DynamoDB configurations update:

- Refactored configuration structure - broken down config into dynamodb, AWS, SDK & HTTP client groups
- Added config of TLS Managers for sync/async clients
- Added config of HTTP Proxy for async client
- Added support for SDK client interceptors

Author: marcinczeczko

bom/runtime/pom.xml

@@ -1395,7 +1395,7 @@
                 <artifactId>aesh</artifactId>
                 <version>${aesh.version}</version>
             </dependency>
-            
+
             <dependency>
                 <groupId>com.oracle.substratevm</groupId>
                 <artifactId>svm</artifactId>

docs/src/main/asciidoc/dynamodb-guide.adoc

@@ -1,6 +1,9 @@
 package io.quarkus.dynamodb.deployment;
 
 import java.net.URI;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
 
 import org.jboss.jandex.DotName;
 import org.jboss.jandex.Type;
@@ -14,19 +17,25 @@
 import io.quarkus.deployment.annotations.BuildStep;
 import io.quarkus.deployment.annotations.ExecutionTime;
 import io.quarkus.deployment.annotations.Record;
+import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
 import io.quarkus.deployment.builditem.ExtensionSslNativeSupportBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
 import io.quarkus.deployment.builditem.JniBuildItem;
 import io.quarkus.deployment.builditem.ShutdownContextBuildItem;
+import io.quarkus.deployment.builditem.substrate.ReflectiveClassBuildItem;
 import io.quarkus.deployment.builditem.substrate.ServiceProviderBuildItem;
 import io.quarkus.deployment.builditem.substrate.SubstrateProxyDefinitionBuildItem;
+import io.quarkus.deployment.builditem.substrate.SubstrateResourceBuildItem;
 import io.quarkus.deployment.configuration.ConfigurationError;
-import io.quarkus.dynamodb.runtime.AwsApacheHttpClientConfig;
+import io.quarkus.dynamodb.runtime.ApacheHttpClientConfig;
 import io.quarkus.dynamodb.runtime.AwsCredentialsProviderType;
-import io.quarkus.dynamodb.runtime.AwsNettyNioAsyncHttpClientConfig;
 import io.quarkus.dynamodb.runtime.DynamodbClientProducer;
 import io.quarkus.dynamodb.runtime.DynamodbConfig;
 import io.quarkus.dynamodb.runtime.DynamodbRecorder;
+import io.quarkus.dynamodb.runtime.NettyHttpClientConfig;
+import io.quarkus.dynamodb.runtime.TlsManagersProviderConfig;
+import io.quarkus.dynamodb.runtime.TlsManagersProviderType;
+import software.amazon.awssdk.core.interceptor.ExecutionInterceptor;
 import software.amazon.awssdk.http.SdkHttpService;
 import software.amazon.awssdk.http.apache.ApacheSdkHttpService;
 import software.amazon.awssdk.http.async.SdkAsyncHttpService;
@@ -38,6 +47,11 @@
 public class DynamodbProcessor {
     public static final String AWS_SDK_APPLICATION_ARCHIVE_MARKERS = "software/amazon/awssdk";
 
+    private static final List<String> INTERCEPTOR_PATHS = Arrays.asList(
+            "software/amazon/awssdk/global/handlers/execution.interceptors",
+            "software/amazon/awssdk/services/dynamodb/execution.interceptors");
+
+    private static final DotName EXECUTION_INTERCEPTOR_NAME = DotName.createSimple(ExecutionInterceptor.class.getName());
     private static final DotName SYNC_CLIENT_NAME = DotName.createSimple(DynamoDbClient.class.getName());
     private static final DotName ASYNC_CLIENT_NAME = DotName.createSimple(DynamoDbAsyncClient.class.getName());
 
