chore: Refactor internal clients

[jbelkins]

Description of changes

Breaks all dependencies between AWSSDKIdentity and internal clients, so that internal clients can be created and used directly by credential resolvers without being injected after creation.

Advantages:

• Credential resolvers have all of their dependencies at creation, making them ready to use without further setup.
• Credential resolvers can create and use internal clients directly, making them easier to understand & debug.
• Complex generated code for interfacing credential resolvers with internal clients can be eliminated. The SDK generates to ~13K less LOC primarily due to the elimination of code for injecting internal clients into credential resolvers.

To accomplish this, all dependencies from the internal clients to AWSSDKIdentity had to be eliminated. This involves eliminating these three dependency cycles:

• There was a dependency from AWSSDKHTTPAuth to AWSSDKIdentity. This existed because the AWSSigV4Signer takes a S3Express identity for signing when used in the S3Express signing mode. This was broken by moving the S3Express identity type & identity resolver protocol into a new module AWSSDKIdentityAPI that contains only data types & interfaces. Typealiases make the S3Express-related types available at their original locations.
• There was a dependency from AWSClientRuntime to AWSSDKIdentity that resulted from the Bedrock API Key customization referencing a credential resolver type directly. The customization was changed so that it no longer needs to reference concrete types in AWSSDKIdentity to do its job.
• Internal clients were creating AWSSDKIdentity identity resolvers as their default values. A new default resolver was created for internal clients which is not located in AWSSDKIdentity. This is okay because internal clients never use the default resolver anyway (they either use noAuth operations or are given static credentials.)

New/existing dependencies impact assessment, if applicable

No new dependencies were added to this change.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[jbelkins]

Added this package for identity-related things that aren't credential resolvers.

Right now this is only the S3 Express identity & identity resolver, but this broke a dependency between AWSSDKHTTPAuth & AWSSDKIdentity that was needed to eliminate circular dependencies on the internal clients.

[jbelkins]

AWSSDKIdentityAPI is published for use by customers (if they customize S3 Express) and in tests.

[jbelkins]

Switched the AWSSDKHTTPAuth dependency from AWSSDKIdentity to the new AWSSDKIdentityAPI.

This breaks a AWSSDKIdentity -> InternalAWSClient -> AWSSDKHTTPAuth -> AWSSDKIdentity circular dependency.

[sichanyoo]

Q: Where was AWSSDKIdentity dependent on internal clients?

Oh, I see that AWSSDKIdentity -> internal client dependency was introduced in this PR to allow credential resolvers to instantiate internal clients directly 👍

[jbelkins]

Exactly

[jbelkins]

To be clear, the "circular dependencies" I refer to are those created by adding the internal AWS clients as dependencies of AWSSDKIdentity, before making the changes in this PR to break them.

[jbelkins]

The new AWSSDKIdentityAPI target above depends only on Smithy API modules.

[jbelkins]

AWSSDKIdentity now depends on AWSSDKIdentityAPI, and also depends directly on the 3 internal clients. This is no longer a circular dependency because the internal clients don't depend on AWSSDKIdentity.

This also allows us to get rid of almost all of the boiler plate and code generation that we used to use to allow identity resolvers to access these clients, since they're now direct dependencies.

[jbelkins]

This is a very simple target with a dummy AWS credential identity resolver, not dependent on AWSSDKIdentity, that is used as the default identity resolver in the internal clients.

This target is not published, and is only linked to the internal clients.

[jbelkins]

In this & the other 2 internal clients, the AWSSDKIdentity dependency is removed since that module is no longer referenced in the client. The InternalAWSCommon module is added since that is where the internal clients get their default identity resolvers from.

[jbelkins]

The 3 internal clients are removed since they are not direct dependencies of the client (they are still linked though, as dependencies of AWSSDKIdentity.)

[jbelkins]

AWSSDKIdentityAPI is added as a dependency of the integration test targets, so its types may be accessed in tests.

