Refactored session renewal interceptors

Move more functionality in the CookieBaseInterceptor.
Throw more explicit exceptions for auth problems.
Do not disable auth methods after exceptions.
Prevent multiple simultaneous session renewal attempts.

Author: ricellis

CHANGES.md

@@ -1,6 +1,11 @@
 # Unreleased
-- [UPGRADED] Optional OkHttp dependency to version 3.12.2.
 - [FIXED] Create an array of strings for QueryBuilder.fields() when a single field is provided.
+- [IMPROVED] Return exceptions directly from IAM token request failures instead of logging and
+  deferring the request to the service with no credentials. The exception type is the same, but
+  the message and cause are more clear and a round trip is avoided.
+- [IMPROVED] Prevent multiple session renewal requests happening simultaneously because some auth
+  types apply limits to the number of requests that can be made.
+- [UPGRADED] Optional OkHttp dependency to version 3.12.2.
 
 # 2.17.0 (2019-05-23)
 - [NEW] Added `com.cloudant.client.api.model.DbInfo#getDocDelCountLong()` to return

cloudant-client/src/main/java/com/cloudant/client/org/lightcouch/CouchDbClient.java

@@ -551,9 +551,10 @@ public HttpConnection execute(HttpConnection connection) {
             try {
                 connection = connection.execute();
             } catch (HttpConnectionInterceptorException e) {
-                CouchDbException exception = new CouchDbException(connection.getConnection()
-                        .getResponseMessage(), connection.getConnection().getResponseCode());
+                CouchDbException exception;
                 if (e.deserialize) {
+                    exception = new CouchDbException(connection.getConnection()
+                            .getResponseMessage(), connection.getConnection().getResponseCode());
                     try {
                         JsonObject errorResponse = new Gson().fromJson(e.error, JsonObject
                                 .class);
@@ -563,6 +564,7 @@ public HttpConnection execute(HttpConnection connection) {
                         exception.error = e.error;
                     }
                 } else {
+                    exception = new CouchDbException(e.getMessage(), e);
                     exception.error = e.error;
                     exception.reason = e.reason;
                 }

cloudant-http/src/main/java/com/cloudant/http/HttpConnection.java

@@ -1,4 +1,4 @@
-//  Copyright © 2015, 2017 IBM Corp. All rights reserved.
+//  Copyright © 2015, 2019 IBM Corp. All rights reserved.
 //
 //  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
 //  except in compliance with the License. You may obtain a copy of the License at
@@ -287,7 +287,11 @@ public HttpConnection execute() throws IOException {
                     .interceptorStates);
 
             for (HttpConnectionRequestInterceptor requestInterceptor : requestInterceptors) {
-                currentContext = requestInterceptor.interceptRequest(currentContext);
+                try {
+                    currentContext = requestInterceptor.interceptRequest(currentContext);
+                } catch (HttpConnectionInterceptorException e) {
+                    throw convertAndThrowInterceptorException(e);
+                }
             }
 
             //set request properties after interceptors, in case the interceptors have added
@@ -340,15 +344,7 @@ public HttpConnection execute() throws IOException {
                 try {
                     currentContext = responseInterceptor.interceptResponse(currentContext);
                 } catch (HttpConnectionInterceptorException e) {
-                    // Sadly the current interceptor API doesn't allow an IOException to be thrown
-                    // so to avoid swallowing them the interceptors need to wrap them in the runtime
-                    // HttpConnectionInterceptorException and we can then unwrap them here.
-                    Throwable cause = e.getCause();
-                    if (cause != null && cause instanceof IOException) {
-                        throw (IOException) cause;
-                    } else {
-                        throw e;
-                    }
+                    throw convertAndThrowInterceptorException(e);
                 }
             }
 
@@ -370,6 +366,18 @@ public HttpConnection execute() throws IOException {
         return this;
     }
 
