Implement authSchemes support for endpoints (#3455)

This change introduces a new ExecutionInterceptor that takes the resolved
endpoints, and sets the headers and uses the auth scheme properties to modify
the signing configuration for the request.

Author: dagnir

codegen/src/main/java/software/amazon/awssdk/codegen/emitters/tasks/EndpointProviderTasks.java

@@ -26,6 +26,7 @@
 import software.amazon.awssdk.codegen.model.config.customization.CustomizationConfig;
 import software.amazon.awssdk.codegen.model.service.ClientContextParam;
 import software.amazon.awssdk.codegen.poet.rules.ClientContextParamsClassSpec;
+import software.amazon.awssdk.codegen.poet.rules.EndpointAuthSchemeInterceptorClassSpec;
 import software.amazon.awssdk.codegen.poet.rules.EndpointParametersClassSpec;
 import software.amazon.awssdk.codegen.poet.rules.EndpointProviderInterfaceSpec;
 import software.amazon.awssdk.codegen.poet.rules.EndpointProviderSpec;
@@ -75,7 +76,9 @@ private GeneratorTask generateDefaultProvider() {
     private Collection<GeneratorTask> generateInterceptors() {
         return Arrays.asList(
             new PoetGeneratorTask(endpointRulesInternalDir(), model.getFileHeader(), new EndpointResolverInterceptorSpec(model)),
-            new PoetGeneratorTask(endpointRulesInternalDir(), model.getFileHeader(), new RequestEndpointInterceptorSpec(model)));
+            new PoetGeneratorTask(endpointRulesInternalDir(), model.getFileHeader(), new RequestEndpointInterceptorSpec(model)),
+            new PoetGeneratorTask(endpointRulesInternalDir(), model.getFileHeader(),
+                                  new EndpointAuthSchemeInterceptorClassSpec(model)));
     }
 
     private GeneratorTask generateClientTests() {

codegen/src/main/java/software/amazon/awssdk/codegen/poet/builder/BaseClientBuilderClass.java

@@ -240,6 +240,7 @@ private MethodSpec finalizeServiceConfigurationMethod() {
                              ArrayList.class);
 
         builder.addStatement("additionalInterceptors.add(new $T())", endpointRulesSpecUtils.resolverInterceptorName());
+        builder.addStatement("additionalInterceptors.add(new $T())", endpointRulesSpecUtils.authSchemesInterceptorName());
         builder.addStatement("additionalInterceptors.add(new $T())", endpointRulesSpecUtils.requestModifierInterceptorName());
 
         if (model.getMetadata().isQueryProtocol()) {

codegen/src/main/java/software/amazon/awssdk/codegen/poet/rules/EndpointAuthSchemeInterceptorClassSpec.java

