Validate one source member for conditionKeyValue

kstich · kstich · commit b908d233943a · 2025-05-08T21:57:03.000-07:00
This commit adds validation to ensure that the value for any specific
condition key may only be supplied by one member in the operation input.
diff --git a/smithy-aws-iam-traits/src/main/java/software/amazon/smithy/aws/iam/traits/ConditionKeyValueTraitValidator.java b/smithy-aws-iam-traits/src/main/java/software/amazon/smithy/aws/iam/traits/ConditionKeyValueTraitValidator.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package software.amazon.smithy.aws.iam.traits;
+
+import static java.lang.String.format;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import software.amazon.smithy.aws.traits.ServiceTrait;
+import software.amazon.smithy.model.Model;
+import software.amazon.smithy.model.knowledge.OperationIndex;
+import software.amazon.smithy.model.knowledge.TopDownIndex;
+import software.amazon.smithy.model.shapes.MemberShape;
+import software.amazon.smithy.model.shapes.OperationShape;
+import software.amazon.smithy.model.shapes.ServiceShape;
+import software.amazon.smithy.model.validation.AbstractValidator;
+import software.amazon.smithy.model.validation.ValidationEvent;
+import software.amazon.smithy.model.validation.ValidationUtils;
+
+/**
+ * Validates that members match 1:1 with supplying a value for a specific condition key.
+ */
+public class ConditionKeyValueTraitValidator extends AbstractValidator {
+    @Override
+    public List<ValidationEvent> validate(Model model) {
+        List<ValidationEvent> events = new ArrayList<>();
+        if (!model.getAppliedTraits().contains(ConditionKeyValueTrait.ID)) {
+            return events;
+        }
+
+        TopDownIndex topDownIndex = TopDownIndex.of(model);
+        OperationIndex operationIndex = OperationIndex.of(model);
+        for (ServiceShape service : model.getServiceShapesWithTrait(ServiceTrait.class)) {
+            for (OperationShape operation : topDownIndex.getContainedOperations(service)) {
+                Map<String, List<String>> conditionKeyMembers = new HashMap<>();
+
+                // Store each member name where the same condition key value is derived.
+                for (MemberShape memberShape : operationIndex.getInputMembers(operation)
+                        .values()) {
+                    if (memberShape.hasTrait(ConditionKeyValueTrait.ID)) {
+                        ConditionKeyValueTrait trait = memberShape.expectTrait(ConditionKeyValueTrait.class);
+                        String conditionKey = trait.resolveConditionKey(service);
+                        conditionKeyMembers.computeIfAbsent(conditionKey, k -> new ArrayList<>())
+                                .add(memberShape.getMemberName());
+                    }
+                }
+
+                // Emit events if more than one value source member is found for the same key.
+                for (Map.Entry<String, List<String>> entry : conditionKeyMembers.entrySet()) {
+                    if (entry.getValue().size() > 1) {
+                        events.add(error(operationIndex.expectInputShape(operation),
+                                format("The `%s` condition key has its value supplied in the `%s` operation's input "
+                                        + "shape by multiple members [%s]. This value must only be supplied by one "
+                                        + "member.",
+                                        entry.getKey(),
+                                        operation.getId(),
+                                        ValidationUtils.tickedList(entry.getValue()))));
+                    }
+                }
+            }
+        }
+        return events;
+    }
+}
diff --git a/smithy-aws-iam-traits/src/main/resources/META-INF/services/software.amazon.smithy.model.validation.Validator b/smithy-aws-iam-traits/src/main/resources/META-INF/services/software.amazon.smithy.model.validation.Validator
@@ -1,5 +1,6 @@
 software.amazon.smithy.aws.iam.traits.ConditionKeysValidator
+software.amazon.smithy.aws.iam.traits.ConditionKeyValueTraitValidator
+software.amazon.smithy.aws.iam.traits.DefineConditionKeysTraitValidator
 software.amazon.smithy.aws.iam.traits.IamActionValidator
 software.amazon.smithy.aws.iam.traits.IamResourceTraitValidator
-software.amazon.smithy.aws.iam.traits.DefineConditionKeysTraitValidator
 software.amazon.smithy.aws.iam.traits.IamResourceTraitConflictingNameValidator
diff --git a/smithy-aws-iam-traits/src/test/resources/software/amazon/smithy/aws/iam/traits/errorfiles/invalid-condition-key-value.errors b/smithy-aws-iam-traits/src/test/resources/software/amazon/smithy/aws/iam/traits/errorfiles/invalid-condition-key-value.errors
@@ -1 +1,2 @@
-[ERROR] smithy.example#EchoInput$id1: This operation `smithy.example#Echo` scoped within the `smithy.example#MyService` service with member `smithy.example#EchoInput$id1` refers to an undefined condition key `smithy:InvalidConditionKey`. Expected one of the following defined condition keys: [`smithy:ActionContextKey1`] | ConditionKeys
+[ERROR] smithy.example#EchoInput$id1: This operation `smithy.example#Echo` scoped within the `smithy.example#MyService` service with member `smithy.example#EchoInput$id1` refers to an undefined condition key `myservice:InvalidConditionKey`. Expected one of the following defined condition keys: [`myservice:ActionContextKey1`] | ConditionKeys
+[ERROR] smithy.example#EchoInput: The `myservice:ActionContextKey1` condition key has its value supplied in the `smithy.example#Echo` operation's input shape by multiple members [`id2`, `id3`]. This value must only be supplied by one member. | ConditionKeyValueTrait
diff --git a/smithy-aws-iam-traits/src/test/resources/software/amazon/smithy/aws/iam/traits/errorfiles/invalid-condition-key-value.smithy b/smithy-aws-iam-traits/src/test/resources/software/amazon/smithy/aws/iam/traits/errorfiles/invalid-condition-key-value.smithy
@@ -2,20 +2,28 @@ $version: "2.0"
 
