Add HTTP basic and bearer auth support to the orchestrator (#2622)

## Motivation and Context
This PR adds support for Smithy's `@httpBasicAuth` and `@httpBearerAuth`
auth schemes, and ports the `@httpApiKeyAuth` scheme to the
orchestrator. This is prerequisite work for supporting Amazon
CodeCatalyst since that requires bearer auth.

This PR also fixes a bug in auth orchestrator that caused an error if no
identity is present for a scheme even when an identity for a lower
priority scheme is available.

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._

---------

Co-authored-by: Zelda Hessler <zhessler@amazon.com>

Author: 2 people

aws/rust-runtime/aws-runtime/src/auth.rs

@@ -12,10 +12,9 @@ pub mod sigv4 {
         UriPathNormalizationMode,
     };
     use aws_smithy_http::property_bag::PropertyBag;
-    use aws_smithy_runtime_api::client::identity::Identity;
+    use aws_smithy_runtime_api::client::identity::{Identity, IdentityResolver, IdentityResolvers};
     use aws_smithy_runtime_api::client::orchestrator::{
-        BoxError, HttpAuthScheme, HttpRequest, HttpRequestSigner, IdentityResolver,
-        IdentityResolvers,
+        BoxError, HttpAuthScheme, HttpRequest, HttpRequestSigner,
     };
     use aws_types::region::SigningRegion;
     use aws_types::SigningService;

aws/rust-runtime/aws-runtime/src/identity.rs

@@ -7,10 +7,8 @@
 pub mod credentials {
     use aws_credential_types::cache::SharedCredentialsCache;
     use aws_smithy_http::property_bag::PropertyBag;
-    use aws_smithy_runtime_api::client::identity::Identity;
-    use aws_smithy_runtime_api::client::orchestrator::{
-        BoxError, BoxFallibleFut, IdentityResolver,
-    };
+    use aws_smithy_runtime_api::client::identity::{Identity, IdentityResolver};
+    use aws_smithy_runtime_api::client::orchestrator::{BoxError, Future};
 
     /// Smithy identity resolver for AWS credentials.
     #[derive(Debug)]
@@ -26,13 +24,13 @@ pub mod credentials {
     }
 
     impl IdentityResolver for CredentialsIdentityResolver {
-        fn resolve_identity(&self, _identity_properties: &PropertyBag) -> BoxFallibleFut<Identity> {
+        fn resolve_identity(&self, _identity_properties: &PropertyBag) -> Future<Identity> {
             let cache = self.credentials_cache.clone();
-            Box::pin(async move {
+            Future::new(Box::pin(async move {
                 let credentials = cache.as_ref().provide_cached_credentials().await?;
                 let expiration = credentials.expiry();
                 Result::<_, BoxError>::Ok(Identity::new(credentials, expiration))
-            })
+            }))
         }
     }
 }

aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/AwsFluentClientDecorator.kt

@@ -5,7 +5,6 @@
 
 package software.amazon.smithy.rustsdk
 
-import software.amazon.smithy.codegen.core.Symbol
 import software.amazon.smithy.rust.codegen.client.smithy.ClientCodegenContext
 import software.amazon.smithy.rust.codegen.client.smithy.ClientRustModule
 import software.amazon.smithy.rust.codegen.client.smithy.customize.ClientCodegenDecorator
@@ -14,6 +13,7 @@ import software.amazon.smithy.rust.codegen.client.smithy.generators.client.Fluen
 import software.amazon.smithy.rust.codegen.client.smithy.generators.client.FluentClientGenerator
 import software.amazon.smithy.rust.codegen.client.smithy.generators.client.FluentClientGenerics
 import software.amazon.smithy.rust.codegen.client.smithy.generators.client.FluentClientSection
+import software.amazon.smithy.rust.codegen.client.smithy.generators.client.NoClientGenerics
 import software.amazon.smithy.rust.codegen.core.rustlang.Attribute
 import software.amazon.smithy.rust.codegen.core.rustlang.Feature
 import software.amazon.smithy.rust.codegen.core.rustlang.GenericTypeArg
@@ -50,37 +50,6 @@ private class Types(runtimeConfig: RuntimeConfig) {
     val timeoutConfig = smithyTypes.resolve("timeout::TimeoutConfig")
 }
 
