Add bearer auth / token providers (#2746)

Author: alextwoods

build_tools/aws-sdk-code-generator/lib/aws-sdk-code-generator/plugin_list.rb

@@ -20,7 +20,7 @@ def each(&block)
     def compute_plugins(options)
       plugins = {}
       plugins.update(options[:async_client] ? default_async_plugins : default_plugins)
-      plugins.update(signature_plugins(options.fetch(:signature_version)))
+      plugins.update(signature_plugins(options))
       plugins.update(protocol_plugins(options.fetch(:protocol)))
       plugins.update(options.fetch(:add_plugins))
       options.fetch(:remove_plugins).each do |plugin_name|
@@ -96,15 +96,21 @@ def protocol_plugins(protocol)
       }[protocol]
     end
 
-    def signature_plugins(signature_version)
-      case signature_version
-      when 'v4'
-        { 'Aws::Plugins::SignatureV4' => "#{core_plugins}/signature_v4.rb" }
-      when 'v2'
-        { 'Aws::Plugins::SignatureV2' => "#{core_plugins}/signature_v2.rb" }
-      else
-        {}
+    def signature_plugins(options)
+      auth_types  = [options.fetch(:signature_version)]
+      auth_types += options[:api]['operations'].map { |_n, o| o['authtype'] }.compact
+      plugins = {}
+      auth_types.each do |auth_type|
+        case auth_type
+        when 'v4'
+          plugins['Aws::Plugins::SignatureV4'] = "#{core_plugins}/signature_v4.rb"
+        when 'v2'
+          plugins['Aws::Plugins::SignatureV2'] = "#{core_plugins}/signature_v2.rb"
+        when 'bearer'
+          plugins['Aws::Plugins::BearerAuthorization'] = "#{core_plugins}/bearer_authorization.rb"
+        end
       end
+      plugins
     end
 
     def core_plugins

build_tools/aws-sdk-code-generator/spec/fixtures/interfaces/bearer_auth/api.json

@@ -0,0 +1,47 @@
+{
+  "version":"2.0",
+  "metadata":{
+    "endpointPrefix":"svc",
+    "protocol": "rest-json",
+    "signatureVersion":"bearer"
+  },
+  "operations": {
+    "BearerAuth": {
+      "name": "BearerAuth",
+      "http": {
+        "method": "POST",
+        "requestUri": "/"
+      },
+      "input": {"shape": "Request"}
+    },
+    "NoAuth": {
+      "name": "NoAuth",
+      "http": {
+        "method": "POST",
+        "requestUri": "/"
+      },
+      "input": {"shape": "Request"},
+      "authtype":"none"
+    },
+    "Sigv4Auth": {
+      "name": "Sigv4Auth",
+      "http": {
+        "method": "POST",
+        "requestUri": "/"
+      },
+      "input": {"shape": "Request"},
+      "authtype":"v4"
+    }
+  },
+  "shapes": {
+    "Request": {
+      "type": "structure",
+      "members": {
+        "Value": {
+          "shape": "Value"
+        }
+      }
+    },
+    "Value": {"type": "string"}
+  }
+}

build_tools/aws-sdk-code-generator/spec/fixtures/interfaces/v4_with_bearer/api.json

@@ -0,0 +1,47 @@
+{
+  "version":"2.0",
+  "metadata":{
+    "endpointPrefix":"svc",
+    "protocol": "rest-json",
+    "signatureVersion":"v4"
+  },
+  "operations": {
+    "BearerAuth": {
+      "name": "BearerAuth",
+      "http": {
+        "method": "POST",
+        "requestUri": "/"
+      },
+      "input": {"shape": "Request"},
+      "authtype":"bearer"
+    },
+    "NoAuth": {
+      "name": "NoAuth",
+      "http": {
+        "method": "POST",
+        "requestUri": "/"
+      },
+      "input": {"shape": "Request"},
+      "authtype":"none"
+    },
+    "Sigv4Auth": {
+      "name": "Sigv4Auth",
+      "http": {
+        "method": "POST",
+        "requestUri": "/"
+      },
+      "input": {"shape": "Request"}
+    }
+  },
+  "shapes": {
+    "Request": {
+      "type": "structure",
+      "members": {
+        "Value": {
+          "shape": "Value"
+        }
+      }
+    },
+    "Value": {"type": "string"}
+  }
+}

