CredentialsEndpointProvider.java: Adds the sending of a User-Agent other than default User-Agent to the metadata service

[willbengtson]

Adds the sending of a User-Agent other than default User-Agent in Java when making requests to metadata service

Similar to AWS Golang SDK and Ruby SDK, send a User-Agent other than the default User-Agent when making requests to the EC2 metadata for credentials.
aws/aws-sdk-java#1562 for aws-sdk-java addresses this also. PR #1445 for botocore implements this too.

This will enable protection of AWS credentials from Server Side Request Forgery (SSRF) vectors by being able to use a metadata proxy to block requests that do not have the right User-Agent set. User-Agent is not controllable by an attacker via SSRF.

Description

Set default headers in the CredentialsEndpointProvider interface

Motivation and Context

This will enable protection of AWS credentials from Server Side Request Forgery (SSRF) vectors by being able to use a metadata proxy to block requests that do not have the right User-Agent set. User-Agent is not controllable by an attacker via SSRF.

Testing

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

Checklist

• I have read the CONTRIBUTING document
• Local run of mvn install succeeds
• My code follows the code style of this project
• My change requires a change to the Javadoc documentation
• I have updated the Javadoc documentation accordingly
• I have read the README document
• I have added tests to cover my changes
• All new and existing tests passed
• A short description of the change has been added to the CHANGELOG

License

• I confirm that this pull request can be released under the Apache 2 license

[zoewangg]

Looks like HttpCredentialsUtilsTest failed, could you fix that?

[zoewangg]

nit: can we use diamond operator here?

[willbengtson]

sure thing

[willbengtson]

@zoewangg the tests fail because of NullPointerException. I'm trying to use import software.amazon.awssdk.core.util.VersionInfo; but for some reason it's shows Null when running the tests. I'm not super familiar with what to modify to get the test to pick the file up correctly. Am I seeing that correctly?

[zoewangg]

VersionInfo is generated from the build process. I think the tests failed because we are mocking the connectToEndpoint method with empty headers here.

Mockito.when(mockConnection.connectToEndpoint(endpoint, emptyHeaders)).thenThrow(new IOException());

https://github.com/aws/aws-sdk-java-v2/blob/master/core/src/test/java/software/amazon/awssdk/core/internal/HttpCredentialsUtilsTest.java#L156

So we just need to update the empty headers with the default headers.

[zoewangg]

Once the build succeeds, could you add a new-change entry? you can do that by running the scripts/new-change script and following the instructions.

Can you confirm that this PR is submitted under Apache 2.0 license by checking the I confirm that this pull request can be released under the Apache 2 license box under license section in the description?

[willbengtson]

Will do, working on these changes

[willbengtson]

@zoewangg updated

[zoewangg]

@willbengtson Thanks for making the changes! LGTM.

Looks like the branch is out-of-date with master. Could you do a merge from master and then squash all commits to a single commit? I'll merge it afterwards.

[willbengtson]

@zoewangg Done