Break up authscheme into multiple standalone classes, add tests.

Author: alextwoods

services/signin/src/main/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProvider.java

@@ -34,7 +34,7 @@
 import software.amazon.awssdk.core.useragent.BusinessMetricFeatureId;
 import software.amazon.awssdk.services.signin.SigninClient;
 import software.amazon.awssdk.services.signin.internal.AccessTokenManager;
-import software.amazon.awssdk.services.signin.internal.DpopAuthScheme;
+import software.amazon.awssdk.services.signin.internal.DpopAuthPlugin;
 import software.amazon.awssdk.services.signin.internal.LoginAccessToken;
 import software.amazon.awssdk.services.signin.internal.LoginCacheDirectorySystemSetting;
 import software.amazon.awssdk.services.signin.internal.OnDiskTokenManager;
@@ -161,7 +161,7 @@ private RefreshResult<AwsCredentials> refreshFromSigninService(LoginAccessToken
         log.debug(() -> "Credentials are near expiration/expired, refreshing from Signin service.");
 
         try {
-            SdkPlugin dpopAuthPlugin = DpopAuthScheme.DpopAuthPlugin.create(tokenFromDisc.getDpopKey());
+            SdkPlugin dpopAuthPlugin = DpopAuthPlugin.create(tokenFromDisc.getDpopKey());
             CreateOAuth2TokenRequest refreshRequest =
                 CreateOAuth2TokenRequest
                     .builder()

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopAuthPlugin.java

@@ -0,0 +1,101 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.services.signin.internal;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.concurrent.CompletableFuture;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.core.SdkPlugin;
+import software.amazon.awssdk.core.SdkServiceClientConfiguration;
+import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeOption;
+import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeProvider;
+import software.amazon.awssdk.identity.spi.IdentityProvider;
+import software.amazon.awssdk.identity.spi.ResolveIdentityRequest;
+import software.amazon.awssdk.services.signin.SigninServiceClientConfiguration;
+import software.amazon.awssdk.services.signin.auth.scheme.SigninAuthSchemeParams;
+import software.amazon.awssdk.services.signin.auth.scheme.SigninAuthSchemeProvider;
+import software.amazon.awssdk.utils.Validate;
+
+/**
+ * An SDK plugin that will use DPoP auth for requests by adding the {@link DpopAuthScheme} and overriding the
+ * {@link AuthSchemeProvider} with a custom provider that will always return Dpop.
+ * The auth scheme uses the {@link DpopSigner} to add the required DPoP header to the request.
+ */
+@SdkInternalApi
+public class DpopAuthPlugin implements SdkPlugin {
+    private final String dpopKeyPem;
+
+    private DpopAuthPlugin(String dpopKeyPem) {
+        this.dpopKeyPem = Validate.paramNotNull(dpopKeyPem, "dpopKeyPem");
+    }
+
+    /**
+     * Create an instance of the DpopAuthPlugin using the dpopKey from the {@link LoginAccessToken}
+     * @param dpopKeyPem - PEM file contents containing the base64-encoding of the ECPrivateKey format defined by
+     *                   RFC5915: Elliptic Curve Private Key Structure. It MUST include the public key coordinates.
+     * @return dpopAuthPlugin
+     */
+    public static DpopAuthPlugin create(String dpopKeyPem) {
+        return new DpopAuthPlugin(dpopKeyPem);
+    }
+
+    @Override
+    public void configureClient(SdkServiceClientConfiguration.Builder config) {
+        SigninServiceClientConfiguration.Builder scb =
+            Validate.isInstanceOf(SigninServiceClientConfiguration.Builder.class, config,
+                                  "DpopAuthPlugin must be applied to a SigninServiceClient");
+        scb.authSchemeProvider(new DpopAuthSchemeProvider());
+        // we must use a static DpopIdentity here rather than one that dynamically loads from the disk cache
+        // the refresh request takes the clientId/refreshToken sourced from the access token on disk as input
+        // so we must sign the request with the dpopKey loaded from the same load.  IE: do not read the
+        // access token file twice!
+        scb.putAuthScheme(DpopAuthScheme.create(StaticDpopIdentityProvider.create(dpopKeyPem)));
+    }
+
+    private static class DpopAuthSchemeProvider implements SigninAuthSchemeProvider {
+
+        @Override
+        public List<AuthSchemeOption> resolveAuthScheme(SigninAuthSchemeParams authSchemeParams) {
+            return Collections.singletonList(AuthSchemeOption.builder().schemeId(DpopAuthScheme.SCHEME_NAME).build());
+        }
+    }
+
+    /**
+     * A identity provider that provides a static {@link DpopIdentity}
+     */
+    private static class StaticDpopIdentityProvider implements IdentityProvider<DpopIdentity> {
+        private final DpopIdentity identity;
+
+        private StaticDpopIdentityProvider(DpopIdentity identity) {
+            this.identity = Validate.paramNotNull(identity, "identity");
+        }
+
+        public static StaticDpopIdentityProvider create(String dpopKeyPem) {
+            return new StaticDpopIdentityProvider(DpopIdentity.create(dpopKeyPem));
+        }
+
+        @Override
+        public Class<DpopIdentity> identityType() {
+            return DpopIdentity.class;
+        }
+
+        @Override
+        public CompletableFuture<? extends DpopIdentity> resolveIdentity(ResolveIdentityRequest request) {
+            return CompletableFuture.completedFuture(identity);
+        }
+    }
+}

