Merge pull request #1513 from aws/imds

Add support for IMDS token

Author: dagnir

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java

@@ -16,12 +16,18 @@
 package software.amazon.awssdk.auth.credentials;
 
 import java.io.IOException;
+import java.net.SocketTimeoutException;
 import java.net.URI;
+import java.util.HashMap;
+import java.util.Map;
 import software.amazon.awssdk.annotations.SdkPublicApi;
 import software.amazon.awssdk.core.SdkSystemSetting;
 import software.amazon.awssdk.core.exception.SdkClientException;
+import software.amazon.awssdk.core.exception.SdkServiceException;
+import software.amazon.awssdk.core.internal.util.UserAgentUtils;
 import software.amazon.awssdk.regions.util.HttpResourcesUtils;
 import software.amazon.awssdk.regions.util.ResourcesEndpointProvider;
+import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.ToString;
 
 /**
@@ -33,9 +39,15 @@
  */
 @SdkPublicApi
 public final class InstanceProfileCredentialsProvider extends HttpCredentialsProvider {
+    private static final Logger log = Logger.loggerFor(InstanceProfileCredentialsProvider.class);
+
+    private static final String TOKEN_RESOURCE_PATH = "/latest/api/token";
+    private static final String EC2_METADATA_TOKEN_HEADER = "x-aws-ec2-metadata-token";
+    private static final String EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
+    private static final String DEFAULT_TOKEN_TTL = "21600";
 
     private static final String SECURITY_CREDENTIALS_RESOURCE = "/latest/meta-data/iam/security-credentials/";
-    private final ResourcesEndpointProvider credentialsEndpointProvider = new InstanceProviderCredentialsEndpointProvider();
+    private final InstanceProviderTokenEndpointProvider tokenEndpointProvider = new InstanceProviderTokenEndpointProvider();
 
     /**
      * @see #builder()
@@ -62,7 +74,7 @@ public static InstanceProfileCredentialsProvider create() {
 
     @Override
     protected ResourcesEndpointProvider getCredentialsEndpointProvider() {
-        return credentialsEndpointProvider;
+        return new InstanceProviderCredentialsEndpointProvider(getToken());
     }
 
     @Override
@@ -75,13 +87,68 @@ public String toString() {
         return ToString.create("InstanceProfileCredentialsProvider");
     }
 
+    private String getToken() {
+        try {
+            return HttpResourcesUtils.instance().readResource(getTokenEndpointProvider(), "PUT");
+        } catch (Exception e) {
+            log.debug(() -> "Error retrieving credentials metadata token", e);
+
+            boolean is400ServiceException = e instanceof SdkServiceException
+                    && ((SdkServiceException) e).statusCode() == 400;
+
+            boolean isSocketTimeout = e instanceof SocketTimeoutException;
+
+            // Credentials resolution must not continue to the token-less flow if either of these errors occur
+            if (is400ServiceException || isSocketTimeout) {
+                throw SdkClientException.builder()
+                        .message("Unable to load credentials from service endpoint")
+                        .cause(e)
+                        .build();
+            }
+
+            return null;
+        }
+    }
+
+    private ResourcesEndpointProvider getTokenEndpointProvider() {
+        return tokenEndpointProvider;
+    }
+
+    private static ResourcesEndpointProvider includeTokenHeader(ResourcesEndpointProvider provider, String token) {
+        return new ResourcesEndpointProvider() {
+            @Override
+            public URI endpoint() throws IOException {
+                return provider.endpoint();
+            }
+
+            @Override
+            public Map<String, String> headers() {
+                Map<String, String> headers = new HashMap<>(provider.headers());
+                headers.put(EC2_METADATA_TOKEN_HEADER, token);
+                return headers;
+            }
+        };
+    }
+
     private static final class InstanceProviderCredentialsEndpointProvider implements ResourcesEndpointProvider {
+        private final String metadataToken;
+
+        private InstanceProviderCredentialsEndpointProvider(String metadataToken) {
+            this.metadataToken = metadataToken;
+        }
+
         @Override
         public URI endpoint() throws IOException {
             String host = SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.getStringValueOrThrow();
 
