feat: interceptors (#775)

Author: aajtodd

.changes/2a4ab4f2-bd6e-4de5-be7e-5bd1fe02b07c.json

@@ -0,0 +1,8 @@
+{
+    "id": "2a4ab4f2-bd6e-4de5-be7e-5bd1fe02b07c",
+    "type": "feature",
+    "description": "Add capability to intercept SDK operations",
+    "issues": [
+        "awslabs/smithy-kotlin#122"
+    ]
+}

docs/design/README.md

@@ -21,3 +21,4 @@ Start here for an overview:
 * [Retries](retries.md)
 * [Tracing](tracing.md)
 * [Waiters](waiters.md)
+* [Interceptors](interceptors.md)

docs/design/interceptors.md

@@ -364,7 +364,12 @@ public interface Interceptor<
 /**
  * [Interceptor] context used for all phases that only have access to the operation input (request)
  */
-public interface RequestInterceptorContext<I> : Attributes {
+public interface RequestInterceptorContext<I> {
+  
+  /**
+   * The [ExecutionContext] used to drive the execution of a single request/response
+   */
+  public val executionContext: ExecutionContext
 
     /**
      * Retrieve the modeled request for the operation being invoked

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/middleware/AwsSigningMiddleware.kt renamed to runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/AwsHttpSigner.kt

@@ -2,35 +2,35 @@
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
-package aws.smithy.kotlin.runtime.auth.awssigning.middleware
+package aws.smithy.kotlin.runtime.auth.awssigning
 
 import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
-import aws.smithy.kotlin.runtime.auth.awssigning.*
 import aws.smithy.kotlin.runtime.auth.awssigning.internal.*
 import aws.smithy.kotlin.runtime.auth.awssigning.internal.isEligibleForAwsChunkedStreaming
 import aws.smithy.kotlin.runtime.auth.awssigning.internal.setAwsChunkedBody
 import aws.smithy.kotlin.runtime.auth.awssigning.internal.setAwsChunkedHeaders
 import aws.smithy.kotlin.runtime.auth.awssigning.internal.useAwsChunkedEncoding
+import aws.smithy.kotlin.runtime.client.ExecutionContext
 import aws.smithy.kotlin.runtime.http.HttpBody
-import aws.smithy.kotlin.runtime.http.operation.*
+import aws.smithy.kotlin.runtime.http.auth.HttpSigner
 import aws.smithy.kotlin.runtime.http.request.HttpRequest
 import aws.smithy.kotlin.runtime.http.request.HttpRequestBuilder
 import aws.smithy.kotlin.runtime.util.InternalApi
 import aws.smithy.kotlin.runtime.util.get
 import kotlin.time.Duration
 
 /**
- * HTTP request pipeline middleware that signs outgoing requests
+ * AWS SigV4/SigV4a [HttpSigner] that signs outgoing requests using the given [config]
  */
 @InternalApi
-public class AwsSigningMiddleware(private val config: Config) : ModifyRequestMiddleware {
+public class AwsHttpSigner(private val config: Config) : HttpSigner {
     public companion object {
-        public inline operator fun invoke(block: Config.() -> Unit): AwsSigningMiddleware {
+        public inline operator fun invoke(block: Config.() -> Unit): AwsHttpSigner {
             val config = Config().apply(block)
             requireNotNull(config.credentialsProvider) { "A credentials provider must be specified for the middleware" }
             requireNotNull(config.service) { "A service must be specified for the middleware" }
             requireNotNull(config.signer) { "A signer must be specified for the middleware" }
-            return AwsSigningMiddleware(config)
+            return AwsHttpSigner(config)
         }
 
         @InternalApi
@@ -105,24 +105,20 @@ public class AwsSigningMiddleware(private val config: Config) : ModifyRequestMid
         public var expiresAfter: Duration? = null
     }
 
-    override fun install(op: SdkHttpOperation<*, *>) {
-        op.execution.finalize.register(this)
-    }
-
-    override suspend fun modifyRequest(req: SdkHttpRequest): SdkHttpRequest {
-        val body = req.subject.body
+    override suspend fun sign(context: ExecutionContext, request: HttpRequestBuilder) {
+        val body = request.body
 
         // favor attributes from the current request context
-        val contextHashSpecification = req.context.getOrNull(AwsSigningAttributes.HashSpecification)
-        val contextSignedBodyHeader = req.context.getOrNull(AwsSigningAttributes.SignedBodyHeader)
+        val contextHashSpecification = context.getOrNull(AwsSigningAttributes.HashSpecification)
+        val contextSignedBodyHeader = context.getOrNull(AwsSigningAttributes.SignedBodyHeader)
 
