smithy-lang
diff --git a/‎aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentityCache.java‎
Lines changed: 11 additions & 0 deletions b/‎aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentityCache.java‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentityProvider.java‎
Lines changed: 21 additions & 7 deletions b/‎aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentityProvider.java‎
Lines changed: 21 additions & 7 deletions
diff --git a/‎aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3VirtualHostStyleInterceptor.java‎
Lines changed: 3 additions & 0 deletions b/‎aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3VirtualHostStyleInterceptor.java‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎aws/aws-sigv4-s3express/src/test/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentityProviderTest.java‎
Lines changed: 88 additions & 0 deletions b/‎aws/aws-sigv4-s3express/src/test/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentityProviderTest.java‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎aws/aws-sigv4-s3express/src/test/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3VirtualHostStyleInterceptorTest.java‎
Lines changed: 131 additions & 0 deletions b/‎aws/aws-sigv4-s3express/src/test/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3VirtualHostStyleInterceptorTest.java‎
Lines changed: 131 additions & 0 deletions
@@ -96,6 +96,17 @@ private void evictLeastRecentlyUsed() {
         }
     }
 
+    void invalidateAll() {
+        writeLock.lock();
+        try {
+            for (var entry : entries.values()) {
+                entry.resolver.invalidate();
+            }
+        } finally {
+            writeLock.unlock();
+        }
+    }
+
     @Override
     public void close() {
         writeLock.lock();
 
@@ -6,6 +6,9 @@
 package software.amazon.smithy.java.aws.client.auth.scheme.s3express;
 
 import java.util.Objects;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.atomic.AtomicInteger;
 import software.amazon.smithy.java.auth.api.identity.CachingIdentityResolver;
 import software.amazon.smithy.java.auth.api.identity.IdentityResolver;
 import software.amazon.smithy.java.auth.api.identity.IdentityResult;
@@ -32,6 +35,13 @@
  */
 public final class S3ExpressIdentityProvider implements IdentityResolver<S3ExpressIdentity> {
 
+    private static final AtomicInteger THREAD_COUNTER = new AtomicInteger();
+    private static final ScheduledExecutorService REFRESH_EXECUTOR = Executors.newSingleThreadScheduledExecutor(r -> {
+        Thread t = new Thread(r, "smithy-s3express-session-refresh-" + THREAD_COUNTER.incrementAndGet());
+        t.setDaemon(true);
+        return t;
+    });
+
     private final IdentityResolver<AwsCredentialsIdentity> baseIdentityProvider;
     private final S3ExpressIdentityCache cache;
 
@@ -50,7 +60,7 @@ public S3ExpressIdentityProvider(
         this.cache = new S3ExpressIdentityCache(key -> buildPerBucketResolver(key, createSession));
     }
 
-    private static CachingIdentityResolver<S3ExpressIdentity> buildPerBucketResolver(
+    private CachingIdentityResolver<S3ExpressIdentity> buildPerBucketResolver(
             S3ExpressIdentityKey key,
             CreateSessionCallback createSession
     ) {
@@ -69,7 +79,9 @@ public Class<S3ExpressIdentity> identityType() {
                 return S3ExpressIdentity.class;
             }
         };
-        return CachingIdentityResolver.builder(delegate).build();
+        return CachingIdentityResolver.builder(delegate)
+                .executor(REFRESH_EXECUTOR)
+                .build();
     }
 
     @Override
@@ -85,9 +97,13 @@ public IdentityResult<S3ExpressIdentity> resolveIdentity(Context requestProperti
         IdentityResult<AwsCredentialsIdentity> baseResult = baseIdentityProvider.resolveIdentity(requestProperties);
         AwsCredentialsIdentity base = baseResult.identity();
         if (base == null) {
+            String baseError = baseResult.error();
+            Class<?> resolver = baseResult.resolver() == null ? getClass() : baseResult.resolver();
             return IdentityResult.ofError(
-                    getClass(),
-                    "Could not resolve base AWS credentials for S3 Express CreateSession");
+                    resolver,
+                    baseError == null
+                            ? "Could not resolve base AWS credentials for S3 Express CreateSession"
+                            : "Could not resolve base AWS credentials for S3 Express CreateSession: " + baseError);
         }
 
         var perBucket = cache.get(new S3ExpressIdentityKey(bucket, base));
@@ -101,8 +117,6 @@ public Class<S3ExpressIdentity> identityType() {
 
