Add exception handling for TLS half-close in ApacheHTTPClient #5385 (#5398)

* Check if input is shut down before writing (#5257)

This commit adds a wrapper socket that ensures the read end of the socket is
still open before performing a {@code write()}. In TLS 1.3, it is permitted for
the connection to be in a half-closed state, which is dangerous for the Apache
client because it can get stuck in a state where it continues to write to the
socket and potentially end up a blocked state writing to the socket
indefinitely.

* Delegate write() methods directly to base

* Added test cases to test TLS half close

* feat: Add exception handling for TLS half-close in ApacheHTTPClient

Implemented a feature to handle TLS half-close scenarios by throwing an exception in the ApacheHTTPClient package. In TLS 1.3, the inbound and outbound close_notify alerts are independent. When the client receives a close_notify alert, it only closes the inbound stream but continues to send data to the server. Previously, the SDK could not detect that the connection was closed on the server side, causing it to get stuck while writing to the socket and eventually timing out. This feature ensures proper detection and handling of closed connections, improving overall reliability by preventing client hangs.

* Handled review comemnts

* Updated test case to consider Jdk 1.8 builds which donot support TLS1.3 half close

---------

Co-authored-by: Dongie Agnir <[email protected]>
Co-authored-by: Dongie Agnir <[email protected]>

Author: joviegas

.changes/next-release/bugfix-ApacheHTTPClient-a5c4ad8.json

@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "Apache HTTP Client",
+    "contributor": "",
+    "description": "Added fix to handle TLS half-close scenarios by throwing an exception. In TLS 1.3, the inbound and outbound close_notify alerts are independent. When the client receives a close_notify alert, it only closes the inbound stream but continues to send data to the server. Previously, the SDK could not detect that the connection was closed on the server side, causing it to get stuck while writing to the socket and eventually timing out. With this bug fix, the SDK will now detect the closed connection and throw an appropriate exception, preventing client hangs and improving overall reliability."
+}

http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/internal/conn/SdkTlsSocketFactory.java

@@ -26,6 +26,7 @@
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.protocol.HttpContext;
 import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.http.apache.internal.net.InputShutdownCheckingSslSocket;
 import software.amazon.awssdk.http.apache.internal.net.SdkSocket;
 import software.amazon.awssdk.http.apache.internal.net.SdkSslSocket;
 import software.amazon.awssdk.utils.Logger;
@@ -62,7 +63,7 @@ public Socket connectSocket(int connectTimeout,
         Socket connectedSocket = super.connectSocket(connectTimeout, socket, host, remoteAddress, localAddress, context);
 
         if (connectedSocket instanceof SSLSocket) {
-            return new SdkSslSocket((SSLSocket) connectedSocket);
+            return new InputShutdownCheckingSslSocket(new SdkSslSocket((SSLSocket) connectedSocket));
         }
 
         return new SdkSocket(connectedSocket);

http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/internal/net/InputShutdownCheckingSslSocket.java

@@ -0,0 +1,81 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.http.apache.internal.net;
+
+import java.io.FilterOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import javax.net.ssl.SSLSocket;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+
+/**
+ * Wrapper socket that ensures the read end of the socket is still open before performing a {@code write()}. In TLS 1.3, it is
+ * permitted for the connection to be in a half-closed state, which is dangerous for the Apache client because it can get stuck in
+ * a state where it continues to write to the socket and potentially end up a blocked state writing to the socket indefinitely.
+ */
+@SdkInternalApi
+public final class InputShutdownCheckingSslSocket extends DelegateSslSocket {
+
+    public InputShutdownCheckingSslSocket(SSLSocket sock) {
+        super(sock);
+    }
+
+    @Override
+    public OutputStream getOutputStream() throws IOException {
+        return new InputShutdownCheckingOutputStream(sock.getOutputStream(), sock);
+    }
+
+    private static class InputShutdownCheckingOutputStream extends FilterOutputStream {
+        private final SSLSocket sock;
+
+        InputShutdownCheckingOutputStream(OutputStream out, SSLSocket sock) {
+            super(out);
+            this.sock = sock;
+        }
+
+        @Override
+        public void write(int b) throws IOException {
+            checkInputShutdown();
+            out.write(b);
+        }
+
+        @Override
+        public void write(byte[] b) throws IOException {
+            checkInputShutdown();
+            out.write(b);
+        }
+
+        @Override
+        public void write(byte[] b, int off, int len) throws IOException {
+            checkInputShutdown();
+            out.write(b, off, len);
+        }
+
+        private void checkInputShutdown() throws IOException {
+            if (sock.isInputShutdown()) {
+                throw new IOException("Remote end is closed.");
+            }
+
+            try {
+                sock.getInputStream();
+            } catch (IOException inputStreamException) {
+                IOException e = new IOException("Remote end is closed.");
+                e.addSuppressed(inputStreamException);
+                throw e;
+            }
+        }
+    }
+}

http-clients/apache-client/src/test/java/software/amazon/awssdk/http/apache/ApacheClientTlsHalfCloseTest.java

