aws: Add singleflight support to SafeCredentialsProvider (#503)

skmcgrail · web-flow · commit dbdbb8204134 · 2020-03-17T13:15:51.000-07:00
diff --git a/CHANGELOG_PENDING.md b/CHANGELOG_PENDING.md
@@ -31,6 +31,8 @@ SDK Features
 
 SDK Enhancements
 ---
+* `aws`: Add grouping of concurrent refresh of credentials ([#503](https://github.com/aws/aws-sdk-go-v2/pull/503)
+  * Concurrent calls to `Retrieve` are now grouped in order to prevent numerous synchronous calls to refresh the credentials. Replacing the mutex with a singleflight reduces the overall amount of time request signatures need to wait while retrieving credentials. This is improvement becomes pronounced when many requests are made concurrently.
 * `service/s3/s3manager`: Improve memory allocation behavior by replacing sync.Pool with custom pool implementation
   * Improves memory allocations that occur when the provided `io.Reader` to upload does not satisfy both the `io.ReaderAt` and `io.ReadSeeker` interfaces.
 
diff --git a/Makefile b/Makefile
@@ -7,6 +7,7 @@ LINTIGNOREINFLECTS3UPLOAD='service/s3/s3manager/upload\.go:.+struct field SSEKMS
 LINTIGNOREDEPS='vendor/.+\.go'
 LINTIGNOREPKGCOMMENT='service/[^/]+/doc_custom.go:.+package comment should be of the form'
 LINTIGNOREENDPOINTS='aws/endpoints/defaults.go:.+(method|const) .+ should be '
+LINTIGNORESINGLEFIGHT='internal/sync/singleflight/singleflight.go:.+error should be the last type'
 UNIT_TEST_TAGS="example codegen awsinclude"
 ALL_TAGS="example codegen awsinclude integration perftest sdktool"
 
@@ -145,7 +146,16 @@ verify: lint vet sdkv1check
 lint:
 	@echo "go lint SDK and vendor packages"
 	@lint=`golint ./...`; \
-	dolint=`echo "$$lint" | grep -E -v -e ${LINTIGNOREDOC} -e ${LINTIGNORECONST} -e ${LINTIGNORESTUTTER} -e ${LINTIGNOREINFLECT} -e ${LINTIGNOREDEPS} -e ${LINTIGNOREINFLECTS3UPLOAD} -e ${LINTIGNOREPKGCOMMENT} -e ${LINTIGNOREENDPOINTS}`; \
+	dolint=`echo "$$lint" | grep -E -v \
+	-e ${LINTIGNOREDOC} \
+	-e ${LINTIGNORECONST} \
+	-e ${LINTIGNORESTUTTER} \
+	-e ${LINTIGNOREINFLECT} \
+	-e ${LINTIGNOREDEPS} \
+	-e ${LINTIGNOREINFLECTS3UPLOAD} \
+	-e ${LINTIGNOREPKGCOMMENT} \
+	-e ${LINTIGNOREENDPOINTS} \
+	-e ${LINTIGNORESINGLEFIGHT}`; \
 	echo "$$dolint"; \
 	if [ "$$dolint" != "" ]; then exit 1; fi
 
diff --git a/aws/chain_provider.go b/aws/chain_provider.go
@@ -61,10 +61,10 @@ func NewChainProvider(providers []CredentialsProvider) *ChainProvider {
 //
 // If a provider is found it will be cached and any calls to IsExpired()
 // will return the expired state of the cached provider.
-func (c *ChainProvider) retrieveFn(ctx context.Context) (Credentials, error) {
+func (c *ChainProvider) retrieveFn() (Credentials, error) {
 	var errs []error
 	for _, p := range c.Providers {
-		creds, err := p.Retrieve(ctx)
+		creds, err := p.Retrieve(context.Background())
 		if err == nil {
 			return creds, nil
 		}
diff --git a/aws/credentials.go b/aws/credentials.go
@@ -3,11 +3,12 @@ package aws
 import (
 	"context"
 	"math"
-	"sync"
 	"sync/atomic"
 	"time"
 
