(allocator);
    if (json_body == NULL) {
        return AWS_OP_ERR;
    }

    struct aws_json_value *identity_string =
        aws_json_value_new_string(allocator, aws_byte_cursor_from_string(impl->identity));
    if (identity_string == NULL) {
        goto done;
    }

    if (aws_json_value_add_to_object(json_body, aws_byte_cursor_from_string(s_identity_id_key), identity_string)) {
        aws_json_value_destroy(identity_string);
        goto done;
    }

    if (impl->custom_role_arn != NULL) {
        struct aws_json_value *custom_role_arn_string =
            aws_json_value_new_string(allocator, aws_byte_cursor_from_string(impl->custom_role_arn));
        if (custom_role_arn_string == NULL) {
            goto done;
        }

        if (aws_json_value_add_to_object(
                json_body, aws_byte_cursor_from_string(s_custom_role_arn_key), custom_role_arn_string)) {
            aws_json_value_destroy(custom_role_arn_string);
            goto done;
        }
    }

    size_t login_count = aws_array_list_length(&impl->logins);
    if (login_count > 0) {
        struct aws_json_value *logins = aws_json_value_new_object(allocator);
        if (logins == NULL) {
            goto done;
        }

        if (aws_json_value_add_to_object(json_body, aws_byte_cursor_from_string(s_logins_key), logins)) {
            aws_json_value_destroy(logins);
            goto done;
        }

        for (size_t i = 0; i < login_count; ++i) {
            struct aws_cognito_login login;
            if (aws_array_list_get_at(&impl->logins, &login, i)) {
                goto done;
            }

            struct aws_json_value *login_value_string =
                aws_json_value_new_string(allocator, login.identity_provider_token);
            if (login_value_string == NULL) {
                goto done;
            }

            if (aws_json_value_add_to_object(logins, login.identity_provider_name, login_value_string)) {
                aws_json_value_destroy(login_value_string);
                goto done;
            }
        }
    }

    if (aws_byte_buf_append_json_string(json_body, buffer)) {
        goto done;
    }

    result = AWS_OP_SUCCESS;

done:

    aws_json_value_destroy(json_body);

    return result;
}

static struct aws_http_header s_content_type_header = {
    .name = AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("content-type"),
    .value = AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("application/x-amz-json-1.1"),
};

AWS_STATIC_STRING_FROM_LITERAL(s_get_credentials_for_identity_path, "/");

static struct aws_http_header s_x_amz_target_header = {
    .name = AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("X-Amz-Target"),
    .value = AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("AWSCognitoIdentityService.GetCredentialsForIdentity"),
};

static int s_create_get_credentials_for_identity_request(struct cognito_user_data *provider_user_data) {
    struct aws_credentials_provider_cognito_impl *impl = provider_user_data->provider->impl;

    struct aws_byte_buf body_buffer;
    AWS_ZERO_STRUCT(body_buffer);

    struct aws_input_stream *body_stream = NULL;
    struct aws_http_message *request = aws_http_message_new_request(provider_user_data->allocator);
    if (request == NULL) {
        return AWS_OP_ERR;
    }

    if (aws_http_message_set_request_method(request, aws_http_method_post)) {
        goto on_error;
    }

    if (aws_http_message_set_request_path(request, aws_byte_cursor_from_string(s_get_credentials_for_identity_path))) {
        goto on_error;
    }

    struct aws_http_header host_header = {
        .name = AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("host"),
        .value = aws_byte_cursor_from_string(impl->endpoint),
    };

    if (aws_http_message_add_header(request, host_header)) {
        goto on_error;
    }

    if (aws_http_message_add_header(request, s_content_type_header)) {
        goto on_error;
    }

    if (aws_http_message_add_header(request, s_x_amz_target_header)) {
        goto on_error;
    }

    if (aws_byte_buf_init(&body_buffer, provider_user_data->allocator, HTTP_REQUEST_BODY_INITIAL_SIZE)) {
        goto on_error;
    }

    if (s_create_get_credentials_for_identity_body_buffer(&body_buffer, provider_user_data)) {
        goto on_error;
    }

    char content_length[21];
    AWS_ZERO_ARRAY(content_length);
    snprintf(content_length, sizeof(content_length), "%" PRIu64, (uint64_t)body_buffer.len);

    struct aws_http_header content_length_header = {
        .name = AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("Content-Length"),
        .value = aws_byte_cursor_from_c_str(content_length),
    };

