feat: refactor out TLSOptions and add TLSConfiguration protocol (#702)

Sources/ClientRuntime/Config/DefaultSDKRuntimeConfiguration.swift

@@ -99,7 +99,7 @@ public extension DefaultSDKRuntimeConfiguration {
         let socketTimeout = UInt32(httpClientConfiguration.socketTimeout)
         let config = CRTClientEngineConfig(
           connectTimeoutMs: connectTimeoutMs,
-          crtTlsOptions: httpClientConfiguration.tlsOptions?.crtTLSOptions,
+          crtTlsOptions: httpClientConfiguration.tlsConfiguration as? CRTClientTLSOptions,
           socketTimeout: socketTimeout
         )
         return CRTClientEngine(config: config)

Sources/ClientRuntime/Networking/Http/CRT/CRTClientTLSOptions.swift

@@ -6,46 +6,46 @@
 //
 import AwsCommonRuntimeKit
 
-public struct CRTClientTLSOptions {
+public struct CRTClientTLSOptions: TLSConfiguration {
 
-    /// Path to the trust store certificate
-    public let certificatePath: String?
+    /// Optional PEM certificate filename
+    public var certificate: String?
 
-    /// Filename of the trust store certificate file in main bundle
-    public let certificateFilename: String?
+    /// Optional path to certificate directory
+    public var certificateDir: String?
 
-    /// Name of key store file. ex. /path/file
-    public let keyStoreFilepath: String?
+    /// Optional path to a PEM format private key
+    public var privateKey: String?
 
-    /// Password for the key store if required.
-    public let keyStorePassword: String?
+    /// Optional path to PKCS #12 certificate , in PEM format
+    public var pkcs12Path: String?
 
-    /// Path to a private key
-    public let privateKeyFilepath: String?
+    /// Optional PKCS#12 password
+    public var pkcs12Password: String?
 
     /// Information is provided to use custom trust store
     public var useSelfSignedCertificate: Bool {
-        return certificatePath != nil && certificateFilename != nil
+        return certificateDir != nil && certificate != nil
     }
 
     /// Information is provided to use custom key store
     public var useProvidedKeystore: Bool {
-        return (keyStoreFilepath != nil && keyStorePassword != nil) ||
-            (privateKeyFilepath != nil && useSelfSignedCertificate)
+        return (pkcs12Path != nil && pkcs12Password != nil) ||
+            (privateKey != nil && useSelfSignedCertificate)
     }
 
     public init(
-        certificatePath: String? = nil,
-        certificateFilename: String? = nil, // .cer
-        keyStoreFilepath: String? = nil, // .p12 PEM
-        keyStorePassword: String? = nil,
-        privateKeyFilepath: String? = nil
+        certificateDir: String? = nil,
+        certificate: String? = nil, // .cer
+        pkcs12Path: String? = nil, // .p12 PEM
+        pkcs12Password: String? = nil,
+        privateKey: String? = nil
     ) {
-        self.certificatePath = certificatePath
-        self.certificateFilename = certificateFilename
-        self.keyStoreFilepath = keyStoreFilepath
-        self.keyStorePassword = keyStorePassword
-        self.privateKeyFilepath = privateKeyFilepath
+        self.certificateDir = certificateDir
+        self.certificate = certificate
+        self.pkcs12Path = pkcs12Path
+        self.pkcs12Password = pkcs12Password
+        self.privateKey = privateKey
     }
 }
 
