Fixed issues with use of Instance Principals with the cloud service.

 o ensure that access tokens used are not expired
 o warmup signature cache to reduce security-related latency when a handle is first used
 o reduce time a signature is cached to ensure that it is refreshed before it times out

Author: gmfeinberg

CHANGELOG.md

@@ -24,6 +24,10 @@ of a given type, e.g. FieldValue.isInteger(), etc.
  - Some methods that would throw NullPointerException for missing or
  invalid configurations now throw IllegalArgumentException. Related messages have
  been clarified.
+ - Changed default duration of signature cache of SignatureProvider from 5 to 4 minutes
+ - NoSQLHandle creation now performs SignatureProvider warm-up that will pre-create
+ and cache the signature. Errors or delays occur during creating signature may
+ result in handle creation failure that would not have happened in previous releases (cloud service only)
 
 ### Fixed
 - Use correct netty constructor when using an HTTP proxy without a username or
@@ -37,6 +41,12 @@ TableNotFoundException
  - setProxyPort
  - setProxyUsername
  - setProxyPassword
+- Cloud service only, instance principal issues:
+  - Fixed an issue where the first request issued using instance principal may take
+ longer than 5 seconds and throw RequestTimeoutException if handle uses the default
+ request timeout.
+  - Fixed a problem where SignatureProvider with instance principal may use expired
+ security token issued by IAM to create signature, which causes InvalidAuthorizationException.
 
 ## [5.2.26] - 2021-02-09
 

driver/.classpath

@@ -4,7 +4,7 @@
   <classpathentry kind="src" path="src/main/java" including="**/*.java"/>
   <classpathentry kind="output" path="target/classes"/>
   <classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.8"/>
-  <classpathentry kind="var" path="M2_REPO/com/fasterxml/jackson/core/jackson-core/2.11.2/jackson-core-2.11.2.jar"/>
+  <classpathentry kind="var" path="M2_REPO/com/fasterxml/jackson/core/jackson-core/2.12.1/jackson-core-2.12.1.jar"/>
   <classpathentry kind="var" path="M2_REPO/io/netty/netty-buffer/4.1.52.Final/netty-buffer-4.1.52.Final.jar"/>
   <classpathentry kind="var" path="M2_REPO/io/netty/netty-common/4.1.52.Final/netty-common-4.1.52.Final.jar"/>
   <classpathentry kind="var" path="M2_REPO/io/netty/netty-codec-http/4.1.52.Final/netty-codec-http-4.1.52.Final.jar"/>
@@ -14,8 +14,8 @@
   <classpathentry kind="var" path="M2_REPO/io/netty/netty-handler/4.1.52.Final/netty-handler-4.1.52.Final.jar"/>
   <classpathentry kind="var" path="M2_REPO/io/netty/netty-handler-proxy/4.1.52.Final/netty-handler-proxy-4.1.52.Final.jar"/>
   <classpathentry kind="var" path="M2_REPO/io/netty/netty-codec-socks/4.1.52.Final/netty-codec-socks-4.1.52.Final.jar"/>
-  <classpathentry kind="var" path="M2_REPO/org/bouncycastle/bcprov-jdk15on/1.66/bcprov-jdk15on-1.66.jar"/>
-  <classpathentry kind="var" path="M2_REPO/org/bouncycastle/bcpkix-jdk15on/1.66/bcpkix-jdk15on-1.66.jar"/>
+  <classpathentry kind="var" path="M2_REPO/org/bouncycastle/bcprov-jdk15on/1.68/bcprov-jdk15on-1.68.jar"/>
+  <classpathentry kind="var" path="M2_REPO/org/bouncycastle/bcpkix-jdk15on/1.68/bcpkix-jdk15on-1.68.jar"/>
   <classpathentry kind="var" path="M2_REPO/junit/junit/4.12/junit-4.12.jar"/>
   <classpathentry kind="var" path="M2_REPO/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar"/>
-</classpath>
+</classpath>

driver/src/main/java/oracle/nosql/driver/http/NoSQLHandleImpl.java

@@ -146,7 +146,7 @@ private void configAuthProvider(Logger logger, NoSQLHandleConfig config) {
             }
         } else if (ap instanceof SignatureProvider) {
             SignatureProvider sigProvider = (SignatureProvider) ap;
-            sigProvider.setServiceHost(config);
+            sigProvider.prepare(config);
             if (sigProvider.getLogger() == null) {
                 sigProvider.setLogger(logger);
             }

driver/src/main/java/oracle/nosql/driver/iam/AuthenticationProfileProvider.java

@@ -13,10 +13,10 @@
  * @hidden
  * Internal use only
  * <p>
- * The provider to supplies key id and private key that ared used to generate
+ * The provider to supplies key id and private key that are used to generate
  * request signature.
  */
-interface AuthenticationProfileProvider {
+public interface AuthenticationProfileProvider {
 