@@ -0,0 +1,160 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.codegen.poet.rules;
+
+import com.squareup.javapoet.ClassName;
+import com.squareup.javapoet.MethodSpec;
+import com.squareup.javapoet.ParameterizedTypeName;
+import com.squareup.javapoet.TypeSpec;
+import java.util.List;
+import java.util.function.Supplier;
+import javax.lang.model.element.Modifier;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.auth.signer.Aws4Signer;
+import software.amazon.awssdk.auth.signer.AwsS3V4Signer;
+import software.amazon.awssdk.auth.signer.SignerLoader;
+import software.amazon.awssdk.awscore.AwsRequest;
+import software.amazon.awssdk.awscore.rules.AwsEndpointAttribute;
+import software.amazon.awssdk.awscore.rules.AwsEndpointProviderUtils;
+import software.amazon.awssdk.awscore.rules.authscheme.AuthSchemeUtils;
+import software.amazon.awssdk.awscore.rules.authscheme.EndpointAuthScheme;
+import software.amazon.awssdk.awscore.util.SignerOverrideUtils;
+import software.amazon.awssdk.codegen.model.intermediate.IntermediateModel;
+import software.amazon.awssdk.codegen.poet.ClassSpec;
+import software.amazon.awssdk.codegen.poet.PoetUtils;
+import software.amazon.awssdk.core.SdkRequest;
+import software.amazon.awssdk.core.exception.SdkClientException;
+import software.amazon.awssdk.core.interceptor.Context;
+import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
+import software.amazon.awssdk.core.interceptor.ExecutionInterceptor;
+import software.amazon.awssdk.core.interceptor.SdkInternalExecutionAttribute;
+import software.amazon.awssdk.core.rules.model.Endpoint;
+import software.amazon.awssdk.core.signer.Signer;
+
+/**
+ * Generates the Endpoint Interceptor responsible for applying the {@link AwsEndpointAttribute#AUTH_SCHEMES} property on the
+ * endpoint if they exist. Auth schemes describe auth related requirements for the endpoint, such as signing name, signing
+ * region, and the name of the auth scheme to use, such as SigV4.
+ */
+public class EndpointAuthSchemeInterceptorClassSpec implements ClassSpec {
+    private static final String SIGV4_NAME = "sigv4";
+    private static final String SIGV4A_NAME = "sigv4a";
+
+    private final IntermediateModel intermediateModel;
+    private final EndpointRulesSpecUtils endpointRulesSpecUtils;
+
+    public EndpointAuthSchemeInterceptorClassSpec(IntermediateModel intermediateModel) {
+        this.intermediateModel = intermediateModel;
+        this.endpointRulesSpecUtils = new EndpointRulesSpecUtils(intermediateModel);
+    }
+
+    @Override
+    public TypeSpec poetSpec() {
+        TypeSpec.Builder b = PoetUtils.createClassBuilder(className())
+                                      .addModifiers(Modifier.PUBLIC, Modifier.FINAL)
+                                      .addAnnotation(SdkInternalApi.class)
+                                      .addSuperinterface(ExecutionInterceptor.class);
+
+        b.addMethod(modifyRequestMethod());
+        b.addMethod(signerProviderMethod());
+
+        return b.build();
+    }
+
+    @Override
+    public ClassName className() {
+        return endpointRulesSpecUtils.authSchemesInterceptorName();
+    }
+
+    private MethodSpec modifyRequestMethod() {
+        MethodSpec.Builder builder = MethodSpec.methodBuilder("modifyRequest")
+            .addModifiers(Modifier.PUBLIC)
+            .addAnnotation(Override.class)
+            .addParameter(ClassName.get(Context.ModifyRequest.class), "context")
+            .addParameter(ExecutionAttributes.class, "executionAttributes")
+            .returns(SdkRequest.class);
+
+        builder.addStatement("$T resolvedEndpoint = executionAttributes.getAttribute($T.RESOLVED_ENDPOINT)", Endpoint.class,
+                             SdkInternalExecutionAttribute.class);
+
+        builder.addStatement("$1T request = ($1T) context.request()", AwsRequest.class);
+
+        builder.beginControlFlow("if (resolvedEndpoint.headers() != null)")
+               .addStatement("request = $T.addHeaders(request, resolvedEndpoint.headers())", AwsEndpointProviderUtils.class);
+        builder.endControlFlow();
+
+        builder.addStatement("$T authSchemes = resolvedEndpoint.attribute($T.AUTH_SCHEMES)",
+                             ParameterizedTypeName.get(List.class, EndpointAuthScheme.class), AwsEndpointAttribute.class);
+
+        builder.beginControlFlow("if (authSchemes == null)")
+               .addStatement("return request")
+               .endControlFlow();
+
+        // find the scheme to use
+        builder.addStatement("$T chosenAuthScheme = $T.chooseAuthScheme(authSchemes)", EndpointAuthScheme.class,
+                             AuthSchemeUtils.class);
+
+        // Create a signer provider
+        builder.addStatement("$T signerProvider = signerProvider(chosenAuthScheme)", ParameterizedTypeName.get(Supplier.class,
+                                                                                                               Signer.class));
+
+        // Set signing attributes
+        builder.addStatement("$T.setSigningParams(executionAttributes, chosenAuthScheme)", AuthSchemeUtils.class);
+
+        // Override signer
+        builder.addStatement("return $T.overrideSignerIfNotOverridden(request, executionAttributes, signerProvider)",
+                             SignerOverrideUtils.class);
+
+
+        return builder.build();
+    }
+
+    private MethodSpec signerProviderMethod() {
+        MethodSpec.Builder builder = MethodSpec.methodBuilder("signerProvider")
+            .addModifiers(Modifier.PRIVATE)
+            .addParameter(EndpointAuthScheme.class, "authScheme")
+            .returns(ParameterizedTypeName.get(Supplier.class, Signer.class));
+
+        builder.beginControlFlow("switch (authScheme.name())");
+        builder.addCode("case $S:", SIGV4_NAME);
+        if (isS3()) {
+            builder.addStatement("return $T::create", AwsS3V4Signer.class);
+        } else {
+            builder.addStatement("return $T::create", Aws4Signer.class);
+        }
+
+        builder.addCode("case $S:", SIGV4A_NAME);
+        if (isS3()) {
+            builder.addStatement("return $T::getS3SigV4aSigner", SignerLoader.class);
+        } else {
+            builder.addStatement("return $T::getSigV4aSigner", SignerLoader.class);
+        }
+
+        builder.addCode("default:");
+        builder.addStatement("break");
+        builder.endControlFlow();
+
+        builder.addStatement("throw $T.create($S + authScheme.name())",
+                             SdkClientException.class,
+                             "Don't know how to create signer for auth scheme: ");
+
+        return builder.build();
+    }
+
+    private boolean isS3() {
+        return "S3".equals(intermediateModel.getMetadata().getServiceName());
+    }
+}

