feat: STS web identity creds resolver (#933)

* Add visibility setting to SwiftSettings.

* ktlint & build errors.

* Limit visibility of generated types that aren't nested within service client.

* Add access level logic to make model-based auth scheme resolver internal even when service isn't rules-based, if service client visibility is internal.

* ktlint

* Codegen changes for constructing & saving IdentityResolvingSTSClient into auth options returned by auth scheme resolver.

* Add back logic for directly nesting auth option constructino in auth option append function if it's noAuth.

* ktlint

* Update codegen test.

* Add forProtocolTests flag to SwiftSettings, to skip auth option customization w/ internal service clients for protocol test codegen.

* Add new setting to SwiftSettings codegen test.

---------

Co-authored-by: Sichan Yoo <[email protected]>

Author: sichanyoo

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/AuthSchemeResolverGenerator.kt

@@ -10,6 +10,7 @@ import software.amazon.smithy.model.shapes.ShapeId
 import software.amazon.smithy.model.traits.AuthTrait
 import software.amazon.smithy.model.traits.OptionalAuthTrait
 import software.amazon.smithy.model.traits.Trait
+import software.amazon.smithy.model.traits.synthetic.NoAuthTrait
 import software.amazon.smithy.rulesengine.language.EndpointRuleSet
 import software.amazon.smithy.rulesengine.language.syntax.parameters.Parameter
 import software.amazon.smithy.rulesengine.language.syntax.parameters.ParameterType
@@ -26,7 +27,9 @@ import software.amazon.smithy.swift.codegen.utils.clientName
 import software.amazon.smithy.swift.codegen.utils.toLowerCamelCase
 import java.util.Locale
 
-class AuthSchemeResolverGenerator {
+class AuthSchemeResolverGenerator(
+    private val optionCustomization: ((String, SwiftWriter) -> SwiftWriter)? = null,
+) {
     fun render(ctx: ProtocolGenerator.GenerationContext) {
         val serviceIndex = ServiceIndex(ctx.model)
 
@@ -47,7 +50,7 @@ class AuthSchemeResolverGenerator {
     ) {
         writer.apply {
             openBlock(
-                "public struct ${getSdkId(ctx)}${SmithyHTTPAuthAPITypes.AuthSchemeResolverParams.name}: \$N {",
+                "${ctx.settings.visibility} struct ${getSdkId(ctx)}${SmithyHTTPAuthAPITypes.AuthSchemeResolverParams.name}: \$N {",
                 "}",
                 SmithyHTTPAuthAPITypes.AuthSchemeResolverParams,
             ) {
@@ -96,7 +99,7 @@ class AuthSchemeResolverGenerator {
     ) {
         writer.apply {
             openBlock(
-                "public protocol ${getServiceSpecificAuthSchemeResolverName(ctx)}: \$N {",
+                "${ctx.settings.visibility} protocol ${getServiceSpecificAuthSchemeResolverName(ctx)}: \$N {",
                 "}",
                 SmithyHTTPAuthAPITypes.AuthSchemeResolver,
             ) {
@@ -127,13 +130,19 @@ class AuthSchemeResolverGenerator {
 
         // Model-based auth scheme resolver should be private internal impl detail if service uses rules-based resolver.
         val accessModifier = if (usesRulesBasedResolver) "private" else "public"
+        val resolvedAccessModifier =
+            if (accessModifier == "public" && ctx.settings.visibility == "internal") {
+                ctx.settings.visibility
+            } else {
+                accessModifier
+            }
         val serviceSpecificAuthResolverProtocol = sdkId + AUTH_SCHEME_RESOLVER
 
         writer.apply {
             writer.openBlock(
                 "\$L struct \$L: \$L {",
                 "}",
-                accessModifier,
+                resolvedAccessModifier,
                 defaultResolverName,
                 serviceSpecificAuthResolverProtocol,
             ) {
@@ -240,35 +249,50 @@ class AuthSchemeResolverGenerator {
         writer.apply {
             indent()
             schemes.forEach {
-                if (it.key == SigV4Trait.ID) {
-                    renderSigV4AuthOption(it, writer)
-                } else {
+                if (it.key == NoAuthTrait.ID) {
                     write(
                         "validAuthOptions.append(\$N(schemeID: \$S))",
                         SmithyHTTPAuthAPITypes.AuthOption,
                         it.key,
                     )
+                } else {
+                    renderAuthOption(it, writer)
                 }
             }
             dedent()
         }
     }
 
