aws-amplify
diff --git a/‎Amplify.xcodeproj/project.pbxproj‎
Lines changed: 4 additions & 0 deletions b/‎Amplify.xcodeproj/project.pbxproj‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎AmplifyPlugins/API/APICategoryPlugin.xcodeproj/project.pbxproj‎
Lines changed: 20 additions & 0 deletions b/‎AmplifyPlugins/API/APICategoryPlugin.xcodeproj/project.pbxproj‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎AmplifyPlugins/API/AWSAPICategoryPlugin/Interceptor/SubscriptionInterceptor/IAMAuthInterceptor.swift‎
Lines changed: 99 additions & 34 deletions b/‎AmplifyPlugins/API/AWSAPICategoryPlugin/Interceptor/SubscriptionInterceptor/IAMAuthInterceptor.swift‎
Lines changed: 99 additions & 34 deletions
@@ -47,6 +47,7 @@
 		212CE70E23E9E991007D8E71 /* PaginationDecorator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 212CE70923E9E991007D8E71 /* PaginationDecorator.swift */; };
 		212CE70F23E9E991007D8E71 /* ModelDecorator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 212CE70A23E9E991007D8E71 /* ModelDecorator.swift */; };
 		212CE71323E9F2ED007D8E71 /* DirectiveNameDecorator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 212CE71223E9F2ED007D8E71 /* DirectiveNameDecorator.swift */; };
+		2136FAE72620366700A95F6F /* MockAWSSignatureV4Signer.swift in Sources */ = {isa = PBXBuildFile; fileRef = 2136FAE62620366700A95F6F /* MockAWSSignatureV4Signer.swift */; };
 		21409C552384C55D000A53C9 /* LabelType.swift in Sources */ = {isa = PBXBuildFile; fileRef = 21409C542384C55D000A53C9 /* LabelType.swift */; };
 		21409C5A2384C57D000A53C9 /* GraphQLMutationType.swift in Sources */ = {isa = PBXBuildFile; fileRef = 21409C572384C57D000A53C9 /* GraphQLMutationType.swift */; };
 		21409C5B2384C57D000A53C9 /* GraphQLQueryType.swift in Sources */ = {isa = PBXBuildFile; fileRef = 21409C582384C57D000A53C9 /* GraphQLQueryType.swift */; };
@@ -856,6 +857,7 @@
 		212CE71C23EA1847007D8E71 /* GraphQLSyncQueryTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = GraphQLSyncQueryTests.swift; sourceTree = "<group>"; };
 		212CE72023EA184F007D8E71 /* GraphQLSubscriptionTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = GraphQLSubscriptionTests.swift; sourceTree = "<group>"; };
 		213481D8242AFA62001966DE /* AnyModelTester.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AnyModelTester.swift; sourceTree = "<group>"; };
+		2136FAE62620366700A95F6F /* MockAWSSignatureV4Signer.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockAWSSignatureV4Signer.swift; sourceTree = "<group>"; };
 		21409C4C23847E41000A53C9 /* LabelType.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = LabelType.swift; sourceTree = "<group>"; };
 		21409C542384C55D000A53C9 /* LabelType.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = LabelType.swift; sourceTree = "<group>"; };
 		21409C572384C57D000A53C9 /* GraphQLMutationType.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = GraphQLMutationType.swift; sourceTree = "<group>"; };
@@ -3147,6 +3149,7 @@
 				FA131AE023610B6A0008381C /* AWSPluginsTestCommon.h */,
 				FA131AE123610B6A0008381C /* Info.plist */,
 				2125E2A72321DCDD00B3DEB5 /* MockAWSAuthService.swift */,
+				2136FAE62620366700A95F6F /* MockAWSSignatureV4Signer.swift */,
 			);
 			path = AWSPluginsTestCommon;
 			sourceTree = "<group>";
@@ -4738,6 +4741,7 @@
 			buildActionMask = 2147483647;
 			files = (
 				FAB2C9A52384B21C008EE879 /* MockAWSAuthService.swift in Sources */,
+				2136FAE72620366700A95F6F /* MockAWSSignatureV4Signer.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
 
