feat: support S3 Express One Zone (#1033)

Author: lauzadis

.changes/d2f0f8cb-b94d-403e-9db8-5cd61bd8eb1b.json

@@ -0,0 +1,5 @@
+{
+    "id": "d2f0f8cb-b94d-403e-9db8-5cd61bd8eb1b",
+    "type": "feature",
+    "description": "Add support for S3 Express One Zone"
+}

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/rendering/auth/IdentityProviderConfigGenerator.kt

@@ -7,10 +7,7 @@ package software.amazon.smithy.kotlin.codegen.rendering.auth
 
 import software.amazon.smithy.codegen.core.Symbol
 import software.amazon.smithy.kotlin.codegen.KotlinSettings
-import software.amazon.smithy.kotlin.codegen.core.KotlinWriter
-import software.amazon.smithy.kotlin.codegen.core.RuntimeTypes
-import software.amazon.smithy.kotlin.codegen.core.clientName
-import software.amazon.smithy.kotlin.codegen.core.withBlock
+import software.amazon.smithy.kotlin.codegen.core.*
 import software.amazon.smithy.kotlin.codegen.model.buildSymbol
 import software.amazon.smithy.kotlin.codegen.model.knowledge.AuthIndex
 import software.amazon.smithy.kotlin.codegen.rendering.protocol.ProtocolGenerator

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/rendering/auth/SigV4AuthSchemeIntegration.kt

@@ -186,29 +186,36 @@ private object Sigv4EndpointCustomization : EndpointCustomization {
 // SigV4a requires SigV4 so SigV4 integration renders SigV4a auth scheme.
 // See comment in example model: https://smithy.io/2.0/aws/aws-auth.html?highlight=sigv4#aws-auth-sigv4a-trait
 private fun renderAuthSchemes(writer: KotlinWriter, authSchemes: Expression, expressionRenderer: ExpressionRenderer) {
-    writer.writeInline("#T to ", RuntimeTypes.SmithyClient.Endpoints.SigningContextAttributeKey)
-    writer.withBlock("listOf(", ")") {
-        authSchemes.toNode().expectArrayNode().forEach {
-            val scheme = it.expectObjectNode()
-            val schemeName = scheme.expectStringMember("name").value
-
-            val authFactoryFn = when (schemeName) {
-                "sigv4" -> RuntimeTypes.Auth.HttpAuthAws.sigV4
-                "sigv4a" -> RuntimeTypes.Auth.HttpAuthAws.sigV4A
-                else -> return@forEach
-            }
-
-            withBlock("#T(", "),", authFactoryFn) {
-                // we delegate back to the expression visitor for each of these fields because it's possible to
-                // encounter template strings throughout
-
-                writeInline("serviceName = ")
-                renderOrElse(expressionRenderer, scheme.getStringMember("signingName"), "null")
-
-                writeInline("disableDoubleUriEncode = ")
-                renderOrElse(expressionRenderer, scheme.getBooleanMember("disableDoubleEncoding"), "false")
-
-                renderFieldsForScheme(writer, scheme, expressionRenderer)
+    val schemes = authSchemes.toNode().expectArrayNode().filter {
+        val name = it.expectObjectNode().expectStringMember("name").value
+        name == "sigv4" || name == "sigv4a"
+    }.takeIf { it.isNotEmpty() }
+
+    schemes?.let {
+        writer.writeInline("#T to ", RuntimeTypes.SmithyClient.Endpoints.SigningContextAttributeKey)
+        writer.withBlock("listOf(", ")") {
+            schemes.forEach {
+                val scheme = it.expectObjectNode()
+                val schemeName = scheme.expectStringMember("name").value
+
+                val authFactoryFn = when (schemeName) {
+                    "sigv4" -> RuntimeTypes.Auth.HttpAuthAws.sigV4
+                    "sigv4a" -> RuntimeTypes.Auth.HttpAuthAws.sigV4A
+                    else -> return@forEach
+                }
+
+                withBlock("#T(", "),", authFactoryFn) {
+                    // we delegate back to the expression visitor for each of these fields because it's possible to
+                    // encounter template strings throughout
+
+                    writeInline("serviceName = ")
+                    renderOrElse(expressionRenderer, scheme.getStringMember("signingName"), "null")
+
+                    writeInline("disableDoubleUriEncode = ")
+                    renderOrElse(expressionRenderer, scheme.getBooleanMember("disableDoubleEncoding"), "false")
+
+                    renderFieldsForScheme(writer, scheme, expressionRenderer)
+                }
             }
         }
     }

