Merge pull request #26 from jeskew/feature/credential-provider-imds

Feature/credential provider imds

Author: jeskew

packages/credential-provider-imds/.gitignore

@@ -0,0 +1,4 @@
+/node_modules/
+*.js
+*.js.map
+*.d.ts

packages/credential-provider-imds/__tests__/fromContainerMetadata.ts

@@ -0,0 +1,191 @@
+import {
+  ENV_CMDS_AUTH_TOKEN,
+  ENV_CMDS_FULL_URI,
+  ENV_CMDS_RELATIVE_URI,
+  fromContainerMetadata
+} from "../lib/fromContainerMetadata";
+import { httpGet } from "../lib/remoteProvider/httpGet";
+import {
+  fromImdsCredentials,
+  ImdsCredentials
+} from "../lib/remoteProvider/ImdsCredentials";
+import MockInstance = jest.MockInstance;
+import { RequestOptions } from "http";
+
+interface HttpGet {
+  (options: RequestOptions): Promise<Buffer>;
+}
+
+const mockHttpGet = <MockInstance<HttpGet>>(<any>httpGet);
+jest.mock("../lib/remoteProvider/httpGet", () => ({ httpGet: jest.fn() }));
+
+const relativeUri = process.env[ENV_CMDS_RELATIVE_URI];
+const fullUri = process.env[ENV_CMDS_FULL_URI];
+const authToken = process.env[ENV_CMDS_AUTH_TOKEN];
+
+beforeEach(() => {
+  mockHttpGet.mockReset();
+  delete process.env[ENV_CMDS_RELATIVE_URI];
+  delete process.env[ENV_CMDS_FULL_URI];
+  delete process.env[ENV_CMDS_AUTH_TOKEN];
+});
+
+afterAll(() => {
+  process.env[ENV_CMDS_RELATIVE_URI] = relativeUri;
+  process.env[ENV_CMDS_FULL_URI] = fullUri;
+  process.env[ENV_CMDS_AUTH_TOKEN] = authToken;
+});
+
+describe("fromContainerMetadata", () => {
+  const creds: ImdsCredentials = Object.freeze({
+    AccessKeyId: "foo",
+    SecretAccessKey: "bar",
+    Token: "baz",
+    Expiration: new Date().toISOString()
+  });
+
+  it("should reject the promise with a terminal error if the container credentials environment variable is not set", async () => {
+    await fromContainerMetadata()().then(
+      () => {
+        throw new Error("The promise should have been rejected");
+      },
+      err => {
+        expect((err as any).tryNextLink).toBeFalsy();
+      }
+    );
+  });
+
+  it(`should inject an authorization header containing the contents of the ${ENV_CMDS_AUTH_TOKEN} environment variable if defined`, async () => {
+    const token = "Basic abcd";
+    process.env[ENV_CMDS_FULL_URI] = "http://localhost:8080/path";
+    process.env[ENV_CMDS_AUTH_TOKEN] = token;
+    mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+
+    await fromContainerMetadata()();
+
+    expect(mockHttpGet.mock.calls.length).toBe(1);
+    const [options = {}] = mockHttpGet.mock.calls[0];
+    expect(options.headers).toMatchObject({
+      Authorization: token
+    });
+  });
+
+  describe(ENV_CMDS_RELATIVE_URI, () => {
+    beforeEach(() => {
+      process.env[ENV_CMDS_RELATIVE_URI] = "/relative/uri";
+    });
+
+    it("should resolve credentials by fetching them from the container metadata service", async () => {
+      mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+
+      expect(await fromContainerMetadata()()).toEqual(
+        fromImdsCredentials(creds)
+      );
+    });
+
+    it("should retry the fetching operation up to maxRetries times", async () => {
+      const maxRetries = 5;
+      for (let i = 0; i < maxRetries - 1; i++) {
+        mockHttpGet.mockReturnValueOnce(Promise.reject("No!"));
+      }
+      mockHttpGet.mockReturnValueOnce(Promise.resolve(JSON.stringify(creds)));
+
+      expect(await fromContainerMetadata({ maxRetries })()).toEqual(
