Add support for disable IMDS v1 fallback for regions

Author: cenedhryn

.changes/next-release/feature-AWSSDKforJavav2-2c52c12.json

@@ -2,5 +2,5 @@
     "type": "feature",
     "category": "AWS SDK for Java v2",
     "contributor": "",
-    "description": "Adds setting to disable making EC2 Instance Metadata Service (IMDS) calls for credentials without a token header when prefetching a token does not work. This feature can be configured through environment variables (AWS_EC2_METADATA_V1_DISABLED), system property (aws.disableEc2MetadataV1) or AWS config file (ec2_metadata_v1_disabled). When you configure this setting to true, no calls without token headers will be made to IMDS."
+    "description": "Adds setting to disable making EC2 Instance Metadata Service (IMDS) calls without a token header when prefetching a token does not work. This feature can be configured through environment variables (AWS_EC2_METADATA_V1_DISABLED), system property (aws.disableEc2MetadataV1) or AWS config file (ec2_metadata_v1_disabled). When you configure this setting to true, no calls without token headers will be made to IMDS."
 }

core/regions/src/main/java/software/amazon/awssdk/regions/internal/util/EC2MetadataUtils.java

@@ -33,6 +33,7 @@
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.core.exception.SdkServiceException;
 import software.amazon.awssdk.core.util.SdkUserAgent;
+import software.amazon.awssdk.profiles.ProfileProperty;
 import software.amazon.awssdk.protocols.jsoncore.JsonNode;
 import software.amazon.awssdk.protocols.jsoncore.JsonNodeParser;
 import software.amazon.awssdk.regions.util.HttpResourcesUtils;
@@ -54,11 +55,13 @@
  * retrieve their content from the Amazon S3 bucket you specify at launch. To
  * add a new customer at any time, simply create a bucket for the customer, add
  * their content, and launch your AMI.<br>
- *
- * <P>
+ * <p>
  * If {@link SdkSystemSetting#AWS_EC2_METADATA_DISABLED} is set to true, EC2 metadata usage
  * will be disabled and {@link SdkClientException} will be thrown for any metadata retrieval attempt.
- *
+ * <p>
+ * If {@link SdkSystemSetting#AWS_EC2_METADATA_V1_DISABLED} or {@link ProfileProperty#EC2_METADATA_V1_DISABLED}
+ * is set to true, data will only be loaded from EC2 metadata service if a token is successfully retrieved -
+ * fallback to load data without a token will be disabled.
  * <p>
  * More information about Amazon EC2 Metadata
  *
@@ -434,9 +437,28 @@ public static String getToken() {
                         .cause(e)
                         .build();
             }
+            return handleTokenErrorResponse(e);
+        }
+    }
 
-            return null;
+    private static String handleTokenErrorResponse(Exception e) {
+        if (isInsecureFallbackDisabled()) {
+            String message = String.format("Failed to retrieve IMDS token, and fallback to IMDS v1 is disabled via the "
+                                           + "%s system property, %s environment variable, or %s configuration file profile"
+                                           + " setting.",
+                                           SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.environmentVariable(),
+                                           SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.property(),
+                                           ProfileProperty.EC2_METADATA_V1_DISABLED);
+            throw SdkClientException.builder()
+                                    .message(message)
+                                    .cause(e)
+                                    .build();
         }
+        return null;
+    }
+
+    private static boolean isInsecureFallbackDisabled() {
+        return Ec2MetadataDisableV1Resolver.create().resolve();
     }
 