build_tools/aws-sdk-code-generator/spec/interfaces/client/bearer_authorization_spec.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+require_relative '../../spec_helper'
+
+describe 'Client Interface:' do
+  describe 'SignatureVersion: bearer' do
+    before(:all) do
+      SpecHelper.generate_service(['BearerAuth'], multiple_files: false)
+    end
+
+    let(:token) { 'token' }
+
+    let(:token_provider) { Aws::StaticTokenProvider.new(token) }
+
+    let(:client) do
+      BearerAuth::Client.new(
+        region: 'us-west-2',
+        stub_responses: true,
+        token_provider: token_provider,
+        endpoint: 'https://svc.us-west-2.amazonaws.com'
+      )
+    end
+
+    describe '#bearer_auth' do
+      it 'sets the Authorization header' do
+        client.stub_responses(:bearer_auth, -> (context) {
+          expect(context.http_request.headers['Authorization']).to eq('Bearer token')
+        })
+        client.bearer_auth
+      end
+    end
+
+    describe '#sigv_4_auth' do
+      it 'sets the Authorization header' do
+        client.stub_responses(:sigv_4_auth, -> (context) {
+          expect(context.http_request.headers['Authorization']).to include('AWS4-HMAC-SHA256')
+        })
+        client.sigv_4_auth
+      end
+    end
+
+    describe '#no_auth' do
+      it 'does not set the Authorization header' do
+        client.stub_responses(:no_auth, -> (context) {
+          expect(context.http_request.headers.key?('Authorization')).to be_falsey
+        })
+        client.no_auth
+      end
+    end
+  end
+
+  describe 'SignatureVersion: v4' do
+    before(:all) do
+      SpecHelper.generate_service(['V4WithBearer'], multiple_files: false)
+    end
+
+    let(:token) { 'token' }
+
+    let(:token_provider) { Aws::StaticTokenProvider.new(token) }
+
+    let(:client) do
+      V4WithBearer::Client.new(
+        region: 'us-west-2',
+        stub_responses: true,
+        token_provider: token_provider,
+        endpoint: 'https://svc.us-west-2.amazonaws.com'
+      )
+    end
+
+    describe '#bearer_auth' do
+      it 'sets the Authorization header' do
+        resp = client.bearer_auth
+        expect(resp.context.http_request.headers['Authorization']).to eq('Bearer token')
+      end
+    end
+
+    describe '#sigv_4_auth' do
+      it 'sets the Authorization header' do
+        resp = client.sigv_4_auth
+        expect(resp.context.http_request.headers['Authorization']).to include('AWS4-HMAC-SHA256')
+      end
+    end
+
+    describe '#no_auth' do
+      it 'does not set the Authorization header' do
+        resp = client.no_auth
+        expect(resp.context.http_request.headers.key?('Authorization')).to be_falsey
+      end
+    end
+  end
+
+end

gems/aws-sdk-core/CHANGELOG.md

@@ -1,6 +1,7 @@
 Unreleased Changes
 ------------------
 
+* Feature - Add support for Bearer Token Authentication and TokenProviders.
 * Issue - Validate that `_X_AMZN_TRACE_ID` ENV value contains only valid, non-control characters.
 
 3.133.0 (2022-08-22)

gems/aws-sdk-core/lib/aws-sdk-core.rb

@@ -20,6 +20,15 @@
 require_relative 'aws-sdk-core/process_credentials'
 require_relative 'aws-sdk-core/sso_credentials'
 
+# tokens and token providers
+require_relative 'aws-sdk-core/token'
+require_relative 'aws-sdk-core/token_provider'
+require_relative 'aws-sdk-core/static_token_provider'
+require_relative 'aws-sdk-core/refreshing_token'
+require_relative 'aws-sdk-core/sso_token_provider'
+require_relative 'aws-sdk-core/token_provider_chain'
+require_relative 'aws-sdk-core/plugins/bearer_authorization'
+
 # client modules
 
 require_relative 'aws-sdk-core/client_stubs'

gems/aws-sdk-core/lib/aws-sdk-core/errors.rb

@@ -210,6 +210,19 @@ class InvalidProcessCredentialsPayload < RuntimeError; end
     # Raised when SSO Credentials are invalid
     class InvalidSSOCredentials < RuntimeError; end
 
