SigV4 Authentication support for http exporter (#1046)

**Background**
Supporting ADOT auto instrumentation to automatically inject SigV4
authentication headers for outgoing export trace requests to the allow
exporting to the AWS XRay OTLP endpoint. Users will need to configure
the following environment variables in order to enable and properly run
this exporter:


OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=https://xray.[AWS-REGION].amazonaws.com/v1/traces;
**required**
OTEL_EXPORTER_OTLP_TRACES_PROTOCOL=http/protobuf **required**
OTEL_LOGS_EXPORTER=none; 
OTEL_METRICS_EXPORTER=none;

**Description of changes:**
1. Added new OtlpAwsSpanExporter class which uses composition to extend
upstream's OtlpHttpSpanExporter which is responsible for making the
http/grpc client calls to export traces to the given endpoint.

2. The OtlpAwsSpanExporter customizes the headers by adding an
intermediary step to sign the request with SigV4 authentication and
injects the signed headers to the outgoing trace request

3. In order to ensure we don't override any user configurations from
environment variables, the OtlpAwsSpanExporter constructor copies any
existing configurations create by upstream's auto instrumentation except
for the following environment variable:
OTEL_EXPORTER_OTLP_TRACES_HEADERS

Any headers set here will not be acknowledged within this exporter.

4. The ADOT auto instrumentation is now configured to automatically
detect if a user is exporting to XRay OTLP endpoint by checking if the
environment variable OTEL_EXPORTER_OTLP_TRACES_ENDPOINT is configured to
match this url pattern:
https://xray.[AWS-REGION].amazonaws.com/v1/traces

AND by checking if 
OTEL_EXPORTER_OTLP_TRACES_PROTOCOL is set to http/protobuf


**Testing:**
1. Unit tests were added to ensure that the behavior of the exporter was
properly injecting SigV4 headers before making the outgoing request
2. Manual testing was done by configuring the above environment
variables and setting up the sample app locally with ADOT auto
instrumentation and verified the spans in CW Logs.
3. The sample app was run and rerun 30 times and confirmed issues
exporting the traces to the endpoint

Further testing will be done with the Release tests.


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Author: liustve

awsagentprovider/build.gradle.kts

@@ -45,12 +45,17 @@ dependencies {
   // For Udp emitter
   compileOnly("io.opentelemetry:opentelemetry-exporter-otlp-common")
 
+  // For OtlpAwsSpanExporter SigV4 Authentication
+  implementation("software.amazon.awssdk:auth")
+  implementation("software.amazon.awssdk:http-auth-aws")
+
   testImplementation("io.opentelemetry:opentelemetry-sdk-extension-autoconfigure")
   testImplementation("io.opentelemetry:opentelemetry-sdk-testing")
   testImplementation("io.opentelemetry:opentelemetry-extension-aws")
   testImplementation("io.opentelemetry:opentelemetry-extension-trace-propagators")
   testImplementation("com.google.guava:guava")
   testRuntimeOnly("io.opentelemetry:opentelemetry-exporter-otlp-common")
+  testImplementation("io.opentelemetry:opentelemetry-exporter-otlp")
 
   compileOnly("com.google.code.findbugs:jsr305:3.0.2")
   testImplementation("org.mockito:mockito-core:5.14.2")

awsagentprovider/src/main/java/software/amazon/opentelemetry/javaagent/providers/AwsApplicationSignalsCustomizerProvider.java

@@ -51,6 +51,7 @@
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.regex.Pattern;
 
 /**
  * This customizer performs the following customizations:
@@ -70,6 +71,8 @@
 public class AwsApplicationSignalsCustomizerProvider
     implements AutoConfigurationCustomizerProvider {
   static final String AWS_LAMBDA_FUNCTION_NAME_CONFIG = "AWS_LAMBDA_FUNCTION_NAME";
+  private static final String XRAY_OTLP_ENDPOINT_PATTERN =
+      "^https://xray\\.([a-z0-9-]+)\\.amazonaws\\.com/v1/traces$";
 