     /**
      * Returns the keyId used to sign requests.
@@ -42,4 +42,13 @@ interface AuthenticationProfileProvider {
      * @return The passphrase as character array, or null if not applicable
      */
     char[] getPassphraseCharacters();
+
+    /**
+     * Check validity of key identified by given id.
+     * @param keyId key id
+     * @return true if key identified by given id is valid
+     */
+    default boolean isKeyValid(String keyId) {
+        return true;
+    }
 }

driver/src/main/java/oracle/nosql/driver/iam/InstancePrincipalsProvider.java

@@ -29,6 +29,7 @@
 import oracle.nosql.driver.httpclient.HttpClient;
 import oracle.nosql.driver.iam.CertificateSupplier.DefaultCertificateSupplier;
 import oracle.nosql.driver.iam.CertificateSupplier.URLResourceDetails;
+import oracle.nosql.driver.iam.SecurityTokenSupplier.SecurityTokenBasedProvider;
 import oracle.nosql.driver.iam.SessionKeyPairSupplier.DefaultSessionKeySupplier;
 import oracle.nosql.driver.iam.SessionKeyPairSupplier.JDKKeyPairSupplier;
 import oracle.nosql.driver.util.HttpRequestUtil;
@@ -49,8 +50,10 @@
  * compute instance. It authenticates with instance principal and uses security
  * token issued by IAM to do the actual request signing.
  */
-class InstancePrincipalsProvider
-    implements AuthenticationProfileProvider, RegionProvider {
+public class InstancePrincipalsProvider
+    implements AuthenticationProfileProvider,
+               RegionProvider,
+               SecurityTokenBasedProvider {
 
     protected final SecurityTokenSupplier tokenSupplier;
     protected final DefaultSessionKeySupplier sessionKeySupplier;
@@ -69,6 +72,11 @@ public String getKeyId() {
         return "ST$" + tokenSupplier.getSecurityToken();
     }
 
+    @Override
+    public boolean isKeyValid(String keyId) {
+        return keyId.equals("ST$" + tokenSupplier.getCurrentToken());
+    }
+
     @Override
     public InputStream getPrivateKey() {
         return new ByteArrayInputStream(sessionKeySupplier.getPrivateKeyBytes());
@@ -84,11 +92,17 @@ public Region getRegion() {
         return region;
     }
 
+    @Override
+    public void setTokenExpirationRefreshWindow(long refreshWindowMS) {
+        tokenSupplier.setTokenExpirationRefreshWindow(refreshWindowMS);
+    }
+
     public static InstancePrincipalsProviderBuilder builder() {
         return new InstancePrincipalsProviderBuilder();
     }
 
     /**
+     * @hidden
      * Cloud service only.
      * <p>
      * Builder of InstancePrincipalsProvider

driver/src/main/java/oracle/nosql/driver/iam/ResourcePrincipalProvider.java

@@ -17,6 +17,7 @@
 import oracle.nosql.driver.Region.RegionProvider;
 import oracle.nosql.driver.iam.ResourcePrincipalTokenSupplier.FileSecurityTokenSupplier;
 import oracle.nosql.driver.iam.ResourcePrincipalTokenSupplier.FixedSecurityTokenSupplier;
+import oracle.nosql.driver.iam.SecurityTokenSupplier.SecurityTokenBasedProvider;
 import oracle.nosql.driver.iam.SessionKeyPairSupplier.DefaultSessionKeySupplier;
 import oracle.nosql.driver.iam.SessionKeyPairSupplier.FileKeyPairSupplier;
 import oracle.nosql.driver.iam.SessionKeyPairSupplier.FixedKeyPairSupplier;
@@ -65,7 +66,9 @@
  * </ul>
  */
 class ResourcePrincipalProvider
-    implements AuthenticationProfileProvider, RegionProvider {
+    implements AuthenticationProfileProvider,
+               RegionProvider,
+               SecurityTokenBasedProvider {
 
     /* Environment variable names used to fetch artifacts */
     private static final String OCI_RESOURCE_PRINCIPAL_VERSION =
@@ -164,6 +167,11 @@ public String getKeyId() {
         return "ST$" + tokenSupplier.getSecurityToken();
     }
 
