feat(experimentalIdentityAndAuth): customize @aws.auth#sigv4 identity providers for the AWS SDK

Register `AwsCustomizeSigv4AuthPlugin` integration to customize
`@aws.auth#sigv4` to use:

- Browser: a function that throws an error saying `credentials` is
  missing
- Node.js: `decorateDefaultCredentialProvider(credentialDefaultProvider)` from
`@aws-sdk/credential-provider-node` and `aws-sdk/client-sts`.

Author: Steven Yuan

codegen/smithy-aws-typescript-codegen/src/main/java/software/amazon/smithy/aws/typescript/codegen/AddAwsAuthPlugin.java

@@ -55,6 +55,8 @@
 
 /**
  * Configure clients with AWS auth configurations and plugin.
+ *
+ * This is the existing control behavior for `experimentalIdentityAndAuth`.
  */
 @SmithyInternalApi
 public final class AddAwsAuthPlugin implements TypeScriptIntegration {
@@ -65,17 +67,21 @@ public final class AddAwsAuthPlugin implements TypeScriptIntegration {
 
     private static final Logger LOGGER = Logger.getLogger(AddAwsAuthPlugin.class.getName());
 
+    /**
+     * Integration should only be used if `experimentalIdentityAndAuth` flag is false.
+     */
+    @Override
+    public boolean matchesSettings(TypeScriptSettings settings) {
+        return !settings.getExperimentalIdentityAndAuth();
+    }
+
     @Override
     public void addConfigInterfaceFields(
         TypeScriptSettings settings,
         Model model,
         SymbolProvider symbolProvider,
         TypeScriptWriter writer
     ) {
-        if (settings.getExperimentalIdentityAndAuth()) {
-            return;
-        }
-        // feat(experimentalIdentityAndAuth): control branch for @aws.auth#sigv4
         ServiceShape service = settings.getService(model);
         if (!isSigV4Service(service) && isAwsService(service)) {
             ServiceTrait serviceTrait = service.getTrait(ServiceTrait.class).get();
@@ -124,14 +130,12 @@ public List<RuntimeClientPlugin> getClientPlugins() {
                             && isAwsService(s)
                             && !testServiceId(s, "STS")
                             && !areAllOptionalAuthOperations(m, s))
-                    .settingsPredicate((m, s, settings) -> !settings.getExperimentalIdentityAndAuth())
                     .build(),
             RuntimeClientPlugin.builder()
                     .withConventions(AwsDependency.MIDDLEWARE_SIGNING.dependency, "SigV4Auth", HAS_CONFIG)
                     .servicePredicate((m, s) -> isSigV4Service(s)
                             && !isAwsService(s)
                             && !areAllOptionalAuthOperations(m, s))
-                    .settingsPredicate((m, s, settings) -> !settings.getExperimentalIdentityAndAuth())
                     .build(),
             RuntimeClientPlugin.builder()
                     .withConventions(AwsDependency.STS_MIDDLEWARE.dependency,
@@ -140,7 +144,6 @@ && isAwsService(s)
                         put("stsClientCtor", Symbol.builder().name("STSClient").build());
                     }})
                     .servicePredicate((m, s) -> testServiceId(s, "STS"))
-                    .settingsPredicate((m, s, settings) -> !settings.getExperimentalIdentityAndAuth())
                     .build(),
             RuntimeClientPlugin.builder()
                     .withConventions(AwsDependency.MIDDLEWARE_SIGNING.dependency, "AwsAuth", HAS_MIDDLEWARE)
@@ -149,29 +152,25 @@ && isAwsService(s)
                             && isAwsService(s)
                             && !testServiceId(s, "STS")
                             && !hasOptionalAuthOperation(m, s))
-                    .settingsPredicate((m, s, settings) -> !settings.getExperimentalIdentityAndAuth())
                     .build(),
             RuntimeClientPlugin.builder()
                     .withConventions(AwsDependency.MIDDLEWARE_SIGNING.dependency, "SigV4Auth", HAS_MIDDLEWARE)
                     // See operationUsesAwsAuth() below for AwsAuth Middleware customizations.
                     .servicePredicate((m, s) -> isSigV4Service(s)
                             && !isAwsService(s)
                             && !hasOptionalAuthOperation(m, s))
-                    .settingsPredicate((m, s, settings) -> !settings.getExperimentalIdentityAndAuth())
                     .build(),
             RuntimeClientPlugin.builder()
                     .withConventions(AwsDependency.MIDDLEWARE_SIGNING.dependency, "AwsAuth", HAS_MIDDLEWARE)
                     .operationPredicate((m, s, o) -> isSigV4Service(s)
                             && isAwsService(s)
                             && operationUsesAwsAuth(m, s, o))
-                    .settingsPredicate((m, s, settings) -> !settings.getExperimentalIdentityAndAuth())
                     .build(),
             RuntimeClientPlugin.builder()
                     .withConventions(AwsDependency.MIDDLEWARE_SIGNING.dependency, "SigV4Auth", HAS_MIDDLEWARE)
                     .operationPredicate((m, s, o) -> isSigV4Service(s)
                             && !isAwsService(s)
                             && operationUsesAwsAuth(m, s, o))
-                    .settingsPredicate((m, s, settings) -> !settings.getExperimentalIdentityAndAuth())
                     .build()
 
