feat(rt): implement retries for imds (#404)

Author: aajtodd

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/imds/ImdsClient.kt

@@ -17,11 +17,13 @@ import aws.smithy.kotlin.runtime.client.SdkLogMode
 import aws.smithy.kotlin.runtime.http.*
 import aws.smithy.kotlin.runtime.http.engine.HttpClientEngine
 import aws.smithy.kotlin.runtime.http.middleware.ResolveEndpoint
+import aws.smithy.kotlin.runtime.http.middleware.RetryFeature
 import aws.smithy.kotlin.runtime.http.operation.*
 import aws.smithy.kotlin.runtime.http.response.HttpResponse
 import aws.smithy.kotlin.runtime.io.Closeable
 import aws.smithy.kotlin.runtime.io.middleware.Phase
 import aws.smithy.kotlin.runtime.logging.Logger
+import aws.smithy.kotlin.runtime.retries.impl.*
 import aws.smithy.kotlin.runtime.time.Clock
 import aws.smithy.kotlin.runtime.util.Platform
 import aws.smithy.kotlin.runtime.util.PlatformProvider
@@ -86,11 +88,18 @@ public class ImdsClient private constructor(builder: Builder) : InstanceMetadata
         UserAgent.create {
             staticMetadata = AwsUserAgentMetadata.fromEnvironment(ApiMetadata(SERVICE, "unknown"))
         },
+        RetryFeature.create {
+            val tokenBucket = StandardRetryTokenBucket(StandardRetryTokenBucketOptions.Default)
+            val delayProvider = ExponentialBackoffWithJitter(ExponentialBackoffWithJitterOptions.Default)
+            strategy = StandardRetryStrategy(StandardRetryStrategyOptions.Default, tokenBucket, delayProvider)
+            policy = ImdsRetryPolicy()
+        },
+        // must come after retries
         TokenMiddleware.create {
             httpClient = this@ImdsClient.httpClient
             ttl = tokenTtl
             clock = this@ImdsClient.clock
-        }
+        },
     )
 
     public companion object {

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/imds/ImdsRetryPolicy.kt

@@ -0,0 +1,37 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+package aws.sdk.kotlin.runtime.config.imds
+
+import aws.smithy.kotlin.runtime.http.HttpStatusCode
+import aws.smithy.kotlin.runtime.http.category
+import aws.smithy.kotlin.runtime.logging.Logger
+import aws.smithy.kotlin.runtime.retries.RetryDirective
+import aws.smithy.kotlin.runtime.retries.RetryErrorType
+import aws.smithy.kotlin.runtime.retries.RetryPolicy
+
+internal class ImdsRetryPolicy : RetryPolicy<Any?> {
+    override fun evaluate(result: Result<Any?>): RetryDirective = when {
+        result.isSuccess -> RetryDirective.TerminateAndSucceed
+        else -> evaluate(result.exceptionOrNull()!!)
+    }
+
+    private fun evaluate(throwable: Throwable): RetryDirective = when (throwable) {
+        is EC2MetadataError -> {
+            val status = HttpStatusCode.fromValue(throwable.statusCode)
+            when {
+                status.category() == HttpStatusCode.Category.SERVER_ERROR -> RetryDirective.RetryError(RetryErrorType.ServerSide)
+                // 401 indicates the token has expired, this is retryable
+                status == HttpStatusCode.Unauthorized -> RetryDirective.RetryError(RetryErrorType.ServerSide)
+                else -> {
+                    val logger = Logger.getLogger<ImdsRetryPolicy>()
+                    logger.debug { "Non retryable IMDS error: statusCode=${throwable.statusCode}; ${throwable.message}" }
+                    RetryDirective.TerminateAndFail
+                }
+            }
+        }
+        else -> RetryDirective.TerminateAndFail
+    }
+}

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/imds/TokenMiddleware.kt

@@ -51,7 +51,7 @@ internal class TokenMiddleware(config: Config) : Feature {
     }
 
     override fun <I, O> install(operation: SdkHttpOperation<I, O>) {
-        operation.execution.mutate.intercept { req, next ->
+        operation.execution.finalize.intercept { req, next ->
             val token = cachedToken.getOrLoad { getToken(clock, req).let { ExpiringValue(it, it.expires) } }
             req.subject.headers.append(X_AWS_EC2_METADATA_TOKEN, token.value.decodeToString())
             next.call(req)

aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/config/imds/ImdsClientTest.kt