+	"github.com/aws/aws-sdk-go-v2/aws/awserr"
 	"github.com/aws/aws-sdk-go-v2/internal/sdk"
+	"github.com/aws/aws-sdk-go-v2/internal/sync/singleflight"
 )
 
 // NeverExpire is the time identifier used when a credential provider's
@@ -83,10 +84,10 @@ type CredentialsProvider interface {
 // SafeCredentialsProvider provides caching and concurrency safe credentials
 // retrieval via the RetrieveFn.
 type SafeCredentialsProvider struct {
-	RetrieveFn func(ctx context.Context) (Credentials, error)
+	RetrieveFn func() (Credentials, error)
 
 	creds atomic.Value
-	m     sync.Mutex
+	sf    singleflight.Group
 }
 
 // Retrieve returns the credentials. If the credentials have already been
@@ -99,21 +100,27 @@ func (p *SafeCredentialsProvider) Retrieve(ctx context.Context) (Credentials, er
 		return *creds, nil
 	}
 
-	p.m.Lock()
-	defer p.m.Unlock()
+	resCh := p.sf.DoChan("", p.singleRetrieve)
+	select {
+	case res := <-resCh:
+		return res.Val.(Credentials), res.Err
+	case <-ctx.Done():
+		return Credentials{}, awserr.New("RequestCanceled",
+			"request context canceled", ctx.Err())
+	}
+}
 
-	// Make sure another goroutine didn't already update the credentials.
+func (p *SafeCredentialsProvider) singleRetrieve() (interface{}, error) {
 	if creds := p.getCreds(); creds != nil {
 		return *creds, nil
 	}
 
-	creds, err := p.RetrieveFn(ctx)
-	if err != nil {
-		return Credentials{}, err
+	creds, err := p.RetrieveFn()
+	if err == nil {
+		p.creds.Store(&creds)
 	}
-	p.creds.Store(&creds)
 
-	return creds, nil
+	return creds, err
 }
 
 func (p *SafeCredentialsProvider) getCreds() *Credentials {
diff --git a/aws/credentials_bench_test.go b/aws/credentials_bench_test.go
@@ -10,7 +10,7 @@ import (
 )
 
 func BenchmarkSafeCredentialsProvider_Retrieve(b *testing.B) {
-	retrieveFn := func(ctx context.Context) (Credentials, error) {
+	retrieveFn := func() (Credentials, error) {
 		return Credentials{
 			AccessKeyID:     "key",
 			SecretAccessKey: "secret",
@@ -45,7 +45,7 @@ func BenchmarkSafeCredentialsProvider_Retrieve(b *testing.B) {
 }
 
 func BenchmarkSafeCredentialsProvider_Retrieve_Invalidate(b *testing.B) {
-	retrieveFn := func(ctx context.Context) (Credentials, error) {
+	retrieveFn := func() (Credentials, error) {
 		time.Sleep(time.Millisecond)
 		return Credentials{
 			AccessKeyID:     "key",
diff --git a/aws/credentials_test.go b/aws/credentials_test.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"math/rand"
 	"sync"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -42,7 +43,7 @@ func TestSafeCredentialsProvider_Cache(t *testing.T) {
 
 	var called bool
 	p := &SafeCredentialsProvider{
-		RetrieveFn: func(ctx context.Context) (Credentials, error) {
+		RetrieveFn: func() (Credentials, error) {
 			if called {
 				t.Fatalf("expect RetrieveFn to only be called once")
 			}
@@ -108,7 +109,7 @@ func TestSafeCredentialsProvider_Expires(t *testing.T) {
 	for _, c := range cases {
 		var called int
 		p := &SafeCredentialsProvider{
-			RetrieveFn: func(ctx context.Context) (Credentials, error) {
+			RetrieveFn: func() (Credentials, error) {
 				called++
 				return c.Creds(), nil
 			},
@@ -132,7 +133,7 @@ func TestSafeCredentialsProvider_Expires(t *testing.T) {
 