@@ -61,22 +61,22 @@ extension CRTClientTLSOptions {
 
             if self.useProvidedKeystore {
                 #if os(tvOS) || os(iOS) || os(watchOS) || os(macOS) // visionOS not supported
-                if let path = keyStoreFilepath, let password = keyStorePassword {
+                if let path = pkcs12Path, let password = pkcs12Password {
                     tlsOptions = try .makeMTLS(pkcs12Path: path, password: password)
                 }
                 #endif
             } else if self.useSelfSignedCertificate {
                 #if os(Linux) || os(macOS)
-                if let certPath = certificatePath,
-                    let certFilename = certificateFilename,
-                    let privateKeyPath = privateKeyFilepath {
+                if let certPath = certificateDir,
+                    let certFilename = certificate,
+                    let privateKeyPath = pkcs12Path {
                     let certFilepath = "\(certPath)/\(certFilename)"
                     tlsOptions = try .makeMTLS(certificatePath: certFilepath, privateKeyPath: privateKeyPath)
                 }
                 #endif
             }
 
-            if self.useSelfSignedCertificate, let certPath = certificatePath, let certFilename = certificateFilename {
+            if self.useSelfSignedCertificate, let certPath = certificateDir, let certFilename = certificate {
                 try tlsOptions.overrideDefaultTrustStore(caPath: certPath, caFile: certFilename)
             }
 

Sources/ClientRuntime/Networking/Http/CRT/TLSConfiguration.swift

@@ -0,0 +1,29 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+/**
+ * Configuration settings about TLS set up.
+ * All settings are optional.
+ * Not specifying them will use the SDK defaults
+ */
+public protocol TLSConfiguration {
+
+    // Optional path to a PEM certificate
+    var certificate: String? { get set }
+
+    // Optional path to certificate directory
+    var certificateDir: String? { get set }
+
+    // Optional path to a PEM format private key
+    var privateKey: String? { get set }
+
+    // Optional path to PKCS #12 certificate , in PEM format
+    var pkcs12Path: String? { get set }
+
+    // Optional PKCS#12 password
+    var pkcs12Password: String? { get set }
+}

Sources/ClientRuntime/Networking/Http/HttpClientConfiguration.swift

@@ -39,7 +39,7 @@ public class HttpClientConfiguration {
     ///
     /// Enables specifying client certificates and trust stores for secure communication.
     /// Defaults to system's TLS settings if `nil`.
-    public var tlsOptions: TLSOptions?
+    public var tlsConfiguration: (any TLSConfiguration)?
 
     /// Creates a configuration object for a SDK HTTP client.
     ///
@@ -50,18 +50,18 @@ public class HttpClientConfiguration {
     ///   - defaultHeaders: HTTP headers to be included with every HTTP request.
     ///   Note that certain headers may cause your API request to fail.  Defaults to no headers.
     ///   - protocolType: The HTTP scheme (`http` or `https`) to be used for API requests.  Defaults to the operation's standard configuration.
-    ///   - tlsOptions: Optional custom TLS configuration for HTTPS requests. If `nil`, defaults to a standard configuration.
+    ///   - tlsConfiguration: Optional custom TLS configuration for HTTPS requests. If `nil`, defaults to a standard configuration.
     public init(
         connectTimeout: TimeInterval? = nil,
         socketTimeout: TimeInterval = 60.0,
         protocolType: ProtocolType = .https,
         defaultHeaders: Headers = Headers(),
-        tlsOptions: TLSOptions? = nil
+        tlsConfiguration: (any TLSConfiguration)? = nil
     ) {
         self.socketTimeout = socketTimeout
         self.protocolType = protocolType
         self.defaultHeaders = defaultHeaders
         self.connectTimeout = connectTimeout
-        self.tlsOptions = tlsOptions
+        self.tlsConfiguration = tlsConfiguration
     }
 }

