feat: Support auth scheme preference list (#1953)

Author: dayaffe

Sources/Core/AWSClientRuntime/Sources/AWSClientRuntime/AWSClientConfigDefaultsProvider.swift

@@ -41,6 +41,21 @@ public class AWSClientConfigDefaultsProvider: ClientConfigDefaultsProvider {
         return resolvedAppID
     }
 
+    public static func authSchemePreference(_ preference: String? = nil) throws -> [String]? {
+        let fileBasedConfig = try CRTFileBasedConfiguration.make()
+        let resolvedPreference: [String]?
+        if let authSchemePreference = preference {
+            resolvedPreference = AuthSchemeConfig.normalizeSchemes(authSchemePreference)
+        } else {
+            resolvedPreference = AuthSchemeConfig.authSchemePreference(
+                configValue: nil,
+                profileName: nil,
+                fileBasedConfig: fileBasedConfig
+            )
+        }
+        return resolvedPreference
+    }
+
     public static func requestChecksumCalculation(
         _ requestChecksumCalculation: AWSChecksumCalculationMode? = nil
     ) throws -> AWSChecksumCalculationMode {

Sources/Core/AWSClientRuntime/Sources/AWSClientRuntime/Config/AWSDefaultClientConfiguration.swift

@@ -15,6 +15,8 @@ public protocol AWSDefaultClientConfiguration {
     /// If no resolver is supplied, `AWSSDKIdentity.DefaultAWSCredentialIdentityResolverChain` gets used by default.
     var awsCredentialIdentityResolver: any AWSCredentialIdentityResolver { get set }
 
+    var authSchemePreference: [String]? { get set }
+
     /// Specifies whether FIPS endpoints should be used.
     var useFIPS: Bool? { get set }
 

Sources/Core/AWSClientRuntime/Sources/AWSClientRuntime/Config/AuthSchemeConfig.swift

@@ -0,0 +1,42 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+@_spi(FileBasedConfig) import AWSSDKCommon
+
+enum AuthSchemeConfig {
+
+    /// Determines the auth scheme prioritization to be used from the given config, if any.
+    /// - Parameters:
+    ///   - configValue: The auth scheme priority list passed at client construction, or `nil` if none was passed.
+    ///   - profileName: The profile name passed at client construction.  If `nil` is passed, the SDK will resolve the profile to be used.
+    ///   - fileBasedConfig: The file-based config from which to load configuration, if needed.
+    /// - Returns: The auth scheme priority that was resolved, or `nil` if none was resolved.
+    static func authSchemePreference(
+        configValue: [String]?,
+        profileName: String?,
+        fileBasedConfig: FileBasedConfiguration
+    ) -> [String]? {
+        return FieldResolver(
+            configValue: configValue,
+            envVarName: "AWS_AUTH_SCHEME_PREFERENCE",
+            configFieldName: "auth_scheme_preference",
+            fileBasedConfig: fileBasedConfig,
+            profileName: profileName,
+            converter: { value in
+                let normalized = normalizeSchemes(value)
+                return normalized.isEmpty ? nil : normalized
+            }
+        ).value
+    }
+
+    static func normalizeSchemes(_ input: String) -> [String] {
+        return input
+            .split(separator: ",")
+            .map { $0.trimmingCharacters(in: .whitespacesAndNewlines) }
+            .filter { !$0.isEmpty }
+    }
+}

Sources/Core/AWSClientRuntime/Tests/AWSClientRuntimeTests/Config/AuthSchemeConfigTests.swift