 func TestSafeCredentialsProvider_Error(t *testing.T) {
 	p := &SafeCredentialsProvider{
-		RetrieveFn: func(ctx context.Context) (Credentials, error) {
+		RetrieveFn: func() (Credentials, error) {
 			return Credentials{}, fmt.Errorf("failed")
 		},
 	}
@@ -156,7 +157,7 @@ func TestSafeCredentialsProvider_Race(t *testing.T) {
 	}
 	var called bool
 	p := &SafeCredentialsProvider{
-		RetrieveFn: func(ctx context.Context) (Credentials, error) {
+		RetrieveFn: func() (Credentials, error) {
 			time.Sleep(time.Duration(rand.Intn(10)) * time.Millisecond)
 			if called {
 				t.Fatalf("expect RetrieveFn only called once")
@@ -186,3 +187,41 @@ func TestSafeCredentialsProvider_Race(t *testing.T) {
 
 	wg.Wait()
 }
+
+type stubSafeProviderConcurrent struct {
+	SafeCredentialsProvider
+	called uint32
+	done   chan struct{}
+}
+
+func TestSafeProviderRetrieveConcurrent(t *testing.T) {
+	stub := &stubSafeProviderConcurrent{
+		done: make(chan struct{}),
+	}
+
+	stub.RetrieveFn = func() (Credentials, error) {
+		atomic.AddUint32(&stub.called, 1)
+		<-stub.done
+		return Credentials{
+			AccessKeyID:     "AKIAIOSFODNN7EXAMPLE",
+			SecretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+		}, nil
+	}
+
+	done := make(chan struct{})
+	for i := 0; i < 2; i++ {
+		go func() {
+			stub.Retrieve(context.Background())
+			done <- struct{}{}
+		}()
+	}
+
+	// Validates that a single call to Retrieve is shared between two calls to Get
+	stub.done <- struct{}{}
+	<-done
+	<-done
+
+	if e, a := uint32(1), atomic.LoadUint32(&stub.called); e != a {
+		t.Errorf("expected %v, got %v", e, a)
+	}
+}
diff --git a/aws/ec2rolecreds/provider.go b/aws/ec2rolecreds/provider.go
@@ -68,8 +68,8 @@ func New(client *ec2metadata.Client, options ...func(*ProviderOptions)) *Provide
 // Retrieve retrieves credentials from the EC2 service.
 // Error will be returned if the request fails, or unable to extract
 // the desired credentials.
-func (p *Provider) retrieveFn(ctx context.Context) (aws.Credentials, error) {
-	credsList, err := requestCredList(ctx, p.client)
+func (p *Provider) retrieveFn() (aws.Credentials, error) {
+	credsList, err := requestCredList(context.Background(), p.client)
 	if err != nil {
 		return aws.Credentials{}, err
 	}
@@ -80,7 +80,7 @@ func (p *Provider) retrieveFn(ctx context.Context) (aws.Credentials, error) {
 	}
 	credsName := credsList[0]
 
-	roleCreds, err := requestCred(ctx, p.client, credsName)
+	roleCreds, err := requestCred(context.Background(), p.client, credsName)
 	if err != nil {
 		return aws.Credentials{}, err
 	}
diff --git a/aws/endpointcreds/provider.go b/aws/endpointcreds/provider.go
@@ -30,7 +30,6 @@
 package endpointcreds
 
 import (
-	"context"
 	"encoding/json"
 	"time"
 
@@ -99,8 +98,8 @@ func New(cfg aws.Config, options ...func(*ProviderOptions)) *Provider {
 
