Choose next potential scheme if signer not found

This commit fixes the generated auth scheme selection mechanism by
ensuring that auth scheme is able to provide a signer implementation
(i.e. does not throw an exception) before selecting the auth scheme.
This is useful in situations where the signer implementation relies on
components thay may not be available at runtime, such as the
AwsV4aAuthScheme, which relies on CRT which is an optional dependency.

Additional changes:
 - introduce crt-unavailable-tests which is a good candidate for testing
   behavior of components that use CRT when CRT is not present.
 - modify DefaultAwsV4aAuthScheme so that errors thrown during static
   initialization of the singleton holder for the Sigv4a signer are
   caught and thrown directly instead of resulting in
   ExceptionInInitializerError

Author: dagnir

.brazil.json

@@ -101,7 +101,8 @@
         "test-utils": { "skipImport": true },
         "tests-coverage-reporting": { "skipImport": true },
         "third-party": { "skipImport": true },
-        "third-party-slf4j-api": { "skipImport": true }
+        "third-party-slf4j-api": { "skipImport": true },
+        "crt-unavailable-tests": { "skipImport": true }
     },
 
     "dependencies": {

buildspecs/release-javadoc.yml

@@ -18,7 +18,7 @@ phases:
     commands:
     - python ./scripts/doc_crosslinks/generate_cross_link_data.py --apiDefinitionsBasePath ./services/ --apiDefinitionsRelativeFilePath src/main/resources/codegen-resources/service-2.json  --templateFilePath ./scripts/doc_crosslinks/crosslink_redirect.html --outputFilePath ./scripts/crosslink_redirect.html
     - mvn install -P quick -T1C
-    - mvn clean install javadoc:aggregate -B -Ppublic-javadoc -Dcheckstyle.skip -Dspotbugs.skip -DskipTests -Ddoclint=none -pl '!:protocol-tests,!:protocol-tests-core,!:codegen-generated-classes-test,!:sdk-benchmarks,!:s3-benchmarks,!:module-path-tests,!:test-utils,!:http-client-tests,!:tests-coverage-reporting,!:sdk-native-image-test,!:ruleset-testing-core,!:old-client-version-compatibility-test'
+    - mvn clean install javadoc:aggregate -B -Ppublic-javadoc -Dcheckstyle.skip -Dspotbugs.skip -DskipTests -Ddoclint=none -pl '!:protocol-tests,!:protocol-tests-core,!:codegen-generated-classes-test,!:sdk-benchmarks,!:s3-benchmarks,!:module-path-tests,!:test-utils,!:http-client-tests,!:tests-coverage-reporting,!:sdk-native-image-test,!:ruleset-testing-core,!:old-client-version-compatibility-test,!:crt-unavailable-tests'
     - RELEASE_VERSION=`mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec`
     -
     - aws s3 sync target/site/apidocs/ $DOC_PATH/$RELEASE_VERSION/ --acl="public-read"

buildspecs/release-to-maven.yml

@@ -34,7 +34,7 @@ phases:
             awk 'BEGIN { var=ENVIRON["SDK_SIGNING_GPG_KEYNAME"] } { gsub("\\$SDK_SIGNING_GPG_KEYNAME", var, $0); print }' > \
             $SETTINGS_XML
 