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopAuthScheme.java

@@ -15,46 +15,27 @@
 
 package software.amazon.awssdk.services.signin.internal;
 
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
-import java.time.Instant;
-import java.util.Collections;
-import java.util.List;
-import java.util.UUID;
-import java.util.concurrent.CompletableFuture;
-import software.amazon.awssdk.core.SdkPlugin;
-import software.amazon.awssdk.core.SdkRequest;
-import software.amazon.awssdk.core.SdkServiceClientConfiguration;
-import software.amazon.awssdk.http.SdkHttpRequest;
+import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthScheme;
-import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeOption;
-import software.amazon.awssdk.http.auth.spi.signer.AsyncSignRequest;
-import software.amazon.awssdk.http.auth.spi.signer.AsyncSignedRequest;
-import software.amazon.awssdk.http.auth.spi.signer.BaseSignRequest;
 import software.amazon.awssdk.http.auth.spi.signer.HttpSigner;
-import software.amazon.awssdk.http.auth.spi.signer.SignRequest;
-import software.amazon.awssdk.http.auth.spi.signer.SignedRequest;
-import software.amazon.awssdk.identity.spi.Identity;
 import software.amazon.awssdk.identity.spi.IdentityProvider;
 import software.amazon.awssdk.identity.spi.IdentityProviders;
-import software.amazon.awssdk.identity.spi.ResolveIdentityRequest;
-import software.amazon.awssdk.services.signin.SigninServiceClientConfiguration;
-import software.amazon.awssdk.services.signin.auth.scheme.SigninAuthSchemeParams;
-import software.amazon.awssdk.services.signin.auth.scheme.SigninAuthSchemeProvider;
-import software.amazon.awssdk.utils.Pair;
 import software.amazon.awssdk.utils.Validate;
-import software.amazon.awssdk.utils.http.SdkHttpUtils;
 
-public class DpopAuthScheme implements AuthScheme<DpopAuthScheme.DpopIdentity> {
+/**
+ * An AuthScheme representing authentication withOAuth 2.0 Demonstrating Proof of Possession (DPoP) header.
+ */
+@SdkInternalApi
+public class DpopAuthScheme implements AuthScheme<DpopIdentity> {
     public static final String SCHEME_NAME = "DPOP";
 
-    private final DpopIdentityProvider identityProvider;
+    private final IdentityProvider<DpopIdentity> identityProvider;
 
