Merge pull request #4475 from aws/alexwoo/master/loginCredentialProvider_errorUpdates

Error handling/message updates + updates from surface area api review

Author: alextwoods

services/signin/pom.xml

@@ -56,5 +56,10 @@
             <artifactId>http-auth-aws</artifactId>
             <version>${awsjavasdk.version}</version>
         </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>profiles</artifactId>
+            <version>${awsjavasdk.version}</version>
+        </dependency>
     </dependencies>
 </project>

services/signin/src/main/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProvider.java

@@ -24,6 +24,8 @@
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Optional;
+import software.amazon.awssdk.annotations.NotThreadSafe;
+import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.annotations.SdkPublicApi;
 import software.amazon.awssdk.annotations.ThreadSafe;
 import software.amazon.awssdk.auth.credentials.AwsCredentials;
@@ -38,9 +40,9 @@
 import software.amazon.awssdk.services.signin.internal.LoginAccessToken;
 import software.amazon.awssdk.services.signin.internal.LoginCacheDirectorySystemSetting;
 import software.amazon.awssdk.services.signin.internal.OnDiskTokenManager;
+import software.amazon.awssdk.services.signin.model.AccessDeniedException;
 import software.amazon.awssdk.services.signin.model.CreateOAuth2TokenRequest;
 import software.amazon.awssdk.services.signin.model.CreateOAuth2TokenResponse;
-import software.amazon.awssdk.services.signin.model.SigninException;
 import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.SdkAutoCloseable;
 import software.amazon.awssdk.utils.StringUtils;
@@ -55,17 +57,17 @@
  * It periodically sends a {@link CreateOAuth2TokenRequest} to the AWS
  * Sign-On Service to refresh short-lived sessions to use for authentication. These sessions are updated using a single
  * calling thread (by default) or asynchronously (if {@link Builder#asyncCredentialUpdateEnabled(Boolean)} is set).
- *
+ * <p>
  * If the credentials are not successfully updated before expiration, calls to {@link #resolveCredentials()} will block until
  * they are updated successfully.
- *
+ * <p>
  * Users of this provider must {@link #close()} it when they are finished using it.
- *
+ * <p>
  * This is created using {@link LoginCredentialsProvider#builder()}.
  */
 @SdkPublicApi
 @ThreadSafe
-public class LoginCredentialsProvider implements
+public final class LoginCredentialsProvider implements
                                       AwsCredentialsProvider, SdkAutoCloseable,
                                       ToCopyableBuilder<LoginCredentialsProvider.Builder, LoginCredentialsProvider> {
     private static final Logger log = Logger.loggerFor(LoginCredentialsProvider.class);
@@ -196,10 +198,32 @@ private RefreshResult<AwsCredentials> refreshFromSigninService(LoginAccessToken
                                 .staleTime(newExpiration.minus(staleTime))
                                 .prefetchTime(newExpiration.minus(prefetchTime))
                                 .build();
-        } catch (SigninException serviceException) {
-            throw SdkClientException.create(
-                "Unable to refresh AWS Signin Access Token: You must re-authenticate.",
-                serviceException);
+        } catch (AccessDeniedException accessDeniedException) {
+            if (accessDeniedException.error() == null) {
+                throw accessDeniedException;
+            }
+
+            switch (accessDeniedException.error()) {
+                case TOKEN_EXPIRED:
+                    throw SdkClientException.create(
+                        "Your session has expired. Please reauthenticate.",
+                        accessDeniedException);
+                case USER_CREDENTIALS_CHANGED:
+                    throw SdkClientException.create(
+                        "Unable to refresh credentials because of a change in your password. "
+                        + "Please reauthenticate with your new password.",
+                        accessDeniedException
+                    );
+                case INSUFFICIENT_PERMISSIONS:
+                    throw SdkClientException.create(
+                        "Unable to refresh credentials due to insufficient permissions. You may be missing permission "
+                        + "for the 'CreateOAuth2Token' action.",
+                        accessDeniedException
+                    );
+                default:
+                    throw accessDeniedException;
+
+            }
         }
     }
 