         // operation signing config is baseConfig + operation specific config/overrides
         val signingConfig = AwsSigningConfig {
-            region = req.context[AwsSigningAttributes.SigningRegion]
-            service = req.context.getOrNull(AwsSigningAttributes.SigningService) ?: checkNotNull(config.service)
+            region = context[AwsSigningAttributes.SigningRegion]
+            service = context.getOrNull(AwsSigningAttributes.SigningService) ?: checkNotNull(config.service)
             credentialsProvider = checkNotNull(config.credentialsProvider)
             algorithm = config.algorithm
-            signingDate = req.context.getOrNull(AwsSigningAttributes.SigningDate)
+            signingDate = context.getOrNull(AwsSigningAttributes.SigningDate)
 
             signatureType = config.signatureType
             omitSessionToken = config.omitSessionToken
@@ -140,7 +136,7 @@ public class AwsSigningMiddleware(private val config: Config) : ModifyRequestMid
                 config.isUnsignedPayload -> HashSpecification.UnsignedPayload
                 body is HttpBody.Empty -> HashSpecification.EmptyBody
                 body.isEligibleForAwsChunkedStreaming -> {
-                    if (req.subject.headers.contains("x-amz-trailer")) {
+                    if (request.headers.contains("x-amz-trailer")) {
                         HashSpecification.StreamingAws4HmacSha256PayloadWithTrailers
                     } else {
                         HashSpecification.StreamingAws4HmacSha256Payload
@@ -152,21 +148,20 @@ public class AwsSigningMiddleware(private val config: Config) : ModifyRequestMid
         }
 
         if (signingConfig.useAwsChunkedEncoding) {
-            req.subject.setAwsChunkedHeaders()
+            request.setAwsChunkedHeaders()
         }
 
-        val signingResult = checkNotNull(config.signer).sign(req.subject.build(), signingConfig)
+        val signingResult = checkNotNull(config.signer).sign(request.build(), signingConfig)
         val signedRequest = signingResult.output
 
         // Add the signature to the request context
-        req.context[AwsSigningAttributes.RequestSignature] = signingResult.signature
+        context[AwsSigningAttributes.RequestSignature] = signingResult.signature
 
-        req.subject.update(signedRequest)
+        request.update(signedRequest)
 
         if (signingConfig.useAwsChunkedEncoding) {
-            req.subject.setAwsChunkedBody(checkNotNull(config.signer), signingConfig, signingResult.signature)
+            request.setAwsChunkedBody(checkNotNull(config.signer), signingConfig, signingResult.signature)
         }
-        return req
     }
 }
 

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/internal/AwsChunkedUtil.kt

@@ -5,10 +5,10 @@
 
 package aws.smithy.kotlin.runtime.auth.awssigning.internal
 
+import aws.smithy.kotlin.runtime.auth.awssigning.AwsHttpSigner
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigner
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigningConfig
 import aws.smithy.kotlin.runtime.auth.awssigning.HashSpecification
-import aws.smithy.kotlin.runtime.auth.awssigning.middleware.AwsSigningMiddleware
 import aws.smithy.kotlin.runtime.http.Headers
 import aws.smithy.kotlin.runtime.http.HttpBody
 import aws.smithy.kotlin.runtime.http.request.HttpRequestBuilder
@@ -40,7 +40,7 @@ internal fun SdkBuffer.writeTrailers(
  */
 internal val HttpBody.isEligibleForAwsChunkedStreaming: Boolean
     get() = (this is HttpBody.SourceContent || this is HttpBody.ChannelContent) && contentLength != null &&
-        (isOneShot || contentLength!! > AwsSigningMiddleware.AWS_CHUNKED_THRESHOLD)
+        (isOneShot || contentLength!! > AwsHttpSigner.AWS_CHUNKED_THRESHOLD)
 
 /**
  * @return a boolean representing if the signing configuration is configured (via [HashSpecification]) for aws-chunked content encoding

runtime/auth/aws-signing-crt/common/src/aws/smithy/kotlin/runtime/auth/awssigning/crt/CrtAwsSigner.kt

@@ -24,7 +24,9 @@ import aws.sdk.kotlin.crt.http.Headers as CrtHeaders
 
 public object CrtAwsSigner : AwsSigner {
     override suspend fun sign(request: HttpRequest, config: AwsSigningConfig): AwsSigningResult<HttpRequest> {
-        val crtRequest = request.toSignableCrtRequest()
+        val isUnsigned = config.hashSpecification is HashSpecification.UnsignedPayload
+        val isAwsChunked = request.headers.contains("Content-Encoding", "aws-chunked")
+        val crtRequest = request.toSignableCrtRequest(isUnsigned, isAwsChunked)
         val crtConfig = config.toCrtSigningConfig()
 
         val crtResult = CrtSigner.sign(crtRequest, crtConfig)

runtime/auth/aws-signing-tests/common/src/aws/smithy/kotlin/runtime/auth/awssigning/tests/BasicSigningTestBase.kt

@@ -21,6 +21,7 @@ import kotlinx.coroutines.test.TestResult
 import kotlinx.coroutines.test.runTest
 import kotlin.test.Test
 import kotlin.test.assertEquals
+import kotlin.test.assertFalse
 import kotlin.test.assertTrue
 