+        fromImdsCredentials(creds)
+      );
+      expect(mockHttpGet.mock.calls.length).toEqual(maxRetries);
+    });
+
+    it("should retry responses that receive invalid response values", async () => {
+      for (let key of Object.keys(creds)) {
+        const invalidCreds: any = { ...creds };
+        delete invalidCreds[key];
+        mockHttpGet.mockReturnValueOnce(
+          Promise.resolve(JSON.stringify(invalidCreds))
+        );
+      }
+      mockHttpGet.mockReturnValueOnce(Promise.resolve(JSON.stringify(creds)));
+
+      await fromContainerMetadata({ maxRetries: 100 })();
+      expect(mockHttpGet.mock.calls.length).toEqual(
+        Object.keys(creds).length + 1
+      );
+    });
+
+    it("should pass relevant configuration to httpGet", async () => {
+      const timeout = Math.ceil(Math.random() * 1000);
+      mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+      await fromContainerMetadata({ timeout })();
+      expect(mockHttpGet.mock.calls.length).toEqual(1);
+      expect(mockHttpGet.mock.calls[0][0]).toEqual({
+        hostname: "169.254.170.2",
+        path: process.env[ENV_CMDS_RELATIVE_URI],
+        timeout
+      });
+    });
+  });
+
+  describe(ENV_CMDS_FULL_URI, () => {
+    it("should pass relevant configuration to httpGet", async () => {
+      process.env[ENV_CMDS_FULL_URI] = "http://localhost:8080/path";
+
+      const timeout = Math.ceil(Math.random() * 1000);
+      mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+      await fromContainerMetadata({ timeout })();
+      expect(mockHttpGet.mock.calls.length).toEqual(1);
+      const {
+        protocol,
+        hostname,
+        path,
+        port,
+        timeout: actualTimeout
+      } = mockHttpGet.mock.calls[0][0];
+      expect(protocol).toBe("http:");
+      expect(hostname).toBe("localhost");
+      expect(path).toBe("/path");
+      expect(port).toBe(8080);
+      expect(actualTimeout).toBe(timeout);
+    });
+
+    it(`should prefer ${ENV_CMDS_RELATIVE_URI} to ${ENV_CMDS_FULL_URI}`, async () => {
+      process.env[ENV_CMDS_RELATIVE_URI] = "foo";
+      process.env[ENV_CMDS_FULL_URI] = "http://localhost:8080/path";
+
+      const timeout = Math.ceil(Math.random() * 1000);
+      mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+      await fromContainerMetadata({ timeout })();
+      expect(mockHttpGet.mock.calls.length).toEqual(1);
+      expect(mockHttpGet.mock.calls[0][0]).toEqual({
+        hostname: "169.254.170.2",
+        path: "foo",
+        timeout
+      });
+    });
+
+    it("should reject the promise with a terminal error if a unexpected protocol is specified", async () => {
+      process.env[ENV_CMDS_FULL_URI] = "wss://localhost:8080/path";
+
+      await fromContainerMetadata()().then(
+        () => {
+          throw new Error("The promise should have been rejected");
+        },
+        err => {
+          expect((err as any).tryNextLink).toBeFalsy();
+        }
+      );
+    });
+
+    it("should reject the promise with a terminal error if a unexpected hostname is specified", async () => {
+      process.env[ENV_CMDS_FULL_URI] = "https://bucket.s3.amazonaws.com/key";
+
+      await fromContainerMetadata()().then(
+        () => {
+          throw new Error("The promise should have been rejected");
+        },
+        err => {
+          expect((err as any).tryNextLink).toBeFalsy();
+        }
+      );
+    });
+  });
+});

