Connect aws-config token providers to service config via codegen #3443
Conversation
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
jdisanti
force-pushed
the
jdisanti-wire-up-token-providers
branch
from
974a8d2 to
48d3ea4
Compare
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
| @@ -22,29 +24,38 @@ import software.amazon.smithy.rust.codegen.core.smithy.RuntimeType.Companion.pre | |||
| import software.amazon.smithy.rust.codegen.core.smithy.RustCrate | |||
| import software.amazon.smithy.rust.codegen.core.smithy.customize.AdHocCustomization | |||
| import software.amazon.smithy.rust.codegen.core.smithy.customize.adhocCustomization | |||
| import software.amazon.smithy.rust.codegen.core.util.letIf | |||
|
|
|||
| class CredentialsProviderDecorator : ClientCodegenDecorator { | |||
There was a problem hiding this comment.
maybe we should rename this to SigV4CredentialsProviderDecorator
There was a problem hiding this comment.
I'm slightly hesitant to make it more specific, but could be convinced. It applies to both SigV4 and SigV4a right now, and it could apply to more things in the future.
aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/SigV4AuthDecorator.kt
Outdated
Show resolved
Hide resolved
| private fun applies(codegenContext: ClientCodegenContext): Boolean = | ||
| ServiceIndex.of(codegenContext.model).getEffectiveAuthSchemes(codegenContext.serviceShape) | ||
| .containsKey(SigV4Trait.ID) || codegenContext.serviceShape.usesSigV4a() | ||
|
|
There was a problem hiding this comment.
these changes are to clean up support for bearer-only services?
There was a problem hiding this comment.
Yeah. For Code Catalyst, it doesn't make sense to have methods to configure credential providers since it doesn't use SigV4.
There was a problem hiding this comment.
I suppose it is in a way, in terms of compiling, except for that the service wouldn't have worked to begin with.
Edit: I'll double check that SigV4 auth didn't work with it.
There was a problem hiding this comment.
Confirmed the currently released aws-sdk-codecatalyst doesn't actually work:
[src/main.rs:5] client.list_spaces().send().await = Err(
DispatchFailure(
DispatchFailure {
source: ConnectorError {
kind: Other(
None,
),
source: NoMatchingAuthSchemeError(
ExploredList {
items: [
ExploredAuthOption {
scheme_id: AuthSchemeId {
scheme_id: "http-bearer-auth",
},
result: NoIdentityResolver,
},
],
truncated: false,
},
),
connection: Unknown,
},
},
),
)
aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/SigV4AuthDecorator.kt
Outdated
Show resolved
Hide resolved
aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/SigV4AuthDecorator.kt
Outdated
Show resolved
Hide resolved
aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/TokenProvidersDecorator.kt
Outdated
Show resolved
Hide resolved
aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/TokenProvidersDecorator.kt
Outdated
Show resolved
Hide resolved
aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/TokenProvidersDecorator.kt
Outdated
Show resolved
Hide resolved
| val moduleName = ctx.moduleUseName() | ||
| rustTemplate( | ||
| """ | ||
| // this should compile | ||
| let _ = $moduleName::Config::builder() | ||
| .token_provider(#{TestToken}::for_tests()) | ||
| .build(); | ||
|
|
||
| // this should also compile | ||
| $moduleName::Config::builder() | ||
| .set_token_provider(Some(#{SharedTokenProvider}::new(#{TestToken}::for_tests()))); | ||
| """, | ||
| "TestToken" to AwsRuntimeType.awsCredentialTypesTestUtil(ctx.runtimeConfig).resolve("Token"), | ||
| "SharedTokenProvider" to | ||
| AwsRuntimeType.awsCredentialTypes(ctx.runtimeConfig) | ||
| .resolve("provider::token::SharedTokenProvider"), | ||
| ) | ||
| } |
There was a problem hiding this comment.
do you want to also test that the token is actually readable back? or do we have enough other tests of that?
There was a problem hiding this comment.
There's currently no way to read back the other identity resolvers such as credentials providers. Seems like we should probably address that at some point, but the difference between ProvideCredentials and ResolveIdentity makes that difficult.
There was a problem hiding this comment.
I guess we could have a pub(crate) method on config to read it?
| pub fn for_tests() -> Self { | ||
| Self::new("test-token", None) | ||
| } |
There was a problem hiding this comment.
aws-config::ConfigLoader::with_test_credentials should set a token identity as well
There was a problem hiding this comment.
Do you mean the test_credentials method? I do have the generated Config::with_test_defaults() method setting a token.
There was a problem hiding this comment.
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
| class CredentialsProviderDecorator : ConditionalDecorator( | ||
| predicate = { codegenContext, _ -> codegenContext?.usesSigAuth() ?: false }, | ||
| delegateTo = | ||
| object : ClientCodegenDecorator { |
There was a problem hiding this comment.
I wonder if we can make this slightly cleaner like:
private class Unfiltered(....)
class CredentialsProviderDecorator: ConditionalDecorator(Unfiltered.Filter, Unfiltered())
might be a bit cleaner / less nesting? anyway, up to you
| /** | ||
| * Delegating decorator that only applies when a condition is true | ||
| */ | ||
| open class ConditionalDecorator( |
There was a problem hiding this comment.
I guess this could actually live in codegen-client
| pub fn for_tests() -> Self { | ||
| Self::new("test-token", None) | ||
| } |
There was a problem hiding this comment.
| val moduleName = ctx.moduleUseName() | ||
| rustTemplate( | ||
| """ | ||
| // this should compile | ||
| let _ = $moduleName::Config::builder() | ||
| .token_provider(#{TestToken}::for_tests()) | ||
| .build(); | ||
|
|
||
| // this should also compile | ||
| $moduleName::Config::builder() | ||
| .set_token_provider(Some(#{SharedTokenProvider}::new(#{TestToken}::for_tests()))); | ||
| """, | ||
| "TestToken" to AwsRuntimeType.awsCredentialTypesTestUtil(ctx.runtimeConfig).resolve("Token"), | ||
| "SharedTokenProvider" to | ||
| AwsRuntimeType.awsCredentialTypes(ctx.runtimeConfig) | ||
| .resolve("provider::token::SharedTokenProvider"), | ||
| ) | ||
| } |
There was a problem hiding this comment.
I guess we could have a pub(crate) method on config to read it?
|
A new generated diff is ready to view.
A new doc preview is ready to view. |
This PR adds support for SSO bearer token authentication to the AWS SDK, specifically for Code Catalyst, which requires authentication via SSO with a Builder ID using a bearer token rather than SigV4. This functionality was developed in a feature branch, and this PR merely merges that branch to main. The changes consist of the following previous PRs: - #3381 - #3442 - #3443 All these changes have been reviewed in the previous PRs, but it would be good to review this again as a whole to verify it all looks good. ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._
This PR connects the token providers added in #3442 to the generated service config.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.