feat: Support auth scheme preference list (#934)

Author: dayaffe

Package.swift

@@ -270,6 +270,10 @@ let package = Package(
             name: "SmithyHTTPAuthTests",
             dependencies: ["SmithyHTTPAuth", "SmithyHTTPAPI", "Smithy", "SmithyIdentity", "ClientRuntime"]
         ),
+        .testTarget(
+            name: "SmithyHTTPAuthAPITests",
+            dependencies: ["SmithyHTTPAuthAPI", "Smithy", "ClientRuntime"]
+        ),
         .testTarget(
             name: "SmithyJSONTests",
             dependencies: ["SmithyJSON", "ClientRuntime", "SmithyTestUtil"]

Sources/SmithyHTTPAuthAPI/ReprioritizeAuthOptions.swift

@@ -0,0 +1,44 @@
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+/// Reprioritize a resolved list of auth options based on a user's preference list
+/// - Parameters:
+///   - authSchemePreference: List of preferred auth scheme IDs
+///   - authOptions: List of auth options to prioritize
+/// - Returns: A new list of auth options with preferred options first, followed by non-preferred options
+public extension AuthSchemeResolver {
+    func reprioritizeAuthOptions(authSchemePreference: [String]?, authOptions: [AuthOption]) -> [AuthOption] {
+        // Add preferred candidates first
+        let preferredAuthOptions: [AuthOption]
+
+        // For comparison, only use the scheme ID with the namespace prefix trimmed.
+        if let authSchemePreference {
+            preferredAuthOptions = authSchemePreference.compactMap { preferredSchemeID in
+                let preferredSchemeName = normalizedSchemeName(preferredSchemeID)
+                return authOptions.first { option in
+                    normalizedSchemeName(option.schemeID) == preferredSchemeName
+                }
+            }
+        } else {
+            preferredAuthOptions = []
+        }
+
+        // Add any remaining candidates that weren't in the preference list
+        let nonPreferredAuthOptions = authOptions.filter { option in
+            !preferredAuthOptions.contains { preferred in
+                normalizedSchemeName(preferred.schemeID) == normalizedSchemeName(option.schemeID)
+            }
+        }
+
+        return preferredAuthOptions + nonPreferredAuthOptions
+    }
+
+    // Trim namespace prefix from scheme ID
+    // Ex. aws.auth#sigv4 -> sigv4
+    func normalizedSchemeName(_ schemeID: String) -> String {
+        return schemeID.split(separator: "#").last.map(String.init) ?? schemeID
+    }
+}

Sources/SmithyIdentityAPI/Context/Context+AuthSchemePreference.swift

@@ -0,0 +1,44 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import struct Smithy.Attributes
+import struct Smithy.AttributeKey
+import class Smithy.Context
+import class Smithy.ContextBuilder
+
+extension Context {
+    /// Gets the auth scheme preference list from the context.
+    /// - Returns: An array of auth scheme IDs in priority order, or nil if not set.
+    public func getAuthSchemePreference() -> [String]? {
+        get(key: authSchemePreferenceKey)
+    }
+}
+
+extension ContextBuilder {
+    /// Removes the auth scheme preference from the context.
+    /// - Returns: Self for method chaining.
+    @discardableResult
+    public func removeAuthSchemePreference() -> Self {
+        attributes.remove(key: authSchemePreferenceKey)
+        return self
+    }
+
+    /// Sets the auth scheme priority from a preference list of IDs.
+    @discardableResult
+    public func withAuthSchemePreference(value: [String]?) -> Self {
+        if value?.isEmpty ?? true {
+            // If value in empty array, remove the attributes
+            attributes.remove(key: authSchemePreferenceKey)
+        } else {
+            attributes.set(key: authSchemePreferenceKey, value: value)
+        }
+        return self
+    }
+}
+
+// Private attribute keys
+private let authSchemePreferenceKey = AttributeKey<[String]>(name: "AuthSchemePreference")

