some fixing up

Author: dayaffe

Sources/Core/AWSSDKIdentity/Sources/AWSSDKIdentity/AWSCredentialIdentityResolvers/CognitoAWSCredentialIdentityResolver.swift

@@ -10,38 +10,64 @@ import struct Smithy.Attributes
 import ClientRuntime
 import class Foundation.ProcessInfo
 import enum Smithy.ClientError
-import class Foundation.NSLock
+
 import struct Foundation.Date
+@_spi(FileBasedConfig) import AWSSDKCommon
 
 /// A credential identity resolver that resolves credentials using AWS Cognito Identity.
-public struct CognitoAWSCredentialIdentityResolver: AWSCredentialIdentityResolver {
+public actor CognitoAWSCredentialIdentityResolver: AWSCredentialIdentityResolver {
     private let identityPoolId: String?
     private let identityId: String?
     private let accountId: String?
     private var logins: [String: String]?
     private let customRoleArn: String?
     private let cognitoPoolRegion: String
+    private let configFilePath: String?
+    private let credentialsFilePath: String?
+    private let profileName: String?
 
     private var cachedIdentityId: String?
     private var cachedCredentials: AWSCredentialIdentity?
     private var cachedLogins: [String: String]?
-    private let refreshLock = NSLock()
+    // Actor provides thread safety, no need for manual locking
 
     public init(
         identityPoolId: String? = nil,
         identityId: String? = nil,
         accountId: String? = nil,
         logins: [String: String]? = nil,
         customRoleArn: String? = nil,
-        cognitoPoolRegion: String? = nil
+        cognitoPoolRegion: String? = nil,
+        configFilePath: String? = nil,
+        credentialsFilePath: String? = nil,
+        profileName: String? = nil
     ) throws {
         let env = ProcessInfo.processInfo.environment
 
-        // Resolve from environment variables if not provided
-        let resolvedIdentityPoolId = identityPoolId ?? env["AWS_COGNITO_IDENTITY_POOL_ID"]
-        let resolvedIdentityId = identityId ?? env["AWS_COGNITO_IDENTITY_ID"]
-        let resolvedAccountId = accountId ?? env["AWS_ACCOUNT_ID"]
-        let resolvedCustomRoleArn = customRoleArn ?? env["AWS_COGNITO_CUSTOM_ROLE_ARN"]
+        self.configFilePath = configFilePath
+        self.credentialsFilePath = credentialsFilePath
+        self.profileName = profileName
+        
+        // Load config files
+        let fileBasedConfig = try CRTFileBasedConfiguration(
+            configFilePath: configFilePath,
+            credentialsFilePath: credentialsFilePath
+        )
+        let resolvedProfileName = profileName ?? env["AWS_PROFILE"] ?? "default"
+        
+        // Resolve configuration using helper functions
+        let resolvedIdentityPoolId = Self.resolveOptionalField(
+            identityPoolId, "AWS_COGNITO_IDENTITY_POOL_ID", "cognito_identity_pool_id", fileBasedConfig, resolvedProfileName
+        )
+        let resolvedIdentityId = Self.resolveOptionalField(
+            identityId, "AWS_COGNITO_IDENTITY_ID", "cognito_identity_id", fileBasedConfig, resolvedProfileName
+        )
+        let resolvedAccountId = Self.resolveOptionalField(
+            accountId, "AWS_ACCOUNT_ID", "account_id", fileBasedConfig, resolvedProfileName
+        )
+        let resolvedCustomRoleArn = Self.resolveOptionalField(
+            customRoleArn, "AWS_COGNITO_CUSTOM_ROLE_ARN", "cognito_custom_role_arn", fileBasedConfig, resolvedProfileName
+        )
 
         guard resolvedIdentityPoolId != nil || resolvedIdentityId != nil else {
             throw ClientError.invalidValue("Either identityPoolId or identityId must be provided")
@@ -56,18 +82,19 @@ public struct CognitoAWSCredentialIdentityResolver: AWSCredentialIdentityResolve
         self.logins = logins
         self.customRoleArn = resolvedCustomRoleArn
 
