feat: add nucleus connectivity validation

Author: Tianci Shen

src/main/java/com/aws/greengrass/deployment/DeploymentConfigMerger.java

@@ -27,12 +27,26 @@
 import com.aws.greengrass.lifecyclemanager.exceptions.ServiceLoadException;
 import com.aws.greengrass.logging.api.Logger;
 import com.aws.greengrass.logging.impl.LogManager;
+import com.aws.greengrass.mqttclient.MqttClient;
+import com.aws.greengrass.security.SecurityService;
+import com.aws.greengrass.security.exceptions.MqttConnectionProviderException;
 import com.aws.greengrass.util.Coerce;
+import com.aws.greengrass.util.ProxyUtils;
+import com.aws.greengrass.util.Utils;
 import lombok.AccessLevel;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
+import software.amazon.awssdk.crt.http.HttpProxyOptions;
+import software.amazon.awssdk.crt.io.ClientTlsContext;
+import software.amazon.awssdk.crt.io.SocketOptions;
+import software.amazon.awssdk.crt.io.TlsContextOptions;
+import software.amazon.awssdk.crt.mqtt.MqttClientConnection;
+import software.amazon.awssdk.crt.mqtt.MqttException;
+import software.amazon.awssdk.iot.AwsIotMqttConnectionBuilder;
 import software.amazon.awssdk.services.greengrassv2.model.DeploymentComponentUpdatePolicyAction;
 
+import java.time.Duration;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -47,9 +61,17 @@
 import javax.inject.Inject;
 
 import static com.aws.greengrass.componentmanager.KernelConfigResolver.CONFIGURATION_CONFIG_KEY;
+import static com.aws.greengrass.deployment.DeviceConfiguration.DEVICE_MQTT_NAMESPACE;
+import static com.aws.greengrass.deployment.DeviceConfiguration.DEVICE_NETWORK_PROXY_NAMESPACE;
 import static com.aws.greengrass.deployment.DeviceConfiguration.DEVICE_PARAM_AWS_REGION;
 import static com.aws.greengrass.deployment.DeviceConfiguration.DEVICE_PARAM_IOT_CRED_ENDPOINT;
 import static com.aws.greengrass.deployment.DeviceConfiguration.DEVICE_PARAM_IOT_DATA_ENDPOINT;
+import static com.aws.greengrass.deployment.DeviceConfiguration.DEVICE_PARAM_NO_PROXY_ADDRESSES;
+import static com.aws.greengrass.deployment.DeviceConfiguration.DEVICE_PARAM_PROXY_URL;
+import static com.aws.greengrass.deployment.DeviceConfiguration.DEVICE_PARAM_PROXY_USERNAME;
+import static com.aws.greengrass.deployment.DeviceConfiguration.DEVICE_PARAM_PROXY_PASSWORD;
+import static com.aws.greengrass.deployment.DeviceConfiguration.DEVICE_PROXY_NAMESPACE;
+import static com.aws.greengrass.deployment.DynamicComponentConfigurationValidator.DEFAULT_TIMEOUT_SECOND;
 import static com.aws.greengrass.lifecyclemanager.GreengrassService.SERVICES_NAMESPACE_TOPIC;
 import static com.aws.greengrass.lifecyclemanager.GreengrassService.SERVICE_NAME_KEY;
 
@@ -66,6 +88,9 @@ public class DeploymentConfigMerger {
     private Kernel kernel;
     private DeviceConfiguration deviceConfiguration;
     private DynamicComponentConfigurationValidator validator;
+    private MqttClient mqttClient;
+    private ThingGroupHelper thingGroupHelper;
+    private SecurityService securityService;
 
     /**
      * Merge in new configuration values and new services.
@@ -143,7 +168,8 @@ private void updateActionForDeployment(Map<String, Object> newConfig, Deployment
         }
 
         // Validate the AWS region, IoT credentials endpoint as well as the IoT data endpoint.
-        if (!validateNucleusConfig(totallyCompleteFuture, nucleusConfig)) {
+        if (!validateNucleusConfig(totallyCompleteFuture, nucleusConfig,
+                deployment.getDeploymentDocumentObj().getConfigurationValidationPolicy().timeoutInSeconds())) {
             return;
         }
 
