fix: wait for security service while configuring the http client mutual auth (#1697)

Author: saranyailla

src/main/java/com/aws/greengrass/componentmanager/ClientConfigurationUtils.java

@@ -97,16 +97,12 @@ public static String getGreengrassServiceEndpoint(DeviceConfiguration deviceConf
      *
      * @param deviceConfiguration {@link DeviceConfiguration}
      * @return configured http client
+     * @throws TLSAuthException if there is an issue configuring the http client
      */
-    public static ApacheHttpClient.Builder getConfiguredClientBuilder(DeviceConfiguration deviceConfiguration) {
+    public static ApacheHttpClient.Builder getConfiguredClientBuilder(DeviceConfiguration deviceConfiguration)
+            throws TLSAuthException {
         ApacheHttpClient.Builder httpClient = ProxyUtils.getSdkHttpClientBuilder();
-
-        try {
-            configureClientMutualTLS(httpClient, deviceConfiguration);
-        } catch (TLSAuthException e) {
-            logger.atWarn("configure-greengrass-mutual-auth")
-                    .log("Error during configure greengrass client mutual auth", e);
-        }
+        configureClientMutualTLS(httpClient, deviceConfiguration);
         return httpClient;
     }
 

src/main/java/com/aws/greengrass/deployment/DeploymentDocumentDownloader.java

@@ -25,6 +25,7 @@
 import com.aws.greengrass.util.RetryUtils;
 import com.aws.greengrass.util.SerializerFactory;
 import com.aws.greengrass.util.Utils;
+import com.aws.greengrass.util.exceptions.TLSAuthException;
 import lombok.AccessLevel;
 import lombok.Getter;
 import lombok.Setter;
@@ -222,6 +223,9 @@ private GetDeploymentConfigurationResponse getDeploymentConfiguration(String dep
         } catch (SdkClientException e) {
             throw new RetryableDeploymentDocumentDownloadException(
                     "Failed to contact Greengrass cloud or unable to parse response", e);
+        }  catch (TLSAuthException e) {
+            throw new RetryableClientErrorException(
+                    "Failed to contact Greengrass cloud or unable to parse response", e);
         }
         return deploymentConfiguration;
     }

src/main/java/com/aws/greengrass/iot/IotCloudHelper.java

@@ -11,6 +11,7 @@
 import com.aws.greengrass.util.BaseRetryableAccessor;
 import com.aws.greengrass.util.CrashableSupplier;
 import com.aws.greengrass.util.Utils;
+import com.aws.greengrass.util.exceptions.TLSAuthException;
 import lombok.NoArgsConstructor;
 import software.amazon.awssdk.http.AbortableInputStream;
 import software.amazon.awssdk.http.ExecutableHttpRequest;
@@ -47,10 +48,11 @@ public class IotCloudHelper {
      * @param body        Http body for the request
      * @return Http response corresponding to http request for path
      * @throws AWSIotException when unable to send the request successfully
+     * @throws TLSAuthException when unable to configure the client with mTLS
      */
     public IotCloudResponse sendHttpRequest(final IotConnectionManager connManager, String thingName, final String path,
                                             final String verb, final byte[] body)
-                                            throws AWSIotException {
+                                            throws AWSIotException, TLSAuthException {
         URI uri = null;
         try {
             uri = connManager.getURI();

src/main/java/com/aws/greengrass/iot/IotConnectionManager.java

@@ -13,6 +13,7 @@
 import com.aws.greengrass.util.LockFactory;
 import com.aws.greengrass.util.LockScope;
 import com.aws.greengrass.util.Utils;
+import com.aws.greengrass.util.exceptions.TLSAuthException;
 import software.amazon.awssdk.http.SdkHttpClient;
 
 import java.io.Closeable;
@@ -55,9 +56,9 @@ public URI getURI() throws DeviceConfigurationException {
 
     /**
      * Initializes and returns the SdkHttpClient.
-     *
+     * @throws TLSAuthException when unable to initialize the SdkHttpClient
      */
-    public SdkHttpClient getClient() {
+    public SdkHttpClient getClient() throws TLSAuthException {
         try (LockScope ls = LockScope.lock(lock)) {
             if (this.client == null) {
                 this.client = initConnectionManager();
@@ -81,7 +82,7 @@ private void reconfigureOnConfigChange() {
         });
     }
 