 // Retrieve will attempt to request the credentials from the endpoint the Provider
 // was configured for. And error will be returned if the retrieval fails.
-func (p *Provider) retrieveFn(ctx context.Context) (aws.Credentials, error) {
-	resp, err := p.getCredentials(ctx)
+func (p *Provider) retrieveFn() (aws.Credentials, error) {
+	resp, err := p.getCredentials()
 	if err != nil {
 		return aws.Credentials{},
 			awserr.New("CredentialsEndpointError", "failed to load credentials", err)
@@ -133,15 +132,14 @@ type errorOutput struct {
 	Message string `json:"message"`
 }
 
-func (p *Provider) getCredentials(ctx context.Context) (*getCredentialsOutput, error) {
+func (p *Provider) getCredentials() (*getCredentialsOutput, error) {
 	op := &aws.Operation{
 		Name:       "GetCredentials",
 		HTTPMethod: "GET",
 	}
 
 	out := &getCredentialsOutput{}
 	req := p.client.NewRequest(op, nil, out)
-	req.SetContext(ctx)
 	req.HTTPRequest.Header.Set("Accept", "application/json")
 	if authToken := p.options.AuthorizationToken; len(authToken) != 0 {
 		req.HTTPRequest.Header.Set("Authorization", authToken)
diff --git a/aws/processcreds/provider.go b/aws/processcreds/provider.go
@@ -200,8 +200,8 @@ type credentialProcessResponse struct {
 }
 
 // retrieveFn executes the 'credential_process' and returns the credentials.
-func (p *Provider) retrieveFn(ctx context.Context) (aws.Credentials, error) {
-	out, err := p.executeCredentialProcess(ctx)
+func (p *Provider) retrieveFn() (aws.Credentials, error) {
+	out, err := p.executeCredentialProcess()
 	if err != nil {
 		return aws.Credentials{Source: ProviderName}, err
 	}
@@ -253,7 +253,7 @@ func (p *Provider) retrieveFn(ctx context.Context) (aws.Credentials, error) {
 }
 
 // prepareCommand prepares the command to be executed.
-func (p *Provider) prepareCommand(ctx context.Context) (context.Context, context.CancelFunc, error) {
+func (p *Provider) prepareCommand() (context.Context, context.CancelFunc, error) {
 
 	var cmdArgs []string
 	if runtime.GOOS == "windows" {
@@ -278,7 +278,7 @@ func (p *Provider) prepareCommand(ctx context.Context) (context.Context, context
 		}
 	}
 
-	timeoutCtx, cancelFunc := context.WithTimeout(ctx, p.options.Timeout)
+	timeoutCtx, cancelFunc := context.WithTimeout(context.Background(), p.options.Timeout)
 
 	cmdArgs = append(cmdArgs, p.originalCommand...)
 	p.command = exec.CommandContext(timeoutCtx, cmdArgs[0], cmdArgs[1:]...)
@@ -289,8 +289,8 @@ func (p *Provider) prepareCommand(ctx context.Context) (context.Context, context
 
 // executeCredentialProcess starts the credential process on the OS and
 // returns the results or an error.
-func (p *Provider) executeCredentialProcess(ctx context.Context) ([]byte, error) {
-	ctx, cancelFunc, err := p.prepareCommand(ctx)
+func (p *Provider) executeCredentialProcess() ([]byte, error) {
+	ctx, cancelFunc, err := p.prepareCommand()
 	if err != nil {
 		return nil, err
 	}
diff --git a/aws/stscreds/provider.go b/aws/stscreds/provider.go
@@ -211,7 +211,7 @@ func NewAssumeRoleProvider(client AssumeRoler, roleARN string, options ...func(*
 }
 