@@ -153,7 +179,7 @@ private void updateActionForDeployment(Map<String, Object> newConfig, Deployment
     }
 
     private boolean validateNucleusConfig(CompletableFuture<DeploymentResult> totallyCompleteFuture,
-                                          Map<String, Object> nucleusConfig) {
+                                          Map<String, Object> nucleusConfig, Integer timeoutSec) {
         if (nucleusConfig != null) {
             String awsRegion = tryGetAwsRegionFromNewConfig(nucleusConfig);
             String iotCredEndpoint = tryGetIoTCredEndpointFromNewConfig(nucleusConfig);
@@ -166,10 +192,111 @@ private boolean validateNucleusConfig(CompletableFuture<DeploymentResult> totall
                         .complete(new DeploymentResult(DeploymentResult.DeploymentStatus.FAILED_NO_STATE_CHANGE, e));
                 return false;
             }
+
+            long configTimeout = Duration.ofSeconds(DEFAULT_TIMEOUT_SECOND).toMillis();
+            if (timeoutSec != null) {
+                configTimeout = Duration.ofSeconds(timeoutSec).toMillis();
+            }
+
+            if (configTimeout == 0
+                    || !deviceConfiguration.isDeviceConfiguredToTalkToCloud()) {
+                logger.atDebug().log("Skipping connectivity validation");
+                return true;
+            }
+            try {
+                // Check that MQTT client has reconnected
+                logger.atDebug().log("Checking MQTT Reconnected");
+//                mqttClient.waitForReconnect(configTimeout);
+                MqttClientConnection connection = createMqttConnection(nucleusConfig);
+                // TODO - pass connection into ScheduledExecuterService for wait and retry
+                connection.connect().get();
+
+                // Check that HTTP client works
+                logger.atDebug().log("Checking HTTP Reconnected");
+                // TODO - create new http client
+//                thingGroupHelper.waitForReconnect(configTimeout);
+            } catch (Exception e) {
+                logger.atError().cause(e).log("Nucleus connectivity validation failed");
+                totallyCompleteFuture
+                        .complete(new DeploymentResult(DeploymentResult.DeploymentStatus.FAILED_NO_STATE_CHANGE, e));
+                return false;
+            }
         }
         return true;
     }
 