     @Override
     public void invalidate() {
-        // Per-bucket resolvers manage their own validity; punting on global invalidation for now.
-        // If/when an auth-failure interceptor needs to invalidate, we can extend this to clear
-        // the bucket entry for the call's specific (bucket, identity) key.
+        cache.invalidateAll();
     }
 }
@@ -56,6 +56,9 @@ public <RequestT> RequestT modifyBeforeSigning(RequestHook<?, ?, RequestT> hook)
         if (!path.startsWith(prefix)) {
             return hook.request();
         }
+        if (path.length() > prefix.length() && path.charAt(prefix.length()) != '/') {
+            return hook.request();
+        }
         String rest = path.substring(prefix.length());
         // "/<bucket>" → "/" (CreateSession-shaped), "/<bucket>/key" → "/key".
         if (rest.isEmpty()) {
 
@@ -0,0 +1,88 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package software.amazon.smithy.java.aws.client.auth.scheme.s3express;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
+
+import java.util.concurrent.atomic.AtomicInteger;
+import org.junit.jupiter.api.Test;
+import software.amazon.smithy.java.auth.api.identity.IdentityResolver;
+import software.amazon.smithy.java.auth.api.identity.IdentityResult;
+import software.amazon.smithy.java.aws.auth.api.identity.AwsCredentialsIdentity;
+import software.amazon.smithy.java.context.Context;
+
+class S3ExpressIdentityProviderTest {
+
+    @Test
+    void invalidateClearsCachedSessions() {
+        var sessionCount = new AtomicInteger();
+        var provider = new S3ExpressIdentityProvider(
+                staticBaseIdentity(),
+                (bucket, baseCredentials) -> S3ExpressIdentity.create(
+                        "SESSION-" + sessionCount.incrementAndGet(),
+                        "secret",
+                        "token",
+                        null));
+        var context = contextWithBucket("bucket");
+
+        var first = provider.resolveIdentity(context).identity();
+        var cached = provider.resolveIdentity(context).identity();
+        provider.invalidate();
+        var refreshed = provider.resolveIdentity(context).identity();
+
+        assertThat(cached, is(first));
+        assertThat(refreshed.accessKeyId(), equalTo("SESSION-2"));
+        assertThat(sessionCount.get(), equalTo(2));
+    }
+
+    @Test
+    void preservesBaseIdentityError() {
+        IdentityResolver<AwsCredentialsIdentity> failingBase = new IdentityResolver<>() {
+            @Override
+            public IdentityResult<AwsCredentialsIdentity> resolveIdentity(Context requestProperties) {
+                return IdentityResult.ofError(getClass(), "missing base creds");
+            }
+
+            @Override
+            public Class<AwsCredentialsIdentity> identityType() {
+                return AwsCredentialsIdentity.class;
+            }
+        };
+        var provider = new S3ExpressIdentityProvider(
+                failingBase,
+                (bucket, baseCredentials) -> {
+                    throw new AssertionError("CreateSession should not be called");
+                });
+
+        var result = provider.resolveIdentity(contextWithBucket("bucket"));
+
+        assertThat(result.resolver(), equalTo(failingBase.getClass()));
+        assertThat(result.error(), containsString("missing base creds"));
+    }
+
+    private static IdentityResolver<AwsCredentialsIdentity> staticBaseIdentity() {
+        return new IdentityResolver<>() {
+            @Override
+            public IdentityResult<AwsCredentialsIdentity> resolveIdentity(Context requestProperties) {
+                return IdentityResult.of(AwsCredentialsIdentity.create("AKID", "secret"));
+            }
+
+            @Override
+            public Class<AwsCredentialsIdentity> identityType() {
+                return AwsCredentialsIdentity.class;
+            }
+        };
+    }
+
+    private static Context contextWithBucket(String bucket) {
+        var context = Context.create();