@@ -222,7 +246,7 @@ public Duration prefetchTime() {
     /**
      * Get a builder for creating a custom {@link LoginCredentialsProvider}.
      */
-    public static BuilderImpl builder() {
+    public static Builder builder() {
         return new BuilderImpl();
     }
 
@@ -243,7 +267,6 @@ public Builder toBuilder() {
 
 
     /**
-     *
      * @return true if the token does NOT need to be refreshed - it is after the given refresh window, eg stale/prefetch time.
      */
     private static boolean shouldNotRefresh(Instant expiration, Duration refreshWindow) {
@@ -254,6 +277,7 @@ private static boolean shouldNotRefresh(Instant expiration, Duration refreshWind
     /**
      * A builder for creating a custom {@link LoginCredentialsProvider}.
      */
+    @NotThreadSafe
     public interface Builder extends CopyableBuilder<Builder, LoginCredentialsProvider> {
         /**
          * Configure the {@link SigninClient} to use when calling Signin to update the session. This client should not be shut
@@ -265,15 +289,15 @@ public interface Builder extends CopyableBuilder<Builder, LoginCredentialsProvid
          * Configure whether the provider should fetch credentials asynchronously in the background. If this is true, threads are
          * less likely to block when credentials are loaded, but additional resources are used to maintain the provider.
          *
-         * <p>By default, this is disabled.</p>
+         * <p>By default, this is enabled.
          */
         Builder asyncCredentialUpdateEnabled(Boolean asyncCredentialUpdateEnabled);
 
         /**
-         * Configure the amount of time, relative to signin token expiration, that the cached credentials are considered stale and
+         * Configure the amount of time, relative to login token expiration, that the cached credentials are considered stale and
          * should no longer be used. All threads will block until the value is updated.
          *
-         * <p>By default, this is 1 minute.</p>
+         * <p>By default, this is 1 minute.
          */
         Builder staleTime(Duration staleTime);
 
@@ -284,7 +308,7 @@ public interface Builder extends CopyableBuilder<Builder, LoginCredentialsProvid
          * Prefetch updates will occur between the specified time and the stale time of the provider. Prefetch updates may be
          * asynchronous. See {@link #asyncCredentialUpdateEnabled}.
          *
-         * <p>By default, this is 5 minutes.</p>
+         * <p>By default, this is 5 minutes.
          */
         Builder prefetchTime(Duration prefetchTime);
 
@@ -303,19 +327,18 @@ public interface Builder extends CopyableBuilder<Builder, LoginCredentialsProvid
          * An optional string denoting previous credentials providers that are chained with this one. This method is primarily
          * intended for use by AWS SDK internal components and should not be used directly by external users.
          */
+        @SdkInternalApi
         Builder sourceChain(String sourceChain);
 
         /**
          * Create a {@link LoginCredentialsProvider} using the configuration applied to this builder.
-         *
-         * @return
          */
         @Override
         LoginCredentialsProvider build();
     }
 
     protected static final class BuilderImpl implements Builder {
-        private Boolean asyncCredentialUpdateEnabled = false;
+        private Boolean asyncCredentialUpdateEnabled = true;
         private SigninClient signinClient;
         private Duration staleTime;
         private Duration prefetchTime;

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopAuthPlugin.java

@@ -21,6 +21,7 @@
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.core.SdkPlugin;
 import software.amazon.awssdk.core.SdkServiceClientConfiguration;
+import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeOption;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeProvider;
 import software.amazon.awssdk.identity.spi.IdentityProvider;
@@ -63,7 +64,11 @@ public void configureClient(SdkServiceClientConfiguration.Builder config) {
         // the refresh request takes the clientId/refreshToken sourced from the access token on disk as input
         // so we must sign the request with the dpopKey loaded from the same load.  IE: do not read the
         // access token file twice!
-        scb.putAuthScheme(DpopAuthScheme.create(StaticDpopIdentityProvider.create(dpopKeyPem)));
+        try {
+            scb.putAuthScheme(DpopAuthScheme.create(StaticDpopIdentityProvider.create(dpopKeyPem)));
+        } catch (Exception e) {
+            throw SdkClientException.create("Unable to refresh Login credentials. Please reauthenticate ", e);
+        }
     }
 
     private static class DpopAuthSchemeProvider implements SigninAuthSchemeProvider {

