fix: override auth attributes from resolved endpoint metadata (#89)

Author: aajtodd

.github/workflows/continuous-integration.yml

@@ -13,7 +13,6 @@ env:
   # host owned by CRT team to host aws-crt-builder releases. Contact their on-call with any issues
   BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net
   PACKAGE_NAME: aws-sdk-kotlin
-  LINUX_BASE_IMAGE: ubuntu-16-x64
   RUN: ${{ github.run_id }}-${{ github.run_number }}
 
 jobs:
@@ -22,22 +21,21 @@ jobs:
     steps:
     - name: Checkout sources
       uses: actions/checkout@v2
-    - uses: actions/cache@v2
-      with:
-        path: |
-          ~/.gradle/caches
-          ~/.gradle/wrapper
-        key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*') }}
-        restore-keys: |
-          ${{ runner.os }}-gradle-
     - name: Build and Test ${{ env.PACKAGE_NAME }}
       env:
         CI_USER: ${{ secrets.CI_USER}}
         CI_ACCESS_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
       run: |
-        python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder.pyz')"
-        chmod a+x builder.pyz
-        GIT_ASKPASS="$(pwd)/.github/scripts/git-ci-askpass.sh" ./builder.pyz build -p ${{ env.PACKAGE_NAME }}
+        echo "${{ secrets.GITHUB_TOKEN }}" | docker login docker.pkg.github.com -u awslabs --password-stdin
+        export DOCKER_IMAGE=docker.pkg.github.com/awslabs/aws-crt-builder/aws-crt-ubuntu-16-x64:${{ env.BUILDER_VERSION }}
+        docker pull $DOCKER_IMAGE
+        docker run --mount type=bind,source=$(pwd),target=/root/${{ env.PACKAGE_NAME }} \
+          --env GITHUB_REF \
+          --env GITHUB_HEAD_REF \
+          --env CI_USER \
+          --env CI_ACCESS_TOKEN \
+          --env GIT_ASKPASS=/root/${{ env.PACKAGE_NAME }}/.github/scripts/git-ci-askpass.sh \
+          $DOCKER_IMAGE build -p ${{ env.PACKAGE_NAME }} --build-dir=/root/${{ env.PACKAGE_NAME }}
 
   macos-compat:
     runs-on: macos-latest

build.gradle.kts

@@ -10,7 +10,6 @@ allprojects {
     repositories {
         mavenLocal()
         mavenCentral()
-        jcenter()
     }
 }
 

client-runtime/auth/common/src/aws/sdk/kotlin/runtime/auth/AwsSigv4Signer.kt

@@ -12,6 +12,7 @@ import aws.sdk.kotlin.crt.auth.signing.AwsSigningConfig
 import aws.sdk.kotlin.crt.toSignableCrtRequest
 import aws.sdk.kotlin.crt.update
 import aws.sdk.kotlin.runtime.InternalSdkApi
+import aws.sdk.kotlin.runtime.execution.AuthAttributes
 import software.aws.clientrt.client.ExecutionContext
 import software.aws.clientrt.http.*
 import software.aws.clientrt.http.operation.SdkHttpOperation

client-runtime/auth/common/test/aws/sdk/kotlin/runtime/auth/AwsSigv4SignerTest.kt

@@ -5,6 +5,7 @@
 
 package aws.sdk.kotlin.runtime.auth
 
+import aws.sdk.kotlin.runtime.execution.AuthAttributes
 import aws.sdk.kotlin.runtime.testing.runSuspendTest
 import software.aws.clientrt.client.ExecutionContext
 import software.aws.clientrt.http.*

…dk/kotlin/runtime/auth/AuthAttributes.kt …tlin/runtime/execution/AuthAttributes.ktclient-runtime/auth/common/src/aws/sdk/kotlin/runtime/auth/AuthAttributes.kt renamed to client-runtime/aws-client-rt/common/src/aws/sdk/kotlin/runtime/execution/AuthAttributes.kt client-runtime/auth/common/src/aws/sdk/kotlin/runtime/auth/AuthAttributes.kt renamed to client-runtime/aws-client-rt/common/src/aws/sdk/kotlin/runtime/execution/AuthAttributes.kt

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0.
  */
 
-package aws.sdk.kotlin.runtime.auth
+package aws.sdk.kotlin.runtime.execution
 
 import software.aws.clientrt.client.ClientOption
 import software.aws.clientrt.time.Instant

client-runtime/protocols/http/common/src/aws/sdk/kotlin/runtime/http/middleware/ServiceEndpointResolver.kt

@@ -8,6 +8,7 @@ package aws.sdk.kotlin.runtime.http.middleware
 import aws.sdk.kotlin.runtime.InternalSdkApi
 import aws.sdk.kotlin.runtime.client.AwsClientOption
 import aws.sdk.kotlin.runtime.endpoint.EndpointResolver
+import aws.sdk.kotlin.runtime.execution.AuthAttributes
 import software.aws.clientrt.http.*
 import software.aws.clientrt.http.operation.HttpOperationContext
 import software.aws.clientrt.http.operation.SdkHttpOperation
@@ -56,6 +57,13 @@ public class ServiceEndpointResolver(
             req.builder.url.host = hostname
             req.builder.headers["Host"] = hostname
 
+            endpoint.signingName?.let {
+                if (it.isNotBlank()) req.context[AuthAttributes.SigningService] = it
+            }
+            endpoint.signingRegion?.let {
+                if (it.isNotBlank()) req.context[AuthAttributes.SigningRegion] = it
+            }
+
             next.call(req)
         }
     }

client-runtime/protocols/http/common/test/aws/sdk/kotlin/runtime/http/middleware/ServiceEndpointResolverTest.kt