-    private DpopAuthScheme(DpopIdentityProvider identityProvider) {
+    private DpopAuthScheme(IdentityProvider<DpopIdentity> identityProvider) {
         this.identityProvider = Validate.paramNotNull(identityProvider, "identityProvider");
     }
 
-    public static DpopAuthScheme create(DpopIdentityProvider identityProvider) {
+    public static DpopAuthScheme create(IdentityProvider<DpopIdentity> identityProvider) {
         return new DpopAuthScheme(identityProvider);
     }
 
@@ -74,129 +55,4 @@ public IdentityProvider<DpopIdentity> identityProvider(IdentityProviders provide
     public HttpSigner<DpopIdentity> signer() {
         return new DpopSigner();
     }
-
-    public static class DpopIdentity implements Identity {
-        private final ECPublicKey publicKey;
-        private final ECPrivateKey privateKey;
-
-        private DpopIdentity(ECPublicKey publicKey, ECPrivateKey privateKey) {
-            this.publicKey = publicKey;
-            this.privateKey = privateKey;
-        }
-
-        public static DpopIdentity create(ECPublicKey publicKey, ECPrivateKey privateKey) {
-            return new DpopIdentity(publicKey, privateKey);
-        }
-
-        public static DpopIdentity create(String dpopKeyPem) {
-            Pair<ECPrivateKey, ECPublicKey> keys = EcKeyLoader.loadSec1Pem(dpopKeyPem);
-            return new DpopIdentity(keys.right(), keys.left());
-        }
-
-        public ECPublicKey getPublicKey() {
-            return publicKey;
-        }
-
-        public ECPrivateKey getPrivateKey() {
-            return privateKey;
-        }
-    }
-
-    private static class DpopSigner implements HttpSigner<DpopIdentity> {
-
-        @Override
-        public SignedRequest sign(SignRequest<? extends DpopIdentity> request) {
-            return SignedRequest.builder()
-                                .request(doSign(request))
-                                .payload(request.payload().orElse(null))
-                                .build();
-        }
-
-        @Override
-        public CompletableFuture<AsyncSignedRequest> signAsync(AsyncSignRequest<? extends DpopIdentity> request) {
-            return CompletableFuture.completedFuture(
-                AsyncSignedRequest.builder()
-                                  .request(doSign(request))
-                                  .payload(request.payload().orElse(null))
-                                  .build());
-        }
-
-        /**
-         * Using {@link BaseSignRequest}, sign the request with a {@link BaseSignRequest} and re-build it.
-         */
-        private SdkHttpRequest doSign(BaseSignRequest<?, ? extends DpopIdentity> request) {
-            return request.request().toBuilder()
-                          .putHeader(
-                              "DPoP",
-                              buildDpopHeader(request))
-                          .build();
-        }
-
-        private String buildDpopHeader(BaseSignRequest<?, ? extends DpopIdentity> request) {
-            SdkHttpRequest httpRequest = request.request();
-            String endpoint = extractRequestEndpoint(httpRequest);
-            return DpopHeaderGenerator.generateDPoPProofHeader(
-                request.identity(), endpoint, httpRequest.method().name(),
-                Instant.now().getEpochSecond(), UUID.randomUUID().toString());
-        }
-
-        private static String extractRequestEndpoint(SdkHttpRequest httpRequest) {
-            // using SdkHttpRequest.getUri() results in creating a URI which is slow and we don't need the query components
-            // construct only the endpoint that we require for DPoP.
-            String portString =
-                SdkHttpUtils.isUsingStandardPort(httpRequest.protocol(), httpRequest.port()) ? "" : ":" + httpRequest.port();
-            return httpRequest.protocol() + "://" + httpRequest.host() + portString + httpRequest.encodedPath();
-        }
-    }
-
-    private static class DpopIdentityProvider implements IdentityProvider<DpopIdentity> {
-        private final DpopIdentity identity;
-
-        private DpopIdentityProvider(DpopIdentity identity) {
-            this.identity = Validate.paramNotNull(identity, "identity");
-        }
-
-        public static DpopIdentityProvider create(String dpopKeyPem) {
-            return new DpopIdentityProvider(DpopIdentity.create(dpopKeyPem));
-        }
-
-        @Override
-        public Class<DpopIdentity> identityType() {
-            return DpopIdentity.class;
-        }
-
-        @Override
-        public CompletableFuture<? extends DpopIdentity> resolveIdentity(ResolveIdentityRequest request) {
-            return CompletableFuture.completedFuture(identity);
-        }
-    }
-
-    public static class DpopAuthSchemeResolver implements SigninAuthSchemeProvider {
-
-        @Override
-        public List<AuthSchemeOption> resolveAuthScheme(SigninAuthSchemeParams authSchemeParams) {
-            return Collections.singletonList(AuthSchemeOption.builder().schemeId(SCHEME_NAME).build());
-        }
-    }
-
-    public static class DpopAuthPlugin implements SdkPlugin {
-        private final String dpopKeyPem;
-
-        private DpopAuthPlugin(String dpopKeyPem) {
-            this.dpopKeyPem = Validate.paramNotNull(dpopKeyPem, "dpopKeyPem");
-        }
-
-        public static DpopAuthPlugin create(String dpopKeyPem) {
-            return new DpopAuthPlugin(dpopKeyPem);
-        }
-
-        @Override
-        public void configureClient(SdkServiceClientConfiguration.Builder config) {
-            SigninServiceClientConfiguration.Builder scb =
-                Validate.isInstanceOf(SigninServiceClientConfiguration.Builder.class, config,
-                                      "DpopAuthPlugin must be applied to a SigninServiceClient");
-            scb.authSchemeProvider(new DpopAuthSchemeResolver());
-            scb.putAuthScheme(DpopAuthScheme.create(DpopIdentityProvider.create(dpopKeyPem)));
-        }
-    }
 }