+    private MqttClientConnection createMqttConnection(Map<String, Object> nucleusConfig) {
+        AwsIotMqttConnectionBuilder builder;
+        try {
+            builder = securityService.getDeviceIdentityMqttConnectionBuilder();
+        } catch (MqttConnectionProviderException e) {
+            throw new MqttException(e.getMessage());
+        }
+
+        // get mqtt values from nucleus config to construct a MQTT client
+        Map<String, Object> mqtt = (Map<String, Object>) nucleusConfig.get(DEVICE_MQTT_NAMESPACE);
+        int pingTimeoutMs = Coerce.toInt(mqtt.getOrDefault(MqttClient.MQTT_PING_TIMEOUT_KEY, MqttClient.DEFAULT_MQTT_PING_TIMEOUT));
+        int keepAliveMs = Coerce.toInt(mqtt.getOrDefault(MqttClient.MQTT_KEEP_ALIVE_TIMEOUT_KEY, MqttClient.DEFAULT_MQTT_KEEP_ALIVE_TIMEOUT));
+        if (keepAliveMs != 0 && keepAliveMs <= pingTimeoutMs) {
+            throw new MqttException(String.format("%s must be greater than %s",
+                    MqttClient.MQTT_KEEP_ALIVE_TIMEOUT_KEY, MqttClient.MQTT_PING_TIMEOUT_KEY));
+        }
+        String rootCaPath = Coerce.toString(deviceConfiguration.getRootCAFilePath());
+        String endpoint = Coerce.toString(nucleusConfig.get(DEVICE_PARAM_IOT_DATA_ENDPOINT));
+        short port = (short) Coerce.toInt(mqtt.getOrDefault(MqttClient.MQTT_PORT_KEY, MqttClient.DEFAULT_MQTT_PORT));
+        int operationTimeout = Coerce.toInt(mqtt.getOrDefault(MqttClient.MQTT_OPERATION_TIMEOUT_KEY, MqttClient.DEFAULT_MQTT_OPERATION_TIMEOUT));
+        int socketTimeout = Coerce.toInt(mqtt.getOrDefault(MqttClient.MQTT_SOCKET_TIMEOUT_KEY, MqttClient.DEFAULT_MQTT_SOCKET_TIMEOUT));
+
+        builder.withCertificateAuthorityFromPath(null, rootCaPath)
+                .withClientId("test-id")
+                .withEndpoint(endpoint)
+                .withPort(port)
+                .withCleanSession(true)
+                .withKeepAliveMs(keepAliveMs)
+                .withProtocolOperationTimeoutMs(operationTimeout)
+                .withPingTimeoutMs(pingTimeoutMs)
+                .withSocketOptions(new SocketOptions()).withTimeoutMs(socketTimeout);
+
+        // add proxy settings if needed
+        Map<String, Object> networkProxy = (Map<String, Object>) nucleusConfig.get(DEVICE_NETWORK_PROXY_NAMESPACE);
+        Map<String, Object> proxy = (Map<String, Object>) networkProxy.get(DEVICE_PROXY_NAMESPACE);
+        String proxyUrl = Coerce.toString(proxy.get(DEVICE_PARAM_PROXY_URL));
+        if (!Utils.isEmpty(proxyUrl)) {
+            HttpProxyOptions httpProxyOptions = new HttpProxyOptions();
+            httpProxyOptions.setHost(ProxyUtils.getHostFromProxyUrl(proxyUrl));
+            httpProxyOptions.setPort(ProxyUtils.getPortFromProxyUrl(proxyUrl));
+            httpProxyOptions.setConnectionType(HttpProxyOptions.HttpProxyConnectionType.Tunneling);
+
+            if ("https".equalsIgnoreCase(ProxyUtils.getSchemeFromProxyUrl(proxyUrl))) {
+                TlsContextOptions proxyTlsOptions = MqttClient.getTlsContextOptions(rootCaPath);
+                ClientTlsContext tlsContext = new ClientTlsContext(proxyTlsOptions);
+                httpProxyOptions.setTlsContext(tlsContext);
+            }
+
+            String username = Coerce.toString(proxy.getOrDefault(DEVICE_PARAM_PROXY_USERNAME, ""));
+            String password = Coerce.toString(proxy.getOrDefault(DEVICE_PARAM_PROXY_PASSWORD, ""));
+            String proxyUsername = ProxyUtils.getProxyUsername(proxyUrl, username);
+            if (Utils.isNotEmpty(proxyUsername)) {
+                httpProxyOptions.setAuthorizationType(HttpProxyOptions.HttpProxyAuthorizationType.Basic);
+                httpProxyOptions.setAuthorizationUsername(proxyUsername);
+                httpProxyOptions
+                        .setAuthorizationPassword(ProxyUtils.getProxyPassword(proxyUrl, password));
+            }
+
+            String noProxy = Coerce.toString(proxy.getOrDefault(DEVICE_PARAM_NO_PROXY_ADDRESSES, ""));
+            boolean useProxy = true;
+            // Only use the proxy when the endpoint we're connecting to is not in the NoProxyAddress list
+            if (Utils.isNotEmpty(noProxy) && Utils.isNotEmpty(endpoint)) {
+                useProxy = Arrays.stream(noProxy.split(",")).noneMatch(endpoint::matches);
+            }
+            if (useProxy) {
+                builder.withHttpProxyOptions(httpProxyOptions);
+            }
+        }
+
+        return builder.build();
+    }
+
     /**
      * Completes the provided future when all of the listed services are running.
      *
@@ -307,7 +434,6 @@ public AggregateServicesChangeManager createRollbackManager() {
 
         /**
          * Start the new services the merge intends to add.
-         *
          */
         public void startNewServices() {
             for (String serviceName : servicesToAdd) {

src/main/java/com/aws/greengrass/deployment/ThingGroupHelper.java

@@ -5,6 +5,8 @@
 
 package com.aws.greengrass.deployment;
 
