feat: add authSchemePreference configuration (#1582)

Author: lauzadis

.changes/8d7689ef-8acf-4fb3-84b9-712b704725e8.json

@@ -0,0 +1,5 @@
+{
+    "id": "8d7689ef-8acf-4fb3-84b9-712b704725e8",
+    "type": "feature",
+    "description": "Add `authSchemePreference` configuration"
+}

aws-runtime/aws-config/api/aws-config.api

@@ -252,6 +252,7 @@ public final class aws/sdk/kotlin/runtime/config/AwsSdkSetting {
 	public final fun getAwsAccountId ()Laws/smithy/kotlin/runtime/config/EnvironmentSetting;
 	public final fun getAwsAccountIdEndpointMode ()Laws/smithy/kotlin/runtime/config/EnvironmentSetting;
 	public final fun getAwsAppId ()Laws/smithy/kotlin/runtime/config/EnvironmentSetting;
+	public final fun getAwsAuthSchemePreference ()Laws/smithy/kotlin/runtime/config/EnvironmentSetting;
 	public final fun getAwsConfigFile ()Laws/smithy/kotlin/runtime/config/EnvironmentSetting;
 	public final fun getAwsContainerAuthorizationToken ()Laws/smithy/kotlin/runtime/config/EnvironmentSetting;
 	public final fun getAwsContainerAuthorizationTokenFile ()Laws/smithy/kotlin/runtime/config/EnvironmentSetting;
@@ -287,6 +288,11 @@ public final class aws/sdk/kotlin/runtime/config/AwsSdkSettingKt {
 	public static final fun resolveEndpointUrl (Laws/sdk/kotlin/runtime/config/AwsSdkSetting;Laws/smithy/kotlin/runtime/util/PlatformProvider;Ljava/lang/String;Ljava/lang/String;)Laws/smithy/kotlin/runtime/net/url/Url;
 }
 
+public final class aws/sdk/kotlin/runtime/config/auth/ResolveAuthSchemePreferenceKt {
+	public static final fun resolveAuthSchemePreference (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/util/LazyAsyncValue;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+	public static synthetic fun resolveAuthSchemePreference$default (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/util/LazyAsyncValue;Lkotlin/coroutines/Continuation;ILjava/lang/Object;)Ljava/lang/Object;
+}
+
 public final class aws/sdk/kotlin/runtime/config/checksums/ResolveFlexibleChecksumsConfigKt {
 	public static final fun resolveRequestChecksumCalculation (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/util/LazyAsyncValue;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 	public static synthetic fun resolveRequestChecksumCalculation$default (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/util/LazyAsyncValue;Lkotlin/coroutines/Continuation;ILjava/lang/Object;)Ljava/lang/Object;
@@ -499,6 +505,7 @@ public final class aws/sdk/kotlin/runtime/config/profile/AwsConfigurationSource
 
 public final class aws/sdk/kotlin/runtime/config/profile/AwsProfileKt {
 	public static final fun getAccountIdEndpointMode (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;)Laws/sdk/kotlin/runtime/config/endpoints/AccountIdEndpointMode;
+	public static final fun getAuthSchemePreference (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;)Ljava/lang/String;
 	public static final fun getAwsAccessKeyId (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;)Ljava/lang/String;
 	public static final fun getAwsSecretAccessKey (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;)Ljava/lang/String;
 	public static final fun getAwsSessionToken (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;)Ljava/lang/String;

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/AbstractAwsSdkClientFactory.kt

@@ -6,6 +6,7 @@
 package aws.sdk.kotlin.runtime.config
 
 import aws.sdk.kotlin.runtime.client.AwsSdkClientConfig
+import aws.sdk.kotlin.runtime.config.auth.resolveAuthSchemePreference
 import aws.sdk.kotlin.runtime.config.checksums.resolveRequestChecksumCalculation
 import aws.sdk.kotlin.runtime.config.checksums.resolveResponseChecksumValidation
 import aws.sdk.kotlin.runtime.config.compression.resolveDisableRequestCompression
@@ -26,6 +27,7 @@ import aws.smithy.kotlin.runtime.client.config.ClientSettings
 import aws.smithy.kotlin.runtime.client.config.CompressionClientConfig
 import aws.smithy.kotlin.runtime.client.config.HttpChecksumConfig
 import aws.smithy.kotlin.runtime.config.resolve
+import aws.smithy.kotlin.runtime.http.auth.HttpAuthConfig
 import aws.smithy.kotlin.runtime.telemetry.TelemetryConfig
 import aws.smithy.kotlin.runtime.telemetry.TelemetryProvider
 import aws.smithy.kotlin.runtime.telemetry.trace.withSpan
@@ -105,6 +107,10 @@ public abstract class AbstractAwsSdkClientFactory<
                     config.responseChecksumValidation ?: resolveResponseChecksumValidation(platform, profile)
             }
 
