Add basic implementation of Sigv4 AuthScheme + wire up codegen

alextwoods · alextwoods · commit c5c137b9f8c7 · 2025-03-05T13:45:28.000-08:00
diff --git a/codegen/aws/core/src/main/java/software/amazon/smithy/python/aws/codegen/AwsAuthIntegration.java b/codegen/aws/core/src/main/java/software/amazon/smithy/python/aws/codegen/AwsAuthIntegration.java
@@ -4,11 +4,159 @@
  */
 package software.amazon.smithy.python.aws.codegen;
 
+import java.util.Collections;
+import java.util.List;
+import software.amazon.smithy.aws.traits.auth.SigV4Trait;
+import software.amazon.smithy.codegen.core.Symbol;
+import software.amazon.smithy.model.shapes.ShapeId;
+import software.amazon.smithy.model.traits.HttpApiKeyAuthTrait;
+import software.amazon.smithy.python.codegen.ApplicationProtocol;
+import software.amazon.smithy.python.codegen.CodegenUtils;
+import software.amazon.smithy.python.codegen.ConfigProperty;
+import software.amazon.smithy.python.codegen.DerivedProperty;
+import software.amazon.smithy.python.codegen.GenerationContext;
+import software.amazon.smithy.python.codegen.SmithyPythonDependency;
+import software.amazon.smithy.python.codegen.integrations.AuthScheme;
 import software.amazon.smithy.python.codegen.integrations.PythonIntegration;
+import software.amazon.smithy.python.codegen.integrations.RuntimeClientPlugin;
 import software.amazon.smithy.utils.SmithyInternalApi;
 
 /**
  * Adds support for AWS auth traits.
  */
 @SmithyInternalApi
-public class AwsAuthIntegration implements PythonIntegration {}
+public class AwsAuthIntegration implements PythonIntegration {
+    private static final String SIGV4_OPTION_GENERATOR_NAME = "_generate_sigv4_option";
+
+    @Override
+    public List<RuntimeClientPlugin> getClientPlugins(GenerationContext context) {
+        var regionConfig = ConfigProperty.builder()
+                .name("region")
+                .type(Symbol.builder().name("str").build())
+                .documentation(" The AWS region to connect to. The configured region is used to "
+                        + "determine the service endpoint.")
+                .build();
+
+        return List.of(
+                RuntimeClientPlugin.builder()
+                        .servicePredicate((model, service) -> service.hasTrait(SigV4Trait.class))
+                        .addConfigProperty(ConfigProperty.builder()
+                                // TODO: Naming of this config RE: backwards compatability/migation considerations
+                                .name("aws_credentials_identity_resolver")
+                                .documentation("Resolves AWS Credentials. Required for operations that use Sigv4 Auth.")
+                                .type(Symbol.builder()
+                                        .name("IdentityResolver[AWSCredentialIdentity, IdentityProperties]")
+                                        .addReference(Symbol.builder()
+                                                .addDependency(SmithyPythonDependency.SMITHY_CORE)
+                                                .name("IdentityResolver")
+                                                .namespace("smithy_core.aio.interfaces.identity", ".")
+                                                .build())
+                                        .addReference(Symbol.builder()
+                                                .addDependency(AwsPythonDependency.SMITHY_AWS_CORE)
+                                                .name("AWSCredentialIdentity")
+                                                .namespace("smithy_aws_core.identity", ".")
+                                                .build())
+                                        .addReference(Symbol.builder()
+                                                .addDependency(SmithyPythonDependency.SMITHY_CORE)
+                                                .name("IdentityProperties")
+                                                .namespace("smithy_core.interfaces.identity", ".")
+                                                .build())
+                                        .build())
+                                // TODO: Initialize with the provider chain?
+                                .nullable(true)
+                                .build())
+                        .addConfigProperty(regionConfig)
+                        .authScheme(new Sigv4AuthScheme())
+                        .build()
+        );
+    }
+
+    @Override
+    public void customize(GenerationContext context) {
+        if (!hasSigV4Auth(context)) {
+            return;
+        }
+        var trait = context.settings().service(context.model()).expectTrait(SigV4Trait.class);
+        var params = CodegenUtils.getHttpAuthParamsSymbol(context.settings());
+        var resolver = CodegenUtils.getHttpAuthSchemeResolverSymbol(context.settings());
+
+        // Add a function that generates the http auth option for api key auth.
+        // This needs to be generated because there's modeled parameters that
+        // must be accounted for.
+        context.writerDelegator().useFileWriter(resolver.getDefinitionFile(), resolver.getNamespace(), writer -> {
+            writer.addDependency(SmithyPythonDependency.SMITHY_HTTP);
+            writer.addImport("smithy_http.aio.interfaces.auth", "HTTPAuthOption");
+            writer.pushState();
+
+            writer.write("""
+                    def $1L(auth_params: $2T) -> HTTPAuthOption | None:
+                        return HTTPAuthOption(
+                            scheme_id=$3S,
+                            identity_properties={},
+                            signer_properties={
+                                "service": $4S,
+                                "region": auth_params.region
+                            }
+                        )
+                    """,
+                    SIGV4_OPTION_GENERATOR_NAME,
+                    params,
+                    SigV4Trait.ID.toString(),
+                    trait.getName());
+            writer.popState();
+        });
+    }
+
+    private boolean hasSigV4Auth(GenerationContext context) {
+        var service = context.settings().service(context.model());
+        return service.hasTrait(SigV4Trait.class);
+    }
+
+    /**
+     * The AuthScheme representing api key auth.
+     */
+    private static final class Sigv4AuthScheme implements AuthScheme {
+
+        @Override
+        public ShapeId getAuthTrait() {
+            return SigV4Trait.ID;
+        }
+
+        @Override
+        public ApplicationProtocol getApplicationProtocol() {
+            return ApplicationProtocol.createDefaultHttpApplicationProtocol();
+        }
+
+        @Override
+        public List<DerivedProperty> getAuthProperties() {
+            return List.of(
+                    DerivedProperty.builder()
+                            .name("region")
+                            .source(DerivedProperty.Source.CONFIG)
+                            .type(Symbol.builder().name("str").build())
+                            .sourcePropertyName("region")
+                            .build()
+            );
+        }
+
+
+        @Override
+        public Symbol getAuthOptionGenerator(GenerationContext context) {
+            var resolver = CodegenUtils.getHttpAuthSchemeResolverSymbol(context.settings());
+            return Symbol.builder()
+                    .name(SIGV4_OPTION_GENERATOR_NAME)
+                    .namespace(resolver.getNamespace(), ".")
+                    .definitionFile(resolver.getDefinitionFile())
+                    .build();
+        }
+
+        @Override
+        public Symbol getAuthSchemeSymbol(GenerationContext context) {
+            return Symbol.builder()
+                    .name("SigV4AuthScheme")
+                    .namespace("smithy_aws_core.auth.sigv4", ".")
+                    .addDependency(AwsPythonDependency.SMITHY_AWS_CORE)
+                    .build();
+        }
+    }
+}
diff --git a/packages/smithy-aws-core/pyproject.toml b/packages/smithy-aws-core/pyproject.toml
@@ -6,6 +6,8 @@ readme = "README.md"
 requires-python = ">=3.12"
 dependencies = [
     "smithy-core",
+    "smithy-http",
+    "aws-sdk-signers"
 ]
 