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/rendering/endpoints/DefaultEndpointProviderGenerator.kt

@@ -80,8 +80,10 @@ class DefaultEndpointProviderGenerator(
 
     private val propertyRenderers = endpointCustomizations
         .map { it.propertyRenderers }
-        .fold(mutableMapOf<String, EndpointPropertyRenderer>()) { acc, propRenderers ->
-            acc.putAll(propRenderers)
+        .fold(mutableMapOf<String, MutableList<EndpointPropertyRenderer>>()) { acc, propRenderers ->
+            propRenderers.forEach { (key, propRenderer) ->
+                acc[key] = acc.getOrDefault(key, mutableListOf()).also { it.add(propRenderer) }
+            }
             acc
         }
 
@@ -190,7 +192,9 @@ class DefaultEndpointProviderGenerator(
 
                             // caller has a chance to generate their own value for a recognized property
                             if (kStr in propertyRenderers) {
-                                propertyRenderers[kStr]!!(writer, v, this@DefaultEndpointProviderGenerator)
+                                propertyRenderers[kStr]!!.forEach { renderer ->
+                                    renderer(writer, v, this@DefaultEndpointProviderGenerator)
+                                }
                                 return@forEach
                             }
 

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/rendering/endpoints/DefaultEndpointProviderTestGenerator.kt

@@ -42,8 +42,10 @@ class DefaultEndpointProviderTestGenerator(
     private val endpointCustomizations = ctx.integrations.mapNotNull { it.customizeEndpointResolution(ctx) }
     private val propertyRenderers = endpointCustomizations
         .map { it.propertyRenderers }
-        .fold(mutableMapOf<String, EndpointPropertyRenderer>()) { acc, propRenderers ->
-            acc.putAll(propRenderers)
+        .fold(mutableMapOf<String, MutableList<EndpointPropertyRenderer>>()) { acc, propRenderers ->
+            propRenderers.forEach { (key, propRenderer) ->
+                acc[key] = acc.getOrDefault(key, mutableListOf()).also { it.add(propRenderer) }
+            }
             acc
         }
 
@@ -131,7 +133,9 @@ class DefaultEndpointProviderTestGenerator(
                 withBlock("attributes = #T {", "},", RuntimeTypes.Core.Collections.attributesOf) {
                     endpoint.properties.entries.forEach { (k, v) ->
                         if (k in propertyRenderers) {
-                            propertyRenderers[k]!!(writer, Expression.fromNode(v), this@DefaultEndpointProviderTestGenerator)
+                            propertyRenderers[k]!!.forEach { renderer ->
+                                renderer(writer, Expression.fromNode(v), this@DefaultEndpointProviderTestGenerator)
+                            }
                             return@forEach
                         }
 

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/rendering/protocol/HttpProtocolClientGenerator.kt

@@ -348,19 +348,12 @@ open class HttpProtocolClientGenerator(
             return
         }
 
-        val requestAlgorithmMember = ctx.model.getShape(input.get()).getOrNull()
-            ?.members()
-            ?.firstOrNull { it.memberName == httpChecksumTrait?.requestAlgorithmMember?.getOrNull() }
-
         if (hasTrait<HttpChecksumRequiredTrait>() || httpChecksumTrait?.isRequestChecksumRequired == true) {
             val interceptorSymbol = RuntimeTypes.HttpClient.Interceptors.Md5ChecksumInterceptor
             val inputSymbol = ctx.symbolProvider.toSymbol(ctx.model.expectShape(inputShape))
-
-            requestAlgorithmMember?.let {
-                writer.withBlock("op.interceptors.add(#T<#T> { ", "})", interceptorSymbol, inputSymbol) {
-                    writer.write("it.#L?.value == null", requestAlgorithmMember.defaultName())
-                }
-            } ?: writer.write("op.interceptors.add(#T<#T>())", interceptorSymbol, inputSymbol)
+            writer.withBlock("op.interceptors.add(#T<#T> {", "})", interceptorSymbol, inputSymbol) {
+                writer.write("op.context.getOrNull(#T.ChecksumAlgorithm) == null", RuntimeTypes.HttpClient.Operation.HttpOperationContext)
+            }
         }
     }
 

gradle/libs.versions.toml

@@ -12,7 +12,7 @@ okio-version = "3.6.0"
 otel-version = "1.32.0"
 slf4j-version = "2.0.9"
 slf4j-v1x-version = "1.7.36"
-crt-kotlin-version = "0.8.2"
+crt-kotlin-version = "0.8.5"
 