         );
@@ -184,10 +183,6 @@ public Map<String, Consumer<TypeScriptWriter>> getRuntimeConfigWriters(
         SymbolProvider symbolProvider,
         LanguageTarget target
     ) {
-        if (settings.getExperimentalIdentityAndAuth()) {
-            return Collections.emptyMap();
-        }
-        // feat(experimentalIdentityAndAuth): control branch for @aws.auth#sigv4
         ServiceShape service = settings.getService(model);
         if (!isSigV4Service(service) || areAllOptionalAuthOperations(model, service)) {
             return Collections.emptyMap();
@@ -234,10 +229,6 @@ public Map<String, Consumer<TypeScriptWriter>> getRuntimeConfigWriters(
 
     @Override
     public void customize(TypeScriptCodegenContext codegenContext) {
-        if (codegenContext.settings().getExperimentalIdentityAndAuth()) {
-            return;
-        }
-        // feat(experimentalIdentityAndAuth): control branch for @aws.auth#sigv4
         TypeScriptSettings settings = codegenContext.settings();
         Model model = codegenContext.model();
         BiConsumer<String, Consumer<TypeScriptWriter>> writerFactory = codegenContext.writerDelegator()::useFileWriter;

codegen/smithy-aws-typescript-codegen/src/main/java/software/amazon/smithy/aws/typescript/codegen/auth/http/integration/AwsCustomizeSigv4AuthPlugin.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package software.amazon.smithy.aws.typescript.codegen.auth.http.integration;
+
+import java.util.List;
+import software.amazon.smithy.aws.traits.auth.SigV4Trait;
+import software.amazon.smithy.aws.typescript.codegen.AwsDependency;
+import software.amazon.smithy.typescript.codegen.LanguageTarget;
+import software.amazon.smithy.typescript.codegen.TypeScriptSettings;
+import software.amazon.smithy.typescript.codegen.auth.http.HttpAuthScheme;
+import software.amazon.smithy.typescript.codegen.auth.http.SupportedHttpAuthSchemesIndex;
+import software.amazon.smithy.typescript.codegen.auth.http.integration.AddSigV4AuthPlugin;
+import software.amazon.smithy.typescript.codegen.auth.http.integration.HttpAuthTypeScriptIntegration;
+
+/**
+ * Customize @aws.auth#sigv4 for AWS SDKs.
+ *
+ * This is the experimental behavior for `experimentalIdentityAndAuth`.
+ */
+public class AwsCustomizeSigv4AuthPlugin implements HttpAuthTypeScriptIntegration {
+
+    /**
+     * Integration should only be used if `experimentalIdentityAndAuth` flag is true.
+     */
+    @Override
+    public boolean matchesSettings(TypeScriptSettings settings) {
+        return settings.getExperimentalIdentityAndAuth();
+    }
+
+    /**
+     * Run after default AddSigV4AuthPlugin.
+     */
+    @Override
+    public List<String> runAfter() {
+        return List.of(AddSigV4AuthPlugin.class.getCanonicalName());
+    }
+
+    @Override
+    public void customizeSupportedHttpAuthSchemes(SupportedHttpAuthSchemesIndex supportedHttpAuthSchemesIndex) {
+        HttpAuthScheme authScheme = supportedHttpAuthSchemesIndex.getHttpAuthScheme(SigV4Trait.ID).toBuilder()
+            // Current behavior of unconfigured `credentials` is to throw an error.
+            // This may need to be customized if a service is released with multiple auth schemes.
+            .putDefaultIdentityProvider(LanguageTarget.BROWSER, w ->
+                w.write("async () => { throw new Error(\"`credentials` is missing\"); }"))
+            // Use `@aws-sdk/credential-provider-node` with `@aws-sdk/client-sts` as the
+            // default identity provider chain for Node.js
+            .putDefaultIdentityProvider(LanguageTarget.NODE, w -> {
+                w.addDependency(AwsDependency.STS_CLIENT);
+                w.addImport("decorateDefaultCredentialProvider", null, AwsDependency.STS_CLIENT);
+                w.addDependency(AwsDependency.CREDENTIAL_PROVIDER_NODE);
+                w.addImport("defaultProvider", "credentialDefaultProvider",
+                    AwsDependency.CREDENTIAL_PROVIDER_NODE);
+                w.write("decorateDefaultCredentialProvider(credentialDefaultProvider)");
+            })
+            .build();
+        supportedHttpAuthSchemesIndex.putHttpAuthScheme(authScheme.getSchemeId(), authScheme);
+    }
+}

codegen/smithy-aws-typescript-codegen/src/main/resources/META-INF/services/software.amazon.smithy.typescript.codegen.integration.TypeScriptIntegration

@@ -23,4 +23,5 @@ software.amazon.smithy.aws.typescript.codegen.AddCrossRegionCopyingPlugin
 software.amazon.smithy.aws.typescript.codegen.AddDocumentClientPlugin
 software.amazon.smithy.aws.typescript.codegen.AddEndpointDiscoveryPlugin
 software.amazon.smithy.aws.typescript.codegen.AddHttpChecksumDependency
-software.amazon.smithy.aws.typescript.codegen.AddEventBridgePlugin
+software.amazon.smithy.aws.typescript.codegen.AddEventBridgePlugin
+software.amazon.smithy.aws.typescript.codegen.auth.http.integration.AwsCustomizeSigv4AuthPlugin