Restore logic to add in UA suffix

Author: Bryan Donlan

src/main/java/com/amazonaws/encryptionsdk/kms/KmsMasterKey.java

@@ -23,6 +23,7 @@
 import java.util.Map;
 
 import com.amazonaws.AmazonServiceException;
+import com.amazonaws.AmazonWebServiceRequest;
 import com.amazonaws.auth.AWSCredentials;
 import com.amazonaws.auth.AWSCredentialsProvider;
 import com.amazonaws.encryptionsdk.AwsCrypto;
@@ -33,6 +34,7 @@
 import com.amazonaws.encryptionsdk.MasterKeyProvider;
 import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
 import com.amazonaws.encryptionsdk.exception.UnsupportedProviderException;
+import com.amazonaws.encryptionsdk.internal.VersionInfo;
 import com.amazonaws.services.kms.AWSKMS;
 import com.amazonaws.services.kms.model.DecryptRequest;
 import com.amazonaws.services.kms.model.DecryptResult;
@@ -51,6 +53,12 @@ public final class KmsMasterKey extends MasterKey<KmsMasterKey> implements KmsMe
     private final String id_;
     private final List<String> grantTokens_ = new ArrayList<>();
 
+    private <T extends AmazonWebServiceRequest> T updateUserAgent(T request) {
+        request.getRequestClientOptions().appendUserAgent(VersionInfo.USER_AGENT);
+
+        return request;
+    }
+
     /**
      *
      * @deprecated Use a {@link KmsMasterKeyProvider} to obtain {@link KmsMasterKey}s.
@@ -93,13 +101,13 @@ public String getKeyId() {
     @Override
     public DataKey<KmsMasterKey> generateDataKey(final CryptoAlgorithm algorithm,
             final Map<String, String> encryptionContext) {
-        final GenerateDataKeyResult gdkResult = kms_.generateDataKey(
+        final GenerateDataKeyResult gdkResult = kms_.generateDataKey(updateUserAgent(
                 new GenerateDataKeyRequest()
                         .withKeyId(getKeyId())
                         .withNumberOfBytes(algorithm.getDataKeyLength())
                         .withEncryptionContext(encryptionContext)
                         .withGrantTokens(grantTokens_)
-                );
+        ));
         final byte[] rawKey = new byte[algorithm.getDataKeyLength()];
         gdkResult.getPlaintext().get(rawKey);
         if (gdkResult.getPlaintext().remaining() > 0) {
@@ -137,12 +145,12 @@ public DataKey<KmsMasterKey> encryptDataKey(final CryptoAlgorithm algorithm,
             throw new IllegalArgumentException("Only RAW encoded keys are supported");
         }
         try {
-            final EncryptResult encryptResult = kms_.encrypt(
+            final EncryptResult encryptResult = kms_.encrypt(updateUserAgent(
                     new EncryptRequest()
                             .withKeyId(id_)
                             .withPlaintext(ByteBuffer.wrap(key.getEncoded()))
                             .withEncryptionContext(encryptionContext)
-                            .withGrantTokens(grantTokens_));
+                            .withGrantTokens(grantTokens_)));
             final byte[] edk = new byte[encryptResult.getCiphertextBlob().remaining()];
             encryptResult.getCiphertextBlob().get(edk);
             return new DataKey<>(dataKey.getKey(), edk, encryptResult.getKeyId().getBytes(StandardCharsets.UTF_8), this);
@@ -159,11 +167,11 @@ public DataKey<KmsMasterKey> decryptDataKey(final CryptoAlgorithm algorithm,
         final List<Exception> exceptions = new ArrayList<>();
         for (final EncryptedDataKey edk : encryptedDataKeys) {
             try {
-                final DecryptResult decryptResult = kms_.decrypt(
+                final DecryptResult decryptResult = kms_.decrypt(updateUserAgent(
                         new DecryptRequest()
                                 .withCiphertextBlob(ByteBuffer.wrap(edk.getEncryptedDataKey()))
                                 .withEncryptionContext(encryptionContext)
-                                .withGrantTokens(grantTokens_));
+                                .withGrantTokens(grantTokens_)));
                 if (decryptResult.getKeyId().equals(id_)) {
                     final byte[] rawKey = new byte[algorithm.getDataKeyLength()];
                     decryptResult.getPlaintext().get(rawKey);

src/test/java/com/amazonaws/services/kms/KMSProviderBuilderIntegrationTests.java

@@ -13,9 +13,12 @@
 import java.util.Arrays;
 
 import org.junit.Test;
+import org.mockito.ArgumentCaptor;
 
 import com.amazonaws.AbortedException;
+import com.amazonaws.AmazonWebServiceRequest;
 import com.amazonaws.ClientConfiguration;
+import com.amazonaws.Request;
 import com.amazonaws.auth.AWSCredentials;
 import com.amazonaws.auth.AWSCredentialsProvider;
 import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
@@ -24,6 +27,7 @@
 import com.amazonaws.encryptionsdk.CryptoResult;
 import com.amazonaws.encryptionsdk.MasterKeyProvider;
 import com.amazonaws.encryptionsdk.exception.CannotUnwrapDataKeyException;
+import com.amazonaws.encryptionsdk.internal.VersionInfo;
 import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
 import com.amazonaws.handlers.RequestHandler2;
 import com.amazonaws.http.exception.HttpRequestTimeoutException;
@@ -197,6 +201,34 @@ public void whenBogusEndpointIsSet_constructionFails() throws Exception {
                             );
     }
 