+            if (config is HttpAuthConfig.Builder) {
+                config.authSchemePreference = config.authSchemePreference ?: resolveAuthSchemePreference(platform, profile)
+            }
+
             finalizeConfig(builder)
             finalizeEnvironmentalConfig(builder, sharedConfig, profile)
         }

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/AwsSdkSetting.kt

@@ -230,6 +230,11 @@ public object AwsSdkSetting {
      */
     public val AwsResponseChecksumValidation: EnvironmentSetting<ResponseHttpChecksumConfig> =
         enumEnvSetting<ResponseHttpChecksumConfig>("aws.responseChecksumValidation", "AWS_RESPONSE_CHECKSUM_VALIDATION")
+
+    /**
+     * Configures an ordered preference of auth schemes
+     */
+    public val AwsAuthSchemePreference: EnvironmentSetting<String> = strEnvSetting("aws.authSchemePreference", "AWS_AUTH_SCHEME_PREFERENCE")
 }
 
 /**

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/auth/ResolveAuthSchemePreference.kt

@@ -0,0 +1,23 @@
+package aws.sdk.kotlin.runtime.config.auth
+
+import aws.sdk.kotlin.runtime.InternalSdkApi
+import aws.sdk.kotlin.runtime.config.AwsSdkSetting
+import aws.sdk.kotlin.runtime.config.profile.AwsProfile
+import aws.sdk.kotlin.runtime.config.profile.authSchemePreference
+import aws.smithy.kotlin.runtime.auth.AuthSchemeId
+import aws.smithy.kotlin.runtime.config.resolve
+import aws.smithy.kotlin.runtime.util.LazyAsyncValue
+import aws.smithy.kotlin.runtime.util.PlatformProvider
+
+@InternalSdkApi
+public suspend fun resolveAuthSchemePreference(platform: PlatformProvider = PlatformProvider.System, profile: LazyAsyncValue<AwsProfile>): List<AuthSchemeId> {
+    val content = AwsSdkSetting.AwsAuthSchemePreference.resolve(platform) ?: profile.get().authSchemePreference
+
+    return content
+        ?.split(",")
+        ?.map { it.trim() }
+        ?.filter { it.isNotEmpty() }
+        ?.map(::AuthSchemeId)
+        ?.toList()
+        ?: emptyList()
+}

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/profile/AwsProfile.kt

@@ -11,6 +11,7 @@ import aws.sdk.kotlin.runtime.config.endpoints.AccountIdEndpointMode
 import aws.smithy.kotlin.runtime.client.config.RequestHttpChecksumConfig
 import aws.smithy.kotlin.runtime.client.config.ResponseHttpChecksumConfig
 import aws.smithy.kotlin.runtime.client.config.RetryMode
+import aws.smithy.kotlin.runtime.http.auth.AuthScheme
 import aws.smithy.kotlin.runtime.net.url.Url
 
 /**
@@ -169,6 +170,13 @@ public val AwsProfile.requestChecksumCalculation: RequestHttpChecksumConfig?
 public val AwsProfile.responseChecksumValidation: ResponseHttpChecksumConfig?
     get() = getEnumOrNull<ResponseHttpChecksumConfig>("response_checksum_validation")
 
+/**
+ * The ordered preference of [AuthScheme] that this client will use
+ */
+@InternalSdkApi
+public val AwsProfile.authSchemePreference: String?
+    get() = getOrNull("auth_scheme_preference")
+
 /**
  * Specifies a named EC2 instance profile to use which allows bypassing auto-discovery
  */

aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/config/auth/ResolveAuthSchemePreferenceTest.kt

