feat: support sigv4aSigningRegionSet config setting (#1043)

Author: 0marperez

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/core/RuntimeTypes.kt

@@ -299,6 +299,7 @@ object RuntimeTypes {
                 val Credentials = symbol("Credentials")
                 val CredentialsProvider = symbol("CredentialsProvider")
                 val CredentialsProviderConfig = symbol("CredentialsProviderConfig")
+                val SigV4aClientConfig = symbol("SigV4aClientConfig")
             }
         }
 

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/lang/KotlinTypes.kt

@@ -61,6 +61,20 @@ object KotlinTypes {
             dependency(KotlinDependency.KOTLIN_STDLIB)
         }
 
+        private fun setType(
+            setType: Symbol,
+            target: Symbol,
+            isNullable: Boolean = false,
+            default: String? = null,
+        ): Symbol = buildSymbol {
+            name = "${setType.fullName}<${target.fullName}>"
+            nullable = isNullable
+            defaultValue = default
+            reference(setType)
+            reference(target)
+            dependency(KotlinDependency.KOTLIN_STDLIB)
+        }
+
         /**
          * Convenience function to get a `List<target>` as a symbol
          */
@@ -78,6 +92,15 @@ object KotlinTypes {
             isNullable: Boolean = false,
             default: String? = null,
         ): Symbol = listType(MutableList, target, isNullable, default)
+
+        /**
+         * Convenience function to get a `Set<target>` as a symbol
+         */
+        fun set(
+            target: Symbol,
+            isNullable: Boolean = false,
+            default: String? = null,
+        ): Symbol = setType(Set, target, isNullable, default)
     }
 
     object Jvm : RuntimeTypePackage(KotlinDependency.KOTLIN_STDLIB, "jvm") {

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/rendering/auth/SigV4AsymmetricAuthSchemeIntegration.kt

@@ -10,12 +10,17 @@ import software.amazon.smithy.codegen.core.Symbol
 import software.amazon.smithy.codegen.core.SymbolReference
 import software.amazon.smithy.kotlin.codegen.KotlinSettings
 import software.amazon.smithy.kotlin.codegen.core.*
+import software.amazon.smithy.kotlin.codegen.integration.AppendingSectionWriter
 import software.amazon.smithy.kotlin.codegen.integration.AuthSchemeHandler
 import software.amazon.smithy.kotlin.codegen.integration.KotlinIntegration
+import software.amazon.smithy.kotlin.codegen.integration.SectionWriterBinding
+import software.amazon.smithy.kotlin.codegen.lang.KotlinTypes
+import software.amazon.smithy.kotlin.codegen.model.asNullable
 import software.amazon.smithy.kotlin.codegen.model.buildSymbol
 import software.amazon.smithy.kotlin.codegen.model.hasTrait
 import software.amazon.smithy.kotlin.codegen.model.knowledge.AwsSignatureVersion4Asymmetric
 import software.amazon.smithy.kotlin.codegen.rendering.protocol.*
+import software.amazon.smithy.kotlin.codegen.rendering.util.ConfigProperty
 import software.amazon.smithy.model.Model
 import software.amazon.smithy.model.knowledge.ServiceIndex
 import software.amazon.smithy.model.shapes.OperationShape
@@ -34,6 +39,33 @@ class SigV4AsymmetricAuthSchemeIntegration : KotlinIntegration {
 
     override fun authSchemes(ctx: ProtocolGenerator.GenerationContext): List<AuthSchemeHandler> =
         listOf(SigV4AsymmetricAuthSchemeHandler())
+
+    override fun additionalServiceConfigProps(ctx: CodegenContext): List<ConfigProperty> =
+        listOf(
+            ConfigProperty {
+                name = "sigV4aSigningRegionSet"
+                symbol = KotlinTypes.Collections.set(KotlinTypes.String).asNullable()
+                baseClass = RuntimeTypes.Auth.Credentials.AwsCredentials.SigV4aClientConfig
+                useNestedBuilderBaseClass()
+                documentation = """
+                The set of regions to use when signing a request with SigV4a. If not provided this will automatically be set by the SDK.
+                """.trimIndent()
+            },
+        )
+
+    override val sectionWriters: List<SectionWriterBinding>
+        get() = listOf(
+            SectionWriterBinding(HttpProtocolClientGenerator.MergeServiceDefaults, renderMergeServiceDefaults),
+        )
+}
+
+private val renderMergeServiceDefaults = AppendingSectionWriter { writer ->
+    writer.putIfAbsent(
+        RuntimeTypes.Auth.Signing.AwsSigningCommon.AwsSigningAttributes,
+        "ConfigSigningRegionSet",
+        "config.sigV4aSigningRegionSet",
+        true,
+    )
 }
 
 private class SigV4AsymmetricAuthSchemeHandler : AuthSchemeHandler {

runtime/auth/aws-credentials/api/aws-credentials.api

@@ -61,3 +61,12 @@ public final class aws/smithy/kotlin/runtime/auth/awscredentials/CredentialsProv
 	public synthetic fun <init> (Ljava/lang/String;Ljava/lang/Throwable;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
 }
 
