Add authorizationScopes trait for Cognito scopes

API Gateway supports OAuth scopes on operations that use Cognito
authorizers. In OpenAPI, scopes appear in the security requirement
array for each operation. The existing @Authorizer trait is a
string and cannot be extended to include scopes without a breaking
change.

Add the `aws.apigateway#authorizationScopes` list trait, scoped to
operations that have the @Authorizer trait applied. The existing
`AddAuthorizers` mapper now includes the scope list in the security
requirement when the trait is present. The mapper writes
per-operation security when scopes are present, even if the
operation inherits its authorizer from the service.

Author: mee-aa

.changes/next-release/feature-1d0fb9d2b93784accf545d038bd5b0658cc9ca13.json

@@ -0,0 +1,7 @@
+{
+  "type": "feature",
+  "description": "Added `aws.apigateway#authorizationScopes` trait for Cognito authorizer scopes",
+  "pull_requests": [
+    "[#3084](https://github.com/smithy-lang/smithy/pull/3084)"
+  ]
+}

docs/source-2.0/aws/amazon-apigateway.rst

@@ -584,6 +584,72 @@ endpoint access mode:
     This trait should be considered internal-only and not exposed to your
     customers.
 
+.. smithy-trait:: aws.apigateway#authorizationScopes
+.. _aws.apigateway#authorizationScopes-trait:
+
+--------------------------------------------
+``aws.apigateway#authorizationScopes`` trait
+--------------------------------------------
+
+Summary
+    Defines the list of OAuth scopes required for an API Gateway operation
+    that uses a `Cognito`_ authorizer. Applied alongside the
+    :ref:`aws.apigateway#authorizer-trait` to specify which scopes the
+    caller must have.
+Trait selector
+    ``operation[trait|aws.apigateway#authorizer]``
+
+    *An operation with the aws.apigateway#authorizer trait applied*
+Value type
+    ``list`` of ``string``
+See also
+    - `Control access using Cognito user pools`_ for more information on
+      how scopes work with Cognito authorizers
+
+.. note::
+
+    Authorization scopes are only supported with ``COGNITO_USER_POOLS``
+    authorizers. API Gateway validates the scope values at import time.
+
+The following example requires the ``email`` and ``profile`` scopes on an
+operation that uses a Cognito authorizer:
+
+.. code-block:: smithy
+
+    $version: "2"
+
+    namespace smithy.example
+
+    use aws.apigateway#authorizer
+    use aws.apigateway#authorizers
+    use aws.apigateway#authorizationScopes
+    use aws.auth#sigv4
+
+    @sigv4(name: "service")
+    @authorizer("my-cognito-auth")
+    @authorizers(
+        "my-cognito-auth": {
+            scheme: "aws.auth#sigv4"
+            type: "cognito_user_pools"
+        }
+    )
+    service MyService {
+      version: "2024-01-01"
+      operations: [GetUserProfile]
+    }
+
+    @authorizer("my-cognito-auth")
+    @authorizationScopes(["email", "profile"])
+    operation GetUserProfile {
+        input := {}
+        output := {}
+    }
+
+.. note::
+
+    This trait should be considered internal-only and not exposed to your
+    customers.
+
 .. smithy-trait:: aws.apigateway#integration
 .. _aws.apigateway#integration-trait:
 
@@ -1268,3 +1334,5 @@ integration response to two ``header`` parameters of the method response.
 .. _x-amazon-apigateway-endpoint-configuration: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-endpoint-configuration.html
 .. _API endpoint types for REST APIs: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html
 .. _endpoint IDs: https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html#concepts-vpc-endpoints
+.. _Control access using Cognito user pools: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
+.. _Cognito: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools.html

docs/source-2.0/guides/model-translations/converting-to-openapi.rst

@@ -2316,6 +2316,73 @@ is converted to the following OpenAPI model:
     }
 
 
+.. _apigateway-authorization-scopes:
+
+Authorization scopes
+====================
+
+When an operation uses a `Cognito`_ authorizer, OAuth scopes can be added to
+the security requirement using the
+:ref:`aws.apigateway#authorizationScopes-trait`. The trait is applied
+alongside the :ref:`aws.apigateway#authorizer-trait` on an operation and
+specifies which scopes the caller must have.
+
+The following Smithy model requires the ``email`` and ``profile`` scopes
+on the ``GetUserProfile`` operation:
+
+.. code-block:: smithy
+
+    $version: "2"
+    namespace smithy.example
+
+    use aws.apigateway#authorizer
+    use aws.apigateway#authorizers
+    use aws.apigateway#authorizationScopes
+    use aws.auth#sigv4
+    use aws.protocols#restJson1
+
+    @restJson1
+    @sigv4(name: "service")
+    @authorizer("my-cognito-auth")
+    @authorizers(
+        "my-cognito-auth": {scheme: "aws.auth#sigv4", type: "cognito_user_pools"}
+    )
+    service Example {
+      version: "2019-06-17"
+      operations: [GetUserProfile]
+    }
+
+    @authorizer("my-cognito-auth")
+    @authorizationScopes(["email", "profile"])
+    @http(uri: "/profile", method: "GET")
+    operation GetUserProfile {}
+
+The scopes are included in the OpenAPI security requirement for the
+operation:
+
+.. code-block:: json
+
+    {
+        "paths": {
+            "/profile": {
+                "get": {
+                    "operationId": "GetUserProfile",
+                    "responses": {
+                        "200": {
+                            "description": "GetUserProfile response"
+                        }
+                    },
+                    "security": [
+                        {
+                            "my-cognito-auth": ["email", "profile"]
+                        }
+                    ]
+                }
+            }
+        }
+    }
+
+
 .. _other-traits:
 
