Optional arnNamespace for condition key traits

This commit makes an arnNamespace prefix in a full condition key
(`arnNamespace:name`) optional in all IAM traits that support
specifying the condition keys. Trait definitions are relaxed,
utility methods are provided, and validators and the ConditionKeysIndex
are updated to use resolve the full names based on the service
in context.

Minor optimization of validation and index computation is also
done.

Author: kstich

docs/source-2.0/aws/aws-iam.rst

@@ -491,9 +491,14 @@ Condition keys derived automatically can be applied to a resource or operation
 explicitly. Condition keys applied this way MUST be either :ref:`inferred <deriving-condition-keys>`
 or explicitly defined via the :ref:`aws.iam#defineConditionKeys-trait` trait.
 
+Values in the list MUST be valid IAM identifiers or names of condition keys,
+meaning they must adhere to the following regular expression:
+``"^(([A-Za-z0-9][A-Za-z0-9-\\.]{0,62}:)?[^:\\s]+)$"``. If only a condition key
+name is specified, the service is inferred to be the ``arnNamespace``.
+
 The following example's ``MyResource`` resource has the
-``myservice:MyResourceFoo`` and  ``myservice:Bar`` condition keys. The
-``MyOperation`` operation has the ``aws:region`` condition key.
+``myservice:MyResourceFoo``, ``myservice:Bar``, and ``myservice:Baz`` condition
+keys. The ``MyOperation`` operation has the ``aws:region`` condition key.
 
 .. code-block:: smithy
 
@@ -506,13 +511,16 @@ The following example's ``MyResource`` resource has the
     use aws.iam#conditionKeys
 
     @service(sdkId: "My Value", arnNamespace: "myservice")
-    @defineConditionKeys("myservice:Bar": { type: "String" })
+    @defineConditionKeys(
+        "myservice:Bar": { type: "String" }
+        "myservice:Baz": { type: "String" }
+    )
     service MyService {
         version: "2017-02-11"
         resources: [MyResource]
     }
 
-    @conditionKeys(["myservice:Bar"])
+    @conditionKeys(["myservice:Bar", "Baz"])
     resource MyResource {
         identifiers: {foo: String}
         operations: [MyOperation]
@@ -547,6 +555,11 @@ MUST also be defined via the :ref:`aws.iam#defineConditionKeys-trait` trait.
 :ref:`Inferred resource condition keys <deriving-condition-keys>` MUST NOT be
 included with the ``serviceResolvedConditionKeys`` trait.
 
+Values in the list MUST be valid IAM identifiers or names of condition keys,
+meaning they must adhere to the following regular expression:
+``"^(([A-Za-z0-9][A-Za-z0-9-\\.]{0,62}:)?[^:\\s]+)$"``. If only a condition key
+name is specified, the service is inferred to be the ``arnNamespace``.
+
 The following example defines two service-specific condition keys:
 
 * ``myservice:ActionContextKey1`` is expected to be resolved by the service.
@@ -565,8 +578,9 @@ The following example defines two service-specific condition keys:
     @defineConditionKeys(
         "myservice:ActionContextKey1": { type: "String" },
         "myservice:ActionContextKey2": { type: "String" }
+        "myservice:AnotherContextKey": { type: "String" }
     )
-    @serviceResolvedConditionKeys(["myservice:ActionContextKey1"])
+    @serviceResolvedConditionKeys(["myservice:ActionContextKey1", "AnotherContextKey"])
     @service(sdkId: "My Value", arnNamespace: "myservice")
     service MyService {
         version: "2018-05-10"
@@ -591,6 +605,11 @@ Members not annotated with the ``conditionKeyValue`` trait, default to the
 condition keys defined with the ``conditionKeyValue`` trait MUST also be
 defined via the :ref:`aws.iam#defineConditionKeys-trait` trait.
 
+The value MUST be a valid IAM identifier or name of a condition key,
+meaning it must adhere to the following regular expression:
+``"^(([A-Za-z0-9][A-Za-z0-9-\\.]{0,62}:)?[^:\\s]+)$"``. If only a condition key
+name is specified, the service is inferred to be the ``arnNamespace``.
+
 In the input shape for ``OperationA``, the trait ``conditionKeyValue``
 explicitly binds ``ActionContextKey1`` to the field ``key``.
 
@@ -607,6 +626,7 @@ explicitly binds ``ActionContextKey1`` to the field ``key``.
 
