feat: add SIGV4A auth scheme integration (#1023)

Author: 0marperez

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/CodegenVisitor.kt

@@ -8,9 +8,15 @@ package software.amazon.smithy.kotlin.codegen
 import software.amazon.smithy.build.FileManifest
 import software.amazon.smithy.build.PluginContext
 import software.amazon.smithy.codegen.core.SymbolProvider
-import software.amazon.smithy.kotlin.codegen.core.*
+import software.amazon.smithy.kotlin.codegen.core.GenerationContext
+import software.amazon.smithy.kotlin.codegen.core.KotlinDelegator
+import software.amazon.smithy.kotlin.codegen.core.KotlinDependency
+import software.amazon.smithy.kotlin.codegen.core.toRenderingContext
 import software.amazon.smithy.kotlin.codegen.integration.KotlinIntegration
-import software.amazon.smithy.kotlin.codegen.model.*
+import software.amazon.smithy.kotlin.codegen.model.OperationNormalizer
+import software.amazon.smithy.kotlin.codegen.model.getEndpointRules
+import software.amazon.smithy.kotlin.codegen.model.getEndpointTests
+import software.amazon.smithy.kotlin.codegen.model.hasTrait
 import software.amazon.smithy.kotlin.codegen.rendering.*
 import software.amazon.smithy.kotlin.codegen.rendering.protocol.ApplicationProtocol
 import software.amazon.smithy.kotlin.codegen.rendering.protocol.ProtocolGenerator
@@ -44,10 +50,9 @@ class CodegenVisitor(context: PluginContext) : ShapeVisitor.Default<Unit>() {
         LOGGER.info("Discovering KotlinIntegration providers...")
         integrations = ServiceLoader.load(KotlinIntegration::class.java, classLoader)
             .onEach { integration -> LOGGER.info("Loaded KotlinIntegration: ${integration.javaClass.name}") }
-            .filter { integration -> integration.enabledForService(context.model, settings) }
+            .filter { integration -> integration.enabledForService(context.model, settings) } // TODO: Change so we don't filter until previous integrations model modifications are complete
             .onEach { integration -> LOGGER.info("Enabled KotlinIntegration: ${integration.javaClass.name}") }
             .sortedBy(KotlinIntegration::order)
-            .toList()
 
         LOGGER.info("Preprocessing model")
         // Model pre-processing:

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/core/RuntimeTypes.kt

@@ -323,6 +323,7 @@ object RuntimeTypes {
         object HttpAuthAws : RuntimeTypePackage(KotlinDependency.HTTP_AUTH_AWS) {
             val AwsHttpSigner = symbol("AwsHttpSigner")
             val SigV4AuthScheme = symbol("SigV4AuthScheme")
+            val SigV4AsymmetricAuthScheme = symbol("SigV4AsymmetricAuthScheme")
             val mergeAuthOptions = symbol("mergeAuthOptions")
             val sigV4 = symbol("sigV4")
             val sigV4A = symbol("sigV4A")

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/model/knowledge/AwsSignatureVersion4Asymmetric.kt

@@ -0,0 +1,25 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package software.amazon.smithy.kotlin.codegen.model.knowledge
+
+import software.amazon.smithy.aws.traits.auth.SigV4ATrait
+import software.amazon.smithy.kotlin.codegen.model.expectTrait
+import software.amazon.smithy.model.shapes.ServiceShape
+
+/**
+ * AWS Signature Version 4 Asymmetric signing utils
+ */
+object AwsSignatureVersion4Asymmetric {
+    /**
+     * Get the SigV4ATrait auth name to sign request for
+     *
+     * @param serviceShape service shape for the API
+     * @return the service name to use in the credential scope to sign for
+     */
+    fun signingServiceName(serviceShape: ServiceShape): String {
+        val sigv4aTrait = serviceShape.expectTrait<SigV4ATrait>()
+        return sigv4aTrait.name
+    }
+}

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/rendering/auth/SigV4AsymmetricAuthSchemeIntegration.kt