@@ -0,0 +1,145 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.http.apache;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.EnabledIf;
+import software.amazon.awssdk.http.ContentStreamProvider;
+import software.amazon.awssdk.http.FileStoreTlsKeyManagersProvider;
+import software.amazon.awssdk.http.HttpExecuteRequest;
+import software.amazon.awssdk.http.HttpExecuteResponse;
+import software.amazon.awssdk.http.SdkHttpClient;
+import software.amazon.awssdk.http.SdkHttpFullRequest;
+import software.amazon.awssdk.http.SdkHttpMethod;
+import software.amazon.awssdk.http.SdkHttpRequest;
+import software.amazon.awssdk.http.TlsKeyManagersProvider;
+import software.amazon.awssdk.http.server.MockServer;
+
+public class ApacheClientTlsHalfCloseTest extends ClientTlsAuthTestBase {
+
+    private static TlsKeyManagersProvider tlsKeyManagersProvider;
+    private static MockServer mockServer;
+    private SdkHttpClient httpClient;
+
+    private static final int TWO_MB = 2 * 1024 * 1024;
+    private static final byte[] CONTENT = new byte[TWO_MB];
+
+    @Test
+    @EnabledIf("halfCloseSupported")
+    public void errorWhenServerHalfClosesSocketWhileStreamIsOpened() {
+
+        mockServer = MockServer.createMockServer(MockServer.ServerBehavior.HALF_CLOSE);
+        mockServer.startServer(tlsKeyManagersProvider);
+
+        httpClient = ApacheHttpClient.builder()
+                                     .tlsKeyManagersProvider(tlsKeyManagersProvider)
+                                     .build();
+        IOException exception = assertThrows(IOException.class, () -> {
+            executeHttpRequest(httpClient);
+        });
+        assertEquals("Remote end is closed.", exception.getMessage());
+    }
+
+
+    @Test
+    public void errorWhenServerFullClosesSocketWhileStreamIsOpened() throws IOException {
+        mockServer = MockServer.createMockServer(MockServer.ServerBehavior.FULL_CLOSE_IN_BETWEEN);
+        mockServer.startServer(tlsKeyManagersProvider);
+
+        httpClient = ApacheHttpClient.builder()
+                                     .tlsKeyManagersProvider(tlsKeyManagersProvider)
+                                     .build();
+
+        IOException exception = assertThrows(IOException.class, () -> {
+            executeHttpRequest(httpClient);
+        });
+
+        if(halfCloseSupported()){
+            assertEquals("Remote end is closed.", exception.getMessage());
+
+        }else {
+            assertEquals("Socket is closed", exception.getMessage());
+
+        }
+    }
+
+    @Test
+    public void successfulRequestForFullCloseSocketAtTheEnd() throws IOException {
+        mockServer = MockServer.createMockServer(MockServer.ServerBehavior.FULL_CLOSE_AT_THE_END);
+        mockServer.startServer(tlsKeyManagersProvider);
+
+        httpClient = ApacheHttpClient.builder()
+                                     .tlsKeyManagersProvider(tlsKeyManagersProvider)
+                                     .build();
+
+        HttpExecuteResponse response = executeHttpRequest(httpClient);
+
+        assertThat(response.httpResponse().isSuccessful()).isTrue();
+    }
+
+    @AfterEach
+    void tearDown() {
+        if (mockServer != null) {
+            mockServer.stopServer();
+        }
+    }
+
+    @BeforeAll
+    public static void setUp() throws IOException {
+        ClientTlsAuthTestBase.setUp();
+        System.setProperty("javax.net.ssl.trustStore", serverKeyStore.toAbsolutePath().toString());
+        System.setProperty("javax.net.ssl.trustStorePassword", STORE_PASSWORD);
+        System.setProperty("javax.net.ssl.trustStoreType", "jks");
+        tlsKeyManagersProvider = FileStoreTlsKeyManagersProvider.create(clientKeyStore, CLIENT_STORE_TYPE, STORE_PASSWORD);
+    }
+
+    @AfterAll
+    public static void clear() throws IOException {
+        System.clearProperty("javax.net.ssl.trustStore");
+        System.clearProperty("javax.net.ssl.trustStorePassword");
+        System.clearProperty("javax.net.ssl.trustStoreType");
+        ClientTlsAuthTestBase.teardown();
+
+    }
+
+    private static HttpExecuteResponse executeHttpRequest(SdkHttpClient client) throws IOException {
+        ContentStreamProvider contentStreamProvider = () -> new ByteArrayInputStream(CONTENT);
+        SdkHttpRequest httpRequest = SdkHttpFullRequest.builder()
+                                                       .method(SdkHttpMethod.PUT)
+                                                       .protocol("https")
+                                                       .host("localhost:" + mockServer.getPort())
+                                                       .build();
+        HttpExecuteRequest request = HttpExecuteRequest.builder()
+                                                       .request(httpRequest)
+                                                       .contentStreamProvider(contentStreamProvider)
+                                                       .build();
+
+        return client.prepareRequest(request).call();
+    }
+
+    public static boolean halfCloseSupported(){
+        return MockServer.isTlsHalfCloseSupported();
+    }
+}

http-clients/apache-client/src/test/java/software/amazon/awssdk/http/apache/internal/conn/InputShutdownCheckingSslSocketTest.java