Tests/SmithyHTTPAuthAPITests/ReprioritizeAuthOptionsTests.swift

@@ -0,0 +1,128 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+@testable import SmithyHTTPAuthAPI
+import class Smithy.Context
+import XCTest
+
+/// A dummy resolver to exercise the AuthSchemeResolver extension
+private struct DummyAuthSchemeResolver: AuthSchemeResolver {
+    func resolveAuthScheme(params: AuthSchemeResolverParameters) throws -> [AuthOption] {
+        // Not used in reprioritizeAuthOptions tests
+        return []
+    }
+
+    func constructParameters(context: Context) throws -> AuthSchemeResolverParameters {
+        // Not used in reprioritizeAuthOptions tests
+        fatalError("constructParameters() is not implemented for tests")
+    }
+}
+
+final class AuthSchemeResolverTests: XCTestCase {
+    private var resolver: DummyAuthSchemeResolver!
+
+    override func setUp() {
+        super.setUp()
+        resolver = DummyAuthSchemeResolver()
+    }
+
+    override func tearDown() {
+        resolver = nil
+        super.tearDown()
+    }
+
+    // Manual Auth Schemes Configuration Tests
+
+    /// Row 1: Supported Auth contains sigv4 and sigv4a, service trait contains sigv4 and sigv4a
+    func testManualConfigRow1() {
+        let options = [
+            AuthOption(schemeID: "aws.auth#sigv4"),
+            AuthOption(schemeID: "aws.auth#sigv4a")
+        ]
+
+        // No preference list - should maintain original order
+        let resultNoPreference = resolver.reprioritizeAuthOptions(authSchemePreference: nil, authOptions: options)
+        XCTAssertEqual(resultNoPreference.map { $0.schemeID }, ["aws.auth#sigv4", "aws.auth#sigv4a"])
+
+        // Empty preference list - should maintain original order
+        let resultEmptyPreference = resolver.reprioritizeAuthOptions(authSchemePreference: [], authOptions: options)
+        XCTAssertEqual(resultEmptyPreference.map { $0.schemeID }, ["aws.auth#sigv4", "aws.auth#sigv4a"])
+
+        // Resolved auth should be sigv4
+        let preference = ["sigv4"]
+        let result = resolver.reprioritizeAuthOptions(authSchemePreference: preference, authOptions: options)
+        XCTAssertEqual(result.first?.schemeID, "aws.auth#sigv4")
+    }
+
+    /// Row 2: Service trait has sigv4, sigv4a; preference list has sigv4a
+    func testManualConfigRow2() {
+        let options = [
+            AuthOption(schemeID: "aws.auth#sigv4"),
+            AuthOption(schemeID: "aws.auth#sigv4a")
+        ]
+        let preference = ["sigv4a"]
+        let result = resolver.reprioritizeAuthOptions(authSchemePreference: preference, authOptions: options)
+        XCTAssertEqual(result.first?.schemeID, "aws.auth#sigv4a")
+    }
+
+    /// Row 3: Service trait has sigv4, sigv4a; preference list has sigv4a, sigv4
+    func testManualConfigRow3() {
+        let options = [
+            AuthOption(schemeID: "aws.auth#sigv4"),
+            AuthOption(schemeID: "aws.auth#sigv4a")
+        ]
+        let preference = ["sigv4a", "sigv4"]
+        let result = resolver.reprioritizeAuthOptions(authSchemePreference: preference, authOptions: options)
+        let expectedOrder = ["aws.auth#sigv4a", "aws.auth#sigv4"]
+        XCTAssertEqual(result.map { $0.schemeID }, expectedOrder)
+    }
+
+    /// Row 4: Service trait has only sigv4; preference list has sigv4a
+    func testManualConfigRow4() {
+        let options = [
+            AuthOption(schemeID: "aws.auth#sigv4")
+        ]
+        let preference = ["sigv4a"]
+        let result = resolver.reprioritizeAuthOptions(authSchemePreference: preference, authOptions: options)
+        // Since sigv4a is not available, should return sigv4
+        XCTAssertEqual(result.map { $0.schemeID }, ["aws.auth#sigv4"])
+    }
+
+    /// Row 5: Service trait has sigv4, sigv4a; operation trait has sigv4
+    func testManualConfigRow5() {
+        // When operation trait specifies sigv4, only sigv4 should be available
+        let options = [
+            AuthOption(schemeID: "aws.auth#sigv4")
+        ]
+        let preference = ["sigv4a"]
+        let result = resolver.reprioritizeAuthOptions(authSchemePreference: preference, authOptions: options)
+        XCTAssertEqual(result.map { $0.schemeID }, ["aws.auth#sigv4"])
+    }
+
+    /// Row 6: Service trait has sigv4, sigv4a; preference list has sigv4a
+    func testManualConfigRow6() {
+        let options = [
+            AuthOption(schemeID: "aws.auth#sigv4"),
+            AuthOption(schemeID: "aws.auth#sigv4a")
+        ]
+        let preference = ["sigv4a"]
+        let result = resolver.reprioritizeAuthOptions(authSchemePreference: preference, authOptions: options)
+        XCTAssertEqual(result.first?.schemeID, "aws.auth#sigv4a")
+    }
+
+    /// Row 7: Service trait has sigv4, sigv4a; preference list has sigv3
+    func testManualConfigRow7() {
+        let options = [
+            AuthOption(schemeID: "aws.auth#sigv4"),
+            AuthOption(schemeID: "aws.auth#sigv4a")
+        ]
+        let preference = ["sigv3"]
+        let result = resolver.reprioritizeAuthOptions(authSchemePreference: preference, authOptions: options)
+        // Since sigv3 is not available, should maintain original order
+        XCTAssertEqual(result.map { $0.schemeID }, ["aws.auth#sigv4", "aws.auth#sigv4a"])
+    }
+}