+    # Raised when SSO Token is invalid
+    class InvalidSSOToken < RuntimeError; end
+
+    # Raised when a client is unable to sign a request because
+    # the bearer token is not configured or available
+    class MissingBearerTokenError < RuntimeError
+      def initialize(*args)
+        msg = 'unable to sign request without token set'
+        super(msg)
+      end
+    end
+
+
     # Raised when there is a circular reference in chained
     # source_profiles
     class SourceProfileCircularReferenceError < RuntimeError; end

gems/aws-sdk-core/lib/aws-sdk-core/plugins/bearer_authorization.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Aws
+  # @api private
+  module Plugins
+    # @api private
+    class BearerAuthorization < Seahorse::Client::Plugin
+
+      option(:token_provider,
+             required: false,
+             doc_type: 'Aws::TokenProvider',
+             docstring: <<-DOCS
+A Bearer Token Provider. This can be an instance of any one of the
+following classes:
+
+* `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
+  tokens.
+
+* `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
+  access token generated from `aws login`.
+
+When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
+will be used to search for tokens configured for your profile in shared configuration files.
+      DOCS
+      ) do |config|
+        if config.stub_responses
+          StaticTokenProvider.new('token')
+        else
+          TokenProviderChain.new(config).resolve
+        end
+      end
+
+
+      def add_handlers(handlers, cfg)
+        bearer_operations =
+          if cfg.api.metadata['signatureVersion'] == 'bearer'
+            # select operations where authtype is either not set or is bearer
+            cfg.api.operation_names.select do |o|
+              !cfg.api.operation(o)['authtype'] || cfg.api.operation(o)['authtype'] == 'bearer'
+            end
+          else # service is not bearer auth
+            # select only operations where authtype is explicitly bearer
+            cfg.api.operation_names.select do |o|
+              cfg.api.operation(o)['authtype'] == 'bearer'
+            end
+          end
+        handlers.add(Handler, step: :sign, operations: bearer_operations)
+      end
+
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+          if context.http_request.endpoint.scheme != 'https'
+            raise ArgumentError, 'Unable to use bearer authorization on non https endpoint.'
+          end
+
+          token_provider = context.config.token_provider
+          if token_provider && token_provider.set?
+            context.http_request.headers['Authorization'] = "Bearer #{token_provider.token.token}"
+          else
+            raise Errors::MissingBearerTokenError
+          end
+          @handler.call(context)
+        end
+      end
+    end
+  end
+end

gems/aws-sdk-core/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -7,6 +7,8 @@ module Plugins
     # @api private
     class SignatureV4 < Seahorse::Client::Plugin
 
+      V4_AUTH = %w[v4 v4-unsigned-payload v4-unsigned-body]
+
       option(:sigv4_signer) do |cfg|
         SignatureV4.build_signer(cfg)
       end
@@ -32,13 +34,16 @@ class SignatureV4 < Seahorse::Client::Plugin
       end
 
       option(:unsigned_operations) do |cfg|
-        cfg.api.operation_names.inject([]) do |unsigned, operation_name|
-          if cfg.api.operation(operation_name)['authtype'] == 'none' ||
-             cfg.api.operation(operation_name)['authtype'] == 'custom'
-            # Unsign requests that has custom apigateway authorizer as well
-            unsigned << operation_name
-          else
-            unsigned
+        if cfg.api.metadata['signatureVersion'] == 'v4'
+          # select operations where authtype is set and is not v4
+          cfg.api.operation_names.select do |o|
+            cfg.api.operation(o)['authtype'] && !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
+          end
+        else # service is not v4 auth
+          # select all operations where authtype is not v4
+          # (includes operations with no explicit authtype)
+          cfg.api.operation_names.select do |o|
+            !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
           end
         end
       end