     private static String fetchData(String path) {

core/regions/src/main/java/software/amazon/awssdk/regions/internal/util/Ec2MetadataDisableV1Resolver.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.regions.internal.util;
+
+import java.util.Optional;
+import java.util.function.Supplier;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.core.SdkSystemSetting;
+import software.amazon.awssdk.profiles.ProfileFile;
+import software.amazon.awssdk.profiles.ProfileFileSystemSetting;
+import software.amazon.awssdk.profiles.ProfileProperty;
+import software.amazon.awssdk.utils.OptionalUtils;
+
+@SdkInternalApi
+public final class Ec2MetadataDisableV1Resolver {
+
+    private Ec2MetadataDisableV1Resolver() {
+    }
+
+    public static Ec2MetadataDisableV1Resolver create() {
+        return new Ec2MetadataDisableV1Resolver();
+    }
+
+    public boolean resolve() {
+        return OptionalUtils.firstPresent(fromSystemSettings(), Ec2MetadataDisableV1Resolver::fromProfileFile)
+                            .orElse(false);
+    }
+
+    private static Optional<Boolean> fromSystemSettings() {
+        return SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.getBooleanValue();
+    }
+
+    private static Optional<Boolean> fromProfileFile() {
+        Supplier<ProfileFile> profileFile = ProfileFile::defaultProfileFile;
+        String profileName = ProfileFileSystemSetting.AWS_PROFILE.getStringValueOrThrow();
+        if (profileFile.get() == null) {
+            return Optional.empty();
+        }
+        return profileFile.get()
+                          .profile(profileName)
+                          .flatMap(p -> p.property(ProfileProperty.EC2_METADATA_V1_DISABLED))
+                          .map(Ec2MetadataDisableV1Resolver::safeProfileStringToBoolean);
+    }
+
+    private static boolean safeProfileStringToBoolean(String value) {
+        if (value.equalsIgnoreCase("true")) {
+            return true;
+        }
+        if (value.equalsIgnoreCase("false")) {
+            return false;
+        }
+
+        throw new IllegalStateException("Profile property '" + ProfileProperty.EC2_METADATA_V1_DISABLED + "', "
+                                        + "was defined as '" + value + "', but should be 'false' or 'true'");
+    }
+
+}

core/regions/src/main/java/software/amazon/awssdk/regions/providers/InstanceProfileRegionProvider.java

@@ -18,16 +18,20 @@
 import software.amazon.awssdk.annotations.SdkProtectedApi;
 import software.amazon.awssdk.core.SdkSystemSetting;
 import software.amazon.awssdk.core.exception.SdkClientException;
+import software.amazon.awssdk.profiles.ProfileProperty;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.regions.internal.util.EC2MetadataUtils;
 
 /**
  * Attempts to load region information from the EC2 Metadata service. If the application is not
- * running on EC2 this provider will thrown an exception.
- *
- * <P>
+ * running on EC2 this provider will throw an exception.
+ * <p>
  * If {@link SdkSystemSetting#AWS_EC2_METADATA_DISABLED} is set to true, it will not try to load
  * region from EC2 metadata service and will return null.
+ * <p>
+ * If {@link SdkSystemSetting#AWS_EC2_METADATA_V1_DISABLED} or {@link ProfileProperty#EC2_METADATA_V1_DISABLED}
+ * is set to true, the region will only be loaded from EC2 metadata service if a token is successfully retrieved -
+ * fallback to load region without a token will be disabled.
  */
 @SdkProtectedApi
 public final class InstanceProfileRegionProvider implements AwsRegionProvider {

core/regions/src/test/java/software/amazon/awssdk/regions/internal/util/EC2MetadataUtilsTest.java

@@ -39,10 +39,10 @@ public class EC2MetadataUtilsTest {
     private static final String TOKEN_RESOURCE_PATH = "/latest/api/token";
     private static final String TOKEN_HEADER = "x-aws-ec2-metadata-token";
     private static final String EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
-
     private static final String EC2_METADATA_ROOT = "/latest/meta-data";
-
     private static final String AMI_ID_RESOURCE = EC2_METADATA_ROOT + "/ami-id";
+    private static final String TOKEN_STUB = "some-token";
+    private static final String EMPTY_BODY = "{}";
 
 
     @Rule
@@ -59,28 +59,27 @@ public void methodSetup() {
 
     @Test
     public void getToken_queriesCorrectPath() {
-        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody("some-token")));
+        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody(TOKEN_STUB)));
 
         String token = EC2MetadataUtils.getToken();
-        assertThat(token).isEqualTo("some-token");
+        assertThat(token).isEqualTo(TOKEN_STUB);
 
         WireMock.verify(putRequestedFor(urlPathEqualTo(TOKEN_RESOURCE_PATH)).withHeader(EC2_METADATA_TOKEN_TTL_HEADER, equalTo("21600")));
     }
 
