Add support for generic ECS provider

jeskew · jeskew · commit 0a29eef733d6 · 2017-05-24T18:03:51.000-07:00
diff --git a/packages/credential-provider/__tests__/chain.ts b/packages/credential-provider/__tests__/chain.ts
@@ -38,6 +38,30 @@ describe('chain', () => {
         expect(providers[2].mock.calls.length).toBe(0);
     });
 
+    it(
+        'should not invoke subsequent providers one is rejected with a terminal error',
+        async () => {
+            const creds = {accessKeyId: 'foo', secretAccessKey: 'bar'};
+            const providers = [
+                jest.fn(() => Promise.reject(new CredentialError('Move along'))),
+                jest.fn(() => Promise.reject(
+                    new CredentialError('Stop here', false)
+                )),
+                jest.fn(() => fail('This provider should not be invoked'))
+            ];
+
+            await chain(...providers)().then(
+                () => { throw new Error('The promise should have been rejected'); },
+                err => {
+                    expect(err.message).toBe('Stop here');
+                    expect(providers[0].mock.calls.length).toBe(1);
+                    expect(providers[1].mock.calls.length).toBe(1);
+                    expect(providers[2].mock.calls.length).toBe(0);
+                }
+            );
+        }
+    );
+
     it('should reject chains with no links', async () => {
         await chain()().then(
             () => { throw new Error('The promise should have been rejected'); },
diff --git a/packages/credential-provider/__tests__/fromContainerMetadata.ts b/packages/credential-provider/__tests__/fromContainerMetadata.ts
@@ -1,4 +1,5 @@
 import {
+    ENV_CMDS_FULL_URI,
     ENV_CMDS_RELATIVE_URI,
     fromContainerMetadata
 } from "../lib/fromContainerMetadata";
@@ -18,14 +19,17 @@ const mockHttpGet = <MockInstance<HttpGet>><any>httpGet;
 jest.mock('../lib/remoteProvider/httpGet', () => ({httpGet: jest.fn()}));
 
 const relativeUri = process.env[ENV_CMDS_RELATIVE_URI];
+const fullUri = process.env[ENV_CMDS_FULL_URI];
 
 beforeEach(() => {
     mockHttpGet.mockReset();
-    process.env[ENV_CMDS_RELATIVE_URI] = '/relative/uri';
+    delete process.env[ENV_CMDS_RELATIVE_URI];
+    delete process.env[ENV_CMDS_FULL_URI];
 });
 
 afterAll(() => {
     process.env[ENV_CMDS_RELATIVE_URI] = relativeUri;
+    process.env[ENV_CMDS_FULL_URI] = fullUri;
 });
 
 describe('fromContainerMetadata', () => {
@@ -37,9 +41,8 @@ describe('fromContainerMetadata', () => {
     });
 
     it(
-        'should reject the promise if the container credentials environment variable is not set',
+        'should reject the promise with a terminal error if the container credentials environment variable is not set',
         async () => {
-            delete process.env[ENV_CMDS_RELATIVE_URI];
             await fromContainerMetadata()().then(
                 () => { throw new Error('The promise should have been rejected'); },
                 err => {
@@ -49,53 +52,142 @@ describe('fromContainerMetadata', () => {
         }
     );
 
-    it(
-        'should resolve credentials by fetching them from the container metadata service',
-        async () => {
-            mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
-            expect(await fromContainerMetadata()())
-                .toEqual(fromImdsCredentials(creds));
-        }
-    );
+    describe(ENV_CMDS_RELATIVE_URI, () => {
+        beforeEach(() => {
+            process.env[ENV_CMDS_RELATIVE_URI] = '/relative/uri';
+        });
 
-    it('should retry the fetching operation up to maxRetries times', async () => {
-        const maxRetries = 5;
-        for (let i = 0; i < maxRetries - 1; i++) {
-            mockHttpGet.mockReturnValueOnce(Promise.reject('No!'));
-        }
-        mockHttpGet.mockReturnValueOnce(
-            Promise.resolve(JSON.stringify(creds))
+        it(
+            'should resolve credentials by fetching them from the container metadata service',
+            async () => {
+                mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+                expect(await fromContainerMetadata()())
+                    .toEqual(fromImdsCredentials(creds));
+            }
         );
 
