feat: add thing registry (#103)

Adds ThingRegistry that registers thing <-> certId association and returns locally registered results when cloud is unreachable.

Co-authored-by: Vaibhav Murkute <murkutv@amazon.com>

Author: vaibhavmurkute

src/main/java/com/aws/greengrass/clientdevices/auth/api/ClientDevicesAuthServiceApi.java

@@ -11,7 +11,7 @@
 import com.aws.greengrass.clientdevices.auth.exception.AuthenticationException;
 import com.aws.greengrass.clientdevices.auth.exception.AuthorizationException;
 import com.aws.greengrass.clientdevices.auth.exception.CertificateGenerationException;
-import com.aws.greengrass.clientdevices.auth.iot.CertificateRegistry;
+import com.aws.greengrass.clientdevices.auth.iot.registry.CertificateRegistry;
 import com.aws.greengrass.clientdevices.auth.session.SessionManager;
 
 import java.util.Map;

src/main/java/com/aws/greengrass/clientdevices/auth/iot/CertificateRegistry.java renamed to src/main/java/com/aws/greengrass/clientdevices/auth/iot/registry/CertificateRegistry.java

@@ -3,8 +3,9 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package com.aws.greengrass.clientdevices.auth.iot;
+package com.aws.greengrass.clientdevices.auth.iot.registry;
 
+import com.aws.greengrass.clientdevices.auth.iot.IotAuthClient;
 import com.aws.greengrass.logging.api.Logger;
 import com.aws.greengrass.logging.impl.LogManager;
 import com.aws.greengrass.util.Digest;
@@ -20,14 +21,13 @@
 
 public class CertificateRegistry {
     private static final Logger logger = LogManager.getLogger(CertificateRegistry.class);
-    public static final int REGISTRY_CACHE_SIZE = 50;
     // holds mapping of certificateHash (SHA-256 hash of certificatePem) to IoT Certificate Id;
     // size-bound by default cache size, evicts oldest written entry if the max size is reached
     private static final Map<String, String> certificateHashToIdMap = Collections.synchronizedMap(
-            new LinkedHashMap<String, String>(REGISTRY_CACHE_SIZE, 0.75f, false) {
+            new LinkedHashMap<String, String>(RegistryConfig.REGISTRY_CACHE_SIZE, 0.75f, false) {
                 @Override
                 protected boolean removeEldestEntry(Map.Entry eldest) {
-                    return size() > REGISTRY_CACHE_SIZE;
+                    return size() > RegistryConfig.REGISTRY_CACHE_SIZE;
                 }
             });
 

src/main/java/com/aws/greengrass/clientdevices/auth/iot/registry/RegistryConfig.java

@@ -0,0 +1,10 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package com.aws.greengrass.clientdevices.auth.iot.registry;
+
+public class RegistryConfig {
+    public static final int REGISTRY_CACHE_SIZE = 50;
+}

