Detect AWS IAM Auth by looking for common patterns

NiltiakSivad · NiltiakSivad · commit cc2a444c24e2 · 2025-06-03T13:19:28.000-06:00
diff --git a/modules/openapi-generator/src/main/java/org/openapitools/codegen/CodegenSecurity.java b/modules/openapi-generator/src/main/java/org/openapitools/codegen/CodegenSecurity.java
@@ -30,7 +30,7 @@ public class CodegenSecurity {
     // Those are to differentiate basic and bearer authentication
     // isHttpSignature is to support HTTP signature authorization scheme.
     // https://datatracker.ietf.org/doc/draft-cavage-http-signatures/
-    public Boolean isBasicBasic, isBasicBearer, isHttpSignature;
+    public Boolean isBasicBasic, isBasicBearer, isHttpSignature, isAWSV4Signature;
     public String bearerFormat;
     public Map<String, Object> vendorExtensions = new HashMap<String, Object>();
     // ApiKey specific
@@ -56,6 +56,7 @@ public CodegenSecurity(CodegenSecurity original) {
         this.isBasic = original.isBasic;
         this.isBasicBasic = original.isBasicBasic;
         this.isHttpSignature = original.isHttpSignature;
+        this.isAWSV4Signature = original.isAWSV4Signature;
         this.bearerFormat = original.bearerFormat;
         this.isBasicBearer = original.isBasicBearer;
         this.isApiKey = original.isApiKey;
@@ -134,6 +135,7 @@ public boolean equals(Object o) {
                 Objects.equals(isApiKey, that.isApiKey) &&
                 Objects.equals(isBasicBasic, that.isBasicBasic) &&
                 Objects.equals(isHttpSignature, that.isHttpSignature) &&
+                Objects.equals(isAWSV4Signature, that.isAWSV4Signature) &&
                 Objects.equals(isBasicBearer, that.isBasicBearer) &&
                 Objects.equals(bearerFormat, that.bearerFormat) &&
                 Objects.equals(vendorExtensions, that.vendorExtensions) &&
@@ -157,7 +159,7 @@ public boolean equals(Object o) {
     public int hashCode() {
 
         return Objects.hash(name, description, type, scheme, isBasic, isOAuth, isOpenId, isApiKey,
-                isBasicBasic, isHttpSignature, isBasicBearer, bearerFormat, vendorExtensions,
+                isBasicBasic, isHttpSignature, isAWSV4Signature, isBasicBearer, bearerFormat, vendorExtensions,
                 keyParamName, isKeyInQuery, isKeyInHeader, isKeyInCookie, flow,
                 authorizationUrl, tokenUrl, refreshUrl, scopes, isCode, isPassword, isApplication, isImplicit,
                 openIdConnectUrl);
@@ -176,6 +178,7 @@ public String toString() {
         sb.append(", isApiKey=").append(isApiKey);
         sb.append(", isBasicBasic=").append(isBasicBasic);
         sb.append(", isHttpSignature=").append(isHttpSignature);
+        sb.append(", isAWSV4Signature=").append(isAWSV4Signature);
         sb.append(", isBasicBearer=").append(isBasicBearer);
         sb.append(", bearerFormat='").append(bearerFormat).append('\'');
         sb.append(", vendorExtensions=").append(vendorExtensions);
diff --git a/modules/openapi-generator/src/main/java/org/openapitools/codegen/languages/TypeScriptAxiosClientCodegen.java b/modules/openapi-generator/src/main/java/org/openapitools/codegen/languages/TypeScriptAxiosClientCodegen.java
@@ -17,10 +17,12 @@
 
 package org.openapitools.codegen.languages;
 
-import io.swagger.v3.oas.models.media.Schema;
-import io.swagger.v3.parser.util.SchemaTypeUtil;
-import lombok.Getter;
-import lombok.Setter;
+import java.io.File;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.TreeSet;
+
 import org.apache.commons.lang3.StringUtils;
 import org.openapitools.codegen.*;
 import org.openapitools.codegen.meta.features.DocumentationFeature;
@@ -30,12 +32,15 @@
 import org.openapitools.codegen.model.OperationMap;
 import org.openapitools.codegen.model.OperationsMap;
 import org.openapitools.codegen.utils.ModelUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-import java.io.File;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
-import java.util.TreeSet;
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.media.Schema;
+import io.swagger.v3.oas.models.security.SecurityScheme;
+import io.swagger.v3.parser.util.SchemaTypeUtil;
+import lombok.Getter;
+import lombok.Setter;
 
 public class TypeScriptAxiosClientCodegen extends AbstractTypeScriptClientCodegen {
 
@@ -53,6 +58,8 @@ public class TypeScriptAxiosClientCodegen extends AbstractTypeScriptClientCodege
     public static final String AXIOS_VERSION = "axiosVersion";
     public static final String DEFAULT_AXIOS_VERSION = "^1.6.1";
 