@@ -49,17 +63,29 @@ JniBuildItem jni() {
     }
 
     @BuildStep(applicationArchiveMarkers = { AWS_SDK_APPLICATION_ARCHIVE_MARKERS })
-    void setup(BuildProducer<ExtensionSslNativeSupportBuildItem> extensionSslNativeSupport,
-            BuildProducer<ServiceProviderBuildItem> serviceProvider,
+    void setup(CombinedIndexBuildItem combinedIndexBuildItem,
+            BuildProducer<ExtensionSslNativeSupportBuildItem> extensionSslNativeSupport,
+            BuildProducer<ReflectiveClassBuildItem> reflectiveClasses,
             BuildProducer<FeatureBuildItem> feature,
-            BuildProducer<AdditionalBeanBuildItem> additionalBeans) {
+            BuildProducer<AdditionalBeanBuildItem> additionalBeans,
+            BuildProducer<SubstrateResourceBuildItem> resource) {
 
         feature.produce(new FeatureBuildItem(FeatureBuildItem.DYNAMODB));
 
         // Indicates that this extension would like the SSL support to be enabled
         extensionSslNativeSupport.produce(new ExtensionSslNativeSupportBuildItem(FeatureBuildItem.DYNAMODB));
 
-        checkConfig(config);
+        INTERCEPTOR_PATHS.stream().forEach(path -> resource.produce(new SubstrateResourceBuildItem(path)));
+
+        List<String> knownInterceptorImpls = combinedIndexBuildItem.getIndex()
+                .getAllKnownImplementors(EXECUTION_INTERCEPTOR_NAME)
+                .stream()
+                .map(c -> c.name().toString()).collect(Collectors.toList());
+
+        checkConfig(config, knownInterceptorImpls);
+
+        reflectiveClasses.produce(new ReflectiveClassBuildItem(false, false,
+                knownInterceptorImpls.toArray(new String[knownInterceptorImpls.size()])));
 
         additionalBeans.produce(AdditionalBeanBuildItem.unremovableOf(DynamodbClientProducer.class));
     }
@@ -122,30 +148,43 @@ void buildClients(DynamodbClientBuildItem clientBuildItem, DynamodbRecorder reco
         }
     }
 
-    private static void checkConfig(DynamodbConfig config) {
-        if (config.endpointOverride.isPresent()) {
-            URI endpointOverride = config.endpointOverride.get();
-            if (StringUtils.isBlank(endpointOverride.getScheme())) {
-                throw new ConfigurationError(
-                        String.format("quarkus.dynamodb.endpoint-override (%s) - scheme must be specified",
-                                endpointOverride.toString()));
+    private static void checkConfig(DynamodbConfig config, List<String> knownInterceptorImpls) {
+        if (config.sdk != null) {
+            if (config.sdk.endpointOverride.isPresent()) {
+                URI endpointOverride = config.sdk.endpointOverride.get();
+                if (StringUtils.isBlank(endpointOverride.getScheme())) {
+                    throw new ConfigurationError(
+                            String.format("quarkus.dynamodb.sdk.endpoint-override (%s) - scheme must be specified",
+                                    endpointOverride.toString()));
+                }
             }
+            config.sdk.interceptors.stream().forEach(interceptorClass -> {
+                if (!knownInterceptorImpls.contains(interceptorClass.getName())) {
+                    throw new ConfigurationError(
+                            String.format(
+                                    "quarkus.dynamodb.sdk.interceptors (%s) - must list only existing implementations of software.amazon.awssdk.core.interceptor.ExecutionInterceptor",
+                                    config.sdk.interceptors.toString()));
+                }
+            });
         }
 
-        if (config.credentials.type == AwsCredentialsProviderType.STATIC) {
-            if (StringUtils.isBlank(config.credentials.staticProvider.accessKeyId)
-                    || StringUtils.isBlank(config.credentials.staticProvider.secretAccessKey)) {
-                throw new ConfigurationError(
-                        "quarkus.dynamodb.credentials.static-provider.access-key-id and "
-                                + "quarkus.dynamodb.credentials.static-provider.secret-access-key cannot be empty if STATIC credentials provider used.");
+        if (config.aws != null) {
+            if (config.aws.credentials.type == AwsCredentialsProviderType.STATIC) {
+                if (StringUtils.isBlank(config.aws.credentials.staticProvider.accessKeyId)
+                        || StringUtils.isBlank(config.aws.credentials.staticProvider.secretAccessKey)) {
+                    throw new ConfigurationError(
+                            "quarkus.dynamodb.aws.credentials.static-provider.access-key-id and "
+                                    + "quarkus.dynamodb.aws.credentials.static-provider.secret-access-key cannot be empty if STATIC credentials provider used.");
+                }
             }
-        }
-        if (config.credentials.type == AwsCredentialsProviderType.PROCESS) {
-            if (StringUtils.isBlank(config.credentials.processProvider.command)) {
-                throw new ConfigurationError(
-                        "quarkus.dynamodb.credentials.process-provider.command cannot be empty if PROCESS credentials provider used.");
+            if (config.aws.credentials.type == AwsCredentialsProviderType.PROCESS) {
+                if (StringUtils.isBlank(config.aws.credentials.processProvider.command)) {
+                    throw new ConfigurationError(
+                            "quarkus.dynamodb.aws.credentials.process-provider.command cannot be empty if PROCESS credentials provider used.");
+                }
             }
         }
+
         if (config.syncClient != null) {
             checkSyncClientConfig(config.syncClient);
         }
@@ -154,45 +193,20 @@ private static void checkConfig(DynamodbConfig config) {
         }
     }
 