-        // Priority: cognitoPoolRegion parameter -> AWS_COGNITO_POOL_REGION -> AWS_REGION
-        self.cognitoPoolRegion = try cognitoPoolRegion 
-            ?? env["AWS_COGNITO_POOL_REGION"] 
-            ?? env["AWS_REGION"]
-            ?? { throw ClientError.dataNotFound("AWS region not configured") }()
+        // Resolve region with fallback from cognito_pool_region to region
+        self.cognitoPoolRegion = try Self.resolveOptionalField(
+            cognitoPoolRegion, "AWS_COGNITO_POOL_REGION", "cognito_pool_region", fileBasedConfig, resolvedProfileName
+        ) ?? Self.resolveOptionalField(
+            nil, "AWS_REGION", "region", fileBasedConfig, resolvedProfileName
+        ) ?? { throw ClientError.dataNotFound("AWS region not configured") }()
 
         self.cachedIdentityId = nil
         self.cachedCredentials = nil
-        self.cachedLogins = nil
+        self.cachedLogins = logins
     }
 
-    public mutating func getIdentity(identityProperties: Attributes?) async throws -> AWSCredentialIdentity {
+    public func getIdentity(identityProperties: Attributes?) async throws -> AWSCredentialIdentity {
         guard let identityProperties, let internalCognitoClient = identityProperties.get(
             key: InternalClientKeys.internalCognitoIdentityClientKey
         ) else {
@@ -76,9 +103,6 @@ public struct CognitoAWSCredentialIdentityResolver: AWSCredentialIdentityResolve
                 + "Missing IdentityProvidingCognitoIdentityClient in identity properties."
             )
         }
-
-        refreshLock.lock()
-        defer { refreshLock.unlock() }
 
         // Check if cached credentials are still valid
         if let cached = cachedCredentials,
@@ -101,16 +125,12 @@ public struct CognitoAWSCredentialIdentityResolver: AWSCredentialIdentityResolve
         return credentials
     }
 
-    private mutating func resolveIdentityId(using client: IdentityProvidingCognitoIdentityClient) async throws -> String {
+    private func resolveIdentityId(using client: IdentityProvidingCognitoIdentityClient) async throws -> String {
         if let existingId = identityId {
             return existingId
         }
 
-        // If logins changed, clear cached identity ID to force refresh
-        if loginsChanged() {
-            cachedIdentityId = nil
-        }
-        
+        // Use cached identity ID if logins haven't changed
         if let cached = cachedIdentityId, !loginsChanged() {
             return cached
         }
@@ -126,25 +146,47 @@ public struct CognitoAWSCredentialIdentityResolver: AWSCredentialIdentityResolve
         )
 
         cachedIdentityId = resolvedId
+        cachedLogins = logins
         return resolvedId
     }
 
     private func loginsChanged() -> Bool {
-        guard let cached = cachedLogins else {
-            return logins != nil
+        // Both nil - no change
+        if cachedLogins == nil && logins == nil {
+            return false
         }
 
-        guard let current = logins else {
+        // One is nil, other isn't - changed
+        guard let cached = cachedLogins, let current = logins else {
             return true
         }
 
+        // Compare the dictionaries
         return cached != current
     }
 
-    public mutating func updateLogins(_ newLogins: [String: String]?) {
+    public func updateLogins(_ newLogins: [String: String]?) {
         logins = newLogins
         // Clear cached data when logins change
         cachedIdentityId = nil
         cachedCredentials = nil
+        cachedLogins = nil
+    }
+    
+    private static func resolveOptionalField(
+        _ configValue: String?,
+        _ envVarName: String,
+        _ configFieldName: String,
+        _ config: CRTFileBasedConfiguration,
+        _ profileName: String
+    ) -> String? {
+        FieldResolver(
+            configValue: configValue,
+            envVarName: envVarName,
+            configFieldName: configFieldName,
+            fileBasedConfig: config,
+            profileName: profileName,
+            converter: { String($0) }
+        ).value
     }
-}
+}

Sources/Core/AWSSDKIdentity/Sources/AWSSDKIdentity/IdentityProvidingClients/IdentityProvidingCognitoIdentityClient.swift