codegen/src/main/java/software/amazon/awssdk/codegen/poet/rules/EndpointRulesSpecUtils.java

@@ -62,6 +62,12 @@ public ClassName resolverInterceptorName() {
                              md.getServiceName() + "ResolveEndpointInterceptor");
     }
 
+    public ClassName authSchemesInterceptorName() {
+        Metadata md = intermediateModel.getMetadata();
+        return ClassName.get(md.getFullInternalEndpointRulesPackageName(),
+                             md.getServiceName() + "EndpointAuthSchemeInterceptor");
+    }
+
     public ClassName requestModifierInterceptorName() {
         Metadata md = intermediateModel.getMetadata();
         return ClassName.get(md.getFullInternalEndpointRulesPackageName(),

codegen/src/main/java/software/amazon/awssdk/codegen/poet/rules/TestGeneratorUtils.java

@@ -27,8 +27,8 @@
 import java.util.List;
 import java.util.Map;
 import software.amazon.awssdk.awscore.rules.AwsEndpointAttribute;
-import software.amazon.awssdk.awscore.rules.SigV4AuthScheme;
-import software.amazon.awssdk.awscore.rules.SigV4aAuthScheme;
+import software.amazon.awssdk.awscore.rules.authscheme.SigV4AuthScheme;
+import software.amazon.awssdk.awscore.rules.authscheme.SigV4aAuthScheme;
 import software.amazon.awssdk.codegen.model.rules.endpoints.ExpectModel;
 import software.amazon.awssdk.core.rules.model.Endpoint;
 import software.amazon.awssdk.core.rules.testing.model.Expect;

codegen/src/test/java/software/amazon/awssdk/codegen/poet/rules/EndpointAuthSchemeInterceptorClassSpecTest.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.codegen.poet.rules;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static software.amazon.awssdk.codegen.poet.PoetMatchers.generatesTo;
+
+import org.junit.jupiter.api.Test;
+import software.amazon.awssdk.codegen.poet.ClassSpec;
+import software.amazon.awssdk.codegen.poet.ClientTestModels;
+
+public class EndpointAuthSchemeInterceptorClassSpecTest {
+
+    @Test
+    public void endpointAuthSchemeInterceptor() {
+        ClassSpec endpointAuthSchemeInterceptor = new EndpointAuthSchemeInterceptorClassSpec(ClientTestModels.queryServiceModels());
+        assertThat(endpointAuthSchemeInterceptor, generatesTo("endpoint-auth-scheme-interceptor.java"));
+    }
+}

