bugfix: correct handling of non-success errors in ecs credential provider (#710)

Author: lucix-aws

.changes/5c8b043d-ea3d-43da-9db3-9978ddf9b9ff.json

@@ -0,0 +1,8 @@
+{
+    "id": "5c8b043d-ea3d-43da-9db3-9978ddf9b9ff",
+    "type": "bugfix",
+    "description": "Correct handling of non-success responses when retrieving credentials on ECS.",
+    "issues": [
+        "awslabs/aws-sdk-kotlin#697"
+    ]
+}

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/EcsCredentialsProvider.kt

@@ -8,7 +8,7 @@ package aws.sdk.kotlin.runtime.auth.credentials
 import aws.sdk.kotlin.runtime.config.AwsSdkSetting
 import aws.sdk.kotlin.runtime.config.AwsSdkSetting.AwsContainerCredentialsRelativeUri
 import aws.sdk.kotlin.runtime.config.resolve
-import aws.smithy.kotlin.runtime.ServiceException
+import aws.smithy.kotlin.runtime.ErrorMetadata
 import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
 import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
 import aws.smithy.kotlin.runtime.client.ExecutionContext
@@ -172,21 +172,46 @@ public class EcsCredentialsProvider internal constructor(
 
 private class EcsCredentialsDeserializer : HttpDeserialize<Credentials> {
     override suspend fun deserialize(context: ExecutionContext, response: HttpResponse): Credentials {
+        if (!response.status.isSuccess()) {
+            throwCredentialsResponseException(response)
+        }
+
         val payload = response.body.readAll() ?: throw CredentialsProviderException("HTTP credentials response did not contain a payload")
         val deserializer = JsonDeserializer(payload)
-        return when (val resp = deserializeJsonCredentials(deserializer)) {
-            is JsonCredentialsResponse.SessionCredentials -> Credentials(
-                resp.accessKeyId,
-                resp.secretAccessKey,
-                resp.sessionToken,
-                resp.expiration,
-                PROVIDER_NAME,
-            )
-            is JsonCredentialsResponse.Error -> throw CredentialsProviderException("Error retrieving credentials from container service: code=${resp.code}; message=${resp.message}")
+        val resp = deserializeJsonCredentials(deserializer)
+        if (resp !is JsonCredentialsResponse.SessionCredentials) {
+            throw CredentialsProviderException("HTTP credentials response was not of expected format")
         }
+
+        return Credentials(
+            resp.accessKeyId,
+            resp.secretAccessKey,
+            resp.sessionToken,
+            resp.expiration,
+            PROVIDER_NAME,
+        )
+    }
+}
+
+private suspend fun throwCredentialsResponseException(response: HttpResponse): Nothing {
+    val errorResp = tryParseErrorResponse(response)
+    val messageDetails = errorResp?.run { "code=$code; message=$message" } ?: "HTTP ${response.status}"
+
+    throw CredentialsProviderException("Error retrieving credentials from container service: $messageDetails").apply {
+        sdkErrorMetadata.attributes[ErrorMetadata.ThrottlingError] = response.status == HttpStatusCode.TooManyRequests
+        sdkErrorMetadata.attributes[ErrorMetadata.Retryable] =
+            sdkErrorMetadata.isThrottling ||
+            response.status.category() == HttpStatusCode.Category.SERVER_ERROR
     }
 }
 