 [build-system]
diff --git a/packages/smithy-aws-core/src/smithy_aws_core/auth/__init__.py b/packages/smithy-aws-core/src/smithy_aws_core/auth/__init__.py
@@ -0,0 +1,2 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
diff --git a/packages/smithy-aws-core/src/smithy_aws_core/auth/sigv4.py b/packages/smithy-aws-core/src/smithy_aws_core/auth/sigv4.py
@@ -0,0 +1,53 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+from dataclasses import dataclass
+from typing import Protocol
+
+from smithy_aws_core.identity import AWSCredentialIdentity
+from smithy_core.aio.interfaces.identity import IdentityResolver
+from smithy_core.exceptions import SmithyIdentityException
+from smithy_core.interfaces.identity import IdentityProperties
+from smithy_http.aio.interfaces.auth import HTTPAuthScheme, HTTPSigner
+from aws_sdk_signers import SigV4SigningProperties, SigV4Signer
+
+
+class SigV4Config(Protocol):
+    aws_credentials_identity_resolver: (
+        IdentityResolver[AWSCredentialIdentity, IdentityProperties] | None
+    )
+
+
+@dataclass(init=False)
+class SigV4AuthScheme(
+    HTTPAuthScheme[
+        AWSCredentialIdentity, SigV4Config, IdentityProperties, SigV4SigningProperties
+    ]
+):
+    """SigV4 AuthScheme."""
+
+    scheme_id: str
+    signer: HTTPSigner[AWSCredentialIdentity, SigV4SigningProperties]
+
+    def __init__(
+        self,
+        *,
+        signer: HTTPSigner[AWSCredentialIdentity, SigV4SigningProperties] | None = None,
+    ) -> None:
+        """Constructor.
+
+        :param identity_resolver: The identity resolver to extract the api key identity.
+        :param signer: The signer used to sign the request.
+        """
+        self.scheme_id = "aws.auth#sigv4"
+        # TODO: There are type mismatches in the signature of the "sign" method.
+        self.signer = signer or SigV4Signer()  # type: ignore
+
+    def identity_resolver(
+        self, *, config: SigV4Config
+    ) -> IdentityResolver[AWSCredentialIdentity, IdentityProperties]:
+        if not config.aws_credentials_identity_resolver:
+            raise SmithyIdentityException(
+                "Attempted to use SigV4 auth, but aws_credentials_identity_resolver was not "
+                "set on the config."
+            )
+        return config.aws_credentials_identity_resolver
diff --git a/packages/smithy-http/src/smithy_http/aio/auth/apikey.py b/packages/smithy-http/src/smithy_http/aio/auth/apikey.py
@@ -74,7 +74,7 @@ def identity_resolver(
     ) -> IdentityResolver[ApiKeyIdentity, IdentityProperties]:
         if not config.api_key_identity_resolver:
             raise SmithyIdentityException(
-                "Attempted to use API key auth, but api_key_identity_resolver was not"
+                "Attempted to use API key auth, but api_key_identity_resolver was not "
                 "set on the config."
             )
         return config.api_key_identity_resolver
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,8 @@ readme = "README.md"`
`6`	`6`	`requires-python = ">=3.12"`
`7`	`7`	`dependencies = [`
`8`	`8`	`"smithy-core",`
	`9`	`+ "smithy-http",`
	`10`	`+ "aws-sdk-signers"`
`9`	`11`	`]`
`10`	`12`
`11`	`13`	`[build-system]`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.`
	`2`	`+# SPDX-License-Identifier: Apache-2.0`
Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ def identity_resolver(`
`74`	`74`	`) -> IdentityResolver[ApiKeyIdentity, IdentityProperties]:`
`75`	`75`	`if not config.api_key_identity_resolver:`
`76`	`76`	`raise SmithyIdentityException(`
`77`		`- "Attempted to use API key auth, but api_key_identity_resolver was not"`
	`77`	`+ "Attempted to use API key auth, but api_key_identity_resolver was not "`
`78`	`78`	`"set on the config."`
`79`	`79`	`)`
`80`	`80`	`return config.api_key_identity_resolver`