@@ -0,0 +1,78 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package software.amazon.smithy.kotlin.codegen.rendering.auth
+
+import software.amazon.smithy.aws.traits.auth.SigV4ATrait
+import software.amazon.smithy.aws.traits.auth.UnsignedPayloadTrait
+import software.amazon.smithy.codegen.core.Symbol
+import software.amazon.smithy.codegen.core.SymbolReference
+import software.amazon.smithy.kotlin.codegen.KotlinSettings
+import software.amazon.smithy.kotlin.codegen.core.*
+import software.amazon.smithy.kotlin.codegen.integration.AuthSchemeHandler
+import software.amazon.smithy.kotlin.codegen.integration.KotlinIntegration
+import software.amazon.smithy.kotlin.codegen.model.buildSymbol
+import software.amazon.smithy.kotlin.codegen.model.hasTrait
+import software.amazon.smithy.kotlin.codegen.model.knowledge.AwsSignatureVersion4Asymmetric
+import software.amazon.smithy.kotlin.codegen.rendering.protocol.*
+import software.amazon.smithy.model.Model
+import software.amazon.smithy.model.knowledge.ServiceIndex
+import software.amazon.smithy.model.shapes.OperationShape
+import software.amazon.smithy.model.shapes.ShapeId
+
+/**
+ * Register support for the `aws.auth#sigv4a` auth scheme.
+ */
+class SigV4AsymmetricAuthSchemeIntegration : KotlinIntegration {
+    // Needs to happen after the `SigV4AsymmetricTraitCustomization` (-60).
+    override val order: Byte = -50
+
+    // Needs to be true due to the way integrations are filtered out before application and sigV4a customization.
+    // See 'CodegenVisitor' & 'SigV4AsymmetricTraitCustomization'
+    override fun enabledForService(model: Model, settings: KotlinSettings): Boolean = true
+
+    override fun authSchemes(ctx: ProtocolGenerator.GenerationContext): List<AuthSchemeHandler> =
+        if (modelHasSigV4aTrait(ctx)) listOf(SigV4AsymmetricAuthSchemeHandler()) else emptyList()
+}
+
+private class SigV4AsymmetricAuthSchemeHandler : AuthSchemeHandler {
+    override val authSchemeId: ShapeId = SigV4ATrait.ID
+
+    override val authSchemeIdSymbol: Symbol = buildSymbol {
+        name = "AuthSchemeId.AwsSigV4Asymmetric"
+        val ref = RuntimeTypes.Auth.Identity.AuthSchemeId
+        objectRef = ref
+        namespace = ref.namespace
+        reference(ref, SymbolReference.ContextOption.USE)
+    }
+
+    override fun identityProviderAdapterExpression(writer: KotlinWriter) {
+        writer.write("config.credentialsProvider")
+    }
+
+    override fun authSchemeProviderInstantiateAuthOptionExpr(
+        ctx: ProtocolGenerator.GenerationContext,
+        op: OperationShape?,
+        writer: KotlinWriter,
+    ) {
+        val expr = if (op?.hasTrait<UnsignedPayloadTrait>() == true) {
+            "#T(unsignedPayload = true)"
+        } else {
+            "#T()"
+        }
+        writer.write(expr, RuntimeTypes.Auth.HttpAuthAws.sigV4A)
+    }
+
+    override fun instantiateAuthSchemeExpr(ctx: ProtocolGenerator.GenerationContext, writer: KotlinWriter) {
+        val signingService = AwsSignatureVersion4Asymmetric.signingServiceName(ctx.service)
+        writer.write("#T(#T, #S)", RuntimeTypes.Auth.HttpAuthAws.SigV4AsymmetricAuthScheme, RuntimeTypes.Auth.Signing.AwsSigningStandard.DefaultAwsSigner, signingService)
+    }
+}
+
+internal fun modelHasSigV4aTrait(ctx: ProtocolGenerator.GenerationContext): Boolean =
+    ServiceIndex
+        .of(ctx.model)
+        .getAuthSchemes(ctx.service)
+        .values
+        .any { it.javaClass == SigV4ATrait::class.java }

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/rendering/auth/SigV4AuthSchemeIntegration.kt