-          mvn clean deploy -B -s $SETTINGS_XML -Ppublishing -DperformRelease -Dspotbugs.skip -DskipTests -Dcheckstyle.skip -Djapicmp.skip -Ddoclint=none -pl !:protocol-tests,!:protocol-tests-core,!:codegen-generated-classes-test,!:sdk-benchmarks,!:module-path-tests,!:tests-coverage-reporting,!:stability-tests,!:sdk-native-image-test,!:auth-tests,!:s3-benchmarks,!:region-testing,!:old-client-version-compatibility-test -DautoReleaseAfterClose=true -DstagingProgressTimeoutMinutes=30 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 -Dmaven.wagon.http.retryHandler.requestSentEnabled=true
+          mvn clean deploy -B -s $SETTINGS_XML -Ppublishing -DperformRelease -Dspotbugs.skip -DskipTests -Dcheckstyle.skip -Djapicmp.skip -Ddoclint=none -pl !:protocol-tests,!:protocol-tests-core,!:codegen-generated-classes-test,!:sdk-benchmarks,!:module-path-tests,!:tests-coverage-reporting,!:stability-tests,!:sdk-native-image-test,!:auth-tests,!:s3-benchmarks,!:region-testing,!:old-client-version-compatibility-test,!:crt-unavailable-tests -DautoReleaseAfterClose=true -DstagingProgressTimeoutMinutes=30 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 -Dmaven.wagon.http.retryHandler.requestSentEnabled=true
         else
           echo "This version was already released."
         fi

codegen/src/main/java/software/amazon/awssdk/codegen/poet/auth/scheme/AuthSchemeInterceptorSpec.java

@@ -52,6 +52,7 @@
 import software.amazon.awssdk.endpoints.EndpointProvider;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthScheme;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeOption;
+import software.amazon.awssdk.http.auth.spi.signer.HttpSigner;
 import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
 import software.amazon.awssdk.identity.spi.Identity;
 import software.amazon.awssdk.identity.spi.IdentityProvider;
@@ -274,6 +275,22 @@ private MethodSpec generateTrySelectAuthScheme() {
                    .endControlFlow();
         }
 
+        builder.addStatement("$T signer",
+                             ParameterizedTypeName.get(ClassName.get(HttpSigner.class), TypeVariableName.get("T")));
+        builder.beginControlFlow("try");
+        {
+            builder.addStatement("signer = authScheme.signer()");
+            builder.endControlFlow();
+        }
+        builder.beginControlFlow("catch (RuntimeException e)");
+        {
+            builder.addStatement("discardedReasons.add(() -> String.format($S, authOption.schemeId(), e.getMessage()))",
+                                 "'%s' signer could not be retrieved: %s")
+                   .addStatement("return null")
+                   .endControlFlow();
+        }
+
+
         builder.addStatement("$T.Builder identityRequestBuilder = $T.builder()",
                              ResolveIdentityRequest.class,
                              ResolveIdentityRequest.class);
@@ -294,7 +311,7 @@ private MethodSpec generateTrySelectAuthScheme() {
                              MetricUtils.class)
                .endControlFlow();
 
-        builder.addStatement("return new $T<>(identity, authScheme.signer(), authOption)", SelectedAuthScheme.class);
+        builder.addStatement("return new $T<>(identity, signer, authOption)", SelectedAuthScheme.class);
         return builder.build();
     }
 

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/auth/scheme/query-auth-scheme-interceptor.java

@@ -22,6 +22,7 @@
 import software.amazon.awssdk.core.metrics.CoreMetric;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthScheme;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeOption;
+import software.amazon.awssdk.http.auth.spi.signer.HttpSigner;
 import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
 import software.amazon.awssdk.identity.spi.Identity;
 import software.amazon.awssdk.identity.spi.IdentityProvider;
@@ -100,6 +101,14 @@ private <T extends Identity> SelectedAuthScheme<T> trySelectAuthScheme(AuthSchem
                 .add(() -> String.format("'%s' does not have an identity provider configured.", authOption.schemeId()));
             return null;
         }
+        HttpSigner<T> signer;
+        try {
+            signer = authScheme.signer();
+        } catch (RuntimeException e) {
+            discardedReasons.add(() -> String.format("'%s' signer could not be retrieved: %s", authOption.schemeId(),
+                                                     e.getMessage()));
+            return null;
+        }
         ResolveIdentityRequest.Builder identityRequestBuilder = ResolveIdentityRequest.builder();
         authOption.forEachIdentityProperty(identityRequestBuilder::putProperty);
         CompletableFuture<? extends T> identity;
@@ -110,7 +119,7 @@ private <T extends Identity> SelectedAuthScheme<T> trySelectAuthScheme(AuthSchem
             identity = MetricUtils.reportDuration(() -> identityProvider.resolveIdentity(identityRequestBuilder.build()),
                                                   metricCollector, metric);
         }
-        return new SelectedAuthScheme<>(identity, authScheme.signer(), authOption);
+        return new SelectedAuthScheme<>(identity, signer, authOption);
     }
 