+private suspend fun tryParseErrorResponse(response: HttpResponse): JsonCredentialsResponse.Error? {
+    if (response.headers["Content-Type"] != "application/json") return null
+    val payload = response.body.readAll() ?: return null
+
+    return deserializeJsonCredentials(JsonDeserializer(payload)) as? JsonCredentialsResponse.Error
+}
+
 private class EcsCredentialsSerializer(
     private val authToken: String? = null,
 ) : HttpSerialize<Unit> {
@@ -209,14 +234,10 @@ internal class EcsCredentialsRetryPolicy : RetryPolicy<Any?> {
     }
 
     private fun evaluate(throwable: Throwable): RetryDirective = when (throwable) {
-        is ServiceException -> {
-            val httpResp = throwable.sdkErrorMetadata.protocolResponse as? HttpResponse
-            val status = httpResp?.status
-            if (status?.category() == HttpStatusCode.Category.SERVER_ERROR) {
-                RetryDirective.RetryError(RetryErrorType.ServerSide)
-            } else {
-                RetryDirective.TerminateAndFail
-            }
+        is CredentialsProviderException -> when {
+            throwable.sdkErrorMetadata.isThrottling -> RetryDirective.RetryError(RetryErrorType.Throttling)
+            throwable.sdkErrorMetadata.isRetryable -> RetryDirective.RetryError(RetryErrorType.ServerSide)
+            else -> RetryDirective.TerminateAndFail
         }
         else -> RetryDirective.TerminateAndFail
     }

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/JsonCredentialsDeserializer.kt

@@ -53,7 +53,7 @@ internal sealed class JsonCredentialsResponse {
     /**
      * Response successfully parsed as an error response
      */
-    data class Error(val code: String, val message: String?) : JsonCredentialsResponse()
+    data class Error(val code: String?, val message: String?) : JsonCredentialsResponse()
 }
 
 /**
@@ -125,6 +125,6 @@ internal suspend fun deserializeJsonCredentials(deserializer: Deserializer): Jso
             if (expiration == null) throw InvalidJsonCredentialsException("missing field `Expiration`")
             JsonCredentialsResponse.SessionCredentials(accessKeyId!!, secretAccessKey!!, sessionToken!!, expiration!!)
         }
-        else -> JsonCredentialsResponse.Error(code!!, message)
+        else -> JsonCredentialsResponse.Error(code, message)
     }
 }

aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/auth/credentials/EcsCredentialsProviderTest.kt

@@ -20,6 +20,7 @@ import aws.smithy.kotlin.runtime.http.request.url
 import aws.smithy.kotlin.runtime.http.response.HttpResponse
 import aws.smithy.kotlin.runtime.httptest.TestConnection
 import aws.smithy.kotlin.runtime.httptest.buildTestConnection
+import aws.smithy.kotlin.runtime.retries.StandardRetryStrategyOptions
 import aws.smithy.kotlin.runtime.time.Instant
 import aws.smithy.kotlin.runtime.time.TimestampFormat
 import io.kotest.matchers.string.shouldContain
@@ -57,16 +58,12 @@ class EcsCredentialsProviderTest {
         return HttpResponse(HttpStatusCode.OK, Headers.Empty, ByteArrayContent(payload))
     }
 
-    private fun errorResponse(): HttpResponse {
-        val payload = """
-        {
-            "Code" : "TestError",
-            "LastUpdated" : "2021-09-17T20:57:08Z",
-            "Message": "Test error code response"
-        }
-        """.encodeToByteArray()
-        return HttpResponse(HttpStatusCode.BadRequest, Headers.Empty, ByteArrayContent(payload))
-    }
+    private fun errorResponse(
+        statusCode: HttpStatusCode = HttpStatusCode.BadRequest,
+        headers: Headers = Headers.Empty,
+        body: String = "",
+    ): HttpResponse =
+        HttpResponse(statusCode, headers, ByteArrayContent(body.encodeToByteArray()))
 