             URI endpoint = URI.create(host + SECURITY_CREDENTIALS_RESOURCE);
-            String securityCredentialsList = HttpResourcesUtils.instance().readResource(endpoint);
+            ResourcesEndpointProvider endpointProvider = () -> endpoint;
+
+            if (metadataToken != null) {
+                endpointProvider = includeTokenHeader(endpointProvider, metadataToken);
+            }
+
+            String securityCredentialsList = HttpResourcesUtils.instance().readResource(endpointProvider);
             String[] securityCredentials = securityCredentialsList.trim().split("\n");
 
             if (securityCredentials.length == 0) {
@@ -90,6 +157,42 @@ public URI endpoint() throws IOException {
 
             return URI.create(host + SECURITY_CREDENTIALS_RESOURCE + securityCredentials[0]);
         }
+
+        @Override
+        public Map<String, String> headers() {
+            Map<String, String> requestHeaders = new HashMap<>();
+            requestHeaders.put("User-Agent", UserAgentUtils.getUserAgent());
+            requestHeaders.put("Accept", "*/*");
+            requestHeaders.put("Connection", "keep-alive");
+
+            if (metadataToken != null) {
+                requestHeaders.put(EC2_METADATA_TOKEN_HEADER, metadataToken);
+            }
+
+            return requestHeaders;
+        }
+    }
+
+    private static final class InstanceProviderTokenEndpointProvider implements ResourcesEndpointProvider {
+        @Override
+        public URI endpoint() {
+            String host = SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.getStringValueOrThrow();
+            if (host.endsWith("/")) {
+                host = host.substring(0, host.length() - 1);
+            }
+            return URI.create(host + TOKEN_RESOURCE_PATH);
+        }
+
+        @Override
+        public Map<String, String> headers() {
+            Map<String, String> requestHeaders = new HashMap<>();
+            requestHeaders.put("User-Agent", UserAgentUtils.getUserAgent());
+            requestHeaders.put("Accept", "*/*");
+            requestHeaders.put("Connection", "keep-alive");
+            requestHeaders.put(EC2_METADATA_TOKEN_TTL_HEADER, DEFAULT_TOKEN_TTL);
+
+            return requestHeaders;
+        }
     }
 