@@ -39,6 +39,7 @@ import java.util.*
  */
 class SigV4AuthSchemeIntegration : KotlinIntegration {
     // Allow integrations to customize the service config props, later integrations take precedence
+    // Needs to happen after the `SigV4AsymmetricTraitCustomization` (-60).
     override val order: Byte = -50
 
     override fun enabledForService(model: Model, settings: KotlinSettings): Boolean =
@@ -51,22 +52,7 @@ class SigV4AuthSchemeIntegration : KotlinIntegration {
         resolved: List<ProtocolMiddleware>,
     ): List<ProtocolMiddleware> = resolved + Sigv4SignedBodyHeaderMiddleware()
 
-    override fun additionalServiceConfigProps(ctx: CodegenContext): List<ConfigProperty> {
-        val credentialsProviderProp = ConfigProperty {
-            symbol = RuntimeTypes.Auth.Credentials.AwsCredentials.CredentialsProvider
-            baseClass = RuntimeTypes.Auth.Credentials.AwsCredentials.CredentialsProviderConfig
-            useNestedBuilderBaseClass()
-            documentation = """
-                The AWS credentials provider to use for authenticating requests. 
-                NOTE: The caller is responsible for managing the lifetime of the provider when set. The SDK
-                client will not close it when the client is closed.
-            """.trimIndent()
-
-            propertyType = ConfigPropertyType.Required()
-        }
-
-        return listOf(credentialsProviderProp)
-    }
+    override fun additionalServiceConfigProps(ctx: CodegenContext): List<ConfigProperty> = listOf(credentialsProviderProp)
 
     override fun customizeEndpointResolution(ctx: ProtocolGenerator.GenerationContext): EndpointCustomization =
         Sigv4EndpointCustomization
@@ -174,13 +160,14 @@ open class SigV4AuthSchemeHandler : AuthSchemeHandler {
  * Conditionally updates the operation context to set the signed body header attribute
  * e.g. to set `X-Amz-Content-Sha256` header.
  */
-class Sigv4SignedBodyHeaderMiddleware : ProtocolMiddleware {
+internal class Sigv4SignedBodyHeaderMiddleware : ProtocolMiddleware {
     override val name: String = "Sigv4SignedBodyHeaderMiddleware"
 
     override fun isEnabledFor(ctx: ProtocolGenerator.GenerationContext, op: OperationShape): Boolean {
         val hasEventStream = EventStreamIndex.of(ctx.model).getInputInfo(op).isPresent
         return hasEventStream || op.hasTrait<UnsignedPayloadTrait>()
     }
+
     override fun render(ctx: ProtocolGenerator.GenerationContext, op: OperationShape, writer: KotlinWriter) {
         writer.write(
             "op.context.set(#T.SignedBodyHeader, #T.X_AMZ_CONTENT_SHA256)",
@@ -196,20 +183,20 @@ private object Sigv4EndpointCustomization : EndpointCustomization {
     )
 }
 
-private fun String.toAuthOptionFactoryFn(): Symbol? =
-    when (this) {
-        "sigv4" -> RuntimeTypes.Auth.HttpAuthAws.sigV4
-        "sigv4a" -> RuntimeTypes.Auth.HttpAuthAws.sigV4A
-        else -> null
-    }
-
+// SigV4a requires SigV4 so SigV4 integration renders SigV4a auth scheme.
+// See comment in example model: https://smithy.io/2.0/aws/aws-auth.html?highlight=sigv4#aws-auth-sigv4a-trait
 private fun renderAuthSchemes(writer: KotlinWriter, authSchemes: Expression, expressionRenderer: ExpressionRenderer) {
     writer.writeInline("#T to ", RuntimeTypes.SmithyClient.Endpoints.SigningContextAttributeKey)
     writer.withBlock("listOf(", ")") {
         authSchemes.toNode().expectArrayNode().forEach {
             val scheme = it.expectObjectNode()
             val schemeName = scheme.expectStringMember("name").value
-            val authFactoryFn = schemeName.toAuthOptionFactoryFn() ?: return@forEach
+
+            val authFactoryFn = when (schemeName) {
+                "sigv4" -> RuntimeTypes.Auth.HttpAuthAws.sigV4
+                "sigv4a" -> RuntimeTypes.Auth.HttpAuthAws.sigV4A
+                else -> return@forEach
+            }
 
             withBlock("#T(", "),", authFactoryFn) {
                 // we delegate back to the expression visitor for each of these fields because it's possible to
@@ -221,15 +208,30 @@ private fun renderAuthSchemes(writer: KotlinWriter, authSchemes: Expression, exp
                 writeInline("disableDoubleUriEncode = ")
                 renderOrElse(expressionRenderer, scheme.getBooleanMember("disableDoubleEncoding"), "false")
 
