Set the signing clock property (#4341)

* Set the signing clock property

* Rename HttpSignerCommon to ClockSignerProperty

* Rename HttpSignerCommon to SharedSignerProperty

* Improve the javadoc

* Move the signing clock property into the HttpSigner interface

* Address PR comments

Author: sugmanue

core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/AwsV4HttpSigner.java

@@ -15,7 +15,6 @@
 
 package software.amazon.awssdk.http.auth.aws;
 
-import java.time.Clock;
 import java.time.Duration;
 import software.amazon.awssdk.annotations.SdkPublicApi;
 import software.amazon.awssdk.http.auth.aws.internal.signer.DefaultAwsV4HttpSigner;
@@ -43,12 +42,6 @@ public interface AwsV4HttpSigner extends HttpSigner<AwsCredentialsIdentity> {
     SignerProperty<String> SERVICE_SIGNING_NAME =
         SignerProperty.create(String.class, "ServiceSigningName");
 
-    /**
-     * A {@link Clock} to be used at the time of signing. This property defaults to the time at which signing occurs.
-     */
-    SignerProperty<Clock> SIGNING_CLOCK =
-        SignerProperty.create(Clock.class, "SigningClock");
-
     /**
      * A boolean to indicate whether to double url-encode the resource path when constructing the canonical request. This property
      * defaults to true.

core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/AwsV4aHttpSigner.java

@@ -15,7 +15,6 @@
 
 package software.amazon.awssdk.http.auth.aws;
 
-import java.time.Clock;
 import java.time.Duration;
 import software.amazon.awssdk.annotations.SdkPublicApi;
 import software.amazon.awssdk.http.auth.aws.internal.signer.SignerLoader;
@@ -45,12 +44,6 @@ public interface AwsV4aHttpSigner extends HttpSigner<AwsCredentialsIdentity> {
     SignerProperty<String> SERVICE_SIGNING_NAME =
         SignerProperty.create(String.class, "ServiceSigningName");
 
-    /**
-     * A {@link Clock} to be used at the time of signing. This property defaults to the time at which signing occurs.
-     */
-    SignerProperty<Clock> SIGNING_CLOCK =
-        SignerProperty.create(Clock.class, "SigningClock");
-
     /**
      * A boolean to indicate whether to double url-encode the resource path when constructing the canonical request. This property
      * defaults to true.

core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/TestUtils.java

@@ -2,7 +2,7 @@
 
 import static software.amazon.awssdk.http.auth.aws.AwsV4HttpSigner.REGION_NAME;
 import static software.amazon.awssdk.http.auth.aws.AwsV4HttpSigner.SERVICE_SIGNING_NAME;
-import static software.amazon.awssdk.http.auth.aws.AwsV4HttpSigner.SIGNING_CLOCK;
+import static software.amazon.awssdk.http.auth.spi.HttpSigner.SIGNING_CLOCK;
 
 import java.io.ByteArrayInputStream;
 import java.net.URI;

core/http-auth-spi/src/main/java/software/amazon/awssdk/http/auth/spi/HttpSigner.java

@@ -15,6 +15,7 @@
 
 package software.amazon.awssdk.http.auth.spi;
 
+import java.time.Clock;
 import java.util.concurrent.CompletableFuture;
 import java.util.function.Consumer;
 import software.amazon.awssdk.annotations.SdkPublicApi;
@@ -31,6 +32,13 @@
 @SdkPublicApi
 public interface HttpSigner<IdentityT extends Identity> {
 
+    /**
+     * A {@link Clock} to be used to derive the signing time. This property defaults to the system clock.
+     *
+     * <p>Note, signing time may not be relevant to some signers.
+     */
+    SignerProperty<Clock> SIGNING_CLOCK = SignerProperty.create(Clock.class, "SigningClock");
+
     /**
      * Method that takes in inputs to sign a request with sync payload and returns a signed version of the request.
      *

core/sdk-core/src/main/java/software/amazon/awssdk/core/internal/http/pipeline/stages/AsyncSigningStage.java