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/AuthSchemeResolverGenerator.kt

@@ -137,6 +137,8 @@ class AuthSchemeResolverGenerator {
                 defaultResolverName,
                 serviceSpecificAuthResolverProtocol,
             ) {
+                write("")
+                renderInit(writer)
                 write("")
                 renderResolveAuthSchemeMethod(serviceIndex, ctx, writer)
                 write("")
@@ -149,6 +151,19 @@ class AuthSchemeResolverGenerator {
         }
     }
 
+    private fun renderInit(writer: SwiftWriter) {
+        writer.apply {
+            write("public let authSchemePreference: [String]")
+            write("")
+            openBlock(
+                "public init(authSchemePreference: [String] = []) {",
+                "}",
+            ) {
+                write("self.authSchemePreference = authSchemePreference")
+            }
+        }
+    }
+
     private fun renderResolveAuthSchemeMethod(
         serviceIndex: ServiceIndex,
         ctx: ProtocolGenerator.GenerationContext,
@@ -175,8 +190,8 @@ class AuthSchemeResolverGenerator {
                 }
                 // Render switch block
                 renderSwitchBlock(serviceIndex, ctx, writer)
-                // Return result
-                write("return validAuthOptions")
+                // Call reprioritizeAuthOptions and return result
+                write("return self.reprioritizeAuthOptions(authSchemePreference: authSchemePreference, authOptions: validAuthOptions)")
             }
         }
     }

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/config/DefaultHttpClientConfiguration.kt