Sources/ClientRuntime/Networking/Http/URLSession/URLSessionHTTPClient.swift

@@ -141,7 +141,7 @@ public final class URLSessionHTTPClient: HTTPClient {
             completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
         ) {
             guard let tlsOptions = tlsOptions, tlsOptions.useSelfSignedCertificate,
-                  let certFile = tlsOptions.certificateFile,
+                  let certFile = tlsOptions.certificate,
                   let serverTrust = challenge.protectionSpace.serverTrust else {
                 logger.error(
                     "Either TLSOptions not set or missing values! Using default trust store."
@@ -175,8 +175,8 @@ public final class URLSessionHTTPClient: HTTPClient {
             completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
         ) {
             guard let tlsOptions, tlsOptions.useProvidedKeystore,
-                  let keystoreName = tlsOptions.keyStoreName,
-                  let keystorePasword = tlsOptions.keyStorePassword else {
+                  let keystoreName = tlsOptions.pkcs12Path,
+                  let keystorePasword = tlsOptions.pkcs12Password else {
                 logger.error(
                     "Either TLSOptions not set or missing values! Using default keystore."
                 )
@@ -299,7 +299,7 @@ public final class URLSessionHTTPClient: HTTPClient {
     private var logger: LogAgent
 
     /// The TLS options for this HTTP client.
-    private let tlsOptions: URLSessionTLSOptions?
+    private let tlsConfiguration: URLSessionTLSOptions?
 
     /// The initial connection timeout for this HTTP client.
     let connectionTimeout: TimeInterval
@@ -314,8 +314,8 @@ public final class URLSessionHTTPClient: HTTPClient {
     public init(httpClientConfiguration: HttpClientConfiguration) {
         self.config = httpClientConfiguration
         self.logger = SwiftLogger(label: "URLSessionHTTPClient")
-        self.tlsOptions = config.tlsOptions?.urlSessionTLSOptions
-        self.delegate = SessionDelegate(logger: logger, tlsOptions: tlsOptions)
+        self.tlsConfiguration = config.tlsConfiguration as? URLSessionTLSOptions
+        self.delegate = SessionDelegate(logger: logger, tlsOptions: tlsConfiguration)
         self.connectionTimeout = httpClientConfiguration.connectTimeout ?? 60.0
         var urlsessionConfiguration = URLSessionConfiguration.default
         urlsessionConfiguration = URLSessionConfiguration.from(httpClientConfiguration: httpClientConfiguration)

Sources/ClientRuntime/Networking/Http/URLSession/URLSessionTLSOptions.swift

@@ -5,34 +5,40 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
-public struct URLSessionTLSOptions {
+public struct URLSessionTLSOptions: TLSConfiguration {
 
-    /// Filename of the trust store certificate file in main bundle (.cer).
-    public let certificateFile: String?
+    /// Filename of the turst certificate file in main bundle (.cer)
+    public var certificate: String?
 
-    /// Name of key store file (.p12).
-    public let keyStoreName: String?
+    /// Not supported for URLSession HTTP Client
+    public var certificateDir: String?
 
-    /// Password for the key store if required.
-    public let keyStorePassword: String?
+    /// Not supported for URLSession HTTP Client
+    public var privateKey: String?
+
+    /// Optional path to PKCS #12 certificate , in PEM format
+    public var pkcs12Path: String?
+
+    /// Optional PKCS#12 password
+    public var pkcs12Password: String?
 
     /// Information is provided to use custom trust store
     public var useSelfSignedCertificate: Bool {
-        return certificateFile != nil
+        return certificate != nil
     }
 
     /// Information is provided to use custom key store
     public var useProvidedKeystore: Bool {
-        return keyStoreName != nil && keyStorePassword != nil
+        return pkcs12Path != nil && pkcs12Password != nil
     }
 
     public init(
-        certificateFile: String? = nil, // .cer
-        keyStoreName: String? = nil, // .p12
-        keyStorePassword: String? = nil
+        certificate: String? = nil, // .cer
+        pkcs12Path: String? = nil, // .p12
+        pkcs12Password: String? = nil
     ) {
-        self.certificateFile = certificateFile
-        self.keyStoreName = keyStoreName
-        self.keyStorePassword = keyStorePassword
+        self.certificate = certificate
+        self.pkcs12Path = pkcs12Path
+        self.pkcs12Password = pkcs12Password
     }
 }