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopHeaderGenerator.java

@@ -27,7 +27,6 @@
 import java.util.Base64;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.protocols.jsoncore.JsonWriter;
-import software.amazon.awssdk.utils.Pair;
 import software.amazon.awssdk.utils.Validate;
 
 /**
@@ -65,7 +64,7 @@ private DpopHeaderGenerator() {
      * @param uuid - Unique identifier for the DPoP proof JWT - should be a UUID4 string.
      * @return DPoP header value
      */
-    public static String generateDPoPProofHeader(DpopAuthScheme.DpopIdentity dpopIdentity, String endpoint, String httpMethod,
+    public static String generateDPoPProofHeader(DpopIdentity dpopIdentity, String endpoint, String httpMethod,
                                                  long epochSeconds, String uuid) {
         Validate.paramNotNull(dpopIdentity, "dpopIdentity");
         Validate.paramNotBlank(endpoint, "endpoint");

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopIdentity.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.services.signin.internal;
+
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.identity.spi.Identity;
+import software.amazon.awssdk.utils.Pair;
+
+/**
+ * An identity representing the public and private keys required to sign a request using DPoP.
+ */
+@SdkInternalApi
+public class DpopIdentity implements Identity {
+    private final ECPublicKey publicKey;
+    private final ECPrivateKey privateKey;
+
+    private DpopIdentity(ECPublicKey publicKey, ECPrivateKey privateKey) {
+        this.publicKey = publicKey;
+        this.privateKey = privateKey;
+    }
+
+    public static DpopIdentity create(ECPublicKey publicKey, ECPrivateKey privateKey) {
+        return new DpopIdentity(publicKey, privateKey);
+    }
+
+    public static DpopIdentity create(String dpopKeyPem) {
+        Pair<ECPrivateKey, ECPublicKey> keys = EcKeyLoader.loadSec1Pem(dpopKeyPem);
+        return new DpopIdentity(keys.right(), keys.left());
+    }
+
+    public ECPublicKey getPublicKey() {
+        return publicKey;
+    }
+
+    public ECPrivateKey getPrivateKey() {
+        return privateKey;
+    }
+}