-    private static void checkSyncClientConfig(AwsApacheHttpClientConfig syncClient) {
+    private static void checkSyncClientConfig(ApacheHttpClientConfig syncClient) {
         if (syncClient.maxConnections.isPresent() && syncClient.maxConnections.getAsInt() <= 0) {
             throw new ConfigurationError("quarkus.dynamodb.sync-client.max-connections may not be negative or zero.");
         }
         if (syncClient.proxy != null && syncClient.proxy.enabled) {
             URI proxyEndpoint = syncClient.proxy.endpoint;
             if (proxyEndpoint != null) {
-                if (StringUtils.isBlank(proxyEndpoint.getScheme())) {
-                    throw new ConfigurationError(
-                            String.format("quarkus.dynamodb.sync-client.proxy.endpoint (%s) - scheme must be specified",
-                                    proxyEndpoint.toString()));
-                }
-                if (StringUtils.isNotBlank(proxyEndpoint.getUserInfo())) {
-                    throw new ConfigurationError(
-                            String.format(
-                                    "quarkus.dynamodb.sync-client.proxy.endpoint (%s) - user info is not supported.",
-                                    proxyEndpoint.toString()));
-                }
-                if (StringUtils.isNotBlank(proxyEndpoint.getPath())) {
-                    throw new ConfigurationError(
-                            String.format("quarkus.dynamodb.sync-client.proxy.endpoint (%s) - path is not supported.",
-                                    proxyEndpoint.toString()));
-                }
-                if (StringUtils.isNotBlank(proxyEndpoint.getQuery())) {
-                    throw new ConfigurationError(
-                            String.format("quarkus.dynamodb.sync-client.proxy.endpoint (%s) - query is not supported.",
-                                    proxyEndpoint.toString()));
-                }
-                if (StringUtils.isNotBlank(proxyEndpoint.getFragment())) {
-                    throw new ConfigurationError(
-                            String.format(
-                                    "quarkus.dynamodb.sync-client.proxy.endpoint (%s) - fragment is not supported.",
-                                    proxyEndpoint.toString()));
-                }
+                validateProxyEndpoint(proxyEndpoint, "sync");
             }
         }
+        validateTlsManagersProvider(syncClient.tlsManagersProvider, "sync");
     }
 