@@ -16,6 +16,7 @@ import software.amazon.smithy.swift.codegen.swiftmodules.ClientRuntimeTypes
 import software.amazon.smithy.swift.codegen.swiftmodules.SmithyHTTPAPITypes
 import software.amazon.smithy.swift.codegen.swiftmodules.SmithyHTTPAuthAPITypes
 import software.amazon.smithy.swift.codegen.swiftmodules.SmithyIdentityTypes
+import software.amazon.smithy.swift.codegen.swiftmodules.SwiftTypes
 import software.amazon.smithy.swift.codegen.utils.AuthUtils
 
 class DefaultHttpClientConfiguration : ClientConfiguration {
@@ -41,6 +42,7 @@ class DefaultHttpClientConfiguration : ClientConfiguration {
                 { it.format("\$N.defaultHttpClientConfiguration", ClientRuntimeTypes.Core.ClientConfigurationDefaults) },
             ),
             ConfigProperty("authSchemes", SmithyHTTPAuthAPITypes.AuthSchemes.toOptional(), AuthUtils(ctx).authSchemesDefaultProvider),
+            ConfigProperty("authSchemePreference", SwiftTypes.StringList.toOptional(), { "nil" }),
             ConfigProperty(
                 "authSchemeResolver",
                 SmithyHTTPAuthAPITypes.AuthSchemeResolver,

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/middleware/MiddlewareExecutionGenerator.kt

@@ -98,6 +98,7 @@ class MiddlewareExecutionGenerator(
         writer.write("  .withLogger(value: config.logger)")
         writer.write("  .withPartitionID(value: config.partitionID)")
         writer.write("  .withAuthSchemes(value: config.authSchemes ?? [])")
+        writer.write("  .withAuthSchemePreference(value: config.authSchemePreference)")
         writer.write("  .withAuthSchemeResolver(value: config.authSchemeResolver)")
         writer.write("  .withUnsignedPayloadTrait(value: \$L)", op.hasTrait<UnsignedPayloadTrait>())
         writer.write("  .withSocketTimeout(value: config.httpClientConfiguration.socketTimeout)")

smithy-swift-codegen/src/main/kotlin/software/amazon/smithy/swift/codegen/swiftmodules/SwiftTypes.kt

@@ -10,6 +10,14 @@ import software.amazon.smithy.swift.codegen.SwiftDeclaration
 import software.amazon.smithy.swift.codegen.SwiftDependency
 
 object SwiftTypes {
+    val StringList =
+        SwiftSymbol.make(
+            "[String]",
+            null,
+            null,
+            emptyList(),
+            emptyList(),
+        )
     val String = builtInSymbol("String", SwiftDeclaration.STRUCT)
     val Int = builtInSymbol("Int", SwiftDeclaration.STRUCT)
     val Int8 = builtInSymbol("Int8", SwiftDeclaration.STRUCT)

smithy-swift-codegen/src/test/kotlin/software/amazon/smithy/swift/codegen/HttpProtocolClientGeneratorTests.kt

