Merge pull request #4446 from aws/alexwoo/master/loginCredentialProvider_refresh_dpop

[LoginCredentialsProvider] Implement DPoP signing of request

Author: alextwoods

services/signin/src/main/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProvider.java

@@ -29,10 +29,12 @@
 import software.amazon.awssdk.auth.credentials.AwsCredentials;
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
+import software.amazon.awssdk.core.SdkPlugin;
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.core.useragent.BusinessMetricFeatureId;
 import software.amazon.awssdk.services.signin.SigninClient;
 import software.amazon.awssdk.services.signin.internal.AccessTokenManager;
+import software.amazon.awssdk.services.signin.internal.DpopAuthPlugin;
 import software.amazon.awssdk.services.signin.internal.LoginAccessToken;
 import software.amazon.awssdk.services.signin.internal.LoginCacheDirectorySystemSetting;
 import software.amazon.awssdk.services.signin.internal.OnDiskTokenManager;
@@ -159,14 +161,15 @@ private RefreshResult<AwsCredentials> refreshFromSigninService(LoginAccessToken
         log.debug(() -> "Credentials are near expiration/expired, refreshing from Signin service.");
 
         try {
+            SdkPlugin dpopAuthPlugin = DpopAuthPlugin.create(tokenFromDisc.getDpopKey());
             CreateOAuth2TokenRequest refreshRequest =
                 CreateOAuth2TokenRequest
                     .builder()
                     .tokenInput(t -> t
                         .clientId(tokenFromDisc.getClientId())
                         .refreshToken(tokenFromDisc.getRefreshToken())
                         .grantType("refresh_token"))
-                    .dpopProof("TODO") // TODO: This will be implemented in a separate PR
+                    .overrideConfiguration(c -> c.addPlugin(dpopAuthPlugin))
                     .build();
 
             CreateOAuth2TokenResponse createTokenResponse = signinClient.createOAuth2Token(refreshRequest);

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopAuthPlugin.java

@@ -0,0 +1,101 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.services.signin.internal;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.concurrent.CompletableFuture;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.core.SdkPlugin;
+import software.amazon.awssdk.core.SdkServiceClientConfiguration;
+import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeOption;
+import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeProvider;
+import software.amazon.awssdk.identity.spi.IdentityProvider;
+import software.amazon.awssdk.identity.spi.ResolveIdentityRequest;
+import software.amazon.awssdk.services.signin.SigninServiceClientConfiguration;
+import software.amazon.awssdk.services.signin.auth.scheme.SigninAuthSchemeParams;
+import software.amazon.awssdk.services.signin.auth.scheme.SigninAuthSchemeProvider;
+import software.amazon.awssdk.utils.Validate;
+
+/**
+ * An SDK plugin that will use DPoP auth for requests by adding the {@link DpopAuthScheme} and overriding the
+ * {@link AuthSchemeProvider} with a custom provider that will always return Dpop.
+ * The auth scheme uses the {@link DpopSigner} to add the required DPoP header to the request.
+ */
+@SdkInternalApi
+public class DpopAuthPlugin implements SdkPlugin {
+    private final String dpopKeyPem;
+
+    private DpopAuthPlugin(String dpopKeyPem) {
+        this.dpopKeyPem = Validate.paramNotNull(dpopKeyPem, "dpopKeyPem");
+    }
+
+    /**
+     * Create an instance of the DpopAuthPlugin using the dpopKey from the {@link LoginAccessToken}
+     * @param dpopKeyPem - PEM file contents containing the base64-encoding of the ECPrivateKey format defined by
+     *                   RFC5915: Elliptic Curve Private Key Structure. It MUST include the public key coordinates.
+     * @return dpopAuthPlugin
+     */
+    public static DpopAuthPlugin create(String dpopKeyPem) {
+        return new DpopAuthPlugin(dpopKeyPem);
+    }
+
+    @Override
+    public void configureClient(SdkServiceClientConfiguration.Builder config) {
+        SigninServiceClientConfiguration.Builder scb =
+            Validate.isInstanceOf(SigninServiceClientConfiguration.Builder.class, config,
+                                  "DpopAuthPlugin must be applied to a SigninServiceClient");
+        scb.authSchemeProvider(new DpopAuthSchemeProvider());
+        // we must use a static DpopIdentity here rather than one that dynamically loads from the disk cache
+        // the refresh request takes the clientId/refreshToken sourced from the access token on disk as input
+        // so we must sign the request with the dpopKey loaded from the same load.  IE: do not read the
+        // access token file twice!
+        scb.putAuthScheme(DpopAuthScheme.create(StaticDpopIdentityProvider.create(dpopKeyPem)));
+    }
+
+    private static class DpopAuthSchemeProvider implements SigninAuthSchemeProvider {
+
+        @Override
+        public List<AuthSchemeOption> resolveAuthScheme(SigninAuthSchemeParams authSchemeParams) {
+            return Collections.singletonList(AuthSchemeOption.builder().schemeId(DpopAuthScheme.SCHEME_NAME).build());
+        }
+    }
+
+    /**
+     * A identity provider that provides a static {@link DpopIdentity}
+     */
+    private static class StaticDpopIdentityProvider implements IdentityProvider<DpopIdentity> {
+        private final DpopIdentity identity;
+
+        private StaticDpopIdentityProvider(DpopIdentity identity) {
+            this.identity = Validate.paramNotNull(identity, "identity");
+        }
+
+        public static StaticDpopIdentityProvider create(String dpopKeyPem) {
+            return new StaticDpopIdentityProvider(DpopIdentity.create(dpopKeyPem));
+        }
+
+        @Override
+        public Class<DpopIdentity> identityType() {
+            return DpopIdentity.class;
+        }
+
+        @Override
+        public CompletableFuture<? extends DpopIdentity> resolveIdentity(ResolveIdentityRequest request) {
+            return CompletableFuture.completedFuture(identity);
+        }
+    }
+}