 namespace smithy.example
 
+use aws.api#service
 use aws.iam#conditionKeyValue
+use aws.iam#defineConditionKeys
 
-@aws.iam#defineConditionKeys(
-    "smithy:ActionContextKey1": { type: "String" }
+@defineConditionKeys(
+    "myservice:ActionContextKey1": { type: "String" }
 )
-@aws.api#service(sdkId: "My")
+@service(sdkId: "My", arnNamespace: "myservice")
 service MyService {
     version: "2019-02-20",
     operations: [Echo]
 }
 
 operation Echo {
     input := {
-        @aws.iam#conditionKeyValue("smithy:InvalidConditionKey")
+        @conditionKeyValue("myservice:InvalidConditionKey")
         id1: String
+
+        @conditionKeyValue("myservice:ActionContextKey1")
+        id2: String
+
+        @conditionKeyValue("myservice:ActionContextKey1")
+        id3: String
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		-[ERROR] smithy.example#EchoInput$id1: This operation `smithy.example#Echo` scoped within the `smithy.example#MyService` service with member `smithy.example#EchoInput$id1` refers to an undefined condition key `smithy:InvalidConditionKey`. Expected one of the following defined condition keys: [`smithy:ActionContextKey1`] \| ConditionKeys
	`1`	+[ERROR] smithy.example#EchoInput$id1: This operation `smithy.example#Echo` scoped within the `smithy.example#MyService` service with member `smithy.example#EchoInput$id1` refers to an undefined condition key `myservice:InvalidConditionKey`. Expected one of the following defined condition keys: [`myservice:ActionContextKey1`] \| ConditionKeys
	`2`	+[ERROR] smithy.example#EchoInput: The `myservice:ActionContextKey1` condition key has its value supplied in the `smithy.example#Echo` operation's input shape by multiple members [`id2`, `id3`]. This value must only be supplied by one member. \| ConditionKeyValueTrait