+    private final Logger LOGGER = LoggerFactory.getLogger(TypeScriptAxiosClientCodegen.class);
+
     @Getter @Setter
     protected String npmRepository = null;
     protected Boolean stringEnums = false;
@@ -121,6 +128,76 @@ private static String getRelativeToRoot(String path) {
         return sb.toString();
     }
 
+    @Override
+    public void preprocessOpenAPI(OpenAPI openAPI) {
+        super.preprocessOpenAPI(openAPI);
+
+        boolean hasAwsV4Signature = detectAwsV4Signature(openAPI);
+        additionalProperties.put("withAWSV4Signature", hasAwsV4Signature);
+    }
+
+    /**
+     * Detects if the OpenAPI specification uses AWS V4 signature authentication
+     * by checking for common patterns used in AWS API Gateway specifications.
+     */
+    private boolean detectAwsV4Signature(OpenAPI openAPI) {
+        // Check security schemes for AWS V4 signature patterns
+        if (openAPI.getComponents() != null && openAPI.getComponents().getSecuritySchemes() != null) {
+            return openAPI.getComponents().getSecuritySchemes().entrySet().stream()
+                    .anyMatch(entry -> isAwsV4SecurityScheme(entry.getKey(), entry.getValue(), openAPI));
+        }
+
+        return false;
+    }
+
+    /**
+     * Determines if a security scheme represents AWS V4 signature authentication
+     */
+    private boolean isAwsV4SecurityScheme(String schemeName, SecurityScheme scheme, OpenAPI openAPI) {
+        if (scheme == null) {
+            return false;
+        }
+
+        // Pattern 1: Check for AWS-specific extension
+        if (scheme.getExtensions() != null) {
+            Object authType = scheme.getExtensions().get("x-amazon-apigateway-authtype");
+            if ("awsSigv4".equals(authType)) {
+                return true;
+            }
+        }
+
+        // Pattern 2: Check for common AWS V4 signature scheme names
+        String lowerSchemeName = schemeName.toLowerCase(Locale.ROOT);
+        if (lowerSchemeName.contains("sigv4") ||
+                lowerSchemeName.contains("aws") ||
+                lowerSchemeName.contains("iam")) {
+
+            // Additional validation: should be apiKey type with Authorization header
+            if (SecurityScheme.Type.APIKEY.equals(scheme.getType()) &&
+                    "Authorization".equalsIgnoreCase(scheme.getName()) &&
+                    SecurityScheme.In.HEADER.equals(scheme.getIn())) {
+                return true;
+            }
+        }
+
+        // Pattern 3: Check for AWS API Gateway URL patterns in servers
+        if (openAPI.getServers() != null) {
+            boolean hasAwsApiGatewayUrl = openAPI.getServers().stream()
+                    .anyMatch(server -> server.getUrl() != null &&
+                            (server.getUrl().contains("execute-api") && server.getUrl().contains("amazonaws.com")));
+
+            // If we have AWS API Gateway URL and an Authorization header scheme, likely AWS V4
+            if (hasAwsApiGatewayUrl &&
+                    SecurityScheme.Type.APIKEY.equals(scheme.getType()) &&
+                    "Authorization".equalsIgnoreCase(scheme.getName()) &&
+                    SecurityScheme.In.HEADER.equals(scheme.getIn())) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     @Override
     public void processOpts() {
         super.processOpts();
@@ -182,7 +259,6 @@ public void processOpts() {
             setAxiosVersion(additionalProperties.get(AXIOS_VERSION).toString());
         }
         additionalProperties.put("axiosVersion", getAxiosVersion());
-
     }
 
     @Override
@@ -363,4 +439,22 @@ protected void addImport(Schema composed, Schema childSchema, CodegenModel model
         // import everything (including child schema of a composed schema)
         addImport(model, modelName);
     }
+
+    @Override
+    public List<CodegenSecurity> fromSecurity(Map<String, SecurityScheme> securitySchemeMap) {
+        List<CodegenSecurity> securities = super.fromSecurity(securitySchemeMap);
+
+        // Post-process security schemes to detect AWS V4 signature
+        for (CodegenSecurity security : securities) {
+            if (securitySchemeMap.containsKey(security.name)) {
+                SecurityScheme scheme = securitySchemeMap.get(security.name);
+                if (isAwsV4SecurityScheme(security.name, scheme, this.openAPI)) {
+                    security.isAWSV4Signature = true;
+                    LOGGER.info("Detected AWS V4 signature security scheme: {}", security.name);
+                }
+            }
+        }
+
+        return securities;
+    }
 }
diff --git a/modules/openapi-generator/src/test/java/org/openapitools/codegen/typescript/axios/TypeScriptAxiosClientCodegenTest.java b/modules/openapi-generator/src/test/java/org/openapitools/codegen/typescript/axios/TypeScriptAxiosClientCodegenTest.java
@@ -1,13 +1,23 @@
 package org.openapitools.codegen.typescript.axios;
 