@@ -47,6 +47,7 @@ extension RestJsonProtocolClient {
         public var httpClientEngine: SmithyHTTPAPI.HTTPClient
         public var httpClientConfiguration: ClientRuntime.HttpClientConfiguration
         public var authSchemes: SmithyHTTPAuthAPI.AuthSchemes?
+        public var authSchemePreference: [String]?
         public var authSchemeResolver: SmithyHTTPAuthAPI.AuthSchemeResolver
         public var bearerTokenIdentityResolver: any SmithyIdentity.BearerTokenIdentityResolver
         public private(set) var interceptorProviders: [ClientRuntime.InterceptorProvider]
@@ -61,6 +62,7 @@ extension RestJsonProtocolClient {
             _ httpClientEngine: SmithyHTTPAPI.HTTPClient,
             _ httpClientConfiguration: ClientRuntime.HttpClientConfiguration,
             _ authSchemes: SmithyHTTPAuthAPI.AuthSchemes?,
+            _ authSchemePreference: [String]?,
             _ authSchemeResolver: SmithyHTTPAuthAPI.AuthSchemeResolver,
             _ bearerTokenIdentityResolver: any SmithyIdentity.BearerTokenIdentityResolver,
             _ interceptorProviders: [ClientRuntime.InterceptorProvider],
@@ -74,6 +76,7 @@ extension RestJsonProtocolClient {
             self.httpClientEngine = httpClientEngine
             self.httpClientConfiguration = httpClientConfiguration
             self.authSchemes = authSchemes
+            self.authSchemePreference = authSchemePreference
             self.authSchemeResolver = authSchemeResolver
             self.bearerTokenIdentityResolver = bearerTokenIdentityResolver
             self.interceptorProviders = interceptorProviders
@@ -89,6 +92,7 @@ extension RestJsonProtocolClient {
             httpClientEngine: SmithyHTTPAPI.HTTPClient? = nil,
             httpClientConfiguration: ClientRuntime.HttpClientConfiguration? = nil,
             authSchemes: SmithyHTTPAuthAPI.AuthSchemes? = nil,
+            authSchemePreference: [String]? = nil,
             authSchemeResolver: SmithyHTTPAuthAPI.AuthSchemeResolver? = nil,
             bearerTokenIdentityResolver: (any SmithyIdentity.BearerTokenIdentityResolver)? = nil,
             interceptorProviders: [ClientRuntime.InterceptorProvider]? = nil,
@@ -103,6 +107,7 @@ extension RestJsonProtocolClient {
                 httpClientEngine ?? ClientRuntime.ClientConfigurationDefaults.makeClient(httpClientConfiguration: httpClientConfiguration ?? ClientRuntime.ClientConfigurationDefaults.defaultHttpClientConfiguration),
                 httpClientConfiguration ?? ClientRuntime.ClientConfigurationDefaults.defaultHttpClientConfiguration,
                 authSchemes ?? [],
+                authSchemePreference ?? nil,
                 authSchemeResolver ?? ClientRuntime.ClientConfigurationDefaults.defaultAuthSchemeResolver,
                 bearerTokenIdentityResolver ?? SmithyIdentity.StaticBearerTokenIdentityResolver(token: SmithyIdentity.BearerTokenIdentity(token: "")),
                 interceptorProviders ?? [],
@@ -120,6 +125,7 @@ extension RestJsonProtocolClient {
                 httpClientEngine: nil,
                 httpClientConfiguration: nil,
                 authSchemes: nil,
+                authSchemePreference: nil,
                 authSchemeResolver: nil,
                 bearerTokenIdentityResolver: nil,
                 interceptorProviders: nil,
@@ -165,6 +171,7 @@ extension RestJsonProtocolClient {
                       .withLogger(value: config.logger)
                       .withPartitionID(value: config.partitionID)
                       .withAuthSchemes(value: config.authSchemes ?? [])
+                      .withAuthSchemePreference(value: config.authSchemePreference)
                       .withAuthSchemeResolver(value: config.authSchemeResolver)
                       .withUnsignedPayloadTrait(value: false)
                       .withSocketTimeout(value: config.httpClientConfiguration.socketTimeout)
@@ -197,6 +204,7 @@ extension RestJsonProtocolClient {
                       .withLogger(value: config.logger)
                       .withPartitionID(value: config.partitionID)
                       .withAuthSchemes(value: config.authSchemes ?? [])
+                      .withAuthSchemePreference(value: config.authSchemePreference)
                       .withAuthSchemeResolver(value: config.authSchemeResolver)
                       .withUnsignedPayloadTrait(value: false)
                       .withSocketTimeout(value: config.httpClientConfiguration.socketTimeout)

smithy-swift-codegen/src/test/kotlin/software/amazon/smithy/swift/codegen/requestandresponse/EventStreamTests.kt

@@ -220,6 +220,7 @@ extension EventStreamTestClientTypes.TestStream {
                       .withLogger(value: config.logger)
                       .withPartitionID(value: config.partitionID)
                       .withAuthSchemes(value: config.authSchemes ?? [])
+                      .withAuthSchemePreference(value: config.authSchemePreference)
                       .withAuthSchemeResolver(value: config.authSchemeResolver)
                       .withUnsignedPayloadTrait(value: false)
                       .withSocketTimeout(value: config.httpClientConfiguration.socketTimeout)