     private SdkMetric<Duration> getIdentityMetric(IdentityProvider<?> identityProvider) {

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/auth/scheme/query-endpoint-auth-params-with-allowlist-auth-scheme-interceptor.java

@@ -22,6 +22,7 @@
 import software.amazon.awssdk.endpoints.EndpointProvider;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthScheme;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeOption;
+import software.amazon.awssdk.http.auth.spi.signer.HttpSigner;
 import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
 import software.amazon.awssdk.identity.spi.Identity;
 import software.amazon.awssdk.identity.spi.IdentityProvider;
@@ -117,6 +118,14 @@ private <T extends Identity> SelectedAuthScheme<T> trySelectAuthScheme(AuthSchem
                 .add(() -> String.format("'%s' does not have an identity provider configured.", authOption.schemeId()));
             return null;
         }
+        HttpSigner<T> signer;
+        try {
+            signer = authScheme.signer();
+        } catch (RuntimeException e) {
+            discardedReasons.add(() -> String.format("'%s' signer could not be retrieved: %s", authOption.schemeId(),
+                                                     e.getMessage()));
+            return null;
+        }
         ResolveIdentityRequest.Builder identityRequestBuilder = ResolveIdentityRequest.builder();
         authOption.forEachIdentityProperty(identityRequestBuilder::putProperty);
         CompletableFuture<? extends T> identity;
@@ -127,7 +136,7 @@ private <T extends Identity> SelectedAuthScheme<T> trySelectAuthScheme(AuthSchem
             identity = MetricUtils.reportDuration(() -> identityProvider.resolveIdentity(identityRequestBuilder.build()),
                                                   metricCollector, metric);
         }
-        return new SelectedAuthScheme<>(identity, authScheme.signer(), authOption);
+        return new SelectedAuthScheme<>(identity, signer, authOption);
     }
 
     private SdkMetric<Duration> getIdentityMetric(IdentityProvider<?> identityProvider) {

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/auth/scheme/query-endpoint-auth-params-without-allowlist-auth-scheme-interceptor.java

@@ -22,6 +22,7 @@
 import software.amazon.awssdk.endpoints.EndpointProvider;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthScheme;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeOption;
+import software.amazon.awssdk.http.auth.spi.signer.HttpSigner;
 import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
 import software.amazon.awssdk.identity.spi.Identity;
 import software.amazon.awssdk.identity.spi.IdentityProvider;
@@ -120,6 +121,14 @@ private <T extends Identity> SelectedAuthScheme<T> trySelectAuthScheme(AuthSchem
                 .add(() -> String.format("'%s' does not have an identity provider configured.", authOption.schemeId()));
             return null;
         }
+        HttpSigner<T> signer;
+        try {
+            signer = authScheme.signer();
+        } catch (RuntimeException e) {
+            discardedReasons.add(() -> String.format("'%s' signer could not be retrieved: %s", authOption.schemeId(),
+                                                     e.getMessage()));
+            return null;
+        }
         ResolveIdentityRequest.Builder identityRequestBuilder = ResolveIdentityRequest.builder();
         authOption.forEachIdentityProperty(identityRequestBuilder::putProperty);
         CompletableFuture<? extends T> identity;
@@ -130,7 +139,7 @@ private <T extends Identity> SelectedAuthScheme<T> trySelectAuthScheme(AuthSchem
             identity = MetricUtils.reportDuration(() -> identityProvider.resolveIdentity(identityRequestBuilder.build()),
                                                   metricCollector, metric);
         }
-        return new SelectedAuthScheme<>(identity, authScheme.signer(), authOption);
+        return new SelectedAuthScheme<>(identity, signer, authOption);
     }
 
     private SdkMetric<Duration> getIdentityMetric(IdentityProvider<?> identityProvider) {

core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/scheme/DefaultAwsV4aAuthScheme.java