-                when (schemeName) {
-                    "sigv4" -> renderSigV4Fields(writer, scheme, expressionRenderer)
-                    "sigv4a" -> renderSigV4AFields(writer, scheme, expressionRenderer)
-                }
+                renderFieldsForScheme(writer, scheme, expressionRenderer)
             }
         }
     }
 }
 
+private fun renderFieldsForScheme(writer: KotlinWriter, scheme: ObjectNode, expressionRenderer: ExpressionRenderer) {
+    when (scheme.expectStringMember("name").value) {
+        "sigv4" -> renderSigV4Fields(writer, scheme, expressionRenderer)
+        "sigv4a" -> renderSigV4AFields(writer, scheme, expressionRenderer)
+    }
+}
+
+private fun renderSigV4Fields(writer: KotlinWriter, scheme: ObjectNode, expressionRenderer: ExpressionRenderer) {
+    writer.writeInline("signingRegion = ")
+    writer.renderOrElse(expressionRenderer, scheme.getStringMember("signingRegion"), "null")
+}
+
+private fun renderSigV4AFields(writer: KotlinWriter, scheme: ObjectNode, expressionRenderer: ExpressionRenderer) {
+    writer.writeInline("signingRegionSet = ")
+    expressionRenderer.renderExpression(Expression.fromNode(scheme.expectArrayMember("signingRegionSet")))
+    writer.write(",")
+}
+
 private fun KotlinWriter.renderOrElse(
     expressionRenderer: ExpressionRenderer,
     optionalNode: Optional<out Node>,
@@ -243,13 +245,15 @@ private fun KotlinWriter.renderOrElse(
     write(",")
 }
 
-private fun renderSigV4Fields(writer: KotlinWriter, scheme: ObjectNode, expressionRenderer: ExpressionRenderer) {
-    writer.writeInline("signingRegion = ")
-    writer.renderOrElse(expressionRenderer, scheme.getStringMember("signingRegion"), "null")
-}
+internal val credentialsProviderProp = ConfigProperty {
+    symbol = RuntimeTypes.Auth.Credentials.AwsCredentials.CredentialsProvider
+    baseClass = RuntimeTypes.Auth.Credentials.AwsCredentials.CredentialsProviderConfig
+    useNestedBuilderBaseClass()
+    documentation = """
+                The AWS credentials provider to use for authenticating requests. 
+                NOTE: The caller is responsible for managing the lifetime of the provider when set. The SDK
+                client will not close it when the client is closed.
+    """.trimIndent()
 
-private fun renderSigV4AFields(writer: KotlinWriter, scheme: ObjectNode, expressionRenderer: ExpressionRenderer) {
-    writer.writeInline("signingRegionSet = ")
-    expressionRenderer.renderExpression(Expression.fromNode(scheme.expectArrayMember("signingRegionSet")))
-    writer.write(",")
+    propertyType = ConfigPropertyType.Required()
 }

codegen/smithy-kotlin-codegen/src/main/resources/META-INF/services/software.amazon.smithy.kotlin.codegen.integration.KotlinIntegration

@@ -11,3 +11,4 @@ software.amazon.smithy.kotlin.codegen.rendering.auth.BearerTokenAuthSchemeIntegr
 software.amazon.smithy.kotlin.codegen.rendering.endpoints.discovery.EndpointDiscoveryIntegration
 software.amazon.smithy.kotlin.codegen.rendering.endpoints.SdkEndpointBuiltinIntegration
 software.amazon.smithy.kotlin.codegen.rendering.compression.RequestCompressionIntegration
+software.amazon.smithy.kotlin.codegen.rendering.auth.SigV4AsymmetricAuthSchemeIntegration