Prerequisites to Enable smithy client

[sbera87]

Issue #, if available:

Description of changes:
This set of changes are needed to enable Smithy client for S3 with applicable backwards compatible changes.

• Relevant s3 smithy code generation from PR: Smithy Identity and Auth Refactor (S3) - Rollback Fixed #3298
• Added legacy APIs in smithy client for backwards compatibility
• Modify Generate Presigned URL to be smithy compliant workflow

Check all that applies:

• Did a review by yourself.
• Added proper tests to cover this PR. (If tests are not applicable, explain.)
• Checked if this PR is a breaking (APIs have been changed) change.
• Checked if this PR will not introduce cross-platform inconsistent behavior.
• Checked if this PR would require a ReadMe/Wiki update.

Check which platforms you have built SDK on to verify the correctness of this PR.

• Linux
• Windows
• Android
• MacOS
• IOS
• Other Platforms

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[sbera87]

just added code block under null guard since in requestless cases, this is currently not created in requestless call flow.
This is done to emulate legacy behavior:
with request case:

aws-sdk-cpp/src/aws-cpp-sdk-core/source/client/AWSClient.cpp

Line 549 in 44dacf9

InterceptorContext context{request};

vs

request less case:

aws-sdk-cpp/src/aws-cpp-sdk-core/source/client/AWSClient.cpp

Line 616 in 44dacf9

HttpResponseOutcome AWSClient::AttemptOneRequest(const std::shared_ptr<Aws::Http::HttpRequest>& httpRequest,

[sbera87]

This helper abstracts endpoint resolution into a callback and is invoked contextually by different variations of APIs used for backwards compatibilty

[sbera87]

Changes to resolve endpoint after select auth scheme

[sbera87]

This is added to make the backwards compatible api functional.
In legacy client, signer name passed was used to fetch the signer object via
auto signer = GetSignerByName(signerName);
In smithy design, this name passed is simply re-mapped and used to filter desired auth scheme (with requested signer) from list of supported auth schemes

[sbiscigl]

This is added to make the backwards compatible api functional.

This is really confusing me, you say we added this for backwards compatibility, but then we don't declare GetSignerByName so we break backwards incompatibility with that

i.e. this compiles before but is broken after. So why are we doing something for backwards compatibility, then we are actually breaking backwards compatibility?

#include <aws/core/Aws.h>
#include <aws/s3/S3Client.h>

using namespace Aws;
using namespace Aws::S3;

class MyS3Client : public Aws::S3::S3Client {
public:
  MyS3Client() = default;
  ~MyS3Client() override = default;
  void Foo() {
    std::cout << this->GetSignerByName("some_name") << std::endl;
  }
};

auto main() -> int {
  SDKOptions options{};
  options.loggingOptions.logLevel = Aws::Utils::Logging::LogLevel::Debug;
  InitAPI(options);
  {
    MyS3Client client{};
    client.Foo();
  }
  ShutdownAPI(options);
  return 0;
}

[sbera87]

Legacy APIs that need to be supported as external clients found to use some variations.

[sbiscigl]

can we move this to a different class? its makes it hard to understand what is going on here if we add them in the smithy client, move it to a new class then have the smithy client just reference it. we do not want to copy and paste the old work flow into the new one.

[sbera87]

Actually, The interface is old which we have to maintain for backwards compatibility, but internally, it follows the same design as smithy MakeRequestDeserialize API, i.e use executor to submit an Async API implementation with resolve endpoint action as a callback and then deserialize the outcome .

In this example the call flow is: MakeRequest -> MakeRequestWithUriAsync -> MakeRequestAsyncHelper

[sbera87]

Needed to ensure backwards compatibility . External clients use AwsError as a templated type

[sbera87]

Needed as External Users use this

[sbera87]

Interface updated to facilitate legacy API usage where endpoint may not be available

[sbiscigl]

I think we've got a maintainibilty issue here. You've more or less copy and pasted AWSClient into the SmithyClient, which I don't think is the way forward here. If we want to maintain backward compatible interfaces for newer clients we should maintain the interface, but not copy and paste the code directly.

[sbiscigl]

so SmithyS3ExpressIdentityProvider and S3ExpressIdentityProvider are more or less the same thing, and we really should only have one, could we make this a CRT Variant so that either could be provided and we internally can choose what do differently based on which type is present? having two of the same configuration seems misleading.

[sbera87]

Though the functionality is achieved the same, the interfaces are different and hence added to support both old and new
class AWS_S3_API S3ExpressIdentityProvider : public smithy::IdentityResolverBase<S3ExpressIdentity>
vs
class AWS_S3_API SmithyS3ExpressIdentityProvider : public smithy::IdentityResolverBase<smithy::AwsCredentialIdentityBase>

I have made changes in next commit to address this so that there is only one identity provider supplier as before.

[sbiscigl]

why are we returning sigv4 instead of a empty list?