+import com.aws.greengrass.deployment.errorcode.DeploymentErrorCode;
+import com.aws.greengrass.deployment.exceptions.ComponentConfigurationValidationException;
 import com.aws.greengrass.deployment.exceptions.DeviceConfigurationException;
 import com.aws.greengrass.deployment.exceptions.RetryableServerErrorException;
 import com.aws.greengrass.logging.api.Logger;
@@ -102,4 +104,41 @@ public Optional<Set<String>> listThingGroupsForDevice(int maxAttemptCount) throw
             return Optional.of(thingGroupNames);
         }, "get-thing-group-hierarchy", logger);
     }
+
+    public void waitForReconnect(long timeoutMillis) throws Exception {
+        if (!deviceConfiguration.isDeviceConfiguredToTalkToCloud()) {
+            return;
+        }
+        Duration initialInterval = Duration.ofMillis(timeoutMillis / 8);
+        Duration maxRetryInterval = Duration.ofMillis(timeoutMillis / 4);
+
+        try {
+            RetryUtils.runWithRetry(clientExceptionRetryConfig.toBuilder()
+                            .maxAttempt(3)
+                            .initialRetryInterval(initialInterval)
+                            .maxRetryInterval(maxRetryInterval)
+                            .build(),
+                    () -> {
+                        ListThingGroupsForCoreDeviceRequest request = ListThingGroupsForCoreDeviceRequest.builder()
+                                .coreDeviceThingName(Coerce.toString(deviceConfiguration.getThingName()))
+                                .build();
+
+                        ListThingGroupsForCoreDeviceResponse response;
+                        try {
+                            response =
+                                    clientFactory.fetchGreengrassV2DataClient().listThingGroupsForCoreDevice(request);
+                        } catch (GreengrassV2DataException e) {
+                            if (RetryUtils.retryErrorCodes(e.statusCode())) {
+                                throw new RetryableServerErrorException("Failed with retryable error " + e.statusCode()
+                                        + " when calling listThingGroupsForCoreDevice", e);
+                            }
+                            throw e;
+                        }
+                        return response;
+                    }, "get-thing-group-hierarchy", logger);
+        } catch (Exception e) {
+            throw new ComponentConfigurationValidationException("HTTP client failed to reconnect with new configuration: " + e,
+                    DeploymentErrorCode.FAILED_TO_RECONNECT);
+        }
+    }
 }

src/main/java/com/aws/greengrass/deployment/errorcode/DeploymentErrorCode.java

@@ -87,6 +87,7 @@ public enum DeploymentErrorCode {
     UNSUPPORTED_REGION(DeploymentErrorType.REQUEST_ERROR),
     IOT_CRED_ENDPOINT_FORMAT_NOT_VALID(DeploymentErrorType.REQUEST_ERROR),
     IOT_DATA_ENDPOINT_FORMAT_NOT_VALID(DeploymentErrorType.REQUEST_ERROR),
+    FAILED_TO_RECONNECT(DeploymentErrorType.REQUEST_ERROR),
 