src/main/java/com/aws/greengrass/clientdevices/auth/iot/registry/ThingRegistry.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package com.aws.greengrass.clientdevices.auth.iot.registry;
+
+import com.aws.greengrass.clientdevices.auth.exception.CloudServiceInteractionException;
+import com.aws.greengrass.clientdevices.auth.iot.Certificate;
+import com.aws.greengrass.clientdevices.auth.iot.IotAuthClient;
+import com.aws.greengrass.clientdevices.auth.iot.Thing;
+
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Optional;
+import javax.inject.Inject;
+
+public class ThingRegistry {
+    // holds mapping of thingName to IoT Certificate ID;
+    // size-bound by default cache size, evicts oldest written entry if the max size is reached
+    static final Map<String, String> registry = Collections.synchronizedMap(
+            new LinkedHashMap<String, String>(RegistryConfig.REGISTRY_CACHE_SIZE, 0.75f, false) {
+                @Override
+                protected boolean removeEldestEntry(Map.Entry eldest) {
+                    return size() > RegistryConfig.REGISTRY_CACHE_SIZE;
+                }
+            });
+
+    private final IotAuthClient iotAuthClient;
+
+    @Inject
+    public ThingRegistry(IotAuthClient iotAuthClient) {
+        this.iotAuthClient = iotAuthClient;
+    }
+
+    /**
+     * Returns whether the Thing is associated to the given IoT Certificate.
+     * Returns locally registered result when IoT Core cannot be reached.
+     * TODO: add a separate refreshable caching layer for offline auth
+     *
+     * @param thing IoT Thing
+     * @param certificate IoT Certificate
+     * @return whether thing is attached to the certificate
+     */
+    public boolean isThingAttachedToCertificate(Thing thing, Certificate certificate) {
+        try {
+            if (iotAuthClient.isThingAttachedToCertificate(thing, certificate)) {
+                registerCertificateForThing(thing, certificate);
+                return true;
+            } else {
+                clearRegistryForThing(thing);
+            }
+        } catch (CloudServiceInteractionException e) {
+            return isCertificateRegisteredForThing(thing, certificate);
+        }
+        return false;
+    }
+
+    private void registerCertificateForThing(Thing thing, Certificate certificate) {
+        registry.put(thing.getThingName(), certificate.getIotCertificateId());
+    }
+
+    private void clearRegistryForThing(Thing thing) {
+        registry.remove(thing.getThingName());
+    }
+
+    private boolean isCertificateRegisteredForThing(Thing thing, Certificate certificate) {
+        return Optional.ofNullable(registry.get(thing.getThingName()))
+                .filter(certId -> certId.equals(certificate.getIotCertificateId()))
+                .isPresent();
+    }
+}

src/main/java/com/aws/greengrass/clientdevices/auth/session/MqttSessionFactory.java

@@ -9,34 +9,34 @@
 import com.aws.greengrass.clientdevices.auth.exception.AuthenticationException;
 import com.aws.greengrass.clientdevices.auth.exception.CloudServiceInteractionException;
 import com.aws.greengrass.clientdevices.auth.iot.Certificate;
-import com.aws.greengrass.clientdevices.auth.iot.CertificateRegistry;
 import com.aws.greengrass.clientdevices.auth.iot.Component;
-import com.aws.greengrass.clientdevices.auth.iot.IotAuthClient;
 import com.aws.greengrass.clientdevices.auth.iot.Thing;
+import com.aws.greengrass.clientdevices.auth.iot.registry.CertificateRegistry;
+import com.aws.greengrass.clientdevices.auth.iot.registry.ThingRegistry;
 
 import java.util.Map;
 import java.util.Optional;
 import javax.inject.Inject;
 
 public class MqttSessionFactory implements SessionFactory {
-    private final IotAuthClient iotAuthClient;
     private final DeviceAuthClient deviceAuthClient;
     private final CertificateRegistry certificateRegistry;
+    private final ThingRegistry thingRegistry;
 
     /**
      * Constructor.
      *
-     * @param iotAuthClient       Iot auth client
      * @param deviceAuthClient    Device auth client
      * @param certificateRegistry device Certificate registry
+     * @param thingRegistry       thing registry
      */
     @Inject
-    public MqttSessionFactory(IotAuthClient iotAuthClient,
-                              DeviceAuthClient deviceAuthClient,
-                              CertificateRegistry certificateRegistry) {
-        this.iotAuthClient = iotAuthClient;
+    public MqttSessionFactory(DeviceAuthClient deviceAuthClient,
+                              CertificateRegistry certificateRegistry,
+                              ThingRegistry thingRegistry) {
         this.deviceAuthClient = deviceAuthClient;
         this.certificateRegistry = certificateRegistry;
+        this.thingRegistry = thingRegistry;
     }
 
     @Override
@@ -61,7 +61,7 @@ private Session createIotThingSession(MqttCredential mqttCredential) throws Auth
             }
             Thing thing = new Thing(mqttCredential.clientId);
             Certificate cert = new Certificate(certificateId.get());
-            if (!iotAuthClient.isThingAttachedToCertificate(thing, cert)) {
+            if (!thingRegistry.isThingAttachedToCertificate(thing, cert)) {
                 throw new AuthenticationException("unable to authenticate device");
             }
             Session session = new SessionImpl(cert);

src/test/java/com/aws/greengrass/clientdevices/auth/iot/CertificateRegistryTest.java renamed to src/test/java/com/aws/greengrass/clientdevices/auth/iot/registry/CertificateRegistryTest.java