    if (aws_http_message_add_header(request, content_length_header)) {
        goto on_error;
    }

    struct aws_byte_cursor payload_cur = aws_byte_cursor_from_buf(&body_buffer);
    body_stream = aws_input_stream_new_from_cursor(provider_user_data->allocator, &payload_cur);
    if (body_stream == NULL) {
        goto on_error;
    }

    aws_http_message_set_body_stream(request, body_stream);

    provider_user_data->get_credentials_request = request;
    provider_user_data->request_body_buffer = body_buffer;
    provider_user_data->request_body_stream = body_stream;

    return AWS_OP_SUCCESS;

on_error:

    aws_byte_buf_clean_up(&body_buffer);
    aws_input_stream_release(body_stream);
    aws_http_message_release(request);

    return AWS_OP_ERR;
}

static void s_on_connection_setup_fn(struct aws_http_connection *connection, int error_code, void *user_data) {
    struct cognito_user_data *wrapped_user_data = user_data;
    struct aws_http_stream *stream = NULL;
    struct aws_credentials_provider_cognito_impl *impl = wrapped_user_data->provider->impl;

    if (connection == NULL) {
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider failed to acquire http connection: %s",
            (void *)wrapped_user_data->provider,
            aws_error_debug_str(error_code));
        goto on_error;
    }

    wrapped_user_data->connection = connection;
    if (s_create_get_credentials_for_identity_request(wrapped_user_data)) {
        error_code = aws_last_error();
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider failed to create http request: %s",
            (void *)wrapped_user_data->provider,
            aws_error_debug_str(error_code));
        goto on_error;
    }

    struct aws_http_make_request_options options = {
        .user_data = user_data,
        .request = wrapped_user_data->get_credentials_request,
        .self_size = sizeof(struct aws_http_make_request_options),
        .on_response_headers = NULL,
        .on_response_header_block_done = NULL,
        .on_response_body = s_on_incoming_body_fn,
        .on_complete = s_on_stream_complete_fn,
    };

    stream = impl->function_table->aws_http_connection_make_request(connection, &options);
    if (!stream) {
        error_code = aws_last_error();
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider failed to create http stream: %s",
            (void *)wrapped_user_data->provider,
            aws_error_debug_str(error_code));
        goto on_error;
    }

    if (impl->function_table->aws_http_stream_activate(stream)) {
        error_code = aws_last_error();
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider failed to activate http stream: %s",
            (void *)wrapped_user_data->provider,
            aws_error_debug_str(error_code));
        goto on_error;
    }

    return;

on_error:

    impl->function_table->aws_http_stream_release(stream);
    s_finalize_credentials_query(wrapped_user_data, error_code);
}

static void s_on_retry_token_acquired(
    struct aws_retry_strategy *strategy,
    int error_code,
    struct aws_retry_token *token,
    void *user_data) {
    (void)strategy;
    struct cognito_user_data *wrapped_user_data = user_data;

    if (token == NULL) {
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider failed to acquire retry token: %s",
            (void *)wrapped_user_data->provider,
            aws_error_debug_str(error_code));
        s_finalize_credentials_query(wrapped_user_data, error_code);
        return;
    }

    wrapped_user_data->retry_token = token;

    struct aws_credentials_provider_cognito_impl *impl = wrapped_user_data->provider->impl;

    impl->function_table->aws_http_connection_manager_acquire_connection(
        impl->connection_manager, s_on_connection_setup_fn, wrapped_user_data);
}

static int s_credentials_provider_cognito_get_credentials_async(
    struct aws_credentials_provider *provider,
    aws_on_get_credentials_callback_fn callback,
    void *user_data) {

    struct aws_credentials_provider_cognito_impl *impl = provider->impl;

    struct cognito_user_data *wrapped_user_data = s_user_data_new(provider, callback, user_data);
    if (wrapped_user_data == NULL) {
        goto on_error;
    }

    if (aws_retry_strategy_acquire_retry_token(
            impl->retry_strategy, NULL, s_on_retry_token_acquired, wrapped_user_data, 100)) {
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider failed to acquire retry token with error %s",
            (void *)provider,
            aws_error_debug_str(aws_last_error()));
        goto on_error;
    }

    return AWS_OP_SUCCESS;

on_error:

    s_user_data_destroy(wrapped_user_data);

    return AWS_OP_ERR;
}

static void s_credentials_provider_cognito_destroy(struct aws_credentials_provider *provider) {
    struct aws_credentials_provider_cognito_impl *impl = provider->impl;
    if (impl == NULL) {
        return;
    }