-private class AwsClientGenerics(private val types: Types) : FluentClientGenerics {
-    /** Declaration with defaults set */
-    override val decl = writable { }
-
-    /** Instantiation of the Smithy client generics */
-    override val smithyInst = writable {
-        rustTemplate(
-            "<#{DynConnector}, #{DynMiddleware}<#{DynConnector}>>",
-            "DynConnector" to types.dynConnector,
-            "DynMiddleware" to types.dynMiddleware,
-        )
-    }
-
-    /** Instantiation */
-    override val inst = ""
-
-    /** Trait bounds */
-    override val bounds = writable { }
-
-    /** Bounds for generated `send()` functions */
-    override fun sendBounds(
-        operation: Symbol,
-        operationOutput: Symbol,
-        operationError: Symbol,
-        retryClassifier: RuntimeType,
-    ): Writable =
-        writable { }
-
-    override fun toRustGenerics() = RustGenerics()
-}
-
 class AwsFluentClientDecorator : ClientCodegenDecorator {
     override val name: String = "FluentClient"
 
@@ -90,7 +59,7 @@ class AwsFluentClientDecorator : ClientCodegenDecorator {
     override fun extras(codegenContext: ClientCodegenContext, rustCrate: RustCrate) {
         val runtimeConfig = codegenContext.runtimeConfig
         val types = Types(runtimeConfig)
-        val generics = AwsClientGenerics(types)
+        val generics = NoClientGenerics(runtimeConfig)
         FluentClientGenerator(
             codegenContext,
             reexportSmithyClientBuilder = false,

aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/CredentialProviders.kt

@@ -112,18 +112,24 @@ class CredentialsIdentityResolverRegistration(
 
     override fun section(section: ServiceRuntimePluginSection): Writable = writable {
         when (section) {
-            is ServiceRuntimePluginSection.IdentityResolver -> {
+            is ServiceRuntimePluginSection.AdditionalConfig -> {
                 rustTemplate(
                     """
-                    .identity_resolver(
-                        #{SIGV4_SCHEME_ID},
-                        #{CredentialsIdentityResolver}::new(self.handle.conf.credentials_cache())
-                    )
+                    cfg.set_identity_resolvers(
+                        #{IdentityResolvers}::builder()
+                            .identity_resolver(
+                                #{SIGV4_SCHEME_ID},
+                                #{CredentialsIdentityResolver}::new(self.handle.conf.credentials_cache())
+                            )
+                            .build()
+                    );
                     """,
                     "SIGV4_SCHEME_ID" to AwsRuntimeType.awsRuntime(runtimeConfig)
                         .resolve("auth::sigv4::SCHEME_ID"),
                     "CredentialsIdentityResolver" to AwsRuntimeType.awsRuntime(runtimeConfig)
                         .resolve("identity::credentials::CredentialsIdentityResolver"),
+                    "IdentityResolvers" to RuntimeType.smithyRuntimeApi(runtimeConfig)
+                        .resolve("client::identity::IdentityResolvers"),
                 )
             }
             else -> {}

aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/HttpConnectorConfigCustomization.kt

@@ -15,17 +15,20 @@ import software.amazon.smithy.rust.codegen.core.rustlang.rustTemplate
 import software.amazon.smithy.rust.codegen.core.rustlang.writable
 import software.amazon.smithy.rust.codegen.core.smithy.CodegenContext
 import software.amazon.smithy.rust.codegen.core.smithy.RuntimeType
+import software.amazon.smithy.rust.codegen.core.util.letIf
 