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/EcKeyLoader.java

@@ -121,7 +121,6 @@ private static class ParsedEcKey {
         byte[] publicBytes;
     }
 
-
     /**
      * Follows the SEC1 / RFC 5915 ASN.1 format: PrivateKeyInfo ::= SEQUENCE { version INTEGER (0), privateKeyAlgorithm
      * AlgorithmIdentifier, -- ecPublicKey + curve OID privateKey OCTET STRING -- contains the SEC1 DER parameters [0]

services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/OnDiskTokenManager.java

@@ -54,7 +54,7 @@ private OnDiskTokenManager(Path cacheLocation, String loginSession) {
 
     private String deriveCacheKey(String loginSession) {
         try {
-            MessageDigest sha1 = MessageDigest.getInstance("sha256");
+            MessageDigest sha1 = MessageDigest.getInstance("SHA-256");
             sha1.update(loginSession.getBytes(StandardCharsets.UTF_8));
             return BinaryUtils.toHex(sha1.digest()).toLowerCase(Locale.ENGLISH);
         } catch (NoSuchAlgorithmException e) {

services/signin/src/test/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProviderTest.java

@@ -20,12 +20,7 @@
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
+
 import static software.amazon.awssdk.services.signin.auth.internal.DpopTestUtils.VALID_TEST_PEM;
 import static software.amazon.awssdk.services.signin.auth.internal.DpopTestUtils.getJwtPayloadFromEncodedDpopHeader;
 import static software.amazon.awssdk.services.signin.auth.internal.DpopTestUtils.verifySignature;
@@ -41,10 +36,8 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
-import org.mockito.ArgumentCaptor;
 import software.amazon.awssdk.auth.credentials.AwsCredentials;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
-import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute;
 import software.amazon.awssdk.core.SdkRequest;
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.core.interceptor.Context;
@@ -61,10 +54,10 @@
 import software.amazon.awssdk.services.signin.internal.LoginAccessToken;
 import software.amazon.awssdk.services.signin.internal.OnDiskTokenManager;
 import software.amazon.awssdk.services.signin.model.CreateOAuth2TokenRequest;
-import software.amazon.awssdk.services.signin.model.CreateOAuth2TokenResponse;
+import software.amazon.awssdk.services.signin.model.OAuth2ErrorCode;
 import software.amazon.awssdk.services.signin.model.SigninException;
-import software.amazon.awssdk.testutils.service.http.MockAsyncHttpClient;
 import software.amazon.awssdk.testutils.service.http.MockSyncHttpClient;
+import software.amazon.awssdk.utils.StringInputStream;
 
 public class LoginCredentialsProviderTest {
     private static final String LOGIN_SESSION_ID = "loginSessionId";
@@ -188,7 +181,7 @@ public void resolveCredentials_whenCredentialsExpired_refreshesAndUpdatesCache()
     }
 