[jbelkins]

For this file, see comments on Package.base.txt above

[jbelkins]

No need to get the internal SSO client from identity properties anymore, since it can now be directly created by this type (just below).

[jbelkins]

Same change made in the following identity resolvers.

[jbelkins]

This file and the next two are basically unchanged from the previous IdentityProviding...Client types, except that they are now permanent runtime files & not code-generated. (I only adjusted imports & formatting, and removed the protocol conformances.) Since AWSSDKIdentity can now depend on the internal clients, these wrappers are moved into AWSSDKIdentity and no longer need to be generated. The protocols for these wrappers' interfaces were removed because they are also not needed anymore.

I chose to keep these wrappers even though they're technically no longer needed because:

• they keep a lot of setup code out of the credential resolvers
• there's less change (and less chance of introducing bugs) from our current arrangement.

[jbelkins]

This AWS credential identity resolver is used as the default value for AWS credential identity resolver in the "internal" clients. Using this in place of the "default chain" resolvers eliminates the internal clients' dependence on AWSSDKIdentity.

Note that this client throws if you attempt to resolve credentials with it. That's okay because the internal clients never actually use it; they either access "noAuth" operations or the identity resolver statically provides it credentials.

[jbelkins]

The visibility of this and the other internal clients has been changed from internal to package so that AWSSDKIdentity can access these clients, but they are invisible to customers.

[jbelkins]

This and the other internal client "wrappers" have been moved to AWSSDKIdentity (see above) and are no longer code-generated.

[jbelkins]

Notice in all 3 internal clients' source files that the references to AWSSDKIdentity are all gone.

[jbelkins]

Internal clients are no longer set in identity properties since the AWS credential resolvers can now create them directly.

[jbelkins]

Here & below, default value for awsCredentialIdentityResolver is set differently for internal or normal clients.

[jbelkins]

Re-enabling this integration test; it's the one which was causing problems on systems that assume a role before testing.

[jbelkins]

BTW I re-ran this test on the internal build system, it now passes after the refactor.

[jbelkins]

The bearer token identity resolver is wrapped in a ClientConfigDefaultBearerTokenIdentityResolver to signify that it was not customer-supplied.

[jbelkins]

This interceptor now looks for ClientConfigDefaultBearerTokenIdentityResolver (located in SmithyIdentity) instead of DefaultBearerTokenIdentityResolverChain (located in AWSSDKIdentity).

As a result, AWSClientRuntime no longer depends on AWSSDKIdentity, breaking this dependency cycle:
AWSSDKIdentity -> InternalClient -> AWSClientRuntime -> AWSSDKIdentity

[jbelkins]

Above, internal clients get a private type of AWSCredentialIdentityResolver that does not depend on AWSSDKIdentity. This, combined with breaking a couple other dependency cycles in runtime modules, means that the internal clients have no reference back to AWSSDKIdentity, and the credential resolvers in those packages can create and use those internal clients directly.

External clients continue to get the same "default chain" identity resolver from AWSSDKIdentity.

[jbelkins]

Above, the DefaultBearerTokenIdentityResolverChain resolver is wrapped in a ClientConfigDefaultBearerTokenIdentityResolver to signify that it was set as a default value.

[jbelkins]

Codegen test changes are below. Note that auth scheme resolvers don't have to set clients in identity properties anymore; this results in about 13,000 lines less code across the SDK.

[sichanyoo]

Really nice improvements to internal client consumption for credential resolution process! Everything looks good, but just got one comment on companion PR: smithy-lang/smithy-swift#952 (comment). After that comment is resolved will approve both PRs.

[jbelkins]

Below, added ClientConfigDefaultIdentityResolver conformance to this type.

When it's created by passing in a chain, it's not a client config default.
When it's created with no params, it's a client config default. (This initializer is package-scoped so customers can't use it.)

[jbelkins]

This file adds support for the new internalClient field on SwiftSettings and uses that field for generating internal clients for use in identity resolvers.