     private fun ecsRequest(url: String, authToken: String? = null): HttpRequest {
         val resolvedUrl = Url.parse(url)
@@ -207,7 +204,117 @@ class EcsCredentialsProviderTest {
         val provider = EcsCredentialsProvider(testPlatform, engine)
         assertFailsWith<CredentialsProviderException> {
             provider.getCredentials()
-        }.message.shouldContain("Error retrieving credentials from container service: code=TestError; message=Test error code response")
+        }.message.shouldContain("Error retrieving credentials from container service: HTTP 400: Bad Request")
+
+        engine.assertRequests()
+    }
+
+    @Test
+    fun testThrottledErrorResponse() = runTest {
+        val engine = buildTestConnection {
+            repeat(StandardRetryStrategyOptions.Default.maxAttempts) {
+                expect(
+                    ecsRequest("http://169.254.170.2/relative"),
+                    errorResponse(statusCode = HttpStatusCode.TooManyRequests),
+                )
+            }
+        }
+
+        val testPlatform = TestPlatformProvider(
+            env = mapOf(AwsSdkSetting.AwsContainerCredentialsRelativeUri.environmentVariable to "/relative"),
+        )
+
+        val provider = EcsCredentialsProvider(testPlatform, engine)
+        assertFailsWith<CredentialsProviderException> {
+            provider.getCredentials()
+        }.message.shouldContain("Error retrieving credentials from container service: HTTP 429: Too Many Requests")
+
+        engine.assertRequests()
+    }
+
+    @Test
+    fun testJsonErrorResponse() = runTest {
+        val engine = buildTestConnection {
+            expect(
+                ecsRequest("http://169.254.170.2/relative"),
+                errorResponse(
+                    HttpStatusCode.BadRequest,
+                    Headers { append("Content-Type", "application/json") },
+                    """
+                        {
+                            "Code": "failed",
+                            "Message": "request was malformed"
+                        }
+                    """,
+                ),
+            )
+        }
+
+        val testPlatform = TestPlatformProvider(
+            env = mapOf(AwsSdkSetting.AwsContainerCredentialsRelativeUri.environmentVariable to "/relative"),
+        )
+
+        val provider = EcsCredentialsProvider(testPlatform, engine)
+        assertFailsWith<CredentialsProviderException> {
+            provider.getCredentials()
+        }.message.shouldContain("Error retrieving credentials from container service: code=failed; message=request was malformed")
+
+        engine.assertRequests()
+    }
+
+    @Test
+    fun testThrottledJsonErrorResponse() = runTest {
+        val engine = buildTestConnection {
+            repeat(StandardRetryStrategyOptions.Default.maxAttempts) {
+                expect(
+                    ecsRequest("http://169.254.170.2/relative"),
+                    errorResponse(
+                        HttpStatusCode.TooManyRequests,
+                        Headers { append("Content-Type", "application/json") },
+                        """
+                        {
+                            "Code": "failed",
+                            "Message": "too many requests"
+                        }
+                    """,
+                    ),
+                )
+            }
+        }
+
+        val testPlatform = TestPlatformProvider(
+            env = mapOf(AwsSdkSetting.AwsContainerCredentialsRelativeUri.environmentVariable to "/relative"),
+        )
+
+        val provider = EcsCredentialsProvider(testPlatform, engine)
+        assertFailsWith<CredentialsProviderException> {
+            provider.getCredentials()
+        }.message.shouldContain("Error retrieving credentials from container service: code=failed; message=too many requests")
+
+        engine.assertRequests()
+    }
+
+    @Test
+    fun test5XXErrorResponse() = runTest {
+        val engine = buildTestConnection {
+            repeat(StandardRetryStrategyOptions.Default.maxAttempts) {
+                expect(
+                    ecsRequest("http://169.254.170.2/relative"),
+                    errorResponse(
+                        HttpStatusCode.BadGateway,
+                    ),
+                )
+            }
+        }
+
+        val testPlatform = TestPlatformProvider(
+            env = mapOf(AwsSdkSetting.AwsContainerCredentialsRelativeUri.environmentVariable to "/relative"),
+        )
+
+        val provider = EcsCredentialsProvider(testPlatform, engine)
+        assertFailsWith<CredentialsProviderException> {
+            provider.getCredentials()
+        }.message.shouldContain("Error retrieving credentials from container service: HTTP 502: Bad Gateway")
 
         engine.assertRequests()
     }