-    private fun renderSigV4AuthOption(
+    private fun renderAuthOption(
+        scheme: Map.Entry<ShapeId, Trait>,
+        writer: SwiftWriter,
+    ) {
+        writer.apply {
+            val authOptionName = "${scheme.key.name}Option"
+            write("var $authOptionName = \$N(schemeID: \$S)", SmithyHTTPAuthAPITypes.AuthOption, scheme.key)
+            if (scheme.key == SigV4Trait.ID) renderSigV4AuthOptionCustomization(authOptionName, scheme, writer)
+            optionCustomization?.invoke(authOptionName, writer)
+            write("validAuthOptions.append($authOptionName)")
+        }
+    }
+
+    private fun renderSigV4AuthOptionCustomization(
+        authOptionName: String,
         scheme: Map.Entry<ShapeId, Trait>,
         writer: SwiftWriter,
     ) {
         writer.apply {
-            write("var sigV4Option = \$N(schemeID: \$S)", SmithyHTTPAuthAPITypes.AuthOption, scheme.key)
             write(
-                "sigV4Option.signingProperties.set(key: \$N.signingName, value: \"${(scheme.value as SigV4Trait).name}\")",
+                "$authOptionName.signingProperties.set(key: \$N.signingName, value: \"${(scheme.value as SigV4Trait).name}\")",
                 SmithyHTTPAuthAPITypes.SigningPropertyKeys,
             )
             openBlock("guard let region = serviceParams.region else {", "}") {
                 write("throw \$N.authError(\"Missing region in auth scheme parameters for SigV4 auth scheme.\")", SmithyTypes.ClientError)
             }
-            write("sigV4Option.signingProperties.set(key: \$N.signingRegion, value: region)", SmithyHTTPAuthAPITypes.SigningPropertyKeys)
-            write("validAuthOptions.append(sigV4Option)")
+            write(
+                "$authOptionName.signingProperties.set(key: \$N.signingRegion, value: region)",
+                SmithyHTTPAuthAPITypes.SigningPropertyKeys,
+            )
         }
     }
 

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/EnumGenerator.kt

@@ -142,7 +142,7 @@ class EnumGenerator(
         writer.writeShapeDocs(shape)
         writer.writeAvailableAttribute(null, shape)
         writer.openBlock(
-            "public enum \$enum.name:L: \$N, \$N, \$N, \$N, \$N {",
+            "${settings.visibility} enum \$enum.name:L: \$N, \$N, \$N, \$N, \$N {",
             "}",
             SwiftTypes.Protocols.Sendable,
             SwiftTypes.Protocols.Equatable,

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/IntEnumGenerator.kt

@@ -42,7 +42,7 @@ class IntEnumGenerator(
         writer.writeShapeDocs(shape)
         writer.writeAvailableAttribute(null, shape)
         writer.openBlock(
-            "public enum \$enum.name:L: \$N, \$N, \$N, \$N, \$N {",
+            "${settings.visibility} enum \$enum.name:L: \$N, \$N, \$N, \$N, \$N {",
             "}",
             SwiftTypes.Protocols.Sendable,
             SwiftTypes.Protocols.Equatable,

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/ServiceNamespaceIntegration.kt

@@ -22,7 +22,7 @@ class ServiceNamespaceIntegration : SwiftIntegration {
         val namespaceName = service.nestedNamespaceType(ctx.symbolProvider).name
         val filename = ModelFileUtils.filename(ctx.settings, namespaceName)
         delegator.useFileWriter(filename) { writer ->
-            writer.write("public enum \$L {}", namespaceName)
+            writer.write("${ctx.settings.visibility} enum \$L {}", namespaceName)
         }
     }
 }

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/StructureGenerator.kt

@@ -118,7 +118,7 @@ class StructureGenerator(
         val equatableConformance =
             writer.format(", \$N", SwiftTypes.Protocols.Equatable).takeIf { shape.hasTrait<EquatableConformanceTrait>() } ?: ""
         writer
-            .openBlock("public struct \$struct.name:L: \$N$equatableConformance {", SwiftTypes.Protocols.Sendable)
+            .openBlock("${settings.visibility} struct \$struct.name:L: \$N$equatableConformance {", SwiftTypes.Protocols.Sendable)
             .call { generateStructMembers() }
             .write("")
             .call { generateInitializerForStructure(false) }
@@ -220,7 +220,7 @@ class StructureGenerator(
         writer.writeAvailableAttribute(model, shape)
         writer
             .openBlock(
-                "public struct \$struct.name:L: \$N, \$error.protocol:N, \$N, \$N, \$N {",
+                "${settings.visibility} struct \$struct.name:L: \$N, \$error.protocol:N, \$N, \$N, \$N {",
                 ClientRuntimeTypes.Core.ModeledError,
                 ClientRuntimeTypes.Http.HttpError,
                 SwiftTypes.Error,
@@ -239,7 +239,7 @@ class StructureGenerator(
     private fun generateErrorStructMembers() {
         if (membersSortedByName.isNotEmpty()) {
             writer.write("")
-            writer.openBlock("public struct Properties: \$N {", "}", SwiftTypes.Protocols.Sendable) {
+            writer.openBlock("${settings.visibility} struct Properties: \$N {", "}", SwiftTypes.Protocols.Sendable) {
                 membersSortedByName.forEach {
                     val (memberName, memberSymbol) = memberShapeDataContainer.getOrElse(it) { return@forEach }
                     writer.writeMemberDocs(model, it)