@@ -6,6 +6,7 @@
 //
 
 import protocol SmithyIdentity.AWSCredentialIdentityResolver
+import struct SmithyIdentity.AWSCredentialIdentity
 
 /// Protocol for providing Cognito Identity credentials
 public protocol IdentityProvidingCognitoIdentityClient {

Sources/Core/AWSSDKIdentity/Tests/AWSSDKIdentityTests/AWSCredentialIdentityResolverTests/CognitoCredentialResolverTests.swift

@@ -7,7 +7,10 @@
 
 import XCTest
 import Foundation
-@testable import YourModule // Replace with actual module name
+@testable import AWSSDKIdentity
+import struct Smithy.Attributes
+import enum Smithy.ClientError
+import struct SmithyIdentity.AWSCredentialIdentity
 
 class CognitoCredentialResolverTests: XCTestCase {
 
@@ -43,7 +46,7 @@ class CognitoCredentialResolverTests: XCTestCase {
         )
 
         let mockClient = MockCognitoClient()
-        let attributes = Attributes()
+        var attributes = Attributes()
         attributes.set(key: InternalClientKeys.internalCognitoIdentityClientKey, value: mockClient)
 
         let credentials = try await resolver.getIdentity(identityProperties: attributes)
@@ -66,7 +69,7 @@ class CognitoCredentialResolverTests: XCTestCase {
         )
 
         let mockClient = MockCognitoClient()
-        let attributes = Attributes()
+        var attributes = Attributes()
         attributes.set(key: InternalClientKeys.internalCognitoIdentityClientKey, value: mockClient)
 
         let credentials = try await resolver.getIdentity(identityProperties: attributes)
@@ -89,6 +92,115 @@ class CognitoCredentialResolverTests: XCTestCase {
         }
     }
 
