fix(client-sts): disable auth for public assumeRole commands (#1706)

Author: trivikr

clients/client-sts/STSClient.ts

@@ -30,12 +30,7 @@ import {
 } from "@aws-sdk/middleware-host-header";
 import { getLoggerPlugin } from "@aws-sdk/middleware-logger";
 import { RetryInputConfig, RetryResolvedConfig, getRetryPlugin, resolveRetryConfig } from "@aws-sdk/middleware-retry";
-import {
-  AwsAuthInputConfig,
-  AwsAuthResolvedConfig,
-  getAwsAuthPlugin,
-  resolveAwsAuthConfig,
-} from "@aws-sdk/middleware-signing";
+import { AwsAuthInputConfig, AwsAuthResolvedConfig, resolveAwsAuthConfig } from "@aws-sdk/middleware-signing";
 import {
   UserAgentInputConfig,
   UserAgentResolvedConfig,
@@ -221,7 +216,6 @@ export class STSClient extends __Client<
     let _config_6 = resolveHostHeaderConfig(_config_5);
     super(_config_6);
     this.config = _config_6;
-    this.middlewareStack.use(getAwsAuthPlugin(this.config));
     this.middlewareStack.use(getRetryPlugin(this.config));
     this.middlewareStack.use(getUserAgentPlugin(this.config));
     this.middlewareStack.use(getContentLengthPlugin(this.config));

clients/client-sts/commands/AssumeRoleCommand.ts

@@ -2,6 +2,7 @@ import { STSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "
 import { AssumeRoleRequest, AssumeRoleResponse } from "../models/models_0";
 import { deserializeAws_queryAssumeRoleCommand, serializeAws_queryAssumeRoleCommand } from "../protocols/Aws_query";
 import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
 import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
 import { Command as $Command } from "@aws-sdk/smithy-client";
 import {
@@ -151,6 +152,7 @@ export class AssumeRoleCommand extends $Command<
     options?: __HttpHandlerOptions
   ): Handler<AssumeRoleCommandInput, AssumeRoleCommandOutput> {
     this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+    this.middlewareStack.use(getAwsAuthPlugin(configuration));
 
     const stack = clientStack.concat(this.middlewareStack);
 

clients/client-sts/commands/DecodeAuthorizationMessageCommand.ts

@@ -5,6 +5,7 @@ import {
   serializeAws_queryDecodeAuthorizationMessageCommand,
 } from "../protocols/Aws_query";
 import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
 import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
 import { Command as $Command } from "@aws-sdk/smithy-client";
 import {
@@ -81,6 +82,7 @@ export class DecodeAuthorizationMessageCommand extends $Command<
     options?: __HttpHandlerOptions
   ): Handler<DecodeAuthorizationMessageCommandInput, DecodeAuthorizationMessageCommandOutput> {
     this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+    this.middlewareStack.use(getAwsAuthPlugin(configuration));
 
     const stack = clientStack.concat(this.middlewareStack);
 

clients/client-sts/commands/GetAccessKeyInfoCommand.ts

@@ -5,6 +5,7 @@ import {
   serializeAws_queryGetAccessKeyInfoCommand,
 } from "../protocols/Aws_query";
 import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
 import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
 import { Command as $Command } from "@aws-sdk/smithy-client";
 import {
@@ -63,6 +64,7 @@ export class GetAccessKeyInfoCommand extends $Command<
     options?: __HttpHandlerOptions
   ): Handler<GetAccessKeyInfoCommandInput, GetAccessKeyInfoCommandOutput> {
     this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+    this.middlewareStack.use(getAwsAuthPlugin(configuration));
 
     const stack = clientStack.concat(this.middlewareStack);
 

clients/client-sts/commands/GetCallerIdentityCommand.ts

@@ -5,6 +5,7 @@ import {
   serializeAws_queryGetCallerIdentityCommand,
 } from "../protocols/Aws_query";
 import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
 import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
 import { Command as $Command } from "@aws-sdk/smithy-client";
 import {
@@ -55,6 +56,7 @@ export class GetCallerIdentityCommand extends $Command<
     options?: __HttpHandlerOptions
   ): Handler<GetCallerIdentityCommandInput, GetCallerIdentityCommandOutput> {
     this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+    this.middlewareStack.use(getAwsAuthPlugin(configuration));
 
     const stack = clientStack.concat(this.middlewareStack);
 

clients/client-sts/commands/GetFederationTokenCommand.ts

@@ -5,6 +5,7 @@ import {
   serializeAws_queryGetFederationTokenCommand,
 } from "../protocols/Aws_query";
 import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
 import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
 import { Command as $Command } from "@aws-sdk/smithy-client";
 import {
@@ -124,6 +125,7 @@ export class GetFederationTokenCommand extends $Command<
     options?: __HttpHandlerOptions
   ): Handler<GetFederationTokenCommandInput, GetFederationTokenCommandOutput> {
     this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+    this.middlewareStack.use(getAwsAuthPlugin(configuration));
 
     const stack = clientStack.concat(this.middlewareStack);
 

clients/client-sts/commands/GetSessionTokenCommand.ts

@@ -5,6 +5,7 @@ import {
   serializeAws_queryGetSessionTokenCommand,
 } from "../protocols/Aws_query";
 import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
 import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
 import { Command as $Command } from "@aws-sdk/smithy-client";
 import {
@@ -97,6 +98,7 @@ export class GetSessionTokenCommand extends $Command<
     options?: __HttpHandlerOptions
   ): Handler<GetSessionTokenCommandInput, GetSessionTokenCommandOutput> {
     this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+    this.middlewareStack.use(getAwsAuthPlugin(configuration));
 
     const stack = clientStack.concat(this.middlewareStack);
 

codegen/smithy-aws-typescript-codegen/src/main/java/software/amazon/smithy/aws/typescript/codegen/AddBuiltinPlugins.java

@@ -67,7 +67,10 @@ public List<RuntimeClientPlugin> getClientPlugins() {
                         .withConventions(AwsDependency.MIDDLEWARE_SIGNING.dependency, "AwsAuth", HAS_MIDDLEWARE)
                         // See operationUsesAwsAuth() below for AwsAuth Middleware customizations.
                         .servicePredicate(
-                            (m, s) -> !testServiceId(s, "Cognito Identity") && !hasOptionalAuthOperation(m, s)
+                            (m, s) -> 
+                                !testServiceId(s, "Cognito Identity") &&
+                                !testServiceId(s, "STS") &&
+                                !hasOptionalAuthOperation(m, s)
                         ).build(),
                 RuntimeClientPlugin.builder()
                         .withConventions(TypeScriptDependency.MIDDLEWARE_RETRY.dependency, "Retry")
@@ -174,6 +177,16 @@ private static boolean operationUsesAwsAuth(Model model, ServiceShape service, O
                     .contains(operation.getId().getName());
             return !isUnsignedCommand;
         }
+
+        // STS doesn't need auth for AssumeRoleWithWebIdentity, AssumeRoleWithSAML.
+        // Remove when optionalAuth model update is published in 0533102932.
+        if (testServiceId(service, "STS")) {
+            Boolean isUnsignedCommand = SetUtils
+                    .of("AssumeRoleWithWebIdentity", "AssumeRoleWithSAML")
+                    .contains(operation.getId().getName());
+            return !isUnsignedCommand;
+        }
+
         // optionalAuth trait doesn't require authentication.
         if (hasOptionalAuthOperation(model, service)) {
             return !operation.getTrait(OptionalAuthTrait.class).isPresent();