+    @Test
+    public void whenUserAgentsOverridden_originalUAsPreserved() throws Exception {
+        RequestHandler2 handler = spy(new RequestHandler2() {});
+
+        KmsMasterKeyProvider mkp = KmsMasterKeyProvider.builder()
+                                                       .withClientBuilder(
+                                                               AWSKMSClientBuilder.standard().withRequestHandlers(handler)
+                                                               .withClientConfiguration(
+                                                                       new ClientConfiguration()
+                                                                           .withUserAgentPrefix("TEST-UA-PREFIX")
+                                                                           .withUserAgentSuffix("TEST-UA-SUFFIX")
+                                                               )
+                                                       )
+                                                       .withKeysForEncryption(KMSTestFixtures.TEST_KEY_IDS[0])
+                                                       .clone().build();
+
+        new AwsCrypto().encryptData(mkp, new byte[0]);
+
+        ArgumentCaptor<Request> captor = ArgumentCaptor.forClass(Request.class);
+        verify(handler, atLeastOnce()).beforeRequest(captor.capture());
+
+        String ua = (String)captor.getValue().getHeaders().get("User-Agent");
+
+        assertTrue(ua.contains("TEST-UA-PREFIX"));
+        assertTrue(ua.contains("TEST-UA-SUFFIX"));
+        assertTrue(ua.contains(VersionInfo.USER_AGENT));
+    }
+
     @Test
     public void whenDefaultRegionSet_itIsUsedForBareKeyIds() throws Exception {
         // TODO: Need to set up a role to assume as bare key IDs are relative to the caller account

src/test/java/com/amazonaws/services/kms/KMSProviderBuilderMockTests.java

@@ -23,8 +23,11 @@
 import org.junit.Test;
 import org.mockito.ArgumentCaptor;
 
+import com.amazonaws.AmazonWebServiceRequest;
+import com.amazonaws.RequestClientOptions;
 import com.amazonaws.encryptionsdk.AwsCrypto;
 import com.amazonaws.encryptionsdk.MasterKeyProvider;
+import com.amazonaws.encryptionsdk.internal.VersionInfo;
 import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
 import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
 import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider.RegionalClientSupplier;
@@ -157,4 +160,37 @@ public void testLegacyGrantTokenPassthrough() throws Exception {
         assertFalse(grantTokens.contains("x"));
         assertFalse(grantTokens.contains("z"));
     }
+
+    @Test
+    public void testUserAgentPassthrough() throws Exception {
+        MockKMSClient client = spy(new MockKMSClient());
+
+        String key1 = client.createKey().getKeyMetadata().getArn();
+        String key2 = client.createKey().getKeyMetadata().getArn();
+
+        KmsMasterKeyProvider mkp = KmsMasterKeyProvider.builder()
+                                                       .withKeysForEncryption(key1, key2)
+                                                       .withCustomClientFactory(ignored -> client)
+                                                       .build();
+
+        new AwsCrypto().decryptData(mkp, new AwsCrypto().encryptData(mkp, new byte[0]).getResult());
+
+        ArgumentCaptor<GenerateDataKeyRequest> gdkr = ArgumentCaptor.forClass(GenerateDataKeyRequest.class);
+        verify(client, times(1)).generateDataKey(gdkr.capture());
+        assertTrue(getUA(gdkr.getValue()).contains(VersionInfo.USER_AGENT));
+
+        ArgumentCaptor<EncryptRequest> encr = ArgumentCaptor.forClass(EncryptRequest.class);
+        verify(client, times(1)).encrypt(encr.capture());
+        assertTrue(getUA(encr.getValue()).contains(VersionInfo.USER_AGENT));
+
+        ArgumentCaptor<DecryptRequest> decr = ArgumentCaptor.forClass(DecryptRequest.class);
+        verify(client, times(1)).decrypt(decr.capture());
+        assertTrue(getUA(decr.getValue()).contains(VersionInfo.USER_AGENT));
+    }
+
+    private String getUA(AmazonWebServiceRequest request) {
+        // Note: This test may break in future versions of the AWS SDK, as Marker is documented as being for internal
+        // use only.
+        return request.getRequestClientOptions().getClientMarker(RequestClientOptions.Marker.USER_AGENT);
+    }
 }