[sbera87]

This is to address existing test cases like
TEST_F(BucketAndObjectOperationTest, TestS3AccessPointARN)

S3Client s3Client(config); GetObjectRequest getObjectRequest; getObjectRequest.SetBucket(bucketArn); getObjectRequest.SetKey("fakeObjectKey"); auto getObjectOutcome = s3Client.GetObject(getObjectRequest); ASSERT_FALSE(getObjectOutcome.IsSuccess());

when auth scheme is not found we currently have an assertion for builds which don't strip away asserts.
assert(authSchemeOptionIt != authSchemeOptions.end());
The fallback is added to not hit this assertion. without this it exits with a different core error and not the expected CoreErrors::ENDPOINT_RESOLUTION_FAILURE in the legacy test case.
This core error is only returned when resolve endpoint fails which in smithy workflow happens after select auth schemes.

[sbiscigl]

that doesnt make sense, this should return a empty list. doing something because "it makes a test pass" is not a good reason for a implementation detail

get object shuold be using a auth scheme that is recognized, why isnt it.

[sbiscigl]

per the SRA

The result is a list of authentication schemes, in order of preference, that should be used for the request. The SDK will choose the first scheme that it supports, or fail the request if no schemes are supported.

so why are we returning a single auth scheme option? we should be returning the list of auth scheme options that are supported, then we choose the first one after we call.

[sbera87]

So, its a vector of one for the appropriate scheme id. If you see smithy v4, v4a authscheme resolvers they return respective vector of one authscheme options. Since this is a child of multi auth scheme resolver it simply uses if else condition block for the different scheme ids.

[sbiscigl]

So, its a vector of one for the appropriate scheme id.

no you should be returning a vector of supported auth schemes, and using the first supported one. i.e. if you are using v4a it should return [v4a, v4] then the caller gets to decide which one is supported, thats the way the interface is supposed to wok

[sbiscigl]

your code change is changing formatting on unchanged lines -- please fix

[sbera87]

I double checked. This honors the indentation used in the new smithy code gen template. Changing this will impact other smithy clients too.

[sbiscigl]

well if it was a problem before we should fix it, it doesnt honor the correct indentation, please fix it

[sbera87]

As discussed, this is just the change smithy codegen brings with own consistent indentation that it is consistent with
.

[sbiscigl]

why is the string "bucket" here? the client is not aware of what a bucket is, there are several other presigned operations that exist and do not fit into this paradigm.

[sbera87]

The above example is already handled in another PR (where other rest xml clients use the API you mentioned.) This PR deals with S3 related changes only

[sbera87]

I have made changes to this to eliminate bucket from the interface

[sbiscigl]

This is added to make the backwards compatible api functional.

This is really confusing me, you say we added this for backwards compatibility, but then we don't declare GetSignerByName so we break backwards incompatibility with that

i.e. this compiles before but is broken after. So why are we doing something for backwards compatibility, then we are actually breaking backwards compatibility?

#include <aws/core/Aws.h>
#include <aws/s3/S3Client.h>

using namespace Aws;
using namespace Aws::S3;

class MyS3Client : public Aws::S3::S3Client {
public:
  MyS3Client() = default;
  ~MyS3Client() override = default;
  void Foo() {
    std::cout << this->GetSignerByName("some_name") << std::endl;
  }
};

auto main() -> int {
  SDKOptions options{};
  options.loggingOptions.logLevel = Aws::Utils::Logging::LogLevel::Debug;
  InitAPI(options);
  {
    MyS3Client client{};
    client.Foo();
  }
  ShutdownAPI(options);
  return 0;
}

[sbiscigl]

what backwards compatible APIs?

[sbiscigl]

can we move this to a different class? its makes it hard to understand what is going on here if we add them in the smithy client, move it to a new class then have the smithy client just reference it. we do not want to copy and paste the old work flow into the new one.

[sbiscigl]

you've more or less copy and pasted the old code into the new class, this is not what we want. this diverges the flow significantly. these functions should_call MakeRequestDeserialize and should not diverge the call path. This is just creating both clients in a a single class. we should defer calling to the new methods and emit a warning log about calling these methods directly.

[sbera87]

Its actually new code in old interface. But, I have changed all the legacy APIs to call MakeRequestDeserialize and moved them to a different class using CRTP pattern in smithy client

[sbiscigl]

So, its a vector of one for the appropriate scheme id.

no you should be returning a vector of supported auth schemes, and using the first supported one. i.e. if you are using v4a it should return [v4a, v4] then the caller gets to decide which one is supported, thats the way the interface is supposed to wok

[sbiscigl]

that doesnt make sense, this should return a empty list. doing something because "it makes a test pass" is not a good reason for a implementation detail

get object shuold be using a auth scheme that is recognized, why isnt it.

[sbiscigl]

well if it was a problem before we should fix it, it doesnt honor the correct indentation, please fix it

[sbiscigl]

remove the static pointer class it should not be needed

[sbera87]

For the return auth schemes list comment, we can't return all the auth schemes indiscriminately in a list for multi auth case. For the multi auth support, we do a resolve endpoint twice, the first time happens in select auth scheme.

Based on the auth scheme from endpoint, we build the list as aforementioned. What you are referring to as pick the first supported auth scheme actually happens here inside the resolver. This was done based on previous PR comments to move this auth scheme vector selection inside the auth scheme resolver class from smithy client class (else it would end up doing double endpoint resolution for all clients and not just S3).

So, for the negative test case I mentioned, epResolutionOutcome is not a success and hence we have empty auth schemes list which would trigger the assertion

[sbera87]

Removed the cast in next commit

[sbiscigl]

niiiiiiiiiiiice, i like this a lot