@@ -3,8 +3,9 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package com.aws.greengrass.clientdevices.auth.iot;
+package com.aws.greengrass.clientdevices.auth.iot.registry;
 
+import com.aws.greengrass.clientdevices.auth.iot.IotAuthClient;
 import com.aws.greengrass.testcommons.testutilities.GGExtension;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;

src/test/java/com/aws/greengrass/clientdevices/auth/iot/registry/ThingRegistryTest.java

@@ -0,0 +1,85 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package com.aws.greengrass.clientdevices.auth.iot.registry;
+
+
+import com.aws.greengrass.clientdevices.auth.exception.CloudServiceInteractionException;
+import com.aws.greengrass.clientdevices.auth.iot.Certificate;
+import com.aws.greengrass.clientdevices.auth.iot.IotAuthClient;
+import com.aws.greengrass.clientdevices.auth.iot.Thing;
+import com.aws.greengrass.testcommons.testutilities.GGExtension;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.reset;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@ExtendWith({MockitoExtension.class, GGExtension.class})
+class ThingRegistryTest {
+    private static final Thing mockThing = new Thing("mock-thing");
+    private static final Certificate mockCertificate = new Certificate("mock-certificateId");
+
+    @Mock
+    private IotAuthClient mockIotAuthClient;
+
+    private ThingRegistry registry;
+
+    @BeforeEach
+    void beforeEach() {
+        registry = new ThingRegistry(mockIotAuthClient);
+    }
+
+    @Test
+    void GIVEN_valid_thing_and_certificate_WHEN_isThingAttachedToCertificate_THEN_pass() {
+        // positive result
+        when(mockIotAuthClient.isThingAttachedToCertificate(any(Thing.class), any(Certificate.class))).thenReturn(true);
+        assertTrue(registry.isThingAttachedToCertificate(mockThing, mockCertificate));
+        verify(mockIotAuthClient, times(1)).isThingAttachedToCertificate(any(), any());
+
+        // negative result
+        reset(mockIotAuthClient);
+        when(mockIotAuthClient.isThingAttachedToCertificate(any(Thing.class), any(Certificate.class))).thenReturn(false);
+        assertFalse(registry.isThingAttachedToCertificate(mockThing, mockCertificate));
+        // registry should be cleared for negative result
+        assertNull(ThingRegistry.registry.get(mockThing.getThingName()));
+    }
+
+    @Test
+    void GIVEN_unreachable_cloud_WHEN_isThingAttachedToCertificate_THEN_return_cached_result() {
+        // cache result before going offline
+        when(mockIotAuthClient.isThingAttachedToCertificate(any(Thing.class), any(Certificate.class))).thenReturn(true);
+        assertTrue(registry.isThingAttachedToCertificate(mockThing, mockCertificate));
+
+        // go offline
+        reset(mockIotAuthClient);
+        doThrow(CloudServiceInteractionException.class)
+                .when(mockIotAuthClient).isThingAttachedToCertificate(any(), any());
+
+        // verify cached result
+        assertTrue(registry.isThingAttachedToCertificate(mockThing, mockCertificate));
+        verify(mockIotAuthClient, times(1)).isThingAttachedToCertificate(any(), any());
+    }
+
+    @Test
+    void GIVEN_offline_initialization_WHEN_isThingAttachedToCertificate_THEN_return_false_by_default() {
+        doThrow(CloudServiceInteractionException.class)
+                .when(mockIotAuthClient).isThingAttachedToCertificate(any(), any());
+
+        assertFalse(registry.isThingAttachedToCertificate(mockThing, mockCertificate));
+        verify(mockIotAuthClient, times(1)).isThingAttachedToCertificate(any(), any());
+    }
+
+}

src/test/java/com/aws/greengrass/clientdevices/auth/session/MqttSessionFactoryTest.java