 # codegen
 smithy-version = "1.42.0"

runtime/auth/aws-signing-common/api/aws-signing-common.api

@@ -55,6 +55,7 @@ public final class aws/smithy/kotlin/runtime/auth/awssigning/AwsSigningAttribute
 	public final fun getEnableAwsChunked ()Laws/smithy/kotlin/runtime/collections/AttributeKey;
 	public final fun getHashSpecification ()Laws/smithy/kotlin/runtime/collections/AttributeKey;
 	public final fun getNormalizeUriPath ()Laws/smithy/kotlin/runtime/collections/AttributeKey;
+	public final fun getOmitSessionToken ()Laws/smithy/kotlin/runtime/collections/AttributeKey;
 	public final fun getRequestSignature ()Laws/smithy/kotlin/runtime/collections/AttributeKey;
 	public final fun getSignedBodyHeader ()Laws/smithy/kotlin/runtime/collections/AttributeKey;
 	public final fun getSigner ()Laws/smithy/kotlin/runtime/collections/AttributeKey;

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/AwsSigningAttributes.kt

@@ -86,4 +86,9 @@ public object AwsSigningAttributes {
      * @see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html">SigV4 Streaming</a>
      */
     public val EnableAwsChunked: AttributeKey<Boolean> = AttributeKey("aws.smithy.kotlin.signing#EnableAwsChunked")
+
+    /**
+     * Flag indicating whether the X-Amz-Security-Token header should be omitted from the canonical request during signing.
+     */
+    public val OmitSessionToken: AttributeKey<Boolean> = AttributeKey("aws.smithy.kotlin.signing#OmitSessionToken")
 }

runtime/auth/aws-signing-crt/jvm/src/aws/smithy/kotlin/runtime/auth/awssigning/crt/CrtAwsSigner.kt

@@ -22,19 +22,30 @@ import aws.sdk.kotlin.crt.auth.signing.AwsSigningAlgorithm as CrtSigningAlgorith
 import aws.sdk.kotlin.crt.auth.signing.AwsSigningConfig as CrtSigningConfig
 import aws.sdk.kotlin.crt.http.Headers as CrtHeaders
 
+private const val S3_EXPRESS_HEADER_NAME = "X-Amz-S3session-Token"
+
 public object CrtAwsSigner : AwsSigner {
     override suspend fun sign(request: HttpRequest, config: AwsSigningConfig): AwsSigningResult<HttpRequest> {
         val isUnsigned = config.hashSpecification is HashSpecification.UnsignedPayload
         val isAwsChunked = request.headers.contains("Content-Encoding", "aws-chunked")
-        val crtRequest = request.toSignableCrtRequest(isUnsigned, isAwsChunked)
-        val crtConfig = config.toCrtSigningConfig()
+        val isS3Express = request.headers.contains(S3_EXPRESS_HEADER_NAME)
+
+        val requestBuilder = request.toBuilder()
 
-        val crtResult = CrtSigner.sign(crtRequest, crtConfig)
+        val crtConfig = config.toCrtSigningConfig().toBuilder()
+        if (isS3Express) {
+            crtConfig.algorithm = CrtSigningAlgorithm.SIGV4_S3EXPRESS
+            crtConfig.omitSessionToken = false
+            requestBuilder.headers.remove(S3_EXPRESS_HEADER_NAME) // CRT signer fails if this header is already present
+        }
+
+        val crtRequest = requestBuilder.build().toSignableCrtRequest(isUnsigned, isAwsChunked)
+
+        val crtResult = CrtSigner.sign(crtRequest, crtConfig.build())
         coroutineContext.debug<CrtAwsSigner> { "Calculated signature: ${crtResult.signature.decodeToString()}" }
 
         val crtSignedResult = checkNotNull(crtResult.signedRequest) { "Signed request unexpectedly null" }
 
-        val requestBuilder = request.toBuilder()
         requestBuilder.update(crtSignedResult)
         return AwsSigningResult(requestBuilder.build(), crtResult.signature)
     }