@@ -0,0 +1,164 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import Foundation
+import XCTest
+@testable @_spi(FileBasedConfig) import AWSClientRuntime
+@testable @_spi(FileBasedConfig) import AWSSDKCommon
+
+class AuthSchemeConfigTests: XCTestCase {
+    let envVarName = "AWS_AUTH_SCHEME_PREFERENCE"
+    let configFieldName = "auth_scheme_preference"
+    var fileBasedConfig: FileBasedConfiguration!
+    
+    override func setUp() {
+        super.setUp()
+        fileBasedConfig = try! CRTFileBasedConfiguration(
+            configFilePath: Bundle.module.path(forResource: "auth_scheme_config_tests", ofType: nil)!,
+            credentialsFilePath: nil
+        )
+    }
+    
+    override func tearDown() {
+        unsetenv(envVarName)
+        super.tearDown()
+    }
+    
+    // authSchemePreference Tests
+    
+    func test_authSchemePreference_returnsConfigValueWhenProvided() {
+        let expected = ["sigv4", "sigv4a"]
+        let result = AuthSchemeConfig.authSchemePreference(
+            configValue: expected,
+            profileName: nil,
+            fileBasedConfig: fileBasedConfig
+        )
+        XCTAssertEqual(result, ["sigv4", "sigv4a"])
+    }
+    
+    func test_authSchemePreference_returnsNilWhenConfigValueIsEmpty() {
+        let result = AuthSchemeConfig.authSchemePreference(
+            configValue: [],
+            profileName: nil,
+            fileBasedConfig: fileBasedConfig
+        )
+        XCTAssertEqual(result, [])
+    }
+    
+    func test_authSchemePreference_returnsEnvironmentValueWhenNoConfigValue() {
+        let expected = "sigv4a,sigv4"
+        setenv(envVarName, expected, 1)
+        
+        let result = AuthSchemeConfig.authSchemePreference(
+            configValue: nil,
+            profileName: nil,
+            fileBasedConfig: fileBasedConfig
+        )
+        XCTAssertEqual(result, ["sigv4a", "sigv4"])
+    }
+    
+    func test_authSchemePreference_returnsNilWhenEnvironmentValueIsEmpty() {
+        setenv(envVarName, "", 1)
+        
+        let result = AuthSchemeConfig.authSchemePreference(
+            configValue: nil,
+            profileName: nil,
+            fileBasedConfig: fileBasedConfig
+        )
+        // When env var is empty, FieldResolver falls through to file config
+        // which has "sigv4" in the default profile
+        XCTAssertEqual(result, ["sigv4"])
+    }
+    
+    func test_authSchemePreference_returnsFileConfigValueFromDefaultProfile() {
+        // Assuming the test config file has auth_scheme_preference = "sigv4" in default profile
+        let result = AuthSchemeConfig.authSchemePreference(
+            configValue: nil,
+            profileName: nil,
+            fileBasedConfig: fileBasedConfig
+        )
+        XCTAssertEqual(result, ["sigv4"])
+    }
+    
+    func test_authSchemePreference_returnsFileConfigValueFromSpecifiedProfile() {
+        let result = AuthSchemeConfig.authSchemePreference(
+            configValue: nil,
+            profileName: "alt-profile",
+            fileBasedConfig: fileBasedConfig
+        )
+        XCTAssertEqual(result, ["sigv4a", "sigv4"])
+    }
+    
+    func test_authSchemePreference_returnsNilWhenNoSourceIsSet() {
+        let result = AuthSchemeConfig.authSchemePreference(
+            configValue: nil,
+            profileName: "non-existent-profile",
+            fileBasedConfig: fileBasedConfig
+        )
+        XCTAssertNil(result)
+    }
+    
+    // normalizeSchemes Tests
+    
+    func test_normalizeSchemes_handlesSingleScheme() {
+        let result = AuthSchemeConfig.normalizeSchemes("sigv4")
+        XCTAssertEqual(result, ["sigv4"])
+    }
+    
+    func test_normalizeSchemes_handlesMultipleSchemes() {
+        let result = AuthSchemeConfig.normalizeSchemes("sigv4,sigv4a,bearer")
+        XCTAssertEqual(result, ["sigv4", "sigv4a", "bearer"])
+    }
+    
+    func test_normalizeSchemes_removesSpaces() {
+        let result = AuthSchemeConfig.normalizeSchemes("sigv4, sigv4a , bearer")
+        XCTAssertEqual(result, ["sigv4", "sigv4a", "bearer"])
+    }
+    
+    func test_normalizeSchemes_removesTabs() {
+        let result = AuthSchemeConfig.normalizeSchemes("sigv4,\tsigv4a\t,\tbearer")
+        XCTAssertEqual(result, ["sigv4", "sigv4a", "bearer"])
+    }
+    
+    func test_normalizeSchemes_removesMultipleSpacesAndTabs() {
+        let result = AuthSchemeConfig.normalizeSchemes("sigv4  ,  \t sigv4a\t\t,   bearer  ")
+        XCTAssertEqual(result, ["sigv4", "sigv4a", "bearer"])
+    }
+    
+    func test_normalizeSchemes_handlesEmptyElements() {
+        let result = AuthSchemeConfig.normalizeSchemes("sigv4,,sigv4a,,,bearer,")
+        XCTAssertEqual(result, ["sigv4", "sigv4a", "bearer"])
+    }
+    
+    func test_normalizeSchemes_handlesEmptyString() {
+        let result = AuthSchemeConfig.normalizeSchemes("")
+        XCTAssertEqual(result, [])
+    }
+    
+    func test_normalizeSchemes_handlesOnlyCommas() {
+        let result = AuthSchemeConfig.normalizeSchemes(",,,")
+        XCTAssertEqual(result, [])
+    }
+    
+    func test_normalizeSchemes_handlesOnlyWhitespace() {
+        let result = AuthSchemeConfig.normalizeSchemes("   \t   ")
+        XCTAssertEqual(result, [])
+    }
+    
+    // authSchemePreference Tests with environment and config
+    
+    func test_authSchemePreference_normalizesEnvironmentValue() {
+        setenv(envVarName, "sigv4  ,  sigv4a", 1)
+        
+        let result = AuthSchemeConfig.authSchemePreference(
+            configValue: nil,
+            profileName: nil,
+            fileBasedConfig: fileBasedConfig
+        )
+        XCTAssertEqual(result, ["sigv4", "sigv4a"])
+    }
+}