@@ -8,9 +8,9 @@
 import com.aws.greengrass.clientdevices.auth.DeviceAuthClient;
 import com.aws.greengrass.clientdevices.auth.exception.AuthenticationException;
 import com.aws.greengrass.clientdevices.auth.exception.CloudServiceInteractionException;
-import com.aws.greengrass.clientdevices.auth.iot.CertificateRegistry;
+import com.aws.greengrass.clientdevices.auth.iot.registry.CertificateRegistry;
 import com.aws.greengrass.clientdevices.auth.iot.Component;
-import com.aws.greengrass.clientdevices.auth.iot.IotAuthClient;
+import com.aws.greengrass.clientdevices.auth.iot.registry.ThingRegistry;
 import com.aws.greengrass.testcommons.testutilities.GGExtension;
 import org.hamcrest.core.IsNull;
 import org.junit.jupiter.api.Assertions;
@@ -33,12 +33,12 @@
 
 @ExtendWith({MockitoExtension.class, GGExtension.class})
 public class MqttSessionFactoryTest {
-    @Mock
-    private IotAuthClient mockIotAuthClient;
     @Mock
     private DeviceAuthClient mockDeviceAuthClient;
     @Mock
     private CertificateRegistry mockCertificateRegistry;
+    @Mock
+    private ThingRegistry mockThingRegistry;
     private MqttSessionFactory mqttSessionFactory;
     private final Map<String, String> credentialMap = ImmutableMap.of(
             "certificatePem", "PEM",
@@ -49,13 +49,13 @@ public class MqttSessionFactoryTest {
 
     @BeforeEach
     void beforeEach() {
-        mqttSessionFactory = new MqttSessionFactory(mockIotAuthClient, mockDeviceAuthClient, mockCertificateRegistry);
+        mqttSessionFactory = new MqttSessionFactory(mockDeviceAuthClient, mockCertificateRegistry, mockThingRegistry);
     }
 
     @Test
     void GIVEN_credentialsWithUnknownClientId_WHEN_createSession_THEN_throwsAuthenticationException() {
         when(mockCertificateRegistry.getIotCertificateIdForPem(any())).thenReturn(Optional.of("id"));
-        when(mockIotAuthClient.isThingAttachedToCertificate(any(), any())).thenReturn(false);
+        when(mockThingRegistry.isThingAttachedToCertificate(any(), any())).thenReturn(false);
 
         Assertions.assertThrows(AuthenticationException.class,
                 () -> mqttSessionFactory.createSession(credentialMap));
@@ -71,7 +71,7 @@ void GIVEN_credentialsWithInvalidCertificate_WHEN_createSession_THEN_throwsAuthe
     @Test
     void GIVEN_credentialsWithCertificate_WHEN_createSession_AND_cloudError_THEN_throwsAuthenticationException() {
         when(mockCertificateRegistry.getIotCertificateIdForPem(any())).thenReturn(Optional.of("id"));
-        when(mockIotAuthClient.isThingAttachedToCertificate(any(), any()))
+        when(mockThingRegistry.isThingAttachedToCertificate(any(), any()))
                 .thenThrow(CloudServiceInteractionException.class);
         Assertions.assertThrows(AuthenticationException.class,
                 () -> mqttSessionFactory.createSession(credentialMap));
@@ -80,7 +80,7 @@ void GIVEN_credentialsWithCertificate_WHEN_createSession_AND_cloudError_THEN_thr
     @Test
     void GIVEN_credentialsWithValidClientId_WHEN_createSession_THEN_returnsSession() throws AuthenticationException {
         when(mockCertificateRegistry.getIotCertificateIdForPem(any())).thenReturn(Optional.of("id"));
-        when(mockIotAuthClient.isThingAttachedToCertificate(any(), any())).thenReturn(true);
+        when(mockThingRegistry.isThingAttachedToCertificate(any(), any())).thenReturn(true);
 
         Session session = mqttSessionFactory.createSession(credentialMap);
         assertThat(session, is(IsNull.notNullValue()));