+// TODO(enableNewSmithyRuntime): Delete this decorator since it's now in `codegen-client`
 class HttpConnectorDecorator : ClientCodegenDecorator {
     override val name: String = "HttpConnectorDecorator"
     override val order: Byte = 0
 
     override fun configCustomizations(
         codegenContext: ClientCodegenContext,
         baseCustomizations: List<ConfigCustomization>,
-    ): List<ConfigCustomization> {
-        return baseCustomizations + HttpConnectorConfigCustomization(codegenContext)
-    }
+    ): List<ConfigCustomization> =
+        baseCustomizations.letIf(!codegenContext.settings.codegenConfig.enableNewSmithyRuntime) {
+            it + HttpConnectorConfigCustomization(codegenContext)
+        }
 }
 
 class HttpConnectorConfigCustomization(

aws/sdk-codegen/src/main/kotlin/software/amazon/smithy/rustsdk/SigV4AuthDecorator.kt

@@ -136,6 +136,7 @@ private class AuthOperationRuntimePluginCustomization(private val codegenContext
                         signing_options.normalize_uri_path = $normalizeUrlPath;
                         signing_options.signing_optional = $signingOptional;
                         signing_options.payload_override = #{payload_override};
+                        signing_options.request_timestamp = cfg.request_time().unwrap_or_default().system_time();
 
                         let mut sigv4_properties = #{PropertyBag}::new();
                         sigv4_properties.insert(#{SigV4OperationSigningConfig} {

aws/sra-test/integration-tests/aws-sdk-s3/benches/middleware_vs_orchestrator.rs

@@ -135,8 +135,9 @@ mod orchestrator {
     use aws_smithy_http::endpoint::SharedEndpointResolver;
     use aws_smithy_runtime::client::connections::adapter::DynConnectorAdapter;
     use aws_smithy_runtime::client::orchestrator::endpoints::DefaultEndpointResolver;
+    use aws_smithy_runtime_api::client::interceptors::error::ContextAttachedError;
     use aws_smithy_runtime_api::client::interceptors::{
-        Interceptor, InterceptorContext, InterceptorError, Interceptors,
+        Interceptor, InterceptorContext, Interceptors,
     };
     use aws_smithy_runtime_api::client::orchestrator::{
         BoxError, ConfigBagAccessors, Connection, HttpRequest, HttpResponse, TraceProbe,
@@ -156,7 +157,7 @@ mod orchestrator {
     impl RuntimePlugin for ManualServiceRuntimePlugin {
         fn configure(&self, cfg: &mut ConfigBag) -> Result<(), BoxError> {
             let identity_resolvers =
-                aws_smithy_runtime_api::client::orchestrator::IdentityResolvers::builder()
+                aws_smithy_runtime_api::client::identity::IdentityResolvers::builder()
                     .identity_resolver(
                         aws_runtime::auth::sigv4::SCHEME_ID,
                         aws_runtime::identity::credentials::CredentialsIdentityResolver::new(

aws/sra-test/integration-tests/aws-sdk-s3/tests/interceptors.rs

@@ -6,7 +6,6 @@
 use aws_credential_types::cache::{CredentialsCache, SharedCredentialsCache};
 use aws_credential_types::provider::SharedCredentialsProvider;
 use aws_http::user_agent::{ApiMetadata, AwsUserAgent};
-use aws_runtime::auth::sigv4::SigV4OperationSigningConfig;
 use aws_runtime::recursion_detection::RecursionDetectionInterceptor;
 use aws_runtime::user_agent::UserAgentInterceptor;
 use aws_sdk_s3::config::{Credentials, Region};
@@ -23,7 +22,7 @@ use aws_smithy_runtime::client::orchestrator::endpoints::DefaultEndpointResolver
 use aws_smithy_runtime_api::client::interceptors::error::ContextAttachedError;
 use aws_smithy_runtime_api::client::interceptors::{Interceptor, InterceptorContext, Interceptors};
 use aws_smithy_runtime_api::client::orchestrator::{
-    BoxError, ConfigBagAccessors, Connection, HttpRequest, HttpResponse, TraceProbe,
+    BoxError, ConfigBagAccessors, Connection, HttpRequest, HttpResponse, RequestTime, TraceProbe,
 };
 use aws_smithy_runtime_api::client::runtime_plugin::RuntimePlugin;
 use aws_smithy_runtime_api::config_bag::ConfigBag;
@@ -33,8 +32,6 @@ use aws_types::SigningService;
 use std::sync::Arc;
 use std::time::{Duration, UNIX_EPOCH};
 