-    private static void checkAsyncClientConfig(AwsNettyNioAsyncHttpClientConfig asyncClient) {
+    private static void checkAsyncClientConfig(NettyHttpClientConfig asyncClient) {
         if (asyncClient.maxConcurrency.isPresent() && asyncClient.maxConcurrency.get() <= 0) {
             throw new ConfigurationError("quarkus.dynamodb.async-client.max-concurrency may not be negative or zero.");
         }
@@ -211,5 +225,76 @@ private static void checkAsyncClientConfig(AwsNettyNioAsyncHttpClientConfig asyn
                         "quarkus.dynamodb.async-client.event-loop.number-of-threads may not be negative or zero.");
             }
         }
+        if (asyncClient.proxy != null && asyncClient.proxy.enabled) {
+            URI proxyEndpoint = asyncClient.proxy.endpoint;
+            if (proxyEndpoint != null) {
+                validateProxyEndpoint(proxyEndpoint, "async");
+            }
+        }
+        validateTlsManagersProvider(asyncClient.tlsManagersProvider, "async");
+    }
+
+    private static void validateProxyEndpoint(URI endpoint, String clientType) {
+        if (StringUtils.isBlank(endpoint.getScheme())) {
+            throw new ConfigurationError(
+                    String.format("quarkus.dynamodb.%s-client.proxy.endpoint (%s) - scheme must be specified",
+                            clientType, endpoint.toString()));
+        }
+        if (StringUtils.isBlank(endpoint.getHost())) {
+            throw new ConfigurationError(
+                    String.format("quarkus.dynamodb.%s-client.proxy.endpoint (%s) - host must be specified",
+                            clientType, endpoint.toString()));
+        }
+        if (StringUtils.isNotBlank(endpoint.getUserInfo())) {
+            throw new ConfigurationError(
+                    String.format("quarkus.dynamodb.%s-client.proxy.endpoint (%s) - user info is not supported.",
+                            clientType, endpoint.toString()));
+        }
+        if (StringUtils.isNotBlank(endpoint.getPath())) {
+            throw new ConfigurationError(
+                    String.format("quarkus.dynamodb.%s-client.proxy.endpoint (%s) - path is not supported.",
+                            clientType, endpoint.toString()));
+        }
+        if (StringUtils.isNotBlank(endpoint.getQuery())) {
+            throw new ConfigurationError(
+                    String.format("quarkus.dynamodb.%s-client.proxy.endpoint (%s) - query is not supported.",
+                            clientType, endpoint.toString()));
+        }
+        if (StringUtils.isNotBlank(endpoint.getFragment())) {
+            throw new ConfigurationError(
+                    String.format("quarkus.dynamodb.%s-client.proxy.endpoint (%s) - fragment is not supported.",
+                            clientType, endpoint.toString()));
+        }
+    }
+
+    private static void validateTlsManagersProvider(TlsManagersProviderConfig config, String clientType) {
+        if (config != null && config.type.isPresent()
+                && config.type.get() == TlsManagersProviderType.FILE_STORE) {
+
+            if (config.fileStore == null) {
+                throw new ConfigurationError(
+                        String.format(
+                                "quarkus.dynamodb.%s-client.tls-managers-provider.file-store must be specified if 'FILE_STORE' provider type is used",
+                                clientType));
+            }
+            if (config.fileStore.path == null) {
+                throw new ConfigurationError(
+                        String.format(
+                                "quarkus.dynamodb.%s-client.tls-managers-provider.file-store.path should not be empty if 'FILE_STORE' provider is used.",
+                                clientType));
+            }
+            if (StringUtils.isBlank(config.fileStore.type)) {
+                throw new ConfigurationError(
+                        String.format(
+                                "quarkus.dynamodb.%s-client.tls-managers-provider.file-store.type should not be empty if 'FILE_STORE' provider is used.",
+                                clientType));
+            }
+            if (StringUtils.isBlank(config.fileStore.password)) {
+                throw new ConfigurationError(
+                        String.format(
+                                "quarkus.dynamodb.%s-client.tls-managers-provider.file-store.password should not be empty if 'FILE_STORE' provider is used.",
+                                clientType));
+            }
+        }
     }
 }

extensions/amazon-dynamodb/deployment/src/main/java/io/quarkus/dynamodb/deployment/DynamodbProcessor.java

@@ -0,0 +1,31 @@
+package io.quarkus.dynamodb.deployment;
+
+import javax.inject.Inject;
+
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.deployment.configuration.ConfigurationError;
+import io.quarkus.test.QuarkusUnitTest;
+import software.amazon.awssdk.services.dynamodb.DynamoDbAsyncClient;
+
+public class DynamodbAsyncClientBrokenProxyConfigTest {
+
+    @Inject
+    DynamoDbAsyncClient client;
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .setExpectedException(ConfigurationError.class)
+            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class)
+                    .addAsResource("async-broken-proxy-config.properties", "application.properties"));
+
+    @Test
+    public void test() {
+        // should not be called, deployment exception should happen first.
+        Assertions.fail();
+    }
+}

extensions/amazon-dynamodb/deployment/src/test/java/io/quarkus/dynamodb/deployment/DynamodbAsyncClientBrokenProxyConfigTest.java

