Adding functionality to config preferred authschemeProvider #6083

Open
wants to merge 15 commits into
base: master

@RanVaknin RanVaknin commented May 2, 2025

Motivation and Context

Previously, when multiple auth schemes were available for an operation, the SDK would choose the first one defined in the service model. This PR implements the auth scheme preference configuration that allows users to specify their preferred authentication schemes in order of preference when multiple auth schemes are supported.

Example usage:

// Via client configuration in code
MyServiceClient client = MyServiceClient.builder()
    .authSchemeProvider(MyServiceAuthSchemeProvider.builder()
        .withPreferredAuthSchemes(Arrays.asList("sigv4", "sigv4a"))
        .build())
    .build();

// Via JVM properties:
// in code
System.setProperty("aws.authSchemePreference", "sigv4,sigv4a");
// or as a cmd line argument
java -Daws.authSchemePreference=sigv4,sigv4a -jar your-application.jar

// Via Environment variable:
export AWS_AUTH_SCHEME_PREFERENCE=sigv4,sigv4a

// Via AWS config file (~/.aws/config):
[default]
auth_scheme_preference = sigv4,sigv4a

Modifications

  • [Modified] client builders to read and apply auth scheme preferences

  • [Modified] the auth scheme resolution logic to respect user preferences while maintaining backward compatibility

  • [Added] AuthSchemePreferenceProvider class to resolve auth scheme preferences from various sources:

    • Client configuration
    • JVM system properties (aws.authSchemePreference)
    • Environment variables (AWS_AUTH_SCHEME_PREFERENCE)
    • AWS config file (auth_scheme_preference)
  • [Added] code generation support through PreferredAuthSchemeProviderSpec to generate service-specific auth scheme providers

Testing

  • AuthSchemePreferenceProviderTest verifies proper parsing of auth scheme preferences from different formats (spaces, tabs, etc.)

  • PreferredAuthSchemeProviderTest to test the reordering of auth schemes according to preferences
    comprehensive test cases for preference resolution from multiple sources, verifying proper precedence:

  • Stubbed functional test with mock services to verify the selected auth scheme matches the expected preference in actual requests
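
The parsing and reordering described above, as an added example that is not code from this PR or from the SDK. The class and method names are hypothetical, the scheme IDs are constructed sample values, and it assumes that schemes not named in the preference keep their service-model order after the preferred ones.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

public class AuthSchemePreferenceExample {
    // "sigv4,\tsigv4a " -> [sigv4, sigv4a]; null, blank input and empty entries yield nothing.
    static List<String> parsePreference(String raw) {
        if (raw == null) {
            return new ArrayList<>();
        }
        return Arrays.stream(raw.split(","))
                     .map(String::trim)
                     .filter(s -> !s.isEmpty())
                     .collect(Collectors.toList());
    }

    // "aws.auth#sigv4" -> "sigv4"; an ID without '#' is returned unchanged.
    static String shortName(String schemeId) {
        return schemeId.substring(schemeId.lastIndexOf('#') + 1);
    }

    // Preferred schemes first, in preference order; the rest keep their model order (assumption).
    static List<String> reorder(List<String> modelOrder, List<String> preferred) {
        List<String> result = new ArrayList<>();
        for (String name : preferred) {
            for (String candidate : modelOrder) {
                if (shortName(candidate).equals(name) && !result.contains(candidate)) {
                    result.add(candidate);
                }
            }
        }
        for (String candidate : modelOrder) {
            if (!result.contains(candidate)) {
                result.add(candidate);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: scheme IDs in the order a service model might list them.
        List<String> modelOrder = Arrays.asList("aws.auth#sigv4a", "aws.auth#sigv4", "smithy.api#httpBearerAuth");
        System.out.println(reorder(modelOrder, parsePreference(" sigv4,\tsigv4a ")));
        System.out.println(reorder(modelOrder, parsePreference("unknown,,")));
        System.out.println(reorder(modelOrder, parsePreference(null)));
    }
}
```

An unknown or empty preference leaves the model order untouched, so a typo in `AWS_AUTH_SCHEME_PREFERENCE` falls back to the previous default rather than failing the request.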

@RanVaknin RanVaknin force-pushed the rvaknin/auth-schem-preference-config branch from 362e5f3 to f18fcc2 Compare May 5, 2025 02:22
@alextwoods alextwoods mentioned this pull request May 23, 2025
12 tasks

Quality Gate failed

Failed conditions
69.3% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@RanVaknin RanVaknin marked this pull request as ready for review May 26, 2025 04:51
@RanVaknin RanVaknin requested a review from a team as a code owner May 26, 2025 04:51
@@ -1,27 +1,15 @@
/*

Is there any reason we are removing copyright?

return new QueryAuthSchemeProviderBuilder();
}

interface Builder {

import software.amazon.awssdk.utils.Lazy;

@SdkProtectedApi
public class AuthSchemePreferenceProvider {

final

import software.amazon.awssdk.utils.Lazy;

@SdkProtectedApi
public class AuthSchemePreferenceProvider {

Comment on lines +123 to +127
try {
client.multiAuthWithOnlySigv4aAndSigv4(MultiAuthWithOnlySigv4AAndSigv4Request.builder().build());
} catch (AutSchemeCapturingInterceptor.CaptureException e) {
// expected
}
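
Review bot: the try/catch around client.multiAuthWithOnlySigv4aAndSigv4(...) also passes when no CaptureException is thrown, so the test cannot tell whether the capturing interceptor ran at all. Fail explicitly after the call or assert on the thrown exception. AutSchemeCapturingInterceptor also looks like a typo for AuthSchemeCapturingInterceptor.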

Can we use assertThatThrownBy

Comment on lines +110 to +119
private static List<String> parseAuthSchemeList(String unformattedList) {
if (unformattedList == null) {
return Collections.emptyList();
}

unformattedList = unformattedList.replaceAll("\\s+", "");
String[] splitByTabs = unformattedList.split("\t");
String finalFormat = String.join("", splitByTabs);
return Arrays.asList(finalFormat.split(","));
}
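
Review bot: the final finalFormat.split(",") returns a one-element list containing an empty string when the input is empty or whitespace only, and keeps empty entries for inputs such as "sigv4,,sigv4a", so callers receive "" as a preferred scheme instead of an empty list. Filter out empty tokens before returning. The split("\t") and String.join lines are dead code as well, because replaceAll("\\s+", "") has already removed every tab.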

Would this work? "\\s+" should handle tab.

   private static List<String> parseAuthSchemeList(String unformattedList) {
       if (unformattedList == null) {
           return Collections.emptyList();
       }

       return Arrays.asList(unformattedList.replaceAll("\\s+", "").split(","));
   }

import software.amazon.awssdk.codegen.poet.PoetUtils;
import software.amazon.awssdk.utils.CollectionUtils;

public class PreferredAuthSchemeProviderSpec implements ClassSpec {

Can we add test case for this class?

Comment on lines +92 to +94
b.addStatement("String candidateSchemeName = candidate.schemeId().contains(\"#\") ? " +
"candidate.schemeId().split(\"#\")[1] : candidate.schemeId()");
b.addStatement("return candidateSchemeName.equals(preferredSchemeId)");
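
Review bot: candidate.schemeId().split("#")[1] in the generated statement throws ArrayIndexOutOfBoundsException for an ID that ends in "#", because split drops trailing empty strings, and it returns only the middle segment when the ID contains more than one "#". Taking the substring after the last "#" avoids both cases. A short comment in the generated code on why the prefix before "#" is stripped before comparing with preferredSchemeId would also help.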

Just curious, why do we need to handle # here?

}

@ParameterizedTest
@MethodSource("schemeParsingCases")

nit: can we add a test name for each parameter?

return new QueryAuthSchemeProviderBuilder();
}

interface Builder {

Missing javadoc and NotThreadSafe annotation

3 participants