Sources/Core/AWSClientRuntime/Tests/AWSClientRuntimeTests/Resources/auth_scheme_config_tests

@@ -0,0 +1,5 @@
+[default]
+auth_scheme_preference = sigv4
+
+[profile alt-profile]
+auth_scheme_preference = sigv4a,sigv4

codegen/smithy-aws-swift-codegen/src/main/kotlin/software/amazon/smithy/aws/swift/codegen/plugins/AuthSchemePlugin.kt

@@ -12,6 +12,7 @@ import software.amazon.smithy.swift.codegen.model.toOptional
 import software.amazon.smithy.swift.codegen.swiftmodules.ClientRuntimeTypes
 import software.amazon.smithy.swift.codegen.swiftmodules.SmithyHTTPAuthAPITypes
 import software.amazon.smithy.swift.codegen.swiftmodules.SmithyIdentityTypes
+import software.amazon.smithy.swift.codegen.swiftmodules.SwiftTypes
 import software.amazon.smithy.swift.codegen.utils.toUpperCamelCase
 
 class AuthSchemePlugin(
@@ -31,6 +32,7 @@ class AuthSchemePlugin(
     ) {
         writer.openBlock("public class $pluginName: \$N {", "}", ClientRuntimeTypes.Core.Plugin) {
             writer.write("private var authSchemes: \$N", SmithyHTTPAuthAPITypes.AuthSchemes.toOptional())
+            writer.write("private var authSchemePreference: \$N", SwiftTypes.StringList)
             writer.write("private var authSchemeResolver: \$N", SmithyHTTPAuthAPITypes.AuthSchemeResolver.toOptional())
             writer.write(
                 "private var awsCredentialIdentityResolver: \$N",
@@ -43,15 +45,17 @@ class AuthSchemePlugin(
 
             writer.write("")
             writer.openBlock(
-                "public init(authSchemes: \$N = nil, authSchemeResolver: \$N = nil, awsCredentialIdentityResolver: \$N = nil, bearerTokenIdentityResolver: \$N = nil) {",
+                "public init(authSchemes: \$N = nil, authSchemePreference: \$N = nil, authSchemeResolver: \$N = nil, awsCredentialIdentityResolver: \$N = nil, bearerTokenIdentityResolver: \$N = nil) {",
                 "}",
                 SmithyHTTPAuthAPITypes.AuthSchemes.toOptional(),
+                SwiftTypes.StringList.toOptional(),
                 AuthSchemeResolverGenerator.getServiceSpecificAuthSchemeResolverName(ctx).toOptional(),
                 SmithyIdentityTypes.AWSCredentialIdentityResolver.toGeneric().toOptional(),
                 SmithyIdentityTypes.BearerTokenIdentityResolver.toGeneric().toOptional(),
             ) {
                 writer.write("self.authSchemeResolver = authSchemeResolver")
                 writer.write("self.authSchemes = authSchemes")
+                writer.write("self.authSchemePreference = authSchemePreference ?? []")
                 writer.write("self.awsCredentialIdentityResolver = awsCredentialIdentityResolver")
                 writer.write("self.bearerTokenIdentityResolver = bearerTokenIdentityResolver")
             }
@@ -65,6 +69,9 @@ class AuthSchemePlugin(
                     writer.openBlock("if (self.authSchemes != nil) {", "}") {
                         writer.write("config.authSchemes = self.authSchemes")
                     }
+                    writer.openBlock("if (self.authSchemePreference != nil) {", "}") {
+                        writer.write("config.authSchemePreference = self.authSchemePreference")
+                    }
                     writer.openBlock("if (self.authSchemeResolver != nil) {", "}") {
                         writer.write("config.authSchemeResolver = self.authSchemeResolver!")
                     }