packages/credential-provider-imds/__tests__/fromInstanceMetadata.ts

@@ -0,0 +1,120 @@
+import { fromInstanceMetadata } from "../lib/fromInstanceMetadata";
+import { httpGet } from "../lib/remoteProvider/httpGet";
+import {
+  fromImdsCredentials,
+  ImdsCredentials
+} from "../lib/remoteProvider/ImdsCredentials";
+import MockInstance = jest.MockInstance;
+import { RequestOptions } from "http";
+
+interface HttpGet {
+  (options: RequestOptions): Promise<Buffer>;
+}
+
+const mockHttpGet = <MockInstance<HttpGet>>(<any>httpGet);
+jest.mock("../lib/remoteProvider/httpGet", () => ({ httpGet: jest.fn() }));
+
+beforeEach(() => {
+  mockHttpGet.mockReset();
+});
+
+describe("fromInstanceMetadata", () => {
+  const creds: ImdsCredentials = Object.freeze({
+    AccessKeyId: "foo",
+    SecretAccessKey: "bar",
+    Token: "baz",
+    Expiration: new Date().toISOString()
+  });
+
+  it("should resolve credentials by fetching them from the container metadata service", async () => {
+    mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+    expect(await fromInstanceMetadata({ profile: "foo" })()).toEqual(
+      fromImdsCredentials(creds)
+    );
+  });
+
+  it("should retry the fetching operation up to maxRetries times", async () => {
+    const maxRetries = 5;
+    for (let i = 0; i < maxRetries - 1; i++) {
+      mockHttpGet.mockReturnValueOnce(Promise.reject("No!"));
+    }
+    mockHttpGet.mockReturnValueOnce(Promise.resolve(JSON.stringify(creds)));
+
+    expect(
+      await fromInstanceMetadata({ maxRetries, profile: "foo" })()
+    ).toEqual(fromImdsCredentials(creds));
+    expect(mockHttpGet.mock.calls.length).toEqual(maxRetries);
+  });
+
+  it("should retry responses that receive invalid response values", async () => {
+    for (let key of Object.keys(creds)) {
+      const invalidCreds: any = { ...creds };
+      delete invalidCreds[key];
+      mockHttpGet.mockReturnValueOnce(
+        Promise.resolve(JSON.stringify(invalidCreds))
+      );
+    }
+    mockHttpGet.mockReturnValueOnce(Promise.resolve(JSON.stringify(creds)));
+
+    await fromInstanceMetadata({ maxRetries: 100, profile: "foo" })();
+    expect(mockHttpGet.mock.calls.length).toEqual(
+      Object.keys(creds).length + 1
+    );
+  });
+
+  it("should pass relevant configuration to httpGet", async () => {
+    const timeout = Math.ceil(Math.random() * 1000);
+    const profile = "foo-profile";
+    mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+    await fromInstanceMetadata({ timeout, profile })();
+    expect(mockHttpGet.mock.calls.length).toEqual(1);
+    expect(mockHttpGet.mock.calls[0][0]).toEqual({
+      host: "169.254.169.254",
+      path: `/latest/meta-data/iam/security-credentials/${profile}`,
+      timeout
+    });
+  });
+
+  it("should fetch the profile name if not supplied", async () => {
+    const defaultTimeout = 1000;
+    const profile = "foo-profile";
+    mockHttpGet.mockReturnValueOnce(Promise.resolve(profile));
+    mockHttpGet.mockReturnValueOnce(Promise.resolve(JSON.stringify(creds)));
+
+    await fromInstanceMetadata()();
+    expect(mockHttpGet.mock.calls.length).toEqual(2);
+    expect(mockHttpGet.mock.calls[0][0]).toEqual({
+      host: "169.254.169.254",
+      path: "/latest/meta-data/iam/security-credentials/",
+      timeout: defaultTimeout
+    });
+    expect(mockHttpGet.mock.calls[1][0]).toEqual({
+      host: "169.254.169.254",
+      path: `/latest/meta-data/iam/security-credentials/${profile}`,
+      timeout: defaultTimeout
+    });
+  });
+
+  it("should retry the profile name fetch as necessary", async () => {
+    const defaultTimeout = 1000;
+    const profile = "foo-profile";
+    mockHttpGet.mockReturnValueOnce(Promise.reject("Too busy"));
+    mockHttpGet.mockReturnValueOnce(Promise.resolve(profile));
+    mockHttpGet.mockReturnValueOnce(Promise.resolve(JSON.stringify(creds)));
+
+    await fromInstanceMetadata({ maxRetries: 1 })();
+    expect(mockHttpGet.mock.calls.length).toEqual(3);
+    expect(mockHttpGet.mock.calls[2][0]).toEqual({
+      host: "169.254.169.254",
+      path: `/latest/meta-data/iam/security-credentials/${profile}`,
+      timeout: defaultTimeout
+    });
+    for (let index of [0, 1]) {
+      expect(mockHttpGet.mock.calls[index][0]).toEqual({
+        host: "169.254.169.254",
+        path: "/latest/meta-data/iam/security-credentials/",
+        timeout: defaultTimeout
+      });
+    }
+  });
+});