@@ -0,0 +1,27 @@
+package io.quarkus.dynamodb.deployment;
+
+import javax.inject.Inject;
+
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.JavaArchive;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+import software.amazon.awssdk.services.dynamodb.DynamoDbAsyncClient;
+
+public class DynamodbAsyncClientTlsFileStoreConfigTest {
+
+    @Inject
+    DynamoDbAsyncClient client;
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class)
+                    .addAsResource("async-tls-filestore-config.properties", "application.properties"));
+
+    @Test
+    public void test() {
+        // Application should start with full config.
+    }
+}

extensions/amazon-dynamodb/deployment/src/test/java/io/quarkus/dynamodb/deployment/DynamodbAsyncClientTlsFileStoreConfigTest.java

@@ -0,0 +1,5 @@
+quarkus.dynamodb.async-client.proxy.enabled = true
+quarkus.dynamodb.async-client.proxy.endpoint = http://user:[email protected]?foo=bar
+
+
+

extensions/amazon-dynamodb/deployment/src/test/resources/async-broken-proxy-config.properties

@@ -1,10 +1,10 @@
-quarkus.dynamodb.region=us-east-1
 quarkus.dynamodb.enable-endpoint-discovery=false
 quarkus.dynamodb.endpoint-override=http://localhost:8000
 
-quarkus.dynamodb.credentials.type=STATIC
-quarkus.dynamodb.credentials.static-provider.access-key-id=test-key
-quarkus.dynamodb.credentials.static-provider.secret-access-key=test-secret
+quarkus.dynamodb.aws.region=us-east-1
+quarkus.dynamodb.aws.credentials.type=STATIC
+quarkus.dynamodb.aws.credentials.static-provider.access-key-id=test-key
+quarkus.dynamodb.aws.credentials.static-provider.secret-access-key=test-secret
 
 quarkus.dynamodb.async-client.max-concurrency=10
 quarkus.dynamodb.async-client.max-pending-connection-acquires=10
@@ -21,3 +21,7 @@ quarkus.dynamodb.async-client.ssl-provider = JDK
 quarkus.dynamodb.async-client.event-loop.override = true
 quarkus.dynamodb.async-client.event-loop.number-of-threads = 5
 quarkus.dynamodb.async-client.event-loop.thread-name-prefix = Quarkus-Netty-EventLoop-
+quarkus.dynamodb.async-client.proxy.enabled = true
+quarkus.dynamodb.async-client.proxy.endpoint = http://127.1.1.1
+quarkus.dynamodb.async-client.proxy.non-proxy-hosts = localhost, hostlocal
+quarkus.dynamodb.async-client.tls-managers-provider.type=SYSTEM_PROPERTY

extensions/amazon-dynamodb/deployment/src/test/resources/async-full-config.properties

@@ -0,0 +1,6 @@
+quarkus.dynamodb.aws.region=us-east-1
+
+quarkus.dynamodb.async-client.tls-managers-provider.type=FILE_STORE
+quarkus.dynamodb.async-client.tls-managers-provider.file-store.path=/tmp/file.key
+quarkus.dynamodb.async-client.tls-managers-provider.file-store.type=pkcs11
+quarkus.dynamodb.async-client.tls-managers-provider.file-store.password=thePassword

extensions/amazon-dynamodb/deployment/src/test/resources/async-tls-filestore-config.properties

@@ -1,2 +1,4 @@
+quarkus.dynamodb.aws.region=us-east-1
+
 quarkus.dynamodb.endpoint-override=127.0.0.1
 

extensions/amazon-dynamodb/deployment/src/test/resources/broken-endpoint-config.properties

@@ -1,6 +1,6 @@
-quarkus.dynamodb.region=us-east-2
+quarkus.dynamodb.aws.region=us-east-2
 
-quarkus.dynamodb.credentials.type=DEFAULT
-quarkus.dynamodb.credentials.default-provider.async-credential-update-enabled=true
-quarkus.dynamodb.credentials.default-provider.reuse-last-provider-enabled=true
+quarkus.dynamodb.aws.credentials.type=DEFAULT
+quarkus.dynamodb.aws.credentials.default-provider.async-credential-update-enabled=true
+quarkus.dynamodb.aws.credentials.default-provider.reuse-last-provider-enabled=true