    /* aws_http_connection_manager_release will eventually leads to call of s_on_connection_manager_shutdown,
     * which will do memory release for provider and impl.
     */
    if (impl->connection_manager) {
        impl->function_table->aws_http_connection_manager_release(impl->connection_manager);
    } else {
        /* If provider setup failed halfway through, connection_manager might not exist.
         * In this case invoke shutdown completion callback directly to finish cleanup */
        s_on_connection_manager_shutdown(provider);
    }

    /* freeing the provider takes place in the shutdown callback below */
}

static struct aws_credentials_provider_vtable s_aws_credentials_provider_cognito_vtable = {
    .get_credentials = s_credentials_provider_cognito_get_credentials_async,
    .destroy = s_credentials_provider_cognito_destroy,
};

static void s_on_connection_manager_shutdown(void *user_data) {
    struct aws_credentials_provider *provider = user_data;

    aws_credentials_provider_invoke_shutdown_callback(provider);

    struct aws_credentials_provider_cognito_impl *impl = provider->impl;

    aws_retry_strategy_release(impl->retry_strategy);

    aws_string_destroy(impl->endpoint);
    aws_string_destroy(impl->identity);
    aws_string_destroy(impl->custom_role_arn);

    for (size_t i = 0; i < aws_array_list_length(&impl->logins); ++i) {
        struct aws_cognito_login login;
        if (aws_array_list_get_at(&impl->logins, &login, i)) {
            continue;
        }

        s_aws_cognito_login_clean_up(&login);
    }

    aws_array_list_clean_up(&impl->logins);

    aws_mem_release(provider->allocator, provider);
}

static int s_validate_options(const struct aws_credentials_provider_cognito_options *options) {
    if (options == NULL) {
        return AWS_OP_ERR;
    }

    if (options->tls_ctx == NULL) {
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(static) Cognito credentials provider options must include a TLS context");
        return AWS_OP_ERR;
    }

    if (options->bootstrap == NULL) {
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(static) Cognito credentials provider options must include a client bootstrap");
        return AWS_OP_ERR;
    }

    if (options->endpoint.len == 0) {
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(static) Cognito credentials provider options must have a non-empty endpoint");
        return AWS_OP_ERR;
    }

    if (options->identity.len == 0) {
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(static) Cognito credentials provider options must have a non-empty identity");
        return AWS_OP_ERR;
    }

    return AWS_OP_SUCCESS;
}

struct aws_credentials_provider *aws_credentials_provider_new_cognito(
    struct aws_allocator *allocator,
    const struct aws_credentials_provider_cognito_options *options) {

    struct aws_credentials_provider *provider = NULL;
    struct aws_credentials_provider_cognito_impl *impl = NULL;

    if (s_validate_options(options)) {
        aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);
        return NULL;
    }

    aws_mem_acquire_many(
        allocator,
        2,
        &provider,
        sizeof(struct aws_credentials_provider),
        &impl,
        sizeof(struct aws_credentials_provider_cognito_impl));

    if (!provider) {
        return NULL;
    }

    AWS_ZERO_STRUCT(*provider);
    AWS_ZERO_STRUCT(*impl);

    aws_credentials_provider_init_base(provider, allocator, &s_aws_credentials_provider_cognito_vtable, impl);

    struct aws_tls_connection_options tls_connection_options;
    AWS_ZERO_STRUCT(tls_connection_options);
    aws_tls_connection_options_init_from_ctx(&tls_connection_options, options->tls_ctx);
    struct aws_byte_cursor host = options->endpoint;
    if (aws_tls_connection_options_set_server_name(&tls_connection_options, allocator, &host)) {
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider failed to create tls connection options with error %s",
            (void *)provider,
            aws_error_debug_str(aws_last_error()));
        goto on_error;
    }

    struct aws_socket_options socket_options;
    AWS_ZERO_STRUCT(socket_options);
    socket_options.type = AWS_SOCKET_STREAM;
    socket_options.domain = AWS_SOCKET_IPV4;
    socket_options.connect_timeout_ms = (uint32_t)aws_timestamp_convert(
        COGNITO_CONNECT_TIMEOUT_DEFAULT_IN_SECONDS, AWS_TIMESTAMP_SECS, AWS_TIMESTAMP_MILLIS, NULL);

