Add support for client level auth resolution with preferences

Author: sbaluja

src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h

@@ -563,6 +563,12 @@ namespace Aws
               std::chrono::milliseconds credentialCacheCacheTTL = std::chrono::minutes(50);
             } stsCredentialsProviderConfig;
           } credentialProviderConfig;
+
+          /**
+           * Authentication scheme preferences in order of preference.
+           * First available auth scheme will be used for each operation.
+           */
+          Aws::Vector<Aws::String> authPreferences;
         };
 
         /**

src/aws-cpp-sdk-core/include/smithy/client/AwsSmithyClient.h

@@ -163,6 +163,7 @@ namespace client
             identityParams.serviceName = m_serviceName;
             identityParams.operation = ctx.m_requestName;
             identityParams.region = m_clientConfiguration.region;
+            identityParams.authPreferences = m_clientConfiguration.authPreferences;
 
             if (ctx.m_pRequest) {
                 // refactor once auth scheme resolver will use it's own rule set

src/aws-cpp-sdk-core/include/smithy/identity/auth/AuthSchemeResolverBase.h

@@ -9,9 +9,23 @@
 
 #include <aws/crt/Variant.h>
 #include <aws/core/utils/memory/stl/AWSMap.h>
-
+#include <aws/core/utils/memory/stl/AWSVector.h>
 
 namespace smithy {
+
+static char SIGV4_PREFERENCE[] = "sigv4";
+static char SIGV4A_PREFERENCE[] = "sigv4a";
+static char BEARER_PREFERENCE[] = "bearer";
+static char NO_AUTH_PREFERENCE[] = "noauth";
+
+// Global map from auth scheme name (trimmed ID) to full ID for case insensitive lookup
+static const Aws::UnorderedMap<Aws::String, Aws::String> AUTH_SCHEME_NAME_TO_ID = {
+  {SIGV4_PREFERENCE, "aws.auth#sigv4"},
+  {SIGV4A_PREFERENCE, "aws.auth#sigv4a"},
+  {BEARER_PREFERENCE, "smithy.api#HTTPBearerAuth"},
+  {NO_AUTH_PREFERENCE, "smithy.api#noAuth"}
+};
+
 /**
 * A base interface for code-generated interfaces for passing in the data required for determining the
 * authentication scheme. By default, this only includes the operation name.
@@ -22,6 +36,7 @@ class DefaultAuthSchemeResolverParameters
   Aws::String serviceName;
   Aws::String operation;
   Aws::Crt::Optional<Aws::String> region;
+  Aws::Vector<Aws::String> authPreferences;
 
   Aws::UnorderedMap<Aws::String, Aws::Crt::Variant<Aws::String,
           bool,
@@ -43,7 +58,31 @@ class AuthSchemeResolverBase
   using ServiceAuthSchemeParameters = ServiceAuthSchemeParametersT;
 
   virtual ~AuthSchemeResolverBase() = default;
-  // AuthScheme Resolver returns a list of AuthSchemeOptions for some reason, according to the SRA...
-  virtual Aws::Vector<AuthSchemeOption> resolveAuthScheme(const ServiceAuthSchemeParameters& identityProperties) = 0;
+  
+  virtual Aws::Vector<AuthSchemeOption> resolveAuthScheme(const ServiceAuthSchemeParameters& identityProperties) {
+    auto options = resolveAuthSchemeImpl(identityProperties);
+    return filterByPreferences(options, identityProperties.authPreferences);
+  }
+
+protected:
+  virtual Aws::Vector<AuthSchemeOption> resolveAuthSchemeImpl(const ServiceAuthSchemeParameters& identityProperties) = 0;
+  
+  virtual Aws::Vector<AuthSchemeOption> filterByPreferences(const Aws::Vector<AuthSchemeOption>& options, 
+                                                           const Aws::Vector<Aws::String>& preferences) {
+    if (preferences.empty()) return options;
+    
+    Aws::Vector<AuthSchemeOption> filtered;
+    for (const auto& pref : preferences) {
+      auto prefSchemeIt = AUTH_SCHEME_NAME_TO_ID.find(Aws::Utils::StringUtils::ToLower(pref.c_str()));
+      if (prefSchemeIt == AUTH_SCHEME_NAME_TO_ID.end()) continue;
+      for (const auto& option : options) {
+        if (option.schemeId == prefSchemeIt->second) {
+          filtered.push_back(option);
+          break;
+        }
+      }
+    }
+    return filtered.empty() ? options : filtered;
+  }
 };
 }

src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/BearerTokenAuthScheme.h

@@ -11,6 +11,8 @@
 #include <smithy/identity/signer/built-in/BearerTokenSigner.h>
 namespace smithy
 {
+constexpr char BEARER[] = "smithy.api#HTTPBearerAuth";
+
 class BearerTokenAuthScheme : public AuthScheme<AwsBearerTokenIdentityBase>
 {
   public:
@@ -22,7 +24,7 @@ class BearerTokenAuthScheme : public AuthScheme<AwsBearerTokenIdentityBase>
     explicit BearerTokenAuthScheme(
         std::shared_ptr<AwsCredentialIdentityResolverT> identityResolver,
         const Aws::String &serviceName, const Aws::String &region)
-        : AuthScheme("smithy.api#HTTPBearerAuth"),
+        : AuthScheme(BEARER),
           m_identityResolver{identityResolver},
           m_signer{Aws::MakeShared<smithy::BearerTokenSigner>(
               "BearerTokenAuthScheme", serviceName, region)}

src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/BearerTokenAuthSchemeResolver.h