-        expect(await fromContainerMetadata({maxRetries})())
-            .toEqual(fromImdsCredentials(creds));
-        expect(mockHttpGet.mock.calls.length).toEqual(maxRetries);
-    });
+        it(
+            'should retry the fetching operation up to maxRetries times',
+            async () => {
+                const maxRetries = 5;
+                for (let i = 0; i < maxRetries - 1; i++) {
+                    mockHttpGet.mockReturnValueOnce(Promise.reject('No!'));
+                }
+                mockHttpGet.mockReturnValueOnce(
+                    Promise.resolve(JSON.stringify(creds))
+                );
 
-    it('should retry responses that receive invalid response values', async () => {
-        for (let key of Object.keys(creds)) {
-            const invalidCreds: any = {...creds};
-            delete invalidCreds[key];
-            mockHttpGet.mockReturnValueOnce(
-                Promise.resolve(JSON.stringify(invalidCreds))
-            );
-        }
-        mockHttpGet.mockReturnValueOnce(Promise.resolve(JSON.stringify(creds)));
+                expect(await fromContainerMetadata({maxRetries})())
+                    .toEqual(fromImdsCredentials(creds));
+                expect(mockHttpGet.mock.calls.length).toEqual(maxRetries);
+            }
+        );
 
-        await fromContainerMetadata({maxRetries: 100})();
-        expect(mockHttpGet.mock.calls.length)
-            .toEqual(Object.keys(creds).length + 1);
+        it(
+            'should retry responses that receive invalid response values',
+            async () => {
+                for (let key of Object.keys(creds)) {
+                    const invalidCreds: any = {...creds};
+                    delete invalidCreds[key];
+                    mockHttpGet.mockReturnValueOnce(
+                        Promise.resolve(JSON.stringify(invalidCreds))
+                    );
+                }
+                mockHttpGet.mockReturnValueOnce(
+                    Promise.resolve(JSON.stringify(creds))
+                );
+
+                await fromContainerMetadata({maxRetries: 100})();
+                expect(mockHttpGet.mock.calls.length)
+                    .toEqual(Object.keys(creds).length + 1);
+            }
+        );
+
+        it('should pass relevant configuration to httpGet', async () => {
+            const timeout = Math.ceil(Math.random() * 1000);
+            mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+            await fromContainerMetadata({timeout})();
+            expect(mockHttpGet.mock.calls.length).toEqual(1);
+            expect(mockHttpGet.mock.calls[0][0]).toEqual({
+                hostname: '169.254.170.2',
+                path: process.env[ENV_CMDS_RELATIVE_URI],
+                timeout,
+            });
+        });
     });
 
-    it('should pass relevant configuration to httpGet', async () => {
-        const timeout = Math.ceil(Math.random() * 1000);
-        mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
-        await fromContainerMetadata({timeout})();
-        expect(mockHttpGet.mock.calls.length).toEqual(1);
-        expect(mockHttpGet.mock.calls[0][0]).toEqual({
-            host: '169.254.170.2',
-            path: process.env[ENV_CMDS_RELATIVE_URI],
-            timeout,
+    describe(ENV_CMDS_FULL_URI, () => {
+        it('should pass relevant configuration to httpGet', async () => {
+            process.env[ENV_CMDS_FULL_URI] = 'http://localhost:8080/path';
+
+            const timeout = Math.ceil(Math.random() * 1000);
+            mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+            await fromContainerMetadata({timeout})();
+            expect(mockHttpGet.mock.calls.length).toEqual(1);
+            const {
+                protocol,
+                hostname,
+                path,
+                port,
+                timeout: actualTimeout,
+            } = mockHttpGet.mock.calls[0][0];
+            expect(protocol).toBe('http:');
+            expect(hostname).toBe('localhost');
+            expect(path).toBe('/path');
+            expect(port).toBe(8080);
+            expect(actualTimeout).toBe(timeout);
         });
+
+        it(
+            `should prefer ${ENV_CMDS_RELATIVE_URI} to ${ENV_CMDS_FULL_URI}`,
+            async () => {
+                process.env[ENV_CMDS_RELATIVE_URI] = 'foo';
+                process.env[ENV_CMDS_FULL_URI] = 'http://localhost:8080/path';
+
+                const timeout = Math.ceil(Math.random() * 1000);
+                mockHttpGet.mockReturnValue(
+                    Promise.resolve(JSON.stringify(creds))
+                );
+                await fromContainerMetadata({timeout})();
+                expect(mockHttpGet.mock.calls.length).toEqual(1);
+                expect(mockHttpGet.mock.calls[0][0]).toEqual({
+                    hostname: '169.254.170.2',
+                    path: 'foo',
+                    timeout,
+                });
+            }
+        );
+
+        it(
+            'should reject the promise with a terminal error if a unexpected protocol is specified',
+            async () => {
+                process.env[ENV_CMDS_FULL_URI] = 'wss://localhost:8080/path';
+
+                await fromContainerMetadata()().then(
+                    () => {
+                        throw new Error('The promise should have been rejected');
+                    },
+                    err => {
+                        expect((err as any).tryNextLink).toBeFalsy();
+                    }
+                );
+            }
+        );
+
+        it(
+            'should reject the promise with a terminal error if a unexpected hostname is specified',
+            async () => {
+                process.env[ENV_CMDS_FULL_URI] = 'https://bucket.s3.amazonaws.com/key';
+
+                await fromContainerMetadata()().then(
+                    () => {
+                        throw new Error('The promise should have been rejected');
+                    },
+                    err => {
+                        expect((err as any).tryNextLink).toBeFalsy();
+                    }
+                );
+            }
+        );
     });
 });
diff --git a/packages/credential-provider/lib/fromContainerMetadata.ts b/packages/credential-provider/lib/fromContainerMetadata.ts
@@ -10,28 +10,20 @@ import {
 } from './remoteProvider/ImdsCredentials';
 import {retry} from './remoteProvider/retry';
 import {CredentialError} from "./CredentialError";
+import {parse} from "url";
+import {RequestOptions} from "http";
 