@@ -16,6 +16,7 @@
 package software.amazon.awssdk.core.internal.http.pipeline.stages;
 
 import java.nio.ByteBuffer;
+import java.time.Clock;
 import java.time.Duration;
 import java.util.Optional;
 import java.util.concurrent.CompletableFuture;
@@ -100,6 +101,7 @@ private <T extends Identity> CompletableFuture<SdkHttpFullRequest> doSraSign(Sdk
         if (context.requestProvider() == null) {
             SyncSignRequest.Builder<T> signRequestBuilder = SyncSignRequest
                 .builder(identity)
+                .putProperty(HttpSigner.SIGNING_CLOCK, signingClock())
                 .request(request)
                 .payload(request.contentStreamProvider().orElse(null));
             authSchemeOption.forEachSignerProperty(signRequestBuilder::putProperty);
@@ -110,6 +112,7 @@ private <T extends Identity> CompletableFuture<SdkHttpFullRequest> doSraSign(Sdk
 
         AsyncSignRequest.Builder<T> signRequestBuilder = AsyncSignRequest
             .builder(identity)
+            .putProperty(HttpSigner.SIGNING_CLOCK, signingClock())
             .request(request)
             .payload(context.requestProvider());
         authSchemeOption.forEachSignerProperty(signRequestBuilder::putProperty);
@@ -226,6 +229,14 @@ private boolean shouldDoSraSigning(RequestExecutionContext context) {
                && context.executionAttributes().getAttribute(SdkInternalExecutionAttribute.SELECTED_AUTH_SCHEME) != null;
     }
 
+    /**
+     * Returns the {@link Clock} used for signing that already accounts for clock skew when detected by the retryable stage.
+     */
+    private Clock signingClock() {
+        int offsetInSeconds = dependencies.timeOffset();
+        return Clock.offset(Clock.systemUTC(), Duration.ofSeconds(-offsetInSeconds));
+    }
+
     /**
      * Always use the client level timeOffset.
      */

core/sdk-core/src/main/java/software/amazon/awssdk/core/internal/http/pipeline/stages/SigningStage.java

@@ -15,6 +15,7 @@
 
 package software.amazon.awssdk.core.internal.http.pipeline.stages;
 
+import java.time.Clock;
 import java.time.Duration;
 import java.util.concurrent.CompletableFuture;
 import software.amazon.awssdk.annotations.SdkInternalApi;
@@ -95,6 +96,7 @@ private <T extends Identity> SdkHttpFullRequest doSraSign(SdkHttpFullRequest req
                                                               T identity) {
         SyncSignRequest.Builder<T> signRequestBuilder = SyncSignRequest
             .builder(identity)
+            .putProperty(HttpSigner.SIGNING_CLOCK, signingClock())
             .request(request)
             .payload(request.contentStreamProvider().orElse(null));
         AuthSchemeOption authSchemeOption = selectedAuthScheme.authSchemeOption();
@@ -185,6 +187,14 @@ private boolean shouldDoSraSigning(RequestExecutionContext context) {
                && context.executionAttributes().getAttribute(SdkInternalExecutionAttribute.SELECTED_AUTH_SCHEME) != null;
     }
 
+    /**
+     * Returns the {@link Clock} used for signing that already accounts for clock skew when detected by the retryable stage.
+     */
+    private Clock signingClock() {
+        int offsetInSeconds = dependencies.timeOffset();
+        return Clock.offset(Clock.systemUTC(), Duration.ofSeconds(-offsetInSeconds));
+    }
+
     /**
      * Always use the client level timeOffset.
      */

core/sdk-core/src/test/java/software/amazon/awssdk/core/internal/http/pipeline/stages/AsyncSigningStageTest.java

@@ -16,6 +16,7 @@
 package software.amazon.awssdk.core.internal.http.pipeline.stages;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.within;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
@@ -28,6 +29,8 @@
 import static software.amazon.awssdk.core.metrics.CoreMetric.SIGNING_DURATION;
 
 import java.nio.ByteBuffer;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import java.util.concurrent.CompletableFuture;
 import org.junit.Before;
 import org.junit.Test;
@@ -67,7 +70,7 @@
 
 @RunWith(MockitoJUnitRunner.class)
 public class AsyncSigningStageTest {
-
+    private static final int TEST_TIME_OFFSET = 17;
     private static final SignerProperty<String> SIGNER_PROPERTY = SignerProperty.create(String.class, "key");
 
     @Mock
@@ -134,6 +137,59 @@ public void execute_selectedAuthScheme_doesSraSign() throws Exception {
         assertThat(signRequest.request()).isSameAs(request);
         assertThat(signRequest.property(SIGNER_PROPERTY)).isEqualTo("value");
 
