Working auth scheme approach

Author: Matt Muller

gems/smithy-client/lib/smithy-client.rb

@@ -51,7 +51,9 @@
 # identity and auth
 
 require_relative 'smithy-client/auth'
+require_relative 'smithy-client/auth_scheme'
 require_relative 'smithy-client/identity_provider'
+require_relative 'smithy-client/null_signer'
 require_relative 'smithy-client/refreshing_identity_provider'
 
 # stubbing

gems/smithy-client/lib/smithy-client/api_key_signer.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Smithy
+  module Client
+    # Signs requests with the ApiKey identity.
+    class ApiKeySigner
+      def initialize(options = {})
+        @name = options[:name]
+        @in = options[:in]
+        @scheme = options[:scheme]
+      end
+
+      def sign_request(context)
+        case @in
+        when 'header' then sign_in_header(context.http_request, context.config.api_key_provider)
+        when 'query' then sign_in_query_param(context.http_request, context.config.api_key_provider)
+        end
+      end
+
+      def presign_url(_context)
+        raise NotImplementedError
+      end
+
+      private
+
+      def sign_in_header(http_request, provider)
+        http_request.headers.delete(@name)
+        value = "#{@scheme} #{provider.identity.key}".strip
+        http_request.headers[@name] = value
+      end
+
+      def sign_in_query_param(http_request, provider)
+        remove_query_param(http_request)
+        append_query_param(http_request, provider)
+      end
+
+      def append_query_param(http_request, provider)
+        value = provider.identity.key
+        if http_request.endpoint.query
+          http_request.endpoint.query += "&#{@name}=#{value}"
+        else
+          http_request.endpoint.query = "#{@name}=#{value}"
+        end
+      end
+
+      def remove_query_param(http_request)
+        return unless http_request.endpoint.query
+
+        parsed = CGI.parse(http_request.endpoint.query)
+        parsed.delete(@name)
+        # encode_www_form ignores query params without values
+        # (CGI parses these as empty lists)
+        parsed.each do |key, values|
+          parsed[key] = values.empty? ? nil : values
+        end
+        http_request.endpoint.query = URI.encode_www_form(parsed)
+      end
+    end
+  end
+end

gems/smithy-client/lib/smithy-client/auth.rb

@@ -3,29 +3,29 @@ module Client
     # @api private
     module Auth
       class << self
-        def resolve_auth(context, endpoint_properties = {})
+        def resolve(context, endpoint_properties = {})
           if endpoint_properties.key?('authSchemes')
-            resolve_auth_scheme_with_endpoint(context, endpoint_properties['authSchemes'])
+            resolve_with_endpoint_auth(context, endpoint_properties['authSchemes'])
           else
-            resolve_auth_scheme_without_endpoint(context)
+            resolve_without_endpoint_auth(context)
           end
         end
 
         private
 
-        def resolve_auth_scheme_with_endpoint(context, endpoint_auth_schemes)
+        def resolve_with_endpoint_auth(context, endpoint_auth_schemes)
           normalized_endpoint_schemes = []
           endpoint_auth_schemes.each do |scheme|
             scheme_id = context.config.endpoint_auth_schemes[scheme['name']]
             next unless scheme_id
 
-            normalized_scheme = { scheme_id: scheme_id }
+            properties = {}
             scheme.each do |key, value|
               next if key == 'name'
 
-              normalized_scheme[key] = value
+              properties[key] = value
             end
-            normalized_endpoint_schemes << normalized_scheme
+            normalized_endpoint_schemes << { scheme_id: scheme_id, properties: properties }
           end
           resolved_auth_options = prioritize_auth_options(
             normalized_endpoint_schemes,
@@ -34,7 +34,7 @@ def resolve_auth_scheme_with_endpoint(context, endpoint_auth_schemes)
           resolve_auth_scheme(context.config.auth_schemes, resolved_auth_options)
         end
 