+export const ENV_CMDS_FULL_URI = 'AWS_CONTAINER_CREDENTIALS_FULL_URI';
 export const ENV_CMDS_RELATIVE_URI = 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI';
 
 export function fromContainerMetadata(
     init: RemoteProviderInit = {}
 ): CredentialProvider {
     const {timeout, maxRetries} = providerConfigFromInit(init);
     return () => {
-        const path = process.env[ENV_CMDS_RELATIVE_URI];
-
-        if (!path) {
-            return Promise.reject(new CredentialError(
-                'The container metadata credential provider cannot be used' +
-                ` unless the ${ENV_CMDS_RELATIVE_URI}  environment variable` +
-                ' is set',
-                false
-            ));
-        }
-
-        return retry(async () => {
+        return getCmdsUri().then(url => retry(async () => {
             const credsResponse = JSON.parse(
-                await requestFromEcsImds(timeout, path)
+                await requestFromEcsImds(timeout, url)
             );
             if (!isImdsCredentials(credsResponse)) {
                 throw new CredentialError(
@@ -40,17 +32,65 @@ export function fromContainerMetadata(
             }
 
             return fromImdsCredentials(credsResponse);
-        }, maxRetries);
+        }, maxRetries));
     }
 }
 
-const CMDS_IP = '169.254.170.2';
-
-function requestFromEcsImds(timeout: number, path: string): Promise<string> {
+function requestFromEcsImds(
+    timeout: number,
+    options: RequestOptions
+): Promise<string> {
     return httpGet({
-        host: CMDS_IP,
-        path,
+        ...options,
         timeout,
     })
         .then(buffer => buffer.toString());
 }
+
+const CMDS_IP = '169.254.170.2';
+const GREENGRASS_HOSTS = new Set([
+    'localhost',
+    '127.0.0.1',
+]);
+const GREENGRASS_PROTOCOLS = new Set([
+    'http:',
+    'https:',
+]);
+
+function getCmdsUri(): Promise<RequestOptions> {
+    if (process.env[ENV_CMDS_RELATIVE_URI]) {
+        return Promise.resolve({
+            hostname: CMDS_IP,
+            path: process.env[ENV_CMDS_RELATIVE_URI],
+        });
+    }
+
+    if (process.env[ENV_CMDS_FULL_URI]) {
+        const parsed = parse(process.env[ENV_CMDS_FULL_URI]);
+        if (!parsed.hostname || !GREENGRASS_HOSTS.has(parsed.hostname)) {
+            return Promise.reject(new CredentialError(
+                `${parsed.hostname} is not a valid container metadata service hostname`,
+                false
+            ));
+        }
+
+        if (!parsed.protocol || !GREENGRASS_PROTOCOLS.has(parsed.protocol)) {
+            return Promise.resolve(new CredentialError(
+                `${parsed.protocol} is not a valid container metadata service protocol`,
+                false
+            ));
+        }
+
+        return Promise.resolve({
+            ...parsed,
+            port: parsed.port ? Number.parseInt(parsed.port, 10) : undefined
+        });
+    }
+
+    return Promise.reject(new CredentialError(
+        'The container metadata credential provider cannot be used unless' +
+        ` the ${ENV_CMDS_RELATIVE_URI} or ${ENV_CMDS_FULL_URI} environment` +
+        ' variable is set',
+        false
+    ));
+}