-    private SdkHttpClient initConnectionManager() {
+    private SdkHttpClient initConnectionManager() throws TLSAuthException {
         return ClientConfigurationUtils.getConfiguredClientBuilder(deviceConfiguration).build();
     }
 

src/main/java/com/aws/greengrass/security/SecurityService.java

@@ -48,11 +48,11 @@ public final class SecurityService {
     private static final String KEY_TYPE = "keyType";
     private static final String KEY_URI = "keyUri";
     private static final String CERT_URI = "certificateUri";
-
     // retry 3 times with exponential backoff, start with 200ms,
     // if service still not available, pop exception to the caller
     private static final RetryUtils.RetryConfig GET_KEY_MANAGERS_RETRY_CONFIG = RetryUtils.RetryConfig.builder()
-            .initialRetryInterval(Duration.ofMillis(200)).maxAttempt(3)
+            .initialRetryInterval(Duration.ofSeconds(5)).maxAttempt(Integer.MAX_VALUE)
+            .maxRetryInterval(Duration.ofSeconds(30))
             .retryableExceptions(Collections.singletonList(ServiceUnavailableException.class)).build();
 
     // retry 4 times with exponential backoff, start with 300ms,

src/main/java/com/aws/greengrass/tes/CredentialRequestHandler.java

@@ -21,6 +21,7 @@
 import com.aws.greengrass.util.DefaultConcurrentHashMap;
 import com.aws.greengrass.util.LockFactory;
 import com.aws.greengrass.util.LockScope;
+import com.aws.greengrass.util.exceptions.TLSAuthException;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.JsonNode;
@@ -312,7 +313,7 @@ private byte[] getCredentialsBypassCache() {
 
             tesCache.get(iotCredentialsPath).expiry = newExpiry;
             tesCache.get(iotCredentialsPath).credentials = response;
-        } catch (AWSIotException e) {
+        } catch (AWSIotException | TLSAuthException e) {
             // Http connection error should expire immediately
             String responseString = "Failed to get connection";
             response = responseString.getBytes(StandardCharsets.UTF_8);

src/main/java/com/aws/greengrass/util/GreengrassServiceClientFactory.java

@@ -12,6 +12,7 @@
 import com.aws.greengrass.deployment.exceptions.DeviceConfigurationException;
 import com.aws.greengrass.logging.api.Logger;
 import com.aws.greengrass.logging.impl.LogManager;
+import com.aws.greengrass.util.exceptions.TLSAuthException;
 import lombok.AccessLevel;
 import lombok.Getter;
 import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
@@ -138,9 +139,10 @@ public String getConfigValidationError() {
      * Initializes and returns GreengrassV2DataClient.
      * Note that this method can return null if there is a config validation error.
      * @deprecated use fetchGreengrassV2DataClient instead.
+     * @throws TLSAuthException if the client is not configured properly.
      */
     @Deprecated
-    public GreengrassV2DataClient getGreengrassV2DataClient() {
+    public GreengrassV2DataClient getGreengrassV2DataClient() throws TLSAuthException {
         try (LockScope ls = LockScope.lock(lock)) {
             if (getConfigValidationError() != null) {
                 logger.atWarn()
@@ -158,8 +160,9 @@ public GreengrassV2DataClient getGreengrassV2DataClient() {
     /**
      * Initializes and returns GreengrassV2DataClient.
      * @throws DeviceConfigurationException when fails to validate configs.
+     * @throws TLSAuthException when fails to configure the client
      */
-    public GreengrassV2DataClient fetchGreengrassV2DataClient() throws DeviceConfigurationException {
+    public GreengrassV2DataClient fetchGreengrassV2DataClient() throws DeviceConfigurationException, TLSAuthException {
         try (LockScope ls = LockScope.lock(lock)) {
             if (getConfigValidationError() != null) {
                 logger.atWarn()
@@ -176,14 +179,14 @@ public GreengrassV2DataClient fetchGreengrassV2DataClient() throws DeviceConfigu
     }
 