+public abstract interface class aws/smithy/kotlin/runtime/auth/awscredentials/SigV4aClientConfig {
+	public abstract fun getSigV4aSigningRegionSet ()Ljava/util/Set;
+}
+
+public abstract interface class aws/smithy/kotlin/runtime/auth/awscredentials/SigV4aClientConfig$Builder {
+	public abstract fun getSigV4aSigningRegionSet ()Ljava/util/Set;
+	public abstract fun setSigV4aSigningRegionSet (Ljava/util/Set;)V
+}
+

runtime/auth/aws-credentials/common/src/aws/smithy/kotlin/runtime/auth/awscredentials/SigV4aClientConfig.kt

@@ -0,0 +1,22 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.smithy.kotlin.runtime.auth.awscredentials
+
+/**
+ * The configuration properties for a client that supports SigV4a
+ */
+public interface SigV4aClientConfig {
+    /**
+     * The set of regions to use when signing a request with SigV4a.
+     */
+    public val sigV4aSigningRegionSet: Set<String>?
+
+    public interface Builder {
+        /**
+         * The set of regions to use when signing a request with SigV4a.
+         */
+        public var sigV4aSigningRegionSet: Set<String>?
+    }
+}

runtime/auth/aws-signing-common/api/aws-signing-common.api

@@ -51,6 +51,7 @@ public final class aws/smithy/kotlin/runtime/auth/awssigning/AwsSigningAlgorithm
 
 public final class aws/smithy/kotlin/runtime/auth/awssigning/AwsSigningAttributes {
 	public static final field INSTANCE Laws/smithy/kotlin/runtime/auth/awssigning/AwsSigningAttributes;
+	public final fun getConfigSigningRegionSet ()Laws/smithy/kotlin/runtime/collections/AttributeKey;
 	public final fun getCredentialsProvider ()Laws/smithy/kotlin/runtime/collections/AttributeKey;
 	public final fun getEnableAwsChunked ()Laws/smithy/kotlin/runtime/collections/AttributeKey;
 	public final fun getHashSpecification ()Laws/smithy/kotlin/runtime/collections/AttributeKey;

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/AwsSigningAttributes.kt

@@ -28,6 +28,11 @@ public object AwsSigningAttributes {
      */
     public val SigningRegionSet: AttributeKey<Set<String>> = AttributeKey("aws.smithy.kotlin.signing#AwsSigningRegionSet")
 
+    /**
+     * The user provided AWS region-set used for computing the signature. Overrides [SigningRegionSet].
+     */
+    public val ConfigSigningRegionSet: AttributeKey<Set<String>> = AttributeKey("aws.smithy.kotlin.signing#ConfigSigningRegionSet")
+
     /**
      * The signature version 4 service signing name to use in the credential scope when signing requests.
      * See: https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html

runtime/auth/http-auth-aws/common/src/aws/smithy/kotlin/runtime/http/auth/AwsHttpSigner.kt

@@ -121,6 +121,7 @@ public class AwsHttpSigner(private val config: Config) : HttpSigner {
         val contextSignedBodyHeader = attributes.getOrNull(AwsSigningAttributes.SignedBodyHeader)
         val contextSigningRegion = attributes[AwsSigningAttributes.SigningRegion]
         val contextSigningRegionSet = attributes.getOrNull(AwsSigningAttributes.SigningRegionSet)
+        val configSigningRegionSet = attributes.getOrNull(AwsSigningAttributes.ConfigSigningRegionSet)
         val contextUseDoubleUriEncode = attributes.getOrNull(AwsSigningAttributes.UseDoubleUriEncode)
         val contextNormalizeUriPath = attributes.getOrNull(AwsSigningAttributes.NormalizeUriPath)
         val contextSigningServiceName = attributes.getOrNull(AwsSigningAttributes.SigningService)
@@ -135,6 +136,10 @@ public class AwsHttpSigner(private val config: Config) : HttpSigner {
             algorithm = config.algorithm
 
             region = when {
+                // signing region set from client config overrides all other sources like endpoints because it's designed as an
+                // escape hatch for customers to control/limit which regions a request will be valid for (e.g. since some services
+                // use '*')
+                algorithm == AwsSigningAlgorithm.SIGV4_ASYMMETRIC && !configSigningRegionSet.isNullOrEmpty() -> configSigningRegionSet.joinToString(",")
                 algorithm == AwsSigningAlgorithm.SIGV4_ASYMMETRIC && !contextSigningRegionSet.isNullOrEmpty() -> contextSigningRegionSet.joinToString(",")
                 else -> contextSigningRegion
             }