-mod interceptors;
-
 // TODO(orchestrator-test): unignore
 #[ignore]
 #[tokio::test]
@@ -83,21 +80,6 @@ async fn sra_manual_test() {
 
     impl RuntimePlugin for ManualServiceRuntimePlugin {
         fn configure(&self, cfg: &mut ConfigBag) -> Result<(), BoxError> {
-            let identity_resolvers =
-                aws_smithy_runtime_api::client::orchestrator::IdentityResolvers::builder()
-                    .identity_resolver(
-                        aws_runtime::auth::sigv4::SCHEME_ID,
-                        aws_runtime::identity::credentials::CredentialsIdentityResolver::new(
-                            self.credentials_cache.clone(),
-                        ),
-                    )
-                    .identity_resolver(
-                        "anonymous",
-                        aws_smithy_runtime_api::client::identity::AnonymousIdentityResolver::new(),
-                    )
-                    .build();
-            cfg.set_identity_resolvers(identity_resolvers);
-
             let http_auth_schemes =
                 aws_smithy_runtime_api::client::orchestrator::HttpAuthSchemes::builder()
                     .auth_scheme(
@@ -107,6 +89,7 @@ async fn sra_manual_test() {
                     .build();
             cfg.set_http_auth_schemes(http_auth_schemes);
 
+            // Set an empty auth option resolver to be overridden by operations that need auth.
             cfg.set_auth_option_resolver(
                 aws_smithy_runtime_api::client::auth::option_resolver::AuthOptionListResolver::new(
                     Vec::new(),
@@ -142,31 +125,26 @@ async fn sra_manual_test() {
 
             cfg.put(SigningService::from_static("s3"));
             cfg.put(SigningRegion::from(Region::from_static("us-east-1")));
-
-            #[derive(Debug)]
-            struct OverrideSigningTimeInterceptor;
-            impl Interceptor<HttpRequest, HttpResponse> for OverrideSigningTimeInterceptor {
-                fn read_before_signing(
-                    &self,
-                    _context: &InterceptorContext<HttpRequest, HttpResponse>,
-                    cfg: &mut ConfigBag,
-                ) -> Result<(), BoxError> {
-                    let mut signing_config =
-                        cfg.get::<SigV4OperationSigningConfig>().unwrap().clone();
-                    signing_config.signing_options.request_timestamp =
-                        UNIX_EPOCH + Duration::from_secs(1624036048);
-                    cfg.put(signing_config);
-                    Ok(())
-                }
-            }
+            cfg.set_request_time(RequestTime::new(
+                UNIX_EPOCH + Duration::from_secs(1624036048),
+            ));
 
             cfg.put(ApiMetadata::new("unused", "unused"));
             cfg.put(AwsUserAgent::for_tests()); // Override the user agent with the test UA
             cfg.get::<Interceptors<HttpRequest, HttpResponse>>()
                 .expect("interceptors set")
                 .register_client_interceptor(Arc::new(UserAgentInterceptor::new()) as _)
-                .register_client_interceptor(Arc::new(RecursionDetectionInterceptor::new()) as _)
-                .register_client_interceptor(Arc::new(OverrideSigningTimeInterceptor) as _);
+                .register_client_interceptor(Arc::new(RecursionDetectionInterceptor::new()) as _);
+            cfg.set_identity_resolvers(
+                aws_smithy_runtime_api::client::identity::IdentityResolvers::builder()
+                    .identity_resolver(
+                        aws_runtime::auth::sigv4::SCHEME_ID,
+                        aws_runtime::identity::credentials::CredentialsIdentityResolver::new(
+                            self.credentials_cache.clone(),
+                        ),
+                    )
+                    .build(),
+            );
             Ok(())
         }
     }