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/builder/test-client-builder-class.java

@@ -16,6 +16,7 @@
 import software.amazon.awssdk.core.interceptor.ExecutionInterceptor;
 import software.amazon.awssdk.core.signer.Signer;
 import software.amazon.awssdk.services.json.rules.JsonEndpointProvider;
+import software.amazon.awssdk.services.json.rules.internal.JsonEndpointAuthSchemeInterceptor;
 import software.amazon.awssdk.services.json.rules.internal.JsonRequestSetEndpointInterceptor;
 import software.amazon.awssdk.services.json.rules.internal.JsonResolveEndpointInterceptor;
 import software.amazon.awssdk.utils.AttributeMap;
@@ -53,6 +54,7 @@ protected final SdkClientConfiguration finalizeServiceConfiguration(SdkClientCon
             .getInterceptors("software/amazon/awssdk/services/json/execution.interceptors");
         List<ExecutionInterceptor> additionalInterceptors = new ArrayList<>();
         additionalInterceptors.add(new JsonResolveEndpointInterceptor());
+        additionalInterceptors.add(new JsonEndpointAuthSchemeInterceptor());
         additionalInterceptors.add(new JsonRequestSetEndpointInterceptor());
         interceptors = CollectionUtils.mergeLists(interceptors, additionalInterceptors);
         interceptors = CollectionUtils.mergeLists(interceptors, config.option(SdkClientOption.EXECUTION_INTERCEPTORS));

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/builder/test-client-builder-internal-defaults-class.java

@@ -14,6 +14,7 @@
 import software.amazon.awssdk.core.retry.RetryMode;
 import software.amazon.awssdk.core.signer.Signer;
 import software.amazon.awssdk.services.json.rules.JsonEndpointProvider;
+import software.amazon.awssdk.services.json.rules.internal.JsonEndpointAuthSchemeInterceptor;
 import software.amazon.awssdk.services.json.rules.internal.JsonRequestSetEndpointInterceptor;
 import software.amazon.awssdk.services.json.rules.internal.JsonResolveEndpointInterceptor;
 import software.amazon.awssdk.utils.CollectionUtils;
@@ -56,6 +57,7 @@ protected final SdkClientConfiguration finalizeServiceConfiguration(SdkClientCon
             .getInterceptors("software/amazon/awssdk/services/json/execution.interceptors");
         List<ExecutionInterceptor> additionalInterceptors = new ArrayList<>();
         additionalInterceptors.add(new JsonResolveEndpointInterceptor());
+        additionalInterceptors.add(new JsonEndpointAuthSchemeInterceptor());
         additionalInterceptors.add(new JsonRequestSetEndpointInterceptor());
         interceptors = CollectionUtils.mergeLists(interceptors, additionalInterceptors);
         interceptors = CollectionUtils.mergeLists(interceptors, config.option(SdkClientOption.EXECUTION_INTERCEPTORS));

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/builder/test-query-client-builder-class.java

@@ -15,6 +15,7 @@
 import software.amazon.awssdk.protocols.query.interceptor.QueryParametersToBodyInterceptor;
 import software.amazon.awssdk.services.query.rules.QueryClientContextParams;
 import software.amazon.awssdk.services.query.rules.QueryEndpointProvider;
+import software.amazon.awssdk.services.query.rules.internal.QueryEndpointAuthSchemeInterceptor;
 import software.amazon.awssdk.services.query.rules.internal.QueryRequestSetEndpointInterceptor;
 import software.amazon.awssdk.services.query.rules.internal.QueryResolveEndpointInterceptor;
 import software.amazon.awssdk.utils.CollectionUtils;
@@ -49,6 +50,7 @@ protected final SdkClientConfiguration finalizeServiceConfiguration(SdkClientCon
             .getInterceptors("software/amazon/awssdk/services/query/execution.interceptors");
         List<ExecutionInterceptor> additionalInterceptors = new ArrayList<>();
         additionalInterceptors.add(new QueryResolveEndpointInterceptor());
+        additionalInterceptors.add(new QueryEndpointAuthSchemeInterceptor());
         additionalInterceptors.add(new QueryRequestSetEndpointInterceptor());
         additionalInterceptors.add(new QueryParametersToBodyInterceptor());
         interceptors = CollectionUtils.mergeLists(interceptors, additionalInterceptors);