-        def resolve_auth_scheme_without_endpoint(context)
+        def resolve_without_endpoint_auth(context)
           auth_parameters = context.client.class.auth_parameters.create(context)
           auth_options = context.config.auth_resolver.resolve(auth_parameters)
           resolved_auth_options = prioritize_auth_options(auth_options, context.config.auth_scheme_preference)
@@ -66,23 +66,24 @@ def resolve_auth_scheme(auth_schemes, auth_options)
           failures = []
           auth_options.each do |auth_option|
             scheme_id = auth_option[:scheme_id]
+            if scheme_id == 'smithy.api#noAuth'
+              return AuthScheme.new(identity_provider: nil, scheme_id: 'smithy.api#noAuth', signer: NullSigner.new)
+            end
 
-            # Anonymous auth does not have a plugin and does not sign
-            return auth_option if scheme_id == 'smithy.api#noAuth'
-
-            error = validate_auth_scheme(auth_schemes, scheme_id)
-            return auth_option unless error
+            auth_scheme = auth_schemes[scheme_id]
+            error = validate_auth_scheme(auth_scheme, scheme_id)
+            return auth_scheme unless error
 
             failures << error
           end
 
           raise failures.join("\n")
         end
 
-        def validate_auth_scheme(auth_schemes, scheme_id)
-          return "Auth scheme #{scheme_id} was not enabled for this request" unless auth_schemes.key?(scheme_id)
+        def validate_auth_scheme(auth_scheme, scheme_id)
+          return "Auth scheme #{scheme_id} was not enabled for this request" unless auth_scheme
 
-          identity_provider = auth_schemes[scheme_id]
+          identity_provider = auth_scheme.identity_provider
           return "Auth scheme #{scheme_id} did not have an identity provider configured" unless identity_provider
           return "Auth scheme #{scheme_id} failed to resolve identity" unless identity_provider.set?
 

gems/smithy-client/lib/smithy-client/auth_scheme.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Smithy
+  module Client
+    # Contains information about candidate authentication schemes.
+    class AuthScheme
+      def initialize(options = {})
+        @identity_provider = options[:identity_provider]
+        @scheme_id = options[:scheme_id]
+        @signer = options[:signer]
+      end
+
+      # @return [IdentityProvider]
+      attr_reader :identity_provider
+
+      # @return [String]
+      attr_reader :scheme_id
+
+      # @return [Signer]
+      attr_reader :signer
+    end
+  end
+end

gems/smithy-client/lib/smithy-client/bearer_token_signer.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Smithy
+  module Client
+    # Signs requests with the BearerToken identity.
+    class BearerTokenSigner
+      def sign_request(context)
+        context.http_request.headers.delete('Authorization')
+        provider = context.config.bearer_token_provider
+        context.http_request.headers['Authorization'] = "Bearer #{provider.identity.token}"
+      end
+
+      def presign_url(_context)
+        raise NotImplementedError
+      end
+    end
+  end
+end

gems/smithy-client/lib/smithy-client/login_signer.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Smithy
+  module Client
+    # Signs requests with the Login identity.
+    class LoginSigner
+      def initialize(options = {})
+        @scheme_id = options[:scheme_id]
+      end
+
+      def sign_request(context)
+        raise NotImplementedError unless @scheme_id == 'smithy.api#httpBasicAuth'
+
+        sign_with_basic(context.http_request, context.config.login_provider)
+      end
+
+      def presign_url(_context)
+        raise NotImplementedError
+      end
+
+      private
+
+      def sign_with_basic(http_request, provider)
+        http_request.headers.delete('Authorization')
+        identity = provider.identity
+        encoded = Base64.strict_encode64("#{identity.username}:#{identity.password}")
+        http_request.headers['Authorization'] = "Basic #{encoded}"
+      end
+    end
+  end
+end

gems/smithy-client/lib/smithy-client/null_signer.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Smithy
+  module Client
+    # A signer that does not sign requests. Used for anonymous authentication.
+    class NullSigner
+      def sign_request(_context)
+        # no-op
+      end
+
+      def presign_url(_context)
+        # no-op
+      end
+    end
+  end
+end

gems/smithy-client/lib/smithy-client/plugins/http_api_key_auth.rb

@@ -2,6 +2,7 @@
 
 require_relative '../api_key'
 require_relative '../api_key_provider'
+require_relative '../api_key_signer'
 
 module Smithy
   module Client
@@ -27,64 +28,18 @@ class that responds to #identity and returns a {Smithy::Client::ApiKey}.
           provider if provider.set?
         end
 