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopAuthScheme.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.services.signin.internal;
+
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.http.auth.spi.scheme.AuthScheme;
+import software.amazon.awssdk.http.auth.spi.signer.HttpSigner;
+import software.amazon.awssdk.identity.spi.IdentityProvider;
+import software.amazon.awssdk.identity.spi.IdentityProviders;
+import software.amazon.awssdk.utils.Validate;
+
+/**
+ * An AuthScheme representing authentication withOAuth 2.0 Demonstrating Proof of Possession (DPoP) header.
+ */
+@SdkInternalApi
+public class DpopAuthScheme implements AuthScheme<DpopIdentity> {
+    public static final String SCHEME_NAME = "DPOP";
+
+    private final IdentityProvider<DpopIdentity> identityProvider;
+
+    private DpopAuthScheme(IdentityProvider<DpopIdentity> identityProvider) {
+        this.identityProvider = Validate.paramNotNull(identityProvider, "identityProvider");
+    }
+
+    public static DpopAuthScheme create(IdentityProvider<DpopIdentity> identityProvider) {
+        return new DpopAuthScheme(identityProvider);
+    }
+
+    @Override
+    public String schemeId() {
+        return SCHEME_NAME;
+    }
+
+    @Override
+    public IdentityProvider<DpopIdentity> identityProvider(IdentityProviders providers) {
+        // we don't currently support adding an arbitrary identityProvider as a request level override
+        // return the identity provider configured up front instead
+        return identityProvider;
+    }
+
+    @Override
+    public HttpSigner<DpopIdentity> signer() {
+        return new DpopSigner();
+    }
+}

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopHeaderGenerator.java

@@ -27,7 +27,6 @@
 import java.util.Base64;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.protocols.jsoncore.JsonWriter;
-import software.amazon.awssdk.utils.Pair;
 import software.amazon.awssdk.utils.Validate;
 
 /**
@@ -57,26 +56,25 @@ private DpopHeaderGenerator() {
      * <li><a href="https://datatracker.ietf.org/doc/html/rfc7517">RFC 7517 - JSON Web Key (JWK)</a></li>
      * </ul>
      *
-     * @param pemContent - EC1 / RFC 5915 ASN.1 formated PEM contents
+     * @param dpopIdentity - DpopIdentity containing ECPrivateKey and ECPublicKey
      * @param endpoint - The HTTP target URI (Section 7.1 of [RFC9110]) of the request to which the JWT is attached,
      *                 without query and fragment parts
      * @param httpMethod - the HTTP method of the request (eg: POST).
      * @param epochSeconds - creation time of the JWT in epoch seconds.
      * @param uuid - Unique identifier for the DPoP proof JWT - should be a UUID4 string.
      * @return DPoP header value
      */
-    public static String generateDPoPProofHeader(String pemContent, String endpoint, String httpMethod,
+    public static String generateDPoPProofHeader(DpopIdentity dpopIdentity, String endpoint, String httpMethod,
                                                  long epochSeconds, String uuid) {
-        Validate.paramNotBlank(pemContent, "pemContent");
+        Validate.paramNotNull(dpopIdentity, "dpopIdentity");
         Validate.paramNotBlank(endpoint, "endpoint");
         Validate.paramNotBlank(httpMethod, "httpMethod");
         Validate.paramNotBlank(uuid, "uuid");
 
         try {
             // Load EC public and private key from PEM
-            Pair<ECPrivateKey, ECPublicKey> keys = EcKeyLoader.loadSec1Pem(pemContent);
-            ECPrivateKey privateKey = keys.left();
-            ECPublicKey publicKey = keys.right();
+            ECPrivateKey privateKey = dpopIdentity.getPrivateKey();
+            ECPublicKey publicKey = dpopIdentity.getPublicKey();
 
