add bedrock env token provider (#3159)

Author: lucix-aws

.changelog/125bc0d174d343edb06aa57c231f55b0.json

@@ -0,0 +1,9 @@
+{
+    "id": "125bc0d1-74d3-43ed-b06a-a57c231f55b0",
+    "type": "feature",
+    "description": "Support configurable bearer token through the environment via AWS_BEARER_TOKEN_BEDROCK.",
+    "modules": [
+        "service/bedrock",
+        "service/bedrockruntime"
+    ]
+}

codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/service/BearerTokenEnvProvider.java

@@ -0,0 +1,80 @@
+package software.amazon.smithy.aws.go.codegen.customization.service;
+
+import static software.amazon.smithy.go.codegen.GoWriter.goTemplate;
+import static software.amazon.smithy.go.codegen.SymbolUtils.buildPackageSymbol;
+
+import java.util.List;
+import java.util.Map;
+import software.amazon.smithy.aws.traits.auth.SigV4Trait;
+import software.amazon.smithy.go.codegen.GoCodegenContext;
+import software.amazon.smithy.go.codegen.GoWriter;
+import software.amazon.smithy.go.codegen.SmithyGoDependency;
+import software.amazon.smithy.go.codegen.integration.ConfigFieldResolver;
+import software.amazon.smithy.go.codegen.integration.GoIntegration;
+import software.amazon.smithy.go.codegen.integration.RuntimeClientPlugin;
+import software.amazon.smithy.model.Model;
+import software.amazon.smithy.model.shapes.ServiceShape;
+import software.amazon.smithy.model.traits.HttpBearerAuthTrait;
+
+public class BearerTokenEnvProvider implements GoIntegration {
+    // Set of signing names to which this customization is applied.
+    private static final List<String> SIGNING_NAMES = List.of(
+            "bedrock"
+    );
+
+    private static final ConfigFieldResolver BEARER_TOKEN_RESOLVER =
+            ConfigFieldResolver.builder()
+                    .location(ConfigFieldResolver.Location.CLIENT)
+                    .target(ConfigFieldResolver.Target.INITIALIZATION)
+                    .resolver(buildPackageSymbol("resolveEnvBearerToken"))
+                    .build();
+
+    private static boolean isApplied(Model model, ServiceShape service) {
+        return service.hasTrait(SigV4Trait.class)
+                && SIGNING_NAMES.contains(service.expectTrait(SigV4Trait.class).getName())
+                && service.hasTrait(HttpBearerAuthTrait.class);
+    }
+
+    @Override
+    public List<RuntimeClientPlugin> getClientPlugins() {
+        return List.of(
+                RuntimeClientPlugin.builder()
+                        .servicePredicate(BearerTokenEnvProvider::isApplied)
+                        .addConfigFieldResolver(BEARER_TOKEN_RESOLVER)
+                        .build()
+        );
+    }
+
+    @Override
+    public void writeAdditionalFiles(GoCodegenContext ctx) {
+        var service = ctx.settings().getService(ctx.model());
+        if (isApplied(ctx.model(), service)) {
+            ctx.writerDelegator().useFileWriter("api_client.go", ctx.settings().getModuleName(), bearerTokenResolver(service));
+        }
+    }
+
+    private GoWriter.Writable bearerTokenResolver(ServiceShape service) {
+        var envSuffix = service.expectTrait(SigV4Trait.class).getName()
+                .toUpperCase()
+                .replace(' ', '_')
+                .replace('-', '_');
+        return goTemplate("""
+                $context:D $os:D $bearer:D
+                func resolveEnvBearerToken(options *Options) {
+                    token := os.Getenv("AWS_BEARER_TOKEN_$envSuffix:L")
+                    if len(token) == 0 { return }
+
+                    options.BearerAuthTokenProvider = bearer.TokenProviderFunc(func(ctx context.Context) (bearer.Token, error) {
+                        return bearer.Token{Value: token}, nil
+                    })
+                    options.AuthSchemePreference = []string{"httpBearerAuth"}
+                }
+                """,
+                Map.of(
+                        "context", SmithyGoDependency.CONTEXT,
+                        "os", SmithyGoDependency.OS,
+                        "bearer", SmithyGoDependency.SMITHY_AUTH_BEARER,
+                        "envSuffix", envSuffix
+                ));
+    }
+}

codegen/smithy-aws-go-codegen/src/main/resources/META-INF/services/software.amazon.smithy.go.codegen.integration.GoIntegration