     @Test
-    public void resolveCredentials_whenCredentialsExpired_serviceCallFails_raisesException() {
+    public void resolveCredentials_whenCredentialsExpired_serviceCallFailsWithGeneric500_raisesException() {
         // expired
         AwsSessionCredentials creds = buildCredentials(Instant.now().minusSeconds(60));
         LoginAccessToken token = buildAccessToken(creds);
@@ -199,7 +192,43 @@ public void resolveCredentials_whenCredentialsExpired_serviceCallFails_raisesExc
                 .response(SdkHttpResponse.builder().statusCode(500).build())
                 .build()
         );
-        assertThrows(SdkClientException.class, () -> loginCredentialsProvider.resolveCredentials());
+        assertThrows(SigninException.class, () -> loginCredentialsProvider.resolveCredentials());
+    }
+
+    @Test
+    public void resolveCredentials_whenCredentialsExpired_serviceCallFailsWithTokenExpired_raisesException() {
+        // expired
+        AwsSessionCredentials creds = buildCredentials(Instant.now().minusSeconds(60));
+        LoginAccessToken token = buildAccessToken(creds);
+        tokenManager.storeToken(token);
+
+        stubAccessDeniedException(OAuth2ErrorCode.TOKEN_EXPIRED);
+        SdkClientException e = assertThrows(SdkClientException.class, () -> loginCredentialsProvider.resolveCredentials());
+        assertTrue(e.getMessage().contains("Your session has expired"));
+    }
+
+    @Test
+    public void resolveCredentials_whenCredentialsExpired_serviceCallFailsWithUserExpired_raisesException() {
+        // expired
+        AwsSessionCredentials creds = buildCredentials(Instant.now().minusSeconds(60));
+        LoginAccessToken token = buildAccessToken(creds);
+        tokenManager.storeToken(token);
+
+        stubAccessDeniedException(OAuth2ErrorCode.USER_CREDENTIALS_CHANGED);
+        SdkClientException e = assertThrows(SdkClientException.class, () -> loginCredentialsProvider.resolveCredentials());
+        assertTrue(e.getMessage().contains("change in your password"));
+    }
+
+    @Test
+    public void resolveCredentials_whenCredentialsExpired_serviceCallFailsWithInsufficentPermissions_raisesException() {
+        // expired
+        AwsSessionCredentials creds = buildCredentials(Instant.now().minusSeconds(60));
+        LoginAccessToken token = buildAccessToken(creds);
+        tokenManager.storeToken(token);
+
+        stubAccessDeniedException(OAuth2ErrorCode.INSUFFICIENT_PERMISSIONS);
+        SdkClientException e = assertThrows(SdkClientException.class, () -> loginCredentialsProvider.resolveCredentials());
+        assertTrue(e.getMessage().contains("insufficient permissions"));
     }
 
     private static void verifyResolvedCredentialsAreUpdated(AwsCredentials resolvedCredentials) {
@@ -254,6 +283,22 @@ private void stubSuccessfulRefreshResponse() {
         );
     }
 
+    private void stubAccessDeniedException(OAuth2ErrorCode errorCode) {
+        String errorBody = "{\"error\":\"" + errorCode + "\",\"message\":\"The refresh token has expired.\"}";
+        mockHttpClient.stubNextResponse(
+            HttpExecuteResponse
+                .builder()
+                .response(
+                    SdkHttpResponse
+                        .builder()
+                        .putHeader("X-Amzn-Errortype", "AccessDeniedException")
+                        .statusCode(401)
+                        .build())
+                .responseBody(AbortableInputStream.create(new StringInputStream(errorBody)))
+                .build()
+        );
+    }
+
     private AwsSessionCredentials buildCredentials(Instant expirationTime) {
         return AwsSessionCredentials.builder()
                              .accessKeyId("akid")

services/signin/src/test/java/software/amazon/awssdk/services/signin/auth/internal/OnDiskTokenManagerTest.java

@@ -114,16 +114,9 @@ void loadToken_whenCorruptJson_raisesException() throws IOException {
 
     @Test
     void storeToken_whenIoFails_raisesException() {
-        Path readOnlyDir = tempDir.resolve("readonly");
-        try {
-            Files.createDirectory(readOnlyDir);
-            readOnlyDir.toFile().setReadOnly();
-        } catch (IOException e) {
-            fail("Unable to set up readonly dir");
-        }
-
+        Path readOnlyDir = tempDir.resolve("pathdoesnotexist");
         OnDiskTokenManager manager = OnDiskTokenManager.create(readOnlyDir, LOGIN_SESSION_ID);
-        assertThrows(SdkClientException.class, () -> manager.storeToken(token));
+        SdkClientException e = assertThrows(SdkClientException.class, () -> manager.storeToken(token));
     }
 
     @Test
@@ -145,7 +138,7 @@ void unmarshalToken_whenMissingRequiredFields_raisesException() throws IOExcepti
 
     private Path tokenLocation(String loginSession) {
         try {
-            MessageDigest sha1 = MessageDigest.getInstance("sha256");
+            MessageDigest sha1 = MessageDigest.getInstance("SHA-256");
             sha1.update(loginSession.getBytes(StandardCharsets.UTF_8));
             String cacheKey = BinaryUtils.toHex(sha1.digest()).toLowerCase(Locale.ENGLISH);
             return tempDir.resolve(cacheKey + ".json");