Merge pull request #1567 from dagnir/imds-token-other-calls

Add token path for other IMDS calls

Author: dagnir

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java

@@ -22,11 +22,11 @@
 import software.amazon.awssdk.annotations.SdkPublicApi;
 import software.amazon.awssdk.core.SdkSystemSetting;
 import software.amazon.awssdk.core.exception.SdkClientException;
-import software.amazon.awssdk.core.exception.SdkServiceException;
+
 import software.amazon.awssdk.core.internal.util.UserAgentUtils;
+import software.amazon.awssdk.regions.internal.util.EC2MetadataUtils;
 import software.amazon.awssdk.regions.util.HttpResourcesUtils;
 import software.amazon.awssdk.regions.util.ResourcesEndpointProvider;
-import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.ToString;
 
 /**
@@ -38,15 +38,9 @@
  */
 @SdkPublicApi
 public final class InstanceProfileCredentialsProvider extends HttpCredentialsProvider {
-    private static final Logger log = Logger.loggerFor(InstanceProfileCredentialsProvider.class);
-
-    private static final String TOKEN_RESOURCE_PATH = "/latest/api/token";
     private static final String EC2_METADATA_TOKEN_HEADER = "x-aws-ec2-metadata-token";
-    private static final String EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
-    private static final String DEFAULT_TOKEN_TTL = "21600";
 
     private static final String SECURITY_CREDENTIALS_RESOURCE = "/latest/meta-data/iam/security-credentials/";
-    private final InstanceProviderTokenEndpointProvider tokenEndpointProvider = new InstanceProviderTokenEndpointProvider();
 
     /**
      * @see #builder()
@@ -87,28 +81,7 @@ public String toString() {
     }
 
     private String getToken() {
-        try {
-            return HttpResourcesUtils.instance().readResource(getTokenEndpointProvider(), "PUT");
-        } catch (Exception e) {
-            log.debug(() -> "Error retrieving credentials metadata token", e);
-
-            boolean is400ServiceException = e instanceof SdkServiceException
-                    && ((SdkServiceException) e).statusCode() == 400;
-
-            // Credentials resolution must not continue to the token-less flow for a 400
-            if (is400ServiceException) {
-                throw SdkClientException.builder()
-                        .message("Unable to load credentials from service endpoint")
-                        .cause(e)
-                        .build();
-            }
-
-            return null;
-        }
-    }
-
-    private ResourcesEndpointProvider getTokenEndpointProvider() {
-        return tokenEndpointProvider;
+        return EC2MetadataUtils.getToken();
     }
 
     private static ResourcesEndpointProvider includeTokenHeader(ResourcesEndpointProvider provider, String token) {
@@ -170,27 +143,6 @@ public Map<String, String> headers() {
         }
     }
 
-    private static final class InstanceProviderTokenEndpointProvider implements ResourcesEndpointProvider {
-        @Override
-        public URI endpoint() {
-            String host = SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.getStringValueOrThrow();
-            if (host.endsWith("/")) {
-                host = host.substring(0, host.length() - 1);
-            }
-            return URI.create(host + TOKEN_RESOURCE_PATH);
-        }
-
-        @Override
-        public Map<String, String> headers() {
-            Map<String, String> requestHeaders = new HashMap<>();
-            requestHeaders.put("User-Agent", UserAgentUtils.getUserAgent());
-            requestHeaders.put("Accept", "*/*");
-            requestHeaders.put("Connection", "keep-alive");
-            requestHeaders.put(EC2_METADATA_TOKEN_TTL_HEADER, DEFAULT_TOKEN_TTL);
-
-            return requestHeaders;
-        }
-    }
 
     /**
      * A builder for creating a custom a {@link InstanceProfileCredentialsProvider}.