-        def after_initialize(client)
-          client.config.auth_schemes['smithy.api#httpApiKeyAuth'] = client.config.api_key_provider
+        option(:api_key_signer) do |config|
+          trait = config.service.traits['smithy.api#httpApiKeyAuth']
+          ApiKeySigner.new(name: trait['name'], in: trait['in'], scheme: trait['scheme'])
         end
 
-        # @api private
-        class Handler < Client::Handler
-          def call(context)
-            sign(context) if context.auth[:scheme_id] == 'smithy.api#httpApiKeyAuth'
-            @handler.call(context)
-          end
-
-          private
-
-          def sign(context)
-            properties = context.config.service.traits['smithy.api#httpApiKeyAuth']
-            http_request = context.http_request
-            identity = context.config.api_key_provider.identity
-            case properties['in']
-            when 'header' then sign_in_header(properties, http_request, identity)
-            when 'query' then sign_in_query_param(properties, http_request, identity)
-            end
-          end
-
-          def sign_in_header(properties, http_request, identity)
-            http_request.headers.delete(properties['name'])
-            value = "#{properties['scheme']} #{identity.key}".strip
-            http_request.headers[properties['name']] = value
-          end
-
-          def sign_in_query_param(properties, http_request, identity)
-            name = properties['name']
-            remove_query_param(http_request, name)
-            append_query_param(http_request, name, identity.key)
-          end
-
-          def append_query_param(request, name, value)
-            if request.endpoint.query
-              request.endpoint.query += "&#{name}=#{value}"
-            else
-              request.endpoint.query = "#{name}=#{value}"
-            end
-          end
-
-          def remove_query_param(request, name)
-            return unless request.endpoint.query
-
-            parsed = CGI.parse(request.endpoint.query)
-            parsed.delete(name)
-            # encode_www_form ignores query params without values
-            # (CGI parses these as empty lists)
-            parsed.each do |key, values|
-              parsed[key] = values.empty? ? nil : values
-            end
-            request.endpoint.query = URI.encode_www_form(parsed)
-          end
+        def after_initialize(client)
+          client.config.auth_schemes['smithy.api#httpApiKeyAuth'] = AuthScheme.new(
+            identity_provider: client.config.api_key_provider,
+            scheme_id: 'smithy.api#httpApiKeyAuth',
+            signer: client.config.api_key_signer
+          )
         end
-
-        handler(Handler, step: :sign)
       end
     end
   end

gems/smithy-client/lib/smithy-client/plugins/http_basic_auth.rb

@@ -2,6 +2,7 @@
 
 require_relative '../login'
 require_relative '../login_provider'
+require_relative '../login_signer'
 
 module Smithy
   module Client
@@ -35,30 +36,17 @@ class that responds to #identity and returns a {Smithy::Client::Login}.
           provider if provider.set?
         end
 
-        def after_initialize(client)
-          client.config.auth_schemes['smithy.api#httpBasicAuth'] = client.config.login_provider
+        option(:login_signer) do |_config|
+          LoginSigner.new(scheme_id: 'smithy.api#httpBasicAuth')
         end
 
-        # @api private
-        class Handler < Client::Handler
-          def call(context)
-            sign(context) if context.auth[:scheme_id] == 'smithy.api#httpBasicAuth'
-            @handler.call(context)
-          end
-
-          private
-
-          def sign(context)
-            http_request = context.http_request
-            identity = context.config.login_provider.identity
-            http_request.headers.delete('Authorization')
-            identity_string = "#{identity.username}:#{identity.password}"
-            encoded = Base64.strict_encode64(identity_string)
-            http_request.headers['Authorization'] = "Basic #{encoded}"
-          end
+        def after_initialize(client)
+          client.config.auth_schemes['smithy.api#httpBasicAuth'] = AuthScheme.new(
+            identity_provider: client.config.login_provider,
+            scheme_id: 'smithy.api#httpBasicAuth',
+            signer: client.config.login_signer
+          )
         end
-
-        handler(Handler, step: :sign)
       end
     end
   end