@@ -0,0 +1,33 @@
+/**
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#pragma once
+
+#include <smithy/identity/auth/AuthSchemeResolverBase.h>
+#include <smithy/identity/auth/built-in/SigV4aAuthSchemeOption.h>
+#include <smithy/identity/auth/built-in/SigV4AuthSchemeOption.h>
+#include <smithy/identity/auth/built-in/BearerTokenAuthSchemeOption.h>
+
+
+namespace smithy {
+    template<typename ServiceAuthSchemeParametersT = DefaultAuthSchemeResolverParameters>
+    class GenericAuthSchemeResolver : public AuthSchemeResolverBase<ServiceAuthSchemeParametersT>
+    {
+    public:
+        using ServiceAuthSchemeParameters = ServiceAuthSchemeParametersT;
+        GenericAuthSchemeResolver(const Aws::Vector<AuthSchemeOption>& allowedAuth) : m_allowedAuth(allowedAuth) {}
+        GenericAuthSchemeResolver() = default;
+        virtual ~GenericAuthSchemeResolver() = default;
+
+    private:
+      Aws::Vector<AuthSchemeOption> m_allowedAuth;
+
+    protected:
+        Aws::Vector<AuthSchemeOption> resolveAuthSchemeImpl(const ServiceAuthSchemeParameters& identityProperties) override
+        {
+          AWS_UNREFERENCED_PARAM(identityProperties);
+          return m_allowedAuth;
+        }
+    };
+}

src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/GenericAuthSchemeResolver.h

@@ -12,12 +12,18 @@
 #include <smithy/identity/auth/built-in/SigV4aAuthSchemeOption.h>
 #include <smithy/identity/auth/built-in/SigV4AuthScheme.h>
 
+/**
+ * This is an auth scheme resolver prioritizing endpoints2.0 auth resolution
+ * used for s3 which supersedes the model based auth resolution we do in GenericAuthResolver.
+ */
+
 namespace smithy {
     template<typename EndPointProviderType, typename ClientConfigType,typename ServiceAuthSchemeParametersT = DefaultAuthSchemeResolverParameters>
     class SigV4MultiAuthSchemeResolver : public AuthSchemeResolverBase<ServiceAuthSchemeParametersT, ClientConfigType>
     {
-    private:
     public:
+        SigV4MultiAuthSchemeResolver(const Aws::Vector<AuthSchemeOption>& allowedAuth) : m_allowedAuth(allowedAuth) {}
+        SigV4MultiAuthSchemeResolver() = default;
 
         void Init(const ClientConfigType& config) override{
             m_endpointProviderForAuth = Aws::MakeShared<EndPointProviderType>("SigV4MultiAuthSchemeResolver");
@@ -27,8 +33,12 @@ namespace smithy {
         using ServiceAuthSchemeParameters = ServiceAuthSchemeParametersT;
         virtual ~SigV4MultiAuthSchemeResolver() = default;
 
-        Aws::Vector<AuthSchemeOption> resolveAuthScheme(const ServiceAuthSchemeParameters& identityProperties) override
+        Aws::Vector<AuthSchemeOption> resolveAuthSchemeImpl(const ServiceAuthSchemeParameters& identityProperties) override
         {
+            if (!m_allowedAuth.empty()) {
+              // This code path will not currently be taken, but we should enable a way for the user to disable preference for endpoints2.0 resolution and use the preference list
+              return m_allowedAuth;
+            }
             //pack endpoint params from identityProperties
             Aws::Endpoint::EndpointParameters epParams;
 
@@ -66,6 +76,10 @@ namespace smithy {
 
             return {SigV4AuthSchemeOption::sigV4AuthSchemeOption};
         }
+
+    private:
+      Aws::Vector<AuthSchemeOption> m_allowedAuth;
+
     protected:
         std::shared_ptr<EndPointProviderType> m_endpointProviderForAuth;
     };

src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/SigV4AuthSchemeResolver.h

@@ -188,6 +188,18 @@ Aws::String calculateRegion() {
   return "";
 }
 
+
+Aws::Vector<Aws::String> calculateAuthPreferences() {
+  // Automatically determine the AWS region from environment variables, configuration file and EC2 metadata.
+  Aws::Vector<Aws::String> res;
+  auto prefs = Aws::Environment::GetEnv("AWS_AUTH_SCHEME_PREFERENCE");
+  Aws::Vector<Aws::String> prefsList  = StringUtils::Split(prefs, ',');
+  for (auto& pref : prefsList) {
+    res.push_back(StringUtils::Trim(pref.c_str()));
+  }
+  return res;
+}
+
 void setLegacyClientConfigurationParameters(ClientConfiguration& clientConfig)
 {
     clientConfig.scheme = Aws::Http::Scheme::HTTPS;
@@ -251,6 +263,7 @@ void setLegacyClientConfigurationParameters(ClientConfiguration& clientConfig)
 
     clientConfig.region = calculateRegion();
     clientConfig.credentialProviderConfig.region = clientConfig.region;
+    clientConfig.authPreferences = calculateAuthPreferences();
 
     // Set the endpoint to interact with EC2 instance's metadata service
     Aws::String ec2MetadataServiceEndpoint = Aws::Environment::GetEnv("AWS_EC2_METADATA_SERVICE_ENDPOINT");