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderTest.java

@@ -168,7 +168,7 @@ public void resolveCredentials_queriesTokenResource_405Error_fallbackToInsecure(
     @Test
     public void resolveCredentials_queriesTokenResource_400Error_throws() {
         thrown.expect(SdkClientException.class);
-        thrown.expectMessage("Unable to load credentials");
+        thrown.expectMessage("token");
 
         stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withStatus(400).withBody("oops")));
 

core/regions/src/main/java/software/amazon/awssdk/regions/internal/util/EC2MetadataUtils.java

@@ -35,10 +35,14 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.annotations.SdkTestInternalApi;
 import software.amazon.awssdk.core.SdkSystemSetting;
 import software.amazon.awssdk.core.exception.SdkClientException;
+import software.amazon.awssdk.core.exception.SdkServiceException;
+import software.amazon.awssdk.core.internal.util.UserAgentUtils;
 import software.amazon.awssdk.core.util.json.JacksonUtils;
 import software.amazon.awssdk.regions.util.HttpResourcesUtils;
+import software.amazon.awssdk.regions.util.ResourcesEndpointProvider;
 
 /**
  * Utility class for retrieving Amazon EC2 instance metadata.<br>
@@ -71,12 +75,18 @@ public final class EC2MetadataUtils {
     private static final String EC2_METADATA_ROOT = "/latest/meta-data";
     private static final String EC2_USERDATA_ROOT = "/latest/user-data/";
     private static final String EC2_DYNAMICDATA_ROOT = "/latest/dynamic/";
+
+    private static final String EC2_METADATA_TOKEN_HEADER = "x-aws-ec2-metadata-token";
+
     private static final int DEFAULT_QUERY_RETRIES = 3;
     private static final int MINIMUM_RETRY_WAIT_TIME_MILLISECONDS = 250;
     private static final ObjectMapper MAPPER = new ObjectMapper();
     private static final Logger log = LoggerFactory.getLogger(EC2MetadataUtils.class);
     private static Map<String, String> cache = new ConcurrentHashMap<>();
 
+    private static final InstanceProviderTokenEndpointProvider TOKEN_ENDPOINT_PROVIDER =
+            new InstanceProviderTokenEndpointProvider();
+
     private EC2MetadataUtils() {}
 
     static {
@@ -379,6 +389,11 @@ public static List<String> getItems(String path, int tries) {
         return getItems(path, tries, false);
     }
 
+    @SdkTestInternalApi
+    static void clearCache() {
+        cache.clear();
+    }
+
     private static List<String> getItems(String path, int tries, boolean slurp) {
         if (tries == 0) {
             throw SdkClientException.builder().message("Unable to contact EC2 metadata service.").build();
@@ -389,9 +404,12 @@ private static List<String> getItems(String path, int tries, boolean slurp) {
         }
 
         List<String> items;
+
+        String token = getToken();
+
         try {
             String hostAddress = SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.getStringValueOrThrow();
-            String response = HttpResourcesUtils.instance().readResource(new URI(hostAddress + path));
+            String response = doReadResource(new URI(hostAddress + path), token);
             if (slurp) {
                 items = Collections.singletonList(response);
             } else {
@@ -414,6 +432,31 @@ private static List<String> getItems(String path, int tries, boolean slurp) {
         }
     }
 
+    private static String doReadResource(URI resource, String token) throws IOException {
+        return HttpResourcesUtils.instance().readResource(new DefaultEndpointProvider(resource, token), "GET");
+    }
+
+    public static String getToken() {
+        try {
+            return HttpResourcesUtils.instance().readResource(TOKEN_ENDPOINT_PROVIDER, "PUT");
+        } catch (Exception e) {
+
+            boolean is400ServiceException = e instanceof SdkServiceException
+                    && ((SdkServiceException) e).statusCode() == 400;
+
+            // metadata resolution must not continue to the token-less flow for a 400
+            if (is400ServiceException) {
+                throw SdkClientException.builder()
+                        .message("Unable to fetch metadata token")
+                        .cause(e)
+                        .build();
+            }
+
+            return null;
+        }
+    }
+
+
     private static String fetchData(String path) {
         return fetchData(path, false);
     }
@@ -428,6 +471,8 @@ private static String fetchData(String path, boolean force) {
                 cache.put(path, getData(path));
             }
             return cache.get(path);
+        } catch (SdkClientException e) {
+            throw e;
         } catch (RuntimeException e) {
             return null;
         }
@@ -758,4 +803,33 @@ private List<String> getItems(String key) {
             }
         }
     }
+
+    private static final class DefaultEndpointProvider implements ResourcesEndpointProvider {
+        private final URI endpoint;
+        private final String metadataToken;
+
+        private DefaultEndpointProvider(URI endpoint, String metadataToken) {
+            this.endpoint = endpoint;
+            this.metadataToken = metadataToken;
+        }
+
+        @Override
+        public URI endpoint() {
+            return endpoint;
+        }
+
+        @Override
+        public Map<String, String> headers() {
+            Map<String, String> requestHeaders = new HashMap<>();
+            requestHeaders.put("User-Agent", UserAgentUtils.getUserAgent());
+            requestHeaders.put("Accept", "*/*");
+            requestHeaders.put("Connection", "keep-alive");
+
+            if (metadataToken != null) {
+                requestHeaders.put(EC2_METADATA_TOKEN_HEADER, metadataToken);
+            }
+
+            return requestHeaders;
+        }
+    }
 }

