pr feedbacks

Author: xinsong-cui

.changes/b6b48ccb-8aa8-40be-bc5a-f5d184e8631e.json

@@ -1,5 +1,5 @@
 {
     "id": "b6b48ccb-8aa8-40be-bc5a-f5d184e8631e",
     "type": "feature",
-    "description": "Added support for bearer token authentication via environment variable"
+    "description": "Add support for Bearer authentication using a token set in an environment variable for Bedrock services"
 }

codegen/aws-sdk-codegen/src/main/kotlin/aws/sdk/kotlin/codegen/customization/EnvironmentBearerTokenCustomization.kt

@@ -0,0 +1,150 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.sdk.kotlin.codegen.customization
+
+import aws.sdk.kotlin.codegen.ServiceClientCompanionObjectWriter
+import software.amazon.smithy.kotlin.codegen.KotlinSettings
+import software.amazon.smithy.kotlin.codegen.core.*
+import software.amazon.smithy.kotlin.codegen.integration.AppendingSectionWriter
+import software.amazon.smithy.kotlin.codegen.integration.KotlinIntegration
+import software.amazon.smithy.kotlin.codegen.integration.SectionWriterBinding
+import software.amazon.smithy.kotlin.codegen.model.buildSymbol
+import software.amazon.smithy.kotlin.codegen.model.expectShape
+import software.amazon.smithy.kotlin.codegen.model.hasTrait
+import software.amazon.smithy.kotlin.codegen.model.knowledge.AwsSignatureVersion4
+import software.amazon.smithy.kotlin.codegen.rendering.ServiceClientGenerator
+import software.amazon.smithy.model.Model
+import software.amazon.smithy.model.shapes.ServiceShape
+import software.amazon.smithy.model.traits.HttpBearerAuthTrait
+
+/**
+ * Customization that enables sourcing Bearer tokens from an environment variable
+ *
+ * When a service-specific environment variable for bearer tokens is present (e.g., AWS_BEARER_TOKEN_BEDROCK),
+ * this customization configures the auth scheme resolver to prefer the smithy.api#httpBearerAuth scheme
+ * over other authentication methods. Additionally, it configures a token provider that extracts the bearer token
+ * from the target environment variable.
+ */
+class EnvironmentBearerTokenCustomization : KotlinIntegration {
+    // Currently only services with sigv4 service name 'bedrock' need this customization
+    private val supportedSigningServiceNames = setOf("bedrock")
+
+    override fun enabledForService(model: Model, settings: KotlinSettings): Boolean {
+        val serviceShape = settings.getService(model)
+        if (!AwsSignatureVersion4.isSupportedAuthentication(model, serviceShape)) {
+            return false
+        }
+        if (!serviceShape.hasTrait<HttpBearerAuthTrait>()) {
+            return false
+        }
+
+        return AwsSignatureVersion4.signingServiceName(serviceShape) in supportedSigningServiceNames
+    }
+
+    override fun writeAdditionalFiles(ctx: CodegenContext, delegator: KotlinDelegator) {
+        val serviceShape = ctx.model.expectShape<ServiceShape>(ctx.settings.service)
+        val serviceName = ctx.symbolProvider.toSymbol(serviceShape).name.removeSuffix("Client")
+        val packageName = ctx.settings.pkg.name
+
+        delegator.useFileWriter(
+            "Finalize${serviceName}EnvironmentBearerTokenConfig.kt",
+            "$packageName.auth",
+        ) { writer ->
+            renderEnvironmentBearerTokenConfig(
+                writer,
+                ctx,
+                serviceShape,
+                serviceName
+            )
+        }
+    }
+
+    private fun renderEnvironmentBearerTokenConfig(
+        writer: KotlinWriter,
+        ctx: CodegenContext,
+        serviceShape: ServiceShape,
+        serviceName: String,
+    ) {
+        val serviceSymbol = ctx.symbolProvider.toSymbol(serviceShape)
+        val signingServiceName = AwsSignatureVersion4.signingServiceName(serviceShape)
+        // Transform signing name to environment variable name
+        val envVarName = "AWS_BEARER_TOKEN_" + signingServiceName.replace("""[-\s]""".toRegex(), "_").uppercase()
+
+        writer.apply {
+            withBlock(
+                "internal fun finalize#LEnvironmentBearerTokenConfig(",
+                ")",
+                serviceName,
+            ) {
+                write(
+                    "builder: #T.Builder,",
+                    serviceSymbol,
+                )
+                write(
+                    "provider: #1T = #1T.System",
+                    RuntimeTypes.Core.Utils.PlatformProvider,
+                )
+            }
+            withBlock("{", "}") {
+                // The customization do nothing if environment variable is not set
+                withBlock(
+                    "if (provider.getenv(#S) != null) {",
+                    "}",
+                    envVarName,
+                ) {
+                    // Configure auth scheme preference if customer hasn't specify one
+                    write(
+                        "builder.config.authSchemePreference = builder.config.authSchemePreference ?: listOf(#T.HttpBearer)",
+                        RuntimeTypes.Auth.Identity.AuthSchemeId,
+                    )
+
+                    // Promote HttpBearer to first position in auth scheme preference list
+                    withBlock(
+                        "val filteredSchemes = builder.config.authSchemePreference?.filterNot {",
+                        " }?: emptyList()",
+                    ) {
+                        write(
+                            "it == #T.HttpBearer",
+                            RuntimeTypes.Auth.Identity.AuthSchemeId,
+                        )
+                    }
+
+                    write(
+                        "builder.config.authSchemePreference = listOf(#1T.HttpBearer) + filteredSchemes",
+                        RuntimeTypes.Auth.Identity.AuthSchemeId,
+                    )
+
+                    write(
+                        "builder.config.bearerTokenProvider = " +
+                            "builder.config.bearerTokenProvider ?: #T(#S, provider)",
+                        RuntimeTypes.Auth.HttpAuth.EnvironmentBearerTokenProvider,
+                        envVarName,
+                    )
+                }
+            }
+        }
+    }
+
+    override val sectionWriters: List<SectionWriterBinding>
+        get() = listOf(
+            SectionWriterBinding(
+                ServiceClientCompanionObjectWriter.FinalizeEnvironmentalConfig,
+                finalizeEnvironmentBearerTokenConfigWriter,
+            ),
+        )
+
+    private val finalizeEnvironmentBearerTokenConfigWriter = AppendingSectionWriter { writer ->
+        val serviceName = writer.getContextValue(ServiceClientGenerator.Sections.CompanionObject.ServiceSymbol)
+            .name
+            .removeSuffix("Client")
+
+        val environmentBearerTokenConfig = buildSymbol {
+            name = "finalize${serviceName}EnvironmentBearerTokenConfig"
+            namespace = "aws.sdk.kotlin.services.${serviceName.lowercase()}.auth"
+        }
+
+        writer.write("#T(builder)", environmentBearerTokenConfig)
+    }
+}