+        // Assert that the time offset set was zero
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK)).isNotNull();
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK).instant())
+            .isCloseTo(Instant.now(), within(10, ChronoUnit.MILLIS));
+
+        // assert that metrics are collected
+        verify(metricCollector).reportMetric(eq(SIGNING_DURATION), any());
+
+        verifyNoInteractions(oldSigner);
+    }
+
+
+    @Test
+    public void execute_selectedAuthSchemeAndTimeOffsetSet_doesSraSignAndAdjustTheSigningClock() throws Exception {
+        // Set up a scheme with a signer property
+        SelectedAuthScheme<Identity> selectedAuthScheme = new SelectedAuthScheme<>(
+            CompletableFuture.completedFuture(identity),
+            signer,
+            AuthSchemeOption.builder()
+                            .schemeId("my.auth#myAuth")
+                            .putSignerProperty(SIGNER_PROPERTY, "value")
+                            .build());
+        RequestExecutionContext context = createContext(selectedAuthScheme);
+
+        // Setup the timeoffset to test that the clock is setup properly.
+        httpClientDependencies.updateTimeOffset(TEST_TIME_OFFSET);
+
+        SdkHttpRequest signedRequest = ValidSdkObjects.sdkHttpFullRequest().build();
+        when(signer.sign(Mockito.<SyncSignRequest<? extends Identity>>any()))
+            .thenReturn(SyncSignedRequest.builder()
+                                         .request(signedRequest)
+                                         .build());
+
+        SdkHttpFullRequest request = ValidSdkObjects.sdkHttpFullRequest().build();
+        SdkHttpFullRequest result = stage.execute(request, context).join();
+
+        assertThat(result).isSameAs(signedRequest);
+        // assert that interceptor context is updated with result
+        assertThat(context.executionContext().interceptorContext().httpRequest()).isSameAs(result);
+
+        // assert that the input to the signer is as expected, including that signer properties are set
+        verify(signer).sign(syncSignRequestCaptor.capture());
+        SyncSignRequest<? extends Identity> signRequest = syncSignRequestCaptor.getValue();
+        assertThat(signRequest.identity()).isSameAs(identity);
+        assertThat(signRequest.request()).isSameAs(request);
+        assertThat(signRequest.property(SIGNER_PROPERTY)).isEqualTo("value");
+
+        // Assert that the signing clock is setup properly
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK)).isNotNull();
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK).instant())
+            .isCloseTo(Instant.now().minusSeconds(17)
+                , within(10, ChronoUnit.MILLIS));
+
         // assert that metrics are collected
         verify(metricCollector).reportMetric(eq(SIGNING_DURATION), any());
 
@@ -177,8 +233,13 @@ public void execute_selectedAuthScheme_asyncRequestBody_doesSraSignAsync() throw
         AsyncSignRequest<? extends Identity> signRequest = asyncSignRequestCaptor.getValue();
         assertThat(signRequest.identity()).isSameAs(identity);
         assertThat(signRequest.request()).isSameAs(request);
-        assertThat(signRequest.property(SIGNER_PROPERTY)).isEqualTo("value");
         assertThat(signRequest.payload().get()).isSameAs(asyncPayload);
+        assertThat(signRequest.property(SIGNER_PROPERTY)).isEqualTo("value");
+
+        // Assert that the time offset set was zero
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK)).isNotNull();
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK).instant())
+            .isCloseTo(Instant.now(), within(10, ChronoUnit.MILLIS));
 
         // assert that metrics are collected
         verify(metricCollector).reportMetric(eq(SIGNING_DURATION), any());
@@ -225,6 +286,11 @@ public void execute_selectedNoAuthAuthScheme_doesSraSignAsync() throws Exception
         assertThat(signRequest.property(SIGNER_PROPERTY)).isEqualTo("value");
         assertThat(signRequest.payload().get()).isSameAs(asyncPayload);
 
+        // Assert that the time offset set was zero
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK)).isNotNull();
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK).instant())
+            .isCloseTo(Instant.now(), within(10, ChronoUnit.MILLIS));
+
         // assert that metrics are collected
         verify(metricCollector).reportMetric(eq(SIGNING_DURATION), any());
 

core/sdk-core/src/test/java/software/amazon/awssdk/core/internal/http/pipeline/stages/SigningStageTest.java