     @Test
     public void getAmiId_queriesAndIncludesToken() {
-        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody("some-token")));
+        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody(TOKEN_STUB)));
         stubFor(get(urlPathEqualTo(AMI_ID_RESOURCE)).willReturn(aResponse().withBody("{}")));
 
         EC2MetadataUtils.getAmiId();
 
         WireMock.verify(putRequestedFor(urlPathEqualTo(TOKEN_RESOURCE_PATH)).withHeader(EC2_METADATA_TOKEN_TTL_HEADER, equalTo("21600")));
-        WireMock.verify(getRequestedFor(urlPathEqualTo(AMI_ID_RESOURCE)).withHeader(TOKEN_HEADER, equalTo("some-token")));
+        WireMock.verify(getRequestedFor(urlPathEqualTo(AMI_ID_RESOURCE)).withHeader(TOKEN_HEADER, equalTo(TOKEN_STUB)));
     }
 
     @Test
     public void getAmiId_tokenQueryTimeout_fallsBackToInsecure() {
-
         stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withFixedDelay(Integer.MAX_VALUE)));
         stubFor(get(urlPathEqualTo(AMI_ID_RESOURCE)).willReturn(aResponse().withBody("{}")));
 
@@ -93,7 +92,7 @@ public void getAmiId_tokenQueryTimeout_fallsBackToInsecure() {
     @Test
     public void getAmiId_queriesTokenResource_403Error_fallbackToInsecure() {
         stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withStatus(403).withBody("oops")));
-        stubFor(get(urlPathEqualTo(AMI_ID_RESOURCE)).willReturn(aResponse().withBody("{}")));
+        stubFor(get(urlPathEqualTo(AMI_ID_RESOURCE)).willReturn(aResponse().withBody(EMPTY_BODY)));
 
         EC2MetadataUtils.getAmiId();
 
@@ -104,7 +103,7 @@ public void getAmiId_queriesTokenResource_403Error_fallbackToInsecure() {
     @Test
     public void getAmiId_queriesTokenResource_404Error_fallbackToInsecure() {
         stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withStatus(404).withBody("oops")));
-        stubFor(get(urlPathEqualTo(AMI_ID_RESOURCE)).willReturn(aResponse().withBody("{}")));
+        stubFor(get(urlPathEqualTo(AMI_ID_RESOURCE)).willReturn(aResponse().withBody(EMPTY_BODY)));
 
         EC2MetadataUtils.getAmiId();
 
@@ -115,14 +114,43 @@ public void getAmiId_queriesTokenResource_404Error_fallbackToInsecure() {
     @Test
     public void getAmiId_queriesTokenResource_405Error_fallbackToInsecure() {
         stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withStatus(405).withBody("oops")));
-        stubFor(get(urlPathEqualTo(AMI_ID_RESOURCE)).willReturn(aResponse().withBody("{}")));
+        stubFor(get(urlPathEqualTo(AMI_ID_RESOURCE)).willReturn(aResponse().withBody(EMPTY_BODY)));
 
         EC2MetadataUtils.getAmiId();
 
         WireMock.verify(putRequestedFor(urlPathEqualTo(TOKEN_RESOURCE_PATH)).withHeader(EC2_METADATA_TOKEN_TTL_HEADER, equalTo("21600")));
         WireMock.verify(getRequestedFor(urlPathEqualTo(AMI_ID_RESOURCE)).withoutHeader(TOKEN_HEADER));
     }
 