@@ -93,3 +93,4 @@ software.amazon.smithy.aws.go.codegen.CredentialSourceFeatureTrackerGenerator
 software.amazon.smithy.aws.go.codegen.customization.SraOperationOrderTest
 software.amazon.smithy.aws.go.codegen.customization.service.bedrockruntime.RemoveOperations
 software.amazon.smithy.aws.go.codegen.customization.RetryInterceptors
+software.amazon.smithy.aws.go.codegen.customization.service.BearerTokenEnvProvider

service/bedrock/api_client.go

@@ -0,0 +1,99 @@
+package bedrock
+
+import (
+	"context"
+	"reflect"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/smithy-go/auth/bearer"
+)
+
+// Valid service-specific token configured
+func TestEnvTokenProviderSEP0(t *testing.T) {
+	t.Setenv("AWS_BEARER_TOKEN_BEDROCK", "bedrock-token")
+
+	svc := New(Options{})
+	token, err := svc.Options().BearerAuthTokenProvider.RetrieveBearerToken(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if token.Value != "bedrock-token" {
+		t.Errorf("expect token \"bedrock-token\" != %q", token.Value)
+	}
+
+	expectPref := []string{"httpBearerAuth"}
+	if actual := svc.Options().AuthSchemePreference; !reflect.DeepEqual(expectPref, actual) {
+		t.Errorf("expect auth scheme preference %#v != %#v", expectPref, actual)
+	}
+}
+
+// Token configured for a different service
+func TestEnvTokenProviderSEP1(t *testing.T) {
+	t.Setenv("AWS_BEARER_TOKEN_FOO", "foo-token")
+
+	svc := New(Options{})
+	if actual := svc.Options().BearerAuthTokenProvider; actual != nil {
+		t.Errorf("BearerAuthTokenProvider should be nil but it's %#v", actual)
+	}
+
+	expectPref := []string(nil)
+	if actual := svc.Options().AuthSchemePreference; !reflect.DeepEqual(expectPref, actual) {
+		t.Errorf("expect auth scheme preference %#v != %#v", expectPref, actual)
+	}
+}
+
+// Token configured with auth scheme preference also set in env. The Bedrock
+// token is more specific which is why it takes precedence
+func TestEnvTokenProviderSEP2(t *testing.T) {
+	t.Setenv("AWS_BEARER_TOKEN_BEDROCK", "bedrock-token")
+
+	cfg := aws.Config{
+		// simulate loaded from env/shared config
+		AuthSchemePreference: []string{"sigv4", "httpBearerAuth"},
+	}
+	svc := NewFromConfig(cfg)
+
+	token, err := svc.Options().BearerAuthTokenProvider.RetrieveBearerToken(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if token.Value != "bedrock-token" {
+		t.Errorf("expect token \"bedrock-token\" != %q", token.Value)
+	}
+
+	expectPref := []string{"httpBearerAuth"}
+	if actual := svc.Options().AuthSchemePreference; !reflect.DeepEqual(expectPref, actual) {
+		t.Errorf("expect auth scheme preference %#v != %#v", expectPref, actual)
+	}
+}
+
+// Explicit service config takes precedence
+func TestEnvTokenProviderSEP3(t *testing.T) {
+	t.Setenv("AWS_BEARER_TOKEN_BEDROCK", "bedrock-token")
+
+	expectToken := "explicit-code-token"
+	svc := New(Options{}, func(o *Options) {
+		o.BearerAuthTokenProvider = bearer.TokenProviderFunc(func(ctx context.Context) (bearer.Token, error) {
+			return bearer.Token{Value: expectToken}, nil
+		})
+		// also test explicit code preference
+		o.AuthSchemePreference = []string{"httpBasicAuth", "httpBearerAuth"}
+	})
+
+	token, err := svc.Options().BearerAuthTokenProvider.RetrieveBearerToken(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expectToken != token.Value {
+		t.Errorf("expect token %q != %q", expectToken, token.Value)
+	}
+
+	expectPref := []string{"httpBasicAuth", "httpBearerAuth"}
+	if actual := svc.Options().AuthSchemePreference; !reflect.DeepEqual(expectPref, actual) {
+		t.Errorf("expect auth scheme preference %#v != %#v", expectPref, actual)
+	}
+}