fix(codegen): disable signing for sts operations AssumeRoleWithSaml and AssumeRoleWithWebIdentity (#407)

aajtodd · web-flow · commit 7db715a8f1b2 · 2021-11-05T15:08:27.000-04:00
diff --git a/.github/scripts/mk-generated.sh b/.github/scripts/mk-generated.sh
@@ -14,7 +14,6 @@ set -e
 
 # Redirect stdout to stderr for all the code in `{ .. }`
 {
-  git diff --quiet || (echo 'working tree not clean, aborting' && exit 1)
   gh_branch=${GITHUB_HEAD_REF##*/}
   base_branch=${GITHUB_BASE_REF##*/}
   if [ -n "$base_branch" ]; then
@@ -28,6 +27,15 @@ set -e
   gen_branch="__generated-$current_branch"
   repo_root=$(git rev-parse --show-toplevel)
   cd "$repo_root" && ./gradlew :codegen:sdk:bootstrap
+  # repo may be dirty due to gradle.properties being manipulated to have upstream deps match (e.g. by set_upstream_versions.py)
+  # test that we are running in a GitHub workflow before blowing away any unsaved changes
+  if [[ -z "${GITHUB_WORKFLOW}" ]]; then
+    git diff --quiet || (echo 'working tree not clean, aborting' && exit 1)
+  else
+    echo "working tree dirty, violently resetting HEAD"
+    git reset HEAD --hard
+  fi
+
   target="$(mktemp -d)"
   mv "$repo_root"/services "$target"
   # checkout and reset $gen_branch to be based on the __generated__ history
diff --git a/codegen/smithy-aws-kotlin-codegen/src/main/kotlin/aws/sdk/kotlin/codegen/customization/sts/StsDisableAuthForOperations.kt b/codegen/smithy-aws-kotlin-codegen/src/main/kotlin/aws/sdk/kotlin/codegen/customization/sts/StsDisableAuthForOperations.kt
@@ -0,0 +1,43 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+package aws.sdk.kotlin.codegen.customization.sts
+
+import aws.sdk.kotlin.codegen.sdkId
+import software.amazon.smithy.kotlin.codegen.KotlinSettings
+import software.amazon.smithy.kotlin.codegen.integration.KotlinIntegration
+import software.amazon.smithy.kotlin.codegen.model.expectShape
+import software.amazon.smithy.model.Model
+import software.amazon.smithy.model.shapes.OperationShape
+import software.amazon.smithy.model.shapes.ServiceShape
+import software.amazon.smithy.model.shapes.ShapeId
+import software.amazon.smithy.model.traits.AuthTrait
+import software.amazon.smithy.model.transform.ModelTransformer
+
+/**
+ * STS needs to have the auth trait manually set to []
+ *
+ * See https://github.com/awslabs/aws-sdk-kotlin/issues/280
+ */
+class StsDisableAuthForOperations : KotlinIntegration {
+
+    private val optionalAuthOperations = setOf(
+        ShapeId.from("com.amazonaws.sts#AssumeRoleWithSAML"),
+        ShapeId.from("com.amazonaws.sts#AssumeRoleWithWebIdentity")
+    )
+
+    override fun enabledForService(model: Model, settings: KotlinSettings): Boolean =
+        model.expectShape<ServiceShape>(settings.service).sdkId == "STS"
+
+    override fun preprocessModel(model: Model, settings: KotlinSettings): Model =
+        ModelTransformer.create()
+            .mapShapes(model) {
+                if (optionalAuthOperations.contains(it.id) && it is OperationShape) {
+                    it.toBuilder().addTrait(AuthTrait(emptySet())).build()
+                } else {
+                    it
+                }
+            }
+}
diff --git a/codegen/smithy-aws-kotlin-codegen/src/main/resources/META-INF/services/software.amazon.smithy.kotlin.codegen.integration.KotlinIntegration b/codegen/smithy-aws-kotlin-codegen/src/main/resources/META-INF/services/software.amazon.smithy.kotlin.codegen.integration.KotlinIntegration
@@ -16,3 +16,4 @@ aws.sdk.kotlin.codegen.customization.polly.PollyPresigner