 Other traits that influence API Gateway
@@ -2422,3 +2489,4 @@ The conversion process is highly extensible through
 .. _x-amazon-apigateway-gateway-responses: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-gateway-responses.html
 .. _x-amazon-apigateway-security-policy: https://docs.aws.amazon.com/apigateway/latest/developerguide/openapi-extensions-security-policy.html
 .. _x-amazon-apigateway-endpoint-access-mode: https://docs.aws.amazon.com/apigateway/latest/developerguide/openapi-extensions-endpoint-access-mode.html
+.. _Cognito: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools.html

smithy-aws-apigateway-openapi/src/main/java/software/amazon/smithy/aws/apigateway/openapi/AddAuthorizers.java

@@ -9,6 +9,7 @@
 import java.util.Objects;
 import java.util.Optional;
 import java.util.logging.Logger;
+import software.amazon.smithy.aws.apigateway.traits.AuthorizationScopesTrait;
 import software.amazon.smithy.aws.apigateway.traits.AuthorizerDefinition;
 import software.amazon.smithy.aws.apigateway.traits.AuthorizerIndex;
 import software.amazon.smithy.aws.apigateway.traits.AuthorizerTrait;
@@ -106,12 +107,18 @@ public OperationObject updateOperation(
         // ...API Gateway's built-in API keys are being used. It requires the
         // security to be specified on every operation.
         // See https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-setup-api-key-with-console.html#api-gateway-usage-plan-configure-apikey-on-method
-        if (Objects.equals(operationAuth, serviceAuth) && !usesApiGatewayApiKeys(service, operationAuth)) {
+        List<String> scopes = shape.getTrait(AuthorizationScopesTrait.class)
+                .map(AuthorizationScopesTrait::getValues)
+                .orElse(ListUtils.of());
+
+        if (Objects.equals(operationAuth, serviceAuth)
+                && !usesApiGatewayApiKeys(service, operationAuth)
+                && scopes.isEmpty()) {
             return operation;
         }
 
         return operation.toBuilder()
-                .addSecurity(MapUtils.of(operationAuth, ListUtils.of()))
+                .addSecurity(MapUtils.of(operationAuth, scopes))
                 .build();
     }
 

smithy-aws-apigateway-openapi/src/test/java/software/amazon/smithy/aws/apigateway/openapi/AddAuthorizationScopesTest.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package software.amazon.smithy.aws.apigateway.openapi;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.contains;
+import static org.hamcrest.Matchers.hasKey;
+import static org.hamcrest.Matchers.is;
+
+import java.util.List;
+import java.util.Map;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import software.amazon.smithy.model.Model;
+import software.amazon.smithy.model.shapes.ShapeId;
+import software.amazon.smithy.openapi.OpenApiConfig;
+import software.amazon.smithy.openapi.fromsmithy.OpenApiConverter;
+import software.amazon.smithy.openapi.model.OpenApi;
+import software.amazon.smithy.openapi.model.OperationObject;
+import software.amazon.smithy.openapi.model.PathItem;
+
+public class AddAuthorizationScopesTest {
+    private static OpenApi result;
+
+    @BeforeAll
+    public static void setup() {
+        Model model = Model.assembler()
+                .discoverModels(AddAuthorizationScopesTest.class.getClassLoader())
+                .addImport(AddAuthorizationScopesTest.class.getResource("authorization-scopes.smithy"))
+                .assemble()
+                .unwrap();
+        OpenApiConfig config = new OpenApiConfig();
+        config.setService(ShapeId.from("smithy.example#Service"));
+        result = OpenApiConverter.create()
+                .config(config)
+                .classLoader(AddAuthorizationScopesTest.class.getClassLoader())
+                .convert(model);
+    }
+
+    @Test
+    public void scopedOperationIncludesScopes() {
+        PathItem path = result.getPaths().get("/scoped");
+        OperationObject operation = path.getGet().get();
+        List<Map<String, List<String>>> security = operation.getSecurity().get();
+
+        // Find the security requirement for our authorizer
+        Map<String, List<String>> authReq = security.stream()
+                .filter(s -> s.containsKey("my-cognito-auth"))
+                .findFirst()
+                .get();
+
+        assertThat(authReq, hasKey("my-cognito-auth"));
+        assertThat(authReq.get("my-cognito-auth"), contains("email", "profile"));
+    }
+
+    @Test
+    public void unscopedOperationInheritsServiceSecurity() {
+        PathItem path = result.getPaths().get("/unscoped");
+        OperationObject operation = path.getGet().get();
+
+        // Unscoped operation has the same authorizer as the service and no
+        // scopes, so no per-operation security is added. The operation
+        // inherits security from the service level.
+        assertThat(operation.getSecurity().isPresent(), is(false));
+    }
+}