codegen/smithy-aws-swift-codegen/src/test/kotlin/software/amazon/smithy/aws/swift/codegen/PresignerGeneratorTests.kt

@@ -28,6 +28,7 @@ extension GetFooInput {
                       .withLogger(value: config.logger)
                       .withPartitionID(value: config.partitionID)
                       .withAuthSchemes(value: config.authSchemes ?? [])
+                      .withAuthSchemePreference(value: config.authSchemePreference)
                       .withAuthSchemeResolver(value: config.authSchemeResolver)
                       .withUnsignedPayloadTrait(value: false)
                       .withSocketTimeout(value: config.httpClientConfiguration.socketTimeout)
@@ -102,6 +103,7 @@ extension PostFooInput {
                       .withLogger(value: config.logger)
                       .withPartitionID(value: config.partitionID)
                       .withAuthSchemes(value: config.authSchemes ?? [])
+                      .withAuthSchemePreference(value: config.authSchemePreference)
                       .withAuthSchemeResolver(value: config.authSchemeResolver)
                       .withUnsignedPayloadTrait(value: false)
                       .withSocketTimeout(value: config.httpClientConfiguration.socketTimeout)
@@ -179,6 +181,7 @@ extension PutFooInput {
                       .withLogger(value: config.logger)
                       .withPartitionID(value: config.partitionID)
                       .withAuthSchemes(value: config.authSchemes ?? [])
+                      .withAuthSchemePreference(value: config.authSchemePreference)
                       .withAuthSchemeResolver(value: config.authSchemeResolver)
                       .withUnsignedPayloadTrait(value: false)
                       .withSocketTimeout(value: config.httpClientConfiguration.socketTimeout)
@@ -256,6 +259,7 @@ extension PutObjectInput {
                       .withLogger(value: config.logger)
                       .withPartitionID(value: config.partitionID)
                       .withAuthSchemes(value: config.authSchemes ?? [])
+                      .withAuthSchemePreference(value: config.authSchemePreference)
                       .withAuthSchemeResolver(value: config.authSchemeResolver)
                       .withUnsignedPayloadTrait(value: false)
                       .withSocketTimeout(value: config.httpClientConfiguration.socketTimeout)

codegen/smithy-aws-swift-codegen/src/test/kotlin/software/amazon/smithy/aws/swift/codegen/awsrestjson/AWSRestJson1ProtocolGeneratorTests.kt