     @defineConditionKeys(
         "myservice:ActionContextKey1": { type: "String" }
+        "myservice:AnotherContextKey": { type: "String" }
     )
     @service(sdkId: "My Value", arnNamespace: "myservice")
     service MyService {
@@ -619,6 +639,9 @@ explicitly binds ``ActionContextKey1`` to the field ``key``.
         input := {
             @conditionKeyValue("myservice:ActionContextKey1")
             key: String
+
+            @conditionKeyValue("AnotherContextKey")
+            key: String
         }
         output := {
             out: String

smithy-aws-iam-traits/src/main/java/software/amazon/smithy/aws/iam/traits/ConditionKeyValueTrait.java

@@ -6,6 +6,7 @@
 
 import software.amazon.smithy.model.FromSourceLocation;
 import software.amazon.smithy.model.SourceLocation;
+import software.amazon.smithy.model.shapes.ServiceShape;
 import software.amazon.smithy.model.shapes.ShapeId;
 import software.amazon.smithy.model.traits.StringTrait;
 
@@ -20,6 +21,16 @@ public ConditionKeyValueTrait(String conditionKey, FromSourceLocation sourceLoca
         super(ID, conditionKey, sourceLocation);
     }
 
+    /**
+     * Gets the fully resolved condition key based on the service's ARN namespace.
+     *
+     * @param service The service to resolve no-prefix condition key name to.
+     * @return the resolved condition key.
+     */
+    public String resolveConditionKey(ServiceShape service) {
+        return ConditionKeysIndex.resolveFullConditionKey(service, getValue());
+    }
+
     public static final class Provider extends StringTrait.Provider<ConditionKeyValueTrait> {
         public Provider() {
             super(ID, ConditionKeyValueTrait::new);

smithy-aws-iam-traits/src/main/java/software/amazon/smithy/aws/iam/traits/ConditionKeysIndex.java

@@ -8,6 +8,7 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import software.amazon.smithy.aws.traits.ArnReferenceTrait;
 import software.amazon.smithy.aws.traits.ServiceTrait;
@@ -21,7 +22,6 @@
 import software.amazon.smithy.model.shapes.ToShapeId;
 import software.amazon.smithy.model.traits.DocumentationTrait;
 import software.amazon.smithy.utils.MapUtils;
-import software.amazon.smithy.utils.OptionalUtils;
 import software.amazon.smithy.utils.SetUtils;
 import software.amazon.smithy.utils.StringUtils;
 
@@ -47,13 +47,7 @@ public ConditionKeysIndex(Model model) {
             if (service.hasTrait(DefineConditionKeysTrait.ID)) {
                 DefineConditionKeysTrait trait = service.expectTrait(DefineConditionKeysTrait.class);
                 for (Map.Entry<String, ConditionKeyDefinition> entry : trait.getConditionKeys().entrySet()) {
-                    // If no colon is present, we infer that this condition key is for the
-                    // current service and apply its ARN namespace.
-                    String key = entry.getKey();
-                    if (!key.contains(":")) {
-                        key = arnNamespace + ":" + key;
-                    }
-                    serviceKeys.put(key, entry.getValue());
+                    serviceKeys.put(resolveFullConditionKey(service, entry.getKey()), entry.getValue());
                 }
             }
             serviceConditionKeys.put(service.getId(), serviceKeys);
@@ -75,11 +69,20 @@ public static ConditionKeysIndex of(Model model) {
         return model.getKnowledge(ConditionKeysIndex.class, ConditionKeysIndex::new);
     }
 
+    static String resolveFullConditionKey(ServiceShape service, String conditionKey) {
+        // If no colon is present, we infer that this condition key is for the
+        // current service and apply its ARN namespace.
+        if (conditionKey.contains(":")) {
+            return conditionKey;
+        }
+        return service.expectTrait(ServiceTrait.class).getArnNamespace() + ":" + conditionKey;
+    }
+
     /**
-     * Get all of the explicit and inferred condition keys used in the entire service.
+     * Get all the explicit and inferred condition keys used in the entire service.
      *
      * <p>The result does not include global condition keys like "aws:accountId".
-     * Use {@link #getConditionKeyNames} to find all of the condition keys used
+     * Use {@link #getConditionKeyNames} to find all the condition keys used
      * but not necessarily defined for a service.
      *
      * @param service Service shape/shapeId to get.
@@ -90,21 +93,25 @@ public Map<String, ConditionKeyDefinition> getDefinedConditionKeys(ToShapeId ser
     }
 
     /**
-     * Get all of the condition key names used in a service.
+     * Get all the condition key names used in a service.
      *
      * @param service Service shape/shapeId use to scope the result.
      * @return Returns the conditions keys of the service or an empty map when not found.
      */
     public Set<String> getConditionKeyNames(ToShapeId service) {
-        return resourceConditionKeys.getOrDefault(service.toShapeId(), MapUtils.of())
-                .values()
-                .stream()
-                .flatMap(Set::stream)
-                .collect(SetUtils.toUnmodifiableSet());
+        if (!resourceConditionKeys.containsKey(service.toShapeId())) {
+            return SetUtils.of();
+        }
+
+        Set<String> names = new HashSet<>();
+        for (Set<String> resourceKeyNames : resourceConditionKeys.get(service.toShapeId()).values()) {
+            names.addAll(resourceKeyNames);
+        }
+        return names;
     }
 
     /**
-     * Get all of the defined condition keys used in an operation or resource, including
+     * Get all the defined condition keys used in an operation or resource, including
      * any inferred keys and keys inherited by parent resource bindings.
      *
      * @param service Service shape/shapeId use to scope the result.
@@ -119,11 +126,11 @@ public Set<String> getConditionKeyNames(ToShapeId service, ToShapeId resourceOrO
     }
 