             // Build JSON strings (header, payload) with JsonGenerator
             byte[] headerJson = buildHeaderJson(publicKey);

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopIdentity.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.services.signin.internal;
+
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.identity.spi.Identity;
+import software.amazon.awssdk.utils.Pair;
+
+/**
+ * An identity representing the public and private keys required to sign a request using DPoP.
+ */
+@SdkInternalApi
+public class DpopIdentity implements Identity {
+    private final ECPublicKey publicKey;
+    private final ECPrivateKey privateKey;
+
+    private DpopIdentity(ECPublicKey publicKey, ECPrivateKey privateKey) {
+        this.publicKey = publicKey;
+        this.privateKey = privateKey;
+    }
+
+    public static DpopIdentity create(ECPublicKey publicKey, ECPrivateKey privateKey) {
+        return new DpopIdentity(publicKey, privateKey);
+    }
+
+    public static DpopIdentity create(String dpopKeyPem) {
+        Pair<ECPrivateKey, ECPublicKey> keys = EcKeyLoader.loadSec1Pem(dpopKeyPem);
+        return new DpopIdentity(keys.right(), keys.left());
+    }
+
+    public ECPublicKey getPublicKey() {
+        return publicKey;
+    }
+
+    public ECPrivateKey getPrivateKey() {
+        return privateKey;
+    }
+}

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopSigner.java

@@ -0,0 +1,81 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.services.signin.internal;
+
+import java.time.Instant;
+import java.util.UUID;
+import java.util.concurrent.CompletableFuture;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.http.SdkHttpRequest;
+import software.amazon.awssdk.http.auth.spi.signer.AsyncSignRequest;
+import software.amazon.awssdk.http.auth.spi.signer.AsyncSignedRequest;
+import software.amazon.awssdk.http.auth.spi.signer.BaseSignRequest;
+import software.amazon.awssdk.http.auth.spi.signer.HttpSigner;
+import software.amazon.awssdk.http.auth.spi.signer.SignRequest;
+import software.amazon.awssdk.http.auth.spi.signer.SignedRequest;
+import software.amazon.awssdk.utils.http.SdkHttpUtils;
+
+/**
+ * Signs request with a DPoP header using the requests endpoint and http method and the
+ * key from the resolved Identity.
+ */
+@SdkInternalApi
+public class DpopSigner implements HttpSigner<DpopIdentity> {
+
+    @Override
+    public SignedRequest sign(SignRequest<? extends DpopIdentity> request) {
+        return SignedRequest.builder()
+                            .request(doSign(request))
+                            .payload(request.payload().orElse(null))
+                            .build();
+    }
+
+    @Override
+    public CompletableFuture<AsyncSignedRequest> signAsync(AsyncSignRequest<? extends DpopIdentity> request) {
+        return CompletableFuture.completedFuture(
+            AsyncSignedRequest.builder()
+                              .request(doSign(request))
+                              .payload(request.payload().orElse(null))
+                              .build());
+    }
+
+    /**
+     * Using {@link BaseSignRequest}, sign the request with a {@link BaseSignRequest} and re-build it.
+     */
+    private SdkHttpRequest doSign(BaseSignRequest<?, ? extends DpopIdentity> request) {
+        return request.request().toBuilder()
+                      .putHeader(
+                          "DPoP",
+                          buildDpopHeader(request))
+                      .build();
+    }
+
+    private String buildDpopHeader(BaseSignRequest<?, ? extends DpopIdentity> request) {
+        SdkHttpRequest httpRequest = request.request();
+        String endpoint = extractRequestEndpoint(httpRequest);
+        return DpopHeaderGenerator.generateDPoPProofHeader(
+            request.identity(), endpoint, httpRequest.method().name(),
+            Instant.now().getEpochSecond(), UUID.randomUUID().toString());
+    }
+
+    private static String extractRequestEndpoint(SdkHttpRequest httpRequest) {
+        // using SdkHttpRequest.getUri() results in creating a URI which is slow and we don't need the query components
+        // construct only the endpoint that we require for DPoP.
+        String portString =
+            SdkHttpUtils.isUsingStandardPort(httpRequest.protocol(), httpRequest.port()) ? "" : ":" + httpRequest.port();
+        return httpRequest.protocol() + "://" + httpRequest.host() + portString + httpRequest.encodedPath();
+    }
+}