+    @Test
+    public void getAmiId_fallbackToInsecureDisabledThroughProperty_throwsWhenTokenFails() {
+        System.setProperty(SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.property(), "true");
+        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withStatus(403).withBody("oops")));
+        try {
+            EC2MetadataUtils.getAmiId();
+        } catch (Exception e) {
+            assertThat(e).isInstanceOf(SdkClientException.class);
+            assertThat(e).hasMessageContaining("fallback to IMDS v1 is disabled");
+        }
+        finally {
+            System.clearProperty(SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.property());
+        }
+    }
+
+    @Test
+    public void getAmiId_fallbackToInsecureDisabledThroughProperty_returnsDataWhenTokenReturned() {
+        System.setProperty(SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.property(), "true");
+        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody(TOKEN_STUB)));
+        stubFor(get(urlPathEqualTo(AMI_ID_RESOURCE)).willReturn(aResponse().withBody("{}")));
+        try {
+            EC2MetadataUtils.getAmiId();
+            WireMock.verify(putRequestedFor(urlPathEqualTo(TOKEN_RESOURCE_PATH)).withHeader(EC2_METADATA_TOKEN_TTL_HEADER, equalTo("21600")));
+            WireMock.verify(getRequestedFor(urlPathEqualTo(AMI_ID_RESOURCE)).withHeader(TOKEN_HEADER, equalTo(TOKEN_STUB)));
+        } finally {
+            System.clearProperty(SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.property());
+        }
+    }
+
     @Test
     public void getAmiId_queriesTokenResource_400Error_throws() {
         thrown.expect(SdkClientException.class);
@@ -140,7 +168,7 @@ public void fetchDataWithAttemptNumber_ioError_shouldHonor() {
         thrown.expect(SdkClientException.class);
         thrown.expectMessage("Unable to contact EC2 metadata service");
 
-        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody("some-token")));;
+        stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody(TOKEN_STUB)));
         stubFor(get(urlPathEqualTo(AMI_ID_RESOURCE)).willReturn(aResponse().withFault(Fault.CONNECTION_RESET_BY_PEER)));
 
         EC2MetadataUtils.fetchData(AMI_ID_RESOURCE, false, attempts);

core/regions/src/test/java/software/amazon/awssdk/regions/internal/util/Ec2MetadataDisableV1ResolverTest.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.regions.internal.util;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+import java.util.stream.Stream;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+import software.amazon.awssdk.core.SdkSystemSetting;
+import software.amazon.awssdk.testutils.EnvironmentVariableHelper;
+
+public class Ec2MetadataDisableV1ResolverTest {
+
+    private static final EnvironmentVariableHelper ENVIRONMENT_VARIABLE_HELPER = new EnvironmentVariableHelper();
+
+    @BeforeEach
+    public void methodSetup() {
+        ENVIRONMENT_VARIABLE_HELPER.reset();
+        System.clearProperty(SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.property());
+    }
+
+    @ParameterizedTest(name = "{index} - EXPECTED:{3}  (sys:{0}, env:{1}, cfg:{2})")
+    @MethodSource("booleanConfigValues")
+    public void resolveDisableValue_whenBoolean_resolvesCorrectly(
+        String systemProperty, String envVar, boolean expected) {
+
+        setUpSystemSettings(systemProperty, envVar);
+
+        Ec2MetadataDisableV1Resolver resolver = Ec2MetadataDisableV1Resolver.create();
+        assertThat(resolver.resolve()).isEqualTo(expected);
+    }
+
+    private static Stream<Arguments> booleanConfigValues() {
+        return Stream.of(
+            Arguments.of(null, null, false),
+            Arguments.of("false", null, false),
+            Arguments.of("true", null, true),
+            Arguments.of(null, "false", false),
+            Arguments.of(null, "true", true),
+            Arguments.of(null, null, false),
+            Arguments.of("false", "true", false),
+            Arguments.of("true", "false", true)
+        );
+    }
+
+    @ParameterizedTest(name = "{index} - sys:{0}, env:{1}")
+    @MethodSource("nonBooleanConfigValues")
+    public void resolveDisableValue_whenNonBoolean_throws(String systemProperty, String envVar) {
+        setUpSystemSettings(systemProperty, envVar);
+
+        Ec2MetadataDisableV1Resolver resolver = Ec2MetadataDisableV1Resolver.create();
+        assertThatThrownBy(resolver::resolve).isInstanceOf(IllegalStateException.class)
+                                             .hasMessageContaining("but should be 'false' or 'true'");
+    }
+
+    private static Stream<Arguments> nonBooleanConfigValues() {
+        return Stream.of(
+            Arguments.of("foo", null, null),
+            Arguments.of(null, "foo", null)
+        );
+    }
+
+    private static void setUpSystemSettings(String systemProperty, String envVar) {
+        if (systemProperty != null) {
+            System.setProperty(SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.property(), systemProperty);
+
+        }
+        if (envVar != null) {
+            ENVIRONMENT_VARIABLE_HELPER.set(SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.environmentVariable(),
+                                            envVar);
+        }
+    }
+}