+        context.put(S3ExpressContext.BUCKET, bucket);
+        return context;
+    }
+}
@@ -0,0 +1,131 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package software.amazon.smithy.java.aws.client.auth.scheme.s3express;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.sameInstance;
+
+import java.net.URI;
+import java.util.List;
+import org.junit.jupiter.api.Test;
+import software.amazon.smithy.java.client.core.interceptors.RequestHook;
+import software.amazon.smithy.java.context.Context;
+import software.amazon.smithy.java.core.schema.ApiOperation;
+import software.amazon.smithy.java.core.schema.ApiService;
+import software.amazon.smithy.java.core.schema.Schema;
+import software.amazon.smithy.java.core.schema.SerializableStruct;
+import software.amazon.smithy.java.core.schema.ShapeBuilder;
+import software.amazon.smithy.java.core.serde.ShapeSerializer;
+import software.amazon.smithy.java.core.serde.TypeRegistry;
+import software.amazon.smithy.java.http.api.HttpRequest;
+import software.amazon.smithy.java.http.api.HttpVersion;
+import software.amazon.smithy.model.shapes.ShapeId;
+
+class S3VirtualHostStyleInterceptorTest {
+
+    @Test
+    void stripsBucketOnlyAtPathSegmentBoundary() {
+        var request = request("/bucket/key");
+        var result = intercept(request, "bucket");
+
+        assertThat(result.uri().getPath(), equalTo("/key"));
+    }
+
+    @Test
+    void doesNotStripBucketPrefixFromLongerPathSegment() {
+        var request = request("/bucket-extra/key");
+        var result = intercept(request, "bucket");
+
+        assertThat(result, sameInstance(request));
+    }
+
+    @Test
+    void stripsBucketOnlyPathToRoot() {
+        var result = intercept(request("/bucket"), "bucket");
+
+        assertThat(result.uri().getPath(), equalTo("/"));
+    }
+
+    private static HttpRequest intercept(HttpRequest request, String bucket) {
+        var context = Context.create();
+        context.put(S3ExpressContext.BUCKET, bucket);
+        var hook = new RequestHook<>(operation(), context, new Input(), request);
+        return S3VirtualHostStyleInterceptor.INSTANCE.modifyBeforeSigning(hook);
+    }
+
+    private static HttpRequest request(String path) {
+        return HttpRequest.create()
+                .setMethod("GET")
+                .setHttpVersion(HttpVersion.HTTP_1_1)
+                .setUri(URI.create("https://example.com" + path))
+                .toUnmodifiable();
+    }
+
+    private static ApiOperation<Input, Input> operation() {
+        return new ApiOperation<>() {
+            @Override
+            public ShapeBuilder<Input> inputBuilder() {
+                return null;
+            }
+
+            @Override
+            public ShapeBuilder<Input> outputBuilder() {
+                return null;
+            }
+
+            @Override
+            public Schema schema() {
+                return null;
+            }
+
+            @Override
+            public Schema inputSchema() {
+                return null;
+            }
+
+            @Override
+            public Schema outputSchema() {
+                return null;
+            }
+
+            @Override
+            public TypeRegistry errorRegistry() {
+                return null;
+            }
+
+            @Override
+            public List<ShapeId> effectiveAuthSchemes() {
+                return List.of();
+            }
+
+            @Override
+            public List<Schema> errorSchemas() {
+                return List.of();
+            }
+
+            @Override
+            public ApiService service() {
+                return null;
+            }
+        };
+    }
+
+    private static final class Input implements SerializableStruct {
+        @Override
+        public Schema schema() {
+            return null;
+        }
+
+        @Override
+        public void serializeMembers(ShapeSerializer serializer) {}
+
+        @Override
+        public <T> T getMemberValue(Schema member) {
+            return null;
+        }
+    }
+}