     /**
-     * Get all of the defined condition keys used in an operation or resource, including
+     * Get all the defined condition keys used in an operation or resource, including
      * any inferred keys and keys inherited by parent resource bindings.
      *
      * <p>The result does not include global condition keys like "aws:accountId".
-     * Use {@link #getConditionKeyNames} to find all of the condition keys used
+     * Use {@link #getConditionKeyNames} to find all the condition keys used
      * but not necessarily defined for a resource or operation.
      *
      * @param service Service shape/shapeId use to scope the result.
@@ -170,7 +177,9 @@ private void compute(
             definitions.addAll(parentDefinitions);
         }
         resourceConditionKeys.get(service.getId()).put(subject.getId(), definitions);
-        subject.getTrait(ConditionKeysTrait.class).ifPresent(trait -> definitions.addAll(trait.getValues()));
+        if (subject.hasTrait(ConditionKeysTrait.ID)) {
+            definitions.addAll(subject.expectTrait(ConditionKeysTrait.class).resolveConditionKeys(service));
+        }
 
         // Continue recursing into resources and computing keys.
         subject.asResourceShape().ifPresent(resource -> {
@@ -183,18 +192,23 @@ private void compute(
                     : MapUtils.of();
 
             // Compute the keys of each child operation, passing no keys.
-            resource.getAllOperations()
-                    .stream()
-                    .flatMap(id -> OptionalUtils.stream(model.getShape(id)))
-                    .forEach(child -> compute(model, service, arnRoot, child, resource));
+            for (ShapeId operationId : resource.getOperations()) {
+                Optional<Shape> operationOptional = model.getShape(operationId);
+                if (operationOptional.isPresent()) {
+                    compute(model, service, arnRoot, operationOptional.get(), resource);
+                }
+            }
 
             // Child resources always inherit the identifiers of the parent.
             definitions.addAll(childIdentifiers.values());
 
             // Compute the keys of each child resource.
-            resource.getResources().stream().flatMap(id -> OptionalUtils.stream(model.getShape(id))).forEach(child -> {
-                compute(model, service, arnRoot, child, resource, definitions);
-            });
+            for (ShapeId resourceId : resource.getResources()) {
+                Optional<Shape> resourceOptional = model.getShape(resourceId);
+                if (resourceOptional.isPresent()) {
+                    compute(model, service, arnRoot, resourceOptional.get(), resource, definitions);
+                }
+            }
         });
     }
 
@@ -230,7 +244,7 @@ private Map<String, String> inferChildResourceIdentifiers(
                 builder.documentation(shape.getTrait(DocumentationTrait.class)
                         .map(DocumentationTrait::getValue)
                         .orElse(computeIdentifierDocs(resource, childId)));
-                // The identifier name is comprised of "[arn service]:[Resource name][uppercase identifier name]
+                // The identifier name consists of "[arn service]:[Resource name][uppercase identifier name]".
                 String computeIdentifierName = computeIdentifierName(arnRoot, resource, childId);
                 // Add the computed identifier binding and resolved context key to the result map.
                 result.put(childId, computeIdentifierName);

smithy-aws-iam-traits/src/main/java/software/amazon/smithy/aws/iam/traits/ConditionKeysTrait.java

@@ -4,18 +4,22 @@
  */
 package software.amazon.smithy.aws.iam.traits;
 
+import java.util.ArrayList;
 import java.util.List;
 import software.amazon.smithy.model.FromSourceLocation;
 import software.amazon.smithy.model.SourceLocation;
+import software.amazon.smithy.model.shapes.ServiceShape;
 import software.amazon.smithy.model.shapes.ShapeId;
 import software.amazon.smithy.model.traits.StringListTrait;
+import software.amazon.smithy.utils.ListUtils;
 import software.amazon.smithy.utils.ToSmithyBuilder;
 
 /**
  * Applies condition keys to an operation or resource.
  */
 public final class ConditionKeysTrait extends StringListTrait implements ToSmithyBuilder<ConditionKeysTrait> {
     public static final ShapeId ID = ShapeId.from("aws.iam#conditionKeys");
+    private List<String> resolvedConditionKeys;
 
     public ConditionKeysTrait(List<String> keys, FromSourceLocation sourceLocation) {
         super(ID, keys, sourceLocation);
@@ -29,6 +33,23 @@ public static Builder builder() {
         return new Builder();
     }
 
+    /**
+     * Gets the fully resolved condition key names based on the service's ARN namespace.
+     *
+     * @param service The service to resolve no-prefix condition key names to.
+     * @return the resolved condition key names.
+     */
+    public List<String> resolveConditionKeys(ServiceShape service) {
+        if (resolvedConditionKeys == null) {
+            List<String> keys = new ArrayList<>();
+            for (String value : getValues()) {
+                keys.add(ConditionKeysIndex.resolveFullConditionKey(service, value));
+            }
+            resolvedConditionKeys = ListUtils.copyOf(keys);
+        }
+        return resolvedConditionKeys;
+    }
+
     public static final class Provider extends StringListTrait.Provider<ConditionKeysTrait> {
         public Provider() {
             super(ID, ConditionKeysTrait::new);