feat: Bearer token auth (#786)

* Create bearer token signer, auth scheme, token identity, & identity resolver.

* Add the new types (that got added to runtime) to codegen.

* Add bearerTokenIdentityResolver field to client config, codegen it in client inits, codegen it in middleware context build process, and default it to StaticBearerTokenIdentityResolver in smithy-swift.

* Add AuthUtils, extensible in AWS SDK via function override that adds more auth schemes to generated list.

* BearerTokenSigner added to SmithyHTTPAuth module needs SdkHttpRequestBuilder from SmithyHTTPAPI module.

* ktlint & swiftlint.

* Add public initializer for BearerTokenIdentity.

* Fix constructor for default value of bearerTokenIdentityResolver config property.

* Fix auth scheme list codegen

* Override on AWS side must not override the type indicated at declaration.

* Fix typo

* Add doc comments for new customer facing interface. Ktlint.

* Add test for BearerTokenSigner

* swiftlint

* Fix broken codegen tests.

* Remove unnecessary special handling for bearerTokenIdentityResolver in codegen.

* ktlint

* Update with Josh's HTTP type name changes.

* Resolve PR comments

---------

Co-authored-by: Sichan Yoo <[email protected]>

Author: sichanyoo

Package.swift

@@ -162,6 +162,7 @@ let package = Package(
             name: "SmithyHTTPAuth",
             dependencies: [
                 "Smithy",
+                "SmithyHTTPAPI",
                 "SmithyHTTPAuthAPI",
                 "SmithyIdentity",
                 "SmithyIdentityAPI",
@@ -235,6 +236,10 @@ let package = Package(
             name: "SmithyXMLTests",
             dependencies: ["SmithyXML", "ClientRuntime"]
         ),
+        .testTarget(
+            name: "SmithyHTTPAuthTests",
+            dependencies: ["SmithyHTTPAuth", "SmithyHTTPAPI", "Smithy", "SmithyIdentity", "ClientRuntime"]
+        ),
         .testTarget(
             name: "SmithyJSONTests",
             dependencies: ["SmithyJSON", "ClientRuntime"]

Sources/ClientRuntime/Config/DefaultHttpClientConfiguration.swift

@@ -8,6 +8,7 @@
 import protocol SmithyHTTPAPI.HTTPClient
 import protocol SmithyHTTPAuthAPI.AuthScheme
 import protocol SmithyHTTPAuthAPI.AuthSchemeResolver
+import protocol SmithyIdentity.BearerTokenIdentityResolver
 
 public protocol DefaultHttpClientConfiguration: ClientConfiguration {
 
@@ -30,6 +31,11 @@ public protocol DefaultHttpClientConfiguration: ClientConfiguration {
     /// Defaults to a auth scheme resolver generated based on Smithy service model.
     var authSchemeResolver: AuthSchemeResolver { get set }
 
+    /// The token identity resolver to be used for bearer token authentication.
+    ///
+    /// If no resolver is supplied, the SDK will look for token in the `~/.aws/sso/cache` directory.
+    var bearerTokenIdentityResolver: any BearerTokenIdentityResolver { get set }
+
     /// Add an `HttpInterceptorProvider` that will be used to provide interceptors for all HTTP operations.
     ///
     /// - Parameter provider: The `HttpInterceptorProvider` to add.

Sources/SmithyHTTPAuth/AuthSchemes/BearerTokenAuthScheme.swift

@@ -0,0 +1,26 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import class Smithy.Context
+import protocol SmithyHTTPAuthAPI.AuthScheme
+import protocol SmithyHTTPAuthAPI.Signer
+import struct Smithy.Attributes
+
+public struct BearerTokenAuthScheme: AuthScheme {
+    public let schemeID: String = "smithy.api#httpBearerAuth"
+    public var signer: Signer = BearerTokenSigner()
+
+    public init() {}
+
+    public func customizeSigningProperties(
+        signingProperties: Smithy.Attributes,
+        context: Smithy.Context
+    ) throws -> Smithy.Attributes {
+        // no-op
+        return signingProperties
+    }
+}

Sources/SmithyHTTPAuth/Signers/BearerTokenSigner.swift

@@ -0,0 +1,32 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import class SmithyHTTPAPI.HTTPRequestBuilder
+import enum Smithy.ClientError
+import protocol SmithyIdentityAPI.Identity
+import protocol SmithyHTTPAuthAPI.Signer
+import struct Smithy.Attributes
+import struct SmithyIdentity.BearerTokenIdentity
+
+/// The signer for HTTP bearer auth.
+/// Adds the Authorization header to the request using the resolved bearer token identity as its value.
+public class BearerTokenSigner: Signer {
+    public init() {}
+
+    public func signRequest<IdentityT>(
+        requestBuilder: SmithyHTTPAPI.HTTPRequestBuilder,
+        identity: IdentityT,
+        signingProperties: Smithy.Attributes
+    ) async throws -> SmithyHTTPAPI.HTTPRequestBuilder where IdentityT: SmithyIdentityAPI.Identity {
+        guard let identity = identity as? BearerTokenIdentity else {
+            throw Smithy.ClientError.authError(
+                "Identity passed to the BearerTokenSigner must be of type BearerTokenIdentity."
+            )
+        }
+        return requestBuilder.withHeader(name: "Authorization", value: "Bearer \(identity.token)")
+    }
+}