@@ -20,6 +20,9 @@
 		212B29212592454400593ED5 /* AppSyncListPayload.swift in Sources */ = {isa = PBXBuildFile; fileRef = 212B29202592454400593ED5 /* AppSyncListPayload.swift */; };
 		212B298B2592519800593ED5 /* GraphQLConnectionScenario3Tests+List.swift in Sources */ = {isa = PBXBuildFile; fileRef = 212B298A2592519800593ED5 /* GraphQLConnectionScenario3Tests+List.swift */; };
 		212B299F259251F100593ED5 /* GraphQLModelBasedTests+List.swift in Sources */ = {isa = PBXBuildFile; fileRef = 212B299E259251F100593ED5 /* GraphQLModelBasedTests+List.swift */; };
+		2136FAAE261FF96600A95F6F /* GraphQLWithIAMIntegrationTests-credentials.json in Resources */ = {isa = PBXBuildFile; fileRef = 2136FAAC261FF96400A95F6F /* GraphQLWithIAMIntegrationTests-credentials.json */; };
+		2136FAAF261FF96600A95F6F /* GraphQLWithIAMIntegrationTests-amplifyconfiguration.json in Resources */ = {isa = PBXBuildFile; fileRef = 2136FAAD261FF96500A95F6F /* GraphQLWithIAMIntegrationTests-amplifyconfiguration.json */; };
+		2136FABB262022D700A95F6F /* IAMAuthInterceptorTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 2136FABA262022D700A95F6F /* IAMAuthInterceptorTests.swift */; };
 		21409C4F2384BA7E000A53C9 /* APIOperationResponse.swift in Sources */ = {isa = PBXBuildFile; fileRef = 21409C4E2384BA7E000A53C9 /* APIOperationResponse.swift */; };
 		21409C602384DF17000A53C9 /* RESTOperationRequest+RESTRequest.swift in Sources */ = {isa = PBXBuildFile; fileRef = 21409C5F2384DF17000A53C9 /* RESTOperationRequest+RESTRequest.swift */; };
 		21409C7223850BEE000A53C9 /* Todo.swift in Sources */ = {isa = PBXBuildFile; fileRef = 21409C7123850BEE000A53C9 /* Todo.swift */; };
@@ -315,6 +318,9 @@
 		212B29202592454400593ED5 /* AppSyncListPayload.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppSyncListPayload.swift; sourceTree = "<group>"; };
 		212B298A2592519800593ED5 /* GraphQLConnectionScenario3Tests+List.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = "GraphQLConnectionScenario3Tests+List.swift"; sourceTree = "<group>"; };
 		212B299E259251F100593ED5 /* GraphQLModelBasedTests+List.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = "GraphQLModelBasedTests+List.swift"; sourceTree = "<group>"; };
+		2136FAAC261FF96400A95F6F /* GraphQLWithIAMIntegrationTests-credentials.json */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.json; path = "GraphQLWithIAMIntegrationTests-credentials.json"; sourceTree = "<group>"; };
+		2136FAAD261FF96500A95F6F /* GraphQLWithIAMIntegrationTests-amplifyconfiguration.json */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.json; path = "GraphQLWithIAMIntegrationTests-amplifyconfiguration.json"; sourceTree = "<group>"; };
+		2136FABA262022D700A95F6F /* IAMAuthInterceptorTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = IAMAuthInterceptorTests.swift; sourceTree = "<group>"; };
 		21409C4E2384BA7E000A53C9 /* APIOperationResponse.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = APIOperationResponse.swift; sourceTree = "<group>"; };
 		21409C5F2384DF17000A53C9 /* RESTOperationRequest+RESTRequest.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = "RESTOperationRequest+RESTRequest.swift"; sourceTree = "<group>"; };