     // Caching a http client since it only needs to be recreated if the cert/keys change
-    private void configureHttpClient(DeviceConfiguration deviceConfiguration) {
+    private void configureHttpClient(DeviceConfiguration deviceConfiguration) throws TLSAuthException {
         logger.atDebug().log("Configuring http client for greengrass v2 data client");
         ApacheHttpClient.Builder httpClientBuilder =
                 ClientConfigurationUtils.getConfiguredClientBuilder(deviceConfiguration);
         cachedHttpClient = httpClientBuilder.build();
     }
 
-    private void configureClient(DeviceConfiguration deviceConfiguration) {
+    private void configureClient(DeviceConfiguration deviceConfiguration) throws TLSAuthException {
         if (cachedHttpClient == null) {
             configureHttpClient(deviceConfiguration);
         }

src/test/java/com/aws/greengrass/componentmanager/ComponentServiceHelperTest.java

@@ -124,7 +124,7 @@ void GIVEN_component_version_requirements_WHEN_resolve_component_version_THEN_se
 
     @Test
     void GIVEN_component_version_requirements_WHEN_service_no_resource_found_THEN_throw_no_available_version_exception()
-            throws DeviceConfigurationException {
+            throws Exception {
         String expMessage = "Component A has no usable version satisfying requirements B";
         when(clientFactory.fetchGreengrassV2DataClient()).thenReturn(client);
         when(client.resolveComponentCandidates(any(ResolveComponentCandidatesRequest.class)))
@@ -142,7 +142,7 @@ void GIVEN_component_version_requirements_WHEN_service_no_resource_found_THEN_th
 
     @Test
     void GIVEN_component_version_requirements_WHEN_service_incompatible_platform_claim_THEN_throw_incompatible_platform_claim_exception()
-            throws DeviceConfigurationException {
+            throws Exception {
         String expMessage = "The latest version of Component A doesn't claim platform B compatibility";
         when(clientFactory.fetchGreengrassV2DataClient()).thenReturn(client);
         when(client.resolveComponentCandidates(any(ResolveComponentCandidatesRequest.class)))

src/test/java/com/aws/greengrass/componentmanager/builtins/GreengrassRepositoryDownloaderTest.java

@@ -14,7 +14,6 @@
 import com.aws.greengrass.config.Topic;
 import com.aws.greengrass.dependency.Context;
 import com.aws.greengrass.deployment.DeviceConfiguration;
-import com.aws.greengrass.deployment.exceptions.DeviceConfigurationException;
 import com.aws.greengrass.deployment.exceptions.RetryableServerErrorException;
 import com.aws.greengrass.testcommons.testutilities.GGExtension;
 import com.aws.greengrass.util.GreengrassServiceClientFactory;
@@ -87,7 +86,7 @@ class GreengrassRepositoryDownloaderTest {
     Context context;
 
     @BeforeEach
-    void beforeEach() throws DeviceConfigurationException {
+    void beforeEach() throws Exception {
         lenient().when(clientFactory.fetchGreengrassV2DataClient()).thenReturn(client);
     }
 

src/test/java/com/aws/greengrass/deployment/DeploymentDocumentDownloaderTest.java

@@ -10,7 +10,6 @@
 import com.aws.greengrass.dependency.Context;
 import com.aws.greengrass.deployment.converter.DeploymentDocumentConverter;
 import com.aws.greengrass.deployment.exceptions.DeploymentTaskFailureException;
-import com.aws.greengrass.deployment.exceptions.DeviceConfigurationException;
 import com.aws.greengrass.deployment.exceptions.RetryableClientErrorException;
 import com.aws.greengrass.deployment.exceptions.RetryableDeploymentDocumentDownloadException;
 import com.aws.greengrass.deployment.exceptions.RetryableServerErrorException;
@@ -98,7 +97,7 @@ class DeploymentDocumentDownloaderTest {
     private DeploymentDocumentDownloader downloader;
 
     @BeforeEach
-    void beforeEach() throws DeviceConfigurationException {
+    void beforeEach() throws Exception {
         when(greengrassServiceClientFactory.fetchGreengrassV2DataClient()).thenReturn(greengrassV2DataClient);
         lenient().when(deviceConfiguration.isDeviceConfiguredToTalkToCloud()).thenReturn(true);
         when(deviceConfiguration.getThingName()).thenReturn(thingNameTopic);