+    @Override
+    public boolean isKeyValid(String keyId) {
+        return keyId.equals("ST$" + tokenSupplier.getCurrentToken());
+    }
+
     @Override
     public InputStream getPrivateKey() {
         return new ByteArrayInputStream(sessionKeySupplier.getPrivateKeyBytes());
@@ -179,6 +187,11 @@ public Region getRegion() {
         return region;
     }
 
+    @Override
+    public void setTokenExpirationRefreshWindow(long refreshWindowMS) {
+        tokenSupplier.setTokenExpirationRefreshWindow(refreshWindowMS);
+    }
+
     /**
      * @hidden
      * Internal only

driver/src/main/java/oracle/nosql/driver/iam/ResourcePrincipalTokenSupplier.java

@@ -22,19 +22,33 @@
  * @hidden
  * Internal use only
  * <p>
- * This interface to supply security token for resource principal
+ * The class to supply security token for resource principal
  */
-interface ResourcePrincipalTokenSupplier {
+abstract class ResourcePrincipalTokenSupplier {
+    /* Refresh window before token is expired */
+    protected long tokenExpirationRefreshWindow;
 
     /**
      * Return the security token of resource principal.
      */
-    String getSecurityToken();
+    abstract String getSecurityToken();
 
     /**
      * Return the specific claim in security token by given key.
      */
-    String getStringClaim(String key);
+    abstract String getStringClaim(String key);
+
+    /**
+     * Return current cached token.
+     */
+    abstract String getCurrentToken();
+
+    /**
+     * Set token expiration refresh window.
+     */
+    void setTokenExpirationRefreshWindow(long refreshWindowMS) {
+        this.tokenExpirationRefreshWindow = refreshWindowMS;
+    }
 
     /**
      * @hidden
@@ -45,7 +59,7 @@ interface ResourcePrincipalTokenSupplier {
      * <code>com.oracle.bmc.auth.internal.FileBasedResourcePrincipalFederationClient</code>
      */
     static class FileSecurityTokenSupplier
-        implements ResourcePrincipalTokenSupplier {
+        extends ResourcePrincipalTokenSupplier {
 
         private final SessionKeyPairSupplier sessionKeyPairSupplier;
         private final String sessionTokenPath;
@@ -57,7 +71,9 @@ static class FileSecurityTokenSupplier
                                   Logger logger) {
             this.sessionKeyPairSupplier = sessKeyPairSupplier;
             this.sessionTokenPath = sessionTokenPath;
-            this.securityToken = new SecurityToken(null, sessionKeyPairSupplier);
+            this.securityToken = new SecurityToken(null,
+                                                   tokenExpirationRefreshWindow,
+                                                   sessionKeyPairSupplier);
             this.logger = logger;
         }
 
@@ -75,6 +91,14 @@ public String getStringClaim(String key) {
             return securityToken.getStringClaim(key);
         }
 
+        @Override
+        public String getCurrentToken() {
+            if (securityToken.isValid(logger, false)) {
+                return securityToken.getSecurityToken();
+            }
+            return null;
+        }
+
         private String refreshAndGetSecurityToken() {
             synchronized (this) {
                 if (!securityToken.isValid(logger)) {
@@ -107,7 +131,9 @@ SecurityToken getSecurityTokenFromFile() {
                     "Unable to read session token from " + sessionTokenPath, e);
             }
 
-            return new SecurityToken(sessToken, sessionKeyPairSupplier);
+            return new SecurityToken(sessToken,
+                                     tokenExpirationRefreshWindow,
+                                     sessionKeyPairSupplier);
         }
     }
 
@@ -121,13 +147,14 @@ SecurityToken getSecurityTokenFromFile() {
      * <code>com.oracle.bmc.auth.internal.FixedContentResourcePrincipalFederationClient</code>
      */
     static class FixedSecurityTokenSupplier
-        implements ResourcePrincipalTokenSupplier {
+        extends ResourcePrincipalTokenSupplier {
 
         private final SecurityToken securityToken;
 
         FixedSecurityTokenSupplier(SessionKeyPairSupplier sessionKeySupplier,
                                    String sessionToken) {
             this.securityToken = new SecurityToken(sessionToken,
+                                                   tokenExpirationRefreshWindow,
                                                    sessionKeySupplier);
         }
 
@@ -140,5 +167,10 @@ public String getSecurityToken() {
         public String getStringClaim(String key) {
             return securityToken.getStringClaim(key);
         }
+
+        @Override
+        public String getCurrentToken() {
+            return securityToken.getSecurityToken();
+        }
     }
 }