+    func testTC4_ExpiredCredentialsRefreshed() async throws {
+        // TC4: Expired credentials are refreshed using existing IdentityId
+        var resolver = try CognitoAWSCredentialIdentityResolver(
+            identityId: "us-west-2:12345678-1234-1234-1234-123456789012",
+            cognitoPoolRegion: "us-west-2"
+        )
+        
+        let mockClient = MockCognitoClient()
+        // Set expired credentials initially
+        mockClient.mockCredentials = AWSCredentialIdentity(
+            accessKey: "ASIAEXAMPLEKEY",
+            secret: "exampleSecretKey123456789",
+            expiration: Date(timeIntervalSince1970: 100), // Expired
+            sessionToken: "exampleSessionToken..."
+        )
+        
+        var attributes = Attributes()
+        attributes.set(key: InternalClientKeys.internalCognitoIdentityClientKey, value: mockClient)
+        
+        // First call with expired credentials
+        let credentials1 = try await resolver.getIdentity(identityProperties: attributes)
+        
+        // Update mock to return fresh credentials
+        mockClient.mockCredentials = AWSCredentialIdentity(
+            accessKey: "ASIAEXAMPLEKEY",
+            secret: "exampleSecretKey123456789",
+            expiration: Date(timeIntervalSince1970: 2735689600), // Future
+            sessionToken: "exampleSessionToken..."
+        )
+        
+        // Second call should refresh credentials
+        let credentials2 = try await resolver.getIdentity(identityProperties: attributes)
+        
+        // Should call GetCredentialsForIdentity twice (no GetId since identityId provided)
+        XCTAssertEqual(mockClient.getIdCalls.count, 0)
+        XCTAssertEqual(mockClient.getCredentialsCalls.count, 2)
+        XCTAssertEqual(mockClient.getCredentialsCalls[0].identityId, "us-west-2:12345678-1234-1234-1234-123456789012")
+        XCTAssertEqual(mockClient.getCredentialsCalls[1].identityId, "us-west-2:12345678-1234-1234-1234-123456789012")
+    }
+    
+    func testTC5_IdentityRefreshedWhenLoginsUpdated() async throws {
+        // TC5: Identity is refreshed when logins are updated
+        var resolver = try CognitoAWSCredentialIdentityResolver(
+            identityPoolId: "us-west-2:test-pool",
+            cognitoPoolRegion: "us-west-2"
+        )
+        
+        let mockClient = MockCognitoClient()
+        var attributes = Attributes()
+        attributes.set(key: InternalClientKeys.internalCognitoIdentityClientKey, value: mockClient)
+        
+        // First call without logins
+        let credentials1 = try await resolver.getIdentity(identityProperties: attributes)
+        
+        // Update logins
+        resolver.updateLogins(["accounts.google.com": "new-google-token"])
+        
+        // Update mock to return different identity ID for new logins
+        mockClient.mockIdentityId = "us-west-2:12345678-1234-1234-1234-333333333333"
+        
+        // Second call with updated logins
+        let credentials2 = try await resolver.getIdentity(identityProperties: attributes)
+        
+        // Should call GetId twice (once without logins, once with logins)
+        XCTAssertEqual(mockClient.getIdCalls.count, 2)
+        XCTAssertNil(mockClient.getIdCalls[0].logins)
+        XCTAssertEqual(mockClient.getIdCalls[1].logins?["accounts.google.com"], "new-google-token")
+        
+        // Should call GetCredentialsForIdentity twice
+        XCTAssertEqual(mockClient.getCredentialsCalls.count, 2)
+        XCTAssertNil(mockClient.getCredentialsCalls[0].logins)
+        XCTAssertEqual(mockClient.getCredentialsCalls[1].logins?["accounts.google.com"], "new-google-token")
+    }
+    
+    func testTC6_IdentityNotRefreshedWhenLoginsUnchanged() async throws {
+        // TC6: Identity is NOT refreshed when logins remain unchanged
+        var resolver = try CognitoAWSCredentialIdentityResolver(
+            identityPoolId: "us-west-2:test-pool",
+            logins: ["accounts.google.com": "google-token"],
+            cognitoPoolRegion: "us-west-2"
+        )
+        
+        let mockClient = MockCognitoClient()
+        // Set credentials with future expiration
+        mockClient.mockCredentials = AWSCredentialIdentity(
+            accessKey: "ASIAEXAMPLEKEY",
+            secret: "exampleSecretKey123456789",
+            expiration: Date(timeIntervalSinceNow: 3600), // 1 hour from now
+            sessionToken: "exampleSessionToken..."
+        )
+        
+        var attributes = Attributes()
+        attributes.set(key: InternalClientKeys.internalCognitoIdentityClientKey, value: mockClient)
+        
+        // First call
+        let credentials1 = try await resolver.getIdentity(identityProperties: attributes)
+        
+        // Second call with same logins (should use cached credentials)
+        let credentials2 = try await resolver.getIdentity(identityProperties: attributes)
+        
+        // Should call GetId only once
+        XCTAssertEqual(mockClient.getIdCalls.count, 1)
+        XCTAssertEqual(mockClient.getIdCalls[0].logins?["accounts.google.com"], "google-token")
+        
+        // Should call GetCredentialsForIdentity only once (second call uses cache)
+        XCTAssertEqual(mockClient.getCredentialsCalls.count, 1)
+        XCTAssertEqual(mockClient.getCredentialsCalls[0].logins?["accounts.google.com"], "google-token")
+    }
+    
     func testTC7_FallbackToAWSRegion() throws {
         // TC7: Fall back to AWS_REGION when a Cognito pool region is not explicitly provided
         setenv("AWS_REGION", "us-west-2", 1)

codegen/smithy-aws-swift-codegen/src/main/kotlin/software/amazon/smithy/aws/swift/codegen/customization/credentialresolverservices/InternalModelIntegration.kt

@@ -21,6 +21,11 @@ class InternalModelIntegration : SwiftIntegration {
         listOf(
             "com.amazonaws.ssooidc#CreateToken",
         )
+    private val cognitoOps =
+        listOf(
+            "com.amazonaws.cognito.identity#GetId",
+            "com.amazonaws.cognito.identity#GetCredentialsForIdentity",
+        )
 
     override fun enabledForService(
         model: Model,
@@ -48,6 +53,7 @@ class InternalModelIntegration : SwiftIntegration {
             "STS" -> stsOps
             "SSO" -> ssoOps
             "SSO OIDC" -> ssoOIDCOps
+            "Cognito Identity" -> cognitoOps
             else -> emptyList()
         }
 }