Use an atomic write for storing/updating the token

Author: alextwoods

services/signin/src/main/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProvider.java

@@ -138,8 +138,8 @@ private RefreshResult<AwsCredentials> updateSigninCredentials() {
             () -> SdkClientException.create("Invalid token expiration time. You must re-authenticate.")
         );
 
-        if (isWithinRefreshWindow(currentExpirationTime, staleTime)
-            && isWithinRefreshWindow(currentExpirationTime, prefetchTime)) {
+        if (shouldRefresh(currentExpirationTime, staleTime)
+            && shouldRefresh(currentExpirationTime, prefetchTime)) {
             log.debug(() -> "Using access token from disk, current expiration time is : " + currentExpirationTime);
             AwsCredentials credentials = tokenFromDisc.getAccessToken()
                 .toBuilder()
@@ -238,9 +238,14 @@ public Builder toBuilder() {
         return new BuilderImpl(this);
     }
 
-    private static boolean isWithinRefreshWindow(Instant expiration, Duration staleTime) {
+
+    /**
+     *
+     * @return true if the token should be refreshed (it is after the given refresh window, eg stale time or prefetch time)
+     */
+    private static boolean shouldRefresh(Instant expiration, Duration refreshWindow) {
         Instant now = Instant.now();
-        return expiration.isAfter(now.plus(staleTime));
+        return expiration.isAfter(now.plus(refreshWindow));
     }
 
     /**

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/OnDiskTokenManager.java

@@ -22,6 +22,7 @@
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.time.Instant;
@@ -81,8 +82,13 @@ public Optional<LoginAccessToken> loadToken() {
 
     @Override
     public void storeToken(LoginAccessToken token) {
-        try (OutputStream os = Files.newOutputStream(tokenLocation)) {
-            os.write(marshalToken(token));
+        // atomic write (write to a temp file and then move/replace the destination location).
+        try {
+            Path temp = Files.createTempFile(tokenLocation.getParent(), "token-", ".tmp");
+            try (OutputStream os = Files.newOutputStream(temp)) {
+                os.write(marshalToken(token));
+            }
+            Files.move(temp, tokenLocation, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
         } catch (IOException | UncheckedIOException e) {
             throw SdkClientException.create("Unable to write token to location " + tokenLocation, e);
         }