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/SwiftSettings.kt

@@ -36,6 +36,8 @@ private const val GIT_REPO = "gitRepo"
 private const val SWIFT_VERSION = "swiftVersion"
 private const val MERGE_MODELS = "mergeModels"
 private const val COPYRIGHT_NOTICE = "copyrightNotice"
+private const val VISIBILITY = "visibility"
+private const val FOR_PROTOCOL_TESTS = "forProtocolTests"
 
 // Prioritized list of protocols supported for code generation
 private val DEFAULT_PROTOCOL_RESOLUTION_PRIORITY =
@@ -61,6 +63,8 @@ class SwiftSettings(
     val swiftVersion: String,
     val mergeModels: Boolean,
     val copyrightNotice: String,
+    val visibility: String,
+    val forProtocolTests: Boolean,
 ) {
     companion object {
         private val LOGGER: Logger = Logger.getLogger(SwiftSettings::class.java.name)
@@ -90,6 +94,8 @@ class SwiftSettings(
                     SWIFT_VERSION,
                     MERGE_MODELS,
                     COPYRIGHT_NOTICE,
+                    VISIBILITY,
+                    FOR_PROTOCOL_TESTS,
                 ),
             )
 
@@ -113,6 +119,8 @@ class SwiftSettings(
                     COPYRIGHT_NOTICE,
                     "// Code generated by smithy-swift-codegen. DO NOT EDIT!\n\n",
                 )
+            val visibility = config.getStringMemberOrDefault(VISIBILITY, "public")
+            val forProtocolTests = config.getBooleanMemberOrDefault(FOR_PROTOCOL_TESTS, false)
 
             return SwiftSettings(
                 serviceId,
@@ -126,6 +134,8 @@ class SwiftSettings(
                 swiftVersion,
                 mergeModels,
                 copyrightNotice,
+                visibility,
+                forProtocolTests,
             )
         }
 

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/endpoints/EndpointParamsGenerator.kt

@@ -41,7 +41,7 @@ class EndpointParamsGenerator(
         writer: SwiftWriter,
         endpointRuleSet: EndpointRuleSet?,
     ) {
-        writer.openBlock("public struct EndpointParams: Sendable {", "}") {
+        writer.openBlock("${ctx.settings.visibility} struct EndpointParams: Sendable {", "}") {
             endpointRuleSet?.parameters?.toList()?.sortedBy { it.name.toString() }?.let { sortedParameters ->
                 renderMembers(writer, sortedParameters)
                 writer.write("")

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/endpoints/EndpointResolverGenerator.kt

@@ -26,16 +26,19 @@ class EndpointResolverGenerator(
         val ruleSet = if (ruleSetNode != null) EndpointRuleSet.fromNode(ruleSetNode) else null
 
         ctx.delegator.useFileWriter("Sources/${ctx.settings.moduleName}/Endpoints.swift") {
-            renderResolverProtocol(it)
+            renderResolverProtocol(it, ctx.settings.visibility)
             it.write("")
             renderResolver(it, ruleSet)
             renderStaticResolver(it)
             it.write("")
         }
     }
 
-    private fun renderResolverProtocol(writer: SwiftWriter) {
-        writer.openBlock("public protocol \$N {", "}", EndpointTypes.EndpointResolver) {
+    private fun renderResolverProtocol(
+        writer: SwiftWriter,
+        visibility: String,
+    ) {
+        writer.openBlock("$visibility protocol \$N {", "}", EndpointTypes.EndpointResolver) {
             writer.write("func resolve(params: EndpointParams) throws -> \$N", SmithyHTTPAPITypes.Endpoint)
         }
     }

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/integration/HttpProtocolServiceClient.kt

@@ -24,7 +24,7 @@ open class HttpProtocolServiceClient(
 
     fun render(serviceSymbol: Symbol) {
         writer.openBlock(
-            "public class \$L: \$N {",
+            "${ctx.settings.visibility} class \$L: \$N {",
             "}",
             serviceSymbol.name,
             ClientRuntimeTypes.Core.Client,

smithy-swift-codegen/src/test/kotlin/software/amazon/smithy/swift/codegen/codegencomponents/SwiftSettingsTest.kt

@@ -191,6 +191,8 @@ class SwiftSettingsTest {
             swiftVersion = "5.7",
             mergeModels = false,
             copyrightNotice = "// Test copyright",
+            visibility = "public",
+            forProtocolTests = false,
         )
 
     private fun createServiceWithProtocols(protocols: Set<ShapeId>): ServiceShape {