smithy-aws-apigateway-openapi/src/test/resources/software/amazon/smithy/aws/apigateway/openapi/authorization-scopes.smithy

@@ -0,0 +1,28 @@
+$version: "2.0"
+
+namespace smithy.example
+
+use aws.apigateway#authorizer
+use aws.apigateway#authorizers
+use aws.apigateway#authorizationScopes
+use aws.auth#sigv4
+use aws.protocols#restJson1
+
+@restJson1
+@sigv4(name: "service")
+@authorizer("my-cognito-auth")
+@authorizers(
+    "my-cognito-auth": {scheme: "aws.auth#sigv4", type: "cognito_user_pools", uri: "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_abc123"}
+)
+service Service {
+    version: "2006-03-01"
+    operations: [ScopedOperation, UnscopedOperation]
+}
+
+@authorizer("my-cognito-auth")
+@authorizationScopes(["email", "profile"])
+@http(uri: "/scoped", method: "GET")
+operation ScopedOperation {}
+
+@http(uri: "/unscoped", method: "GET")
+operation UnscopedOperation {}

smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/AuthorizationScopesTrait.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package software.amazon.smithy.aws.apigateway.traits;
+
+import java.util.List;
+import software.amazon.smithy.model.FromSourceLocation;
+import software.amazon.smithy.model.shapes.ShapeId;
+import software.amazon.smithy.model.traits.StringListTrait;
+import software.amazon.smithy.utils.ToSmithyBuilder;
+
+/**
+ * Defines the list of OAuth scopes required for an API Gateway operation
+ * that uses a Cognito authorizer. Applied alongside the
+ * {@link AuthorizerTrait} to specify which scopes the caller must have.
+ */
+public final class AuthorizationScopesTrait extends StringListTrait
+        implements ToSmithyBuilder<AuthorizationScopesTrait> {
+    public static final ShapeId ID = ShapeId.from("aws.apigateway#authorizationScopes");
+
+    private AuthorizationScopesTrait(List<String> values, FromSourceLocation sourceLocation) {
+        super(ID, values, sourceLocation);
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    @Override
+    public Builder toBuilder() {
+        return builder().sourceLocation(getSourceLocation()).values(getValues());
+    }
+
+    public static final class Provider extends StringListTrait.Provider<AuthorizationScopesTrait> {
+        public Provider() {
+            super(ID, AuthorizationScopesTrait::new);
+        }
+    }
+
+    public static final class Builder extends StringListTrait.Builder<AuthorizationScopesTrait, Builder> {
+        private Builder() {}
+
+        @Override
+        public AuthorizationScopesTrait build() {
+            return new AuthorizationScopesTrait(getValues(), getSourceLocation());
+        }
+    }
+}

smithy-aws-apigateway-traits/src/main/resources/META-INF/services/software.amazon.smithy.model.traits.TraitService

@@ -4,6 +4,7 @@ software.amazon.smithy.aws.apigateway.traits.RequestValidatorTrait$Provider
 software.amazon.smithy.aws.apigateway.traits.ApiKeySourceTrait$Provider
 software.amazon.smithy.aws.apigateway.traits.IntegrationTrait$Provider
 software.amazon.smithy.aws.apigateway.traits.MockIntegrationTrait$Provider
+software.amazon.smithy.aws.apigateway.traits.AuthorizationScopesTrait$Provider
 software.amazon.smithy.aws.apigateway.traits.GatewayResponsesTrait$Provider
 software.amazon.smithy.aws.apigateway.traits.ApiKeyRequiredTrait$Provider
 software.amazon.smithy.aws.apigateway.traits.MinimumCompressionSizeTrait$Provider

smithy-aws-apigateway-traits/src/main/resources/META-INF/smithy/aws.apigateway.smithy

@@ -27,6 +27,15 @@ structure apiKeyRequired {}
 @trait(selector: ":test(service, resource, operation)")
 string authorizer
 
+/// Defines the list of OAuth scopes required for an operation that uses a
+/// Cognito authorizer. Applied alongside the @authorizer trait.
+@internal
+@tags(["internal"])
+@trait(selector: "operation[trait|aws.apigateway#authorizer]")
+list authorizationScopes {
+    member: String
+}
+
 /// A list of API Gateway authorizers to augment the service's declared authentication
 /// mechanisms.
 @internal