@@ -16,6 +16,7 @@
 package software.amazon.awssdk.core.internal.http.pipeline.stages;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.within;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.verify;
@@ -26,6 +27,8 @@
 import static software.amazon.awssdk.core.interceptor.SdkInternalExecutionAttribute.SELECTED_AUTH_SCHEME;
 import static software.amazon.awssdk.core.metrics.CoreMetric.SIGNING_DURATION;
 
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import java.util.concurrent.CompletableFuture;
 import org.junit.Before;
 import org.junit.Test;
@@ -60,6 +63,7 @@
 @RunWith(MockitoJUnitRunner.class)
 public class SigningStageTest {
 
+    private static final int TEST_TIME_OFFSET = 17;
     private static final SignerProperty<String> SIGNER_PROPERTY = SignerProperty.create(String.class, "key");
 
     @Mock
@@ -122,6 +126,56 @@ public void execute_selectedAuthScheme_doesSraSign() throws Exception {
         assertThat(signRequest.identity()).isSameAs(identity);
         assertThat(signRequest.request()).isSameAs(request);
         assertThat(signRequest.property(SIGNER_PROPERTY)).isEqualTo("value");
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK)).isNotNull();
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK).instant())
+            .isCloseTo(Instant.now(), within(10, ChronoUnit.MILLIS));
+
+        // assert that metrics are collected
+        verify(metricCollector).reportMetric(eq(SIGNING_DURATION), any());
+
+        verifyNoInteractions(oldSigner);
+    }
+
+    @Test
+    public void execute_selectedAuthSchemeAndTimeOffsetSet_doesSraSignAndAdjustTheSigningClock() throws Exception {
+        // Set up a scheme with a signer property
+        SelectedAuthScheme<Identity> selectedAuthScheme = new SelectedAuthScheme<>(
+            CompletableFuture.completedFuture(identity),
+            signer,
+            AuthSchemeOption.builder()
+                            .schemeId("my.auth#myAuth")
+                            .putSignerProperty(SIGNER_PROPERTY, "value")
+                            .build());
+        RequestExecutionContext context = createContext(selectedAuthScheme);
+
+        // Setup the timeoffset to test that the clock is setup properly.
+        httpClientDependencies.updateTimeOffset(TEST_TIME_OFFSET);
+
+        SdkHttpRequest signedRequest = ValidSdkObjects.sdkHttpFullRequest().build();
+        when(signer.sign(Mockito.<SyncSignRequest<? extends Identity>>any()))
+            .thenReturn(SyncSignedRequest.builder()
+                                         .request(signedRequest)
+                                         .build());
+
+        SdkHttpFullRequest request = ValidSdkObjects.sdkHttpFullRequest().build();
+        SdkHttpFullRequest result = stage.execute(request, context);
+
+        assertThat(result).isSameAs(signedRequest);
+        // Assert that interceptor context is updated with result
+        assertThat(context.executionContext().interceptorContext().httpRequest()).isSameAs(result);
+
+        // Assert that the input to the signer is as expected, including that signer properties are set
+        verify(signer).sign(signRequestCaptor.capture());
+        SyncSignRequest<? extends Identity> signRequest = signRequestCaptor.getValue();
+        assertThat(signRequest.identity()).isSameAs(identity);
+        assertThat(signRequest.request()).isSameAs(request);
+        assertThat(signRequest.property(SIGNER_PROPERTY)).isEqualTo("value");
+
+        // Assert that the signing clock is setup properly
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK)).isNotNull();
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK).instant())
+            .isCloseTo(Instant.now().minusSeconds(17)
+                , within(10, ChronoUnit.MILLIS));
 
         // assert that metrics are collected
         verify(metricCollector).reportMetric(eq(SIGNING_DURATION), any());
@@ -160,6 +214,11 @@ public void execute_selectedNoAuthAuthScheme_doesSraSign() throws Exception {
         assertThat(signRequest.request()).isSameAs(request);
         assertThat(signRequest.property(SIGNER_PROPERTY)).isNull();
 
+        // Assert that the time offset set was zero
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK)).isNotNull();
+        assertThat(signRequest.property(HttpSigner.SIGNING_CLOCK).instant())
+            .isCloseTo(Instant.now(), within(10, ChronoUnit.MILLIS));
+
         // assert that metrics are collected
         verify(metricCollector).reportMetric(eq(SIGNING_DURATION), any());