 // Retrieve generates a new set of temporary credentials using STS.
-func (p *AssumeRoleProvider) retrieveFn(ctx context.Context) (aws.Credentials, error) {
+func (p *AssumeRoleProvider) retrieveFn() (aws.Credentials, error) {
 	// Apply defaults where parameters are not set.
 	if len(p.options.RoleSessionName) == 0 {
 		// Try to work out a role name that will hopefully end up unique.
@@ -246,7 +246,7 @@ func (p *AssumeRoleProvider) retrieveFn(ctx context.Context) (aws.Credentials, e
 	}
 
 	req := p.client.AssumeRoleRequest(input)
-	resp, err := req.Send(ctx)
+	resp, err := req.Send(context.Background())
 	if err != nil {
 		return aws.Credentials{Source: ProviderName}, err
 	}
diff --git a/aws/stscreds/web_identity_provider.go b/aws/stscreds/web_identity_provider.go
@@ -83,7 +83,7 @@ func NewWebIdentityRoleProvider(svc stsiface.ClientAPI, roleARN, roleSessionName
 // retrieve will attempt to assume a role from a token which is located at
 // 'WebIdentityTokenFilePath' specified destination and if that is empty an
 // error will be returned.
-func (p *WebIdentityRoleProvider) retrieveFn(ctx context.Context) (aws.Credentials, error) {
+func (p *WebIdentityRoleProvider) retrieveFn() (aws.Credentials, error) {
 	b, err := p.tokenRetriever.GetIdentityToken()
 	if err != nil {
 		return aws.Credentials{}, awserr.New(ErrCodeWebIdentity, "failed to retrieve jwt from provide source", err)
@@ -104,7 +104,7 @@ func (p *WebIdentityRoleProvider) retrieveFn(ctx context.Context) (aws.Credentia
 	// InvalidIdentityToken error is a temporary error that can occur
 	// when assuming an Role with a JWT web identity token.
 	req.Retryer = retry.AddWithErrorCodes(req.Retryer, sts.ErrCodeInvalidIdentityTokenException)
-	resp, err := req.Send(ctx)
+	resp, err := req.Send(context.Background())
 	if err != nil {
 		return aws.Credentials{}, awserr.New(ErrCodeWebIdentity, "failed to retrieve credentials", err)
 	}
diff --git a/internal/sync/singleflight/LICENSE b/internal/sync/singleflight/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/internal/sync/singleflight/singleflight.go b/internal/sync/singleflight/singleflight.go
diff --git a/internal/sync/singleflight/singleflight_test.go b/internal/sync/singleflight/singleflight_test.go