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/rules/endpoint-auth-scheme-interceptor.java

@@ -0,0 +1,55 @@
+package software.amazon.awssdk.services.query.rules.internal;
+
+import java.util.List;
+import java.util.function.Supplier;
+import software.amazon.awssdk.annotations.Generated;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.auth.signer.Aws4Signer;
+import software.amazon.awssdk.auth.signer.SignerLoader;
+import software.amazon.awssdk.awscore.AwsRequest;
+import software.amazon.awssdk.awscore.rules.AwsEndpointAttribute;
+import software.amazon.awssdk.awscore.rules.AwsEndpointProviderUtils;
+import software.amazon.awssdk.awscore.rules.authscheme.AuthSchemeUtils;
+import software.amazon.awssdk.awscore.rules.authscheme.EndpointAuthScheme;
+import software.amazon.awssdk.awscore.util.SignerOverrideUtils;
+import software.amazon.awssdk.core.SdkRequest;
+import software.amazon.awssdk.core.exception.SdkClientException;
+import software.amazon.awssdk.core.interceptor.Context;
+import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
+import software.amazon.awssdk.core.interceptor.ExecutionInterceptor;
+import software.amazon.awssdk.core.interceptor.SdkInternalExecutionAttribute;
+import software.amazon.awssdk.core.rules.model.Endpoint;
+import software.amazon.awssdk.core.signer.Signer;
+
+@Generated("software.amazon.awssdk:codegen")
+@SdkInternalApi
+public final class QueryEndpointAuthSchemeInterceptor implements ExecutionInterceptor {
+    @Override
+    public SdkRequest modifyRequest(Context.ModifyRequest context, ExecutionAttributes executionAttributes) {
+        Endpoint resolvedEndpoint = executionAttributes.getAttribute(SdkInternalExecutionAttribute.RESOLVED_ENDPOINT);
+        AwsRequest request = (AwsRequest) context.request();
+        if (resolvedEndpoint.headers() != null) {
+            request = AwsEndpointProviderUtils.addHeaders(request, resolvedEndpoint.headers());
+        }
+        List<EndpointAuthScheme> authSchemes = resolvedEndpoint.attribute(AwsEndpointAttribute.AUTH_SCHEMES);
+        if (authSchemes == null) {
+            return request;
+        }
+        EndpointAuthScheme chosenAuthScheme = AuthSchemeUtils.chooseAuthScheme(authSchemes);
+        Supplier<Signer> signerProvider = signerProvider(chosenAuthScheme);
+        AuthSchemeUtils.setSigningParams(executionAttributes, chosenAuthScheme);
+        return SignerOverrideUtils.overrideSignerIfNotOverridden(request, executionAttributes, signerProvider);
+    }
+
+    private Supplier<Signer> signerProvider(EndpointAuthScheme authScheme) {
+        switch (authScheme.name()) {
+            case "sigv4":
+                return Aws4Signer::create;
+            case "sigv4a":
+                return SignerLoader::getSigV4aSigner;
+            default:
+                break;
+        }
+        throw SdkClientException.create("Don't know how to create signer for auth scheme: " + authScheme.name());
+    }
+}

core/aws-core/src/main/java/software/amazon/awssdk/awscore/rules/AwsEndpointAttribute.java

@@ -18,6 +18,7 @@
 import java.util.Collections;
 import java.util.List;
 import software.amazon.awssdk.annotations.SdkProtectedApi;
+import software.amazon.awssdk.awscore.rules.authscheme.EndpointAuthScheme;
 import software.amazon.awssdk.core.rules.model.EndpointAttributeKey;
 
 /**