+    private HttpConnectionInterceptorException convertAndThrowInterceptorException(HttpConnectionInterceptorException e) throws IOException {
+        // Sadly the current interceptor API doesn't allow an IOException to be thrown
+        // so to avoid swallowing them the interceptors need to wrap them in the runtime
+        // HttpConnectionInterceptorException and we can then unwrap them here.
+        Throwable cause = e.getCause();
+        if (cause instanceof IOException) {
+            throw (IOException) cause;
+        } else {
+            return e;
+        }
+    }
+
     /**
      * <p>
      * Return response body data from server as a String.

cloudant-http/src/main/java/com/cloudant/http/internal/interceptors/CookieInterceptor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2015, 2017 IBM Corp. All rights reserved.
+ * Copyright © 2015, 2019 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -14,7 +14,6 @@
 
 package com.cloudant.http.internal.interceptors;
 
-import com.cloudant.http.HttpConnection;
 import com.cloudant.http.HttpConnectionInterceptorContext;
 import com.cloudant.http.internal.Utils;
 
@@ -27,20 +26,12 @@
 import java.util.logging.Level;
 
 /**
- * Adds cookie authentication support to http requests.
- *
- * It does this by adding the cookie header for CouchDB
- * using request interceptor pipeline in {@link HttpConnection}.
- *
- * If a response has a response code of 401, it will fetch a cookie from
- * the server using provided credentials and tell {@link HttpConnection} to reply
- * the request by setting {@link HttpConnectionInterceptorContext#replayRequest} property to true.
- *
- * If the request to get the cookie for use in future request fails with a 401 status code
- * (or any status that indicates client error) cookie authentication will not be attempted again.
+ * Extends the CookieInterceptorBase to provide Apache CouchDB _session cookie support.
  */
 public class CookieInterceptor extends CookieInterceptorBase {
 
+    private final byte[] auth;
+
     /**
      * Constructs a cookie interceptor. Credentials should be supplied not URL encoded, this class
      * will perform the necessary URL encoding.
@@ -50,92 +41,72 @@ public class CookieInterceptor extends CookieInterceptorBase {
      * @param baseURL  The base URL to use when constructing an `_session` request.
      */
     public CookieInterceptor(String username, String password, String baseURL) {
-        super("application/x-www-form-urlencoded", baseURL, "/_session");
+        // Use form encoding for the user/pass submission
+        super(baseURL, "/_session", "application/x-www-form-urlencoded");
         try {
-            this.sessionRequestBody = String.format("name=%s&password=%s", URLEncoder.encode(username, "UTF-8"), URLEncoder.encode(password, "UTF-8"))
-                    .getBytes("UTF-8"); ;
+            this.auth = String.format("name=%s&password=%s", URLEncoder.encode(username, "UTF-8")
+                    , URLEncoder.encode(password, "UTF-8"))
+                    .getBytes("UTF-8");
+            ;
         } catch (UnsupportedEncodingException e) {
             //all JVMs should support UTF-8, so this should not happen
             throw new RuntimeException(e);
         }
     }
 