packages/credential-provider-imds/__tests__/remoteProvider/ImdsCredentials.ts

@@ -0,0 +1,55 @@
+import {
+  fromImdsCredentials,
+  ImdsCredentials,
+  isImdsCredentials
+} from "../../lib/remoteProvider/ImdsCredentials";
+import { Credentials } from "@aws/types";
+
+const creds: ImdsCredentials = Object.freeze({
+  AccessKeyId: "foo",
+  SecretAccessKey: "bar",
+  Token: "baz",
+  Expiration: new Date().toISOString()
+});
+
+describe("isImdsCredentials", () => {
+  it("should accept valid ImdsCredentials objects", () => {
+    expect(isImdsCredentials(creds)).toBe(true);
+  });
+
+  it("should reject credentials without an AccessKeyId", () => {
+    expect(isImdsCredentials({ ...creds, AccessKeyId: void 0 })).toBe(false);
+  });
+
+  it("should reject credentials without a SecretAccessKey", () => {
+    expect(isImdsCredentials({ ...creds, SecretAccessKey: void 0 })).toBe(
+      false
+    );
+  });
+
+  it("should reject credentials without a Token", () => {
+    expect(isImdsCredentials({ ...creds, Token: void 0 })).toBe(false);
+  });
+
+  it("should reject credentials without an Expiration", () => {
+    expect(isImdsCredentials({ ...creds, Expiration: void 0 })).toBe(false);
+  });
+
+  it("should reject scalar values", () => {
+    for (let scalar of ["string", 1, true, null, void 0]) {
+      expect(isImdsCredentials(scalar)).toBe(false);
+    }
+  });
+});
+
+describe("fromImdsCredentials", () => {
+  it("should convert IMDS credentials to a credentials object", () => {
+    const converted: Credentials = fromImdsCredentials(creds);
+    expect(converted.accessKeyId).toEqual(creds.AccessKeyId);
+    expect(converted.secretAccessKey).toEqual(creds.SecretAccessKey);
+    expect(converted.sessionToken).toEqual(creds.Token);
+    expect(converted.expiration).toEqual(
+      Math.floor(new Date(creds.Expiration).valueOf() / 1000)
+    );
+  });
+});

packages/credential-provider-imds/__tests__/remoteProvider/RemoteProviderInit.ts

@@ -0,0 +1,24 @@
+import {
+  DEFAULT_MAX_RETRIES,
+  DEFAULT_TIMEOUT,
+  providerConfigFromInit
+} from "../../lib/remoteProvider/RemoteProviderInit";
+
+describe("providerConfigFromInit", () => {
+  it("should populate default values for retries and timeouts", () => {
+    expect(providerConfigFromInit({})).toEqual({
+      timeout: DEFAULT_TIMEOUT,
+      maxRetries: DEFAULT_MAX_RETRIES
+    });
+  });
+
+  it("should pass through timeout and retries overrides", () => {
+    const timeout = 123456789;
+    const maxRetries = 987654321;
+
+    expect(providerConfigFromInit({ timeout, maxRetries })).toEqual({
+      timeout,
+      maxRetries
+    });
+  });
+});