Validate one source member for conditionKeyValue

This commit adds validation to ensure that the value for any specific
condition key may only be supplied by one member in the operation input.

Author: kstich

docs/source-2.0/aws/aws-iam.rst

@@ -605,6 +605,10 @@ Members not annotated with the ``conditionKeyValue`` trait, default to the
 condition keys defined with the ``conditionKeyValue`` trait MUST also be
 defined via the :ref:`aws.iam#defineConditionKeys-trait` trait.
 
+Any ``conditionKeyValue`` trait applied to a member that is not a top-level
+input member to an operation will be ignored. Multiple members within a
+top-level input structure MUST NOT supply the value for the same condition key.
+
 The value MUST be a valid IAM identifier or name of a condition key,
 meaning it must adhere to the following regular expression:
 ``"^(([A-Za-z0-9][A-Za-z0-9-\\.]{0,62}:)?[^:\\s]+)$"``. If only a condition key

smithy-aws-iam-traits/src/main/java/software/amazon/smithy/aws/iam/traits/ConditionKeyValueTraitValidator.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package software.amazon.smithy.aws.iam.traits;
+
+import static java.lang.String.format;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import software.amazon.smithy.aws.traits.ServiceTrait;
+import software.amazon.smithy.model.Model;
+import software.amazon.smithy.model.knowledge.OperationIndex;
+import software.amazon.smithy.model.knowledge.TopDownIndex;
+import software.amazon.smithy.model.shapes.MemberShape;
+import software.amazon.smithy.model.shapes.OperationShape;
+import software.amazon.smithy.model.shapes.ServiceShape;
+import software.amazon.smithy.model.validation.AbstractValidator;
+import software.amazon.smithy.model.validation.ValidationEvent;
+import software.amazon.smithy.model.validation.ValidationUtils;
+
+/**
+ * Validates that members match 1:1 with supplying a value for a specific condition key.
+ */
+public class ConditionKeyValueTraitValidator extends AbstractValidator {
+    @Override
+    public List<ValidationEvent> validate(Model model) {
+        List<ValidationEvent> events = new ArrayList<>();
+        if (!model.getAppliedTraits().contains(ConditionKeyValueTrait.ID)) {
+            return events;
+        }
+
+        TopDownIndex topDownIndex = TopDownIndex.of(model);
+        OperationIndex operationIndex = OperationIndex.of(model);
+        for (ServiceShape service : model.getServiceShapesWithTrait(ServiceTrait.class)) {
+            for (OperationShape operation : topDownIndex.getContainedOperations(service)) {
+                Map<String, List<String>> conditionKeyMembers = new HashMap<>();
+
+                // Store each member name where the same condition key value is derived.
+                for (MemberShape memberShape : operationIndex.getInputMembers(operation)
+                        .values()) {
+                    if (memberShape.hasTrait(ConditionKeyValueTrait.ID)) {
+                        ConditionKeyValueTrait trait = memberShape.expectTrait(ConditionKeyValueTrait.class);
+                        String conditionKey = trait.resolveConditionKey(service);
+                        conditionKeyMembers.computeIfAbsent(conditionKey, k -> new ArrayList<>())
+                                .add(memberShape.getMemberName());
+                    }
+                }
+
+                // Emit events if more than one value source member is found for the same key.
+                for (Map.Entry<String, List<String>> entry : conditionKeyMembers.entrySet()) {
+                    if (entry.getValue().size() > 1) {
+                        events.add(error(operationIndex.expectInputShape(operation),
+                                format("The `%s` condition key has its value supplied in the `%s` operation's input "
+                                        + "shape by multiple members [%s]. This value must only be supplied by one "
+                                        + "member.",
+                                        entry.getKey(),
+                                        operation.getId(),
+                                        ValidationUtils.tickedList(entry.getValue()))));
+                    }
+                }
+            }
+        }
+        return events;
+    }
+}

smithy-aws-iam-traits/src/main/resources/META-INF/services/software.amazon.smithy.model.validation.Validator

@@ -1,5 +1,6 @@
 software.amazon.smithy.aws.iam.traits.ConditionKeysValidator
+software.amazon.smithy.aws.iam.traits.ConditionKeyValueTraitValidator
+software.amazon.smithy.aws.iam.traits.DefineConditionKeysTraitValidator
 software.amazon.smithy.aws.iam.traits.IamActionValidator
 software.amazon.smithy.aws.iam.traits.IamResourceTraitValidator
-software.amazon.smithy.aws.iam.traits.DefineConditionKeysTraitValidator
 software.amazon.smithy.aws.iam.traits.IamResourceTraitConflictingNameValidator

smithy-aws-iam-traits/src/test/resources/software/amazon/smithy/aws/iam/traits/errorfiles/invalid-condition-key-value.errors

@@ -1 +1,2 @@
-[ERROR] smithy.example#EchoInput$id1: This operation `smithy.example#Echo` scoped within the `smithy.example#MyService` service with member `smithy.example#EchoInput$id1` refers to an undefined condition key `smithy:InvalidConditionKey`. Expected one of the following defined condition keys: [`smithy:ActionContextKey1`] | ConditionKeys
+[ERROR] smithy.example#EchoInput$id1: This operation `smithy.example#Echo` scoped within the `smithy.example#MyService` service with member `smithy.example#EchoInput$id1` refers to an undefined condition key `myservice:InvalidConditionKey`. Expected one of the following defined condition keys: [`myservice:ActionContextKey1`] | ConditionKeys
+[ERROR] smithy.example#EchoInput: The `myservice:ActionContextKey1` condition key has its value supplied in the `smithy.example#Echo` operation's input shape by multiple members [`id2`, `id3`]. This value must only be supplied by one member. | ConditionKeyValueTrait

smithy-aws-iam-traits/src/test/resources/software/amazon/smithy/aws/iam/traits/errorfiles/invalid-condition-key-value.smithy

@@ -2,20 +2,28 @@ $version: "2.0"
 
 namespace smithy.example
 
+use aws.api#service
 use aws.iam#conditionKeyValue
+use aws.iam#defineConditionKeys
 
-@aws.iam#defineConditionKeys(
-    "smithy:ActionContextKey1": { type: "String" }
+@defineConditionKeys(
+    "myservice:ActionContextKey1": { type: "String" }
 )
-@aws.api#service(sdkId: "My")
+@service(sdkId: "My", arnNamespace: "myservice")
 service MyService {
     version: "2019-02-20",
     operations: [Echo]
 }
 
 operation Echo {
     input := {
-        @aws.iam#conditionKeyValue("smithy:InvalidConditionKey")
+        @conditionKeyValue("myservice:InvalidConditionKey")
         id1: String
+
+        @conditionKeyValue("myservice:ActionContextKey1")
+        id2: String
+
+        @conditionKeyValue("myservice:ActionContextKey1")
+        id3: String
     }
 }