core/regions/src/main/java/software/amazon/awssdk/regions/internal/util/InstanceProviderTokenEndpointProvider.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.regions.internal.util;
+
+import java.net.URI;
+import java.util.HashMap;
+import java.util.Map;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.core.SdkSystemSetting;
+import software.amazon.awssdk.core.internal.util.UserAgentUtils;
+import software.amazon.awssdk.regions.util.ResourcesEndpointProvider;
+
+@SdkInternalApi
+public final class InstanceProviderTokenEndpointProvider implements ResourcesEndpointProvider {
+    private static final String TOKEN_RESOURCE_PATH = "/latest/api/token";
+    private static final String EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
+    private static final String DEFAULT_TOKEN_TTL = "21600";
+
+    @Override
+    public URI endpoint() {
+        String host = SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.getStringValueOrThrow();
+        if (host.endsWith("/")) {
+            host = host.substring(0, host.length() - 1);
+        }
+        return URI.create(host + TOKEN_RESOURCE_PATH);
+    }
+
+    @Override
+    public Map<String, String> headers() {
+        Map<String, String> requestHeaders = new HashMap<>();
+        requestHeaders.put("User-Agent", UserAgentUtils.getUserAgent());
+        requestHeaders.put("Accept", "*/*");
+        requestHeaders.put("Connection", "keep-alive");
+        requestHeaders.put(EC2_METADATA_TOKEN_TTL_HEADER, DEFAULT_TOKEN_TTL);
+
+        return requestHeaders;
+    }
+}

core/regions/src/test/java/software/amazon/awssdk/regions/internal/util/EC2MetadataUtilsServer.java

@@ -90,7 +90,7 @@ private void handleConnection(BufferedReader input,
         if (parts.length != 3) {
             throw new RuntimeException("Bogus request: " + line);
         }
-        if (!"GET".equals(parts[0])) {
+        if (!"GET".equals(parts[0]) && !"PUT".equals(parts[0])) {
             throw new RuntimeException("Bogus verb: " + line);
         }
 
@@ -107,13 +107,13 @@ private void handleConnection(BufferedReader input,
             .startsWith("/latest/meta-data/iam/security-credentials/")) {
 
             outputIamCred(output);
-
         } else if (path.equals("/latest/dynamic/instance-identity/document")) {
             outputInstanceInfo(output);
 
         } else if (path.equals("/latest/dynamic/instance-identity/signature")) {
             outputInstanceSignature(output);
-
+        } else if (path.equals("/latest/api/token")) {
+            outputToken(output);
         } else {
             throw new RuntimeException("Unknown path: " + path);
         }
@@ -132,6 +132,18 @@ private void ignoreRequest(BufferedReader input) throws IOException {
         }
     }
 
+    private void outputToken(PrintWriter output) {
+        String payload = "test-token";
+
+        output.println("HTTP/1.1 200 OK");
+        output.println("Connection: close");
+        output.println("Content-Length: " + payload.length());
+        output.println();
+
+        output.print(payload);
+        output.flush();
+    }
+
     private void outputIamInfo(PrintWriter output) throws IOException {
 
         String payload =