     /* Docker issues */
     DOCKER_ERROR(DeploymentErrorType.DEPENDENCY_ERROR),

src/main/java/com/aws/greengrass/mqttclient/MqttClient.java

@@ -8,6 +8,8 @@
 import com.aws.greengrass.config.Topics;
 import com.aws.greengrass.config.WhatHappened;
 import com.aws.greengrass.deployment.DeviceConfiguration;
+import com.aws.greengrass.deployment.errorcode.DeploymentErrorCode;
+import com.aws.greengrass.deployment.exceptions.ComponentConfigurationValidationException;
 import com.aws.greengrass.lifecyclemanager.Kernel;
 import com.aws.greengrass.logging.api.LogEventBuilder;
 import com.aws.greengrass.logging.api.Logger;
@@ -94,18 +96,18 @@
 @SuppressWarnings({"PMD.AvoidDuplicateLiterals"})
 public class MqttClient implements Closeable {
     private static final Logger logger = LogManager.getLogger(MqttClient.class);
-    static final String MQTT_KEEP_ALIVE_TIMEOUT_KEY = "keepAliveTimeoutMs";
-    static final int DEFAULT_MQTT_KEEP_ALIVE_TIMEOUT = (int) Duration.ofSeconds(60).toMillis();
-    static final String MQTT_PING_TIMEOUT_KEY = "pingTimeoutMs";
-    private static final int DEFAULT_MQTT_PING_TIMEOUT = (int) Duration.ofSeconds(30).toMillis();
+    public static final String MQTT_KEEP_ALIVE_TIMEOUT_KEY = "keepAliveTimeoutMs";
+    public static final int DEFAULT_MQTT_KEEP_ALIVE_TIMEOUT = (int) Duration.ofSeconds(60).toMillis();
+    public static final String MQTT_PING_TIMEOUT_KEY = "pingTimeoutMs";
+    public static final int DEFAULT_MQTT_PING_TIMEOUT = (int) Duration.ofSeconds(30).toMillis();
     private static final String MQTT_THREAD_POOL_SIZE_KEY = "threadPoolSize";
     public static final int DEFAULT_MQTT_PORT = 8883;
     public static final String MQTT_PORT_KEY = "port";
-    private static final String MQTT_SOCKET_TIMEOUT_KEY = "socketTimeoutMs";
+    public static final String MQTT_SOCKET_TIMEOUT_KEY = "socketTimeoutMs";
     // Default taken from AWS SDK
-    private static final int DEFAULT_MQTT_SOCKET_TIMEOUT = (int) Duration.ofSeconds(3).toMillis();
-    static final String MQTT_OPERATION_TIMEOUT_KEY = "operationTimeoutMs";
-    static final int DEFAULT_MQTT_OPERATION_TIMEOUT = (int) Duration.ofSeconds(30).toMillis();
+    public static final int DEFAULT_MQTT_SOCKET_TIMEOUT = (int) Duration.ofSeconds(3).toMillis();
+    public static final String MQTT_OPERATION_TIMEOUT_KEY = "operationTimeoutMs";
+    public static final int DEFAULT_MQTT_OPERATION_TIMEOUT = (int) Duration.ofSeconds(30).toMillis();
     static final int DEFAULT_MQTT_CLOSE_TIMEOUT = (int) Duration.ofSeconds(2).toMillis();
     static final String MQTT_MAX_IN_FLIGHT_PUBLISHES_KEY = "maxInFlightPublishes";
     static final int DEFAULT_MAX_IN_FLIGHT_PUBLISHES = 5;
@@ -159,6 +161,7 @@ public class MqttClient implements Closeable {
     private int maxPublishRetryCount;
     private int maxPublishMessageSize;
     private final AtomicBoolean isClosed = new AtomicBoolean(false);
+    private boolean isReconnected = true;
 
     @Getter(AccessLevel.PROTECTED)
     private final MqttClientConnectionEvents callbacks = new MqttClientConnectionEvents() {
@@ -312,6 +315,7 @@ protected MqttClient(DeviceConfiguration deviceConfiguration,
 
                 logger.atDebug().kv("modifiedNode", node.getFullName()).kv("changeType", what)
                         .log("Reconfiguring MQTT clients");
+                isReconnected = false;
                 return false;
             }, (what) -> {
                 validateAndSetMqttPublishConfiguration();
@@ -351,6 +355,9 @@ protected MqttClient(DeviceConfiguration deviceConfiguration,
                                         .log("Error while reconnecting MQTT client");
                             }
                         }
+                        if (brokenConnections.isEmpty()){
+                            isReconnected = true;
+                        }
                     } while (!brokenConnections.isEmpty());
                 }, 1, TimeUnit.SECONDS));
 
@@ -390,7 +397,7 @@ public MqttClient(DeviceConfiguration deviceConfiguration, Spool spool, boolean
         validateAndSetMqttPublishConfiguration();
     }
 
-    private TlsContextOptions getTlsContextOptions(String rootCaPath) {
+    public static TlsContextOptions getTlsContextOptions(String rootCaPath) {
         return Utils.isNotEmpty(rootCaPath)
                 ? TlsContextOptions.createDefaultClient().withCertificateAuthorityFromPath(null, rootCaPath)
                 : TlsContextOptions.createDefaultClient();