 		21409C6723850A9E000A53C9 /* AWSAPICategoryPluginTestCommon.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = AWSAPICategoryPluginTestCommon.framework; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -650,6 +656,14 @@
 			path = AuthDirective;
 			sourceTree = "<group>";
 		};
+		2136FAB9262022C000A95F6F /* SubscriptionInterceptor */ = {
+			isa = PBXGroup;
+			children = (
+				2136FABA262022D700A95F6F /* IAMAuthInterceptorTests.swift */,
+			);
+			path = SubscriptionInterceptor;
+			sourceTree = "<group>";
+		};
 		21409C612384F7FD000A53C9 /* Models */ = {
 			isa = PBXGroup;
 			children = (
@@ -772,6 +786,8 @@
 		217856612380C60400A30D19 /* GraphQLWithIAMIntegrationTests */ = {
 			isa = PBXGroup;
 			children = (
+				2136FAAD261FF96500A95F6F /* GraphQLWithIAMIntegrationTests-amplifyconfiguration.json */,
+				2136FAAC261FF96400A95F6F /* GraphQLWithIAMIntegrationTests-credentials.json */,
 				217856622380C60400A30D19 /* GraphQLWithIAMIntegrationTests.swift */,
 				217856642380C60400A30D19 /* Info.plist */,
 				21598CE823A0037800529F29 /* README.md */,
@@ -1186,6 +1202,7 @@
 			children = (
 				B4DFA5DB237A611D0013E17B /* APIKeyURLRequestInterceptorTests.swift */,
 				B4DFA5DC237A611D0013E17B /* IAMURLRequestInterceptorTests.swift */,
+				2136FAB9262022C000A95F6F /* SubscriptionInterceptor */,
 				B4DFA5DA237A611D0013E17B /* UserPoolRequestInterceptorTests.swift */,
 			);
 			path = Interceptor;
@@ -1611,10 +1628,12 @@
 				219A88A223EE034F00BBC5F2 /* RESTWithUserPoolIntegrationTests-amplifyconfiguration.json in Resources */,
 				21598CE3239FF54E00529F29 /* RESTWithIAMIntegrationTests-amplifyconfiguration.json in Resources */,
 				21233D0B2469EBA000039337 /* GraphQLAuthDirectiveIntegrationTests-amplifyconfiguration.json in Resources */,
+				2136FAAF261FF96600A95F6F /* GraphQLWithIAMIntegrationTests-amplifyconfiguration.json in Resources */,
 				B478F6E32374E0CF00C4F92B /* Main.storyboard in Resources */,
 				B478F6E12374E0CF00C4F92B /* Assets.xcassets in Resources */,
 				21598CF223A0164A00529F29 /* GraphQLWithUserPoolIntegrationTests-amplifyconfiguration.json in Resources */,
 				21F40A2B23A0423C0074678E /* GraphQLSyncBasedTests-amplifyconfiguration.json in Resources */,
+				2136FAAE261FF96600A95F6F /* GraphQLWithIAMIntegrationTests-credentials.json in Resources */,
 				21F40A2E23A0707E0074678E /* GraphQLModelBasedTests-amplifyconfiguration.json in Resources */,
 				219A88A523EE054000BBC5F2 /* RESTWithUserPoolIntegrationTests-credentials.json in Resources */,
 				21A3EFC623A946590095D8E6 /* GraphQLWithUserPoolIntegrationTests-credentials.json in Resources */,
@@ -2374,6 +2393,7 @@
 			isa = PBXSourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				2136FABB262022D700A95F6F /* IAMAuthInterceptorTests.swift in Sources */,
 				B4DFA5EE237A611D0013E17B /* RESTRequestUtilsTests.swift in Sources */,
 				B4DFA5F0237A611D0013E17B /* RESTRequestUtils+ValidatorTests.swift in Sources */,
 				B4DFA5F2237A611D0013E17B /* RESTOperationRequestValidateTests.swift in Sources */,
 