   private static final Duration DEFAULT_METRIC_EXPORT_INTERVAL = Duration.ofMinutes(1);
   private static final Logger logger =
@@ -95,6 +98,9 @@ public class AwsApplicationSignalsCustomizerProvider
   private static final String OTEL_JMX_TARGET_SYSTEM_CONFIG = "otel.jmx.target.system";
   private static final String OTEL_EXPORTER_OTLP_TRACES_ENDPOINT_CONFIG =
       "OTEL_EXPORTER_OTLP_TRACES_ENDPOINT";
+  private static final String OTEL_EXPORTER_HTTP_PROTOBUF_PROTOCOL = "http/protobuf";
+  private static final String OTEL_EXPORTER_OTLP_TRACES_PROTOCOL_CONFIG =
+      "OTEL_EXPORTER_OTLP_TRACES_PROTOCOL";
   private static final String AWS_XRAY_DAEMON_ADDRESS_CONFIG = "AWS_XRAY_DAEMON_ADDRESS";
   private static final String DEFAULT_UDP_ENDPOINT = "127.0.0.1:2000";
   private static final String OTEL_DISABLED_RESOURCE_PROVIDERS_CONFIG =
@@ -116,8 +122,10 @@ public class AwsApplicationSignalsCustomizerProvider
   // This is a bit of a magic number, as there is no simple way to tell how many spans can make a
   // 64KB batch since spans can vary in size.
   private static final int LAMBDA_SPAN_EXPORT_BATCH_SIZE = 10;
+  private static boolean isSigV4Enabled = false;
 
   public void customize(AutoConfigurationCustomizer autoConfiguration) {
+    isSigV4Enabled = AwsApplicationSignalsCustomizerProvider.isSigV4Enabled();
     autoConfiguration.addPropertiesCustomizer(this::customizeProperties);
     autoConfiguration.addPropertiesCustomizer(this::customizeLambdaEnvProperties);
     autoConfiguration.addResourceCustomizer(this::customizeResource);
@@ -131,6 +139,47 @@ static boolean isLambdaEnvironment() {
     return System.getenv(AWS_LAMBDA_FUNCTION_NAME_CONFIG) != null;
   }
 
+  static boolean isSigV4Enabled() {
+    String otlpEndpoint = System.getenv(OTEL_EXPORTER_OTLP_TRACES_ENDPOINT_CONFIG);
+    boolean isXrayOtlpEndpoint;
+    try {
+      isXrayOtlpEndpoint =
+          otlpEndpoint != null
+              && Pattern.compile(XRAY_OTLP_ENDPOINT_PATTERN)
+                  .matcher(otlpEndpoint.toLowerCase())
+                  .matches();
+
+      if (isXrayOtlpEndpoint) {
+        logger.log(Level.INFO, "Detected using AWS OTLP XRay Endpoint.");
+
+        String otlpTracesProtocol = System.getenv(OTEL_EXPORTER_OTLP_TRACES_PROTOCOL_CONFIG);
+
+        if (otlpTracesProtocol == null
+            || !otlpTracesProtocol.equals(OTEL_EXPORTER_HTTP_PROTOBUF_PROTOCOL)) {
+          logger.info(
+              String.format(
+                  "Improper configuration: Please configure your environment variables and export/set %s=%s",
+                  OTEL_EXPORTER_OTLP_TRACES_PROTOCOL_CONFIG, OTEL_EXPORTER_HTTP_PROTOBUF_PROTOCOL));
+          return false;
+        }
+
+        logger.info(
+            String.format(
+                "Proper configuration detected: Now exporting trace span data to %s",
+                otlpEndpoint));
+        return true;
+      }
+    } catch (Exception e) {
+      logger.log(
+          Level.WARNING,
+          String.format(
+              "Caught error while attempting to validate configuration to export traces to XRay OTLP endpoint: %s",
+              e.getMessage()));
+    }
+
+    return false;
+  }
+
   private boolean isApplicationSignalsEnabled(ConfigProperties configProps) {
     return configProps.getBoolean(
         APPLICATION_SIGNALS_ENABLED_CONFIG,
@@ -257,6 +306,10 @@ private SdkTracerProviderBuilder customizeTracerProviderBuilder(
         return tracerProviderBuilder;
       }
 
+      if (isSigV4Enabled) {
+        return tracerProviderBuilder;
+      }
+
       // Construct meterProvider
       MetricExporter metricsExporter =
           ApplicationSignalsExporterProvider.INSTANCE.createExporter(configProps);
@@ -323,6 +376,16 @@ private SpanExporter customizeSpanExporter(
       }
     }
 