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertTrue;
+
+import java.util.List;
+import java.util.Map;
+
 import org.openapitools.codegen.CodegenConstants;
+import org.openapitools.codegen.CodegenSecurity;
 import org.openapitools.codegen.SupportingFile;
+import org.openapitools.codegen.TestUtils;
 import org.openapitools.codegen.languages.TypeScriptAxiosClientCodegen;
 import org.openapitools.codegen.typescript.TypeScriptGroups;
 import org.testng.annotations.Test;
 
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.testng.Assert.assertEquals;
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.security.SecurityScheme;
 
 @Test(groups = {TypeScriptGroups.TYPESCRIPT, TypeScriptGroups.TYPESCRIPT_AXIOS})
 public class TypeScriptAxiosClientCodegenTest {
@@ -130,4 +140,72 @@ public void testAppliesCustomAxiosVersion() {
 
         assertEquals(codegen.additionalProperties().get("axiosVersion"), "^1.2.3");
     }
+
+    @Test
+    public void testDetectsAwsIamAuthenticationWithExtension() {
+        OpenAPI openAPI = TestUtils.parseFlattenSpec("src/test/resources/3_0/typescript-axios/with-aws-iam.yaml");
+        TypeScriptAxiosClientCodegen codegen = new TypeScriptAxiosClientCodegen();
+
+        // Call preprocessOpenAPI which will detect AWS and set the property
+        codegen.preprocessOpenAPI(openAPI);
+
+        // Should detect AWS V4 signature due to x-amazon-apigateway-authtype extension
+        assertTrue((Boolean) codegen.additionalProperties().get(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT));
+    }
+
+    @Test
+    public void testDetectsAwsIamAuthenticationWithNaming() {
+        OpenAPI openAPI = TestUtils.parseFlattenSpec("src/test/resources/3_0/typescript-axios/with-aws-iam.yaml");
+        TypeScriptAxiosClientCodegen codegen = new TypeScriptAxiosClientCodegen();
+
+        // Call preprocessOpenAPI which will detect AWS and set the property
+        codegen.preprocessOpenAPI(openAPI);
+
+        // Should detect AWS V4 signature due to scheme name patterns and AWS API Gateway URL
+        assertTrue((Boolean) codegen.additionalProperties().get(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT));
+    }
+
+    @Test
+    public void testDoesNotDetectAwsIamInRegularPetstore() {
+        OpenAPI openAPI = TestUtils.parseFlattenSpec("src/test/resources/3_0/petstore.yaml");
+        TypeScriptAxiosClientCodegen codegen = new TypeScriptAxiosClientCodegen();
+
+        // Call preprocessOpenAPI
+        codegen.preprocessOpenAPI(openAPI);
+
+        // Should NOT detect AWS V4 signature in regular petstore
+        assertFalse(codegen.additionalProperties().containsKey(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT) &&
+                (Boolean) codegen.additionalProperties().get(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT));
+    }
+
+    @Test
+    public void testDoesNotDetectAwsIamInSwagger2Petstore() {
+        OpenAPI openAPI = TestUtils.parseFlattenSpec("src/test/resources/2_0/petstore.yaml");
+        TypeScriptAxiosClientCodegen codegen = new TypeScriptAxiosClientCodegen();
+
+        // Call preprocessOpenAPI
+        codegen.preprocessOpenAPI(openAPI);
+
+        // Should NOT detect AWS V4 signature in Swagger 2.0 petstore either
+        assertFalse(codegen.additionalProperties().containsKey(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT) &&
+                (Boolean) codegen.additionalProperties().get(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT));
+    }
+
+    @Test
+    public void testFromSecuritySetsAwsV4Flag() {
+        OpenAPI openAPI = TestUtils.parseFlattenSpec("src/test/resources/3_0/typescript-axios/with-aws-iam.yaml");
+        TypeScriptAxiosClientCodegen codegen = new TypeScriptAxiosClientCodegen();
+
+        // Call preprocessOpenAPI first to set up the openAPI object
+        codegen.preprocessOpenAPI(openAPI);
+
+        // Test fromSecurity method directly
+        Map<String, SecurityScheme> securitySchemes =
+                openAPI.getComponents().getSecuritySchemes();
+        List<CodegenSecurity> securities = codegen.fromSecurity(securitySchemes);
+
+        // Should have AWS V4 signature flagged on individual security schemes
+        boolean hasAwsV4 = securities.stream().anyMatch(s -> Boolean.TRUE.equals(s.isAWSV4Signature));
+        assertTrue(hasAwsV4, "fromSecurity should set isAWSV4Signature=true for AWS schemes");
+    }
 }