@@ -13,6 +13,13 @@ import AppSyncRealTimeClient
 
 class IAMAuthInterceptor: AuthInterceptor {
 
+    private static let defaultLowercasedHeaderKeys: Set = [SubscriptionConstants.authorizationkey.lowercased(),
+                                                           RealtimeProviderConstants.acceptKey.lowercased(),
+                                                           RealtimeProviderConstants.contentEncodingKey.lowercased(),
+                                                           RealtimeProviderConstants.contentTypeKey.lowercased(),
+                                                           RealtimeProviderConstants.amzDate.lowercased(),
+                                                           RealtimeProviderConstants.iamSecurityTokenKey.lowercased()]
+
     let authProvider: AWSCredentialsProvider
     let region: AWSRegionType
 
@@ -77,12 +84,34 @@ class IAMAuthInterceptor: AuthInterceptor {
         }
         let signer: AWSSignatureV4Signer = AWSSignatureV4Signer(credentialsProvider: authProvider,
                                                                 endpoint: awsEndpoint)
-        let semaphore = DispatchSemaphore(value: 0)
         let mutableRequest = NSMutableURLRequest(url: endpoint)
+        return getAuthHeader(host: host,
+                             mutableRequest: mutableRequest,
+                             signer: signer,
+                             amzDate: date,
+                             payload: payload)
+    }
+
+    /// The process of getting the auth header for an IAM based authencation request is as follows:
+    ///
+    /// 1. A request is created with the IAM based auth headers (date,  accept, content encoding, content type, and
+    /// additional headers from the `mutableRequest`.
+    ///
+    /// 2. The request is SigV4 signed by using all the available headers on the request. By signing the request, the signature is added to
+    /// the request headers as authorization and security token.
+    ///
+    /// 3. The signed request headers are stored in an `IAMAuthenticationHeader` object, used for further encoding to
+    /// be added to the request for establishing the subscription connection.
+    func getAuthHeader(host: String,
+                       mutableRequest: NSMutableURLRequest,
+                       signer: AWSSignatureV4Signer,
+                       amzDate: String,
+                       payload: String) -> IAMAuthenticationHeader {
+        let semaphore = DispatchSemaphore(value: 0)
         mutableRequest.httpMethod = "POST"
         mutableRequest.addValue(RealtimeProviderConstants.iamAccept,
                                 forHTTPHeaderField: RealtimeProviderConstants.acceptKey)
-        mutableRequest.addValue(date, forHTTPHeaderField: RealtimeProviderConstants.amzDate)
+        mutableRequest.addValue(amzDate, forHTTPHeaderField: RealtimeProviderConstants.amzDate)
         mutableRequest.addValue(RealtimeProviderConstants.iamEncoding,
                                 forHTTPHeaderField: RealtimeProviderConstants.contentEncodingKey)
         mutableRequest.addValue(RealtimeProviderConstants.iamConentType,
@@ -94,61 +123,97 @@ class IAMAuthInterceptor: AuthInterceptor {
             return nil
         }
         semaphore.wait()
+
         let authorization = mutableRequest.allHTTPHeaderFields?[SubscriptionConstants.authorizationkey] ?? ""
         let securityToken = mutableRequest.allHTTPHeaderFields?[RealtimeProviderConstants.iamSecurityTokenKey] ?? ""
-        let authHeader = IAMAuthenticationHeader(authorization: authorization,
-                                                 host: host,
-                                                 token: securityToken,
-                                                 date: date,
-                                                 accept: RealtimeProviderConstants.iamAccept,
-                                                 contentEncoding: RealtimeProviderConstants.iamEncoding,
-                                                 contentType: RealtimeProviderConstants.iamConentType)
-        return authHeader
+        let additionalHeaders = mutableRequest.allHTTPHeaderFields?.filter {
+            !Self.defaultLowercasedHeaderKeys.contains($0.key.lowercased())
+        }
+
+        return IAMAuthenticationHeader(host: host,
+                                       authorization: authorization,
+                                       securityToken: securityToken,
+                                       amzDate: amzDate,
+                                       accept: RealtimeProviderConstants.iamAccept,
+                                       contentEncoding: RealtimeProviderConstants.iamEncoding,
+                                       contentType: RealtimeProviderConstants.iamConentType,
+                                       additionalHeaders: additionalHeaders)
     }
 }
 