 // based on: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html#example-signature-calculations-streaming
@@ -47,6 +48,14 @@ private const val EXPECTED_FINAL_CHUNK_SIGNATURE = "b6c6ea8a5354eaf15b3cb7646744
 @Suppress("HttpUrlsUsage")
 @OptIn(ExperimentalCoroutinesApi::class)
 public abstract class BasicSigningTestBase : HasSigner {
+    private val defaultSigningConfig = AwsSigningConfig {
+        region = "us-east-1"
+        service = "demo"
+        signatureType = AwsSignatureType.HTTP_REQUEST_VIA_HEADERS
+        signingDate = Instant.fromIso8601("2020-10-16T19:56:00Z")
+        credentialsProvider = testCredentialsProvider
+    }
+
     @Test
     public fun testSignRequestSigV4(): TestResult = runTest {
         // sanity test
@@ -62,15 +71,7 @@ public abstract class BasicSigningTestBase : HasSigner {
             headers.append("Content-Length", body.contentLength?.toString() ?: "0")
         }.build()
 
-        val config = AwsSigningConfig {
-            region = "us-east-1"
-            service = "demo"
-            signatureType = AwsSignatureType.HTTP_REQUEST_VIA_HEADERS
-            signingDate = Instant.fromIso8601("2020-10-16T19:56:00Z")
-            credentialsProvider = testCredentialsProvider
-        }
-
-        val result = signer.sign(request, config)
+        val result = signer.sign(request, defaultSigningConfig)
 
         val expectedDate = "20201016T195600Z"
         val expectedSig = "e60a4adad4ae15e05c96a0d8ac2482fbcbd66c88647c4457db74e4dad1648608"
@@ -98,14 +99,12 @@ public abstract class BasicSigningTestBase : HasSigner {
             headers.append("Content-Length", body.contentLength?.toString() ?: "0")
         }.build()
 
-        val config = AwsSigningConfig {
-            region = "us-east-1"
-            service = "service"
-            signatureType = AwsSignatureType.HTTP_REQUEST_VIA_HEADERS
-            algorithm = AwsSigningAlgorithm.SIGV4_ASYMMETRIC
-            signingDate = Instant.fromIso8601("2015-08-30T12:36:00Z")
-            credentialsProvider = testCredentialsProvider
-        }
+        val config = defaultSigningConfig.toBuilder()
+            .apply {
+                service = "service"
+                algorithm = AwsSigningAlgorithm.SIGV4_ASYMMETRIC
+                signingDate = Instant.fromIso8601("2015-08-30T12:36:00Z")
+            }.build()
 
         val result = signer.sign(request, config)
 
@@ -190,4 +189,42 @@ public abstract class BasicSigningTestBase : HasSigner {
         val finalChunkResult = signer.signChunk(ByteArray(0), prevSignature, chunkedSigningConfig)
         assertEquals(EXPECTED_FINAL_CHUNK_SIGNATURE, finalChunkResult.signature.decodeToString())
     }
+
+    @Test
+    public fun testSigningCopiesInput(): TestResult = runTest {
+        // sanity test the signer doesn't mutate the input and instead copies to a new request
+        val requestBuilder = HttpRequestBuilder().apply {
+            method = HttpMethod.POST
+            url.scheme = Protocol.HTTP
+            url.host = Host.Domain("test.amazonaws.com")
+            url.path = "/"
+            headers.append("Host", "test.amazonaws.com")
+            headers.appendAll("x-amz-archive-description", listOf("test", "test"))
+            body = ByteArrayContent("body".encodeToByteArray())
+            headers.append("Content-Length", body.contentLength?.toString() ?: "0")
+        }
+
+        val request = requestBuilder.build()
+
+        val result = signer.sign(request, defaultSigningConfig)
+
+        val originalHeaders = listOf("Content-Length", "Host", "x-amz-archive-description")
+        val updatedHeaders = listOf("X-Amz-Date", "X-Amz-Security-Token", "Authorization")
+
+        assertEquals(originalHeaders.size, requestBuilder.headers.names().size)
+        assertEquals(originalHeaders.size, request.headers.names().size)
+        assertEquals(originalHeaders.size + updatedHeaders.size, result.output.headers.names().size)
+
+        originalHeaders.forEach { name ->
+            assertTrue(requestBuilder.headers.contains(name), "${requestBuilder.headers} did not contain $name")
+            assertTrue(request.headers.contains(name), "${request.headers} did not contain $name")
+            assertTrue(result.output.headers.contains(name), "${result.output.headers} did not contain $name")
+        }
+
+        updatedHeaders.forEach { name ->
+            assertFalse(requestBuilder.headers.contains(name), "${requestBuilder.headers} contained $name")
+            assertFalse(request.headers.contains(name), "${request.headers} contained $name")
+            assertTrue(result.output.headers.contains(name), "${result.output.headers} did not contain $name")
+        }
+    }
 }