    struct aws_http_connection_manager_options manager_options;
    AWS_ZERO_STRUCT(manager_options);
    manager_options.bootstrap = options->bootstrap;
    manager_options.initial_window_size = SIZE_MAX;
    manager_options.socket_options = &socket_options;
    manager_options.host = options->endpoint;
    manager_options.port = 443;
    manager_options.max_connections = 2;
    manager_options.shutdown_complete_callback = s_on_connection_manager_shutdown;
    manager_options.shutdown_complete_user_data = provider;
    manager_options.tls_connection_options = &tls_connection_options;
    manager_options.proxy_options = options->http_proxy_options;

    impl->function_table = options->function_table;
    if (impl->function_table == NULL) {
        impl->function_table = g_aws_credentials_provider_http_function_table;
    }

    impl->connection_manager = impl->function_table->aws_http_connection_manager_new(allocator, &manager_options);
    if (impl->connection_manager == NULL) {
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider failed to create http connection manager with error %s",
            (void *)provider,
            aws_error_debug_str(aws_last_error()));
        goto on_error;
    }

    impl->endpoint = aws_string_new_from_cursor(allocator, &options->endpoint);
    impl->identity = aws_string_new_from_cursor(allocator, &options->identity);

    if (options->custom_role_arn != NULL) {
        impl->custom_role_arn = aws_string_new_from_cursor(allocator, options->custom_role_arn);
    }

    aws_array_list_init_dynamic(&impl->logins, allocator, options->login_count, sizeof(struct aws_cognito_login));

    for (size_t i = 0; i < options->login_count; ++i) {
        struct aws_cognito_identity_provider_token_pair *login_token_pair = &options->logins[i];

        struct aws_cognito_login login;
        if (s_aws_cognito_login_init(
                &login,
                allocator,
                login_token_pair->identity_provider_name,
                login_token_pair->identity_provider_token)) {
            AWS_LOGF_ERROR(
                AWS_LS_AUTH_CREDENTIALS_PROVIDER,
                "(id=%p): Cognito credentials provider failed to initialize login entry with error %s",
                (void *)provider,
                aws_error_debug_str(aws_last_error()));
            goto on_error;
        }

        aws_array_list_push_back(&impl->logins, &login);
    }

    struct aws_standard_retry_options retry_options = {
        .backoff_retry_options =
            {
                .el_group = options->bootstrap->event_loop_group,
                .max_retries = COGNITO_MAX_RETRIES,
            },
    };

    impl->retry_strategy = aws_retry_strategy_new_standard(allocator, &retry_options);
    if (!impl->retry_strategy) {
        AWS_LOGF_ERROR(
            AWS_LS_AUTH_CREDENTIALS_PROVIDER,
            "(id=%p): Cognito credentials provider failed to create a retry strategy with error %s",
            (void *)provider,
            aws_error_debug_str(aws_last_error()));
        goto on_error;
    }

    provider->shutdown_options = options->shutdown_options;

    aws_tls_connection_options_clean_up(&tls_connection_options);

    return provider;

on_error:

    aws_tls_connection_options_clean_up(&tls_connection_options);
    aws_credentials_provider_destroy(provider);

    return NULL;
}

/*************************************************************************/

#define DEFAULT_CREDENTIAL_PROVIDER_REFRESH_MS (15 * 60 * 1000)

/*
 * Cognito provider with caching implementation
 */
struct aws_credentials_provider *aws_credentials_provider_new_cognito_caching(
    struct aws_allocator *allocator,
    const struct aws_credentials_provider_cognito_options *options) {

    struct aws_credentials_provider *cognito_provider = NULL;
    struct aws_credentials_provider *caching_provider = NULL;

    cognito_provider = aws_credentials_provider_new_cognito(allocator, options);
    if (cognito_provider == NULL) {
        goto on_error;
    }

    struct aws_credentials_provider_cached_options cached_options = {
        .source = cognito_provider,
        .refresh_time_in_milliseconds = DEFAULT_CREDENTIAL_PROVIDER_REFRESH_MS,
    };

    caching_provider = aws_credentials_provider_new_cached(allocator, &cached_options);
    if (caching_provider == NULL) {
        goto on_error;
    }

    aws_credentials_provider_release(cognito_provider);

    return caching_provider;

on_error:

    aws_credentials_provider_release(caching_provider);
    aws_credentials_provider_release(cognito_provider);

    return NULL;
}