@@ -8,12 +8,14 @@ package aws.sdk.kotlin.runtime.http.middleware
 import aws.sdk.kotlin.runtime.client.AwsClientOption
 import aws.sdk.kotlin.runtime.endpoint.Endpoint
 import aws.sdk.kotlin.runtime.endpoint.EndpointResolver
+import aws.sdk.kotlin.runtime.execution.AuthAttributes
 import aws.sdk.kotlin.runtime.testing.runSuspendTest
 import software.aws.clientrt.http.*
 import software.aws.clientrt.http.engine.HttpClientEngine
 import software.aws.clientrt.http.operation.*
 import software.aws.clientrt.http.request.HttpRequestBuilder
 import software.aws.clientrt.http.response.HttpResponse
+import software.aws.clientrt.util.get
 import kotlin.test.Test
 import kotlin.test.assertEquals
 import kotlin.test.assertNotNull
@@ -92,4 +94,45 @@ class ServiceEndpointResolverTest {
         val response = op.roundTrip(client, Unit)
         assertNotNull(response)
     }
+
+    @Test
+    fun `it overrides credential scopes`(): Unit = runSuspendTest {
+        // if an endpoint specifies credential scopes we should override the context
+        val expectedHost = "test.com"
+        val mockEngine = object : HttpClientEngine {
+            override suspend fun roundTrip(requestBuilder: HttpRequestBuilder): HttpResponse {
+                assertEquals(expectedHost, requestBuilder.url.host)
+                assertEquals(expectedHost, requestBuilder.headers["Host"])
+                assertEquals("https", requestBuilder.url.scheme.protocolName)
+                return HttpResponse(HttpStatusCode.fromValue(200), Headers {}, HttpBody.Empty, requestBuilder.build())
+            }
+        }
+
+        val client = sdkHttpClient(mockEngine)
+
+        val op = SdkHttpOperation.build<Unit, HttpResponse> {
+            serializer = UnitSerializer
+            deserializer = IdentityDeserializer
+            context {
+                service = "TestService"
+                operationName = "testOperation"
+            }
+        }
+
+        op.install(ServiceEndpointResolver) {
+            serviceId = "TestService"
+            resolver = object : EndpointResolver {
+                override suspend fun resolve(service: String, region: String): Endpoint {
+                    return Endpoint("test.com", "https", signingName = "foo", signingRegion = "us-west-2")
+                }
+            }
+        }
+
+        op.context[AwsClientOption.Region] = "us-east-1"
+        op.context[AuthAttributes.SigningRegion] = "us-east-1"
+        op.context[AuthAttributes.SigningService] = "quux"
+        op.roundTrip(client, Unit)
+        assertEquals("foo", op.context[AuthAttributes.SigningService])
+        assertEquals("us-west-2", op.context[AuthAttributes.SigningRegion])
+    }
 }

codegen/smithy-aws-kotlin-codegen/src/main/kotlin/aws/sdk/kotlin/codegen/AwsHttpProtocolClientGenerator.kt

@@ -71,14 +71,11 @@ class AwsHttpProtocolClientGenerator(
      * render a utility function to populate an operation's ExecutionContext with defaults from service config, environment, etc
      */
     private fun renderMergeServiceDefaults(writer: KotlinWriter) {
-        writer.addImport("ExecutionContext", KotlinDependency.CLIENT_RT_CORE, "${KotlinDependency.CLIENT_RT_CORE.namespace}.client")
+        writer.addImport(RuntimeTypes.Core.ExecutionContext)
         writer.addImport("SdkClientOption", KotlinDependency.CLIENT_RT_CORE, "${KotlinDependency.CLIENT_RT_CORE.namespace}.client")
         writer.addImport("resolveRegionForOperation", AwsKotlinDependency.AWS_CLIENT_RT_REGIONS)
-        writer.addImport("AuthAttributes", AwsKotlinDependency.AWS_CLIENT_RT_AUTH)
-        writer.addImport(
-            "AwsClientOption",
-            AwsKotlinDependency.AWS_CLIENT_RT_CORE, "${AwsKotlinDependency.AWS_CLIENT_RT_CORE.namespace}.client"
-        )
+        writer.addImport(AwsRuntimeTypes.Core.AuthAttributes)
+        writer.addImport(AwsRuntimeTypes.Core.AwsClientOption)
         writer.addImport("putIfAbsent", KotlinDependency.CLIENT_RT_UTILS)
 
         writer.dokka("merge the defaults configured for the service into the execution context before firing off a request")

codegen/smithy-aws-kotlin-codegen/src/main/kotlin/aws/sdk/kotlin/codegen/AwsRuntimeTypes.kt

@@ -0,0 +1,29 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+package aws.sdk.kotlin.codegen
+
+import software.amazon.smithy.kotlin.codegen.buildSymbol
+import software.amazon.smithy.kotlin.codegen.namespace
+
+/**
+ * Commonly used AWS runtime types. Provides a single definition of a runtime symbol such that codegen isn't littered
+ * with inline symbol creation which makes refactoring of the runtime more difficult and error prone.
+ *
+ * NOTE: Not all symbols need be added here but it doesn't hurt to define runtime symbols once.
+ */
+object AwsRuntimeTypes {
+    object Core {
+        val AwsClientOption = buildSymbol {
+            name = "AwsClientOption"
+            namespace(AwsKotlinDependency.AWS_CLIENT_RT_CORE, subpackage = "client")
+        }
+
+        val AuthAttributes = buildSymbol {
+            name = "AuthAttributes"
+            namespace(AwsKotlinDependency.AWS_CLIENT_RT_CORE, subpackage = "execution")
+        }
+    }
+}