Adding DefaultAWSCredentialsProviderChainDebugger so that issues can …

…be debugged from log messages (#40)

src/main/java/com/nike/cerberus/client/auth/aws/BaseAwsCredentialsProvider.java

@@ -20,6 +20,7 @@
 import com.amazonaws.regions.Regions;
 import com.amazonaws.services.kms.AWSKMS;
 import com.amazonaws.services.kms.AWSKMSClient;
+import com.amazonaws.services.kms.model.AWSKMSException;
 import com.amazonaws.services.kms.model.DecryptRequest;
 import com.amazonaws.services.kms.model.DecryptResult;
 import com.amazonaws.util.Base64;
@@ -295,26 +296,34 @@ protected CerberusAuthResponse decryptToken(AWSKMS kmsClient, String encryptedTo
             throw new CerberusClientException("Encrypted token not Base64 encoded", iae);
         }
 
-        final DecryptRequest request = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(decodedToken));
-        final DecryptResult result = kmsClient.decrypt(request);
+        try {
+            final DecryptRequest request = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(decodedToken));
+            final DecryptResult result = kmsClient.decrypt(request);
+
+            final String decryptedAuthData = new String(result.getPlaintext().array(), Charset.forName("UTF-8"));
 
-        final String decryptedAuthData = new String(result.getPlaintext().array(), Charset.forName("UTF-8"));
+            return gson.fromJson(decryptedAuthData, CerberusAuthResponse.class);
 
-        return gson.fromJson(decryptedAuthData, CerberusAuthResponse.class);
+        } catch (AWSKMSException e) {
+            new DefaultAWSCredentialsProviderChainDebugger().logExtraDebuggingIfAppropriate(e);
+            throw e;
+        }
     }
 
+
     /**
      * Executes an HTTP request and retries if a 500 level error is returned
-     * @param request                The request to execute
-     * @param numRetries             The maximum number of times to retry
-     * @param sleepIntervalInMillis  Time in milliseconds to sleep between retries. Zero for no sleep.
+     *
+     * @param request               The request to execute
+     * @param numRetries            The maximum number of times to retry
+     * @param sleepIntervalInMillis Time in milliseconds to sleep between retries. Zero for no sleep.
      * @return Any HTTP response with status code below 500, or the last error response if only 500's are returned
-     * @throws IOException  If an IOException occurs during the last retry, then rethrow the error
+     * @throws IOException If an IOException occurs during the last retry, then rethrow the error
      */
     protected Response executeRequestWithRetry(Request request, int numRetries, int sleepIntervalInMillis) throws IOException {
         IOException exception = null;
         Response response = null;
-        for(int retryNumber = 0; retryNumber < numRetries; retryNumber++) {
+        for (int retryNumber = 0; retryNumber < numRetries; retryNumber++) {
             try {
                 response = httpClient.newCall(request).execute();
                 if (response.code() < 500) {

src/main/java/com/nike/cerberus/client/auth/aws/DefaultAWSCredentialsProviderChainDebugger.java

@@ -0,0 +1,57 @@
+package com.nike.cerberus.client.auth.aws;
+
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.AWSCredentialsProvider;
+import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
+import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
+import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
+import com.amazonaws.auth.profile.ProfileCredentialsProvider;
+import com.amazonaws.services.kms.model.AWSKMSException;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Sometimes Bad AWS Credentials get picked up from the provider chain
+ * and people aren't sure where they came from.
+ */
+public class DefaultAWSCredentialsProviderChainDebugger {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultAWSCredentialsProviderChainDebugger.class);
+
+    /**
+     * This chain should match that found in DefaultAWSCredentialsProviderChain
+     */
+    private final AWSCredentialsProvider[] credentialProviderChain = new AWSCredentialsProvider[]{
+            new EnvironmentVariableCredentialsProvider(),
+            new SystemPropertiesCredentialsProvider(),
+            new ProfileCredentialsProvider(),
+            new EC2ContainerCredentialsProviderWrapper()
+    };
+
+    /**
+     * Log extra debugging information if appropriate
+     */
+    public void logExtraDebuggingIfAppropriate(AWSKMSException kmsException) {
+        if (StringUtils.contains(kmsException.getMessage(), "The security token included in the request is invalid.")) {
+            LOGGER.warn("Bad credentials may have been picked up from the DefaultAWSCredentialsProviderChain");
+            boolean firstCredentialsFound = false;
+            for (AWSCredentialsProvider provider : credentialProviderChain) {
+                try {
+                    AWSCredentials credentials = provider.getCredentials();
+                    if (credentials.getAWSAccessKeyId() != null &&
+                            credentials.getAWSSecretKey() != null) {
+                        if (!firstCredentialsFound) {
+                            firstCredentialsFound = true;
+                            LOGGER.info("AWS Credentials were loaded from " + provider.toString());
+                        } else {
+                            LOGGER.info("AWS Credentials were also available from " + provider.toString() + " but those were not used");
+                        }
+                    }
+                } catch (Exception ex) {
+                    LOGGER.info("Unable to load credentials from " + provider.toString());
+                }
+            }
+        }
+    }
+}