-/// Authentication header for IAM based auth
-private class IAMAuthenticationHeader: AuthenticationHeader {
+/// Stores the headers for an IAM based authentication. This object can be serialized to a JSON object and passed as the
+/// headers value for establishing subscription connections. This is used as part of the overall interceptor logic
+/// which expects a subclass of `AuthenticationHeader` to be returned.
+/// See `IAMAuthInterceptor.getAuthHeader` for more details.
+class IAMAuthenticationHeader: AuthenticationHeader {
     let authorization: String
     let securityToken: String
-    let date: String
+    let amzDate: String
     let accept: String
     let contentEncoding: String
     let contentType: String
 
-    init(authorization: String,
-         host: String,
-         token: String,
-         date: String,
+    /// Additional headers that are not one of the expected headers in the request, but because additional headers are
+    /// also signed (and added the authorization header), they are required to be stored here to be further encoded.
+    let additionalHeaders: [String: String]?
+
+    init(host: String,
+         authorization: String,
+         securityToken: String,
+         amzDate: String,
          accept: String,
          contentEncoding: String,
-         contentType: String) {
-        self.date = date
+         contentType: String,
+         additionalHeaders: [String: String]?) {
         self.authorization = authorization
-        self.securityToken = token
+        self.securityToken = securityToken
+        self.amzDate = amzDate
         self.accept = accept
         self.contentEncoding = contentEncoding
         self.contentType = contentType
+        self.additionalHeaders = additionalHeaders
         super.init(host: host)
     }
 
-    private enum CodingKeys: String, CodingKey {
-        case authorization = "Authorization"
-        case accept
-        case contentEncoding = "content-encoding"
-        case contentType = "content-type"
-        case date = "x-amz-date"
-        case securityToken = "x-amz-security-token"
+    private struct DynamicCodingKeys: CodingKey {
+        var stringValue: String
+        init?(stringValue: String) {
+            self.stringValue = stringValue
+        }
+        var intValue: Int?
+        init?(intValue: Int) {
+            // We are not using this, thus just return nil. If we don't return nil, then it is expected all of the
+            // stored properties are initialized, forcing the implementation to have logic that maintains the two
+            // properties `stringValue` and `intValue`. Since we don't have a string representation of an int value
+            // and aren't using int values for determining the coding key, then simply return nil since the encoder
+            // will always pass in the header key string.
+            self.intValue = intValue
+            self.stringValue = ""
+
+        }
     }
 
     override func encode(to encoder: Encoder) throws {
-        var container = encoder.container(keyedBy: CodingKeys.self)
-        try container.encode(authorization, forKey: .authorization)
-        try container.encode(accept, forKey: .accept)
-        try container.encode(contentEncoding, forKey: .contentEncoding)
-        try container.encode(contentType, forKey: .contentType)
-        try container.encode(date, forKey: .date)
-        try container.encode(securityToken, forKey: .securityToken)
+        var container = encoder.container(keyedBy: DynamicCodingKeys.self)
+        // Force unwrapping when creating a `DynamicCodingKeys` will always be successful since the string constructor
+        // will never return nil even though the constructor is optional (conformance to CodingKey).
+        try container.encode(authorization,
+                             forKey: DynamicCodingKeys(stringValue: SubscriptionConstants.authorizationkey)!)
+        try container.encode(securityToken,
+                             forKey: DynamicCodingKeys(stringValue: RealtimeProviderConstants.iamSecurityTokenKey)!)
+        try container.encode(amzDate,
+                             forKey: DynamicCodingKeys(stringValue: RealtimeProviderConstants.amzDate)!)
+        try container.encode(accept,
+                             forKey: DynamicCodingKeys(stringValue: RealtimeProviderConstants.acceptKey)!)
+        try container.encode(contentEncoding,
+                             forKey: DynamicCodingKeys(stringValue: RealtimeProviderConstants.contentEncodingKey)!)
+        try container.encode(contentType,
+                             forKey: DynamicCodingKeys(stringValue: RealtimeProviderConstants.contentTypeKey)!)
+        if let headers = additionalHeaders {
+            for (key, value) in headers {
+                try container.encode(value, forKey: DynamicCodingKeys(stringValue: key)!)
+            }
+        }
         try super.encode(to: encoder)
     }
 }