     /**

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderTest.java

@@ -0,0 +1,184 @@
+/*
+ * Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.auth.credentials;
+
+import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
+import static com.github.tomakehurst.wiremock.client.WireMock.equalTo;
+import static com.github.tomakehurst.wiremock.client.WireMock.get;
+import static com.github.tomakehurst.wiremock.client.WireMock.getRequestedFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.put;
+import static com.github.tomakehurst.wiremock.client.WireMock.putRequestedFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.stubFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo;
+import static org.hamcrest.Matchers.instanceOf;
+import com.github.tomakehurst.wiremock.client.WireMock;
+import com.github.tomakehurst.wiremock.junit.WireMockRule;
+import java.net.SocketTimeoutException;
+import java.time.Duration;
+import java.time.Instant;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import software.amazon.awssdk.core.SdkSystemSetting;
+import software.amazon.awssdk.core.exception.SdkClientException;
+import software.amazon.awssdk.core.internal.util.UserAgentUtils;
+import software.amazon.awssdk.utils.DateUtils;
+
+public class InstanceProfileCredentialsProviderTest {
+    private static final String TOKEN_RESOURCE_PATH = "/latest/api/token";
+    private static final String CREDENTIALS_RESOURCE_PATH = "/latest/meta-data/iam/security-credentials/";
+    private static final String STUB_CREDENTIALS = "{\"AccessKeyId\":\"ACCESS_KEY_ID\",\"SecretAccessKey\":\"SECRET_ACCESS_KEY\","
+            + "\"Expiration\":\"" + DateUtils.formatIso8601Date(Instant.now().plus(Duration.ofDays(1)))
+            + "\"}";
+    private static final String TOKEN_HEADER = "x-aws-ec2-metadata-token";
+    private static final String EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
+
+
+    @Rule
+    public ExpectedException thrown = ExpectedException.none();
+
+    @Rule
+    public WireMockRule mockMetadataEndpoint = new WireMockRule();
+
+    @Before
+    public void methodSetup() {
+        System.setProperty(SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.property(), "http://localhost:" + mockMetadataEndpoint.port());
+    }
+
+    @AfterClass
+    public static void teardown() {
+        System.clearProperty(SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.property());
+    }
+
+    @Test
+    public void resolveCredentials_metadataLookupDisabled_throws() {
+        System.setProperty(SdkSystemSetting.AWS_EC2_METADATA_DISABLED.property(), "true");
+        thrown.expect(SdkClientException.class);
+        thrown.expectMessage("Loading credentials from local endpoint is disabled");
+        try {
+            InstanceProfileCredentialsProvider.builder().build().resolveCredentials();
+        } finally {
+            System.clearProperty(SdkSystemSetting.AWS_EC2_METADATA_DISABLED.property());
+        }
+    }
+
+    @Test
+    public void resolveCredentials_requestsIncludeUserAgent() {
+        String stubToken = "some-token";
+        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody(stubToken)));
+        stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH)).willReturn(aResponse().withBody("some-profile")));
+        stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + "some-profile")).willReturn(aResponse().withBody(STUB_CREDENTIALS)));
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        provider.resolveCredentials();
+
+        String userAgentHeader = "User-Agent";
+        String userAgent = UserAgentUtils.getUserAgent();
+        WireMock.verify(putRequestedFor(urlPathEqualTo(TOKEN_RESOURCE_PATH)).withHeader(userAgentHeader, equalTo(userAgent)));
+        WireMock.verify(getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH)).withHeader(userAgentHeader, equalTo(userAgent)));
+        WireMock.verify(getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + "some-profile")).withHeader(userAgentHeader, equalTo(userAgent)));
+    }
+
+    @Test
+    public void resolveCredentials_queriesTokenResource() {
+        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody("some-token")));
+        stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH)).willReturn(aResponse().withBody("some-profile")));
+        stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + "some-profile")).willReturn(aResponse().withBody(STUB_CREDENTIALS)));
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        provider.resolveCredentials();
+
+        WireMock.verify(putRequestedFor(urlPathEqualTo(TOKEN_RESOURCE_PATH)).withHeader(EC2_METADATA_TOKEN_TTL_HEADER, equalTo("21600")));
+    }
+
+    @Test
+    public void resolveCredentials_queriesTokenResource_includedInCredentialsRequests() {
+        String stubToken = "some-token";
+        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody(stubToken)));
+        stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH)).willReturn(aResponse().withBody("some-profile")));
+        stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + "some-profile")).willReturn(aResponse().withBody(STUB_CREDENTIALS)));
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        provider.resolveCredentials();
+
+        WireMock.verify(getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH)).withHeader(TOKEN_HEADER, equalTo(stubToken)));
+        WireMock.verify(getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + "some-profile")).withHeader(TOKEN_HEADER, equalTo(stubToken)));
+    }
+
+    @Test
+    public void resolveCredentials_queriesTokenResource_404Error_fallbackToInsecure() {
+        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withStatus(404).withBody("oops")));
+        stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH)).willReturn(aResponse().withBody("some-profile")));
+        stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + "some-profile")).willReturn(aResponse().withBody(STUB_CREDENTIALS)));
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        provider.resolveCredentials();
+
+        WireMock.verify(getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH)));
+        WireMock.verify(getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + "some-profile")));
+    }
+
+    @Test
+    public void resolveCredentials_queriesTokenResource_400Error_throws() {
+        thrown.expect(SdkClientException.class);
+        thrown.expectMessage("Unable to load credentials");
+
+        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withStatus(400).withBody("oops")));
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        provider.resolveCredentials();
+    }
+
+    @Test
+    public void resolveCredentials_queriesTokenResource_socketTimeout_throws() {
+        thrown.expect(SdkClientException.class);
+        thrown.expectCause(instanceOf(SocketTimeoutException.class));
+        thrown.expectMessage("Unable to load credentials");
+
+        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody("some-token").withFixedDelay(Integer.MAX_VALUE)));
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        provider.resolveCredentials();
+    }
+
+    @Test
+    public void resolveCredentials_endpointSettingEmpty_throws() {
+        thrown.expect(SdkClientException.class);
+
+        System.setProperty(SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.property(), "");
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        provider.resolveCredentials();
+    }
+
+    @Test
+    public void resolveCredentials_endpointSettingHostNotExists_throws() {
+        thrown.expect(SdkClientException.class);
+
+        System.setProperty(SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.property(), "some-host-that-does-not-exist");
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        provider.resolveCredentials();
+    }
+}

core/regions/src/main/java/software/amazon/awssdk/regions/internal/util/ConnectionUtils.java

@@ -31,10 +31,14 @@ public static ConnectionUtils create() {
     }
 
     public HttpURLConnection connectToEndpoint(URI endpoint, Map<String, String> headers) throws IOException {
+        return connectToEndpoint(endpoint, headers, "GET");
+    }
+
+    public HttpURLConnection connectToEndpoint(URI endpoint, Map<String, String> headers, String method) throws IOException {
         HttpURLConnection connection = (HttpURLConnection) endpoint.toURL().openConnection(Proxy.NO_PROXY);
         connection.setConnectTimeout(1000 * 2);
         connection.setReadTimeout(1000 * 5);
-        connection.setRequestMethod("GET");
+        connection.setRequestMethod(method);
         connection.setDoOutput(true);
         headers.forEach(connection::addRequestProperty);
         connection.setInstanceFollowRedirects(false);