 aws.sdk.kotlin.codegen.customization.BoxServices
 aws.sdk.kotlin.codegen.customization.glacier.GlacierBodyChecksum
 aws.sdk.kotlin.codegen.customization.machinelearning.MachineLearningEndpointCustomization
+aws.sdk.kotlin.codegen.customization.sts.StsDisableAuthForOperations
diff --git a/services/sts/common/test/aws/sdk/kotlin/services/sts/StsAuthTests.kt b/services/sts/common/test/aws/sdk/kotlin/services/sts/StsAuthTests.kt
@@ -0,0 +1,81 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+package aws.sdk.kotlin.services.sts
+
+import aws.sdk.kotlin.runtime.auth.credentials.Credentials
+import aws.sdk.kotlin.runtime.auth.credentials.StaticCredentialsProvider
+import aws.smithy.kotlin.runtime.http.Headers
+import aws.smithy.kotlin.runtime.http.HttpBody
+import aws.smithy.kotlin.runtime.http.HttpStatusCode
+import aws.smithy.kotlin.runtime.http.engine.HttpClientEngineBase
+import aws.smithy.kotlin.runtime.http.engine.callContext
+import aws.smithy.kotlin.runtime.http.request.HttpRequest
+import aws.smithy.kotlin.runtime.http.response.HttpCall
+import aws.smithy.kotlin.runtime.http.response.HttpResponse
+import aws.smithy.kotlin.runtime.testing.runSuspendTest
+import aws.smithy.kotlin.runtime.time.Instant
+import kotlin.test.Test
+import kotlin.test.assertFalse
+import kotlin.test.assertNotNull
+import kotlin.test.assertTrue
+
+/**
+ * Tests related to STS model and whether requests need to be signed or not
+ */
+class StsAuthTests {
+
+    private val mockEngine = object : HttpClientEngineBase("mock-engine") {
+        var capturedRequest: HttpRequest? = null
+
+        override suspend fun roundTrip(request: HttpRequest): HttpCall {
+            capturedRequest = request
+            val callContext = callContext()
+            val now = Instant.now()
+            return HttpCall(request, HttpResponse(HttpStatusCode.OK, Headers.Empty, HttpBody.Empty), now, now, callContext)
+        }
+    }
+
+    private val credentials = Credentials("ANOTREAL", "notrealrnrELgWzOk3IFjzDKtFBhDby", "notarealsessiontoken")
+
+    @Test
+    fun testAssumeRoleIsSigned(): Unit = runSuspendTest {
+        val client = StsClient {
+            region = "us-east-2"
+            credentialsProvider = StaticCredentialsProvider(credentials)
+            httpClientEngine = mockEngine
+        }
+
+        runCatching { client.assumeRole { } }
+        val request = assertNotNull(mockEngine.capturedRequest)
+        assertTrue(request.headers.contains("AUTHORIZATION"))
+    }
+
+    @Test
+    fun testWebIdentityIsUnsigned(): Unit = runSuspendTest {
+        val client = StsClient {
+            region = "us-east-2"
+            credentialsProvider = StaticCredentialsProvider(credentials)
+            httpClientEngine = mockEngine
+        }
+
+        runCatching { client.assumeRoleWithWebIdentity { } }
+        val request = assertNotNull(mockEngine.capturedRequest)
+        assertFalse(request.headers.contains("AUTHORIZATION"), "assumeRoleWithWebIdentity should not require a signed request")
+    }
+
+    @Test
+    fun testAssumeRoleSamlIsUnsigned(): Unit = runSuspendTest {
+        val client = StsClient {
+            region = "us-east-2"
+            credentialsProvider = StaticCredentialsProvider(credentials)
+            httpClientEngine = mockEngine
+        }
+
+        runCatching { client.assumeRoleWithSaml { } }
+        val request = assertNotNull(mockEngine.capturedRequest)
+        assertFalse(request.headers.contains("AUTHORIZATION"), "assumeRoleWithSaml should not require a signed request")
+    }
+}