@@ -0,0 +1,107 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.sdk.kotlin.runtime.config.auth
+
+import aws.sdk.kotlin.runtime.config.profile.AwsConfigurationSource
+import aws.sdk.kotlin.runtime.config.profile.FileType
+import aws.sdk.kotlin.runtime.config.profile.parse
+import aws.sdk.kotlin.runtime.config.profile.toSharedConfig
+import aws.smithy.kotlin.runtime.auth.AuthSchemeId
+import aws.smithy.kotlin.runtime.telemetry.logging.Logger
+import aws.smithy.kotlin.runtime.util.TestPlatformProvider
+import aws.smithy.kotlin.runtime.util.asyncLazy
+import kotlinx.coroutines.test.runTest
+import kotlin.test.Test
+import kotlin.test.assertEquals
+
+class ResolveAuthSchemePreferenceTest {
+    @Test
+    fun testProfile() = runTest {
+        assertEquals(
+            AuthSchemeId("sigv4"),
+            testResolveAuthSchemePreference(
+                profileContent = """
+                    [default]
+                    auth_scheme_preference = sigv4
+                """.trimIndent(),
+            ).single(),
+        )
+    }
+
+    @Test
+    fun testEnvironment() = runTest {
+        // Environment takes precedence over profile
+        assertEquals(
+            AuthSchemeId("sigv4a"),
+            testResolveAuthSchemePreference(
+                env = mapOf("AWS_AUTH_SCHEME_PREFERENCE" to "sigv4a"),
+                profileContent = """
+                    [default]
+                    auth_scheme_preference = sigv4
+                """.trimIndent(),
+            ).single(),
+        )
+    }
+
+    @Test
+    fun testSystemProperties() = runTest {
+        // System properties take precedence over environment and profile
+        assertEquals(
+            AuthSchemeId("httpBearerAuth"),
+            testResolveAuthSchemePreference(
+                env = mapOf("AWS_AUTH_SCHEME_PREFERENCE" to "sigv4a"),
+                sysProps = mapOf("aws.authSchemePreference" to "httpBearerAuth"),
+                profileContent = """
+                    [default]
+                    auth_scheme_preference = sigv4
+                """.trimIndent(),
+            ).single(),
+        )
+    }
+
+    @Test
+    fun testResolveMultipleSchemes() = runTest {
+        assertEquals(
+            listOf(AuthSchemeId("httpBearerAuth"), AuthSchemeId("sigv4a"), AuthSchemeId("sigv4")),
+            testResolveAuthSchemePreference(
+                env = mapOf("AWS_AUTH_SCHEME_PREFERENCE" to "httpBearerAuth, sigv4a, sigv4"),
+            ),
+        )
+    }
+
+    @Test
+    fun testIgnoreWhitespace() = runTest {
+        assertEquals(
+            listOf(AuthSchemeId("httpBearerAuth"), AuthSchemeId("sigv4a")),
+            testResolveAuthSchemePreference(
+                env = mapOf("AWS_AUTH_SCHEME_PREFERENCE" to "httpBearerAuth  ,        sigv4a     "),
+            ),
+        )
+    }
+
+    @Test
+    fun testDontFailOnInvalidSchemes() = runTest {
+        assertEquals(
+            listOf(AuthSchemeId("httpBearerAuth"), AuthSchemeId("whatIsThisScheme"), AuthSchemeId("sigv4")),
+            testResolveAuthSchemePreference(
+                env = mapOf("AWS_AUTH_SCHEME_PREFERENCE" to "httpBearerAuth, whatIsThisScheme, sigv4"),
+            ),
+        )
+    }
+
+    private suspend fun testResolveAuthSchemePreference(
+        env: Map<String, String> = mapOf(),
+        sysProps: Map<String, String> = mapOf(),
+        profileContent: String = "",
+    ): List<AuthSchemeId> {
+        val platform = TestPlatformProvider(env = env, props = sysProps)
+        val source = AwsConfigurationSource("default", "", "")
+        val profile = asyncLazy {
+            parse(Logger.None, FileType.CONFIGURATION, profileContent).toSharedConfig(source).activeProfile
+        }
+
+        return resolveAuthSchemePreference(platform, profile)
+    }
+}

gradle/libs.versions.toml

@@ -12,8 +12,8 @@ atomicfu-version = "0.25.0"
 binary-compatibility-validator-version = "0.16.3"
 
 # smithy-kotlin codegen and runtime are versioned separately
-smithy-kotlin-runtime-version = "1.4.15"
-smithy-kotlin-codegen-version = "0.34.15"
+smithy-kotlin-runtime-version = "1.4.16"
+smithy-kotlin-codegen-version = "0.34.16"
 
 # codegen
 smithy-version = "1.53.0"