+    // When running OTLP endpoint for X-Ray backend, use custom exporter for SigV4 authentication.
+    if (isSigV4Enabled) {
+      // can cast here since we've checked that the environment variable is
+      // set to http/protobuf
+      return OtlpAwsSpanExporterBuilder.create(
+              (OtlpHttpSpanExporter) spanExporter,
+              System.getenv(OTEL_EXPORTER_OTLP_TRACES_ENDPOINT_CONFIG))
+          .build();
+    }
+
     if (isApplicationSignalsEnabled(configProps)) {
       return AwsMetricAttributesSpanExporterBuilder.create(
               spanExporter, ResourceHolder.getResource())

awsagentprovider/src/main/java/software/amazon/opentelemetry/javaagent/providers/OtlpAwsSpanExporter.java

@@ -0,0 +1,179 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.opentelemetry.javaagent.providers;
+
+import io.opentelemetry.exporter.internal.otlp.traces.TraceRequestMarshaler;
+import io.opentelemetry.exporter.otlp.http.trace.OtlpHttpSpanExporter;
+import io.opentelemetry.exporter.otlp.http.trace.OtlpHttpSpanExporterBuilder;
+import io.opentelemetry.sdk.common.CompletableResultCode;
+import io.opentelemetry.sdk.common.export.MemoryMode;
+import io.opentelemetry.sdk.trace.data.SpanData;
+import io.opentelemetry.sdk.trace.export.SpanExporter;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.net.URI;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.StringJoiner;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.function.Supplier;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.annotation.Nonnull;
+import software.amazon.awssdk.auth.credentials.AwsCredentials;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
+import software.amazon.awssdk.http.SdkHttpFullRequest;
+import software.amazon.awssdk.http.SdkHttpMethod;
+import software.amazon.awssdk.http.SdkHttpRequest;
+import software.amazon.awssdk.http.auth.aws.signer.AwsV4HttpSigner;
+import software.amazon.awssdk.http.auth.spi.signer.SignedRequest;
+
+/**
+ * This exporter extends the functionality of the OtlpHttpSpanExporter to allow spans to be exported
+ * to the XRay OTLP endpoint https://xray.[AWSRegion].amazonaws.com/v1/traces. Utilizes the AWSSDK
+ * library to sign and directly inject SigV4 Authentication to the exported request's headers. <a
+ * href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-OTLPEndpoint.html">...</a>
+ */
+public class OtlpAwsSpanExporter implements SpanExporter {
+  private static final String SERVICE_NAME = "xray";
+  private static final Logger logger = Logger.getLogger(OtlpAwsSpanExporter.class.getName());
+
+  private final OtlpHttpSpanExporterBuilder parentExporterBuilder;
+  private final OtlpHttpSpanExporter parentExporter;
+  private final AtomicReference<Collection<SpanData>> spanData;
+  private final String awsRegion;
+  private final String endpoint;
+
+  static OtlpAwsSpanExporter getDefault(String endpoint) {
+    return new OtlpAwsSpanExporter(endpoint);
+  }
+
+  static OtlpAwsSpanExporter create(OtlpHttpSpanExporter parent, String endpoint) {
+    return new OtlpAwsSpanExporter(parent, endpoint);
+  }
+
+  private OtlpAwsSpanExporter(String endpoint) {
+    this(null, endpoint);
+  }
+
+  private OtlpAwsSpanExporter(OtlpHttpSpanExporter parentExporter, String endpoint) {
+    this.awsRegion = endpoint.split("\\.")[1];
+    this.endpoint = endpoint;
+    this.spanData = new AtomicReference<>(Collections.emptyList());
+
+    if (parentExporter == null) {
+      this.parentExporterBuilder =
+          OtlpHttpSpanExporter.builder()
+              .setMemoryMode(MemoryMode.IMMUTABLE_DATA)
+              .setEndpoint(endpoint)
+              .setHeaders(new SigV4AuthHeaderSupplier());
+      this.parentExporter = this.parentExporterBuilder.build();
+      return;
+    }
+    this.parentExporterBuilder =
+        parentExporter.toBuilder()
+            .setMemoryMode(MemoryMode.IMMUTABLE_DATA)
+            .setEndpoint(endpoint)
+            .setHeaders(new SigV4AuthHeaderSupplier());
+    this.parentExporter = this.parentExporterBuilder.build();
+  }
+
+  /**