@@ -7,7 +7,11 @@ package aws.sdk.kotlin.runtime.config.imds
 
 import aws.sdk.kotlin.runtime.testing.TestPlatformProvider
 import aws.sdk.kotlin.runtime.testing.runSuspendTest
+import aws.smithy.kotlin.runtime.http.Headers
+import aws.smithy.kotlin.runtime.http.HttpBody
+import aws.smithy.kotlin.runtime.http.HttpStatusCode
 import aws.smithy.kotlin.runtime.http.operation.Endpoint
+import aws.smithy.kotlin.runtime.http.response.HttpResponse
 import aws.smithy.kotlin.runtime.httptest.buildTestConnection
 import aws.smithy.kotlin.runtime.time.Instant
 import aws.smithy.kotlin.runtime.time.ManualClock
@@ -139,24 +143,70 @@ class ImdsClientTest {
         connection.assertRequests()
     }
 
-    @Ignore
     @Test
-    fun testRetryHttp500() {
-        fail("not implemented yet")
+    fun testRetryHttp500(): Unit = runSuspendTest {
+        val connection = buildTestConnection {
+            expect(
+                tokenRequest("http://169.254.169.254", DEFAULT_TOKEN_TTL_SECONDS),
+                tokenResponse(DEFAULT_TOKEN_TTL_SECONDS, "TOKEN_A")
+            )
+            expect(
+                imdsRequest("http://169.254.169.254/latest/metadata", "TOKEN_A"),
+                HttpResponse(HttpStatusCode.InternalServerError, Headers.Empty, HttpBody.Empty)
+            )
+            expect(
+                imdsRequest("http://169.254.169.254/latest/metadata", "TOKEN_A"),
+                imdsResponse("output 2")
+            )
+        }
+
+        val client = ImdsClient { engine = connection }
+        val r1 = client.get("/latest/metadata")
+        assertEquals("output 2", r1)
+        connection.assertRequests()
     }
 
-    @Ignore
     @Test
-    fun testRetryTokenFailure() {
+    fun testRetryTokenFailure(): Unit = runSuspendTest {
         // 500 during token acquisition should be retried
-        fail("not implemented yet")
+        val connection = buildTestConnection {
+            expect(
+                tokenRequest("http://169.254.169.254", DEFAULT_TOKEN_TTL_SECONDS),
+                HttpResponse(HttpStatusCode.InternalServerError, Headers.Empty, HttpBody.Empty)
+            )
+            expect(
+                tokenRequest("http://169.254.169.254", DEFAULT_TOKEN_TTL_SECONDS),
+                tokenResponse(DEFAULT_TOKEN_TTL_SECONDS, "TOKEN_A")
+            )
+            expect(
+                imdsRequest("http://169.254.169.254/latest/metadata", "TOKEN_A"),
+                imdsResponse("output 2")
+            )
+        }
+
+        val client = ImdsClient { engine = connection }
+        val r1 = client.get("/latest/metadata")
+        assertEquals("output 2", r1)
+        connection.assertRequests()
     }
 
-    @Ignore
     @Test
-    fun testNoRetryHttp403() {
+    fun testNoRetryHttp403(): Unit = runSuspendTest {
         // 403 responses from IMDS during token acquisition MUST not be retried
-        fail("not implemented yet")
+        val connection = buildTestConnection {
+            expect(
+                tokenRequest("http://169.254.169.254", DEFAULT_TOKEN_TTL_SECONDS),
+                HttpResponse(HttpStatusCode.Forbidden, Headers.Empty, HttpBody.Empty)
+            )
+        }
+
+        val client = ImdsClient { engine = connection }
+        val ex = assertFailsWith<EC2MetadataError> {
+            client.get("/latest/metadata")
+        }
+
+        assertEquals(HttpStatusCode.Forbidden.value, ex.statusCode)
+        connection.assertRequests()
     }
 
     @Test