codegen/aws-sdk-codegen/src/main/kotlin/aws/sdk/kotlin/codegen/customization/EnvironmentTokenCustomization.kt

@@ -49,4 +49,4 @@ aws.sdk.kotlin.codegen.smoketests.testing.SmokeTestSuccessHttpEngineIntegration
 aws.sdk.kotlin.codegen.smoketests.testing.SmokeTestFailHttpEngineIntegration
 aws.sdk.kotlin.codegen.customization.AwsQueryModeCustomization
 aws.sdk.kotlin.codegen.ModuleDocumentationIntegration
-aws.sdk.kotlin.codegen.customization.EnvironmentTokenCustomization
+aws.sdk.kotlin.codegen.customization.EnvironmentBearerTokenCustomization

codegen/aws-sdk-codegen/src/main/resources/META-INF/services/software.amazon.smithy.kotlin.codegen.integration.KotlinIntegration

@@ -60,15 +60,15 @@ class BedrockEnvironmentTokenTest {
             authSchemePreference = listOf(AuthSchemeId.AwsSigV4)
         }
 
-        var expectedAuthSchemePreference = listOf(AuthSchemeId.HttpBearer, AuthSchemeId.AwsSigV4)
+        val expectedAuthSchemePreference = listOf(AuthSchemeId.HttpBearer, AuthSchemeId.AwsSigV4)
         assertEquals(expectedAuthSchemePreference, client.config.authSchemePreference)
+        client.close()
 
         client = BedrockClient.fromEnvironment {
             region = "us-west-2"
             authSchemePreference = listOf(AuthSchemeId.AwsSigV4, AuthSchemeId.HttpBearer)
         }
 
-        expectedAuthSchemePreference = listOf(AuthSchemeId.HttpBearer, AuthSchemeId.AwsSigV4)
         assertEquals(expectedAuthSchemePreference, client.config.authSchemePreference)
 
         client.close()
@@ -134,5 +134,7 @@ class BedrockEnvironmentTokenTest {
         val token = client.config.bearerTokenProvider.resolve()
         assertNotNull(token)
         assertEquals("different-bedrock-token", token.token)
+
+        client.close()
     }
 }