CredentialsEndpointProvider.java: Adds the sending of a User-Agent other than default User-Agent in Java when making requests to metadata service

Similar to AWS Golang SDK and Ruby SDK, send a User-Agent other than the default User-Agent when making requests to the EC2 metadata for credentials.
aws/aws-sdk-java#1562 for aws-sdk-java addresses this also.  PR #1445 for botocore implements this too.

This will enable protection of AWS credentials from Server Side Request Forgery (SSRF) vectors by being able to use a metadata proxy to block requests
that do not have the right User-Agent set.  User-Agent is not controllable by an attacker via SSRF.

Author: Will Bengtson

.changes/next-release/feature-AWSSDKforJavav2-0a2ffb3.json

@@ -0,0 +1,5 @@
+{
+    "category": "AWS SDK for Java v2", 
+    "type": "feature", 
+    "description": "Add a standard User-Agent when making requests to the metadata service.  User-Agent pattern: aws-sdk-java/<version>"
+}

core/src/main/java/software/amazon/awssdk/core/internal/CredentialsEndpointProvider.java

@@ -17,10 +17,11 @@
 
 import java.io.IOException;
 import java.net.URI;
-import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.core.retry.internal.CredentialsEndpointRetryPolicy;
+import software.amazon.awssdk.core.util.VersionInfo;
 
 /**
  * <p>
@@ -56,7 +57,12 @@ default CredentialsEndpointRetryPolicy retryPolicy() {
      * Allows passing additional headers to the request
      */
     default Map<String, String> headers() {
-        return Collections.emptyMap();
+        Map<String, String> requestHeaders = new HashMap<>();
+        requestHeaders.put("User-Agent", String.format("aws-sdk-java/%s", VersionInfo.SDK_VERSION));
+        requestHeaders.put("Accept", "*/*");
+        requestHeaders.put("Connection", "keep-alive");
+
+        return requestHeaders;
     }
 
 }

core/src/test/java/software/amazon/awssdk/core/internal/HttpCredentialsUtilsTest.java

@@ -29,7 +29,7 @@
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
@@ -43,6 +43,7 @@
 import software.amazon.awssdk.core.internal.net.ConnectionUtils;
 import software.amazon.awssdk.core.retry.internal.CredentialsEndpointRetryParameters;
 import software.amazon.awssdk.core.retry.internal.CredentialsEndpointRetryPolicy;
+import software.amazon.awssdk.core.util.VersionInfo;
 import utils.http.SocketUtils;
 
 @RunWith(MockitoJUnitRunner.class)
@@ -54,7 +55,14 @@ public class HttpCredentialsUtilsTest {
     private static final String SUCCESS_BODY = "{\"AccessKeyId\":\"ACCESS_KEY_ID\",\"SecretAccessKey\":\"SECRET_ACCESS_KEY\","
                                                + "\"Token\":\"TOKEN_TOKEN_TOKEN\",\"Expiration\":\"3000-05-03T04:55:54Z\"}";
     private static URI endpoint;
-    private final Map<String, String> emptyHeaders = Collections.emptyMap();
+    private static Map<String, String> headers = new HashMap<String, String>()
+    {
+        {
+            put("User-Agent", String.format("aws-sdk-java/%s", VersionInfo.SDK_VERSION));
+            put("Accept", "*/*");
+            put("Connection", "keep-alive");
+        }
+    };
 
     private static CustomRetryPolicy customRetryPolicy;
 
@@ -153,13 +161,13 @@ public void readResouceNonJsonErrorBody() throws IOException {
      */
     @Test
     public void readResouceWithDefaultRetryPolicy_DoesNotRetry_ForIoException() throws IOException {
-        Mockito.when(mockConnection.connectToEndpoint(endpoint, emptyHeaders)).thenThrow(new IOException());
+        Mockito.when(mockConnection.connectToEndpoint(endpoint, headers)).thenThrow(new IOException());
 
         try {
             new HttpCredentialsUtils(mockConnection).readResource(endpoint);
             fail("Expected an IOexception");
         } catch (IOException exception) {
-            Mockito.verify(mockConnection, Mockito.times(1)).connectToEndpoint(endpoint, emptyHeaders);
+            Mockito.verify(mockConnection, Mockito.times(1)).connectToEndpoint(endpoint, headers);
         }
     }
 
@@ -170,13 +178,13 @@ public void readResouceWithDefaultRetryPolicy_DoesNotRetry_ForIoException() thro
      */
     @Test
     public void readResouceWithCustomRetryPolicy_DoesRetry_ForIoException() throws IOException {
-        Mockito.when(mockConnection.connectToEndpoint(endpoint, emptyHeaders)).thenThrow(new IOException());
+        Mockito.when(mockConnection.connectToEndpoint(endpoint, headers)).thenThrow(new IOException());
 
         try {
             new HttpCredentialsUtils(mockConnection).readResource(endpointProvider(endpoint, customRetryPolicy));
             fail("Expected an IOexception");
         } catch (IOException exception) {
-            Mockito.verify(mockConnection, Mockito.times(CustomRetryPolicy.MAX_RETRIES + 1)).connectToEndpoint(endpoint, emptyHeaders);
+            Mockito.verify(mockConnection, Mockito.times(CustomRetryPolicy.MAX_RETRIES + 1)).connectToEndpoint(endpoint, headers);
         }
     }
 
@@ -188,13 +196,13 @@ public void readResouceWithCustomRetryPolicy_DoesRetry_ForIoException() throws I
     @Test
     public void readResouceWithCustomRetryPolicy_DoesNotRetry_ForNonIoException() throws IOException {
         generateStub(500, "Non Json error body");
-        Mockito.when(mockConnection.connectToEndpoint(endpoint, emptyHeaders)).thenCallRealMethod();
+        Mockito.when(mockConnection.connectToEndpoint(endpoint, headers)).thenCallRealMethod();
 
         try {
             new HttpCredentialsUtils(mockConnection).readResource(endpointProvider(endpoint, customRetryPolicy));
             fail("Expected an SdkServiceException");
         } catch (SdkServiceException exception) {
-            Mockito.verify(mockConnection, Mockito.times(1)).connectToEndpoint(endpoint, emptyHeaders);
+            Mockito.verify(mockConnection, Mockito.times(1)).connectToEndpoint(endpoint, headers);
         }
     }