Sources/SmithyIdentity/BearerTokenIdentity.swift

@@ -0,0 +1,20 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import protocol SmithyIdentityAPI.Identity
+import struct Foundation.Date
+
+/// The type representing bearer token identity, used in HTTP bearer auth.
+public struct BearerTokenIdentity: Identity {
+    public let token: String
+    public let expiration: Date?
+
+    public init(token: String, expiration: Date? = nil) {
+        self.token = token
+        self.expiration = expiration
+    }
+}

Sources/SmithyIdentity/BearerTokenIdentityResolvers/BearerTokenIdentityResolver.swift

@@ -0,0 +1,12 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import protocol SmithyIdentityAPI.IdentityResolver
+
+/// The type that resolves a bearer token identity for authenticating with a service.
+/// All concrete implementations for bearer token identity resolver must conform to this protocol.
+public protocol BearerTokenIdentityResolver: IdentityResolver where IdentityT == BearerTokenIdentity {}

Sources/SmithyIdentity/BearerTokenIdentityResolvers/StaticBearerTokenIdentityResolver.swift

@@ -0,0 +1,21 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import struct Smithy.Attributes
+
+/// The token identity resolver that returns a static token identity given to it at initialization.
+public struct StaticBearerTokenIdentityResolver: BearerTokenIdentityResolver {
+    private let token: BearerTokenIdentity
+
+    public init(token: BearerTokenIdentity) {
+        self.token = token
+    }
+
+    public func getIdentity(identityProperties: Smithy.Attributes?) async throws -> BearerTokenIdentity {
+        return token
+    }
+}

Tests/SmithyHTTPAuthTests/BearerTokenSignerTests.swift

@@ -0,0 +1,23 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import class SmithyHTTPAuth.BearerTokenSigner
+import class SmithyHTTPAPI.HTTPRequestBuilder
+import struct Smithy.Attributes
+import struct SmithyIdentity.BearerTokenIdentity
+import XCTest
+
+class BearerTokenSignerTests: XCTestCase {
+    func testSignRequest() async throws {
+        let tokenIdentity = BearerTokenIdentity(token: "dummy-token-for-test")
+        let unsignedRequest = HTTPRequestBuilder()
+        let signer = BearerTokenSigner()
+        let signedRequest = try await signer.signRequest(requestBuilder: unsignedRequest, identity: tokenIdentity, signingProperties: Attributes())
+        XCTAssert(signedRequest.headers.exists(name: "Authorization"))
+        XCTAssertEqual(signedRequest.headers.value(for: "Authorization"), "Bearer \(tokenIdentity.token)")
+    }
+}

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/SwiftDependency.kt

@@ -130,6 +130,15 @@ class SwiftDependency(
             "smithy-swift",
             DistributionMethod.SPR,
         )
+        val SMITHY_HTTP_AUTH = SwiftDependency(
+            "SmithyHTTPAuth",
+            "main",
+            "0.0.1",
+            "aws-sdk-swift",
+            "../../../smithy-swift",
+            "smithy-swift",
+            DistributionMethod.SPR,
+        )
         val SMITHY_CHECKSUMS_API = SwiftDependency(
             "SmithyChecksumsAPI",
             "main",

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/config/DefaultHttpClientConfiguration.kt

@@ -10,10 +10,13 @@ import software.amazon.smithy.swift.codegen.integration.ProtocolGenerator
 import software.amazon.smithy.swift.codegen.lang.AccessModifier
 import software.amazon.smithy.swift.codegen.lang.Function
 import software.amazon.smithy.swift.codegen.lang.FunctionParameter
+import software.amazon.smithy.swift.codegen.model.toGeneric
 import software.amazon.smithy.swift.codegen.model.toOptional
 import software.amazon.smithy.swift.codegen.swiftmodules.ClientRuntimeTypes
 import software.amazon.smithy.swift.codegen.swiftmodules.SmithyHTTPAPITypes
 import software.amazon.smithy.swift.codegen.swiftmodules.SmithyHTTPAuthAPITypes
+import software.amazon.smithy.swift.codegen.swiftmodules.SmithyIdentityTypes
+import software.amazon.smithy.swift.codegen.utils.AuthUtils
 
 class DefaultHttpClientConfiguration : ClientConfiguration {
     override val swiftProtocolName: Symbol = ClientRuntimeTypes.Core.DefaultHttpClientConfiguration
@@ -33,7 +36,7 @@ class DefaultHttpClientConfiguration : ClientConfiguration {
             ClientRuntimeTypes.Http.HttpClientConfiguration,
             { it.format("\$N.defaultHttpClientConfiguration", ClientRuntimeTypes.Core.ClientConfigurationDefaults) },
         ),
-        ConfigProperty("authSchemes", SmithyHTTPAuthAPITypes.AuthSchemes.toOptional()),
+        ConfigProperty("authSchemes", SmithyHTTPAuthAPITypes.AuthSchemes.toOptional(), AuthUtils(ctx).authSchemesDefaultProvider),
         ConfigProperty(
             "authSchemeResolver",
             SmithyHTTPAuthAPITypes.AuthSchemeResolver,
@@ -44,6 +47,11 @@ class DefaultHttpClientConfiguration : ClientConfiguration {
             ClientRuntimeTypes.Core.HttpInterceptorProviders,
             { "[]" },
             accessModifier = AccessModifier.PublicPrivateSet
+        ),
+        ConfigProperty(
+            "bearerTokenIdentityResolver",
+            SmithyIdentityTypes.BearerTokenIdentityResolver.toGeneric(),
+            { it.format("\$N(token: \$N(token: \"\"))", SmithyIdentityTypes.StaticBearerTokenIdentityResolver, SmithyIdentityTypes.BearerTokenIdentity) }
         )
     )