-
+    /**
+     * Returns form encoded credentials to pass to _session.
+     *
+     * @param context interceptor context
+     * @return form encoded credentials body payload
+     */
     @Override
-    public HttpConnectionInterceptorContext interceptResponse(HttpConnectionInterceptorContext
-                                                                      context) {
-
-        // Check if this interceptor is valid before attempting any kind of renewal
-        if (shouldAttemptCookieRequest.get()) {
-
-            HttpURLConnection connection = context.connection.getConnection();
-
-            // If we got a 401 or 403 we might need to renew the cookie
-            try {
-                boolean renewCookie = false;
-                int statusCode = connection.getResponseCode();
-
-                if (statusCode == HttpURLConnection.HTTP_FORBIDDEN || statusCode ==
-                        HttpURLConnection.HTTP_UNAUTHORIZED) {
-                    // Get the string value of the error stream
-                    InputStream errorStream = connection.getErrorStream();
-                    String errorString = null;
-                    if (errorStream != null) {
-                        errorString = Utils.collectAndCloseStream(connection
-                                .getErrorStream());
-                        logger.log(Level.FINE, String.format(Locale.ENGLISH, "Intercepted " +
-                                "response %d %s", statusCode, errorString));
-                    }
-                    switch (statusCode) {
-                        case HttpURLConnection.HTTP_FORBIDDEN: //403
-                            // Check if it was an expiry case
-                            // Check using a regex to avoid dependency on a JSON library.
-                            // Note (?siu) flags used for . to also match line breaks and for
-                            // unicode
-                            // case insensitivity.
-                            if (errorString != null && errorString.matches("(?siu)" +
-                                    ".*\\\"error\\\"\\s*:\\s*\\\"credentials_expired\\\".*")) {
-                                // Was expired - set boolean to renew cookie
-                                renewCookie = true;
-                            } else {
-                                // Wasn't a credentials expired, throw exception
-                                HttpConnectionInterceptorException toThrow = new
-                                        HttpConnectionInterceptorException(errorString);
-                                // Set the flag for deserialization
-                                toThrow.deserialize = errorString != null;
-                                throw toThrow;
-                            }
-                            break;
-                        case HttpURLConnection.HTTP_UNAUTHORIZED: //401
-                            // We need to get a new cookie
-                            renewCookie = true;
-                            break;
-                        default:
-                            break;
-                    }
+    protected byte[] getSessionRequestPayload(HttpConnectionInterceptorContext context) {
+        return auth;
+    }
 
-                    if (renewCookie) {
-                        logger.finest("Cookie was invalid. Will attempt to get new cookie.");
-                        boolean success = requestCookie(context);
-                        if (success) {
-                            // New cookie obtained, replay the request
-                            context.replayRequest = true;
-                        } else {
-                            // Didn't successfully renew, maybe creds are invalid
-                            context.replayRequest = false; // Don't replay
-                            shouldAttemptCookieRequest.set(false); // Set the flag to stop trying
-                        }
-                    }
+    /**
+     * Adds an additional check for HTTP 403 status codes with "credentials expired" messages that
+     * are returned by some Cloudant versions.
+     *
+     * @param connection the connection to interrogate
+     * @param statusCode the HTTP response status code
+     * @return
+     */
+    @Override
+    protected boolean shouldRenew(HttpURLConnection connection, int statusCode) {
+        try {
+            if (statusCode == HttpURLConnection.HTTP_FORBIDDEN) {
+                // Get the string value of the error stream
+                InputStream errorStream = connection.getErrorStream();
+                String errorString = null;
+                if (errorStream != null) {
+                    errorString = Utils.collectAndCloseStream(connection
+                            .getErrorStream());
+                    logger.log(Level.FINE, String.format(Locale.ENGLISH, "Intercepted " +
+                            "response %d %s", statusCode, errorString));
+                }
+                // Check if it was an expiry case
+                // Check using a regex to avoid dependency on a JSON library.
+                // Note (?siu) flags used for . to also match line breaks and for
+                // unicode
+                // case insensitivity.
+                if (errorString != null && errorString.matches("(?siu)" +
+                        ".*\\\"error\\\"\\s*:\\s*\\\"credentials_expired\\\".*")) {
+                    // Was expired - renew cookie
+                    return true;
                 } else {
-                    // Store any cookies provided on the response
-                    storeCookiesFromResponse(connection);
+                    // Wasn't a credentials expired, throw exception
+                    HttpConnectionInterceptorException toThrow = new
+                            HttpConnectionInterceptorException(errorString, null);
+                    // Set the flag for deserialization
+                    toThrow.deserialize = errorString != null;
+                    throw toThrow;
                 }
-            } catch (IOException e) {
-                logger.log(Level.SEVERE, "Error reading response code or body from request", e);
             }
+        } catch (IOException e) {
+            throw wrapIOException("Failed to read HTTP reponse code or body from", connection, e);
         }
-        return context;
-
+        return false;
     }
-
 }