+   * Overrides the upstream implementation of export. All behaviors are the same except if the
+   * endpoint is an XRay OTLP endpoint, we will sign the request with SigV4 in headers before
+   * sending it to the endpoint. Otherwise, we will skip signing.
+   */
+  @Override
+  public CompletableResultCode export(@Nonnull Collection<SpanData> spans) {
+    this.spanData.set(spans);
+    return this.parentExporter.export(spans);
+  }
+
+  @Override
+  public CompletableResultCode flush() {
+    return this.parentExporter.flush();
+  }
+
+  @Override
+  public CompletableResultCode shutdown() {
+    return this.parentExporter.shutdown();
+  }
+
+  @Override
+  public String toString() {
+    StringJoiner joiner = new StringJoiner(", ", "OtlpAwsSpanExporter{", "}");
+    joiner.add(this.parentExporterBuilder.toString());
+    joiner.add("memoryMode=" + MemoryMode.IMMUTABLE_DATA);
+    return joiner.toString();
+  }
+
+  private final class SigV4AuthHeaderSupplier implements Supplier<Map<String, String>> {
+
+    @Override
+    public Map<String, String> get() {
+      try {
+        Collection<SpanData> spans = OtlpAwsSpanExporter.this.spanData.get();
+        ByteArrayOutputStream encodedSpans = new ByteArrayOutputStream();
+        TraceRequestMarshaler.create(spans).writeBinaryTo(encodedSpans);
+
+        SdkHttpRequest httpRequest =
+            SdkHttpFullRequest.builder()
+                .uri(URI.create(OtlpAwsSpanExporter.this.endpoint))
+                .method(SdkHttpMethod.POST)
+                .putHeader("Content-Type", "application/x-protobuf")
+                .contentStreamProvider(() -> new ByteArrayInputStream(encodedSpans.toByteArray()))
+                .build();
+
+        AwsCredentials credentials = DefaultCredentialsProvider.create().resolveCredentials();
+
+        SignedRequest signedRequest =
+            AwsV4HttpSigner.create()
+                .sign(
+                    b ->
+                        b.identity(credentials)
+                            .request(httpRequest)
+                            .putProperty(AwsV4HttpSigner.SERVICE_SIGNING_NAME, SERVICE_NAME)
+                            .putProperty(
+                                AwsV4HttpSigner.REGION_NAME, OtlpAwsSpanExporter.this.awsRegion)
+                            .payload(() -> new ByteArrayInputStream(encodedSpans.toByteArray())));
+
+        Map<String, String> result = new HashMap<>();
+
+        Map<String, List<String>> headers = signedRequest.request().headers();
+        headers.forEach(
+            (key, values) -> {
+              if (!values.isEmpty()) {
+                result.put(key, values.get(0));
+              }
+            });
+
+        return result;
+
+      } catch (Exception e) {
+        logger.log(
+            Level.WARNING,
+            String.format(
+                "Failed to sign/authenticate the given exported Span request to OTLP CloudWatch endpoint with error: %s",
+                e.getMessage()));
+
+        return Collections.emptyMap();
+      }
+    }
+  }
+}

awsagentprovider/src/main/java/software/amazon/opentelemetry/javaagent/providers/OtlpAwsSpanExporterBuilder.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.opentelemetry.javaagent.providers;
+
+import io.opentelemetry.exporter.otlp.http.trace.OtlpHttpSpanExporter;
+
+public class OtlpAwsSpanExporterBuilder {
+  private final OtlpHttpSpanExporter parentExporter;
+  private final String endpoint;
+
+  public static OtlpAwsSpanExporterBuilder create(
+      OtlpHttpSpanExporter parentExporter, String endpoint) {
+    return new OtlpAwsSpanExporterBuilder(parentExporter, endpoint);
+  }
+
+  public static OtlpAwsSpanExporter getDefault(String endpoint) {
+    return OtlpAwsSpanExporter.getDefault(endpoint);
+  }
+
+  private OtlpAwsSpanExporterBuilder(OtlpHttpSpanExporter parentExporter, String endpoint) {
+    this.parentExporter = parentExporter;
+    this.endpoint = endpoint;
+  }
+
+  public OtlpAwsSpanExporter build() {
+    return OtlpAwsSpanExporter.create(this.parentExporter, this.endpoint);
+  }
+}