@@ -104,6 +104,7 @@ extension ExampleClient {
         public var httpClientEngine: SmithyHTTPAPI.HTTPClient
         public var httpClientConfiguration: ClientRuntime.HttpClientConfiguration
         public var authSchemes: SmithyHTTPAuthAPI.AuthSchemes?
+        public var authSchemePreference: [String]?
         public var authSchemeResolver: SmithyHTTPAuthAPI.AuthSchemeResolver
         public var bearerTokenIdentityResolver: any SmithyIdentity.BearerTokenIdentityResolver
         public private(set) var interceptorProviders: [ClientRuntime.InterceptorProvider]
@@ -131,6 +132,7 @@ extension ExampleClient {
             _ httpClientEngine: SmithyHTTPAPI.HTTPClient,
             _ httpClientConfiguration: ClientRuntime.HttpClientConfiguration,
             _ authSchemes: SmithyHTTPAuthAPI.AuthSchemes?,
+            _ authSchemePreference: [String]?,
             _ authSchemeResolver: SmithyHTTPAuthAPI.AuthSchemeResolver,
             _ bearerTokenIdentityResolver: any SmithyIdentity.BearerTokenIdentityResolver,
             _ interceptorProviders: [ClientRuntime.InterceptorProvider],
@@ -156,6 +158,7 @@ extension ExampleClient {
             self.httpClientEngine = httpClientEngine
             self.httpClientConfiguration = httpClientConfiguration
             self.authSchemes = authSchemes
+            self.authSchemePreference = authSchemePreference
             self.authSchemeResolver = authSchemeResolver
             self.bearerTokenIdentityResolver = bearerTokenIdentityResolver
             self.interceptorProviders = interceptorProviders
@@ -184,6 +187,7 @@ extension ExampleClient {
             httpClientEngine: SmithyHTTPAPI.HTTPClient? = nil,
             httpClientConfiguration: ClientRuntime.HttpClientConfiguration? = nil,
             authSchemes: SmithyHTTPAuthAPI.AuthSchemes? = nil,
+            authSchemePreference: [String]? = nil,
             authSchemeResolver: SmithyHTTPAuthAPI.AuthSchemeResolver? = nil,
             bearerTokenIdentityResolver: (any SmithyIdentity.BearerTokenIdentityResolver)? = nil,
             interceptorProviders: [ClientRuntime.InterceptorProvider]? = nil,
@@ -210,6 +214,7 @@ extension ExampleClient {
                 httpClientEngine ?? AWSClientConfigDefaultsProvider.httpClientEngine(httpClientConfiguration),
                 httpClientConfiguration ?? AWSClientConfigDefaultsProvider.httpClientConfiguration(),
                 authSchemes ?? [AWSSDKHTTPAuth.SigV4AuthScheme()],
+                authSchemePreference ?? nil,
                 authSchemeResolver ?? DefaultExampleAuthSchemeResolver(),
                 bearerTokenIdentityResolver ?? SmithyIdentity.StaticBearerTokenIdentityResolver(token: SmithyIdentity.BearerTokenIdentity(token: "")),
                 interceptorProviders ?? [],
@@ -238,6 +243,7 @@ extension ExampleClient {
             httpClientEngine: SmithyHTTPAPI.HTTPClient? = nil,
             httpClientConfiguration: ClientRuntime.HttpClientConfiguration? = nil,
             authSchemes: SmithyHTTPAuthAPI.AuthSchemes? = nil,
+            authSchemePreference: [String]? = nil,
             authSchemeResolver: SmithyHTTPAuthAPI.AuthSchemeResolver? = nil,
             bearerTokenIdentityResolver: (any SmithyIdentity.BearerTokenIdentityResolver)? = nil,
             interceptorProviders: [ClientRuntime.InterceptorProvider]? = nil,
@@ -264,6 +270,7 @@ extension ExampleClient {
                 httpClientEngine ?? AWSClientConfigDefaultsProvider.httpClientEngine(httpClientConfiguration),
                 httpClientConfiguration ?? AWSClientConfigDefaultsProvider.httpClientConfiguration(),
                 authSchemes ?? [AWSSDKHTTPAuth.SigV4AuthScheme()],
+                authSchemePreference ?? nil,
                 authSchemeResolver ?? DefaultExampleAuthSchemeResolver(),
                 bearerTokenIdentityResolver ?? SmithyIdentity.StaticBearerTokenIdentityResolver(token: SmithyIdentity.BearerTokenIdentity(token: "")),
                 interceptorProviders ?? [],
@@ -293,6 +300,7 @@ extension ExampleClient {
                 httpClientEngine: nil,
                 httpClientConfiguration: nil,
                 authSchemes: nil,
+                authSchemePreference: nil,
                 authSchemeResolver: nil,
                 bearerTokenIdentityResolver: nil,
                 interceptorProviders: nil,
@@ -322,6 +330,7 @@ extension ExampleClient {
                 AWSClientConfigDefaultsProvider.httpClientEngine(),
                 AWSClientConfigDefaultsProvider.httpClientConfiguration(),
                 [AWSSDKHTTPAuth.SigV4AuthScheme()],
+                nil,
                 DefaultExampleAuthSchemeResolver(),
                 SmithyIdentity.StaticBearerTokenIdentityResolver(token: SmithyIdentity.BearerTokenIdentity(token: "")),
                 [],