@@ -0,0 +1,101 @@
+package software.amazon.awssdk.http.apache.internal.conn;
+
+import org.junit.jupiter.api.Test;
+import javax.net.ssl.SSLSocket;
+import java.io.IOException;
+import java.io.OutputStream;
+import software.amazon.awssdk.http.apache.internal.net.InputShutdownCheckingSslSocket;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+public class InputShutdownCheckingSslSocketTest {
+
+    @Test
+    public void outputStreamChecksInputShutdown() throws IOException {
+        SSLSocket mockSocket = mock(SSLSocket.class);
+        when(mockSocket.isInputShutdown()).thenReturn(true);
+        InputShutdownCheckingSslSocket socket = new InputShutdownCheckingSslSocket(mockSocket);
+        OutputStream os = socket.getOutputStream();
+        assertThrows(IOException.class, () -> os.write(1));
+    }
+
+    @Test
+    public void outputStreamWritesNormallyWhenInputNotShutdown() throws IOException {
+        SSLSocket mockSocket = mock(SSLSocket.class);
+        OutputStream mockOutputStream = mock(OutputStream.class);
+        when(mockSocket.isInputShutdown()).thenReturn(false);
+        when(mockSocket.getOutputStream()).thenReturn(mockOutputStream);
+        InputShutdownCheckingSslSocket socket = new InputShutdownCheckingSslSocket(mockSocket);
+        OutputStream os = socket.getOutputStream();
+        os.write(1);
+        verify(mockOutputStream).write(1);
+    }
+
+    @Test
+    public void writeByteArrayThrowsIOExceptionWhenInputIsShutdown() throws IOException {
+        SSLSocket mockSocket = mock(SSLSocket.class);
+        when(mockSocket.isInputShutdown()).thenReturn(true);
+        InputShutdownCheckingSslSocket socket = new InputShutdownCheckingSslSocket(mockSocket);
+        OutputStream os = socket.getOutputStream();
+        assertThrows(IOException.class, () -> os.write(new byte[10]));
+    }
+
+    @Test
+    public void writeByteArraySucceedsWhenInputNotShutdown() throws IOException {
+        SSLSocket mockSocket = mock(SSLSocket.class);
+        OutputStream mockOutputStream = mock(OutputStream.class);
+        when(mockSocket.isInputShutdown()).thenReturn(false);
+        when(mockSocket.getOutputStream()).thenReturn(mockOutputStream);
+
+        InputShutdownCheckingSslSocket socket = new InputShutdownCheckingSslSocket(mockSocket);
+        OutputStream os = socket.getOutputStream();
+
+        byte[] data = new byte[10];
+        os.write(data);
+        verify(mockOutputStream).write(data);
+    }
+
+    @Test
+    public void writeByteArrayWithOffsetThrowsIOExceptionWhenInputIsShutdown() throws IOException {
+        SSLSocket mockSocket = mock(SSLSocket.class);
+        when(mockSocket.isInputShutdown()).thenReturn(true);
+
+        InputShutdownCheckingSslSocket socket = new InputShutdownCheckingSslSocket(mockSocket);
+        OutputStream os = socket.getOutputStream();
+
+        assertThrows(IOException.class, () -> os.write(new byte[10], 0, 10));
+    }
+
+    @Test
+    public void writeByteArrayWithOffsetSucceedsWhenInputNotShutdown() throws IOException {
+        SSLSocket mockSocket = mock(SSLSocket.class);
+        OutputStream mockOutputStream = mock(OutputStream.class);
+        when(mockSocket.isInputShutdown()).thenReturn(false);
+        when(mockSocket.getOutputStream()).thenReturn(mockOutputStream);
+
+        InputShutdownCheckingSslSocket socket = new InputShutdownCheckingSslSocket(mockSocket);
+        OutputStream os = socket.getOutputStream();
+
+        byte[] data = new byte[10];
+        os.write(data, 0, 10);
+        verify(mockOutputStream).write(data, 0, 10);
+    }
+
+    @Test
+    public void checkInputShutdownThrowsIOExceptionWithSuppressed() throws IOException {
+        SSLSocket mockSocket = mock(SSLSocket.class);
+        when(mockSocket.isInputShutdown()).thenReturn(false);
+        when(mockSocket.getInputStream()).thenThrow(new IOException("InputStream exception"));
+
+        InputShutdownCheckingSslSocket socket = new InputShutdownCheckingSslSocket(mockSocket);
+        OutputStream os = socket.getOutputStream();
+
+        IOException thrown = assertThrows(IOException.class, () -> os.write(1));
+        assertTrue(thrown.getMessage().contains("Remote end is closed."));
+        assertTrue(thrown.getSuppressed()[0].getMessage().contains("InputStream exception"));
+    }
+}