Original file line number	Diff line number	Diff line change
`@@ -68,8 +68,8 @@ func New(client ec2metadata.Client, options ...func(ProviderOptions)) *Provide`
`68`	`68`	`// Retrieve retrieves credentials from the EC2 service.`
`69`	`69`	`// Error will be returned if the request fails, or unable to extract`
`70`	`70`	`// the desired credentials.`
`71`		`-func (p *Provider) retrieveFn(ctx context.Context) (aws.Credentials, error) {`
`72`		`- credsList, err := requestCredList(ctx, p.client)`
	`71`	`+func (p *Provider) retrieveFn() (aws.Credentials, error) {`
	`72`	`+ credsList, err := requestCredList(context.Background(), p.client)`
`73`	`73`	`if err != nil {`
`74`	`74`	`return aws.Credentials{}, err`
`75`	`75`	`}`
`@@ -80,7 +80,7 @@ func (p *Provider) retrieveFn(ctx context.Context) (aws.Credentials, error) {`
`80`	`80`	`}`
`81`	`81`	`credsName := credsList[0]`
`82`	`82`
`83`		`- roleCreds, err := requestCred(ctx, p.client, credsName)`
	`83`	`+ roleCreds, err := requestCred(context.Background(), p.client, credsName)`
`84`	`84`	`if err != nil {`
`85`	`85`	`return aws.Credentials{}, err`
`86`	`86`	`}`
Original file line number	Diff line number	Diff line change
`@@ -200,8 +200,8 @@ type credentialProcessResponse struct {`
`200`	`200`	`}`
`201`	`201`
`202`	`202`	`// retrieveFn executes the 'credential_process' and returns the credentials.`
`203`		`-func (p *Provider) retrieveFn(ctx context.Context) (aws.Credentials, error) {`
`204`		`- out, err := p.executeCredentialProcess(ctx)`
	`203`	`+func (p *Provider) retrieveFn() (aws.Credentials, error) {`
	`204`	`+ out, err := p.executeCredentialProcess()`
`205`	`205`	`if err != nil {`
`206`	`206`	`return aws.Credentials{Source: ProviderName}, err`
`207`	`207`	`}`
`@@ -253,7 +253,7 @@ func (p *Provider) retrieveFn(ctx context.Context) (aws.Credentials, error) {`
`253`	`253`	`}`
`254`	`254`
`255`	`255`	`// prepareCommand prepares the command to be executed.`
`256`		`-func (p *Provider) prepareCommand(ctx context.Context) (context.Context, context.CancelFunc, error) {`
	`256`	`+func (p *Provider) prepareCommand() (context.Context, context.CancelFunc, error) {`
`257`	`257`
`258`	`258`	`var cmdArgs []string`
`259`	`259`	`if runtime.GOOS == "windows" {`
`@@ -278,7 +278,7 @@ func (p *Provider) prepareCommand(ctx context.Context) (context.Context, context`
`278`	`278`	`}`
`279`	`279`	`}`
`280`	`280`
`281`		`- timeoutCtx, cancelFunc := context.WithTimeout(ctx, p.options.Timeout)`
	`281`	`+ timeoutCtx, cancelFunc := context.WithTimeout(context.Background(), p.options.Timeout)`
`282`	`282`
`283`	`283`	`cmdArgs = append(cmdArgs, p.originalCommand...)`
`284`	`284`	`p.command = exec.CommandContext(timeoutCtx, cmdArgs[0], cmdArgs[1:]...)`
`@@ -289,8 +289,8 @@ func (p *Provider) prepareCommand(ctx context.Context) (context.Context, context`
`289`	`289`
`290`	`290`	`// executeCredentialProcess starts the credential process on the OS and`
`291`	`291`	`// returns the results or an error.`
`292`		`-func (p *Provider) executeCredentialProcess(ctx context.Context) ([]byte, error) {`
`293`		`- ctx, cancelFunc, err := p.prepareCommand(ctx)`
	`292`	`+func (p *Provider) executeCredentialProcess() ([]byte, error) {`
	`293`	`+ ctx, cancelFunc, err := p.prepareCommand()`
`294`	`294`	`if err != nil {`
`295`	`295`	`return nil, err`
`296`	`296`	`}`
Original file line number	Diff line number	Diff line change
`@@ -211,7 +211,7 @@ func NewAssumeRoleProvider(client AssumeRoler, roleARN string, options ...func(*`
`211`	`211`	`}`
`212`	`212`
`213`	`213`	`// Retrieve generates a new set of temporary credentials using STS.`
`214`		`-func (p *AssumeRoleProvider) retrieveFn(ctx context.Context) (aws.Credentials, error) {`
	`214`	`+func (p *AssumeRoleProvider) retrieveFn() (aws.Credentials, error) {`
`215`	`215`	`// Apply defaults where parameters are not set.`
`216`	`216`	`if len(p.options.RoleSessionName) == 0 {`
`217`	`217`	`// Try to work out a role name that will hopefully end up unique.`
`@@ -246,7 +246,7 @@ func (p *AssumeRoleProvider) retrieveFn(ctx context.Context) (aws.Credentials, e`
`246`	`246`	`}`
`247`	`247`
`248`	`248`	`req := p.client.AssumeRoleRequest(input)`
`249`		`- resp, err := req.Send(ctx)`
	`249`	`+ resp, err := req.Send(context.Background())`
`250`	`250`	`if err != nil {`
`251`	`251`	`return aws.Credentials{Source: ProviderName}, err`
`252`	`252`	`}`