@@ -52,10 +52,27 @@ public IdentityProvider<AwsCredentialsIdentity> identityProvider(IdentityProvide
      */
     @Override
     public AwsV4aHttpSigner signer() {
+        if (SignerSingletonHolder.ERROR != null) {
+            throw SignerSingletonHolder.ERROR;
+        }
         return SignerSingletonHolder.INSTANCE;
     }
 
     private static class SignerSingletonHolder {
-        private static final AwsV4aHttpSigner INSTANCE = AwsV4aHttpSigner.create();
+        private static final AwsV4aHttpSigner INSTANCE;
+        private static final RuntimeException ERROR;
+
+        // Attempt to load the Sigv4a signer and cache the error if CRT is not available on the classpath.
+        static {
+            AwsV4aHttpSigner instance = null;
+            RuntimeException error = null;
+            try {
+                instance = AwsV4aHttpSigner.create();
+            } catch (RuntimeException e) {
+                error = e;
+            }
+            INSTANCE = instance;
+            ERROR = error;
+        }
     }
 }

pom.xml

@@ -88,6 +88,7 @@
         <module>test/ruleset-testing-core</module>
         <module>test/old-client-version-compatibility-test</module>
         <module>test/bundle-logging-bridge-binding-test</module>
+        <module>test/crt-unavailable-tests</module>
     </modules>
     <scm>
         <url>${scm.github.url}</url>

services/s3/src/main/resources/codegen-resources/endpoint-rule-set.json

@@ -1340,6 +1340,14 @@
                                                         "url": "https://{Bucket}.ec2.{url#authority}",
                                                         "properties": {
                                                             "authSchemes": [
+                                                                {
+                                                                    "disableDoubleEncoding": true,
+                                                                    "name": "sigv4a",
+                                                                    "signingName": "s3-outposts",
+                                                                    "signingRegionSet": [
+                                                                        "*"
+                                                                    ]
+                                                                },
                                                                 {
                                                                     "disableDoubleEncoding": true,
                                                                     "name": "sigv4",
@@ -1445,6 +1453,14 @@
                                                         "url": "https://{Bucket}.op-{outpostId}.{url#authority}",
                                                         "properties": {
                                                             "authSchemes": [
+                                                                {
+                                                                    "disableDoubleEncoding": true,
+                                                                    "name": "sigv4a",
+                                                                    "signingName": "s3-outposts",
+                                                                    "signingRegionSet": [
+                                                                        "*"
+                                                                    ]
+                                                                },
                                                                 {
                                                                     "disableDoubleEncoding": true,
                                                                     "name": "sigv4",
@@ -5512,6 +5528,14 @@
                                                                                                                                         "url": "https://{accessPointName}-{bucketArn#accountId}.{outpostId}.{url#authority}",
                                                                                                                                         "properties": {
                                                                                                                                             "authSchemes": [
+                                                                                                                                                {
+                                                                                                                                                    "disableDoubleEncoding": true,
+                                                                                                                                                    "name": "sigv4a",
+                                                                                                                                                    "signingName": "s3-outposts",
+                                                                                                                                                    "signingRegionSet": [
+                                                                                                                                                        "*"
+                                                                                                                                                    ]
+                                                                                                                                                },
                                                                                                                                                 {
                                                                                                                                                     "disableDoubleEncoding": true,
                                                                                                                                                     "name": "sigv4",