support configurable auth scheme preference (#3153)

Author: lucix-aws

.changelog/d034a8bd3da745909458e9d2eb054695.json

@@ -1 +1 @@
-a22818fe19b9bc7d4926501907b154d813b309a5
+8ff86680d1bfd5b4cc19329702bd64458ac7f1b6

SMITHY_GO_CODEGEN_VERSION

@@ -196,6 +196,9 @@ type Config struct {
 
 	// Registry of HTTP interceptors.
 	Interceptors smithyhttp.InterceptorRegistry
+
+	// Priority list of preferred auth scheme IDs.
+	AuthSchemePreference []string
 }
 
 // NewConfig returns a new Config pointer that can be chained with builder

aws/config.go

@@ -30,6 +30,7 @@
 import software.amazon.smithy.codegen.core.SymbolProvider;
 import software.amazon.smithy.go.codegen.GoDelegator;
 import software.amazon.smithy.go.codegen.GoSettings;
+import software.amazon.smithy.go.codegen.GoUniverseTypes;
 import software.amazon.smithy.go.codegen.GoWriter;
 import software.amazon.smithy.go.codegen.SmithyGoDependency;
 import software.amazon.smithy.go.codegen.SmithyGoTypes;
@@ -45,6 +46,7 @@
 import software.amazon.smithy.utils.ListUtils;
 
 import static software.amazon.smithy.go.codegen.SymbolUtils.buildPackageSymbol;
+import static software.amazon.smithy.go.codegen.SymbolUtils.sliceOf;
 
 /**
  * Registers additional AWS specific client configuration fields
@@ -266,6 +268,11 @@ public class AddAwsConfigFields implements GoIntegration {
                     .type(SmithyGoDependency.SMITHY_HTTP_TRANSPORT.struct("InterceptorRegistry"))
                     .generatedOnClient(false)
                     .awsResolveFunction(buildPackageSymbol("resolveInterceptors"))
+                    .build(),
+            AwsConfigField.builder()
+                    .name("AuthSchemePreference")
+                    .type(sliceOf(GoUniverseTypes.String))
+                    .generatedOnClient(false)
                     .build()
     );
 

codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/AddAwsConfigFields.java

@@ -0,0 +1,19 @@
+package config
+
+import "strings"
+
+func toAuthSchemePreferenceList(cfg string) []string {
+	if len(cfg) == 0 {
+		return nil
+	}
+	parts := strings.Split(cfg, ",")
+	ids := make([]string, 0, len(parts))
+
+	for _, p := range parts {
+		if id := strings.TrimSpace(p); len(id) > 0 {
+			ids = append(ids, id)
+		}
+	}
+
+	return ids
+}

config/auth_scheme_preference.go

@@ -91,6 +91,8 @@ var defaultAWSConfigResolvers = []awsConfigResolver{
 	resolveResponseChecksumValidation,
 
 	resolveInterceptors,
+
+	resolveAuthSchemePreference,
 }
 
 // A Config represents a generic configuration value or set of values. This type

config/config.go

@@ -85,6 +85,8 @@ const (
 
 	awsRequestChecksumCalculation = "AWS_REQUEST_CHECKSUM_CALCULATION"
 	awsResponseChecksumValidation = "AWS_RESPONSE_CHECKSUM_VALIDATION"
+
+	awsAuthSchemePreferenceEnv = "AWS_AUTH_SCHEME_PREFERENCE"
 )
 
 var (
@@ -304,6 +306,9 @@ type EnvConfig struct {
 
 	// Indicates whether response checksum should be validated
 	ResponseChecksumValidation aws.ResponseChecksumValidation
+
+	// Priority list of preferred auth scheme names (e.g. sigv4a).
+	AuthSchemePreference []string
 }
 
 // loadEnvConfig reads configuration values from the OS's environment variables.
@@ -415,6 +420,8 @@ func NewEnvConfig() (EnvConfig, error) {
 		return cfg, err
 	}
 
+	cfg.AuthSchemePreference = toAuthSchemePreferenceList(os.Getenv(awsAuthSchemePreferenceEnv))
+
 	return cfg, nil
 }
 
@@ -916,3 +923,10 @@ func (c EnvConfig) GetS3DisableExpressAuth() (value, ok bool) {
 
 	return *c.S3DisableExpressAuth, true
 }
+
+func (c EnvConfig) getAuthSchemePreference() ([]string, bool) {
+	if len(c.AuthSchemePreference) > 0 {
+		return c.AuthSchemePreference, true
+	}
+	return nil, false
+}

config/env_config.go

@@ -568,6 +568,14 @@ func TestNewEnvConfig(t *testing.T) {
 			Config:  EnvConfig{},
 			WantErr: true,
 		},
+		54: {
+			Env: map[string]string{
+				"AWS_AUTH_SCHEME_PREFERENCE": "  \tsigv4a\t  ,sigv4 ",
+			},
+			Config: EnvConfig{
+				AuthSchemePreference: []string{"sigv4a", "sigv4"},
+			},
+		},
 	}
 
 	for i, c := range cases {

config/env_config_test.go

@@ -232,6 +232,9 @@ type LoadOptions struct {
 
 	// Registry of operation interceptors.
 	Interceptors smithyhttp.InterceptorRegistry
+
+	// Priority list of preferred auth scheme names (e.g. sigv4a).
+	AuthSchemePreference []string
 }
 
 func (o LoadOptions) getDefaultsMode(ctx context.Context) (aws.DefaultsMode, bool, error) {
@@ -1315,3 +1318,20 @@ func WithAfterExecution(i smithyhttp.AfterExecutionInterceptor) LoadOptionsFunc
 		return nil
 	}
 }
+
+// WithAuthSchemePreference sets the priority order of auth schemes on config.
+//
+// Schemes are expressed as names e.g. sigv4a or sigv4.
+func WithAuthSchemePreference(schemeIDs ...string) LoadOptionsFunc {
+	return func(o *LoadOptions) error {
+		o.AuthSchemePreference = schemeIDs
+		return nil
+	}
+}
+
+func (o LoadOptions) getAuthSchemePreference() ([]string, bool) {
+	if len(o.AuthSchemePreference) > 0 {
+		return o.AuthSchemePreference, true
+	}
+	return nil, false
+}

config/load_options.go

@@ -753,3 +753,18 @@ func getRetryMode(ctx context.Context, configs configs) (v aws.RetryMode, found
 	}
 	return v, found, err
 }
+
+func getAuthSchemePreference(ctx context.Context, configs configs) ([]string, bool) {
+	type provider interface {
+		getAuthSchemePreference() ([]string, bool)
+	}
+
+	for _, cfg := range configs {
+		if p, ok := cfg.(provider); ok {
+			if v, ok := p.getAuthSchemePreference(); ok {
+				return v, true
+			}
+		}
+	}
+	return nil, false
+}